DNB Good Practice Information Security 2023 — SP 800-53 Coverage

How well do NIST SP 800-53 Rev 5 controls address each DNB Good Practice requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.

Clauses: 58
Avg Coverage: 82.5%
Publisher: De Nederlandsche Bank (DNB)

Coverage Distribution

Full (85-100%): 33
Substantial (65-84%): 22
Partial (40-64%): 3
Weak (1-39%): 0

Clause-by-Clause Analysis

DNB.1.1 Information security plan

Rationale

PL-01 establishes the overarching security planning policy. PL-02 requires system security and privacy plans that document controls, responsibilities, and expected behaviour. PM-01 defines the information security program plan with objectives, milestones, and resource requirements. PM-09 risk management strategy informs the security plan. PM-11 defines mission/business process linkage. RA-01 provides risk assessment policy that feeds the plan. SA-02 addresses allocation of resources to security. DNB requires a board-approved information security plan that is reviewed annually, integrated with business strategy, and aligned with DNB supervisory expectations — a governance-level planning requirement that SP 800-53 addresses through multiple planning controls but without the specific Dutch regulatory alignment mandate.

Gaps

DNB requires the information security plan to be explicitly approved by the management board and aligned with the institution's risk appetite statement as reported to DNB. SP 800-53 planning controls are comprehensive but do not prescribe board-level approval or regulatory alignment with DNB supervisory expectations. The COBIT 4.1 maturity model assessment of the plan is DNB-specific.

DNB.1.2 IT policies management

Rationale

SP 800-53 has comprehensive policy controls (-01) for every family, establishing policy frameworks with review cycles, roles, and responsibilities. PL-01 is the overarching planning policy. Each family-specific -01 control requires documented policy with purpose, scope, roles, management commitment, and coordination. This directly addresses DNB's requirement for a coherent IT policy framework with regular review, communication, and enforcement. The breadth of per-family policies exceeds DNB's single-control scope.

Gaps

DNB requires IT policies to be managed through a defined lifecycle including creation, approval, communication, compliance monitoring, and periodic review with documented policy exceptions process. SP 800-53 policy controls are more granular per-family while DNB expects a coherent hierarchical policy management framework. DNB-specific: policies must reference Wft (Wet op het financieel toezicht) obligations.

DNB.2.1 Enterprise Information architecture model

Rationale

PL-08 establishes security and privacy architectures that are integrated into the enterprise architecture. PM-07 aligns the security program with the enterprise architecture. SA-08 provides security and privacy engineering principles, and SA-17 requires developer security and privacy architecture and design. These controls address the security dimension of enterprise architecture. However, DNB requires a broader enterprise information architecture model that encompasses data flows, application landscape, and technology infrastructure — not solely security architecture.

Gaps

DNB requires a comprehensive enterprise information architecture model covering data, application, and technology layers, not just security architecture. SP 800-53 focuses on security architecture as a component of enterprise architecture (PL-08, PM-07) but does not mandate a complete enterprise information architecture model. The TOGAF/ArchiMate-style architecture governance DNB expects is beyond SP 800-53 scope.

DNB.2.2 Data classification scheme

Rationale

RA-02 security categorisation directly addresses data classification through FIPS 199 categorisation of information and systems based on confidentiality, integrity, and availability impact. AC-16 security and privacy attributes support attribute-based classification labels. MP-04 media storage references classification for handling. SC-16 transmission of security and privacy attributes ensures classification metadata travels with data. SP 800-53's categorisation approach is well-aligned with DNB's requirement for a data classification scheme that drives protective controls.

Gaps

DNB requires a data classification scheme specific to financial sector data types (client data, transaction data, market-sensitive data) with handling procedures per classification level. SP 800-53 uses FIPS 199 impact levels (low/moderate/high) rather than financial-sector-specific classification tiers. DNB also expects classification to drive Dutch financial regulatory reporting obligations.

DNB.3.1 Monitor future trends and regulations

Rationale

PM-15 security and privacy groups and associations provides channels for monitoring industry developments and emerging threats, and PM-16 establishes a threat awareness program. SI-05 security alerts, advisories, and directives covers monitoring of external threat intelligence. RA-03 risk assessment considers emerging threats. However, DNB's control is broader — it requires active monitoring of technology trends, evolving regulations (including EU and Dutch financial regulation), and industry developments that could impact the institution's IT risk posture.

Gaps

DNB requires proactive monitoring of future technology trends, emerging regulations, and industry developments with formal assessment of their impact on the institution. SP 800-53 addresses threat monitoring (PM-15, PM-16, SI-05) but does not mandate monitoring of regulatory developments, technology trends, or strategic technology planning. This is fundamentally a governance/strategy control that extends beyond SP 800-53's technical security scope.

DNB.3.2 Technology standards

Rationale

CM-02 baseline configurations serve as technology standards for system builds. CM-06 configuration settings establish security-relevant technology standards. CM-07 least functionality constrains technology choices. SA-04 acquisition requirements enforce standards in procurement. SA-08 security engineering principles guide technology selection. PL-08 security architecture provides architectural technology standards. SP 800-53 addresses the security dimension of technology standards comprehensively.

Gaps

DNB requires formal technology standards encompassing approved platforms, development frameworks, database technologies, and network architectures — broader than security-specific standards. SP 800-53 addresses configuration baselines and security requirements but not enterprise technology standardisation governance. DNB expects alignment with industry best practices and vendor support lifecycle management.

DNB.4.1 IT risk management framework

Rationale

PM-09 establishes the risk management strategy including risk tolerance, risk assessment methodology, and risk response approaches, and PM-28 establishes risk framing. RA-01 provides risk assessment policy, RA-02 security categorisation feeds risk decisions, and RA-03 defines the risk assessment process. PM-08 covers the critical infrastructure plan. PM-11 mission/business process definition ensures risk framework alignment with business objectives. SP 800-53's risk management controls are comprehensive but focus on information security risk rather than integrated IT risk.

Gaps

DNB requires an integrated IT risk management framework covering operational, strategic, and compliance risk dimensions — broader than information security risk alone. SP 800-53 focuses on security and privacy risk. DNB expects the framework to be embedded in the institution's three-lines-of-defence model and aligned with Wft Article 3:17 sound business operations requirements. COBIT 4.1 maturity assessment of the framework is DNB-specific.

DNB.4.2 Risk assessment

Rationale

RA-03 directly covers risk assessment including threat identification, vulnerability analysis, likelihood/impact determination, and risk determination. RA-05 vulnerability monitoring and scanning provides technical vulnerability input to risk assessment. RA-07 risk response identifies responses to assessed risks, and RA-09 provides criticality analysis. PM-09 risk management strategy provides the methodology framework. PM-28 risk framing establishes the risk context. SP 800-53 risk assessment controls are well-aligned with DNB requirements.

Gaps

DNB requires risk assessments to consider financial sector-specific threats (fraud, market manipulation, regulatory non-compliance) and to feed into the institution's Internal Capital Adequacy Assessment Process (ICAAP) where applicable. SP 800-53 risk assessment is comprehensive but does not mandate integration with financial regulatory risk reporting. DNB expects at least annual comprehensive risk assessment with interim updates for material changes.

DNB.4.3 Maintenance and monitoring of a risk action plan

Rationale

PM-04 plan of action and milestones directly addresses risk action plan maintenance with tracking and reporting. PM-09 risk management strategy includes risk response monitoring. RA-07 risk response tracks remediation actions. CA-05 plan of action and milestones from security assessments. PM-03 information security and privacy resources ensures funding for risk action plans. These controls collectively address the creation, maintenance, and monitoring of a risk treatment plan.

Gaps

DNB requires the risk action plan to be regularly reviewed by senior management with escalation procedures for overdue items and formal acceptance of residual risk by the management board. SP 800-53 POA&M controls track remediation but do not prescribe board-level governance of risk treatment plans. DNB expects risk action plans to be available for DNB supervisory review.

DNB.5.1 Responsibility for risk, security and compliance

Rationale

PM-02 assigns a senior-level information security officer role. PM-01 information security program plan defines responsibilities. PM-29 risk management program assigns risk ownership. PS-01 personnel security policy establishes the responsibility framework, and PS-07 extends security responsibilities to external personnel. PL-01 planning policy assigns planning responsibilities. SP 800-53 establishes clear responsibility assignment for security but does not mandate the three-lines-of-defence model DNB expects.

Gaps

DNB requires explicit assignment of risk, security, and compliance responsibilities within a three-lines-of-defence governance model: first line (business), second line (risk/compliance functions), third line (internal audit). SP 800-53 assigns a senior information security officer (PM-02) but does not prescribe the three-lines-of-defence organisational model. DNB expects a CISO or equivalent with direct access to the management board and supervisory board.

DNB.5.2 Management of information security

Rationale

PM-01 defines the information security program plan with objectives and governance, PM-02 assigns a senior security officer, and PM-03 allocates resources to the security program. PM-05 system inventory supports security management scope, PM-06 defines security measures of performance, PL-01 establishes security planning policy, and PM-14 covers testing, training, and monitoring. These controls provide a comprehensive security management framework. However, DNB requires security management to be embedded in the institution's overall governance structure with regular reporting to the management board.

Gaps

DNB requires information security management to include regular board-level reporting, security committee governance, and integration with the institution's overall risk management framework. SP 800-53 establishes security program management (PM family) but does not prescribe board-level governance mechanisms or security committee structures. DNB expects security management maturity assessment using COBIT 4.1 maturity levels.

DNB.6.1 Data and system ownership

Rationale

PM-05 system inventory identifies system boundaries and ownership. AC-16 security attributes support data ownership marking. RA-02 security categorisation requires system owner input. CM-08 system component inventory tracks ownership. PL-02 system security plans identify system owners and authorising officials. SP 800-53 establishes the concept of system owners and data stewardship but DNB requires more formal data and system ownership assignment with documented responsibilities.

Gaps

DNB requires formal assignment of data owners and system owners with documented accountability for classification, access decisions, and risk acceptance. SP 800-53 references system owners in multiple controls but does not mandate a comprehensive data ownership framework covering data lifecycle stewardship, data quality responsibilities, and formal delegation procedures. DNB's requirement aligns with COBIT 4.1's concept of data stewardship and enterprise data governance.

DNB.7.1 Segregation of duties

Rationale

AC-05 directly addresses separation of duties by defining duties requiring separation, establishing separate roles, and preventing conflicts. AC-06 least privilege ensures users have only necessary access, supporting segregation. CM-05 access restrictions for change prevents development and production overlap. PS-02 position risk designation feeds role-based access and separation requirements. SP 800-53 segregation of duties controls are well-aligned with DNB requirements for financial institutions.

Gaps

DNB requires segregation of duties specifically for financial sector roles: separation between trading and settlement, development and operations, security administration and audit. SP 800-53 AC-05 is comprehensive but does not prescribe financial-sector-specific segregation patterns. DNB expects segregation matrices documenting incompatible function combinations.

DNB.8.1 Personnel recruitment and retention

Rationale

PS-02 position risk designation assesses risk of personnel positions. PS-03 personnel screening ensures proper vetting during recruitment. PS-01 personnel security policy establishes the framework. PM-12 insider threat program addresses retention and loyalty concerns. SP 800-53 focuses on the security dimension of personnel management rather than broader HR recruitment and retention practices.

Gaps

DNB requires comprehensive personnel recruitment and retention practices ensuring adequate staffing of IT and security functions, not just security vetting. SP 800-53 addresses personnel screening and risk designation but not recruitment strategy, retention programmes, succession planning, or workforce capability planning. These are HR governance controls beyond SP 800-53's scope.

DNB.8.2 Personnel competences

Rationale

AT-02 literacy training and awareness establishes baseline competence. AT-03 role-based training ensures specialist competence for security roles. PM-13 security workforce management addresses competency frameworks. PM-14 testing, training, and monitoring validates ongoing competence. PM-12 insider threat program includes competence-related indicators. SP 800-53 addresses security competences well but DNB requires broader IT competency management.

Gaps

DNB requires formal competence management for all IT staff including skills assessment, training plans, certification requirements, and competence verification — broader than security-specific training. SP 800-53 focuses on security awareness and role-based security training (AT family) but does not mandate comprehensive IT competency frameworks, professional development programmes, or skills gap analysis across the IT function.

DNB.8.3 Dependence upon individuals

Rationale

CP-02 contingency planning considers single points of failure including key person dependencies. PM-12 insider threat program addresses risks from key individuals. PM-13 security workforce planning considers staffing adequacy. PS-02 position risk designation identifies critical roles. SP 800-53 addresses some aspects of key person dependency through contingency and workforce planning but does not directly mandate key person risk reduction.

Gaps

DNB specifically requires institutions to identify and mitigate dependencies on key individuals, including knowledge documentation, cross-training, succession planning, and backup arrangements for critical IT roles. SP 800-53 does not have a direct control for key person risk management. This is a workforce resilience control that extends beyond security into operational continuity governance.

DNB.8.4 Personnel clearance procedures

Rationale

PS-03 directly covers personnel screening with background checks, verification of credentials, and rescreening requirements. PS-06 access agreements ensure personnel understand and accept security responsibilities before access is granted. PS-07 external personnel security extends screening to third-party personnel. PS-01 personnel security policy establishes the clearance framework. SP 800-53 personnel screening controls are comprehensive and well-aligned with DNB requirements.

Gaps

DNB requires clearance procedures aligned with Dutch financial sector requirements including Wft fit-and-proper assessments for key function holders and compliance with Wwft (anti-money-laundering) screening obligations. SP 800-53 PS-03 is comprehensive for background screening but does not address financial sector-specific fit-and-proper testing or Dutch regulatory screening requirements.

DNB.8.5 Job change and termination

Rationale

PS-04 directly addresses personnel termination including return of assets, revocation of access, and exit procedures. PS-05 covers personnel transfer with access modification for role changes. AC-02 account management includes account removal/modification upon role change or termination. PE-02 physical access authorisations are updated upon personnel changes. SP 800-53 provides comprehensive coverage of the access lifecycle tied to employment changes.

Gaps

Minimal gap. DNB requires termination and transfer procedures to include knowledge transfer obligations and non-compete/NDA enforcement specific to financial sector roles. SP 800-53 covers access revocation and asset return comprehensively. DNB-specific: exit procedures may require notification to DNB for key function holders.

DNB.9.1 Knowledge transfer to end users

Rationale

AT-02 literacy training and awareness provides the primary mechanism for knowledge transfer to end users on security topics, acceptable use, and threat awareness. AT-06 training feedback allows assessment of transfer effectiveness. PL-04 rules of behaviour establishes the acceptable use framework that end users must understand. SP 800-53 awareness training is well-suited to DNB's requirement for ensuring end users understand their security responsibilities.

Gaps

DNB requires knowledge transfer to encompass broader IT application training and change communication — not just security awareness. SP 800-53 AT-02 focuses on security and privacy literacy training. DNB expects formal training programmes for new IT systems, application changes, and business process modifications that affect end users.

DNB.9.2 Knowledge transfer to operations and support staff

Rationale

AT-03 role-based training provides specialised security training for operations and support staff based on their assigned roles and responsibilities. AT-04 training records tracks training completion and currency. PM-13 security workforce management ensures staff maintain required competencies. PM-14 testing, training, and monitoring validates operational staff capabilities. SP 800-53 role-based training controls address the security dimension of operations staff knowledge transfer.

Gaps

DNB requires comprehensive knowledge transfer to operations staff covering IT service management, incident procedures, operational runbooks, and change processes — broader than security-specific training. SP 800-53 AT-03 focuses on security role-based training rather than full operational knowledge transfer including ITIL-aligned process training and technology platform certification requirements.

DNB.9.3 Employee awareness

Rationale

AT-02 directly covers security and privacy literacy training including awareness of threats, social engineering, and reporting procedures. AT-06 training feedback measures awareness programme effectiveness. PM-12 insider threat program includes awareness of insider threat indicators. PM-14 testing, training, and monitoring includes exercises that reinforce awareness (e.g., phishing simulations). SP 800-53 awareness controls are comprehensive and well-aligned with DNB's employee awareness requirements.

Gaps

Minimal gap. DNB requires awareness programmes to cover financial sector-specific threats including fraud, social engineering targeting financial transactions, and regulatory obligations under Wft. SP 800-53 AT-02 is comprehensive for general security awareness. DNB expects measurable awareness metrics and regular programme effectiveness assessment.

DNB.10.1 Change standards and procedures

Rationale

CM-01 establishes configuration management policy including change management procedures. CM-03 provides detailed configuration change control with approval workflows, documentation, and review. CM-04 impact analysis ensures changes are assessed before implementation. CM-05 access restrictions for change limits who can authorise and implement changes. SA-10 developer configuration management extends change control to development. SP 800-53 change management controls are well-aligned with DNB requirements.

Gaps

DNB requires change standards to define change types (standard, normal, emergency), approval authority levels, and change advisory board governance. SP 800-53 CM-03 covers change control comprehensively but does not prescribe specific change type categorisation or CAB structures. DNB expects ITIL-aligned change management maturity.

DNB.10.2 Impact assessment, prioritisation and authorisation

Rationale

CM-04 directly covers impact analysis including security impact analysis of changes before implementation. CM-03 configuration change control includes authorisation requirements. RA-03 risk assessment methodology applies to change-related risk assessment. RA-07 risk response provides the framework for change-related risk decisions. SP 800-53 provides strong coverage of impact assessment and authorisation for changes.

Gaps

DNB requires formal prioritisation of changes considering business criticality, risk, and resource availability — a project governance dimension beyond pure security impact assessment. SP 800-53 CM-04 focuses on security impact analysis. DNB expects change prioritisation to consider business continuity impact and customer-facing service availability.

DNB.10.3 Test environment

Rationale

CM-04 security impact analysis requires testing environments for change validation. SA-11 developer testing and evaluation requires appropriate testing infrastructure. SC-32 system partitioning supports environment separation, and CM-02 baseline configuration allows variants for different environments. SP 800-53 implies test environment requirements through change control and testing controls but does not mandate specific test environment governance.

Gaps

DNB requires dedicated test environments that mirror production with controls over data used in testing, environment refresh procedures, and separation from production. SP 800-53 implies but does not mandate specific test environment provisioning, data masking for test environments, or production-equivalent test infrastructure. DNB expects test environments for all critical systems with documented refresh and data sanitisation procedures.

DNB.10.4 Testing of changes

Rationale

CM-04 security impact analysis includes testing of changes for security implications. SA-11 developer security testing and evaluation covers functional and security testing. CA-02 security assessments can apply to change validation. SA-15 development process, standards, and tools includes testing standards and criteria. SP 800-53 testing controls are comprehensive for security-relevant change testing.

Gaps

DNB requires comprehensive testing including functional, regression, integration, performance, and user acceptance testing — broader than security testing alone. SP 800-53 focuses on security testing (SA-11) and security impact analysis (CM-04). DNB expects formal test plans, test criteria, and documented test results for all material changes with sign-off before production promotion.

DNB.10.5 Promotion to production

Rationale

CM-03 configuration change control includes approval processes before production deployment. CM-05 access restrictions for change limits who can promote to production. CM-02 baseline configuration ensures production baselines are updated. SA-10 developer configuration management covers the development-to-production handover. SP 800-53 provides good coverage of production promotion controls through configuration management.

Gaps

DNB requires formal production promotion procedures with documented approval, rollback procedures, post-implementation review, and separation between those who develop/test and those who deploy to production. SP 800-53 CM-03/CM-05 cover authorisation and access restriction but do not explicitly mandate post-implementation review or rollback planning. DNB expects ITIL-aligned release management practices.

DNB.11.1 IT continuity plans

Rationale

CP-01 establishes contingency planning policy. CP-02 directly covers contingency plan development with essential mission/business functions, recovery objectives, restoration priorities, and roles. CP-07 provides for an alternate processing site, CP-08 for telecommunications services for continuity, and CP-10 for system recovery and reconstitution. PM-08 covers the critical infrastructure plan, and PM-11 mission/business process definition identifies critical processes for continuity planning. SP 800-53 contingency planning is comprehensive and well-aligned with DNB continuity requirements.

Gaps

DNB requires IT continuity plans to be integrated with the institution's overall business continuity plan (BCP) and to define RTO/RPO targets for critical financial services and systems. SP 800-53 CP-02 is comprehensive but DNB expects continuity plans to specifically address financial market infrastructure dependencies, payment system continuity, and customer service availability commitments. Plans must be reviewed by internal audit and available for DNB supervisory review.

DNB.11.2 Testing of the IT continuity plan

Rationale

CP-04 directly covers contingency plan testing with various testing methods (tabletop, walkthrough, simulation, full failover). CP-03 contingency training ensures staff can execute the plan. IR-03 incident response testing covers the incident management dimension of continuity. PM-14 testing, training, and monitoring provides the overarching test programme framework. SP 800-53 contingency testing controls are comprehensive.

Gaps

DNB requires at least annual testing of IT continuity plans with scenarios that include financial-sector-specific situations (payment system outage, market data feed failure, regulatory reporting system unavailability). SP 800-53 CP-04 mandates testing but does not prescribe financial-sector-specific test scenarios. DNB expects test results to be reported to the management board and made available for supervisory review.

DNB.11.3 Offsite backup storage

Rationale

CP-06 directly covers alternate storage site requirements including geographic separation, access controls, and environmental protections. CP-09 system backup includes offsite backup provisions with transfer frequency and integrity verification. MP-04 media storage addresses physical protection of stored media. PE-17 alternate work site provides additional offsite considerations. SP 800-53 offsite storage controls are comprehensive.

Gaps

DNB requires offsite backup storage to ensure data sovereignty within EU/EEA jurisdictions and to consider geographic risk diversification specific to the Netherlands (flood risk, concentrated data centre regions). SP 800-53 addresses geographic separation but does not mandate EU/EEA data residency or Netherlands-specific geographic risk considerations.

DNB.11.4 Backup and restoration

Rationale

CP-09 directly covers system backup including backup frequency, integrity testing, and backup protection. CP-10 system recovery and reconstitution addresses restoration to a known secure state. CP-02 contingency planning defines recovery priorities and procedures. SI-13 predictive failure analysis supports proactive backup planning. SP 800-53 backup and restoration controls are comprehensive and well-aligned with DNB requirements.

Gaps

Minimal gap. DNB requires backup and restoration procedures to include regular restoration testing (not just backup verification), defined backup retention periods aligned with Dutch regulatory record-keeping requirements, and documented RPO/RTO targets for critical financial systems. SP 800-53 CP-09/CP-10 address these substantially.

DNB.12.1 Storage and retention arrangements

Rationale

SI-12 information management and retention covers the information lifecycle including retention requirements. AU-11 audit record retention establishes retention for audit data. MP-04 media storage addresses physical storage protections, and MP-02 media access restricts access to stored media. SP 800-53 addresses storage security and some retention aspects but is less prescriptive about business record retention.

Gaps

DNB requires storage and retention arrangements that comply with Dutch regulatory retention requirements under Wft, Wwft, and AWR (General Tax Act), which mandate specific retention periods for financial transaction records (typically 5-7 years). SP 800-53 SI-12 addresses retention conceptually but does not mandate financial sector-specific retention periods. DNB expects documented retention schedules with regulatory justification.

DNB.12.2 Disposal

Rationale

MP-06 directly covers media sanitisation with clear, purge, and destroy methods appropriate to data sensitivity. MP-08 media downgrading addresses reclassification before reuse. MP-01 media protection policy establishes the disposal framework. SI-12 information management and retention covers information lifecycle including disposal triggers. SP 800-53 media disposal controls are comprehensive.

Gaps

Minimal gap. DNB requires disposal procedures to comply with Dutch regulatory record-keeping requirements — data must not be disposed before regulatory retention periods expire. SP 800-53 MP-06 is comprehensive for sanitisation methods. DNB expects documented disposal logs with certification of destruction for sensitive financial data.

DNB.12.3 Security requirements for data management

Rationale

AC-03 access enforcement protects data in use. AC-04 information flow enforcement controls data movement. AC-16 security attributes support data classification and handling. SC-08 transmission confidentiality and integrity protects data in transit, and SC-28 protects information at rest. MP-04 media storage protects stored data, and SI-12 governs information management and retention. SP 800-53 provides comprehensive data protection controls across the data lifecycle.

Gaps

DNB requires security requirements for data management to encompass data quality, data integrity verification, data lineage tracking, and master data management — governance dimensions beyond pure data protection. SP 800-53 addresses data security (confidentiality, integrity, availability) but not data governance quality controls. DNB expects data management aligned with BCBS 239 (risk data aggregation) principles for systemically important institutions.

DNB.13.1 Configuration repository and baseline

Rationale

CM-02 directly establishes baseline configuration requirements with documented, reviewed, and updated baselines. CM-06 configuration settings establishes mandatory settings. CM-08 system component inventory serves as the configuration repository tracking all components. CM-01 configuration management policy establishes the governance framework. SP 800-53 configuration baseline controls are comprehensive and directly aligned with DNB requirements.

Gaps

Minimal gap. DNB requires a centralised Configuration Management Database (CMDB) with relationship mapping between configuration items — more prescriptive about tooling than SP 800-53. SP 800-53 CM-02/CM-08 require baselines and inventory but do not mandate CMDB-specific tooling or ITIL-aligned configuration management process maturity.

DNB.13.2 Identification and maintenance of configuration items

Rationale

CM-08 system component inventory directly addresses identification and tracking of configuration items including hardware, software, and firmware. CM-03 configuration change control maintains configuration items through their lifecycle. CM-02 baseline configuration identifies authorised configurations. CM-07 least functionality ensures only necessary components are maintained. SP 800-53 configuration item management is comprehensive.

Gaps

DNB requires configuration item lifecycle management including creation, classification, status tracking, verification, and audit of all IT assets — aligned with ITIL configuration management best practice. SP 800-53 CM-08 covers inventory and CM-03 covers change control but does not mandate formal CI lifecycle states or CMDB relationship mapping between infrastructure, application, and service CIs.

DNB.14.1 Monitoring and reporting of SLAs

Rationale

SA-09 external system services requires service-level agreements and monitoring of external services. SA-04 acquisition requirements includes service level specifications. PM-06 security measures of performance provides performance monitoring framework. CA-07 continuous monitoring can include service level monitoring. SP 800-53 addresses SLA monitoring for external/acquired services but not internal IT service level management.

Gaps

DNB requires comprehensive SLA monitoring and reporting covering both internal and external IT services with regular reporting to business stakeholders and the management board. SP 800-53 focuses on external service provider SLAs (SA-09) but does not mandate internal IT service level management, OLA governance, or ITIL service level management process maturity. DNB expects SLA breach escalation procedures and trend analysis.

DNB.14.2 Supplier risk management

Rationale

SR-01 supply chain risk management policy. SR-02 supply chain risk assessment. SR-03 supply chain controls and processes. SR-05 acquisition strategies and tools. SR-06 supplier assessments and reviews. SA-04 acquisition security requirements. SA-09 external system services with security provisions. SP 800-53 supply chain risk management controls (SR family, which replaced the withdrawn SA-12 in Rev 5) are comprehensive and well-aligned with DNB's supplier risk management requirements.

Gaps

DNB requires supplier risk management to include concentration risk assessment (avoiding over-reliance on single providers), fourth-party risk awareness, and exit strategy planning for critical suppliers. SP 800-53 SR family is comprehensive but DNB expects financial sector-specific supplier due diligence including financial stability assessment of critical suppliers, alignment with EBA outsourcing guidelines, and notification to DNB for material outsourcing arrangements.

DNB.15.1 Security incident definition

Rationale

IR-01 incident response policy establishes the incident framework including definitions and categories. IR-02 incident response training ensures staff understand incident definitions and reporting requirements. IR-08 incident response plan documents the complete incident response programme. SI-05 security alerts and directives provide context for incident identification. SP 800-53 incident definition through IR-01 and IR-08 provides a solid foundation for DNB's requirement.

Gaps

DNB requires security incident definitions aligned with DNB's incident reporting taxonomy and thresholds, including mandatory reporting of incidents affecting availability of critical financial services (e.g., payment services downtime > 2 hours). SP 800-53 incident definitions are organisation-specific. DNB expects incident classification to distinguish cyber incidents requiring DNB notification under Wft Article 3:17 and the EBA/ECB incident reporting framework.

DNB.15.2 Incident escalation

Rationale

IR-04 incident handling includes escalation within the handling process. IR-05 incident monitoring tracks escalation status. IR-06 incident reporting covers internal and external reporting obligations. IR-01 incident response policy defines escalation procedures. PM-12 insider threat program includes specific escalation paths. SP 800-53 incident escalation coverage is comprehensive for internal escalation procedures.

Gaps

DNB requires incident escalation procedures to include mandatory escalation to DNB for material cyber incidents within defined timeframes, escalation to the management board for significant incidents, and crisis communication procedures for customer-impacting incidents. SP 800-53 IR-06 covers reporting but does not prescribe financial regulatory incident notification timelines or the DNB-specific reporting format and escalation matrix.

DNB.16.1 Security testing, surveillance and monitoring

Rationale

CA-02 security assessments cover periodic security testing. CA-07 continuous monitoring provides ongoing surveillance. CA-08 penetration testing addresses offensive security testing. SI-04 system monitoring covers real-time surveillance and anomaly detection. AU-06 audit review and analysis supports security monitoring. RA-05 vulnerability monitoring and scanning. SP 800-53 provides comprehensive security testing and monitoring controls well-aligned with DNB requirements.

Gaps

DNB requires security testing and monitoring to include financial transaction monitoring for fraud detection, which extends beyond IT security monitoring into business process monitoring. SP 800-53 covers IT security testing and monitoring comprehensively. DNB expects testing results to be reported to the management board and internal audit.

DNB.16.2 Monitoring of internal control framework

Rationale

CA-02 security assessments evaluate the effectiveness of internal controls. CA-05 plan of action and milestones tracks control remediation. CA-07 continuous monitoring provides ongoing control effectiveness assessment. PM-06 security measures of performance tracks control metrics. PM-14 testing, training, and monitoring provides the assessment framework. SP 800-53 addresses control monitoring through the CA family.

Gaps

DNB requires monitoring of the internal control framework through a three-lines-of-defence model with first-line self-assessments, second-line independent testing, and third-line internal audit. SP 800-53 CA controls focus on security assessment but do not prescribe the three-lines-of-defence governance model or COBIT 4.1 maturity-based assessment. DNB expects control framework monitoring to feed into the institution's annual ISAE 3402 / SOC reporting where applicable.

DNB.16.3 Internal control of third parties

Rationale

SA-09 external system services with security monitoring and assessment requirements. SR-06 supplier assessments and reviews provides direct third-party control assessment. SR-03 supply chain controls and processes. CA-02 security assessments can be applied to third-party services. PS-07 external personnel security covers third-party personnel controls. SP 800-53 provides good coverage of third-party control assessment.

Gaps

DNB requires internal control of third parties to include right-to-audit clauses, regular on-site assessments of material outsourcing providers, and chain outsourcing (fourth-party) visibility. SP 800-53 addresses third-party assessment (SA-09, SR-06) but DNB expects alignment with EBA outsourcing guidelines and DNB's specific outsourcing supervision expectations, including notification for material outsourcing to cloud providers.

DNB.16.4 Evaluation of compliance with external requirements

Rationale

CA-02 security assessments can evaluate regulatory compliance. CA-06 authorisation (ATO) provides formal compliance determination. PM-06 performance measures can track compliance metrics. PM-01 security program plan references applicable laws and regulations. PM-15 security groups and associations helps monitor regulatory developments. SP 800-53 supports compliance evaluation through assessment and programme management controls.

Gaps

DNB requires systematic evaluation of compliance with external legal and regulatory requirements including Wft, Wwft, GDPR/AVG, PSD2, and sector-specific DNB guidance. SP 800-53 supports compliance assessment conceptually but does not mandate systematic regulatory compliance tracking, compliance gap analysis, or regulatory change impact assessment. DNB expects a formal compliance monitoring programme with regular reporting to the compliance function and management board.

DNB.16.5 Independent assurance

Rationale

CA-02 security assessments by independent assessors. CA-06 authorisation provides formal independent acceptance of risk. CA-08 penetration testing as an independent assurance activity. PM-14 testing, training, and monitoring provides independent testing framework. SP 800-53 supports independent security assessment but DNB's requirement is broader — covering IT audit, external audit, and regulatory examination.

Gaps

DNB requires independent assurance through a structured internal audit programme for IT, external audit coverage of IT controls, and readiness for DNB supervisory examinations. SP 800-53 CA-02 supports independent assessment but does not prescribe a formal IT audit programme, external audit integration, or regulatory examination preparation. DNB expects compliance with IIA standards and alignment with ISAE 3402 where applicable.

DNB.17.1 Identity management

Rationale

IA-01 identification and authentication policy establishes the identity management framework. IA-02 identification and authentication of organisational users. IA-04 identifier management covers lifecycle of identifiers. IA-05 authenticator management covers credentials and authentication factors. IA-08 identification and authentication of non-organisational users. IA-12 identity proofing supports identity verification. SP 800-53 identity management controls are comprehensive and well-aligned with DNB requirements.

Gaps

DNB requires identity management to include privileged identity lifecycle management, service account governance, and identity federation controls for inter-institutional access. SP 800-53 IA family is comprehensive. DNB expects documented identity management procedures covering the full identity lifecycle from provisioning through deprovisioning, with periodic identity recertification.

DNB.17.2 User account management

Rationale

AC-02 directly covers account management including account lifecycle (creation, modification, disabling, removal), account types, and periodic review. AC-03 access enforcement implements access decisions. AC-05 separation of duties prevents conflicting account privileges. AC-06 least privilege ensures minimal necessary access. AC-07 unsuccessful login attempts provides account lockout. IA-04 identifier management and IA-05 authenticator management support account credential lifecycle. SP 800-53 account management is comprehensive.

Gaps

Minimal gap. DNB requires periodic user access reviews (at least annually for standard accounts, more frequently for privileged accounts) with documented recertification by data/system owners. SP 800-53 AC-02 includes account review requirements. DNB expects access review results to be available for internal audit and DNB supervisory examination.

DNB.18.1 Infrastructure resource protection and availability

Rationale

SC-05 denial-of-service protection safeguards infrastructure availability. SC-07 boundary protection secures infrastructure perimeters. CP-07 alternate processing site provides infrastructure redundancy. CP-08 telecommunications services ensures network availability. AU-04 audit log storage capacity protects against capacity exhaustion. PE-09 power equipment and cabling, PE-10 emergency shutoff, PE-11 emergency power. SP 800-53 infrastructure protection and availability controls are comprehensive.

Gaps

DNB requires infrastructure resource management to include capacity planning, performance monitoring, and availability management aligned with defined SLA targets for financial services. SP 800-53 addresses availability through contingency planning and denial-of-service protection but does not mandate proactive capacity management or IT service availability management processes.

DNB.18.2 Infrastructure maintenance

Rationale

MA-01 maintenance policy establishes the governance framework. MA-02 controlled maintenance with scheduling, documentation, and approval. MA-03 maintenance tools controls and monitors tools used for maintenance. MA-04 nonlocal maintenance addresses remote maintenance security. MA-05 maintenance personnel ensures proper authorisation and supervision. MA-06 timely maintenance ensures prompt remediation. SP 800-53 maintenance controls are comprehensive and well-aligned.

Gaps

Minimal gap. DNB requires infrastructure maintenance to include vendor patch management alignment, planned maintenance windows coordinated with business operations, and maintenance change records integrated with the change management process. SP 800-53 MA family covers these substantially through controlled maintenance (MA-02) and timely maintenance (MA-06).

DNB.18.3 Cryptographic key management

Rationale

SC-12 directly covers cryptographic key establishment and management including key generation, distribution, storage, access, destruction, and archiving. SC-13 cryptographic protection specifies algorithm and key length requirements. SC-17 public key infrastructure certificates management. IA-07 cryptographic module authentication for FIPS validation. SP 800-53 cryptographic key management controls are comprehensive.

Gaps

DNB requires cryptographic key management to address financial-sector-specific requirements including key management for payment systems (PCI PIN, HSM governance), certificate management for electronic signing under eIDAS, and crypto agility planning. SP 800-53 SC-12 is comprehensive for general key management but does not address financial sector-specific cryptographic requirements or Dutch payment infrastructure (iDEAL/Currence) key management standards.

DNB.18.4 Network security

Rationale

SC-07 boundary protection with DMZ, filtering, and segmentation. SC-08 transmission confidentiality and integrity. AC-04 information flow enforcement. AC-17 remote access security. SC-20/SC-21/SC-22 DNS security (authoritative source, resolver, architecture). SC-23 session authenticity. SP 800-53 network security controls are comprehensive, covering perimeter defence, encryption, segmentation, and protocol security.

Gaps

DNB requires network security to include network segmentation aligned with data classification, DDoS protection for customer-facing services, and network monitoring with Security Operations Centre (SOC) integration. SP 800-53 covers these substantially. DNB expects network security architecture documentation maintained and available for supervisory review.

DNB.18.5 Exchange of sensitive data

Rationale

SC-08 transmission confidentiality and integrity directly addresses data exchange security through encryption in transit. SC-12/SC-13 provide the cryptographic infrastructure for secure exchange. AC-04 information flow enforcement controls data exchange paths. AC-21 information sharing governs authorised sharing decisions. SC-16 transmission of security and privacy attributes ensures classification travels with data. SP 800-53 provides strong coverage for secure data exchange.

Gaps

DNB requires secure data exchange procedures for financial data including interbank communication (SWIFT, TARGET2), regulatory reporting data, and customer personal data. SP 800-53 addresses secure transmission comprehensively but does not prescribe financial messaging security standards (SWIFT CSP compliance) or Dutch financial infrastructure-specific data exchange protocols. DNB expects documented data exchange agreements with counterparties.

DNB.19.1 Malicious software prevention, detection and correction

Rationale

SI-03 directly covers malicious code protection including prevention, detection, and eradication across all system components. SI-04 system monitoring detects malware activity through behavioural analysis. SI-08 spam protection addresses email-borne malware. SC-44 detonation chambers provide advanced malware analysis through sandboxing. SC-18 mobile code controls restrict potentially malicious code execution. SP 800-53 malware protection controls are comprehensive.

Gaps

Minimal gap. DNB requires malware protection to cover all endpoints including ATMs, point-of-sale terminals, and specialised financial processing systems. SP 800-53 SI-03 is comprehensive. DNB expects malware protection strategy to be documented and tested, with integration into the institution's security monitoring and incident response processes.

DNB.19.2 Vulnerability management

Rationale

RA-05 vulnerability monitoring and scanning with automated tools and defined scan frequency. SI-02 flaw remediation with patching timelines and prioritisation. SI-05 security alerts, advisories, and directives for external vulnerability intelligence. RA-07 risk response for vulnerability-related risk decisions. CM-06 configuration settings to reduce vulnerability exposure. SP 800-53 vulnerability management controls are well-aligned with DNB requirements.

Gaps

DNB requires vulnerability management to include defined remediation timelines based on severity (critical: 48 hours, high: 7 days, medium: 30 days as guidance), vulnerability scanning coverage of all internet-facing and critical internal systems, and regular reporting to the CISO. SP 800-53 RA-05/SI-02 cover scanning and patching but do not prescribe specific remediation timelines. DNB expects vulnerability management metrics in board reporting.

DNB.19.3 Life cycle management

Rationale

SA-22 directly addresses unsupported system components including replacement planning and alternative risk mitigations. SA-03 system development life cycle covers the full lifecycle from conception through disposal. CM-08 system component inventory enables lifecycle tracking. PM-05 system inventory provides enterprise-level lifecycle visibility. PL-02 system security plans document lifecycle status. SP 800-53 addresses lifecycle management through multiple controls.

Gaps

DNB requires comprehensive IT asset lifecycle management from acquisition through retirement, including technology roadmaps, end-of-life planning, and migration strategies for legacy systems. SP 800-53 SA-22 addresses unsupported components and SA-03 covers SDLC but does not mandate strategic technology lifecycle planning or legacy system modernisation roadmaps. DNB expects lifecycle management integrated with the institution's IT strategy and investment planning.

DNB.20.1 Protection of security technology

Rationale

SC-07 boundary protection safeguards security infrastructure. CM-06 configuration settings hardens security technology. CM-07 least functionality minimises attack surface of security tools. AC-03 access enforcement restricts access to security management interfaces. AU-09 protection of audit information secures security log infrastructure. SC-42 sensor capability and data protection safeguards security monitoring sensors. SP 800-53 provides good coverage for protecting security infrastructure.

Gaps

DNB requires protection of security technology to include hardening of SIEM, IDS/IPS, firewalls, PKI infrastructure, and other security tools with dedicated administration networks (out-of-band management), and regular assessment of security tool effectiveness. SP 800-53 addresses protection through general controls but does not mandate dedicated security management networks or formal security tool effectiveness evaluation programmes.

DNB.21.1 Physical security measures

Rationale

PE-01 physical and environmental protection policy. PE-02 physical access authorisations. PE-03 physical access control with guards, locks, CCTV, and access control systems. PE-04 access control for transmission medium. PE-05 access control for output devices. PE-06 monitoring physical access. PE-08 visitor access records. PE-09 power equipment and cabling. SP 800-53 physical security controls are comprehensive and well-aligned with DNB data centre and office security requirements.

Gaps

DNB requires physical security measures proportionate to the criticality of the facility, with specific attention to data centre tiers (Uptime Institute standards), secure areas for financial processing, and physical security for ATM/branch networks. SP 800-53 PE controls are comprehensive for general physical security but do not prescribe financial sector-specific physical security standards for branch networks or payment infrastructure.

DNB.21.2 Physical access

Rationale

PE-02 physical access authorisations with approval and review processes. PE-03 physical access control with multiple authentication mechanisms. PE-06 monitoring physical access including CCTV and guard patrols. PE-07 visitor control within areas of the facility. PE-08 visitor access records with logging and retention. SP 800-53 physical access controls provide comprehensive coverage of DNB's physical access requirements.

Gaps

Minimal gap. DNB requires physical access controls to include visitor escort procedures, access log retention aligned with regulatory requirements, and integration of physical access management with logical access management for consistent identity governance. SP 800-53 PE family covers physical access comprehensively.

DNB.22.1 Penetration testing and ethical hacking

Rationale

CA-08 directly covers penetration testing with scope definition, methodology, and rules of engagement. CA-02 security assessments include technical testing. RA-05 vulnerability scanning complements penetration testing findings. SA-11 developer security testing includes security testing during development. SP 800-53 penetration testing controls are well-aligned with DNB's requirement for periodic penetration testing and ethical hacking.

Gaps

DNB requires penetration testing to be conducted by qualified independent testers, with scope covering internet-facing services, internal network, and social engineering. SP 800-53 CA-08 covers penetration testing but DNB expects alignment with TIBER-NL (Threat Intelligence Based Ethical Red Teaming) for systemically important institutions and annual penetration testing at a minimum. DNB expects test results reported to the management board with remediation tracking.

Methodology and Disclaimer

This coverage analysis maps from DNB Good Practice clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.

Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.

This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.