TRENDING:

Managing Cloud Vendors

Ensuring Data Security Is Bank VP's Responsibility Tracy Kitten (FraudBlogger) • September 3, 2013     10 Minutes   
Managing Cloud Vendors
Bank regulatory guidelines for cloud providers highlight due diligence, and organizations that don't adequately screen vendors face trouble. Troy Wunderlich of Washington Trust Bank offers tips for vendor managers across industries.

Outsourcing data backup and other functions to cloud providers can help with business continuity and disaster recovery, says Wunderlich, the vice president and operational risk manager at Washington Trust Bank, a $4 billion institution based in Spokane.

But choosing the right one involves asking the questions, reviewing audits and examinations, and consistently testing recovery capabilities.

Vendor Management

In July 2012, the Federal Financial Institutions Examination Council issued a resource for banking institutions to follow when choosing a cloud computing vendor (see FFIEC's New Cloud Info 'Disappointing').

But Wunderlich says most of the regulatory mandates guidelines included in that resource relate to vendor management.

"The FFIEC's guidelines ... reiterated a lot of the vendor management standards they had mentioned before."

From a compliance perspective, banking institutions have to know that the cloud vendors they work with follow certain standards, such as those set by Statements on Standards for Attestation Engagements, he says.

SSAE 16 is an internationally recognized third-party assurance audit. "Part of SSAE 16 and really understanding what type of encryption they offer," Wunderlich says.

Most cloud vendors that cater to financial services providers are examined by federal banking regulators, Wunderlich adds. Requesting copies of those examination reports is an essential component of the due diligence banking institutions should perform on vendors before they sign a contract, he says.

Really understanding the vendor's encryption practices, for instance, is key, Wunderlich explains.

"[Banking institutions need to] Understand the vendor they're going to be working with," he adds.

During this interview, Wunderlich discusses:

  • The benefits the cloud offers for disaster recovery and business continuity;
  • How working with a third-party vendor offering other banking services can prove beneficial; and
  • Why ongoing and regular testing of cloud recovery capabilities must be part of an institution's due diligence.

At Washington Trust, Wunderlich oversees IT and physical security, and manages the bank's anti-money-laundering practices and fraud-prevention compliance programs. He also is responsible for risk management and internal controls, as well as vendor management, business continuity planning and policy-review oversight. Wunderlich is a certified information security manager.

Previous
Tracking the Fraud Lifecycle
Next
Implementing Continuous Monitoring Plan



Around the Network

How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.com, you agree to our use of cookies.