The EBA tells Banks how to contract cloud services

Published final report with recommendations

Following the guidelines on outsourcing issued by the Committee of European Banking Supervisors (CEBS), and in accordance with Article 16 of Regulation (EU) No 1093/2010, the European Banking Authority (EBA) published on 20 December 2017 its final report with recommendations on outsourcing to cloud service providers. The recommendations will apply from 1 July 2018.

Within the package, security measures are a key aspect of risk management. They include identifying the appropriate level of protection needed to ensure the confidentiality, integrity, availability and traceability of data, securing the right to audit, and developing contingency plans.

Next, see a summary of the recommendations:

Another relevant aspect addressed by the EBA recommendations is the risk associated with chain outsourcing: the service provider should only subcontract to a third party that meets all of the same requirements.

How can an organisation exercise its access and audit rights? Each institution can of course use its own resources to do so, but that multiplies near-identical controls across every shared provider. The EBA recommendations therefore also outline two more efficient models: shared (pooled) audits and certification by independent third parties.

Our rating supports both models. As an independent certification, its more than 1000 controls, drawn from national and international regulations and standards (ISO 27001, ISO 27002, ISO 22310, TIA-942, PCI-DSS, PSD2, ENS, NIST SP 800-53 rev.2, FFIEC, etc.), cover the key measures any organisation may require, and its different levels allow the requirements to be adapted to each organisation's particular needs according to the associated risk.

The model also allows sector-specific requirements, such as any given regulation, to be integrated and mapped so that they can serve as the baseline for shared audits, ensuring that those audits match the requirements of the group of entities that agree to carry them out.

In either case, the rating serves as a fundamental tool for efficient supply-chain risk management, helping financial entities (and non-financial ones) safeguard their information and ensure business continuity.
