FFIEC Joint Statement on Risk Management for Cloud Computing Services

  • Source: fdic.gov

Treliant Takeaway:

The Federal Financial Institutions Examination Council (FFIEC) continues to emphasize the use of cloud computing services and security risk management principles in the financial services sector. The FFIEC statement does not contain new regulatory expectations, however, it highlights the fact that management should not assume that effective security and resilience controls exist simply because the technology systems are operating in a cloud computing environment.

Treliant helps firms be compliant with FFIEC cybersecurity and risk management requirements and other regulatory cyber guidance and expectations for cloud computing. Our professionals include, but are not limited to, former Chief Information Security Officers (“CISOs”) and Internal Auditors.  We understand how to make cloud computing and cybersecurity programs work and to prepare for regulatory exams.

Article Highlights:

The FFIEC briefly described the 3 service models as defined by the National Institute of Standards and Technology (NIST):

  • Software as a Service (SaaS);
  • Platform as a Service (PaaS); and
  • Infrastructure as a Service (IaaS)

Examples of relevant risk management practices for assessing risks related to and implementing controls for cloud computing services were described and include:

Governance

  • Strategies for using cloud computing services as part of the financial institution’s IT strategic plan and architecture.

Cloud Security Management

  • Appropriate due diligence and ongoing oversight and monitoring of cloud service providers’ security.
  • Contractual responsibilities, capabilities, and restrictions for the financial institution and cloud service provider.
  • Inventory process for systems and information assets residing in the cloud computing environment.
  • Security configuration, provisioning, logging, and monitoring. Identity and access management and network controls.
  • Security controls for sensitive data.
  • Information security awareness and training programs.

Change Management

  • Change management and software development life cycle processes.
  • Microservice15 architecture

Resilience and Recovery

  • Business resilience and recovery capabilities.
  • Incident response capabilities.

Audit and Controls Assessment

  • Regular testing of financial institution controls for critical systems.
  • Oversight and monitoring of cloud service provider-managed controls.
  • Controls unique to cloud computing services.
    • Management of the virtual infrastructure.
    • Use of containers17 in cloud computing environments
    • Use of managed security services for cloud computing environments.
    • Consideration of interoperability and portability of data and services.
    • Data destruction or sanitization.

The regulators expect that in cloud computing environments, regulated entities (RE) may outsource the management of different controls over information assets and operations to cloud service provider(s). Careful review of the contract along with an understanding of the potential risks is important in management’s understanding of the RE’s responsibilities for implementing appropriate controls.

Management’s failure to understand the responsibilities for assessing and implementing appropriate controls over operations may result in increased risk of operational failures or security breaches.

Processes are to be in place to identify, measure, monitor, and control the risks associated with cloud computing. Failure to implement an effective risk management process for cloud computing may be an unsafe or unsound practice and result in potential consumer harm by placing customer-sensitive information at risk.

CISOs, Chief Information Officers (CIOs) and their teams must have implemented measures already in place to ensure the secure operations of their firms’ businesses as relates to cloud computing. They will need to demonstrate cybersecurity compliance and be ready for a thorough look at the underlying processes by the regulators.