Security and Operational Controls for a Public Cloud Service in a Financial Institution

doi: 10.32567/hm.2024.4.11

Abstract

Today, cloud computing services are growing very fast. Among the main reasons for this are the increasing competition and innovation in the market, the increased demand for resources in IT systems and the demand for more complex knowledge-based solutions. Deploying a server and performing the associated tasks on your own infrastructure can often take weeks or months, while the same process takes only a few minutes with a cloud service provider. The use of cloud services has become commonplace for anyone using mobile devices, and for financial institutions this technology is becoming inevitable in the short term. On the criteria examined, if an organisation carefully selects a service provider on the basis of legal, technical and information security criteria, and then monitors its operations on an ongoing basis, there is no reason why a financial institution should not use public cloud services. It is important to stress, however, that our analysis did not cover all possible risk factors.

Keywords:

public cloud, operational security audit, information security, logical and physical controls

How to cite

Oláh, I., & Magyar, S. (2025). Security and Operational Controls for a Public Cloud Service in a Financial Institution. Hadmérnök, 19(4), 153–165. https://doi.org/10.32567/hm.2024.4.11
