Pub. 11 2020 Issue 4

Pub. 11 2020 I Issue 4 Winter 33 West Virginia Banker Chris Joseph is a partner of Arnett Carbis Toothman LLP, located in the Charleston, West Virginia office. A Certified Public Accountant, Certified Information System Auditor, certified in Risk and Information Systems Control and certified as an Information Technology Professional, Mr. Joseph has over 35 years of experience in information technology audit and security services in the financial institutions industry.Mr. Joseph can be contacted at 800-642-3601 or through email: chris.joseph@actcpas.com . • Resiliency and Recovery  Business resilience and recovery capabilities — The business resilience and recovery should be appropriate for the cloud computing service’s risk.  Incident response capabilities, including the challenges introduced in a cloud computing services arrangement (how to address technology assets owned and man- aged by the cloud service provider). • Audit and Controls Assessment  Regular testing of financial institution controls for criti- cal systems (should be included in the standard audit schedule).  Oversight and monitoring of cloud service provid- er-managed controls. The financial institution should evaluate and monitor the cloud service provider’s applicable controls. As in other vendor management ar- rangements, while the responsibility to perform controls can be outsourced, the accountability for protecting customer information is with the financial institution. There are also some controls unique to cloud computing services, including: • Management of the Virtual Infrastructure — Secure virtual infrastructure is managed through cloud security tools. The control over those tools is the responsibility of the cloud service provider. The financial institution should gain an understanding and verify the cloud service pro- vider controls are working as intended. • Use of Containers in Cloud Computing Environments — Use of containers provides many advantages, including portability and less demand on resources. However, containers share the same kernel presenting potential security risks. • Use of Managed Security Services for Cloud Comput- ing Environments — Consider leveraging other security tools and services. • Consideration of Interoperability and Portability of Data Services — Interoperability and portability capabilities should be considered related to the financial institution’s overall strategic plan and risk appetite. • Data Destruction or Sanitization — Financial institu- tions should ensure the data destruction and sanitization policies and procedures follow their policies and docu- mented in the service level agreement. Conclusion . With the continued increase in cloud computing services, financial institutions should ensure that their overall risk management program considers the services outsourced and the various risks associated with the cloud computing service. Understanding the controls at both the financial insti- tution and the cloud service provider should be understood, tested and monitored.  The financial institution is also responsible for implementing and managing controls over operations, applications, operating systems, data and data storage. The cloud service provider is primarily responsible for the overall infrastructure, including the physical data center.