COMPLIANCE OF TRUST AND SECURITY - PowerPoint PPT Presentation

About This Presentation

Title: COMPLIANCE OF TRUST AND SECURITY

Description: ... complexity in security and trust requirements from regulations and business standards (COSO, SOX, Basel II, DPA, LOPD). Highly dynamic service-oriented ...

Slides: 19
Provided by: sop69

Transcript and Presenter's Notes

1
  • COMPLIANCE OF TRUST AND SECURITY
  • Juan Bareño, Atos Origin SAE

2
Introduction
  • Compliance Management Current State
  • Today's challenges
  • Current monitoring basic solutions
  • Remaining gaps
  • Identify the Future Compliance Management needs
  • NESSI Projects main innovations and results
  • NESSI Projects contribution to the Future
    Platform
  • Answers to the remaining gaps
  • What NESSI Projects can provide to NEXOF-RA
    reference model

3
Today's organizational challenges
  • Risks related to rapidly changing regulatory
    requirements
  • Risks associated with complex heterogeneous
    information systems and fast moving new
    technologies
  • Risks associated with dynamic relationships with
    SOA-enabled business processes
  • High cost of resulting internal and external
    audit fees

4
The iceberg of risk
Source: Teleconference "Why A GRC Software
Platform?", Forrester 2007
5
Risk Audit considerations
  • Compliance rules are often scattered throughout
    the company (internal/external)
  • IT processes have not been updated to support the
    increased changes introduced by SOA-enabled business
    processes
  • Existing monitoring solutions
      • do not provide the right information to the
        appropriate management level
      • leave too much access to sensitive information
      • do not cover all risks, or are not updated to
        cover new risks (changes in legal requirements,
        changes in information systems)
  • Internal Auditors are therefore expected to
      • understand new technologies and the risks
        associated with SOA-enabled business processes
      • advise management on appropriate monitoring
        tools: Continuous Auditing, Continuous
        Monitoring, monitoring tools

6
Compliance Management Current State
  • Managed in silos
  • Mostly reactionary
  • People used as middleware
  • Limited and fragmented use of technology
  • More projects than programs
  • Handled separately from mainstream processes and
    decision-making

Source: Open Compliance and Ethics Group
7
Components required to manage GRC
  • Policy/control environment: documentation and
    communication of policies, procedures, controls, and
    practices is the foundation for GRC management.
  • Monitoring environment: a single system should be
    capable of providing real-time capture, workflow
    prioritization, and case management of GRC breaks,
    and a batch equivalent for incremental breaks, over
    time.
  • Case Management environment: there must be a way to
    manage the necessary data, document the audit trail,
    measure impact/fallout, and quantify, categorize, and
    report enterprise risk management (ERM) outcomes.
  • Analytics environment: information on which to base
    codified and ad hoc risk mitigation decisions should
    include all appropriate data, optimally utilized in a
    preventive, preemptive, and predictive
    controls-management-driven environment.

Source: Teleconference "Why A GRC Software
Platform?", Forrester 2007
8
Future Compliance Management State
  • Effective use of information technology
  • Architected solutions
  • Embedded within mainstream processes and
    decision-making
  • Enterprise approach
  • Integrated GRC

9
Today's solutions for the Future Platform
  • A number of approaches, such as business rules or
    composition concepts for services, have been
    proposed
  • ...but none of these approaches offers a unified
    approach with which all kinds of compliance rules
    can be tackled
  • Additionally, vendor solutions exist, but they are
    not appropriate for SOA-enabled business processes

10
However, the following questions remain
  • GRC Lifecycle Gap: How can management be sure
    that top-level policies are fully covered by the
    controls that are implemented?
  • Control failure: How can management be sure that
    the controls implemented
      • are never bypassed?
      • always function correctly?
  • Heterogeneous legacy systems: How can
    management implement controls across
    heterogeneous Information System environments and
    legacy systems?
  • Third parties: How can management be sure that
    service providers have an appropriate level of
    internal control?

11
NESSI Projects' main innovations and results
  • MASTER links business-level challenges to
    operational compliance management
      • Decision support on key security/assurance
        indicators
      • A trusted monitoring infrastructure for
        SOA-enabled business processes
      • An infrastructure for enforcement of the security
        policy by preventive and reactive control
  • COMPAS addresses a major shortcoming in today's
    approach to designing SOAs
      • Service composition policies, service deployment
        policies
      • Information sharing/exchange policies, security
        policies, QoS policies
      • Business policies, jurisdictional policies,
        preference rules, intellectual property and
        licenses

12
NESSI Projects Contribution to the Future
Platform
  • Design Workbench
  • Language Framework
  • Specification Policy
  • Implementation Policy
  • Configuration Policy
  • KSI/KAI concepts
  • Control Cockpit
  • Design Workbench
  • Repository
  • Risk analysis
  • KAI/KSI concepts
  • Policy Verification
  • Evidence model
  • Evidence collection
  • Code annotation
  • Automatic reaction
  • SOA approach
  • Code annotation
  • Decoupled Policies
  • Privacy-preserving mechanisms
  • Secured platform
  • SOA approach
  • Signal filtering
  • CEP capability

Compliance-centric approach: repository of
policies, common language, MASTER's methodology

Source: Open Compliance and Ethics Group
13
New approach provided
  • COMPAS
      • unified framework
      • agile
      • extensible, tailorable
      • domain orientation
      • automation
      • etc.
  • Current practice
      • per-case basis
      • no generic strategy
      • ad hoc, hand-crafted solutions

14
Answers to the remaining questions
  • GRC gap: policy decisions at a senior management
    level vs. deployment and operation of controls
      • Answer: bottom-up approach, KAI and KSI concepts
  • Control failure: controls may be bypassed or may
    malfunction when faced with clever malicious users
    (system changes or outages)
      • Answer: KSI correctness/effectiveness
        computation, control by reaction
  • Heterogeneous legacy IT: heterogeneous legacy
    systems make the implementation of controls across
    all business processes difficult
      • Answer: centralized policy repository, SOA
        approach
  • Third parties: third parties have their own way of
    working, which might not always be compliant with
    the organization's policies, despite contractual
    agreements and annual audits
      • Answer: PRM concepts
15
What NESSI Projects can provide to NEXOF-RA
reference model
  • A complete security compliance assurance and
    auditing infrastructure for highly dynamic
    service-oriented infrastructures
  • Risk Management Methodology to manage compliance
    requirements.
  • Indicators tailored for compliance, to measure
    levels of compliance
  • A component architecture that can deliver these
    indicators.

16
Summary
  • NESSI Projects bridge the gap between current
    auditing practices and the need for automated and
    trustworthy evidence collection in Future
    Internet-enabled business processes.
  • Some Key innovations
  • Key indicators (Security/Assurance)
  • Protection and Regulatory Models (PRM)
  • Protection-Level agreements (PLAs)

17
  • We thank our Sponsors
