Data Security

Data Security Working Group Meeting - 2/1/24

  • 1.  Data Security Working Group Meeting - 2/1/24

    Posted Feb 02, 2024 03:45:00 PM

    Meeting Summary

    • The CSA Data Security Glossary was officially released on January 22nd. It contains definitions sourced from NIST, Gartner, and CSA, and aims to provide official, applicable definitions for terms related to Gen AI and other topics. The AI Summit took place on January 17th and 18th; the next event is the Fincloud Security Summit on February 27th. The Financial Service Leadership Committee has been evaluating the state of financial services, focusing on due diligence, validation of transparency, and overall confidence in the resiliency of CSPs. The committee is also interested in data resiliency and its impact on organizations, including the role of encryption and network security. The group discussed the timeline and process for a data resiliency survey, with a focus on highly regulated industries such as financial services. Concerns were raised about the potential disruption AI poses to traditional resiliency controls in financial services, about bias in AI, and about enforcing regulations; the benefits of AI in anti-money laundering were also noted. The meeting also covered business profile and resiliency, incident response and change control, vendor management challenges, blockchain technology in financial services, testing cyber resiliency, and the vendor management tool's role in resiliency. Concerns were expressed about document access; the decision was to share the document directly to resolve the issue.

    Topics & Highlights

    • CSA Events
      • The AI Summit took place on January 17th and 18th.
      • The upcoming event is the Fincloud Security Summit on February 27th.
    • CSA Data Security Glossary
      • The CSA Data Security Glossary was officially released on January 22nd.
      • The glossary contains definitions sourced from NIST, Gartner, and CSA.
      • The glossary aims to provide official and applicable definitions for terms related to Gen AI and other topics.
    • Data Resiliency Survey
      • The discussion focused on the timeline and process for conducting a data resiliency survey in the industry. It was mentioned that the survey will cover both the financial services industry and other industries, with a focus on comparing the impact of data resiliency in highly regulated industries like financial services. The timeline includes gathering feedback on the survey questions, conducting the survey, interviewing CISOs in financial services, analyzing the results, and writing a report.
      • The group also discussed the importance of encryption and network security in data resiliency.
    • Financial Service Leadership Committee
      • The committee has been evaluating the state of financial services.
      • They are interested in the level of due diligence, validation of transparency, and overall confidence in the resiliency of CSPs.
    • Data Resiliency
      • John mentions that the objective is to address cyber resiliency issues and understand how regulations like GDPR impact organizations. They want to capture industry perceptions and opinions on data resiliency.
      • John explains that surveys are important to capture perceptions versus actual situations. The community at CSA is expected to participate in surveys to identify and fix issues related to data resiliency.
    • Data Resiliency and Cloud Resiliency
      • The concern is raised about the potential disruption caused by AI to traditional resiliency controls in financial services.
      • Participants discussed how AI data ingestion, and the difficulty of removing associations a model has already created, can affect the security of financial services.
    • Concerns about bias in AI and regulations
      • Gopi expresses concerns about the increasing use of AI in various industries and institutions and the challenges of enforcing regulations across all industries.
      • Gopi and Rocco discuss the difficulty of removing copyrighted material from AI and the potential moral and technical problems associated with AI's ability to determine what is true or false.
    • AI in Anti-Money Laundering
      • Gopi mentioned that AI models have benefited the field of anti-money laundering and real-time money transfer risk calculation in banking institutions.
    • Business Profile and Resiliency
      • John explained that the initial questions aimed to gather information on organizational approach, perceptions, and business profiles related to resiliency.
    • Incident Response and Change Control
      • John discussed the importance of understanding incident response plans, change control, and the impact of vulnerabilities and coordinated disclosures in customer environments.
    • Vendor Management
      • Rocco expressed concerns about vendor management, security reviews, and the challenges faced by financial services in managing vendor relationships and liabilities.
      • The challenges of managing relationships with vendors, especially in the context of mergers and acquisitions, are discussed. The need for ongoing due diligence and security reviews is highlighted.
      • The importance of maintaining security and due diligence when using cloud services is mentioned.
      • The continuous challenges of vendor management and security reviews are discussed, including the difficulty of saying no to customers and the need for coordination.
      • The potential opportunities and challenges of integrating Gen AI into vendor management and predicting CSP outages are mentioned.
    • Blockchain Technology in Financial Services
      • The adoption and security concerns of blockchain technology in the financial services industry are discussed, including the potential vulnerabilities of smart contracts and the need for additional security measures.
      • The participants discuss the emergence of and investment in blockchain technology, comparing it to the rise of AI.
      • The participants discuss the challenges and cyber resiliency aspects of blockchain technology, including the need for AI in programming.
    • Testing Cyber Resiliency
      • The participants discuss the importance of joint testing with third parties and involving clients in recovery exercises.
      • The participants discuss the responsibility of organizations and cloud service providers in conducting proactive exercises for cyber resiliency.
    • Vendor Management Tool and Resiliency
      • John mentioned the vendor management tool and its role in resiliency across the supply chain.
      • John mentioned other technologies like blockchain.
      • John mentioned third-party use of testing and tabletop exercises.
      • John highlighted the importance of CSG participation in testing exercises in the cloud.


    ------------------------------
    Alex Kaluza
    Research Analyst
    Cloud Security Alliance
    ------------------------------