Confidential
Page 1 of 55
THE PHILIPPINES
GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE TO FINANCIAL SERVICES
INSTITUTIONS USING CLOUD COMPUTING
Last updated: November 2014
1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?
This guidance document provides a guide to complying with the regulatory process and requirements applicable to financial services institutions using
cloud computing. In this guidance, financial services institutions means banks and other BSP-supervised institutions (“FSIs”).
Sections 2 to 6 of this guidance set out information about the regulatory process and the regulations that apply.
Section 7 of this guidance is intended to make the process easier for you by providing information, tips and template responses for each of the
questions contained in the Cloud Computing Questionnaire. The template responses may provide sufficient detail, but if you require further
information, Microsoft will be happy to provide this if you get in touch with your Microsoft contact. Microsoft has, in the relevant places within this
guidance document, inserted some links to relevant laws and guidance for your ease of reference.
Appendix One also contains a list of the contractual requirements mandated by the relevant regulation.
Note that this document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment on the part of
Microsoft or its affiliates. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your
technology outsourcing project and your legal regulatory obligations. If you have any questions, please do not hesitate to get in touch with your
Microsoft contact.
2. WHAT REGULATIONS AND GUIDANCE ARE RELEVANT?
BSP has created the Cloud Computing Questionnaire from its own rules and guidance documents on technology risk management, outsourcing and
cloud computing, and other relevant statute and regulation, including:
BSP Guidelines on Information Technology Risk Management for All Banks and Other BSP Supervised Institutions (“IT Guidelines”),
BSP Revised Outsourcing Framework for Banks,
BSP’s “Manual of Operation for Banks” and
other underlying laws and regulations such as the Bank Deposits Secrecy Law.
3. WHO IS/ARE THE RELEVANT REGULATOR(S)?
Bangko Sentral ng Pilipinas (“BSP”)
4. IS REGULATORY APPROVAL REQUIRED IN THE PHILIPPINES?
Yes.
BSP is aware of the general trend of FSIs wishing to use cloud IT solutions such as Microsoft Office 365. It currently requires that all FSIs obtain the
prior approval of the Monetary Board in order to outsource IT systems and processes.
5. IS/ARE THERE (A) SPECIFIC FORM OR QUESTIONNAIRE(S) TO BE COMPLETED?
Yes.
In order to streamline the process of obtaining approval, BSP has issued the attached “Cloud Computing Questionnaire”, which contains a number of
questions about an FSI’s decision to use a cloud computing solution. The main purpose of the Cloud Computing Questionnaire is to establish that your
organization has carried out appropriate due diligence and that the proposed service complies with applicable regulatory requirements in relation to
issues such as data security, confidentiality and disaster recovery. You are required to complete this questionnaire as part of the approval process.
6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?
Yes.
The Cloud Computing Questionnaire itself contains some questions which ask for confirmation that certain specific items are covered in the Bank’s
contract with its service provider. Appendix One contains a comprehensive list and details of where in the Microsoft contractual documents these
points are covered.
7. CHECKLIST
Key:
In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the
point raised in the checklist. Some points are specific to your own internal operations and processes and you will need to complete these answers as
well.
In red italics, Microsoft has provided guidance to assist you with the points in the checklist.
Ref Question/requirement Template response and guidance
A. OVERVIEW OF THE OUTSOURCED ACTIVITIES AND SERVICE PROVIDER/S
1. Describe all proposed activities and operations to be outsourced
to the Cloud Service Provider (“CSP”).
IT Guidelines, Appendix 75e, Section 3, states that “prior to entering into an
outsourcing plan, the FSI should clearly define the business requirements for the
functions or activities to be outsourced”.
Certain IT functions will be outsourced through the use of Microsoft’s “Office 365”
service, which is described in more detail here: Microsoft Office 365.
Amongst other things, the Office 365 service includes:
Microsoft Office applications hosted in the “cloud”;
Hosted email;
Web conferencing, presence and instant messaging;
Data and application hosting;
Spam and malware protection; and
IT support services.
We will not be outsourcing any core or inherent banking functions such as
services associated with placement of deposits and withdrawals.
2. Who is the CSP? Please provide company profile/background. In
relation to outsourcing of the above activities, identify and provide
background of all the other vendors/subcontractors that are in
critical path of the CSP?
IT Guidelines, Appendix 75e, Section 3, states that “Before selecting a service
provider, the FSI should perform appropriate due diligence”. Details of the
Microsoft corporate entity providing the services, and how Microsoft works with
third party subcontractors, are provided below. If you require further information
about any third parties involved in Microsoft’s service provision, please reach
out to your Microsoft contact.
The CSP is Microsoft Operations Pte Ltd, the regional licensing entity for Microsoft
Corporation, a global provider of information technology devices and services,
which is publicly-listed in the USA (NASDAQ: MSFT). Microsoft’s full company
profile is available here: https://www.microsoft.com/en-us/news/inside_ms.aspx.
Microsoft does use sub-contractors to provide certain ancillary assistance, but not
for any critical path roles. An up-to-date list of all subcontractors used to provide
the ancillary services (including exact services) is available at
http://trustoffice365.com.
3. Describe in detail all the data that would be processed or stored
by the CSP.
IT Guidelines, Annex A to Appendix 75e states that “It is important that FSIs
maintain a comprehensive data inventory and a suitable data classification
process”. You will need to tailor this section depending on what data you intend to
store or process within Office 365.
Customer data (including customer name, contact details, account
information, payment card data, security credentials and correspondence)
(but not any data to which the Law on Secrecy of Deposits applies – see
question B.1a., below).
Employee data (including employee name, contact details, internal and
external correspondence by email and other means and personal
information relating to their employment with the organization).
Transaction data (data relating to transactions in which the organization is
involved).
Indices (for example, market feeds).
Other personal and non-personal data relating to the organization’s
business operations as a FSI.
We ensure, pursuant to the terms of the contract in place with Microsoft, that all
data (but in particular any customer data) is treated with the highest level of
security so that we can continue to comply with our legal and regulatory
obligations and our commitments to customers. We do of course only collect and
process data that is necessary for our business operations in compliance with all
applicable laws and regulation and this applies whether we process the data on
our own systems or via a cloud solution such as Microsoft Office 365.
4. What type of cloud services/cloud deployment model would the
CSP be implementing for the Bank?
In IT Guidelines, Appendix 75e, Section 4.3, BSP lists four different cloud
deployment models: private, public, community and hybrid.
Select the following text if using Office 365 multi-tenanted version:
Public Cloud: Office 365 is a multi-tenant service. It hosts multiple tenants in a
secure way through logical data isolation/separation. Data storage and processing
for each tenant is segregated through Active Directory structure and capabilities
specifically developed to help build, manage, and secure multi-tenant
environments. Active Directory isolates customers using security boundaries (also
known as silos). This safeguards a customer’s data so that the data cannot be
accessed or compromised by co-tenants.
Select the following text if using Office 365 dedicated version:
Private Cloud: We have secured an offering that provides for a dedicated hosted
offering, which means that our data is hosted on hardware dedicated to us.
5. Will the proposed outsourcing require offshoring? If so, from
which territory(ies) will the outsourced cloud services be
provided?
IT Guidelines, Annex A to Appendix 75e states that “such concerns [about risks
relating to data ownership and location] can be alleviated if the CSP has some
reliable means to ensure that an organization’s data is stored and processed only
within specific jurisdictions”. Microsoft has provided some additional optional
wording below to explain the location of Microsoft’s data centers in more detail.
Yes. Microsoft is transparent in relation to the location of our data. Microsoft data
center locations are made public on the Microsoft Trust Center.
The table below will need to be amended depending on the specific solution that
you are taking up.
No. | Location of Data Centre | Classification of DC: Tier I, II, III or IV | Storing your organization’s data (Y/N)
1.  |                         |                                             |
2.  |                         |                                             |
a. Political (e.g. cross-border conflict, political unrest). Office 365 offers
data-location transparency so that the organizations and regulators are
informed of the jurisdiction(s) in which data is hosted. We are confident that
Microsoft’s data center locations offer extremely stable political environments.
b. Country/socioeconomic. Office 365 offers data-location transparency so that
the organizations and regulators are informed of the jurisdiction(s) in which
data is hosted. The centers are strategically located around the world taking
into account country and socioeconomic factors. We are confident that
Microsoft’s data center locations offer extremely stable socioeconomic
environments.
c. Infrastructure/security/terrorism. Microsoft’s data centers are built to
exacting standards, designed to protect customer data from harm and
unauthorized access. Data center access is restricted 24 hours per day by job
function so that only essential personnel have access. Physical access control
uses multiple authentication and security processes, including badges and
smart cards, biometric scanners, on-premises security officers, continuous
video surveillance and two-factor authentication. The data centers are
monitored using motion sensors, video surveillance and security breach alarms.
d. Environmental (e.g. earthquakes, typhoons, floods). Microsoft data centers
are built in seismically safe zones. Environmental controls have been
implemented to protect the data centers including temperature control,
heating, ventilation and air-conditioning, fire detection and suppression
systems and power management systems, 24-hour monitored physical
hardware and seismically-braced racks. These requirements are covered by
Microsoft’s ISO/IEC 27001 accreditation for Office 365.
Legal. We will have in place a binding negotiated contractual agreement with
Microsoft in relation to the outsourced service, giving us direct contractual rights.
We also took into account the fact that Office 365 was built based on ISO 27001
standards, a rigorous set of global standards covering physical, logical, process
and management controls. Finally, we took into account the fact that Microsoft
offers access and regulator audit rights thereby allowing us to comply with our
regulatory obligations in this respect.
B. ADDRESSING CLOUD RISKS AND OTHER AREAS OF CONCERN
1. Legal and Regulatory Compliance
a. Law on Secrecy of Deposits (R.A. No. 1405) Law on Secrecy of Deposits.
Not applicable since we will not be sharing with Microsoft any information
regarding deposits. This law is not relevant to the use of Office 365, since it is just
Microsoft Office applications hosted in the cloud.
As required by the Law on Secrecy of Deposits, we will not be sharing with
Microsoft or any other contractor information regarding deposits. We will continue
to treat such information in the strictest confidence in compliance with our legal
obligations. Accordingly, use of Microsoft Office 365 does not create any risk of
non-compliance with the Law on Secrecy of Deposits.
b. Foreign Currency Deposit System (R.A. 6426) Foreign Currency Deposit System.
Not applicable since we will not be using Office 365 to engage in transactions
directly related to foreign currencies.
We will not be using Microsoft Office 365 to engage in transactions related to
foreign currencies, which are the types of transaction that the Foreign Currency
Deposit System regulates. Accordingly, use of Microsoft Office 365 does not
create any risk of non-compliance with the Foreign Currency Deposits System.
c. Anti-Money Laundering Act, particularly on data/ file
retention
Anti-Money Laundering Council guidance.
Not applicable.
Our use of Microsoft Office 365 would not have any negative impact on our ability
to comply with our requirements under the Anti-Money Laundering Act, since it
does not change our processes, and data and documents will continue to be
available to us on a constant basis.
In particular, our use of Microsoft Office 365 will not change our approach to: (a)
customer identification – we will continue to establish and record the true identity
of our customers in the same way; and (b) covered transactions – we will continue
to have procedures in place to report these in the same way.
Regarding data and file retention - we are aware of our obligations to keep records
in respect of transactions, customer identification, account files, business
correspondence, etc. Microsoft has in place excellent data backup and recovery
arrangements for data residing within its data centers, so to the extent that any of
the required records are stored within Microsoft’s data centers, we are confident
that we will continue to comply with our record-keeping obligations. Indeed,
additional comfort and security will be assured as a result.
Please find below some further information about the data backup and recovery
arrangements that Microsoft has in place to protect our records and ensure that
they are available to us on a constant basis:
Redundancy
Physical redundancy at server, data center, and service levels;
Data redundancy with robust failover capabilities; and
Functional redundancy with offline functionality.
Resiliency
Active load balancing;
Automated failover with human backup; and
Recovery testing across failure domains.
Distributed Services
Distributed component services like Exchange Online, SharePoint Online,
and Lync Online limit scope and impact of any failures in a component;
Directory data replicated across component services insulates one service
from another in any failure events; and
Simplified operations and deployment.
Monitoring
Internal monitoring built to drive automatic recovery;
Outside-in monitoring raises alerts about incidents; and
Extensive diagnostics provide logging, auditing, and granular tracing.
Simplification
Standardized hardware reduces issue isolation complexities;
Fully automated deployment models; and
Standard built-in management mechanism.
Human backup
Automated recovery actions with 24/7 on-call support;
Team with diverse skills on the call provides rapid response and
resolution; and
Continuous improvement by learning from the on-call teams.
Continuous learning
If an incident occurs, Microsoft does a thorough post-incident review every
time; and
Microsoft’s post-incident review consists of analysis of what happened,
Microsoft’s response, and Microsoft’s plan to prevent it in the future.
d. Electronic Commerce Act (R.A. 8792) Electronic Commerce Act.
The Electronic Commerce Act applies to our use of Office 365. The law imposes a
general obligation of confidentiality over “any electronic key, electronic data
message, or electronic document, book, register, correspondence, information, or
other material.”
Our use of Microsoft Office 365 will not have any negative impact on our ability to
comply with the requirements of the Electronic Commerce Act. Indeed, we
consider that our use of Microsoft Office 365 is actually in line with the
requirements of the Act and its obligation of confidentiality.
e. Data Privacy Law Data Privacy Act.
Our use of Microsoft Office 365 would not cause us to fail to meet any obligation
we may have under the Data Privacy Act. In fact, we think that Microsoft Office
365 has features that will help us comply with certain provisions (including security
obligations). We will continue to maintain overall responsibility and accountability
for compliance with the Data Privacy Act.
In relation to the specific requirements of the Privacy Act that apply to the use of
cloud services:
a. We have an obligation to implement reasonable and appropriate
organizational, physical and technical measures to protect personal
information. We are satisfied with Microsoft’s security procedures, as
described in its Standard Response to Request for Information – Security
and Privacy (and further described in other parts of this document).
b. We have an obligation to use contractual or other reasonable means to
provide a comparable level of protection while the information is being
processed by Microsoft. We are satisfied that our legally-binding
agreement with Microsoft, and the operational procedures we have in
place to monitor compliance, together with our choice of service provider,
will provide at least a comparable level of protection for personal
information. Our contract with Microsoft ensures that all data (but in
particular any customer data) is treated with the highest level of security
enabling us to continue to comply with our legal and regulatory obligations
and our commitments to customers.
We also took into account the fact that the European Union’s data protection
authorities have found that Microsoft’s enterprise cloud contracts meet the high
standards of EU privacy law. Microsoft is the first – and so far the only – company
to receive this approval.
f. Regulations concerning IT risk management, electronic
banking and reporting of security incidents.
BSP Guidelines on Information Technology Risk Management, Electronic Banking
Regulations (Circular No. 240 series of 2000; Circular No. 269 series of 2000; and
Circular No. 542 series of 2006) and BSP’s Internet and Wireless Banking
Security Measures (Appendix B to BSP Circular No. 542 s. 2006 on Consumer
Protection for Electronic Banking).
The BSP Guidelines on Information Technology Risk Management
for All Banks and Other BSP Supervised Institutions: Our use of
Microsoft Office 365 would not cause us to fail to meet any obligation we
may have under the IT risk management regulations. Our responses to
questions about IT risk management elsewhere in this document are
based on the requirements in the IT risk management regulations. We
consider that Microsoft Office 365 meets these requirements.
Electronic Banking: Electronic Banking Regulations govern e-banking
services and products offered by banks to their customers. They are not
applicable since we will not be using Office 365 for e-banking services.
Reporting of Security Incidents: The existing regulations do not
specifically provide for reporting of security incidents; they do not define
the term “security incident” and there is no prescribed format for reporting
“security incidents”. The BSP’s Internet and Wireless Banking Security
Measures (Appendix B to BSP Circular No. 542 s. 2006 on Consumer
Protection for Electronic Banking) mentions “security incidents” but only in
the context of directing banks to “establish an incident management and
response plan and test the predetermined action plan relating to security
incidents”. Office 365 includes an incident management and response
plan (that is tested) that goes beyond these regulatory requirements. See
our answer to question B.4.g below for more details.
g. How does the Bank (and its CSP) ensure consumer
protection under a cloud environment?
For example, BSP Handbook on Consumer Laws Covering BSP-Supervised
Financial Institutions. The majority of these rules would not be applicable to the
use of Office 365, since they tend to cover customer-facing functions such as
deposits, credit etc.
We have in place internal processes and procedures to ensure that our
consumers are protected. This will not change through the proposed use of cloud
services. We have reviewed the BSP Handbook on Consumer Laws Covering
BSP-Supervised Financial Institutions and do not believe that our use of Office
365 would inhibit our ability to comply with these requirements. In fact, we believe
that Office 365 will actually have some major benefits for our IT operations and,
accordingly, improve the overall service that we are able to provide to customers.
h. How would the Bank guarantee the grant of BSP
access to CSP’s infrastructure to determine
compliance with applicable laws and regulations and
assess soundness of risk management processes and
controls in place?
IT Guidelines, Annex A to Appendix 75e states that “the CSP should grant BSP
access to its cloud infrastructure to determine compliance with applicable laws
and regulations and assess soundness of risk management processes and
controls in place”. Microsoft does grant this kind of access. Microsoft also offers a
Compliance Framework Program for FSIs. If you take up the Compliance
Framework Program, you may add this additional information about its key
features: the regulator audit/inspection right, access to Microsoft’s security policy,
the right to participate at events to discuss Microsoft’s compliance program, the
right to receive audit reports and updates on significant events, including security
incidents, risk-threat evaluations and significant changes to the business
resumption and contingency plans.
We have agreed with Microsoft that the BSP will have an audit/inspection right, so
that the BSP can carry out inspections or examinations of Microsoft’s facilities,
systems, processes and data relating to the services to determine and confirm
that it is in compliance with applicable laws and regulations and assess the
soundness of the risk management processes and controls which it has in place.
The willingness of Microsoft to agree to a regulator audit/inspection is a key
advantage of the Microsoft offering over many of the other CSPs offerings and
one of our reasons for choosing this solution.
2. GOVERNANCE AND RISK MANAGEMENT
a. Has Bank management considered the overall
business and strategic objectives prior to outsourcing
the specific IT operations?
BSP expects that management would need to have considered the overall
business and strategic objectives (IT Guidelines, Annex A to Appendix 75e). The
sample answer below covers legal/regulatory compliance and customer
satisfaction, but we would suggest adding to this response details of:
internal processes that were carried out;
who handled the process and which areas of the business were involved
or advised; and
any external consultants or legal counsel involved.
Yes.
Management of our organization has been involved throughout to ensure that the
project aligns with our organization’s overall business and strategic objectives. At
the center of our objectives are of course legal and regulatory compliance and
customer satisfaction and these were the key objectives that management had in
mind when it considered this project. We are satisfied that this solution will ensure
legal and regulatory compliance because of the key features (including the
security and audit rights) forming part of the Office 365 service. We are also
satisfied that customer satisfaction will be maintained because we believe that
Office 365 will actually have some major benefits for our IT operations and,
accordingly, improve the overall service that we are able to provide to customers.
b. Does your Bank have a written, board-approved
outsourcing policy and rationale for outsourcing?
Please provide a copy of the outsourcing policy and
rationale.
BSP requires that banks have in place a comprehensive policy on outsourcing
duly approved by the board of directors of the bank (IT Guidelines, page 12). This
should be “an effective outsourcing oversight program that provides the framework
for management to understand, monitor, measure and control the risks associated
with outsourcing”. This will differ from one organization to another but would
typically include a framework to address the following:
Risk assessment in respect of the outsourcing (more details of which are
asked about in question d. below);
Selection of service providers (including appropriate due diligence);
Contract review; and
Ongoing review and monitoring.
c. What procedures does the Bank have in place to
ensure that all its relevant business units are fully
aware of, and comply with, the outsourcing policy?
You will need to explain how the relevant business units are brought under the
scope of the outsourcing policy.
d. Has a proper risk assessment of the elements specific
to the proposed cloud outsourcing been conducted?
Provide details on the risk assessment process.
Appendix 75e, Section 3.1 of the IT Guidelines. Clearly BSP expects that your
organization would have carried out a risk assessment. In summary, the risk
assessment should:
define the business requirements for the functions or activities to be
outsourced;
assess the risk of outsourcing those functions or activities;
establish appropriate measures to manage and control the identified risks;
and
take into account the criticality of the services to be outsourced, the
capability of the service provider and the technology it will use in
delivering the outsourced service.
If you have any questions when putting together a risk assessment, please do not
hesitate to get in touch with your Microsoft contact.
Yes.
Led by our management we have carried out a thorough risk assessment of the
move to Office 365. This risk assessment included:
[ ];
[ ]; and
[ ].
e. How does the Bank ensure that it maintains ultimate
responsibility for this outsourcing arrangement?
IT Guidelines, Appendix 75e, Section 2.1, which requires the Board and senior
management to maintain ultimate responsibility and accountability.
Handing over certain day-to-day responsibilities to an outsourcing provider
does present some challenges in relation to control. Essential to us is that, despite
the outsourcing, we retain control over our own business operations, including
control of who can access data and how they can use it. At a contractual level, we
have dealt with this via our contract with Microsoft, which provides us with legal
mechanisms to manage the relationship including appropriate allocation of
responsibilities, oversight and remedies and the mandatory provisions required by
BSP. At a practical level, we have selected the Office 365 product since it
provides us with transparency in relation to data location, authentication and
advanced encryption controls. We (not Microsoft) will continue to own and retain
all rights to our data and our data will not be used for any purpose other than to
provide us with the Office 365 services. As part of Microsoft’s certification
requirements, they are required to undergo regular independent third party
auditing (via the SSAE16 SOC1 Type II audit, a globally-recognized standard),
and Microsoft shares with us the independent third party audit reports. Microsoft
also agrees, as part of the compliance program, to a customer right to monitor and
supervise. We are confident that all of these arrangements ensure that we
maintain ultimate responsibility for this outsourcing arrangement.
3. DUE DILIGENCE
a. Is the CSP selection process formally defined and
documented? If yes, provide documentation.
IT Guidelines, Appendix 75e, Section 3.2, which states that before selecting a
service provider the FSI should perform appropriate due diligence. The factors it
suggests should be considered are those listed in the sample answer below. The
question also requests that you provide documentation relating to the process.
Yes.
The selection process was formally documented. It covered the service provider’s:
financial soundness;
reputation;
managerial skills;
technical capabilities; and
operational capability and capacity in relation to the services to be
performed.
Please see the attached documentation for further information.
b. Provide the CSP selection criteria and elaborate the
reasons for choosing the CSP.
The BSP does not provide a standard set of selection criteria (although the factors
mentioned in the sample answer to question B.3.a., above, will of course be
relevant). The list below includes some common factors that customers have
informed Microsoft are important in their choice of service provider. We would
advise that, in addition to the below, you set out some more detail about how you
ran your specific selection process. This might include details of the number of
CSPs you considered, whether you had a formal tender process, how long the
process took, etc. This may already be addressed in the documentation you
provide in response to question B.3.a. above.
We followed a rigorous review and selection process. Set out below are the
specific areas we considered and why we decided on Microsoft:
a. Competence and experience. Microsoft is an industry leader in cloud
computing. Office 365 was built based on ISO/IEC 27001 standards and
was the first major business productivity public cloud service to have
implemented the rigorous set of global standards covering physical,
logical, process and management controls.
b. Past track-record. 40% of the world’s top brands use Office 365. We
consulted various case studies relating to Office 365, which are available
on the Microsoft website and also considered the fact that Microsoft has
amongst its customers some of the world’s largest organizations and
financial institutions.
c. Specific financial services credentials. Financial Institution customers
in leading markets, including in the UK, France, Germany, Australia,
Singapore, Canada, the United States and many other countries have
performed their due diligence and, working with their regulators, are
satisfied that Office 365 meets their respective regulatory requirements.
This gives us confidence that Microsoft is able to help meet the high
burden of financial services regulation and is experienced in meeting
these requirements.
d. Microsoft’s staff hiring and screening process. All personnel with
access to customer data are subject to background screening, security
training and access approvals. In addition, the access levels are reviewed
on a periodic basis to ensure that only users who have appropriate
business justification have access to the systems. User access to data is
also limited by user role. For example, system administrators are not
provided with database administrative access.
e. Financial strength of Microsoft. Microsoft Corporation is publicly-listed
in the United States and is amongst the world’s largest companies by
market capitalization. Microsoft’s audited financial statements indicate that
it has been profitable for each of the past three years. Its market
capitalization is in the region of USD 280 billion. Accordingly, we have no
concerns regarding its financial strength.
f. Business resumption and contingency plan. Microsoft offers
contractually-guaranteed 99.9% uptime, hosted out of world class data
centers with physical redundancy at disk, NIC, power supply and server
levels; constant content replication; robust backup, restoration and failover
capabilities; real-time issue detection and automated response, such that
workloads can be moved off any failing infrastructure components with no
perceptible impact on the service; and 24/7 on-call engineering teams.
g. Security and internal controls, audit, reporting and monitoring.
Microsoft is an industry leader in cloud security and implements policies
and controls on par with or better than on-premises data centers of even
the most sophisticated organizations. We have confidence in the security
of the solution and the systems and controls offered by Microsoft. In
addition to the ISO/IEC 27001 certification, Office 365 is designed for
security with BitLocker Advanced Encryption Standard (“AES”) encryption
of email at rest and secure sockets layer (“SSL”)/transport layer security
(“TLS”) encryption of data in transit. The Microsoft service is subject to the
SSAE16 SOC1 Type II audit, an independent, third party audit.
c. Apart from the current CSP, have other
vendors/service providers been considered?
You will need to respond accordingly based on your specific selection process.
4. VENDOR MANAGEMENT/PERFORMANCE AND CONFORMANCE
a. Does the Service Level Agreement (“SLA”) cover the
minimum provisions required under existing rules and
regulations on outsourcing? (Circular No. 765)
Appendix to BSP Circular No.765, “Revised Outsourcing Framework for Banks”.
Yes. We have reviewed the list in Circular No.765 and are satisfied that the SLA,
in combination with the rest of Microsoft’s Business and Services Agreement
(“MBSA”), satisfies the minimum provisions.
The SLA is available at:
http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37
and the MBSA is available upon request. The SLA is contained within the MBSA.
b. Does the SLA (as defined above) clearly disclose other
parties (i.e. subcontractors) that are involved in the
delivery of cloud services?
Appendix 75e to IT Guidelines. BSP expects that “the extent to which
subcontractors perform additional services should be limited to peripheral or
support functions while the core services should rest with the main service
provider”. This would be the case with Office 365 – the core services remain with
Microsoft.
Yes.
We are satisfied that this requirement is met. The SLA is a standard document
which Microsoft uses for thousands of customers, so it does not contain details of
the specific subcontractors they propose to work with for this project. However,
Microsoft publishes an up-to-date list of all sub-contractors used as well as the
services they provide. This information is found at http://trustoffice365.com/. As
explained in the response to question A.2., above, no sub-contractors are involved
in critical path roles.
c. Describe CSP’s guarantee of availability and extent of
liability if SLAs are not met.
IT Guidelines, Appendix 75e, Section 3.4 states that “Management should include
SLAs in its outsourcing contracts to specify and clarify performance expectations,
as well as establish accountability for the outsourced activity”.
We are satisfied that our contract with Microsoft adequately specifies the
performance expectations and apportions responsibilities for the outsourced
activities. The availability and extent of liability are as follows:
a. Guarantee of availability: Microsoft provides a contractual financially-backed
99.9% uptime guarantee for the Office 365 product and covers performance
monitoring and reporting requirements which enable us to monitor Microsoft’s
performance on a continuous basis against service levels.
b. Extent of liability if SLAs not met: Under the service credits mechanism in
the SLA, we may be entitled to a service credit of up to 100% of the service
charges. If a failure by Microsoft also constitutes a breach of contract to which
the service credits regime does not apply, we would of course have ordinary
contractual claims available to us too under the contract.
d. Has the SLA been reviewed by a legal counsel?
Microsoft recommends that you do seek legal advice on the use of cloud
computing services in relation to statutory/regulatory/common law requirements.
Yes.
e. What monitoring processes does the Bank have to
manage the cloud outsourcing? Please describe and
provide documentation.
BSP expects that organizations would “establish a monitoring program to ensure
service providers deliver the quantity and quality of services required by the
contract” (IT Guidelines, Appendix 75e, Section 3.5.1). The “template response”
below explains how the Office 365 dashboard could be used by your organization
as part of these monitoring processes but you will need to add details of your own
internal processes.
We have reviewed the monitoring processes (set out in more detail in the following
paragraphs) and we are confident that appropriate processes are in place.
Microsoft’s SLA applies to the Office 365 product. Our IT administrators also have
access to the Office 365 Service Health Dashboard, which provides real-time and
continuous monitoring of the Office 365 service. The Service Health Dashboard
provides our IT administrators with information about the current availability of
each service or tool (and its availability history), details of any service
disruption or outage, and scheduled maintenance times. The information is provided
via an RSS feed.
Amongst other things, the SLA provides a contractual 99.9% uptime guarantee for the
Office 365 product and covers performance monitoring and reporting requirements
which enable us to monitor Microsoft’s performance on a continuous basis against
service levels. We also have access to the independent SSAE16 SOC1 Type II
audit, which enables us to verify Microsoft’s performance.
Please find a copy of the SLA at:
http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37
As part of the support we receive from Microsoft, we also have access to a
technical account manager who is responsible for understanding our challenges
and providing expertise, accelerated support and strategic advice tailored to our
organization. This includes both continuous hands-on assistance and immediate
escalation of urgent issues to speed resolution and keep mission-critical systems
functioning. We are confident that such arrangements provide us with the
appropriate mechanisms for managing performance and problems.
f. Do you have a process to audit the CSP to assess its
compliance with your policy, procedures, security
controls and regulatory requirements? Please describe
the process.
IT Guidelines, Appendix 75e, Section 5 and Annex A. This is a question about
your own internal processes and so you will need to supplement this response
with details about that. However, it is of course relevant in this context to mention
that Microsoft permits audit and inspection both by their financial institution
customers and regulators and so we have set out some information about this
below. Microsoft also offers a Compliance Framework Program for FSIs, a key
feature of which is the regulator audit/inspection right.
Yes.
We are satisfied that this requirement is met.
We are confident that in our choice of Microsoft as CSP we have far more
extensive audit rights than most if not all other CSPs offer. This was an important
factor in our decision to choose this CSP.
In particular, the following audit protections are made available by Microsoft:
a. As part of Microsoft’s certification requirements, it is required to
undergo regular independent third party auditing (via the SSAE16 SOC1
Type II audit, a globally-recognized standard), and Microsoft shares the
independent third party audit reports with us. Microsoft also agrees, as
part of the compliance program, to a customer right to monitor and
supervise. We are confident that such arrangements provide us with the
appropriate level of assessment of Microsoft’s ability to meet our policy,
procedural, security control and regulatory requirements.
b. As detailed in the response to question B.1.h., above, BSP is given a
contractual right of audit/inspection over Microsoft’s facilities, so that it can
assess and examine systems, processes and security and regulatory
compliance.
g. What are the procedures for identifying, reporting and
responding to security incidents and violations?
IT Guidelines, Appendix 75e, Annex A, states that “management processes of the
FSI should include appropriate notification procedures, effective monitoring of
security-related threats, incidents and events on both FSI’s and CSP’s networks;
comprehensive incident response methodologies; and maintenance of appropriate
forensic strategies for investigation and evidence collection”. The following sets
out some of the procedures and techniques that Microsoft has in place. In
addition, we recommend as part of this response that you include details of your
own processes in particular for responding to security breaches and violations.
This is an issue that we take very seriously. We have therefore checked these
procedures in detail with Microsoft and are confident that they provide excellent
means to enable us to identify, report and respond properly and promptly in the
event of any security incident or violation. We are assured that Microsoft is
committed to protecting the privacy of our data, and Microsoft makes this
statement in its Office 365 Privacy Statement.
First, there are robust procedures offered by Microsoft that enable the prevention
of security incidents and violations arising in the first place and detection in the
event that they do occur. Specifically:
a. Microsoft implements 24 hour monitored physical hardware. Data center
access is restricted 24 hours per day by job function so that only essential
personnel have access to customer applications and services. Physical
access control uses multiple authentication and security processes,
including badges and smart cards, biometric scanners, on-premises
security officers, continuous video surveillance, and two-factor
authentication.
b. Microsoft implements “prevent, detect, and mitigate breach”, which is a
defensive strategy aimed at predicting and preventing a security breach
before it happens. This involves continuous improvements to built-in
security features, including port scanning and remediation, perimeter
vulnerability scanning, OS patching to the latest updated security
software, network-level DDOS (distributed denial-of-service) detection and
prevention, and multi-factor authentication for service access.
c. Wherever possible, human intervention is replaced by an automated, tool-
based process, including routine functions such as deployment,
debugging, diagnostic collection, and restarting services. Office 365
continues to invest in systems automation that helps identify abnormal
and suspicious behavior and respond quickly to mitigate security risk.
Microsoft is continuously developing a highly effective system of
automated patch deployment that generates and deploys solutions to
problems identified by the monitoring systems—all without human
intervention. This greatly enhances the security and agility of the service.
d. Microsoft conducts penetration tests to enable continuous improvement of
incident response procedures. These internal tests help Office 365
security experts create a methodical, repeatable, and optimized stepwise
response process and automation.
Second, in the event that a security incident or violation is detected, Microsoft
Customer Service and Support notifies Office 365 subscribers by updating the
Service Health Dashboard that is available on the Office 365 portal. We would
have access to Microsoft’s dedicated support staff, who have a deep knowledge of
the service. Microsoft provides a Recovery Time Objective (“RTO”) of 1 hour or
less for Microsoft Exchange Online and 6 hours or less for SharePoint Online, and
a Recovery Point Objective (“RPO”) of 45 minutes or less for Microsoft Exchange
Online and 2 hours or less for SharePoint Online.
Finally, after the incident, Microsoft provides a thorough post-incident review
report (“PIR”). The PIR includes:
An incident summary and event timeline.
Broad customer impact and root cause analysis.
Actions being taken for continuous improvement.
Microsoft will provide the PIR within five business days following resolution of the
service incident. Administrators can also request a PIR using a standard online
service request submission through the Office 365 portal or a phone call to
Microsoft Customer Service and Support.
See also the responses to the questions in section B.7 below regarding business
continuity.
h. How would the CSP provide support to the Bank in
handling security incidents?
IT Guidelines, Appendix 75e, Annex A.
In addition to the details set out in response to the question immediately above, as
part of the support we receive from Microsoft, we also have access to a technical
account manager. This manager is responsible for understanding our challenges
and providing expertise, accelerated support and strategic advice tailored to our
organization. This includes both continuous hands-on assistance and immediate
escalation of urgent issues to speed resolution and keep mission-critical systems
functioning. We are confident that such arrangements provide us with the
appropriate mechanisms for managing performance and problems.
See also the responses to the questions in section B.7 below regarding business
continuity.
i. Describe the arrangement if the CSP’s action, faulty
software or hardware contributed to the security
breach?
IT Guidelines, Appendix 75e, Annex A.
The arrangement we have agreed with Microsoft under our Service Level
Agreement is that we will be entitled to service credits of up to 100% of the service
charges if Microsoft’s action, faulty software or hardware contributed to the
security breach.
Regardless of the cause of the breach, we would be entitled to the reporting and
response services described in the responses to questions B.4.g. and B.4.h.
above.
j. Is there a contingency plan for replacing the CSP in the
event of its cessation?
BSP would expect financial institutions to have a contingency plan in place if you
did decide to stop using the Office 365 service.
The agreement with Microsoft contains usual termination provisions. In the event
of cessation, we would either move back on-premises or to an alternate CSP.
Microsoft is contractually required to hold our data for an agreed period to enable
such transition to occur in an orderly manner.
k. Do you have the right to terminate the SLA in the event
of default, ownership change, insolvency, change of
security or serious deterioration of service quality?
IT Guidelines, Appendix 75e, Section 3.4, states that “the FSI should link SLA to
the provisions in the contract regarding incentives, penalties and contract
cancellation”. Although Microsoft believes that the scenarios listed in the question
are very unlikely, the rights offered in its contract to terminate for convenience and
material breach provide customers with sufficient control to exit the relationship in
the unlikely event of one of these situations arising.
Yes.
We are satisfied that this requirement is met. Our main agreement with Microsoft
is called a Microsoft MBSA (as defined above) and that contains usual termination
provisions. The SLA is contained within the MBSA, which is terminable by us for
convenience at any time by providing not less than 60 days’ notice. Any sub-
agreements to the MBSA are terminable by us for convenience at any time by
providing not less than 30 days’ notice. In addition, we have standard rights of
termination for material breach. This gives us the flexibility and control we need to
manage the relationship with Microsoft because it means that we can terminate
the arrangements whether with or without cause.
l. In the event of contract termination with the service
provider, either on expiry or prematurely, is the Bank
able to have all IT information and assets promptly
removed or destroyed?
IT Guidelines, Appendix 75e, Annex A, reminds FSIs of the importance of
controlling data ownership, data location and retrieval.
Yes.
We are satisfied that this requirement is met. Microsoft will retain our data for 90
days following termination so that we may extract our data. If we request that
Microsoft end the retention period earlier, Microsoft will do so. As set out on page
33 of the OST, upon expiration or termination, the customer may extract its data
and the Service Provider will delete the data.
Microsoft uses best practice procedures and a wiping solution that is NIST 800-88
compliant. For hard drives that cannot be wiped, it uses a physical destruction
process (e.g., disintegrating, shredding, pulverizing or incinerating) that
renders the recovery of information impossible. The appropriate means of
disposal is determined by the asset type. Records of the destruction are retained.
All Microsoft Online Services utilize approved media storage and disposal
management services. Paper documents are destroyed by approved means at
the pre-determined end-of-life cycle.
“Secure disposal or re-use of equipment and disposal of media” is covered under
the ISO/IEC 27001 standards against which Microsoft is certified.
5. SECURITY AND PRIVACY
a. Has the Bank revised/updated its information security
policies to incorporate activities outsourced to CSP?
IT Guidelines, Appendix 75e, Annex A, states that FSIs “may need to revise their
information security policies, standards, and practices to incorporate the activities
related to a CSP”. This can be read as an optional requirement (“may”) but BSP
would probably expect some justification if you have elected not to revise/update
the policies. The IT Guidelines state that policies should address:
1. Operational Risk;
2. Strategic Risk;
3. Reputation Risk; and
4. Compliance Risk.
Each risk area is described in more detail in the IT Guidelines, pages 5-6. If you
require any information from Microsoft in this respect, please do not hesitate to
speak to your Microsoft contact.
b. Does the Bank maintain a comprehensive data
inventory and a suitable data classification process to
facilitate CSP’s implementation of identity and access
controls?
IT Guidelines, Appendix 75e, Annex A, Security and Privacy.
Yes.
Microsoft logs who accesses all of our data. Microsoft applies strict controls over
which personnel roles and personnel will be granted access to customer data.
Personnel access to the IT systems that store customer data is strictly controlled
via role-based access control (“RBAC”) and lock box processes. Access control
is an automated process that follows the separation of duties principle and the
principle of granting least privilege. This process ensures that the engineer
requesting access to these IT systems has met the eligibility requirements, such
as a background screen, fingerprinting, required security training and access
approvals. In addition, the access levels are reviewed on a periodic basis to
ensure that only users who have appropriate business justification have access to
the systems. User access to data is also limited by user role. For example, system
administrators are not provided with database administrative access.
c. Are there documented security procedures for
safeguarding hardware, software and data in the CSP?
IT Guidelines, Appendix 75e, Annex A, Security and Privacy.
Yes.
The security procedures for safeguarding hardware, software and data are
documented in detail by Microsoft in its Standard Response to Request for
Information – Security and Privacy. This confirms how the following aspects of
Microsoft’s operations safeguard hardware, software and data:
Compliance;
Data Governance;
Facility;
Human Resources;
Information Security;
Legal;
Operations;
Risk Management;
Release Management;
Resiliency; and
Security Architecture.
Further details of Microsoft’s preventative and detection security procedures are
included in the response to question B.4.g. above and question B.5.d. below.
In choosing Microsoft, we also took into account the fact that the European
Union’s data protection authorities have found that Microsoft’s enterprise cloud
contracts meet the high standards of EU privacy law. Microsoft is the first – and so
far the only – company to receive this approval.
d. What security controls are in place to protect the
transmission and storage of information/data within the
CSP infrastructure?
IT Guidelines, Appendix 75e, Annex A, Security and Privacy.
Microsoft as an outsourcing partner is an industry leader in cloud security and
implements policies and controls on par with or better than on-premises data
centers of even the most sophisticated organizations. Office 365 was built based
on ISO/IEC 27001 standards, a rigorous set of global standards covering physical,
logical, process and management controls. This makes us confident that there
are very robust security controls in place to protect the transmission and storage
of information/data within Microsoft’s infrastructure.
Some information has already been provided on Microsoft’s security controls in
Section B.4.g. and B.4.c. above. The following security features are also relevant
to protecting the transmission and storage of information/data within the Microsoft
infrastructure:
a. The Microsoft Office 365 security features consist of three parts: (a) built-
in security features; (b) security controls; and (c) scalable security. These
include 24-hour monitored physical hardware, isolated customer data,
automated operations and lock-box processes, secure networks and
encrypted data.
b. Microsoft implements the Microsoft Security Development Lifecycle
(“SDL”) which is a comprehensive security process that informs every
stage of design, development and deployment of Microsoft software and
services, including Office 365. Through design requirements, analysis of
attack surface and threat modeling, the SDL helps Microsoft predict,
identify and mitigate vulnerabilities and threats from before a service is
launched through its entire production lifecycle.
c. Networks within the Office 365 data centers are segmented to provide
physical separation of critical back-end servers and storage devices from
the public-facing interfaces. Edge router security allows the ability to
detect intrusions and signs of vulnerability. Client connections to
Office 365 use SSL (as defined above) for securing Outlook, Outlook Web
App, Exchange ActiveSync, POP3, and IMAP. Customer access to
services provided over the Internet originates from users’ Internet-enabled
locations and ends at a Microsoft data center. These connections are
encrypted using industry-standard TLS (as defined above)/SSL. The use
of TLS/SSL establishes a highly secure client-to-server connection to help
provide data confidentiality and integrity between the desktop and the
data center. Customers can configure TLS between Office 365 and
external servers for both inbound and outbound email. This feature is
enabled by default. Microsoft also implements traffic throttling to prevent
denial-of-service attacks. It uses the “prevent, detect and mitigate breach”
process, as described in the response to question B.4.g. above.
d. From a people and process standpoint, preventing breach involves
auditing all operator/administrator access and actions, zero standing
permission for administrators in the service, “Just-In-Time (JIT) access
and elevation” (that is, elevation is granted on an as-needed and only-at-
the-time-of-need basis) of engineer privileges to troubleshoot the service,
and segregation of the employee email environment from the production
access environment. Employees who have not passed background
checks are automatically rejected from high privilege access, and
checking employee backgrounds is a highly scrutinized, manual-approval
process. Data is also encrypted.
e. Content is encrypted, as described in the response to question B.5.e.
below.
e. How is end-to-end application encryption security
implemented to protect confidential/sensitive data
transmitted between terminals and hosts?
IT Guidelines, Appendix 75e, Annex A, Security and Privacy: “A multi-tenant cloud
deployment…increases the need for data protection through encryption”.
Data is encrypted. Customer data in Office 365 exists in two states:
At rest on storage media; and
In transit from a data center over a network to a customer device.
All email content is encrypted on disk using BitLocker AES (as defined above)
encryption. Protection covers all disks on mailbox servers and includes mailbox
database files, mailbox transaction log files, search content index files, transport
database files, transport transaction log files, and page file OS system disk
tracing/message tracking logs.
Office 365 also transports and stores secure/multipurpose Internet mail extensions
(S/MIME) messages. Office 365 will transport and store messages that are
encrypted using client-side, third-party encryption solutions such as Pretty Good
Privacy (PGP).
f. How do the Bank and the CSP address the risk to
compromise of confidential/sensitive information
through unauthorized third-party access or access by
the CSP employees?
IT Guidelines, Appendix 75e, Annex A, Security and Privacy, states that
organizations need to address the risk of compromising confidential information
through third party access. The sample answer below relates to Microsoft’s own
controls. The response should also address and detail your own access controls.
Microsoft has in place the following access controls:
a. Physical access control uses multiple authentication and security
processes, as described in the response to question B.4.g. above.
b. Microsoft applies strict controls over which personnel roles and personnel
will be granted access to customer data. Personnel access to the IT
systems that store customer data is strictly controlled via RBAC (as
defined above) and lock box processes. Access control is an automated
process that follows the separation of duties principle and the principle of
granting least privilege. This process ensures that the engineer requesting
access to these IT systems has met the eligibility requirements, such as a
background screen, fingerprinting, required security training and access
approvals. In addition, the access levels are reviewed on a periodic basis
to ensure that only users who have appropriate business justification have
access to the systems. User access to data is also limited by user role.
For example, system administrators are not provided with database
administrative access.
c. System level data such as configuration data/file and commands are
managed as part of the configuration management system. Any changes
or updates to or deletion of those data/files/commands will be
automatically deleted by the configuration management system as
anomalies.
g. How are CSP customers/subscribers authenticated?
IT Guidelines, Appendix 75e, Annex A, Security and Privacy.
Office 365 uses two-factor authentication to enhance security. Typical
authentication practices that require only a password to access resources may not
provide the appropriate level of protection for information that is sensitive or
vulnerable. Two-factor authentication is an authentication method that applies a
stronger means of identifying the user. The Microsoft phone-based two-factor
authentication solution allows users to receive their PINs sent as messages to
their phones, and then they enter their PINs as a second password to log on to
their services.
h. Describe security controls in the following areas:
I. Security administration/system access functions
II. Password administration and management
III. Privilege accounts
IV. Remote access activities
V. Change management
IT Guidelines, Appendix 75e, Annex A, Security and Privacy.
Taking each of the sections in turn:
I. Security administration/system access functions. We are primarily in
charge of security administration and systems. Our service provider,
Microsoft, performs certain of these functions on our behalf and to our
requirements pursuant to the contractual arrangements that we have in
place with Microsoft. Microsoft effectively works alongside our IT and
operations teams to ensure performance to the required standards. We
retain ownership of all data that is hosted by Microsoft. We are also aware
that our primary responsibility, which is to our customers, remains
unchanged by virtue of us using Office 365.
II. Password administration and management. All access to production
systems and customer data requires multi-factor authentication. Use of
strong passwords is mandatory and passwords must be changed on a regular
basis.
III. Privilege accounts are managed as follows:
a. Access to the IT systems that store customer data is strictly controlled via
RBAC and lock box processes. Access control is an automated process
that follows the separation of duties principle and the principle of granting
least privilege. This process ensures that the engineer requesting access
to these IT systems has met the eligibility requirements, such as
background screening, fingerprinting, required security training, and access
approvals. In addition, access levels are reviewed on a periodic basis
to ensure that only users who have an appropriate business justification have
access to the systems. User access to data is also limited by user role.
For example, system administrators are not provided with database
administrative access.
b. In emergency situations, engineer privileges are elevated through a
"Just-In-Time (JIT) access and elevation system": elevation is granted only
when it is needed and only at the time of need, to troubleshoot the service.
c. An internal, independent Microsoft team audits the access logs at least
once per quarter.
d. All logs are saved to a log management system that is managed by a
different team of administrators. Logs are automatically transferred from the
production systems to the log management system over a secure channel
and stored in a tamper-protected way.
IV. Remote access activities. Administrators who have access to
applications have no physical access to the production environment, so
they must connect through a controlled, monitored remote access
facility. All operations through this remote access facility are logged.
V. Change management. The Microsoft Office 365 change management
team directs the process and procedures related to approval, scheduling,
testing, and deployment of changes in the pre-production and production
Office 365 infrastructure environments. The approach used in this service
management function is built on the Information Technology Infrastructure
Library (ITIL) and Microsoft Operations Framework (MOF) standards,
which aligns with the change management process used in most
organizations.
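The privileged-access controls listed under III above (eligibility checks before a grant, least-privilege scoping by role, time-bound JIT elevation, separation of duties between requester and approver, and an access log that a separate team can audit for tampering), as an added example that is not part of the original guidance and not Microsoft's lockbox implementation. The role catalogue, the eligibility fields, the 60-minute cap on an elevation and the hash-chained log format are assumptions made for the example. The audit log chains each record to the hash of the previous one, so a reviewer holding a copy of the last hash can detect any later edit, insertion or deletion.

```python
"""JIT privilege elevation with a hash-chained audit log (illustrative example).

Role names, eligibility fields and durations are assumed; this is not the
Office 365 lockbox system.
"""
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

# Assumed role catalogue. Roles are disjoint so that, as in the response above,
# a system administrator does not also hold database privileges.
ROLE_PRIVILEGES = {
    "sysadmin": {"host:restart", "service:logs:read"},
    "dba": {"db:query", "db:schema:write"},
}
MAX_ELEVATION_MINUTES = 60   # assumed cap on a single JIT grant


@dataclass
class Engineer:
    name: str
    roles: Set[str]
    background_checked: bool = False
    training_current: bool = False


@dataclass
class Grant:
    engineer: str
    privilege: str
    ticket: str
    expires_at: float


class AuditLog:
    """Append-only log; every record commits to the hash of the one before it."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: List[dict] = []

    @staticmethod
    def _hash(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = {"seq": len(self.records), "prev": prev, "event": event}
        record = dict(body, hash=self._hash(body))
        self.records.append(record)
        return record["hash"]

    def verify(self) -> Optional[int]:
        """Return the index of the first record whose link or hash is broken, else None."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            body = {"seq": rec["seq"], "prev": rec["prev"], "event": rec["event"]}
            if rec["seq"] != i or rec["prev"] != prev or self._hash(body) != rec["hash"]:
                return i
            prev = rec["hash"]
        return None


class JitElevation:
    """Grants one privilege at a time, for a bounded period, after eligibility checks."""

    def __init__(self, log: AuditLog, clock: Callable[[], float] = time.time) -> None:
        self.log = log
        self.clock = clock
        self.grants: List[Grant] = []

    def request(self, eng: Engineer, privilege: str, ticket: str,
                minutes: int, approver: str) -> bool:
        eligible = eng.background_checked and eng.training_current
        in_role = any(privilege in ROLE_PRIVILEGES.get(r, set()) for r in eng.roles)
        separated = approver != eng.name                  # no self-approval
        bounded = 0 < minutes <= MAX_ELEVATION_MINUTES
        granted = eligible and in_role and separated and bounded
        # Every decision, denied or granted, is written to the chained log.
        self.log.append({"type": "elevation", "engineer": eng.name, "privilege": privilege,
                         "ticket": ticket, "approver": approver, "granted": granted,
                         "at": self.clock()})
        if granted:
            self.grants.append(Grant(eng.name, privilege, ticket,
                                     self.clock() + minutes * 60))
        return granted

    def has_privilege(self, engineer: str, privilege: str) -> bool:
        """True only while an unexpired grant for exactly this privilege exists."""
        now = self.clock()
        self.grants = [g for g in self.grants if g.expires_at > now]   # lazy expiry
        return any(g.engineer == engineer and g.privilege == privilege
                   for g in self.grants)
```

The separate log-management team in item d would hold the records and re-run verify(); shipping records over a secure channel stops interception, while the chain is what exposes an after-the-fact edit to a record already written.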
i. Describe the physical and environmental controls
available at the primary and secondary sites.
IT Guidelines, Appendix 75e, Annex A, Security and Privacy.
a. Physical: infrastructure, security and terrorism. Microsoft's data centers are
designed to protect customer data from harm and unauthorized
access. Data center access is restricted 24 hours per day by job function
so that only essential personnel have access. Physical access control
uses multiple authentication and security processes, including badges and
smart cards, biometric scanners, on-premises security officers, continuous
video surveillance and two-factor authentication. The data centers are
monitored using motion sensors, video surveillance and security breach
alarms.
b. Environmental (i.e. earthquakes, typhoons, floods). Microsoft data
centers are built in seismically safe zones. Environmental controls have
been implemented to protect the data centers including temperature
control, heating, ventilation and air-conditioning, fire detection and
suppression systems and power management systems, 24-hour
monitored physical hardware and seismically-braced racks. These
requirements are covered by Microsoft's ISO/IEC 27001 accreditation for
Office 365.
j. How and who will perform the monitoring and
management for integrity, checking, compliance
checking, security monitoring, network performance?
IT Guidelines, Appendix 75e, Annex A, states that “continuous monitoring of
information security requires maintaining ongoing awareness of security controls,
vulnerabilities, and threats to support risk management decisions”. BSP
acknowledges that FSIs will, to some extent, be dependent on CSPs for some of
the monitoring but does expect that overall responsibility and oversight remains
with the FSI.
Overall responsibility for these matters remains with our organization and we have
procedures in place to monitor overall performance, as described in our response
to question B.4.e., above.
Microsoft will perform the technical monitoring and management functions on our
behalf. System level data such as configuration data/files and commands are
managed as part of the configuration management system. Any unauthorized
change, update or deletion of those data/files/commands is detected by the
configuration management system as an anomaly and automatically removed,
restoring the managed state.
We will receive information about system integrity, security monitoring and
network performance through the Office 365 Service Health Dashboard, as
described in our response to question B.4.e., above.
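The configuration-management behaviour described in this response and under item c of question h above (managed configuration files and commands are held under configuration management; an unauthorized edit, deletion or addition is flagged as an anomaly and the managed state is restored), as an added example that is not part of the original guidance and not Microsoft's configuration management system. The baseline is a map of path to content hash; the in-memory "filesystem", the /etc/app/ managed prefix and the file names are constructed for the example.

```python
"""Configuration drift detection and automatic restore (illustrative example).

The golden copies, paths and managed prefix are constructed for the example.
"""
import hashlib
from typing import Dict, List


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ConfigManager:
    """Holds the authoritative copy of each managed file and reconciles live state to it."""

    def __init__(self, golden: Dict[str, bytes]) -> None:
        self.golden = dict(golden)                        # authoritative content per path
        self.baseline = {p: _h(c) for p, c in golden.items()}

    def reconcile(self, live: Dict[str, bytes], managed_prefix: str) -> Dict[str, List[str]]:
        """Compare live state with the baseline, repair drift in place, return what was found."""
        anomalies: Dict[str, List[str]] = {"modified": [], "deleted": [], "unmanaged": []}
        for path, expected in self.baseline.items():
            if path not in live:
                anomalies["deleted"].append(path)
                live[path] = self.golden[path]            # restore a deleted managed file
            elif _h(live[path]) != expected:
                anomalies["modified"].append(path)
                live[path] = self.golden[path]            # revert an unauthorized edit
        for path in sorted(live):                         # iterate over a copy: we delete below
            if path.startswith(managed_prefix) and path not in self.baseline:
                anomalies["unmanaged"].append(path)
                del live[path]                            # drop a file outside the managed set
        for key in anomalies:
            anomalies[key].sort()
        return anomalies

    def authorize_change(self, path: str, new_content: bytes) -> None:
        """The only sanctioned way to change managed state: update golden copy and baseline."""
        self.golden[path] = new_content
        self.baseline[path] = _h(new_content)
```

Files outside the managed prefix (logs, for instance) are left alone; only paths the configuration management system claims are enforced, and a legitimate change has to go through authorize_change first or the next reconciliation run reverts it.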
k. Are there procedures established to securely destroy
or remove the data when the need arises?
IT Guidelines, Appendix 75e, Annex A, reminds FSIs of the importance of
controlling data ownership, data location and retrieval.
Yes.
Microsoft uses best practice procedures and a wiping solution that is NIST SP 800-88
compliant, as described in the response to question B.4.l, above.
6. DATA OWNERSHIP AND DATA LOCATION AND RETRIEVAL
a. Where do data/information actually reside (or are they
transiting through) at a given point in time?
IT Guidelines, Annex A to Appendix 75e states that "the dynamic nature of cloud
computing may result in confusion as to where information actually resides".
Microsoft is able to alleviate this concern by providing data location transparency.
Microsoft informs us that it takes a regional approach to hosting of Office 365
data. For customers like us with a presence in the Asia-Pacific region, the
applicable Office 365 services will be hosted out of Microsoft's highly-secure data
centers. Commitments on the location of data at rest are discussed at p 10 of the
OST, and may depend on where a customer provisions its service tenancy or
which Geo it specifies for the online service. More details are set out on the Trust
Center for each applicable online service.
b. Does management fully understand where data are
stored and how much control they have over those
data?
IT Guidelines, Annex A to Appendix 75e, "Data Ownership and Data Location and
Retrieval".
Yes.
Microsoft’s transparency as to data location was a key consideration as part of the
service provider selection process. Microsoft informs us that it takes a regional
approach to hosting of Office 365 data. Microsoft is transparent in relation to the
location of our data. Microsoft data center locations are made public on the
Microsoft Trust Center.
c. Who has the legal ownership of data? Is ownership of
the data clearly stipulated in the SLA or other related
contract/agreement?
IT Guidelines, Annex A to Appendix 75e: "The FSI's ownership rights over the data
must be firmly established in the contract to enable a basis for trust and privacy of
data".
We retain ownership of all data that is hosted by Microsoft and this is made clear
in our contract with them.
Microsoft has implemented a formal policy that requires assets (the definition of
asset includes data and hardware) used to provide Microsoft’s services to be
accounted for and have a designated asset owner. Asset owners are responsible
for maintaining up-to-date information regarding their assets.
“Allocation of information security responsibilities and ownership of assets” is
covered under the ISO/IEC 27001 standards, specifically addressed in Annex A,
domains 6.1.3 and 7.1.2. For more information, review of the publicly available
ISO standards that Microsoft is certified against is suggested.
It is also relevant to note that the European Union’s data protection authorities
have found that Microsoft’s enterprise cloud contracts meet the high standards of
EU privacy law. Microsoft is the first – and so far the only – company to receive
this approval.
d. Are the Bank’s data stored in the CSP’s systems
commingled with those of other subscribers? Describe
how the CSP is able to isolate and clearly identify
Bank’s data to protect their confidentiality.
IT Guidelines, Annex A to Appendix 75e states that "the FSI should pay attention
to the CSP's ability to isolate and clearly identify its customer data".
Active Directory isolates customers using security boundaries (also known as
silos). This safeguards a customer's data so that the data cannot be accessed or
compromised by co-tenants.
7. BUSINESS CONTINUITY PLANNING
a. Does the CSP have a business continuity or disaster
recovery plan? If yes, provide documentation or details.
IT Guidelines, Annex A to Appendix 75e states that “it is critical to ensure the
viability of the CSP’s business continuity and disaster recovery plans to address
broad-based disruptions to its capabilities and infrastructure”.
Yes.
Microsoft offers a contractually-guaranteed 99.9% uptime SLA; globally available
data centers for primary and backup storage; physical redundancy at the disk,
NIC, power supply and server levels; constant content replication; robust backup,
restoration and failover capabilities; real-time issue detection and automated
response, so that workloads can be moved off any failing infrastructure
components with no perceptible impact on the service; and 24/7 on-call
engineering teams.
See also the response to B.7.c., below.
b. What are the recovery time objectives (RTO) and
recovery point objectives (RPO) of systems or
applications outsourced to the CSP?
IT Guidelines, Annex A to Appendix 75e: “Recovery Time Objectives should also
be clearly stated in the contract”.
RTO: 1 hour or less for Microsoft Exchange Online, 6 hours or less for SharePoint
Online.
RPO: 45 minutes or less for Microsoft Exchange Online, 2 hours or less for
SharePoint Online.
c. What are the data backup and recovery arrangements
for your Bank’s data that reside with the CSP? In case
the Bank becomes offline, how would the CSP
synchronize data and processes that reside in the
cloud?
IT Guidelines, Annex A to Appendix 75e.
Microsoft’s arrangements are as follows:
Redundancy
Physical redundancy at server, data center, and service levels;
Data redundancy with robust failover capabilities; and
Functional redundancy with offline functionality.
Resiliency
Active load balancing;
Automated failover with human backup; and
Recovery testing across failure domains.
Distributed Services
Distributed component services like Exchange Online, SharePoint Online,
and Lync Online limit scope and impact of any failures in a component;
Directory data replicated across component services insulates one service
from another in any failure events; and
Simplified operations and deployment.
Monitoring
Internal monitoring built to drive automatic recovery;
Outside-in monitoring raises alerts about incidents; and
Extensive diagnostics provide logging, auditing, and granular tracing.
Simplification
Standardized hardware reduces issue isolation complexities;
Fully automated deployment models; and
Standard built-in management mechanism.
Human backup
Automated recovery actions with 24/7 on-call support;
Team with diverse skills on the call provides rapid response and
resolution; and
Continuous improvement by learning from the on-call teams.
Continuous learning
If an incident occurs, Microsoft does a thorough post-incident review every
time; and
Microsoft's post-incident review consists of analysis of what happened,
Microsoft's response, and Microsoft's plan to prevent it in the future.
For the avoidance of doubt, the nature of the services provided as part of Office
365 does not give rise to a risk that the Bank itself could become “offline” (i.e.
there would be no implication for core banking functions such as transaction
processing). In the event the Bank was affected by a service incident, the process
described in the response to question B.4.f. above would apply.
d. How frequently does the CSP conduct business
continuity and disaster recovery tests? Describe the
BCP/DRP testing methodology.
IT Guidelines, Annex A to Appendix 75e: “The plans must be well documented
and tested”.
Microsoft carries out disaster recovery testing at least once per year.
Business Continuity Management (“BCM”) forms part of the scope of the
accreditation that Microsoft retains in relation to the online services, and Microsoft
commits to maintain a data security policy that complies with these accreditations
(see OST page 13). BCM also forms part of the scope of Microsoft’s annual third
party compliance audit. If anything further is required we would work with
Microsoft to provide whatever further clarity the regulator may require in this
regard.
e. In relation to the above, describe how test results are
validated?
IT Guidelines, Annex A to Appendix 75e: “The plans must be well documented
and tested”.
As part of Microsoft's certification requirements, it is required to undergo regular
independent third party auditing, and Microsoft shares the independent
third party audit reports with us. Microsoft also agrees, as part of the compliance
program, to the customer's right to monitor and supervise.
f. Describe the prioritization agreements among
subscribers in cases of multiple/simultaneous
disasters?
IT Guidelines, Annex A to Appendix 75e: “Other BCP-related concerns which
must be addressed include…Prioritization agreements in case of
multiple/simultaneous disasters”.
Not applicable. There are no prioritization agreements amongst Microsoft
subscribers. Our organization would be subject to the same prioritization as any
other customer of the same services from Microsoft. The services are
protected by Microsoft's SLA and its accompanying terms and conditions. More
information on the SLA is available at:
http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37,
and more details about Microsoft's Service Continuity are available at:
http://office.microsoft.com/en-us/business/office-365-online-service-availability-FX104028266.aspx.
APPENDIX ONE
MANDATORY CONTRACTUAL REQUIREMENTS
This table sets out the specific items that must be covered in the FSI’s agreement with the Service Provider.
Key:
Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.
In blue text, Microsoft has provided you with a reference to where in the agreement the contractual requirement is covered for ease of reference.
Terms used below as follows:
OST = Online Services Terms
EA = Enterprise Agreement
Enrolment = Enterprise Enrolment
FSA = Financial Services Amendment
MBSA = Microsoft Business and Services Agreement
PUR = Product Use Rights
SLA = Online Services Service Level Agreement
Ref. Requirement Microsoft agreement reference
1. Does the SLA cover the
minimum provisions required
under the existing rules and
regulations on outsourcing?
(Circular No.765)
Cloud Computing Questionnaire – section B.4a (see above)
Yes.
We have reviewed the list in Circular No.765 and are satisfied that the SLA, in combination with the rest of the MBSA,
satisfies the minimum provisions.
The SLA is available at:
http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37
and the MBSA is available upon request. The SLA is contained within the MBSA.
2. Does the SLA clearly
disclose other parties (i.e.
subcontractors) that are
involved in the delivery of
cloud services?
Cloud Computing Questionnaire – section B.4b (see above)
Yes.
See page 9 of the OST, under which Microsoft is permitted to hire subcontractors.
Microsoft maintains a list of authorized subcontractors for the online services that have access to our data and
provides us with a mechanism to obtain notice of any updates to that list (OST, page 10). The actual list is published
on the applicable Trust Center. If we do not approve of a subcontractor that is added to the list, then we are entitled to
terminate the affected online services.
The confidentiality of our data is protected when Microsoft uses subcontractors because Microsoft commits that its
subcontractors “will be permitted to obtain Customer Data only to deliver the services Microsoft has retained them to
provide and will be prohibited from using Customer Data for any other purpose” (OST, page 9).
Microsoft commits that any subcontractors to whom Microsoft transfers our data will have entered into written
agreements with Microsoft that are no less protective than the data processing terms in the OST (OST, page 11).
Under the terms of the OST, Microsoft remains contractually responsible (and therefore liable) for its subcontractors’
compliance with Microsoft’s obligations in the OST (OST, page 9). In addition, Microsoft’s commitment to ISO/IEC
27018, requires Microsoft to ensure that its subcontractors are subject to the same security controls as Microsoft is
subject to. Finally, the EU Model Clauses, which are included in the OST, require Microsoft to ensure that its
subcontractors outside of Europe comply with the same requirements as Microsoft and set out in detail how Microsoft
must achieve this.
3. What monitoring processes
does the Bank have to
manage the cloud
outsourcing? Please describe
and provide documentation.
Cloud Computing Questionnaire – section B.4e (see above)
The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online
services meet appropriate security and compliance standards. This commitment is reiterated in the FSA.
Clauses 1e and 1f of the FSA detail the examination and influence rights that are granted to the customer
and BSP. Clause 1e sets out a process which can culminate in the regulator's examination of Microsoft's premises.
Clause 1f gives the customer the opportunity to participate in the Microsoft Online Services Customer Compliance
Program, which is a for-fee program that facilitates the customer's ability to (a) assess the services' controls and
effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services,
(d) be provided with additional notification of changes that may materially impact Microsoft's ability to provide the
services, and (e) provide feedback on areas for improvement in the services.
4. Is ownership of the data
clearly stipulated in the SLA
or other contract/agreement?
Cloud Computing Questionnaire – section B.6c (see above)
Yes.
Ownership of Customer Data remains at all times with the customer (see OST, page 8).
5. Does the service provider
have a business continuity or
disaster recovery plan? If
yes, provide documentation
or details.
Cloud Computing Questionnaire – section B.7a (see above)
Yes.
As set out on page 13 of the OST, Microsoft maintains emergency and contingency plans for the facilities in which
Microsoft information systems that process Customer Data are located. Business Continuity Management forms part of
the scope of the accreditation that Microsoft retains in relation to the online services, and Microsoft commits to
maintain a data security policy that complies with these accreditations (see OST page 13). Business Continuity
Management also forms part of the scope of Microsoft's annual third party compliance audit.