FFIEC cloud computing statement analysis
Following our trend, we are going to comment FFIEC (Federal Financial Institutions Examination Council) cloud computing public statement published past July, 10 (pdf). First, we would like to highlight some ideas that we also support:
- FFIEC considers cloud computing as a type of outsourcing.
- The use of third's parties "does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws and regulations".
- "It is important to look beyond potential benefits and perform a thorough due diligence and risk assessment of elements specific to that service" (see previous post about Cloud ROI).
And, secondly, we have extracted FFIEC statements and analyzed how security rating addresses them. We have summarize the analysis in the following table with three columns:
- First one includes the chapter in which FFIEC document is divided.
- Second reflects the text of original document with the specific statement.
- Finally, the third one explains how the security rating guide addresses previous statement.
| FFIEC Statement | leet security rating | |
| Type | Accionable statements | |
| Due Diligence | Ensure the provider will meet the institution's requirements in terms of cost, quality of service, compliance with regulatory requirements, and risk management. | Rating system takes into account security measures implemented by the vendor, but also other aspects that could impact the confidence and resilience capabilities of the provider, such as, long-term strategy, financial strength, human resources policies, interoperability procedures... |
| Vendor Management | Disengagement of a service provider is another aspect of vendor management that can be complicated in CC. | Criteria in availability dimension: [TPP.3] Data & Service portability [TPP.4] Termination guarantees |
| Audit | Auditors assisst in this evaluation by assessing whether those controls are functioning appropiately. | Rating agency audits every service in a random basis, at least every three years. Auditors could rely on this previous audit work. |
| Institution's audit policies and practices may require adjunstments to provide acceptable IT audit coverage of outsourced CC. | Criteria common to all dimensions: [ISMP.6] Testing, security, processes, and performance | |
| Information Security | Financial institutions may need to revise their information security polices, standards, and practices to incorporate the activities related to a CC service provider. | This statements rely only on Financial Institution side. |
| In high-risk situations, continous monitoring may be necessary for financial institutions to have a sufficient level of assurance that the servicers is maintaining effective controls. | Criteria common to all dimensions: [MO.1] Audit logging [MO.2] Monitoring system use [IH.1] Reporting infosec events and weaknesses [IH.2] Management of infosec incidents and improvements | |
| Maintain a comprehensive data inventory and a suitable data classification process. | Criteria common to all dimensions: [SO.3] Information / knowledge management and handling procedures | |
| A multi-tenant cloud deployment, in which multiple clients share network resources, increases the need for data protection through encryption and additional assurance that proper controls are in place. | Criteria common to all dimensions: [TPP.1] Shared processing | |
| Verifying the data handling procedures, the adequacy and availability of backup data, and whether multiple service providers are sharing facilities are important considerations. | Criteria in availability dimension: [RE.4] Information back-up [RE.6] Information security aspects of BCM | |
| Effective monitoring of security-related threats, incidents, and events on both financial institutions’ and servicers’ networks; comprehensive incident response methodologies; and maintenance of appropriate forensic strategies. | Criteria common to all dimensions: [MO.1] Audit logging [MO.2] Monitoring system use [IH.1] Reporting infosec events and weaknesses [IH.2] Management of infosec incidents and improvements | |
| Ensure that the cloud-computing service provider can remove NPPI from all locations where it is stored. | Criteria common to all dimensions: [TPP.1] Shared processing | |
| Legal, Regulatory, and Reputational Considerations | CC increase the complexity of compliance with applicable laws and regulations because customer data may be stored or processed overseas | Criteria common to all dimensions: [CO.1] With legal requirements |
| Financial institution’s ability to control access to its data. | Group of criteria common to all dimensions: [AC] Access control | |
| Requirements to notify customers and regulators of any breaches | Paragraph 5.2.6 Updating information Vendors are required to send relevant information that could affect the rating level of a service. For example, vendors should send information related with: security incidentes, changes in service plans… | |
| Business Continuity Planning | Determine whether the servicer and the network carriers have adequate plans and resources to ensure the financial institution’s continuity of operations, as well as its ability to recover and resume operations if an unexpected disruption occurs. | Group of criteria in availability dimension: [RE] Resilience |