In many ways The Depository Trust & Clearing Corp. (DTCC) is a proprietary cloud provider for the financial sector. Participant firms and exchanges send us the data involved with securities transactions, and we move the money and assets where they need to go. For our clients, this is similar to a “black box,” but it's an immensely reliable and secure black box, on a huge scale. In 2012, our critical systems processed about $1.6 quadrillion dollars within an environment of very strong controls, which we operate at our highest control level – the “gold maturity level.”
Like most large firms, however, the spectrum of risk that we deal with every day ranges from the immaterial, like non-confidential training videos, to the orderly operation of the global financial system, which is systemically important.
DTCC's technology risk management area has been using a maturity modeling scheme to define the target state of technical and operational security controls based on the inherent risk of each of our business processes. In this way, we can leverage the low-cost cloud offerings where risk and control levels match high-risk functions with more controls, and low risk with modest controls.
Those with the highest risk levels need to run in the “gold maturity level” environment where we have total transparency into operations, massive instrumentation and an aggressive level of controls. Other processes for information, such as a training video, could very well be made available on a public cloud, like YouTube or Vimeo.
The challenge and opportunity for us is in deciding if, when and how to use the cloud for everything in between these two extreme points on the risk curve. As a result, we added definitions for three additional maturity levels to the compute environments in our IT portfolio.
Lead maturity levels are used for risk-level functions that are inherently low and require a minimal set of controls to be sufficient, such as for contracts and the provider having a security policy. A bronze maturity level ups the ante for us and requires active security controls, formal incident notification processes, deeper due diligence on operations controls, and monitoring of service-level agreements.
At the silver level, we look for the capability in a provider to make operational and situational awareness linkages to the same systems we use for core gold infrastructure – for example, having select log data flow from a provider to our security event monitoring systems – where we can use our advanced analytic tools to examine for additional threats. We also want to have linkage to the normal IT monitoring tools we use for health and wellness, uptime, and service-level management.
We started out building a cloud strategy and controls assessment of maturity by surveying providers based on our internal controls. This proved less than effective. Most recently, we have begun to use the National Institute of Standards and Technology's Federal Risk and Authorization Management Program (NIST FedRAMP) to map to our controls, as many cloud providers now describe their services against the FedRAMP requirements and have completed its accreditation documentation. This vastly shortens the time it takes us to evaluate providers and can be included in future requests for proposals issued by our businesses.
Mark Clancy is managing director of technology risk management at New York-based The Depository Trust & Clearing Corp. (DTCC), which provides clearing and settlement services to the financial markets.