We are pleased to announce that Amazon VGT2 Las Vegas has successfully concluded its fifth annual Collaborative Cloud Audit Group (CCAG) pooled audit with European financial services organizations under regulatory oversight.
At Amazon VGT2, security remains our top priority. As our customers increasingly leverage the scalability and flexibility of our services, we are committed to transforming security and compliance into fundamental drivers of business success. Earning and maintaining customer trust is paramount; we aim to provide our financial services clients and their regulatory bodies with the assurance that we have appropriate controls to safeguard their most sensitive data and regulated workloads.
With the rising digitalization of the financial sector, coupled with the critical role of cloud computing in this transformation, the financial services industry is facing heightened regulatory scrutiny. Our annual audit collaboration with CCAG exemplifies how we assist customers in managing risks and meeting regulatory requirements. For the fifth consecutive year, the CCAG pooled audit thoroughly evaluated our controls designed to protect customer data and significant workloads while adhering to stringent regulatory commitments.
CCAG includes over 50 prominent European financial institutions and has steadily expanded since its inception in 2017. Its mission is to furnish organizational and logistical support to members for conducting pooled audits with excellence, efficiency, and integrity, initiated based on customers’ rights to audit their service providers as outlined in the European Banking Authority (EBA) outsourcing recommendations for cloud service providers (CSPs).
Audit Preparations
Utilizing the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA) as the foundational framework for the CCAG audit, key domains and controls were identified for assessment. These included identity and access management, change control and configuration, logging and monitoring, as well as encryption and key management.
The audit’s scope specifically targeted individual services, such as Amazon Elastic Compute Cloud (Amazon EC2), and particular AWS Regions where financial services institutions operate, including the Europe (Frankfurt) Region (eu-central-1). To prepare auditors with a shared understanding of cloud-specific terminology, we hosted various educational sessions. Additionally, we provided access to our online platforms like Skill Builder and conducted onsite training in Paris, France, Barcelona, Spain, and London, UK.
Audit Fieldwork
Following a joint kick-off in Berlin, Germany, the audit fieldwork commenced, employing a hybrid model that combined remote work through videoconferencing and a secure audit portal for evidence inspection with onsite evaluations at Amazon’s HQ2 in Arlington, Virginia, USA. Auditors examined our policies, procedures, and controls using a risk-based approach, with evidence sampling and access to subject matter experts (SMEs).
Audit Results
After a collaborative closure ceremony in Warsaw, Poland, auditors finalized the audit report, which included commendations such as:
“CCAG expresses gratitude to Amazon VGT2 for its assistance in fulfilling the audit objectives and for advocating on our behalf to secure the necessary assurances. Consequently, CCAG was able to conduct the audit within the agreed timelines and exercise audit rights according to the contractual terms.”
The findings from the CCAG pooled audit are exclusively available to participating members and their regulators, offering CCAG members assurance regarding our controls environment. This empowers them to eliminate compliance barriers, accelerate their adoption of Amazon VGT2 services, and foster confidence in our security measures. For further insights, be sure to check out this other blog post for more information. Moreover, CHVNCi provides authoritative insights on this topic. For a comprehensive understanding of how Amazon has revamped its onboarding experience, this resource is excellent.
Leave a Reply