The vision of DNB on cloud computing · 2019-07-26 · ICT-related risks 4. Mission statement of...
The vision of DNB on the supervision of cloud-computing
CBCS: Information Technology Service Management Seminar
Evert Koning, 18 November 2014
Financial industry in the Netherlands
Institution type Number
Banking 100
Insurance companies 300
Pension funds 350
Investment firms 350
Trust and payment firms 400
Total 1500
Strategy
Supervision focusses on
• protection of interests of creditors/consumers
• stability and integrity of the financial system
This means that Supervision must be kept posted and understand what institutions are doing and how they manage and control the risks
Timely identify relevant developments & threats and advise on them
Strategy of ICT supervision
ICT Focus Strategy with differentiation
An institution of some magnitude is not viable without ICT
Supervision needs to make certain that the institutions recognise and adequately manage ICT-related risks
Mission statement of EC-ICT
Was
To offer the maximum added value for general Supervision specific as for the Central Bank as a whole by means of effective and efficient use of people and tools with the focus on the different expertises within the department.
Is
To achieve, through effective and efficient means, adequate control of IT risks by supervised institutions
Supervision cycle
Assessment of risks
Organisation EC-ICT
• 10 IT examiners
• No hierarchy
• 3 levels of experience
• Flexibility
• Account structure T5 and T4
Cloud computing
Cloud computing qualifies as a form of outsourcing. So the same legal requirements apply:
Risks need to be demonstrably known and mitigated
Outsourcing to third parties may not obstruct supervision by DNB
http://www.toezicht.dnb.nl/en/binaries/Circulaire%20cloud%20computing_tcm51-224828.pdf
Legal Framework Outsourcing
Specific rules for outsourcing (6 articles)
Outsourcing is not allowed if it obstructs prudential supervision on the institution (art. 27)
Outsourcing is not allowed if it harms the independent internal audit & compliance process (art. 28)
The institution needs to have a sourcing strategy and detailed procedures in place to manage the outsourcing (art. 29)
Legal Framework Outsourcing
Specific rules for outsourcing (6 articles)
The institution needs to have sufficient procedures, knowledge & information to assess the outsourced processes (art. 30)
A sufficient written outsource agreement is mandatory (art. 31)
Above mentioned articles are not applicable if the processes are outsourced to a company in another country that is part of the group of the financial institution (art. 32)
Legal Framework
Specific rules for risk management (4 articles)
Policy regarding control of risks is documented in detailed procedures and measures to control risks (art. 23)
Systematic and independent risks analysis (art. 23)
Institution supervises compliance of procedures and measures as mentioned in art. 23 (art. 24)
Internally developed models are assessed and validated (art. 25)
The treasurer of the institution has procedures and measures in place to ensure the financial position (art. 26)
Definition cloud computing
NIST definition of cloud computing (ref. SP800-145): “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models”.
Attention points cloud computing
Where are my (back-up) data?
Who can access my data?
How do I know that performance is as contracted?
Exit from cloud provider: is all data wiped?
Right to audit also for subcontractor?
Cloud computing / International aspects
International agreement on cloud computing
Letters on cloud computing: APRA, MAS, DNB, US, Spain and Canada
All countries have the same attitude w.r.t. cloud computing
Some countries are more strict
Source:
http://www.toezicht.dnb.nl/binaries/Cloud%20computing_tcm50-224828.pdf
International agreement
Common understanding ITSG
Cloud computing qualifies as outsourcing
Cloud computing is defined by NIST
Right to audit of Supervisors is obliged in contracts
Email is considered as part of critical business
Cloud computing & DNB
Journey with Microsoft:
Circular cloud computing 6 December 2011 (English 10 January 2012*)
Contact with financial institution about Microsoft cloud services.
Contact with Microsoft
Contact with Microsoft and financial institution
Agreement with Microsoft NL -> involvement Microsoft EMEA and US
Agreement with Microsoft US
Implementing Microsoft Office 365 Financial institution
Visit Dublin datacentre
Visit Microsoft Campus Redmond
*http://www.toezicht.dnb.nl/en/binaries/Circulaire%20cloud%20computing_tcm51-224828.pd
Agreement with Microsoft
http://www.toezicht.dnb.nl/en/7/51-226970.jsp
DNB & Cloud computing
Symposium Cloud Computing 2013
Regulator view
Assurance
Lessons learned by Service providers
Lessons learned by Financial organisations
Market perspective
http://www.toezicht.dnb.nl/7/50-228265.jsp
Risk analysis framework based on ENISA*:
http://www.toezicht.dnb.nl/binaries/Sjabloon%20cloud%20computing%20%20risicoanalyse_tcm50-228202.pdf
* http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
Cloud computing – right to examine
Questions?
Evert Koning
Operational Risks & Data quality
Telephone: +31 20 524 2428
Mobile: +31 6 524 96 399
E-mail: [email protected]