Managing Privacy Risk & Compliance in Financial Services
Brett Hamilton, Advisory Solutions Consultant, ServiceNow
Speaker Introduction
Name: Brett Hamilton
Title: Advisory Solutions Consultant
Function: Financial Services Industry
Company: ServiceNow
Brett has been a Solutions Consultant with ServiceNow for the last 2.5 years, most recently focusing on the Financial Services sector; before that he worked in the IT industry for various vendors, focusing on automation and governance systems.
Regulations Driving IT Spend: The Regulations That Matter Most
Survey question: What regulations are driving the funding of your organisation's IT security?
Regulations listed on the chart: EU General Data Protection Regulation; internal laws by country; PCI DSS; Sarbanes-Oxley; US state laws for data breach; GLBA; HIPAA (including HITECH); NERC CIP; FISMA; FACTA; FCRA; Federal Privacy Act; CAN-SPAM.
[Bar chart: percentage of respondents per regulation, 0-60% axis. Values shown on the slide: 3%, 2%, 2%, 2%, 2%, 1%, 1%, 6%, 17%, 26%, 47%, 51%, 50%; the mapping of values to individual regulations is not recoverable from the extracted text.]
Australian Mandatory Breach Notification
- What does this mean? Organisations and agencies will be required to notify when a breach has occurred.
- Who does this affect? Mid-sized to large organisations, in addition to government agencies.
- When does this happen? It is expected to go into full effect by 1 March 2018.
- Why is this relevant to you? Impact on brand or agency reputation that could lead to financial loss or loss of government trust.
GDPR By The Numbers
- 2018: on the 25th of May, 2018 the regulation will be enforced
- 4%: potential fines as a percentage of global turnover
- 250m: cost of a 4% fine for a typical FTSE 100 company
- 190+: countries potentially in scope of the regulation
- 28,000: organisations potentially in scope
- 80+: new requirements in the GDPR
- 7: core individual rights afforded under the GDPR
- 72: hours given to report a data breach
GDPR: What Is It?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Commission intends to strengthen and unify data protection for European Union (EU) citizens, regardless of where the company is based.
Major goals of the General Data Protection Regulation (GDPR) (2016/679/EU) are:
- Protect personal data of EU citizens
- Establish rules for free movement of personal data in the EU
- Extend to all organizations globally that engage EU citizens
The requirements catalog is published in 28 languages and includes 99 articles and 1021 citations (source: EU GDPR official website).
Challenge: Current State of GRC for Many
- Unknown or high costs
- Risks and vulnerabilities
- Complexity in silos
- Losses due to non-compliance (investigations, fines, etc.)
- Lack of confidence in people, process and technology
GDPR Amps Up the Challenges
- Must have consent to use an EU citizen's personal data
- Must protect their privacy
- Must be able to send the data to other organizations if the user requests it
- Must be able to delete the personal data in all locations if the user requests it
Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address.
GDPR Amps Up the Challenges (continued)
- Data Protection Impact Assessments (Article 35) have to be conducted when specific risks occur to the rights and freedoms of data subjects.
- Risk assessment and mitigation is required, and prior approval of the DPA for high risks.
- Enterprises that process personal data for 5,000 EU citizens or more must hire a Data Protection Officer.
Specific GDPR Challenges
- Expanded definition of personal data, and specific consent to use is required
- Transport or delete data when requested
- Data Protection Impact Assessments (DPIA) required regularly
- Breach notification within 72 hours
ServiceNow Solution: Get to the Future State of GRC Now
- You don't want to pay the enormous fines associated with GDPR
- Reduce the pain of compliance and audit
- Realistic implementation timeframes
- Measure success
- Guidance is available to determine the path forward
- Return to core business
- Utilize a common integrated platform
Customer Benefits from ServiceNow GRC
- Now there is much more traceability, and audit teams can instantly pull reports from one system.
- Compliance management is improved with automation and real-time visibility of key controls.
- The entire compliance exception lifecycle is automated and traceable, so the team can provide comprehensive, reliable evidence to regulators for all exceptions.
- Compliance is streamlined, and the team reclaimed over 75 hours a week by eliminating manual efforts.
ServiceNow GRC and GDPR: Supporting Your Compliance Journey With Our Scalable Solution
Framework for GRC & Security Operations
Framework diagram elements:
- Inputs: internal goals and objectives; inherent exposure, vulnerability & threats; external legislation and regulations
- Governance, oversight & policy management; system of internal controls; risk management
- Compliance Management: policy, regulations, third party
- Security Operations: security incident response, threat intelligence, vulnerability response
- Audit management, observations, and remediation
- GDPR authority document & citations
ServiceNow can map identified GDPR requirements directly into the application, with the underlying citation and controls needed for compliance checks and continuous monitoring. All GDPR requirements, with description and guidance, can be imported into ServiceNow with the available UCF integration. A license to import the GDPR content from the Common Controls Hub is required.
Step 1: Align Organisational Policies with GDPR
Diagram elements: Data Protection Policy, Security Policy, Policy, Code of Conduct, Knowledge Base.
ServiceNow capabilities:
- ServiceNow offers full Policy Life Cycle Management: drafting a policy according to requirements, followed by the Review, Approval, Publishing and Retirement stages, is available out of the box.
- A policy can include the GDPR requirements listed within it for alignment.
- Knowledge Base information can be created automatically while publishing the relevant policy.
Step 2: Schedule Data Protection Impact Assessments
Diagram elements: Attestations.
ServiceNow capabilities:
- Data Protection Assessments can be aligned with the Data Protection Policy and its underlying requirements in ServiceNow.
- All assessment requirements can be built with the Assessment Designer or enhanced with existing Data Protection Assessments.
- The assessments can be scheduled to run at regular intervals.
Step 3: Gain Visibility into Compliance Status
Diagram elements: Control Compliance, Issues & Remediation, Compliance Dashboard.
ServiceNow capabilities:
- Role-based access provides stakeholders with the information they need to make decisions; there are specific dashboards for contributors, approvals, audit, and control testing.
- Compliance status can be displayed in a dashboard to easily view compliance levels and take any needed remediation actions. Assessment outcomes are also reflected in the Compliance Dashboard.
- Control status is updated automatically. For any non-compliant outcome, an issue is created automatically and assigned to the responsible party to act on requirement gaps.
Step 4: Define Risk Framework
Diagram elements: Risk Dashboard, GDPR Risk Assessment, Risk Management.
ServiceNow capabilities:
- ServiceNow provides a full Risk Management Lifecycle process, including robust scoring, risk indicators, financial-impact-based reporting, statistical reporting, etc.
- Regular risk assessments can be implemented and assigned automatically.
- Risk identification and compliance statistics can be made transparent.
- Breach notifications with associated risks can be sent automatically or manually to the designated Supervisory Authority.
- Data processing on the information layer with PII can be implemented. Pseudonymisation and encryption functionalities support GDPR compliance.
Step 5: Measure Risk on Critical Systems
ServiceNow capabilities: CIA (confidentiality, integrity, availability) assurance of systems & applications.
CIA risks for GDPR:
- Confidentiality: unauthorized disclosure of business records stored or processed by the business service results in reputation damage, legal penalties, and/or fines.
- Integrity: failure to maintain the consistency, accuracy, and trustworthiness of data stored or processed by the business service results in reputation damage, legal penalties, and/or fines.
- Availability: failure to maintain timely and reliable access to and use of information processed by the business service results in a loss of revenues, productivity, and/or customer confidence.
Step 6: Manage Audit Engagements
Diagram elements: Issues & Remediation, Audit Workbench.
ServiceNow capabilities:
- GDPR dashboards monitor the global level of compliance with GDPR, as well as by specific entities, systems, units, etc.
- Design and run regular GDPR audits targeting the enterprise and its PII-sensitive systems.
- Generate remediation plans and track Data Protection corrective actions to conclusion.
- The same visibility, ease of management, and overall process is available for essentially all regulations.
Step 7: Identify PII Assets
Diagram elements: Relating Risks, Controls & Audit Engagements to Information; PII & PCI Information.
ServiceNow capabilities:
- Manage information assets and associate them with other CIs.
- Profile information assets to generate associated risks and controls.
- Manage risks, continuous control monitoring and data protection impact assessments on information assets, as well as on business services or on IT CIs.
Step 8: Design PII Breach Processes
Diagram elements: Security Incident Workflow & Treatment, PII Information, SecOps & GRC.
ServiceNow capabilities:
- Leverage the ServiceNow CMDB to manage Information Assets and associate them with other CIs.
- Connect PII Security Incidents to Information Assets to understand the risks and controls that apply to them.
- Manage PII Security Incidents through containment and root cause analysis.
- Escalate and report PII Security Incidents to the wider enterprise and to the DPO.
- Report PII Security Incidents to the Supervisory Authority.
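The two automated behaviours the deck relies on, the Step 3 rule that a non-compliant assessment outcome opens an issue assigned to the control owner, and the Step 8 / 72-hour rule that a PII security incident must be reported to the Supervisory Authority within 72 hours of the organisation becoming aware of it, can be modelled in a few dozen lines. The block below is an added example written for this page, not ServiceNow code and not the platform's API; it is plain JavaScript that runs under Node. The function names (evaluateControls, openIssues, complianceRate, breachNotificationStatus), the CTL-/ISS-/SIR- identifiers and all sample records are constructed for the example, and the 24-hour DPO escalation threshold is an assumption, not a GDPR requirement.

```javascript
// Added example (not ServiceNow's code): a plain-JavaScript model of the Step 3
// "non-compliant outcome opens an issue" rule and the Step 8 72-hour breach
// notification window. All names and records below are constructed for the example.

// Constructed sample data: controls mapped to GDPR citations, each with an owner.
const CONTROLS = [
  { id: 'CTL-001', citation: 'GDPR Art. 32', owner: 'security-ops', name: 'PII encrypted at rest' },
  { id: 'CTL-002', citation: 'GDPR Art. 30', owner: 'dpo',          name: 'Records of processing maintained' },
  { id: 'CTL-003', citation: 'GDPR Art. 33', owner: 'security-ops', name: 'Breach notification runbook tested' },
];

// Constructed attestation results from a scheduled assessment. CTL-003 has no
// attestation at all; a dashboard must not silently treat that as compliant.
const ASSESSMENT_RESULTS = [
  { controlId: 'CTL-001', result: 'pass' },
  { controlId: 'CTL-002', result: 'fail', finding: 'Register is missing two processing activities' },
];

// Step 3: derive each control's status from its latest attestation.
// Anything other than an explicit pass is non-compliant (unknown is not compliant).
function evaluateControls(controls, results) {
  const latest = new Map(results.map(r => [r.controlId, r]));
  return controls.map(c => {
    const r = latest.get(c.id);
    const status = r && r.result === 'pass' ? 'compliant' : 'non_compliant';
    let finding = null;
    if (!r) finding = 'No attestation recorded';
    else if (r.result !== 'pass') finding = r.finding || 'Attestation failed';
    return { ...c, status, finding };
  });
}

// Step 3: open one remediation issue per non-compliant control, assigned to its owner.
function openIssues(evaluated) {
  return evaluated
    .filter(c => c.status === 'non_compliant')
    .map((c, i) => ({
      issueId: 'ISS-' + String(i + 1).padStart(4, '0'),
      controlId: c.id,
      citation: c.citation,
      assignedTo: c.owner,
      summary: c.finding,
      state: 'open',
    }));
}

// Dashboard figure: whole-number percentage of controls in a compliant state.
function complianceRate(evaluated) {
  if (evaluated.length === 0) return 0;
  const ok = evaluated.filter(c => c.status === 'compliant').length;
  return Math.round((100 * ok) / evaluated.length);
}

// Step 8 / 72-hour rule: track a PII security incident against the notification
// window, measured from the time the organisation became aware of the breach.
const NOTIFICATION_WINDOW_HOURS = 72;
const DPO_ESCALATION_HOURS = 24; // assumption for this example: escalate when a day or less remains

function breachNotificationStatus(incident, nowIso) {
  const awareAt = Date.parse(incident.awareAt);
  const now = Date.parse(nowIso);
  const deadline = awareAt + NOTIFICATION_WINDOW_HOURS * 3600 * 1000;
  const hoursRemaining = Math.round(((deadline - now) / 3600000) * 100) / 100;
  let state;
  if (incident.notifiedAt) {
    state = Date.parse(incident.notifiedAt) <= deadline ? 'notified_on_time' : 'notified_late';
  } else if (now > deadline) {
    state = 'overdue';
  } else if (hoursRemaining <= DPO_ESCALATION_HOURS) {
    state = 'escalate_to_dpo';
  } else {
    state = 'within_window';
  }
  return { incidentId: incident.id, deadline: new Date(deadline).toISOString(), hoursRemaining, state };
}

// Usage: run the assessment, list the open issues, and check a constructed incident.
const evaluated = evaluateControls(CONTROLS, ASSESSMENT_RESULTS);
console.log('compliance rate: ' + complianceRate(evaluated) + '%');
console.log(openIssues(evaluated));
console.log(breachNotificationStatus({ id: 'SIR-0001', awareAt: '2018-05-25T09:00:00Z' }, '2018-05-27T12:00:00Z'));
```

The design point worth keeping from this model is the first rule in evaluateControls: a control with no attestation is reported as non-compliant and gets an issue, so a gap in the assessment schedule surfaces on the dashboard instead of looking like a pass. The deadline clock likewise starts from the awareness timestamp recorded on the incident, not from the time the record was created, which is what the 72-hour requirement is measured against.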
Step 9: Assess Your 3rd Parties' GDPR Compliance
Diagram elements: Privacy Questionnaire, Vendor Portal, Vendor Portfolio, SecOps & GRC.
ServiceNow capabilities: implementing Vendor Risk Management from ServiceNow to:
- Manage the vendor portfolio
- Design a library of assessments, based on questionnaires and evidence collection
- Schedule the Data Privacy Assessments to vendors, based on tiers / risks
- Connect questionnaire questions to GRC controls, so that the vendor's response automatically sets the related control to Compliant / Non-compliant
- Provide an external vendor portal for vendors to respond to the Privacy Assessments pushed to them
- Manage identified issues / actions to resolution to improve vendors' GDPR compliance
Finally! DPO Processes & Dashboard Visibility
Diagram elements: SecOps & GRC.
ServiceNow capabilities: leveraging Performance Analytics and the standard ServiceNow dashboarding / reporting engine to:
- Follow up the level of compliance & risks across various dimensions (groups, units, processes, systems, CIs, information (PII), projects, etc.)
- Manage the DPIAs and their results
- Manage the GDPR control framework and follow the attestations, evidence and indicators of critical controls
- Review the progress of remediation issues & tasks to completion
- Review the progress of PII breach security incidents to completion
- Trend to understand progress towards full compliance and evaluate predictive analytics
- Report to the Supervisory Authority based on evidence
Simplify Personal Data Record Compliance
ServiceNow capabilities:
- Use ServiceNow Customer Service Management to interact with EU citizens.
- Manage requests for personal data updates, transfers, and deletions.
- Provide personal data access for EU citizens through CSM portals.
- Provide GDPR-related information, policies & procedures.
- Manage specific consents (opt-in, opt-out, etc.).
- Supply GDPR risk information directly to EU citizens.
Simplify Personal Data Record Compliance (continued)
The same GDPR requirements apply to more than customers and prospects. Easily manage personal data for employees, vendors, third parties, and other types of EU citizens.
What Are Customers Saying About ServiceNow GRC?
- Productivity gains: "Integrated GRC gave us back over 9000 IT man hours annually. We've reduced our audit data collection time by 93%."
- Rapid ROI: "We were up and running with full functionality in just eight weeks, allowing the quarterly audit activities to proceed without a hitch."
- Reliable, real-time insight: "When we provide results to executives, ServiceNow has done the work for us with accuracy and ease. ServiceNow GRC gives us real-time insight to metrics."
- Proactive risk management: "We are taking our controls framework from being manual and detective to being automatic and preventative and embedded within the processes we are implementing in ServiceNow."
- Cost avoidance: "We're able to avoid large fines, ~$200MM per year, in addition to large audit, consulting, and project related fees, ~400MM per year."
- Significant cost reduction: "Our annual audit costs were reduced by 80%. We're expecting to save on average ~$4MM per year per control automation."
Top Takeaways
1. ServiceNow GRC is scalable to accommodate many new and existing regulations
2. The GDPR can be managed through ServiceNow's GRC application
3. The heavily regulated financial industry can use the combination of GRC and SecOps for GDPR and much more