The vision of DNB on the supervision of cloud-computing

CBCS: Information Technology Service Management Seminar

Financial industry in the Netherlands

Institution type        Number
Banking                 100
Insurance companies     300
Pension funds           350

Strategy

Supervision focuses on:

• protection of the interests of creditors/consumers
• stability and integrity of the financial system

This means that Supervision must be kept posted on, and understand, what institutions are doing and how they manage and control the risks.

• Timely identify relevant developments and threats and advise on them

Strategy of ICT supervision

ICT Focus Strategy with differentiation

An institution of some magnitude is not viable without ICT.

Supervision needs to make certain that the institutions recognise and adequately manage ICT-related risks.

Mission statement of EC-ICT

Was:

To offer the maximum added value for Supervision specifically as well as for the Central Bank as a whole, by means of effective and efficient use of people and tools, with the focus on the different areas of expertise within the department.

Is:

To achieve, through effective and efficient means, adequate control of IT risks by supervised institutions.

Assessment of risks

Organisation EC-ICT

• 10 IT examiners
• 3 levels of experience
• No hierarchy
• Flexibility

Cloud computing

Cloud computing qualifies as a form of outsourcing, so the same legal requirements apply:

• risks need to be demonstrably known and mitigated
• outsourcing to third parties may not obstruct supervision by DNB

http://www.toezicht.dnb.nl/en/binaries/Circulaire%20cloud%20computing_tcm51-224828.pdf

Legal Framework Outsourcing

Specific rules for outsourcing (6 articles):

• Outsourcing is not allowed if it obstructs prudential supervision of the institution (art. 27)
• Outsourcing is not allowed if it harms the independent internal audit and compliance process (art. 28)
• The institution needs to have a sourcing strategy and detailed procedures in place to manage the outsourcing

Legal Framework Outsourcing

Specific rules for outsourcing (6 articles):

• The institution needs to have sufficient procedures, knowledge and information to assess the outsourced processes (art. 30)
• A sufficient written outsourcing agreement is mandatory (art. 31)
• The above-mentioned articles are not applicable if the processes are outsourced to a company in another country that is part of the group of the financial institution (art. 32)

Legal Framework

Specific rules for risk management (4 articles):

• Policy regarding control of risks is documented in detailed procedures and measures to control risks (art. 23)
• Systematic and independent risk analysis (art. 23)
• The institution supervises compliance with the procedures and measures mentioned in art. 23 (art. 24)
• Internally developed models are assessed and validated (art. 25)

Definition cloud computing

NIST definition of cloud computing (ref. SP800-145): “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models”.

Attention points cloud computing

• Where are my (back-up) data?
• Who can access my data?
• How do I know that performance is as contracted?
• Exit from cloud provider: is all data wiped?

Cloud computing / International aspects

International agreement on cloud computing

• Letters on cloud computing: APRA, MAS, DNB, US, Spain and Canada
• All countries have the same attitude w.r.t. cloud computing
• Some countries are more strict

Source: http://www.toezicht.dnb.nl/binaries/Cloud%20computing_tcm50-224828.pdf

International agreement

Common understanding ITSG:

• Cloud computing qualifies as outsourcing
• Cloud computing is defined by NIST
• Supervisors' right to audit must be laid down in contracts
• E-mail is considered part of critical business

Cloud computing & DNB

Journey with Microsoft:

• Circular on cloud computing, 6 December 2011 (English version 10 January 2012*)
• Contact with financial institution about Microsoft cloud services
• Contact with Microsoft
• Contact with Microsoft and financial institution
• Agreement with Microsoft NL -> involvement of Microsoft EMEA and US
• Agreement with Microsoft US
• Financial institution implements Microsoft Office 365
• Visit to Dublin datacentre
• Visit to Microsoft Campus Redmond

* http://www.toezicht.dnb.nl/en/binaries/Circulaire%20cloud%20computing_tcm51-224828.pd

DNB & Cloud computing

Symposium Cloud Computing 2013:

• Regulator view
• Assurance
• Lessons learned by service providers
• Lessons learned by financial organisations
• Market perspective

http://www.toezicht.dnb.nl/7/50-228265.jsp

Risk analysis framework based on ENISA*:
http://www.toezicht.dnb.nl/binaries/Sjabloon%20cloud%20computing%20%20risicoanalyse_tcm50-228202.pdf

* http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment

Questions?

Evert Koning
Operational Risks & Data quality
Telephone: +31 20 524 2428
Mobile: +31 6 524 96 399
E-mail: [email protected]
