Webinar Recording

Game On: Managing Multi-Regulatory Compliance

KuppingerCole Webinar recording

Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar "Game On: Managing Multi-Regulatory Compliance". The presenters of this webinar are Martin Kuppinger from KuppingerCole, that's me, and Oliver Eckel of Cognosec. This webinar is supported by Agiliance. Before we start, just some general information: some information around KuppingerCole and some housekeeping information. KuppingerCole is an analyst company providing enterprise IT research, advisory, decision support and networking for IT professionals, both from end user and vendor organizations, through subscription services, advisory services and events. Have a look at our website for more information. There will be two events, both in German language, within the next few weeks. One is a half-day workshop at a fair in Germany called it-sa, which is around risk and protection requirement analysis and cloud computing. So if you're speaking German, that might be a very interesting thing.
The second one is an industry roundtable only for end user organizations, which will be held on November 17th and is also around cloud computing security and data protection. This is an end user organization only workshop. And finally, for sure, our European Identity and Cloud Conference next year, April 17th to 20th in Munich, the lead conference around these topics: identity, cloud, the GRC aspects and all these things around these topics, which we will do there. So I think it's definitely worth being there. All the information can be found at the website. Regarding the housekeeping part: you are muted centrally, so you don't have to mute yourself. We are controlling these features. We will record the webinar, and the podcast recording will be available latest by tomorrow. Q&A will be at the end, but you can ask questions at any time using the questions tool in the GoToWebinar control panel.
However, we will pick them at the end, or in some cases it might be appropriate to pick them during the webinar. But if there are any questions, my advice always is: just enter these questions when they come to your mind, so that we have a comprehensive list of questions at the end of the webinar. Having said that, I'll move forward to the agenda, which consists, like in most of our webinars, of three parts. The first one is mine: I will give a quick overview on how to stay compliant in a multi-regulatory environment. So there are some thoughts from my side, and after this Oliver Eckel of Cognosec, a partner of Agiliance, will talk about best practices of managing compliance in today's multi-regulatory world, with a lot of best practice and insight from projects. Finally, we will do the Q&A.
So I'll start directly with what we are talking about. We're talking about GRC. GRC is an acronym which stands for governance, risk management, compliance: things which are very tightly related. Governance is the more overall view of these things. We have the risk part, we have the compliance part. Compliance is: we fulfill regulations. Risk: we have our risks under control, which means in some cases that risk management covers things which aren't directly related to compliance, but all these things are part of governance. We have a lot of different levels and areas there. We talk about corporate governance, where we have our general policies and organization, our book of rules or books of rules, where we look at strategic risks for organizations. We have the business GRC part, which is around operational risks, around things like CCM, continuous controls monitoring, around process and risk controls, where we integrate things, where we look at how things affect the business.
We have IT GRC, where we look more specifically at IT risks. However, the only reason why we look at IT risks, and I think that's very important always to keep in mind, is that they are associated with business risks. That might be operational risks, might be even strategic risks. So if someone at a finance institution can act in a way he shouldn't, then that's an IT problem, there's an IT risk, and there's an operational risk, or in the worst case there's a strategic risk behind this, because the bank wouldn't be the first one, Barings as an example, to disappear from the market. So we have a lot of different IT GRC elements: access governance, database governance and all these things, and a lot of supporting technologies behind this which we need. And all these things are from our perspective related with each other.
So it's not that you say, okay, I've picked one tool and I do everything. And what I also mainly talk about: it's also not, let's just say, okay, I have one regulation, I pick one tool. Things are more complex, and you need to have a holistic view on these things. What our problem today is, or to a very large degree is, is what I would call the regulation sprawl. We have an increasing number of regulations. I made a very simple picture: over time, over the last years, the number of regulations organizations have to follow has continuously increased. Whether this is more or less exponential might be discussed; I would say it's just an increasing number of regulations. And I tried to find out a valid number of relevant regulations. I didn't really succeed in this, because there are so many different regulations and so many different countries out there.
And the other thing is, we not only have more regulations, we also have more requirements within existing regulations. So we have PCI DSS 2.0, the Payment Card Industry Data Security Standard version 2. Right now we have a new release of MaRisk in Germany for the finance industry. We always have more requirements to fulfill. On the other hand, regulations tend not to be very, let's say, standardized. They don't have a cohesive, stereotypical foundation: some are more technical, others are more abstract and leave more room in how to fulfill them. And so it's very hard to deal with all these different regulations. We also have inconsistencies of regulations across different countries; just think about privacy laws between the EU and the US, there are some substantial differences regarding their legislations there. So that's the situation we have to deal with: we have more regulations to deal with.
So multi-regulation is from my perspective something which is not only relevant for the extremely highly regulated industries like online gaming, the finance industry or some others, but it becomes more and more a reality for every industry. And I think that's a very important point to keep in mind. Besides all these many regulations, we also have, as I've talked about, a lot of GRC approaches. So we have business GRC suites which say they can cover everything. Many of these suites can't, because they don't provide automated controls, the automated information out of IT you really need, for example, and don't have the interfaces to this. We have access governance, we have SIEM and enterprise log management, product-specific GRC like SAP-specific solutions, and so on. So we have a lot of different approaches, and we have a lot of players in there.
So if you look at today's reality in many organizations, a lot of different people are dealing with GRC issues. We have the CEO and the CFO; they have to, because usually the legal situation just requires them to deal with it. We sometimes have compliance or risk officers. We have the internal auditors, and sometimes the external auditors as well. The internal auditors ask the compliance and risk officers, with a frequently relatively undefined relationship in between. We have IT, which is also responsible for providing a lot of answers and doing a lot of things in the field of fulfilling regulations. So it's a scenario where a lot of things should grip into each other: the players, the approaches, the regulations. But the reality is that in many cases we have something which is more like a broken machine, where all these things are lying around and aren't connected, aren't gripping into each other.
And the other thing we still see is that sometimes people say, okay, we have a regulation, and okay, we need a tool. One regulation, one tool. That has changed a little, but it's still something which happens. Or maybe it's not a single tool but a solution. So we say, okay, we have to solve the things we have to do around PCI DSS, and we focus on what we have to do around PCI DSS. But what we miss is that a lot of things we do around PCI DSS are the same things we should do for other types of regulations. So the reality from my perspective is more that we have a lot of regulations, but we have layered tools, probably fewer, and hopefully significantly fewer tools than here, which we need, which provide a high-level dashboard, the big overview, but also automated information from lower levels.
We have a lot of recordings around how we at KuppingerCole see the world of GRC and how different layers grip into each other. So that might be interesting to you. And if I had to make a very simple (and therefore somewhat wrong and false) statement, I would say it's that: we need something where we say we have an infrastructure, we have a consistent approach to GRC across all the regulations. That also becomes clear if you look, for example, at what we have done in our KuppingerCole GRC reference architecture, which we published some two years ago, where we have standardized elements for how to do GRC. One of these things is: we need to understand the requirements. So what do we do? What are our policies, and how should our compliance dashboard look? What are the points here?
We have to investigate the status. So we have to not only understand, okay, these are the risks, but we have to look at what happens there. So: control status collection, automated and manual. These are the things we have here: our ongoing risk and threat situation analysis, which means we have an operational risk dashboard, and we need improvement activities, projects to improve things where we see the biggest risks. And we have to start, for sure, where we really can mitigate risks most efficiently. And finally, we have to have something in place in case something happens: the crisis and incident management. We have to have answers for things which might happen, and we also might need to have answers for things where we don't exactly know that they will happen, where we just know: if something happens that we didn't expect to happen,
how do we deal with that? And this is true for any level of GRC. So this approach is something which you can use for any level. It just shows you: you have to understand, you have to measure, you have to improve, and you have to react if something goes wrong. Doing this in a consistent way definitely helps for better GRC, because you will also quickly see that a lot of things you're doing in the improvement area are done once for a lot of things you have on the left side of this.
So point solutions for compliance tend to fail, because point solutions produce too much redundant work in the organization. People are frequently asked by different parties how or what the current status information is, and that costs a lot of work. If I talk to people in IT organizations, they say: a lot of our time we just spend providing answers for specific compliance issues. We have so many questions there, and we need to do such an amount of things manually that it just kills us, because we can't do our daily work anymore. We have too much redundant technology. If you solve everything with a specific piece of technology, you end up having redundant technology, which doesn't make any sense from my perspective. When you look at point solutions for specific regulations, you frequently end up with very immature technology solutions, which solve just one problem and which are frequently somewhat too simple and oversimplified.
So there's a tendency, at least, towards immature technology if you look at point solutions, and you don't have any comprehensive view on your state of regulatory compliance. However, if you are living in a multi-regulatory environment, and that's the reality, then you need to have these things: you need to minimize work, you need to minimize redundancy of technology, you need to have mature technology, and you need a comprehensive view and oversight of regulatory compliance. Having said this, I will hand over to Oliver, who will then go much more into detail on these things. Thank you for your attention, and you will hear me again in the Q&A session soon.
Good afternoon, everybody. Thanks to KuppingerCole, thanks to Agiliance for having me here to present to you GRC and managing multi-regulatory compliance. My name is Oliver Eckel, since about one month chief executive officer of Cognosec. For the last five years my team and myself have been managing security, governance, risk and compliance at bwin, now bwin.party. And we're going to tell you a little bit about how we implemented the GRC solutions, in this case provided by Agiliance, and how this helped us get across the minefield of regulatory problems we were facing in those five years. Five years ago, when I started at bwin, I was hired to make sure that the company becomes PCI compliant. At that time it looked like a really challenging task. We had six months' time to basically segregate the whole payment infrastructure from the gaming infrastructure, to segregate the gaming and payment applications, and to create a standalone payment environment that could then become PCI Level 1 compliant.
After those six months we actually went live, and the payment environment at that time became an independent company of bwin, which is called secure payment solutions and which is now offering payment services to a lot of other companies. At that time, we were supposed to start doing security. We very soon learned that security is one little part of this big cake, but that the security people have all the information that all the other people from the risk departments and the compliance departments really need. So we started leading auditors through the building. We were supporting our annual audit. We made sure that the IT general controls were in place and that the information was provided fast. And we started doing the first European gaming regulation implementations. Very soon the whole IT security department, which is what we were supposed to be initially, had changed into some kind of governance, risk, compliance and security department that was managing regulatory requirements in many different environments.
We'll get more into detail on that a bit later. What we're going to look at today is what we can learn very fast. We can talk about the challenges in a multi-regulatory world, and we can look at some of the best practices and how everybody can get across these problems, basically using baby steps, using simple technologies and just fitting the right pieces together. In the end we're going to talk a little bit about selecting the right partners, and hopefully we'll have a lot of questions from you to answer. Briefly on Cognosec: as I said, until about one month ago we were in the gaming industry, working for a gaming provider. Now we're an independent advisory and assurance company focusing mainly on eCommerce companies, financial companies and gaming companies, with our core skill sets in the GRC area and in the security implementation area.
If you have any questions, please send them through the chat. We'll be collecting the questions, and at the end hopefully we'll have a lot of questions we can answer for you. If there are any questions we can't get answered within the next half hour, I'll be happy to answer anything via email. Good. So what we're going to look at are today's most critical compliance challenges and how they relate to dealing with the regulations and standards. We're going to learn about practical steps. We're going to look at how we implemented these compliance requirements and how to actually move from a requirement down to the technical level. And we're going to look at the benefits of continuous risk-based compliance.

Over the last five years, what we've seen is that in the first year we had like two audits. One was an annual audit by financial auditors. The second one was in the gaming industry, by an association called eCOGRA, which was at that time auditing gaming regulations which the gaming providers had imposed on themselves due to the lack of governmental regulation in the gaming market. This has drastically changed, and we'll go into detail there. Every European country: let's say two have, two are in the process of, and the rest of the European countries are going to regulate online gaming. The US is going to regulate online gaming, probably on a state level; in Germany we expect a state level too. So the amount of regulations to be expected in the gaming industry will definitely supersede any other industry.
The challenges: if we look at some of the requirements we have to follow for gaming, obviously, as for any credit card processing company, one of the main issues will always be PCI and all financial regulations. On the other hand, you either have health regulations such as HIPAA or HITECH, but you'll also face the gaming regulations such as AAMS, which is the regulation of the Italian authority, or the one of the French authority. As I said, these are going to be regulated; all countries are going to be regulated. One of the issues is that these regulations are very complex. Some are very high level, some are very detailed. It's very similar to ISO and PCI, where PCI is very technical and actually really demands technical implementations; it explains to you what to do. An ISO requirement is very high level and leaves you a lot of freedom. The same way gaming is being regulated, and it's getting more and more burdensome for companies to manage these compliance requirements.
Obviously the only solution, apart from Excel, which will drive everybody crazy, as much as I love Excel, when you're trying to manage these amounts of compliance requirements, is an automated solution. And then you'll face the next challenges: you have to manage your applications and processes. In a gaming environment you can talk about several hundred applications, several hundred processes, thousands of people and, due to the cloud developments, virtual and physical assets and petabytes of data. All of these are subject to either privacy regulations, gaming regulations, payment regulations or legislation. And you as a compliance officer, risk officer or security officer are responsible and also accountable for managing these requirements. This will only work with tool support: on the one side with automated surveys, obviously, and on the other side really with automated controls. We've talked about people, processes, assets, countries, fast agile development, virtualization.
You have a compliance department. We face risk departments. We have departments that take care of financial audits. The amount of data being collected and the amount of requirements being defined is getting so large that it is virtually impossible to manage this manually, and also to manage this in silos. So the only approach that will be successful, and that's going to be a lot of work, but you still have the chance of being successful, is automating this and turning these processes, which are now still manual, into automated processes. With Excel you're always in the problem of not seeing the up-to-date information on your systems. You don't have any information that can help you to take actions. You're disconnected from security; the compliance people have no idea what the security people are doing,
although the compliance people highly depend on the implementation of controls done by the security people. So the only sensible thing, and that's also what we did, is merging compliance, merging risk, merging security. What we did is we even went one step further: compliance, security and risk actually merged into an internal audit department that supported the business in defining the requirements and then made sure that the requirements are being followed. Best practices generally: this looks so simple, such straightforward steps. This is fine if you have one compliance requirement or one standard to follow. If you get more and more, and the gaming industry now is facing, depending on the market entries, probably one to two standards such as PCI or ISO per year, these have to be implemented into an automated system. The controls have to be implemented, and you have to make sure that also the reporting and the results get reported. Manually,
this is technically not possible anymore. So that's where you really have to start doing automation. What we did was we had very strong automated controls, starting with Tripwire on the file integrity monitoring and system compliance side, identity and access rights reports, vulnerability reports; all these went into an automated solution that then generated reports. The intention was always, and this is a process that will never end, you will always continue working on this, it's always going to change, the intention is to have an auditor enter your operation, to press a button and to give him the results to whatever questions he might ask. You have all the information you need, because all standards are published; you can anticipate what auditors are going to ask for. The main issue is really getting that information into your system, correlating it adequately, and then developing the right reports.
So generally you're in a continuous compliance cycle. At one point you have the normal maintenance: you have a business in which you have to maintain compliance. At the same time, you already have to scope. Depending on which compliance or which requirements you have to implement, the scope is not going to cover all assets, but the specific assets relevant to those standards or compliance requirements. Then you probably do a gap analysis: you look at what you have and you compare it to how it should be. That's where the big problem starts, because a lot of companies actually have no idea what they have, or it's very hard for them to monitor what they have. So you probably need a tight integration with some kind of asset database or asset management system, or with automated monitoring solutions such as Tripwire, and a GRC tool.
So you always can identify the gap between what you have and how it should be. Once you've identified and documented this gap, you can start remediating. Basically you'll see where you have the largest gap; you can start building strategies and planning how to reduce those compliance gaps, timing them correctly. Not all compliance requirements need to be implemented immediately. Most regulators give you the chance to do this in a stepped approach, but you really need to be aware of what needs to be done when. The next level is the certification. That's when the auditors come in; that's the toughest time, because either you're prepared or you're not prepared, and that will lead to a lot of extra work, because you then have to do additional work to provide the certification documentation.

Once you've survived this, normally the next auditor for the next standard comes in. If you're in the finance industry, probably it's less. If you're in the gaming industry, it's much, much more. In the end, as I can remember, you probably have monthly audits, some quarterly audits. So you will have auditors handing over: one auditor enters the room as the next auditor leaves the room. The only way to do this without completely bringing your IT to a standstill, because they're just talking to auditors constantly, is by automating these solutions.
So how do we automate these solutions? How do we manage these compliance requirements? It's by creating a common control framework. If you look at the different standards and requirements, such as government regulations, which is SOX, GLBA, HIPAA, HITECH: for us in Austria, we ended up at that time implementing URÄG 2008, which is the Austrian equivalent of SOX. So we found ourselves implementing an internal control system. Very soon after that, we found ourselves implementing an enterprise risk management system. What we found out is there's no big difference in the end. You always have a business process. This process has objectives, which you can measure easily. This process is supposed to support the achievement of these objectives. What can stop you from achieving them? Those are your risks. These risks need to be reduced to a residual level. How do you do that?
You implement controls, and suddenly security controls, which are actually there to protect the data, support SOX or GLBA or any other compliance requirements. The control frameworks we're talking about, be it COBIT, ISO or NIST, there are many different frameworks which are collections of these controls. These are very nice for IT, because you can save yourself a lot of time by using the already filled frameworks, but just as well you might create your own frameworks and add them. What we've found is that there are many controls, many policies, which are identical throughout, be it government, be it industry, or be it, in this case, even gaming regulations. Everyone is going to ask you to do proper change management, proper configuration management. Everybody will want you to control access to your systems and access to data, be it financial data, be it personal data. It's the same issue all over.
So you can actually take these thousands of controls, put them into one pot and start identifying controls that are cross-platform. Very soon you'll see you don't have to follow 20 standards anymore, but you have, and the financial auditors call it the IT general controls, which are the same throughout all systems, and then you will have very specific controls for specific standards. If I may go back into the gaming example: French regulation for gaming operators, for example, requires all gaming operators to store all their transactions in an encrypted database before they're allowed to process them. On a very practical level this means: if you would play poker online, the operator has to store every hand you have, every card that is dealt, into an encrypted database that only the French government can access, before even the game can continue.
This is a very specific requirement that was only in France, but it's in this catalog now. We're facing Spanish developments, and Denmark, and other regulators which are following this. So this very specific control is now becoming a common control throughout different standards. And this is what we see all over the place: we have 80% of controls which are identical and probably 20% of the controls which are different. Implementing these controls, putting them into a GRC framework, is a process. You will start, you will never end, but it will save you a lot of time to be doing this. And it also really depends on the industry you're in and on the approach.

We saw it with some others; now we're a partner of Agiliance, initially we were a customer of Agiliance, and we saw it with other customers. We saw it with a bank: they prepared for one and a half years before they even deployed Agiliance. They had all processes clearly defined and did all the groundwork before they even started using it. Whereas we had six months to become PCI compliant, so within three months we had it up and running and it was in an operational state. So it really depends on your organization which approach you want to take. But the tool is flexible enough to help you achieve this.
As we said before, compliance and security are not competing organizations. There should be one organization. Basically, security does nothing else but ensure compliance, either with privacy regulations or financial regulations. One of the things that compliance can really learn from security is that it's not an audit, and then you have peace for one year and then the next audit comes, but an ongoing process to stay compliant. You have to implement your controls, you have to monitor them. And they're probably most of the time the same controls as in the security field. This shows you very well the cooperation between the compliance and the security department and how they grow together.
So we're slowly rounding up. Once again, the three main areas, which are policy management, control testing and gap analysis, and risk analysis. On the one side you implement your policies, whatever policies you have to follow, be they regulatory, governmental or internal; you can actually use the tool to put these policies into the tool. Then you do the gap analysis: you test the controls, you see if there are controls that ensure that you follow all these policies. After that you actually see where you have large gaps which you can implement easily, or where you have gaps which will take a long time to implement. So now you're starting to do risk analysis and the correlation. You see the common framework down there, which encompasses anything from COBIT to gaming regulations.
So this is the framework. How do we get the information into the framework? Now we have policies in there, we have the controls and we have the risk management part, but we have no information about what we are actually managing. So we have two sides, which are the connector side and the e-survey side. On the one side I can actually, as administrator or compliance-responsible person, generate surveys for my employees. I use any policy and I build a survey, which gets sent out automatically within certain timeframes to certain people. These people I have identified as owners of assets. So that's where once again we really need the asset management. We need the customers to actually understand how their infrastructure looks, who is accountable and responsible for what, and who has to answer which questions. These surveys can then be sent automatically a certain period before any auditor comes,
so whenever an auditor comes, you actually have ready documentation for the auditors. On the other hand, this is the manual side. I mean, reports can easily be optimized, or don't always have to be; they can be influenced. Whereas technically collected information is much more reliable in these cases. So that's why we have the connectors. That's why you can link the tool to information which is collected automatically anyway and used for many other purposes, but can contribute largely to your risk management, which is mainly connecting it to monitoring solutions, connecting it to vulnerability scanners, connecting it to the CMDB. And in our case the nicest connector we built was really the connector to the tool that did all the compliance checks. We were talking about how growing demands on compliance create extra burden for gaming companies,
How the lack of visibility to the overall compliance posture causes problems about the silos, having compliance departments in different countries, having security departments in different countries, and also about the failure to optimize the use of existing compliance and it resources it's. And this is where this is where the really added value of, of the tool based solution comes out is you free your it resources. Instead of having your it guys talking to auditors for 50 days a year, you can reduce that to probably two days of filling questionnaires here. The solution can help you provide a unified set of policies and controls based on critical regulation, standards and frameworks. Many of those are provided out of the box if it's it standards or financial standards, but you might as well just put the, your GA your specific standards in there too, and manage them there too. It consolidates compliance scores, and it helps you prioritize your vulnerabilities and helps you prioritize your it resources.
You need a scalable system. You need an open system. You need a, a system that can be deployed fast. You need common controls built in. You don't want to put PCI so HEPA or ISO into that framework. You would want that to come out of the box. You want risk based security built in, and you needed highly configurable. You don't want something customizable, because that normally means you get some kind of frame, but there's no content. You want content, but you want to be able to customize it. You want to achieve large scalability across several countries. You want the tool to be able to, to show you different views, to show you a business perspective, an it perspective, probably a compliance perspective. You want to be able to look at at, at the risks from different perspectives. You want to remove redundant efforts from independent overlapping assessment programs. You want to continue self assessment process that runs without you inter intervening all the time. And you want to make sure that whatever you collect from a security side or a compliance side also contributes to your risk management side. You want organization-wide risk for automat automation. You want want automated compliance, and you want the lowest possible TCO.
Thanks for listening to me. I hope I, I know the time was very short. I hope I touched a lot of topics and I would be very grateful for a lot of questions now. Thank you.
Thank you. And so let's proceed. I'll make myself the presenter again and show my screen again. So we are now in the Q&A, and I have the first questions here, and I'd ask you all to enter additional questions. And first of all, thank you for his presentation and his insights into the real best-practice situation. So the first question, or in fact a set of questions we have here, and I'd like to start directly with this question: Mr. Ley, you've mentioned that in this project there has been created an integration between Tripwire and Agiliance. So the questions are: is this easy to achieve? Did Agiliance build it? Did Cognos tech create the integration themselves? Or did it require specific development with professional services? So what is the effort behind creating such integrations?
At the time when we built the integration, we were still working for bwin. So that specific connector belongs to bwin, but it's quite straightforward to rebuild it, and we're of course capable of rebuilding it. We got some support from both Tripwire and Agiliance, mainly for assisting us with mapping controls and control results in the two tools. Technically it was not a big issue, and it can be easily produced for other tools too.
Okay. So if you look at a typical project, what can you do out of the box, and what amount of work is there for individual, customized integration?
As I said, for example PCI, we did that within, I think, three or four months of implementation, which really was importing all our assets and then mapping them adequately to the controls in the tool. That was straightforward and was very fast. If you have to implement a standard which is not in the box, obviously it will take a longer time. You have to build your questionnaires. You have to think about what answers you would want in the questionnaire. So that's much more work. It really depends: if you're lucky enough and your requirements are standard, like out of the box ISO, PCI, HIPAA, you can probably get this up and running. It depends on the data quality you have to put inside. I think the biggest challenge is actually defining services and creating the link from a business to an IT. And I think that's not even a GSE problem. It's a general business problem: really understanding how IT processes affect your business, and what a risk in an IT process actually means to a business, to your business. What kind of business risk does that create?
Yeah, I think you're definitely right, because I think that's really one of the things that we frequently also see: that the business people responsible for GRC still today tend to ignore the IT part, because it's just IT, and don't really see how, and to which degree, operational IT risks are in fact associated with operational risk. And I think that's definitely one of the learnings which are there. And then there are things around really setting up the processes, getting the processes to really live in an organization, which also adds to the problem, and data quality also frequently is one of the interesting issues there.
Data quality on an IT level normally tends to be quite okay. It's really a lost-in-translation problem between business and IT. They tend to speak different languages, and to find the common language, that's the magic.
Okay. Then maybe another question from my side. So if you look at these things, and I think we've slightly touched it, but maybe we can go a little deeper: if you look at the risk part and the regulatory compliance part, is it sort of correct to say the regulatory compliance part is only a subset of the entire thing? Because if you look at it from a risk perspective, where do I have risk and all this stuff, this is bigger than just the things which are related to regulatory compliance.
I think regulatory compliance probably covers a lot of areas. It really depends on the regulator and what they intended to cover. It basically covers most areas, I would say, except for the business areas. So business risks: no regulator is really interested whether your business is gonna be successful or not. That is something you have to put in there yourself. Regulators are more interested in protecting the people they are supposed to. I don't know how to put that correctly. In the gaming industry, regulators would be interested in protecting the nationals of their country and protecting mainly the governmental interest in tax areas, or making sure that you're a good corporate citizen. So these risk areas most of the time are covered quite well, but there is no business focus in these regulations. So that's where you have most of the work actually still to do. That's where we are suddenly going into internal control systems, where you really identify the core processes of your company, where you identify the core objectives of your company, and then you also identify the risks that can hinder you from achieving these objectives.
Okay. There's another question: how important would the risk, IAM, I think it means identity management, be in this industry? Do you feel that knowing the risk of giving people, and the same people having, certain access is important?
I'm trying to understand the question.
Yeah. Maybe the one who asked the question can clarify it a little, so I'm also not a hundred percent sure what the question is about. We'll just wait a little until then. What you see on the screen at that point of time is a hint at upcoming KuppingerCole webinars, which are supported by Agiliance. They will be online soon if they're not yet, so you can register for them sooner or later. And we will then go into additional topics which are around enterprise compliance and governance topics. And I think there are a lot of things, if you look at these topics you can currently see, there are a lot of different things. Okay. So the question is: do you feel that knowing the risk of access that people in your organization have is important? So in fact, it's: what is the relevance of access governance within the entire picture you've been talking about?
Access governance. Now we're talking governance.
Yeah. Access risks,
Management, managing access rights and roles to certain information. Yeah.
Minimizing the risk of abusing this access and all these things.
Well, you have two areas, two high-risk areas, which is: one is of course the PII, the personally identifiable information, and the other one is the payment card information. So you're talking about financial information and you're talking about privacy information, and obviously reducing access rights to the lowest necessary level is quite critical.
And yeah, maybe to add to it: it's critical, I think, in any area to have these risks under control, because if you look at the reality, if you look at people who are doing things they're not allowed to do in the finance industry, take association, right, case, that was an access problem. Someone had access to too many things; he could control himself. And so from that perspective, I would say, yes, it's one part of the big story. It's one thing to solve, and it's something which has to be integrated into the big picture.
And that's one of the reasons why many regulators actually force you to review those access rights on a constant basis.
Yes. And
Segregation of duties is another of the important areas. So obviously this is very, and it can be very, very damaging to companies if they lose some data due to access issues. I mean, that's the whole incident we've been seeing over the last few months on the security side with data being stolen. The companies that do not have that very high on their risk rate are definitely doing something wrong and have done something wrong.
Yes. Okay. So I think we've done most questions. So we are through all the questions we have. So thank you to all the attendees for listening to this KuppingerCole webinar, thank you to you, Oliver, for giving your presentation and so much insight into this real-world case, and thank you for supporting this KuppingerCole webinar. I hope to have you soon again as attendees of an upcoming KuppingerCole webinar. Thank you.
Thank you very much.