Think New York / June 19, 2018 / © 2018 IBM Corporation / #thinkroadshow

TRANSCRIPT

Page 1

Page 2

New York


Managing Regulatory Compliance

Judith Pinto, Managing Director, Promontory Financial, IBM

Page 3

Developing Strong Cloud Security Is a Strategic Imperative

• Cybersecurity risk appears on the ‘top risk’ list of almost every institution. Risks relating to cloud computing are a significant driver of cybersecurity risk because of transparency issues and reliance on third-party vendors.

• Consequently, standards setting bodies, bank regulators and internal audit functions are applying significant focus to this topic and setting heightened expectations for a robust and reliable control framework.

• The myriad of jurisdictions and regulators, together with a constantly changing environment, means that centrally managed services that help deliver a consistent and robust control framework represent a compelling and cost-effective solution.

• IBM and Promontory’s Technology Compliance Advisor managed service offering, supported by Promontory and incorporating emerging cognitive tools and automation, offers a robust solution that effectively mitigates risk and will satisfy the multiple stakeholder bodies.

Page 4

Regulators Expect the Same Level of Control in a Cloud Environment

Regulators require financial services firms to review the following before deciding to use cloud services:

• Location of data and the related legal jurisdiction

• Identity and access management

• Auditability

• Availability

• Data classification

• Encryption management

• Security incident management

• Business continuity

Page 5

Any Move to Cloud Needs an Effective Controls Framework

MONITORING, MEASURING AND MANAGEMENT INFORMATION

Monitor threats, incidents and the performance of controls

Track the performance of risk management against risk appetite, using quantitative metrics where possible

Feedback loop: from front line controls to overall strategy

STRATEGY

Set the overall strategic approach to assessing and managing risk, and the risk appetite that fits with business goals and the firm’s environment

Outline the budget, roadmap and implementation approach

CONTROLS

Define the control environment that delivers the chosen risk appetite and enforces the policy framework

GOVERNANCE

Define organizational roles and responsibilities, policy framework and arrangements for oversight of the risk profile and risk management framework

EXTERNAL COMMUNICATION AND STAKEHOLDER MANAGEMENT

Manage external reporting requirements and requests, and engagement with external stakeholders such as regulators

Page 6

Multiple Challenges Inhibit Delivery of Controls

Cloud concerns such as visibility and control

Lack of regulatory alignment

Lack of a controls database

Internal management capacity and capability

Poor fit with existing governance frameworks

Lack of overall reference framework

Need for automation and cognitive capabilities to improve processes

Need for a clear financial and operational path while in transition

Page 7

Three Cogs Underpin Cyber Risk Management

(Figure: three cogs labelled CISO, CRO and CCO, driving risk management)

Page 8

Which Need to be Integrated

(Figure: elements of the integrated cyber risk management cycle)

• Policy framework
• Compliance monitoring
• Regulatory reporting
• Compliance breach reporting
• Residual risk assessment
• Feedback to risk appetite
• Regulatory obligations inventory
• Incident planning and response
• Controls
• Testing
• Risk reporting
• Threat analysis

Core elements: Risk assessment, Governance, Risk appetite, Controls, Reporting, Risk management

Page 9

And Supported by a Control Framework

Standard Control Framework: linking to risks, regulations & controls

(Figure: the same risk management elements as on Page 8, now linked to the Standard Control Framework)

Page 10

Technology Compliance Advisor

• IBM and Promontory have developed the Technology Compliance Advisor (TCA) managed service for financial institutions, which includes:
  – Common obligations library curated from regulations and guidance issued by the major financial services regulators
  – Creation of a Technology Regulatory Framework (TRF) extended from CSA
  – Monitoring of relevant regulations for updates
  – Initial launch for IT and cloud regulations, with support for other regulatory offerings to follow

• TCA is a fully outsourced managed service available to regulated financial institutions on a subscription-based model

Page 11

Technology Controls Framework

Hybrid Cloud Compliance Controls (HC3) Framework

• Application, Systems & Interface Security
• Asset Mgmt
• Audit Assurance & Compliance
• Business Cont Mgmt & Op Resilience
• Change Control & Config Mgmt
• Data Security & Info Lifecycle Mgmt
• Datacenter Security
• Development
• Encryption & Key Mgmt
• Governance & Risk Mgmt
• Human Resources Security
• Identity & Access Mgmt
• Infrastructure & Virtualization
• Interoperability & Portability
• Mobile Security
• Physical & Environmental Mgmt
• Regulatory Requirements
• Sec Incid Mgmt, e-Disc & Cloud forensics
• Supply Chain Mgmt, Transparency & Acct
• Threat & Vulnerability Mgmt

CSA

• Application & Interface Security
• Audit Assurance & Compliance
• Business Cont Mgmt & Ops Resilience
• Change Control & Conf Mgmt
• Data Security & Info Lifecycle Mgmt
• Datacenter Security
• Encryption & Key Mgmt
• …

Enhancements required for regulatory requirements

Additions for organizations’ requirements

Other standards: ISO, NIST

Page 12

Regulatory Obligations Library

EXAMPLE REGULATIONS

North America (United States, Canada): e.g. FFIEC handbooks, NY DFS500

Europe (EU, France, Germany, Poland, United Kingdom, Ireland, Italy, Jersey, Guernsey, Switzerland, Luxembourg): e.g. GDPR, NISD

Asia | Australia (Australia, China, Hong Kong, Taiwan, Singapore, Japan, India, Malaysia, Brunei, South Korea): e.g. APRA PPG 231

Middle East (United Arab Emirates): e.g. DFSA Rulebook

Page 13

Technology Compliance Advisor Managed Service

Cognitive System for RegTech

Common Obligations Library

1. Managed service updates the obligation library, according to criteria set by IBM/Promontory, transitioning workload to Watson for RegTech
2. Controls mapped to obligations, at both framework and library levels
3. Web alerts and reports generated, tracked and published to clients via their ‘adaptor’
4. (Future) Fully automated updates to regulations and then controls, updated with changes made by each firm to their controls

Diagram elements:

• IBM Client
• Controls
• CSP/SaaS Changes
• Client-specific adapter built from assessment
• Client Control & Compliance Framework: Policies, Standards, Procedures/Processes
• GRC Tool(s)
• Optimized Control Framework and Library: NIST, CSA, ISO, COBIT, IBM Best Practices and Certifications, Regulations, Client-Specific
• Publishing: Monitoring, Mapping, Self-Assessments, Alerts, Reg Updates, Issues/Actions, Vendor Risk Management, Reporting

Page 14

10 Step Process Covered by Managed Services

• Identifying new regulations potentially relevant to IT
• Ingesting new regulations
• Parsing new regulations
• Identifying gaps or required changes
• Mapping to framework and controls
• Identifying potentially relevant new controls
• Updating of obligations library
• Report generation
• Updating of controls
• Remapping post control changes

Pages 15 to 23: repeats of the 10 Step Process slide (animation builds)

Page 24

Thank you

Judith Pinto, Managing Director

[email protected] / +1 212 542 6798

promontory.com / ibm.com

Page 25


Accelerate your cloud and data transformation

✓ Sign up for an IBM Cloud account or Watson Studio trial.

✓ Get a free, 30-minute strategy consultation.

✓ Get free expert advice on cloud, data, or AI.

✓ Create an engaging client experience with IBM Cloud Garage.

For the presentation and an additional special offer, visit the event blog: ibm.com/cloud/think/newyork
