Financial Services Industry

Financial Services Meeting - 6/22/22

• CSA Events and Updates
  • Infosecurity Europe - June 21^st - 23^rd
  • CSA CxO Trust Summit at Barcelona - June 29^th - July 1^st
  • CloudCon 2022 - July 25^th - 26^th
  • SECtember 2022 - September 26^th- 30^th
• Zero Trust Advancement Center Events
  
  • A Guided Approach to Support Your Zero Trust Strategy - June 29th
  • The Journey to Zero Trust starts with Secure Identity - July 20th
  • Top 5 Zero Trust Practices to Stop Modern Attacks - August 24th
    
• Financial Services Research in Development
  
  • Cloud Usage in the Financial Services Sector v2
  • Execution Stage - Continue to review draft, finalize by July 30th, Peer Review throughout July, potential release in August/September 2022
  • Add applicable categories/domains which would provide useful information for modern Financial Institutions in the cloud.
  • Develop questions/answers of different styles and varieties to get a well-rounded perspective of the current state of the industry.
  • Add informative graphics, tables, and charts to provide context.
    
    
  • Domains for the next survey in progress:
    
    • Data privacy/sharing: GDPR / Schrems 2
    • Vendor risk assessments: SaaS provider -> subcontractor to CSP
    • Zero Trust / Multi-cloud:
      
    • Encryption/key:
    • Secrets (short lived etc) lifecycle management:
    • Compliance infra for SaaS/PaaS decentralized/centralized environments
    • Application / Ops: end-to-end understanding/visibility, maturity, documentation (DevOps as a forcing function highlighting gaps in Application teams understanding and appreciation for Ops) / Incident Preparedness within Ops
    • Agile maturity: how are orgs benchmarking their maturity within agile adoption
    • BCP: region migration (e.g. in response to geo-political events): tension between availability zones vs region (particularly in context of SaaS providers)
    • SOC: logging/visibility/response, level of integration with internal/3rd party SOCs
    • SaaS integration with SOC - is it happening?
    • Lift and Shift: nuances within risk assessment process (example of using cloud keystore vs. "secretless" service where secrets are managed through an intermediary CSP service.
    • Incident response:
      
    • (New Questions Added) Cloud Service Provider change notification and management:
    • Do your key cloud service providers provide timely and comprehensive notifications for upcoming changes to their services?
    • What form do those notifications take?
      • Email notification
      • Webpage
      • Service API
      • Integration with change management software
      • Podcast
      • Social Media/LinkedIn
      • ____________
    • Is the pace of CSP initiated changes mananagable or problematic?
      • Manageable
      • Problematic
    • Has a CSP change ever resulted in an operational or security incident for your organization?
      • Yes, Operational
      • Yes, Security
      • No
      • Optional Comment: ________________
    • As the customer, do you feel like you have sufficient input to CSP prioritization of enhancements and changes, whether functional, SLA, or security-related?
      • Unhappy
      • Moderately happy
      • Very happy
• CSA Peer Reviews and Surveys
• None currently available
  
  
• Recent Research Releases
• Measuring Risk and Risk Governance - June 21^st
• SaaS Governance Best Practices for Cloud Customers - June 8^th
• The Continuous Audit Metrics Catalog: Towards a Machine-Readable Representation - June 7^th
• Top Threats to Cloud Computing Pandemic Eleven - June 6^th
• CISO Perspectives and Progress in Deploying Zero Trust - June 3^rd
  
• Next Zoom Meeting: July 27^th 8:00 AM PT
• https://cloudsecurityalliance.zoom.us/j/94151107820
  • Agenda, guest speaker TBA
  • Cloud Usage in the Financial Services Sector v2 development

------------------------------
Alex Kaluza
Research Analyst
Cloud Security Alliance
------------------------------