This course aims to provide a general introduction to cloud computing, within the context of IT outsourcing. The goal is to prepare someone to assume the role of “Cloud Officer” as per CSSF Circular 17/654 and be responsible for the use of cloud services, understanding the competences of the staff managing cloud computing resources.
At the end of the training, participants will be able to:
-Describe different governance models supporting IT outsourcing to a public cloud provider
-Explain the different cloud platform service delivery models
-Describe how risk is managed within the context of a “shared security model” with a cloud provider
-The role of Cloud Officer
- Risk Management (Territoriality,…)
- GDPR journey
- Outsourcing Framework
-Overview of Cloud Technologies
-Cloud risks (and shared security/Responsibility models)
-Vendor/Supplier Management/Third Party Risk Management
- Notification to the CSSF (authorization request, discontinuation, etc.)
-Applicability of the Circular
-Requirements of the CSSF
(IT) GRC (Governance Risk Compliance)
Client Notification and Consent
-ISCR complies with data protection regulations
Necessity to inform the Competent Authority
Management of outsourced risks
Right to Audit
Performance of the right to audit
Establishing and completing the Register
Particular case of Investment fund managers
-Individuals who are going to be a Cloud Officer
-IT supervisors of organizations using or contemplating cloud use
-Internal Audit (as requested by CSSF)
-Members of credit institutions and PFS within the meaning of the Law of 5 April 1993 on the Financial Sector (“LFS”).
-Members of payment institutions and electronic money institutions within the meaning of the Law of 10 November 2009 on payment services (“LFS”)
-Members of investment fund partners subject to Circular CSSF 18/698.
This course does not present the concepts of Google Cloud, AWS, Microsoft Azure, IBM and other providers; the APIs (Application Programming Interfaces) or other connectors used by these or other providers will not be discussed.
It is simply impossible to go into more depth, particularly at the level of each connector (API), application, environment and IT strategy, in order to explain whether or not there must be a prior declaration to the CSSF: the ramifications and exceptions between the different types of connectors in an ever-changing environment are complex.
The low-level analysis of an IT architecture with connectors operating in a public cloud will only be approached if this does not hinder the progress of the course for all stakeholders, and according to the architectural knowledge of the trainer on this part.
The course will allow you to understand how to fill in the Cloud Register and to identify the processes revolving around it. However, in a large majority of cases, this register must be completed with internal or external IT teams or even the various providers, which the trainer cannot avoid.
In view of the time allotted and the complexity of each organization's architectures and infrastructures, this course will not be considered as consultancy.