
COMPLIANCE OF TRUST AND SECURITY Juan Bareño , Atos Origin SAE



  1. COMPLIANCE OF TRUST AND SECURITY Juan Bareño, Atos Origin SAE

  2. Introduction
  • Compliance Management Current State
  • Today's challenges
  • Current basic monitoring solutions
  • Remaining gaps
  • Identify the future Compliance Management needs
  • NESSI Projects' main innovations and results
  • NESSI Projects' contribution to the Future Platform
  • Answers to the remaining gaps
  • What NESSI Projects can provide to the NEXOF-RA reference model
  NESSI Projects Summit

  3. Today's organizations' challenges
  (Diagram: Regulators, Standards Bodies, Best practices, Outsourcing, Offshore)
  • Risks related to rapidly changing regulatory requirements
  • Risks associated with complex, heterogeneous information systems and fast-moving new technologies
  • Risks associated with dynamic relationships in SOA-enabled business processes
  • High cost of the resulting internal and external audit fees

  4. The iceberg of risk (figure)
  Source: Teleconference "Why A GRC Software Platform?", Forrester 2007

  5. Risk audit considerations
  • Compliance rules are often scattered throughout the company (internal/external)
  • IT processes have not been updated to support the increased rate of change introduced by SOA-enabled business processes
  • Existing monitoring solutions:
    • do not provide the right information to the appropriate management level
    • leave too much access to sensitive information
    • do not cover all risks, or are not updated to cover new risks (changes in legal requirements, changes in information systems)
  • Internal auditors are therefore expected to:
    • understand new technologies and the risks introduced by SOA-enabled business processes
    • advise management on appropriate monitoring tools: continuous auditing, continuous monitoring, monitoring tools

  6. Compliance Management Current State
  • Managed in silos
  • Mostly reactive
  • More projects than programs
  • Handled separately from mainstream processes and decision-making
  • People used as middleware
  • Limited and fragmented use of technology
  Source: Open Compliance & Ethics Group

  7. Components required to manage GRC
  • Policy/control environment: documentation and communication of policies, procedures, controls, and practices is the foundation for GRC management.
  • Monitoring environment: a single system should be capable of providing real-time capture, workflow prioritization, and case management of GRC breaks, and a batch equivalent for incremental breaks over time.
  • Case management environment: there must be a way to manage the necessary data, document the audit trail, measure impact/fallout, and quantify, categorize, and report enterprise risk management (ERM) outcomes.
  • Analytics environment: information on which to base codified and ad hoc risk mitigation decisions should include all appropriate data, optimally utilized in a preventive, preemptive, and predictive controls-management-driven environment.
  Source: Teleconference "Why A GRC Software Platform?", Forrester 2007

  8. Future Compliance Management State
  • Embedded within mainstream processes and decision-making
  • Effective use of information technology
  • Architected solutions
  • Enterprise approach
  • Integrated GRC

  9. Today's solutions for the Future Platform
  • A number of approaches, such as business rules or composition concepts for services, have been proposed...
  • ...but none of these approaches offers a unified approach with which all kinds of compliance rules can be tackled
  • Vendor solutions exist, but they are not suited to SOA-enabled business processes

  10. However, the following questions remain
  • GRC lifecycle gap: how can management be sure that top-level policies are fully covered by the controls that are implemented?
  • Control failure: how can management be sure that the controls implemented:
    • are never bypassed?
    • always function correctly?
  • Heterogeneous & legacy systems: how can management implement controls across heterogeneous information system environments and legacy systems?
  • Third parties: how can management be sure that service providers have an appropriate level of internal control?

  11. NESSI Projects' main innovations and results
  MASTER links business-level challenges to operational compliance management:
  • Decision support on key security/assurance indicators
  • A trusted monitoring infrastructure for SOA-enabled business processes
  • An infrastructure for enforcement of the security policy by preventive and reactive control
  COMPAS addresses a major shortcoming in today's approach to designing SOAs, covering: service composition policies, service deployment policies, information sharing/exchange policies, security policies, QoS policies, business policies, jurisdictional policies, preference rules, intellectual property and licenses

  12. NESSI Projects' contribution to the Future Platform
  (Two-column slide; the column layout was not preserved in extraction. Items as listed:)
  • Design Workbench
  • Language Framework
  • Specification Policy
  • Implementation Policy
  • Configuration Policy
  • KSI & KAI concepts
  • Control Cockpit
  • Design Workbench
  • Repository
  • Risk analysis
  • KAI & KSI concepts
  • SOA approach
  • Code annotation
  • Decoupled Policies
  • Policy Verification
  • Evidence model
  • Evidence collection
  • Code annotation
  • Automatic reaction
  • Privacy-preserving mechanisms
  • Secured platform
  • SOA approach
  • Signal filtering
  • CEP capability
  • Compliance-centric approach
  • Repository of policies
  • Common Language
  • MASTER's methodology
  Source: Open Compliance & Ethics Group

  13. New approach provided
  • COMPAS:
    • unified framework
    • agile
    • extensible, tailorable
    • domain orientation
    • automation
    • etc.
  • CURRENT PRACTICE:
    • per-case basis
    • no generic strategy
    • ad hoc, hand-crafted solutions

  14. Answers to the remaining questions
  (Diagram layers: Governance Board, CISO; Business operations, Business managers; Technical operations, System administrators; Third parties; set against Business process, Control process, Heterogeneous & legacy IT)
  • GRC gap: policy decisions are taken at senior management level, while controls are deployed and operated lower down. Answer: bottom-up approach; KAI and KSI concepts.
  • Control failure: controls may be bypassed or may malfunction when faced with clever malicious users, system changes or outages. Answer: KSI correctness & effectiveness computation; control by reaction.
  • Heterogeneous & legacy IT: heterogeneous and legacy systems make the implementation of controls across all business processes difficult. Answer: centralized policy repository; SOA approach.
  • Third parties: third parties have their own way of working, which might not always be compliant with the organization's policies, despite contractual agreements and annual audits. Answer: PRM concepts.
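The four answers on slide 14 can be shown in miniature: a central policy repository, controls mapped to policies (so uncovered policies surface as a GRC gap), evidence collected from heterogeneous systems, a key security indicator (KSI) computed per policy from that evidence, and an automatic reaction when a control is found ineffective. The following is an added example written for this transcript; it is not MASTER or COMPAS code, and every policy, control, evidence event, time window and reaction name in it is constructed for illustration.

```python
# Added illustration of slide 14, not MASTER/COMPAS code. Policies, controls,
# evidence events, freshness windows and the reaction are all constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Control:
    control_id: str
    policy_id: str       # top-level policy this control implements
    source_system: str   # heterogeneous sources feed one central view
    max_silence_s: int   # no fresh evidence within this window => treat as bypassed


@dataclass(frozen=True)
class Evidence:
    control_id: str
    ts: int              # seconds since epoch (constructed values below)
    passed: bool


# Centralized policy repository (constructed).
POLICIES: Dict[str, str] = {
    "P-SOD": "Segregation of duties on payment approval",
    "P-ACC": "Access to customer PII is logged and reviewed",
    "P-RET": "Financial records retained for seven years",
}

# Controls mapped to policies; note that nothing implements P-RET.
CONTROLS: List[Control] = [
    Control("C-SOD-1", "P-SOD", "ERP", 3600),
    Control("C-ACC-1", "P-ACC", "legacy-mainframe", 600),
    Control("C-ACC-2", "P-ACC", "3rd-party-SaaS", 86400),
]

# Evidence collected from the three systems (constructed sample).
NOW = 100_000
EVIDENCE: List[Evidence] = [
    Evidence("C-SOD-1", 99_000, True),   # fresh and passing
    Evidence("C-ACC-1", 98_000, True),   # passing but 2000 s old; window is 600 s
    Evidence("C-ACC-2", 50_000, True),   # 50 000 s old; window is 86 400 s, still fresh
]


def coverage_gaps(policies: Dict[str, str], controls: List[Control]) -> List[str]:
    """GRC lifecycle gap: policies that no implemented control claims to cover."""
    covered = {c.policy_id for c in controls}
    return sorted(p for p in policies if p not in covered)


def latest_evidence(control_id: str, evidence: List[Evidence]) -> Optional[Evidence]:
    mine = [e for e in evidence if e.control_id == control_id]
    return max(mine, key=lambda e: e.ts) if mine else None


def control_effective(control: Control, evidence: List[Evidence], now: int) -> bool:
    """A control counts as effective only if its latest evidence is passing and
    recent. Silence is treated as failure: a control that stopped reporting may
    have been bypassed or may be down, and the monitor cannot tell which."""
    e = latest_evidence(control.control_id, evidence)
    return e is not None and e.passed and (now - e.ts) <= control.max_silence_s


def ksi(policy_id: str, controls: List[Control], evidence: List[Evidence], now: int) -> float:
    """Key security indicator for one policy: share of its controls that are
    effective right now. A policy with no controls at all scores 0.0."""
    mine = [c for c in controls if c.policy_id == policy_id]
    if not mine:
        return 0.0
    return sum(control_effective(c, evidence, now) for c in mine) / len(mine)


def failed_controls(controls: List[Control], evidence: List[Evidence], now: int) -> List[str]:
    return sorted(c.control_id for c in controls if not control_effective(c, evidence, now))


def react(control_id: str) -> str:
    """Control by reaction (illustrative): the action fired automatically when a
    control is found ineffective. Here it only names the action."""
    return f"escalate-and-block:{control_id}"


def assessment(policies: Dict[str, str], controls: List[Control],
               evidence: List[Evidence], now: int) -> Dict[str, object]:
    """What a control cockpit would show: per-policy KSIs, uncovered policies,
    failed controls, and the reactions fired for them."""
    failed = failed_controls(controls, evidence, now)
    return {
        "ksi": {p: ksi(p, controls, evidence, now) for p in policies},
        "coverage_gaps": coverage_gaps(policies, controls),
        "failed_controls": failed,
        "reactions": [react(c) for c in failed],
    }


if __name__ == "__main__":
    for key, value in assessment(POLICIES, CONTROLS, EVIDENCE, NOW).items():
        print(key, value)
```

On the constructed data, P-RET shows up as a coverage gap (no control implements it), C-ACC-1 is reported as failed because its last evidence is older than its freshness window, so the KSI for P-ACC drops to 0.5 and one reaction fires. Treating stale evidence as failure is the design choice that matters here: a control that has gone quiet is exactly the "bypassed or malfunctioning" case the slide warns about, and a monitor that only reacts to explicit failure events will miss it.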

  15. What NESSI Projects can provide to the NEXOF-RA reference model
  Conceptual model / MASTER architecture (diagram components: Design-Time Workbench, Methodology, Assessment Cockpit, Online Enforcement, Run-time Monitoring and Signalling)
  • A complete security compliance assurance and auditing infrastructure for highly dynamic service-oriented infrastructures
  • A risk management methodology to manage compliance requirements
  • Indicators tailored for compliance, to measure levels of compliance
  • A component architecture that can deliver these indicators

  16. Summary
  • NESSI Projects bridge the gap between current auditing practices...
  • ...and the need for automated and trustworthy evidence collection in Future Internet-enabled business processes.
  • Some key innovations:
    • Key indicators (security/assurance)
    • Protection and Regulatory Models (PRM)
    • Protection-Level Agreements (PLAs)

  17. We thank our Sponsors
