Subtitle list

Auto-generated by AI
  • Good afternoon everybody.

  • I hope you can all hear me, see me and see my presentation.

  • So this afternoon we're going to go through and talk about DORA compliance for ICT providers: what you need to do, what you need to know, some of the key things you need to think about and understand, what DORA is, how it's affecting things, all these wonderfully interesting topics.

  • So we will start off in a couple of minutes.

  • I'm going to ask you to be a bit interactive and respond to a few questions because it's going to be useful for me to understand who I've got on the call etc.

  • So first of all, who am I?

  • Very good question.

  • So my name is Andrew Paterson.

  • I'm the head of GRC consultancy for IT Governance Europe and I've been working in GRC for, probably it's near the 30 years, 20 years anyway, probably quite a lot closer to 30 years than 20 years.

  • I'm a certified ISACA trainer.

  • I have a master's in information systems management, which was quite a long time ago, but we weren't just looking at advocacies, we were looking at proper IT even then.

  • I'm the SME within the group in things like NIS, NIS2, which as we may know is a directive, things like cybersecurity framework, 27001, CIS 18, ECC, which is a Saudi Arabian standard, and DORA.

  • I've worked in lots and lots of sectors over the years.

  • That's just a few examples of some of the areas where I've been helping people affected by DORA for around the last 12 months, helping them to get ready for the deadline, which we'll talk about, when that is, a bit later.

  • I'm also the author of DORA: A Guide to the EU Digital Operational Resilience Act, and that book is very much a practical guide about what you need to do about it.

  • It's not particularly legalistic, it's about how you develop and implement an ISMS that will meet the requirements of DORA.

  • So just a couple of little slides here about who we are, IT Governance.

  • You've obviously heard of us before because you're sitting on this webinar, but we've been in the industry for over 20 years, 12,000 clients, we work globally.

  • The big area people are more familiar with us in is 27001 and GDPR and everything, but when you start looking at DORA, 27001 is an incredibly useful vehicle for helping you to deal with what is required out of DORA.

  • It talks about the same sort of things, there's a different emphasis in some areas, but we'll go through that.

  • So that's who we are, we've worked with all of these different people, we've got 1300 projects in ISO, we've got our Cyber Essentials and we've got our governance and risk tool called CyberComply, which has got almost two and a half thousand customers using it globally.

  • You can see all the information on there. Just a little thing on the slides: you will be given access to a slide pack because some of the slides have got quite a lot of detail on them and are probably more useful if you come back and read them later, because I will not be reading every single line on every slide, I'll be talking around them.

  • So that's that sort of thing.

  • If you're familiar with Net Promoter Scores, that's ours, things like that over the last whatever you've had to do.

  • So this is where we're going to ask you to do a little bit of interaction and voting, and it'll give me a little bit of an idea about who's on the call, and maybe I will make sure I mention a few things which are specific to those requirements.

  • So the first question we'd like you to respond to is this one: what is your role in the DORA compliance decision making process?

  • So you've got the choice of this: I am a key decision maker; I influence decisions but I'm not the final decision maker; I am gathering information for my team.

  • So you should get the option there to respond to that question.

  • So I'll give you a little bit of time to do that.

  • It's like waiting for the results of Eurovision.

  • So a few more moments.

  • Okay then, so we've got a few decision makers on there and then it's split between people influencing the decision maker and "I'm gathering for the team".

  • So it's pretty much most of you are finding out more information etc. and all that sort of stuff.

  • That's brilliant, thank you very much.

  • Okay, the next question: what is your timeline for implementing DORA?

  • We might have a different response at the end of the webinar on this one.

  • Within the next three months, in four to six months, beyond six months or no timeline set?

  • So if you can respond to the questions there.

  • Okay, we'll wait for a couple more responses on that.

  • Okay then, so most of you are talking about probably something beyond six months.

  • Okay, if you speak quicker than that.

  • Okay, thank you for that.

  • Next question: what type of support does your organization need most for DORA compliance?

  • So compliance software solutions, consultancy and advisory services, training and education, and so on and so forth.

  • Okay, so what type of support do you need most for DORA?

  • So if you could give us your response on that.

  • A few more seconds.

  • Okay, so on this we've got pretty much a split, we could be almost across the three areas on that.

  • So thank you very much for that.

  • And now the last question: has your organization allocated a budget for DORA compliance solutions?

  • Yes, we have a dedicated budget.

  • Budget is under consideration.

  • No budget allocated yet.

  • Just a few more moments and then we'll close that poll.

  • Okay then, so mainly no budget allocated yet and a few people have got a budget under consideration, but actually you need to be able to show that you have budgets for cyber security etc.

  • So we'll talk about that.

  • So a couple of things: you will see that you've got the ability to ask questions.

  • If you put questions in there, we'll have some time at the end of the webinar for me to respond to those questions.

  • So if anything comes to mind as we're going through, please put them up.

  • Also, just to remind you, you do actually get a CPD point for this, so you will get a certificate for that.

  • It's always useful for your professional development: do a few webinars and you can make inroads into the amount you need to get through the year.

  • So we're going to go through several of the topics and again some of the slides are quite detailed and you'll have access to them.

  • You may be going to read those later.

  • So it's all about trying to explain to you what DORA is and how we're particularly looking at it, what it means for third party suppliers.

  • So we'll go through all these different things and we will talk to some of them in more detail than others.

  • So what's DORA got to do with ICT third party suppliers?

  • Now DORA is the Digital Operational Resilience Act.

  • It's a regulation.

  • So to understand that, that means that it doesn't need to go through parliaments, it's not a directive.

  • So it doesn't have to go through 27 parliaments and be approved.

  • And it's very specific in what it says needs to be covered by the regulation.

  • And they talk about financial entities and they describe what a financial entity is.

  • It's anything which is regulated, okay.

  • Few exceptions etc. and all that, but basically anything.

  • And then on the last line, it goes ICT third party suppliers.

  • So if you supply into a financial entity which is in the European Union, you're going to be covered by DORA, okay.

  • Even if you're not in the European Union, okay.

  • So if you're an ICT third party supplier and you're supplying into a financial entity in the European Union, you're covered by it.

  • If you're a large organization which is supplying services to a part of your organization which is in the European Union, okay, you have to comply with the requirements of DORA.

  • So if you're sitting there thinking, all right, so who's that?

  • Does that affect me?

  • This is not a definitive list, but this is because it doesn't actually say in there what an ICT third party supplier is, but it builds up and gives you some sort of ideas on this.

  • So it's people who are impacted, people who are delivering services.

  • And it is specifically, where I'll talk about on the next slide in more detail, those supporting critical important functions, right, or services that the financial entity provides.

  • So there's a quick list there of some of the things.

  • So if you actually look at it, it's very broad on what they mean by an ICT third party supplier.

  • So, you know, GRC risk management providers, collaborative tool providers, desktop service providers, IT service providers, SOC service providers.

  • So if you're working with a financial entity and you're providing any ICT services, you're probably going to be covered by the requirements of DORA.

  • And what do I mean by covered by the requirements of DORA?

  • The next slide gives you a bit of a feel for how the structure works and why it's important to think about where you are.

  • So this is a nice little, nice and colourful pyramid.

  • And it just gives you a feel.

  • So at the top we've got the EU Parliament, we've got the European Central Bank, we've got the supervisory authorities, the member states; they need to be enforcing this and making sure this happens.

  • And then they have things in their countries called national competent authorities.

  • These are the guys who are going to make sure that financial entities are doing what they need to do with DORA.

  • And then you have the financial entity.

  • And the financial entity needs to make sure that you're doing what they need to ensure that they are going to comply with DORA.

  • Okay.

  • So much so that DORA specifies certain things that need to be in the contractual requirements while dealing with third parties.

  • And when you get into that particular, some of... And if you think about it, if you've got third parties working for you who are providing your services to you, which is central to the services that you're providing to a financial entity, you're going to have to manage your third party supply chain as well.

  • And this is one of the very key things.

  • It's about improving resilience and operational resilience, not just within the financial entity but within that supply chain, because there is an understanding of weakness.

  • And that more comes on to what we talk about in the next section.

  • So why does DORA exist and what is it?

  • Okay.

  • So this slide is the sort of slide, but when you've got it back you can zoom it up, but it gives you the, you know, it's about a risk, systemic risk across financial services in the European Union.

  • We all know that with, I mean, I'm old enough to remember when, you know, you had to be physically in front of a machine with a cable coming out the back of it, in the same building, to get access to things.

  • And we don't work in that world anymore.

  • We've got 24/7 access.

  • Everything is interrelated.

  • So there's so much interconnectivity within all sectors and within financial services that if you get a problem somewhere, it's multiple countries.

  • So it's about building up and understanding this, where the resilience is, because, you know, it's so important that these functions from financial services operate.

  • That's basically how economies don't work.

  • Okay.

  • And if you're an ICT third-party supplier in that chain, it's very important for you to meet those requirements.

  • So what were the key things and what were they talking about when they were developing this?

  • DORA sets out a harmonized approach to digital operational resilience across the EU's financial sector.

  • So everybody has to do it.

  • Okay.

  • Level playing field.

  • It's not like somebody in one legislation doesn't have to do the same.

  • It's why it's a regulation and not a directive, because it doesn't need to go through national law or national parliaments.

  • This is what people need to do.

  • And it's been around since '22.

  • Okay.

  • It's not just like it appeared recently.

  • Okay.

  • It's been around since December 2022.

  • And it harmonizes, removes, you know, certain directives, etc.

  • As it's a regulation, it supersedes the requirements of the NIS directive and NIS 2.

  • And it sets out certain things expected by financial entities.

  • And this will be new for many service providers.

  • Okay.

  • So you may be doing some of these things, but this is not a tick box.

  • Okay.

  • This is about operational resilience.

  • So this is about financial entities being able to provide their services when bad things are happening to them.

  • Okay.

  • I describe it in one simple way, and we'll go into more detail on this: if you think about incident management, business continuity and disaster recovery, which you all probably do, but the volume's turned up on it, it's taking it to the next level.

  • Okay.

  • And it's definitely not tick box.

  • You have to do things.

  • And they're very specific in what they require.

  • So the regulation covers certain things.

  • So ICT risk management, everything