The vision of DNB on cloud computing · 2019-07-26
TRANSCRIPT
The vision of DNB on the supervision of cloud computing
CBCS: Information Technology Service Management Seminar
Evert Koning, 18 November 2014
Financial industry in the Netherlands

Institution type          Number
Banking                   100
Insurance companies       300
Pension funds             350
Investment firms          350
Trust and payment firms   400
Total                     1500
Strategy
Supervision focuses on the protection of the interests of creditors/consumers and on the stability and integrity of the financial system.
This means that Supervision must be kept posted on, and understand, what institutions are doing and how they manage and control their risks.
Timely identify relevant developments and threats and advise on them.
Strategy of ICT supervision
ICT focus: strategy with differentiation
An institution of some magnitude is not viable without ICT.
Supervision needs to make certain that the institutions recognise and adequately manage ICT-related risks.
Mission statement of EC-ICT
Was:
To offer the maximum added value for general Supervision specifically, as well as for the Central Bank as a whole, by means of effective and efficient use of people and tools, with the focus on the different expertises within the department.
Is:
To achieve, through effective and efficient means, adequate control of IT risks by supervised institutions.
Supervision cycle
Assessment of risks
Organisation EC-ICT
• 10 IT examiners
• No hierarchy
• 3 levels of experience
• Flexibility
• Account structure T5 and T4
Cloud computing
Cloud computing qualifies as a form of outsourcing, so the same legal requirements apply:
Risks need to be demonstrably known and mitigated.
Outsourcing to third parties may not obstruct supervision by DNB.
http://www.toezicht.dnb.nl/en/binaries/Circulaire%20cloud%20computing_tcm51-224828.pdf
Legal Framework Outsourcing
Specific rules for outsourcing (6 articles)
Outsourcing is not allowed if it obstructs prudential supervision of the institution (art. 27).
Outsourcing is not allowed if it harms the independent internal audit and compliance process (art. 28).
The institution needs to have a sourcing strategy and detailed procedures in place to manage the outsourcing (art. 29).
The institution needs to have sufficient procedures, knowledge and information to assess the outsourced processes (art. 30).
A sufficient written outsourcing agreement is mandatory (art. 31).
The above articles do not apply if the processes are outsourced to a company in another country that is part of the group of the financial institution (art. 32).
Legal Framework
Specific rules for risk management (4 articles)
Policy regarding the control of risks is documented in detailed procedures and measures to control risks; the risk analysis is systematic and independent (art. 23).
The institution supervises compliance with the procedures and measures mentioned in art. 23 (art. 24).
Internally developed models are assessed and validated (art. 25).
The treasurer of the institution has procedures and measures in place to ensure the financial position (art. 26).
Definition cloud computing
NIST definition of cloud computing (ref. SP 800-145): “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”
Attention points for cloud computing
Where are my (back-up) data?
Who can access my data?
How do I know that performance is as contracted?
Exit from cloud provider: is all data wiped?
Right to audit also for subcontractor?
Cloud computing / International aspects
International agreement on cloud computing
Letters on cloud computing: APRA, MAS, DNB, US, Spain and Canada
All countries have the same attitude w.r.t. cloud computing
Some countries are more strict
Source:
http://www.toezicht.dnb.nl/binaries/Cloud%20computing_tcm50-224828.pdf
International agreement
Common understanding ITSG
Cloud computing qualifies as outsourcing
Cloud computing is defined by NIST
Right to audit of Supervisors is obliged in contracts
Email is considered part of critical business
Cloud computing & DNB
Journey with Microsoft:
Circular on cloud computing, 6 December 2011 (English version 10 January 2012*)
Contact with a financial institution about Microsoft cloud services
Contact with Microsoft
Contact with Microsoft and the financial institution
Agreement with Microsoft NL -> involvement of Microsoft EMEA and US
Agreement with Microsoft US
Implementation of Microsoft Office 365 at the financial institution
Visit to the Dublin datacentre
Visit to the Microsoft campus in Redmond
*http://www.toezicht.dnb.nl/en/binaries/Circulaire%20cloud%20computing_tcm51-224828.pd
Agreement with Microsoft
http://www.toezicht.dnb.nl/en/7/51-226970.jsp
DNB & Cloud computing
Symposium Cloud Computing 2013
Regulator view
Assurance
Lessons learned by Service providers
Lessons learned by Financial organisations
Market perspective
http://www.toezicht.dnb.nl/7/50-228265.jsp
Risk analysis framework based on ENISA*:
http://www.toezicht.dnb.nl/binaries/Sjabloon%20cloud%20computing%20%20risicoanalyse_tcm50-228202.pdf
* http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
Cloud computing – right to examine
Questions?
Evert Koning
Operational Risks & Data Quality
Telephone: +31 20 524 2428
Mobile: +31 6 524 96 399
E-mail: [email protected]