The OGO Blog

FFIEC IT Handbook – Credit Union Cloud Services – Part 1

While researching a question for a client regarding cloud computing and NCUA examination requirements, my attention was drawn to the FFIEC IT Handbook – Outsourcing Technology Services section, where they do an excellent job of outlining the expectations surrounding Credit Union cloud services (among other outsourced services). Realizing not everyone has a chance to sit down and read the “FFIEC IT Handbook” cover to cover 🙂, we’re going to break down this section for you.

According to the FFIEC, if the institution engages in cloud computing, the examiner should determine whether:

  • The cloud computing service is or will be hosted internally or outsourced to a third party provider (hosted externally).
  • Resources are shared within a single organization or across various clients of the service provider. (Resources can be shared at the network, host, or application level).
  • The institution has the ability to increase or decrease resources on demand without involving the service provider (on-demand self-service).
  • Massive scalability in terms of bandwidth or storage is available to the institution.
  • The institution can rapidly deploy or release resources.
  • The financial institution pays only for those resources which are actually used (pay-as-you-go pricing).

OGO INTEL WEIGHS IN:

It’s helpful at times to understand that the examiner’s role is to help identify gaps in your mitigation strategies. I feel these questions were developed to engage the Credit Union in a conversation at a very high level to determine if the service(s), whether internal or external, are configured and managed in such a way as to create operational efficiencies as well as operational stability/integrity. With that said, reading between the lines of this section becomes very important! Let’s take a closer look.

  • The cloud computing service is or will be hosted internally or outsourced to a third party provider (hosted externally).
    • This is about awareness of your own infrastructure and services. Without awareness of what you have, it’s impossible to protect it. An internally hosted cloud vs. an external cloud requires completely different strategies.
  • Resources are shared within a single organization or across various clients of the service provider. (Resources can be shared at the network, host, or application level).
    • This is about knowing where your data is (or goes). Can other organizations access or intercept your data (intentionally or unintentionally)? If infrastructure resources are shared, there is a possibility of cross-contamination.
  • The institution has the ability to increase or decrease resources on demand without involving the service provider (on-demand self-service).
    • Having the ability to allocate resources (up/down) can be a valuable tool for a Credit Union. Being able to add users, add new hosted VDIs, and increase bandwidth allocation are convenient capabilities for your Credit Union IT staff to have access to, reducing the dependency on the 3rd party provider.
  • Massive scalability in terms of bandwidth or storage is available to the institution.
    • Provisioning, whether it’s for bandwidth or for storage, is vitally important. Why the guidelines state the scalability should be “massive” escapes me, however. Bandwidth and storage are both infrastructure resources that can and should be deliberately calculated. A fluctuation here/there may occur but should be the exception, not the rule.
  • The institution can rapidly deploy or release resources.
    • Again, this is all about convenience and control to ensure operational integrity. A Credit Union should seek a partner that is pursuing a self-service model for cloud services deployment.
  • The financial institution pays only for those resources which are actually used (pay-as-you-go pricing).
    • Um, no explanation necessary here, I’m sure.

We’ve barely scratched the surface of guidelines provided by the FFIEC IT Handbook. Have you considered the impact of multi-tenancy? Have you identified the data types that are in your cloud? Look for how to approach these questions and more in our next post where we dive deeper into how the FFIEC and NCUA look at Credit Union cloud risk mitigation strategies.
