
Our Journey to Continuous Compliance

Abstract

Continuous compliance is a popular, widely used term. There is a common perception that implementing continuous compliance is straightforward thanks to the rich set of compliance products on the market. Practitioners know, however, that maintaining continuous compliance is a genuinely hard problem: each environment has its own specific challenges that require creative approaches to achieving and maintaining compliance. In this talk we present the methods, tools, and processes we have developed for the continuous compliance of the IBM GCDO Cognitive Enterprise Data Platform (CEDP).

An up-to-date asset inventory is at the core of any compliance solution. Many existing solutions rely on an inventory that is maintained within the solution itself. This hinders the interoperability of different compliance solutions, because each tool then holds its own view of the estate and there is no longer a single master inventory. Our newly developed solution is based on a standalone, automatically maintained master inventory that integrates with IBM compliance solutions such as the IBM Shared Operational Services (SOS) and the IBM Mixed Address Database (MAD).

Compliance is a joint effort that relies on multiple stakeholders. Assessing the adherence of a system to IBM's IT Security Standard (ITSS) is the responsibility of the system owners, but they have to be empowered to do these assessments in an efficient and transparent way. Our ITSS compliance framework integrates three functions: performing compliance assessments, validating and collecting the resulting compliance data, and feeding that data to higher-level applications such as compliance dashboards. While initially developed for CEDP, it is applicable in any other environment striving for continuous compliance.
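The two ideas above, a single master inventory that downstream tools are reconciled against, and owner assessments that are validated before they reach a dashboard, can be illustrated with a small reconciliation script. The following is an added example and not the CEDP tooling or an SOS/MAD integration: the inventory, the tool exports, the assessment records, the tool names "scanner" and "patch_mgr", the 90-day reassessment window and the field names are all constructed assumptions.

```python
"""Reconcile a master asset inventory against downstream compliance tools
and validate owner-submitted control assessments.

Added example, not the CEDP tooling. Every record below is constructed
sample data; tool names, field names and the 90-day policy are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_ASSESSMENT_AGE = timedelta(days=90)   # assumed policy: reassess quarterly
VALID_STATUSES = {"compliant", "deviation", "exception"}


@dataclass
class Asset:
    asset_id: str
    hostname: str
    owner: str


@dataclass
class Assessment:
    asset_id: str
    assessor: str
    status: str
    assessed_on: date


# Constructed master inventory: the single source of truth for the estate.
MASTER = [
    Asset("a-001", "cedp-db-01", "alice"),
    Asset("a-002", "cedp-etl-01", "bob"),
    Asset("a-003", "cedp-api-01", "alice"),
    Asset("a-004", "cedp-gw-01", "carol"),
]

# Constructed exports from two downstream tools: the asset IDs each one knows.
TOOL_COVERAGE = {
    "scanner": {"a-001", "a-002", "a-003", "a-999"},   # a-999 is not in master
    "patch_mgr": {"a-001", "a-003"},                   # a-002, a-004 never onboarded
}

TODAY = date(2021, 9, 1)   # fixed reference date so the run is reproducible
ASSESSMENTS = [
    Assessment("a-001", "alice", "compliant", TODAY - timedelta(days=10)),
    Assessment("a-002", "mallory", "compliant", TODAY - timedelta(days=5)),   # not the owner
    Assessment("a-003", "alice", "deviation", TODAY - timedelta(days=120)),   # older than policy
    # a-004 has no assessment at all
]


def reconcile_tools(master, coverage):
    """Per tool, return (master assets the tool is missing, tool entries unknown to master)."""
    master_ids = {a.asset_id for a in master}
    return {tool: (sorted(master_ids - ids), sorted(ids - master_ids))
            for tool, ids in coverage.items()}


def validate_assessments(master, assessments, today, max_age=MAX_ASSESSMENT_AGE):
    """Return {asset_id: [problems]} for assets whose latest assessment is
    missing, made by someone other than the owner, has an unknown status, or is stale."""
    by_asset = {}
    for rec in assessments:
        by_asset.setdefault(rec.asset_id, []).append(rec)
    problems = {}
    for asset in master:
        issues = []
        recs = by_asset.get(asset.asset_id, [])
        if not recs:
            issues.append("no assessment")
        else:
            latest = max(recs, key=lambda r: r.assessed_on)
            if latest.assessor != asset.owner:
                issues.append(f"assessed by {latest.assessor}, owner is {asset.owner}")
            if latest.status not in VALID_STATUSES:
                issues.append(f"invalid status {latest.status!r}")
            age = today - latest.assessed_on
            if age > max_age:
                issues.append(f"stale ({age.days} days old)")
        if issues:
            problems[asset.asset_id] = issues
    return problems


def dashboard_summary(master, coverage, assessments, today):
    """Figures a compliance dashboard would consume, derived only from validated data."""
    tool_gaps = reconcile_tools(master, coverage)
    assess_problems = validate_assessments(master, assessments, today)
    uncovered = set().union(*(set(missing) for missing, _ in tool_gaps.values()))
    latest = {}
    for rec in assessments:
        if rec.asset_id not in latest or rec.assessed_on > latest[rec.asset_id].assessed_on:
            latest[rec.asset_id] = rec
    clean = [a.asset_id for a in master
             if a.asset_id not in uncovered and a.asset_id not in assess_problems
             and latest[a.asset_id].status == "compliant"]
    return {
        "assets": len(master),
        "uncovered_by_some_tool": sorted(uncovered),
        "stale_tool_entries": sum(len(unknown) for _, unknown in tool_gaps.values()),
        "assessment_problems": assess_problems,
        "fully_compliant": clean,
    }


if __name__ == "__main__":
    for key, value in dashboard_summary(MASTER, TOOL_COVERAGE, ASSESSMENTS, TODAY).items():
        print(f"{key}: {value}")
```

The point of the structure is that the master inventory, not any one tool, decides what "all assets" means: assets a tool has never onboarded and entries a tool still carries for decommissioned hosts both surface as findings, and an assessment that is not from the registered owner or is past the reassessment window is rejected before it can turn a dashboard tile green.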

The presentation covers not only the newly developed tooling but also its management and the related compliance processes.

Speaker Bio

BIO – Dr Andreas Wespi is a Research Staff Member at IBM Research – Zurich. His current research focuses on security analytics applied to hybrid multi-cloud environments. For many years he managed the Security and Privacy Research team at IBM Research – Zurich and led projects on intrusion detection, data security, cloud security, security policy management, and privacy. At the beginning of his IBM career he was a member of IBM's Global Security Analysis Lab (GSAL). The GSAL made substantial contributions to IBM's security product and service offerings; among other things, it developed the technology behind IBM Tivoli Risk Manager, the first commercial Security Information and Event Management (SIEM) product.

BIO – Chris Giblin – I am a software engineer who has, over the course of many years, worked on a wide variety of projects, from customer engagements, to learning services, through to the ever-inspiring Zurich Research Lab where I am based.

My areas of specialization are authorization policy, compliance, software architecture and middleware programming.

In recent years I have had the privilege, with many outstanding collaborators, to focus on building and operating data intensive systems. This has included developing middleware for sales and marketing applications, IBM’s CoRE recommendation engine, and most recently serving as security technical lead for the Cognitive Enterprise Data Platform (CEDP), IBM’s internal AI data platform.

Currently I am busy extending security features for IBM Cloud Event Streams and developing approaches to automating compliance.

BIO – Dave Ryan is currently the Risk and Controls Leader of the Global Chief Data Office. His current focus is on providing advice, guidance and support across the GCDO team by offering education, tools and support that increase the breadth and depth of risk management capabilities and assist management teams in implementing best practices in governance, risk analysis, monitoring, metrics and management systems. He began his IBM career as an Account Administrator in the National Accounts Division in 1981. From there he held several leadership positions within the Customer Fulfillment organization, including leading North America Application and Change Management, Americas Sales and Distribution Fulfillment Business Controls and Americas Software Customer Fulfillment. He then moved to global leadership roles including Global Process Executive Software Fulfillment, Global Process Executive Order to Cash and Global Markets Risk and Controls Leader Direct Sales.

BIO – Monica Manni works at IBM Research – Zurich in the role of Finance Business Controls. Tasked with overseeing the internal control posture and ensuring audit readiness of the Zurich Lab, she provides controls guidance, advice and counsel to the Zurich research community and local management. She started her career in Italy as an accountant and after two years joined a global SAP project team, where she was responsible for the implementation of the SAP FI-CO module and the centralization of accounting processes. She ran Finance Operations in the Netherlands with a focus on financial management reporting. After moving to Switzerland, in addition to her previous role, she led the implementation of Sarbanes-Oxley (SOX), from the set-up of internal controls through to certification.

BIO – Pascal Vetsch – Experienced information technology advocate with a demonstrated history of working in the information technology and services industry.

  • Skilled in data center, network and system design.
  • Experienced in operating enterprise Linux and Windows environments as well as Cisco-based networks.
  • Strong in software engineering and DevOps in various programming and scripting languages.

Strong design professional with over 10 years of experience in network, security and software engineering. Currently working in the hybrid cloud space on various projects related to data security and compliance.
