In a joint statement, members of the Federal Financial Institutions Examination Council ("FFIEC") encouraged financial institutions to practice effective risk management concerning cloud computing services. The FFIEC recommended several strategies and practices for financial institutions, including:

  • identifying security-related risks during the process of selecting a cloud service provider;
  • clearly defining in contracts with cloud service providers the management responsibilities of each party;
  • establishing effective inventory processes for using cloud computing environments in order to ensure "secure configuration management, vulnerability management, and monitoring of controls";
  • using security configuration tools, logging and monitoring to prevent the misuse of cloud resources, which may lead to vulnerabilities in a system;
  • implementing identity and access management controls, as well as network controls;
  • minimizing a hacker's ability to obtain data during a breach by creating safeguard controls (e.g., encryption and data tokenization); and
  • providing information security awareness and training programs.

The FFIEC also emphasized the importance of (i) change management controls, (ii) business resilience and recovery plans, (iii) regulatory audit and control assessments and (iv) monitoring cloud service provider activities.

Originally published May 01, 2020.
