22 May FFIEC and Agencies (OCC, Fed, CFPB, FDIC, NCUA, State liaison) issued joint statement on cybersecurity in cloud computing environment
April 30, 2020
While risks associated with cloud computing environments are typically similar to traditional outsourcing arrangements, there are often unique security considerations.
Security Risk Management
The statement highlights risk management practices and controls for safe and sound use of cloud computing services, and controls for the use of cloud service providers (CSPs).
Management should not assume that effective security and resilience controls exist simply because the technology systems are operating in a cloud computing environment.
Key practices include appropriate due diligence and ongoing oversight and monitoring of CSPs; implement appropriate control processes to mitigate identified risks. Clearly defined contractual
responsibilities, capabilities, and restrictions of each party. Security controls for sensitive data; awareness/training programs, among others.
The references section of statement provides links to numerous other resources.
For more information, visit www.occ.gov