Financial Services Industry

  • 1.  Financial Services Meeting Minutes 6/24/20

    Posted Jun 24, 2020 04:02:00 PM

    Financial Services Meeting Minutes 6/24/20

    • Intro
      • Joining and using the FSSP Circle group to follow past and present initiatives.
      • Reviewed previous FSSP Releases.

      • CSA Events Calendar
          • CSA Cloudbytes Connect (July) 
          • SECtember (September) - Have a speaker from the FSSP working group present?

            • Financial Services 2020-21 Charter
              • Released: June 9, 2020
              • This Charter covers the scope and responsibility of the FSSP working group, potential initiatives, and reference publications contributing to the impact of cloud and technology adoption in Financial services.

          • Guest Speaker: Michael Roza - Cloud Security Alliance – Contributing Author & Research Volunteer
            • Six Pillars of DevSecOps: Automation
              • This paper is still in development and early release; however, it comes from the Six Pillars of DevSecOps primary document: https://cloudsecurityalliance.org/press-releases/2019/08/09/csa-releases-the-six-pillars-of-devsecops-report
              • Michael gave an overview of the paper, and fielded questions from the group.
              • Used the Secure Deployment Lifecycle - Policies, Standards, Controls, and Best Practices chart as reference for discussion.
              • CSA DevSecOps Software Delivery Pipeline - Triggers, activities, setting up and maintenance of pipelines.
              • Risk-prioritized factors, delivery pipeline framework, securing applications, and automation best practices were also covered.

          • Proposed Initiatives
            • Security & compliance dashboards for devops teams on AWS/Azure
              • DevSecOps - Bring security tools and practices to DevOps
              • Does your organisation use cloud native security and compliance dashboards?
              • Do you offer training to your devops teams on how to use those dashboards?
            • Blockchain for Financial Services
              • A DLT Security Framework for the Financial Services Sector.
              • What are the challenges in risk assessments in blockchain?
            • Serverless Security
              • How do you secure FaaS?
              • How do you implement IAM?

            • Next Meeting
              • Wednesday, July 22nd at 8 AM PT
              • If anyone has a financial services topic of interest they would like brought up at the next meeting, please let me or one of the Co-Chairs know.


            ------------------------------
            Alex Kaluza
            Research Coordinator
            Cloud Security Alliance
            ------------------------------


          • 2.  RE: Financial Services Meeting Minutes 6/24/20

            Posted Jun 25, 2020 04:25:00 AM
            Hi,

            In searching the artifacts I found that various publications included change management controls. However, I could not find a publication whose subject was change management. Nor is there a change management working group.

            @Craig Balding
            @Jim de Haas

            ------------------------------
            Michael Roza CPA, CISA, CIA
            ------------------------------