FCA in UK publishes Guidance to overcome barriers to cloud entry


The Financial Conduct Authority (FCA) in Britain has published a Guidance which sets out the rules and regulations that apply when outsourcing to the cloud.

The Guidance, which was published in PDF format, is open for comments or proposals until 12 February 2016. It will then reach its final form and be published on the FCA website. The FCA asks for responses to be sent by email to itoutsourcing@fca.org.uk.

The Guidance is said to have been prompted by demands from stakeholders, including firms and cloud service providers, who were unsure how the FCA applies its rules relating to outsourcing to the cloud. Through roundtable discussions and other interactions with firms and cloud service providers, the FCA reached the conclusion that "this uncertainty may be acting as a barrier to firms using the cloud."

The FCA defined its understanding of the term "Cloud" and its aim in introducing the Guidance with the following words:

"‘Cloud’ is a broad term, and stakeholders have interpreted it differently. The FCA sees the cloud as encompassing a range of IT services provided in various formats over the internet. This includes, for example, private, public or hybrid cloud, as well as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Cloud services are constantly evolving. Our aim is to avoid imposing inappropriate barriers to firms’ ability to outsource to innovative and developing areas, while ensuring that risks are appropriately identified and managed."

The FCA described the risks involved in outsourcing to the cloud as follows:

"There are particular risks associated with outsourcing to the cloud which differ from traditional outsourcing arrangements, and these risks primarily affect the degree of control exercised by the firm. Cloud customers may have less scope to tailor the service provided.

"Cloud customers may also have to accept that cloud service providers move their data around; however, in some cases, cloud customers may be able to specify which overall geographic region in which their data is stored.

"Firms should also consider the risks associated with outsource service providers who may contract out part of their operation to other cloud providers. This may occur without the firm initially realising."

Full Guidance pdf document can be obtained from the link