Eight Steps to Ensure Compliance Before Financial Services Institutions Move to the Cloud

This post has been republished via RSS; it originally appeared at: Financial Services Blog articles.


As a financial services institution, you need to balance the risks with the benefits of moving to the cloud, especially around compliance. At Microsoft, we help customers understand how they should be thinking about compliance in the cloud. Here are some recommended steps to complete the risk assessment of Microsoft’s cloud solutions efficiently:


  1. Identify internal stakeholders. The various internal stakeholders should be brought together to agree upon their level of involvement.
  2. Choose an appropriate reference framework. Any existing internal risk assessment models may not always translate well into the context of cloud computing where part of the service is now managed by the cloud service provider (CSP). As an alternative, try adopting an independent external model for addressing cloud risks such as the CSA CCM, which was specifically created for assessing cloud deployments.
  3. Use Compliance Manager to assess risks. With Compliance Manager*, financial institutions can view a dashboard that summarizes Microsoft’s and your organization’s control implementation progress for Office 365 across various standards and regulations, such as GDPR, ISO 27001, ISO 27018, and FFIEC. It offers a built-in workflow management system that also allows customers to follow up on the controls for which they remain responsible.
  4. Use our compliance guides to assess regulatory compliance by country. Microsoft also created some excellent compliance guides on a country-by-country basis, which can be leveraged to help ensure that the cloud deployment is compliant with all relevant regulations in the countries where the service will be offered.
  5. Prepare an exit strategy. More and more regulators require financial services institutions to prepare a strategy document which explains how the institution would recover from a major CSP failure (e.g. bankruptcy). Our recommendation is to prepare a short, principles-based document that lists the key threat scenarios that might trigger an exit and details how each exit would be carried out: key process steps and phases, the staff involved and their responsibilities, dependencies, timing, and cost estimates.
  6. Create risk action plans and service approval. Merge the business case, risk assessment summary, compliance assessment summary, the risk exceptions that need approval, and exit plan (when ready) into a management letter requesting formal approval to start consuming the cloud service.
  7. Notify financial and privacy supervisors. Strive for maximum transparency by informing supervisors on the recently approved case, not just the regulators where notification is mandatory.
  8. Join the Microsoft Cloud Financial Services Compliance Program (FSCP). The FSCP was specifically created to help financial services and regulated financial affiliates assess the risks of using Microsoft’s cloud services. This paid program is entirely optional, but offers deep insights into Microsoft cloud services’ capabilities, risks, and performance for those customers that want to achieve the highest level of assurance over the service.

When deployment activities are planned in parallel with the risk assessment phase, a successful first deployment of Microsoft cloud services can be achieved in a matter of months while staying fully compliant with all supervisory requirements. For more information about how to start your risk assessment of Microsoft cloud services, download our whitepaper, Risk Assessment and Compliance Guide for Financial Institutions in the Microsoft Cloud.


*Compliance Manager is a dashboard that provides a summary of your data protection and compliance posture and recommendations to improve data protection and compliance. This is a recommendation; it is up to you to evaluate its effectiveness in your regulatory environment prior to implementation. Recommendations from Compliance Manager should not be interpreted as a guarantee of compliance.
