Think New York / June 19, 2018 / © 2018 IBM Corporation / #thinkroadshow
TRANSCRIPT
Managing Regulatory Compliance
Judith Pinto, Managing Director, Promontory Financial, IBM
Developing Strong Cloud Security Is a Strategic Imperative
• Cybersecurity risk appears on the 'top risk' list of almost every institution. Risks relating to cloud computing are a significant driver of cybersecurity risk because of limited transparency into the provider's environment and reliance on third-party vendors.
• Consequently, standards-setting bodies, bank regulators and internal audit functions are applying significant focus to this topic and setting heightened expectations for a robust and reliable control framework.
• The myriad of jurisdictions and regulators, and a constantly changing environment, mean that centrally managed services that help deliver a consistent and robust control framework represent a compelling and cost-effective solution.
• IBM and Promontory's Technology Compliance Advisor managed service offering, supported by Promontory and incorporating emerging cognitive tools and automation, offers a robust solution that mitigates risk and is designed to satisfy the multiple stakeholder bodies.
Regulators Expect the Same Level of Control in a Cloud Environment
Regulators require financial services firms to review the following before deciding to use cloud services:
• Location of data and the related legal jurisdiction
• Identity and access management
• Auditability
• Availability
• Data classification
• Encryption management
• Security incident management
• Business continuity
Any Move to Cloud Needs an Effective Controls Framework
MONITORING, MEASURING AND MANAGEMENT INFORMATION
Monitor threats, incidents and the performance of controls
Track the performance of risk management against risk appetite, using quantitative metrics where possible
Feedback loop from front-line controls to overall strategy
STRATEGY
Set the overall strategic approach to assessing and managing risk, and the risk appetite that fits with business goals and the firm’s environment
Outline the budget, roadmap and implementation approach
CONTROLS
Define the control environment that delivers the chosen risk appetite and enforces the policy framework
GOVERNANCE
Define organizational roles and responsibilities, policy framework and arrangements for oversight of the risk profile and risk management framework
EXTERNAL COMMUNICATION AND STAKEHOLDER MANAGEMENT
Manage external reporting requirements and requests, and engagement with external stakeholders such as regulators
Multiple Challenges Inhibit Delivery of Controls
Cloud concerns such as visibility and control
Lack of regulatory alignment
Lack of a controls database
Internal management capacity and capability
Poor fit with existing governance frameworks
Lack of overall reference framework
Need for automation and cognitive capabilities to improve processes
Need for a clear financial and operational path while in transition
Three Cogs Underpin Cyber Risk Management
[Figure: three interlocking cogs labelled Governance, Risk management and Controls, with Risk appetite and Reporting shown as the links between them and the CISO, CRO and CCO labelled alongside. Elements shown on the cogs: policy framework; compliance monitoring; regulatory reporting; compliance breach reporting; residual risk assessment; feedback to risk appetite; regulatory obligations inventory; incident planning and response; controls; testing; risk reporting; threat analysis; risk assessment.]
Which Need to be Integrated
Linking to risks, regulations & controls
And Supported by a Control Framework
[Figure: the same three cogs, now linked to a Standard Control Framework.]
Technology Compliance Advisor
• IBM and Promontory have developed the Technology Compliance Advisor (TCA) managed service for financial institutions, which includes:
  – Common obligations library curated from regulations and guidance issued by the major financial services regulators
  – Creation of a Technology Regulatory Framework (TRF) extended from the Cloud Security Alliance (CSA) control domains
  – Monitoring of relevant regulations for updates
  – Initial launch for IT and cloud regulations, with support for other regulatory offerings to follow
• TCA is a fully outsourced managed service available to regulated financial institutions on a subscription-based model
Technology Controls Framework: Hybrid Cloud Compliance Controls (HC3) Framework
HC3 control domains:
• Application, Systems & Interface Security
• Asset Mgmt
• Audit Assurance & Compliance
• Business Cont Mgmt & Op Resilience
• Change Control & Config Mgmt
• Data Security & Info Lifecycle Mgmt
• Datacenter Security
• Development
• Encryption & Key Mgmt
• Governance & Risk Mgmt
• Human Resources Security
• Identity & Access Mgmt
• Infrastructure & Virtualization
• Interoperability & Portability
• Mobile Security
• Physical & Environmental Mgmt
• Regulatory Requirements
• Sec Incid Mgmt, e-Disc & Cloud forensics
• Supply Chain Mgmt, Transparency & Acct
• Threat & Vulnerability Mgmt
[Figure: HC3 is built up in layers from the CSA control domains (Application & Interface Security; Audit Assurance & Compliance; Business Cont Mgmt & Ops Resilience; Change Control & Conf Mgmt; Data Security & Info Lifecycle Mgmt; Datacenter Security; Encryption & Key Mgmt; …), plus enhancements required for regulatory requirements, additions for organizations' requirements, and other standards (ISO, NIST).]
Regulatory Obligations Library
EXAMPLE REGULATIONS by region:
• North America (United States, Canada), e.g. FFIEC handbooks, NY DFS 500
• Europe (EU, France, Germany, Poland, United Kingdom, Ireland, Italy, Jersey, Guernsey, Switzerland, Luxembourg), e.g. GDPR, NISD
• Asia | Australia (Australia, China, Hong Kong, Taiwan, Singapore, Japan, India, Malaysia, Brunei, South Korea), e.g. APRA PPG 231
• Middle East (United Arab Emirates), e.g. DFSA Rulebook
Technology Compliance Advisor Managed Service
[Figure: a Cognitive System for RegTech maintains the Common Obligations Library and an Optimized Control Framework and Library drawn from NIST, CSA, ISO, COBIT, IBM Best Practices and Certifications, Regulations and Client-Specific content. On the IBM Client side sit the client's Controls, CSP/SaaS Changes, a Client-specific adapter built from assessment, the Client Control & Compliance Framework (Policies, Standards, Procedures/Processes) and the client's GRC Tool(s). Service functions: Publishing, Monitoring, Mapping, Self-Assessments, Alerts, Reg Updates, Issues/Actions, Vendor Risk Management, Reporting.]
1. Managed service updates the obligation library, according to criteria set by IBM/Promontory, transitioning workload to Watson for RegTech
2. Controls mapped to obligations, at both framework and library levels
3. Web alerts and reports generated, tracked and published to clients via their 'adaptor'
4. (Future) Fully automated updates to regulations and then controls, updated with changes made by each firm to their controls
10 Step Process Covered by Managed Services
1. Identifying new regulations potentially relevant to IT
2. Ingesting new regulations
3. Parsing new regulations
4. Identifying gaps or required changes
5. Mapping to framework and controls
6. Identifying potentially relevant new controls
7. Updating of obligations library
8. Report generation
9. Updating of controls
10. Remapping post control changes
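The core of the process above is a data model that links parsed obligations to framework controls and can answer two questions: which obligations have no live control behind them (step 4, gaps), and which obligations lose cover when a control is changed or retired (steps 9 and 10, remapping). The following is an added example written for this page; it is not IBM's, Promontory's or TCA's code. The obligation and control identifiers, the regulation "Reg-A" and the domain-equality heuristic used to propose mappings are all constructed assumptions: in the managed service the mapping and the cognitive parsing are far richer, and a reviewer still has to confirm each proposed control actually satisfies the obligation.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# All identifiers, obligations and controls below are constructed for this
# example; they are not IBM's, Promontory's or any regulator's own data.


@dataclass(frozen=True)
class Obligation:
    obligation_id: str   # stable id assigned when the regulation is parsed
    source: str          # regulation the obligation was parsed from
    domain: str          # framework control domain it concerns
    text: str


@dataclass
class Control:
    control_id: str
    domain: str
    description: str
    retired: bool = False  # a retired control no longer covers anything


@dataclass
class Library:
    """Obligations library plus the obligation -> control mapping."""

    obligations: dict[str, Obligation] = field(default_factory=dict)
    controls: dict[str, Control] = field(default_factory=dict)
    mapping: dict[str, set[str]] = field(default_factory=dict)

    def ingest(self, parsed: list[Obligation]) -> list[str]:
        """Add parsed obligations; ids already present are left untouched."""
        added = []
        for ob in parsed:
            if ob.obligation_id not in self.obligations:
                self.obligations[ob.obligation_id] = ob
                self.mapping.setdefault(ob.obligation_id, set())
                added.append(ob.obligation_id)
        return added

    def propose_controls(self, obligation_id: str) -> set[str]:
        """Propose live controls in the obligation's domain and record them.

        Domain equality stands in for the real mapping step (assumption);
        a reviewer must still confirm each proposed control meets the text.
        """
        domain = self.obligations[obligation_id].domain
        proposed = {c.control_id for c in self.controls.values()
                    if c.domain == domain and not c.retired}
        self.mapping[obligation_id] |= proposed
        return proposed

    def gaps(self) -> list[str]:
        """Obligations with no live (non-retired) control mapped to them."""
        return sorted(
            oid for oid, cids in self.mapping.items()
            if not any(not self.controls[c].retired for c in cids))

    def coverage(self) -> dict[str, tuple[int, int]]:
        """Per source regulation: (obligations covered, obligations total)."""
        gap_ids = set(self.gaps())
        out: dict[str, tuple[int, int]] = {}
        for ob in self.obligations.values():
            covered, total = out.get(ob.source, (0, 0))
            out[ob.source] = (covered + (ob.obligation_id not in gap_ids), total + 1)
        return out

    def retire_control(self, control_id: str) -> list[str]:
        """Retire a control; return the obligations it leaves without cover."""
        self.controls[control_id].retired = True
        affected = {oid for oid, cids in self.mapping.items() if control_id in cids}
        return sorted(affected & set(self.gaps()))


# Constructed sample controls, tagged with HC3-style domain names.
SAMPLE_CONTROLS = [
    Control("IAM-01", "Identity & Access Mgmt", "Privileged access is reviewed quarterly"),
    Control("IAM-02", "Identity & Access Mgmt", "MFA is enforced for privileged access"),
    Control("EKM-01", "Encryption & Key Mgmt", "Data at rest and in transit is encrypted"),
    Control("SIM-01", "Security Incident Mgmt", "Incidents are triaged within 24 hours"),
]

# Constructed obligations "parsed" from a hypothetical regulation Reg-A.
SAMPLE_OBLIGATIONS = [
    Obligation("REGA-1", "Reg-A", "Identity & Access Mgmt",
               "Use multi-factor authentication for privileged access"),
    Obligation("REGA-2", "Reg-A", "Encryption & Key Mgmt",
               "Encrypt nonpublic information at rest and in transit"),
    Obligation("REGA-3", "Reg-A", "Business Cont Mgmt & Op Resilience",
               "Maintain and exercise a business continuity plan"),
]


def build_sample_library() -> Library:
    lib = Library()
    for c in SAMPLE_CONTROLS:
        lib.controls[c.control_id] = c
    return lib


def run_cycle(lib: Library, parsed: list[Obligation]) -> dict:
    """One pass: ingest, propose mappings for new obligations, report gaps."""
    added = lib.ingest(parsed)
    proposed = {oid: lib.propose_controls(oid) for oid in added}
    return {"added": added, "proposed": proposed,
            "gaps": lib.gaps(), "coverage": lib.coverage()}


if __name__ == "__main__":
    lib = build_sample_library()
    print(run_cycle(lib, SAMPLE_OBLIGATIONS))
    print("remap after retiring EKM-01:", lib.retire_control("EKM-01"))
```

Running the cycle on the constructed data maps REGA-1 and REGA-2 but reports REGA-3 as a gap, because no control exists in its domain; retiring EKM-01 then surfaces REGA-2 as needing remapping without touching the obligations library itself, and re-ingesting the same regulation adds nothing, so a monitoring feed can be replayed safely.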
Accelerate your cloud and data transformation
• Sign up for an IBM Cloud account or Watson Studio trial.
• Get a free, 30-minute strategy consultation.
• Get free expert advice on cloud, data, or AI.
• Create an engaging client experience with IBM Cloud Garage.
For the presentation and additional special offer, visit the event blog: ibm.com/cloud/think/newyork