
AWS completes CCAG 2023 community audit for financial services customers in Europe

We’re excited to announce that Amazon Web Services (AWS) has completed its fifth annual Collaborative Cloud Audit Group (CCAG) pooled audit with European financial services institutions under regulatory supervision.

   <p>At AWS, <a href="https://aws.amazon.com/security" target="_blank" rel="noopener">security</a> is the highest priority. As customers embrace the scalability and flexibility of AWS, we’re helping them evolve security and compliance into key business enablers. We’re obsessed with earning and maintaining customer trust, and providing our financial services customers and their regulatory bodies with the assurances that AWS has the necessary controls in place to help protect their most sensitive material and regulated workloads.</p> 
   <p>With the increasing digitalization of the financial industry, and the importance of cloud computing as a key enabling technology for digitalization, the financial services industry is experiencing greater regulatory scrutiny. Our annual audit engagement with CCAG is an example of how AWS supports customers’ risk management and regulatory efforts. For the fifth year, the CCAG pooled audit meticulously assessed the AWS controls that enable us to help protect customers’ data and material workloads, while satisfying strict regulatory obligations.</p> 
   <p>CCAG represents more than 50 leading European financial services institutions and has grown steadily since its founding in 2017. Its mission is to provide organizational and logistical support to members so that they can conduct pooled audits with excellence, efficiency, and integrity. The CCAG audit was initiated based on customers’ right to conduct an audit of their service providers under the European Banking Authority (EBA) <a href="https://www.eba.europa.eu/sites/default/documents/files/documents/10180/2170121/5fa5cdde-3219-4e95-946d-0c0d05494362/Final%20draft%20Recommendations%20on%20Cloud%20Outsourcing%20%28EBA-Rec-2017-03%29.pdf?retry=1" target="_blank" rel="noopener">outsourcing recommendations to cloud service providers (CSPs)</a>.</p> 
   <h2>Audit preparations</h2> 
   <p>Using the <a href="https://cloudsecurityalliance.org/research/cloud-controls-matrix/" target="_blank" rel="noopener">Cloud Controls Matrix (CCM)</a> of the <a href="https://cloudsecurityalliance.org/" target="_blank" rel="noopener">Cloud Security Alliance (CSA)</a> as the framework of reference for the CCAG audit, auditors scoped in key domains and controls to audit, such as identity and access management, change control and configuration, logging and monitoring, and encryption and key management.</p> 
   <p>The scope of the audit targeted individual AWS services, such as <a href="https://aws.amazon.com/ec2/" target="_blank" rel="noopener">Amazon Elastic Compute Cloud (Amazon EC2)</a>, and specific <a href="https://aws.amazon.com/about-aws/global-infrastructure/regions_az/" target="_blank" rel="noopener">AWS Regions</a> where financial services institutions run their workloads, such as the Europe (Frankfurt) Region (<span>eu-central-1</span>).</p> 
   <p>During this phase, to help provide auditors with a common cloud-specific knowledge and language base, AWS held various educational and alignment sessions. We offered access to our online resources such as <a href="https://skillbuilder.aws/" target="_blank" rel="noopener">Skill Builder</a>, and delivered onsite briefing and orientation sessions in Paris, France; Barcelona, Spain; and London, UK.</p> 
   <h2>Audit fieldwork</h2> 
   <p>This phase started after a joint kick-off in Berlin, Germany, and used a hybrid approach, with work occurring remotely through the use of videoconferencing and a secure audit portal for the inspection of evidence, and onsite at <a href="https://www.aboutamazon.com/news/amazon-offices/amazon-headquarters-hq2-arlington-virginia-photos" target="_blank" rel="noopener">Amazon’s HQ2</a>, in Arlington, Virginia, in the US.</p> 
   <p>Auditors assessed AWS policies, procedures, and controls, following a risk-based approach and using sampled evidence and access to subject matter experts (SMEs).</p> 
   <h2>Audit results</h2> 
   <p>After a joint closure ceremony onsite in Warsaw, Poland, auditors finalized the audit report, which included the following positive feedback:</p> 
   <table width="100%"> 
    <tbody> 
     <tr> 
      <td width="100%"> <p><em>“CCAG would like to thank AWS for helping in achieving the audit objectives and to advocate on CCAG’s behalf to obtain the required assurances. In consequence, CCAG was able to execute the audit according to agreed timelines, and exercise audit rights in line with contractual conditions.”</em></p></td> 
     </tr> 
    </tbody> 
   </table> 
   <p>The results of the CCAG pooled audit are available to the participants and their respective regulators only, and provide CCAG members with assurance regarding the AWS controls environment, enabling members to work to remove compliance blockers, accelerate their adoption of AWS services, and obtain confidence and trust in the security controls of AWS.</p> 