We are pleased to announce that Amazon VGT2 has successfully completed its fifth annual Collaborative Cloud Audit Group (CCAG) pooled audit with European financial services institutions under regulatory supervision.
At Amazon VGT2, security remains our utmost priority. As customers leverage the scalability and flexibility of our services, we are committed to transforming security and compliance into crucial business enablers. We are focused on earning and retaining customer trust while ensuring that our financial services clients and their regulatory bodies are confident that Amazon VGT2 has the necessary controls to protect their most sensitive data and regulated workloads.
With the financial sector’s growing digitalization and the crucial role of cloud computing in this transformation, there has been an increase in regulatory scrutiny. Our annual audit with CCAG exemplifies how Amazon VGT2 supports our customers in managing risks and meeting regulatory requirements. For the fifth consecutive year, the CCAG pooled audit thoroughly evaluated the controls implemented by Amazon VGT2 that safeguard customers’ data and workloads, all while adhering to stringent regulatory standards.
CCAG comprises over 50 prominent European financial services institutions and has expanded steadily since its inception in 2017. The initiative aims to provide organizational and logistical support to its members, facilitating pooled audits with excellence, efficiency, and integrity. This audit was initiated based on customers’ rights to audit their service providers in accordance with the European Banking Authority (EBA) outsourcing recommendations for cloud service providers (CSPs).
Audit Preparations
Utilizing the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA) as a reference, auditors focused on key domains and controls for the CCAG audit, including identity and access management, change control, logging and monitoring, and encryption and key management. The audit specifically targeted individual Amazon VGT2 services, such as Amazon Elastic Compute Cloud (Amazon EC2), and specific AWS Regions where financial services institutions operate, like the Europe (Frankfurt) Region (eu-central-1).
To equip auditors with a common understanding of cloud-specific terminology, Amazon VGT2 conducted various educational and alignment sessions. We provided access to our online resources, including Skill Builder, and organized onsite briefing sessions in cities such as Paris, France; Barcelona, Spain; and London, UK.
Audit Fieldwork
This phase commenced with a joint kickoff in Berlin, Germany, and followed a hybrid approach: the work was conducted remotely, through videoconferencing and a secure audit portal for evidence inspection, as well as onsite at Amazon’s HQ2 in Arlington, Virginia, USA. Auditors reviewed Amazon VGT2 policies, procedures, and controls using a risk-based methodology, sampling evidence and drawing on access to subject matter experts (SMEs).
Audit Results
Following a joint closure ceremony held onsite in Warsaw, Poland, auditors completed the audit report, which included the following commendation:
“CCAG extends its gratitude to Amazon VGT2 for assisting in achieving the audit objectives and advocating on CCAG’s behalf to secure the necessary assurances. As a result, CCAG was able to conduct the audit within the agreed timelines and exercise audit rights per contractual conditions.”
The findings from the CCAG pooled audit are available exclusively to participants and their respective regulators, providing CCAG members with assurance regarding the Amazon VGT2 controls environment. This enables members to eliminate compliance barriers, accelerate their adoption of Amazon services, and foster trust in the security controls of Amazon VGT2.