European Banking Authority (EBA)
The EBA guidance highlights the classification and risk assessment requirements that institutions must meet with respect to criticality; as a minimum, they must consider the requirements of confidentiality, integrity, and availability. It focuses on risk mitigation based on risk assessments, on defining and implementing measures to mitigate security and ICT risks, and on protecting information assets according to their classification. Of particular relevance is the section on information security training and awareness, which emphasizes that financial institutions should establish a training program, including periodic security awareness programs, for all personnel and contractors, so that they are trained to perform their duties and responsibilities in accordance with the relevant security policies and procedures, reducing human error, theft, fraud, misuse, or loss, and so that they know how to address risks related to information security.
NISTIR 8286A. Identifying and Estimating Cybersecurity Risk for Enterprise Risk.