米国連邦金融機関審査会(FFIEC)がクラウドコンピューティングサービスのリスク管理に関する声明を公表していますね。。。

こんにちは、丸山満彦です。

米国連邦金融機関審査会 (FFIEC)がクラウドコンピューティングサービスのリスク管理に関する声明を公表していますね。。。

内容は極めてベーシックです。なので、大変参考になると思います。。。

 

●  Federal Financial Institutions Examination Council's (FFIEC) 

・2020.04.30 FFIEC Issues Statement on Risk Management for Cloud Computing Services

・2020.04.30 [PDF] Joint Statement Security in a Cloud Computing Environment

他の形式に簡単に変換[Word][html]

-----

Governance
• Strategies for using cloud computing services as part of the financial institution’s IT strategic plan and architecture.

Cloud Security Management
• Appropriate due diligence and ongoing oversight and monitoring of cloud service providers’ security.
• Contractual responsibilities, capabilities, and restrictions for the financial institution and cloud service provider. 
• Inventory process for systems and information assets residing in the cloud computing environment. 
• Security configuration, provisioning, logging, and monitoring. 
• Identity and access management and network controls.
• Security controls for sensitive data.
• Information security awareness and training programs.

Change Management
• Change management and software development life cycle processes.
• Microservice architecture. 

Resilience and Recovery
• Business resilience and recovery capabilities.
• Incident response capabilities.

Audit and Controls Assessment
• Regular testing of financial institution controls for critical systems. 
• Oversight and monitoring of cloud service provider-managed controls.
• Controls unique to cloud computing services. 
 o Management of the virtual infrastructure. 
 o Use of containers in cloud computing environments.
 o Use of managed security services for cloud computing environments.
 o Consideration of interoperability and portability of data and services.
 o Data destruction or sanitization