Andrzej Badowski provides advisory and professional services in the areas of governance, risk, compliance, information and data security, business resilience and continuity planning.
I’m sincerely grateful to the UK Financial Conduct Authority (FCA) for introducing and pursuing the concept of RegTech.
Although this effort may currently seem focused exclusively on the financial market and its regulatory environment, I’m positive RegTech will soon become a one-word synonym for “automating compliance monitoring and reporting to boost its efficiency, significantly reducing cost and overhead” in all other industries as well. This task has been a challenge throughout my career, but since 2006 it has been my priority and primary ambition.
I have served as head of security for highly regulated payment card processing companies, where our team had to host numerous annual audits, the outcomes of which determined the certifications required to stay in business. Most of our efforts were dedicated to monitoring and reporting on mandated processes and controls. As both the complexity and the scale were overwhelming, we grasped and held firmly to any ideas, options, tools or solutions that could automate or script some of those tasks to free scarce resources. Processing millions of payment cards and payments worth billions of dollars, one of the primary regulations we had to comply with was the PCI DSS.
PCI DSS has been designed around a specific data subset – cardholder data. The standard is quite specific and requires defined security measures, unlike more generic frameworks such as ISO 27001, where we have much more flexibility over the controls we implement. On the other hand, PCI DSS is deemed a mature and somewhat complete set of coherent best practices, which may serve as a benchmark to give the organisation’s stakeholders adequate confidence in its security management maturity. It is a common opinion that adopting PCI DSS is a very attractive path to addressing current GDPR challenges (searching for “pci dss gdpr” returns numerous links). By replacing the expression “cardholder data” with “PI (personally identifiable) data” in the contents of PCI DSS, we receive a set of controls that has been globally verified in practice during the last 12 years, efficiently reducing payment card fraud.
In my humble opinion, having this mature, invested, nourished and proven standard at hand, creating a new GDPR-specific one should be seen as reinventing the wheel. I hope the regulators will soon confirm that PCI DSS likely “ensures a level of security appropriate to the risk” in common market scenarios, since I also believe GDPR’s requirement of “encryption and pseudonymisation of personal data” has been inspired directly by the encryption and tokenisation practice of PCI DSS.
A few years ago I had the opportunity to lead the design of an information security management system for a card processor from scratch. With PCI DSS in mind, I found a system called AlienVault Unified Security Management (USM). AlienVault USM has been designed to integrate several security functionalities under one database and management console; please refer to the following presentation for details:
In my humble opinion, to this date AlienVault USM offers quite a head start for a PCI DSS oriented environment and remains an attractive option – in our scenario it replaced and integrated several standalone systems. Implementing the out-of-the-box functionalities addressed approximately one fifth of PCI DSS’s almost 300 controls, in the areas of asset / data discovery, FIM, HIDS, log retention and correlation, IDS/IPS, vulnerability scanning, threat management, etc. A great start, but just a foundation, as we are aiming much, much higher, towards a TOTAL security and compliance management system.
Dreaming of automating virtually ALL compliance related tasks, on top of the above capabilities we have designed, prototyped, piloted, tested and in numerous cases implemented in the production environment the following value-added functionalities (numbers in parentheses relate to PCI DSS requirements):
Having implemented the functionalities above, how far would we be from the utopia where compliance management and reporting is about ensuring all lights blink GREEN on the dashboard, and being able to click a “Generate one complete and global GDPR (in this example) compliance report in minutes” button any time we like? Quite close. Let the dream go on: could we find an auditor professional enough to focus on validating our controls, and later rely on them, instead of following dreadful and ineffective manual auditing practices like collecting screenshots? Let’s hope FCA’s effort around RegTech will help to turn that vision into reality soon.
Real-time, on-demand or retrospective compliance reporting would bring unprecedented comfort and confidence both to management and to the organisation’s stakeholders. If the assurance levels were quantified, they should rise by orders of magnitude when compared to manual, time-limited, sample-based, point-in-time audits. Having the ability to prove that systems were compliant at the time of a serious incident or breach would be invaluable during a crisis. All the functionalities described above are not only possible, but also quite feasible. What do you need to get there? A large dose of determination, and perhaps some help from very experienced professionals who already know what does and what does not work in practice. Please get in touch if you’d like to know more.
Copyright © 2019: risk-master.com, Andrzej Badowski