
Q!Digitz                                         Vol 1            Aug 2019







The auditor here can ask for the inventory of the mandatory compliance needs of the bank. Depending on the business needs, there could be a set of compliance needs common across all banks, and the rest would be on a case-by-case basis for the specific bank.

- Are all the regulatory and compliance needs satisfied by the CSP? How can that be verified?
- Would the CSP provide certificates that validate adherence to compliance needs?
- Extending along the same lines, can the CSP be audited?
- With the banks, the challenge gets tougher. With increasing globalization and changing financial scenarios, certain compliances that are not applicable now may become mandatory in the near future. For these scenarios, would the CSP have the ability to comply and provide support?

So, in this community cloud, an auditor needs to focus on the specific compliance needs of the bank and the controls the CSP deploys for assurance.

Reliability and Availability - In the digital age, and with features like mobile banking, availability of the applications becomes a very critical factor. CCID (Cloud Computing Incidents Database) has shown Cloud outages ranging from a few minutes to 48 hours, which amply shows that the Cloud is not immune to outages.

In our example of IaaS for a Community Banking Cloud, the IaaS delivery model would be used for computing and storage infrastructure along with certain services like account management, message queue service, database service, etc.

- The auditor should verify the contract to understand the services offered by the CSP and the impact of outages on them.
- Geographical diversity of the data center architecture and its fault tolerance.
- Availability management processes of the CSP and the BCP of the CSP.
- Impact of non-availability of the database on the application and on transactions in process.
- What communication mechanism is agreed between the CSP and the Bank in case of such outages.
- Impact analysis by the bank which has helped to establish the RTO and RPO baselines, and the subsequent agreement by the CSP.
- Contingency plan developed by the Bank for outage periods.

Interoperability and Portability

In the fast-changing business landscape, banks may sometimes need to change the CSP. There could be multiple reasons for doing so. In these scenarios, it makes sense to assess portability and interoperability. Not doing so may cause a risk of being locked in to the vendor.

From an IaaS perspective, the storage capability of the CSP would be of highest concern. Interoperability would not be a major issue with IaaS because the banks would own the applications themselves. Hence, there would be no impact on application interfaces.










