FFIEC's Outsourced Cloud Computing Standards

Banker Resource
January 16, 2014 — 1,259 views  
Become a Bronze Member for monthly eNewsletter, articles, and white papers.

Of late, terms like ‘cloud-based’ and ‘cloud-computing’ are being used for describing a huge range of technological products. Last year, Federal Financial Institutions Examination Council published certain regulatory standards that had been specifically prepared to address outsourced cloud computing. These new standards define cloud computing as migration towards shared resources from owned resources in which clients make use of information technology services via internet ‘cloud’ through third-party service providers.  The guidance also takes cloud computing to come out as a form of outsourcing which is subject to risk management requirements.

The following are the main risk management cloud computing controls mentioned in the FFIEC guidance:

  • Due Diligence

Institutions are required to conduct due diligence when it comes to cloud computing providers for assessing the control that the provider has over protecting integrity and confidentiality of the information saved. Apart from that they are also supposed to conduct due diligence to know whether the information will also be stored on servers that will be used by the clients of the provider.

  • Vendor Management

Institutions may need extra control for managing cloud computing providers who have a lot less experience in dealing with clients of financial institutions.

  • Audit

The audit coverage of the institution should contain outsourced cloud computing.

  • Information Security

Institutions will be required to incorporate services related to cloud computing in their existing data security policies, practices as well as standards. They will also be required to make sure that the information is protected and access to this data is restricted properly. In addition to that, institutions will also have to effectively monitor all the data security threats that can arise in relation to the systems of the institution as well as the provider. They will be required to come up with incident response methodologies too.

  • Legal, Regulatory and Reputational Considerations

All the institutions will be required to assess the limits to which these cloud computing services lead to an increase in the difficulty of complying with legal as well as regulatory requirements that are applicable on the institution. Apart from that, the contract with cloud computing provider should also specify the obligation of the provider with regard to responsibilities of the institution.

  • Business Continuity

All the institutions will have to determine whether their provider as well as the network carrier of the provider has adequate resources and plans to ensure the continuity of operations of the institution. It should also look into the ability of the institution to resume its operations and recover in case of any unexpected disturbance.

Possible Risks of Outsourced Cloud Computing

Outsourced cloud computing gives institutions the freedom to change their IT capacity rapidly and to adapt to the changes of the market. But these also bring in a few risks with them. Possible risks of outsourced cloud computing include loss or leakage of important or confidential data, system reliability, as well as disaster recovery. Serious issues which affect businesses on a constant basis need to be fixed in the first place before the implementation of cloud computing to keep the related risks from coming up.

Banker Resource