Financial Crime World

Cloud Computing Risks and Regulatory Requirements: A Comprehensive Guide

As the use of cloud computing continues to grow, so do the risks associated with it. Cloud providers are responsible for ensuring the security and integrity of their services, but they also need to comply with various regulatory requirements and international laws.

Compliance and Audit

Maintaining compliance with internal security policies and regulatory requirements is crucial when using cloud computing. This includes:

  • Evaluating how cloud computing affects compliance with internal security policies
  • Identifying the compliance requirements (regulatory and legislative) that apply
  • A thorough review of roles and responsibilities to define which party (the DAB or the cloud provider) is responsible for operating and monitoring each cyber risk control

Information Governance

Governing data that is placed in the cloud is essential. This includes:

  • Identifying and controlling data in the cloud
  • Implementing compensating controls to deal with the loss of physical control when moving data to the cloud

End-User Developed Systems (End User Computing)

The risk from any end-user developed systems should be assessed, given that end-users may build systems that do not follow formal IT standards (for example, unmanaged spreadsheets, scripts, or small applications). This may increase the risk of security incidents relating to:

  • Data security
  • Availability outages

Staff Vetting Process

The screening of staff is an important control used to minimize personnel risks. Therefore, DABs must implement a staff vetting process.

Security Review of New Projects and IT Systems

New projects that involve data or systems classified as critical must be subject to a technology risk assessment to identify and respond to any potential new risks introduced. Minor changes should be security-reviewed as part of the standard change process.

Detecting and Reporting Cybersecurity Incidents

DABs are required to notify the Authority within 24 hours from the time that an event is either determined or confirmed (whichever is sooner). An incident report must then be prepared containing details of the incident, the root cause, the actions taken to minimize impact, and any actual adverse impact on the organization. This report must be submitted within 14 days of the initial incident notification date.

Multi-Factor Authentication

For any web-based services provided by a DAB where user authentication is required, multi-factor authentication must be used.

Logical Access Management

Procedures must be in place to manage the allocation of access rights to information systems and services. This includes:

  • Authorizing employees, third parties, and customers who use IT systems through an approved process
  • Ensuring that the access granted and the level of privilege are appropriate to each user's role

Conclusion

This article has provided an overview of the key cloud computing risks and regulatory requirements facing DABs today, from compliance and audit to information governance, staff vetting, incident reporting, and access management.