Search Results


The trend in Big Data analytics among companies shows no sign of abating, with companies covetously collecting vast amounts of data in the hope of harvesting market differentiators. A study by open-source research firm Wikibon, for instance, forecasts an annual Big Data software growth rate of 45% through 2017. But what tools are companies using to implement Big Data solutions? For purposes of this article, let’s set aside for a moment the intended outcome of whatever Big Data project your company has planned in the coming year (whether it be predicting the outcome of Supreme Court cases or helping a baffled spouse pick out the right lingerie set), and instead let’s focus on the tools available in the industry (and some of the associated pitfalls) for getting your company from concept to solution.

First, consider how you are going to store and analyze the data. For companies with significant internal resources and a focus on Big Data, it may make sense to hire an in-house analytics team and invest in the requisite infrastructure and tools. However, there are many options in the marketplace that require less investment in order to gain actionable insights:

§ Database Marketing Outsourcing: An end to end service often used by retailers in which a supplier licenses data and provides data mining analytics, marketing campaign sales management and analysis, and other ancillary functions.

§ Analytics-as-a-Service: A “software-as-a-service” offering through which a supplier can quickly deploy data analytics resources without an upfront investment from the customer. AaaS offerings often draw data from external data sources as part of the services.

§ Data Warehouse: A central location to store copies of data from multiple sources. Data warehouses vary in complexity from providing a relatively simple datamart to performing more complex functions such as online transaction processing. Generally, data is cleansed, organized and categorized in a manner to facilitate a customer performing its own analysis and reporting with the data.

§ Public/Private Cloud: A private cloud provides easily scalable solutions that can be customized by the customer on a cost-effective basis. The public cloud is generally the lowest-cost option, but perceived risks in security and privacy prevent many companies from utilizing this option.

As the lines blur in these services offerings, we are seeing more analytics and cloud services bundled into a single offering within the industry.

Once your company has determined a solution for implementing your Big Data project, what are a few pitfalls to watch out for?

§ Beware of the Supplier Form Contracts: It may seem obvious, but supplier contracts are almost always going to be very one-sided in favor of the supplier and negotiating is unlikely to give your company the same protections you will get when starting with your own form. If possible, advocate for using an alternative, customer friendly form. If you don’t have the leverage to use an alternate form, then just focus on the key terms (see below for a starting list of them).

§ Identify the Data “Pedigree”: What data is going to be used in order to implement your solution? What is the source of the data? Will external data be combined with your company’s internally sourced data? Key questions for you to ask your supplier are: (1) where did the data come from, (2) how will the data be used as part of the solution, and (3) does the intended use of the data match the scope of the consent for which it was given? Ensure that the supplier has the right to use the data and that the use of the data matches the original scope of consent given by the individual who gave it.

§ Define Your Rights to Supplier Data: If you anticipate using any supplier-furnished data as part of your Big Data solution, then you need to ensure that you have clearly defined license rights to the data. Typically, a supplier will license its data for specified terms that expire at the end of the agreement. However, once data licensed from the supplier has been integrated into the customer’s own data, it cannot readily be removed, and removal may prove expensive. In order to protect your company, try to secure unlimited perpetual licenses to any data that is integrated with your own data. As an alternative, if you cannot obtain a perpetual license, then the supplier should bear the expense of removing its data from your data at the end of the relationship. For example, if you are in the business of creating aggregated customer records or scorecards, where supplier data is merged with your data, then extracting the supplier’s data will be an expensive and difficult thing to accomplish, and may be detrimental to your business.

§ Limited Supplier Termination Rights: Suppliers often ask for a right to terminate an agreement for convenience, or at minimum, for the right not to renew an agreement at the end of an initial fixed term. Generally, it is acceptable for a customer to push back on these terms and argue that the supplier should only be able to terminate for material breach in limited circumstances. However, it is not unrealistic that a supplier may have sound reasons for not wanting to renew an agreement (e.g., lack of predictability in the market, material changes in the service). In any case, you should ensure that you have sufficient notice and time to transition your data back from the supplier so that service is not impacted by the termination. The contract should impose an obligation on the supplier to provide an actual plan for how the supplier will complete the transfer activities.

§ Protect Your Customer Relationships and Data: Data analytics companies often rely on data you provide to improve their databases and enhance the services they offer all their customers.   They may also use the data you provide about your customers to establish their own contractual relationships and/or market other services directly to your customers.  While these arrangements may be acceptable in some contexts, make sure that they are clearly defined and that you have considered the implications of the data analytics provider’s business model on your business and customer relationships both during and after the term of your contract.

§ Data Security: If the data analytics provider will store or process your customer or other proprietary data in a cloud environment, the contract should impose clear data security obligations on the provider, including defining standards of care, SSAE 16 or other security audit requirements, and notification obligations following any unauthorized access or disclosure of your data.

§ Allocation of Risk: Form contracts will often allocate most or all risks of using a data analytics solution onto the customer, even for claims that may arise through no fault of the customer.  Likewise, the limitations of liability in form contracts will often cap the provider’s liability at a negligible amount while exposing your company to unlimited liability.  In most cases, it will be appropriate to negotiate a more balanced allocation of risk between the parties.

Keep these issues in mind whenever you are considering your next Big Data solution, and take the first steps toward minimizing some of the risks inherent in data analytics.


Any company that uses information technology is a potential target for data theft, advanced malware and other cyber threats. Cyber threats have emerged as a growing systemic risk, particularly to the financial sector, in which Financial Market Infrastructures (“FMIs”) are increasingly under attack from a wide range of players, at greater frequency and growing levels of sophistication. Regulators, standards bodies and other authorities around the world are giving a high priority to cybersecurity for these reasons. This post summarizes what regulators are doing in Europe to address these threats and describes some of the actions companies everywhere can take to minimize their exposure.

What are EU regulators proposing to improve FMI cybersecurity?

The European Commission has initiated a push to “protect open internet and online freedom and opportunity” by 2020. This initiative includes combatting cyber-attacks against information systems, establishing an EU cybercrime centre and coordinating Emergency Response teams, cyber-attack simulations and national alerts among all EU Member States. These efforts are also intended to align with the international fight against cybercrime. The next five years will see an increase in costs as FMIs and regulators pay to rapidly update single FMIs and solidify an EU-wide cybersecurity structure.

With a number of new regulations coming down the track in the EU, such as the General Data Protection Regulation (“GDPR”) and the Network and Information Security Directive (commonly referred to as the “Cybersecurity Directive”), the implementation of the Principles for Financial Market Infrastructures (“PFMIs”) into the regulatory frameworks of many jurisdictions worldwide, and the proliferation of standards such as the US’s NIST Cybersecurity Framework, FMIs are faced with significant investment and operational costs as they pay increased attention to improving their cyber-threat prevention, monitoring, detection and recovery capabilities. Such regulations seek to impose 1) notification and reporting requirements on critical infrastructure providers and data controllers, specifically including financial institutions; and 2) near-immediate recovery times in the event of cybersecurity breach incidents. The minimum standards for cyber risk management in the EU are not expected to vary by type of FMI.

The Bank for International Settlements’ Committee on Payments and Market Infrastructures (“CPMI”), a global standards setter charged with promoting the safety and efficiency of payment, clearing, settlement and related arrangements, thereby supporting financial stability and the wider economy, considers that the inability of FMIs, following an attack, to quickly resume operations in a stable state could cause systemic risk through transmission to the wider financial system. Hence Principle 17 of the PFMIs states that FMIs should implement business continuity plans that ensure critical IT systems “resume operations within two hours following disruptive events” and are “designed to enable the FMI to complete settlement by the end of the day of the disruption, even in the case of extreme circumstances”. The overall objective of the PFMIs is to promote stability and efficiency in the financial system. CPMI concludes, however, that in the context of an extreme cyber event, a two-hour recovery objective would be extremely challenging for many FMIs.

As FMIs move towards faster recovery targets, they will likely experience three main areas of increased costs:

  1. An initial update of equipment, software and staff, along with periodic updates thereafter;
  2. Drafting of internal policies, procedures and training programs that are regularly updated and tested for efficiency and vulnerabilities; and
  3. Improved capabilities to detect cyber threats, which will correspondingly increase the need to record, respond to and report those incidents, in some cases to multiple regulatory bodies.

Regulators have also increased the incentive for FMIs to invest the above costs in improving cybersecurity by threatening hefty fines for financial institutions found to be non-compliant. Under the EU’s Cybersecurity Directive, businesses will be fined a percentage of their revenue, though such penalty may be eliminated absent intent or gross negligence. The level of regulatory scrutiny an organization receives may depend on its role in and impact on market-wide cybersecurity, meaning the bulk of security audits will probably target high-risk industries and businesses like FMIs. Likewise, under the GDPR, the European Parliament proposes that sanctions be up to 5% of annual worldwide turnover or €1,000,000, whichever is greater. In preparation for and response to these regulations, FMIs must balance the costs of upgrading and maintaining their cybersecurity with the risk and cost of sanctions.

What should FMIs do next to meet cybersecurity challenges?

Putting in place appropriate contractual and governance safeguards is paramount. FMIs need to ensure that data loss and corruption caused by the service provider will amount to a breach of contract, though if the service provider is able to restore data from back-ups and does so within the time period stipulated in the contract, the service provider arguably should not suffer further liability to the FMI. A truly comprehensive program requires managing cybersecurity in an integrated fashion using a combination of in-house and third party resources.

The complexity of IT environments and the increasing sophistication of bad actors make this a difficult situation to manage and control without outside assistance.  All facets of IT are at risk, from applications to centralized infrastructure, to even the most mundane endpoints.  FMIs and their outsourcing partners would do well to focus primarily on isolating network components and important information, as well as managing personnel interfaces with network and data access points. Several isolation strategies are key to cyber resiliency:

  • Ramp up in FMI compliance with new regulations will drive opportunity for the IT services sector, with the adoption of new technologies and practices such as VMs and VDIs (virtual machines and virtual desktop images), which can be reset to a known “golden state” to, in effect, remove malicious software installed by a cyber-attacker, and heuristic monitoring that is used to detect anomalies such as abnormal usage of an application or abnormal transaction behaviour.
  • FMIs may set up processes to capture transaction and other important data in near real time and store that information outside the main or central system. Frequent reconciliation against the stored records could assist with ongoing detection of corrupted or fraudulent transactions and cyber-intrusions, or during recovery to return the system to the “golden state”.
  • To avoid significant data losses, FMIs should ensure that back-ups are made at regular intervals by the service provider and that the back-ups are also regularly tested to confirm that it is possible to reload the data. If a loss of data occurs, the stored information can then be reloaded from the latest available back-up.
  • The access points of any FMI network should be limited by reducing the number of internet gateways and whitelisting software.
  • Incorporate a “defence in depth” strategy, which layers systems and system components and builds firewalls within the network. If one component is then compromised, an attacker cannot reach another component without breaching a further obstacle. Internet-facing applications, such as e-mail software, are considered to be of greatest risk and should therefore be a top priority for isolation from core system components.
  • Install proactive measures such as hacking back, encryption of stored information so that a user must enter a key before opening it (the data is held as ciphertext), or cryptographic defences that encrypt sensitive data in transit, from HTTPS to VPN clients.
  • Keep confidential or critical information in separate storage systems, ideally at a separate data centre. Different systems covering different functionalities within an FMI, for example wholesale and retail payment systems, may be set up as each other’s backup system in the event of a security breach.

An integrated approach to cyber resiliency covers not just an FMI’s IT infrastructure, but also personnel, procedure and communications. Often the most severe data security breaches “result from inadvertent or deliberate acts of employees or contractors”. Disgruntled employees are a high risk area, as data can easily be sent into the cloud and physical copies do not need to be removed to create a data leak. Strategies to limit personnel-rooted cybersecurity vulnerabilities include:

  • FMIs should require service providers of IT and other outsourced services to warrant that only personnel who are properly vetted, by the Disclosure and Barring Service in the UK or a similar body elsewhere, have access to the service infrastructure.
  • An FMI’s entire staff – operational, senior management, board level and service provider personnel – should be involved in the drafting and implementation of security and recovery plans and procedures.
  • Organization-wide password management, locking of computers when not in use and physical security of data storage centres should be considered as a governance issue.
  • FMIs may also want the contractual right to interview key provider personnel and/or to require that personnel it objects to are removed from the service provision arrangements. Service providers are likely to resist inclusion of such provisions, so balancing risk versus cost should be the key metric in drafting an agreement.
  • In this era of Bring Your Own Device (“BYOD”), employees expect to access FMI systems from their own computers, tablets and phones. Security of these devices is often in question, particularly if multiple users have access to the device, so two-factor identity verification prior to access should be standard.
  • Encryption before transmission of information between the FMI’s premises and the service provider’s premises or between both such locations and any other remote access location may also be desirable.

The Big Picture

FMI efforts to integrate and manage compliance with cybersecurity regulations in outsourcing arrangements should start early and continue throughout the contracting lifecycle. Due diligence, negotiation of terms and conditions, including governance structure, liability and audit and risk assessment provisions, should all be considered part of the agreement’s overall security strategy. FMIs should recognise that some data loss and corruption is likely to occur, but the ability to respond quickly to incidents and make the appropriate risk management decisions will be defining characteristics of a strong FMI cybersecurity program.


A recent survey of over 1,200 of the top mobile apps in 19 countries by the Global Privacy Enforcement Network (“GPEN”) has found that 85% of the apps reviewed were non-compliant, failing to provide even the most basic privacy information to users.

In addition, 43% failed in their obligation to tailor privacy notices to smaller screens and almost 30% unlawfully requested excessive personal data from users.

Concerns for users are compounded given the lightning speed at which new apps are hitting the market.  Last year, for example, in excess of 1 million apps were reported to be available via Apple’s iOS App Store.

Should developers care about these findings?

In short, yes, especially given that the UK privacy regulator, the Information Commissioner’s Office (“ICO”), has recently conducted research that demonstrates that around half of app users have decided against downloading an app due to privacy concerns at some point in time.

Risk for developers does not stop there either.

Continue reading


Quantitative measures of supplier performance in the form of service levels are critical in any outsourcing relationship.   However, they provide an incomplete picture of how well the supplier is performing and meeting the client’s business and IT objectives.  A common complaint is that the service levels are green each month, but the client is dissatisfied with the supplier’s performance – typically due to the supplier failing in areas that are difficult to measure quantitatively.

To fill this gap, we recommend to our clients that a quarterly “key stakeholder satisfaction survey” be included in the outsourcing contract as a service level.  This service level is a subjective determination by the client of its level of satisfaction with the supplier’s performance.  A meaningful service level credit applies if the supplier fails to achieve an acceptable rating.

Continue reading


In July, the Financial Conduct Authority (FCA – the financial regulatory body in the United Kingdom) issued a paper titled “Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions” (the Considerations).  The Considerations contain about five pages of checklist “Areas of interest” and related notes, which are stated to be things a firm subject to regulation by the FCA should consider when procuring ‘off the shelf’ technology solutions.

When do the Considerations apply?
We view the application of the Considerations as two-fold.  First, they supplement the existing IT-related banking regulations. Second, they are intended to apply to procurements where firms might not ordinarily consider applying FCA-originating guidelines.

Continue reading


It seems intuitive that, by and large, employees prefer to use their own mobile devices, carrying only a single device for personal and work purposes, and having choice over the device to be used (please don’t take away my iPhone). There has also been a hypothesis that there could be cost savings for companies that allow employees to BYOD because of the ability to defer the cost of the devices and service to the employee.

In fact, maintenance of a BYOD program (we have previously reported on legal issues surrounding Bring Your Own Device and the importance of BYOD policies), including the need to manage across non-standard devices and platforms, may actually result in a BYOD program being more costly than having a standard corporate-liable program. Add to those costs a recent California ruling that requires companies to reimburse employees for wireless service. Although the case raised more questions than it answered about what level of reimbursement is required, it seems clear that companies will bear a larger portion of the cost of BYOD programs than they had previously borne.

Continue reading



The UK financial services regulator, the Financial Conduct Authority (FCA), has launched a guidance consultation in order to clarify and confirm its approach to the supervision of financial promotions in social media, including the use of character-limited formats. Examples of character-limited formats are Twitter (which limits tweets to 120 characters) and Vine (which limits videos to six-second loops).

The FCA has identified an increase in the use of character-limited social media (and social media generally) and warned of confusion among firms over the inclusion of regulatory information such as risk warnings (in compliance with the financial promotion rules) when communicating through social sites such as Twitter, Pinterest and Vine.  And, as the FCA makes clear, every communication (e.g. each tweet, Facebook page or insertion) must be considered individually and comply with the relevant rules.

Continue reading


In May earlier this year, the European Union’s top court held in favor of an individual who requested that Google remove the search results associated with his name.  In this particular case, a Spanish citizen requested that Google Spain remove an auction notice of his repossessed home from its search results, as the proceedings had been resolved for a number of years. The court held that individuals have the right to require search engines to remove personal information about them if the information is “inaccurate, inadequate, irrelevant or excessive.” This precedent established the “right to be forgotten,” which gives Europeans the right to require search engines to remove information about them from search results for their own names.  The ruling has not been met with universal applause, and in fact a U.K. House of Lords subcommittee recently declared the right to be forgotten misguided in principle and unworkable in practice.

Continue reading


Ofcom has published a call for input, entitled “Promoting investment and innovation in the Internet of Things“, regarding issues that might affect the development of the emerging Internet of Things (IoT) sector in the United Kingdom. Ofcom is the UK’s independent regulator and competition authority for the UK communications industry. It regulates the TV and radio sectors, fixed line telecoms, mobile devices, postal services, plus the airwaves over which wireless devices operate. It operates under a number of Acts of Parliament, in particular the Communications Act 2003.

IoT (which is also referred to as the Cloud of Things or CoT) describes the interconnection of multiple machine-to-machine (M2M) applications and covers a variety of protocols, domains and applications (see J. Höller, V. Tsiatsis, C. Mulligan, S. Karnouskos, S. Avesand, D. Boyle: From Machine-to-Machine to the Internet of Things: Introduction to a New Age of Intelligence. Elsevier, 2014). These technologies and methodologies underpin smart applications and embedded devices that enable the exchange of data across multiple industry sectors, such as heart monitoring implants, factory automation sensors, industrial robotics applications, automotive sensors and biochip transponders. A 2013 report by Gartner suggested that by 2020 there will be nearly 26 billion connected IoT devices.

Continue reading


The General Affairs Council, on 23 July 2013, adopted a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the Internal Market. Until the new regulation, the E-Signatures Directive (1999/93/EC) provided the only EU rules relating to e-signatures and said nothing about trust services.  The E-Signatures Directive is to be repealed with effect from July 2016 when, with some exceptions, the new regulation will start to apply.

The new regulation sets out rules for cross-border electronic trust services (electronic identification schemes) within the EU (the new rules will only cover cross-border aspects of electronic identification; issuing means of electronic identification remains a national prerogative. The general position at English law remains unchanged – sophisticated electronic signatures are not necessary for the formation of a binding contract) and creates a legal framework for:

  • electronic signatures,
  • seals and time stamps,
  • electronic documents,
  • electronic registered delivery services, and
  • certificate services for website authentication.

Continue reading