Pub. 11 2020 Issue 4

West Virginia Banker (www.wvbankers.org)

Cloud Computing Security Considerations

By Chris Joseph, Arnett Carbis Toothman

Introduction. Cloud computing services have been a part of financial institutions for several years. The reasons for utilizing cloud computing services have been discussed over those years, so we are not going to address them in this article. We are going to focus on the security considerations, as the use of cloud computing services has increased significantly in the delivery of products and services in the financial services industry. With the increased use comes risk. Recognizing the risks, the FFIEC recently issued a joint statement titled “Security in a Cloud Computing Environment.” The statement indicated, “Financial institution management should engage in effective risk management for the safe and sound use of cloud computing services. Security breaches involving cloud computing services highlight the importance of sound security controls and management’s understanding of the shared responsibilities between cloud service providers and their financial institution clients.” The statement does not contain new regulatory expectations but addresses risk management practices that should be considered.

Background. As with other vendor arrangements, when engaging a cloud service provider, the financial institution should conduct effective vendor management over the relationship. As indicated by the FFIEC, “Due diligence and sound risk management practices over cloud service provider relationships help management verify that effective security, operations, and resiliency controls are in place and consistent with the financial institution’s internal standards. Management should not assume that effective security and resilience controls exist simply because the technology systems are operating in a cloud computing environment.” Vendor management entails the contract review that documents the services, expectations, uptime requirements, controls, etc.
