I'm just getting caught up on some reading, and one of the things that I finally got a chance to read is the July 10th FFIEC "statement" on outsourced cloud computing. I'm going to provide a full analysis later this coming week, but something that struck me as I read this necessitated my writing this down before it passes out of my brain.
First and foremost - what we've all been talking about: the FFIEC considers cloud computing just another form of outsourced IT.
Sure, this may be a big "no kidding!" thought to you, but maybe it'll lend some calm to the discussions currently going on about what wondrous new things 'the cloud' brings us. The FFIEC acknowledges increased flexibility, recoverability and other critical things, but in the end acknowledges that this cloud thing isn't really a full-scale invention of something new.
I think the most powerful statement in the entire 4-page document, which I encourage you to read for yourself, is this one:
"A financial institution’s use of third parties to achieve its strategic plan does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws
If your organization is going to go through with outsourcing (which is in effect what cloud computing is), then your organization isn't magically absolved of the due diligence that is necessary and proper when doing other types of daily outsourcing. The FFIEC is basically chipping away at the "but they got hacked, it's not our fault" excuse that I suspect they anticipate organizations will start to use when their poorly designed, poorly secured applications are hacked in the cloud. I'm actually pretty excited about this.
Look for a breakdown of the entire document later this week ... until then, ponder what this means for the financial services sector, which essentially was just told: you own the risk. Whether you push the execution of the IT onto someone else or not, you're still on the hook for making sure they're doing the right things according to your risk-management practices.