Security Risk Management When Using Cloud Computing (Part 1)
In the face of the recent impacts from a global pandemic, companies that had transitioned most or all of their production systems to cloud computing experienced some of the related benefits, allowing them to pivot more easily to alternate operating modes. Although cloud service providers provide a number of benefits, the outsourcing of essential business functions includes separate security risks that must be managed.
When working with cloud service providers, the management of the related risks cannot be fully outsourced. In April 2020, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement to highlight security risk management practices for cloud computing services and to emphasize that the related security risk management is a shared responsibility between the managements of financial institutions and their chosen cloud service providers.
The establishment of sound risk management practices over a cloud service provider begins with due diligence related to the provider’s security practices and operational integrity and consistency. Separately, financial institution management should review the contract for the related services to ensure it defines service levels and security practices that meet or exceed the standards of the financial institution. If necessary, the financial institution should negotiate changes to the contract. Further, as part of the review, management should ensure they evaluate the potential risks with using the cloud service and understand the respective responsibilities over security management. Before implementing the cloud provider’s service, management also should ensure that the financial institution has the necessary resources and established practices to carry out those responsibilities required by the financial institution.
Once engaged, management of the financial institution should regularly monitor and evaluate the cloud service provider and its performance as well as any of the financial institution’s complementary controls for the service. Proper risk management includes processes to identify, measure, monitor and control risks. As part of their joint statement, the FFIEC included examples of risk management practices in the following categories:
- Cloud Security Management
- Change Management
- Resilience and Recovery
- Audit and Controls Assessment
The FFIEC also included guidance in a separate section to provide information on effective IT risk management practices and references to other resources from a variety of industry organizations.
Financial institutions should review each of the example risk management practices to determine whether there are considerations or practices they might leverage to help ensure they have implemented sound risk management over their cloud computing services.
Check out part two of this article here for a more in-depth analysis of the risk management categories above.
If you would like to discuss these matters further, contact your BNN advisor at 800.244.7444.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.