Pub. 4 2013 Issue 2

Summer 2013, p. 15

computing service provider who is familiar with banking regulatory requirements is a plus. The governance strategy must include an understanding of the compliance and risk measures as well as the overall performance goals. The bank should also ensure that the various risks are understood and addressed, including:

• Privacy
• Security
• Performance and availability
• Interoperability
• Information shared across international borders

Several other risks should also be considered. The FFIEC notes that banks must consider the fundamental risk-management principles set out in its IT Handbook. Governance works best when IT and the overall business initiatives are working together.

Security. The bank must consider the security of the cloud service provider; that is, the bank must look beyond its own infrastructure and security. Various areas of the cloud service provider should be considered, including:

• Security architecture
• Their understanding of industry governance
• Their understanding of regulatory guidelines
• Partitioning of data / information
• Patch management program
• Antivirus program
• Firewall protection
• Physical security
• Encryption and key management program
• Third-party security testing
• Independent review of policies and adherence to them

A good guideline to follow: if the cloud service provider has security issues, they become the bank's security issues.

Due Diligence. The bank should ensure it conducts the appropriate due diligence before moving a service to a cloud computing environment. As noted previously, not all processes are suited to the cloud. Other areas the bank should consider include:

• Sensitivity of the data
• Data segregation requirements
• Recoverability
• Uptime requirements
• Complexity of the process – a more complex process produces more issues
• Software dependencies – more dependencies make it more difficult to use cloud computing

Cloud Computing — continued on page 17
