Cloud Computing
Materiality
- 3.24 A Cloud Computing arrangement is considered material when a disruption in service or a breach of security or confidentiality of systems and/or Data may have the potential to materially impact:
  - a. The Institution’s business operations;
  - b. The Institution’s ability to manage risks;
  - c. The Institution’s ability to comply with applicable laws and regulations; or
  - d. The confidentiality or integrity of an Institution’s or Customer’s Personal Data (i.e. if the arrangement may lead to unauthorised access, disclosure, loss or theft of Personal Data).
- 3.25 Institutions should conduct an assessment to determine the materiality and the associated risks of a Cloud Computing arrangement. When conducting such an assessment, Institutions should consider:
  - a. The criticality and inherent risk profile of the Cloud Computing arrangement, i.e. activities that are critical to the business continuity/viability of the Institution and its obligations to Customers;
  - b. The impact and likelihood of a service failure, security breach or other event on an Institution’s business operations or reputation;
  - c. The impact and likelihood of a confidentiality breach, loss or theft of Customer Data, or a breach of Data integrity of the Institution and its Customers; and
  - d. The cost and other resources required to support a Cloud Computing arrangement.
- 3.26 Institutions should engage the relevant Supervisory Authority on any material Cloud Computing plans in order to address any concerns and expectations early in the design process, before implementing any material Cloud Computing arrangement. This approach must comply with existing outsourcing requirements set by the relevant Supervisory Authority, including, where appropriate, the need to seek approval for material Cloud Computing plans.
Governance
- 3.27 Institutions considering the use of Cloud Computing should define a clear strategy and architectural roadmap which covers the target IT environment, the transition from the current environment to the target, and the operating model, including any organisational change or additional skillsets that may be necessary.
- 3.28 Institutions should establish an approved and documented governance framework for effective decision-making and proper management and control of risks arising from the use of Cloud Computing and the Outsourcing of Cloud Computing to Outsourcing Service Providers. The governance framework should:
  - a. Define the roles and responsibilities for the operation and management of the Cloud Computing arrangement, security controls and risk management controls. Where an Outsourcing Service Provider is involved, the division of roles and responsibilities between the Institution and the Outsourcing Service Provider should be clearly defined;
  - b. Define the process to conduct a risk-based analysis to identify and classify the IT Assets involved in or deployed by the Cloud Computing arrangement based on criticality and confidentiality;
  - c. Require the maintenance and updating of the log of IT Assets in the cloud environment, including their ownership;
  - d. Establish appropriate policies, procedures and controls to govern the use of Cloud Computing, covering risk management, due diligence on the Outsourcing Service Providers, and the access, confidentiality, integrity and recoverability of outsourced IT Assets; and
  - e. Set out the steps for management and review of the contract between the Institution and the Outsourcing Service Provider, where Cloud Computing services are outsourced.
- 3.29 Senior Management of the Institution should be responsible for the assessment, understanding and monitoring of the Institution’s reliance on Outsourcing Service Providers for material Cloud Computing services.
- 3.30 Institutions should maintain up-to-date and accurate documentation pertaining to the Cloud Computing arrangement for review, audit, supervision and other purposes, including but not limited to:
  - a. Rationale and an appropriate strategy for implementing the Cloud Computing arrangement;
  - b. Materiality and risk assessment and conclusion;
  - c. Outsourcing risk assessment, other initial security-related risk assessments and their conclusions (further guidance on assessments provided in subsection “Outsourcing”);
  - d. Due diligence or suitability assessments conducted on the Outsourcing Service Provider and conclusions;
  - e. Description of the Cloud Computing arrangement including but not limited to:
    - i. Name of Outsourcing Service Provider and any sub-contractors;
    - ii. Level of reliance on Outsourcing Service Providers;
    - iii. Type of Cloud Computing service models (e.g. Software as a Service (SaaS), Infrastructure as a Service (IaaS), etc.) and deployment models used (e.g. private, public, etc.);
    - iv. IT Assets in scope including their criticality and ownership;
    - v. Services/products selected;
    - vi. Parties involved; and
    - vii. Delivery locations.
  - f. Contract and other legal documentation pertaining to the arrangement with the Outsourcing Service Provider (further guidance provided in subsection “Outsourcing”).
Outsourcing
- 3.31 Prior to engaging an Outsourcing Service Provider to provide Cloud Computing services, Institutions should perform a comprehensive Outsourcing risk assessment covering:
  - a. The role and materiality of the service to be outsourced in the Institution’s business operations;
  - b. Due diligence on prospective Outsourcing Service Providers (further guidance on the due diligence process provided in Clause 3.32); and
  - c. Assessing the benefits of the Outsourcing arrangement against the risks.
- 3.32 Institutions should verify the maturity, adequacy and appropriateness of the prospective Outsourcing Service Provider and the services selected, taking into account the intended usage of the Cloud Computing service. Institutions should consider the following specific factors when conducting due diligence on Outsourcing Service Providers providing Cloud Computing services, including but not limited to:
  - a. Materiality: The results of the materiality assessment. The depth of the due diligence undertaken and the risk-mitigating controls established should be commensurate with the materiality of the Cloud Computing arrangement and the level of reliance the Institution places on the provider to maintain effective security controls;
  - b. Due diligence scope: The scope of the due diligence assessment should be appropriate and cover an adequate set of controls and individual assessments of all locations expected to be relevant in the arrangement. In particular, the Institution should consider the track record of the Outsourcing Service Provider in achieving acceptable outcomes in areas such as information security policies and awareness, due diligence and risk assessment of practices related to sub-contracting, system vulnerability assessments, penetration testing, and technology refresh management;
  - c. Data centres: Evaluation of whether the data centres are located in countries that the Institution deems suitable and acceptable to store and process Data (further guidance outlined in the subsection “Design”);
  - d. Controls: Institutions should ensure that Outsourcing Service Providers implement strong authentication, access controls, Data encryption and other security and technical controls (further guidance outlined in the subsections “Design” and “Management and Monitoring”) to meet the Institution’s requirements. Controls implemented by Outsourcing Service Providers should be at least as strong as those which the Institution would have implemented had the operations been performed in-house;
  - e. Security risk assessments: Prior to implementing Cloud Computing services and undertaking an Outsourcing arrangement, Institutions should conduct an initial security and risk assessment of the service to identify any information security, cybersecurity and other IT control weaknesses. The risk assessment will identify security threats, including information security threats and operational weaknesses, and develop safeguards to mitigate those threats and weaknesses. The factors considered during the risk assessment should include but not be limited to:
    - i. Nature of the service (including specific underlying arrangements);
    - ii. Provider and the location of the service;
    - iii. Criticality and confidentiality of the IT Assets involved;
    - iv. Transition process, including handover from the Institution and/or other service providers to the potential Outsourcing Service Provider;
    - v. Target operating model; and
    - vi. Adherence to recognised technical security standards.
  - f. Compliance with standards and external assurance: The Outsourcing Service Provider’s adherence to international standards relevant to the provision of services (e.g. ISO/IEC standards). Institutions may take into consideration any external assurance that has already been provided by independent auditors when conducting their own due diligence.
- 3.33 When conducting risk assessments of Cloud Computing services, Institutions should consider key risks including but not limited to:
  - a. Cybersecurity risk;
  - b. Operational risks, specifically information security, Outsourcing and business continuity risk. In particular, Institutions in an outsourced Cloud Computing arrangement should consider the impact of the Outsourcing arrangement on the Institution’s risk profile, i.e. the potential heightened operational, legal, compliance, reputational, concentration and other risks associated with the arrangement;
  - c. Reputational risk; and
  - d. Specific risks arising from the design and operating model of the Cloud Computing arrangement.
- 3.34 Institutions should ensure that the written contract governing the Cloud Computing arrangement between the Institution and the Outsourcing Service Provider covers the following issues, including but not limited to:
  - a. The roles, relationships, obligations and responsibilities of all contracting parties;
  - b. Location of the data centres;
  - c. Ownership and control over IT Assets, if the Outsourcing Service Provider is expected to be given some level of control over IT Assets;
  - d. Liability in the event of losses or breaches in security or confidentiality;
  - e. Measures to protect the Institution’s Data and confidential information, and limits on disclosure of such information;
  - f. Data recovery and access to Data used for daily operational purposes as well as for contingency, disaster recovery or backups;
  - g. Advance notice to the Institution regarding any changes to data centre locations;
  - h. Access to information held by the Institution;
  - i. The right to monitor, review and audit Cloud Computing arrangements by the Institution’s internal control functions and regulators, or persons employed by them, including for the purposes of supervisory reviews by the respective Supervisory Authority;
  - j. With respect to the Outsourcing Service Provider’s use of sub-contracting arrangements:
    - i. Disclosure of all material and service-related sub-contracting arrangements;
    - ii. Advance notification of any new sub-contracting arrangements or changes to existing arrangements by the Outsourcing Service Provider;
    - iii. Outsourcing Service Provider’s accountability to the Institution for the provision of service and effectiveness of agreed controls; and
    - iv. Outsourcing Service Provider’s contractual liability for the performance and risk management of any sub-contractor(s) it employs and, where this is the case, the full compliance of the sub-contractor(s) with the obligations existing between the Institution and the Outsourcing Service Provider;
  - k. Scenarios or events in which Institutions have the right to terminate the contractual agreement, such as where new sub-contracting arrangements, or modifications to existing ones, have an adverse effect on the Institution’s security or risk assessment of the Cloud Computing arrangement; and
  - l. The exit plan and process to be followed in the event of termination of the Cloud Computing arrangement, including but not limited to:
    - i. A reasonable transition period;
    - ii. Procedures for returning Data to the Institution;
    - iii. Permanent Data deletion by the Outsourcing Service Provider; and
    - iv. Any arrangements to transfer the outsourced service to another Outsourcing Service Provider or reincorporate it into the Institution, with sufficient handover and support from the previous Outsourcing Service Provider.
- 3.35 Institutions should understand their roles and those of the Outsourcing Service Provider providing Cloud Computing services. Roles and owners should be defined and agreed upon as part of the shared responsibility model, which should specifically cover roles with respect to cybersecurity, information security and related controls.
- 3.36 Where a material Outsourcing arrangement involves the transfer of Data, Institutions should:
  - a. Classify Data based on criticality and confidentiality;
  - b. Identify potential risks relating to outsourced Data and their impact; and
  - c. Agree on an appropriate level of confidentiality, integrity and availability.
Design
- 3.37 Institutions should ensure that the design and architectural aspects of the Cloud Computing services or arrangement are optimised to cater to the needs of the Institution, adhere to the Institution’s internal policies and procedures, and minimise risks.
- 3.38 Institutions and Outsourcing Service Providers should consider the following principles when developing the design and architecture of the Cloud Computing arrangement:
  - a. Availability: To reduce the likelihood of IT Assets becoming unavailable in the event of failure of individual components, and to improve the ability of users to request and use IT Assets;
  - b. Resilience: To improve resilience through the implementation of security controls, regular testing and checks to detect security and service issues, the use of multiple data centres distributed across multiple locations or, where appropriate, the use of multiple Outsourcing Service Providers to provide Cloud Computing services;
  - c. Recoverability: To allow for swift and effective recovery and restoration of IT Assets to a specified level of service in the event of a compromise of integrity or availability;
  - d. Capacity: To ensure the Cloud Computing arrangement’s capacity is commensurate with the Institution’s needs; and
  - e. Encapsulation: To ensure re-usability of network and system components.
- 3.39 Institutions should carefully determine and choose the type of cloud(s) deployed based on an assessment of the business operations performed on the cloud(s) and the risks associated with each type of cloud.
- 3.40 Institutions should evaluate and assess the location of data centres while determining the design of the Cloud Computing arrangement, in order to select data centres appropriate to the Institution’s needs. The assessment should address the location’s:
  - a. Potential risks, including information security, legal and compliance risks;
  - b. Wider political and security issues; and
  - c. Legislation and legal framework, including law enforcement and insolvency law provisions that would apply in the event of an Outsourcing Service Provider’s failure.
- 3.41 Institutions should implement appropriate and effective network access and security controls, such as firewalls, Intrusion Prevention Systems, advanced threat protection and web proxies, so that other on-premise environments are not exposed to unauthorised access from the cloud.
- 3.42 Institutions should define a standard set of tools and processes to manage containers, images and release management, and ensure consideration of any risks posed by shared virtual environments or Data co-mingling.
- 3.43 Institutions should implement preventative and detective Data controls to keep Data secure and prevent Data loss. Institutions should ensure that the Data controls, including those outlined in this section, cover all Data, whether it is Data in storage, Data in transmission (i.e. Data that is actively moving from one location to another) or Data in use.
- 3.44 Institutions should ensure that Data processed or stored through the Cloud Computing arrangement is recoverable within a pre-defined timeframe and that appropriate and secure backups of Data are maintained.
- 3.45 Where the Cloud Computing arrangement uses a multi-tenancy environment or Data co-mingling arrangement, Institutions should ensure that their Data and information is segregated and that the Outsourcing Service Provider is able to protect the confidentiality and integrity of the Data and information.
- 3.46 Institutions should introduce controls to prevent unauthorised access to Data and permit access to IT Assets only when appropriate.
- 3.47 Institutions should establish security controls to protect against attacks (e.g. network intrusion attempts, DoS attacks), including cloud-specific attacks.
- 3.48 Institutions should introduce cryptographic key management to control access to, segregate and secure Customers’ Data.
- 3.49 Institutions should utilise encryption or tokenisation to protect the confidentiality of Personal Data, such as authentication credentials and emails, being processed or in transit, including Data in Data backups.
- 3.50 Institutions should introduce user identity and access management and authentication (including Multi-Factor Authentication) to provide controlled access to information systems, allowing Staff and Outsourcing Service Providers to perform their business activities while protecting Data and systems from unauthorised access.
- 3.51 Institutions should ensure that user access and activities are logged and reviewed on an “as needed” basis.
- 3.52 Institutions should develop controls to ensure the confidentiality and integrity of source code and prevent alteration of source code and system configurations (particularly when the Institution uses models such as DevOps).
- 3.53 Institutions should conduct vulnerability assessments and penetration tests specific to the Cloud Computing arrangement to identify weaknesses or flaws in the security processes.
Management and Monitoring
- 3.54 Institutions should establish change management processes to ensure any changes to the Cloud Computing arrangement by the Institution or the Outsourcing Service Provider are appropriately governed and implemented.
- 3.55 Institutions should ensure that they define the conditions and scenarios in which automated testing and releases can take place for changes to their Cloud Computing arrangements, and that there is a full audit trail, a record of the changes and evidence of pre-approval.
- 3.56 Institutions should develop a mechanism by which they are notified of material changes to the Cloud Computing arrangement in a timely manner.
- 3.57 Institutions should develop a configuration management process which includes regular monitoring to detect unauthorised changes to the cloud environment and ensure such changes can be appropriately remediated.
- 3.58 Institutions should ensure that the Cloud Computing arrangement has the capacity to run the Institution’s workloads. Institutions should regularly monitor utilisation and proactively plan for upgrades or enhancements based on anticipated spikes in workloads or resulting from strategic business initiatives.
- 3.59 Institutions should establish a monitoring framework to define, monitor, report and remediate key infrastructure, technology and security-related incidents and events in the cloud environment in a timely and effective manner to minimise detriment. The framework should:
  - a. Cover incidents and events that may impact the stability or availability of the Institution’s applications, networks and systems, or the confidentiality or integrity of cloud environments;
  - b. Be centralised to promote clarity of process and enable consolidation and analysis of threat intelligence and incident- and event-related Data;
  - c. Manage incidents and events according to their frequency, criticality and assigned ownership;
  - d. Identify, monitor and manage systemic issues;
  - e. Monitor and identify vulnerabilities, incidents and events on an on-going basis by:
    - i. Defining a standard set of health and performance metrics;
    - ii. Utilising analytics and Data from previous security incidents and events to enable retrospective detection;
  - f. Categorise and record Data associated with incidents and events;
  - g. Report and escalate incidents and events to relevant stakeholders for notification or action; and
  - h. Ensure that incidents and events are properly reviewed and identified gaps are remediated to prevent a recurrence.
- 3.60 Institutions should be able to swiftly and safely:
  - a. Detect vulnerabilities in the software used in the cloud environment; and
  - b. Deploy security and operating system patches.
- 3.61 After implementation of the Cloud Computing arrangement, Institutions should re-assess the risks associated with the Cloud Computing arrangement when there is a material change to existing arrangements, and on a regular basis through ongoing:
  - a. Outsourcing risk assessments to assess the adequacy of controls in managing the risks arising from the Outsourcing arrangement; and
  - b. Security and risk assessments to assess the adequacy of the security and risk controls in managing the risks arising from Cloud Computing. These should include conducting vulnerability assessments and penetration tests specific to the Cloud Computing arrangement on at least an annual basis.
- 3.62 Institutions should establish risk mitigation controls to address any shortcomings of the Cloud Computing arrangement. The degree of risk should inform the stringency of the controls and mitigation procedures implemented.
Business Continuity
- 3.63 Institutions’ business continuity management functions and crisis management teams should develop and implement a business continuity plan for material Cloud Computing arrangements. If Cloud Computing arrangements are outsourced, the Outsourcing Service Provider should have a business continuity plan in place that is acceptable to the Institution.
- 3.64 Institutions should define key risk indicators, performance metrics and adverse conditions that can trigger the business continuity plan for the Cloud Computing arrangement during their on-going monitoring and oversight of any services provided by the Outsourcing Service Provider.
- 3.65 As part of an Institution’s own business continuity planning for Cloud Computing services, it should tailor the plan to:
  - a. Account for any dependency on one Outsourcing Service Provider;
  - b. Define the division of roles and responsibilities;
  - c. Define recovery objectives;
  - d. Identify alternative solutions/develop transition plans; and
  - e. Test the business continuity plan for the Cloud Computing arrangement (jointly with the Outsourcing Service Provider if the Cloud Computing arrangement is outsourced) on at least an annual basis.
Exit and Resolution Planning
- 3.66 Institutions should consider the possibility of a stressed exit, wherein an event of disruption cannot be managed through business continuity measures.
- 3.67 Institutions should define and maintain specific exit plans for their outsourced Cloud Computing arrangements, taking into account developments (such as new technology) that may change the feasibility of an exit in stressed and non-stressed scenarios.
- 3.68 Institutions should account for outsourced Cloud Computing arrangements when developing resolution plans or strategies, to identify and address any impediments to their resolvability and to prepare for their possible resolution.
- 3.69 Institutions should establish procedures for Data recovery by the Institution and permanent Data deletion by the Outsourcing Service Provider in the event of a termination of services.