  • Good afternoon everybody.

  • I hope you can all hear me, see me and see my presentation.

  • So this afternoon we're going to go through and talk about DORA compliance for ICT providers: what you need to do, what you need to know, some of the key things you need to think about and understand, what DORA is, how it's affecting things, all these wonderfully interesting topics.

  • So we will start off in a couple of minutes.

  • I'm going to ask you to be a bit interactive and respond to a few questions because it's going to be useful for me to understand who I've got on the call etc.

  • So first of all who am I?

  • Very good question.

  • So my name is Andrew Paterson.

  • I'm the head of GRC consultancy for IT Governance Europe and I've been working in GRC for, probably, it's nearer 30 years than 20 years; 20 years anyway, probably quite a lot closer to 30 years than 20 years.

  • I'm a certified ISACA trainer.

  • I have a master's in information systems management which was quite a long time ago but we weren't just looking at advocacies we were looking at proper IT even then.

  • I'm the SME within the group in things like NIS, NIS2 which as we may know is a directive, things like the Cybersecurity Framework, 27001, CIS 18, ECC which is a Saudi Arabian standard, and DORA.

  • I've worked in lots and lots of sectors over the years.

  • That's just a few examples of some of the areas I've been helping people affected with DORA for around the last 12 months, helping them to get ready for the deadline which we'll talk about when that is a bit later.

  • I'm also the author of a DORA book, a guide to the EU Digital Operational Resilience Act, and that book is very much a practical guide about what you need to do about it.

  • It's not particularly legalistic, it's about how you develop and implement an ISMS that will meet the requirements of DORA.

  • So just a couple of little slides here about who we are, IT Governance.

  • You've obviously heard of us before because you're sitting on this webinar but we've been in the industry for over 20 years, 12,000 clients, we work globally.

  • The big area of people more familiar with us is in 27001 and GDPR and everything but when you start looking at DORA, 27001 is an incredibly useful vehicle for helping you to deal with what is required out of DORA.

  • It talks about the same sort of things, there's a different emphasis in some areas but we'll go through that.

  • So that's who we are, we've worked with all of these different people, we've got 1300 projects in ISO, we've got our Cyber Essentials and we've got our governance and risk tool called CyberComply which has got almost two and a half thousand customers using it globally.

  • You can see all the information on there, just a little thing on the slides, you will be given access to a slide pack because some of the slides have got quite a lot of detail on them and probably more useful if you come back and read them later because I will not be reading every single line on every slide, I'll be talking around them.

  • So that's that sort of thing.

  • If you're familiar with Net Promoter Scores, that's our things like that over the last whatever you've had to do.

  • So this is where we're going to ask you to do a little bit of interaction and voting and it'll give me a little bit of an idea about who's on the call and maybe I will make sure I mention a few things which are specific to those requirements.

  • So the first question we'd like you to respond to is this one, what is your role in the DORA compliance decision making process?

  • So you've got the choice of this, I am a key decision maker, I influence decisions but I'm not the final decision maker, I am gathering information for my team.

  • So you should get the option there to respond to that question.

  • So I'll give you a little bit of time to do that.

  • It's like waiting for the results of Eurovision.

  • So a few more moments.

  • Okay then, so we've got a few decision makers on there and then it's split between people influencing the decision maker and I'm gathering for the team.

  • So pretty much most of you are finding out more information etc and all that sort of stuff.

  • That's brilliant, thank you very much.

  • Okay the next question, what is your timeline for implementing DORA?

  • We might have a different response at the end of the webinar on this one.

  • Within the next three months, in four to six months, beyond six months or no timeline set?

  • So if you can respond to the questions there.

  • Okay we'll wait for a couple of more responses on that.

  • Okay then, so most of you are talking about probably something in beyond six months.

  • Okay if you speak quicker than that.

  • Okay thank you for that.

  • Next question, what type of support does your organization need most for DORA compliance?

  • So compliance software solutions, consultancy and advisory services, training and education, and so on and so forth.

  • Okay, so what type of support do you need most for DORA?

  • So if you could give us your response on that.

  • A few more seconds.

  • Okay, so on this we've got a pretty much a split, we could be almost across the three areas on that.

  • So thank you very much for that.

  • And now the last question, has your organization allocated a budget for DORA compliance solutions?

  • Yes, we have a dedicated budget.

  • Budget is under consideration.

  • No budget allocated yet.

  • Just a few more moments and then we'll close that poll.

  • Okay then, so mainly no budget allocated yet and a few people have got a budget under consideration, but actually you need to be able to show that you have budgets for cyber security etc.

  • So we'll talk about that.

  • So a couple of things, you will see that you've got the ability to ask questions.

  • If you put questions in there, we'll have some time at the end of the webinar for me to respond to those questions.

  • So if anything comes to mind as we're going through, please put them up.

  • Also, just to remind you, you do actually get a CPD point for this, so you will get a certificate for that.

  • It's always useful for your professional development, do a few webinars and you can make inroads into the amount you need to get through the year.

  • So we're going to go through several of the topics and again some of the slides are quite detailed and you'll have access to them.

  • You may be going to read those later.

  • So it's all about trying to explain to you what DORA is and how we're particularly looking at it, what it means for third party suppliers.

  • So we'll go through all these different things and we will talk to them some in more detail than others.

  • So what's DORA got to do with ICT third party suppliers?

  • Now DORA is the Digital Operational Resilience Act.

  • It's a regulation.

  • So to understand that, that means that it doesn't need to go through parliaments; it's not a directive.

  • So it doesn't have to go through 27 parliaments and be approved.

  • And it's very specific in what it says needs to be covered by the regulation.

  • And they talk about financial entities and they describe what a financial entity is.

  • It's anything which is regulated, okay.

  • Few exceptions etc and all that, but basically anything.

  • And then on the last line, it goes ICT third party suppliers.

  • So if you supply into a financial entity, which is in the European Union, you're going to be covered by DORA, okay.

  • Even if you're not in the European Union, okay.

  • So if you're an ICT third party supplier and you're supplying into a financial entity in the European Union, you're covered by it.

  • If you're a large organization, which is supplying services to a part of your organization, which is in the European Union, okay, you have to comply with the requirements of DORA.

  • So if you're sitting there thinking, all right, so who's that?

  • Does that affect me?

  • This is not a definitive list, but this is because it doesn't actually say in there, what is an ICT third party supplier, but it builds up and gives you some sort of ideas on this.

  • So it's people who are impacted, people who are delivering services.

  • And it is specifically where I'll talk about on the next slide in more detail is that supporting critical important functions, right, or services that the financial entity provides.

  • So there's a quick list there of some of the things.

  • So if you actually look at it, it's very broad on what they mean by an ICT third party supplier.

  • So, you know, GRC risk management providers, collaborative tool providers, desktop service providers, IT service providers, SOC service providers.

  • So if you're working with a financial entity and you're providing any ICT services, you're probably going to be covered by the requirements of DORA.

  • And what do I mean by covered by the requirements of DORA?

  • The next slide gives you a bit of a feel for how the structure works and why it's important to think about where you are.

  • So this is a nice little, nice and colourful pyramid.

  • And it just gives you a feel.

  • So at the top, we've got the EU Parliament, we've got the European Central Bank, we've got the supervisory authorities, the member states, they need to be enforcing this and making sure this happens.

  • And then they have things in their countries called national competent authorities.

  • These are the guys who are going to make sure that financial entities are doing what they need to do with DORA.

  • And then you have the financial entity.

  • And the financial entity needs to make sure that you're doing what they need to ensure that they are going to comply with DORA.

  • Okay.

  • So much so that DORA specifies certain things that need to be in the contractual requirements while dealing with third parties.

  • And when you get into that particular, some of And if you think about it, if you've got third parties working for you who are providing your services to you, which is central to the services that you're providing a financial entity, you're going to have to manage your third party supply chain as well.

  • And this is one of the very key things.

  • It's about improving resilience and operational resilience, not just within the financial entity, but within that supply chain, because there is an understanding of weakness.

  • And that more comes on to what we talk on the next section.

  • So why does DORA exist and what is it?

  • Okay.

  • So this slide is the sort of slide, but when you've got it back and you can zoom it up, but it gives you the, you know, it's about a risk, systemic risk across financial services in the European Union.

  • We all know that with, I mean, I'm old enough to remember when, you know, you had to be physically on a, in front of a machine with a cable coming out the back of it in the same building to get access to things.

  • And we don't work in that world anymore.

  • We've got 24 seven access.

  • Everything is interrelated.

  • So there's so much interconnectivity within all sectors and within financial services that if you get a problem somewhere, it's multiple countries.

  • So it's about building up and understanding this, where the resilience is, because, you know, it's so important that these functions from financial services operate.

  • That's basically how economies don't work.

  • Okay.

  • And if you're an ICT third-party supplier in that chain, it's very important for you meeting those requirements.

  • So what was the key things and what they were talking about when they were developing this?

  • DORA sets out a harmonized approach to digital operational resilience across the EU's financial sector.

  • So everybody has to do it.

  • Okay.

  • Level playing field.

  • It's not like somebody in one legislation doesn't have to do the same.

  • It's why it's a regulation and not a directive, because it doesn't need to go through national law or national parliaments.

  • This is what people need to do.

  • And it's been around since 22.

  • Okay.

  • It's not just like appeared recently.

  • Okay.

  • It's been around since December 2022.

  • And it harmonizes, removes, you know, certain directives, etc.

  • As it's a regulation, it supersedes the requirements of the NIS directive and NIS2.

  • And it sets out certain things expected by financial entities.

  • And this will be new for many service providers.

  • Okay.

  • So you may be doing some of these things, but this is not a tick box.

  • Okay.

  • This is about operational resilience.

  • So this is about financial entities being able to provide their services when bad things are happening to them.

  • Okay.

  • I describe it in one simple way, and we'll go into more detail of this, is if you think about incident management, business continuity, and disaster recovery, which you all probably do, but the volume's turned up on it, it's taking it to the next level.

  • Okay.

  • And it's definitely not tick box.

  • You have to do things.

  • And they're very specific in what they require.

  • So the regulation covers certain things.

  • So ICT risk management, everything is driven by risk.

  • What are the risks to the organization?

  • What are we doing about this?

  • And this is any type of organization.

  • It's very specific in what they need to do about incident reporting.

  • So the financial entity has to report about incidents to the competent authorities if they're happening.

  • You as an ICT third party service provider need to make sure that you are sharing with your financial entity, the correct information in that regard as well.

  • What testing have you got in place?

  • You know, so it is, you might have some nice plans, but if they don't test it, they don't exist.

  • That's a nice sack of view of the world.

  • And that's a good view to have.

  • Testing is so important.

  • And when we mean testing, it doesn't mean, you know, you go and pull the plug out the back of things and see what happens.

  • But if you've got DR site, have you tested it all over?

  • Are you doing tabletop exercises?

  • You know, are you doing this?

  • There is again, in there about information sharing.

  • It's only a small part of it about how organizations can share information.

  • It's particularly in there, but if they want to share information about threats and intelligence, they're not falling foul of competition laws and all that sort of stuff.

  • But one of the big things in there is how they manage their third parties.

  • Instant, you know, ICT service providers about dealing with the risks involved in that.

  • And if we look at it, it requires, so further technical requirements will be set out.

  • So we've got DORA and there's additional technical requirements called in regulatory technical standards, which go into more detail on things and they are being published and approved.

  • So you have to require the DORA requirements and then the regulatory technical standards.

  • They're giving guidance on things like risk tools, you know, and in there they're getting very specific things about what should be in certain policies.

  • Okay.

  • If you're familiar with certain standards, they don't necessarily tell you what you've got to have in policies, but you've got to, you've got to do something.

  • Things about classification of incidents.

  • So there's guidance on that.

  • There's also requirements for third parties to share the contractual information or the financial entity, sorry, have to share the, tell their competent authority who their ICT third party suppliers are and going into the contractual stuff and all that sort of thing.

  • So, so lots of detail in there.

  • And there's a lot of stuff in DORA of telling the competent authorities or the national regulatory bodies, how they work with the other national regulation bodies.

  • Again, this is all about level playing field.

  • Everybody's doing the same thing, better understanding of risks and threats and what's happening, increased speed and understanding of what is happening with incidents, all those sorts of things.

  • So there's, there's a huge amount of detail in there.

  • So key dates.

  • So the regulation entered into force on the 16th of January, 2023, and it will apply from the 17th of January, 2025.

  • So this means it's, it's going to apply.

  • And for non-compliance, and if a problem happens, the regulation allows for large and dissuasive fines.

  • So you think about fines, you think about more what, what's happened with GDPR.

  • Financial entities are not doing what they're meant to do here.

  • And they have a problem.

  • They're, they're, the competent authorities are going to, are going to start fining them.

  • And that's the, an interesting thing when that happens.

  • I think it happened with GDPR.

  • Everybody took that very seriously when, when that all started kicking in.

  • Okay.

  • So just remember that date, 17th of January, 2025.

  • So EU Act with global implications.

  • So, so first of all, so it's European Union.

  • And so if anybody here is from the UK and a third party supplier, it affects you if you're supporting a financial entity in the European Union.

  • It's also defined, and you see this a little bit with the European Union, you'll see it at the moment with the, the regulation on use of artificial intelligence and things like that.

  • They, and also things like, things to do with the Euro privacy certification scheme.

  • The EU is very much trying to set the agenda on these things and be the way that the rest of the world should go.

  • And, you know, they're quite keen on that.

  • So it's going to affect anybody who works with financial entities in the, in the EU.

  • Okay.

  • So it's not just, just don't think about it.

  • It's just those people inside.

  • So if you've got, if you are a third party supplier and you're outside the EU, but again, you're dealing with somebody in the European Union, you know, you are covered by this.

  • And it specifically says you are in there in the regulation.

  • It's about, you know, again, it's about dealing with systemic risk.

  • Okay.

  • So it's making sure that again, financial entities are doing all the things that you can reasonably do.

  • To reduce that risk.

  • Okay.

  • And that will include the services that you provide them.

  • And I mentioned this briefly, and this is a slide that the next, this next two slides, you can look at a little bit more detail yourself, but it's about making sure that there's joined up approach, you know, understanding how and where third parties sit in the supply chain.

  • And they are also have a view that what they're going to do as well.

  • So if you are a third party, say for example Microsoft, AWS, Google, they're actually going to view them on an EU-wide level.

  • So there's going to be an individual or person called a lead overseer, and they will be looking at their compliance from an EU point of view.

  • Because if you imagine, you know, small organizations have no influence on the big IT players, et cetera.

  • And it's very important that they are taken into consideration.

  • Because if you think about it, those, if you just think about Microsoft and AWS, how much of the financial sector supply chain do they, do they actually impact on?

  • And that's very important.

  • It will also apply to certain other suppliers who might not be that big, but potentially in the sector they supply into, based on say the financial entities' coverage.

  • So if you've got two financial entities you're working with, and it's a specific part of the financial services, and you suddenly realize that those two financial entities cover 30% of the market, well, and you're supplying to both of them.

  • If you've got a problem, you could be expecting, infecting or have an impact on 30% of that sector or that function or that service within the European Union.

  • So there's, there's lots and lots of things going on here.

  • There is a slide a little bit there on understanding what the regulators do.

  • But if you see that on the bottom left hand slide, I think that gives you a feel.

  • So you're going to have to be able to show the financial entities that you're meeting the requirements.

  • So the financial entities can show that they are meeting the requirements.

  • This is going to have a big impact on how third-party service providers impact or work with financial entities.

  • It's probably going to mean that some third-party ICT providers are not going to want to deal with the financial entities.

  • It means that if you're doing this well, you've got a really good, strong, competitive place to deal with more financial entities.

  • And when you actually look at the requirements, it's not actually asking you to do anything too strange.

  • It's probably asking you to turn the volume up on what you're doing.

  • But really, when you look at it, you should be doing this stuff anyway, you know, in the new world that we're working in.

  • The way that there are lots of threats out there, and there's lots of things we need to worry about, and there's lots of risks, and there's lots of things we need to do to counter them.

  • So it could be very useful if you get this right.

  • So, January 2025.

  • So this is just the thing.

  • So the reality is that we expect that a lot of people are not going to be particularly conformant by the time they get to the 17th of January.

  • If you are an ICT third-party supplier, you do have time, you know.

  • When we're asking you to have time, you've got, depending on how you count it, eight or nine months to get into place.

  • And you may be, if you're looking at it, and I'm helping people where I go in and do a gap assessment of where they are at the moment and where they need to be.

  • And, you know, a lot of organizations might be doing some of this, or you've got to do a bit more, you've got to document a bit more, you need to be able to show, if required, that you're doing these things.

  • Financial entities are working from it.

  • They're trying to understand what their supply chain is.

  • They're trying to understand where their contracts are.

  • Do not be surprised if financial entities are turning around and saying, right, we need to add additional things into your contracts with us, your service levels.

  • It's things like that your service level agreements and your contracts have to be in one document, you know.

  • There's certain things that if you do not meet the requirements of DORA, the financial entity can terminate the contract.

  • And how does it terminate?

  • What's the exit strategies?

  • How all those sort of things.

  • So there's quite a lot of things going on.

  • We'll also discover that cyber breaches will happen and they will start to be reviewed within the terms of the DORA regulation.

  • So it's pretty important there that you're in as good a position as possible.

  • And again, the key thing is in, it's going to be a bit like GDPR.

  • Until things start happening and they're enforcing them, we don't really know what's going to happen and how it's going to look.

  • So what do you need to do?

  • Some people, not a lot.

  • Some people, a bit more.

  • So, you know, when you're looking at it, you know, we're looking at every work stream.

  • So current cyber security, you know, keep out of trouble, you know, do your pen testing, do all the standard stuff you need to be doing.

  • You know, and hopefully if you are supplying to a financial entity, they'll have come and told you and asked you what you need to do for them.

  • Because it's the financial entity needs to go and do that.

  • Won't be the competent authority coming and talking to you.

  • It's the financial entity needs to be going, this is going on.

  • We have decided that what you are doing is providing a support to a critical or important service.

  • Yeah.

  • And that's what they focus on.

  • And we need to know that you're meeting these requirements.

  • And you probably need to sit down, kick off a program, you know, thinking about it.

  • So you need to make sure that people are being trained.

  • It requires training in a regulation.

  • Okay.

  • Training up to this point in cyber or operational resilience has always just been a good thing to do.

  • Maybe a requirement of a standard like 27001.

  • This isn't a regulation saying people need to be trained.

  • You need to make sure that the roles and responsibilities that somebody takes ownership of risk within the organization, that you have someone designated at the senior level who is responsible for DORA.

  • You know, you need to be able to support the strategies of the financial entities about both on operational resilience and their risk.

  • And just as, you know, if you need any help, there's a very practical guide.

  • I've only mentioned this twice, that book.

  • Okay.

  • But it's a practical approach doing it.

  • It's not legalistic.

  • It's about how you develop your information security management system, because this is basically what you need to do for DORA.

  • You need to have an information security management system in place functioning.

  • So the benefits of DORA compliance, and think about this, and this is maybe how you sell it.

  • Okay.

  • If you do DORA, your services system solutions are going to be more resilient.

  • You're going to be able to support the needs of not only your financial entities who you support, but also your other customers, because you're building resilience into your systems.

  • You've looked at risk seriously.

  • Now you might have already been doing this, but sometimes the experience is that people aren't doing enough on risk.

  • You also understand your supply chain, your single points of failure, all these sorts of things.

  • You could show that you've got regulatory compliance.

  • Okay.

  • There's various ways you could do that, but it could give you that competitive edge when you're dealing with other organizations that we are, we're top notch here.

  • We are dealing with various things that can support the requirements, the standard.

  • So we talked about this.

  • So proactive risk management.

  • Okay.

  • Just a very quick thing about risk.

  • Okay.

  • Then, so if you're ever thinking, why is risk so important?

  • If you think about it, your organization's there to try and deliver value, value to shareholders, customers, financial value, just describe it as value.

  • You need to understand what your objectives of the business are to deliver that value, to meet the requirements of interested parties.

  • You know, yeah, very ISO term.

  • No apologies for that.

  • You then look at what your risks are against delivering those objectives.

  • Now, from an organizational point of view, that's very useful because what you're sitting there doing is if you then have to address your risks, you've almost written a business case because you're associating or making sure that your risks relate to objectives, which relate to what the business is trying to achieve.

  • And the business will always understand that as long as risks are related to that.

  • So you then, you know, proactive risk management leads, then you can do strategic planning.

  • So what do we need to do with rest of these risks?

  • That develops stakeholder, interested party confidence, and it all reads through, but you're supporting your business, your confidentiality, integrity, and availability, all these fun things.

  • And it helps build up your reputation of what you're doing in the business, because no matter what's happening, this regulation will not get less in this field.

  • Okay.

  • If you're not having to do DORA, you're going to have to do NIS2.

  • Okay.

  • So you're going to find that other parts of your business might need to be doing stuff in NIS2.

  • Okay.

  • But if you're doing DORA to the level that DORA requires, you know, you're going to be meeting the requirements of NIS2.

  • So it is, you know, these things are all interrelated.

  • So think about, you know, you've got to think about these things.

  • And this is, this is standard stuff like asset management.

  • So what are you trying to protect?

  • What are your risks?

  • Okay.

  • What are the risks to do that will be specific to your business?

  • Your risks will be very much based on who you're supplying to, you know, all those sorts of things.

  • You know, cyber essential controls frameworks, like cyber essential is a UK one, but we've got things being developed in that on the European basis as well.

  • You know, staff awareness, vendor management, incident management, reporting and business continuity.

  • So just think of, remember that.

  • So years ago, we used to talk about disaster recovery.

  • Then we started talking about business continuity.

  • Then we started talking about incident management.

  • You view them as a journey.

  • So you go incident management, business continuity, disaster recovery.

  • You're good at incident management.

  • You're less likely to do business continuity.

  • If you're good at business continuity, you're less likely to go to disaster recovery, you know, but you can't see they're not in isolation.

  • Okay.

  • DORA, as I said, just requires more of those three.

  • Okay.

  • Reporting, you know, testing, you know, can you show that your resilience is in place?

  • Can you demonstrate that?

  • It requires them to do things like threat-led pen testing.

  • Put my teeth back in for that one.

  • So just a little bit more about how DORA is structured.

  • And this is, as I keep telling people, DORA is a beast.

  • It's big.

  • And the way that they can bring on, like, so you've got the DORA regulation, and then below it, you've got regulatory technical standards.

  • And they're currently developing some of them.

  • They haven't been approved or signed off yet.

  • But there's more information there.

  • Some of it is actually very useful because it tells you exactly what they need to do.

  • But DORA itself is, we could talk about it being five pillars.

  • Okay, you can actually talk about it being one pillar.

  • It's all about risk.

  • So it's risk management.

  • And this is what the financial entities have to deal with: incident management, digital operational resilience testing, third party risk management.

  • So they are going to have to actively, really dig down, understanding what the risks are of using you as a third party service provider.

  • And then there's information intelligence sharing.

  • Okay.

  • And this is regulatory.

  • So how do you do your approaches?

  • How do you manage this?

  • How do you make sense of this?

  • And one of the ways you can do it is use something like 27001.

  • You know, 27001 is the requirements for information security management.

  • You've got 27005 on risk, and 22301 on business continuity.

  • If you implement them, making sure that you've got your interested parties done well, you're acknowledging your risks, your contractual legal and regulatory requirements.

  • You maybe even mentioned DORA in your scope.

  • And when you're doing your risks, you're really focusing on the risks in relation to what DORA is looking at, you can use the ISO standards to implement your DORA.

  • Okay.

  • And it gives you the structure, the information security management system in 27001 gives you the structure to be able to implement DORA within your organization and meet the requirements that that financial entity is going to ask you about at some point, if they haven't done already.

  • So again, this slide sort of shows a little bit more about sort of things that you need to do in the five pillars, where you can get additional guidance and support, and to show you where you need to go on things.

  • So again, maybe have a little bit of a look at that afterwards.

  • And again, with the next slide, you know, again, it's just this is just some information about the sort of thing you need to do.

  • So it's about comprehensive risk assessment.

  • Remember, that's comprehensive.

  • It's not just going through the motions on it, really, really thinking about it.

  • Your robust incident response, that resilience.

  • Part of that is your testing.

  • Okay.

  • Understanding your third party risks.

  • Okay.

  • So whether the financial entity is going to be understanding what risks you are to them, you need to understand what your third party risks are as well.

  • Because we, you know, everybody uses something from everybody else, etc, and all that sort of stuff.

  • And knowledge sharing.

  • And that's one of those key areas.

  • Okay.

  • So it's really those first four we talked about there, which are going to really impact on you.

  • So depending on how you've got to do it, you've got nine months.

  • So hopefully your financial entities have been talking to you about this already.

  • And I'd say if they haven't, maybe want to go and ask them the question.

  • Because else they're going to come to you in the middle of December panicking and saying, you've got to do all this stuff.

  • And, you know, typically, you just about get ready for Christmas, and you have to go and sit there and get ready for a regulation, which comes into, you know, on the 17th, although it has been around for two years.

  • So you need to understand about your key milestones.

  • And I think the thing is that you've got to sit there and you go, who owns risk in your organization?

  • Have you got a comprehensive and effective risk strategy?

  • What's your DORA operational resilience strategy?

  • Are you doing training?

  • Do you understand your single points of failure?

  • You know, have you done things like a business impact analysis, you know, part of business continuity?

  • And that's really good at showing what's your critical systems, etc.

  • Hopefully financial enterprises and entities are doing this.

  • That's why they've worked out whether what you do for them is critical or important, and needs to be supported from a DORA point of view, all these things.

  • But the key thing is, it's time to act now.

  • Because January isn't that very long away.

  • And actually, if you look out the window today in, I'm in Northern Ireland, it feels like January.

  • So it's not long away, it is not long at all.

  • But you need to speak to your financial entities to understand what they're expecting from you.

  • And they should be talking to you, you know, it's a key thing.

  • Because there's lots of things to do.

  • So how IT governance can help you on the DORA journey?

  • Okay, so we've got several things that we can do is, I think one of the things that we've got to understand now we've gotten to this point there's so many things you need to comply with GDPR, DORA, NIS2, all these other sort of regulations, PCI, PSD, all these sort of things.

  • And it's a bit like, well, how do I do this, etc.

  • And all that sort of thing.

  • So having a tool, we're going beyond spreadsheets, okay, particularly for risk, having a spreadsheet works to a certain point, I used them for years, got very comfortable with them.

  • But you're sitting there going beyond the spreadsheet.

  • So you need to have a tool.

  • So again, look at the details on this afterwards.

  • But you know, it is something like our CyberComply, gives you the ability to manage all those things, you can do incident management, you could go and have audit, the auditing tool, you know, show that you are auditing things, you will be able to show how you are dealing with what controls you are using to address the risks that you've identified.

  • And all these things are about and you can do your GDPR, your data flow mapping, huge amounts of stuff within the CyberComply environment.

  • And this very detailed, very trendy little slide here gives you the view of sort of things that you need to do, where various standards and requirements sit in, and how the CyberComply application can help you with that.

  • And the next slide is just an example.

  • So this is just some of the stuff on there.

  • So what you also get within it is that you get, you know, information security standards, you know, sources of information, how you can build up your controls for dealing with your risk.

  • There's an incident management module in there, there's a DPIA toolkit, there's a GDPR manager, there is supplier risk in there as well.

  • Just bear with me a second.

  • Pardon me.

  • And then there's toolkits.

  • And very soon there will be within there a DORA toolkit.

  • So you'll have the documentation.

  • Now the DORA toolkit is basically additional documentation and guidance and notes to support what you'd be using for doing a 27001.

  • Because remember, 27001 is a very flexible thing.

  • And it's based on your context, your interested parties, legal regulatory requirements, and risk, you can make 27001 address whatever you want.

  • It is a proactive, that's the wrong word, it is a very flexible way of dealing with it.

  • And it gives you that structure for an information security management system.

  • And because you can go and get external accredited certification by an external body, it gives you some way of showing somebody independent verification that you're doing this.

  • Okay.

  • And particularly if in scope statement, you mentioned DORA or operational resilience, it's a key thing.

  • Because as well as if you're supplying people in the financial sector in the European Union, you might be doing that in the wider world.

  • And so you go to Singapore, you go to the UK, they're all requiring some sort of stuff about operational resilience.

  • So it's very, very good.

  • And we can also develop, we do consultancy, gap analysis, all those sort of things.

  • We can do the threat led pen testing for you.

  • So all these different bits of it.

  • And that's a little bit about who we are, what we what our background is, etc.

  • So we can do all the bits that you need to get you through your DORA journey.

  • Because it's going to require quite a bit of effort.

  • So if you go and look at the links on this information, or go onto our website, you can see that on training, we do a foundation, which is a day course where you sit there and go, this is what DORA is.

  • I talk about this for a day.

  • Okay, so this is a bit condensed.

  • And there's a lot more to talk about.

  • Practitioner, four day course.

  • Okay, how do you implement it?

  • Gap analysis, come in and do a gap analysis.

  • Well, how long that takes is depending on how big you are, how complicated you are, lots of things.

  • We do self-awareness e-learning courses.

  • Now remember, you need to do e-learning.

  • Okay, very, very, very important.

  • Okay, it is a requirement for people who are aware, okay, of what they need to do.

  • You can then sit there and go, you could go and also do lead auditor training course.

  • So if you want somebody to learn how they can go and audit against the regulation, again, so that you can see where your gaps are, where your nonconformities are, but also that you've got a record, can you show that we are auditing against this?

  • Again, if you ever have to show that to the competent authority, very, very important.

  • And then there's another course there, which is on the compliance officer.

  • Okay, how do you compliance people make sure you're doing DORA?

  • You know, so there's lots of things on that.

  • So take a bit of time to look through the slides when you get them.

  • That's the contact things.

  • So we'll work anywhere.

  • We don't care what time zone you're in.

  • And we work with all over the world.

  • We do customers all over the place.

  • And we can do lots of things.

  • So first of all, questions.

  • So has anybody got any questions?

  • So I've got one here.

  • So how would I define my third party risks?

  • And how would I set those requirements?

  • And again, the easiest thing, I mean, with risk, if anyone wants to do a five day course on that, I teach CRISC, which is the ISACA qualification on enterprise risk management.

  • But you can go and do things.

  • So the key thing with your risk is you need to understand what you're trying to achieve.

  • And you're looking at the risks in relation to that.

  • And you need to basically be documenting them.

  • You need to work out what your current risk state is, what your residual risk will be, what controls you need to implement, who owns the risk, how you're progressing on the risk, reviewing the risk.

  • And you need to be able to show that you're doing this.

  • You're also going to need a policy, a strategy, and all those sort of things.

  • That's where something like a tool like CyberComply can make things a lot easier for you.

  • Over time, the management, and you can relate risks to documentations, lots and lots of different things, and to tasks.

  • So you can task people to deal with things and implement controls and all that sort of stuff.

  • And it gives you that ability to manage risk going forward.

  • So I think that may have answered that question.

  • Have we got any more questions?

  • Because I can't have answered everything because it's too big a subject.

  • Let's just see.

  • Let me make sure I'm looking at the right place.

  • Okay, I have another question.

  • Right, let me see if I can.

  • How far away from DORA can I answer?

  • Right, okay, that's a very good question.

  • How far away from DORA compliance are organizations that are on a very high level for both an ISMS and a BCMS?

  • Okay, the question there is, if you've designed your ISMS and BCMS, business continuity management system, so two things.

  • If you've designed it with DORA in mind, you're probably very close.

  • But if you've got an ISMS which is in place, but you haven't considered DORA, you're not going to be close because there are other things to do it.

  • So if when you've sat there, you've gone right, the context of the organization, we are a supplier to the financial entities.

  • We are suppliers to a highly regulated market.

  • We have acknowledged that we have an interested party, which is potentially a competent authority, although the financial entity is who we deal with.

  • So you know that you've got to be able to do things that a competent authority is wanting you to do.

  • If you've sat there and you've mentioned and you acknowledged and you've got in your contractual legal regulatory requirements, both DORA and anything specific the financial entity is asking, you've then got a scope on your certification, which is, doesn't maybe explicitly say DORA, but you mentioned that our scope is to cover the requirements of DORA there.

  • You can word this in many ways, and you have done your risks based on what is going to be the requirements of DORA and taking those into consideration, you'll be a long way there.

  • So if you're in an ISMS at the moment, and you've got a mature system in there, and you haven't quite done all this bit, you go through your continuing improvement process.

  • So at least you've got the frameworks to do stuff, and you basically, you're going to be sharpening your pencil on things.

  • Being more to the point, making sure that you're specifically doing these requirements, looking at the regulatory technical standards and going, is there anything in here where I need to enhance my pen testing or my vulnerability management or my access control?

  • But if you've got a well implemented, well-defined ISMS and BCMS or combined system, you're in a good place to make sure that you deal with the requirements of DORA.

  • You've got your structure in there.

  • Okay.

  • So I think I've answered that question.

  • Any other questions?

  • I will give you a couple of more moments if people want to ask me anything else.

  • Who's going to win on Saturday, Man United or Man City?

  • Manchester City, probably.

  • But that's not the sort of questions you want to ask me.

  • So any more questions on DORA or anything like how you'd use 27001?

  • One thing, actually go back on just one point there on the ISMS is that one thing you have to do in DORA, which is a little bit more of a slight change.

  • So if you're doing your risks quite well, so if you've got 27001, we talk about confidentiality, integrity and availability.

  • DORA talks about authenticity as well.

  • So you'd have to look at your messages, your risks with how that would affect it.

  • So you need to look at authenticity.

  • Now, they specifically take authenticity.

  • You could argue that authenticity is a subset of integrity, you know.

  • So just remember that if you're going to have to add that into your risks.

  • Okay.

  • Right.

  • So let's see.

  • Okay.

  • So let me have a look.

  • I've got some more. Okay.

  • Penalty for non-compliance.

  • Okay, good one.

  • Likelihood of enforcement and how seriously will it be taken?

  • Very seriously.

  • Because it hasn't happened yet, it's a bit difficult, but I think the GDPR, but when they talk about, so you look at NIS, it talks about a percentage.

  • It talks about the enforcement as being significant and dissuasive.

  • So how big is a fine got to be to make a major bank decide that they don't want to get fined?

  • Okay.

  • You know, so I think it's going to be the financial entities who are going to be fined in this, but then again, you've got contractual implications if you are a supplier into that.

  • So I think it's work on the principle it's going to be like GDPR and some of the things on GDPR, you know, BA or International Aviation Group, was it 180 million they got fined or tried to fine?

  • Okay.

  • Let's see.

  • Now I did see some, just bear with me a second.

  • I thought I saw some more questions.

  • But, ah, yes.

  • Okay.

  • Who will enforce?

  • Right.

  • So enforce.

  • So it's down to competent authorities.

  • And there's a requirement on auditing in there of your risk management system being audited annually.

  • Okay.

  • So this would be driven by the financial entities.

  • They had to return submissions about how many people have, what their supply chain is.

  • So they supply.

  • So if you supply in that, all information will be going to the competent authorities on that.

  • So the enforcement will be due by the competent authority within the region, within the jurisdiction.

  • Okay.

  • Let me just see.

  • So penalty is the likelihood for that.

  • So let me just see.

  • Okay.

  • Right.

  • So where do you start if you're new to DORA?

  • Right.

  • New to DORA.

  • So I guess our foundation course is a real good place.

  • Well, you've started in the right place.

  • You're at least asking the question.

  • You've turned up on this.

  • So doing that.

  • There is our foundation course is a very good place to start.

  • It's a one day course.

  • You get a certificate.

  • You've got an exam at the end of it.

  • So that's a pretty good one to do.

  • And it is.

  • Yeah.

  • So that's where I do.

  • Then maybe look at the book.

  • Look at the competent authority will start producing information depending where you are.

  • But if you're looking at the competent authority in Dublin, the Bank of Ireland, they haven't produced anything on Dora for months.

  • They've just got one page on it.

  • Okay.

  • We provide IT services, financial entities in multiple EU countries.

  • How is a competent authority chosen?

  • Okay, then.

  • Right.

  • The competent authority is in that jurisdiction.

  • So it's where somebody is registered.

  • So you find, you know, a lot of organizations are registered in Cyprus, Luxembourg.

  • So a lot of UK companies will be if they've got a European part of them, will either be registered in Luxembourg or in the Cyprus, for example.

  • If you are a financial, if your IT company is supplying into it, they're all going to have different competent authorities, but the requirements are going to be exactly the same.

  • That's why they made it a regulation.

  • So it's reasonable.

  • Okay.

  • An ICT provider should accept that the financial entity will ask to, yeah.

  • Penetration.

  • If you are a third party supplier to a financial entity and you are providing services, which they support, they're critical, important services as they define them, they will be wanting to do pen testing on those.

  • Yeah.

  • And it should contractually be set out that they're allowed to do it under DORA.

  • Yeah, that one, let me just see.

  • How do I, how would I define my third party risks and how would, yeah, I've already done that one.

  • Sorry.

  • I've answered that question.

  • Yeah.

  • Is competent authority in a jurisdiction any different from that for ISO 27001?

  • Yeah, we don't talk about competent authorities in ISO 27001.

  • So competent authority, so the best way to think about, you'll probably come across it more, is whoever enforces GDPR in the country.

  • They're a competent authority for GDPR.

  • If you do things with NIS, you'll know there's competent authorities for whatever sectors you're working with.

  • So what you would say in your 27001 is the competent authorities would be an interested party potentially.

  • You'd say your financial entity, but you're definitely thinking about competent authority would be an interested party in that.

  • Okay.

  • I think I have answered all the questions there now.

  • If anybody has any more questions, please add.

  • Okay.

  • Right.

  • Okay.

  • I will give you, we're coming up to the end of it.

  • Well, thank you very much for your time.

  • Hope you all found that useful and good luck on your DORA journey.
