
Confidential

Page 1 of 47

10006603-2

HONG KONG – INSURANCE COMPANIES

GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE TO INSURANCE COMPANIES USING CLOUD COMPUTING (AZURE)

Last update: November 2014

1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?

This guidance document provides a guide to complying with the regulatory process and requirements applicable to insurance companies (“ICs”) using cloud computing. Note that other financial service institutions are subject to separate regulation in Hong Kong. Microsoft has prepared a guidance document for other financial service institutions which is available on request.

Sections 2 to 6 of this guidance set out information about the regulatory process and the regulations that apply.

Section 7 sets out questions in relation to outsourcing to a cloud services solution based on the laws, regulations and guidance that are relevant to the use of cloud services. Although there is no requirement to complete a checklist like this one, we have received feedback from financial service institutions that a checklist approach like this is very helpful. The checklist can be used:

(i) as a checklist for ensuring regulatory compliance with the requirements set out in the laws, regulations and guidelines (listed in Section 2); and
(ii) as a tool to aid discussions with the regulator(s) (listed in Section 3), should they wish to discuss your organization’s overall approach to compliance with their requirements.

Annex One also contains a list of the points that ICs should “consider” when negotiating the contract for cloud computing services.

Note that this document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment on the part of Microsoft or its affiliates. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your technology outsourcing project and your legal and regulatory obligations. If you have any questions, please do not hesitate to get in touch with your Microsoft contact.

2. WHAT REGULATIONS AND GUIDANCE ARE RELEVANT?

The IA has developed a Guidance Note on Outsourcing which sets out the issues that the IA expects an IC to take into account in formulating and monitoring outsourcing arrangements generally. The IA has not produced any specific guidance in relation to cloud services.

3. WHO IS/ARE THE RELEVANT REGULATOR(S)?

The Insurance Authority in Hong Kong (“IA”)

4. IS REGULATORY APPROVAL REQUIRED IN HONG KONG?

No.

The IA does not require ICs to obtain prior approval before engaging service providers to provide cloud services.

5. IS/ARE THERE (A) SPECIFIC FORM OR QUESTIONNAIRE(S) TO BE COMPLETED?

No.

Unlike in certain jurisdictions, such as Singapore, there are no specific forms or questionnaires that an IC must complete when considering cloud computing solutions.

6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?

No.


The IA does not specifically mandate contractual requirements that must be agreed by ICs with their service providers. However, the Guidance Note on Outsourcing does contain a long list of matters that it says that ICs should “consider” when negotiating the contract. Appendix One contains a comprehensive list and details of where in the Microsoft contractual documents these points are covered.


7. CHECKLIST

Key:

In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the point raised in the checklist. Some points are specific to your own internal operations and processes and you will need to complete these answers as well.

In red italics, Microsoft has provided guidance to assist you with the points in the checklist.

Ref. Question/requirement Template response and guidance

A. OVERVIEW

Part IV to the IA Guidance Note on Outsourcing requires ICs to provide certain information regarding any ‘material outsourcing arrangement’[1] within 30 days of entering into such an agreement. This section will assist you with this process as well as providing background and context information to the rest of this document. The details of the commencement date will be agreed in the contract.

[1] For the IA’s definition of ‘material outsourcing arrangement’, see section 7 below.

1. Who is the Service Provider?

The Service Provider is Microsoft Operations Pte Ltd, the regional licensing entity for Microsoft Corporation, a global provider of information technology devices and services, which is publicly-listed in the USA (NASDAQ: MSFT). Microsoft’s full company profile is available here: https://www.microsoft.com/en-us/news/inside_ms.aspx.

2. What service is being outsourced?

Through adoption of Microsoft’s “Azure” product, which is described in more detail here: Azure. Amongst other things, the Azure service includes:
Compute
Data & Storage
Networking
Identity & Access Management
IT support services.

3. Where will the outsourced services be performed?

You may need to amend this depending on the final solution that you decide on.

Microsoft informs us that it takes a regional approach to hosting of Azure data. Microsoft is transparent in relation to the location of our data. Microsoft data center locations are made public on the Microsoft Trust Center.

Microsoft enables customers to select the region that it is provisioned from. Under the OST, Microsoft commits that if a customer provisions its tenant in the United States or EU, Microsoft will store the customer’s data at rest in the United States or EU, as applicable.

The table below will need to be amended depending on the specific solution that you are taking up.

# | Locations of Data Centre | Classification of DC: Tier I, II, III or IV | Storing your organization’s data (Y/N)
1. | | |
2. | | |

B. OUTSOURCING POLICY

4. Prior to the outsourcing of services, an IC should develop an outsourcing policy, approved by the Board of Directors. The IC should have appropriate documentation of its outsourcing policy and ensure that procedures are in place such that all relevant staff of the IC are fully aware of and comply with the outsourcing policy.

IA Guidance Note on Outsourcing, Section 10 and Section 11. The IA requires that ICs have in place a comprehensive policy on outsourcing duly approved by the board of directors of the IC. This will differ from one organization to another but the IA expects that this will cover the following specific points:
(a) The objectives of the outsourcing and criteria for approving an outsourcing arrangement;
(b) The framework for evaluating the materiality of outsourcing arrangements;
(c) The framework for a comprehensive assessment of risks involved in outsourcing;
(d) The framework for monitoring and controlling outsourcing arrangements;
(e) The identities of the parties involved and their roles and responsibilities in approving, assessing and monitoring the outsourcing arrangements and how those responsibilities may be delegated and details of any authority limits; and
(f) The review mechanism to ensure the outsourcing policy and the monitoring and control procedures are capable of accommodating changing circumstances of the IC and catering for market, legal and regulatory developments.

5. The IC should develop a framework for assessing the materiality of an outsourcing arrangement. The assessment of what is material may involve qualitative judgement and depends on the circumstances of the IC concerned.

IA Guidance Note on Outsourcing, Section 13. The IA deems a “material outsourcing” to be “an outsourcing arrangement which if disrupted or falls short of acceptable standards, would have the potential to significantly impact on an IC’s financial position, business operation, reputation or its ability to meet obligations or provide adequate services to policy holders or to conform with legal and regulatory requirements.” The IA expects you to be able to demonstrate that you have considered the materiality of the outsourcing in relation to at least the following factors:
(a) Impact on financial position, business operation and reputation of the IC if the outsourced service is disrupted or falls short of acceptable standards;
(b) Impact on the ability of the IC to maintain adequate internal controls and comply with legal and regulatory requirements if the outsourced service is disrupted or falls short of acceptable standards;
(c) Cost of outsourcing as a proportion to the total operating costs of the IC; and
(d) Degree of difficulty and time required to find alternative Service Provider or to bring the outsourced service in-house if necessary.

6. The IC should regularly conduct reviews on the materiality of its outsourcing arrangements. If it is reassessed to be material, the IC should notify the IA forthwith.

IA Guidance Note on Outsourcing, Section 13. It would be usual to undertake such a reassessment whenever there is a change in scope; otherwise, annual reviews may be appropriate.

C. ACCOUNTABILITY

7. In any outsourcing arrangement, the Board of Directors and management of ICs should retain ultimate accountability for the outsourced activity.

IA Guidance Note on Outsourcing, Section 8. We would suggest including a list, setting out the position of the key people involved in the selection and any decision-making and approvals processes used.

Management in our organization has been involved throughout to ensure that the project aligns with our organization’s overall business and strategic objectives. At the center of our objectives are of course legal and regulatory compliance and customer satisfaction and these were the key objectives that management had in mind when it considered this project. We are satisfied that this solution will ensure legal and regulatory compliance because of the key features (including the security and regulator audit rights) forming part of the Azure service. We are also satisfied that customer satisfaction will be maintained because we believe that Azure will actually have some major benefits for our IT operations and, accordingly, improve the overall service that we are able to provide to customers.

8. Outsourcing can allow management to transfer their day-to-day managerial responsibility, but not accountability, for an activity or a function to a service provider. ICs should therefore continue to retain ultimate control of the outsourced activity.

IA Guidance Note on Outsourcing, Section 9.

The handing over of certain day to day responsibility to an outsourcing provider does present some challenges in relation to control. Essential to us is that, despite the outsourcing, we retain control over our own business operations, including control of who can access data and how they can use it. At a contractual level, we have dealt with this via our contract with Microsoft, which provides us with legal mechanisms to manage the relationship including appropriate allocation of responsibilities, oversight and remedies. At a practical level, we have selected the Azure product since it provides us with control over data location, authentication and advanced encryption controls. We (not Microsoft) will continue to own and retain all rights to our data and our data will not be used for any purpose other than to provide us with the Azure services.

D. RISK ASSESSMENT

9. The IC should ensure that the proposed outsourcing arrangement has been subject to a comprehensive risk assessment (in respect of financial, operational, legal and reputation risks and any potential losses to the customers in the event of a failure by the SP to perform) and that all the risks identified have been adequately addressed before launch.

IA Guidance Note on Outsourcing, Section 15. Clearly the IA expects that your organization would have carried out a risk assessment. In summary, this would need to include:
risk identification;
analysis and quantification of the potential impact and consequences of these risks;
risk mitigation and control strategy; and
ongoing risk monitoring and reporting.

Ideally this should also include all of the items listed in the next section. If you have any questions when putting together a risk assessment, please do not hesitate to get in touch with your Microsoft contact.

Yes, led by our management we have carried out a thorough risk assessment of the move to Azure. This risk assessment included:
[ ];
[ ]; and
[ ].

[A copy of the risk assessment can be provided to the IA upon request.]

10. Specifically, the risk assessment should cover inter alia the following: the impact on the IC’s risk profile (in respect of operational, legal and reputation risks and potential losses to the customers in the event of a failure) of the outsourcing.

See IA Guidance Note on Outsourcing, Section 15.

Yes, the risk assessment covered this.

Operational risk: We managed this through our choice of service provider (see for example, question 14), the controls we have in place to manage our relationship with the service provider (for example, our contractual agreement, service levels, access to a Microsoft technical account manager and the regulator rights of audit and inspection that we have in place) and our own internal controls (for example, our business continuity and disaster recovery plans).

Legal risk: We have in place with Microsoft a legally-binding agreement regarding our respective roles and responsibilities in respect of the outsourcing. We chose Microsoft for this project because we believe it can help us to comply with our legal obligations – for example, the fact that Microsoft permits data audits by regulators was a key advantage over other cloud solutions that we considered.

Reputational risk: We chose Microsoft because of its reputation in this sector. It is an industry leader in cloud computing. Azure was built based on ISO/IEC 27001 standards and was the first major business productivity public cloud service to have implemented the rigorous set of global standards covering physical, logical, process and management controls.

Risk of loss to customers in the event of a failure: The outsourcing will not involve critical functions so the risks are greatly minimized in this respect. In addition, Microsoft’s accredited systems and processes mean that there are robust procedures in place to prevent, detect and quickly act in relation to any service issues that do arise.

11. After ICs implement an outsourcing arrangement (or renew or vary one), they should regularly re-perform this assessment.

IA Guidance Note on Outsourcing, Section 16. The IA wants an assurance that you plan to re-perform the assessment (e.g. annually).

Yes. We will conduct regular reviews of the outsourcing [at least annually].

E. ABILITY OF THE SERVICE PROVIDER

12. Before selecting a service provider ICs should perform due diligence on the Service Provider (including considering factors such as aggregate exposure to the Service Provider, possible conflict of interests that may arise and price vis a vis the benefit gained in assessing and selecting a Service Provider).

IA Guidance on Outsourcing, Section 17.

We have undertaken a thorough due diligence of Microsoft’s processes and procedures in relation to Azure and no concerns have arisen including as to aggregate exposure and conflicts of interest.

As part of Microsoft’s certification requirements, they are required to undergo regular independent third party auditing and Microsoft shares with us the independent third party audit reports. Microsoft also agrees as part of the compliance program to customer right to monitor and supervise. We are confident that such arrangements provide us with the appropriate level of up-front and on-going assessment of Microsoft’s ability to meet our policy, procedural, security control and regulatory requirements.

13. ICs should conduct an (at least) annual assessment to confirm the adequacy of the Service Provider to ascertain whether it can continue to provide the expected level of service.

IA Guidance Note on Outsourcing, section 18. The IA expects that you repeat your assessment of the adequacy of the Azure solution at least once a year. If you require any input from Microsoft, please do not hesitate to get in touch with your Microsoft contact.

14. In assessing a provider, apart from the cost factor and quality of services ICs should take into account the provider’s (a) financial soundness (and ability to continue to provide the expected level of service), (b) reputation, experience and quality of service, (c) managerial skills, (d) technical capabilities, (e) operational capability and capacity, (f) any licence, registration, permission or authorization required by law to perform the outsourced service, (g) compatibility with the IC's corporate culture and future development strategies, (h) familiarity with the insurance industry and (i) capacity to keep pace with innovation in the market.

IA Guidance Note on Outsourcing, section 17.

(a) Financial Soundness: Microsoft Corporation is publicly-listed in the United States and is amongst the world’s largest companies by market capitalization. Microsoft’s audited financial statements indicate that it has been profitable for each of the past three years. Its market capitalization is in the region of USD 280 billion. Accordingly, we have no concerns regarding its financial strength.

(b) Reputation: Microsoft is an industry leader in cloud computing. Azure was built based on ISO/IEC 27001 standards and was the first major business productivity public cloud service to have implemented the rigorous set of global standards covering physical, logical, process and management controls. 40% of the world’s top brands use Azure. Some case studies are available on the Microsoft website.

(c) Managerial skills: The fact that Microsoft already manages these services for financial institutions in leading markets around the world and that it has achieved an ISO/IEC 27001 accreditation (which, amongst other things, assesses management controls) gives us confidence that it has the necessary managerial skills.

(d) Technical capabilities: Microsoft’s ISO/IEC 27001 accreditation confirms that it has the technical capability required for the service.

(e) Operational capability and capacity: Microsoft has demonstrated its operational capability through its reputation (including the fact that 40% of the world’s top brands use Azure) and its ISO/IEC 27001 accreditation and we have no concerns as to its operational capacity as it is one of the largest providers of cloud computing services in the world.

(f) Licence, registration, permission or authorization required by law to perform the outsourced service: We are not aware of any licence, registration, permission or authorization required by the SP to perform the services that it does not already have in place. The SP is already providing such services to numerous financial institutions around the world.

(g) Compatibility with the IC’s corporate culture and future development strategies: We are confident that the use of Azure will align well with our corporate culture and the fact that the service is scalable (i.e. it can be expanded or reduced to meet our demand) means that it is compatible with our future development strategy.

(h) Familiarity with the insurance industry: FSI including insurance company customers in leading markets, including in the UK, France, Germany, Australia, Hong Kong, Canada, the United States and many other countries have performed their due diligence and, working with their regulators, are satisfied that Azure meets their respective regulatory requirements. This gives us confidence that the service provider is able to help meet the high burden of financial services regulation and is experienced in meeting and understanding these requirements. Where you have taken it up you may also add: [This is further evidenced by Microsoft’s Compliance Framework Program which shows that Microsoft has given consideration to the unique requirements of the insurance industry (see further details below).]

(i) Capacity to keep pace with innovation in the market: Microsoft has the financial, operational and managerial capacity to lead innovation in the cloud computing market and it has demonstrated this to date.

F. OUTSOURCING AGREEMENT

15. An outsourcing arrangement should be undertaken in the form of a legally binding written agreement.

IA Guidance Note on Outsourcing, Section 19.

We have in place a legally binding written agreement. This is in the form of Microsoft’s Service Level Agreement (“SLA”) and its Business and Services Agreement. Amongst other things, they provide details of the contractual liabilities and obligations of Microsoft (one of which is a contractual uptime guarantee for Azure).

Please find a copy of the SLA at: http://azure.microsoft.com/en-us/support/legal/sla/

Microsoft’s Business and Services Agreement (“MBSA”) is available upon request.

16. The IC should consider the following when negotiating the contract:
(a) Scope of the outsourced service;
(b) Location where the outsourced service will be performed;
(c) Effective period of the outsourcing arrangement;
(d) Contractual obligations and liabilities of the IC and the Service Provider;
(e) Performance standards to be attained in respect of the outsourced service. This is particularly appropriate when the IC has committed to a service standard or performance pledge to its customers;
(f) Reporting or notification requirements that the IC may wish to impose on the Service Provider;
(g) The way in which the IC and the Service Provider should monitor the performance under the agreement (e.g. evaluation of performance through service delivery reports, periodic self-certifications, independent reviews by the IC’s or the service provider’s auditors);
(h) Information and asset ownership rights, information technology security and protection of confidential information;
(i) Rules and restrictions on sub-contracting of the outsourced service. The IC should retain the ability to maintain similar control over its outsourcing risks when a Service Provider uses a sub-contractor;
(j) Remedial action and escalation process for dealing with inadequate performance;
(k) Contingency planning of the Service Provider to provide business continuity for the outsourced service;
(l) Management and approval process for changes to the outsourcing arrangement;
(m) Conditions under which the IC or Service Provider can terminate the outsourcing agreement;
(n) Termination agreement, including intellectual property and information rights and clarification of the process to ensure the smooth transfer of the outsourced service either to another Service Provider or back to the IC;
(o) Guarantee or indemnity from the Service Provider (e.g. an indemnity to the effect that any sub-contracting by the Service Provider of the outsourced service will be the responsibility of the Service provider including liability for any failure on the part of the sub-

IA Guidance Note on Outsourcing, Section 19.

Taking each of the points in turn:

(a) Scope of the outsourced service: See responses to questions 2 and 3 above. The contract pack comprehensively sets out the scope of the arrangement and the respective commitments of the parties. The online services are ordered under the Enterprise Enrolment (“EA”), and the order will set out the online services and relevant prices. The services are broadly described, along with the applicable usage rights, in the product list and the Online Services Use Rights (“OSUR”). The services are described in detail in the service description, which is not part of the contract. However, Microsoft makes functionality commitments to us in the FSA which is incorporated into the contract, and as a minimum the online services will meet that commitment during the term of the contract.

(b) Location where the outsourced service will be performed: See response to question 4 above.

(c) Effective period of the outsourcing arrangement: EAs have a three year term, and may be renewed for a further three year term.

(d) Reporting or notification requirements that the IC may wish to impose on the Service Provider: See response to (f) below.

(e) Performance standards: See in particular the detailed performance standards and commitments set out in the SLA and the MBSA above. These specify clearly the performance standards of Microsoft (for example, uptime) and other obligations of Microsoft (for example, its obligations to provide access in the event of an audit/inspection). They also cover clearly the issue of software and hardware ownership (the software and hardware are both owned by Microsoft but use of the software and hardware are licensed to us as users of the Azure service).

(f) Reporting or notification requirements: As detailed below, Microsoft actually provides real time information to us via the administrative dashboard. In our agreement with Microsoft, it agrees that it will notify us if it becomes aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident.

(g) Performance monitoring: The extent of the rights to monitor performance that Microsoft provides was a key differentiator with other service providers and a reason why we selected Microsoft. We may monitor the performance of the online services via the administrative dashboard, which includes information as to Microsoft compliance with its SLA commitments. Under the Online Service Terms (“OST”), which are incorporated into the contract, we can review the manner in which Microsoft provides the online services. As set out on page 13 of the OST, we are entitled to access the Microsoft Online Information Security Policy, which is the document where Microsoft sets out its information security management processes. Microsoft also commits to providing the customer with a summary of Microsoft’s annual audit report, which is performed by an independent third party and measures compliance against Microsoft’s certifications.

(h) Information, security and protection of confidential information: The agreement ensures that we will retain the rights in all of our intellectual property and data. MBSA clause 3 deals with confidentiality. MBSA clause 11m states that Microsoft and the customer each commit to comply with all applicable privacy and data protection laws and regulations. We retain the ability to access our customer data at all times, and Microsoft will deal with customer data in accordance with EA clause 6c(iv). In summary: following termination Microsoft will (unless otherwise directed by the customer) delete the customer data after a 90 day retention period. Finally, from a technical perspective the wide availability and usage of Microsoft’s products means that customer data can be extracted in a format that is readily reusable. Microsoft also makes specific commitments with respect to customer data in the OST. In summary Microsoft commits that:
Ownership of customer data remains at all times with us (see OST, page 8).
Customer data will only be used to provide the online services to us. Customer data will not be

used for any other purposes, including for advertising or other commercial purposes (see OST,

page 8).

Microsoft will not disclose customer data to law enforcement unless it is legally obliged to do so,

and only after not being able to redirect the request to the customer (see OST, page 8).

Microsoft will implement and maintain appropriate technical and organizational measures,

internal controls, and information security routines intended to protect customer data against

accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction (see

OST, page 8 and pages 11-13 for more details).

Microsoft will notify us if it becomes aware of any security incident, and will take reasonable

steps to mitigate the effects and minimize the damage resulting from the security incident (see

OST, page 9).

Microsoft commits to reimburse our reasonable remediation costs incurred as a consequence of

a security incident involving customer data (see FSA under “Security Incident Notification”).

See also the responses further on in this document in relation to security and confidentiality.

(i) Rules and restrictions on sub-contracting: Page 9 of the OST states as follows: “Use of

Page 17: HONG KONG INSURANCE COMPANIES GUIDANCE ON …download.microsoft.com/download/B/4/3/B4334FB1-E... · B. OUTSOURCING POLICY 4. Prior to the outsourcing of services, an IC should develop

Confidential

Page 17 of 47

10006603-2

Ref. Question/requirement Template response and guidance

contractor;

(p) Requirement for the Service

Provide to hold relevant insurance;

(q) Mechanism to resolve disputes that

might arise under the outsourcing

arrangement;

(r) The Service Provider’s agreement

to allow the access by the auditors

and actuaries of the IC and the IA to

any books, records and information

which facilitated them to discharge

their statutory duties and

obligations;

(s) Governing law of the outsourcing

agreement. The agreement should

preferably be governed by Hong

Kong law.

Subcontractor: Microsoft may hire subcontractors to provide services on its behalf. Any such

subcontractors will be permitted to obtain Customer Data only to deliver the services Microsoft

has retained them to provide and will be prohibited from using Customer Data for any other

purpose. Microsoft remains responsible for its subcontractors’ compliance with Microsoft’s

obligations in the OST. Customer has previously consented to Microsoft’s transfer of Customer

Data to subcontractors as described in the OST.” In addition, Microsoft maintains a list of

authorized subcontractors for the online services that have access to customer data and

provides customers with a mechanism to obtain notice of any updates to that list (OST, page

11), The actual list is published on the applicable Trust Center.

(j) Remedial action and escalation process: See our response below in relation to remedial

action and escalation processes for dealing with inadequate performance.

(k) Contingency planning and business continuity: Business Continuity Management forms

part of the scope of the accreditation that Microsoft remains in relation to the online services,

and Microsoft commits to maintain a data security policy that complies with these accreditations

(see OST page 13). Business Continuity Management also forms part of the scope of

Microsoft’s annual third party compliance audit. See also our response below in relation to

contingency planning.

(l) Management and approval of change: Changes to the MBSA have to be agreed by the

parties in writing. You may also wish to consider your own internal approval/sign-off processes

for changes.

(m) Termination: EA clause 6 deals with termination, and the EA may also be terminated in

accordance with EA clause 7c. If the EA is terminated, this will terminate all products and

services, except to the extent that the customer has perpetual rights. Online services may also

Page 18: HONG KONG INSURANCE COMPANIES GUIDANCE ON …download.microsoft.com/download/B/4/3/B4334FB1-E... · B. OUTSOURCING POLICY 4. Prior to the outsourcing of services, an IC should develop

Confidential

Page 18 of 47

10006603-2

Ref. Question/requirement Template response and guidance

be terminated or suspended in the circumstances described in clause 7d of the EA, and as

specified in the OSUR.

(n) Termination issues and transfer: In the event of cessation, we can either move back on

premise or to an alternate Service Provider. Microsoft is contractually required to hold our data

for an agreed period to enable such transition to occur in an orderly manner. In relation to any

data and assets of ours, post termination, Microsoft uses best practice procedures and a wiping

solution that is NIST 800-88 compliant. For hard drives that can’t be wiped it uses a destruction

process that destroys it (i.e. shredding) and renders the recovery of information impossible

(e.g., disintegrate, shred, pulverize, or incinerate). The appropriate means of disposal is

determined by the asset type. Records of the destruction are retained. All Microsoft Online

Services utilize approved media storage and disposal management services. Paper documents

are destroyed by approved means at the pre-determined end-of-life cycle. Secure disposal or

re-use of equipment and disposal of media is also covered under the ISO/IEC 27001 standards

against which Microsoft is certified.

(o) Liability for sub-contracting: MBSA clause 6 deals with liability. Microsoft remains liable for

the actions and inactions of its sub-contractors. MBSA clause 5 sets out Microsoft’s obligation

to defend the regulated entity against third party infringement and breach of confidence claims.

Microsoft’s liability under clause 5 is unlimited.

(p) Insurance requirement: MBSA clause 10 deals with insurance. In practice, Microsoft

maintains self-insurance arrangements for much of the areas where third party insurance is

typically obtained. Microsoft has taken the commercial decision to take this approach, and does

not believe that this detrimentally impacts upon its customers given that Microsoft is an

extremely substantial entity.

Page 19: HONG KONG INSURANCE COMPANIES GUIDANCE ON …download.microsoft.com/download/B/4/3/B4334FB1-E... · B. OUTSOURCING POLICY 4. Prior to the outsourcing of services, an IC should develop

Confidential

Page 19 of 47

10006603-2

Ref. Question/requirement Template response and guidance

(q) Disputes handling: MBSA clause 11 contains provisions that describe how a dispute under the

contract is to be conducted.

(r) Auditor access: Microsoft provides extensive audit and examination rights for the IA. This is a

key differentiator as against the rights provided by other service providers and a key reason for

us deciding to use Microsoft. The OST specifies the audit and monitoring mechanisms that

Microsoft puts in place in order to verify that the online services meet appropriate security and

compliance standards. In addition, the FSA details the examination and influence rights that are

granted to the customer and IA. The “Regulator Right to Examine” sets out a process which can

culminate in the regulator’s examination of Microsoft’s premises. The customer also has the

opportunity to participate in the Microsoft Online Services Customer Compliance Program,

which is a for-fee program that facilitates the customer’s ability to (a) assess the services’

controls and effectiveness, (b) access data related to service operations, (c) maintain insight

into operational risks of the services, (d) be provided with additional notification of changes that

may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on

areas for improvement in the services.

Microsoft also offers a Compliance Framework Program. If you take-up the Compliance

Framework Program, you may add this additional information about its key features: the

regulator audit/inspection right, access to Microsoft’s security policy, the right to participate at

events to discuss Microsoft’s compliance program, the right to receive audit reports and

updates on significant events, including security incidents, risk-threat evaluations and significant

changes to the business resumption and contingency plans.

(s) Governing law: Our contract with Microsoft is subject to Washington State law [upon which we

have obtained separate legal advice to ensure that we are comfortable with the protection and

Page 20: HONG KONG INSURANCE COMPANIES GUIDANCE ON …download.microsoft.com/download/B/4/3/B4334FB1-E... · B. OUTSOURCING POLICY 4. Prior to the outsourcing of services, an IC should develop

Confidential

Page 20 of 47

10006603-2

Ref. Question/requirement Template response and guidance

control afforded to us].

G. SUB-CONTRACTING

17. The IC should put in place adequate procedures to control and monitor any sub-contracting arrangements and ensure that the Service Provider will take into account the essential issues covered in this document as if it was the IC concerned when further contracting out the service.

IA Guidance Note on Outsourcing, Section 29.

Microsoft does use sub-contractors to provide certain ancillary assistance, but not for any critical path roles. An up-to-date list of all subcontractors used to provide the ancillary services (including exact services) is available at http://azure.microsoft.com/en-us/support/trust-center/.

18. The IC should incorporate in the outsourcing agreement rules and restrictions on sub-contracting, e.g. requiring the IC’s prior consent for the sub-contracting and making the Service Provider liable for the capability of the sub-contractor.

IA Guidance Note on Outsourcing, Section 30.

Our contract with Microsoft, as detailed above, states that Microsoft remains responsible for its subcontractors’ compliance with the contract. All subcontractors used have entered into written agreements with Microsoft requiring that the subcontractor abide by terms no less protective than the relevant parts of the contract we have with Microsoft. The list of all subcontractors is available for us to see.

19. The IC should ensure that its Service Provider would not engage in sub-contracting arrangements which may impede its ability to carry out the provisions of the outsourcing agreement with the IC, in particular, the requirements on information confidentiality, contingency planning and information access right by the regulator.

IA Guidance Note on Outsourcing, Section 30.

Microsoft assures us that it would not engage in sub-contracting arrangements which would impede such ability. In particular, it assures us that it contractually obligates its subcontractors to security and privacy standards equivalent to its own, and Microsoft subcontractors only handle our data when required to provide or maintain the services. Nothing in such arrangements would prevent us from meeting obligations that we may have in relation to contingency planning and information access rights by the regulator. In particular, our contract with Microsoft states that subcontractors are prohibited from using customer data other than for the purposes of delivering the specific services they have been retained to provide and that any subcontractors to whom Microsoft transfers Customer Data, even those used for storage purposes, will have entered into written agreements with Microsoft requiring that the subcontractor abide by terms no less protective than the data and confidentiality provisions of our contract with Microsoft.

H. CUSTOMER DATA CONFIDENTIALITY

20. ICs should ensure that the proposed outsourcing arrangement complies with relevant statutory requirements (e.g. the Personal Data (Privacy) Ordinance (“PDPO”)) and common law customer confidentiality.

IA Guidance Note on Outsourcing, Section 21.

We are confident that the proposed use of Azure complies with relevant statutory requirements, including the PDPO and common law customer confidentiality requirements.

Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and controls on par with or better than the on-premises data centers of even the most sophisticated organizations. In relation to the PDPO, Azure includes the following features and commitments from Microsoft to ensure compliance with the requirements of the PDPO: (i) Microsoft will not use our data for any purposes other than providing the services; (ii) Microsoft has security policies, controls and security measures which are verified by independent auditors. These measures include security features on its hardware, software and physical data center, and restricted physical data center access; Azure is ISO/IEC 27001 compliant and data is encrypted on the network as it is transmitted between the data center and a user; (iii) Microsoft will inform us promptly if our data has been accessed improperly; (iv) our data will be deleted at the end of the service term, once we have been able to take a copy of our data as necessary.

Azure offers a wide range of data encryption capabilities up to AES-256. Options include .NET cryptographic services, Windows Server public key infrastructure (PKI) components, Active Directory Rights Management Services (AD RMS), and BitLocker for data import/export scenarios.

Networks within the Azure data centers are segmented to provide physical separation of critical back-end servers and storage devices from the public-facing interfaces. Edge router security provides the ability to detect intrusions and signs of vulnerability. Azure uses industry-standard transport protocols such as SSL and TLS between user devices and Microsoft data centers, and within data centers themselves. With virtual networks, the industry-standard IPsec protocol can be used to encrypt traffic between the corporate VPN gateway and Azure. Encryption can be enabled for traffic between VMs and end users.

In addition, Microsoft commits to comply with ISO/IEC 27018. In February 2015, Microsoft became the first major cloud provider to adopt the world’s first international standard for cloud privacy, ISO/IEC 27018. The standard was developed by the International Organization for Standardization (ISO) to establish a uniform, international approach to protecting privacy for personal data stored in the cloud. The British Standards Institute (BSI) has now independently verified that Microsoft is aligned with the standard’s code of practice for the protection of Personally Identifiable Information (PII) in the public cloud. The controls set out in ISO/IEC 27018 match the protections required by the PDPO. For more information on this, follow this link.

In choosing Microsoft, we also took into account the fact that Microsoft offers access and audit rights, thereby allowing us to comply with our regulatory obligations in this respect.

21. ICs should have controls in place to ensure that the requirements of customer data confidentiality are observed and proper safeguards are established to protect the integrity and confidentiality of customer information.

IA Guidance Note on Outsourcing, Section 21.

As above, Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and controls on par with or better than the on-premises data centers of even the most sophisticated organizations. Azure was built based on ISO/IEC 27001 standards, a rigorous set of global standards covering physical, logical, process and management controls. In particular:

- We have contractual confidentiality terms in our agreements with Microsoft.
- We would expect to have a breach of contract claim in the event of a breach of confidentiality.
- Data storage and processing is segregated through Active Directory structure and capabilities specifically developed to help build, manage, and secure multi-tenant environments. Active Directory isolates customers using security boundaries (also known as silos). This safeguards a customer’s data so that the data cannot be accessed or compromised by other parties.
- Microsoft applies strict controls over which personnel roles and personnel will be granted access to customer data. Personnel access to the IT systems that store customer data is strictly controlled via role-based access control (“RBAC”) and lock box processes. Access control is an automated process that follows the separation of duties principle and the principle of granting least privilege. This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a background screen, fingerprinting, required security training and access approvals. In addition, the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems.
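The access-gating process described in the last point (eligibility prerequisites, RBAC role scoping, separation of duties, business justification and periodic review) modelled as a small policy evaluator an IC could use when assessing its own or a provider's controls. This is an added illustration, not Microsoft's code or its lock box implementation; the prerequisite names, roles, systems and the 90-day review interval are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Eligibility prerequisites every requester must have completed before access
# to systems holding customer data is even considered (assumed names, following
# the requirements the text lists: background screen, fingerprinting, training).
REQUIRED_ELIGIBILITY = frozenset({"background_screen", "fingerprinting", "security_training"})

# Least privilege: each role is limited to the systems it exists to operate.
# Role and system names are constructed for this example.
ROLE_SYSTEMS = {
    "storage-operator": {"blob-store"},
    "sql-operator": {"sql-cluster"},
}

# Assumed periodic-review interval; a grant must be re-justified once it lapses.
REVIEW_PERIOD = timedelta(days=90)


@dataclass(frozen=True)
class Engineer:
    name: str
    eligibility: frozenset   # prerequisites already completed
    roles: frozenset         # roles assigned through RBAC


@dataclass(frozen=True)
class AccessRequest:
    requester: Engineer
    system: str
    role: str
    justification: str
    approver: str            # separation of duties: must be someone else
    requested_on: date


@dataclass(frozen=True)
class Grant:
    engineer: str
    system: str
    role: str
    granted_on: date
    review_due: date


def evaluate(req: AccessRequest) -> Tuple[Optional[Grant], List[str]]:
    """Apply the gate. Every unmet condition is recorded so the requester sees
    the full list; a grant is issued only when no reasons remain."""
    reasons: List[str] = []
    missing = REQUIRED_ELIGIBILITY - req.requester.eligibility
    if missing:
        reasons.append("missing eligibility: " + ", ".join(sorted(missing)))
    if req.role not in req.requester.roles:
        reasons.append(f"role {req.role!r} is not assigned to {req.requester.name}")
    if req.system not in ROLE_SYSTEMS.get(req.role, set()):
        reasons.append(f"role {req.role!r} does not cover system {req.system!r}")
    if not req.justification.strip():
        reasons.append("business justification is required")
    if req.approver == req.requester.name:
        reasons.append("separation of duties: a request cannot be self-approved")
    if reasons:
        return None, reasons
    return Grant(req.requester.name, req.system, req.role,
                 req.requested_on, req.requested_on + REVIEW_PERIOD), []


def grants_due_for_review(grants: List[Grant], today: date) -> List[Grant]:
    """Periodic review: grants whose review date has passed must be
    re-justified or revoked, so that access does not outlive its need."""
    return [g for g in grants if g.review_due <= today]


# Constructed sample data for a stand-alone run.
ALICE = Engineer("alice", frozenset(REQUIRED_ELIGIBILITY), frozenset({"storage-operator"}))
BOB = Engineer("bob", frozenset({"background_screen", "security_training"}),
               frozenset({"sql-operator"}))
DAY0 = date(2014, 11, 3)

if __name__ == "__main__":
    ok_req = AccessRequest(ALICE, "blob-store", "storage-operator",
                           "ticket 42: repair stuck replication", "carol", DAY0)
    grant, why = evaluate(ok_req)
    print("alice:", grant, why)
    bad_req = AccessRequest(BOB, "blob-store", "sql-operator", "", "bob", DAY0)
    print("bob:", evaluate(bad_req)[1])
    print("due for review:", grants_due_for_review([grant], grant.review_due))
```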

22. ICs should notify their customers in general terms of the possibility that their data may be outsourced and the circumstances under which their data may be disclosed or lost.

IA Guidance Note on Outsourcing, Section 22. Where you have existing outsourcing arrangements in place you would already have such notifications in place. If so, contracting for O365 should not require additional notifications. Microsoft recommends that you seek legal advice on your privacy policies and consent mechanisms to ensure that they comply with applicable law. If you require any information from Microsoft please do get in touch with your Microsoft contact.


23. In the event of a termination of the outsourcing agreement, for whatever reason, ICs should ensure that all customer data is either retrieved from the service provider or destroyed.

IA Guidance Note on Outsourcing, Section 22.

As detailed above, Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that can’t be wiped it uses a destruction process (i.e. shredding) that renders the recovery of information impossible (e.g., disintegrate, shred, pulverize, or incinerate). The appropriate means of disposal is determined by the asset type. Records of the destruction are retained. All Microsoft Online Services utilize approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end of their life cycle. Secure disposal or re-use of equipment and disposal of media is covered under the ISO/IEC 27001 standards against which Microsoft is certified.

24. ICs should notify the IA forthwith of any unauthorized access or breach of confidentiality by the Service Provider or its sub-contractor that affects the IC or its customers.

IA Guidance Note on Outsourcing, Section 23. This is an internal process matter. However, please note that nothing in your contractual arrangement with Microsoft would prevent or hinder your obligation to do so.

I. MONITORING AND CONTROL

25. ICs should have sufficient and appropriate resources in place to monitor and control the outsourcing arrangements at all times. Such monitoring should cover, inter alia, ensuring that the service is being delivered in the manner expected and ensuring that the provisions included in the outsourcing agreement are properly effected.

IA Guidance Note on Outsourcing, Section 24 and 24(c). You may also in this context wish to refer to any internal monitoring procedures you are putting in place.

Our IT administrators also have access to the Azure Service Health Dashboard, which provides real-time and continuous monitoring of the Azure service. The Service Health Dashboard provides our IT administrators with information about the current availability of each service or tool (and the history of its availability status), details about service disruptions or outages, and scheduled maintenance times. The information is also provided via an RSS feed.

Amongst other things, Microsoft provides a contractual uptime guarantee for the Azure product and covers performance monitoring and reporting requirements which enable us to monitor Microsoft’s performance on a continuous basis against service levels.

Please find a copy of the SLA at:

http://azure.microsoft.com/en-us/support/legal/sla/

26. The IC should maintain a central list of the outsourcing arrangements including the name of the Service Provider, service outsourced, commencement date, expiry or renewal date, and contact details of key Service Provider personnel. The list should also record similar information relating to any sub-contracting arrangement of the outsourced service.

IA Guidance Note on Outsourcing, Section 24(b). The IA is looking for assurance that you have these records. The information we have included at the top of this document will assist with this in conjunction with the information contained in our contractual arrangements.

27. Responsibility for monitoring the service provider and the outsourced activity should be assigned to staff with appropriate expertise.

IA Guidance Note on Outsourcing, Section 24(a). If requested by the IA, Microsoft would suggest that you provide details of the relevant personnel and a brief summary of their experience.

28. The control procedures over the outsourcing arrangement should be subject to regular audits by the IC (at least annually).

IA Guidance Note on Outsourcing, Section 21(d) and 25. The IA expects that your internal audit function would regularly review the outsourcing arrangement, so you will need to confirm this. Nothing in your contract with Microsoft would hinder this.

29. ICs should establish reporting procedures which can promptly escalate problems relating to the outsourced activity to the attention of the management of the IC and their service providers. The IC should then take appropriate rectification actions forthwith if deficiencies are identified.

IA Guidance Note on Outsourcing, Section 25. Below are details of the escalation processes that Microsoft provides. You should add to this your own escalation processes and any commitments to rectify issues that are identified.

Service Provider Escalation

As part of the support we receive from Microsoft we have access to a technical account manager who is responsible for understanding our challenges and providing expertise, accelerated support and strategic advice tailored to our organization. This includes both continuous hands-on assistance and immediate escalation of urgent issues to speed resolution and keep mission-critical systems functioning. We are confident that such arrangements provide us with the appropriate mechanisms for managing performance and problems.

30. The IC should notify the IA forthwith of any significant problem that has the potential to materially affect its financial position, business operation or compliance with legal and regulatory requirements.

IA Guidance Note on Outsourcing, Section 25. The IA is looking for a commitment that you will do this. Nothing in your contract with Microsoft would hinder you from complying with this.

J. CONTINGENCY PLANNING

31. ICs should develop a contingency plan to ensure that its business would not be disrupted as a result of undesired contingencies (e.g. systems failure) of the service provider. This should also include procedures to be followed and the people responsible for respective activities if business continuity problems arise.

IA Guidance Note on Outsourcing, Section 26 and 26(b). The IA clearly expects you to have a contingency plan in place, covering disaster recovery/business continuity. This would usually include:

- performing a business impact analysis of a disaster situation;
- considering the internal mechanisms to deal with such a situation; and
- considering Azure’s own disaster recovery and business continuity safeguards.

The IA also requires that you specify your internal processes in the contingency plan and set out the people in your business who will be responsible in the event of issues arising.

The following outlines Azure’s own disaster recovery and business continuity safeguards, which should be useful to incorporate into your contingency plan:

Redundancy
- Physical redundancy at server, data center, and service levels.
- Data redundancy with robust failover capabilities.
- Functional redundancy with offline functionality.

Resiliency
- Active load balancing.
- Automated failover with human backup.
- Recovery testing across failure domains.

Distributed Services
- Distributed component services limit the scope and impact of any failures in a component.
- Directory data replicated across component services insulates one service from another in any failure events.
- Simplified operations and deployment.

Monitoring
- Internal monitoring built to drive automatic recovery.
- Outside-in monitoring raises alerts about incidents.
- Extensive diagnostics provide logging, auditing, and granular tracing.

Simplification
- Standardized hardware reduces issue isolation complexities.
- Fully automated deployment models.
- Standard built-in management mechanism.

Human backup
- Automated recovery actions with 24/7 on-call support.
- A team with diverse skills on the call provides rapid response and resolution.
- Continuous improvement by learning from the on-call teams.

Continuous learning
- If an incident occurs, Microsoft does a thorough post-incident review every time.
- Microsoft’s post-incident review consists of analysis of what happened, Microsoft’s response, and Microsoft’s plan to prevent it in the future.

In the event the organization was affected by a service incident, Microsoft shares the post-incident review with the organization.

32. Procedures should be in place for regular reviews and testing of the contingency plan.

IA Guidance Note on Outsourcing, Section 26.

Microsoft carries out disaster recovery testing at least once per year. Please see also above for a summary of the disaster recovery/business continuity safeguards provided as part of the Azure service.

33. Contingency arrangements in respect of daily operational and systems problems would normally be covered in the service provider’s own contingency plan. ICs should ensure that they have an adequate understanding of their service provider’s contingency plan and consider the implications for their own contingency planning in the event that an outsourced service is interrupted due to failure of the service provider’s system.

IA Guidance Note on Outsourcing, Section 26. The IA requirements indicate the importance of you understanding the disaster recovery/business continuity safeguards forming part of Azure. As such, if you have any questions about these, please do not hesitate to get in touch with your Microsoft contact. Please see above for a summary of the disaster recovery/business continuity safeguards provided as part of the Azure service.

34. In establishing a viable contingency plan,

ICs should consider, among other things,

the availability of alternative service

providers or the possibility of bringing the

outsourced activity back in-house in an

emergency.

IA Guidance Note, Section 26(a). The IA clearly expects you to have a plan in place should you decide to stop using the Azure service.

To ensure control, transparency and consistency, it is necessary for the applications and services forming part of Azure to be provided by one provider (i.e. Microsoft). Because of the due diligence and risk management processes we have implemented, we do not think that our use of Azure represents an excessive reliance on one partner. Nonetheless, we do have in place contractual rights to exit the arrangements with Microsoft at any time for convenience, which gives us the flexibility to move to another provider (or to revert to a local, non-cloud based offering, such as Microsoft Office) should we choose to do so.

K. ADDITIONAL CONCERNS IN RELATION TO OVERSEAS OUTSOURCING

35. ICs should understand the risks arising from

overseas outsourcing, taking into account

relevant aspects of an overseas country

(e.g. legal system, regulatory regime,

sophistication of technology, infrastructure

and the ability of the IC to monitor the

outsourced service and the SP).

IA Guidance Note on Outsourcing, Section 28(a).

Azure is hosted out of […..]. This/These location(s) has/have been vetted for geopolitical/socioeconomic risks as set out in this checklist requirement. As part of our usual processes, we constantly monitor the countries in which we operate. In particular, we took the following into account:

a. Political (i.e. cross-border conflict, political unrest, etc.). Azure offers data-location transparency so that the organizations and regulators are informed of the jurisdiction(s) in which data is hosted. We are confident that Microsoft’s data center locations offer extremely stable political environments.

b. Country/socioeconomic. Azure offers data-location transparency so that the organizations and

regulators are informed of the jurisdiction(s) in which data is hosted. The centers are strategically

located around the world taking into account country and socioeconomic factors. We are confident

that Microsoft’s data center locations offer extremely stable socioeconomic environments.

c. Infrastructure/security/terrorism. Microsoft’s data centers are built to exacting standards,

designed to protect customer data from harm and unauthorized access. Data center access is

restricted 24 hours per day by job function so that only essential personnel have access. Physical

access control uses multiple authentication and security processes, including badges and smart

cards, biometric scanners, on-premises security officers, continuous video surveillance and two-

factor authentication. The data centers are monitored using motion sensors, video surveillance and

security breach alarms.

d. Environmental (i.e. earthquakes, typhoons, floods). Environmental controls have been

implemented to protect the data centers including temperature control, heating, ventilation and air-

conditioning, fire detection and suppression systems and power management systems, 24-hour

monitored physical hardware and seismically-braced racks. Microsoft data centers are built in seismically safe zones. These requirements are covered by Microsoft’s ISO/IEC 27001 accreditation for Azure.

e. Legal and regulatory system. We will have in place a binding negotiated contractual agreement with Microsoft in relation to the outsourced service, giving us direct contractual rights. We also took into account the fact that Azure was built based on ISO/IEC 27001 standards, a rigorous set of global standards covering physical, logical, process and management controls. Finally, we took into account the fact that Microsoft offers access and regulator audit rights, thereby allowing us to comply with our regulatory obligations in this respect.

f. Monitoring. Our contract with Microsoft provides extensive monitoring rights for us and for the IA.

36. Right of access to customers’ data by

overseas authorities such as the police and

tax authorities. ICs should, as considered

appropriate, seek legal advice to clarify the

position. ICs should notify the IA if overseas

authorities seek access to their customers’

data.

IA Guidance Note on Outsourcing, Section 28(b). The answer to this question will depend on the region

you are in. You may wish to obtain a legal opinion from an international or other reputable legal firm in

the country where your data will be hosted on this matter.

Microsoft is transparent in relation to the location of our data. Azure is hosted out of […..]. This/These

location(s) has/have been thoroughly vetted. Microsoft data center locations are made public on the

Microsoft Trust Center. Microsoft’s data center locations are recognized as stable, safe and reliable

jurisdictions in respect of their legal systems, regulatory regimes, technology and infrastructure. The

circumstances in which the relevant local authorities may have rights to access customer information

are not considered to be unwarranted.

37. Notification to customers - ICs should

generally notify their customers of the

country in which the service provider is

located (and of any subsequent changes)

and the right of access, if any, available to

the overseas authorities.

IA Guidance Note on Outsourcing, Section 28(c). Microsoft recommends that you confirm in this section

that you have informed customers where services will be provided from (according to the specification

of your final solution with Microsoft). Microsoft also recommends that you confirm in this section that you

have informed customers of the right of access available to overseas authorities (for example in

Singapore, for the purpose of the Azure service, depending on the specification of your final solution

with Microsoft).

38. ICs should not outsource to a jurisdiction that may hamper access to data by the IA. They should ensure that the IA has right of access to the books and records and other information of the IC as necessary for the IA to be able to carry out its statutory responsibilities.

IA Guidance Note on Outsourcing, Section 28(d).

We will have in place a binding negotiated contractual agreement with Microsoft in relation to the outsourced service, giving us direct contractual rights. Access to data by the IA will not be hampered in the appropriate circumstances. There are provisions in the contract that enable the IA to carry out inspection or examination of Microsoft’s facilities, systems, processes and data relating to the services. This is a key advantage of the Microsoft product over competitor products, which often provide only very limited (or no) audit and inspection rights. Where the IA wishes to access the books and records of the IC, in the first instance the IA will be directed to the IC by Microsoft. The IC should be able to provide the IA with access to all the books and records. Where such books and records are hosted by Microsoft, the IC has access to these by using the services in the normal way.

39. §33 of the PDPO in respect of transfer of

personal data outside Hong Kong –

although §33 has not yet come into

operation, ICs are advised to take account

of the provisions therein and the potential

impact on their plans in respect of overseas

outsourcing.

IA Guidance Note on Outsourcing, Section 28(e). We recommend that you use option (a) OR (b) below,

depending on the specification of your final solution with Microsoft:

(a) [Azure complies with §33 of the PDPO because data is transferred to […] which has laws in place

which are substantially similar to the PDPO and Microsoft has taken precautions to ensure that the

data will not be dealt with in a manner which would breach the PDPO (see the answer to question

20 above for more details about the measures Microsoft has taken to comply with the PDPO.).]

(b) [Microsoft will not transfer our personal data outside of Hong Kong.]

40. Governing law of the outsourcing

agreement – the agreement should

preferably be governed by Hong Kong law.

IA Guidance Note on Outsourcing, Section 28(f).

Our contract with Microsoft is subject to Washington State law [upon which we have obtained separate

legal advice to ensure that we are comfortable with the protection and control afforded to us].


ANNEX ONE

MANDATORY CONTRACTUAL REQUIREMENTS

The IA does not specifically mandate contractual requirements that must be agreed by ICs with their service providers. However, the Guidance Note on

Outsourcing does contain a long list of matters that it says that ICs should “consider” when negotiating the contract. The Annex contains a comprehensive list

and details of where in the Microsoft contractual documents these points are covered.

Key:

Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.

In blue text, Microsoft has provided you with a reference to where in the agreement the contractual requirement is covered for ease of reference.

Terms used below as follows:

OST = Online Services Terms

EA = Enterprise Agreement

Enrolment = Enterprise Enrolment

FSA = Financial Services Amendment

MBSA = Microsoft Business and Services Agreement

PUR = Product Use Rights

SLA = Online Services Service Level Agreement


Ref. Requirement Microsoft agreement reference

1. Scope of the outsourced service. Section 19(a) of the Guidance Note on Outsourcing

Yes.

The contract pack comprehensively sets out the scope of the arrangement and the respective

commitments of the parties.

The services are described, along with the applicable usage rights, in the Product List and OST

(pages 14 and 15). The services are described in detail in the Services Description, which is not

part of the contract. However, Microsoft makes a functionality commitment in the Core Features

Amendment and as a minimum the online services will meet that commitment.

2. Location where the outsourced service will be

performed.

Section 19(b) of the Guidance Note on Outsourcing.

Microsoft informs us that it takes a regional approach to hosting of Azure data. Microsoft is

transparent in relation to the location of our data. Microsoft data center locations are made public

on the Microsoft Trust Center.

Microsoft enables customers to select the region from which their service is provisioned. The table below will need to be amended depending on the specific solution that you are taking up.

# | Locations of Data Centre | Classification of DC: Tier I, II, III or IV | Storing your organization’s data (Y/N)
3. | | |
4. | | |

Pages 9-11 of the OST contain general commitments around data location. Microsoft will ensure that Customer Data will always be stored and processed in accordance with the EU and Swiss Safe Harbour Frameworks as maintained by the US Government.

Microsoft also commits that Customer Data transfers out of the EU will be governed by the EU Model Clauses set out at pages 29-33 of the OST. Also, as noted on page 11 of the OST: “Any subcontractors to whom Microsoft transfers Customer Data, even those used for storage purposes, will have entered into written agreements with Microsoft that are no less protective than the DPT”.

Commitments on the location of data at rest are discussed at p 9 of the OST, and may depend on where a customer provisions its service tenancy or what it specifies as a Geo for the online service. More details are set out, non-contractually, at the Trust Centers for each applicable online service.

3. Effective period of the outsourcing arrangement. Section 19(c) of the Guidance Note on Outsourcing

EAs have a three year term, and may be renewed for a further three year term.

Please insert the proposed start date of the outsourcing service.

4. Contractual obligations and liabilities of the IC and the Service Provider.

Section 19(d) of the Guidance Note on Outsourcing

Yes.

The contract pack comprehensively sets out the scope of the arrangement and the respective commitments of the parties.

The services are described, along with the applicable usage rights, in the Product List and OST (pages 14 and 15). The services are described in detail in the Services Description, which is not part of the contract. However, Microsoft makes a functionality commitment in the Core Features Amendment and as a minimum the online services will meet that commitment.

MBSA section 6 deals with liability. MBSA section 5 sets out Microsoft’s obligation to defend the regulated entity against third party infringement and breach of confidence claims. Microsoft’s liability under section 5 is unlimited.

5. Performance standards to be attained in respect of

the outsourced service. This is particularly

appropriate when the IC has committed to a service

standard or performance pledge to its customers.

Section 19(e) of the Guidance Note on Outsourcing

Yes.

See in particular the detailed performance standards and commitments set out in the SLA and the

MBSA above. These specify clearly the performance standards of Microsoft (for example, uptime)

and other obligations of Microsoft (for example, its obligations to provide access in the event of an

audit/inspection).

6. Reporting or notification requirements that the IC

may wish to impose on the Service Provider.

Section 19(f) of the Guidance Note on Outsourcing

Yes.

The customer may monitor the performance of the online services via the administrative

dashboard, which includes information as to Microsoft compliance with its SLA commitments.


In addition, Customers can review the manner in which Microsoft provides the online services. As

set out on page 13 of the OST, the customer is entitled to access the Microsoft Online Information

Security Policy, which is the document where Microsoft sets out its information security

management processes. Microsoft also commits to providing the customer with a summary of

Microsoft’s annual audit report, which is performed by an independent third party and measures

compliance against Microsoft’s certifications.

The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to

verify that the online services meet appropriate security and compliance standards. This

commitment is reiterated in the FSA.

Clause 1f of the FSA gives the customer the opportunity to participate in the Microsoft Online

Services Customer Compliance Program, which is a for-fee program that facilitates the customer’s

ability to (a) assess the services’ controls and effectiveness, (b) access data related to service

operations, (c) maintain insight into operational risks of the services, (d) be provided with additional

notification of changes that may materially impact Microsoft’s ability to provide the services, and (e)

provide feedback on areas for improvement in the services.

7. The way in which the IC and the Service Provider

should monitor the performance under the

agreement (e.g. evaluation of performance through

service delivery reports, periodic self-certifications,

independent reviews by the IC’s or the service

provider’s auditors).

Section 19(g) of the Guidance Note on Outsourcing

Yes.

Customers can review the manner in which Microsoft provides the online services.

The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA.

Clause 1f of the FSA gives the customer the opportunity to participate in the Microsoft Online

Services Customer Compliance Program, which is a for-fee program that facilitates the customer’s

ability to (a) assess the services’ controls and effectiveness, (b) access data related to service

operations, (c) maintain insight into operational risks of the services, (d) be provided with additional

notification of changes that may materially impact Microsoft’s ability to provide the services, and (e)

provide feedback on areas for improvement in the services.

In addition, as part of Microsoft’s certification requirements, they are required to undergo regular

independent third party auditing and Microsoft shares with us the independent third party audit

reports. Under the FSA, section 2c, Microsoft will provide to us copies of its audit reports so that

we can verify Microsoft’s compliance with its obligations.

Finally, as set out on page 13 of the OST, the customer is entitled to access the Microsoft Online

Information Security Policy, which is the document where Microsoft sets out its information security

management processes. Microsoft also commits to providing the customer with a summary of

Microsoft’s annual audit report, which is performed by an independent third party and measures

compliance against Microsoft’s certifications.

8. Information and asset ownership rights, information

technology security and protection of confidential

information.

Section 19(h) of the Guidance Note on Outsourcing

Yes.

The customer retains the ability to access its Customer Data at all times (OST, page 10), and Microsoft will deal with Customer Data in accordance with Enrollment clause 6c(iv) and the OST.

Microsoft also makes specific commitments with respect to Customer Data in the OST. In summary, Microsoft commits that:

1. Ownership of Customer Data remains at all times with the customer (see OST, page 8).

2. Customer Data will only be used to provide the online services to the customer. Customer

Data will not be used for any other purposes, including for advertising or other commercial

purposes (see OST, page 8).

3. Microsoft will not disclose Customer Data to law enforcement unless it is legally obliged to do

so, and only after not being able to redirect the request to the customer (see OST, page 8).

4. Microsoft will implement and maintain appropriate technical and organizational measures,

internal controls, and information security routines intended to protect Customer Data against

accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction (see

OST, page 8 and pages 11-13 for more details).

5. Microsoft will notify the customer if it becomes aware of any security incident, and will take

reasonable steps to mitigate the effects and minimize the damage resulting from the security

incident (see OST, page 9).

MBSA section 3 deals with confidentiality. Under this section Microsoft commits not to disclose our

confidential information (which includes our data) to third parties and to only use our confidential

information for the purposes of Microsoft’s business relationship with us. If there is a breach of

confidentiality by Microsoft, we are able to bring a claim for breach of contract against Microsoft.

9. Rules and restrictions on sub-contracting of the outsourced service. The IC should retain the ability to maintain similar control over its outsourcing risks when a Service Provider uses a sub-contractor.

Section 19(i) of the Guidance Note on Outsourcing

Yes.

See page 9 of the OST, under which Microsoft is permitted to hire subcontractors.

Microsoft maintains a list of authorized subcontractors for the online services that have access to

our data and provides us with a mechanism to obtain notice of any updates to that list (OST, page

10). The actual list is published on the applicable Trust Center. If we do not approve of a

subcontractor that is added to the list, then we are entitled to terminate the affected online

services.

The confidentiality of our data is protected when Microsoft uses subcontractors because Microsoft

commits that its subcontractors “will be permitted to obtain Customer Data only to deliver the

services Microsoft has retained them to provide and will be prohibited from using Customer Data

for any other purpose” (OST, page 9).

Microsoft commits that any subcontractors to whom Microsoft transfers our data will have entered

into written agreements with Microsoft that are no less protective than the data processing terms in

the OST (OST, page 11).

Under the terms of the OST, Microsoft remains contractually responsible (and therefore liable) for its subcontractors’ compliance with Microsoft’s obligations in the OST (OST, page 9). In addition, Microsoft’s commitment to ISO/IEC 27018 requires Microsoft to ensure that its subcontractors are subject to the same security controls as Microsoft is subject to. Finally, the EU Model Clauses, which are included in the OST, require Microsoft to ensure that its subcontractors outside of Europe comply with the same requirements as Microsoft, and set out in detail how Microsoft must achieve this.


10. Remedial action and escalation process for dealing

with inadequate performance.

Section 19(j) of the Guidance Note on Outsourcing

Under the service credits mechanism in the SLA, we may be entitled to a service credit of up to

100% of the service charges. If a failure by Microsoft also constitutes a breach of contract to which

the service credits regime does not apply, we would of course have ordinary contractual claims

available to us too under the contract.

MBSA section 6 deals with liability and rights of action. MBSA section 11e deals with how a

dispute under the contract is to be conducted.

11. Contingency planning of the Service Provider to

provide business continuity for the outsourced

service.

Section 19(k) of the Guidance Note on Outsourcing

Yes.

Business Continuity Management forms part of the scope of the accreditations that Microsoft maintains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations (see OST page 13). Business Continuity Management also forms part of the scope of Microsoft’s annual third party compliance audit.

12. Management and approval process for changes to

the outsourcing arrangement.

Section 19(l) of the Guidance Note on Outsourcing

Yes.

Section 11k of the MBSA states that the contract may be amended only by a formal written agreement signed by both parties. However, there is minimal requirement (if any) for change management provisions for the Microsoft Azure services. These online services are “commodity” services and are designed to be delivered as a standardized offering, thereby removing the requirement or need for changes or alterations to be made at an organization level. Microsoft will manage upgrades and patches to its services and testing for these will be carried out by Microsoft. Microsoft has its own operational change control procedure in place. The operational change control procedure includes an assessment process of possible changes and their impact. The testing of changes takes place in an approved non-production environment.

13. Conditions under which the IC or Service Provider

can terminate the outsourcing agreement.

Section 19(m) of the Guidance Note on Outsourcing

Yes.

Termination rights for the Enrollment are set out in the Enrollment itself, and in section 6 of the EA.

If the Enrollment is terminated, this will terminate all products and services ordered under the

Enrollment (except to the extent that the customer has perpetual rights).

Online services may also be terminated or suspended in the circumstances described in section 6d

of the EA, and as specified in the OST, pages 5, 11 and 30.

In the event of default, the provisions of the SLA will apply to service level failures and page 9 of

the OST sets out arrangements in the event of security incidents. Other defaults are addressed in

the MBSA and EA. A termination right for cause is set out at section 6c of the EA.

The contract allows the customer to terminate the arrangement with Microsoft for convenience (MBSA section 8). Because that right does not depend on a default having occurred, it also covers termination in the event of default, including change of ownership, insolvency, a breach of security or confidentiality, or demonstrable deterioration in the ability of the Service Provider to perform the service as contracted.

Note also that customers have control over the use they make of, and data they load into, the

online service.

14. Termination agreement, including intellectual

property and information rights and clarification of

the process to ensure the smooth transfer of the

outsourced service either to another Service

Provider or back to the IC.

Section 19(n) of the Guidance Note on Outsourcing

Yes.

Microsoft contractually commits to retain our data stored in the Online Service in a limited function account for 90 days after expiration or termination of our subscription so that we may extract the data. After the 90 day retention period ends, Microsoft will disable our account and delete our data (OST, page 5). MBSA section 3 deals with confidentiality.

In addition, the customer retains the ability to access its Customer Data at all times (OST, page

10), and Microsoft will deal with Customer Data in accordance with Enrollment clause 6c(iv) and

the OST. Finally, MBSA section 11m states that Microsoft and the customer each commit to

comply with all applicable privacy and data protection laws and regulations.

Note that ownership of documents, records and other data remain with the customer organization

and at no point transfer to Microsoft or anyone else, so this does not need to be addressed through

transition (see OST, page 8). As set out on page 33 of the OST, upon expiration or termination,

the customer may extract its data and the Service Provider will delete the data.

See the response above for more information about the termination rights.


15. Guarantee or indemnity from the Service Provider,

e.g. an indemnity to the effect that any sub-

contracting by the Service Provider of the

outsourced service will be the responsibility of the

Service provider including liability for any failure on

the part of the sub-contractor.

Section 19(o) of the Guidance Note on Outsourcing

Yes.

Under the terms of the OST, Microsoft remains contractually responsible (and therefore liable) for

its subcontractors’ compliance with Microsoft’s obligations in the OST (OST, page 9).

MBSA section 6 deals with liability. Microsoft remains liable for the actions and inactions of its sub-

contractors. MBSA section 5 sets out Microsoft’s obligation to defend the regulated entity against

third party infringement and breach of confidence claims. Microsoft’s liability under section 5 is

unlimited.

16. Requirement for the Service Provider to hold relevant insurance.

Section 19(p) of the Guidance Note on Outsourcing

Yes.

MBSA section 10 deals with insurance. In practice, Microsoft maintains self-insurance arrangements for many of the areas where third party insurance is typically obtained. Microsoft has taken the commercial decision to take this approach, and does not believe that this detrimentally impacts upon its customers given that Microsoft is an extremely substantial entity.

17. Mechanism to resolve disputes that might arise

under the outsourcing arrangement.

Section 19(q) of the Guidance Note on Outsourcing

Yes.

MBSA section 11 contains provisions that describe how a dispute under the contract is to be conducted.

MBSA section 11e sets out the jurisdictions in which the parties must bring their actions. Microsoft must bring actions against the customer in the country where the customer’s contracting party is headquartered. The customer must bring actions: (a) in Ireland, if the action is against a Microsoft affiliate in Europe; (b) in the State of Washington, if the action is against a Microsoft affiliate outside of Europe; or (c) in the country where the Microsoft affiliate delivering the services has its headquarters, if the action is to enforce a Statement of Services.

18. The Service Provider's agreement to allow access by the auditors and actuaries of the IC and the IA to any books, records and information which facilitate them to discharge their statutory duties and obligations.

Section 19(r) of the Guidance Note on Outsourcing

The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards.

Clauses 1e and 1f of the FSA detail the examination and influence rights that are granted to the customer and the HKMA. Clause 1e sets out a process which can culminate in the regulator's examination of Microsoft's premises.

Clause 1f gives the customer the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates the customer's ability to (a) assess the services' controls and their effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft's ability to provide the services, and (e) provide feedback on areas for improvement in the services.

19. Governing law of the outsourcing agreement. The agreement should preferably be governed by Hong Kong law.

Section 19(s) of the Guidance Note on Outsourcing

MBSA section 11h deals with which country's laws apply if there is a legal dispute.

The governing law is that of the State of Washington; however, the parties have the ability to bring proceedings in the following locations:

If Microsoft brings the action, the jurisdiction will be where the customer is located (i.e. Hong Kong);

If the customer brings the action, the jurisdiction will be the State of Washington; and

Both parties can seek injunctive relief with respect to a violation of intellectual property rights or confidentiality obligations in any appropriate jurisdiction.