FFIEC's New Cloud Info 'Disappointing'

Data Security Expert Says Cloud Services Pose Special Risks

July 13, 2012

An attorney who specializes in data security issues says a cloud computing resource document that the Federal Financial Institutions Examination Council issued July 10 falls short of providing useful insights about how banks and credit unions must address privacy and security risks.

In the four-page document, the FFIEC explains how banking institutions should apply existing guidance to deals they sign for outsourced cloud services (see FFIEC Addresses Cloud Risks).

But Francoise Gilbert, an attorney at the IT Law Group, says the resource is far too shallow to offer banks and credit unions any real insights about precautions they should take when considering cloud computing.

The FFIEC's insistence that institutions should apply the same standards to cloud providers that they apply to other service providers reveals a lack of knowledge on the part of banking regulators about the unique risks posed by cloud computing, Gilbert says.

"I find this document a bit disappointing," she says. "They view cloud computing as just another form of outsourcing, and that's a far too simplistic view."

The FFIEC suggests that when considering cloud computing, banks and credit unions continue to follow the same fundamental guidelines and risk strategies outlined in the FFIEC Information Technology Examination Handbook, especially the Outsourcing Technology Services Booklet.

"This document codifies what we should look to and for in the Outsourcing Technology Services Booklet," says William Henley, director of technology for the Federal Deposit Insurance Corp., one of the four regulatory bodies that make up the FFIEC. "The expectation of the principles, we feel, should be applied to any vendor or outsourcing relationship."

The National Credit Union Administration says the new resource was issued to address risks and expectations related to the cloud. "Our primary goal here is to ensure credit unions are aware of the potential risks and develop adequate risk management approaches as they integrate this technology," the NCUA says. "Clearly, this type of relationship is like many other outsourced relationships. As such, appropriate due diligence, and understanding both the technical aspects of a cloud relationship and the effectiveness of security and privacy around member data is paramount."

But Gilbert points to separate cloud security guidelines that other agencies have issued to illustrate the shortcomings of the FFIEC's new resource. For example, guidelines issued in December by the National Institute of Standards and Technology and on July 1 by the European Commission delve more deeply into the nuances of cloud computing and offer specific risk mitigation considerations for organizations, she notes.

"Compare what the FFIEC has issued with the guidance just issued by the European Commission," Gilbert says. "That document is nearly 30 pages long and is much more detailed about the cloud's unique risks."

In its resource, the FFIEC makes reference to NIST's "Guidelines on Security and Privacy in Public Cloud Computing," and suggests banking institutions refer to it for further clarification.

FFIEC issued the resource to meet a need, Henley says. "There may be vendors that are providing cloud services that are not familiar with financial institutions, so those vendors may not be aware of all of the requirements in the regulatory environment that apply to financial institutions, and this is why we issued the resource document," he says.

What's Missing?

Follow Tracy Kitten on Twitter: @FraudBlogger
