3.31 Prior to engaging an Outsourcing Service Provider to provide Cloud Computing services, Institutions should perform a comprehensive Outsourcing risk assessment covering:
a. The role and materiality of the service to be outsourced in the Institution’s business operations;
b. Due diligence on prospective Outsourcing Service Providers (further guidance on the due diligence process is provided in Clause 3.32); and
c. Assessing the benefits of the Outsourcing arrangement against the risks.
3.32 Institutions should verify the maturity, adequacy and appropriateness of the prospective Outsourcing Service Provider and services selected, taking into account the intended usage of the Cloud Computing service. Institutions should consider the following specific factors when conducting due diligence on Outsourcing Service Providers providing Cloud Computing services, including but not limited to:
a. Materiality: The results of the materiality assessment. The depth of the due diligence undertaken and the risk-mitigating controls established should be commensurate with the materiality of the Cloud Computing arrangement and the level of reliance the Institution places on the provider to maintain effective security controls;
b. Due diligence scope: The scope of the due diligence assessment should be appropriate and cover an adequate set of controls and individual assessments of all locations expected to be relevant in the arrangement. In particular, the Institution should consider the track record of the Outsourcing Service Provider in achieving acceptable outcomes in areas such as information security policies and awareness, due diligence and risk assessment of practices related to sub-contracting, system vulnerability assessments, penetration testing, and technology refresh management;
c. Data centres: Evaluation of whether the data centres are located in countries that the Institution deems suitable and acceptable to store and process Data (further guidance is outlined in the subsection “Design”);
d. Controls: Institutions should ensure that Outsourcing Service Providers implement strong authentication, access controls, Data encryption and other security and technical controls (further guidance is outlined in the subsections “Design” and “Management and monitoring”) to meet the Institutions’ requirements. Controls implemented by Outsourcing Service Providers should be at least as strong as those which the Institutions would have implemented had the operations been performed in-house;
e. Security risk assessments: Prior to implementing Cloud Computing services and undertaking an Outsourcing arrangement, Institutions should conduct an initial security and risk assessment of the service to identify any information security, cybersecurity and other IT control weaknesses. The risk assessment should identify security threats, including information security threats and operational weaknesses, and develop safeguards to mitigate them. The factors considered during the risk assessment should include but not be limited to:
i. Nature of the service (including specific underlying arrangements);
ii. Provider and the location of the service;
iii. Criticality and confidentiality of the IT Assets involved;
iv. Transition process, including handover from the Institution and/or other service providers to the potential Outsourcing Service Provider;
v. Target operating model; and
vi. Adherence to recognised technical security standards.
f. Compliance with standards and external assurance: The Outsourcing Service Provider’s adherence to international standards relevant to the provision of the services (e.g. ISO/IEC standards). Institutions may take into consideration any external assurance that has already been provided by independent auditors when conducting their own due diligence.
3.33 When conducting risk assessments of Cloud Computing services, Institutions should consider key risks including but not limited to:
a. Cybersecurity risk;
b. Operational risks, specifically information security, Outsourcing and business continuity risk. In particular, Institutions in an outsourced Cloud Computing arrangement should consider the impact of the Outsourcing arrangement on the Institution’s risk profile, i.e. the potential heightened operational, legal, compliance, reputational, concentration and other risks associated with the arrangement;
c. Reputational risk; and
d. Specific risks arising from the design and operating model of the Cloud Computing arrangement.
3.34 Institutions should ensure that the written contract governing the Cloud Computing arrangement between the Institution and the Outsourcing Service Provider covers the following issues including, but not limited to:
a. The roles, relationships, obligations and responsibilities of all contracting parties;
b. Location of the data centres;
c. Ownership and control over IT Assets, if the Outsourcing Service Provider is expected to be given some level of control over IT Assets;
d. Liability in the event of losses or breaches in security or confidentiality;
e. Measures to protect the Institution’s Data and confidential information and limits to disclosure of such information;
f. Data recovery and access to Data used for daily operational purposes as well as for contingency, disaster recovery or backups;
g. Advance notice to the Institutions regarding any changes to data centre locations;
h. Access to information held by the Institution;
i. The right to monitor, review and audit Cloud Computing arrangements by the Institution’s internal control functions, and regulators, or persons employed by them, including for the purposes of supervisory reviews by the respective Supervisory Authority;
j. With respect to Outsourcing Service Providers’ use of sub-contracting arrangements:
i. Disclosure of all material and service-related sub-contracting arrangements;
ii. Advance notification of any new sub-contracting arrangements or changes to existing arrangements by the Outsourcing Service Provider;
iii. Outsourcing Service Provider’s accountability to the Institution for the provision of service and effectiveness of agreed controls;
iv. Outsourcing Service Provider’s contractual liability for the performance and risk management of any sub-contractor(s) it employs and, where this is the case, the full compliance of the sub-contractor(s) with the obligations existing between the Institution and the Outsourcing Service Provider;
k. Scenarios or events in which Institutions have the right to terminate the contractual agreement, such as where new or modified sub-contracting arrangements have an adverse effect on the Institution’s security or risk assessment of the Cloud Computing arrangement; and
l. The exit plan and process to be followed in the event of termination of the Cloud Computing arrangement including, but not limited to:
i. A reasonable transition period;
ii. Procedures for returning Data to the Institution;
iii. Permanent Data deletion by the Outsourcing Service Provider; and
iv. Any arrangements to transfer the outsourced service to another Outsourcing Service Provider or reincorporate it into the Institution with sufficient handover and support from the previous Outsourcing Service Provider.
3.35 Institutions should understand their roles and those of the Outsourcing Service Provider providing Cloud Computing services. Roles and owners should be defined and agreed upon as part of the shared responsibility model, which should specifically cover roles with respect to cybersecurity, information security and related controls.
3.36 Where a material Outsourcing arrangement involves the transfer of Data, Institutions should:
a. Classify Data based on criticality and confidentiality;
b. Identify potential risks relating to outsourced Data and their impact; and
c. Agree on an appropriate level of confidentiality, integrity, and availability.