FFIEC Keynote Addresses Emerging Cloud Risk, Organized Crime, Compliance
Online PR News – 31-August-2011 – Boston, Mass., August 31, 2011 -- Connecting the dots between organized crime, terrorist financing, narcotics trafficking, trade secret theft, human trafficking, money laundering, social media, mobile media, and cloud computing illustrates an emerging, disturbing trend: the progression of increased regulatory, legal, financial, reputation, and cascading risk.
The keynote address at the recent Federal Financial Institutions Examination Council (FFIEC) Information Technology Conference held in Washington, DC was delivered by MacDonnell Ulsch, CEO and Chief Risk Analyst of the Boston, MA-based ZeroPoint Risk Research, LLC. The subject of the address, Risk, Compliance, and Cloud Computing, focused on how technology innovation often results in unanticipated risk. The FFIEC, empowered by the Board of Governors of the Federal Reserve System, promotes uniformity and consistency in the supervision of financial institutions.
“Technology innovation is in part what makes America great, and it is a clear demonstration that the U.S. is a technology leader,” said Ulsch. “But we often fail to reasonably assess the regulatory and other risks associated with new technologies and applications. Failing to meet the mandatory minimum requirements associated with data security and privacy regulations could lay a foundation for other highly impactful risk.”
Data breaches, including those originating inside and outside of the organization, continue to affect companies at an alarming rate. Nearly half a billion electronic records in the United States have been compromised over the last six years.
Ulsch pointed out that the Massachusetts privacy regulation, 201 CMR 17.00, is one of the more restrictive privacy regulations, and he discussed many of the complexities associated with 201’s specific requirements in a cloud computing environment, including third parties with sensitive information access, information systems access, and physical plant access. Managing compliance can become more difficult when cloud providers utilize offshore providers.
Ulsch, author of the book THREAT! Managing Risk in a Hostile World, encouraged the conference attendees to approach the management of risk from a post-breach perspective. “Assessing the potential impact of risk before it happens is the best way to put in place the protective mechanisms needed to reduce the likelihood of a breach or the severity of one,” he said. “Focus on managing vendor approaches on information security, information privacy, threat and risk analysis, compliance requirements, enforcement mechanisms, internal audit access and latitude, and foreign corrupt practices management.”
Understanding how a cloud vendor is going to manage these elements is critical to managing information risk as part of corporate governance. Questioning cloud providers about the approach to, and level of, due diligence applied to domestic and foreign partners and providers is increasingly necessary. How are background investigations conducted to prevent criminals and even terrorists from gaining employment in these companies? With billions of dollars of technology investment behind the development of communications networks in emerging foreign economies, what protections are principal cloud computing providers using to manage client information risk? While cloud computing is economically compelling, providers will constantly seek lower cost services to remain competitive.
“Holding these cloud computing vendors accountable is fundamental and vital to managing information risk,” recommended Ulsch.
For a copy of the presentation, please contact Susan Shea at Susan.Shea@ZeroPointRisk.com or by telephone at (617) 517-0063.