
Page 1: NEW ZEALAND GUIDANCE ON COMPLYING WITH REGULATORY ...download.microsoft.com/.../Microsoft.FSI.Checklist.O365.NewZealan… · 3. Web conferencing, presence, and instant messaging 4

Confidential

Page 1 of 35

10004323-2

NEW ZEALAND GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE TO FINANCIAL SERVICES INSTITUTIONS USING CLOUD COMPUTING

Last update: November 2014.

1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?

This guidance document provides a guide to complying with the regulatory process and requirements applicable to financial services institutions using cloud computing. In this guidance, financial services institutions means financial institutes, securities trading companies, insurance companies, capital investment companies and other financial services institutions (“FSIs”).

Sections 2 to 6 of this guidance set out information about the regulatory process and the regulations that apply.

Section 7 sets out questions in relation to outsourcing to a cloud services solution based on the laws, regulations and guidance that are relevant to the use of cloud services. Although there is no requirement to complete a checklist like this one, we have received feedback from FSIs that a checklist approach like this is very helpful. The checklist can be used:

(i) as a checklist for ensuring regulatory compliance with the requirements set out in the laws, regulations and guidelines (listed in Section 2); and

(ii) as a tool to aid discussions with the regulator(s) (listed in Section 3), should they wish to discuss your organization’s overall approach to compliance with their requirements.

Appendix One also contains a list of the items that the Privacy Commissioner states are useful to include in a contract with a cloud services provider (but note these items are not mandatory).

Note that the RBNZ Outsourcing Policy does not contain detailed technical and operational requirements relating to the use of cloud services but, rather, focuses more generally on issues such as risk management. However, on the basis that technical and operational factors (specifically security) are directly relevant to risk strategy (and therefore compliance with the RBNZ Outsourcing Policy and Privacy Act), we have included some specific detail on this point which should be useful for the purposes outlined above.

Note that this document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment on the part of Microsoft or its affiliates. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your technology outsourcing project and your legal and regulatory obligations. If you have any questions, please do not hesitate to get in touch with your Microsoft contact.

2. WHAT LAWS, REGULATIONS AND GUIDANCE ARE RELEVANT?

RBNZ is not against outsourcing or the use of cloud services and recognizes that well-designed arrangements may make useful contributions to improved efficiency for FSIs. However, its policy is to ensure that FSIs and their customers are not exposed to new or increased risks by virtue of using outsourced services. Whilst there are no forms that must be completed, there are certain requirements that FSIs should be aware of. In particular:

(i) large banks [1] using cloud services need to consider the RBNZ Outsourcing Policy of January 2006 (“RBNZ Outsourcing Policy”);

(ii) all FSIs (whether large or small) need to consider their general RBNZ obligations to manage their business risks properly; and

(iii) all FSIs (whether large or small) need to consider the Privacy Act in relation to any outsourcing that may involve the processing of personal data.

3. WHO IS/ARE THE RELEVANT REGULATOR(S)?

The Reserve Bank of New Zealand (“RBNZ”).

[1] RBNZ will consider a bank as “large” if its liabilities net of amounts due to related parties exceed $10 billion. Currently, BNZ, ASB, ANZ National and Westpac are the only banks that are considered “large”.


4. IS REGULATORY APPROVAL REQUIRED IN NEW ZEALAND?

No.

RBNZ does not require approval before an FSI outsources IT functionality to a cloud services solution such as Microsoft Office 365.

5. IS/ARE THERE (A) SPECIFIC FORM OR QUESTIONNAIRE(S) TO BE COMPLETED?

No.

Unlike in certain jurisdictions, such as Singapore, there are no specific forms or questionnaires that an FSI must complete when considering cloud computing solutions.

6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?

No.

RBNZ does not stipulate any mandatory contractual requirements that FSIs must ensure are included in their outsourcing contracts.

The Privacy Commissioner has created a document called ‘Cloud Computing: A guide to making the right choices’ (February 2013), which contains some useful items to check are included in the contract. Whilst these are not mandatory, Microsoft has included these in Appendix One to this document and mapped them against where in the Microsoft documentation these are covered, for ease of reference.


7. CHECKLIST

Key:

In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the point raised in the checklist. The suggested responses may provide sufficient detail, but if you require further information, Microsoft will be happy to provide this if you get in touch with your Microsoft contact. Some points are specific to your own internal operations and processes and you will need to complete these answers as well.

In red italics, Microsoft has provided guidance to assist you with the points in the checklist.

Ref. Question/requirement Template response and guidance

A. OVERVIEW

This section provides a general overview of the Microsoft Office 365 solution.

1. Who is the service provider?

The service provider is Microsoft Operations Pte Ltd, the regional licensing entity for Microsoft Corporation, a global provider of information technology devices and services, which is publicly listed in the USA (NASDAQ: MSFT). Microsoft’s full company profile is available here: https://www.microsoft.com/en-us/news/inside_ms.aspx.

2. What type of cloud services would your organization be using?

RBNZ guidance does not distinguish between different types of cloud solution, but an understanding of the type of solution (i.e. multi-tenant or dedicated) is relevant for your organization’s own risk management purposes.

Select the following text if using the Office 365 multi-tenanted version:

Microsoft’s “Office 365” service, which is described in more detail here: Microsoft’s Office 365. Office 365 is a multi-tenant service. Data storage and processing for each tenant is segregated through Active Directory structure and capabilities specifically developed to help build, manage, and secure multi-tenant environments. Active Directory isolates customers using security boundaries (also known as silos). This safeguards a customer’s data so that the data cannot be accessed or compromised by co-tenants.

Select the following text if using the Office 365 dedicated version:

Microsoft’s “Office 365” service, which is described in more detail here: Microsoft’s Office 365. We have secured an offering that provides for a dedicated hosted offering, which means that our data is hosted on hardware dedicated to us.

3. What activities and operations will be outsourced to the service provider?

1. Microsoft Office applications hosted in the cloud
2. Hosted email
3. Web conferencing, presence, and instant messaging
4. Data and application hosting
5. Spam and malware protection
6. IT support services

B. COMPLIANCE WITH A BANK’S CONDITIONS OF REGISTRATION

New Zealand banks are subject to various standard and non-standard conditions of registration. You will need to ensure that the proposed use of Office 365 complies with any such conditions.

4. Please confirm whether the FSI is a “large bank” for the purposes of RBNZ policy.

Many of the RBNZ requirements only apply to “large banks”. RBNZ will consider a bank as “large” if its liabilities net of amounts due to related parties exceed $10 billion. Currently, BNZ, ASB, ANZ National and Westpac are the only banks that are considered “large”. Note that since all large banks in New Zealand are currently owned by parent banks in Australia, those parent banks will be subject to Australian law and regulation (including the outsourcing and cloud computing requirements of the Australian Prudential Regulatory Authority (“APRA”)). Microsoft has prepared a similar Q&A for APRA requirements in Australia and can share this with you on request.

5. Please confirm whether any of the following activities will be affected by the proposed outsourcing:

(a) clearing and settlement obligations;
(b) identification of financial risk positions;
(c) monitoring and management of financial risk positions; or
(d) access by existing customers to payments facilities.

RBNZ Outsourcing Policy, Sections A’S and A1. One of the key objectives of the RBNZ Outsourcing Policy is to ensure that banks have the legal and practical ability to control each of these activities.

None of these core banking functions will be outsourced or affected by the outsourcing. Only the services and operations described in response to question A.3, above, are being outsourced. Management will retain the legal and practical ability to control and execute any outsourced functions.

6. Will the proposed outsourcing have any impact on the ability of the board to manage, direct or supervise the business and affairs of the FSI?

RBNZ Outsourcing Policy, Section A.5(a). The ability of the board to manage/direct/supervise is a condition of registration.

The board will still have ultimate control of the business and affairs of the FSI and the proposed use of Office 365 will not change this. The contract that we have in place with Microsoft contains various contractual and technical means for us to ensure that we have due supervision and control. See, for example, the details set out in our response to questions 8 (1(g) and 2) and 10 below.

7. Is the proposed outsourcing compliant with any other standard or non-standard conditions of registration imposed on the FSI?

RBNZ Outsourcing Policy, Section A.6. Some large banks are subject to non-standard conditions of registration which may apply to their outsourcing arrangements. You will need to consider whether such conditions exist and, if so, how (if at all) they may apply to the proposed use of Office 365.

C. RISK MANAGEMENT

RBNZ is particularly interested in the controls that the FSI has in place in respect of the outsourcing and how risks are managed. This section looks at these requirements in more detail.

8. How do the proposed arrangements ensure that the outsourcing does not create a risk that the operation and management of the FSI might be interrupted for a material length of time?

RBNZ Outsourcing Policy, Section B.10.

We have minimized the risks in the following ways:

1. Through our choice of service provider

a. Competence and experience. Microsoft is an industry leader in cloud computing. Office 365 was built based on ISO/IEC 27001 standards and was the first major business productivity public cloud service to have implemented the rigorous set of global standards covering physical, logical, process and management controls.

b. Past track record. 40% of the world’s top brands use Office 365. We consulted various case studies relating to Office 365, which are available on the Microsoft website, and also considered the fact that Microsoft has amongst its customers some of the world’s largest organizations and FSIs.

c. Specific financial services credentials. FSI customers in leading markets, including in the UK, France, Germany, Australia, Singapore, Canada, the United States and many other countries, have performed their due diligence and, working with their regulators, are satisfied that Office 365 meets their respective regulatory requirements. This gives us confidence that Microsoft is able to help meet the high burden of financial services regulation and is experienced in meeting these requirements.

d. Microsoft’s staff hiring and screening process. All personnel with access to customer data are subject to background screening, security training and access approvals. In addition, the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems. User access to data is also limited by user role. For example, system administrators are not provided with database administrative access.

e. Financial strength of Microsoft. Microsoft Corporation is publicly listed in the United States and is amongst the world’s largest companies by market capitalization. Microsoft’s audited financial statements indicate that it has been profitable for each of the past three years. Its market capitalization is in the region of USD 280 billion. Accordingly, we have no concerns regarding its financial strength.

f. Business resumption and contingency plan. Microsoft offers contractually guaranteed 99.9% uptime, hosted out of world-class data centers with physical redundancy at disk, NIC, power supply and server levels, constant content replication, robust backup, restoration and failover capabilities, real-time issue detection and automated response such that workloads can be moved off any failing infrastructure components with no perceptible impact on the service, with 24/7 on-call engineering teams.

g. Security and internal controls, audit, reporting and monitoring. Microsoft is an industry leader in cloud security and implements policies and controls on par with or better than on-premises data centers of even the most sophisticated organizations. We have confidence in the security of the solution and the systems and controls offered by Microsoft. In addition to the ISO/IEC 27001 certification, Office 365 is designed for security with BitLocker Advanced Encryption Standard (AES) encryption of email at rest and secure sockets layer (“SSL”)/transport layer security (“TLS”) encryption of data in transit. The Microsoft service is subject to the SSAE16 SOC1 Type II audit, an independent, third-party audit.

2. Through specific technical measures in place to ensure that operation and management are not affected

Microsoft offers contractually guaranteed 99.9% uptime, globally available data centers for primary and backup storage, physical redundancy at disk, NIC, power supply and server levels, constant content replication, robust backup, restoration and failover capabilities, real-time issue detection and automated response such that workloads can be moved off any failing infrastructure components with no perceptible impact on the service, and 24/7 on-call engineering teams. See also the response to question 40 below.

9. What contractual controls does the FSI have in respect of the outsourcing? Is the documentation clear on the rights and obligations of each party to the contract and on service levels and pricing, to a level commensurate with the function’s time criticality, materiality and substitutability?

RBNZ Outsourcing Policy, Sections C.20 and D.36.

The provision of Office 365 is subject to the following contractual documents:

- Microsoft Online Business and Services Agreement (a copy of which is available on request); and
- Service Level Agreement (“SLA”), a copy of which is available at: http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37

Both of these documents and the documents referred to therein very clearly set out the rights and obligations of each party, the service levels and the pricing.

The documents provide us with a number of other contractual controls in respect of the outsourcing, notably:

- Microsoft is only contractually permitted to use our data to provide the online services. Microsoft is not permitted to use our data for any other purposes, including for advertising or other commercial purposes.
- Microsoft commits that it will implement and maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect our data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction.
- Microsoft commits that it has in place audit mechanisms in order to verify that the online services meet appropriate security and compliance standards.
- In addition, the contractual process can culminate in the regulator’s examination of Microsoft’s premises. We also have the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates our ability to: (a) assess the services’ controls and effectiveness; (b) access data related to service operations; (c) maintain insight into operational risks of the services; (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services; and (e) provide feedback on areas for improvement in the services.
- The SLA contains Microsoft’s service level commitment, as well as the remedies for us in the event that Microsoft does not meet the commitment. Microsoft commits that it will not modify the terms of the SLA during the initial term of our subscription.

10. What practical controls does the FSI have in respect of the outsourcing?

RBNZ Outsourcing Policy, Sections C.19 and C.21.

The solution provides a lot of tools which mean that we remain in practical control.

Microsoft’s SLA (as defined above) applies to the Office 365 product (linked in question 10 above and the details of which are summarized in the response to question 36 below). Our IT administrators also have access to the Office 365 Service Health Dashboard, which provides real-time and continuous monitoring of the Office 365 service. The Service Health Dashboard provides our IT administrators with information about the current availability of each service or tool (and history of availability status), details about service disruption or outage, and scheduled maintenance times. The information is provided via an RSS feed.

Amongst other things, it provides a contractual 99.9% uptime guarantee for the Office 365 product and covers performance monitoring and reporting requirements which enable us to monitor Microsoft’s performance on a continuous basis against service levels. We also have very extensive contractual audit and inspection rights, plus access to the independent SSAE16 SOC1 Type II audit, which enable us to verify their performance (as detailed further in section F below).

As part of the support we receive from Microsoft, we also have access to a technical account manager who is responsible for understanding our challenges and providing expertise, accelerated support and strategic advice tailored to our organization. This includes both continuous hands-on assistance and immediate escalation of urgent issues to speed resolution and keep mission-critical systems functioning. We are confident that such arrangements provide us with the appropriate mechanisms for managing performance and problems.

Our contract with Microsoft clearly provides that ownership of our data remains with us and we retain rights to access our data at all times. On top of this, as mentioned above, Microsoft’s services are audited by an independent third party (see our response 8(1)(g) above) and there are various audit and inspection rights (as detailed in section F below).

Our contractual agreements also allow us to terminate the arrangements with Microsoft for our convenience, which would enable us to move to another provider if required.

11. What internal processes does the FSI have in place to manage the risks to the business associated with any outsourcing arrangements?

RBNZ Outsourcing Policy, Section D.33. This requires you to have in place and explain your internal processes. The RBNZ Outsourcing Policy states that a wider range of outsourcing arrangements could be acceptable where a bank has established a “credible internal process to manage the risks to its business associated with any outsourcing arrangements”. There are no minimum requirements or detail provided when it comes to internal processes, but it would be usual to expect this to include:

- processes for management review and sign-off by the board;
- risk management policies;
- business continuity and disaster recovery plans; and
- outsourcing policies.

D. PRIVACY AND DATA PROTECTION

In addition to RBNZ requirements, FSIs in New Zealand are of course subject to privacy and data protection requirements under New Zealand law. This section looks at how the use of Office 365 complies with these requirements.

12. What data will be processed by the service provider on behalf of the FSI?

- Customer data (including customer name, contact details, account information, payment card data, security credentials and correspondence).
- Employee data (including employee name, contact details, internal and external correspondence by email and other means, and personal information relating to their employment with the organization).
- Transaction data (data relating to transactions in which the organization is involved).
- Indices (for example, market feeds).
- Other personal and non-personal data relating to the organization’s business operations as an FSI.

We ensure, pursuant to the terms of the contract in place with the service provider, that all data (but in particular any customer data) is treated with the highest level of security so that we can continue to comply with our legal and regulatory obligations and our commitments to customers. We do of course only collect and process data that is necessary for our business operations in compliance with all applicable laws and regulation, and this applies whether we process the data on our own systems or via a cloud solution such as Microsoft Office 365.

13. How does the service provider and the proposed solution comply with New Zealand privacy law requirements relating to the cloud?

The Office of the Privacy Commissioner (“OPC”) published a cloud computing checklist and “Cloud Computing – A guide to making the right choices”. Microsoft New Zealand Limited has prepared a standard response to help organizations assess the Office 365 cloud service against the OPC checklist and guide. Please see the standard response here. Note that this response is in relation to the checklist for small businesses contained in the OPC guide but may still provide useful information relevant to FSIs.


E. OFFSHORING

RBNZ has no issue in principle with the use of service providers located outside of New Zealand. However, it does consider that use of non-NZ service providers can, in some circumstances, give rise to some additional risks. This section looks at how any potential risks are mitigated.

14. Will the proposed outsourcing require offshoring? If so, from which territory(ies) will the outsourced cloud services be provided?

RBNZ Outsourcing Policy, Sections C.23 to C.26.

Microsoft informs us that it takes a regional approach to hosting of Office 365 data. Microsoft is transparent in relation to the location of our data. Microsoft data center locations are made public on the Microsoft Trust Center.

Microsoft enables customers to select the region from which their tenant is provisioned. Under the OST, Microsoft commits that if a customer provisions its tenant in the United States or EU, Microsoft will store the customer’s data at rest in the United States or EU, as applicable.

The table below will need to be amended depending on the specific solution that you are taking up.

#  | Locations of Data Centre | Classification of DC: Tier I, II, III or IV | Storing your organization’s data (Y/N)
1. |                          |                                             |
2. |                          |                                             |

15. Would proceedings relating to the outsourcing have to be brought in another jurisdiction’s court under that jurisdiction’s laws?

RBNZ Outsourcing Policy, Section C.23.

The governing law is that of Washington; however, the parties have the ability to bring proceedings in the locations as follows:

- If Microsoft brings the action, the jurisdiction will be where we are located (i.e. New Zealand);
- If we bring the action, the jurisdiction will be the state of Washington; and
- Both parties can seek injunctive relief with respect to a violation of intellectual property rights or confidentiality obligations in any appropriate jurisdiction.

16. Is there a risk that the duties and powers of the service provider’s own regulator(s) in the country(ies) in which the service will be hosted could cause the regulator(s) to intervene in such a way as to interfere with the provider’s performance?

RBNZ Outsourcing Policy, Section C.24.

Microsoft’s data center locations are recognized as stable, safe and reliable jurisdictions in respect of their legal systems, regulatory regime, technology and infrastructure. The circumstances in which authorities in these countries may have rights to access customer information are not considered to be unwarranted.

The data center locations have been selected by Microsoft taking into careful account the country and socio-economic factors. We are confident that the data center locations offer extremely stable political and socio-economic environments with robust and transparent legal frameworks. Microsoft data center locations are made public on the Microsoft Trust Center.

17. What measures are in place to ensure that performance by the service provider of the outsourced functions outside of New Zealand would not complicate the logistics of ensuring timely performance? For example, due to time zone differences, differences in statutory holidays, or the extra time needed to access essential staff and systems.

RBNZ Outsourcing Policy, Section C.25.

Microsoft works with customers around the world (including many in New Zealand) and its operations are set up to ensure that logistical issues for international customers do not arise. For example, time zones and statutory holidays will not be an issue, since Microsoft’s services are provided 24/7 without reference to statutory holidays. We do not see any issue in terms of needing extra time to access essential staff and systems, since we have audit and inspection rights (as detailed in section F below).

Commitments on the location of data at rest are discussed at p 9 of the OST, and may depend on where a customer provisions its service tenancy or which Geo it specifies for the online service. More details are set out, non-contractually, on the Trust Center for each applicable online service. The following considerations are also relevant to the location of Microsoft’s data centers:

a. Political (i.e. cross-border conflict, political unrest etc). Office 365 offers data-location transparency so that organizations and regulators are informed of the jurisdiction(s) in which data is hosted. We are confident that Microsoft’s data center locations offer extremely stable political environments.

b. Country/socioeconomic. Office 365 offers data-location transparency so that organizations and regulators are informed of the jurisdiction(s) in which data is hosted. The centers are strategically located around the world taking into account country and socioeconomic factors. We are confident that Microsoft’s data center locations offer extremely stable socioeconomic environments.

c. Infrastructure/security/terrorism. Microsoft’s data centers are built to exacting standards, designed to protect customer data from harm and unauthorized access. Data center access is restricted 24 hours per day by job function so that only essential personnel have access. Physical access control uses multiple authentication and security processes, including badges and smart cards, biometric scanners, on-premises security officers, continuous video surveillance and two-factor authentication. The data centers are monitored using motion sensors, video surveillance and security breach alarms.

d. Environmental (i.e. earthquakes, typhoons, floods). Microsoft data centers are built in seismically safe zones. Environmental controls have been implemented to protect the data centers, including temperature control, heating, ventilation and air-conditioning, fire detection and suppression systems, power management systems, 24-hour monitored physical hardware and seismically-braced racks. These requirements are covered by Microsoft’s ISO/IEC 27001 certification for Office 365.


18. What measures are in place to avoid the risk that competition for the service provider’s resources could impede the performance of functions for the FSI?

RBNZ Outsourcing Policy, Section C.25.

Microsoft is one of the largest providers of cloud services globally and has capacity to service a large number of customers without the risk of competition for resources. Our organization would be subject to the same prioritization as any other customer of the same services from Microsoft. The services are also protected by Microsoft’s SLA and its accompanying terms and conditions. More information on the SLA is available at: http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37, and more details about Microsoft’s Service Continuity are available at: http://office.microsoft.com/en-us/business/office-365-online-service-availability-FX104028266.aspx.

Microsoft provides a contractual, financially-backed 99.9% uptime guarantee for the Office 365 product. Microsoft also ensures that a raft of different safeguards and arrangements are in place to prevent and minimize the impact of any technology failure. Microsoft is subject to very high international auditing standards in this regard, which provide us with a great deal of comfort. The resources that Microsoft has in place also mean that we do not foresee risks in relation to the adequacy of Microsoft to fulfill obligations or provide remedies and restitution.

Microsoft is an industry leader in cloud computing. Office 365 was built based on ISO/IEC 27001 standards and was the first major business productivity public cloud service to have implemented this rigorous set of global standards covering physical, logical, process and management controls. FSI customers in leading markets, including the UK, France, Germany, Australia, Singapore, Canada, the United States and many other countries, have performed their due diligence and, working with their regulators, are satisfied that Office 365 meets their respective regulatory requirements. This gives us confidence that Microsoft is able to help meet the high burden of financial services regulation and is experienced in meeting these requirements.

F. TECHNICAL AND OPERATIONAL RISK Q&A


RBNZ guidance does not focus on detailed technical and operational requirements relating to the use of cloud services but, rather, focuses more generally on issues such as risk management. However, on the basis that technical and operational factors (for example, data security) are directly relevant to risk management strategy, this section provides some detailed information about the Office 365 service.

19. Does the service provider permit audit by RBNZ?

Yes.

We are confident that in our choice of Microsoft as Cloud Service Provider (“CSP”) we have far more extensive audit rights than most if not all other service providers offer. This was an important factor in our decision to choose Microsoft. Microsoft offers RBNZ the right to conduct audits. There is a contractual audit/inspection right, so that RBNZ can carry out inspections or examinations of Microsoft’s facilities, systems, processes and data relating to the services to determine and confirm that Microsoft is in compliance with applicable laws and regulations and to assess the soundness of the risk management processes and controls which it has in place. In addition, Microsoft is subject to third party audits (see our response to question 20 below).

Microsoft also offers a Compliance Framework Program. If you take up the Compliance Framework Program, you may add this additional information about its key features: the regulator audit/inspection right, access to Microsoft’s security policy, the right to participate in events to discuss Microsoft’s compliance program, and the right to receive audit reports and updates on significant events, including security incidents, risk-threat evaluations and significant changes to the business resumption and contingency plans.

20. Are the provider’s services subject to any third party audit?

Yes.

As part of Microsoft’s certification requirements, Microsoft is required to undergo regular independent third party auditing (via the SSAE 16 SOC 1 Type II audit, a globally-recognized standard), and Microsoft shares the independent third party audit reports with us.

21. What security controls are in place to protect the transmission and storage of confidential information such as customer data within the infrastructure of the service provider?

Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and controls on par with or better than the on-premises data centers of even the most sophisticated organizations, as described elsewhere in this document.

The Microsoft Office 365 security features consist of three parts: (a) built-in security features; (b) security controls; and (c) scalable security. These include 24-hour monitored physical hardware, isolated customer data, automated operations and lock-box processes, secure networks and encrypted data.

Microsoft implements the Microsoft Security Development Lifecycle (“SDL”), a comprehensive security process that informs every stage of design, development and deployment of Microsoft software and services, including Office 365. Through design requirements, analysis of attack surface and threat modeling, the SDL helps Microsoft predict, identify and mitigate vulnerabilities and threats from before a service is launched through its entire production lifecycle.

Networks within the Office 365 data centers are segmented to provide physical separation of critical back-end servers and storage devices from the public-facing interfaces. Edge router security enables detection of intrusions and signs of vulnerability. Client connections to Office 365 use SSL (as defined above) for securing Outlook, Outlook Web App, Exchange ActiveSync, POP3, and IMAP. Customer access to services provided over the Internet originates from users’ Internet-enabled locations and ends at a Microsoft data center. These connections are encrypted using industry-standard TLS (as defined above)/SSL. The use of TLS/SSL establishes a highly secure client-to-server connection to help provide data confidentiality and integrity between the desktop and the data center. Customers can configure TLS between Office 365 and external servers for both inbound and outbound email. This feature is enabled by default.

Microsoft also implements traffic throttling to prevent denial-of-service attacks. It uses the “prevent, detect and mitigate breach” process as a defensive strategy to predict and prevent security breaches before they happen. This involves continuous improvements to built-in security features, including port scanning and remediation, perimeter vulnerability scanning, OS patching to the latest security updates, network-level DDoS (distributed denial-of-service) detection and prevention, and multi-factor authentication for service access. From a people and process standpoint, preventing breach involves auditing all operator/administrator access and actions, zero standing permissions for administrators in the service, “Just-In-Time (JIT) access and elevation” of engineer privileges to troubleshoot the service (that is, elevation is granted on an as-needed and only-at-the-time-of-need basis), and segregation of the employee email environment from the production access environment. Employees who have not passed background checks are automatically rejected from high-privilege access, and checking employee backgrounds is a highly scrutinized, manual-approval process.

Data is also encrypted. Customer data in Office 365 exists in two states:

At rest on storage media

In transit from a data center over a network to a customer device

All email content is encrypted on disk using BitLocker AES (as defined above) encryption. Protection covers all disks on mailbox servers and includes mailbox database files, mailbox transaction log files, search content index files, transport database files, transport transaction log files, the page file, the OS system disk, and tracing/message tracking logs.

Office 365 also transports and stores Secure/Multipurpose Internet Mail Extensions (“S/MIME”) messages. Office 365 will transport and store messages that are encrypted using client-side, third-party encryption solutions such as Pretty Good Privacy (“PGP”).

22. How are customers authenticated?

Office 365 uses two-factor authentication to enhance security. Typical authentication practices that require only a password to access resources may not provide the appropriate level of protection for information that is sensitive or vulnerable. Two-factor authentication is an authentication method that applies a stronger means of identifying the user. The Microsoft phone-based two-factor authentication solution allows users to receive their PINs sent as messages to their phones, and then they enter their PINs as a second password to log on to their services.
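A phone-delivered PIN is only as strong as the way the server issues and checks it. The following is an added example, not Microsoft’s or Office 365’s code, of the server-side half of the scheme described above: the PIN comes from a CSPRNG, only a salted HMAC of it is stored, it expires, it is single-use, it locks after a few wrong tries, and comparison is constant-time. The digit count, lifetime, attempt limit and the stubbed SMS transport are assumptions for the example, not values taken from this document.

```python
"""Issue and verify a phone-delivered one-time PIN as a second factor.

Added example (not Microsoft's or Office 365's implementation). Assumed
parameters: 6-digit PIN, 5-minute lifetime, 3 attempts, single use, and
an SMS gateway that is stubbed by appending to a list.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PIN_DIGITS = 6          # assumption
PIN_TTL_SECONDS = 300   # assumption
MAX_ATTEMPTS = 3        # assumption


@dataclass
class PendingPin:
    digest: bytes          # HMAC-SHA256 over the PIN; the PIN itself is never stored
    salt: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


@dataclass
class SecondFactor:
    pending: Dict[str, PendingPin] = field(default_factory=dict)
    sent: List[Tuple[str, str]] = field(default_factory=list)  # stand-in for the SMS gateway

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Generate a fresh PIN for `user`, keep only its keyed hash, hand the PIN to 'SMS'."""
        now = time.time() if now is None else now
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self.pending[user] = PendingPin(
            digest=self._digest(pin, salt),
            salt=salt,
            expires_at=now + PIN_TTL_SECONDS,
        )
        self.sent.append((user, pin))  # a real system passes this to the SMS provider
        return pin  # returned here only so the example can drive verification

    def verify(self, user: str, candidate: str, now: Optional[float] = None) -> bool:
        """True exactly once for the right PIN inside the window; otherwise False.

        A used, expired or exhausted PIN is discarded so it cannot be retried,
        and the comparison is constant-time to avoid leaking matching prefixes.
        """
        now = time.time() if now is None else now
        rec = self.pending.get(user)
        if rec is None:
            return False
        if now > rec.expires_at:
            del self.pending[user]
            return False
        rec.attempts_left -= 1
        ok = hmac.compare_digest(rec.digest, self._digest(candidate, rec.salt))
        if ok or rec.attempts_left <= 0:
            del self.pending[user]  # single use, or lockout after too many failures
        return ok

    @staticmethod
    def _digest(pin: str, salt: bytes) -> bytes:
        return hmac.new(salt, pin.encode(), hashlib.sha256).digest()
```

The `now` parameter exists so the expiry and lockout paths can be exercised deterministically; in production the wall clock is used. Storing a keyed hash rather than the PIN means a read of the pending table does not by itself let an attacker pass the second step.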

23. What are the procedures for identifying, reporting and responding to suspected security incidents and violations?

This is an issue that we take very seriously. We have therefore checked these procedures in detail with Microsoft and are confident that they provide excellent means to enable us to identify, report and respond properly and promptly in the event of any security incident or violation.

First, there are robust procedures offered by Microsoft that enable the prevention of security incidents and violations arising in the first place, and their detection in the event that they do occur. Specifically:

a. Microsoft implements 24-hour monitored physical hardware. Data center access is restricted 24 hours per day by job function so that only essential personnel have access to customer applications and services. Physical access control uses multiple authentication and security processes, including badges and smart cards, biometric scanners, on-premises security officers, continuous video surveillance, and two-factor authentication.

b. Microsoft implements “prevent, detect, and mitigate breach”, a defensive strategy aimed at predicting and preventing a security breach before it happens. This involves continuous improvements to built-in security features, including port scanning and remediation, perimeter vulnerability scanning, OS patching to the latest security updates, network-level DDoS (distributed denial-of-service) detection and prevention, and multi-factor authentication for service access.

c. Wherever possible, human intervention is replaced by an automated, tool-based process, including routine functions such as deployment, debugging, diagnostic collection, and restarting services. Office 365 continues to invest in systems automation that helps identify abnormal and suspicious behavior and respond quickly to mitigate security risk. Microsoft is continuously developing a highly effective system of automated patch deployment that generates and deploys solutions to problems identified by the monitoring systems, all without human intervention. This greatly enhances the security and agility of the service.

d. Microsoft conducts penetration tests to enable continuous improvement of incident response procedures. These internal tests help Office 365 security experts create a methodical, repeatable, and optimized stepwise response process and automation.

Second, in the event that a security incident or violation is detected, Microsoft Customer Service and Support notifies Office 365 subscribers by updating the Service Health Dashboard that is available on the Office 365 portal. We would have access to Microsoft’s dedicated support staff, who have a deep knowledge of the service. Microsoft provides a Recovery Time Objective (“RTO”) of 1 hour or less for Microsoft Exchange Online and 6 hours or less for SharePoint Online, and a Recovery Point Objective (“RPO”) of 45 minutes or less for Microsoft Exchange Online and 2 hours or less for SharePoint Online.

Finally, after the incident, Microsoft provides a thorough post-incident review report (“PIR”). The PIR includes:

An incident summary and event timeline.

Broad customer impact and root cause analysis.

Actions being taken for continuous improvement.

Microsoft will provide the PIR within five business days following resolution of the service incident. Administrators can also request a PIR using a standard online service request submission through the Office 365 portal or a phone call to Microsoft Customer Service and Support.

24. How is end-to-end application encryption security implemented to protect PINs and other sensitive data transmitted between terminals and hosts?

Data is encrypted. Customer data in Office 365 exists in two states:

At rest on storage media

In transit from a data center over a network to a customer device

All email content is encrypted on disk using BitLocker AES encryption. Protection covers all disks on mailbox servers and includes mailbox database files, mailbox transaction log files, search content index files, transport database files, transport transaction log files, the page file, the OS system disk, and tracing/message tracking logs.

Office 365 also transports and stores S/MIME (as defined above) messages. Office 365 will transport and store messages that are encrypted using client-side, third-party encryption solutions such as PGP (as defined above).

For the transport-layer (TLS/SSL) controls that protect data in transit between the client and the data center, see the response to question 21.

25. Are there procedures established to securely destroy or remove the data when the need arises?

Yes.

Microsoft uses best practice procedures and a wiping solution that is NIST SP 800-88 compliant. For hard drives that cannot be wiped, it uses a destruction process (e.g. disintegrate, shred, pulverize, or incinerate) that renders the recovery of information impossible. The appropriate means of disposal is determined by the asset type. Records of the destruction are retained.

All Microsoft Online Services utilize approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end of their life cycle.

“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO/IEC 27001 standard against which Microsoft is certified.

26. Are there procedures to ensure that access to production data is restricted on a 'least privilege' basis? If yes, provide a description of these procedures.

Yes.

Microsoft applies strict controls over which personnel roles and personnel will be granted access to customer data. Personnel access to the IT systems that store customer data is strictly controlled via role-based access control (“RBAC”) and lock box processes. Access control is an automated process that follows the separation of duties principle and the principle of granting least privilege. This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a background screen, fingerprinting, required security training and access approvals. In addition, the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems.

27. Are there documented security procedures for safeguarding premises and restricted areas? If yes, provide descriptions of these procedures.

Yes.

Physical access control uses multiple authentication and security processes, including badges and smart cards, biometric scanners, on-premises security officers, continuous video surveillance and two-factor authentication. The data centers are monitored using motion sensors, video surveillance and security breach alarms.

28. Are there documented security procedures for safeguarding hardware, software and data in the data center?

Yes.

The security procedures for safeguarding hardware, software and data are documented by Microsoft in its Standard Response to Request for Information – Security and Privacy. This confirms how the following aspects of Microsoft’s operations safeguard hardware, software and data:

Compliance

Data Governance

Facility

Human Resources

Information Security

Legal

Operations

Risk Management

Release Management

Resiliency

Security Architecture

29. How are privileged system administration accounts managed? Describe the procedures governing the issuance (including emergency usage), protection, maintenance and destruction of these accounts.

Access to the IT systems that store customer data is strictly controlled via RBAC (as defined above) and lock box processes. Access control is an automated process that follows the separation of duties principle and the principle of granting least privilege. This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a background screen, fingerprinting, required security training, and access approvals. In addition, the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems. User access to data is also limited by user role. For example, system administrators are not provided with database administrative access.

In emergency situations, “Just-In-Time (JIT) access and elevation” of engineer privileges is used to troubleshoot the service (that is, elevation is granted on an as-needed and only-at-the-time-of-need basis).

30. Are the activities of privileged accounts captured (e.g. system audit logs) and reviewed regularly? Indicate the party reviewing the logs and the review frequency.

Yes.

An internal, independent Microsoft team audits the log at least once per quarter.

31. Are the audit/activity logs protected against tampering by users with privileged accounts? Describe the safeguards implemented.

Yes.

All logs are saved to a log management system that is managed by a different team of administrators. All logs are automatically transferred from the production systems to the log management system in a secure manner and stored in a tamper-protected way.
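“Stored in a tamper-protected way” can be made concrete with a keyed hash chain. The block below is an added example, not Microsoft’s log management system: each record carries an HMAC-SHA256 over the previous record’s hash and its own contents, under a key held by the separate log management team, so a production administrator who edits, deletes or reorders an entry breaks every later link. The key, the engineer identifier and the three privileged-activity records are constructed for the example.

```python
"""Tamper-evident audit log as a keyed hash chain.

Added example, not Microsoft's or Office 365's code. Every entry links to
the previous one through an HMAC, so in-place edits, deletions and
reordering are detected when the chain is walked. The key and the sample
records are constructed; the chain head would be held by the separately
administered log management system.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Assumed: held only by the log management team, never by production admins.
LOG_KEY = b"constructed-log-management-key"
GENESIS = "0" * 64  # link value for the first entry


def _link(prev_hash: str, record: Dict) -> str:
    """HMAC over (previous hash || canonical JSON of this record)."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_hash.encode() + body, hashlib.sha256).hexdigest()


def append(chain: List[Dict], record: Dict) -> Dict:
    """Append a privileged-action record, linking it to the previous entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "hash": _link(prev, record)}
    chain.append(entry)
    return entry


def head(chain: List[Dict]) -> str:
    """Hash of the last entry; this is what the log management side records at ingest."""
    return chain[-1]["hash"] if chain else GENESIS


def verify(chain: List[Dict]) -> Tuple[bool, int]:
    """Walk the chain; return (ok, index of the first bad entry or -1)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _link(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, -1


def verify_with_head(chain: List[Dict], expected_head: str) -> bool:
    """Chain integrity plus an anchored head, which also catches tail truncation."""
    ok, _ = verify(chain)
    return ok and head(chain) == expected_head


def build_sample_chain() -> List[Dict]:
    """Constructed records of the kind of privileged-account activity question 30 covers."""
    chain: List[Dict] = []
    for rec in (
        {"ts": "2014-11-03T02:14:07Z", "actor": "eng-42", "action": "jit-elevate", "target": "mbx-srv-07"},
        {"ts": "2014-11-03T02:15:11Z", "actor": "eng-42", "action": "restart-service", "target": "mbx-srv-07"},
        {"ts": "2014-11-03T02:41:55Z", "actor": "eng-42", "action": "jit-revoke", "target": "mbx-srv-07"},
    ):
        append(chain, rec)
    return chain


def tamper_demo() -> Tuple[bool, int]:
    """A production admin rewrites the middle record to hide the restart; verify() must flag it."""
    chain = build_sample_chain()
    chain[1]["record"]["action"] = "read-log"
    return verify(chain)
```

A chain on its own does not notice that its tail has been cut off, since the remaining prefix is still internally consistent; `verify_with_head` closes that gap by comparing against the head hash the log management team recorded when the entries arrived, which is the one value the separately administered system must keep.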

32. Is access to sensitive files, commands and services restricted and protected from manipulation? Provide details of controls implemented.

Yes.

System level data such as configuration data/files and commands are managed as part of the configuration management system. Any change or update to, or deletion of, those data/files/commands will be automatically detected by the configuration management system as an anomaly.

33. Are file integrity checks in place to detect unauthorized changes to databases, files, programs and system configuration? Provide details of checks implemented.

Yes.

System level data such as configuration data/files and commands are managed as part of the configuration management system. Any change or update to, or deletion of, those data/files/commands will be automatically detected by the configuration management system as an anomaly.
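The responses to questions 32 and 33 both rest on the configuration management system noticing changes to managed files. As an added example, not the Office 365 configuration management system, the following shows the core of such a file integrity check: a baseline of SHA-256 digest, size and permission bits per file, then a comparison that reports added, removed and modified paths as anomalies. The sample tree, its file names and the simulated unauthorized changes are constructed in a temporary directory so the script runs offline.

```python
"""File integrity baseline and comparison for managed configuration files.

Added example, not Microsoft's or Office 365's code. Records a baseline
(sha256, size, mode) for every file under a root and reports anything
added, removed or modified. The directory tree and the changes made to it
are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Fingerprint = Tuple[str, int, int]  # (sha256 hex digest, size in bytes, permission bits)


def fingerprint(path: Path) -> Fingerprint:
    """Hash the file in chunks and capture size and mode so permission changes are seen too."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return h.hexdigest(), st.st_size, st.st_mode & 0o7777


def baseline(root: Path) -> Dict[str, Fingerprint]:
    """Fingerprint every regular file under root, keyed by path relative to root."""
    return {
        str(p.relative_to(root)): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff(base: Dict[str, Fingerprint], current: Dict[str, Fingerprint]) -> Dict[str, List[str]]:
    """Classify the current state against the baseline."""
    return {
        "added": sorted(set(current) - set(base)),
        "removed": sorted(set(base) - set(current)),
        "modified": sorted(k for k in base.keys() & current.keys() if base[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed config tree, baseline it, then make four unauthorized changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "smtp.conf").write_text("tls_required = yes\n")
        (root / "etc" / "admins.conf").write_text("eng-42\n")
        (root / "bin").mkdir()
        (root / "bin" / "rotate-logs").write_text("#!/bin/sh\nexit 0\n")
        base = baseline(root)

        (root / "etc" / "smtp.conf").write_text("tls_required = no\n")  # weakened setting
        (root / "etc" / "admins.conf").unlink()                          # control file removed
        (root / "bin" / "backdoor").write_text("#!/bin/sh\n")            # unexpected new program
        os.chmod(root / "bin" / "rotate-logs", 0o4755)                   # setuid bit added
        return diff(base, baseline(root))
```

The baseline itself must live somewhere the production administrators cannot rewrite (the same separation the logging answer relies on), otherwise an attacker who can change a file can also re-baseline it.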

34. Are password controls for critical applications/systems reviewed for compliance on a regular basis?

Yes.

All access to production and customer data requires multi-factor authentication. Use of strong passwords is enforced as mandatory, and passwords must be changed on a regular basis.

35. Are remote access activities tracked and reviewed? Provide details of controls implemented.

Yes.

Administrators who have access to applications have no physical access to the production environment, so they have to use the controlled, monitored remote access facility. All operations through this remote access facility are logged.

36. Does the service provider have a disaster recovery or business continuity plan? If yes, provide documentation or details.

Yes.

Microsoft offers contractually-guaranteed 99.9% uptime, globally available data centers for primary and backup storage, physical redundancy at disk, NIC, power supply and server levels, constant content replication, robust backup, restoration and failover capabilities, real-time issue detection and automated response such that workloads can be moved off any failing infrastructure components with no perceptible impact on the service, and 24/7 on-call engineering teams. See also the response to question 40 below.

37. What are the recovery time objectives (RTO) of systems or applications outsourced to the service provider?

1 hour or less for Microsoft Exchange Online, 6 hours or less for SharePoint Online.

38. What are the recovery point objectives (RPO) of systems or applications outsourced to the service provider?

45 minutes or less for Microsoft Exchange Online, 2 hours or less for SharePoint Online.

39. What are the data backup and recovery arrangements for your organization’s data that resides with the service provider?

Microsoft’s arrangements are as follows:

Redundancy:

Physical redundancy at server, data center, and service levels

Data redundancy with robust failover capabilities

Functional redundancy with offline functionality

Resiliency:

Active load balancing

Automated failover with human backup

Recovery testing across failure domains

Distributed Services:

Distributed component services like Exchange Online, SharePoint Online, and Lync Online limit the scope and impact of any failures in a component.

Directory data replicated across component services insulates one service from another in any failure events.

Simplified operations and deployment.

Monitoring:

Internal monitoring built to drive automatic recovery

Outside-in monitoring raises alerts about incidents

Extensive diagnostics provide logging, auditing, and granular tracing

Simplification:

Standardized hardware reduces issue isolation complexities

Fully automated deployment models

Standard built-in management mechanism

Human backup:

Automated recovery actions with 24/7 on-call support

Team with diverse skills on call provides rapid response and resolution

Continuous improvement by learning from the on-call teams

Continuous learning:

If an incident occurs, Microsoft does a thorough post-incident review every time

Microsoft’s post-incident review consists of analysis of what happened, Microsoft’s response, and Microsoft’s plan to prevent it in the future

40. How frequently does the service provider conduct disaster recovery tests?

At least once per year.


41. Have you jointly tailored and tested your disaster recovery or business continuity plan with the service provider? If yes, please provide a report on the test results.

You are welcome to raise this with your Microsoft contact if you have any questions about how your disaster recovery/business continuity plan would interface with that of Microsoft.

In general, it would be Microsoft that would need to take action to recover the Office 365 service in a disaster/business continuity situation. Any internal actions can be carried out by our organization without coordinating with Microsoft.

42. In the event of contract termination with the service provider, either on expiry or prematurely, are you able to have all IT information and assets promptly removed or destroyed?

Yes.

Microsoft uses best practice procedures and a wiping solution that is NIST SP 800-88 compliant. For hard drives that cannot be wiped, it uses a destruction process (e.g. disintegrate, shred, pulverize, or incinerate) that renders the recovery of information impossible. The appropriate means of disposal is determined by the asset type. Records of the destruction are retained.

All Microsoft Online Services utilize approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end of their life cycle.

“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO/IEC 27001 standard against which Microsoft is certified.


APPENDIX ONE

MANDATORY CONTRACTUAL REQUIREMENTS

The Privacy Commissioner has created a document called ‘Cloud Computing: A guide to making the right choices’, February 2013, which contains some useful items to check are included in the contract. Whilst these are not mandatory, Microsoft has included them in the table below and mapped them against where in the Microsoft documentation they are covered, for ease of reference.

Key:

Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.

In blue text, Microsoft has provided you with a reference to where in the agreement the contractual requirement is covered for ease of reference.

Terms used below as follows:

OST = Online Services Terms

EA = Enterprise Agreement

Enrolment = Enterprise Enrolment

FSA = Financial Services Amendment

MBSA = Microsoft Business and Services Agreement

PUR = Product Use Rights

SLA = Online Services Service Level Agreement


Ref. Requirement Microsoft agreement reference

1. Requirement:

Check the contract. Make sure your key concerns are covered in the contract or in the standard terms and conditions. In particular check:

(i) Whether the provider has to tell you if something goes wrong (for instance if there is a security breach);
(ii) How would you notify your customers if their data is lost or stolen?
(iii) How you’re going to know whether the provider is living up to the terms of the agreement (for example does it get regular independent audits done that you’ll be able to check?);
(iv) Who is liable and what the penalties are if something goes wrong?
(v) What country’s laws apply if there is a legal dispute and who the appropriate regulator might be?
(vi) Whether mediation or arbitration is available;
(vii) Whether your provider is insured against privacy breaches;
(viii) What the provider’s disaster recovery plans cover.

Privacy Commissioner, Cloud Computing: A guide to making the right choices, February 2013, p9.

Microsoft agreement reference:

Taking each of the points in turn:

(i) Microsoft will notify us if it becomes aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident (see OST, page 9). In addition, as set out on page 13 of the OST, Microsoft maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, to whom the breach was reported, and the procedure for recovering data. Finally, see (iii) below in terms of monitoring, which allows for real-time monitoring so that breaches would be apparent.

Furthermore, Microsoft commits to comply with (and is audited against) ISO/IEC 27018. Under paragraph A.9 of this international standard Microsoft is required to promptly notify customers of any unauthorized access to personal information, or unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of personal information.

(ii) This is more an internal matter for the FSI.

(iii) The OST specifies the monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA.

Clause 1f of the Financial Services Amendment gives the customer the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.

Clauses 1e and 1f of the FSA detail the examination and influence rights that are granted to the customer and the regulator. Clause 1e sets out a process which can culminate in the regulator’s examination of Microsoft’s premises.

In addition, under paragraph 18 of ISO/IEC 27018 Microsoft is required, where individual customer audit rights are impractical or may increase risks to security, to make available, before and during our contract with Microsoft, independent evidence that information security is implemented and operated in accordance with Microsoft’s policies and procedures.

(iv) The SLA contains Microsoft’s service level commitment, as well as the remedies for the customer in the event that Microsoft does not meet the commitment, including service credits. MBSA section 6 deals with liability. MBSA section 5 sets out Microsoft’s obligation to defend the regulated entity against third party infringement and breach of confidence claims. Microsoft’s liability under section 5 is unlimited.

(v) MBSA section 11h sets out the choice of law provision. Either the contract is governed by the laws of the State of Washington, if the contract is with a Microsoft affiliate located outside of Europe; or the contract is governed by the laws of Ireland, if the contract is with a European Microsoft affiliate. In addition, as mentioned above, Clause 1e sets out a process which can culminate in the regulator’s examination of Microsoft’s premises.

(vi) MBSA section 11e sets out the jurisdictions in which parties should bring their actions. Microsoft must bring actions against the customer in the country where the customer’s contracting party is headquartered. The customer must bring actions: (a) in Ireland, if the action is against a Microsoft affiliate in Europe; (b) in the State of Washington, if the action is against a Microsoft affiliate outside of Europe; or (c) in the country where the Microsoft affiliate delivering the services has its headquarters, if the action is to enforce a Statement of Services.

(vii) MBSA section 10 deals with insurance. In practice, Microsoft maintains self-insurance arrangements for many of the areas where third party insurance is typically obtained. Microsoft has taken the commercial decision to take this approach, and does not believe that this detrimentally impacts upon its customers given that Microsoft is an extremely substantial entity.

(viii) As set out on page 13 of the OST, Microsoft maintains emergency and contingency plans for the facilities in which Microsoft information systems that process Customer Data are located. Business Continuity Management (“BCM”) forms part of the scope of the accreditation that Microsoft maintains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations (see OST page 13). BCM also forms part of the scope of Microsoft’s annual third party compliance audit.
