{"id":1536,"date":"2019-08-20T09:48:58","date_gmt":"2019-08-20T04:18:58","guid":{"rendered":"https:\/\/www.cloud-kinetics.com\/?p=1536"},"modified":"2024-06-21T12:37:04","modified_gmt":"2024-06-21T07:07:04","slug":"abs-guidelines-for-singapore-banks","status":"publish","type":"post","link":"https:\/\/www.cloud-kinetics.com\/blog\/abs-guidelines-for-singapore-banks\/","title":{"rendered":"ABS Guidelines For Singapore Banks"},"content":{"rendered":"<p>The Association of Banks in Singapore (ABS) has recently released the second version of the implementation guide for Financial Institutions (FIs) when entering into Cloud outsourcing arrangements, as well as the on-going maintenance. The first version was released in 2016 and significant technological advancements since then have prompted the ABS to release an update to address these changes. It is also intended to further support the practice of migrating material workloads to the Cloud, including systems of record and those classified as Monetary Authority of Singapore (MAS) Critical. Please refer to MAS Notice 644 for the definition of MAS Critical.<\/p>\n<p>The Guide is intended to assist Financial Institutions in understanding approaches to due diligence, vendor management and key controls that should be implemented on an on-going basis in Cloud outsourcing arrangements. It can also be used by Cloud Service Providers (CSPs) to better understand what is required to achieve successful Cloud outsourcing arrangements with FIs.<\/p>\n<h2>Cloud outsourcing classification<\/h2>\n<p>ABS has also provided guidance as to the definition of differing risk categories in Cloud outsourcing arrangements and what is likely to constitute material and non-material outsourcing in the context of cloud. 
This guidance helps FIs understand the inherent risk profile of a Cloud Outsourcing arrangement, and then ensure that appropriate controls are in place.<\/p>\n<p>A broad guideline for the classification of material and non-material outsourcing is given below. This is to be used only as a broad guideline, and the final decision should be made based on the FI\u2019s risk appetite.<\/p>\n<h2>Cloud Outsourcing Category<\/h2>\n<h2>Non-Material<\/h2>\n<h4>Non-Material Common characteristics:<\/h4>\n<p>\u2022 Staff data which does not include bank account or credit card data (e.g. information on name cards)<br \/>\n\u2022 Development and Test environments<br \/>\n\u2022 Services not defined as \u2018critical\u2019<\/p>\n<h4>Non-Material Examples:<\/h4>\n<p>\u2022 Application binaries, or risk management quant libraries that are being tested on masked data (i.e. performance &amp; volume testing, regression testing, or Monte Carlo simulations)<br \/>\n\u2022 Information Security solutions such as Managed Security Services \/ Operations Centres, where information assets are encrypted and logically segregated<br \/>\n\u2022 Websites for accessing information that is classified as \u2018public\u2019<br \/>\n\u2022 Service Management applications<\/p>\n<h2>Material<\/h2>\n<h4>Material Common characteristics:<\/h4>\n<p>\u2022 Use of customer information, the unauthorized access or disclosure, loss or theft of which may have a material impact on the customer<br \/>\n\u2022 Use of staff data, including Personally Identifiable Information (PII), payroll and bank account or credit card data<br \/>\n\u2022 Software used for the trading of financial instruments or other transactions<br \/>\n\u2022 Financial Risk management systems (Market, Credit and Liquidity)<br \/>\n\u2022 Non-public commercially sensitive information that could influence financial markets<br \/>\n\u2022 Regulatory reporting or accounting data<br \/>\n\u2022 Outsourced business activity defined as critical by 
the FI<br \/>\n\u2022 Systems of record, including core banking applications<br \/>\n\u2022 Any Cloud-based implementation of a system classified as \u2018MAS Critical\u2019<\/p>\n<h4>Material Examples:<\/h4>\n<p>\u2022 Email and document storage<br \/>\n\u2022 Authentication services providing One Time Passwords (OTP) or 2 Factor Authentication (2FA)<br \/>\n\u2022 Vulnerability Scanning Services<\/p>\n<h4>Activities recommended as part of due diligence<\/h4>\n<p>ABS has further laid out a recommended due diligence process and vendor management activities for Cloud outsourcing arrangements. The recommendations cover pre-engagement of the CSP as well as on-going risk assessment and oversight. Again, FIs are recommended to take a risk-based approach and understand the applicability to their specific outsourcing arrangement.<\/p>\n<h4>Governance<\/h4>\n<p>FIs are encouraged to establish a risk management and governance framework to assist in the identification and monitoring of risks during cloud adoption. Expectations should be agreed between the CSP and the FI, in particular with regard to operational contract management, SLA management, technology risk management, business continuity management and contract exit. 
The contractual terms and conditions governing the roles, relationships, obligations and responsibilities of all contracting parties should be set out fully in written agreements.<\/p>\n<h4>Assessment of the Cloud Service Provider<\/h4>\n<p>ABS has highlighted data confidentiality, financial, operational and reputational factors, including the ethical and professional standards held by the CSP and the CSP\u2019s ability to comply with its obligations under the outsourcing arrangement, as top considerations while assessing a CSP.<\/p>\n<p>The scope of assessment of a CSP should minimally include the Data Centre (DC) perimeter, physical and environmental security, natural disasters, and the political and economic climate of the country in which the Data Centre resides.<\/p>\n<h4>Contractual Considerations<\/h4>\n<p>When negotiating a contract with a CSP, the FI should ensure that it has the ability to contractually enforce agreed and measurable information security and operational requirements. The FI is directed to ensure that the outsourcing contract includes:<\/p>\n<ul>\n<li>responsibilities of contracting parties to address the scope of the services and the applicable baseline security policies and practices<\/li>\n<li>ensuring the CSP can protect the confidentiality and integrity of the FI\u2019s information<\/li>\n<li>provision to review and monitor the security practices and control processes of the service provider on a regular basis<\/li>\n<\/ul>\n<p>The FI should understand and agree with the CSP on the change management process in relation to the services provided, and the impact assessment criteria in relation to the SLA in the contract. 
The FI should ensure that the outsourcing agreement includes an obligation for the CSP to provide notification to the FI in the event of any significant changes that may impact service availability (including controls and\/or location).<\/p>\n<p>As financial institutions scale up the use of Cloud services, the updated guidelines reflect industry best practices to facilitate responsible and secure adoption by setting clear expectations for both banks and service providers.<\/p>\n<p>Cloud Kinetics has a proven track record of working with global banks and facilitating their cloud journeys. Contact Us for cloud outsourcing.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Association of Banks in Singapore (ABS) has recently released the second version of the implementation guide for Financial Institutions (FIs) when entering into Cloud outsourcing arrangements, as well as the on-going maintenance. The first version was released in 2016 and significant technological advancements since then have prompted the ABS to release an update to &#8230; <a title=\"ABS Guidelines For Singapore Banks\" class=\"read-more\" href=\"https:\/\/www.cloud-kinetics.com\/blog\/abs-guidelines-for-singapore-banks\/\" aria-label=\"More on ABS Guidelines For Singapore Banks\">Read 
more<\/a><\/p>\n","protected":false},"author":1,"featured_media":6207,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[59,61,42],"tags":[],"acf":[],"_links":{"self":[{"href":"https:\/\/www.cloud-kinetics.com\/wp-json\/wp\/v2\/posts\/1536"}],"collection":[{"href":"https:\/\/www.cloud-kinetics.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloud-kinetics.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloud-kinetics.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloud-kinetics.com\/wp-json\/wp\/v2\/comments?post=1536"}],"version-history":[{"count":2,"href":"https:\/\/www.cloud-kinetics.com\/wp-json\/wp\/v2\/posts\/1536\/revisions"}],"predecessor-version":[{"id":1677,"href":"https:\/\/www.cloud-kinetics.com\/wp-json\/wp\/v2\/posts\/1536\/revisions\/1677"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloud-kinetics.com\/wp-json\/wp\/v2\/media\/6207"}],"wp:attachment":[{"href":"https:\/\/www.cloud-kinetics.com\/wp-json\/wp\/v2\/media?parent=1536"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloud-kinetics.com\/wp-json\/wp\/v2\/categories?post=1536"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloud-kinetics.com\/wp-json\/wp\/v2\/tags?post=1536"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}