Assessing risk and compliance for financial services institutions using the Microsoft Cloud

This post has been republished via RSS; it originally appeared at: Financial Services Blog articles.

Due to regulatory and compliance concerns, many financial services institutions (FSIs) have remained hesitant about moving to the cloud, even as they embrace the idea of digital transformation. That is why completing a risk assessment is a critical step in the decision to adopt any cloud service, and a precursor to notifying regulators of the cloud plan. A strong assessment covers two key areas:

  • General risk, which helps you ensure that whatever systems or data you plan to move to the cloud will not introduce any new or unidentified risks for your organization
  • Compliance, which ensures you have considered the external regulations imposed by industry bodies or governments on FSIs (such as privacy regulations, general banking and insurance regulations, or cloud and outsourcing regulations), as well as your own internal procedures and guidelines.

You probably have mature assessment models for your on-premises systems. Assessing risk for cloud services requires a different approach. First, you need to think through all of the challenges moving to the cloud might present for your organization. For example, in almost all cases, responsibility for security controls and compliance will be divided between your organization and the cloud service provider (CSP), and where the line falls depends on the type of service you choose: with infrastructure as a service (IaaS) you still own operating-system patching, network configuration, identity and data protection, whereas with software as a service (SaaS) the provider operates most of the stack but you remain responsible for data classification, access control and the configuration of the service. In addition, when you move to the cloud, your data is managed externally; your CSP may be in a different part of the world, with very different contractual terms and regulations for handling data.


However, moving to the cloud also presents considerable opportunities in the areas of security and compliance. Large CSPs like Microsoft operate at significant economies of scale, which means we can rapidly develop best-in-class security measures, deploy them, and keep them updated. Under the shared responsibility model mentioned above, we also take on part of the cost of keeping the underlying platform compliant that customers would otherwise carry themselves. Finally, we offer a high level of service availability across multiple geographic areas worldwide, so services designed to take advantage of that footprint can be made considerably more fault-tolerant and resilient against failures than a single on-premises environment.


At Microsoft, we understand that assessing risk and notifying regulators are critical steps in any FSI's decision to move to the cloud. We have created a cloud risk assessment model to walk you through an effective end-to-end risk analysis of Microsoft cloud services, with guidance for steps including:

  • Identifying stakeholders and determining a governance approach. Determining who your internal stakeholders will be and outlining the internal processes and responsibilities for governance.
  • Choosing the right reference framework for your assessment. Selecting an external reference framework such as the Cloud Security Alliance's Cloud Controls Matrix, or building an assessment that maps a specific service against regulatory requirements such as GDPR.
  • Using Microsoft Compliance Manager* to assess risks. For Microsoft customers, assessing their deployment in the Microsoft cloud to distinguish between controls the provider manages and controls the customer must implement and evidence.
  • Assessing regulatory guidelines by country. Microsoft provides Compliance Guides by region as part of our commitment to financial institutions around the world. We developed these guides to help financial institutions adopt Microsoft cloud services with confidence that they are meeting the applicable regulatory requirements. Our most recent regional additions include Israel, Poland, France, India, Belgium, and the Netherlands.
  • Assembling the regulatory submission. Preparing a formal notification that gives regulators the information they expect about the cloud project and how its risks have been assessed, mitigated, and approved. We provide a template for notifying regulators.

To learn more, download the free whitepaper, "Risk Assessment and Compliance Guide for Financial Institutions in the Microsoft Cloud," or visit the Microsoft Service Trust Portal Compliance Guides to view the Compliance Guides by region.


*Compliance Manager is a dashboard that summarizes your data protection and compliance posture and offers recommendations for improving both. Those recommendations are advisory: it is up to you to evaluate their effectiveness in your own regulatory environment before implementing them, and they should not be interpreted as a guarantee of compliance.
