Tom Hinkel, Director of Compliance
Even if the term “cloud computing” is new to you, chances are you’re already familiar with the concept. If you are a financial institution using an outsourced core vendor, you’re in the cloud. If you use LinkedIn or Twitter, you’re in the cloud. Offer Internet Banking or outsource your website? You’re already there. Fact is, although “cloud computing” is a relatively new term, it’s a well-established concept. So what is the best way for you to first understand, and then manage, the risks inherent in this technology?
First, let’s define what is meant by “cloud” services. Typically they fall into one or more of three categories:
- Infrastructure – Typically hardware, examples include a hosted web site that you maintain, or on-line data vaulting.
- Platform – Typically a combination of hardware and software, most core vendors fall into this category.
- Software or Application – Hosted Exchange, for example.
It’s important to understand how your vendor delivers their products and services, because each category has its own concerns that must be addressed. And whether existing or emerging, the FFIEC makes it clear that although you can outsource the delivery of the services, you cannot outsource your responsibility for assuring that the vendor provides those services in a safe and sound manner.
“Many financial institutions outsource some aspect of their operations. Although outsourcing arrangements often provide a cost-effective means to support the institution’s technology needs, the ultimate responsibility and risk rests with the institution.”
You may be thinking that you’ll wait for the regulators to issue new guidance on this matter before you draft your cloud computing policy. But in a recent interview, Don Saxinger, the FDIC head of field examinations, made it clear that the agency believes current guidance is sufficient to provide the framework for an effective vendor management policy, regardless of whether the technology is established or emerging.
“…a question I get is “Can we do cloud computing?” And, so the first thing I look at is, well, what does the existing guidance say? …So, let’s go back to the guidance that the agencies, all the agencies wrote on outsourcing technology services, and particularly around the contract issues, there are certain requirements that banks, financial institutions, need to insure when they are outsourcing their banking function. In particular, they have to look at the confidentiality of customer information; they have to look at the business continuity or the availability of the service, if it is critical. They have to look at the integrity of the data as it is processed, regulatory access, they need to be able to get their data back, if there is a problem with the service provider or contract ownership of the data, and all of these things are covered in contract terms.”
And, regarding social media:
“The existing guidance seems to work pretty well, particularly on vendor management.”
There are three pieces of existing guidance that financial institutions would be wise to review prior to (or as soon as possible after) jumping into the cloud:
- The FDIC “Information Technology Officer’s Questionnaire”
- The FFIEC “Outsourcing Technology Services” Handbook
- The FFIEC “Management” Handbook
If the FDIC regulates your institution, you’re already familiar with the first piece of guidance. It’s found in the IT examination questionnaire that the FDIC has been using since 12/07, entitled “Part 5 – VENDOR MANAGEMENT AND SERVICE PROVIDER OVERSIGHT”. It has six Yes or No questions (summarized in the attached checklist), and you want to be able to answer “Y” to all of them.
Both the Outsourcing and (to a lesser extent) the Management Handbooks contain useful guidance for vendor management in the “Appendix A: Examination Procedures” sections. Although I’ve summarized these in the checklist as well, you should be familiar with all of the objectives in both the Tier I and Tier II examination procedures.
Using all three of these documents as the basis of your own risk control self-assessment program will assure that you have adequately addressed all vendor-related risks. Additionally, the guidance requires that…
“To oversee the risks associated with the use of external providers effectively, the institution should evaluate the adequacy of a provider’s internal and security controls. … Financial institutions should conduct a regular, comprehensive audit of their service provider relationships.”
Based on the nature of the relationship between you and the vendor (the criticality of the service provided and level of access to customer information), the oversight process may not include an actual audit, but should include strong contracts, review of vendor financials, third-party reviews, and participation in user groups. (Complicating this process somewhat is the phase-out of the SAS 70 reporting format, and the uncertainty of the relevance of the replacement report to non-financial related IT controls.)
In conclusion, to a considerable degree managing the risks in the “cloud” means managing the vendor. And regardless of whether the vendor delivers their services through the “cloud” or through more traditional methods, you must always be able to adequately address your concerns about the privacy, security, confidentiality, integrity and availability of your data, wherever it is stored, processed or transmitted.
Download the Cloud Vendor Checklist.
Notes:
- Although there are important differences between the way hosted and cloud-based models deliver services, for the purposes of this paper I will focus on the outsourced similarity.
- Information Security Booklet – July 2006, page 76
- The FDIC actually has 2 versions of the 12/07 IT Examination Questionnaire. The older version has Part 5 entitled “PART 5 – Gramm-Leach-Bliley Act/FDIC Rules and Regulations – 12 CFR Part 364 Appendix B”.
- Outsourcing Technology Services Booklet – June 2004, page 22
- The SSAE 16 is the replacement for the SAS 70, but the AICPA has made it clear that it should only be used to validate controls specific to financial reporting, NOT as an overall assessment of IT controls.