Cloud Computing: Keeping Your Data Safe

Emily Antonico, Manager, and Patrick Morin, Principal, Risk & Business Advisory Practice
June 2015

On July 10, 2012 the Federal Financial Institutions Examination Council (FFIEC) Information Technology Subcommittee issued a public statement likening cloud computing to a form of outsourcing which has similar risk characteristics and must be properly managed. Fast forward three years to today, and this is still an area that many companies do not adequately understand or on which they do not apply the correct amount of emphasis.

The Importance of Security

When utilizing a cloud-based application, companies are putting customer data, as well as their own data, in the hands of a service provider. This involves a certain transfer of control and responsibility relating to the security of the data. Companies need to ensure that they have established adequate controls both internally and externally to maintain data integrity.

What Companies Can Do

Conduct a Risk Assessment

One of the first steps that a company should complete when contemplating the migration to a cloud-based application is a risk assessment. The risk assessment should be used to identify any potential risks that would be associated with utilizing a cloud application. Through the risk assessment process, the company should be able to identify the nature of the data that will be stored in the cloud application and if there should be any special considerations based on the sensitivity of the data that will be present. All data should have an associated classification that details the access restrictions and handling requirements for the data. Such access restrictions and handling requirements may include a determination of where the data can be accessed from (such as via mobile devices, remote locations, and employee homes) and subsequent restrictions based on the sensitivity of the data. Companies should ensure that their chosen application has the ability to address the risks identified by the company and provides the necessary controls and restriction options to keep company and customer data secure.

Apply Thorough Due Diligence and Vendor Management

Initial vendor due diligence as well as continual vendor management is integral in any outsourcing agreement. Third-party assurance reports, such as the SSAE 16 Service Organization Controls (SOC) report, should be obtained from vendors prior to beginning any relationship and during the course of the engagement as well, to ensure that data will be properly handled and kept secure. Companies should seek to review the substance of the reports and any findings and user entity considerations noted within the reports.

Keep Access Provisioning Centralized

All access additions, modifications, and deletions should be done by the same centralized function that performs user provisioning and administration for internal systems. This will help to ensure that all granting, modifying, and removal of access is performed consistently with employee roles and job functions appropriately in a manner that strengthens the related segregation of responsibilities. Additionally, on a periodic basis (at minimum annually) access rights should be reviewed to ensure that access is still appropriate based on job functions and that all users are still active employees.

Establish an Acceptable Use Policy

Like all access to Information Technology resources, employee use should be governed by a company developed acceptable use policy. When acceptable use of applications by employees is not defined, the risk exists that data could be incorrectly input, used inappropriately, or compromised. The policy should clearly define what is acceptable for typical actions related to company and customer/prospect data, including collection, access, use, transmission and disposal.

The use of cloud computing and the addressing of information security requires the alignment of both internal resources and external, outsourced resources. Companies need to ensure that the agreements they are entering into are appropriate and that they have adequate internal controls to guide employees in how to keep data secure.

If you have questions or would like to discuss this further, please contact Patrick Morin or your BNN professional at 1.800.244.7444.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.