How CSPs Can Make the Security and Compliance Evaluation Process Easier for Financial Institutions
This blog was originally published by Oracle here
Oracle author: Maywun Wong, Director, Product Marketing
Contributed by: Steven D'Alfonso, Research Director, IDC Financial Insights
So, you have finally decided to move applications to the cloud. But your board's risk committee wants assurance that security and compliance requirements will be met. While IT and compliance executives understand that cloud infrastructure provides many benefits, they also have security and compliance top of mind. How do you choose a cloud service provider (CSP)? When it comes to CSPs, are they all the same? What type of information and documentation should you request from a prospective CSP?
Each financial institution (FI) will likely have a standard policy on performing a third-party risk assessment but there are particular questions and assessments that are needed to properly evaluate a potential CSP partner. FIs are required to perform a risk assessment of all third-party service providers but CSPs that will provide critical infrastructure and security technologies need particular scrutiny.
Just like no two FIs are quite the same, no two CSPs are the same. There will be differences in standard offerings, capabilities, costs, and overall value CSPs provide to a financial institution. Each financial institution will have needs based on its customer base, products, geographies in which it operates, and compliance requirements, among others.
While each FI will use its own criteria to evaluate a CSP, there are certain things a CSP can do and provide to make the assessment process easier. Most of an FI's questions will likely be answered through the CSP's service organization controls report, which will provide details around processes, controls, and services. The CSP should also have reference content readily available to share with prospective FI clients, including:
- Regulatory Intelligence. The CSP should be able to provide a description of how it maintains compliance with regulatory changes. The CSP should have a robust process related to regulatory intelligence collection, impact assessment and analysis, and sound infrastructure change management practices.
- Shared Responsibility and Security and Compliance Control Mapping. One of the important ways in which an FI can understand how a CSP can help it meet security and compliance requirements is through a shared responsibility model. The CSP should outline, in specific detail, its responsibility under the applicable regulations that affect the FI and the jurisdictions in which it operates. The model will highlight which provisions of a regulation are the responsibility of the CSP, the financial institution, or a joint responsibility. This control responsibility matrix will help IT risk management to communicate, to executive management and the board, how security and compliance controls will be maintained.
- Security and Compliance Certifications. A CSP should provide evidence of security and compliance certifications, such as Payment Card Industry Data Security Standard (PCI DSS), SOC2, ISO, among others. For regulatory requirements for which there may not be a certification, a CSP should be able to provide compliance alignment white papers that detail how the CSP meets the requirements of particular regulations.
- Reliability and Consistency. Beyond compliance-related inquiries, FIs should interrogate the CSP's transparency about risks that will affect the FI. These risks may include employee and management turnover, the depth of industry-related experience within the ranks of its staff, and the CSP's experience in working with FIs. Additionally, the CSP should provide guidance on infrastructure reliability, supported by service level agreements, and should be open to granting the FI the right to audit. Other important aspects to understand when evaluating a CSP may include the CSP's ability to scale its infrastructure, the methodology used to quantify and manage risk, the extent to which third-party partners are used, and how the CSP controls access to the network. All of these factors address a CSP's ability to provide consistent and reliable services to its customers.
On the surface, many CSPs may appear similar. It is common for CSPs to provide much of the information described in this blog. However, a comprehensive assessment will likely reveal that some CSPs offer a greater breadth of services and capabilities associated with the topics discussed here. Moving workloads to the cloud certainly requires a lot of planning and careful consideration. A quality CSP with experience working with banks and other financial services organizations should make the process straightforward by providing guidance and clear communications.
To learn more, download the IDC paper, “The Security and Compliance Benefits of IaaS for Financial Services,” found here: https://idcdocserv.com/US47588821.