FDIC on Disaster Recovery
Regulator Says Working in Cloud Requires Proactive Vendor Management
"We listed some guidance back in 2008 and it covers a lot of new areas [such as cloud computing] and a lot of traditional areas," Saxinger says. "Reliance on interdependencies is something we highlighted here. ... Even if you are working in the cloud, you can't work in a vacuum. You have to work together to test systems. Just because you outsource does not mean you eliminate risk."
Many questions about the resilience of the cloud also exist, meaning banks really need to have a thorough understanding of how the vendors they rely on back up their regional and physical systems. "There's probably a lot more planning that needs to go into which elements are covered by the cloud's recovery process," Saxinger says.
During this second part of a two-part interview with Information Security Media Group, Saxinger discusses:
- Lessons the industry learned about cloud downfalls from the Amazon.com outage;
- How disaster recovery during severe storms can be foiled if service level agreements with cloud vendors are not clearly spelled out;
- Why testing is so critical, before an outage occurs.
Be sure to also listen to part 1, when Saxinger talks about vendor management programs and the heightened scrutiny they are now getting from regulators, especially in areas of emerging technology. [See FDIC on Improving Vendor Management.]
Saxinger is the team leader and subject expert for the FDIC's Division of Supervision and Consumer Protection in the area of regulatory IT examinations. He serves as the lead developer of the FDIC's IT examination standards and procedures, IT examiner education, and IT examination oversight. He has authored or contributed to various regulatory policies such as third-party risk and outsourcing, business continuity, payment systems, authentication, identity theft, spyware, and other emerging technologies. He is also a member of the FFIEC IT Examination Handbook working group which publishes the interagency guidance and examination procedures for various IT, payment, and operational risk areas.