In recent years, the rapid development and maturation of cloud computing, storage, and application services have driven financial institutions to enhance their digital transformation and service resilience. In August 2023, the Financial Supervisory Commission issued the revised Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation, which primarily adjusts the regulations for financial institutions' cloud operations. These adjustments include a risk-based outsourcing management framework, outsourcing application processes and documentation, cross-border outsourcing, and the scope of cloud outsourcing operations that require regulatory approval.
As a crucial post-trade infrastructure in the financial sector, TDCC has established remote backup and recovery mechanisms and continuously conducts operational drills for a range of scenarios, while strengthening its capability to respond to extreme situations so as to minimize the risk of service interruption. Given the diverse development of its service areas, including stock custody, futures and bond settlement, and the transition from B2B to B2B2C models, safeguarding the core data of these businesses is vital to protecting the public's property rights held through financial institutions. Using cloud services to enhance backup and recovery mechanisms is therefore a significant issue in digital transformation.
Chief Audit Executive Olivia Chang of the Internal Auditing Department was invited to this year's Google Cloud Security Forum, where she took part in a fireside chat with MediaTek Chief Audit Executive Kirin Liu. In this article I extend that discussion from the perspective of cybersecurity audit and risk management in cloud environments.
Photo: 2024 Google Cloud Security Forum
(From left to right: Google Cloud Security Sales Director Scott Wang, MediaTek CAE Kirin Liu, ASUS CISO Robert Chin, TDCC CAE Olivia Chang, Portto CTO Hao Chang)
1.Who Determines Cyber Security?
The participants in this year's cloud security forum discussed information security from both management and technical perspectives, and from an audit standpoint they examined how companies can balance risk and efficiency. The Three Lines of Defense Model proposed by the Institute of Internal Auditors (IIA) makes clear that information security is not a matter for a single person or unit to decide: the CIO, CTO and CISO, and also the CAE, each have a role and a duty, and it is through their cooperation that a company can manage the cybersecurity risks brought by emerging technologies and build a strong cybersecurity culture.

From an audit perspective, I support the use of cloud services and related applications, because they allow a company to install, configure and allocate hardware and software resources flexibly and efficiently, so that it can concentrate on its core competencies. The key is that each stage, before adopting the cloud, during use, and after migration, has matters that need special attention: whether a comprehensive risk and impact assessment has been conducted, whether review and monitoring mechanisms have been established, and whether emergency response measures have been planned.

When planning audit operations, auditors should first evaluate the scope of the cloud services the enterprise uses, for example whether core or critical systems are involved (the system operation perspective) and whether customer personal data is involved (the privacy protection perspective), then identify the potential risks in these processes and assess whether the control measures are adequate. Audit items should comply with the relevant laws and regulations on information security and privacy protection and refer to industry guidelines or standards. At the same time, auditors should deepen their understanding of practical operations alongside their knowledge of the regulations, so that they can formulate appropriate audit plans and items, verify them against the organization's current status, and provide suitable audit findings. In this way the third line of defense in risk control can be effectively implemented. Example audit items include:
- Sensitive data protection measures as well as identity verification and access control,
- Logging and analyzing system activity logs and abnormal behavior reporting processes,
- Cybersecurity testing, patching records and malicious activity review,
- System workload and usage analysis.
2.Utilizing Emerging Technologies to Hunt Cyber Threats
With the development of AI and cloud computing, the participants noted that developers make extensive use of cloud-based code hosting platforms. Beyond making it easier to track and manage code version history, the main benefit is that members of the development team can collaborate and make changes more easily, and project managers can follow overall development progress more efficiently. From an audit perspective, the control mechanisms around such cloud environments are crucial: sensitive corporate data stored in the cloud (for example source code and business logic), if not adequately protected, may be exposed to unauthorized access or leakage. Auditors can use digital tools to support audit work, such as Cloud Security Posture Management (CSPM) tools that perform continuous compliance checks and automated audits of cloud environments to verify that configurations are secure. Continuous monitoring and anomaly detection also allow misconfigurations, unauthorized access and account hijacking to be identified promptly, which strengthens the controls over access principles, configuration settings, network controls, traffic analysis and the response to intrusions.
The checks performed by such tools should be mapped to a recognized cybersecurity standard, such as the Critical Security Controls published by the Center for Internet Security (CIS). This allows the organization to select the appropriate control items and audit them according to the type of cloud information asset involved (e.g., applications, data, devices, networks and users).
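As an added illustration of the monitoring and anomaly detection described above (example code written for this page, not a TDCC, Google or CSPM vendor tool), the Python script below runs two simple rules over a handful of constructed audit-log entries whose field names are modeled on Google Cloud Audit Log records: a privileged change such as SetIamPolicy is flagged on its own, and a privileged change made shortly after a principal first appears from an IP address outside its known baseline is escalated as a possible account hijacking. The baseline, the sample entries, the principal names, the set of methods treated as privileged and the ten-minute window are all assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

# Assumption: the methods this example treats as privileged changes.
SENSITIVE_METHODS = {"SetIamPolicy", "google.iam.admin.v1.CreateServiceAccountKey"}
# Assumption: a privileged change within this interval of a principal's first
# sighting from an unknown source IP is treated as a possible hijacked account.
WINDOW = timedelta(minutes=10)

# Constructed baseline of source IPs previously seen for each principal.
BASELINE_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.11"},
    "carol@example.com": {"203.0.113.12"},
}

# Constructed sample entries (not exported logs). Field names follow the shape of
# Cloud Audit Log records (timestamp, protoPayload.methodName,
# protoPayload.authenticationInfo.principalEmail, protoPayload.requestMetadata.callerIp);
# all other fields are omitted for brevity.
SAMPLE_LOG = """\
{"timestamp": "2024-05-20T09:00:00+00:00", "protoPayload": {"methodName": "storage.buckets.list", "authenticationInfo": {"principalEmail": "alice@example.com"}, "requestMetadata": {"callerIp": "203.0.113.10"}}}
{"timestamp": "2024-05-20T09:01:00+00:00", "protoPayload": {"methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "bob@example.com"}, "requestMetadata": {"callerIp": "203.0.113.11"}}}
{"timestamp": "2024-05-20T09:02:00+00:00", "protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "carol@example.com"}, "requestMetadata": {"callerIp": "198.51.100.7"}}}
{"timestamp": "2024-05-20T09:05:00+00:00", "protoPayload": {"methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "carol@example.com"}, "requestMetadata": {"callerIp": "198.51.100.7"}}}
"""


def parse_entries(text):
    """Parse JSON-lines audit entries into flat dicts, sorted by timestamp."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        payload = raw["protoPayload"]
        entries.append({
            "ts": datetime.fromisoformat(raw["timestamp"]),
            "principal": payload["authenticationInfo"]["principalEmail"],
            "method": payload["methodName"],
            "ip": payload["requestMetadata"]["callerIp"],
        })
    return sorted(entries, key=lambda e: e["ts"])


def make_alert(severity, rule, entry):
    return {
        "severity": severity,
        "rule": rule,
        "principal": entry["principal"],
        "method": entry["method"],
        "ip": entry["ip"],
        "ts": entry["ts"].isoformat(),
    }


def detect(entries, baseline=BASELINE_IPS):
    """Apply the two rules in timestamp order and return the alerts raised."""
    alerts = []
    first_new_source = {}  # principal -> time first seen from a non-baseline IP
    for e in entries:
        new_source = e["ip"] not in baseline.get(e["principal"], set())
        if new_source:
            first_new_source.setdefault(e["principal"], e["ts"])
        sensitive = e["method"] in SENSITIVE_METHODS
        seen_new = first_new_source.get(e["principal"])
        if sensitive and seen_new is not None and e["ts"] - seen_new <= WINDOW:
            # Privileged change shortly after an unfamiliar source appeared.
            alerts.append(make_alert("high", "possible_account_hijack", e))
        elif sensitive:
            # Routine privileged change: worth a review, not an incident by itself.
            alerts.append(make_alert("medium", "privileged_change", e))
        elif new_source:
            alerts.append(make_alert("low", "new_source", e))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_entries(SAMPLE_LOG)):
        print(f"[{a['severity']:<6}] {a['rule']:<24} {a['principal']} {a['method']} from {a['ip']} at {a['ts']}")
```

In a real deployment the baseline would be built from historical logs rather than hard-coded, and the alerts would feed the abnormal behaviour reporting process listed among the audit items above; the point here is that the correlation of an unfamiliar source with a privileged change is what separates a reviewable event from a likely incident.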
Examples of precautions to take when using cloud environments include:
- Multi-factor authentication not enabled: multi-factor authentication is especially recommended for accounts with elevated access, such as administrative accounts (Admin, root) or accounts with write and delete permissions, and phishing-resistant methods (for example FIDO2 security keys) should be preferred.
- Inadequate segregation of production and development environments: when deploying resources in the cloud, separate the production environment from the development and testing environments, and pay attention to how user accounts are grouped and which permissions are granted to each group, so that development accounts do not carry production privileges.
- No restriction on connecting devices: when connecting to the cloud environment, restrict the devices that may be used, manage them in a device registry, and limit connections to specific network source addresses.
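The three precautions above are the kind of checks a CSPM tool automates. As an added example (written for this page; not a TDCC, Google or CSPM vendor tool), the Python below runs them offline against a constructed, simplified inventory snapshot: privileged accounts without MFA or with MFA that is not phishing-resistant, groups that hold roles in both production and non-production projects, and production access policies that do not limit source network ranges. The inventory format, the project and group names, and the sets of role names and MFA types are all assumptions made for the example.

```python
import ipaddress

# Assumptions for the example: which roles count as privileged and which MFA
# types count as phishing-resistant.
PRIVILEGED_ROLES = {"owner", "editor", "admin"}
PHISHING_RESISTANT_MFA = {"fido2", "passkey", "hardware_key"}

# Constructed inventory snapshot; its shape is an assumption, not a real CSPM export.
INVENTORY = {
    "projects": {
        "tdcc-prod": {"env": "prod"},
        "tdcc-dev": {"env": "dev"},
    },
    "groups": {
        "cloud-admins": {"members": ["alice@example.com", "bob@example.com"]},
        "developers": {"members": ["carol@example.com"]},
    },
    # Which group holds which role in which project.
    "bindings": [
        {"project": "tdcc-prod", "group": "cloud-admins", "role": "owner"},
        {"project": "tdcc-dev", "group": "cloud-admins", "role": "owner"},
        {"project": "tdcc-dev", "group": "developers", "role": "editor"},
    ],
    "users": {
        "alice@example.com": {"mfa": "fido2"},
        "bob@example.com": {"mfa": "none"},
        "carol@example.com": {"mfa": "totp"},
    },
    # Allowed source ranges per project; an empty list means no restriction.
    "access_policies": [
        {"project": "tdcc-prod", "allowed_cidrs": []},
        {"project": "tdcc-dev", "allowed_cidrs": ["203.0.113.0/24"]},
    ],
}


def finding(control, severity, subject, detail):
    return {"control": control, "severity": severity, "subject": subject, "detail": detail}


def privileged_users(inv):
    """Users who hold a privileged role in any project through a group binding."""
    users = set()
    for b in inv["bindings"]:
        if b["role"] in PRIVILEGED_ROLES:
            users.update(inv["groups"][b["group"]]["members"])
    return users


def check_mfa(inv):
    """Precaution 1: privileged accounts must have MFA, preferably phishing-resistant."""
    findings = []
    for user in sorted(privileged_users(inv)):
        mfa = inv["users"].get(user, {}).get("mfa", "none")
        if mfa == "none":
            findings.append(finding("mfa", "high", user, "privileged account has no MFA"))
        elif mfa not in PHISHING_RESISTANT_MFA:
            findings.append(finding("mfa", "medium", user, f"MFA type '{mfa}' is not phishing-resistant"))
    return findings


def check_segregation(inv):
    """Precaution 2: no group should hold roles in both production and non-production projects."""
    envs_by_group = {}
    for b in inv["bindings"]:
        env = inv["projects"][b["project"]]["env"]
        envs_by_group.setdefault(b["group"], set()).add(env)
    return [
        finding("segregation", "high", group,
                f"group holds roles in production and in {sorted(envs - {'prod'})}")
        for group, envs in sorted(envs_by_group.items())
        if "prod" in envs and len(envs) > 1
    ]


def check_network_restriction(inv):
    """Precaution 3: production access must be limited to registered source ranges."""
    findings = []
    for pol in inv["access_policies"]:
        if inv["projects"][pol["project"]]["env"] != "prod":
            continue
        cidrs = pol["allowed_cidrs"]
        # No ranges at all, or a catch-all range like 0.0.0.0/0, is unrestricted.
        unrestricted = not cidrs or any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)
        if unrestricted:
            findings.append(finding("network", "high", pol["project"],
                                    "production access is not limited to registered source ranges"))
    return findings


def run_checks(inv):
    return check_mfa(inv) + check_segregation(inv) + check_network_restriction(inv)


if __name__ == "__main__":
    for f in run_checks(INVENTORY):
        print(f"[{f['severity']:<6}] {f['control']:<12} {f['subject']}: {f['detail']}")
```

Each check is mapped to one precaution so that a finding can be traced back to the control item being audited; a real CSPM run would read the inventory from the provider's APIs instead of an in-memory dict, but the logic of the checks is the same.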
3.Conclusion
Considering the development trends in the financial industry, the Internal Auditing Department anticipates that cloud services may be adopted in the future. In response to the changes in system architecture and in the corporate network boundary that cloud adoption may bring, the Internal Auditing Department is committed to continuously studying the application of cloud cybersecurity audits so that risk control is implemented and strengthened effectively. We aim to align with TDCC's business development timeline, with corporate resilience as the core concept, gradually integrating digital tools into internal audit operations and achieving a step-by-step digital transformation that raises the effectiveness of internal audit.