Data Security Working Group Meeting - 10/24/24
Publications in Development:
Proposed:
Meeting Summary:
Alex, Rocco, and Onyeka discussed the CSA Global AI Symposium on demand, the importance of data security and access control, and the upcoming Digital Operational Resilience Act (DORA) regulation in the European Union. They also discussed the concept of a data lifecycle, acknowledging that there is no consensus on its stages, and the importance of a unique identifier for a document throughout its lifecycle. Lastly, they discussed the differences in regulatory compliance between the US and Europe, and the need to continue their work on a document related to data lifecycle and security.
AI Symposium and DORA Training Discussion:
- Alex and Rocco discussed the AI Symposium and the on-demand links for it. Rocco mentioned that he had not focused on the AI Symposium because his current objective was training on DORA, a new project. He expressed uncertainty about the cost and certification process for DORA, and considered whether to prioritize it or the final exam for their team. Alex acknowledged the importance of DORA and its looming necessity. Rocco also mentioned reaching out to Eileen about a CSA STAR-enabled app, which he believed might be similar to the STAR Attestation Level 3 they were previously looking for.
Product Alignment and Industry Standards
- Rocco and Alex discussed the alignment of their product with industry standards, particularly in terms of data security. Rocco expressed a desire to showcase their alignment with industry leaders and mentioned that they already have two badges. However, he was unsure about the benefits of achieving a higher level, such as STAR Level 2. Rocco also mentioned that they were working on a product that follows industry standards, but they still needed to meet all the requirements. Alex agreed that Rocco was on the right track. They also discussed the possibility of Rocco's product being included in a list of industry names, but Rocco was unsure about the cost. Lastly, Alex mentioned a financial services leadership committee and suggested that a DORA-related project would be a good fit for that group.
Discussing DORA and Its Implications:
- Alex, Rocco, and Onyeka discussed the upcoming Digital Operational Resilience Act (DORA) regulation in the European Union. Rocco planned to purchase DORA training materials to gain expertise and to share a blog article on the topic with the group. They agreed that DORA is an important topic to cover, as it will significantly impact financial institutions in the EU starting in 2025. Rocco highlighted that DORA emphasizes data privacy and encryption, which aligns with their company's capabilities. Alex shared an article suggesting that AI-generated code requires more verification before deployment, potentially delaying releases. The group saw DORA as an opportunity for their company to provide solutions that help organizations comply with the new regulation.
- Latest DORA Report Surfaces Limited Gains from AI and Platform Engineering
Data Security and Access Control
- In the meeting, Alex, Onyeka, and Rocco discussed the importance of data security and access control, particularly in the context of financial services. They agreed that Identity and Access Management (IAM) is a crucial aspect of data security and that it should be closely tied to data access. They also discussed the potential for breaches in IAM systems, such as Okta, and the need for robust access control and categorization. The conversation also touched on the broader implications of data security, with Rocco emphasizing that it affects everyone who handles personal data. The team agreed to explore these issues further, with a focus on data access and security.
Regulatory Compliance Differences Discussed
- Rocco discussed the differences in regulatory compliance between the US and Europe, suggesting that Europe's infrastructure advancements after World War II have led to more advanced policies. He also noted that business units often drive decisions, finding exceptions to regulations when it benefits their operations. Alex agreed, highlighting the differences in infrastructure and communication rates between the two regions. The team concluded that they were on a good track with their current project but needed to continue their work.
Narrowing Data Lifecycle Document Scope
- Alex and Rocco discussed the scope and focus of a document they are working on related to data lifecycle and security. Rocco suggested that the initial draft covers too broad a topic and proposed narrowing the focus to defining the data lifecycle alone, since trying to cover security concerns at each stage would make the document too long. Alex agreed that they should start with the fundamentals and definitions before expanding into more specific areas such as security.
Data Lifecycle and Unique Identifiers
- Rocco and Alex discussed the concept of a data lifecycle, acknowledging that there is no consensus on its stages. They agreed that the process can be broken down into numerous steps, but the major concept remains the same, with creation at the beginning and destruction at the end. They also discussed the importance of a unique identifier for a document throughout its lifecycle, with Rocco suggesting that it should be created together with the document itself. The conversation ended with an understanding that the data lifecycle is a crucial topic, since everyone wants to know how long their data remains alive.
------------------------------
Alex Kaluza
Research Analyst
Cloud Security Alliance
------------------------------