
Confidential

Page 1 of 38

10070299-1

SINGAPORE

MICROSOFT GUIDANCE ON COMPLYING WITH REGULATORY GUIDELINES APPLICABLE TO FINANCIAL SERVICES INSTITUTIONS USING MICROSOFT AZURE

Last updated: 4 October 2016

1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?

This guidance document is a guide to complying with the regulatory requirements and guidelines applicable to financial services institutions using Microsoft Azure in Singapore [1]. In this guidance, “financial services institutions” means financial institutions, banks, financial advisers, securities exchanges, futures exchanges, designated clearing houses, securities trading companies, insurance companies, registered insurance brokers, licensed trust companies, capital investment companies, capital markets services licensees and other regulated service providers in the financial industry (“FSIs”).

Sections 2 to 6 of this guidance document set out information about the regulatory requirements and guidelines that apply. Section 7 is a checklist to help FSIs ensure that their use of cloud services complies with the relevant requirements and guidelines. Appendix One is a list of the requirements that, under the relevant guidelines, should be addressed in the cloud contract.

2. WHAT REGULATIONS AND GUIDANCE ARE RELEVANT?

This guidance document draws upon the MAS’s notices and guidelines on technology risk management, outsourcing and cloud computing, including:

Guidelines on Outsourcing [2]
Technology Risk Management Guidelines
Business Continuity Management Guidelines
Notice 634, Banking Act

[1] Note that this guidance document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment on the part of Microsoft or its affiliates. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your technology outsourcing project and your legal and regulatory obligations. If you have any questions, please do not hesitate to get in touch with your Microsoft contact.

[2] Note that, as at the date of publication of this guidance document, the MAS Notice of Outsourcing has not been updated. Once this is updated and issued, it will also need to be considered by FSIs adopting cloud services (please see Q8 in the FAQ on MAS Guidelines on Outsourcing, published on 27 July 2016).

Whether a use of cloud computing is considered to be a ‘material outsourcing’ will determine the extent to which the applicable guidelines need to be complied with. This guidance includes all of the requirements applicable to ‘material outsourcing’, for the sake of completeness.

3. WHO IS/ARE THE RELEVANT REGULATOR(S)?

The Monetary Authority of Singapore (“MAS”)

4. IS REGULATORY APPROVAL REQUIRED IN SINGAPORE?

No, regulatory approval is not required. In fact, the latest MAS Guidelines on Outsourcing provide a clear green light to the use of cloud services, including public cloud services. There is no requirement for prior notification, consultation or approval. There are, however, various risk management and compliance requirements to address – and this guidance document is intended to help.

5. IS THERE STILL A REQUIREMENT TO SUBMIT AN MAS TECHNOLOGY QUESTIONNAIRE?

No, there is no longer such a requirement. With the release of the new Guidelines on Outsourcing on 27 July 2016, FSIs are not required to submit the MAS Technology Questionnaire to MAS before signing up for any outsourcing arrangement, including a material outsourcing arrangement. Nevertheless, Section 7 of this guidance is intended to assist you in carrying out thorough and comprehensive due diligence and to make the process of adopting cloud services easier for you by providing information, tips and suggested responses to address the matters set out in the Guidelines on Outsourcing. The suggested responses may provide sufficient detail but if you require further information, Microsoft will be happy to provide this if you get in touch with your Microsoft contact. Microsoft has, in the relevant places within this guidance document, inserted some links to relevant laws and guidance for your ease of reference which may help inform your answers.

6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?

Yes. Some obligations that MAS requires FSIs to ensure are reflected in contracts with service providers can be found in the Guidelines on Outsourcing and Notice 634, Banking Act (Appendix). Appendix One to this guidance document (Contractual requirements) contains a comprehensive list of such requirements and sets out details of where in the Microsoft contractual documents these points are covered.

7. OUTSOURCING COMPLIANCE CHECKLIST

The questions and requirements set out in this Outsourcing Compliance Checklist address the key issues that one should consider in a thorough and comprehensive risk assessment of a cloud computing service.

Key:

In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the point raised in the checklist. Some points are specific to your own internal operations and processes and you will need to address them as well.

In red italics, Microsoft has provided guidance to assist you with the points in the checklist, both for your discussions internally with your Board, senior management and compliance experts, and externally with regulators such as MAS.

Ref. Question/requirement Template response and guidance

A. OVERVIEW OF OUTSOURCING

1. Indicate the name of the service provider for this outsourcing arrangement. If there are any other parties involved in the outsourcing arrangement, also provide the names of those parties and state their role in the outsourcing arrangement.

The service provider is Microsoft Operations Pte Ltd, the regional licensing entity for Microsoft Corporation, a global provider of information technology devices and services, which is publicly-listed in the USA (NASDAQ: MSFT). Microsoft’s full company profile is available here: https://www.microsoft.com/en-us/news/inside_ms.aspx.


2. When is the proposed start date of this outsourcing arrangement?

Please insert the proposed start date of the outsourcing service.

3. Has your organization assessed this to be a material outsourcing arrangement (as described in the MAS Guidelines on Outsourcing)?

Under the Guidelines on Outsourcing, some requirements only apply if the outsourcing is ‘material’. These requirements include the requirement to: (i) perform periodic reviews on material outsourcing arrangements at least on an annual basis; (ii) incorporate contractual clauses to allow the institution and MAS to be granted audit access and access to information and any report or finding made on the service provider and its sub-contractors; and (iii) ensure that material outsourcing arrangements with service providers located outside Singapore are conducted in such a manner so as not to hinder MAS's supervisory efforts. For the sake of completeness, this guidance covers all of the requirements under the Guidelines on Outsourcing, including those that are only applicable to ‘material outsourcing arrangements’. However, FSIs will need to make an assessment as to whether the use of cloud services in a particular manner is ‘material’ or not.

A "material outsourcing arrangement" is defined under the Guidelines on Outsourcing as ‘an outsourcing arrangement – (a) which, in the event of a service failure or security breach, has the potential to either materially impact an institution’s – (i) business operations, reputation or profitability; or (ii) ability to manage risk and comply with applicable laws and regulations, or (b) which involves customer information and, in the event of any unauthorized access or disclosure, loss or theft of customer information, may have a material impact on an institution’s customers’. “Customer information” does not include information that is public, anonymized or securely encrypted and, in this respect, please see question F2 for more detail about the secure encryption provided by Microsoft’s cloud services. Annex 2 of the Guidelines on Outsourcing lists some considerations in determining whether or not the outsourcing is ‘material’.

4. Is the outsourcing arrangement a cloud computing arrangement?

Yes.

5. List all proposed service(s) to be outsourced to the service provider, and indicate if the outsourced service is critical to your business or operations.

Service(s) to be outsourced | Critical (Y/N)
1. Compute | Y
2. Data & Storage | Y
3. Networking | Y
4. Identity & Access Management | Y
5. IT Support Services | Y

6. List all the types of data that would be processed or stored by the service provider, and indicate if the data is considered to be sensitive.

When you choose a Microsoft Azure solution the types of data impacted are within your control, so the template response will need to be tailored depending on which data you have selected as relevant to the solution.

We ensure that all data (but in particular any customer data) is treated with the highest level of security in accordance with good industry practice to ensure that we and our service provider comply with our legal and regulatory obligations and our commitments to customers. We do of course only collect and process data that is necessary for our business operations in compliance with all applicable laws and regulation and this applies whether we process the data on our own systems or via a cloud solution such as Microsoft Azure. Typically the types of data that would be processed and stored by the Azure service would include:

Type of Data | Processed/Stored/Both | Sensitive (Y/N)
1. Customer data (including customer name, contact details, account information, payment card data, security credentials and correspondence). | Both | Y
2. Employee data (including employee name, contact details, internal and external correspondence by email and other means and personal information relating to their employment with the organization). | Both | Y
3. Transaction data (data relating to transactions in which the organization is involved). | Both | Y
4. Indices (for example, market feeds). | Both | N
5. Other personal and non-personal data relating to the organization’s business operations as an FSI. | Both | Y

7. Please provide the background on why your organization has decided to outsource the service(s). What were the business and operational considerations?

In articulating the business and operational considerations that led to the outsourcing, the below could be used as an introduction.

Cloud computing enables on-demand network access to a pool of servers, storage and services “in the cloud”. In the case of Microsoft Azure, it means accessing Microsoft applications and storing data not on our own servers at our own premises but on Microsoft’s servers at Microsoft’s data centers.

When managed properly, cloud computing offers security and functionality that is on par with or better than on-premises data centers of even the most sophisticated organizations.

B. REGULATORY COMPLIANCE

1. Has a compliance check for the proposed outsourcing arrangement been performed against the MAS Guidelines on Outsourcing and the Technology Risk Management Guidelines? Provide the list of all gaps identified and explain in detail how each gap is addressed by your organization.

If any “compliance gaps” were identified as part of your risk management processes then these will need to be detailed here, indicating how the relevant issues have now been resolved.

Yes.

We have reviewed the MAS Guidelines on Outsourcing and the Technology Risk Management Guidelines and have obtained confirmation from Microsoft that the Azure service complies with these guidelines. Internally, we ensure that our own processes also comply with the guidelines.

2. Will all identified security and control gaps be resolved prior to the commencement of this outsourcing arrangement? If not, please explain why and state when they can be resolved.

N/A

If any “compliance gaps” were identified as part of your risk management processes then you will need to confirm here that these gaps will be resolved (or if not, why not).


3. Has the outsourcing agreement been vetted by a competent authority (e.g. the institution's legal counsel) on its legality and enforceability?

Guidelines on Outsourcing, Paragraph 5.5.1 (The outsourcing agreement should be vetted by a competent authority on its legality and enforceability)

Yes/No (if no, explain why)

C. BOARD & MANAGEMENT OVERSIGHT

1. Has your management considered the overall business and strategic objectives prior to outsourcing the specific IT operations? Please elaborate on the factors considered and the rationale for entering this outsourcing arrangement.

Guidelines on Outsourcing, Paragraph 5.3 (an FSI should not engage in outsourcing that results in its risk management, internal control, business conduct or reputation being compromised or weakened).

The MAS expects that management would need to have considered the overall business and strategic objectives. The sample answer below covers legal/regulatory compliance and customer satisfaction but we would suggest tailoring this with details of:

information about the factors considered for using the Microsoft cloud services;
internal processes that were carried out;
who handled the process and which areas of the business were involved or advised; and
any external consultants or legal counsel involved.

Management of our organization has been involved throughout to ensure that the project aligns with our organization’s overall business and strategic objectives. At the center of our objectives are of course legal and regulatory compliance and customer satisfaction and these were the key objectives that management had in mind when it considered this project. We are satisfied that this solution will ensure legal and regulatory compliance because of the key features (including the security and regulator audit rights) forming part of the Azure service. We are also satisfied that customer satisfaction will be maintained because we believe that Azure will actually have some major benefits for our IT operations and, accordingly, improve the overall service that we are able to provide to customers.

2. Has the Board approval been sought prior to signing the outsourcing contract?

Various places in the Guidelines on Outsourcing state that ultimate responsibility for effective management of risks lies with the Board and that appropriate approvals processes should be put in place. Each organization will of course have its own internal approval processes. Where this does include Board sign-off then this will not be an issue. Where it does not, you will need to briefly explain how the sign-off processes work (i.e. how a right of approval has effectively been delegated by the Board). Again, details of the relevant decision-makers should be included here.

Yes/No (if no, explain why)

3. Has the Board of Directors or a relevant committee of the Board been apprised and acknowledged the risks presented to them?

Paragraph 5.2, Guidelines on Outsourcing states the responsibilities of the Board including approving the framework for evaluating risks. Paragraph 3 of the Technology Risk Management Guidelines is also relevant.

Yes/No (if no, explain why)

D. RISK ASSESSMENT AND MANAGEMENT

1. Has your organization performed a risk assessment of this outsourcing arrangement, including security risk assessment against the latest security threats? Please elaborate on the key risks and threats that have been identified for this outsourcing arrangement and the actions that have been or will be taken to address them.

The MAS expects that your organization would have carried out a risk assessment. Paragraph 5.3, Guidelines on Outsourcing lists the factors that should be considered in a framework for risk evaluation. The MAS Technology Risk Management Guidelines also list the key principles and an indication of what the MAS would consider to be a “proper risk assessment”.

You should ensure that you have carried out comprehensive due diligence on the nature, scope and complexity of the outsourcing to identify the key risks and risk mitigation strategies. We have made suggestions regarding common issues below and you will need to expand on or tailor the template response to describe what you see as the key risks and what risk processes you have carried out as part of this project. You may also want to refer to data segregation here (in the context of a multi-tenanted solution – noting that logical segregation is expressly permitted by the Guidelines on Outsourcing).

identifying the role of outsourcing in the overall business strategy and objectives of the institution;
risk identification;
analysis and quantification of the potential impact and consequences of these risks;
risk mitigation and control strategy; and
ongoing risk monitoring and reporting.

If you have any questions when putting together a risk assessment, please do not hesitate to get in touch with your Microsoft contact.

Yes.

Led by our management we have carried out a thorough risk assessment of the move to Azure. This risk assessment included:

[ ];
[ ]; and
[ ].


1. Data security: By transferring certain data processing operations to a third party, we are aware that we need to ensure that our selected outsourcing partner has in place appropriate and reasonable technical and organizational measures to protect the data. This is necessary both from a financial services regulatory perspective as well as the organization’s compliance with data protection legislation. It is of utmost importance to us. We have therefore carried out a robust assessment as part of our selection process. We have selected Microsoft as an outsourcing partner taking heavily into account the fact that it is an industry leader in cloud security and implements policies and controls on par with or better than on-premises data centers of even the most sophisticated organizations. Microsoft is ISO/IEC 27001 and ISO/IEC 27018 accredited. In addition, the Microsoft Azure service has achieved the highest level certification (Tier 3) of the Multi Tier Cloud Security Standard ("MTCS") for Singapore (MTCS SS 584) which builds upon recognized international standards such as ISO/IEC 27001, and covers such areas as data retention, data sovereignty, data portability, liability, availability, business continuity, disaster recovery, and incident management. The Microsoft Azure security features (being the product that the organization will be using) consist of three parts: (a) built-in security features including encryption of data when in transit and at rest; (b) security controls; and (c) scalable security. These include 24-hour monitored physical hardware, isolated customer data, automated operations and lock-box processes, secure networks and encrypted data.

2. Access and audit: In addition to ensuring that relevant security and other safeguards are put in place up front, it is essential that the outsourcing arrangement provides for us to ensure that such standards and commitments and regulatory requirements are adhered to in practice. We are aware that audit and access in order to verify this can be a difficult issue in outsourcing and therefore we have made this a high priority requirement as part of this outsourcing. Another reason for the selection of Microsoft in this case is that it permits regulator audit and inspection of its data centers and in agreed circumstances inspection rights for its financial services customers.

3. Control: The handing over of a certain amount of day to day responsibility to an outsourcing provider does present certain challenges in relation to control of data. Essential to us is that despite the outsourcing we retain control over our own business operations, including control of who can access data and how they can use it. At a contractual level, we have dealt with this via our agreement with Microsoft, which provides us with legal mechanisms to manage the relationship including appropriate allocation of responsibilities, oversight and remedies. At a practical level, we have selected the Azure product because it provides us with control over data location, access and authentication and advanced encryption controls. We (not Microsoft) will continue to own and retain all rights to our data and our data will not be used for any purpose other than to provide us with the Azure services.

The Azure service was built based on ISO/IEC 27001 and ISO/IEC 27018 standards, a rigorous set of global standards covering physical, logical, process and management controls. In addition, the Microsoft Azure service has achieved the highest level certification (Tier 3) of the Multi Tier Cloud Security Standard ("MTCS") for Singapore (MTCS SS 584) which builds upon recognized international standards such as ISO/IEC 27001, and covers such areas as data retention, data sovereignty, data portability, liability, availability, business continuity, disaster recovery, and incident management. The Azure service is certified in healthcare (HIPAA), education (FERPA) and government (FISMA) standards and Microsoft can meet strict European privacy requirements through the EU Model Clauses and data processing agreements.

2. If the outsourcing arrangement requires system connectivity between your organization and the service provider, how does your organization protect your networks and systems from the potential threats arising from the system connectivity?

You need to demonstrate that you protect your networks and systems from the potential threats arising from the system connectivity. We have made suggestions regarding measures taken below and you will need to expand on or tailor the template response to describe any further measures taken by your organization.

Azure uses industry-standard transport protocols such as SSL and TLS between user devices and Microsoft data centers, and within data centers themselves. With virtual networks, the industry standard IPsec protocol can be used to encrypt traffic between the corporate VPN gateway and Azure. Encryption can be enabled for traffic between VMs and end users.

Microsoft also implements traffic throttling to prevent denial-of-service attacks. It uses the “prevent, detect and mitigate breach” process as a defensive strategy to predict and prevent security breaches before they happen. This involves continuous improvements to built-in security features, including port-scanning and remediation, perimeter vulnerability scanning, OS patching to the latest updated security software, network-level DDoS detection and prevention and multi-factor authentication for service access.

3. What security controls are put

in place to protect the

Paragraph 5.6, Guidelines on Outsourcing. Paragraph 9 (operational infrastructure security management), Paragraph 10

Page 13: SINGAPORE MICROSOFT GUIDANCE ON …download.microsoft.com/download/C/D/D/CDDA963E-B5A8-4FDD...This guidance document is a guide to complying with the regulatory requirements and guidelines

Confidential

Page 13 of 38

10070299-1

Ref. Question/requirement Template response and guidance

transmission and storage of

any sensitive production and

backup data (e.g. customer

data) within the infrastructure

of the service provider and

how does your organization

address the risk of

unauthorized disclosure as

well as intentional or

unintentional leakage of those

information? Please provide

details of the preventive and

detective measures in place, if

any.

(data centers protection and controls) and Paragraph 11 (access control) of the Technology Risk Management Guidelines.

Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and controls on par with

or better than on-premises data centers of even the most sophisticated organizations. Microsoft Azure was built based on

ISO/IEC 27001 and ISO/IEC 27018 standards, a rigorous set of global standards covering physical, logical, process and

management controls. In addition, the Microsoft Azure service has achieved the highest level certification (Tier 3) of the

Multi Tier Cloud Security Standard ("MTCS") for Singapore (MTCS SS 584) which builds upon recognized international

standards such as ISO/IEC 27001, and covers such areas as data retention, data sovereignty, data portability, liability,

availability, business continuity, disaster recovery, and incident management.

The Microsoft Azure security features consist of three parts: (a) built-in security features; (b) security controls; and (c)

scalable security. These include 24-hour monitored physical hardware, isolated customer data, automated operations and

lock-box processes, secure networks and encrypted data.

Microsoft implements the Microsoft Security Development Lifecycle (“SDL”) which is a comprehensive security process

that informs every stage of design, development and deployment of Microsoft software and services, including Azure.

Through design requirements, analysis of attack surface and threat modeling, the SDL helps Microsoft predict, identify and

mitigate vulnerabilities and threats from before a service is launched through its entire production lifecycle.

Networks within the Azure data centers are segmented to provide physical separation of critical back-end servers and storage devices from the public-facing interfaces. Edge router security makes it possible to detect intrusions and signs of vulnerability. Azure uses industry-standard transport protocols such as SSL and TLS between user devices and Microsoft data centers, and within data centers themselves. With virtual networks, the industry-standard IPsec protocol can be used to encrypt traffic between the corporate VPN gateway and Azure. Encryption can be enabled for traffic between VMs and end users.

Microsoft also implements traffic throttling to prevent denial-of-service attacks. It uses the “prevent, detect and mitigate breach” process as a defensive strategy to predict and prevent security breaches before they happen. This involves continuous improvements to built-in security features, including port-scanning and remediation, perimeter vulnerability scanning, OS patching to the latest updated security software, network-level DDoS detection and prevention, and multi-factor authentication for service access. From a people and process standpoint, preventing breach involves auditing all operator/administrator access and actions, zero standing permission for administrators in the service, “Just-In-Time (JIT) access and elevation” of engineer privileges to troubleshoot the service (that is, elevation is granted on an as-needed and only-at-the-time-of-need basis), and segregation of the employee email environment from the production access environment. Employees who have not passed background checks are automatically rejected from high privilege access, and checking employee backgrounds is a highly scrutinized, manual-approval process.

Azure offers a wide range of data encryption capabilities up to AES-256. Options include .NET cryptographic services, Windows Server public key infrastructure (PKI) components, Active Directory Rights Management Services (AD RMS), and BitLocker for data import/export scenarios.

4. Does the service provider employ a system architecture that involves multi-tenancy and data commingling for the outsourced service(s)? If so, does the service provider possess the ability to clearly identify and segregate customer data using strong physical controls or logical controls? How are the associated risks addressed?

The Guidelines on Outsourcing expressly permit logical segregation. Paragraph 6.7, Guidelines on Outsourcing, requires that institutions be aware of the typical characteristics of cloud computing, such as multi-tenancy and data commingling. Paragraph 5.2.3 (Management of IT outsourcing risks), Technology Risk Management Guidelines, contains a requirement for the service provider to isolate and clearly identify its customer data and other information system assets for protection.

Azure is a multi-tenant service (that is, data from different customers shares the same hardware resources), but it is designed to host multiple tenants in a highly secure way through data isolation. Data storage and processing for each tenant is segregated through Active Directory structure and capabilities specifically developed to help build, manage, and secure multi-tenant environments. Active Directory isolates customers using security boundaries (also known as silos). This safeguards a customer’s data so that the data cannot be accessed or compromised by co-tenants.

5. Are the outsourced operations using hardware (i.e. servers/network devices) dedicated to the organization?

Please see also our response to question D4.

E. VENDOR MANAGEMENT & MONITORING

1. Is there a vendor management process to monitor the performance of the service provider? Please elaborate.

Paragraph 5.8, Guidelines on Outsourcing, contains detailed requirements in relation to monitoring and control of outsourced activities. In addition to your own internal processes, you may in this context also wish to consider the contractual vendor management rights that you have under your agreements with Microsoft, including the rights of audit and inspection.

As part of the support we receive from Microsoft, we have access to a technical account manager who is responsible for understanding our challenges and providing expertise, accelerated support and strategic advice tailored to our organization. This includes both continuous hands-on assistance and immediate escalation of urgent issues to speed resolution and keep mission-critical systems functioning. We are confident that such arrangements provide us with the appropriate mechanisms for managing performance and problems.

2. Does your organization have a process to audit the service provider to assess its compliance with your policies, procedures, security controls and regulatory requirements and obtain reports and findings made on the service provider? Please elaborate.

Paragraph 5.9, Guidelines on Outsourcing, sets out the audits that MAS expects FSIs to be conducting. It is not required that the FSI conducts the audit itself; it may rely on an independent third party audit by obtaining copies of such findings/audits made on the service provider and its subcontractors. This is a question about your own internal processes, although it is of course relevant in this context to mention that Microsoft permits audit and inspection both by its FSI customers and by regulators.

We have undertaken a thorough due diligence of Microsoft’s processes and procedures in relation to Azure. As part of its certification requirements, Microsoft is required to undergo independent third party auditing, and it shares with us the independent third party audit reports. As part of its standard offering to us (i.e. the Financial Services Amendment that automatically applies to regulated financial services institutions like ourselves), Microsoft gives us a right to examine, monitor and audit its provision of Azure. Specifically, Microsoft (i) makes available to us the written Azure data security policy that complies with certain control standards and frameworks, along with descriptions of the security controls in place for Azure and other information that we reasonably request regarding Microsoft’s security practices and policies; and (ii) causes the performance of audits, on our behalf, of the security of the computers, computing environment and physical data centers that it uses in processing our data (including personal data) for Azure, and provides the audit report to us upon request. We are confident that such arrangements provide us with the appropriate level of assessment of Microsoft’s ability to facilitate compliance against our policy, procedural, security control and regulatory requirements.

The Financial Services Amendment further gives us the opportunity to participate in the optional FSI Customer Compliance Program at any time, which enables us to have additional monitoring, supervisory and audit rights and additional controls over Azure, such as (a) access to Microsoft personnel for raising questions and escalations relating to Azure; (b) an invitation to participate in a webcast hosted by Microsoft to discuss audit results, which leads to subsequent access to detailed information regarding planned remediation of any deficiencies identified by the audit; (c) receipt of communication from Microsoft on (1) the nature, common causes, and resolutions of security incidents and other circumstances that can reasonably be expected to have a material service impact on our use of Azure, (2) Microsoft’s risk-threat evaluations, and (3) significant changes to Microsoft’s business resumption and contingency plans or other circumstances that might have a serious impact on our use of Azure; (d) access to a summary report of the results of Microsoft’s third party penetration testing against Azure (e.g. evidence of data isolation among tenants); and (e) access to Microsoft’s subject matter experts through group events such as webcasts or in-person meetings (including an annual summit event) where roadmaps of planned developments or reports of significant events will be discussed and we will have a chance to provide structured feedback and/or suggestions regarding the FSI Customer Compliance Program and its desired future evolution. The group events will also give us the opportunity to discuss common issues with other regulated financial institutions and raise them with Microsoft.

3. Has explicit provision been made in the outsourcing agreement to enable MAS and its agents to carry out an inspection or examination of the service provider and its sub-contractors, and to obtain copies of reports made on the service provider or reports or information given to, stored at or processed by the service provider and its sub-contractors? Please explain in detail if explicit provision has not been made.

Paragraph 5.9.2 of the Guidelines on Outsourcing requires the inclusion of access to information, inspection and examination rights in favor of MAS. Such rights are indeed included in Microsoft’s contractual documents, and this is a key advantage of the Microsoft product over competitor products, which often provide only very limited (or no) regulator inspection rights.

Yes.

There are provisions in the contract that enable MAS to carry out inspection or examination of Microsoft’s facilities, systems, processes and data relating to the services. As part of its standard offering to us (i.e. the Financial Services Amendment that automatically applies to regulated financial services institutions like ourselves), Microsoft will, upon a regulator’s request, provide the regulator a direct right to examine the relevant service, including the ability to conduct an on-premise examination; to meet with Microsoft personnel and Microsoft’s external auditors; and to access related information, records, reports and documents. Microsoft will not disclose customer data to the regulator except as described in the OST. The customer will at all times have access to its data using the standard features of Azure, and may delegate its access to its data to representatives of the MAS.

F. IT SECURITY

- PROTECTION OF SENSITIVE / CONFIDENTIAL INFORMATION

1. Have you obtained from the service provider a written undertaking to protect and maintain the confidentiality of your sensitive data? If yes, provide documentation.

Yes. It is part of the standard contractual commitments made by Microsoft.

Note that “Confidentiality agreements and non-disclosure agreements” are covered under the ISO/IEC 27001 and ISO/IEC 27018 standards, against which Microsoft is certified and audited annually by a third party, independent and accredited certification body.

2. Is end-to-end application layer encryption implemented to protect the transmission of PINs?

Paragraph 9.1 and Appendix E (Paragraph E.2.5), Technology Risk Management Guidelines.

Yes.

Azure offers a wide range of data encryption capabilities up to AES-256. Options include .NET cryptographic services, Windows Server public key infrastructure (PKI) components, Active Directory Rights Management Services (AD RMS), and BitLocker for data import/export scenarios.

Networks within the Azure data centers are segmented to provide physical separation of critical back-end servers and storage devices from the public-facing interfaces. Edge router security makes it possible to detect intrusions and signs of vulnerability. Azure uses industry-standard transport protocols such as SSL and TLS between user devices and Microsoft data centers, and within data centers themselves. With virtual networks, the industry-standard IPsec protocol can be used to encrypt traffic between the corporate VPN gateway and Azure. Encryption can be enabled for traffic between VMs and end users.

3. Are there procedures established to securely destroy or remove the organization’s production and backup data stored at the service provider when the need arises? Please elaborate.

Paragraph 5.2.4 (Management of IT outsourcing risks), Technology Risk Management Guidelines.

Yes.

Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that cannot be wiped, it uses a destruction process (i.e. shredding) that destroys the drive and renders the recovery of information impossible (e.g., disintegrate, shred, pulverize, or incinerate). The appropriate means of disposal is determined by the asset type. Records of the destruction are retained.

All Microsoft Online Services utilize approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end-of-life cycle.

“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO/IEC 27001, ISO/IEC 27018 and MTCS SS 584 standards, against which Microsoft is certified.

- DATA CENTER PHYSICAL & ENVIRONMENTAL CONTROLS

4. Where are the data center(s) of the service provider located? Indicate the data center(s) in which your organization’s sensitive data would be stored and/or processed.

Paragraph 5.10 (Outsourcing outside Singapore), Guidelines on Outsourcing. Note that the use of data centers out of Singapore is permitted by the Guidelines on Outsourcing.

Microsoft informs us that it takes a regional approach to hosting of Azure data. Microsoft is transparent in relation to the location of our data. Microsoft data center locations are made public on the Microsoft Trust Center.

The table below will need to be amended depending on the specific solution that you are taking up.

No. | Location of Data Center | Classification of DC: Tier I, II, III or IV | Storing your organization’s data (Y/N)
1.  |                         |                                             |
2.  |                         |                                             |

5. Have you obtained a report on the Threat and Vulnerability Risk Assessment on the physical security and environmental controls available at the data center(s)? What were the key risks and security issues raised, and how were they addressed?

Paragraph 10, Technology Risk Management Guidelines.

In order to meet the objectives and demands of a robust service, Microsoft regularly conducts penetration testing and vulnerability assessments against the service through its commitment to the Security Development Lifecycle and ISO certification. The output of testing is tracked through a risk register which is audited and reviewed on a regular basis to ensure compliance with Microsoft’s security practices. In order to protect both the system and customer data, Microsoft does not provide copies of the testing reports; however, the tests conducted typically include the OWASP top ten and also include the use of independent, verified security teams (CREST certified). Microsoft is happy to make available the ISO and SSAE 16 audit reports, which cover vulnerability assessments.

- USER AUTHENTICATION & ACCESS MANAGEMENT

6. Does the service provider have privileged access or remote access to perform system/user administration for the outsourced service? If so, does the service provider have access to your organization’s sensitive data? Please provide details on the controls implemented to mitigate the risks of unauthorized access to sensitive data by the service provider, or other parties.

Paragraphs 10.2 (physical security) and 11 (access control), Technology Risk Management Guidelines.

Yes.

Microsoft applies strict controls over which personnel roles and personnel will be granted access to customer data. Personnel access to the IT systems that store customer data is strictly controlled via role-based access control (“RBAC”) and lock box processes that involve not only approvals from within Microsoft but also explicit approval from the customer. Access control is an automated process that follows the separation of duties principle and the principle of granting least privilege. This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a background screen, fingerprinting, required security training and access approvals. In addition, the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems. User access to data is also limited by user role. For example, system administrators are not provided with database administrative access. In emergency situations, a “Just-In-Time (JIT) access and elevation system” is used to elevate engineer privileges to troubleshoot the service (that is, elevation is granted on an as-needed and only-at-the-time-of-need basis).

7. Are the following controls and measures put in place at the service provider?

a. The activities of privileged accounts are logged and reviewed regularly.

Paragraph 11.1.4 (Access Controls), Technology Risk Management Guidelines.

Yes.

An internal, independent Microsoft team will audit the log at least once per quarter.

b. Audit and activity logs are protected against tampering by privileged users.

Paragraph 11 (Access Controls), Technology Risk Management Guidelines.

Yes.

All logs are saved to the log management system, which a different team of administrators manages. All logs are automatically transferred from the production systems to the log management system in a secure manner and stored in a tamper-protected way.

c. Access to sensitive files, commands and services is restricted and protected from manipulation.

Paragraph 11 (Access Controls), Technology Risk Management Guidelines.

Yes.

System level data such as configuration data/files and commands are managed as part of the configuration management system. Any changes to, updates of, or deletion of those data/files/commands will be automatically deleted by the configuration management system as anomalies.

d. Integrity checks are implemented to detect unauthorized changes to databases, files, programs and system configuration.

Paragraph 11 (Access Controls), Technology Risk Management Guidelines.

Yes.

System level data such as configuration data/files and commands are managed as part of the configuration management system. Any changes to, updates of, or deletion of those data/files/commands will be automatically deleted by the configuration management system as anomalies.

e. Password controls for the outsourced systems and applications are reviewed for compliance on a regular basis.

Paragraph 11.1.5 (Access Controls), Technology Risk Management Guidelines.

Yes.

All access to production and customer data requires multi-factor authentication. Use of strong passwords is enforced as mandatory, and passwords must be changed on a regular basis.

f. Access rights for the outsourced systems and applications are reviewed for compliance on a regular basis.

Paragraph 11 (Access Controls), Technology Risk Management Guidelines (it is recommended that FSIs implement strong controls over remote access by privileged users).

Yes.

Administrators who have access to applications have no physical access to the production environment, so administrators have to remotely access the controlled, monitored remote access facility. All operations through this remote access facility are logged. In addition, the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems.

G. IT SERVICE AVAILABILITY & DISASTER RECOVERY

1. Does the service provider have a disaster recovery or business continuity plan and what is the service availability? For your organization’s data residing at the service provider, what are the backup and recovery arrangements?

Paragraph 5.7, Guidelines on Outsourcing. Paragraphs 8.1 (Systems Availability), 8.2 (Disaster Recovery Plan), 8.3 (Disaster Recovery Testing) and 8.4 (Data Backup Management), Technology Risk Management Guidelines. Principle 2, Business Continuity Management Guidelines.

Yes. Microsoft offers contractually-guaranteed uptime, globally available data centers for primary and backup storage, physical redundancy at disk, NIC, power supply and server levels, constant content replication, robust backup, restoration and failover capabilities, real-time issue detection and automated response such that workloads can be moved off any failing infrastructure components with no perceptible impact on the service, and 24/7 on-call engineering teams.

Redundancy
- Physical redundancy at server, data center, and service levels
- Data redundancy with robust failover capabilities
- Functional redundancy with offline functionality

Resiliency
- Active load balancing
- Automated failover with human backup
- Recovery testing across failure domains

Distributed Services
- Distributed component services limit the scope and impact of any failure in a component.
- Directory data replicated across component services insulates one service from another in any failure event.
- Simplified operations and deployment.

Monitoring
- Internal monitoring built to drive automatic recovery
- Outside-in monitoring raises alerts about incidents
- Extensive diagnostics provide logging, auditing, and granular tracing

Simplification
- Standardized hardware reduces issue isolation complexities
- Fully automated deployment models
- Standard built-in management mechanism

Human backup
- Automated recovery actions with 24/7 on-call support
- Team with diverse skills on the call provides rapid response and resolution
- Continuous improvement by learning from the on-call teams

Continuous learning
- If an incident occurs, Microsoft does a thorough post-incident review every time
- Microsoft’s post-incident review consists of analysis of what happened, Microsoft’s response, and Microsoft’s plan to prevent it in the future

In the event the organization was affected by a service incident, Microsoft shares the post-incident review with the organization.

2. What are the recovery time objectives (“RTO”) of systems or applications outsourced to the service provider?

Paragraph 5.7.2(a), Guidelines on Outsourcing. Paragraph 8.2.4 of the Technology Risk Management Guidelines. Principle 4, Business Continuity Management Guidelines (FSI should develop recovery strategies and set recovery time objectives for critical business functions).

30 min or less for Virtual Machines and Storage; 1 hour or less for Virtual Network.

3. What are the recovery point objectives (“RPO”) of systems or applications outsourced to the service provider?

Paragraph 5.7.2(a), Guidelines on Outsourcing. Paragraph 8.2.4 of the Technology Risk Management Guidelines. Principle 4, Business Continuity Management Guidelines (FSI should develop recovery strategies and set recovery time objectives for critical business functions).

1 minute or less for Storage.

4. How frequently does the service provider conduct disaster recovery tests?

Paragraph 5.7.2(b), Guidelines on Outsourcing (FSIs should ensure that the service provider regularly tests its business continuity plans and that the tests validate the feasibility of the RTOs and the resumption operating capacities. The service provider should also be required to notify the FSI of any test finding that may affect the service provider’s performance). Paragraph 8.3, Technology Risk Management Guidelines, contains details around expectations of disaster recovery tests (with paragraph 8.3.2 referring to this being done at least annually). Principle 3, Business Continuity Management Guidelines.

At least once per year.

H. EXIT STRATEGY

1. Do you have the right to terminate the SLA in the event of default, ownership change, insolvency, change of security or serious deterioration of service quality?

Paragraph 5.5.2(i), Guidelines on Outsourcing, which states that the agreement should contain provisions for default termination and early exit.

The SLA is only one part of the contractual arrangement with Microsoft. It is not terminable in itself as a stand-alone document (the remedies available to us under the SLA are financial), but our main agreement with Microsoft, the Microsoft Business and Services Agreement (“MBSA”), is terminable by us for convenience at any time by providing not less than 60 days’ notice. In addition, we have standard rights of termination for material breach. This gives us the flexibility and control we need to manage the relationship with Microsoft, because it means that we can terminate the arrangements whether with or without cause.

2. In the event of contract termination with the service provider, either on expiry or prematurely, are you able to have all IT information and assets promptly removed or destroyed?

Paragraph 5.7.2(c), Guidelines on Outsourcing (requires FSIs to ensure that there are plans and procedures in place to address the need to have all relevant IT information and assets promptly removed and destroyed upon termination).

Yes.

Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that cannot be wiped, it uses a destruction process (i.e. shredding) that destroys the drive and renders the recovery of information impossible (e.g., disintegrate, shred, pulverize, or incinerate). The appropriate means of disposal is determined by the asset type. Records of the destruction are retained.

All Microsoft Online Services utilize approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end-of-life cycle.

“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO/IEC 27001, ISO/IEC 27018 and MTCS SS 584 standards, against which Microsoft is certified.

APPENDIX ONE

CONTRACTUAL REQUIREMENTS

This table sets out the specific items that should be covered in the FSI’s outsourcing agreement with the service provider, pursuant to the Guidelines on Outsourcing and Notice 634, Banking Act (Appendix). It also contains useful information on how Microsoft’s contractual documents address each of said items.

In summary: Microsoft is pleased to conclude that all relevant requirements specified in the Guidelines on Outsourcing and Notice 634, Banking Act are addressed in Microsoft's contractual documents, as shown below.

Key:

Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.

In blue text, Microsoft explains how Microsoft’s contractual documents address the contractual requirements, with references to where they are covered.

Terms used below are as follows:

OST = Online Services Terms

EA = Enterprise Agreement

Enrollment = Enterprise Enrollment

FSA = Financial Services Amendment

MBSA = Microsoft Business and Services Agreement

PUR = Product Use Rights

SLA = Online Services Service Level Agreement

Page 29: SINGAPORE MICROSOFT GUIDANCE ON …download.microsoft.com/download/C/D/D/CDDA963E-B5A8-4FDD...This guidance document is a guide to complying with the regulatory requirements and guidelines

Confidential

Page 29 of 38

10070299-1

Ref. Requirement Microsoft agreement reference

1. The outsourcing agreement should

address the risks identified at the

risk evaluation and due diligence

stages.

Guidelines on Outsourcing, Paragraphs 5.5.2.

This would depend on the results of your risk evaluation and due diligence exercises.

2. The outsourcing agreement should allow for timely renegotiation and renewal to enable the institution to retain an appropriate level of control over the outsourcing arrangement and the right to intervene with appropriate measures to meet its legal and regulatory obligations.

Guidelines on Outsourcing, Paragraph 5.5.2.

In order to facilitate your continued and ongoing legal and regulatory compliance needs, and as part of its standard offering to you (i.e. the FSA that automatically applies to regulated financial services institution customers), Microsoft agrees to discuss how to meet new or additional requirements imposed on you should you become subject to Future Applicable Law (as defined in the FSA).

Furthermore, Microsoft’s contractual documents anticipate renewal. For instance, Enrollments have a three-year term, and may be renewed for a further three-year term. If necessary, you have a right to terminate the services at your convenience. More information on your termination rights is available under Requirement 11 below.

Meanwhile, Microsoft enables financial institution customers to retain an appropriate level of control to meet their legal and regulatory obligations. You have full control and ownership over your data at all times. In addition, under the FSA Microsoft (i) makes available to you the written Azure data security policy that complies with certain control standards and frameworks, along with descriptions of the security controls in place for Azure and other information that you reasonably request regarding Microsoft’s security practices and policies; and (ii) causes the performance of audits, on your behalf, of the security of the computers, computing environment and physical data centers that it uses in processing your data (including personal data) for Azure, and provides the audit report to you upon request. These arrangements are offered to you in order to provide you with the appropriate level of assessment of Microsoft’s ability to facilitate compliance against your policy, procedural, security control and regulatory requirements.

You can further elect to participate in the FSI Customer Compliance Program. This program allows you to engage with Microsoft during the term of the outsourcing contract to ensure that you have oversight over the services in order to ensure that the services meet your legal and regulatory obligations. Specifically, it enables you to have additional monitoring, supervisory and audit rights and additional controls over Azure, such as (a) access to Microsoft personnel for raising questions and escalations relating to Azure, (b) invitation to participate in a webcast hosted by Microsoft to discuss audit results and subsequent access to detailed information regarding planned remediation of any deficiencies identified by the audit, (c) receipt of communication from Microsoft on (1) the nature, common causes, and resolutions of security incidents and other circumstances that can reasonably be expected to have a material service impact on your use of Azure, (2) Microsoft’s risk-threat evaluations, and (3) significant changes to Microsoft’s business resumption and contingency plans or other circumstances that might have a serious impact on your use of Azure, (d) access to a summary report of the results of Microsoft’s third party penetration testing against Azure (e.g. evidence of data isolation among tenants), and (e) access to Microsoft’s subject matter experts through group events such as webcasts or in-person meetings (including an annual summit event) where roadmaps of planned developments or reports of significant events will be discussed and you will have a chance to provide structured feedback and/or suggestions regarding the FSI Customer Compliance Program and its desired future evolution. The group events will also give you the opportunity to discuss common issues with other regulated financial institutions and raise them with Microsoft.

3. The outsourcing agreement should have provisions to address the scope of the outsourcing arrangement.

Guidelines on Outsourcing, Paragraph 5.5.2(a).

Microsoft's contractual documents comprehensively set out the scope of the outsourcing arrangement and the respective commitments of the parties.

The services are broadly described, along with the applicable usage rights, in the Product List and OST. The services are described in more detail in the OST, which includes a list of service functionality and core features of the Azure services in particular.

The SLA contains Microsoft’s service level commitment, as well as the remedies for the customer in the event that Microsoft does not meet the commitment. The terms of the SLA current at the start of the applicable initial or renewal term of the Enrollment are fixed for the duration of that term.

Please find a copy of the OST at:

http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=46

Please find a copy of the SLA at:

http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37

4. The outsourcing agreement should have provisions to address performance, operational, internal control and risk management standards.

Guidelines on Outsourcing, Paragraph 5.5.2(b).

All of these aspects are covered in the OST and the SLA. The OST contains the privacy and security practices, and internal controls that Microsoft implements, and the SLA contains Microsoft’s service level commitment, as well as the remedies for the customer in the event that Microsoft does not meet the commitment. The SLA is fixed for the initial term of the Enrollment.

5. The outsourcing agreement should have provisions to address confidentiality and security.

Guidelines on Outsourcing, Paragraph 5.5.2(c).

MBSA section 3 deals with confidentiality. Under this section Microsoft commits not to disclose your confidential information (which includes your data) to third parties and to only use your confidential information for the purposes of Microsoft’s business relationship with you. Further, Microsoft commits to take reasonable steps to protect your confidential information, to notify you if there is any unauthorized use or disclosure of your confidential information and to cooperate with you to help to regain control of your confidential information and prevent further unauthorized use or disclosure of it.

The OST states that Microsoft and the customer each commit to comply with all applicable privacy and data protection laws and regulations. The customer owns its data that is stored on Microsoft cloud services at all times. The customer also retains the ability to access its customer data at all times, and Microsoft will deal with customer data in accordance with the terms and conditions of the Enrollment and the OST. Following termination, Microsoft will (unless otherwise directed by the customer) delete the customer data after a 90-day retention period.

Guidelines on Outsourcing, Paragraph 5.6.2(a). The outsourcing agreement should address the issue of access to and disclosure of customer information by the service provider. Customer information should be used by the service provider and its staff strictly for the purpose of the contracted service.

And

Notice 634, Banking Act, Paragraph 8 of the Appendix. The agreement should contain obligations relating to the following: (i) access to customer data is limited to employees of the service provider who strictly require the information to perform their duties; (ii) customer data is used strictly for a specified and disclosed purpose; and (iii) further disclosure of customer data to any other party is restricted unless required by law.

Microsoft makes specific commitments with respect to safeguarding your data in the OST. In summary, Microsoft commits that:

1. Your data will only be used to provide the online services to you and your data will not be used for any other purposes, including for advertising or other commercial purposes.

2. Microsoft will not disclose your data to law enforcement unless it is legally obliged to do so, and only after not being able to redirect the request to you.

3. Microsoft will implement and maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect your data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction. Technical support personnel are only permitted to have access to customer information when needed.

Guidelines on Outsourcing, Paragraph 5.6.2(a). The outsourcing agreement should address the issue of the party liable for losses in the event of a breach of security or confidentiality and the service provider’s obligation to inform the institution.

The OST states the responsibilities of the contracting parties that ensure the effectiveness of security policies. To the extent that a security incident results from Microsoft’s failure to comply with its contractual obligations, and subject to the applicable limitations of liability, Microsoft reimburses you for reasonable and third-party validated, out-of-pocket remediation costs you incurred in connection with the security incident, including actual costs of court- or governmental body-imposed payments, fines or penalties for a Microsoft-caused security incident and additional, commercially-reasonable, out-of-pocket expenses you incurred to manage or remedy the Microsoft-caused security incident (FSA, Section 3). Applicable limitation of liability provisions can be found in the MBSA.

Microsoft further agrees to notify you if it becomes aware of any security incident, and to take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident (OST).

6. The outsourcing agreement should have provisions to address business continuity management.

Guidelines on Outsourcing, Paragraphs 5.5.2(d) and 5.7.2.

And

Notice 634, Banking Act, Paragraph 11 of the Appendix.

Business Continuity Management forms part of the scope of the accreditation that Microsoft retains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations (see OST). Business Continuity Management also forms part of the scope of Microsoft’s annual third party compliance audit. Business Continuity Plans (BCPs) are documented and reviewed at least annually, and the BCPs provide roles and responsibilities and detailed procedures for recovery and reconstitution of systems to a known state per defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).

Microsoft also maintains emergency and contingency plans for the facilities in which Microsoft information systems that process customer data are located. Microsoft’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct customer data in its original or last-replicated state from before the time it was lost or destroyed.

Data Recovery Procedures

On an ongoing basis, but in no case less frequently than once a week (unless no customer data has been updated during that period), Microsoft maintains multiple copies of customer data from which customer data can be recovered.

Microsoft stores copies of customer data and data recovery procedures in a different place from where the primary computer equipment processing the customer data is located.

Microsoft has specific procedures in place governing access to copies of customer data.

Microsoft reviews data recovery procedures at least every six months, except for data recovery procedures for Azure Government Services, which are reviewed every twelve months.

Microsoft logs data restoration efforts, including the person responsible, the description of the restored data and where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process.

7. The outsourcing agreement should have provisions to address monitoring and control.

Guidelines on Outsourcing, Paragraphs 5.5.2(e) and 5.8.1.

The OST gives the customer the ability to access and extract customer data, and specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards.

The FSA further gives regulated financial institution customers, i.e. you, the opportunity to participate in the Microsoft FSI Customer Compliance Program. This program allows you to engage with Microsoft during the term of the outsourcing contract to ensure that you have oversight over the services in order to ensure that the services meet your legal and regulatory obligations. Specifically, it enables you to have additional monitoring, supervisory and audit rights and additional controls over Azure, such as (a) access to Microsoft personnel for raising questions and escalations relating to Azure, (b) invitation to participate in a webcast hosted by Microsoft to discuss audit results and subsequent access to detailed information regarding planned remediation of any deficiencies identified by the audit, (c) receipt of communication from Microsoft on (1) the nature, common causes, and resolutions of security incidents and other circumstances that can reasonably be expected to have a material service impact on your use of Azure, (2) Microsoft’s risk-threat evaluations, and (3) significant changes to Microsoft’s business resumption and contingency plans or other circumstances that might have a serious impact on your use of Azure, (d) access to a summary report of the results of Microsoft’s third party penetration testing against Azure (e.g. evidence of data isolation among tenants), and (e) access to Microsoft’s subject matter experts through group events such as webcasts or in-person meetings (including an annual summit event) where roadmaps of planned developments or reports of significant events will be discussed and you will have a chance to provide structured feedback and/or suggestions regarding the FSI Customer Compliance Program and its desired future evolution. The group events will also give you the opportunity to discuss common issues with other regulated financial institutions and raise them with Microsoft.

8. The outsourcing agreement should have provisions to address audit and inspection.

Guidelines on Outsourcing, Paragraphs 5.5.2(f), 5.9.2 and 5.10.2(b), for material outsourcing.

And

Notice 634, Banking Act, Paragraph 8a of the Appendix.

The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA as a standard offering to regulated financial institutions. Under the FSA, Microsoft gives you a right to examine, monitor and audit its provision of Azure. Specifically, Microsoft (i) makes available to you the written Azure data security policy that complies with certain control standards and frameworks, along with descriptions of the security controls in place for Azure and other information that you reasonably request regarding Microsoft’s security practices and policies; and (ii) causes the performance of audits, on your behalf, of the security of the computers, computing environment and physical data centers that it uses in processing your data (including personal data) for Azure, and provides the audit report to you upon request. These arrangements are offered to you in order to provide you with the appropriate level of assessment of Microsoft’s ability to facilitate compliance against your policy, procedural, security control and regulatory requirements. Please refer to the optional FSI Customer Compliance Program described in Requirement 7 above for opportunities to gain further visibility and influence into Microsoft’s practices.

The FSA further describes that if a regulator requests, Microsoft will provide the regulator a direct right to examine the relevant service, including the ability to conduct an on-premise examination; to meet with Microsoft personnel and Microsoft’s external auditors; and to access related information, records, reports and documents. Microsoft will not disclose customer data to the regulator except as described in the OST. Customer will at all times have access to its data using the standard features of Azure, and may delegate its access to its data to representatives of the MAS.

9. The outsourcing agreement should have provisions to address notification of adverse developments.

Guidelines on Outsourcing, Paragraphs 5.5.2(g) and 4.2.

Microsoft will notify the customer if it becomes aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident (see OST).

10. The outsourcing agreement should have provisions to address dispute resolution.

Guidelines on Outsourcing, Paragraph 5.5.2(h).

The MBSA covers the dispute resolution process (Section 10.e.), warranties (Section 5), defense of third party claims (Section 6), limitation of liability (Section 7), and term and termination (Section 9). It further offers country-specific provisions determined by applicable law (Section 11).

11. The outsourcing agreement should have provisions to address default termination and early exit.

Guidelines on Outsourcing, Paragraph 5.5.2(i).

And

Notice 634, Banking Act, Paragraph 10 of the Appendix.

You can terminate the MBSA or the EA for convenience at any time by providing not less than 60 days’ notice. In addition, you have standard rights of termination for material breach. This gives us the flexibility and control we need to manage the relationship with Microsoft because it means that we can terminate the arrangements whether with or without cause.

12. The outsourcing agreement should have provisions to address sub-contracting.

Guidelines on Outsourcing, Paragraph 5.5.2(j).

Microsoft is permitted to hire subcontractors under the OST. The confidentiality of your data is protected when Microsoft uses subcontractors because Microsoft commits that its subcontractors “will be permitted to obtain Customer Data only to deliver the services Microsoft has retained them to provide and will be prohibited from using Customer Data for any other purpose” (OST).

Microsoft commits that any subcontractors to whom Microsoft transfers your data will have entered into written agreements with Microsoft that are no less protective than the data processing terms in the OST (OST).

Microsoft remains contractually responsible (and therefore liable) for its subcontractors’ compliance with Microsoft’s obligations in the OST (OST). In addition, Microsoft’s commitment to ISO/IEC 27001, ISO/IEC 27018 and MTCS SS 584 requires Microsoft to ensure that its subcontractors are subject to the same security controls as Microsoft is subject to. Microsoft maintains a list of authorized subcontractors for the online services that have access to your data and provides you with a mechanism to obtain notice of any updates to that list (OST). The actual list can be accessed via https://www.microsoft.com/en-us/trustcenter/Privacy/Who-can-access-your-data-and-on-what-terms#subcontractors. If you do not approve of a subcontractor that is added to the list, then you are entitled to terminate the affected online services.

13. The outsourcing agreement should have provisions to address applicable laws.

Guidelines on Outsourcing, Paragraph 5.5.2(k).

MBSA section 10.h. sets out the applicable law provision.

14. The outsourcing agreement should be tailored to address issues arising from country risks and potential obstacles in exercising oversight and management of the outsourcing arrangements made with a service provider outside Singapore.

Guidelines on Outsourcing, Paragraphs 5.5.3 and 5.10.2(b).

Azure offers data-location transparency so that organizations and regulators are informed of the jurisdiction(s) in which data is hosted. The data centers are strategically located around the world, taking into account country and socioeconomic factors. Microsoft’s data center locations are selected to offer stable socioeconomic environments. Please refer to the Microsoft Trust Center for Azure data center locations at http://o365datacentermap.azurewebsites.net/.

The OST contains general commitments around data location. Microsoft commits that customer data transfers out of the EU will be governed by the EU Model Clauses set out in the OST to represent a high standard of care in relation to data transfers. Also, as noted in the OST: “Any subcontractors to whom Microsoft transfers Customer Data, even those used for storage purposes, will have entered into written agreements with Microsoft that are no less protective than the Data Processing Terms”.