The OGO Blog

FFIEC Credit Union Cloud Services – Part 2

FFIEC Audit

In an earlier post, we reviewed a portion of the examiner's guidelines for Credit Union cloud services. Today we continue that discussion with a breakdown of more of Appendix A of the FFIEC IT Handbook – Outsourcing Technology Services. Remember, our goal is simply to provide an overview along with some insight from our OGO engineering and professional staff. Our experience with hundreds of Credit Unions and NCUA examinations may help you better prepare for your next audit.

According to the FFIEC, if the institution engages in cloud computing, the examiner should determine that inherent risks have been comprehensively evaluated, control mechanisms have been clearly identified, and that residual risks are at acceptable levels. Specifically, the Credit Union will be asked for evidence that:

  • Action plans are developed and implemented in instances where residual risk requires further mitigation.
  • Management updates the risk assessment as necessary.
  • The types of data in the cloud have been identified (social security numbers, account numbers, IP addresses, etc.) and appropriate data classifications have been established based on the financial institution's policies.
  • The controls are commensurate with the sensitivity and criticality of the data.
  • The effectiveness of the controls is tested and verified.
  • Adequate controls exist over the hypervisor if a virtual machine environment supports the cloud services.
  • All network traffic is encrypted in the cloud provider's internal network and in transit from the cloud to the institution's network.
  • All data stored on the service provider's systems is encrypted with unique keys that only authenticated users from this institution can access.
  • Unless the institution is using a private cloud model, determine what controls the institution or service provider established to mitigate the risks of multitenancy.
  • If a financial institution is using the Software as a Service (SaaS) model, determine whether regular backup copies of the data are being made in a format that can be read by the financial institution. (Backup copies made by the service provider may not be readable.)
  • Ensure that the financial institution’s business continuity plan addresses contingencies for the cloud computing service. Determine whether the financial institution has an exit strategy and de-conversion plan or strategy for the cloud services.
  • Determine whether the cloud service provider has an internal IT audit staff with adequate knowledge and experience or an adequate contractual arrangement with a qualified third-party audit firm.

As I shared in last week's post, it is helpful at times to understand that the examiner's role is to help identify gaps in your mitigation strategies. I feel the examiner questions were developed to engage the Credit Union in a conversation at a very high level to determine whether the service(s), whether internal or external, are configured and managed in such a way as to create operational efficiencies as well as operational stability and integrity. Another area of emphasis is making sure the Credit Union has not "given away" responsibility! Let's see what our experts have to say this week:

OGO INTEL WEIGHS IN:

  • Action plans are developed and implemented in instances where residual risk requires further mitigation.

As Credit Union leaders, you already understand risk mitigation. Where many fail to excel is that once strategies have been developed for risk mitigation, no one writes the action plans! Do yourself a favor: grab your leadership and functional managers and get this down now! It won't take more than a few hours, and it will not only ensure you meet the FFIEC requirements but also help you identify gaps in your plans.

  • Management updates the risk assessment as necessary.

This one's a no-brainer: update the risk assessment annually. Nothing changed? Make a note of the review date and mark it completed! You'd be surprised at how many documents in your business continuity plan may not change each year, but that doesn't mean you don't have to review them and provide evidence of your oversight.

  • The types of data in the cloud have been identified (social security numbers, account numbers, IP addresses, etc.) and appropriate data classifications have been established based on the financial institution's policies.

Each Credit Union is required to have a program in place that identifies where its member information resides. When you work with your cloud provider, it is extremely important to discuss the data types being transferred. Your cloud provider will assist you with establishing the proper security parameters. Ask key questions about traffic flow: does member data ever leave the provider's infrastructure, and if so, where does it go?

  • The controls are commensurate with the sensitivity and criticality of the data.
  • The effectiveness of the controls is tested and verified.
  • Adequate controls exist over the hypervisor if a virtual machine environment supports the cloud services.

Controls, controls, controls. Where would we be without controls? Notice that it is not enough for you to simply have the controls; they must be tested! Scenarios can be built to stage outages in which you can test your Credit Union's resiliency and its controls over the cloud infrastructure, and the results of those tests are the evidence the examiner will ask for.

  • All network traffic is encrypted in the cloud provider's internal network and in transit from the cloud to the institution's network.
  • All data stored on the service provider's systems is encrypted with unique keys that only authenticated users from this institution can access.

Encryption is a given in cloud technologies, so I will not insult you by belaboring it. The questions worth asking your provider are about the details the examiner's wording implies: is traffic encrypted inside the provider's own network, not just on the link to yours; are your data encrypted with keys unique to your Credit Union rather than a key shared across customers; and who, other than your authenticated users, can reach those keys?

  • Unless the institution is using a private cloud model, determine what controls the institution or service provider established to mitigate the risks of multitenancy.

Multi-tenancy doesn't have to be a show stopper when it comes to implementing cloud services. Work with your provider to understand the boundaries that separate the tenants and the controls in place to ensure there is no overlap or data leakage between them. A good cloud provider will work with you until you are 100% confident in the solution.
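The two encryption points above (unique keys per institution) and the multi-tenancy point are really the same control seen from two sides: if each tenant's data is sealed under a key only that tenant's authenticated users can reach, a neighbouring tenant on shared infrastructure cannot read it even if an isolation boundary fails. The following is an added illustration written for this post, not code from the FFIEC handbook, from OGO, or from any provider. It assumes a hypothetical provider-held master key from which a distinct AES-256 data key is derived per tenant with HMAC-SHA256, and it binds the tenant identifier into the AES-GCM associated data so a ciphertext cannot be replayed under another tenant's label. The tenant names and the member record are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveTenantKey derives a distinct 256-bit data key for one tenant from a
// provider-held master key (hypothetical model). Different tenant IDs yield
// unrelated keys, so no two institutions ever share a data key.
func deriveTenantKey(masterKey []byte, tenantID string) []byte {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte("tenant-data-key:" + tenantID))
	return mac.Sum(nil) // 32 bytes: AES-256 key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptForTenant seals plaintext with the tenant's key under AES-256-GCM.
// The tenant ID is passed as associated data, so the ciphertext is tied to
// that tenant and fails authentication if presented under another label.
// Output layout: nonce || ciphertext || tag.
func encryptForTenant(key []byte, tenantID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(tenantID)), nil
}

// decryptForTenant opens a ciphertext produced by encryptForTenant. Any
// mismatch in key or tenant label causes GCM authentication to fail.
func decryptForTenant(key []byte, tenantID string, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, []byte(tenantID))
}

// CrossTenantIsolated is the check a practitioner would want: data sealed for
// tenantA must round-trip for tenantA, must not open with tenantB's key, and
// must not open even with tenantA's key if relabelled as tenantB's data.
func CrossTenantIsolated(masterKey []byte, tenantA, tenantB string, record []byte) (bool, error) {
	keyA := deriveTenantKey(masterKey, tenantA)
	keyB := deriveTenantKey(masterKey, tenantB)

	ct, err := encryptForTenant(keyA, tenantA, record)
	if err != nil {
		return false, err
	}
	pt, err := decryptForTenant(keyA, tenantA, ct)
	if err != nil || string(pt) != string(record) {
		return false, errors.New("owning tenant cannot read its own record")
	}
	if _, err := decryptForTenant(keyB, tenantB, ct); err == nil {
		return false, nil // neighbour's key opened our data: isolation broken
	}
	if _, err := decryptForTenant(keyA, tenantB, ct); err == nil {
		return false, nil // right key, wrong tenant label: binding broken
	}
	return true, nil
}

func main() {
	masterKey := make([]byte, 32)
	if _, err := rand.Read(masterKey); err != nil {
		panic(err)
	}
	// Constructed sample member record; not real data.
	record := []byte("member=000123;acct=98765;class=confidential")
	ok, err := CrossTenantIsolated(masterKey, "cu-alpha", "cu-beta", record)
	fmt.Println("cross-tenant isolation holds:", ok, "error:", err)
}
```

The point to take to your provider conversation is the last two checks: a shared key that merely uses a different storage bucket per customer would pass the first round-trip but fail the second, and a per-tenant key without the tenant label in the associated data would pass the second but fail the third. Ask which of these properties the provider's key management actually gives you, and who holds the master key.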

  • If a financial institution is using the Software as a Service (SaaS) model, determine whether regular backup copies of the data are being made in a format that can be read by the financial institution. (Backup copies made by the service provider may not be readable.)

Pretty straightforward if you ask me: you have to be able to USE the data being backed up. But I guess somewhere along the line this issue has occurred, thus it warranted discussion in the handbook. It's pretty intuitive. Just make it happen, and prove it by periodically restoring a backup copy onto your own systems and reading it back.

  • Ensure that the financial institution’s business continuity plan addresses contingencies for the cloud computing service. Determine whether the financial institution has an exit strategy and de-conversion plan or strategy for the cloud services.

Your cloud provider should have a business continuity plan that meets your RTO/RPO and nothing less. It will not be sufficient during a crisis to blame the service provider. Ultimately the recovery of member services is the responsibility of the Credit Union leadership team, which is why the examiner also asks for an exit strategy and de-conversion plan: you need to know how you would get your data and services back if the provider relationship ended.

  • Determine whether the cloud service provider has an internal IT audit staff with adequate knowledge and experience or an adequate contractual arrangement with a qualified third-party audit firm.

Your current internal auditing team probably takes care of oversight of your IT department. When that function is "clouded", the IA team should be able to coordinate with the provider and obtain evidence of the cloud provider's IT audits. Nothing magical here: the cloud provider should be very open and willing to provide you with this information.

We’ve barely scratched the surface of guidelines provided by the FFIEC IT Handbook. Have you considered the impact of multi-tenancy? Have you identified the data types that are in your cloud? Look for how to approach these questions and more in our next post where we dive deeper into how the FFIEC and NCUA look at Credit Union cloud risk mitigation strategies.
