UK FinanceCloud Computing Controls FrameworkCLOUD COMPUTINGCONTROLS FRAMEWORKA Procurement Framework for Public Cloud Computing Services 2019, UK Finance Limited trading as UK Finance1

UK FinanceCloud Computing Controls Framework2This report is intended to provide general information only and is not intendedto be comprehensive or to provide legal, regulatory, financial or other adviceto any person. Information contained in this report based on public sourceshas been assumed to be reliable and no representation or undertaking is madeor given as to the accuracy, completeness or reliability of this report or theinformation or views contained in this report. UK Finance shall have no liabilityto any person arising from or in connection with any use of this report or anyinformation or views contained in this report. 2019, UK Finance Limited trading as UK Finance

UK FinanceABOUT THISFRAMEWORKHOW TO USE THISFRAMEWORKCloud Computing Controls Framework3UK Finance sponsored the creationof a public cloud computingframework that sets out best practicefor the procurement and ongoingmanagement of cloud computingas a service. The target audience forthis framework is any financial serviceprovider and it will be particularlyhelpful for the technology, risk,vendor management and procurementfunctions within institutions.The controls have been derived fromanalysis of UK Finance memberscontrol sets and in collaborationwith cloud service providers. Eachcontrol has been cross checkedfor compliance against ISO 27001,COBIT 5.0, Cloud Security AllianceGuidance, AICPA SOC 1 and EBA CloudOutsourcing Guidelines.The framework can help teams acrossthe technology lifecycle, bearingin mind that it will depend on yourindividual organisation. Those workingin technology procurement coulduse it as part of their tender processto assist in checking suppliers arefollowing best practice, and thosewho work in contract managementcould use it as part of their ongoingsupplier engagement.Audit and risk functions could use theframework to assess the ongoing riskmanagement profile of their publiccloud estate by aligning with bestpractice. Those in security could use itwhen assessing and managing securityfor tools and applications (such asencryption key management).The framework consists of 44 controls,each control is mapped to one ofnine domains and one of eleven risksassociated with the management ofcloud computing as a service.Where applicable, available evidenceshould be sought from the cloudservice provider to support responses.Many thanks to the following institutions: Bank of America Merrill LynchCYBGHSBCLloyds Banking GroupRoyal Bank of Scotland 2019, UK Finance Limited trading as UK Finance SantanderAmazonGoogleMicrosoft

UK FinanceCloud Computing Controls FrameworkIDENTIFIED DOMAINS AND RISKSDomainsAudit assurance and complianceAssuring customer institution that the provider has appropriate businesscontinuity and operational resilience measuresEncryption key managementThe processes, and their management, used to keep customer datasecure and segregated from other tenantsGovernanceThe provider’s internal policies and governance and how they may affectcustomer dataIdentity and access managementAssuring that the appropriate controls can or will be in place to ensurethe security of customer dataLifecycle managementThe lifecycle of data and how it is deleted/removed from the providerSecurity controls on physicalinfrastructure and facilitiesThe physical security of the datacentres where client data and/orsystems are hostedSecurity of cloud networks andconnectionsThe virtual security of the cloud infrastructure and its connections withother systems, whether customers or third partiesSecurity provisions for cloudapplicationsThe virtual security of the cloud applicationsWorkforce security and accessmanagementHow the staff of the provider have been trained to ensure the security ofcustomers’ data 2019, UK Finance Limited trading as UK Finance4

UK FinanceCloud Computing Controls FrameworkRisksBusiness viability of providerCompliance with EU regulation and legislationInability to audit cloud service provider in compliance with clients’ internal policies and regulatory expectationsInability to set or enforce security policy with cloud service providerInability to track or troubleshoot data once it leaves the clientInability to track or troubleshoot data once it leaves the client and/or unauthorised access or leak of unauthoriseddataProvider’s business continuity and disaster recovery readinessSecurity defects in technologyUnauthorised access or leak of customer dataUnauthorised access or leak of proprietary dataVendor lock-in 2019, UK Finance Limited trading as UK Finance5

UK FinanceCloud Computing Controls Framework6DomainControlRisk1Audit assuranceand complianceDo you have an independent function whichperiodically reviews processes and systems forcompliance with policies?Unauthorised access or leak ofcustomer data2Audit assuranceand complianceDo you support forensics and investigations onyour virtual infrastructure?Inability to track or troubleshootdata once it leaves the client3Audit assuranceand complianceDo you have the technical and contractualcapabilities in place to support suchinvestigations?Business viability of provider4Audit assuranceand complianceWill you allow us physical access to yourpremises in the context of audits and does yourcontract provide supervisory audit rights?Inability to audit cloud serviceprovider in compliance withclients’ internal policies andregulatory expectations5Audit assuranceand complianceDescribe how you support a customer thatwants to exit the service? What technical andcontractual means are in place to support this?Vendor lock-in6Audit assuranceand complianceDescribe your contingency plan in case a supplieror partner decides to end the relationshipVendor lock-in7Audit assuranceand complianceWhat are your procedures for securely migratingdata to other cloud platforms or back to theorganisation?Unauthorised access or leak ofcustomer and/or propriety dataand vendor lock-in8Encryption keymanagementPlease detail the cryptographic key managementsystems in place for your cloud services, and arethey governed by a defined and documentedcryptography policy?Unauthorised access or leak ofproprietary data9Encryption keymanagementPlease describe which encryption standards andcertifications are available for the online serviceUnauthorised access or leak ofproprietary data10Encryption keymanagementIs data encrypted at rest and in transit in open/validated formats?Unauthorised access or leak ofproprietary data11Encryption keymanagementDo you use a hardware security module for cloudinfrastructure cryptographic key management? Ifyes, then please answer the following questionUnauthorised access or leak ofproprietary data 2019, UK Finance Limited trading as UK Finance

UK FinanceCloud Computing Controls Framework7DomainControlRisk12Encryption keymanagementIs the HSM certified against FIPS 140-2 or otherstandards and if so, at which level? How doyou manage access and authorisation for keysand certificates stored in these HSMs, and forsubordinate keys protected by the HSM keys?When operating the service, can you ensurethere are no ways to bypass security providedthrough the HSMs when accessing lower-levelencryption keys?Inability to track or troubleshootdata once it leaves the client13GovernancePlease describe how you govern customer datainternallyInability to track or troubleshootdata once it leaves the client14GovernanceAre all actions in the online service audited andare these audit logs available to the customer?How long is this information stored or archived?Provider’s business continuityand disaster recovery readiness15GovernancePlease identify the individual or group, includingexecutive leadership and senior management,who are responsible and accountable forinformation security and business continuitywithin your organisation and detail theirresponsibilitiesProvider’s business continuityand disaster recovery readiness16GovernancePlease outline your disaster recovery andbusiness continuity plans and any relevant testingInability to audit cloud serviceprovider in compliance withclients’ internal policies andregulatory expectations17GovernanceAre your information security policies madeavailable and communicated to staff andcontractors?Inability to audit cloud serviceprovider in compliance withclients’ internal policies andregulatory expectations18GovernanceAre there procedures in place to ensure policiesare reviewed by staff and contractors?Inability to audit cloud serviceprovider in compliance withclients’ internal policies andregulatory expectations19GovernancePlease explain how customer data is governed.Who can access customer data within yourorganisations and what safeguards are in place tocontrol and monitor this?Unauthorised access or leak ofcustomer and/or propriety data 2019, UK Finance Limited trading as UK Finance

UK FinanceCloud Computing Controls Framework8DomainControlRisk20Identity and accessmanagementDo you allow the use of open standards and/or identity federation standards to delegateauthentication capabilities to your tenants?Unauthorised access or leak ofcustomer and/or propriety data21Identity and accessmanagementDo you support identity federation standards asa means of authenticating/authorising users?Unauthorised access or leak ofcustomer and/or propriety data22Identity and accessmanagementDoes your information access managementsystem solution provide for role/context-basedentitlement based upon the classification of dataand the principle of least privileged access?Security defects in technology23Identity and accessmanagementHow do you protect access to administrativeaccounts that give broad access to parts of theservice? Do you ensure that, at as a minimum,any accounts with full administrative privilegerequire multi factor authentication?Unauthorised access or leak ofcustomer and/or propriety data24Identity and accessmanagementAre the information and operating systemsprotected by appropriate organisational andtechnical access controls, including networkaccess control?Unauthorised access or leak ofcustomer and/or propriety data25Identity and accessmanagementAre user credentials for physical and logicalaccess to locations, systems and informationreviewed during defined intervals and arethe requirements contained within a defineddocumented policy?Unauthorised access or leak ofcustomer and/or propriety data26Identity and accessmanagementDo you use generic (non-personalised) accountsand how do you manage them? Do you havepolicies and procedures in place to ensure thatgeneric accounts for systems and applicationsare appropriately managed and monitored at alltimes?Security defects in technology27Identity and accessmanagementDo you have a process ensuring that the useof these generic accounts is kept to a bareminimum?Inability to set or enforcesecurity policy with cloudservice provider28Identity and accessmanagementDo you have a defined and documentedpassword policy that mandates quality passwordcriteria such as length, age, history andcomplexity, as well as global requirements forlockout enforcement and duration?Inability to track or troubleshootdata once it leaves the client 2019, UK Finance Limited trading as UK Finance

UK FinanceCloud Computing Controls Framework9DomainControlRisk29Identity and accessmanagementAre the information access managementrequirements for the provisioned online serviceclearly articulated and documented withappropriate terms?Inability to track or troubleshootdata once it leaves the client30LifecyclemanagementHow does the deletion of data work? Is datasecurely deleted from, but not limited to, yourdata centre storage, contingency sites andbackup media when no longer required?Unauthorised access or leak ofcustomer and/or propriety data31LifecyclemanagementIs the process for the secure deletion of dataautomated (by technical policy or scheduledwork) or is the process manually done byauditable process?Compliance with EU regulationand legislation32Security controlson physicalinfrastructure andfacilitiesDo you have physical and logical securitycontrols around information systems anddatabases to avoid unauthorised access anddetect/prevent potential data leakage?Security defects in technology33Security controlson physicalinfrastructure andfacilitiesWhat is the geographic location and legaljurisdiction of the data centre that will be storingand/or processing customer data?Security defects in technology34Security of cloudnetworks andconnectionsAre your network environments and virtualinstances designed and configured in accordancewith a documented network security policy torestrict and monitor traffic between trusted anduntrusted connections?Security defects in technology35Security of cloudnetworks andconnectionsAre these configurations reviewed at leastannually, and risk assessed to justify use forall allowed services, protocols, ports, and bycompensating controls?Unauthorised access or leak ofcustomer and/or propriety data36Security of cloudnetworks andconnectionsDo you have documented information securitybaselines for every component of your cloudinfrastructure? (e.g. hypervisors, operatingsystems, routers, DNS servers, etc.)Unauthorised access or leak ofcustomer and/or propriety data 2019, UK Finance Limited trading as UK Finance

UK FinanceCloud Computing Controls Framework10DomainControlRisk37Security of cloudnetworks andconnectionsDo you perform regular penetration testing witha CREST approved (or equivalent) penetrationtesting third party or individual, on yourinfrastructure?Unauthorised access or leak ofcustomer and/or propriety data38Security of cloudnetworks andconnectionsDo you ensure there is a log and notifications forall virtual network changes?Unauthorised access or leak ofcustomer and/or propriety data39Security of cloudnetworks andconnectionsDo you ensure that you have a log of informationabout IP traffic going to and from the interfacesof your virtual networks?Vendor lock-in40Security of cloudnetworks andconnectionsDo you also monitor data that is entering orleaving these networks?Unauthorised access or leak ofcustomer and/or propriety data41Security of cloudnetworks andconnectionsAre all DNS services used for the corporate andproduction environments secured in accordancewith good practice, and monitored to detectaccess and changes?Unauthorised access or leak ofcustomer and/or propriety data42Security provisionsfor cloudapplicationsWhen applicable, does your Hardware SecurityModule (HSM) or HSM as a service includecryptographic mechanisms to support securelogging of transactions, data, and events toenable auditing?Inability to audit cloud serviceprovider in compliance withclients’ internal policies andregulatory expectations43Security provisionsfor cloudapplicationsHow do you encrypt information through thedata lifecycle (create, store, transmit, process,archive, backup, destroy)?Inability to track or troubleshootdata once it leaves the clientand/or unauthorised access orleak of unauthorised data44Workforcesecurity and accessmanagementDo you conduct security training for the relevantstaff with appropriate procedures for reportingand acting on unauthorised activity and misuseof confidential information?Unauthorised access or leak ofcustomer data 2019, UK Finance Limited trading as UK Finance

UK FinanceCloud Computing Controls Framework11OUR TEAMDan Crisp, Director, Digital, Technology and Cyber, UK FinanceDan is the Director for Digital, Technology and Cyber at UK Finance, overseeing policyinitiatives including FinTech, cloud computing and data protection. Dan is also focused onprojects to operationalise industry utilities for technology risk and E-ID.Prior to joining UK Finance, Dan was the Chief Operations Officer for Barclays GlobalInformation Security, primarily responsible for the technical integration of globalacquisitions. Dan has also held various senior risk and compliance roles at JP Morgan andCitigroup. Most recently, Dan served as the Chief Technology Risk Officer for BNY Mellonwhere he led the innovation, development and deployment of global technology riskregulatory controls.Dan is a board member for the Internet Security Alliance, a non-executive director forHuntswood and a charter member of the Cloud Security Alliance metrics group. He isalso a mentor at Level 39, Europe’s largest FinTech accelerator and incubator. Dan holdsqualifications from the University of Memphis (USA) and Stanford University (USA). He hasalso completed the Strategic Management Program at Cambridge University (UK).Ian Burgess, Head of Cyber Policy, UK FinanceIan is the Head of Cyber Policy at UK Finance, primarily focused on operationalisingthe Financial Sector Cyber Collaboration Centre (FSCCC), an industry utility designedto promote cyber intelligence sharing amongst financial institutions and increase thecyber resilience of the whole sector. He also leads on cyber security regulatory or policyresponses that impact UK financial services.Most recently Ian was part of the BNY Mellon EMEA technology risk leadershipteam where he led on the development and deployment of a global system to maptechnology risk regulatory controls to global regulations and also managed the redesignof the entire suite of technology risk metrics. Prior to this, having commissioned fromthe Royal Military Academy Sandhurst he served eight years as a British Army Officer,managing complex strategic communications installations and providing leadership andcommunications training.Ian holds a BA (Hons) degree in Business Studies from Coventry University, and is acertified Project Management Professional (PMP), Certified Information Security Manager(CISM) and Certified in Risk and Information Systems Controls (CRISC).Oliver Nelson Smith, Business Analyst, UK FinanceOliver is a business analyst in UK Finance, supporting all areas of the Digital, Technologyand Cyber team. Recent projects have included the business analysis for the strategyand business case of the Financial Sector Cyber Collaboration Centre, creating acomprehensive Actions and Communications tracker, mentoring interns and supportingthe head of the Digital, Technology and Cyber team.Before coming to UK Finance, Oliver had multiple experiences in hospitality, fromcreating a database of venues for Triumph UK, to managing teams of bar staff. He taughtEnglish Speaking in Tokyo, Japan and studied Aeronautic Engineering at the University ofSouthampton. He has a TEFL qualification, a Duke of Edinburgh and was a house prefect atRugby School. 2019, UK Finance Limited trading as UK Finance

UK FinanceCloud Computing Controls Finance1 Angel CourtLondon, EC2R 7HJUnited Kingdom 2019, UK Finance Limited trading as UK Finance

COBIT 5.0, Cloud Security Alliance Guidance, AICPA SOC 1 and EBA Cloud Outsourcing Guidelines. The framework consists of 44 controls, each control is mapped to one of nine domains and one of eleven risks associated with the management of cloud computing as a service. ABOUT THIS FRAMEWORK Many thanks to the following institutions: