More Clouds on the Radar, Are You Ready?
As cloud computing continues to mature and gain popularity worldwide, the financial industry creeps ever closer to integrating it into its IT strategy. Most of this migration so far has involved peripheral services, such as backups, rather than core banking. Some suggest that this is about to change. Gartner has most recently proclaimed that “by 2016, poor return on equity will drive more than 60 percent of banks worldwide to process the majority of their transactions in the cloud.” While I think there is some truth to this logic, I believe that this might be a little further into the future given the current regulatory and security environment. The concern over security and privacy was echoed in a recent KPMG cloud computing survey across all industries. That being said, cloud adoption continues to grow, with small to mid-size organizations leading the way. Based on what we have seen during our 2014 fieldwork, it might be a good opportunity for some review.
First and foremost, using cloud-based vendors depends on solid vendor management. In addition to the usual vendor efforts (RFP, annual review, etc.), you will want to ask a few more questions, both before signing and at each review:
- Where is your data being stored, who owns it, and how easy is it to remove?
- Does the vendor work with other financial institutions?
- Have they been through a third party security audit?
- How do they monitor the environment for unauthorized access to systems and data?
- Have they assessed the risks posed by their own staff (insider access to your systems and data)?
- Do they have a regularly tested disaster recovery plan?
- Have they established appropriate service level agreements?
- How do they isolate your data and workloads from other customers sharing the same service (multi-tenancy)?
- Do they have a process for breach notification?
- Do they carry breach insurance coverage?
- Where does the liability stand if a cloud system is breached?
While this list is certainly not exhaustive, it will give you a good start. There are many other resources available online. Here are a few that might be helpful:
- FFIEC statement on outsourced cloud computing (June 28, 2012): http://ithandbook.ffiec.gov/media/153119/06-28-12_-_external_cloud_computing_-_public_statement.pdf
- National Institute of Standards and Technology (NIST) SP 800-146, Cloud Computing Synopsis and Recommendations: http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf
- Cloud Security Alliance (CSA) Cloud Controls Matrix v3.0.1: https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/
- COSO – Enterprise Risk Management for Cloud Computing: http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf
Cloud usage will continue to grow, especially into the mobile space. If you are a small to mid-sized organization, the opportunities to expand services and shore up the technology infrastructure are hard not to appreciate. A solid understanding of prospective cloud services, backed by solid due diligence, will ultimately lead to a positive outcome with management and the regulators.
For additional information contact Jeffrey Johns at JJohns@fosaudit.com