COMPLIANCE OF TRUST AND SECURITY
Juan Bareño, Atos Origin SAE
Introduction
• Compliance Management Current State
– Today's challenges
– Current monitoring basic solutions
– Remaining gaps
• Identify the Future Compliance Management needs
– NESSI Projects' main innovations and results
– NESSI Projects' contribution to the Future Platform
– Answers to the remaining gaps
• What NESSI Projects can provide to NEXOF-RA reference model
Valencia, 12 and 13 April 2010 NESSI Projects Summit
Today's organizations' challenges
• Risks related to rapidly changing regulatory requirements
• Risks associated with complex heterogeneous information systems and fast moving new technologies
• Risk associated with dynamic relationships with SOA enabled business processes
• High cost of resulting internal and external audit fees
The iceberg of risk (figure; labels: Regulators, Standards Bodies, Best practices, Offshore, Outsourcing)
Source: Teleconference Why A GRC Software Platform? Forrester 2007
Risk Audit considerations
• Compliance rules are often scattered throughout the company (internal/external)
– IT processes have not been updated to support the increased changes introduced by SOA business enabled processes
• Existing monitoring solutions:
– Do not provide the right information to the appropriate management level
– Leave too much access to sensitive information
– Do not cover all risks, or are not updated to cover new risks (changes in legal requirements, changes in information systems)
• Internal Auditors are therefore being expected to:
– Understand new technologies and the risks associated with SOA business enabled processes
– Advise management on appropriate monitoring tools: Continuous Auditing, Continuous Monitoring, monitoring tools
Compliance Management Current State
• Managed in silos
• Mostly reactionary
• People used as middleware
• Limited and fragmented use of technology
• More projects than programs
• Handled separately from mainstream processes and decision-making
Source: Open Compliance & Ethics Group
Components required to manage GRC
• Analytics environment: information on which to base codified and ad hoc risk mitigation decisions should include all appropriate data, optimally utilized in a preventive, preemptive, and predictive controls-management-driven environment.
• Monitoring environment: a single system should be capable of providing real-time capture, workflow prioritization, and case management of GRC breaks, and a batch equivalent for incremental breaks over time.
• Case management environment: there must be a way to manage the necessary data, document the audit trail, measure impact/fallout, and quantify, categorize, and report enterprise risk management (ERM) outcomes.
• Policy/control environment: documentation and communication of policies, procedures, controls, and practices are the foundation for GRC management.
Source: Teleconference Why A GRC Software Platform? Forrester 2007
Future Compliance Management State
• Effective use of information technology
• Architected solutions
• Embedded within mainstream processes and decision-making
• Enterprise approach
• Integrated GRC
Today's solutions for the Future Platform
• A number of approaches, such as business rules or composition concepts for services, have been proposed...
• ...but none of these approaches offers a unified approach with which all kinds of compliance rules can be tackled
• Additionally, vendors' solutions exist, but they are not appropriate for SOA business enabled processes
However, the following questions remain
• GRC Lifecycle Gap: How can management be sure that top-level policies are fully covered by the controls that are implemented?
• Control failure: How can management be sure that the controls implemented:
– are never bypassed?
– always function correctly?
• Heterogeneous & legacy systems: How can management implement controls across heterogeneous Information System environments and legacy systems?
• Third-parties: How can management be sure that service providers have an appropriate level of internal control?
NESSI Projects' main innovations and results
• MASTER links business level challenges to operational compliance management:
– Decision Support on key security/assurance indicators
– A trusted Monitoring Infrastructure for the SOA business enabled processes
– An Infrastructure for Enforcement of the security policy by preventive and reactive control
• COMPAS addresses a major shortcoming in today's approach to designing SOAs:
– Service composition policies, Service deployment policies
– Information sharing/exchange policies, Security policies, QoS policies
– Business policies, jurisdictional policies, preference rules, intellectual property and licenses
NESSI Projects' Contribution to the Future Platform (figure; contributions grouped as listed)
– Policy Verification, Evidence model, Evidence collection, Code annotation, Automatic reaction
– SOA approach, Signal filtering, CEP capability
– Privacy-preserving mechanisms, Secured platform
– Compliance Centric Approach, Repository of policies, Common Language, MASTER's methodology
– SOA approach, Code annotation, Decoupled Policies
– Design Workbench, Language Framework, Specification Policy, Implementation Policy, Configuration Policy, KSI & KAI concepts
– Control Cockpit, Design Workbench, Repository, Risk analysis, KAI & KSI concepts
Source: Open Compliance & Ethics Group
New Approach provided
(figure: lifecycle stages Modelling, Specification, Static verification/validation, Generation, Dynamic verification and validation, Using; vertical label: Governance and Monitoring)
CURRENT PRACTICE:
– per case basis
– no generic strategy
– ad hoc, hand-crafted solutions
COMPAS:
– unified framework
– agile
– extensible, tailor-able
– domain-orientation
– automation
– etc.
Answers to the remaining questions
• GRC gap: Policy decisions at a senior management level vs. deployment and operation of controls
– Answer: Bottom-up approach; KAI and KSI concepts
• Control failure: Controls may be bypassed or may malfunction when faced with clever malicious users (system changes or outages)
– Answer: KSI correctness & effectiveness computation; Control by Reaction
• Heterogeneous & legacy IT: Heterogeneous & legacy systems make the implementation of controls across all business processes difficult
– Answer: Centralized policy repository; SOA approach
• Third parties: Third-parties have their own way of working, which might not always be compliant with the organization's policies, despite contractual agreements and annual audits
– Answer: PRM concepts
(figure labels: Business Process, Control process)
What NESSI Projects can provide to NEXOF-RA reference model
Conceptual Model
Methodology
MASTER Architecture
Online Enforcement
Run-time Monitoring and Signalling
Design-Time Workbench
Assessment Cockpit
• A complete security compliance assurance and auditing infrastructure for highly dynamic service-oriented infrastructures:
– Risk Management Methodology to manage compliance requirements.
– Indicators tailored for compliance to measure levels of compliance
– A component architecture that can deliver these indicators.
Summary
• NESSI Projects bridge the gap between current auditing practices...
• ...and the needs for automated and trustworthy evidence collection in Future Internet enabled business processes.
• Some key innovations:
– Key indicators (Security/Assurance)
– Protection and Regulatory Models (PRM)
– Protection-Level Agreements (PLAs)
We thank our Sponsors