Page 1

COMPLIANCE OF TRUST AND SECURITY

Juan Bareño, Atos Origin SAE

Page 2

Introduction

• Compliance Management Current State

– Today's challenges

– Current basic monitoring solutions

– Remaining gaps

• Identify the Future Compliance Management needs

– NESSI Projects' main innovations and results

– NESSI Projects' contribution to the Future Platform

– Answers to the remaining gaps

• What NESSI Projects can provide to the NEXOF-RA reference model

Valencia, 12 and 13 April 2010 NESSI Projects Summit

Page 3

Today's challenges for organizations

• Risks related to rapidly changing regulatory requirements

• Risks associated with complex heterogeneous information systems and fast moving new technologies

• Risks associated with dynamic relationships in SOA-enabled business processes

• High cost of resulting internal and external audit fees

(Figure: sources of pressure on the organization: Regulators, Standards Bodies, Best practices, Offshore, Outsourcing)

Page 4

The iceberg of risk

Source: Teleconference Why A GRC Software Platform? Forrester 2007

Page 5

Risk Audit considerations

• Compliance rules are often scattered throughout the company (internal/external)

– IT processes have not been updated to support the increased rate of change introduced by SOA-enabled business processes

• Existing monitoring solutions:

– Do not provide the right information to the appropriate management level

– Leave too much access to sensitive information

– Do not cover all risks, or are not updated to cover new risks (changes in legal requirements, changes in information systems)

• Internal Auditors are therefore expected to:

– Understand new technologies and the risks introduced by SOA-enabled business processes

– Advise management on appropriate monitoring tools: Continuous Auditing, Continuous Monitoring, monitoring tools

Page 6

Compliance Management Current State

• Managed in silos

• Mostly reactionary

• People used as middleware

• Limited and fragmented use of technology

• More projects than programs

• Handled separately from mainstream processes and decision-making

Source: Open Compliance & Ethics Group

Page 7

Components required to manage GRC

• Analytics environment: Information on which to base codified and ad hoc risk mitigation decisions should include all appropriate data, optimally utilized in a preventive, preemptive, and predictive controls-management-driven environment.

• Monitoring environment: A single system should be capable of providing real-time capture, workflow prioritization, and case management of GRC breaks, and, in batch, the equivalent for incremental breaks over time.

• Case Management environment: There must be a way to manage the necessary data, document the audit trail, measure impact/fallout, and quantify, categorize, and report enterprise risk management (ERM) outcomes.

• Policy/control environment: Documentation and communication of policies, procedures, controls, and practices is the foundation for GRC management.

Source: Teleconference Why A GRC Software Platform? Forrester 2007

Page 8

Future Compliance Management State

• Effective use of information technology

• Architected solutions

• Embedded within mainstream processes and decision-making

• Enterprise approach

• Integrated GRC

Page 9

Today's solutions for the Future Platform

• A number of approaches, such as business rules or composition concepts for services, have been proposed...

• ...but none of these approaches offers a unified approach with which all kinds of compliance rules can be tackled

• Additionally, vendor solutions exist, but they are not appropriate for SOA-enabled business processes

Page 10

However the following questions remain

• GRC Lifecycle Gap: How can management be sure that top-level policies are fully covered by the controls that are implemented?

• Control failure: How can management be sure that the controls implemented:

– are never bypassed?

– always function correctly?

• Heterogeneous & legacy systems: How can management implement controls across heterogeneous Information System environments and legacy systems?

• Third-parties: How can management be sure that service providers have an appropriate level of internal control?

Page 11

NESSI Projects' main innovations and results

• MASTER links business-level challenges to operational compliance management:

– Decision support on key security/assurance indicators

– A trusted monitoring infrastructure for SOA-enabled business processes

– An infrastructure for enforcement of the security policy by preventive and reactive control

• COMPAS addresses a major shortcoming in today's approach to designing SOAs, covering:

– Service composition policies, service deployment policies

– Information sharing/exchange policies, security policies, QoS policies

– Business policies, jurisdictional policies, preference rules, intellectual property and licenses

Page 12

NESSI Projects' Contribution to the Future Platform

(Figure: contributions grouped as in the original diagram)

– Policy verification; evidence model; evidence collection; code annotation; automatic reaction

– SOA approach; signal filtering; CEP capability

– Privacy-preserving mechanisms; secured platform

– Compliance-centric approach; repository of policies; common language; MASTER's methodology

– SOA approach; code annotation; decoupled policies

– Design workbench; language framework; specification policy; implementation policy; configuration policy; KSI & KAI concepts

– Control cockpit; design workbench; repository; risk analysis; KAI & KSI concepts

Source: Open Compliance & Ethics Group

Page 13

New Approach provided

(Figure: lifecycle phases Modelling, Specification, Static verification/validation, Generation, Dynamic verification and validation, Using, all spanned by Governance and Monitoring)

CURRENT PRACTICE:

– per-case basis

– no generic strategy

– ad hoc, hand-crafted solutions

COMPAS:

– unified framework

– agile

– extensible, tailorable

– domain orientation

– automation

– etc.

Page 14

Answers to the remaining questions

• GRC gap: policy decisions are taken at senior management level, while controls are deployed and operated elsewhere. Answer: bottom-up approach; KAI and KSI concepts.

• Control failure: controls may be bypassed or may malfunction when faced with clever malicious users, system changes or outages. Answer: KSI correctness & effectiveness computation; control by reaction.

• Heterogeneous & legacy IT: heterogeneous and legacy systems make the implementation of controls across all business processes difficult. Answer: centralized policy repository; SOA approach.

• Third parties: third parties have their own way of working, which might not always be compliant with the organization's policies, despite contractual agreements and annual audits. Answer: PRM concepts.

(Figure labels: Business Process, Control process)

Page 15

What NESSI Projects can provide to the NEXOF-RA reference model

(Figure: Conceptual Model, Methodology, MASTER Architecture with Online Enforcement, Run-time Monitoring and Signalling, Design-Time Workbench, Assessment Cockpit)

• A complete security compliance assurance and auditing infrastructure for highly dynamic service-oriented infrastructures:

– A risk management methodology to manage compliance requirements.

– Indicators tailored to compliance, to measure levels of compliance.

– A component architecture that can deliver these indicators.

Page 16

Summary

• NESSI Projects bridge the gap between current auditing practices...

• ...and the need for automated and trustworthy evidence collection in Future Internet enabled business processes.

• Some key innovations:

– Key indicators (Security/Assurance)

– Protection and Regulatory Models (PRM)

– Protection-Level Agreements (PLAs)

Page 17

We thank our Sponsors