Financial Services Industry

Financial Services Meeting Minutes 9/23/20

  • 1.  Financial Services Meeting Minutes 9/23/20

    Posted Sep 24, 2020 05:46:00 PM

    • Cloud Journeys Intro - Craig
      • Craig gave an overview of the transition process and various stages of migrating to the cloud.

    • Enjoying the Scenery
      • ABN AMRO - Jim
        • Jim went over each of the pillars of the Six Pillars of DevSecOps document, and gave an overview of how it was implemented in his company.

    • Q&A Themes - Open discussion for the meeting attendees, with different companies sharing different strategies and how they fit into these DevOps categories.

    • Pillar 1: Collective Responsibility

      • ABN AMRO published an AWS shared responsibility model and authorization matrix for devops teams. The model contains AWS, our AWS infra team and the Devops teams. We also want to add our CISO teams to the model. Model is published on our intranet and shared with the teams during training given by our security team. For Azure we do not yet have a detailed shared responsibility model.

      • During onboarding and as part of a devops maturity journey, a security champion must be appointed per team. We organise events for these security champions.

      • How to get your developers to take responsibility for security?
      • How to get your management to give trust to devops teams?
      • Do you have a security champions community? Please share your experience.
       
    • Pillar 2: Collaboration and Integration

      • At ABN AMRO we observe a shortage of cloud engineers because all banks in Europe seem to be moving to the cloud. What are your thoughts on this and how can we address this problem? The balance between internals and externals is way off.

       

    • Pillar 4: Bridging Compliance and Development

      • At ABN AMRO we have translated cloud security requirements into AWS Config rules and monitor for compliance on a daily basis. In addition to AWS dashboards we have a dashboard in Splunk. As explained in the previous call, data quality is still a challenge.
    • Maturity levels
      • How mature and automated are your (IaaS PaaS) cloud security controls?
      • How does your org measure this maturity?
      • Are your cloud security controls linked to your key control framework?



    ------------------------------
    Alex Kaluza
    Research Coordinator
    Cloud Security Alliance
    ------------------------------