Managing Privacy Risk & Compliance in Financial Services
Brett Hamilton, Advisory Solutions Consultant, ServiceNow
© 2017 ServiceNow All Rights Reserved

Speaker Introduction

Brett has been a Solutions Consultant with ServiceNow for the last 2.5 years, most recently focusing on the Financial Services sector; before that he worked in the IT industry for various vendors, focusing on automation and governance systems.

Name: Brett Hamilton

Title: Advisory Solutions Consultant

Function: Financial Services Industry

Company: ServiceNow


Regulations Driving IT Spend

[Bar chart, "The regulations that matter the most". Survey question: "What regulations are driving the funding of your organisation's IT security?" Horizontal axis: percentage of respondents, 0 to 60. Regulations listed: EU General Data Protection Regulation; internal laws by country; PCI DSS; Sarbanes-Oxley; US state laws for data breach; GLBA; HIPAA (including HITECH); NERC CIP; FISMA; FACTA; FCRA; Federal Privacy Act; CAN-SPAM. Bar values shown on the chart range from 1% to 51%.]

Australian Mandatory Breach Notification

What Does This Mean?
Organisations and agencies will be required to notify when a breach has occurred.

Who Does This Affect?
Mid-sized to large organisations, in addition to government agencies.

When Does This Happen?
It is expected to go into full effect by 1 March 2018.

Why Is This Relevant To You?
Impact on brand or agency reputation that could lead to financial loss or loss of government trust.

GDPR By The Numbers

2018: on the 25th of May, 2018 the regulation will be enforced
4%: potential fines as a percentage of global turnover
7: core individual rights afforded under the GDPR
72: hours given to report a data breach
250m: cost of a 4% fine for a typical FTSE 100 company
28,000: organisations potentially in scope
190+: countries potentially in scope of the regulation
80+: new requirements in the GDPR

GDPR—What Is It?

• The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for European Union (EU) citizens, regardless of where the company is based.

• Major goals of the General Data Protection Regulation (GDPR) (2016/679/EU) are:
– Protect personal data of EU citizens
– Establish rules for free movement of personal data in the EU
– Extend to all organizations globally that engage EU citizens

• The requirements catalog is published in 28 languages and includes 99 articles and 1021 citations (source: EU GDPR official website).

Challenge: Current State of GRC for Many

• Unknown or High Costs
• Risks and Vulnerabilities
• Complexity in silos
• Losses Due to Non-compliance (investigations, fines, etc.)
• Lack of Confidence in People, Process and Technology

GDPR Amps Up the Challenges

Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.

• Must have consent to use an EU citizen’s personal data
• Must protect their privacy
• Must be able to send the data to other organizations if the user requests it
• Must be able to delete the personal data in all locations if the user requests it

GDPR Amps Up the Challenges

• Data Protection Impact Assessments (Article 35) have to be conducted when specific risks occur to the rights and freedoms of data subjects.
• Risk assessment and mitigation are required, and prior approval of the DPA is required for high risks.
• Enterprises that process personal data for 5,000 EU citizens or more must hire a Data Protection Officer.

Specific GDPR Challenges

• Expanded definition of personal data & specific consent to use required
• Transport or delete data when requested
• Breach Notification within 72 hours
• Data Protection Impact Assessments (DPIA) required regularly


ServiceNow Solution: Get to the Future State of GRC Now

• You Don’t Want to Pay the ENORMOUS Fines Associated with GDPR

• Reduce the Pain of Compliance and Audit

• Realistic Implementation Timeframes

• Measure Success

• Guidance is Available to Determine the Path Forward

• Return to Core Business

• Utilize a Common Integrated Platform

Customer Benefits from ServiceNow GRC

• Now there is much more traceability, and audit teams can instantly pull reports from one system.
• Compliance management is improved with automation and real-time visibility of key controls.
• Compliance is streamlined and the team reclaimed over 75 hours a week by eliminating manual efforts.
• The entire compliance exception lifecycle is automated and traceable, so the team can provide comprehensive, reliable evidence to regulators for all exceptions.


ServiceNow GRC and GDPR

Supporting Your Compliance Journey With Our Scalable Solution

Framework for GRC & Security Operations

[Framework diagram: Compliance Management (Policy, Regulations, Third Party); System of Internal Controls; Risk Management; Governance, Oversight, & Policy Management; Audit Management, Observations, and Remediation; External Legislation and Regulations; Inherent Exposure, Vulnerability & Threats; Internal Goals and Objectives; Security Operations (Security Incident Response, Vulnerability Response, Threat Intelligence).]

• ServiceNow can map identified GDPR requirements directly into the application, with the underlying citation and controls needed for compliance checks and continuous monitoring.
• All GDPR requirements, with description and guidance, can be imported into ServiceNow with the available UCF integration.
• A license to import the GDPR content from Common Controls Hub is required.

[Screenshot captions: System of Internal Controls; GDPR Authority Document & Citations]

Step 1: Align Organisational Policies with GDPR

• Data Protection Policy
• Security Policy
• Code of Conduct

• ServiceNow Capabilities:
– ServiceNow offers full Policy Life Cycle Management. Drafting a policy according to requirements, through the Review, Approval, Publishing and Retirement stages, is available out-of-the-box.
– A policy can include the GDPR requirements listed within it for alignment.
– Knowledge Base information can be automatically created while publishing the relevant policy.

[Screenshot captions: Policy; Knowledge Base]

Step 2: Schedule Data Protection Impact Assessments

ServiceNow Capabilities:
• Data Protection Assessments can be aligned with the Data Protection Policy and underlying requirements in ServiceNow.
• All assessment requirements can be built with the Assessments Designer or enhanced with existing Data Protection Assessments.
• The assessments can be scheduled to run at regular intervals.

[Screenshot caption: Attestations]

Step 3: Gain Visibility into Compliance Status

ServiceNow Capabilities:
• Role-based access provides stakeholders the information they need to make decisions, and there are specific dashboards for contributors, approvals, audit, and control testing.
• The compliance status can be displayed in a dashboard to easily view compliance levels and take any needed remediation actions.
• Assessment outcomes are also reflected in the Compliance Dashboard.
• Control status is automatically updated.
• For any non-compliant outcomes, an issue will be automatically created and assigned to the responsible party to take action on requirement gaps.

[Screenshot captions: Control Compliance; Compliance Dashboard; Issues & Remediation]

Step 4: Define Risk Framework

ServiceNow Capabilities:
• ServiceNow provides a full Risk Management Lifecycle process, including robust scoring, risk indicators, financial-impact-based reporting, statistical reporting, etc.
• Regular risk assessments can be implemented & assigned automatically.
• Risk identification & compliance stats can be made transparent.
• Breach notifications with associated risks can be sent automatically or manually to the designated Supervisory Authority.
• Data processing at the information layer with PII can be implemented.
• Pseudonymisation and encryption functionalities support GDPR compliance.

[Screenshot captions: Risk Management; GDPR Risk Assessment; Risk Dashboard]

Step 5: Measure Risk on Critical Systems

ServiceNow Capabilities:
• CIA assurance of systems & applications.

CIA Risks for GDPR:
– Confidentiality: Unauthorized disclosure of business records stored or processed by the business service results in reputation damage, legal penalties, and/or fines.
– Integrity: Failure to maintain the consistency, accuracy, and trustworthiness of data stored or processed by the business service results in reputation damage, legal penalties, and/or fines.
– Availability: Failure to maintain timely and reliable access to and use of information processed by the business service results in a loss of revenues, productivity, and/or customer confidence.

Step 6: Manage Audit Engagements

ServiceNow Capabilities:
• GDPR Dashboards monitor the global level of compliance with GDPR, as well as by specific entities, systems, units, etc.
• Design and run regular GDPR Audits targeting the enterprise and its PII-sensitive systems.
• Generate remediation plans and track Data Protection corrective actions to conclusion.
• The same visibility, ease of management, and overall process is available for essentially all regulations.

[Screenshot captions: Audit Workbench; Issues & Remediation]

Step 7: Identify PII Assets

ServiceNow Capabilities:
• Manage information assets and associate them to other CIs.
• Profile information assets to generate associated risks and controls.
• Manage risks, continuous control monitoring and data protection impact assessments on information assets as well as on business services or on IT CIs.

[Screenshot captions: PII & PCI Information; Relating Risks, Control, & Audit Engagements to Information]

Step 8: Design PII Breach Processes

ServiceNow Capabilities:
• Leveraging ServiceNow CMDB to manage Information Assets and associate them to other CIs.
• Connecting PII Security Incidents to Information Assets to understand the Risks and Controls towards them.
• Managing PII Security Incidents through containment and root cause analysis.
• Escalating and reporting on PII Security Incidents to the wider Enterprise and to the DPO.
• Reporting PII Security Incidents to the Supervisory Authority.

[Screenshot captions: PII Information; SecOps & GRC; Security Incident Workflow & Treatment]

Step 9: Assess your 3rd Parties' GDPR Compliance

ServiceNow Capabilities:
• Implementing Vendor Risk Management from ServiceNow to:
- Manage the Vendor portfolio.
- Design a library of Assessments, based on questionnaires and evidence collection.
- Schedule the Data Privacy Assessments to Vendors, based on Tiers / Risks.
- Connect questionnaire questions to GRC controls, so that the Vendors’ response automatically sets the related control to Compliant / Non-Compliant.
- Propose an external Vendor portal for Vendors to freely respond to the Privacy Assessments pushed to them.
- Manage identified Issues / Actions to resolution to improve Vendors’ GDPR compliance.

[Screenshot captions: SecOps & GRC; Vendor Portal; Vendor Portfolio; Privacy Questionnaire]

Finally! DPO Processes & Dashboard Visibility

ServiceNow Capabilities:
• Leveraging Performance Analytics and the standard ServiceNow dashboarding / reporting engine to:
- Follow up the level of Compliance & Risks for various dimensions (Group, Units, Processes, Systems, CIs, Information (PII), Projects, etc.).
- Manage the DPIAs and their results.
- Manage the GDPR Control Framework and follow the attestations, evidence and indicators of critical controls.
- Review the progress of remediation Issues & Tasks to completion.
- Review the progress of PII breach Security Incidents to completion.
- Trend to understand progress towards full compliance and evaluate predictive analytics.
- Report to the Supervisory Authority based on evidence.

[Screenshot caption: SecOps & GRC]

Simplify Personal Data Record Compliance

ServiceNow Capabilities:
• Use ServiceNow Customer Service Management to interact with EU citizens.
• Provide personal data access for EU citizens through CSM portals.
• Provide GDPR-related information, policies & procedures.
• Manage requests for personal data updates, transfers, and deletions.
• Manage specific consents (opt-in, opt-out, etc.).
• Supply GDPR risk information directly to EU citizens.

Simplify Personal Data Record Compliance

The same GDPR requirements apply to more than customers and prospects. Easily manage personal data for employees, vendors, third parties, and other types of EU citizens.

What are customers saying about ServiceNow GRC

Rapid ROI
“We were up and running with full functionality in just eight weeks allowing the quarterly audit activities to proceed without a hitch.”

Productivity Gains
“Integrated GRC gave us back over 9000 IT man hours annually.”
“We’ve reduced our audit data collection time by 93%”

Proactive Risk Management
“We are taking our controls framework from being manual and detective to being automatic and preventative and embedded within the processes we are implementing in ServiceNow”

Cost Avoidance
“We’re able to avoid large fines ~$200MM per year, in addition to large audit, consulting, and project related fees ~400MM per year.”

Reliable, Real-time Insight
“When we provide results to executives, ServiceNow has done the work for us with accuracy and ease.”
“ServiceNow GRC gives us real-time insight to metrics.”

Significant Cost Reduction
“Our annual audit costs were reduced by 80%.”
“We’re expecting to save on average ~$4MM per year per control automation.”

Top Takeaways

1. ServiceNow GRC is scalable to accommodate many new and existing regulations.
2. The GDPR can be managed through ServiceNow’s GRC application.
3. The heavily regulated financial industry can use the combination of GRC and SecOps for GDPR and much more.