The Fintech Open Source Foundation (FINOS), part of The Linux Foundation, announced that FINOS Common Cloud Controls (FINOS CCC), a set of open standards that describes consistent controls for compliant cloud deployments in the financial services sector, is now open sourced through FINOS under the Community Specification License.
Built upon the approach developed by FINOS member Citi and following the formation phase which started in July, FINOS CCC is officially open for participation and contribution at github.com/finos/common-cloud-controls.
FINOS Common Cloud Controls creates a unified set of cybersecurity, resiliency, and compliance controls for common services across the major cloud service providers (CSPs). In developing a unified taxonomy of common services and associated threats, the project also sets out to alleviate the systemic risk of cloud concentration within the financial services industry.
The announcement comes on the heels of the project’s three-month formation phase, during which FINOS members, including more than 100 participants from 20+ financial institutions, cloud service providers, technology vendors, industry associations, and regulatory bodies, were invited to start shaping the open standard’s roadmap to ensure broad representation of all constituents involved in the shared responsibility model.
“The financial services industry pace of cloud adoption has been drastically accelerating for some time now, yet there has been no truly open standardization in the risk mitigation approach when it comes to cybersecurity concerns, cloud vendor lock-in, and response to regulatory inquiries, until now,” said Gabriele Columbro, executive director of FINOS and general manager of Linux Foundation Europe, in a statement. “This goes to show these issues are very much top of mind in the industry’s C-Suite, and regulators alike, as we saw the White House put out an RFI on harmonizing cybersecurity controls just weeks after FINOS CCC’s launch.”
“The open sourcing of FINOS Common Cloud Controls marks a groundbreaking milestone not only in cloud computing, but for the entire financial services industry,” said Jim Adams, chief technology officer at Citi, in a statement. “This project leverages the power of collaboration to address critical challenges, and will establish consistent industry-standard controls for essential Cloud Service Provider (CSP) solutions.”
“The importance of establishing open standards for cloud deployment in financial services cannot be understated… The FINOS CCC project is an essential component of this,” said Phil Venables, chief information security officer at Google Cloud, in a statement.
“Financial service companies around the globe expect high-assurance, resilient cloud ecosystems able to accommodate the security needs of highly regulated markets,” said Michaela Iorga, OSCAL strategic director and senior cloud security technical lead at NIST. “Working through FINOS with both financial services companies and cloud service providers, we will define threat-resilient common security baselines for the cloud ecosystems harboring financial data and services, setting in this way the foundation for standards-based assessment automation and continuous monitoring with NIST’s Open Security Controls Assessment Language (OSCAL).”
Member organizations that have participated in FINOS CCC’s formation and definition phase include Adaptive, BMO, Citi, Container Solutions, ControlPlane, Discover, GitHub, GitLab, Goldman Sachs, Google Cloud, Leading Point, Lloyds Banking Group, London Stock Exchange Group (LSEG), Morgan Stanley, NatWest Group, Red Hat, Royal Bank of Canada (RBC), Scott Logic, Societe Generale, Symphony, and Wellington Management. ComplianceCow and StormForge, new members to FINOS, have joined to participate in and contribute to FINOS CCC specifically.