The US Federal Financial Institutions Examination Council (FFIEC) has moved to help financial institutions understand and address the risks of cloud computing by publishing a resource document on the subject. In the four-page document, Outsourced Cloud Computing, the Council stresses that an institution must perform due diligence when assessing a cloud computing service provider rather than simply weighing the benefits the provider advertises. The document focuses on business continuity planning, regulatory and legal compliance, audits, information security, vendor management, and due diligence.
According to William Henley of the Federal Deposit Insurance Corporation, financial institutions must follow the basic risk management strategies and guidelines found in the FFIEC Information Technology Examination Handbook. Particular attention must also be given to its Outsourcing Technology Services Booklet. Henley said that some vendors may be unaware of the regulatory requirements that apply to financial institutions, and that this is why the Council decided to issue the resource document.
In the document, the Council focuses on how a financial institution should approach outsourcing to a cloud computing provider. It stresses the need for due diligence because the financial institution remains responsible for the compliance and security of its records even after they are moved to a third party. Financial institutions must therefore make sure that their cloud computing providers meet the institution's requirements for risk management, compliance, quality of service, and cost. The document also highlights data classification, data segregation, and data recoverability, and reminds institutions that they must ensure their cloud computing providers comply with the applicable regulatory requirements. Service-level agreements and contracts must specify dispute resolution, the format and location of data, and data ownership.
Audit is also an integral part of the resource document. The internal controls maintained by the cloud provider must be adequate so that risks can be evaluated and mitigated effectively, and external auditors can be engaged to help evaluate those controls. The document also notes that a financial institution may need to adjust its audit policies and procedures to cover cloud computing. Audit staff may need training, or the institution may need to hire personnel with expertise in virtualized technologies and shared environments.
Financial institutions may also need to revise their information security policies, standards, and practices to cover cloud computing activities. Data handling procedures must be verified, and backup data must be available and adequate. It is also important to know whether facilities are shared among several providers. In certain situations, a financial institution must continuously monitor the outsourced cloud computing activities so that it can be sufficiently assured that its chosen cloud computing service provider maintains effective internal controls.
Financial institutions must also ensure that reputational, regulatory, and legal risks have been clearly identified and mitigated before moving to public clouds, and they must take into account the compliance standards and legal mandates of any foreign jurisdictions involved. Lastly, financial institutions must verify that the cloud computing service provider, and the network carriers it relies on, have sufficient resources and plans in place to ensure business continuity.