
AWS Releases User Guide to the Digital Operational Resilience Act (DORA) - AI Reading Summary - 包阅AI

包阅AI Reading Summary

1. Keywords: AWS, DORA, Operational Resilience, Financial Entities, Compliance

2. Summary: Amazon recently released the AWS User Guide to the Digital Operational Resilience Act (DORA). The guide explains how AWS services support financial entities in meeting DORA requirements, including ICT risk management, incident reporting, resilience testing, and third-party risk management. DORA is already in force and sets a compliance deadline, and several cloud providers are publishing their own DORA compliance material.

3. Main points:

– AWS released a user guide to DORA

  – It describes how AWS services support financial entities in meeting DORA requirements such as ICT risk management

  – It explains how financial entities can use AWS services and documentation to demonstrate compliance

– Background on DORA

  – Entered into force on January 16, 2023; compliance required by January 17, 2025

  – Aims to achieve a high common level of digital operational resilience and introduces several new regulatory requirements

– How cloud providers are responding

  – AWS is not the only provider working toward DORA compliance; Google, Microsoft, IBM, and Oracle have published corresponding resources


Article URL: https://www.infoq.com/news/2024/07/aws-user-guide-dora/?utm_campaign=infoq_content&utm_source=infoq&utm_medium=feed&utm_term=global

Source: infoq.com

Author: Renato Losio

Published: 2024/7/27 0:00

Language: English

Word count: 510

Estimated reading time: 3 minutes

Score: 84

Tags: AWS, DORA, financial services, compliance, ICT risk management


The original article follows.


Amazon recently released the AWS User Guide to the Digital Operational Resilience Act (DORA). The document details how AWS services support financial entities in complying with DORA’s requirements for operational resilience, including ICT risk management, incident reporting, testing, and third-party risk management.

Released over a year after AWS submitted its response to the consultation on the second batch of DORA technical standards, the new guide offers a series of considerations for financial entities (FEs) seeking to meet the regulatory expectations set by DORA. It explains how FEs can use AWS services and documentation to help demonstrate their compliance with DORA requirements.

As the financial sector becomes increasingly dependent on technology and a few cloud companies to deliver financial services, DORA introduces new regulatory requirements to achieve a high common level of digital operational resilience. It entered into force on January 16, 2023, and will require compliance by January 17, 2025.

Stephen Martin, head of security and compliance for financial services industries at AWS, Akshay Dalal, EMEA regulatory risk and compliance at AWS, and Eduardo Vilela, head FSI reg. enablement EMEA at AWS, explain:

This guide describes the roles that AWS and its customers play in managing operational resilience in and on AWS, describes the AWS Shared Responsibility Model, compliance frameworks, AWS services, and features, and measures that customers use to evaluate their compliance with sample DORA requirements when adopting AWS.

The new European regulation covers ICT risk management requirements, reporting major ICT-related incidents and cyber threats, digital operational resilience testing, and information sharing on cyber threats and vulnerabilities. It includes measures for managing ICT third-party risk across 20 different types of financial entities and ICT third-party service providers, including major cloud providers. Maria E. Tsani, head of financial services public policy EMEA at AWS, previously wrote:

Our lack of visibility into data uploaded into a customer’s AWS account is a fundamental part of the governance model that operates in a cloud environment (the AWS Shared Responsibility Model).

While the regulation does not set any restrictions on the adoption and use of cloud services, Martin, Dalal, and Vilela add:

The regulation promotes a principles-based approach to ICT risk management, giving FEs the flexibility to use different management models as long as they address key functions such as identification, protection, detection, response, recovery, and communications.

One of the debated topics is the reliance on a single cloud provider. András Gerlits, founder at omniledger.io, comments:

Confusingly, DORA says you are legally allowed to use your exclusive cloud provider, but disallows this technically. It does this by expecting banks to have a monitoring, a mitigation and a recovery strategy in place in case of a disruption event. So sure, use your AWS/Azure/GCP for everything, but you must also be able to shift immediately with no data loss.

AWS is not the only cloud provider recently outlining its steps towards DORA compliance. Google has simplified the process with Google Cloud’s updated contracts and Microsoft has explained how to strengthen operational resilience and reduce concentration risk in financial services. IBM and Oracle OCI also provide dedicated resources.