Confidential
Page 1 of 54
THE PHILIPPINES
GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE TO FINANCIAL SERVICES
INSTITUTIONS USING CLOUD COMPUTING (AZURE)
Last updated: November 2014
1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?
This guidance document provides a guide to complying with the regulatory process and requirements applicable to financial services institutions using
cloud computing. In this guidance, “financial services institutions” means banks and other BSP-supervised institutions (“FSIs”).
Sections 2 to 6 of this guidance set out information about the regulatory process and the regulations that apply.
Section 7 of this guidance is intended to make the process easier for you by providing information, tips and template responses for each of the
questions contained in the Cloud Computing Questionnaire. The template responses may provide sufficient detail, but if you require further
information, Microsoft will be happy to provide this if you get in touch with your Microsoft contact. Microsoft has, in the relevant places within this
guidance document, inserted some links to relevant laws and guidance for your ease of reference.
Appendix One also contains a list of the contractual requirements mandated by the relevant regulation.
Note that this document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment on the part of
Microsoft or its affiliates. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your
technology outsourcing project and your legal regulatory obligations. If you have any questions, please do not hesitate to get in touch with your
Microsoft contact.
2. WHAT REGULATIONS AND GUIDANCE ARE RELEVANT?
BSP has created the Cloud Computing Questionnaire from its own rules and guidance documents on technology risk management, outsourcing and
cloud computing, and other relevant statute and regulation, including:
BSP Guidelines on Information Technology Risk Management for All Banks and Other BSP Supervised Institutions (“IT Guidelines”),
BSP Revised Outsourcing Framework for Banks,
BSP’s “Manual of Operation for Banks” and
other underlying laws and regulations such as the Bank Deposits Secrecy Law.
3. WHO IS/ARE THE RELEVANT REGULATOR(S)?
Bangko Sentral ng Pilipinas (“BSP”)
4. IS REGULATORY APPROVAL REQUIRED IN THE PHILIPPINES?
Yes.
BSP is aware of the general trend of FSIs wishing to use cloud IT solutions such as Microsoft Azure. It currently requires that all FSIs obtain the prior
approval of the Monetary Board in order to outsource IT systems and processes.
5. IS/ARE THERE (A) SPECIFIC FORM OR QUESTIONNAIRE(S) TO BE COMPLETED?
Yes.
In order to streamline the process of obtaining approval, BSP has issued the attached “Cloud Computing Questionnaire”, which contains a number of
questions about an FSI’s decision to use a cloud computing solution. The main purpose of the Cloud Computing Questionnaire is to establish that your
organization has carried out appropriate due diligence and that the proposed service complies with applicable regulatory requirements in relation to
issues such as data security, confidentiality and disaster recovery. You are required to complete this questionnaire as part of the approval process.
6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?
Yes.
The Cloud Computing Questionnaire itself contains some questions which ask for confirmation that certain specific items are covered in the Bank’s
contract with its service provider. Appendix One contains a comprehensive list and details of where in the Microsoft contractual documents these
points are covered.
7. CHECKLIST
Key:
In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the
point raised in the checklist. Some points are specific to your own internal operations and processes and you will need to complete these answers as
well.
In red italics, Microsoft has provided guidance to assist you with the points in the checklist.
Ref Question/requirement Template response and guidance
A. OVERVIEW OF THE OUTSOURCED ACTIVITIES AND SERVICE PROVIDER/S
1. Describe all proposed activities and operations to be outsourced
to the Cloud Service Provider (“CSP”).
IT Guidelines, Appendix 75e, Section 3, states that “prior to entering into an
outsourcing plan, the FSI should clearly define the business requirements for the
functions or activities to be outsourced”.
Certain IT functions will be outsourced through the use of Microsoft’s “Azure”
service, which is described in more detail here: Microsoft Azure.
Amongst other things, the Azure service includes:
Compute
Data & Storage
Networking
Identity & Access Management
IT support services.
We will not be outsourcing any core or inherent banking functions such as
services associated with placement of deposits and withdrawals.
2. Who is the CSP? Please provide company profile/background. In
relation to outsourcing of the above activities, identify and provide
background of all the other vendors/subcontractors that are in
critical path of the CSP?
IT Guidelines, Appendix 75e, Section 3, states that “Before selecting a service
provider, the FSI should perform appropriate due diligence”. Details of the
Microsoft corporate entity providing the services, and how Microsoft works with
third party subcontractors, are provided below. If you require further information
about any third parties involved in Microsoft’s service provision, please reach
out to your Microsoft contact.
The CSP is Microsoft Operations Pte Ltd, the regional licensing entity for Microsoft
Corporation, a global provider of information technology devices and services,
which is publicly-listed in the USA (NASDAQ: MSFT). Microsoft’s full company
profile is available here: https://www.microsoft.com/en-us/news/inside_ms.aspx.
Microsoft does use sub-contractors to provide certain ancillary assistance, but not
for any critical path roles. An up-to-date list of all subcontractors used to provide
the ancillary services (including exact services) is available at
http://azure.microsoft.com/en-us/support/trust-center/.
3. Describe in detail all the data that would be processed or stored
by the CSP.
IT Guidelines, Annex A to Appendix 75e states that “It is important that FSIs
maintain a comprehensive data inventory and a suitable data classification
process”. You will need to tailor this section depending on what data you intend to
store or process within Azure.
Customer data (including customer name, contact details, account
information, payment card data, security credentials and correspondence)
(but not any data to which the Law on Secrecy of Deposits applies – see
question B.1a., below).
Employee data (including employee name, contact details, internal and
external correspondence by email and other means and personal
information relating to their employment with the organization).
Transaction data (data relating to transactions in which the organization is
involved).
Indices (for example, market feeds).
Other personal and non-personal data relating to the organization’s
business operations as a FSI.
We ensure, pursuant to the terms of the contract in place with Microsoft, that all
data (but in particular any customer data) is treated with the highest level of
security so that we can continue to comply with our legal and regulatory
obligations and our commitments to customers. We do of course only collect and
process data that is necessary for our business operations in compliance with all
applicable laws and regulation and this applies whether we process the data on
our own systems or via a cloud solution such as Microsoft Azure.
4. What type of cloud services/cloud deployment model would the
CSP be implementing for the Bank?
In IT Guidelines, Appendix 75e, Section 4.3, BSP lists four different cloud
deployment models: private, public, community and hybrid.
Public Cloud: Azure is a multi-tenant service. It hosts multiple tenants securely
through logical isolation and separation of their data. Data storage and processing for
each tenant is segregated through Active Directory structures and capabilities
developed specifically to help build, manage and secure multi-tenant
environments. Active Directory isolates customers using security boundaries (also
known as silos), which safeguards a customer’s data so that it cannot be
accessed or compromised by co-tenants.
5. Will the proposed outsourcing require offshoring? If so, from
which territory(ies) will the outsourced cloud services be
provided?
IT Guidelines, Annex A to Appendix 75e states that “such concerns [about risks
relating to data ownership and location] can be alleviated if the CSP has some
reliable means to ensure that an organization’s data is stored and processed only
within specific jurisdictions”. Microsoft has provided some additional optional
wording below to explain the locations of Microsoft’s data centers in more detail.
Azure is hosted out of […..]. This/These location(s) has/have been vetted for
geopolitical/socioeconomic risks as set out in this checklist requirement. As part
of our usual processes, we constantly monitor the countries in which we operate.
a. Political (i.e. cross-border conflict, political unrest etc.). Azure offers
data-location transparency so that the organizations and regulators are
informed of the jurisdiction(s) in which data is hosted. We are confident that
Microsoft’s data center locations offer extremely stable political environments.
b. Country/socioeconomic. Azure offers data-location transparency so that the
organizations and regulators are informed of the jurisdiction(s) in which data is
hosted. The centers are strategically located around the world taking into
account country and socioeconomic factors. We are confident that Microsoft’s
data center locations offer extremely stable socioeconomic environments.
c. Infrastructure/security/terrorism. Microsoft’s data centers are built to the
same exacting standards, designed to protect customer data from harm and
unauthorized access. Data center access is restricted 24 hours per day by job
function so that only essential personnel have access. Physical access control
uses multiple authentication and security processes, including badges and
smart cards, biometric scanners, on-premises security officers, continuous
video surveillance and two-factor authentication. The data centers are
monitored using motion sensors, video surveillance and security breach
alarms.
d. Environmental (i.e. earthquakes, typhoons, floods). Microsoft Data centers
are built in seismically safe zones. Environmental controls have been
implemented to protect the data centers including temperature control,
heating, ventilation and air-conditioning, fire detection and suppression
systems and power management systems, 24-hour monitored physical
hardware and seismically-braced racks. These requirements are covered by
Microsoft’s ISO/IEC 27001 certification for Azure.
Legal. We will have in place a binding negotiated contractual agreement with
Microsoft in relation to the outsourced service, giving us direct contractual rights.
We also took into account the fact that Azure was built based on ISO/IEC 27001
standards, a rigorous set of global standards covering physical, logical, process
and management controls. Finally, we took into account the fact that Microsoft
offers access and regulator audit rights thereby allowing us to comply with our
regulatory obligations in this respect.
B. ADDRESSING CLOUD RISKS AND OTHER AREAS OF CONCERN
1. Legal and Regulatory Compliance
a. Law on Secrecy of Deposits (R.A. No. 1405) Law on Secrecy of Deposits.
Not applicable since we will not be sharing with Microsoft any information
regarding deposits. As required by the Law on Secrecy of Deposits, we will not be
sharing with Microsoft or any other contractor, information regarding deposits. We
will continue to treat such information in the strictest of confidence in compliance
with our legal obligations. Accordingly, use of Microsoft Azure does not create any
risk of non-compliance with the Law on Secrecy of Deposits.
b. Foreign Currency Deposit System (R.A. 6426) Foreign Currency Deposit System.
Not applicable.
We will not be using Microsoft Azure to engage in transactions directly related to
foreign currencies, which are the types of transaction that the Foreign Currency
Deposit System regulates. Accordingly, use of Microsoft Azure does not create any
risk of non-compliance with the Foreign Currency Deposit System.
c. Anti-Money Laundering Act, particularly on data/ file
retention
Anti-Money Laundering Council guidance.
Not applicable.
Our use of Microsoft Azure would not have any negative impact on our ability to
comply with our requirements under the Anti-Money Laundering Act, since it does
not change our processes, and our data and documents will continue to be available to
us at all times.
In particular, our use of Microsoft Azure will not change our approach to: (a)
customer identification – we will continue to establish and record the true identity
of our customers in the same way; and (b) covered transactions – we will continue
to have procedures in place to report these in the same way.
Regarding data and file retention - we are aware of our obligations to keep records
in respect of transactions, customer identification, account files, business
correspondence, etc. Microsoft has in place excellent data backup and recovery
arrangements for data residing within its data centers, so to the extent that any of
the required records are stored within Microsoft’s data centers, we are confident
that we will continue to comply with our record-keeping obligations. Indeed,
additional comfort and security will be assured as a result.
Please find below some further information about the data backup and recovery
arrangements that Microsoft has in place to protect our records and ensure that
they are available to us on a constant basis:
Redundancy
Physical redundancy at server, data center, and service levels;
Data redundancy with robust failover capabilities; and
Functional redundancy with offline functionality.
Resiliency
Active load balancing;
Automated failover with human backup; and
Recovery testing across failure domains.
Distributed Services
Distributed component services limit scope and impact of any failures in a
component;
Directory data replicated across component services insulates one service
from another in any failure events; and
Simplified operations and deployment.
Monitoring
Internal monitoring built to drive automatic recovery;
Outside-in monitoring raises alerts about incidents; and
Extensive diagnostics provide logging, auditing, and granular tracing.
Simplification
Standardized hardware reduces issue isolation complexities;
Fully automated deployment models; and
Standard built-in management mechanism.
Human backup
Automated recovery actions with 24/7 on-call support;
Team with diverse skills on the call provides rapid response and
resolution; and
Continuous improvement by learning from the on-call teams.
Continuous learning
If an incident occurs, Microsoft does a thorough post-incident review every
time; and
Microsoft’s post-incident review consists of analysis of what happened,
Microsoft’s response, and Microsoft’s plan to prevent it in the future.
d. Electronic Commerce Act (R.A. 8792) Electronic Commerce Act.
The Electronic Commerce Act applies to our use of Azure. The law imposes a
general obligation of confidentiality over “any electronic key, electronic data
message, or electronic document, book, register, correspondence, information, or
other material.”
Our use of Microsoft Azure will not have any negative impact on our ability to
comply with the requirements of the Electronic Commerce Act. Indeed, we
consider that our use of Microsoft Azure is actually in line with the requirements of
the Act and its obligation of confidentiality.
e. Data Privacy Law Data Privacy Act.
Our use of Microsoft Azure would not cause us to fail to meet any obligation we
may have under the Data Privacy Act. In fact, we think that Microsoft Azure has
features that will help us comply with certain provisions (including security
obligations). We will continue to maintain overall responsibility and accountability
for compliance with the Data Privacy Act.
In relation to the specific requirements of the Data Privacy Act that apply to the use of
cloud services:
a. We have an obligation to implement reasonable and appropriate
organizational, physical and technical measures to protect personal
information. We are satisfied with Microsoft’s security procedures, as
described in its Standard Response to Request for Information – Security
and Privacy (and further described in other parts of this document).
b. We have an obligation to use contractual or other reasonable means to
provide a comparable level of protection while the information is being
processed by Microsoft. We are satisfied that our legally-binding
agreement with Microsoft, and the operational procedures we have in
place to monitor compliance, together with our choice of service provider,
will provide at least a comparable level of protection for personal
information. Our contract with Microsoft ensures that all data (but in
particular any customer data) is treated with the highest level of security
enabling us to continue to comply with our legal and regulatory obligations
and our commitments to customers.
We also took into account the fact that the European Union’s data protection
authorities have found that Microsoft’s enterprise cloud contracts meet the high
standards of EU privacy law. Microsoft is the first – and so far the only – company
to receive this approval.
f. Regulations concerning IT risk management, electronic
banking and reporting of security incidents.
BSP Guidelines on Information Technology Risk Management, Electronic Banking
Regulations (Circular No. 240 series of 2000; Circular No. 269 series of 2000; and
Circular No. 542 series of 2006) and BSP’s Internet and Wireless Banking
Security Measures (Appendix B to BSP Circular No. 542 s. 2006 on Consumer
Protection for Electronic Banking).
The BSP Guidelines on Information Technology Risk Management
for All Banks and Other BSP Supervised Institutions: Our use of
Microsoft Azure would not cause us to fail to meet any obligation we may
have under the IT risk management regulations. Our responses to
questions about IT risk management elsewhere in this document are
based on the requirements in the IT risk management regulations. We
consider that Microsoft Azure meets these requirements.
Electronic Banking: Electronic Banking Regulations govern e-banking
services and products offered by banks to their customers. They are not
applicable since we will not be using Azure for e-banking services.
Reporting of Security Incidents: The existing regulations do not
specifically provide for the reporting of security incidents; they do not define
the term “security incident”, and there is no prescribed format for reporting
“security incidents”. The BSP’s Internet and Wireless Banking Security
Measures (Appendix B to BSP Circular No. 542 s. 2006 on Consumer
Protection for Electronic Banking) mentions “security incidents” but only in
the context of directing banks to “establish an incident management and
response plan and test the predetermined action plan relating to security
incidents”. Azure includes an incident management and response plan
(that is tested) that goes beyond these regulatory requirements. See our
answer to question B.4.g below for more details.
g. How does the Bank (and its CSP) ensure consumer
protection under a cloud environment?
For example, BSP Handbook on Consumer Laws Covering BSP-Supervised
Financial Institutions. The majority of these rules would not be applicable to the
use of Azure, since they tend to cover customer-facing functions such as deposits,
credit etc.
We have in place internal processes and procedures to ensure that our
consumers are protected. This will not change through the proposed use of cloud
services. We have reviewed the BSP Handbook on Consumer Laws Covering
BSP-Supervised Financial Institutions and do not believe that our use of Azure
would inhibit our ability to comply with these requirements. In fact, we believe that
Azure will actually have some major benefits for our IT operations and,
accordingly, improve the overall service that we are able to provide to customers.
h. How would the Bank guarantee the grant of BSP
access to CSP’s infrastructure to determine
compliance with applicable laws and regulations and
assess soundness of risk management processes and
controls in place?
IT Guidelines, Annex A to Appendix 75e states that “the CSP should grant BSP
access to its cloud infrastructure to determine compliance with applicable laws
and regulations and assess soundness of risk management processes and
controls in place”. Microsoft does grant this kind of access. Microsoft also offers a
Compliance Framework Program for FSIs. If you take up the Compliance
Framework Program, you may add this additional information about its key
features: the regulator audit/inspection right, access to Microsoft’s security policy,
the right to participate at events to discuss Microsoft’s compliance program, the
right to receive audit reports and updates on significant events, including security
incidents, risk-threat evaluations and significant changes to the business
resumption and contingency plans.
We have agreed with Microsoft that the BSP will have an audit/inspection right, so
that the BSP can carry out inspections or examinations of Microsoft’s facilities,
systems, processes and data relating to the services to determine and confirm
that it is in compliance with applicable laws and regulations and assess the
soundness of the risk management processes and controls which it has in place.
The willingness of Microsoft to agree to a regulator audit/inspection is a key
advantage of the Microsoft offering over many of the other CSPs offerings and
one of our reasons for choosing this solution.
2. GOVERNANCE AND RISK MANAGEMENT
a. Has Bank management considered the overall
business and strategic objectives prior to outsourcing
the specific IT operations?
BSP expects that management would need to have considered the overall
business and strategic objectives (IT Guidelines, Annex A to Appendix 75e). The
sample answer below covers legal/regulatory compliance and customer
satisfaction, but we would suggest adding to this response details of:
internal processes that were carried out;
who handled the process and which areas of the business were involved
or advised; and
any external consultants or legal counsel involved.
Yes.
Management of our organization has been involved throughout to ensure that the
project aligns with our organization’s overall business and strategic objectives. At
the center of our objectives are of course legal and regulatory compliance and
customer satisfaction and these were the key objectives that management had in
mind when it considered this project. We are satisfied that this solution will ensure
legal and regulatory compliance because of the key features (including the
security and audit rights) forming part of the Azure service. We are also satisfied
that customer satisfaction will be maintained because we believe that Azure will
actually have some major benefits for our IT operations and, accordingly, improve
the overall service that we are able to provide to customers.
b. Does your Bank have a written, board-approved
outsourcing policy and rationale for outsourcing?
Please provide a copy of the outsourcing policy and
rationale.
BSP requires that banks have in place a comprehensive policy on outsourcing
duly approved by the board of directors of the bank (IT Guidelines, page 12). This
should be “an effective outsourcing oversight program that provides the framework
for management to understand, monitor, measure and control the risks associated
with outsourcing”. This will differ from one organization to another but would
typically include a framework to address the following:
Risk assessment in respect of the outsourcing (more details of which are
asked about in question d. below);
Selection of service providers (including appropriate due diligence);
Contract review; and
Ongoing review and monitoring.
c. What procedures does the Bank have in place to
ensure that all its relevant business units are fully
aware of, and comply with, the outsourcing policy?
You will need to explain how the relevant business units are brought under the
scope of the outsourcing policy.
d. Has a proper risk assessment of the elements specific
to the proposed cloud outsourcing been conducted?
Provide details on the risk assessment process.
Appendix 75e, Section 3.1 of the IT Guidelines. Clearly BSP expects that your
organization would have carried out a risk assessment. In summary, the risk
assessment should:
define the business requirements for the functions or activities to be
outsourced;
assess the risk of outsourcing those functions or activities;
establish appropriate measures to manage and control the identified risks;
and
take into account the criticality of the services to be outsourced, the
capability of the service provider and the technology it will use in
delivering the outsourced service.
If you have any questions when putting together a risk assessment, please do not
hesitate to get in touch with your Microsoft contact.
Yes.
Led by our management we have carried out a thorough risk assessment of the
move to Azure. This risk assessment included:
[ ];
[ ]; and
[ ].
e. How does the Bank ensure that it maintains ultimate
responsibility for this outsourcing arrangement?
IT Guidelines, Appendix 75e, Section 2.1, which requires the Board and senior
management to maintain ultimate responsibility and accountability.
The handing over of certain day to day responsibility to an outsourcing provider
does present some challenges in relation to control. Essential to us is that, despite
the outsourcing, we retain control over our own business operations, including
control of who can access data and how they can use it. At a contractual level, we
have dealt with this via our contract with Microsoft, which provides us with legal
mechanisms to manage the relationship including appropriate allocation of
responsibilities, oversight and remedies and the mandatory provisions required by
BSP. At a practical level, we have selected the Azure product since it provides us
with transparency in relation to data location, authentication and advanced
encryption controls. We (not Microsoft) will continue to own and retain all rights to
our data and our data will not be used for any purpose other than to provide us
with the Azure services. As part of its certification and attestation requirements, Microsoft is
required to undergo regular independent third-party auditing (including the SSAE 16
SOC 1 Type II examination, a globally recognized standard), and Microsoft shares with us
the resulting independent third-party audit reports. Microsoft also agrees, as part of the
compliance program, to a customer right to monitor and supervise. We are confident
that all of these arrangements ensure that we maintain ultimate responsibility for
this outsourcing arrangement.
3. DUE DILIGENCE
a. Is the CSP selection process formally defined and
documented? If yes, provide documentation.
IT Guidelines, Appendix 75e, Section 3.2., which states that before selecting a
service provider the FSI should perform appropriate due diligence. The factors it
suggests should be considered are those listed in the sample answer below. The
question also requests that you provide documentation relating to the process.
Yes.
The selection process was formally documented. It covered the service provider’s:
financial soundness;
reputation;
managerial skills;
technical capabilities; and
operational capability and capacity in relation to the services to be
performed.
Please see the attached documentation for further information.
b. Provide the CSP selection criteria and elaborate the
reasons for choosing the CSP.
The BSP does not provide a standard set of selection criteria (although the factors
mentioned in the sample answer to question B.3.a., above, will of course be
relevant). The list below includes some common factors that customers have
informed Microsoft are important in their choice of service provider. We would
advise that, in addition to the below, you set out some more detail about how you
ran your specific selection process. This might include details of the number of
CSPs you considered, whether you had a formal tender process, how long the
process took, etc. This may already be addressed in the documentation you
provide in response to question B.3.a. above.
We followed a rigorous review and selection process. Set out below are the
specific areas we considered and why we decided on Microsoft:
a. Competence and experience. Microsoft is an industry leader in cloud
computing. Azure was built based on ISO/IEC 27001 standards and was
the first major business productivity public cloud service to have
implemented the rigorous set of global standards covering physical,
logical, process and management controls.
b. Past track-record. 40% of the world’s top brands use Azure. We
consulted various case studies relating to Azure, which are available on
the Microsoft website and also considered the fact that Microsoft has
amongst its customers some of the world’s largest organizations and
financial institutions.
c. Specific financial services credentials. Financial Institution customers
in leading markets, including in the UK, France, Germany, Australia,
Singapore, Canada, the United States and many other countries have
performed their due diligence and, working with their regulators, are
satisfied that Azure meets their respective regulatory requirements. This
gives us confidence that Microsoft is able to help meet the high burden of
financial services regulation and is experienced in meeting these
requirements.
d. Microsoft’s staff hiring and screening process. All personnel with
access to customer data are subject to background screening, security
training and access approvals. In addition, the access levels are reviewed
on a periodic basis to ensure that only users who have appropriate
business justification have access to the systems. User access to data is
also limited by user role. For example, system administrators are not
provided with database administrative access.
e. Financial strength of Microsoft. Microsoft Corporation is publicly-listed
in the United States and is amongst the world’s largest companies by
market capitalization. Microsoft’s audited financial statements indicate that
it has been profitable for each of the past three years. Its market
capitalization is in the region of USD 280 billion. Accordingly, we have no
concerns regarding its financial strength.
f. Business resumption and contingency plan. Microsoft offers
contractually-guaranteed uptime, hosted out of world class data centers
with physical redundancy at disk, NIC, power supply and server levels,
constant content replication, robust backup, restoration and failover
capabilities, real-time issue detection and automated response such that
workloads can be moved off any failing infrastructure components with no
perceptible impact on the service, with 24/7 on-call engineering teams.
g. Security and internal controls, audit, reporting and monitoring.
Microsoft is an industry leader in cloud security and implements policies
and controls on par with or better than on-premises data centers of even
the most sophisticated organizations. We have confidence in the security
of the solution and the systems and controls offered by Microsoft. In
addition to the ISO/IEC 27001 certification, Azure is designed for security
with controls for encryption of data at rest and secure sockets layer
(“SSL”)/transport layer security (“TLS”) encryption of data in transit. The
Microsoft service is subject to the SSAE16 SOC1 Type II audit, an
independent, third party audit.
c. Apart from the current CSP, have other
vendors/service providers been considered?
You will need to respond accordingly based on your specific selection process.
4. VENDOR MANAGEMENT/PERFORMANCE AND CONFORMANCE
a. Does the Service Level Agreement (“SLA”) cover the
minimum provisions required under existing rules and
regulations on outsourcing? (Circular No. 765)
Appendix to BSP Circular No. 765, “Revised Outsourcing Framework for Banks”.
Yes. We have reviewed the list in Circular No. 765 and are satisfied that the SLA,
in combination with the rest of Microsoft’s Business and Services Agreement
(“MBSA”), satisfies the minimum provisions.
The SLA is available at:
http://azure.microsoft.com/en-us/support/legal/sla/
and the MBSA is available upon request. The SLA is contained within the MBSA.
b. Does the SLA (as defined above) clearly disclose other
parties (i.e. subcontractors) that are involved in the
delivery of cloud services?
Appendix 75e to IT Guidelines. BSP expects that “the extent to which
subcontractors perform additional services should be limited to peripheral or
support functions while the core services should rest with the main service
provider”. This would be the case with Azure – the core services remain with
Microsoft.
Yes.
We are satisfied that this requirement is met. The SLA is a standard document
which Microsoft uses for thousands of customers, so it does not contain details of
the specific subcontractors they propose to work with for this project. However,
Microsoft publishes an up-to-date list of all sub-contractors used as well as the
services they provide. This information is found at
http://azure.microsoft.com/en-us/support/trust-center/.
As explained in the response to question A.2., above, no
sub-contractors are involved in critical path roles.
c. Describe CSP’s guarantee of availability and extent of
liability if SLAs are not met.
IT Guidelines, Appendix 75e, Section 3.4 states that “Management should include
SLAs in its outsourcing contracts to specify and clarify performance expectations,
as well as establish accountability for the outsourced activity”.
We are satisfied that our contract with Microsoft adequately specifies the
performance expectations and apportions responsibilities for the outsourced
activities. The availability and extent of liability are as follows:
a. Guarantee of availability: Microsoft provides a contractual financially-backed
uptime guarantee for the Azure product and covers performance monitoring
and reporting requirements which enable us to monitor Microsoft’s
performance on a continuous basis against service levels.
b. Extent of liability if SLAs not met: Under the service credits mechanism in
the SLA, we may be entitled to a service credit of up to 100% of the service
charges. If a failure by Microsoft also constitutes a breach of contract to which
the service credits regime does not apply, we would of course have ordinary
contractual claims available to us too under the contract.
d. Has the SLA been reviewed by a legal counsel?
Microsoft recommends that you do seek legal advice on the use of cloud
computing services in relation to statutory/regulatory/common law requirements.
Yes.
e. What monitoring processes does the Bank have to
manage the cloud outsourcing? Please describe and
provide documentation.
BSP expects that organizations would “establish a monitoring program to ensure
service providers deliver the quantity and quality of services required by the
contract” (IT Guidelines, Appendix 75e, Section 3.5.1). The “template response”
below explains how the Azure dashboard could be used by your organization as
part of these monitoring processes but you will need to add details of your own
internal processes.
We have reviewed the monitoring processes (set out in more detail in the following
paragraphs) and we are confident that appropriate processes are in place.
Microsoft’s SLA applies to the Azure product. Our IT administrators also have
access to the Azure Service Health Dashboard, which provides real-time and
continuous monitoring of the Azure service. The Service Health Dashboard
provides our IT administrators with information about the current availability of
each service or tool (and its availability history), details about service
disruptions or outages, and scheduled maintenance times. The information is
provided via an RSS feed.
Amongst other things, the SLA provides a contractual uptime guarantee for the
Azure product and covers performance monitoring and reporting requirements which
enable us to monitor Microsoft’s performance on a continuous basis against
service levels. We also have access to the independent SSAE16 SOC1 Type II
audit, which enables us to verify Microsoft’s performance.
Please find a copy of the SLA at:
http://azure.microsoft.com/en-us/support/legal/sla/
As part of the support we receive from Microsoft, we also have access to a
technical account manager who is responsible for understanding our challenges
and providing expertise, accelerated support and strategic advice tailored to our
organization. This includes both continuous hands-on assistance and immediate
escalation of urgent issues to speed resolution and keep mission-critical systems
functioning. We are confident that such arrangements provide us with the
appropriate mechanisms for managing performance and problems.
f. Do you have a process to audit the CSP to assess its
compliance with your policy, procedures, security
controls and regulatory requirements? Please describe
the process.
IT Guidelines, Appendix 75e, Section 5 and Annex A. This is a question about
your own internal processes and so you will need to supplement this response
with details about that. However, it is of course relevant in this context to mention
that Microsoft permits audit and inspection both by their financial institution
customers and regulators and so we have set out some information about this
below. Microsoft also offers a Compliance Framework Program for FSIs, a key
feature of which is the regulator audit/inspection right.
Yes.
We are satisfied that this requirement is met.
We are confident that in our choice of Microsoft as CSP we have far more
extensive audit rights than most if not all other CSPs offer. This was an important
factor in our decision to choose this CSP.
In particular, the following audit protections are made available by Microsoft:
a. As part of Microsoft’s certification requirements, they are required to
undergo regular independent third party auditing (via the SSAE16 SOC1
Type II audit, a globally-recognized standard), and Microsoft shares with
us the independent third party audit reports. Microsoft also agrees, as
part of the compliance program, to a customer right to monitor and
supervise. We are confident that such arrangements provide us with the
appropriate level of assessment of Microsoft’s ability to meet our policy,
procedural, security control and regulatory requirements.
b. As detailed in the response to question B.1.h., above, BSP is given a
contractual right of audit/inspection over Microsoft’s facilities, so that it can
assess and examine systems, processes and security and regulatory
compliance.
g. What are the procedures for identifying, reporting and
responding to security incidents and violations?
IT Guidelines, Appendix 75e, Annex A, states that “management processes of the
FSI should include appropriate notification procedures, effective monitoring of
security-related threats, incidents and events on both FSI’s and CSP’s networks;
comprehensive incident response methodologies; and maintenance of appropriate
forensic strategies for investigation and evidence collection”. The following sets
out some of the procedures and techniques that Microsoft has in place. In
addition, we recommend as part of this response that you include details of your
own processes in particular for responding to security breaches and violations.
This is an issue that we take very seriously. We have therefore checked these
procedures in detail with Microsoft and are confident that they provide excellent
means to enable us to identify, report and respond properly and promptly in the
event of any security incident or violation. We are assured that Microsoft is
committed to protecting our privacy, and Microsoft makes this statement in
its Azure Privacy Statement.
First, there are robust procedures offered by Microsoft that enable the prevention
of security incidents and violations arising in the first place and detection in the
event that they do occur. Specifically:
a. Microsoft implements 24 hour monitored physical hardware. Data center
access is restricted 24 hours per day by job function so that only essential
personnel have access to customer applications and services. Physical
access control uses multiple authentication and security processes,
including badges and smart cards, biometric scanners, on-premises
security officers, continuous video surveillance, and two-factor
authentication.
b. Microsoft implements “prevent, detect, and mitigate breach”, which is a
defensive strategy aimed at predicting and preventing a security breach
before it happens. This involves continuous improvements to built-in
security features, including port scanning and remediation, perimeter
vulnerability scanning, OS patching to the latest updated security
software, network-level DDOS (distributed denial-of-service) detection and
prevention, and multi-factor authentication for service access.
c. Wherever possible, human intervention is replaced by an automated, tool-
based process, including routine functions such as deployment,
debugging, diagnostic collection, and restarting services. Azure continues
to invest in systems automation that helps identify abnormal and
suspicious behavior and respond quickly to mitigate security risk.
Microsoft is continuously developing a highly effective system of
automated patch deployment that generates and deploys solutions to
problems identified by the monitoring systems—all without human
intervention. This greatly enhances the security and agility of the service.
d. Microsoft conducts penetration tests to enable continuous improvement of
incident response procedures. These internal tests help Azure security
experts create a methodical, repeatable, and optimized stepwise
response process and automation.
Second, in the event that a security incident or violation is detected, Microsoft
Customer Service and Support notifies Azure subscribers by updating the Service
Health Dashboard that is available on the Azure portal. We would have access to
Microsoft’s dedicated support staff, who have a deep knowledge of the service.
Microsoft provides a Recovery Time Objective (“RTO”) of 30 min or less for
Virtual Machines and Storage, 1 hour or less for Virtual Network, and a Recovery
Point Objective (“RPO”) of 1 minute or less for Storage.
Finally, after the incident, Microsoft provides a thorough post-incident review
report (“PIR”). The PIR includes:
An incident summary and event timeline.
Broad customer impact and root cause analysis.
Actions being taken for continuous improvement.
Microsoft will provide the PIR within five business days following resolution of the
service incident. Administrators can also request a PIR using a standard online
service request submission through the Azure portal or a phone call to Microsoft
Customer Service and Support.
See also the responses to the questions in section B.7 below regarding business
continuity.
h. How would the CSP provide support to the Bank in
handling security incidents?
IT Guidelines, Appendix 75e, Annex A,
In addition to the details set out in response to the question immediately above, as
part of the support we receive from Microsoft, we also have access to a technical
account manager. This manager is responsible for understanding our challenges
and providing expertise, accelerated support and strategic advice tailored to our
organization. This includes both continuous hands-on assistance and immediate
escalation of urgent issues to speed resolution and keep mission-critical systems
functioning. We are confident that such arrangements provide us with the
appropriate mechanisms for managing performance and problems.
See also the responses to the questions in section B.7 below regarding business
continuity.
i. Describe the arrangement if the CSP’s action, faulty
software or hardware contributed to the security
breach?
IT Guidelines, Appendix 75e, Annex A.
The arrangement we have agreed with Microsoft under our Service Level
Agreement is that we will be entitled to service credits of up to 100% of the service
charges if Microsoft’s action, faulty software or hardware contributed to the
security breach.
Regardless of the cause of the breach, we would be entitled to the reporting and
response services described in the responses to questions B.4.g. and B.4.h.
above.
j. Is there a contingency plan for replacing the CSP in the
event of its cessation?
BSP would expect financial institutions to have a contingency plan in place if you
did decide to stop using the Azure service.
The agreement with Microsoft contains usual termination provisions. In the event
of cessation, we would either move back on premise or to an alternate CSP.
Microsoft is contractually required to hold our data for an agreed period to enable
such transition to occur in an orderly manner.
k. Do you have the right to terminate the SLA in the event
of default, ownership change, insolvency, change of
security or serious deterioration of service quality?
IT Guidelines, Appendix 75e, Section 3.4, states that “the FSI should link SLA to
the provisions in the contract regarding incentives, penalties and contract
cancellation”. Although Microsoft believes that the scenarios listed in the question
are very unlikely, the rights offered in its contract to terminate for convenience and
material breach provide customers with sufficient control to exit the relationship in
the unlikely event of one of these situations arising.
Yes.
We are satisfied that this requirement is met. Our main agreement with Microsoft
is called a Microsoft MBSA (as defined above) and contains usual termination
provisions. The SLA is contained within the MBSA, which is terminable by us for
convenience at any time by providing not less than 60 days’ notice. Any sub-
agreements to the MBSA are terminable by us for convenience at any time by
providing not less than 30 days’ notice. In addition, we have standard rights of
termination for material breach. This gives us the flexibility and control we need to
manage the relationship with Microsoft because it means that we can terminate
the arrangements whether with or without cause.
l. In the event of contract termination with the service
provider, either on expiry or prematurely, is the Bank
able to have all IT information and assets promptly
removed or destroyed?
IT Guidelines, Appendix 75e, Annex A, reminds FSIs of the importance of
controlling data ownership, data location and retrieval.
Yes.
We are satisfied that this requirement is met. Microsoft will retain our data for 90
days following termination so that we may extract our data. If we request that
Microsoft end the retention period earlier, Microsoft will do so. As set out on page
33 of the OST, upon expiration or termination, the customer may extract its data
and the Service Provider will delete the data.
Microsoft uses best practice procedures and a wiping solution that is NIST 800-88
compliant. For hard drives that can’t be wiped it uses a destruction process that
destroys it (i.e. shredding) and renders the recovery of information impossible
(e.g., disintegrate, shred, pulverize, or incinerate). The appropriate means of
disposal is determined by the asset type. Records of the destruction are retained.
All Microsoft Online Services utilize approved media storage and disposal
management services. Paper documents are destroyed by approved means at
the pre-determined end-of-life cycle.
“Secure disposal or re-use of equipment and disposal of media” is covered under
the ISO/IEC 27001 standards against which Microsoft is certified.
5. SECURITY AND PRIVACY
a. Has the Bank revised/updated its information security
policies to incorporate activities outsourced to CSP?
IT Guidelines, Appendix 75e, Annex A, state that FSIs “may need to revise their
information security policies, standards, and practices to incorporate the activities
related to a CSP”. This can be read as an optional requirement (“may”) but BSP
would probably expect some justification if you have elected not to revise/update
the policies. The IT Guidelines state that policies should address:
1. Operational Risk;
2. Strategic Risk;
3. Reputation Risk; and
4. Compliance Risk.
Each risk area is described in more detail in the IT Guidelines, pages 5-6. If you
require any information from Microsoft in this respect, please do not hesitate to
speak to your Microsoft contact.
b. Does the Bank maintain a comprehensive data
inventory and a suitable data classification process to
facilitate CSP’s implementation of identity and access
controls?
IT Guidelines, Appendix 75e, Annex A, Security and Privacy.
Yes.
Microsoft logs who accesses all of our data. Microsoft applies strict controls over
which personnel roles and personnel will be granted access to customer data.
Personnel access to the IT systems that store customer data is strictly controlled
via role-based access control (“RBAC”) and lock box processes. Access control
is an automated process that follows the separation of duties principle and the
principle of granting least privilege. This process ensures that the engineer
requesting access to these IT systems has met the eligibility requirements, such
as a background screen, fingerprinting, required security training and access
approvals. In addition, the access levels are reviewed on a periodic basis to
ensure that only users who have appropriate business justification have access to
the systems. User access to data is also limited by user role. For example, system
administrators are not provided with database administrative access.
c. Are there documented security procedures for
safeguarding hardware, software and data in the CSP?
IT Guidelines, Appendix 75e, Annex A, Security and Privacy.
Yes.
The security procedures for safeguarding hardware, software and data are
documented in detail by Microsoft in its Standard Response to Request for
Information – Security and Privacy. This confirms how the following aspects of
Microsoft’s operations safeguard hardware, software and data:
Compliance;
Data Governance;
Facility;
Human Resources;
Information Security;
Legal;
Operations;
Risk Management;
Release Management;
Resiliency; and
Security Architecture.
Further details of Microsoft’s preventative and detection security procedures are
included in the response to question B.4.g. above and question B.5.d. below.
In choosing Microsoft, we also took into account the fact that the European
Union’s data protection authorities have found that Microsoft’s enterprise cloud
contracts meet the high standards of EU privacy law. Microsoft is the first – and so
far the only – company to receive this approval.
d. What security controls are in place to protect the
transmission and storage of information/data within the
CSP infrastructure?
IT Guidelines, Appendix 75e, Annex A, Security and Privacy.
Microsoft as an outsourcing partner is an industry leader in cloud security and
implements policies and controls on par with or better than on-premises data
centers of even the most sophisticated organizations. Azure was built based on
ISO/IEC 27001 standards, a rigorous set of global standards covering physical,
logical, process and management controls. This makes us confident that there
are very robust security controls in place to protect the transmission and storage
of information/data within Microsoft’s infrastructure.
Some information has already been provided on Microsoft’s security controls in
Section B.4.g. and B.4.c. above. The following security features are also relevant
to protecting the transmission and storage of information/data within the Microsoft
infrastructure:
a. The Microsoft Azure security features consist of three parts: (a) built-in
security features; (b) security controls; and (c) scalable security. These
include 24-hour monitored physical hardware, isolated customer data,
automated operations and lock-box processes, secure networks and
encrypted data.
b. Microsoft implements the Microsoft Security Development Lifecycle
(“SDL”) which is a comprehensive security process that informs every
stage of design, development and deployment of Microsoft software and
services, including Azure. Through design requirements, analysis of
attack surface and threat modeling, the SDL helps Microsoft predict,
identify and mitigate vulnerabilities and threats from before a service is
launched through its entire production lifecycle.
c. Networks within the Azure data centers are segmented to provide physical
separation of critical back-end servers and storage devices from the
public-facing interfaces. Edge router security allows the ability to detect
intrusions and signs of vulnerability. Azure uses industry-standard
transport protocols such as SSL and TLS between user devices and
Microsoft data centers, and within data centers themselves. With virtual
networks, industry standard IPsec protocol can be used to encrypt traffic
between the corporate VPN gateway and Azure. Encryption can be
enabled for traffic between VMs and end users. Microsoft also implements
traffic throttling to prevent denial-of-service attacks. It uses the “prevent,
detect and mitigate breach” process, as described in the response to
question B.4.g. above.
d. From a people and process standpoint, preventing breach involves
auditing all operator/administrator access and actions, zero standing
permission for administrators in the service, “Just-In-Time (JIT) access
and elevation” (that is, elevation is granted on an as-needed and only-at-
the-time-of-need basis) of engineer privileges to troubleshoot the service,
and segregation of the employee email environment from the production
access environment. Employees who have not passed background
checks are automatically rejected from high privilege access, and
checking employee backgrounds is a highly scrutinized, manual-approval
process.
e. Content is encrypted, as described in the response to question B.5.e.
below.
e. How is end-to-end application encryption security
implemented to protect confidential/sensitive data
transmitted between terminals and hosts?
IT Guidelines, Appendix 75e, Annex A, Security and Privacy: “A multi-tenant cloud
deployment…increases the need for data protection through encryption”.
Azure offers a wide range of data encryption capabilities up to AES-256. Options
include .NET cryptographic services, Windows Server public key infrastructure
(PKI) components, Active Directory Rights Management Services (AD RMS), and
BitLocker for data import/export scenarios.
Networks within the Azure data centers are segmented to provide physical
separation of critical back-end servers and storage devices from the public-facing
interfaces. Edge router security allows the ability to detect intrusions and signs of
vulnerability. Azure uses industry-standard transport protocols such as SSL and
TLS between user devices and Microsoft data centers, and within data centers
themselves. With virtual networks, industry standard IPsec protocol can be used
to encrypt traffic between the corporate VPN gateway and Azure. Encryption can
be enabled for traffic between VMs and end users.
f. How do the Bank and the CSP address the risk to
compromise of confidential/sensitive information
through unauthorized third-party access or access by
the CSP employees?
IT Guidelines, Appendix 75e, Annex A, Security and Privacy, states that
organizations need to address the risk of compromising confidential information
through third party access. The sample answer below relates to Microsoft’s own
controls. The response should also address and detail your own access controls.
Microsoft has in place the following access controls:
a. Physical access control uses multiple authentication and security
processes, as described in the response to question B.4.g. above.
b. Microsoft applies strict controls over which personnel roles and personnel
will be granted access to customer data. Personnel access to the IT
systems that store customer data is strictly controlled via RBAC (as
defined above) and lock box processes. Access control is an automated
process that follows the separation of duties principle and the principle of
granting least privilege. This process ensures that the engineer requesting
access to these IT systems has met the eligibility requirements, such as a
background screen, fingerprinting, required security training and access
approvals. In addition, the access levels are reviewed on a periodic basis
to ensure that only users who have appropriate business justification have
access to the systems. User access to data is also limited by user role.
For example, system administrators are not provided with database
administrative access.
c. System level data such as configuration data/files and commands are
managed as part of the configuration management system. Any change to,
update of, or deletion of those data/files/commands will be automatically
deleted by the configuration management system as an anomaly.
g. How are CSP customers/subscribers authenticated?
IT Guidelines, Appendix 75e, Annex A, Security and Privacy.
Azure can use two-factor authentication to enhance security. Typical
authentication practices that require only a password to access resources may not
provide the appropriate level of protection for information that is sensitive or
vulnerable. Two-factor authentication is an authentication method that applies a
stronger means of identifying the user. The Microsoft phone-based two-factor
authentication solution allows users to receive their PINs sent as messages to
their phones, and then they enter their PINs as a second password to log on to
their services.
h. Describe security controls in the following areas:
I. Security administration/system access functions
II. Password administration and management
III. Privilege accounts
IV. Remote access activities
V. Change management
IT Guidelines, Appendix 75e, Annex A, Security and Privacy.
Taking each of the sections in turn:
I. Security administration/system access functions. We are primarily in
charge of security administration and systems. Our service provider,
Microsoft, performs certain of these functions on our behalf and to our
requirements pursuant to the contractual arrangements that we have in
place with Microsoft. Microsoft effectively works alongside our IT and
operations teams to ensure performance to the required standards. We
retain ownership of all data that is hosted by Microsoft. We are also aware
that our primary responsibility, which is to our customers, remains
unchanged by virtue of us using Azure.
II. Password administration and management. All access to production
and customer data requires multi-factor authentication. Use of strong
passwords is mandatory and passwords must be changed on a regular
basis.
III. Privilege accounts are managed as follows:
a. Access to the IT systems that store customer data is strictly controlled via
RBAC and lock box processes. Access control is an automated process
that follows the separation of duties principle and the principle of granting
least privilege. This process ensures that the engineer requesting access
to these IT systems has met the eligibility requirements, such as a
background screen, fingerprinting, required security training, and access
approvals. In addition, the access levels are reviewed on a periodic basis
to ensure that only users who have appropriate business justification have
access to the systems. User access to data is also limited by user role.
For example, system administrators are not provided with database
administrative access.
b. In emergency situations, a “Just-In-Time (JIT) access and elevation”
system is used to grant engineer privileges to troubleshoot the service
(that is, elevation is granted on an as-needed and only-at-the-time-of-need
basis).
c. An internal, independent Microsoft team will audit the log at least once per
quarter.
d. All logs are saved to the log management system which a different team
of administrators manages. All logs are automatically transferred from the
production systems to the log management system in a secure manner
and stored in a tamper-protected way.
IV. Remote access activities. Administrators who have access to
applications have no physical access to the production environment, so they
must connect through a controlled, monitored remote access facility. All
operations through this remote access facility are logged.
V. Change management. The Microsoft Azure change management team
directs the process and procedures related to approval, scheduling,
testing, and deployment of changes in the pre-production and production
Azure infrastructure environments. The approach used in this service
management function is built on the Information Technology Infrastructure
Library (ITIL) and Microsoft Operations Framework (MOF) standards,
which aligns with the change management process used in most
organizations.
i. Describe the physical and environmental controls
available at the primary and secondary sites.
IT Guidelines, Appendix 75e, Annex A, Security and Privacy.
a. Physical: Infrastructure/security/terrorism. Microsoft’s data centers are
built to exacting standards, designed to protect customer data from harm
and unauthorized access. Data center access is restricted 24 hours per
day by job function so that only essential personnel have access. Physical
access control uses multiple authentication and security processes,
including badges and smart cards, biometric scanners, on-premises
security officers, continuous video surveillance and two-factor
authentication. The data centers are monitored using motion sensors,
video surveillance and security breach alarms.
b. Environmental (i.e. earthquakes, typhoons, floods). Microsoft data
centers are built in seismically safe zones. Environmental controls have
been implemented to protect the data centers including temperature
control, heating, ventilation and air-conditioning, fire detection and
suppression systems and power management systems, 24-hour
monitored physical hardware and seismically-braced racks. These
requirements are covered by Microsoft’s ISO/IEC 27001 accreditation for
Azure.
j. How and who will perform the monitoring and
management for integrity, checking, compliance
checking, security monitoring, network performance?
IT Guidelines, Appendix 75e, Annex A, states that “continuous monitoring of
information security requires maintaining ongoing awareness of security controls,
vulnerabilities, and threats to support risk management decisions”. BSP
acknowledges that FSIs will, to some extent, be dependent on CSPs for some of
the monitoring but does expect that overall responsibility and oversight remains
with the FSI.
Overall responsibility for these matters remains with our organization and we have
procedures in place to monitor overall performance, as described in our response
to question B.4.e., above.
Microsoft will perform the technical monitoring and management functions on our
behalf. System level data such as configuration data/files and commands are
managed as part of the configuration management system. Any changes or
updates to or deletion of those data/files/commands will be automatically deleted
by the configuration management system as anomalies.
We will receive information about system integrity, security monitoring and
network performance through the Azure Service Health Dashboard, as described
in our response to question B.4.e., above.
k. Are there procedures established to securely destroy
or remove the data when the need arises?
IT Guidelines, Appendix 75e, Annex A, reminds FSIs of the importance of
controlling data ownership, data location and retrieval.
Yes.
Microsoft uses best practice procedures and a wiping solution that is NIST 800-88
compliant, as described in the response to question B.4.l, above.
6. DATA OWNERSHIP AND DATA LOCATION AND RETRIEVAL
a. Where do data/information actually reside (or is
transitioning through) at a given point in time?
IT Guidelines, Annex A to Appendix 75e states that “the dynamic nature of cloud
computing may result in confusion as to where information actually resides”.
Microsoft is able to alleviate this concern by providing data location transparency.
Microsoft informs us that it takes a regional approach to hosting of Azure data.
Microsoft is transparent in relation to the location of our data. Microsoft data
center locations are made public on the Microsoft Trust Center.
b. Does management fully understand where data are
stored and how much control they have over those
data?
IT Guidelines, Annex A to Appendix 75, “Data Ownership and Data Location and
Retrieval”.
Yes.
Microsoft’s transparency as to data location was a key consideration as part of the
service provider selection process. Microsoft informs us that it takes a regional
approach to hosting of Azure data.
Microsoft enables customers to select the region from which their tenant is provisioned. Under
the OST, Microsoft commits that if a customer provisions its tenant in the United
States or EU, Microsoft will store the customer’s data at rest in the United States
or EU, as applicable.
The table below will need to be amended depending on the specific solution that
you are taking up.
#  | Locations of Data Centre | Classification of DC: Tier I, II, III or IV | Storing your organization’s data (Y/N)
1. |                          |                                             |
2. |                          |                                             |
c. Who has the legal ownership of data? Is ownership of
the data clearly stipulated in the SLA or other related
contract/agreement?
IT Guidelines, Annex A to Appendix 75: “The FSI’s ownership rights over the data
must be firmly established in the contract to enable a basis for trust and privacy of
data”.
We retain ownership of all data that is hosted by Microsoft and this is made clear
in our contract with them.
Microsoft has implemented a formal policy that requires assets (the definition of
asset includes data and hardware) used to provide Microsoft’s services to be
accounted for and have a designated asset owner. Asset owners are responsible
for maintaining up-to-date information regarding their assets.
“Allocation of information security responsibilities and ownership of assets” is
covered under the ISO/IEC 27001 standards, specifically addressed in Annex A,
domains 6.1.3 and 7.1.2. For more information, we suggest reviewing the publicly
available ISO standards against which Microsoft is certified.
It is also relevant to note that the European Union’s data protection authorities
have found that Microsoft’s enterprise cloud contracts meet the high standards of
EU privacy law. Microsoft is the first – and so far the only – company to receive
this approval.
d. Are the Bank’s data stored in the CSP’s systems
commingled with those of other subscribers? Describe
how the CSP is able to isolate and clearly identify
Bank’s data to protect their confidentiality.
IT Guidelines, Annex A to Appendix 75e states that “the FSI should pay attention
to the CSP’s ability to isolate and clearly identify its customer data”.
Active Directory isolates customers using security boundaries (also known as
silos). This safeguards a customer’s data so that the data cannot be accessed or
compromised by co-tenants.
7. BUSINESS CONTINUITY PLANNING
a. Does the CSP have a business continuity or disaster
recovery plan? If yes, provide documentation or details.
IT Guidelines, Annex A to Appendix 75e states that “it is critical to ensure the
viability of the CSP’s business continuity and disaster recovery plans to address
broad-based disruptions to its capabilities and infrastructure”.
Yes.
Microsoft offers contractually-guaranteed uptime, globally available data centers
for primary and backup storage, physical redundancy at disk, NIC, power supply
and server levels, constant content replication, robust backup, restoration and
failover capabilities, real-time issue detection and automated response such that
workloads can be moved off any failing infrastructure components with no
perceptible impact on the service, and 24/7 on-call engineering teams.
See also the response to B.7.c., below.
b. What are the recovery time objectives (RTO) and
recovery point objectives (RPO) of systems or
applications outsourced to the CSP?
IT Guidelines, Annex A to Appendix 75e: “Recovery Time Objectives should also
be clearly stated in the contract”.
RTO: 30 min or less for Virtual Machines and Storage, 1 hour or less for Virtual
Network.
RPO: 1 minute or less for Storage.
c. What are the data backup and recovery arrangements
for your Bank’s data that reside with the CSP? In case
the Bank becomes offline, how would the CSP
synchronize data and processes that reside in the
cloud?
IT Guidelines, Annex A to Appendix 75e.
Microsoft’s arrangements are as follows:
Redundancy
Physical redundancy at server, data center, and service levels;
Data redundancy with robust failover capabilities; and
Functional redundancy with offline functionality.
Resiliency
Active load balancing;
Automated failover with human backup; and
Recovery testing across failure domains.
Distributed Services
Distributed component services limit scope and impact of any failures in a
component;
Directory data replicated across component services insulates one service
from another in any failure events; and
Simplified operations and deployment.
Monitoring
Internal monitoring built to drive automatic recovery;
Outside-in monitoring raises alerts about incidents; and
Extensive diagnostics provide logging, auditing, and granular tracing.
Simplification
Standardized hardware reduces issue isolation complexities;
Fully automated deployment models; and
Standard built-in management mechanism.
Human backup
Automated recovery actions with 24/7 on-call support;
Team with diverse skills on the call provides rapid response and
resolution; and
Continuous improvement by learning from the on-call teams.
Continuous learning
If an incident occurs, Microsoft does a thorough post-incident review every
time; and
Microsoft’s post-incident review consists of analysis of what happened,
Microsoft’s response, and Microsoft’s plan to prevent it in the future.
For the avoidance of doubt, the nature of the services provided as part of Azure
does not give rise to a risk that the Bank itself could become “offline” (i.e. there
would be no implication for core banking functions such as transaction
processing). In the event the Bank was affected by a service incident, the process
described in the response to question B.4.f. above would apply.
d. How frequently does the CSP conduct business
continuity and disaster recovery tests? Describe the
BCP/DRP testing methodology?
IT Guidelines, Annex A to Appendix 75e: “The plans must be well documented
and tested”.
Microsoft carries out disaster recovery testing at least once per year.
Business Continuity Management (“BCM”) forms part of the scope of the
accreditation that Microsoft retains in relation to the online services, and Microsoft
commits to maintain a data security policy that complies with these accreditations
(see OST page 13). BCM also forms part of the scope of Microsoft’s annual third
party compliance audit. If anything further is required we would work with
Microsoft to provide whatever further clarity the regulator may require in this
regard.
e. In relation to the above, describe how test results are
validated?
IT Guidelines, Annex A to Appendix 75e: “The plans must be well documented
and tested”.
As part of Microsoft’s certification requirements, it is required to undergo regular
independent third party auditing and Microsoft shares with us the independent
third party audit reports. Microsoft also agrees, as part of the compliance program,
to the customer’s right to monitor and supervise.
f. Describe the prioritization agreements among
subscribers in cases of multiple/simultaneous
disasters?
IT Guidelines, Annex A to Appendix 75e: “Other BCP-related concerns which
must be addressed include…Prioritization agreements in case of
multiple/simultaneous disasters”.
Not applicable. There are no prioritization agreements amongst Microsoft
subscribers. Our organization would be subject to the same prioritization as any
other customer of the same services from Microsoft. Of course, the services are
protected by Microsoft’s SLA and its coinciding terms and conditions. More
information on the SLA is available at: http://azure.microsoft.com/en-us/support/legal/sla/.
APPENDIX ONE
MANDATORY CONTRACTUAL REQUIREMENTS
This table sets out the specific items that must be covered in the FSI’s agreement with the Service Provider.
Key:
Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.
In blue text, Microsoft has provided you with a reference to where in the agreement the contractual requirement is covered for ease of reference.
Terms used below are as follows:
OST = Online Services Terms
EA = Enterprise Agreement
Enrolment = Enterprise Enrolment
FSA = Financial Services Amendment
MBSA = Microsoft Business and Services Agreement
PUR = Product Use Rights
SLA = Online Services Service Level Agreement
Ref. Requirement Microsoft agreement reference
1. Does the SLA cover the minimum provisions
required under the existing rules and
regulations on outsourcing? (Circular
No.765)
Cloud Computing Questionnaire – section B.4a (see above)
Yes.
We have reviewed the list in Circular No.765 and are satisfied that the SLA, in combination with the rest
of the MBSA, satisfies the minimum provisions.
The SLA is available at:
http://azure.microsoft.com/en-us/support/legal/sla/
and the MBSA is available upon request. The SLA is contained within the MBSA.
2. Does the SLA clearly disclose other parties
(i.e. subcontractors) that are involved in the
delivery of cloud services?
Cloud Computing Questionnaire – section B.4b (see above)
Yes.
See page 9 of the OST, under which Microsoft is permitted to hire subcontractors.
Microsoft maintains a list of authorized subcontractors for the online services that have access to our
data and provides us with a mechanism to obtain notice of any updates to that list (OST, page 10). The
actual list is published on the applicable Trust Center. If we do not approve of a subcontractor that is
added to the list, then we are entitled to terminate the affected online services.
The confidentiality of our data is protected when Microsoft uses subcontractors because Microsoft
commits that its subcontractors “will be permitted to obtain Customer Data only to deliver the services
Microsoft has retained them to provide and will be prohibited from using Customer Data for any other
purpose” (OST, page 9).
Microsoft commits that any subcontractors to whom Microsoft transfers our data will have entered into
written agreements with Microsoft that are no less protective than the data processing terms in the OST
(OST, page 11).
Under the terms of the OST, Microsoft remains contractually responsible (and therefore liable) for its
subcontractors’ compliance with Microsoft’s obligations in the OST (OST, page 9). In addition,
Microsoft’s commitment to ISO/IEC 27018 requires Microsoft to ensure that its subcontractors are
subject to the same security controls as Microsoft is subject to. Finally, the EU Model Clauses, which
are included in the OST, require Microsoft to ensure that its subcontractors outside of Europe comply
with the same requirements as Microsoft and set out in detail how Microsoft must achieve this.
3. What monitoring processes does the Bank
have to manage the cloud outsourcing?
Please describe and provide documentation.
Cloud Computing Questionnaire – section B.4e (see above)
The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify
that the online services meet appropriate security and compliance standards. This commitment is
reiterated in the FSA.
Clause 1f of the FSA gives the customer the opportunity to participate in the Microsoft Online Services
Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability to (a)
assess the services’ controls and effectiveness, (b) access data related to service operations, (c)
maintain insight into operational risks of the services, (d) be provided with additional notification of
changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback
on areas for improvement in the services.
In addition, clauses 1e and 1f of the FSA detail the examination and influence rights that are granted to
the customer and BSP. Clause 1e sets out a process which can culminate in the regulator’s
examination of Microsoft’s premises. Clause 1f gives the customer the opportunity to participate in the
Microsoft Online Services Customer Compliance Program described above.
4. Is ownership of the data clearly stipulated in
the SLA or other contract/agreement?
Cloud Computing Questionnaire – section B.6c (see above)
Yes.
Ownership of Customer Data remains at all times with the customer (see OST, page 8).
5. Does the service provider have a business
continuity or disaster recovery plan? If yes,
provide documentation or details.
Cloud Computing Questionnaire – section B.6d (see above)
Yes.
As set out on page 13 of the OST, Microsoft maintains emergency and contingency plans for the
facilities in which Microsoft information systems that process Customer Data are located. Business
Continuity Management forms part of the scope of the accreditation that Microsoft retains in relation to
the online services, and Microsoft commits to maintain a data security policy that complies with these
accreditations (see OST page 13). Business Continuity Management also forms part of the scope of
Microsoft’s annual third party compliance audit.