The Guidelines are Clear – P2
(This is Part 2 of a three-part analysis)
Following our introduction to the MFSA 2020 publication “Guidance on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements” carried in our May Newsletter, the following is the second part of the feature. In the first part of the feature we highlighted the high level principles adopted and we continue in this feature with the Technology Arrangements presented next in the publication.
The MFSA Guidance document presents the essential characteristics of Cloud computing by referring to the NIST Doc. 800-145 defined characteristics, namely:- On demand self-service; Broad Network Access; Resource Pooling; Rapid Elasticity; and Measured Service. In this context, the cloud infrastructure is the collection of hardware and software that enables the above five essential characteristics.
The MFSA document identifies a number of cloud computing service models, namely: Infrastructure as a Service (IAAS); Platform as a Service (PAAS); Software as a Service (SaaS); Anything as a Service (XaaS); Business Process as a Service (BPaaS).
In defining the Computing Deployment Models the document again refers to the NIST framework (3.3.1-3.3.4) namely: Private Cloud; Community Cloud; Public Cloud; Hybrid Cloud which NIST defines as a combination two or more distinct Cloud infrastructures that remain unique entities; and Virtual Private Cloud (VPC). The Guidance document confirms that the complex variety of Cloud service options available “in most cases involves complex outsourcing and sub-contracting chains, and which therefore demands a well-defined shared responsibility model with respect to security and compliance obligations at every stage in the chain”. All too often it is not just about acquiring the best technologies, but about finding the most appropriate technologies and integrating these into a seamless infrastructure that is secure and up to the demands of the organisation.
The Guidance doc highlights the importance of shared responsibilities for different cloud service models and refers to Microsoft’s framework as shown below:-
It also refers to isolation in virtualised environments where multi-tenancy provides benefits through multiplexing physical resources and services providing cost benefits as these costs are shared between customers and related parties. The MFSA Guidance Document confirms that Isolation is a core security challenge in virtualised environments and cloud services. Cloud Infrastructures are generally designed and implemented in a way that mitigates against threats to data confidentiality, integrity and availability. Isolation measures implemented by CSPs at various layers and across different virtualised resources need to be understood.
Monolithic, microservices and serverless architecture are also referred to in the MFSA Guidance document recognising the fact that legacy financial services monolithic core software platform architecture, or one enhanced with classic Enterprise Service Bus integration leveraging centralised storage, is proven in the field to be stable and largely cyber resilient. However these systems have been made obsolete in many ways and are being replaced with more modern and flexible solutions such as Microservices and/or Serverless architecture solutions. The Guidance document confirms that within this more complex infrastructure firms need an IT architecture that meets current demands for connectivity to anything, anywhere, any time. As APIs are becoming a key competitive factor in the industry firms need a loosely coupled architecture to allow for adoption. IT modernisation or greenfield deployments must be considered broadly, deeply and strategically.
The issues of unrestricted audit, on-site and remote access and information gathering and investigations are also addressed in the Guidance doc since MFSA requires arrangements by regulated entities for such access. Similarly, Security Monitoring, DLP (Data Loss Prevention), eDiscovery, and forensic capabilities are also addressed in the document. In the consumption of cloud services over the Internet, the Guidance Document notes that the Internet Technologies provide firms with no control over the traffic that traverses the public Internet. This can cause service failures that may result in performance problems.
ICT & Security Risk Management
The next section of the Guidance Document specifically deals with the internal governance and risk management measures that Licence Holders should take to manage risks associated with Technology Arrangements, their operations, and data therein. It recognises that ICT is a major enabler of business continuity, particularly through effective Disaster Recovery Planning and Business Continuity Planning (BCP). Although BCP can be broadly defined, in the context of the Guidance Document it is taken to be the availability, continuity and recoverability of ICT services and information assets.
The ICT governance is therefore needed to ensure the effective implementation of ICT and security risk management. The Guidance Document contends that “the Management Body of the Licence Holder should ensure that there is an adequate internal governance and internal control framework in place covering ICT risk management as part of an overarching operational risk management framework, in accordance with all applicable legal and regulatory requirements, and sector-specific guidelines”. Furthermore, the Management Body should set clear roles and responsibilities on ICT management, cybersecurity/information security management, as well as business continuity management.
Senior Management should ensure that the organisation has enough human resources with the necessary skill sets to support the ICT operational needs, including effective ICT risk management on an ongoing basis, and to ensure the implementation of the ICT strategy. It requires that “Senior Management should also ensure that all staff involved in ICT operations and ICT risk management receive continuing professional development, training, or (re)certification commensurate with the individual’s roles and responsibilities as required. Furthermore, Senior Management should ensure that all staff in the organisation are suitably trained, at least annually, on information security through cybersecurity awareness initiatives in accordance with the organisation’s information security framework”.
The Guidance Doc holds management responsible for the overall accountability for setting, strategy as part of the overall business strategy as well as for the establishment of an effective risk management framework for ICT and security risks. It goes on to state that “ICT strategy business strategy and should define: a) effectively support and participate in their business strategy, including the evolution of the organisational structure, ICT system changes and key dependencies with third parties; b) how the ICT operations and ICT risk management organisational structure need to develop accordingly; c) clear information security objectives, focusing on people, process and technology (i.e. ICT systems and ICT services).”
With regards to the ICT Risk Management the three lines of defence module (3LOD) put forward in the Basel Committee on Banking Supervision 2011, Principles for the sound management of operational risk, is recommended. It describes how Pillar 2 of Solvency II effectively delineates internal control and compliance as the second line of defence. This separate to operational risk management practices and processes which form the first line of defence. Internal audit provides reasonable assurance as the third line of defence. The guidelines provide detailed references as to how these three activities need to be implemented and co-ordinated.
In dealing with Information Security the Guidance Document confirms that there is no one-size-fits-all approach. It recommends that Licence holders should, under the principle of proportionality, consider internationally recognised standards and frameworks such as ISO/IEC 27001:2017 (particularly in conjunction with 27002:2013 and/or 27017:2015), the NIST Cybersecurity Framework, or CIS Critical Security Controls and their security objectives, when implementing their security control framework. Licence Holders are encouraged to “develop and document an information security policy, approved by the Management Body, that: a) defines the high-level principles and rules to protect the security framework tailored to meet business objectives and regulatory requirements; and b) should be based on the relevant results of the risk assessment process, as well as sector-specific compliance requirements”. The Guidance Document provides extensive detail as to the minimum requirements and the manner in which such a policy is developed and implemented.
In dealing with ICT Operations Management, the Guidance Document contends that Licence Holders should manage their ICT operations based on documented and implemented processes and procedures. Amongst the various obligations listed in this regards, the Guidance Document contends that “Licence Holders should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should beset in line with business recovery requirements and the criticality of the data and the ICT systems, assessed according to the performed risk assessment. Testing of the backup and restoration procedures, including ensuring that the procedures are in line with the information security policy, should be undertaken on a periodic basis”. Licence holders ae expected to act proactively to minimise the impact of adverse events and enable timely recovery. They are expected to have in place “appropriate processes and organisation structures to ensure the consistent and integrated monitoring, handling and follow-up of operational and security incidents to ensure that the root causes are identified and eliminated preventing the occurrence of repeated incidents”.
The ICT Project and Change Management issues are also dealt with in the Guidance Document. This calls for Licence Holders to implement a programme and/or project governance process that defines roles, responsibilities and accountabilities to effectively support the implementation of the ICT strategy. Licence Holders are required to appropriately monitor and mitigate risks deriving from the portfolio of ICT projects. Such oversight needs to take into account any risks that may result from interdependencies between different projects and from dependencies of multiple projects on the same resources and/or expertise. Under the principle of proportionality Licence Holders should establish and implement an ICT projects portfolio management (also known as programme management) framework, and project management methodology that fits their scale, complexity, and nature of the business.
The challenge of Business Continuity Management is referred to once again in the Guidance Document by requiring Licence Holders to “have business continuity arrangements as part of their operational risk management framework, in accordance with all applicable Acts, Regulations, rules or sector-specific guidelines, and having regard to the nature, scale and complexity of their business. As part of sound business continuity management, Licence Holders should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively, using internal and/or external data (e.g. third party provider data relevant to a business process or publicly available data that may be relevant to the BIA) and scenario analysis. The BIA should also consider the criticality of the identified and classified business functions, supporting processes, third parties and information assets, and their interdependencies. BIAs should result in Business Continuity Plans (BCPs) based on a range of plausible risk scenarios, including extreme ones such as major cyber-attacks or a systemic failure of a cloud service provider upon which critical or important Licence Holder functions depend. BCPs should be documented and approved by the Management Body.
This feature highlights the detail set out in
the MFSA Guidance Document which provides an insight into the level of
complexity and sophistication of ICT frameworks and operations within the
regulated sector. For the non-regulated entities, these guidance notes serve as
a best practice benchmark and provide relevant perspectives to the manner in
which ICT systems, processes, infrastructure and operations need to be
integrated to provide a secure and reliable environment for the operation of