Confidential
Page 1 of 38
10070299-1
SINGAPORE
MICROSOFT GUIDANCE ON COMPLYING WITH REGULATORY GUIDELINES APPLICABLE TO FINANCIAL SERVICES
INSTITUTIONS USING MICROSOFT AZURE
Last updated: 4 October 2016
1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?
This guidance document is a guide to complying with the regulatory requirements and guidelines applicable to financial services institutions using Microsoft
Azure in Singapore.[1] In this guidance, “financial services institutions” means financial institutions, banks, financial advisers, securities exchanges, futures
exchanges, designated clearing houses, securities trading companies, insurance companies, registered insurance brokers, licensed trust companies,
capital investment companies, capital markets services licensees and other regulated service providers in the financial industry (“FSIs”).
Sections 2 to 6 of this guidance document set out information about the regulatory requirements and guidelines that apply. Section 7 is a checklist to help
FSIs ensure that their use of cloud services complies with the relevant requirements and guidelines. Appendix One is a list of the requirements that, under
the relevant guidelines, should be addressed in the cloud contract.
2. WHAT REGULATIONS AND GUIDANCE ARE RELEVANT?
This guidance document draws upon the MAS’s notices and guidelines on technology risk management, outsourcing and cloud computing, including:
- Guidelines on Outsourcing[2]
- Technology Risk Management Guidelines
- Business Continuity Management Guidelines
- Notice 634, Banking Act
[1] Note that this guidance document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment on the part of Microsoft or its affiliates. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your technology outsourcing project and your legal and regulatory obligations. If you have any questions, please do not hesitate to get in touch with your Microsoft contact.
[2] Note that, as at the date of publication of this guidance document, the MAS Notice of Outsourcing has not been updated. Once this is updated and issued, it will also need to be considered by FSIs adopting cloud services (please see Q8 in the FAQ on MAS Guidelines on Outsourcing, published on 27 July 2016).
Whether a use of cloud computing is considered to be a ‘material outsourcing’ will determine the extent to which the applicable guidelines need to be
complied with. This guidance includes all of the requirements applicable to ‘material outsourcing’, for the sake of completeness.
3. WHO IS/ARE THE RELEVANT REGULATOR(S)?
The Monetary Authority of Singapore (“MAS”)
4. IS REGULATORY APPROVAL REQUIRED IN SINGAPORE?
No, regulatory approval is not required. In fact, the latest MAS Guidelines on Outsourcing provide a clear green light to the use of cloud services, including
public cloud services. There is no requirement for prior notification, consultation or approval. There are, however, various risk management and
compliance requirements to address – and this guidance document is intended to help.
5. IS THERE STILL A REQUIREMENT TO SUBMIT AN MAS TECHNOLOGY QUESTIONNAIRE?
No, there is no longer such a requirement. With the release of the new Guidelines on Outsourcing on 27 July 2016, FSIs are not required to submit the
MAS Technology Questionnaire to MAS before signing up for any outsourcing arrangement, including a material outsourcing arrangement. Nevertheless,
Section 7 of this guidance is intended to assist you in carrying out thorough and comprehensive due diligence and to make the process of adopting cloud
services easier for you by providing information, tips and suggested responses to address the matters set out in the Guidelines on Outsourcing. The
suggested responses may provide sufficient detail but if you require further information, Microsoft will be happy to provide this if you get in touch with your
Microsoft contact. Microsoft has, in the relevant places within this guidance document, inserted some links to relevant laws and guidance for your ease of
reference which may help inform your answers.
6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?
Yes. Some obligations that MAS requires FSIs to ensure are reflected in contracts with service providers can be found in the Guidelines on Outsourcing
and Notice 634, Banking Act (Appendix). Appendix One to this guidance document (Contractual requirements) contains a comprehensive list of such
requirements and sets out details of where in the Microsoft contractual documents these points are covered.
7. OUTSOURCING COMPLIANCE CHECKLIST
The questions and requirements set out in this Outsourcing Compliance Checklist address the key issues that one should consider in a thorough and
comprehensive risk assessment of a cloud computing service.
Key:
In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the point
raised in the checklist. Some points are specific to your own internal operations and processes and you will need to address them as well.
In red italics, Microsoft has provided guidance to assist you with the points in the checklist, both for your discussions internally with your Board, senior
management and compliance experts, and externally with regulators such as MAS.
Ref. Question/requirement Template response and guidance
A. OVERVIEW OF OUTSOURCING
1. Indicate the name of the service provider for this outsourcing arrangement. If there are any other parties involved in the outsourcing arrangement, also provide the names of those parties and state their role in the outsourcing arrangement.
The service provider is Microsoft Operations Pte Ltd, the regional licensing entity for Microsoft Corporation, a global provider of information technology devices and services, which is publicly listed in the USA (NASDAQ: MSFT). Microsoft’s full company profile is available here: https://www.microsoft.com/en-us/news/inside_ms.aspx.
2. When is the proposed start date of this outsourcing arrangement?
Please insert the proposed start date of the outsourcing service.
3. Has your organization assessed this to be a material outsourcing arrangement (as described in the MAS Guidelines on Outsourcing)?
Under the Guidelines on Outsourcing, some requirements only apply if the outsourcing is ‘material’. These requirements include the requirement to: (i) perform periodic reviews on material outsourcing arrangements at least on an annual basis; (ii) incorporate contractual clauses to allow the institution and MAS to be granted audit access and access to information and any report or finding made on the service provider and its sub-contractors; and (iii) ensure that material outsourcing arrangements with service providers located outside Singapore are conducted in such a manner so as not to hinder MAS's supervisory efforts. For the sake of completeness, this guidance covers all of the requirements under the Guidelines on Outsourcing, including those that are only applicable to ‘material outsourcing arrangements’. However, FSIs will need to make an assessment as to whether the use of cloud services in a particular manner is ‘material’ or not.
A "material outsourcing arrangement" is defined under the Guidelines on Outsourcing as ‘an outsourcing arrangement – (a) which, in the event of a service failure or security breach, has the potential to either materially impact an institution’s – (i) business operations, reputation or profitability; or (ii) ability to manage risk and comply with applicable laws and regulations, or (b) which involves customer information and, in the event of any unauthorized access or disclosure, loss or theft of customer information, may have a material impact on an institution’s customers’. “Customer information” does not include information that is public, anonymized or securely encrypted and, in this respect, please see question F2 for more detail about the secure encryption provided by Microsoft’s cloud services. Annex 2 of the Guidelines on Outsourcing lists some considerations in determining whether or not the outsourcing is ‘material’.
4. Is the outsourcing arrangement a cloud computing arrangement?
Yes.
5. List all proposed service(s) to be outsourced to the service provider, and indicate if the outsourced service is critical to your business or operations.
Service(s) to be outsourced | Critical (Y/N)
1. Compute | Y
2. Data & Storage | Y
3. Networking | Y
4. Identity & Access Management | Y
5. IT Support Services | Y
6. List all the types of data that would be processed or stored by the service provider, and indicate if the data is considered to be sensitive.
When you choose a Microsoft Azure solution the types of data impacted are within your control, so the template response will need to be tailored depending on which data you have selected as relevant to the solution.
We ensure that all data (but in particular any customer data) is treated with the highest level of security in accordance with good industry practice to ensure that we and our service provider comply with our legal and regulatory obligations and our commitments to customers. We do of course only collect and process data that is necessary for our business operations in compliance with all applicable laws and regulation and this applies whether we process the data on our own systems or via a cloud solution such as Microsoft Azure. Typically the types of data that would be processed and stored by the Azure service would include:
Type of Data | Processed/Stored/Both | Sensitive (Y/N)
1. Customer data (including customer name, contact details, account information, payment card data, security credentials and correspondence). | Both | Y
2. Employee data (including employee name, contact details, internal and external correspondence by email and other means and personal information relating to their employment with the organization). | Both | Y
3. Transaction data (data relating to transactions in which the organization is involved). | Both | Y
4. Indices (for example, market feeds). | Both | N
5. Other personal and non-personal data relating to the organization’s business operations as an FSI. | Both | Y
7. Please provide the background on why your organization has decided to outsource the service(s). What were the business and operational considerations?
In articulating the business and operational considerations that led to the outsourcing, the below could be used as an introduction.
Cloud computing enables on-demand network access to a pool of servers, storage and services “in the cloud”. In the case of Microsoft Azure, it means accessing Microsoft applications and storing data not on our own servers at our own premises but on Microsoft’s servers at Microsoft’s data centers.
When managed properly, cloud computing offers security and functionality that is on par with or better than on-premises data centers of even the most sophisticated organizations.
B. REGULATORY COMPLIANCE
1. Has a compliance check for the proposed outsourcing arrangement been performed against the MAS Guidelines on Outsourcing and the Technology Risk Management Guidelines? Provide the list of all gaps identified and explain in detail how each gap is addressed by your organization.
If any “compliance gaps” were identified as part of your risk management processes then these will need to be detailed here, indicating how the relevant issues have now been resolved.
Yes.
We have reviewed the MAS Guidelines on Outsourcing and the Technology Risk Management Guidelines and have obtained confirmation from Microsoft that the Azure service complies with these guidelines. Internally, we ensure that our own processes also comply with the guidelines.
2. Will all identified security and control gaps be resolved prior to the commencement of this outsourcing arrangement? If not, please explain why and state when they can be resolved.
N/A
If any “compliance gaps” were identified as part of your risk management processes then you will need to confirm here that these gaps will be resolved (or if not, why not).
3. Has the outsourcing agreement been vetted by a competent authority (e.g. the institution's legal counsel) on its legality and enforceability?
Guidelines on Outsourcing, Paragraph 5.5.1 (The outsourcing agreement should be vetted by a competent authority on its legality and enforceability)
Yes/No (if no, explain why)
C. BOARD & MANAGEMENT OVERSIGHT
1. Has your management considered the overall business and strategic objectives prior to outsourcing the specific IT operations? Please elaborate on the factors considered and the rationale for entering this outsourcing arrangement.
Guidelines on Outsourcing, Paragraph 5.3 (an FSI should not engage in outsourcing that results in its risk management, internal control, business conduct or reputation being compromised or weakened).
The MAS expects that management would need to have considered the overall business and strategic objectives. The sample answer below covers legal/regulatory compliance and customer satisfaction but we would suggest tailoring this with details of:
- information about the factors considered for using the Microsoft cloud services;
- internal processes that were carried out;
- who handled the process and which areas of the business were involved or advised; and
- any external consultants or legal counsel involved.
Management of our organization has been involved throughout to ensure that the project aligns with our organization’s overall business and strategic objectives. At the center of our objectives are of course legal and regulatory compliance and customer satisfaction and these were the key objectives that management had in mind when it considered this project. We are satisfied that this solution will ensure legal and regulatory compliance because of the key features (including the security and regulator audit rights) forming part of the Azure service. We are also satisfied that customer satisfaction will be maintained because we believe that Azure will actually have some major benefits for our IT operations and, accordingly, improve the overall service that we are able to provide to customers.
2. Has the Board approval been sought prior to signing the outsourcing contract?
Various places in the Guidelines on Outsourcing state that ultimate responsibility for effective management of risks lies with the Board and that appropriate approvals processes should be put in place. Each organization will of course have its own internal approval processes. Where this does include Board sign-off then this will not be an issue. Where it does not, you will need to briefly explain how the sign-off processes work (i.e. how a right of approval has effectively been delegated by the Board). Again, details of the relevant decision-makers should be included here.
Yes/No (if no, explain why)
3. Has the Board of Directors or a relevant committee of the Board been apprised of and acknowledged the risks presented to them?
Paragraph 5.2, Guidelines on Outsourcing states the responsibilities of the Board including approving the framework for evaluating risks. Paragraph 3 of the Technology Risk Management Guidelines is also relevant.
Yes/No (if no, explain why)
D. RISK ASSESSMENT AND MANAGEMENT
1. Has your organization performed a risk assessment of this outsourcing arrangement, including security risk assessment against the latest security threats? Please elaborate on the key risks and threats that have been identified for this outsourcing arrangement and the actions that have been or will be taken to address them.
The MAS expects that your organization would have carried out a risk assessment. Paragraph 5.3, Guidelines on Outsourcing lists the factors that should be considered in a framework for risk evaluation. The MAS Technology Risk Management Guidelines also list the key principles and an indication of what the MAS would consider to be a “proper risk assessment”.
You should ensure that you have carried out comprehensive due diligence on the nature, scope and complexity of the outsourcing to identify the key risks and risk mitigation strategies. We have made suggestions regarding common issues below and you will need to expand on or tailor the template response to describe what you see as the key risks and what risk processes you have carried out as part of this project. You may also want to refer to data segregation here (in the context of a multi-tenanted solution – noting that logical segregation is expressly permitted by the Guidelines on Outsourcing).
- identifying the role of outsourcing in the overall business strategy and objectives of the institution;
- risk identification;
- analysis and quantification of the potential impact and consequences of these risks;
- risk mitigation and control strategy; and
- ongoing risk monitoring and reporting.
If you have any questions when putting together a risk assessment, please do not hesitate to get in touch with your
Microsoft contact.
Yes.
Led by our management we have carried out a thorough risk assessment of the move to Azure. This risk assessment
included:
[ ];
[ ]; and
[ ].
1. Data security: By transferring certain data processing operations to a third party, we are aware that we need to ensure
that our selected outsourcing partner has in place appropriate and reasonable technical and organizational measures to
protect the data. This is necessary both from a financial services regulatory perspective as well as the organization’s
compliance with data protection legislation. It is of utmost importance to us. We have therefore carried out a robust
assessment as part of our selection process. We have selected Microsoft as an outsourcing partner taking heavily into
account the fact that it is an industry leader in cloud security and implements policies and controls on par with or better
than on-premises data centers of even the most sophisticated organizations. Microsoft is ISO/IEC 27001 and ISO/IEC
27018 accredited. In addition, the Microsoft Azure service has achieved the highest level certification (Tier 3) of the Multi
Tier Cloud Security Standard ("MTCS") for Singapore (MTCS SS 584) which builds upon recognized international
standards such as ISO/IEC 27001, and covers such areas as data retention, data sovereignty, data portability, liability,
availability, business continuity, disaster recovery, and incident management. The Microsoft Azure security features (being
the product that the organization will be using) consist of three parts: (a) built-in security features including encryption of
data when in transit and at rest; (b) security controls; and (c) scalable security. These include 24-hour monitored physical
hardware, isolated customer data, automated operations and lock-box processes, secure networks and encrypted data.
2. Access and audit: In addition to ensuring that relevant security and other safeguards are put in place up front, it is
essential that the outsourcing arrangement provides for us to ensure that such standards and commitments and regulatory
requirements are adhered to in practice. We are aware that audit and access in order to verify this can be a difficult issue
in outsourcing and therefore we have made this a high priority requirement as part of this outsourcing. Another reason for
the selection of Microsoft in this case is that it permits regulator audit and inspection of its data centers and in agreed
circumstances inspection rights for its financial services customers.
3. Control: The handing over of a certain amount of day to day responsibility to an outsourcing provider does present
certain challenges in relation to control of data. Essential to us is that despite the outsourcing we retain control over our
own business operations, including control of who can access data and how they can use it. At a contractual level, we
have dealt with this via our agreement with Microsoft, which provides us with legal mechanisms to manage the relationship
including appropriate allocation of responsibilities, oversight and remedies. At a practical level, we have selected the Azure
product because it provides us with control over data location, access and authentication and advanced encryption
controls. We (not Microsoft) will continue to own and retain all rights to our data and our data will not be used for any
purpose other than to provide us with the Azure services.
The Azure service was built based on ISO/IEC 27001 and ISO/IEC 27018 standards, a rigorous set of global standards
covering physical, logical, process and management controls. In addition, the Microsoft Azure service has achieved the
highest level certification (Tier 3) of the Multi Tier Cloud Security Standard ("MTCS") for Singapore (MTCS SS 584) which
builds upon recognized international standards such as ISO/IEC 27001, and covers such areas as data retention, data
sovereignty, data portability, liability, availability, business continuity, disaster recovery, and incident management. The
Azure service is certified in healthcare (HIPAA), education (FERPA) and government (FISMA) standards and Microsoft can
meet strict European privacy requirements through the EU Model Clauses and data processing agreements.
2. If the outsourcing arrangement requires system connectivity between your organization and the service provider, how does your organization protect your networks and systems from the potential threats arising from the system connectivity?
You need to demonstrate that you protect your networks and systems from the potential threats arising from the system
connectivity. We have made suggestions regarding measures taken below and you will need to expand on or tailor the
template response to describe any further measures taken by your organization.
Azure uses industry-standard transport protocols such as SSL and TLS between user devices and Microsoft data centers,
and within data centers themselves. With virtual networks, industry standard IPsec protocol can be used to encrypt traffic
between the corporate VPN gateway and Azure. Encryption can be enabled for traffic between VMs and end users.
Microsoft also implements traffic throttling to prevent denial-of-service attacks. It uses the “prevent, detect and mitigate
breach” process as a defensive strategy to predict and prevent security breaches before they happen. This involves
continuous improvements to built-in security features, including port-scanning and remediation, perimeter vulnerability
scanning, OS patching to the latest updated security software, network-level DDOS detection and prevention and multi-
factor authentication for service access.
3. What security controls are put in place to protect the transmission and storage of any sensitive production and backup data (e.g. customer data) within the infrastructure of the service provider and how does your organization address the risk of unauthorized disclosure as well as intentional or unintentional leakage of that information? Please provide details of the preventive and detective measures in place, if any.
Paragraph 5.6, Guidelines on Outsourcing. Paragraph 9 (operational infrastructure security management), Paragraph 10 (data centers protection and controls) and Paragraph 11 (access control) of the Technology Risk Management Guidelines.
Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and controls on par with
or better than on-premises data centers of even the most sophisticated organizations. Microsoft Azure was built based on
ISO/IEC 27001 and ISO/IEC 27018 standards, a rigorous set of global standards covering physical, logical, process and
management controls. In addition, the Microsoft Azure service has achieved the highest level certification (Tier 3) of the
Multi Tier Cloud Security Standard ("MTCS") for Singapore (MTCS SS 584) which builds upon recognized international
standards such as ISO/IEC 27001, and covers such areas as data retention, data sovereignty, data portability, liability,
availability, business continuity, disaster recovery, and incident management.
The Microsoft Azure security features consist of three parts: (a) built-in security features; (b) security controls; and (c)
scalable security. These include 24-hour monitored physical hardware, isolated customer data, automated operations and
lock-box processes, secure networks and encrypted data.
Microsoft implements the Microsoft Security Development Lifecycle (“SDL”) which is a comprehensive security process
that informs every stage of design, development and deployment of Microsoft software and services, including Azure.
Through design requirements, analysis of attack surface and threat modeling, the SDL helps Microsoft predict, identify and
mitigate vulnerabilities and threats from before a service is launched through its entire production lifecycle.
Networks within the Azure data centers are segmented to provide physical separation of critical back-end servers and
storage devices from the public-facing interfaces. Edge router security allows the ability to detect intrusions and signs of
vulnerability. Azure uses industry-standard transport protocols such as SSL and TLS between user devices and Microsoft
data centers, and within data centers themselves. With virtual networks, industry standard IPsec protocol can be used to
encrypt traffic between the corporate VPN gateway and Azure. Encryption can be enabled for traffic between VMs and end
users.
Microsoft also implements traffic throttling to prevent denial-of-service attacks. It uses the “prevent, detect and mitigate
breach” process as a defensive strategy to predict and prevent security breaches before they happen. This involves
continuous improvements to built-in security features, including port-scanning and remediation, perimeter vulnerability
scanning, OS patching to the latest updated security software, network-level DDOS detection and prevention and multi-
factor authentication for service access. From a people and process standpoint, preventing breach involves auditing all
operator/administrator access and actions, zero standing permission for administrators in the service, “Just-In-Time (JIT)
access and elevation” (that is, elevation is granted on an as-needed and only-at-the-time-of-need basis) of engineer
privileges to troubleshoot the service, and segregation of the employee email environment from the production access
environment. Employees who have not passed background checks are automatically rejected from high privilege access,
and checking employee backgrounds is a highly scrutinized, manual-approval process.
Azure offers a wide range of data encryption capabilities up to AES-256. Options include .NET cryptographic services,
Windows Server public key infrastructure (PKI) components, Active Directory Rights Management Services (AD RMS),
and BitLocker for data import/export scenarios.
4. Does the service provider employ a system architecture that involves multi-tenancy and data commingling for the outsourced service(s)? If so, does the service provider possess the ability to clearly identify and segregate customer data using strong physical controls or logical controls? How are the associated risks addressed?
The Guidelines on Outsourcing expressly permit logical segregation. Paragraph 6.7, Guidelines on Outsourcing requires that institutions be aware of the typical characteristics of cloud computing, such as multi-tenancy and data commingling. Paragraph 5.2.3 (Management of IT outsourcing risks), Technology Risk Management Guidelines contains a requirement for the service provider to isolate and clearly identify its customer data and other information system assets for protection.
Azure is a multi-tenant service (that is, data from different customers shares the same hardware resources) but it is
designed to host multiple tenants in a highly secure way through data isolation. Data storage and processing for each
tenant is segregated through Active Directory structure and capabilities specifically developed to help build, manage, and
secure multi-tenant environments. Active Directory isolates customers using security boundaries (also known as silos).
This safeguards a customer’s data so that the data cannot be accessed or compromised by co-tenants.
5. Are the outsourced operations using hardware (i.e. servers/network devices) dedicated to the organization?
Please see also our response to question D4.
E. VENDOR MANAGEMENT & MONITORING
1. Is there a vendor management process to monitor the performance of the service provider? Please elaborate.
Paragraph 5.8, Guidelines on Outsourcing, contains detailed requirements in relation to monitoring and control of
outsourced activities. In addition to your own internal processes, you may in this context also wish to consider the
contractual vendor management rights that you have under your agreements with Microsoft, including the rights of audit
and inspection.
As part of the support we receive from Microsoft we have access to a technical account manager who is responsible for
understanding our challenges and providing expertise, accelerated support and strategic advice tailored to our
organization. This includes both continuous hands-on assistance and immediate escalation of urgent issues to speed
resolution and keep mission-critical systems functioning. We are confident that such arrangements provide us with the
appropriate mechanisms for managing performance and problems.
2. Does your organization have a process to audit the service provider to assess its compliance with your policies, procedures, security controls and regulatory requirements and obtain reports and findings made on the service provider? Please elaborate.
Paragraph 5.9, Guidelines on Outsourcing sets out the audits that MAS expects FSIs to be conducting. It is not required
that the FSI conducts the audit itself and it may rely on independent third party audit by obtaining copies of such
finding/audit made on the service provider and its subcontractors. This is a question about your own internal processes,
although it is of course relevant in this context to mention that Microsoft permits audit and inspection both by their FSI
customers and regulators.
We have undertaken a thorough due diligence of Microsoft’s processes and procedures in relation to Azure. As part of its
certification requirements, Microsoft is required to undergo independent third party auditing, and it shares with us the
independent third party audit reports. As part of its standard offering to us (i.e. the Financial Services Amendment that
automatically applies to regulated financial services institutions like ourselves), Microsoft gives us a right to examine,
monitor and audit its provision of Azure. Specifically, Microsoft (i) makes available to us the written Azure data security
policy that complies with certain control standards and frameworks, along with descriptions of the security controls in place
for Azure and other information that we reasonably request regarding Microsoft’s security practices and policies; and (ii)
causes the performance of audits, on our behalf, of the security of the computers, computing environment and physical
data centers that it uses in processing our data (including personal data) for Azure, and provides the audit report to us
upon request. We are confident that such arrangements provide us with the appropriate level of assessment of Microsoft’s
ability to facilitate compliance against our policy, procedural, security control and regulatory requirements.
The Financial Services Amendment further gives us the opportunity to participate in the optional FSI Customer Compliance
Program at any time, which enables us to have additional monitoring, supervisory and audit rights and additional controls
over Azure, such as (a) access to Microsoft personnel for raising questions and escalations relating to Azure, (b) invitation
to participate in a webcast hosted by Microsoft to discuss audit results that leads to subsequent access to detailed
information regarding planned remediation of any deficiencies identified by the audit, (c) receipt of communication from
Microsoft on (1) the nature, common causes, and resolutions of security incidents and other circumstances that can
reasonably be expected to have a material service impact on our use of Azure, (2) Microsoft’s risk-threat evaluations, and
(3) significant changes to Microsoft’s business resumption and contingency plans or other circumstances that might have a
serious impact on our use of Azure, (d) access to a summary report of the results of Microsoft’s third party penetration
testing against Azure (e.g. evidence of data isolation among tenants), and (e) access to Microsoft’s subject matter experts
through group events such as webcasts or in-person meetings (including an annual summit event) where roadmaps of
planned developments or reports of significant events will be discussed and we will have a chance to provide structured
feedback and/or suggestions regarding the FSI Customer Compliance Program and its desired future evolution. The group
events will also give us the opportunity to discuss common issues with other regulated financial institutions and raise them
with Microsoft.
3. Has explicit provision been made in the outsourcing agreement to enable MAS and its agents to carry out an inspection or examination of the service provider and its sub-contractors, and to obtain copies of reports made on the service provider or reports or information given to, stored at or processed by the service provider and its sub-contractors? Please explain in detail if explicit provision has not been made.
Paragraph 5.9.2 of the Guidelines on Outsourcing requires the inclusion of access to information, inspection and examination rights in favor of MAS. Such rights are indeed included in Microsoft’s contractual documents, and this is a key advantage of the Microsoft product over competitor products, which often provide only very limited (or no) regulator inspection rights.
Yes.
There are provisions in the contract that enable MAS to carry out inspection or examination of Microsoft’s facilities,
systems, processes and data relating to the services. As part of its standard offering to us (i.e. the Financial Services
Amendment that automatically applies to regulated financial services institutions like ourselves), Microsoft will, upon a
regulator’s request, provide the regulator a direct right to examine the relevant service, including the ability to conduct an
on-premise examination; to meet with Microsoft personnel and Microsoft’s external auditors; and to access related
information, records, reports and documents. Microsoft will not disclose customer data to the regulator except as described
in the OST. Customer will at all times have access to its data using the standard features of Azure, and may delegate its
access to its data to representatives of the MAS.
F. IT SECURITY
- PROTECTION OF SENSITIVE / CONFIDENTIAL INFORMATION
1. Have you obtained from the service provider a written undertaking to protect and maintain the confidentiality of your sensitive data? If yes, provide documentation.
Yes. It is part of the standard contractual commitments made by Microsoft.
Note that “Confidentiality agreements and non-disclosure agreements” are covered under the ISO/IEC 27001 and ISO/IEC 27018 standards against which Microsoft is certified and audited annually by an independent, accredited third-party certification body.
2. Is end-to-end application layer encryption implemented to protect the transmission of PINs?
Paragraph 9.1 and Appendix E (Paragraph E.2.5), Technology Risk Management Guidelines.
Yes.
Azure offers a wide range of data encryption capabilities up to AES-256. Options include .NET cryptographic services, Windows Server public key infrastructure (PKI) components, Active Directory Rights Management Services (AD RMS), and BitLocker for data import/export scenarios.
Networks within the Azure data centers are segmented to physically separate critical back-end servers and storage devices from the public-facing interfaces. Edge router security controls detect intrusions and signs of vulnerability. Azure uses industry-standard transport protocols such as SSL and TLS between user devices and Microsoft data centers, and within the data centers themselves. With virtual networks, the industry-standard IPsec protocol can be used to encrypt traffic between the corporate VPN gateway and Azure. Encryption can also be enabled for traffic between VMs and end users.
3. Are there procedures established to securely destroy or remove the organization’s production and backup data stored at the service provider when the need arises? Please elaborate.
Paragraph 5.2.4 (Management of IT outsourcing risks), Technology Risk Management Guidelines.
Yes.
Microsoft uses best-practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that cannot be wiped, it uses a destruction process (e.g. shredding) that renders the recovery of information impossible (e.g. disintegrate, shred, pulverize or incinerate). The appropriate means of disposal is determined by the asset type. Records of the destruction are retained.
All Microsoft Online Services utilize approved media storage and disposal management services. Paper documents are
destroyed by approved means at the pre-determined end-of-life cycle.
“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO/IEC 27001, ISO/IEC 27018 and
MTCS SS 584 standards, against which Microsoft is certified.
- DATA CENTER PHYSICAL & ENVIRONMENTAL CONTROLS
4. Where are the data center(s) of the service provider located? Indicate the data center(s) in which your organization’s sensitive data would be stored and/or processed.
Paragraph 5.10 (Outsourcing outside Singapore), Guidelines on Outsourcing. Note that the use of data centers outside Singapore is permitted by the Guidelines on Outsourcing.
Microsoft informs us that it takes a regional approach to hosting of Azure data. Microsoft is transparent in relation to the
location of our data. Microsoft data center locations are made public on the Microsoft Trust Center.
The table below will need to be amended depending on the specific solution that you are taking up.
No. | Locations of Data Center | Classification of DC: Tier I, II, III or IV | Storing your organization’s data (Y/N)
1. | | |
2. | | |
5. Have you obtained a report on the Threat and Vulnerability Risk Assessment on the physical security and environmental controls available at the data center(s)? What were the key risks and security issues raised, and how were they addressed?
Paragraph 10, Technology Risk Management Guidelines.
To meet the objectives and demands of a robust service, Microsoft regularly conducts penetration testing and vulnerability assessments against the service through its commitment to the Security Development Lifecycle and ISO certification. The output of testing is tracked through a risk register which is audited and reviewed on a regular basis to ensure compliance with Microsoft’s security practices. To protect both the system and customer data, Microsoft does not provide copies of the testing reports; however, the tests conducted typically cover the OWASP Top Ten and involve independently verified security teams (CREST certified). Microsoft is happy to make available the ISO and SSAE 16 audit reports, which cover vulnerability assessments.
- USER AUTHENTICATION & ACCESS MANAGEMENT
6. Does the service provider have privileged access or remote access to perform system/user administration for the outsourced service? If so, does the service provider have access to your organization’s sensitive data? Please provide details on the controls implemented to mitigate the risks of unauthorized access to sensitive data by the service provider, or other parties.
Paragraphs 10.2 (physical security) and 11 (access control), Technology Risk Management Guidelines.
Yes.
Microsoft applies strict controls over which personnel roles and personnel will be granted access to customer data. Personnel access to the IT systems that store customer data is strictly controlled via role-based access control (“RBAC”) and lock box processes that involve not only approvals from within Microsoft but also explicit approval from the customer. Access control is an automated process that follows the separation of duties principle and the principle of granting least privilege. This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a background screen, fingerprinting, required security training and access approvals. In addition, the access levels are reviewed on a periodic basis to ensure that only users who have an appropriate business justification have access to the systems. User access to data is also limited by user role. For example, system administrators are not provided with database administrative access. In emergency situations, a “Just-In-Time (JIT) access and elevation system” is used to elevate engineer privileges to troubleshoot the service; that is, elevation is granted on an as-needed basis and only at the time of need.
7. Are the following controls and measures put in place at the service provider?
a. The activities of privileged accounts are logged and reviewed regularly.
Paragraph 11.1.4 (Access Controls), Technology Risk Management Guidelines.
Yes.
An internal, independent Microsoft team will audit the log at least once per quarter.
b. Audit and activity logs are protected against tampering by privileged users.
Paragraph 11 (Access Controls), Technology Risk Management Guidelines.
Yes.
All logs are saved to the log management system which a different team of administrators manages. All logs are
automatically transferred from the production systems to the log management system in a secure manner and stored in a
tamper-protected way.
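The tamper protection described in item b above can be made verifiable rather than merely asserted: if each log record carries the SHA-256 digest of the record before it, any modification, insertion or deletion of an earlier record breaks the chain, and a head digest held by a separate team also exposes truncation of the tail. The following is an added illustration written for this guide, not Microsoft's or Azure's own log management implementation; the audit events are constructed sample data and the function names are assumptions.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional

# Constructed sample: privileged-account audit events of the kind a production
# host would forward to a separately administered log management system.
SAMPLE_EVENTS = [
    {"ts": "2016-10-04T08:00:01Z", "actor": "svc-admin-01", "action": "sudo", "target": "db-host-07"},
    {"ts": "2016-10-04T08:00:09Z", "actor": "svc-admin-01", "action": "read", "target": "/etc/app/config.yaml"},
    {"ts": "2016-10-04T08:02:44Z", "actor": "svc-admin-02", "action": "jit_elevate", "target": "web-host-03"},
]

# Fixed digest that the first record links back to.
GENESIS = "0" * 64


def _digest(prev_hash: str, event: Dict[str, Any]) -> str:
    """SHA-256 over the previous record's hash and a canonical JSON form of the event."""
    payload = prev_hash + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_event(chain: List[Dict[str, Any]], event: Dict[str, Any]) -> Dict[str, Any]:
    """Append one event, linking it to the current head of the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"event": event, "prev_hash": prev_hash, "hash": _digest(prev_hash, event)}
    chain.append(record)
    return record


def build_chain(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Build a fresh hash chain from an ordered list of events."""
    chain: List[Dict[str, Any]] = []
    for event in events:
        append_event(chain, event)
    return chain


def verify_chain(chain: List[Dict[str, Any]], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first bad record.

    Each record must link to its predecessor and its stored hash must match a
    recomputation over (prev_hash, event).  If an externally anchored head
    digest is supplied and the chain ends elsewhere, the chain has been
    truncated; that is reported as index len(chain).
    """
    prev = GENESIS
    for index, record in enumerate(chain):
        if record["prev_hash"] != prev or record["hash"] != _digest(prev, record["event"]):
            return index
        prev = record["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None


if __name__ == "__main__":
    log = build_chain(SAMPLE_EVENTS)
    print("intact:", verify_chain(log, log[-1]["hash"]) is None)
```

The head digest is the piece that gives the chain its value as a control: the team that administers the log management system records it out of band (for instance in a write-once store it does not itself administer), so a privileged user on the log platform cannot rewrite history and re-chain without the discrepancy showing at the next review.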
c. Access to sensitive files, commands and services is restricted and protected from manipulation.
Paragraph 11 (Access Controls), Technology Risk Management Guidelines.
Yes.
System-level data such as configuration data/files and commands are managed as part of the configuration management system. Any change, update or deletion affecting those data, files or commands is treated as an anomaly and automatically deleted by the configuration management system.
d. Integrity checks are implemented to detect unauthorized changes to databases, files, programs and system configuration.
Paragraph 11 (Access Controls), Technology Risk Management Guidelines.
Yes.
System-level data such as configuration data/files and commands are managed as part of the configuration management system. Any change, update or deletion affecting those data, files or commands is treated as an anomaly and automatically deleted by the configuration management system.
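Items c and d above rest on the same mechanism: a known-good baseline of the managed files and commands, against which the live system is compared so that modifications, deletions and unexpected additions surface as anomalies. The following is an added example written for this guide, not Microsoft's or Azure's configuration management tooling; it records a SHA-256 baseline of a directory tree and reports every deviation from it. The directory contents are constructed sample data and the function names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    return {
        path.relative_to(root).as_posix(): file_digest(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def check_integrity(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree with the baseline and classify each deviation."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "deleted": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def run_demo() -> Dict[str, List[str]]:
    """Stand up a constructed configuration tree, baseline it, then simulate unauthorized changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample tree standing in for a managed configuration directory.
        (root / "conf").mkdir()
        (root / "conf" / "app.conf").write_text("listen=443\ntls_min=1.2\n")
        (root / "conf" / "acl.conf").write_text("admin: group=ops\n")
        (root / "bin").mkdir()
        (root / "bin" / "rotate.sh").write_text("#!/bin/sh\nexec logrotate /etc/app\n")

        baseline = build_baseline(root)

        # Simulated drift: a weakened setting, a removed ACL file and an unmanaged script.
        (root / "conf" / "app.conf").write_text("listen=443\ntls_min=1.0\n")
        (root / "conf" / "acl.conf").unlink()
        (root / "bin" / "extra.sh").write_text("#!/bin/sh\necho extra\n")

        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline itself must be stored and signed outside the system it describes, otherwise an actor able to change the configuration can equally well update the baseline to match; the check is only as trustworthy as the custody of its reference values.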
e. Password controls for the outsourced systems and applications are reviewed for compliance on a regular basis.
Paragraph 11.1.5 (Access Controls), Technology Risk Management Guidelines.
Yes.
All access to production and customer data requires multi-factor authentication. Use of strong passwords is mandatory and passwords must be changed on a regular basis.
f. Access rights for the outsourced systems and applications are reviewed for compliance on a regular basis.
Paragraph 11 (Access Controls) Technology Risk Management Guidelines (it is recommended that FSIs implement strong
controls over remote access by privileged users).
Yes.
Administrators who have access to applications have no physical access to the production environment, so they must use the controlled, monitored remote access facility. All operations through this remote access facility are logged. In addition, access levels are reviewed on a periodic basis to ensure that only users who have an appropriate business justification have access to the systems.
G. IT SERVICE AVAILABILITY & DISASTER RECOVERY
1. Does the service provider have a disaster recovery or business continuity plan and what is the service availability? For your organization’s data residing at the service provider, what are the backup and recovery arrangements?
Paragraph 5.7, Guidelines on Outsourcing. Paragraphs 8.1 (Systems Availability), 8.2 (Disaster Recovery Plan), 8.3 (Disaster Recovery Testing) and 8.4 (Data Backup Management), Technology Risk Management Guidelines. Principle 2, Business Continuity Management Guidelines.
Yes. Microsoft offers contractually-guaranteed uptime, globally available data centers for primary and backup storage, physical redundancy at disk, NIC, power supply and server levels, constant content replication, robust backup, restoration and failover capabilities, real-time issue detection and automated response such that workloads can be moved off any failing infrastructure components with no perceptible impact on the service, and 24/7 on-call engineering teams.
Redundancy
Physical redundancy at server, data center, and service levels
Data redundancy with robust failover capabilities
Functional redundancy with offline functionality
Resiliency
Active load balancing
Automated failover with human backup
Recovery testing across failure domains
Distributed Services
Distributed component services limit scope and impact of any failures in a component.
Directory data replicated across component services insulates one service from another in any failure events.
Simplified operations and deployment.
Monitoring
Internal monitoring built to drive automatic recovery
Outside-in monitoring raises alerts about incidents
Extensive diagnostics provide logging, auditing, and granular tracing
Simplification
Standardized hardware reduces issue isolation complexities
Fully automated deployment models.
Standard built-in management mechanism
Human backup
Automated recovery actions with 24/7 on-call support
Team with diverse skills on the call provides rapid response and resolution
Continuous improvement by learning from the on-call teams
Continuous learning
If an incident occurs, Microsoft does a thorough post-incident review every time
Microsoft’s post-incident review consists of analysis of what happened, Microsoft’s response, and Microsoft’s plan
to prevent it in the future
In the event the organization was affected by a service incident, Microsoft shares the post-incident review with the
organization.
2. What are the recovery time objectives (“RTO”) of systems or applications outsourced to the service provider?
Paragraph 5.7.2(a), Guidelines on Outsourcing. Paragraph 8.2.4 of the Technology Risk Management Guidelines.
Principle 4, Business Continuity Management Guidelines (FSI should develop recovery strategies and set recovery time
objectives for critical business functions).
30 min or less for Virtual Machines and Storage, 1 hour or less for Virtual Network.
3. What are the recovery point objectives (“RPO”) of systems or applications outsourced to the service provider?
Paragraph 5.7.2(a), Guidelines on Outsourcing. Paragraph 8.2.4 of the Technology Risk Management Guidelines.
Principle 4, Business Continuity Management Guidelines (FSI should develop recovery strategies and set recovery time
objectives for critical business functions).
1 minute or less for Storage.
4. How frequently does the service provider conduct disaster recovery tests?
Paragraph 5.7.2(b), Guidelines on Outsourcing (FSIs should ensure that the service provider regularly tests its business
continuity plans and that the tests validate the feasibility of the RTOs and the resumption operating capacities. The service
provider should also be required to notify the FSI of any test finding that may affect the service provider’s performance).
Paragraph 8.3, Technology Risk Management Guidelines, contains details around expectations of disaster recovery tests
(with paragraph 8.3.2 referring to this being done at least annually). Principle 3, Business Continuity Management
Guidelines.
At least once per year.
H. EXIT STRATEGY
1. Do you have the right to terminate the SLA in the event of default, ownership change, insolvency, change of security or serious deterioration of service quality?
Paragraph 5.5.2(i) Guidelines on Outsourcing, which states that the agreement should contain provisions for default
termination and early exit.
The SLA is only one part of the contractual arrangement with Microsoft. It is not terminable in itself as a stand-alone
document (the remedies available to us under the SLA are financial) but our main agreement with Microsoft, the Microsoft
Business and Services Agreement (“MBSA”), is terminable by us for convenience at any time by providing not less than 60
days’ notice. In addition, we have standard rights of termination for material breach. This gives us the flexibility and control
we need to manage the relationship with Microsoft because it means that we can terminate the arrangements whether with
or without cause.
2. In the event of contract termination with the service provider, either on expiry or prematurely, are you able to have all IT information and assets promptly removed or destroyed?
Paragraph 5.7.2(c), Guidelines on Outsourcing (requires FSIs to ensure that there are plans and procedures in place to
address the need to have all relevant IT information and assets promptly removed and destroyed upon termination).
Yes.
Microsoft uses best-practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that cannot be wiped, it uses a destruction process (e.g. shredding) that renders the recovery of information impossible (e.g. disintegrate, shred, pulverize or incinerate). The appropriate means of disposal is determined by the asset type. Records of the destruction are retained.
All Microsoft Online Services utilize approved media storage and disposal management services. Paper documents are
destroyed by approved means at the pre-determined end-of-life cycle.
“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO/IEC 27001, ISO/IEC 27018 and
MTCS SS 584 standards, against which Microsoft is certified.
APPENDIX ONE
CONTRACTUAL REQUIREMENTS
This table sets out the specific items that should be covered in the FSI’s outsourcing agreement with the service provider, pursuant to the Guidelines on Outsourcing and Notice 634, Banking Act (Appendix). It also contains useful information on how Microsoft’s contractual documents address each of these items.
In summary: Microsoft is pleased to conclude that all relevant requirements specified in the Guidelines on Outsourcing and Notice 634, Banking Act are
addressed in Microsoft's contractual documents, as shown below.
Key:
Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.
In blue text, Microsoft explains how Microsoft’s contractual documents address the contractual requirements, with references to where they are covered.
Terms used below as follows:
OST = Online Services Terms
EA = Enterprise Agreement
Enrollment = Enterprise Enrollment
FSA = Financial Services Amendment
MBSA = Microsoft Business and Services Agreement
PUR = Product Use Rights
SLA = Online Services Service Level Agreement
Ref. Requirement Microsoft agreement reference
1. The outsourcing agreement should address the risks identified at the risk evaluation and due diligence stages.
Guidelines on Outsourcing, Paragraph 5.5.2.
This would depend on the results of your risk evaluation and due diligence exercises.
2. The outsourcing agreement should allow for timely renegotiation and renewal to enable the institution to retain an appropriate level of control over the outsourcing arrangement and the right to intervene with appropriate measures to meet its legal and regulatory obligations.
Guidelines on Outsourcing, Paragraph 5.5.2.
In order to facilitate your continued and ongoing legal and regulatory compliance needs, and as part of its standard
offering to you (i.e. the FSA that automatically applies to regulated financial services institution customers), Microsoft
agrees to discuss how to meet new or additional requirements imposed on you should you become subject to Future
Applicable Law (as defined in the FSA).
Furthermore, Microsoft’s contractual documents anticipate renewal. For instance, Enrollments have a three-year term,
and may be renewed for a further three-year term. If necessary, you have a right to terminate the services at your
convenience. More information on your termination rights is available under Requirement 11 below.
Meanwhile, Microsoft enables financial institution customers to retain an appropriate level of control to meet their legal
and regulatory obligations. Not only do you have full control and ownership over your data at all times, under the FSA
Microsoft (i) makes available to you the written Azure data security policy that complies with certain control standards
and frameworks, along with descriptions of the security controls in place for Azure and other information that you
reasonably request regarding Microsoft’s security practices and policies; and (ii) causes the performance of audits, on
your behalf, of the security of the computers, computing environment and physical data centers that it uses in
processing your data (including personal data) for Azure, and provides the audit report to you upon request. These
arrangements are offered to you in order to provide you with the appropriate level of assessment of Microsoft’s ability
to facilitate compliance against your policy, procedural, security control and regulatory requirements.
You can further elect to participate in the FSI Customer Compliance Program. This program allows you to engage with
Microsoft during the term of the outsourcing contract to ensure that you have oversight over the services in order to
ensure that the services meet your legal and regulatory obligations. Specifically, it enables you to have additional
monitoring, supervisory and audit rights and additional controls over Azure, such as (a) access to Microsoft personnel
for raising questions and escalations relating to Azure, (b) invitation to participate in a webcast hosted by Microsoft to
discuss audit results and subsequent access to detailed information regarding planned remediation of any deficiencies
identified by the audit, (c) receipt of communication from Microsoft on (1) the nature, common causes, and resolutions
of security incidents and other circumstances that can reasonably be expected to have a material service impact on
your use of Azure, (2) Microsoft’s risk-threat evaluations, and (3) significant changes to Microsoft’s business
resumption and contingency plans or other circumstances that might have a serious impact on your use of Azure, (d)
access to a summary report of the results of Microsoft’s third party penetration testing against Azure (e.g. evidence of
data isolation among tenants), and (e) access to Microsoft’s subject matter experts through group events such as
webcasts or in-person meetings (including an annual summit event) where roadmaps of planned developments or
reports of significant events will be discussed and you will have a chance to provide structured feedback and/or
suggestions regarding the FSI Customer Compliance Program and its desired future evolution. The group events will
also give you the opportunity to discuss common issues with other regulated financial institutions and raise them with
Microsoft.
3. The outsourcing agreement should have provisions to address the scope of the outsourcing arrangement.
Guidelines on Outsourcing, Paragraph 5.5.2(a).
Microsoft's contractual documents comprehensively set out the scope of the outsourcing arrangement and the
respective commitments of the parties.
The services are broadly described, along with the applicable usage rights, in the Product List and OST. The services are described in more detail in the OST, which includes a list of service functionality and core features of the Azure services in particular.
The SLA contains Microsoft’s service level commitment, as well as the remedies for the customer in the event that
Microsoft does not meet the commitment. The terms of the SLA current at the start of the applicable initial or renewal
term of the Enrollment are fixed for the duration of that term.
Please find a copy of the OST at:
http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=46
Please find a copy of the SLA at:
http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37
4. The outsourcing agreement should have provisions to address performance, operational, internal control and risk management standards.
Guidelines on Outsourcing, Paragraph 5.5.2(b).
All of these aspects are covered in the OST and the SLA. The OST contains the privacy and security practices, and
internal controls that Microsoft implements, and the SLA contains Microsoft’s service level commitment, as well as the
remedies for the customer in the event that Microsoft does not meet the commitment. The SLA is fixed for the initial
term of the Enrollment.
5. The outsourcing agreement should have provisions to address confidentiality and security.
Guidelines on Outsourcing, Paragraph 5.5.2(c).
MBSA section 3 deals with confidentiality. Under this section Microsoft commits not to disclose your confidential
information (which includes your data) to third parties and to only use your confidential information for the purposes of
Microsoft’s business relationship with you. Further, Microsoft commits to take reasonable steps to protect your
confidential information, to notify you if there is any unauthorized use or disclosure of your confidential information and
to cooperate with you to help to regain control of your confidential information and prevent further unauthorized use or
disclosure of it.
The OST states that Microsoft and the customer each commit to comply with all applicable privacy and data protection
laws and regulations. The customer owns its data that is stored on Microsoft cloud services at all times. The customer
also retains the ability to access its customer data at all times, and Microsoft will deal with customer data in
accordance with the terms and conditions of the Enrollment and the OST. Following termination, Microsoft will (unless
otherwise directed by the customer) delete the customer data after a 90-day retention period.
Guidelines on Outsourcing, Paragraph 5.6.2(a). The outsourcing agreement should address the issue of access to
and disclosure of customer information by the service provider. Customer information should be used by the service
provider and its staff strictly for the purpose of the contracted service.
And
Notice 634, Banking Act, Paragraph 8 of the Appendix. The agreement should contain obligations relating to the following: (i) access to customer data is limited to employees of the service provider who strictly require the information to perform their duties; (ii) customer data is used strictly for a specified and disclosed purpose; and (iii) further disclosure of customer data to any other party is restricted unless required by law.
Microsoft makes specific commitments with respect to safeguarding your data in the OST. In summary, Microsoft
commits that:
1. Your data will only be used to provide the online services to you and your data will not be used for any other
purposes, including for advertising or other commercial purposes.
2. Microsoft will not disclose your data to law enforcement unless it is legally obliged to do so, and only after not
being able to redirect the request to you.
3. Microsoft will implement and maintain appropriate technical and organizational measures, internal controls, and
information security routines intended to protect your data against accidental, unauthorized or unlawful access,
disclosure, alteration, loss, or destruction. Technical support personnel are only permitted to have access to
customer information when needed.
Guidelines on Outsourcing, Paragraph 5.6.2(a). The outsourcing agreement should address the issue of the party
liable for losses in the event of a breach of security or confidentiality and the service provider’s obligation to inform the
institution.
The OST states the responsibilities of the contracting parties that ensure the effectiveness of security policies. To the
extent that a security incident results from Microsoft’s failure to comply with its contractual obligations, and subject to
the applicable limitations of liability, Microsoft reimburses you for reasonable and third-party validated, out-of-pocket
remediation costs you incurred in connection with the security incident, including actual costs of court- or
governmental body-imposed payments, fines or penalties for a Microsoft-caused security incident and additional,
commercially-reasonable, out-of-pocket expenses you incurred to manage or remedy the Microsoft-caused security
incident (FSA, Section 3). Applicable limitation of liability provisions can be found in the MBSA.
Microsoft further agrees to notify you if it becomes aware of any security incident, and to take reasonable steps to
mitigate the effects and minimize the damage resulting from the security incident (OST).
6. The outsourcing agreement should have provisions to address business continuity management.
Guidelines on Outsourcing, Paragraphs 5.5.2(d) and 5.7.2; and Notice 634, Banking Act, Paragraph 11 of the Appendix.
Business Continuity Management forms part of the scope of the accreditation that Microsoft retains in relation to the
online services, and Microsoft commits to maintain a data security policy that complies with these accreditations (see
OST). Business Continuity Management also forms part of the scope of Microsoft’s annual third party compliance
audit. Business Continuity Plans (BCPs) are documented and reviewed at least annually, and the BCPs provide roles
and responsibilities and detailed procedures for recovery and reconstitution of systems to a known state per defined
Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
Microsoft also maintains emergency and contingency plans for the facilities in which Microsoft information systems
that process customer data are located. Microsoft’s redundant storage and its procedures for recovering data are
designed to attempt to reconstruct customer data in its original or last-replicated state from before the time it was lost
or destroyed.
Data Recovery Procedures
On an ongoing basis, but in no case less frequently than once a week (unless no customer data has been updated during that period), Microsoft maintains multiple copies of customer data from which customer data can be recovered.
Microsoft stores copies of customer data and data recovery procedures in a different place from where the primary computer equipment processing the customer data is located.
Microsoft has specific procedures in place governing access to copies of customer data.
Microsoft reviews data recovery procedures at least every six months, except for data recovery procedures for Azure Government Services, which are reviewed every twelve months.
Microsoft logs data restoration efforts, including the person responsible, the description of the restored data and, where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process.
7. The outsourcing agreement should have provisions to address monitoring and control.
Guidelines on Outsourcing, Paragraphs 5.5.2(e) and 5.8.1.
The OST gives customers the ability to access and extract customer data, and specifies the audit and monitoring
mechanisms that Microsoft puts in place to verify that the online services meet appropriate security and compliance
standards.
The FSA further gives regulated financial institution customers, i.e. you, the opportunity to participate in the Microsoft
FSI Customer Compliance Program. This program allows you to engage with Microsoft during the term of the
outsourcing contract so that you have oversight over the services and can ensure that the services meet your legal
and regulatory obligations. Specifically, it enables you to have additional monitoring, supervisory and audit rights and
additional controls over Azure, such as:
(a) access to Microsoft personnel for raising questions and escalations relating to Azure;
(b) an invitation to participate in a webcast hosted by Microsoft to discuss audit results, and subsequent access to detailed information regarding planned remediation of any deficiencies identified by the audit;
(c) receipt of communication from Microsoft on (1) the nature, common causes, and resolutions of security incidents and other circumstances that can reasonably be expected to have a material service impact on your use of Azure, (2) Microsoft’s risk-threat evaluations, and (3) significant changes to Microsoft’s business resumption and contingency plans or other circumstances that might have a serious impact on your use of Azure;
(d) access to a summary report of the results of Microsoft’s third party penetration testing against Azure (e.g. evidence of data isolation among tenants); and
(e) access to Microsoft’s subject matter experts through group events such as webcasts or in-person meetings (including an annual summit event) where roadmaps of planned developments or reports of significant events will be discussed and you will have a chance to provide structured feedback and/or suggestions regarding the FSI Customer Compliance Program and its desired future evolution.
The group events will also give you the opportunity to discuss common issues with other regulated financial institutions
and raise them with Microsoft.
8. The outsourcing agreement should have provisions to address audit and inspection.
Guidelines on Outsourcing, Paragraphs 5.5.2(f), 5.9.2 and 5.10.2(b), for material outsourcing; and Notice 634, Banking Act, Paragraph 8a of the Appendix.
The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online
services meet appropriate security and compliance standards. This commitment is reiterated in the FSA as a standard
offering to regulated financial institutions. Under the FSA, Microsoft gives you a right to examine, monitor and audit its
provision of Azure. Specifically, Microsoft (i) makes available to you the written Azure data security policy that
complies with certain control standards and frameworks, along with descriptions of the security controls in place for
Azure and other information that you reasonably request regarding Microsoft’s security practices and policies; and (ii)
causes the performance of audits, on your behalf, of the security of the computers, computing environment and
physical data centers that it uses in processing your data (including personal data) for Azure, and provides the audit
report to you upon request. These arrangements are offered to you in order to provide you with the appropriate level
of assessment of Microsoft’s ability to facilitate compliance against your policy, procedural, security control and
regulatory requirements. Please refer to the optional FSI Customer Compliance Program described in Requirement 7
above for opportunities to gain further visibility and influence into Microsoft’s practices.
The FSA further provides that, if a regulator requests, Microsoft will give the regulator a direct right to examine the
relevant service, including the ability to conduct an on-premise examination; to meet with Microsoft personnel and
Microsoft’s external auditors; and to access related information, records, reports and documents. Microsoft will not
disclose customer data to the regulator except as described in the OST. The customer will at all times have access to
its data using the standard features of Azure, and may delegate its access to its data to representatives of the MAS.
9. The outsourcing agreement should have provisions to address notification of adverse developments.
Guidelines on Outsourcing, Paragraphs 5.5.2(g) and 4.2.
Microsoft will notify the customer if it becomes aware of any security incident, and will take reasonable steps to
mitigate the effects and minimize the damage resulting from the security incident (see OST).
10. The outsourcing agreement should have provisions to address dispute resolution.
Guidelines on Outsourcing, Paragraph 5.5.2(h).
The MBSA covers the dispute resolution process (Section 10.e.), warranties (Section 5), defense of third party claims
(Section 6), limitation of liability (Section 7), and term and termination (Section 9). It further offers country-specific
provisions determined by applicable law (Section 11).
11. The outsourcing agreement should have provisions to address default termination and early exit.
Guidelines on Outsourcing, Paragraph 5.5.2(i); and Notice 634, Banking Act, Paragraph 10 of the Appendix.
You can terminate the MBSA or the EA for convenience at any time by providing not less than 60 days’ notice. In
addition, you have standard rights of termination for material breach. This gives you the flexibility and control you need
to manage the relationship with Microsoft, because it means that you can terminate the arrangements either with or
without cause.
12. The outsourcing agreement should have provisions to address sub-contracting.
Guidelines on Outsourcing, Paragraph 5.5.2(j).
Microsoft is permitted to hire subcontractors under the OST. The confidentiality of your data is protected when
Microsoft uses subcontractors because Microsoft commits that its subcontractors “will be permitted to obtain
Customer Data only to deliver the services Microsoft has retained them to provide and will be prohibited from using
Customer Data for any other purpose” (OST).
Microsoft commits that any subcontractors to whom Microsoft transfers your data will have entered into written
agreements with Microsoft that are no less protective than the data processing terms in the OST (OST).
Microsoft remains contractually responsible (and therefore liable) for its subcontractors’ compliance with Microsoft’s
obligations in the OST (OST). In addition, Microsoft’s commitment to ISO/IEC 27001, ISO/IEC 27018 and MTCS SS
584 requires Microsoft to ensure that its subcontractors are subject to the same security controls as Microsoft is
subject to. Microsoft maintains a list of authorized subcontractors for the online services that have access to your data
and provides you with a mechanism to obtain notice of any updates to that list (OST). The actual list can be accessed
via https://www.microsoft.com/en-us/trustcenter/Privacy/Who-can-access-your-data-and-on-what-terms#subcontractors.
If you do not approve of a subcontractor that is added to the list, then you are entitled to terminate the affected online
services.
13. The outsourcing agreement should have provisions to address applicable laws.
Guidelines on Outsourcing, Paragraph 5.5.2(k).
MBSA section 10.h. sets out the applicable law provision.
14. The outsourcing agreement should be tailored to address issues arising from country risks and potential obstacles in exercising oversight and management of the outsourcing arrangements made with a service provider outside Singapore.
Guidelines on Outsourcing, Paragraphs 5.5.3 and 5.10.2(b).
Azure offers data-location transparency so that organizations and regulators are informed of the jurisdiction(s) in
which data is hosted. The data centers are strategically located around the world, taking into account country and
socioeconomic factors. Microsoft’s data center locations are selected to offer stable socioeconomic environments.
Please refer to the Microsoft Trust Center for Azure data center locations at
http://o365datacentermap.azurewebsites.net/.
The OST contains general commitments around data location. Microsoft commits that customer data transfers out of
the EU will be governed by the EU Model Clauses set out in the OST to represent a high standard of care in relation
to data transfers. Also, as noted in the OST: “Any subcontractors to whom Microsoft transfers Customer Data, even
those used for storage purposes, will have entered into written agreements with Microsoft that are no less protective
than the Data Processing Terms”.