White Paper: FCA and ICO/DPA technology guidelines (Serviced Cloud)
Introduction
Perhaps one of the most important things the 2007 credit crunch and the ensuing global economic recession
demonstrates is the degree to which the world depends on the financial industry. Consequently, the rationale
for robust regulatory oversight of the financial industry is compelling.
Technology is a fundamental enabler of the finance industry. The financial system is interwoven with and highly
reliant on technology. Technology changes quickly and the threat environment may be characterised as agile
and blended, with a need for constant vigilance.
Today the Alternative Investment Fund Managers Directive (AIFMD) and the Capital Requirements Directive IV
(CRD IV) are primary tools governing the core business of UK domiciled alternative investment firms.
Technology is governed by Financial Conduct Authority (FCA) guidelines in conjunction with the Information
Commissioner's Office (ICO), which carries out enforcement action for breaches of the Data Protection Act (DPA).
As a result there is a mix of recommendations and mandatory compliance points. This means some areas are open
to interpretation, and there is a need to understand where any distinctions exist and act appropriately.
The objective of this regulatory approach appears to be to create a culture where financial services businesses
demonstrate a responsible approach and a willingness to consider their use of systems and any risks that need
to be mitigated.
In this guide we discuss 7 ways alternative investment businesses, and professional services companies
supplying services to regulated firms, are able to improve their ability to meet FCA or ICO/DPA regulatory
guidelines for using technology within their businesses.
http://www.servicedcloud.com/whitepaper/7waystobettermeetfcaandicodpatechnologyguidelines
8/19/2016
Wherever there is a failure of leadership to assert control and set high standards for a business and its
employees, there is often the potential for significant problems.
It is important that procedures to deal with cyber-attacks, to prevent fraudulent communications by both
voice and email, and to safeguard against money laundering are all in place.
Enforcement action
Many fines are issued by the ICO for failing to take reasonable steps to prevent hacking. Hackers often exploit
vulnerabilities (that's IT code for holes in security) to gain unauthorised access to networks, systems and data.
Employees are only human, and even in the most secure environments, people are often responsible for
breaches, either through deliberate action or failing to observe security policies and procedures.
Passwords
One key aspect is password access and control. Companies should have strict password control policies. Users
should not use the same username and password combinations for company and personal accounts, as this would
allow hackers to gain access to company data and systems by stealing account data from personal or
consumer accounts. Forcing regular password changes is one option; another is Dual Factor Authentication.
This means a unique One Time Key is required at every login, so knowing a username/password combination alone is
not enough to permit access.
Data loss
Incidents of employees taking data offline (e.g. on a USB stick or a laptop) and then losing it are frequent.
Consider prohibiting the practice, or only allowing download to secure devices (those managed by the business
and with encrypted storage) that are only accessible using a username/password combination.
Activity monitoring
Consider monitoring communications activity. Record all telephone calls and archive all email. Some companies
record all network activity, although this is more for internal security rather than for FCA compliance.
HR Policies
Consider consulting with HR to review any points where security has touch points with HR policies. Some
examples where issues may arise include:
Hiring
New hire induction
Ongoing training
Disciplinary procedures
Termination of employment
Dual Factor Authentication
Offline working with company data
Online working with data encryption
Activity Monitoring
Enforcement action
Always ensure up-to-date network documentation is available. Similarly, request documentation from your
partners and any other third parties.
Typically, documentation should include information on:
Who has access to what?
What is the update procedure?
RFI
External firms may submit a Request for Information (RFI) before commencing trading with your company. This
will almost certainly include questions on software, versioning and IT security. Likewise, your business should
consider issuing an RFI to any new partner before doing business. Also consider formalising documentation for
existing partners if an RFI has not previously been part of the partner engagement process.
Data backup, disaster recovery (DR) and business continuity (BC) planning are closely interrelated. Like many
areas of IT, there is no absolutely right or wrong way. There is a menu of different elements that may be mixed
and matched to form the right solution for the specific needs of a business.
The core question is: How long can you afford the business to be offline? Once you establish this maximum
tolerance to a loss of IT services, you work backwards from there. Some points to consider are:
A credible backup tape regime requires tapes to be physically taken offsite, inviting the potential for loss. There
are a number of examples of companies losing them and getting fined. Tapes and autoloaders are also
expensive and prone to failure because they are mechanical. Online backup is more reliable and secure.
Data retention
Backup is central to the data retention strategy. Creating a reliable archive of legacy data is essential for
compliance with FCA data retention rules. Ideally, legacy data needs to be kept accessible but out of the way,
and this could guide the design of any hierarchical storage system for filing and retrieval.
FCA retention periods for data
Record type
Retention period
Emails
6 years
Indefinite
3–6 years
MiFID
1–5 years
2–5 years
6 months
Data replication
The potential for disasters, both natural and man-made, is a key consideration when determining the
distance to the replication site. Many businesses in the UK conclude that a distance of 50 miles is appropriate.
For even better risk reduction, consider replicating in more than one place. Remember to include telephone
systems.
Consider assessing your systems against ISO 27001, the information security management system standard, by
checking credentials, external audit or penetration testing.
External IT partner
If you have an external IT partner ensure you check its credentials. It should be appropriately accredited and
should adhere closely to industry best practice for information security.
Internal IT team
If you have an internal IT team, consider getting a second opinion by engaging an appropriately accredited
company to audit your network. An internal IT team may only have in-depth experience of your own environment.
Employing an external team to check the systems often gives an insight into your network that you may
otherwise not be able to obtain.
Penetration testing
Consider penetration testing, or pen testing. This is the process of stress testing your systems to see if a tiger
team of computer security professionals, acting as hackers would, is able to break through and gain access to your
network, servers and data.
Companies that keep all their data in the office should review physical security with an audit. Some typical
questions that might be used to audit physical security include:
Who has access to the office? (Don't forget cleaners, caterers and security guards)
Are all computer workstations including laptops and tablets locked when not in use?
Who has access to the server cupboard, comms room or data centre?
Are there access control records documenting entry and exit of the premises?
Offsite datacentre
To mitigate physical security risks, consider the benefits of locating data in an offsite data centre. Any choice of
data centre should be governed by accreditation to ISO 27001, which means the facility is audited for physical
security in line with the management system standard.
Data sovereignty
It is vitally important to consider the issue of data sovereignty, the geographic locations where data is stored.
When evaluating offsite data storage it is essential to understand where data may be stored by service
providers. Changing legislation and challenges to agreements such as Safe Harbour mean the landscape may
shift suddenly.
Enforcement action
Staysure.co.uk Limited
Date: 24 February 2015
Type: Monetary penalties
Sector: Finance insurance and credit
An online holiday insurance company has been fined £175,000 by the ICO after IT security failings let
hackers access customer records. More than 5,000 customers had their credit cards used by fraudsters
after the attack on Staysure.co.uk.
The business benefits of the cloud are regularly highlighted in the press and deliberated in boardrooms. Cloud
technology is a topic about which the vast majority of business leaders are likely to have more than a passing
interest.
Based in the heart of London in Canary Wharf, Serviced Cloud was incorporated in 2009 with a clear and simple
vision. We are dedicated to helping business leaders in financial service organisations find the best way of
successfully adopting cloud technology in their businesses. We offer best of breed Hosted Cloud Services in our
ISO27001 London data centres, and help clients to create their own Private Cloud systems in their own offices
or data centres.
Our friendly and professional engineers and consultants have extensive experience, proven track records and
can-do attitudes. We offer independent advice but partner with the leading cloud technology companies to
ensure seamless support. We are service focused; our clients' satisfaction is paramount.