FFIEC and Agencies (OCC, Fed, CFPB, FDIC, NCUA, State liaison) issued joint statement on cybersecurity in cloud computing environment

April 30, 2020

Risks
While risks associated with cloud computing environments are typically similar to traditional outsourcing arrangements, there are often unique security considerations.

Security Risk Management
The statement highlights risk management practices and controls for safe and sound use of cloud computing services, and controls for the use of cloud service providers (CSPs).

Management should not assume that effective security and resilience controls exist simply because the technology systems are operating in a cloud computing environment.

Key practices include appropriate due diligence and ongoing oversight and monitoring of CSPs; implement appropriate control processes to mitigate identified risks. Clearly defined contractual
responsibilities, capabilities, and restrictions of each party. Security controls for sensitive data; awareness/training programs, among others.

Additional Resources
The references section of statement provides links to numerous other resources.

For more information, visit www.occ.gov



We use cookies in order to give you the best possible experience on our website. By continuing to use this site, you agree to our use of cookies.
Accept