DORA

Overall statement

Statement of Compliance with the EU Digital Operational Resilience Act (DORA)

We are pleased to confirm that baseVISION complies with the EU Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554. This regulation, which aims to strengthen the digital operational resilience of financial entities, is a critical component of our commitment to maintaining the highest standards of ICT security and operational integrity.

As part of our compliance efforts, we have implemented robust ICT risk management frameworks, conducted comprehensive digital operational resilience testing, and established stringent monitoring and reporting mechanisms for ICT-related incidents. Additionally, we have made certain that all third-party ICT service providers we work with comply with the required contractual terms and oversight standards.

The Board of Executives is dedicated to maintaining high security standards and continuously monitors, measures, and supports improvements to ensure these standards remain at an elevated level. Key commitments, roles, and responsibilities are clearly defined, implemented, and integrated into our services. We have established a robust risk management framework, overseen by the Chief Information Security Officer (CISO), which is reviewed and approved by the Board of Executives at least annually. Our policy outlines the risk framework and mandates recurring risk assessments of current assets to identify and address potential risks.

Our adherence to DORA not only enhances our ability to withstand disruptions but also reinforces our dedication to providing secure and reliable services to our clients.

For more information on our compliance measures and how we are safeguarding your digital operations, please contact our CISO (ciso@basevision.ch).

Statement on “Chapter V, Managing ICT third-party risk”

baseVISION has implemented and certified an ISO/IEC 27001 Information Security Management System (ISMS) with yearly review cycles by internal and external audits. The ISMS is implemented with no exceptions and has been further extended to comply with DORA requirements.

Management commitment

The Board of Executives is committed to high security standards and continuously monitors, measures and supports efforts to keep the security standard at a high level. Key commitments, roles and responsibilities are defined, implemented and part of our services. We have an established risk management framework maintained by the CISO and reviewed and approved by the Board of Executives at least yearly. A policy defines the risk framework and the recurring risk assessments of current assets with identified risks.

Key contractual provisions

Our services come with detailed service descriptions or a Statement of Work (SOW), depending on the service. Service descriptions are part of long-term services such as SOC services. These contracts are part of the SOC contract framework, which includes further information such as our third-party providers, the “ADV Data Protection Addendum” or the “Technical and Organizational Measures” implemented to protect the data. We will notify the customer of any service changes that necessitate updates to the contract documents.

With written customer approval, we will provide contract documents to approved authorities. The customer shall notify baseVISION before documents are forwarded to third parties not agreed in the service contract or Statement of Work.

Obligation

We guarantee support in the event of an ICT security incident at your financial institution related to our services. Time, duration and fees are part of the contract.

Audits

We conduct at least two ISMS audits within a calendar year. An external party audits baseVISION’s ISMS as a review and preparation for the audit by the certification authority. The whole of baseVISION is ISMS certified without any exceptions in the controls. See our website for the latest certificate. baseVISION will grant audit rights to its customers as agreed in the contracts or the terms and conditions on the website. Contact the CISO for further information.

Incident handling

We have implemented incident handling processes as part of our own Security Operations Center (SOC). The SOC performs the first security incident analysis and informs or escalates according to the pre-defined escalation process. Depending on the case, the SOC will inform our Incident Management Team for further analysis or inform the CISO. In the event of a critical security incident that endangers the customer’s data, baseVISION will inform the customer via the agreed communication channel and format.

Penetration Testing / Assessments

At baseVISION, we conduct regular internal and external penetration tests to identify vulnerabilities in our systems. We inform our management about the types of tests performed and provide a summary of the results and mitigation steps. This approach demonstrates our commitment to continuous improvement, proactive risk management, and protecting sensitive data and devices.

Vulnerability / Patch Management

We ensure that operating systems, along with their components and software, are consistently updated to maintain optimal security. This proactive approach helps us safeguard against potential vulnerabilities and ensures the highest level of protection for our systems and data. Our Security Operations Center (SOC) conducts monthly threat reviews to stay ahead of potential risks and reports the results to the CIO and CISO.

Awareness

At baseVISION, all new joiners must complete cybersecurity training within their first weeks. Additionally, all employees are required to undergo annual cybersecurity training. These sessions cover essential topics such as confidentiality, data privacy, data security, governance, and the secure use of tools. This ensures that everyone is well-informed and equipped to maintain the highest standards of security within the organization.

Insolvency, liquidation, discontinuation and termination

We provide our services in the customer’s Microsoft Azure tenant. The data therefore remains in your infrastructure, where you retain control over it. We temporarily store data to create reports, which are then stored in your infrastructure.