The finance sector is repeatedly said to be behind the curve in Cloud adoption, so it’s interesting to note an initiative in the US by the Federal Financial Institution Examination Council (FFIEC).
The Technology Subcommittee of the Council – which is responsible for prescribing uniform principles and standards for federal financial institution examinations – has previously voiced its concern about the risks relating to what it calls “outsourced Cloud Computing”.
Following on from such statements, the Council has now formally identified what it sees as the major risk management issues that need to be considered before any institution deploys a Cloud-based solution:
- Due Diligence. The council recommends that financial institutions should ensure that Cloud vendors have adequate controls in place to protect sensitive data, and permit data recovery in case of an unauthorized breach or service interruption and that Cloud-based vendors demonstrate that they understand the specific regulatory requirements that financial institutions face.
- Vendor Management. Financial institutions should have a formal vendor review process to evaluate whether a given Cloud vendor can meet regulatory requirements, and should account for vendor disengagement in all contracts.
- Audits. Financial institutions should develop vendor audit plans. Moreover they need to make sure that the auditors they use are familiar with and accustomed to working with Cloud Computing environments in order to properly evaluate a vendor and mitigate risk.
- Information Security. Institutions need to review their security plans and procedures to account for Cloud-based application architectures in access management policies, data backup procedures, and policies regarding the use of shared data facilities.
- Regulatory Compliance. Regulatory compliance models need to be in place to account for jurisdictional differences, such as differing data protection requirements in overseas jurisdictions.
- Business Continuity. Institutions must take responsibility for ensuring that their chosen Cloud vendors have put in place appropriate business continuity and recovery plans to meet the financial institution’s needs.
None of that is rocket science of course – in fact, it's pretty much a checklist of the flamin' obvious – but if such formal rankings of obligation go some way to getting us past the 'finance sector is way behind' repetitions, then so much the better.