The FFIEC has just added a section to the Outsourcing Technology Services IT Examination Handbook, and it should be required reading for financial institutions as well as for any managed service provider. The new section is Appendix D: Managed Security Service Providers, and it is the first significant change to the Handbook since it was released in 2004. It addresses the fact that, because of the increasing sophistication of the threat environment and the lack of internal expertise, a growing number of financial institutions are outsourcing their security management functions (either partially or completely) to unaffiliated third-party vendors.
Because of the critical and sensitive nature of these security services, and the loss of direct control when they are outsourced, the guidance stresses that institutions must address additional risks beyond those covered by their normal vendor management responsibilities. Specifically, more emphasis must be placed on the contract itself and on oversight of the vendor’s processes, infrastructure, and control environment.
The most interesting addition to the guidance for me is the “Emerging Risks” section, which is the first time the FFIEC has addressed cloud computing. Although it is addressed from the perspective of the service provider, it defines cloud computing this way:
“…client users receive information technology services on demand from third-party service providers via the Internet “cloud.” In cloud environments, a client or customer will relocate their resources such as data, applications, and services to computing facilities outside the corporate firewall, which the end user then accesses via the Internet.”
The guidance treats any data transmitted, stored or processed outside the security confines of the corporate firewall as higher-risk data that requires additional controls. This would seem to imply that data in the cloud should be classified differently in your data-flow diagram and have a correspondingly higher protection profile.* It will be interesting to see whether this is the approach the FFIEC takes if and when it addresses cloud computing directly in the future.
The guidance also includes a useful MSSP Engagement Criteria matrix that institutions can use to evaluate their own service providers, as well as a set of MSSP Examination Procedures that service providers (like mine) can use to prepare for future examinations. In summary, financial institutions would be wise to familiarize themselves with the new guidance; after all, to quote its last line:
“As with all outsourcing arrangements FI management can outsource the daily responsibilities and expertise; however, they cannot outsource accountability.”
* A protection profile is a description of the protections that should be afforded to data in each classification.