The Australian Prudential Regulation Authority (APRA) today released the attached information paper on prudential considerations and key principles in relation to outsourcing involving shared computing services, including the cloud.  The paper supersedes APRA’s November 2010 letter on specific considerations when using cloud computing services.

The information paper outlines prudential considerations and key principles in relation to outsourcing involving shared computer services.  Throughout the paper, the term ‘shared computing services’ is used (whether labelled cloud or otherwise) to differentiate arrangements which involve the sharing of IT assets (including hardware, software and/or data storage) with other parties, from those where IT assets are dedicated to a single APRA-regulated entity.

APRA has noted an increase in the volume, materiality and complexity of outsourcing arrangements involving shared computing services reviewed by APRA and weaknesses in risk management approaches relating to these arrangements.

The paper identifies lower and higher risk shared computing scenarios.  APRA has particular concerns about systems of record holding information essential to determining obligations to customers (such as customer identity, current balance/benefits and transaction history).

To satisfy CPS 231 and SPS 231, APRA-regulated entities should:

– Adequately understand and manage risks – including the ability to continue operations and meet obligations following a loss of service, preservation of the quality and security of critical and/or sensitive data/information, compliance with legislative and prudential requirements, and jurisdictional, contractual or technical considerations which may inhibit APRA, including its ability to have timely access to documentation and data/information.

– Consider both criticality and sensitivity when deciding whether an arrangement is a material outsourcing agreement, taking into account the IT assets involved and the associated business processes impacted.

– Consider the use of scenario analysis of plausible security events to fully understand the materiality of the arrangement.

– Undertake prior consultation when the use of shared computing services involves heightened inherent risks such as exposure to untrusted environments.

The paper identifies that prudent practices would normally include a well-considered strategy, effective governance arrangements, appropriate consideration of IT risk (including security and recovery) and sufficient assurance mechanisms.  Areas of weakness identified by APRA include:

– proposals driven solely by cost considerations;

– business cases which focus on benefits without adequate visibility of associated risks;

– solutions not aligned to the desired enterprise architecture;

– bypassing established risk management and outsourcing frameworks;

– failure to engage with the risk, security, outsourcing and assurance functions at the initiation stage;

– a ‘fast track’ transition rather than a cautious and measured approach;

– impediments placed on APRA access rights to the service provider;

– risk descriptions which are too high level and do not identify control weaknesses;

– no consideration of critical and/or sensitive IT assets accessible from the shared computing service;

– inadequate consideration of the sensitivity of data (collectively and at the individual field level);

– cursory risk assessments which fail to consider specific risks and any changes to the risk profile or framework for ongoing management;

– limited due diligence with too great reliance placed on provider attestations and/or usage by other organisations;

– inadequate consideration of point-in-time recovery capability with reliance placed upon resilience;

– inadequate segregation between production and the IT assets necessary to enact recovery, such that a single incident could compromise recovery capability;

– reliance on key control testing alone for services that involve heightened inherent risk.

APRA will encourage ongoing dialogue to ensure prudent practices are in place and risks are adequately mitigated when regulated entities seek the advantages that shared computing services can realise.

Source: Minter Ellison