22 May FFIEC Issues Statement on Risk Management for Cloud Computing Services
April 30, 2020 – FFIEC issued a joint statement on firms' use of cloud computing services and the security risk management principles needed to prevent possible security breaches.
Financial institutions use private, public or hybrid cloud computing environments. Responsibility for managing controls is divided between firms and providers differently in each service model. In Software as a Service (SaaS), firms do not manage or control the cloud infrastructure. In Platform as a Service (PaaS), firms administer the applications residing on the cloud platform, including managing controls over operations, operating systems, data and its storage. In Infrastructure as a Service (IaaS) models, firms have similar responsibilities as in PaaS.
Use of Cloud Computing
Regardless of the service model used, firms are responsible for the safe and sound use of cloud services and for the protection of sensitive customer data, and should conduct ongoing oversight. This includes evaluating independent assurance reviews (audits of controls, penetration tests, vulnerability tests) and tracking corrective actions to confirm that adverse findings are addressed. The statement highlights that management should not assume that effective security and resilience controls exist simply because systems are operating in a cloud computing environment. Contracts should define the expectations and responsibilities of both firms and cloud service providers. The statement also lists examples of risk management practices to protect customer data.
For more information, visit www.ffiec.gov