We would like to bring your attention to the following specific points, where we believe additional discussion and understanding of the risks and potential unforeseen consequences of the proposed guidance could avoid unfavourable outcomes, increased risks and additional costs for Financial Institutions (FIs), supervisors and Cloud Service Providers (CSPs). We have responded on an exception basis: points we agree with, or have no comment on, are indicated by their omission from our response. The responses provided are those where we suggest an alternative action or further clarification. We have preceded each response with the appropriate section heading and paragraph reference (or order).
4. Recommendations (DRAFT) on outsourcing to cloud service providers
4.3 Access and audit rights
6. a) IBM notes that the original CEBS guidance (reference 8.2 g) obliges an outsourcing provider to allow an outsourcing institution’s compliance, internal audit and external audit departments rights of inspection of, and access to, its data. The CEBS guidelines (8.2 h) also oblige an outsourcing service provider to give regulators access to relevant data and to its premises as required.
Whilst IBM recognises the requirement, in certain circumstances, for FI access to an outsourcing provider’s business premises, and the obligation to allow access to the outsourcing institution’s data, including unrestricted rights of inspection and audit of that data (CEBS 2006), IBM remains concerned that by granting full access to business premises, devices, systems and networks, the EBA significantly increases the risk of uncontrolled and unauthorised access to, and potential disruption of, the secure cloud physical Data Center and its associated infrastructure. The absence of a definition of ‘relevant business premises’, or of an exclusion for Data Centers, may have unintended consequences where access is currently restricted for legitimate security reasons.
The EBA has the opportunity to clarify the definition of business premises and to highlight the need to protect access to cloud Data Center infrastructure, by supporting the use of independent and industry-recognised third-party Data Center audit reports, such as Service Organization Control (SOC) Type I and Type II reports produced under the American Institute of Certified Public Accountants (AICPA) Trust Services Principles or the equivalent International Standard for Assurance Engagements (ISAE3402).
6. b) IBM recognises the need to balance the safety and integrity of cloud environments with the requirement that regulated institutions own, and are responsible for, the management, supervision and mitigation of the inherent risks associated with outsourcing (cloud or otherwise). In that regard, whilst IBM respects the desire to codify a financial institution’s (FI’s) audit rights over CSPs (a unique third-party environment not typically seen previously), we are concerned that the current proposals within the draft guidelines may inadvertently increase risk for FIs, regulatory supervisors and CSPs alike.
IBM believes it is important to reconsider the security requirements and impact of multiple clients auditing CSPs, to determine whether client audits are the most appropriate, effective and secure mechanism for auditing a CSP while preserving the safety and integrity of the CSP’s environment, given the potential for many thousands of regulated client audits. An unrestricted approach increases the risk for all CSP customers, as Data Centers are physically designed from the ground up for minimal physical/human intervention and access, to reduce the risk of unauthorised access to premises, systems, services and data. This is particularly so where that access extends beyond the restricted number of vetted Data Center staff and approved equipment maintenance engineers, who are subject to detailed personnel checks by the CSP.
To meet the requirements of the original CEBS outsourcing guidance (8g) and these refined new cloud technology guidelines, IBM recommends that the EBA support the adoption and use of industry best practice through recognition of independent audit reports produced in accordance with the American Institute of Certified Public Accountants (AICPA) Trust Services Principles, or the equivalent International Standard for Assurance Engagements (ISAE3402), namely Service Organization Control (SOC) Type I and Type II reports, in addition to International Standards Organization (ISO) certifications ISO27001, ISO27017 and ISO27018 and other jurisdiction-based certifications and self-assessments (e.g. Cloud Security Alliance [CAIQ], EU Cloud Code of Conduct, and others).
This alternate approach proposed by IBM enables the highest standards of inspection, examination and evidence; supports industry consistency and transparency; enhances FI operational risk assessment, risk management and risk understanding; whilst providing the opportunity for comparison, consistency and competition between CSPs; and most importantly reduces risk for the industry (FIs, supervisors and CSPs), whilst also managing costs.
7. IBM’s response to the previous paragraph 6 addresses the EBA’s concern of not ‘impeding or limiting’ the ‘effective exercise of the rights of access and audit by contractual arrangements’ through the provision of annually updated independent audit evidence, and through access to experts and technicians for additional queries, for responding to information requests and for providing explanations of controls. This proposed approach is designed to avoid increasing the risk of disruption to all CSP clients, by reducing the multiple physical (and logical) audit footprints that duplicative activity creates.
The use of professional auditors who are globally recognised and independent of the CSP (save for their remuneration), and who are selected for their skills in testing cloud technology controls, the associated business risks, and an outsourcing institution’s use of a CSP environment in its widest sense, ensures transparency, provides an appropriate level of assurance and reduces risk to all CSP client environments.
Furthermore, the use of professionally recognised auditors for AICPA, ISAE and ISO examinations ensures that current, industry-leading audit techniques for cloud-based controls are used and tested, rather than ineffective legacy system controls resulting from misunderstood or inappropriately designed audit programmes. We would welcome clarification from the EBA on the acceptability and use of independent audit reports as an alternative to individual physical FI access.
8. IBM suggests that the provision of independent audit reports and independent examination of certified compliance with industry standards demonstrates a risk-based approach to enabling client due diligence and continuous oversight of a CSP’s Data Center activities. This, in addition to an institution’s independent access to data, audit trails, SLAs and KPIs for activities on its data cloud services and components, including access management and application-level data controls, enables risk-based oversight and the right of audit without the need for physical FI access to a cloud Data Center.
a) IBM supports the need for an institution to maintain the necessary expertise to supervise the outsourced cloud activity and to manage the associated risks. We believe the availability of the independent audit materials referred to in our response supports this approach. We do not believe that the use of pooled physical audit access (similar to individual FI audit access) is necessary, for the same reasons: it would also increase risk for FIs, supervisors and CSPs alike, whilst duplicating the proposed independent audit activities. Even if multiple clients collaborate, many separate and independent requests will still be received for the same activities at the same locations; this is duplication, and it increases access and disruption risk.
b) IBM supports the use of third-party certificates as part of a fundamentally independent approach to the audit of a CSP, together with the use of third-party auditors as previously described. This will enable an appropriate and risk-based independent audit of a CSP by an FI. As implied by the EBA guidance, and as stated by IBM in our previous responses, this approach can provide the basis for institutional and statutory audits.
iv) IBM adopts and recommends the AICPA/ISAE3402 and ISO 27001, 27017 and 27018 standards, in addition to localised jurisdictional requirements (e.g. EU Cloud Code of Conduct, US Federal Financial Institutions Examination Council [FFIEC], US Federal Risk and Authorisation Management Program [FEDRAMP], Federal Information Security Modernization [FISMA], Singapore Multi-Tier Cloud Security [MTCS] and/or others) as required.
9. Given the uniqueness and design of individual CSPs’ environments, their technical and physical facilities, and the potential lack of accredited skills among financial clients, IBM suggests that the use of AICPA or equivalent ISAE3402 SOC reports, ISO standards and other jurisdictional and sectoral independent certifications and reports (or a mixture thereof) is an acceptable and independent alternative mechanism for the audit evidence required of CSPs and their Data Center operations. These reports and compliance certificates are already independently produced by many CSPs, and recognised by FIs and their supervisors. IBM recommends that the EBA consider this approach as an alternative to individual FI physical examination and audit of compliance of CSP Data Centers.
4.4 In particular for the right of access
14. a) Whilst IBM agrees with the pre-notification timescale principle for access to and audit of business premises, IBM does not support the need for a permanent ‘right to access’ and ‘right to audit’ for FIs over CSP Data Centers based on the requirements of paragraph 6. IBM suggests that sufficient independent material and evidence can be made available to address these requirements through the use of independent AICPA and ISAE SOC reports and ISO reports. The frequency of these reports (including for exceptional events such as a proven breach) can be addressed in the written contract. Where a control or risk is found not to be addressed, or where there has been a proven control failure/breach, IBM agrees that the CSP should work with the FI (including the regulator/supervisor if required) to address the control failure, up to and including exceptional access to allow independent client verification.
4.5 Security of data and systems
16. c) Whilst encryption remains the outsourcing institution’s choice, we further recommend that the client should maintain independent control of the encryption keys.
17. IBM seeks clarification on paragraph 17. It is IBM’s understanding, based on paragraphs 17 and 16(c), that the regulated institution remains responsible for establishing the institution’s security policy and expectations through its security and data classification policies. The regulated entity cannot abrogate its responsibility for this to the CSP. The FI is responsible for agreeing a solution in writing with the CSP that is commensurate with, and compliant to, its policies and risk appetite. IBM recommends that the written agreement should set out both the customer’s and the CSP’s individual roles and responsibilities with respect to the security of data and systems.
IBM recommends consideration of an alternate independent approach to the audit of CSP Data Centers by outsourcing institutions, to reduce risk and support the objective of establishing a ‘level playing field’ for all institutions, supervisors, regulatory authorities and CSPs. This approach can be adopted immediately as the international framework and independently qualified and experienced auditors are in place. This approach will reduce both risk and cost for institutions, regulators, supervisors and CSPs alike, through establishing a standard repeatable process that can be shared with full transparency, including observed/tested failures and their remediation activities.
IBM recommends that the EBA give consideration to the recognition and use of appropriate, globally recognised independent cloud auditing standards, and to the approach to be taken to their adoption by CSPs and regulated institutions, through guidelines on use and frequency, e.g. AICPA/ISAE3402 (or similar) Trust Services Principles Service Organization Control (SOC 1 and SOC 2) reports for service organisations. This will establish a baseline for their use, and assurance of their operational effectiveness for the oversight of controls on an ongoing (annual) basis. This approach will enable the use of approved independent audit reports, subject to scrutiny by independent FI audit teams and regulatory supervisors, as a proxy for individual on-site audits by FIs.