Posted on 08/08/2012 at 08:01 AM by The Newsroom
The Federal Financial Institutions Examination Council's (FFIEC) Information Technology Subcommittee issued a recent paper addressing key risks of outsourced cloud computing. Cloud computing is a general term for anything that involves delivering hosted technology services over the Internet. Cloud computing has become more popular as businesses look to outside sources to provide infrastructure, computing platforms, and software as a service. Outsourcing to a cloud service provider can be advantageous to financial institutions because of potential benefits such as cost reduction, flexibility, scalability, improved load balancing, and speed. The FFIEC's recent paper identifies cloud computing as just another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing. As detailed in the FFIEC's Outsourcing Booklet, a due diligence review should be performed to ensure that the provider will meet the institution's requirements.

Following are the potential issues identified by the FFIEC related to cloud computing:

Data classification: How sensitive is the data that will be placed in the cloud, and what controls should be in place to ensure it is properly protected? Does the cloud service provider appropriately encrypt or otherwise protect non-public personal information (NPPI) and other data?

Data segregation: Will the financial institution's data share resources with data from other cloud clients? If so, what controls does the service provider have to ensure the integrity and confidentiality of the financial institution's data?

Recoverability: How will the service provider respond to disasters and ensure continued service? Do the financial institution's disaster recovery and business continuity plans include appropriate consideration of this form of outsourcing, the service provider's disaster recovery and business continuity plans, and the availability of essential communications links?

Regulatory requirements: Is the service provider able to implement changes to meet regulatory requirements?

Disengagement: In the event of a contract termination, can the institution disengage without loss of data or of its integrity, allowing a smooth transition to another provider?

Although many of the risks identified above are applicable to any outsourced provider, cloud computing may require more robust controls due to the nature of the service. Thorough due diligence and risk assessment specific to cloud computing services must be performed prior to entering into an agreement.