資訊和通信技術提供商遵守 DORA - 您需要做什麼？ (DORA compliance for ICT Providers - What Do You Need to Do?)

字幕列表影片播放

由 AI 自動生成

Good afternoon everybody.

大家下午好。
I hope you can all hear me see me and see my presentation.

我希望大家都能聽到我的演講，看到我的演講。
So we are going to have a this afternoon we're going to go through talk about DORA compliance for ICT providers, what you need to do, what you need to know, some of the key things you need to think about, need to understand and what DORA is, how it's affecting things, all these all these wonderfully interesting topics.

是以，今天下午我們將討論資訊和通信技術提供商的 DORA 合規性，你需要做什麼，你需要知道什麼，你需要思考和理解的一些關鍵問題，以及 DORA 是什麼，它如何影響事物，所有這些都是非常有趣的話題。
So we will start off in a couple of minutes.

我們馬上就開始。
I'm going to ask you to be a bit interactive and respond to a few questions because it's going to be useful for me to to understand who I've got on the call etc.

我想請你們互動一下，回答幾個問題，因為這對我瞭解誰來參加電話會議等很有幫助。
So first of all who am I?

首先，我是誰？
Very good question.

問得好
So my name is Andrew Paterson.

我叫安德魯-帕特森。
I'm the head of GRC consultancy for IT Governance Europe and I've been working in GRC for probably it's near the 30 years and 20 years anyway, probably quite a lot closer to 30 years and 20 years.

我是 IT Governance Europe GRC 諮詢公司的負責人，從事 GRC 工作大概有 30 年和 20 年之久，可能更接近 30 年和 20 年。
I'm a certified ISACA trainer.

我是 ISACA 認證培訓師。
I have a master's in information systems management which was quite a long time ago but we weren't just looking at advocacies we were looking at proper IT even then.

我擁有信息系統管理碩士學位，那是很久以前的事了，但那時我們關注的不僅僅是宣傳，我們還關注適當的信息技術。
I'm the SME within the group in things like NIS, NIS2 which as we may know is a directive, things like cybersecurity framework 27001, SIS 18, ECC which is a Saudi Arabian standard and DORA.

我是組內的中小型企業，負責 NIS、NIS2（我們都知道這是一項指令）、網絡安全框架 27001、SIS 18、ECC（沙特阿拉伯標準）和 DORA 等方面的工作。
I've worked in lots and lots of sectors over the years.

這些年來，我在很多很多部門工作過。
That's just a few examples of some of the areas I've been helping people affected with DORA for around the last 12 months, helping them to get ready for the deadline which we'll talk about when that is a bit later.

這只是我在過去 12 個月中幫助受 DORA 影響的人的幾個例子，幫助他們為截止日期做好準備，我們稍後會討論截止日期。
I'm also the author of a DORA, a guide to the DU Digital Operationals Resilience Act and it's very much that book is a practical guide about what you need to do about it.

我也是《DORA》一書的作者，這是一本關於《DU數字營運復原力法案》的指南，這本書在很大程度上是一本關於你需要做什麼的實用指南。
It's not particularly legalistic, it's about how you develop and implement an ISMS that will meet the requirements of DORA.

這不是什麼法律問題，而是關於如何制定和實施符合 DORA 要求的 ISMS。
So just a couple of little slides here about who we are, IT Governance.

是以，這裡只需要幾張小幻燈片，介紹一下我們的定位--IT 治理。
You've obviously heard of us before because you're sitting on this webinar but we've been in the industry for over 20 years, 12,000 clients, we work globally.

顯然，你已經聽說過我們，因為你現在就坐在網絡研討會上，但我們在這個行業已經有 20 多年的歷史，擁有 12,000 家客戶，我們的業務遍及全球。
The big area of people more familiar with us is in 27001 and GDPR and everything but when you start looking at DORA, 27001 is an incredibly useful vehicle for helping you to deal with what is required out of DORA.

人們更熟悉我們的主要領域是 27001 和 GDPR 等，但當您開始關注 DORA 時，27001 是一個非常有用的工具，可以幫助您處理 DORA 的要求。
It talks about the same sort of things, there's a different emphasis in some areas but we'll go through that.

它談的是同一類事情，但在某些方面有不同的側重點，不過我們會一一討論。
So that's who we are, we've worked with all of these different people, we've got 1300 projects in ISO, we've got our cyber essentials and we've got our governance and risk tool called cyber comply which has got almost two and a half thousand people customers using it globally.

這就是我們，我們與所有這些不同的人合作，我們在 ISO 中有 1300 個項目，我們有我們的網絡要領，我們有我們的治理和風險工具，名為 cyber comply，全球有近兩千五百名客戶在使用它。
You can see all the information on there, just a little thing on the slides, you will be given access to a slide pack because some of the slides have got quite a lot of detail on them and probably more useful if you come back and read them later because I will not be reading every single line on every slide, I'll be talking around them.

你可以看到上面的所有資訊，只是幻燈片上的一個小東西，你會得到一個幻燈片包，因為有些幻燈片上有相當多的細節，如果你稍後再來看，可能會更有用，因為我不會讀每張幻燈片上的每一行，我會圍繞它們來談。
So that's that sort of thing.

就是這樣。
If you're familiar with Net Promoter Scores, that's our things like that over the last whatever you've had to do.

如果你熟悉淨促進者分數，那就是我們在過去的任何時候都要做的事情。
So this is where we're going to ask you to do a little bit of interaction and voting and it'll give me a little bit idea about who's on the call and maybe I will make sure I mention a few things which are specific to those requirements.

在這裡，我們會請大家做一些互動和投票，讓我瞭解一下誰在電話會議上，也許我會確保我提到一些與這些要求有關的事情。
So the first question we'd like you to respond to is this one, what is your role in the DORA compliance decision making process?

我們想請您回答的第一個問題是，您在 DORA 合規決策過程中扮演什麼角色？
So you've got the choice of this, I am a key decision maker, I influence decisions but I'm not the final decision maker, I am gathering information for my team.

所以，你可以這樣選擇：我是關鍵決策者，我影響決策，但我不是最終決策者，我為我的團隊收集資訊。
So you should get the option there to respond to that question.

所以，你應該可以選擇回答這個問題。
So I'll give you a little bit of time to do that.

所以我給你一點時間來做這件事。
It's like waiting for the the results of Eurovision.

這就像在等待歐洲電視大獎賽的結果。
So a few more moments.

再等一會兒
Okay then, so we've got a few decision makers on there and then it's split between people influencing the decision maker and I'm gathering for the team.

好吧，那麼我們已經有了幾個決策者，然後由影響決策者的人和我為團隊收集資訊。
So it's pretty much your most most of you are finding out more information etc and all that sort of stuff.

是以，你們中的大多數人都在尋找更多的資訊，諸如此類。
That's brilliant, thank you very much.

太棒了，非常感謝。
Okay the next question, what is your timeline for implementing DORA?

好的，下一個問題是，您實施 DORA 的時間表是什麼？
We might have a different response at the end of the webinar on this one.

網絡研討會結束時，我們可能會對此有不同的迴應。
Within the next three months, in four to six months, beyond six months or no timeline set?

未來三個月內、四至六個月內、六個月後還是沒有時間表？
So if you can respond to the questions there.

所以，如果你能回答這些問題。
Okay we'll wait for a couple of more responses on that.

好吧，我們再等幾個人的回覆。
Okay then, so most of you are talking about probably something in beyond six months.

好吧，那麼你們大多數人說的可能是六個月以後的事情。
Okay if you speak quicker than that.

好吧，如果你說得比這還快。
Okay thank you for that.

好的，謝謝你。
Next question, what type of support does your organization need most for DORA compliance?

下一個問題，貴組織在遵守 DORA 方面最需要哪種類型的支持？
So compliance software solutions, consultancy and advisory services, training and education, and so on and so forth.

是以，合規軟件解決方案、諮詢和顧問服務、培訓和教育等等，不一而足。
Okay, so what type of support do you need most for DORA?

好吧，那麼您最需要 DORA 提供哪種類型的支持？
So if you could give us your response on that.

是以，請您就此給我們答覆。
A few more seconds.

再等幾秒鐘
Okay, so on this we've got a pretty much a split, we could be almost across the three areas on that.

好的，在這個問題上，我們幾乎是各執一詞，幾乎可以說是橫跨三個領域。
So thank you very much for that.

非常感謝。
And now the last question, has your organization allocated a budget for DORA compliance solutions?

現在是最後一個問題，貴組織是否為 DORA 合規解決方案分配了預算？
Yes, we have a dedicated budget.

是的，我們有專門的預算。
Budget is under consideration.

預算正在審議中。
No budget allocated yet.

尚未分配預算。
Just a few more moments and then we'll close that poll.

再等一會兒，我們就結束投票。
Okay then, so mainly no budget allocated yet and a few people have got a budget under consideration, but actually you need to be able to show that you have budgets for cyber security etc.

好吧，那麼主要是還沒有分配預算，有幾個人正在考慮預算，但實際上你們需要能夠證明你們有網絡安全等方面的預算。
So we'll talk about that.

那我們就來談談這個問題。
So a couple of things, you will see that you've got the ability to ask questions.

所以，有幾件事，你會發現你已經有了提問的能力。
If you put questions in there, we'll have some time at the end of the webinar for me to respond to those questions.

如果您有任何問題，我們將在網絡研討會結束時安排一些時間讓我回答您的問題。
So if anything comes to mind as we're going through, please put them up.

是以，如果我們在檢查過程中想到了什麼，請把它們放上來。
Also, just to remind you, you do actually get a CPD point for this, so you will get a certificate for that.

另外，提醒您一下，您確實可以是以獲得 CPD 點數，所以您會是以獲得證書。
It's always useful for your professional development, do a few webinars and you can make inroads into the amount you need to get through the year.

這對你的職業發展總是很有幫助的，參加幾次網絡研討會，你就能獲得完成全年任務所需的資金。
So we're going to go through several of the topics and again some of the slides are quite detailed and you'll have access to them.

是以，我們將討論幾個主題，其中一些幻燈片非常詳細，你們可以查閱。
You may be going to read those later.

你以後可能會讀到這些內容。
So it's all about trying to explain to you what DORA is and how we're particularly looking at it, what it means for third party suppliers.

是以，我們要向你們解釋什麼是 DORA，我們如何特別關注它，它對第三方供應商意味著什麼。
So we'll go through all these different things and we will talk to them some in more detail than others.

是以，我們將討論所有這些不同的問題，有些問題會比其他問題更詳細。
So what's DORA got to do with ICT third party suppliers?

那麼，DORA 與 ICT 第三方供應商有什麼關係呢？
Now DORA is the Digital Operational Resilience Act.

現在，DORA 就是《數字運行復原力法案》。
It's a regulation.

這是一項規定。
So to understand that, that means that it without need to go through parliaments, it's not a directive.

是以，要理解這一點，這意味著它無需通過議會，它不是一項指令。
So it doesn't have to go through 27 parliaments and be approved.

是以，它不必經過 27 個議會的準許。
And it's very specific in what it says needs to be covered by the regulation.

該條例對需要涵蓋的內容規定得非常具體。
And they talk about financial entities and they describe what a financial entity is.

他們談到了金融實體，並描述了什麼是金融實體。
It's anything which is regulated, okay.

就是任何受管制的東西，好嗎。
Few exceptions etc and all that, but basically anything.

很少有例外等等，但基本上什麼都有。
And then on the last line, it goes ICT third party suppliers.

最後一行是 ICT 第三方供應商。
So if you supply into a financial entity, which is in the European Union, you're going to be covered by DORA, okay.

是以，如果您向歐盟的金融實體供貨，您將受到 DORA 的保護。
Even if you're not in the European Union, okay.

即使你不在歐盟，也沒關係。
So if you're an ICT third party supplier and you're supplying into a financial entity in the European Union, you're covered by it.

是以，如果你是資訊和通信技術的第三方供應商，並且你向歐盟的金融實體供貨，你就在它的覆蓋範圍內。
If you're a large organization, which is supplying services to a part of your organization, which is in the European Union, okay, you have to comply with the requirements of DORA.

如果您是一家大型機構，為您機構中位於歐盟的一部分提供服務，那麼您必須遵守 DORA 的要求。
So if you're sitting there thinking, all right, so who's that?

所以，如果你坐在那裡想，好吧，那是誰？
Does that affect me?

這對我有影響嗎？
This is not a definitive list, but this is because it doesn't actually say in there, what is an ICT third party supplier, but it builds up and gives you some sort of ideas on this.

這並不是一個明確的清單，但這是因為它實際上並沒有說明什麼是資訊和通信技術第三方供應商，但它為你提供了一些這方面的想法。
So it's people who are impacted, people who are delivering services.

是以，受影響的是人，是提供服務的人。
And it is specifically where I'll talk about on the next slide in more detail is that supporting critical important functions, right, or services that the financial entity provides.

具體來說，我將在下一張幻燈片中更詳細地討論支持金融實體提供的關鍵重要功能或服務。
So there's a quick list there of some of the things.

是以，這裡快速列出了其中的一些內容。
So if you actually look at it, it's very broad on what they mean by an ICT third party supplier.

是以，如果你仔細研究一下，就會發現資訊和通信技術第三方供應商的含義非常廣泛。
So, you know, GIC risk management providers, collaborative tool providers, desktop service providers, IT service providers, SOC service providers.

是以，你知道，GIC 風險管理提供商、協作工具提供商、桌面服務提供商、IT 服務提供商、SOC 服務提供商。
So if you're working with a financial entity and you're providing any ICT services, you're probably going to be covered by the requirements of DORA.

是以，如果您與金融實體合作，並提供任何資訊和通信技術服務，您很可能會受到 DORA 要求的保護。
And what do I mean by covered by the requirements of DORA?

我說的 "DORA "是什麼意思？
The next slide gives you a bit of a feel for how the structure works and why it's important to think about where you are.

下一張幻燈片讓你瞭解一下該結構是如何運作的，以及為什麼要考慮你所處的位置。
So this is a nice little, nice and colourful pyramid.

這就是一座漂亮的小金字塔，色彩斑斕。
And it just gives you a feel.

這只是給你一種感覺。
So at the top, we've got the EU Parliament, we've got the European Central Bank, we've got the supervisory authorities, the member states, they need to be enforcing this and making sure this happens.

是以，在最高層，我們有歐盟議會、歐洲中央銀行、監管機構、成員國，他們需要執行並確保這一切發生。
And then they have things in their countries called national competent authorities.

然後，他們在自己的國家有一個叫做國家主管當局的機構。
These are the guys who are going to make sure that financial entities are doing what they need to do with DORA.

這些人將確保金融實體按照 DORA 的要求行事。
And then you have the financial entity.

然後是金融實體。
And the financial entity needs to make sure that you're doing what they need to ensure that they are going to comply with DORA.

金融實體需要確保您正在做他們需要做的事情，以確保他們將遵守 DORA。
Okay.

好吧
So much so that DORA specifies certain things that need to be in the contractual requirements while dealing with third parties.

是以，DORA 規定了與第三方打交道時合同要求中的某些事項。
And when you get into that particular, some of And if you think about it, if you've got third parties working for you who are providing your services to you, which is central to the services that you're providing a financial entity, you're going to have to manage your third party supply chain as well.

如果你仔細想想，如果你有第三方為你工作，為你提供服務（這是你為金融實體提供服務的核心），你也必須管理你的第三方供應鏈。
And this is one of the very key things.

這也是非常關鍵的一點。
It's about improving resilience and operational resilience, not just within the financial entity, but within that supply chain, because there is an understanding of weakness.

這不僅關係到金融實體內部，還關係到供應鏈內部的復原力和營運復原力，因為我們對薄弱環節有所瞭解。
And that more comes on to what we talk on the next section.

這也是我們下一節要討論的內容。
So why does DORA exist and what is it?

那麼，為什麼會有 DORA，它又是什麼呢？
Okay.

好的
So this slide is the sort of slide, but when you've got it back and you can zoom it up, but it gives you the, you know, it's about a risk, systemic risk across financial services in the European Union.

所以，這張幻燈片就是這樣的幻燈片，但當你把它拿回來，你可以放大它，但它給了你，你知道，它是關於風險，整個歐盟金融服務的系統性風險。
We all know that with, I mean, I'm old enough to remember when, you know, you had to be physically on a, in front of a machine with a cable coming out the back of it in the same building to get access to things.

我們都知道，我是說，我年紀大了，還記得當年，你必須親自站在一臺機器前，在同一棟樓裡，機器後面有一根電纜出來，才能訪問東西。
And we don't work in that world anymore.

我們已經不在那個世界工作了。
We've got 24 seven access.

我們提供 24/7 全天候服務。
Everything is interrelated.

萬事萬物都是相互關聯的。
So there's so much interconnectivity within all sectors and within financial services that if you get a problem somewhere, it's multiple countries.

是以，各行各業和金融服務業之間的相互關聯性非常強，如果某個地方出現問題，就會波及多個國家。
So it's about building up and understanding this, where the resilience is, because, you know, it's so important that these functions from financial services operate.

是以，我們要建立並瞭解這一點，瞭解復原力在哪裡，因為你知道，這些金融服務功能的運行非常重要。
That's basically how economies don't work.

經濟基本上就是這樣運轉不起來的。
Okay.

好的
And if you're an ICT third-party supplier in that chain, it's very important for you meeting those requirements.

如果你是產業鏈中的資訊和通信技術第三方供應商，那麼滿足這些要求就非常重要。
So what was the key things and what they were talking about when they were developing this?

那麼，他們在開發時討論的關鍵問題是什麼？
DOOR sets out a harmonized approach to digital operational resilience across the EU's financial sector.

DOOR 為歐盟金融部門的數字業務復原力制定了統一的方法。
So everybody has to do it.

是以，每個人都必須這樣做。
Okay.

好的
Level playing field.

公平競爭。
It's not like somebody in one legislation doesn't have to do the same.

在一項立法中，也不是沒有人必須這樣做。
It's why it's a regulation and not a directive, because it doesn't need to go through national law or national parliaments.

這就是為什麼它是法規而不是指令，因為它不需要通過國家法律或國家議會。
This is what people need to do.

這就是人們需要做的。
And it's been around since 22.

它從 22 年就開始存在了。
Okay.

好的
It's not just like appeared recently.

不只是最近才出現。
Okay.

好的
It's been around since December 2022.

它從 2022 年 12 月開始使用。
And it harmonizes, removes, you know, certain directives, etc.

它還協調、刪除了某些指令等。
As it's a regulation, it supersedes the requirements of the NIST directive and NIST 2.

由於這是一項法規，它取代了 NIST 指令和 NIST 2 的要求。
And it sets out certain things expected by financial entities.

它規定了金融實體應做的某些事情。
And this will be new for many service providers.

這對許多服務提供商來說都是全新的。
Okay.

好的
So you may be doing some of these things, but this is not a tick box.

是以，你可能正在做其中的一些事情，但這並不是打勾。
Okay.

好的
This is about operational resilience.

這關係到業務復原力。
So this is about financial entities being able to provide their services when bad things are happening to them.

是以，這關係到金融實體能否在遭遇不測時提供服務。
Okay.

好的
I describe it in one simple way, and we'll go into more detail of this, is if you think about incident management, business continuity, and disaster recovery, which you all probably do, but the volume's turned up on it, it's taking it to the next level.

我用一個簡單的方法來描述它，我們將對此進行更詳細的介紹，那就是，如果你考慮事件管理、業務連續性和災難恢復，你們可能都會這樣做，但它的音量被調高了，它正在將其提升到一個新的水準。
Okay.

好的
And it's definitely not tick box.

這絕對不是 "勾選框"。
You have to do things.

你必須做事。
And they're very specific in what they require.

他們的要求非常明確。
So the regulation covers certain things.

是以，該條例涵蓋了某些內容。
So ICT risk management, everything is driven by risk.

是以，資訊和通信技術風險管理，一切都是由風險驅動的。
What are the risks to the organization?

組織面臨哪些風險？
What are we doing about this?

我們該怎麼辦？
And this is any type of organization.

任何類型的組織都是如此。
It's very specific in what they need to do about incident reporting.

在事故報告方面，他們需要做的事情非常具體。
So the financial entity has to report about incidents to the competent authorities if they're happening.

是以，如果發生事故，金融實體必須向主管當局報告。
You as an ICT third party service provider need to make sure that you are sharing with your financial entity, the correct information in that regard as well.

作為 ICT 第三方服務提供商，您需要確保與財務實體共享這方面的正確資訊。
What testing have you got in place?

你們有哪些測試？
You know, so it is, you might have some nice plans, but if they don't test it, they don't exist.

你知道，就是這樣，你可能有一些很好的計劃，但如果他們不進行測試，這些計劃就不存在。
That's a nice sack of view of the world.

這種世界觀真不錯。
And that's a good view to have.

這種觀點很好。
Testing is so important.

測試非常重要。
And when we mean testing, it doesn't mean, you know, you go and pull the plug out the back of things and see what happens.

我們所說的測試，並不是說，把插頭拔掉，看看會發生什麼。
But if you've got DR site, have you tested it all over?

但是，如果您已經有了 DR 網站，您是否對其進行了全面測試？
Are you doing tabletop exercises?

您在做桌面練習嗎？
You know, are you doing this?

你知道，你在做這個嗎？
There is again, in there about information sharing.

其中還有關於資訊共享的內容。
It's only a small part of it about how organizations can share information.

這只是組織如何共享資訊的一小部分。
It's particularly in there, but if they want to share information about threats and intelligence, they're not falling foul of competition laws and all that sort of stuff.

如果它們想共享有關威脅和情報的資訊，就不會觸犯競爭法等法律。
But one of the big things in there is how they manage their third parties.

但其中一個重要問題是他們如何管理第三方。
Instant, you know, ICT service providers about dealing with the risks involved in that.

即時，你知道，資訊和通信技術服務提供商如何應對其中的風險。
And if we look at it, it requires, so further technical requirements will set out.

如果我們看一下，它要求，是以將列出進一步的技術要求。
So we've got DORA and there's additional technical requirements called in regulatory technical standards, which go into more detail on things and they are being published and approved.

是以，我們制定了 DORA，並在監管技術標準中增加了一些技術要求，這些標準對一些問題進行了更詳細的說明，目前正在公佈和準許中。
So you have to require the DORA requirements and then the regulatory technical standards.

是以，你必須符合 DORA 的要求，然後再符合監管技術標準。
They're giving guidance on things like risk tools, you know, and in there they're getting very specific things about what should be in certain policies.

他們正在就風險工具等問題提供指導，你知道，在這些指導中，他們對某些政策中應該包含哪些內容有了非常具體的規定。
Okay.

好的
If you're familiar with certain standards, they don't necessarily tell you what you've got to have in policies, but you've got to, you've got to do something.

如果你熟悉某些標準，它們不一定會告訴你政策中必須有什麼，但你必須，你必須做一些事情。
Things about classification of instance.

關於實例分類的事情。
So there's guidance on that.

是以，在這方面有指導意見。
There's also requirements for third parties to share the contractual information or the financial entity, sorry, have to share the, tell their competent authority who their ICT third party suppliers are and going into the contractual stuff and all that sort of thing.

此外，還要求第三方共享合同資訊，或者金融實體必須共享合同資訊，告訴主管當局誰是其資訊和通信技術的第三方供應商，以及合同內容等等。
So, so lots of detail in there.

所以，裡面有很多細節。
And there's a lot of stuff in DORA of telling the competent authorities or the national regulatory bodies, how they work with the other national regulation bodies.

在 DORA 中，有很多內容都是告訴主管當局或國家監管機構，他們如何與其他國家監管機構合作。
Again, this is all about level playing field.

再說一遍，這就是公平競爭。
Everybody's doing the same thing, better understanding of risks and threats and what's happening, increased speed and understanding of what is happening with incidents, all those sorts of things.

每個人都在做同樣的事情，更好地瞭解風險和威脅以及正在發生的事情，提高速度，瞭解正在發生的事件，所有這些事情。
So there's, there's a huge amount of detail in there.

所以，裡面有大量的細節。
So key dates.

關鍵日期
So the regulation entered force on the 16th of January, 2023, and it will apply from the 17th of January, 2025.

是以，該條例於 2023 年 1 月 16 日生效，並將於 2025 年 1 月 17 日開始適用。
So this means it's, it's going to apply.

是以，這意味著它將適用。
And for non-compliance, and if a problem happens, the regulation allows for large and dissuasive fines.

對於不遵守規定的行為，如果出現問題，法規允許處以鉅額勸阻性罰款。
So you think about fines, you think about more what, what's happened with GDPR.

所以，你會考慮罰款，你會考慮更多，GDPR 發生了什麼。
Financial entities are not doing what they're meant to do here.

在這裡，金融實體並沒有做它們應該做的事情。
And they have a problem.

他們遇到了問題。
They're, they're, the competent authorities are going to, are going to start fining them.

他們，他們，主管當局將開始對他們進行罰款。
And that's the, an interesting thing when that happens.

這就是發生這種情況時的有趣之處。
I think it happened with GDPR.

我認為這發生在 GDPR 上。
Everybody took that very seriously when, when that all started kicking in.

當這一切開始起作用時，每個人都非常認真地對待。
Okay.

好的
So just remember that date, 17th of January, 2025.

所以，請記住這個日期，2025 年 1 月 17 日。
So EU Act with global implications.

是以，歐盟法案具有全球影響。
So, so first of all, so it's European Union.

所以，首先是歐盟。
And so if anybody here is from the UK and a third party supplier, it affects you if you're supporting a financial entity in the European Union.

是以，如果在座有來自英國的第三方供應商，如果你支持歐盟的金融實體，就會受到影響。
It's also defined, and you see this a little bit with the European Union, you'll see it at the moment with the, the regulation on use of artificial intelligence and things like that.

這也是一種定義，你在歐盟就能看到一點，你現在就能看到，關於使用人工智能的法規和類似的東西。
They, and also things like, things to do with the Euro privacy certification scheme.

它們，還有與歐洲隱私認證計劃有關的東西。
The EU is very much trying to set the agenda on these things and be the way that the rest of the world should go.

歐盟在很大程度上試圖在這些問題上制定議程，併成為世界其他地區應該走的道路。
And, you know, it's, it's, it's, it's, they're, they're quite, quite keen on that.

而且，你知道，這是，這是，這是，這是，他們，他們相當，相當熱衷於此。
So it's going to affect anybody who works with financial entities in the, in the EU.

是以，這將影響到任何與歐盟金融實體打交道的人。
Okay.

好吧
So it's, it's not just, just don't think about it.

所以，這不僅僅是不要去想它。
It's just those people inside.

只是裡面的那些人。
So if you've got, if you are a third party supplier and you're outside the EU, but again, you're dealing with somebody in the European Union, you know, you are covered by this.

是以，如果你是第三方供應商，並且不在歐盟範圍內，但你又在與歐盟內的某個人打交道，那麼你就在此範圍內。
And it specifically says you are in there in the regulation.

條例中明確規定了你。
It's about, you know, again, it's about dealing with systemic risk.

這是關於，你知道，還是關於處理系統性風險。
Okay.

好吧
So it's making sure that again, financial entities are doing all the things that you can reasonably do.

是以，這也是為了確保金融實體正在做的所有事情都是合理的。
To reduce that risk.

為了降低這種風險
Okay.

好吧
And that will include the services that you provide them.

這將包括您為他們提供的服務。
And I mentioned this briefly, and this is a slide that the next, this next two slides, you can look at a little bit more detail yourself, but it's about making sure that there's joined up approach, you know, understanding how and where third parties sit in the supply chain.

我簡要地提到了這一點，這是下一張幻燈片，接下來的兩張幻燈片，你可以自己看更詳細一點，但這是關於確保有一個聯合的方法，你知道，瞭解第三方在供應鏈中的位置和作用。
And they are also have a view that what they're going to do as well.

他們也有自己的看法。
So if you are a third party, say example, they're Microsoft, AWS, Google, they're actually going to view them on a EU wide level.

是以，如果你是第三方，例如微軟、AWS、谷歌，他們實際上會在歐盟範圍內查看這些資訊。
So there's going to be a, an individual or person called a lead overseer, and they will be looking at the, their compliance at a EU point of view.

是以，會有一個被稱為首席監督員的個人或人員，他們將從歐盟的角度來審視他們的合規性。
Because if you imagine, you know, small organizations have no influence on the big IT players, et cetera.

因為如果你想象一下，你知道，小型組織對大型 IT 企業沒有影響力，等等。
And it's very important that they are taken into consideration.

考慮到這些因素非常重要。
Because if you think about it, those, if you just think about Microsoft and AWS, how much of the financial sector supply chain do they, do they actually impact on?

因為如果你仔細想想，那些，如果你只想想微軟和 AWS，它們對金融行業供應鏈的實際影響有多大？
And that's very important.

這一點非常重要。
It will also imply to certain other suppliers who might not be that big, but potentially in the sector they supply into, they based on say the financial entities coverage.

這也意味著某些其他供應商可能沒有那麼大的規模，但在他們供應的行業中，他們有可能以金融實體的覆蓋範圍為基礎。
So if you've got two financial entities in you're working with, and it's a specific part of the financial services, and you suddenly realize that those two financial entities cover 30% of the market, well, and you're supplying to both of them.

是以，如果你有兩家金融實體與你合作，而且是金融服務的一個特定部分，而你突然意識到這兩家金融實體覆蓋了 30% 的市場，那麼，你就得同時為它們供貨。
If you've got a problem, you could be expecting, infecting or have an impact on 30% of that sector or that function or that service within the European Union.

如果出現問題，你可能會影響到歐盟內 30% 的部門、職能或服務。
So there's, there's lots and lots of things going on here.

所以，這裡發生了很多很多事情。
There is a slide a little bit there on understanding what the regulators do.

有一張幻燈片介紹了監管機構的工作。
But if you see that on the bottom left hand slide, I think that gives you a feel.

但如果你看到左下方的幻燈片，我想這就能給你一種感覺了。
So you're going to have to be able to show the financial entities that you're meeting the requirements.

是以，你必須能夠向財務實體證明你符合要求。
So the financial entities can show that they are meeting the requirements.

這樣，金融實體就可以證明它們符合要求。
This is going to have a big impact on how third-party service providers impact or work with financial entities.

這將對第三方服務提供商如何影響金融實體或與金融實體合作產生重大影響。
It's probably going to mean that some third-party ICT providers are not going to want to deal with the financial entities.

這可能意味著一些第三方資訊和通信技術提供商不願意與金融實體打交道。
It means that if you're doing this well, you've got a really good, strong, competitive place to deal with more financial entities.

這意味著，如果你在這方面做得很好，你就有了一個非常好的、強大的、有競爭力的地方來與更多的金融實體打交道。
And when you actually look at the requirements, it's not actually asking you to do anything too strange.

而當你真正瞭解這些要求時，其實並沒有要求你做什麼太奇怪的事情。
It's probably asking you to turn the volume up on what you're doing.

它可能要求你把正在做的事情的音量調大。
But really, when you look at it, you should be doing this stuff anyway, you know, in the new world that we're working in.

但實際上，當你看到這一點時，你無論如何都應該做這些事情，你知道，在我們工作的新世界裡。
The way that there are lots of threats out there, and there's lots of things we need to worry about, and there's lots of risks, and there's lots of things we need to do to counter them.

外面有很多威脅，有很多我們需要擔心的事情，有很多風險，有很多我們需要應對的事情。
So it could be very useful if you get this right.

是以，如果你能正確處理這個問題，它可能會非常有用。
So, January 2025.

那麼，2025 年 1 月。
So this is just the thing.

所以，這就是問題所在。
So the reality is that we expect that a lot of people are not going to be particularly conformant by the time they get to the 17th of January.

是以，現實情況是，我們預計到 1 月 17 日時，很多人都不會特別遵守規定。
If you are an ICT third-party supplier, you do have time, you know.

如果你是資訊和通信技術的第三方供應商，你就有時間。
When we're asking you to have time, you've got, depending on how you count it, eight or nine months to get into place.

當我們要求你們有時間時，根據你們的計算方式，你們有八九個月的時間到位。
And you may be, if you're looking at it, and I'm helping people where I go in and do a gap assessment of where they are at the moment and where they need to be.

如果你正在研究這個問題，而我正在幫助一些人，我會對他們目前的狀況和需要達到的目標進行差距評估。
And, you know, a lot of organizations might be doing some of this, or you've got to do a bit more, you've got to document a bit more, you need to be able to show, if required, that you're doing these things.

而且，你知道，很多組織可能正在做其中的一些事情，或者你必須做得更多一些，你必須記錄得更多一些，如果需要的話，你必須能夠證明你正在做這些事情。
Financial entities are working from it.

金融實體正在從中受益。
They're trying to understand what their supply train is.

他們正試圖瞭解他們的供應列車是什麼。
They're trying to understand where their contracts are.

他們試圖瞭解自己的合同在哪裡。
Do not be surprised if financial entities are turning around and saying, right, we need to add additional things into your contracts with us, your service levels.

如果金融機構回過頭來說，好吧，我們需要在你們與我們的合同中增加額外的內容，增加你們的服務水平，請不要感到驚訝。
It's things like that your service level agreements and your contracts have to be in one document, you know.

比如，你的服務水平協議和合同必須在一份文件中，你知道的。
There's certain things that if you do not meet the requirements of DORA, the financial entity can terminate the contract.

如果您不符合 DORA 的要求，金融實體可以終止合同。
And how does it terminate?

它是如何終止的？
What's the exit strategies?

退出策略是什麼？
How all those sort of things.

所有這些事情。
So there's quite a lot of things going on.

所以，事情還真不少。
We'll also discover that cyber breaches will happen and they will start to be reviewed within the terms of the DORA regulation.

我們還將發現，網絡洩密事件將會發生，並將開始在 DORA 法規的範圍內對其進行審查。
So it's pretty important there that you're in as good a position as possible.

是以，儘可能佔據有利位置非常重要。
And again, the key thing is in, it's going to be a bit like GDPR.

同樣，最關鍵的是，這將有點像 GDPR。
Until things start happening and they're enforcing them, we don't really know what's going to happen and how it's going to look.

在事情開始發生並得到執行之前，我們真的不知道會發生什麼，也不知道會是什麼樣子。
So what do you need to do?

那麼你需要做什麼呢？
Some people, not a lot.

有些人，不是很多。
Some people, a bit more.

有些人則更多一些。
So, you know, when you're looking at it, you know, we're looking at every work stream.

所以，你知道，當你看它時，你知道，我們正在看每一個工作流。
So current cyber security, you know, keep out of trouble, you know, do your pen testing, do all the standard stuff you need to be doing.

是以，當前的網絡安全，你知道的，要遠離麻煩，你知道的，做你的筆測試，做所有你需要做的標準事情。
You know, and hopefully if you are supplying to a financial entity, they'll come and told you and ask you what you need to do for them.

你知道，如果你向金融實體供貨，希望他們會來告訴你，問你需要為他們做什麼。
Because it's the financial entity needs to go and do that.

因為這是金融實體需要去做的。
Won't be the competent authority coming and talking to you.

不會是主管當局來找你談話。
It's the financial entity needs to be going, this is going on.

這是金融實體需要去的，這是怎麼回事。
We have decided that what you are doing is providing a support to a critical or important service.

我們認為，您所做的是在為一項關鍵或重要的服務提供支持。
Yeah.

是啊
And that's what they focus on.

這就是他們關注的重點。
And we need to know that you're meeting these requirements.

我們需要知道你們是否滿足了這些要求。
And you probably need to sit down, kick off a program, you know, thinking about it.

你可能需要坐下來，啟動一項計劃，你知道，考慮一下。
So you need to make sure that people are being trained.

是以，你需要確保人們接受培訓。
It requires training in a regulation.

這就需要進行法規培訓。
Okay.

好的
Training up to this point for in cyber or operational resilience has always just been a good thing to do.

迄今為止，網絡或業務復原力方面的培訓一直都是一件好事。
Maybe a requirement of a standard or like 27,001.

也許是標準的要求，或者類似於 27 001。
This isn't a regulation saying people need to be trained.

這不是一項規定，說人們需要接受培訓。
You need to make sure that the roles and responsibilities that somebody takes ownership of risk within the organization, that you have someone designated at the senior level who is responsible for DORA.

你需要確保組織內部有人承擔風險的角色和責任，在高層指定專人負責 DORA。
You know, you need to be able to support the strategies of the financial entities about both on operational resilience and their risk.

你要知道，你需要能夠支持金融實體在營運復原力和風險兩方面的戰略。
And just as, you know, if you need any help, there's a very practical guide.

如果你需要任何幫助，這裡有一份非常實用的指南。
I've only mentioned this twice, that book.

那本書我只提過兩次。
Okay.

好的
But it's a practical approach doing it.

但這是一種務實的做法。
It's not legalistic.

這不是律法主義。
It's about how you develop your information security management system, because this is basically what you need to do for DORA.

這關係到你如何開發信息安全管理系統，因為這基本上就是你需要為 DORA 做的事情。
You need to have an information security management system in place functioning.

您需要有一個信息安全管理系統在運行。
So the benefits of DORA compliance, and think about this, and this is maybe how you sell it.

是以，考慮一下遵守 DORA 的好處，也許你可以這樣推銷它。
Okay.

好的
If you do DORA, your services system solutions are going to be more resilient.

如果您使用 DORA，您的服務系統解決方案將更具彈性。
You're going to be able to support the needs of not only your financial entities who you support, but also your other customers, because you're building resilience into your systems.

您不僅能滿足您所支持的金融實體的需求，還能滿足其他客戶的需求，因為您正在為您的系統建立彈性。
You've looked at risk seriously.

你已經認真審視了風險。
Now you might have already been doing this, but sometimes the experience is that people aren't doing enough on risk.

現在你可能已經在這樣做了，但有時經驗告訴我們，人們在風險方面做得還不夠。
You've also understand your supply chain, your single points of failure, all these sort of things.

你還必須瞭解你的供應鏈、單點故障等所有此類問題。
You could show that you've got regulatory compliance.

你可以證明你遵守了法規。
Okay.

好的
There's various ways you could do that, but it could give you that competitive edge when you're dealing with other organizations that we are, we're top notch here.

你可以通過各種方式做到這一點，但當你與其他組織打交道時，這可以給你帶來競爭優勢，因為我們是一流的。
We are dealing with various things that can support the requirements, the standard.

我們正在處理各種可以支持要求和標準的事情。
So we talked about this.

所以，我們談到了這個問題。
So proactive risk management.

是以，要積極主動地進行風險管理。
Okay.

好的
Just a very quick thing about risk.

關於風險，我只想簡單說幾句。
Okay.

好的
Then, so if you're ever thinking, why is risk so important?

那麼，如果你曾經想過，為什麼風險如此重要？
If you think about it, your organization's there to try and deliver value, value to shareholders, customers, financial value, just describe it as value.

如果你仔細想想，你的組織就是要努力為股東、客戶、財務價值提供價值。
You need to understand what your objectives of the business are to deliver that value, to meet the requirements of interested parties.

你需要了解你的業務目標是什麼，以實現這一價值，滿足相關方的要求。
You know, yeah, very ISO term.

你知道，是的，非常 ISO 術語。
No apologies for that.

我對此深表歉意。
You then look at what your risks are against delivering those objectives.

然後，你再看看實現這些目標的風險有多大。
Now, from an organizational point of view, that's very useful because what you're sitting there doing is if you then have to address your risks, you've almost written a business case because you're associating or making sure that your risks relate to objectives, which relate to what the business is trying to achieve.

現在，從組織的角度來看，這是非常有用的，因為你坐在那裡所做的事情是，如果你必須解決你的風險，你幾乎已經寫了一個商業案例，因為你正在關聯或確保你的風險與目標相關，這與企業試圖實現的目標相關。
And the business will always understand that as long as risks are related to that.

只要風險與此相關，企業就會始終明白這一點。
So you then, you know, proactive risk management leads, then you can do strategic planning.

這樣，你就可以主動進行風險管理，然後進行戰略規劃。
So what do we need to do with rest of these risks?

那麼，我們需要如何應對這些風險呢？
That develops stakeholder, interested party confidence, and it all reads through, but you're supporting your business, your confidentiality, integrity, and availability, all these fun things.

這可以培養利益相關者和相關方的信心，而這一切都會被讀取，但你支持的是你的業務、你的保密性、完整性和可用性，以及所有這些有趣的東西。
And it helps build up your reputation of what you're doing in the business, because no matter what's happening, this regulation will not get less in this field.

這也有助於建立你在行業中的聲譽，因為無論發生什麼，這一領域的監管都不會減少。
Okay.

好的
If you're not having to do DORA, you're going to have to do NIST too.

如果你不用做 DORA，你也得做 NIST。
Okay.

好的
So you're going to find that other parts of your business might need to be doing stuff in NIST too.

所以你會發現，你業務的其他部分可能也需要在 NIST 中做一些事情。
Okay.

好的
But if you're doing DORA to the level that DORA requires, you know, you're going to be meeting the requirements of NIST.

但是，如果你按照 DORA 的要求進行 DORA，你就會達到 NIST 的要求。
So it is, you know, these things are all interrelated.

所以，你知道，這些事情都是相互關聯的。
So think about, you know, you've got to think about these things.

所以，你要想想，你知道，你必須考慮這些事情。
And this is, this is standard stuff like asset management.

這就是資產管理等標準內容。
So what are you trying to protect?

那麼，你想保護什麼？
What are your risks?

您的風險是什麼？
Okay.

好的
What are the risks to do that will be specific to your business?

您的企業將面臨哪些特定風險？
Your risks will be very much based on who you're supplying to, you know, all those sorts of things.

你的風險很大程度上取決於你的供貨對象，你知道，所有這些事情。
You know, cyber essential controls frameworks, like cyber essential is a UK one, but we've got things being developed in that on the European basis as well.

你知道，網絡基本控制框架，如網絡基本控制框架是英國的一個框架，但我們也在歐洲的基礎上制定了相關內容。
You know, staff awareness, vendor management, instant management, reporting and business continuity.

你知道，員工意識、供應商管理、即時管理、報告和業務連續性。
So just think of, remember that.

所以，請記住這一點。
So years ago, we used to talk about disaster recovery.

多年前，我們經常談論災難恢復。
Then we started talking about business continuity.

然後，我們開始討論業務連續性。
Then we started talking about instant management.

然後，我們開始討論即時管理。
You view them as a journey.

你將它們視為一段旅程。
So you go instant management, business continuity, disaster recovery.

是以，你需要進行即時管理、業務連續性和災難恢復。
You're good at instant management.

你擅長即時管理。
You're less likely to do business continuity.

你更不可能做到業務連續性。
If you're good business continuity, you're less likely to go to disaster recovery, you know, but you can't see they're not in isolation.

如果你的業務連續性很好，你就不太可能去做災難恢復，你知道的，但你不能看到它們不是孤立的。
Okay.

好的
At door, as I said, just requires more of those three.

在門口，正如我所說，只是需要更多的這三個人。
Okay.

好的
Reporting, you know, testing, you know, can you show that your resilience is in place?

報告，你知道，測試，你知道，你能證明你的復原力到位了嗎？
Can you demonstrate that?

你能證明這一點嗎？
You require them to do things like print led pen testing.

您要求他們進行打印引導筆測試等工作。
Put my teeth back in for that one.

把我的牙齒塞回去
So just a little bit more about how door is structured.

所以，我只想再介紹一下門的結構。
And this is, as I keep telling people, door is a beast.

正如我一直告訴人們的那樣，"門 "是一頭野獸。
It's big.

它很大。
And the way that they can bring on, like, so you've got the door regulation, and then below it, you've got regulatory technical standards.

他們可以採用的方式是，先制定門規，然後在門規下面制定技術標準。
And they're currently developing some of them.

目前，他們正在開發其中的一部分。
They haven't been approved or signed off yet.

它們還沒有得到準許或簽字。
But there's more information there.

但那裡有更多的資訊。
Some of it is actually very useful because it tells you exactly what they need to do.

其中有些內容實際上非常有用，因為它能準確地告訴你他們需要做什麼。
But door itself is, we could talk about it being five pillars.

但門本身就是，我們可以說它是五大支柱。
Okay, you can actually talk about it being one pillar.

好吧，其實你可以把它說成是一個支柱。
It's all about risk.

這就是風險。
So it's risk management.

這就是風險管理。
And this is what the financial entities have to deal with instant management, digital operational resilience testing, third party risk management.

這就是金融實體必須處理的即時管理、數字營運復原力測試、第三方風險管理等問題。
So they are going to have to actively really dig down, understanding the risks are of using you using you as a third party service provider.

是以，他們必須積極地深入研究，瞭解使用第三方服務提供商的風險。
And then there's information intelligence sharing.

還有資訊情報共享。
Okay.

好的
And this is regulatory.

這就是監管。
So how do you do your approaches?

那麼，您是如何採取方法的呢？
How do you manage this?

您是如何做到這一點的？
How do you make sense of this?

你如何理解這一點？
And one of the ways you can do it is use something like 27,001.

其中一種方法就是使用 27 001 這樣的數字。
You know, 27,001 is the requirements for information security management.

要知道，27001 是信息安全管理的要求。
You've got 27,005 on risk, and 22,301 on business continuity.

風險方面有 27 005 項，業務連續性方面有 22 301 項。
If you implement them, making sure that you've got your interested parties done well, you're acknowledging your risks, your contractual legal and regulatory requirements.

如果你實施了它們，確保你的相關方都做得很好，你就承認了你的風險、你的合同法律和監管要求。
You maybe even mentioned DORA in your scope.

你甚至可能在你的範圍內提到了 DORA。
And when you're doing your risks, you're really focusing on the risks in relation what DORA looking at, you can use the ISO standards to implement your DORA.

當你在處理風險時，你真正關注的是與 DORA 有關的風險，你可以使用 ISO 標準來實施你的 DORA。
Okay.

好的
And it gives you the structure, the information security management system in 27,001 gives you the structure to be able to implement DORA within your organization and meet the requirements that that financial entity is going to ask you about at some point, if they haven't done already.

27001 號文件中的信息安全管理系統為您提供了在組織內部實施 DORA 的結構，並滿足金融實體在某些時候會向您提出的要求（如果他們還沒有這樣做的話）。
So again, this slide sort of shows a little bit more about sort of things that you need to do in the five pillars, where you can get additional guidance and support, and to show you where you need to go on things.

是以，這張幻燈片再次展示了你需要在五大支柱中做的事情，你可以在哪裡獲得額外的指導和支持，並向你展示你需要去做的事情。
So again, maybe have a little bit of a look at that afterwards.

所以，還是那句話，也許事後可以看一看。
And again, with the next slide, you know, again, it's just this is just some information about the sort of thing you need to do.

同樣，在下一張幻燈片中，你知道，這只是一些關於你需要做的事情的資訊。
So it's about comprehensive risk assessment.

是以，這需要進行全面的風險評估。
Remember, that's comprehensive.

記住，這是全面的。
It's not just going through the motions on it, really, really thinking about it.

這不僅僅是走過場，而是真正地、認真地思考。
Your robust instant response, that resilience.

你強大的即時反應能力，這種應變能力。
Part of that is your testing.

其中一部分就是你的測試。
Okay.

好的
Understanding your third party risks.

瞭解第三方風險。
Okay.

好的
So whether the financial entity is going to be understanding what risks you are to them, you need to understand what your third party risks are as well.

是以，無論金融實體是否要了解你對他們有什麼風險，你都需要了解你的第三方有什麼風險。
Because we, you know, everybody uses something from everybody else, etc, and all that sort of stuff.

因為我們，你知道，每個人都在使用別人的東西，諸如此類。
And knowledge sharing.

知識共享
And that's one of those key areas.

這就是其中一個關鍵領域。
Okay.

好的
So it's really those first four we talked about there, which are going to really impact on you.

是以，真正對你產生影響的是我們談到的前四點。
So depending on how you've got to do it, you've got nine months.

是以，根據你的方式，你有九個月的時間。
So hopefully your financial entities have been talking to you about this already.

所以，希望你們的財務實體已經和你們談過這個問題了。
And I'd say if they haven't, maybe want to go and ask them the question.

我想說的是，如果他們還沒有，也許可以去問問他們。
Because else they're going to come to you in the middle of December panicking and saying, you've got to do all this stuff.

否則，他們就會在 12 月中旬慌慌張張地來找你，說你必須做這些事情。
And, you know, typically, you just about get ready for Christmas, and you have to go and sit there and get ready for a regulation, which comes into, you know, on the 17th, although it has been around for two years.

而且，你知道，通常情況下，你剛剛為聖誕節做好準備，你就不得不去坐在那裡，為 17 日生效的條例做好準備，儘管它已經存在了兩年。
So you need to understand about your key milestones.

是以，您需要了解您的關鍵里程碑。
And I think the thing is that you've got to sit there and you go, who owns risk in your organization?

我認為問題在於，你必須坐在那裡，想一想，在你的組織中，誰擁有風險？
Have you got a comprehensive and effective risk strategy?

您是否制定了全面有效的風險戰略？
What's your DORA operational resilience strategy?

您的 DORA 運行恢復戰略是什麼？
Are you doing training?

你在接受培訓嗎？
Do you understand your single points of failure?

您瞭解您的單點故障嗎？
You know, have you done things like a business impact analysis, you know, part of business continuity?

你是否進行過業務影響分析等工作，你知道，這是業務連續性的一部分？
And that's really good at showing what's your critical systems, etc.

它能很好地顯示關鍵系統等。
Hopefully financial enterprises and entities are doing this.

希望金融企業和實體正在這樣做。
That's why they've worked out for what you do for them is critical or important, and needs to be supported from a DORA point of view, all these things.

這就是為什麼他們認為你為他們做的事情至關重要，需要從 DORA 的角度給予支持，等等。
But the key thing is, it's time to act now.

但最關鍵的是，現在是採取行動的時候了。
Because January isn't that very long away.

因為距離一月已經不遠了。
And actually, if you look out the window today in, I'm in Northern Ireland, it feels like January.

實際上，如果你今天從窗戶往外看，我在北愛爾蘭，感覺就像一月份。
So it's not long away, it is not long at all.

是以，它並不遙遠，一點也不漫長。
But you need to speak to your financial entities to understand what they're expecting from you.

但您需要與您的財務實體溝通，瞭解他們對您的期望。
And they should be talking to you, you know, it's a key thing.

他們應該和你談談，你知道，這是關鍵。
Because there's lots of things to do.

因為有很多事情可以做。
So how IT governance can help you on the DORA journey?

那麼，IT 治理如何在 DORA 之旅中助您一臂之力呢？
Okay, so we've got several things that we can do is, I think one of the things that we've got to understand now we've gotten to this point there's so many things you need to comply with GDPR, DORA, NIS2, all these other sort of regulations, PCI, PSD, all these sort of things.

好了，我們可以做的幾件事是，我認為我們必須明白的一件事是，現在我們已經到了這個地步，你需要遵守 GDPR、DORA、NIS2、所有這些其他類型的法規、PCI、PSD，所有這些類似的東西。
And it's a bit like, well, how do I do this, etc.

這就有點像，好吧，我該怎麼做等等。
And all that sort of thing.

諸如此類。
So having a tool, we're going beyond spreadsheets, okay, particularly for risk, having a spreadsheet work to a certain point of view, I used them for years, got very comfortable with them.

是以，有了這樣一個工具，我們就超越了電子表格，好吧，尤其是在風險方面，電子表格在某種程度上是有效的，我用了很多年，用起來非常得心應手。
But you're sitting there going beyond the spreadsheet.

但你坐在那裡，卻超越了電子表格。
So you need to have a tool.

是以，你需要一個工具。
So again, look at the details on this afterwards.

所以，還是要看一下之後的細節。
But you know, it is something like our cyber comply, gives you the ability to manage all those things, you can do instant management, you could go and have audit, the auditing tool, you know, show that you are auditing things, you will be able to show how you are dealing with what controls you are using to address the risks that you've identified.

但你知道，它就像我們的網絡合規，讓你有能力管理所有這些事情，你可以進行即時管理，你可以去進行審計，審計工具，你知道，顯示你正在審計的事情，你將能夠顯示你是如何處理你正在使用的控制措施來解決你已經確定的風險。
And all these things are about and you can do your GDPR, your data flow mapping, huge amounts of stuff within the cyber comply environment.

所有這些事情都與 GDPR、數據流映射以及網絡合規環境中的大量內容有關。
And this very detailed, very trendy little slide here gives you the view of sort of things that you need to do, where various standards and requirements sit in, and how the cyber comply application can help you with that.

這張非常詳細、非常時髦的小幻燈片為您介紹了您需要做的事情、各種標準和要求的位置，以及網絡合規應用程序如何幫助您完成這些工作。
And the next slide is just an example.

下一張幻燈片只是一個例子。
So this is just some of the stuff on there.

這只是其中的一些內容。
So what you also get within it is that you get, you know, information security standards, you know, sources of information, how you can build up your controls for dealing with your risk.

是以，你還能從中獲得信息安全標準、資訊來源、如何建立應對風險的控制措施。
There's an instant management module in there, there's DPIA toolkit, there's a GDPR manager, there is supplier risk in there as well.

其中有即時管理模塊、DPIA 工具包、GDPR 管理器，還有供應商風險。
Just bear with me a second.

請稍等一下。
Pardon me.

請原諒
And then there's toolkits.

還有工具包。
And very soon there will be within there a DORA toolkit.

很快就會有一個 DORA 工具包。
So you'll have the documentation.

這樣你就會有文件。
Now the DORA toolkit is basically additional documentation and guidance and note to support what you'd be using for doing a 27001.

現在，DORA 工具包基本上是額外的文檔、指南和說明，以支持您在執行 27001 時使用的內容。
Because remember, 27001 is a very flexible thing.

因為請記住，27001 是一個非常靈活的東西。
And it's based on your context, your interested parties, legal regulatory requirements, and risk, you can make 27001 address whatever you want.

根據具體情況、相關方、法律法規要求和風險，你可以讓 27001 解決任何你想解決的問題。
It is a proactive, that's the wrong word, it is a very flexible way of dealing with it.

這是一種積極主動的方式，這個詞用得不對，這是一種非常靈活的處理方式。
And it gives you that structure for an information security management system.

它為你提供了信息安全管理系統的結構。
And because you can go and get external accredited certification by an external body, it gives you some way of showing somebody independent verification that you're doing this.

因為你可以通過外部機構獲得外部認可的認證，這樣你就有辦法向別人展示你正在進行的獨立驗證。
Okay.

好的
And particularly if in scope statement, you mentioned DORA or operational resilience, it's a key thing.

尤其是在範圍聲明中，你提到了 DORA 或營運恢復能力，這是一個關鍵問題。
Because as well as if you're supplying people in the financial sector in the European Union, you might be doing that in the wider world.

因為除了為歐盟金融業的人員提供服務外，你還可能在更廣闊的世界裡從事這項工作。
And so you go to Singapore, you go to the UK, they're all requiring some sort of stuff about operational resilience.

是以，你去新加坡，你去英國，他們都需要一些關於營運復原力的東西。
So it's very, very good.

所以它非常非常好。
And we can also develop, we do consultancy, gap analysis, all those sort of things.

我們還可以提供諮詢、差距分析等服務。
We can do the threat led pen testing for you.

我們可以為您進行威脅引導筆測試。
So all these different bits of it.

所有這些不同的部分。
And that's a little bit about who we are, what we what our background is, etc.

我們是誰，我們的背景是什麼，等等。
So we can do all the bits that you need to get you through your DORA journey.

是以，我們可以提供您所需的一切服務，幫助您完成您的 DORA 之旅。
Because it's going to require quite a bit of effort.

因為這需要付出相當大的努力。
So if you go and look at the links on this information, or go onto a website, you can see that on training, we do a foundation, which is a day course where you sit there and go, this is what DORA is.

所以，如果你去看看這些資訊上的鏈接，或者進入一個網站，你就會發現，在培訓方面，我們有一個基礎課程，這是一個為期一天的課程，你坐在那裡，然後去了解，這就是 DORA。
I talk about this for a day.

我一說就是一天。
Okay, so this is a bit condensed.

好吧，這有點濃縮了。
And there's a lot more to talk about.

還有很多事情要談。
Practitioner, four day course.

從業人員，為期四天的課程。
Okay, how do you implement it?

好吧，如何實施？
Gap analysis, come in and do a gap analysis.

差距分析，進來做差距分析。
Well, how long that takes is depending on how big you are, how complicated you are, lots of things.

至於需要多長時間，這取決於你的規模有多大，你的情況有多複雜，等等。
We do self-awareness e-learning courses.

我們開設了自我意識電子學習課程。
Now remember, you need to do e-learning.

現在請記住，您需要進行電子學習。
Okay, very, very, very important.

好吧，非常非常非常重要
Okay, it is a requirement for people who are aware, okay, of what they need to do.

好吧，這是對意識到自己需要做什麼的人的要求。
You can then sit there and go, you could go and also do lead auditor training course.

然後，你就可以坐在那裡，去參加首席審核員培訓課程。
So if you want somebody to learn how they can go and audit against the regulation, again, so that you can see where your gaps are, where your non-conformancies are, but also that you've got a record, can you show that we are auditing against this?

所以，如果你想讓別人學習如何對照法規進行審核，同樣，這樣你就能看到你的差距在哪裡，你的不符合項在哪裡，同時你也有了記錄，你能證明我們正在對照這個進行審核嗎？
Again, if you ever have to show that to the competent authority, very, very important.

同樣，如果你需要向主管當局出示這些資料，這也是非常非常重要的。
And then there's another course there, which is on the compliance officer.

還有一門課程是關於合規官的。
Okay, how do you compliance people make sure you're doing DORA?

好吧，你們是如何確保遵紀守法者遵守 DORA 規定的？
You know, so there's lots of things on that.

你知道，這上面有很多東西。
So take a bit of time to look through the slides when you get them.

是以，拿到幻燈片後，請花點時間仔細閱讀。
That's the contact things.

這就是聯絡方式。
So we'll work anywhere.

所以我們可以在任何地方工作。
We don't care what time zone you're in.

我們不管你在哪個時區。
And we work with all over the world.

我們的合作伙伴遍佈世界各地。
We do customers all over the place.

我們的客戶遍佈各地。
And we can do lots of things.

我們可以做很多事情。
So first of all, questions.

首先是問題。
So has anybody got any questions?

大家有什麼問題嗎？
So I've got one here.

所以我這裡有一個。
So how would I define my third party risks?

那麼，如何界定第三方風險呢？
And how would I set those requirements?

我又該如何設定這些要求呢？
And again, the easiest thing, I mean, with risk, if anyone wants to do a five day course on that, I teach C-risk, which is the ISACA qualification on enterprise risk management.

再說一遍，最簡單的事情，我的意思是，關於風險，如果有人想參加為期五天的課程，我可以教授 C-風險，這是 ISACA 關於企業風險管理的資格認證。
But you can go and do things.

但你可以去做事。
So the key thing with your risk is you need to understand what you're trying to achieve.

是以，風險的關鍵在於你需要了解你想要實現的目標。
And you're looking at the risks in relation to that.

你們正在研究與此相關的風險。
And you need to basically be documenting them.

你基本上需要把它們記錄下來。
You need to work out what your current risk state is, what your residual risk will be, what controls you need to implement, who owns the risk, how you're progressing on the risk, reviewing the risk.

你需要弄清當前的風險狀況是什麼、剩餘風險是什麼、需要實施哪些控制措施、風險由誰負責、風險進展情況如何、風險審查情況如何。
And you need to be able to show that you're doing this.

你必須能夠證明你正在這樣做。
You're also going to need a policy, a strategy, and all those sort of things.

你還需要一項政策、一項戰略，以及所有類似的東西。
That's where something like a tool like CyberComply can make things a lot easier for you.

這時候，CyberComply 這樣的工具就能幫你輕鬆很多。
Over time, the management, and you can relate risks to documentations, lots and lots of different things, and to tasks.

隨著時間的推移，管理層可以將風險與文件、很多很多不同的東西以及任務聯繫起來。
So you can task people to deal with things and implement controls and all that sort of stuff.

這樣，你就可以派專人處理事情，實施控制等。
And it gives you that ability to manage risk going forward.

這讓你有能力管理未來的風險。
So I think that may have answered that question.

所以，我想這可能已經回答了這個問題。
Have we got any more questions?

還有問題嗎？
Because I can't have answered everything because it's too big a subject.

因為我不可能回答所有問題，因為這個問題太大了。
Let's just see.

讓我們拭目以待。
Let me make sure I'm looking at the right place.

讓我確定我找對了地方。
Okay, I have another question.

好吧，我還有一個問題。
Right, let me see if I can.

好吧，讓我看看能不能。
How far away from DORA can I answer?

我可以在離 DORA 多遠的地方回答問題？
Right, okay, that's a very good question.

好吧，這是個非常好的問題。
How far away from DORA compliance are organizations that are on a very high level for both an ISMS and a BSMS?

同時擁有 ISMS 和 BSMS 的組織距離 DORA 合規還有多遠？
Okay, the question is there is, if you've designed your ISMS and BSMS business continuity management system, so two things.

好了，問題來了，如果你已經設計了 ISMS 和 BSMS 業務連續性管理系統，那麼有兩件事。
If you've designed it with DORA in mind, you're probably very close.

如果您在設計時考慮到了 DORA，那麼您可能已經非常接近了。
But if you've got an ISMS which is in place, but you haven't considered DORA, you're not going to be close because there are other things to do it.

但是，如果你已經建立了 ISMS 系統，卻沒有考慮 DORA，那麼你就無法接近 DORA，因為還有其他方法可以做到這一點。
So if when you've sat there, you've gone right, the context of the organization, we are a supplier to the financial entities.

所以，如果你坐在那裡，你已經走對了，組織的背景，我們是金融實體的供應商。
We are suppliers to a highly regulated market.

我們是高度規範市場的供應商。
We have acknowledged that we have an interested party, which is potentially a competent authority, although the financial entity is who we deal with.

我們承認我們有一個利益相關方，它可能是一個主管當局，儘管金融實體才是我們的交易對象。
So you know that you've got to be able to do things that a competent authority is wanting you to do.

所以你要知道，你必須有能力去做主管當局希望你做的事情。
If you've sat there and you've mentioned and you acknowledged and you've got in your contractual legal regulatory requirements, both DORA and anything specific the financial entity is asking, you've then got a scope on your certification, which is, doesn't maybe explicitly say DORA, but you mentioned that our scope is to cover the requirements of DORA there.

如果你已經坐在那裡，你已經提到，你已經承認，你已經在你的合同法律監管要求，無論是 DORA 還是金融實體的任何具體要求，你已經得到了你的認證範圍，這是，也許沒有明確說 DORA，但你提到，我們的範圍是涵蓋 DORA 的要求。
You can word this in many ways, and you have done your risks based on what is going to be the requirements of DORA and taking those into consideration, you'll be a long way there.

你可以用多種方式來表達這個意思，你已經根據 DORA 的要求做了風險評估，並考慮到了這些因素，你就會有長足的進步。
So if you're in an ISMS at the moment, and you've got a mature system in there, and you haven't quite done all this bit, you go through your continuing improvement process.

是以，如果你目前正在實施 ISMS 系統，並且已經有了一個成熟的系統，但還沒有完成所有這些工作，那麼你就需要通過持續改進流程。
So at least you've got the frameworks to do stuff, and you basically, you're going to be sharpening your pencil on things.

所以，至少你已經有了做事情的框架，基本上，你會在一些事情上磨刀霍霍。
Being more to the point, making sure that you're specifically doing these requirements, looking at the regulatory technical standards and going, is there anything in here I need to enhance what my pen testing or my vulnerability management or my access control?

更重要的是，要確保你正在具體執行這些要求，查看監管技術標準，然後想一想，這裡有什麼是我需要加強筆測試、漏洞管理或訪問控制的嗎？
But if you've got a well implemented, well-defined ISMS and business BSMS or combined system, you're in a good place to make sure that you deal with the requirements of DORA.

但是，如果你有一個實施良好、定義明確的 ISMS 和業務 BSMS 或組合系統，你就能很好地確保滿足 DORA 的要求。
You've got your structure in there.

你的結構就在裡面。
Okay.

好的
So I think I've answered that question.

我想我已經回答了這個問題。
Any other questions?

還有其他問題嗎？
I will give you a couple of more moments if people want to ask me anything else.

如果大家還想問我什麼，我再給你們一些時間。
Who's going to win on Saturday, Man United or Man City?

曼聯和曼城誰會在週六獲勝？
Manchester City, probably.

可能是曼城
But that's not the sort of questions you want to ask me.

但這不是你想問我的問題。
So any more questions on DORA or anything like how you'd use a 27,001?

還有什麼關於 DORA 的問題，或者類似如何使用 27 001 的問題嗎？
One thing, actually go back on just one point there on the ISMS is that one thing you have to do in DORA, which is a little bit more of a slight change.

有一件事，其實只需回到關於 ISMS 的一點上，那就是你必須在 DORA 中做的一件事，這是一個稍微有點變化的地方。
So if you're doing your risks quite well, so if you've got 27,001, we talk about confidentiality, integrity and availability.

是以，如果你的風險控制得很好，那麼如果你有 27 001 項風險，我們就會討論保密性、完整性和可用性。
DORA talks about authenticity as well.

DORA 還談到了真實性。
So you'd have to look at your messages, your risks with how that would affect it.

是以，你必須考慮你的資訊和風險會對它產生什麼影響。
So you need to look at authenticity.

是以，你需要關注真實性。
Now, they specifically take authenticity.

現在，他們特別注重真實性。
You could argue that authenticity is a subset of integrity, you know.

你可以說，真實性是正直的一個子集。
So just remember that if you're going to have to add that into your risks.

所以，如果你不得不把這一點加入到你的風險中，請記住這一點。
Okay.

好的
Right.

對
So let's see.

讓我們來看看
Okay.

好吧
So let me have a look.

讓我來看看。
I've got some more Okay.

我還有一些
Penalty for non-compliance.

違規處罰。
Okay, good one.

好，說得好
Likelihood of enforcement and how seriously will it be taken?

執法的可能性和嚴肅程度？
Very seriously.

我是認真的。
Because it hasn't happened yet, it's a bit difficult, but I think the GDPR, but when they talk about, so you look at NIS, it talks a percentage.

因為它還沒有發生，所以有點困難，但我認為 GDPR，但當他們談到，所以你看看 NIS，它談到了一個百分比。
You talks about in the enforcement as being significant and dissuasive.

您在執法中提到，這具有重要的勸阻作用。
So how big is a fine got to be to make a major bank decide that they don't want to get fined?

那麼，到底要多大的罰款才能讓一家大銀行決定不想被罰款呢？
Okay.

好吧
You know, it's so I think we're going to be the financial entities who are going to be fined in this, but then again, you've got contractual implications if you are a supplier into that.

你知道，我認為我們將是被罰款的金融實體，但同樣，如果你是供應商，你也會受到合同的影響。
So I think it's work on the principle is going to be like GDPR and some of the things on GDPR, you know, BA or International Aviation Group, was it 180 million they got fined or tried to find?

是以，我認為它的工作原則就像 GDPR 和 GDPR 上的一些事情，你知道，BA 或國際航空集團，他們被罰款或試圖找到的是 1.8 億美元嗎？
Okay.

好的
Let's see.

讓我們看看
Now I did see some, just bear with me a second.

我確實看到了一些，請稍等一下。
I thought I saw some more questions.

我想我又看到了一些問題。
But, ah, yes.

但是，啊，是的。
Okay.

好的
Who will enforce?

誰來執行？
Right.

對
So enforce.

那就執行吧。
So it's down to competent authorities.

是以，這取決於主管當局。
And there's a requirement on auditing in there of your risk management system being audited annually.

其中還要求每年對風險管理系統進行審計。
Okay.

好的
So this would be driven by the financial entities.

是以，這將由金融實體來推動。
They had to return submissions about how many people have, what their supply chain is.

他們必須提交材料，說明有多少人，他們的供應鏈是什麼。
So they supply.

是以，他們提供。
So if you supply in that, all information will be going to the competent authorities on that.

是以，如果您在其中提供了資訊，所有資訊都將提交給主管當局。
So the enforcement will be due by the competent authority within the region, within the jurisdiction.

是以，執行工作應由本地區、本轄區內的主管當局負責。
Okay.

好的
Let me just see.

讓我看看
So penalty is the likelihood for that.

是以，處罰是可能的。
So let me just see.

讓我看看
Okay.

好的
Right.

對
So where do you start for New Dora?

那麼，新朵拉該從哪裡開始呢？
Right.

對
New Dora.

新朵拉
So I guess our foundation course is a real good place.

所以，我想我們的基礎課程是一個真正的好地方。
Well, you've started in the right place.

你找對地方了。
You're at least asking the question.

你至少提出了問題。
You've turned up on this.

你在這裡出現了
So doing that.

那就這樣做吧。
There is our foundation course is a very good place to start.

我們的基礎課程就是一個很好的開始。
It's a one day course.

這是一個為期一天的課程。
You get a certificate.

您將獲得證書。
You've got an exam at the end of it.

最後還要考試。
So that's a pretty good one to do.

所以，這是一個很好的選擇。
And it is.

確實如此。
Yeah.

是啊
So that's where I do.

這就是我的工作。
Then maybe look at the book.

那就看看書吧。
Look at the competent authority will start producing information depending where you are.

看一下主管機構將根據您所在的位置開始製作資訊。
But if you're looking at the competent authority in Dublin, the Bank of Ireland, they haven't produced anything on Dora for months.

但如果你看都柏林的主管當局，愛爾蘭銀行，他們已經幾個月沒有任何關於朵拉的消息了。
They've just got one page on it.

他們只有一頁。
Okay.

好的
We provide IT services, financial entities in multiple EU countries.

我們為多個歐盟國家的金融實體提供 IT 服務。
How is a competent authority chosen?

如何選擇主管機構？
Okay, then.

那好吧
Right.

對
The competent authority is in that jurisdiction.

主管當局在該轄區。
So it's where somebody is registered.

是以，這是某人註冊的地方。
So you find, you know, a lot of organizations are registered in Cyprus, Luxembourg.

所以你會發現，你知道，很多組織都是在塞普勒斯、盧森堡註冊的。
So a lot of UK companies will be if they've got a European part of them, will either be registered in Luxembourg or in the Cyprus, for example.

是以，很多英國公司都會在盧森堡或塞普勒斯等歐洲國家註冊。
If you are a financial, if your IT company is supplying into it, they're all going to have different competent authorities, but the requirements are going to be exactly the same.

如果你是一家金融公司，如果你的 IT 公司正在為其提供服務，它們都會有不同的主管部門，但要求是完全一樣的。
That's why they made it a regulation.

這就是為什麼他們將其作為一項規定。
So it's reasonable.

所以這是合理的。
Okay.

好的
An ITC provider should accept that the financial entity will ask to yeah.

國貿中心提供商應接受金融實體的要求。
Penetration.

滲透。
If you are a third party supplier to a financial entity and you are providing services, which they support, they're critical, important services as they define them, they will be wanting to do pen testing on those.

如果你是金融實體的第三方供應商，你提供的服務是他們支持的，是他們定義的關鍵、重要服務，他們就會希望對這些服務進行筆測試。
Yeah.

是啊
And they should contractually be out that they're allowed to do it under DORA.

他們應該在合同上註明，根據 DORA，他們可以這樣做。
Yeah, that one, let me just see.

對，那個，讓我看看。
How do I, how would I define my third party risks and how would, yeah, I've already done that one.

我應該如何定義第三方風險？
Sorry.

對不起。
I've answered that questions.

我已經回答了這個問題。
Yeah.

是啊
Is competent authority in a jurisdiction any different from that for ISO 27001?

司法管轄區的主管當局與 ISO 27001 的主管當局是否有任何不同？
Yeah, we don't talk about competent authorities in ISO 27001.

是的，我們在 ISO 27001 中沒有提到主管當局。
So competent authority, so the best way to think about, you'll probably come across it more, is whoever enforces GDPR in the country.

是以，主管當局，也就是你可能會經常遇到的最好的思考方式，就是在國內執行 GDPR 的人。
They're a competent authority for GDPR.

他們是 GDPR 的主管機構。
If you do things with NIS, you'll know there's competent authorities for whatever sectors you're working with.

如果您與 NIS 合作，您就會知道，無論您與哪個部門合作，都會有主管當局。
So what you would say in your 27001 is the competent authorities would be an interested party potentially.

是以，在 27001 中，主管當局可能是相關方。
You'd say your financial entity, but you're definitely thinking about competent authority would be an interested party in that.

你會說是你的財務實體，但你肯定會想到主管當局會是其中的利益相關方。
Okay.

好的
I think I have answered all the questions there now.

我想我已經回答了所有的問題。
If anybody has any more questions, please add.

如果還有問題，請補充。
Okay.

好的
Right.

對
Okay.

好的
I will give you, we're coming up to the end of it.

我告訴你，我們馬上就要結束了。
Well, thank you very much for your time.

非常感謝你抽出時間。
Hope you all found that useful and good luck on your DORA journey.

希望這些對你們有用，祝你們在 DORA 之旅好運。