Article 18 Physical and environmental security
-
As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entitiesas defined in Article 2, points (a) to (t) shall specify, document, and implement a physical and environmental security policy. Financial entitiesas defined in Article 2, points (a) to (t) shall design that policy i light of the cyber threatmeans ‘cyber threat’ as defined in Article 2, point (8), of Regulation (EU) 2019/881; landscape, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and in light of the overall risk profile of ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity; and accessible information assetsmeans a collection of information, either tangible or intangible, that is worth protecting;.
-
The physical and environmental security policy referred to in paragraph 1 shall contain all of the following:
-
a reference to the section of the policy on control of access management rights referred to in Article 21, first paragraph, point (g);
-
measures to protect from attacks, accidents, and environmental threats and hazards, the premises, data centres of the financial entity, and sensitive designated areas identified by the financial entity, where ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity; and information assetsmeans a collection of information, either tangible or intangible, that is worth protecting; reside;
-
measures to secure ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity;, both within and outside the premises of the financial entity, taking into account the results of the ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; assessment related to the relevant ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity;;
-
measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity;, information assetsmeans a collection of information, either tangible or intangible, that is worth protecting;, and physical access control devices of the financial entity through the appropriate maintenance;
-
measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including:
-
a clear desk policy for papers;
-
a clear screen policy for information processing facilities.
-
For the purposes of point (b), the measures to protect from environmental threats and hazards shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein.
For the purposes of point (c), the physical and environmental security policy referred to in paragraph 1 shall contain measures to provide appropriate protection to unattended ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity;.
-