Mission

Develop principles regarding data security, integrity and accessibility in the cloud that address Financial Services Institution (FSI) expectations for cloud service providers (CSPs), thus providing FSI Chief Information Officers (CIOs) with a helpful reference point supporting assessment of CSPs. Articulate the appropriate balance of responsibilities between FSIs and CSPs, including regulatory considerations, in promoting safe cloud adoption and usage, in the immediate and long term.

Background

With the increasing deployment of cloud technology, the adoption of cloud solutions in other industrial sectors and the compelling economics of cloud computing, FSIs would benefit from a mechanism to validate a cloud solution against their own risk tolerance. However, challenges persist in how a CIO can assess a cloud provider’s ability to address regulatory requirements within the Financial Services sector as it pertains to data security, data privacy, data integrity and availability.

There are currently certifications and independent audit reports such as ISO 27001, SOC 2, PCI DSS 2.0, EU Model Clauses, etc. that drive towards that goal. These standards and reports are not focused on the legal and regulatory frameworks that CIOs in the Financial Services sector operate under, particularly with respect to outsourcing. There is a gap between existing certifications and the assessment process that the FSI and regulators undertake for cloud adoption.

The Financial Services sector could benefit from additional guidelines developed and adopted by cloud providers who wish to become trusted service providers within this sector, thus providing Financial Services CIOs with a helpful reference point from which to base their decision to move to the cloud, while considering needs from a regulatory and functionality perspective as it pertains to data security and data privacy.

Goals

Develop principles that address Financial Services Institutions’ (FSI) data security, integrity and availability expectations for cloud service providers (CSPs), and articulate an appropriate balance of responsibilities between FSIs and CSPs in promoting safe cloud adoption and usage.

These principles should address the following topics, among other key considerations:

  • CSP resilience, business continuity, and support for hybrid deployment
  • Distribution of security responsibilities between the CSP and FSI
  • Audit considerations for FSIs and their regulators
  • Limits on CSP use and access to customer data
  • Risk assessment guidelines for FSIs transitioning to cloud services

Deliverables

The project team will summarize the working group and technology review findings in a final report or reports to be published upon completion of the project. The report will:

  • Provide principled guidance for FSIs and CSPs in the deployment and management of cloud services, including policy, practices, training and technology supporting FSI use of cloud. This will include an outline of an appropriate balance of responsibilities between FSIs and CSPs in promoting safe cloud adoption and usage.
  • Highlight areas in which there do not yet appear to be effective solutions.
  • Suggest further research and development to advance data security, integrity and accessibility in the cloud.

Governance

The Collaborator Program Steering Committee will oversee this initiative in cooperation with the Security and Fraud Program steering committees and the Vendor Management Advisory Group, all subject to Advisory Council and Executive Board oversight.

Lead

Jim Pitts – Project Management, Logistics, Communications, Content and Technology

214-793-1127 | jim.pitts@fsround.org

Meetings

  • Each work group will convene by teleconference monthly through October 2016.
  • Ad hoc calls may be scheduled as needed to address targeted issues, opportunities, and specific research areas.
  • In-person meeting: June 7, 2016

Participation

Based on these requirements, the estimated time commitment is approximately 2-8 hours per month over the 12-month life of the project. Individual participants or working groups may wish to invest additional effort.

Experience and Skill Set of Participants

  • Senior IT Executives
  • Technical and solution provider experts
  • Regulatory and compliance
  • Data security
  • Risk management
  • Fraud and loss prevention
  • Supplier Risk Management
  • Project management & support professionals
  • Related leaders-in-development with desire to provide research and project support
  • Subject matter expertise – Information technology, cloud, security, regulatory and compliance, risk management, outsourcing, vendor management

If you or someone from your organization is interested in participating in this project, please email Jim Pitts at jim.pitts@fsroundtable.org with your name, organization, title, email address and office telephone number.