On 17/11/2010, at 11:56 AM, Bayan Khalili wrote:
I didn't know that regulated institutions were so.. um.. regulated.
If using cloud services is categorised as outsourcing, then would
using any other hosted services (email, issue trackers, project
management systems, etc) be included as well?
How about sending a parcel overseas, or picking up the phone and
making an international call? Are these forms of offshore outsourcing
that require "...the regulator's tick of approval..."? Don't they
depend on services that are managed and owned by overseas
organisations?
I think the key sentence here is this one:
[cloud services] may form an integral part of an institution's core
business processes, including both approval and decision-making, and
can be material and critical to the ongoing operations of the
institution

It's certainly the case that government's own policies, for example
privacy policies, require them to not outsource applications *even
within Australia* without fairly comprehensive security risk
assessments and contractual terms. Even a lowly webmaster has to get a
security clearance to work on systems that may contain private
information. I'm not talking about medical records here either; any
identifying data including browsing history is covered.
Clifford Heath.
Bayan
On Nov 17, 9:22 am, Clifford Heath <[email protected]> wrote:
Hmmm. Relevant? I think so.
Clifford Heath.
Begin forwarded message:
-------- Original Message --------
Subject: Regulator warns Australia's finance industry on cloud risks
Date: Wed, 17 Nov 2010 05:34:44 +1100
From: Don McKenzie <[email protected]>
Newsgroups: aus.computers,aus.electronics
Regulator warns Australia's finance industry on cloud risks
By Brett Winterford on Nov 16, 2010 4:56 PM (12 hours ago)
========================================================
APRA's cloud computing fears published in open letter.
"The letter will prove a blow to U.S.-owned cloud computing
providers such as Amazon's EC2, Salesforce.com, Microsoft's Azure
and Google's App Engine - all of which to date are hosted elsewhere
in Asia."
Australian banking regulator APRA has written an open letter to the
financial services industry, urging executives to view cloud
computing as a new form of outsourcing or offshoring that requires
the regulator's tick of approval.
The rise of cloud computing has - as formerly expressed by CSC chief
technology officer Bob Hayward - "caught the regulator by surprise."
Earlier this year the regulator stepped in to apply pressure on one
wealth management firm that had endeavoured to migrate its CRM
system to Salesforce.com, hosted in Singapore.
Today's letter [PDF] - first reported on technology news site
Delimiter - reinforced APRA's view that cloud computing is still
untested technically and legally.
The regulator said organisations migrating services such as
messaging and calendaring, collaboration and CRM to the cloud should be
concerned about serious risks to the business.
"While these applications may seem innocuous, the reality is that
they may form an integral part of an institution's core business
processes, including both approval and decision-making, and can be
material and critical to the ongoing operations of the institution,"
APRA said in the letter.
"APRA has noted that its regulated institutions do not always
recognise the significance of cloud computing initiatives and fail
to acknowledge the outsourcing and/or offshoring elements in them,"
the letter said.
"As a consequence, the initiatives are not being subjected to the
usual rigour of existing outsourcing and risk management frameworks,
and the board and senior management are not fully informed and
engaged.
"Regulated institutions are reminded that, under the prudential
standards on outsourcing, they are required to consult with APRA
prior to entering into any offshoring agreement involving a material
business activity."
APRA expects that any outsourcing project that could hinder an
organisation's ability to manage risks effectively or have a
"significant impact on the institution's business operations"
requires the regulator's approval.
Those wishing to embrace the cloud are required to undertake a
"comprehensive risk assessment" around the type of service, the
service provider and where it is located, and the "criticality and
sensitivity of the IT assets involved."
"APRA has observed that, to date, assessments of cloud computing
proposals typically lack sufficient consideration of these factors,"
the letter said.