The Federal Financial Institutions Examination Council released a statement Tuesday highlighting key elements that financial institutions need to address before deciding whether to outsource cloud computing services.
In its summary statement, the FFIEC said financial institutions have to consider the “fundamentals of risk and risk management defined in the FFIEC Information Technology Examination Handbook (IT Handbook), especially the Outsourcing Technology Services Booklet (Outsourcing Booklet).”
The outsourcing booklet reviews specific issues of cloud computing such as data classification, data segregation and recoverability. The booklet also addresses vendor management, information security, legal, regulatory and reputational considerations, business continuity planning and auditing.
“The FFIEC statement is quite timely because there has been a lot of buzz about cloud computing and how cloud computing can help financial services,” said David Albertazzi, a senior IT analyst with the Aite Group in Boston.
“There are a lot of compelling benefits in cloud computing, but there are a lot of considerations as well. Up until now, there hasn’t been much from regulatory agencies which specifically addresses cloud computing, so the statement is very welcome,” Albertazzi said.
The statement revealed no surprises about FFIEC’s outsourcing guidelines, he said.
“The fundamentals of risk and risk management defined in the IT Handbook apply to cloud computing as they do to other forms of outsourcing. Cloud computing may require more robust controls due to the nature of the service,” the FFIEC position paper reads in part.
“When evaluating the feasibility of outsourcing to a cloud-computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessment of elements specific to that service. As with other service provider offers, cloud computing may not be appropriate for all financial institutions,” the paper said.