White Paper: FCA and ICO/DPA technology guidelines - Serviced Cloud

7 ways to better meet FCA and ICO/DPA technology guidelines

8/19/2016  White Paper: FCA and ICO/DPA technology guidelines - Serviced Cloud

TECHNOLOGY COMPLIANCE FOR ALTERNATIVE INVESTMENT COMPANIES AND OTHER ORGANISATIONS IN SCOPE OF FCA AND ICO/DPA REGULATION

Introduction

Perhaps one of the most important things the 2007 credit crunch and the ensuing global economic recession demonstrated is the degree to which the world depends on the financial industry. Consequently, the rationale for robust regulatory oversight of the financial industry is compelling.

Technology is a fundamental enabler of the finance industry. The financial system is interwoven with and highly reliant on technology. Technology changes quickly, and the threat environment may be characterised as agile and blended, with a need for constant vigilance.

Today the Alternative Investment Fund Managers Directive (AIFMD) and the Capital Requirements Directive IV (CRD IV) are the primary tools governing the core business of UK-domiciled alternative investment firms. Technology is governed by Financial Conduct Authority (FCA) guidelines in conjunction with the Information Commissioner's Office (ICO), which carries out enforcement action for breaches of the Data Protection Act (DPA). As a result there is a mix of recommendations and mandatory compliance points. This means some areas are open to interpretation, and there is a need to understand where any distinctions exist and to act appropriately. The objective of this regulatory approach appears to be to create a culture where financial services businesses demonstrate a responsible approach and a willingness to consider their use of systems and any risks that need to be mitigated.

In this guide we discuss 7 ways alternative investment businesses, and professional services companies supplying services to regulated firms, can improve their ability to meet FCA or ICO/DPA regulatory guidelines for using technology within their businesses.

http://www.servicedcloud.com/white-paper/7-ways-to-better-meet-fca-and-ico-dpa-technology-guidelines

1. DRIVE IT FROM THE TOP DOWN

Wherever there is a failure of leadership to assert control and set high standards for a business and its employees, there is often the potential for significant problems.

Take responsibility at board level

Ultimately, FCA/ICO compliance is a governance matter, and it needs to be owned by the board and driven from the top down. Leave no doubt about standards by promoting a culture of resilience and security. There should never be complacency around the value of information and cyber security. The board should set up a process to ensure it is satisfied about policies and procedures for protecting information, especially where dependencies lie with third parties or with a parent group. Cyber security should be under the control of a CIO (Chief Information Officer) or someone with equivalent accountability at board level.

It is important that procedures to deal with cyber-attacks, to prevent fraudulent communications through both voice and email, and to safeguard against money laundering activities are all in place.

Enforcement action: The Money Shop
Date: 06 August 2015
Type: Monetary penalties
Sector: Finance, insurance and credit
The ICO has issued a £180,000 civil monetary penalty to The Money Shop in response to the loss of computer equipment containing a significant amount of customer details.

2. KEEP YOUR SYSTEMS UP-TO-DATE

Many fines are issued by the ICO for failing to take reasonable steps to prevent hacking. Hackers often exploit 'vulnerabilities' (that's IT code for holes in security) to gain unauthorised access to networks, systems and data.

Simple to plug security gaps

One of the most fundamental principles of IT security is to plug gaps by maintaining up-to-date software versions. This is done by regular updating, or 'patching', with updates downloaded from or automatically pushed out by software vendors. Many of the firms that have been fined could have escaped financial penalty simply by taking the reasonable step of ensuring systems were kept up-to-date.

3. TIGHTEN UP STAFF SECURITY

Employees are only human, and even in the most secure environments people are often responsible for breaches, either through deliberate action or through failing to observe security policies and procedures.

Passwords

One key aspect is password access and control. Companies should have strict password control policies. Users should not use the same username and password combinations for company and personal accounts, as this would allow hackers to gain access to company data and systems by stealing account data from personal or consumer accounts. Forcing regular password changes is one option; alternatively, consider Dual Factor Authentication. This means a unique, one-time key is required at every login, so knowing a username/password combination alone is not enough to permit access.
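To make the second-factor point concrete, here is an added example (written for this page; it is not code from the white paper or from Serviced Cloud) of a login check that requires both a password and a time-based one-time code as specified in RFC 4226 (HOTP) and RFC 6238 (TOTP). It goes a little beyond the text by also rejecting a code that has already been used and by tolerating one 30-second step of clock drift. The user name, password and salt are constructed demo values; the shared secret is the RFC 6238 test key, so the generated codes can be checked against the published test vectors.

```python
"""Password + TOTP second factor: a stolen username/password pair alone is refused.
Added example with constructed demo data; not from the white paper or Serviced Cloud."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


class TwoFactorLogin:
    """Username/password check followed by a one-time code that cannot be replayed."""

    STEP = 30  # seconds per TOTP window

    def __init__(self) -> None:
        self._users = {}         # username -> (salt, password_hash, totp_secret)
        self._last_counter = {}  # username -> highest time step already accepted

    def enrol(self, username: str, password: str, totp_secret: bytes,
              salt: bytes = b"constructed-demo-salt") -> None:
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, pw_hash, totp_secret)
        self._last_counter[username] = -1

    def authenticate(self, username: str, password: str, code: str, now=None) -> str:
        """Return 'ok' or the reason the login was refused."""
        now = int(time.time()) if now is None else int(now)
        record = self._users.get(username)
        if record is None:
            return "unknown_user"
        salt, pw_hash, secret = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, pw_hash):
            return "bad_password"
        if not code:
            return "totp_required"      # password alone is never sufficient
        if not code.isdigit():
            return "bad_code"
        counter = now // self.STEP
        # Accept the current window and one either side to tolerate clock drift.
        for c in (counter - 1, counter, counter + 1):
            if hmac.compare_digest(hotp(secret, c), code):
                if c <= self._last_counter[username]:
                    return "replay"     # this window was already spent
                self._last_counter[username] = c
                return "ok"
        return "bad_code"


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test key, demo user and password.
    secret = b"12345678901234567890"
    login = TwoFactorLogin()
    login.enrol("alice", "correct horse battery", secret)
    now = int(time.time())
    print(login.authenticate("alice", "correct horse battery", "", now))            # totp_required
    print(login.authenticate("alice", "correct horse battery", totp(secret, now), now))  # ok
    print(login.authenticate("alice", "correct horse battery", totp(secret, now), now))  # replay
```

The `_last_counter` bookkeeping is what turns a one-time key into a genuinely one-time key: a code captured over the shoulder cannot be presented a second time within its window.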

Data loss

Incidences of employees taking data offline (e.g. on a USB stick or a laptop) and then losing it are frequent. Consider prohibiting the practice, or only allowing download to secure devices (those managed by the business and with encrypted storage) that are only accessible using a username/password combination.

Activity monitoring

Consider monitoring communications activity. Record all telephone calls and archive all email. Some companies record all network activity, although this is more for internal security than for FCA compliance.

HR policies

Consider consulting with HR to review any points where security has touch points with HR policies. Some examples where issues may arise include:

- Hiring
- New hire induction
- Ongoing training
- Disciplinary procedures
- Termination of employment
- Dual Factor Authentication
- Offline working with company data
- Online working with data encryption
- Activity monitoring

Enforcement action: Jala Transport Limited
Date: 26 September 2013
Type: Monetary penalties
Sector: Finance, insurance and credit
A monetary penalty notice has been served on Jala Transport, a small money-lending business, after the theft of an unencrypted portable hard drive containing its customer database.

4. KEEP ON TOP OF DOCUMENTATION

Always ensure up-to-date network documentation is available. Similarly, request documentation from your partners and any other third parties. Typically, documentation should include information on:

- Who has access to what?
- What is the update procedure?

- How is data secured?
- What is the backup procedure?
- What is the disaster recovery plan?

Enforcement action: Think W3 Limited (Thomas Cook subsidiary)
Date: 23 July 2014
Type: Monetary penalties
Sector: Online technology and telecoms
Think W3 Limited, an online travel services company, has been served a £150,000 monetary penalty after a serious breach of the Data Protection Act revealed thousands of people's details to a malicious hacker.

RFI

External firms may submit a Request for Information (RFI) before commencing trading with your company. This will almost certainly include questions on software, versioning and IT security. Likewise, your business should consider issuing an RFI to any new partner before doing business. Also consider formalising documentation for existing partners if an RFI has not previously been part of the partner engagement process.

Demonstrating a responsible approach

Maintaining up-to-date documentation means you have the right information to hand whenever it is requested from your business. It reassures senior management that everything has been given reasonable thought and that appropriate systems are in place. Documentation can easily be passed to the FCA if required, to demonstrate a responsible approach.

5. PLAN FOR DISASTER

Data backup, disaster recovery (DR) and business continuity (BC) planning are closely inter-related. Like many areas of IT, there is no absolutely right or wrong way. There is a 'menu' of different elements that may be mixed and matched to form the right solution for the specific needs of a business. The core question is: how long can you afford the business to be offline? Once you establish this maximum tolerance to a loss of IT services, you work backwards from there. Some points to consider are:

Avoid backup tapes

A credible backup tape regime requires tapes to be physically taken offsite, inviting the potential for loss. There are a number of examples of companies losing them and getting fined. Tapes and autoloaders are also expensive and prone to failure because they are mechanical. Online backup is more reliable and secure.

Data retention

Backup is central to the data retention strategy. Creating a reliable archive of legacy data is essential for compliance with FCA data retention rules. Ideally, legacy data needs to be kept accessible but out of the way, and this could guide the design of any hierarchical storage system for filing and retrieval.

FCA retention periods for data

  Record type                              Retention period
  Emails                                   6 years
  Record of election to comply             Indefinite
  All other financial records              3 – 6 years
  MiFID                                    1 – 5 years
  Basel II risk legacy data                2 – 5 years
  Telephone & electronic communications    6 months

Identify single points of failure

Typical single points of failure include power, network and servers. Search for anything of which there is just one. At the top level, the whole of an office or site is a single point of failure. To mitigate the loss of an entire site, it's often easier to replicate all of your data to another site. Then comes the question: how far away is far enough?

Data replication

The potential for disasters, both natural and man-made, is a key consideration when determining the distance to the replication site. Many businesses in the UK conclude that a distance of 50 miles is appropriate. For even better risk reduction, consider replicating in more than one place. Remember to include telephone systems.

Document disaster recovery plans

Whatever the specific process for disaster recovery, it's vital to document the disaster plan. Key DR plan information includes:

- Who instigates the plan?
- Where is the recovery site?

- How are employees notified?
- How long before the business returns to operational status? (Sometimes referred to as the Recovery Time Objective, RTO)

6. COMMISSION AN EXTERNAL AUDIT

Consider assessing your systems against ISO 27001, the management system standard for information security, by checking credentials, commissioning an external audit or penetration testing.

External IT partner

If you have an external IT partner, ensure you check its credentials. It should be appropriately accredited and should adhere closely to industry best practice for information security.

Internal IT team

If you have an internal IT team, consider getting a second opinion by engaging an appropriately accredited company to audit your network. An internal IT team may only have in-depth experience of your own environment. Employing an external team to check the systems often gives an insight into your own network that you may not otherwise be able to obtain.

Penetration testing

Consider penetration testing, or pen testing. This is the process of 'stress' testing your systems to see if a 'tiger team' of computer security professionals acting as hackers is able to break through to gain access to your network, servers and data.

7. REVIEW PHYSICAL SECURITY

Companies that keep all their data in the office should review physical security with an audit. Some typical questions that might be used to audit physical security include:

- Who has access to the office? (Don't forget cleaners, caterers and security guards)
- Are all computer workstations, including laptops and tablets, locked when not in use?
- Who has access to the server cupboard, comms room or data centre?
- Are there access control records documenting entry to and exit from the premises?

Offsite data centre

To mitigate physical security risks, consider the benefits of locating data in an offsite data centre. Any choice of data centre should be governed by accreditation to ISO 27001, which means the facility is audited for physical security in line with the management system standard.

Data sovereignty

It is vitally important to consider the issue of data sovereignty: the geographic locations where data is stored. When evaluating offsite data storage it is essential to understand where data may be stored by service providers. Changing legislation and challenges to agreements such as Safe Harbour mean the landscape may shift suddenly.

Enforcement action: Staysure.co.uk Limited
Date: 24 February 2015
Type: Monetary penalties
Sector: Finance, insurance and credit
An online holiday insurance company has been fined £175,000 by the ICO after IT security failings let hackers access customer records. More than 5,000 customers had their credit cards used by fraudsters after the attack on Staysure.co.uk.

Why is Serviced Cloud a preferred technology service provider to the finance sector?

Serviced Cloud is a specialist provider of cloud technology solutions to the financial sector. Serviced Cloud has the expertise and experience to help alternative investment companies, and those supplying services to regulated businesses, to meet their regulatory obligations or follow guidelines on the use of technology. The exact rules a regulated firm needs to follow, and their interpretation, are often determined by an in-house compliance officer or compliance team. This means FCA compliance is highly subjective, and getting it wrong can be a costly mistake. Serviced Cloud works with in-house compliance experts or external consultants to ensure any solution exceeds the interpretation of the regulatory code. Serviced Cloud is able to provide the appropriate level of services required by the majority of SME FCA-regulated businesses.

About Serviced Cloud

Serviced Cloud is a close-knit and highly professional team of technology professionals who are evangelists for cloud solutions. This is because we believe the benefits are unrivalled by equivalent on-premise approaches to provisioning business technology.

The business benefits of the cloud are regularly highlighted in the press and deliberated in boardrooms. Cloud technology is a topic in which the vast majority of business leaders are likely to have more than a passing interest.

Based in the heart of London in Canary Wharf, Serviced Cloud was incorporated in 2009 with a clear and simple vision. We are dedicated to helping business leaders in financial service organisations find the best way of successfully adopting cloud technology in their businesses. We offer best-of-breed Hosted Cloud Services in our ISO 27001 London data centres, and help clients to create their own Private Cloud systems in their own offices or data centres. Our friendly and professional engineers and consultants have extensive experience, proven track records and 'can-do' attitudes. We offer independent advice but partner with the leading cloud technology companies to ensure seamless support. We are service focused; our clients' satisfaction is paramount.

