Confidential
Page 1 of 38
10063894-1
SINGAPORE
MICROSOFT GUIDANCE ON COMPLYING WITH REGULATORY GUIDELINES APPLICABLE TO FINANCIAL SERVICES INSTITUTIONS USING OFFICE 365
Last updated: 4 October 2016
1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?
This guidance document is a guide to complying with the regulatory requirements and guidelines applicable to financial services institutions using Office 365 in Singapore [1]. In this guidance, “financial services institutions” means financial institutions, banks, financial advisers, securities exchanges, futures exchanges, designated clearing houses, securities trading companies, insurance companies, registered insurance brokers, licensed trust companies, capital investment companies, capital markets services licensees and other regulated service providers in the financial industry (“FSIs”).
Sections 2 to 6 of this guidance document set out information about the regulatory requirements and guidelines that apply. Section 7 is a checklist to help
FSIs ensure that their use of cloud services complies with the relevant requirements and guidelines. Appendix One is a list of the requirements that, under
the relevant guidelines, should be addressed in the cloud contract.
2. WHAT REGULATIONS AND GUIDANCE ARE RELEVANT?
This guidance document draws upon the MAS’s notices and guidelines on technology risk management, outsourcing and cloud computing, including:
Guidelines on Outsourcing [2]
Technology Risk Management Guidelines
Business Continuity Management Guidelines
Notice 634, Banking Act
[1] Note that this guidance document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment on the part of Microsoft or its affiliates. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your technology outsourcing project and your legal and regulatory obligations. If you have any questions, please do not hesitate to get in touch with your Microsoft contact.
[2] Note that, as at the date of publication of this guidance document, the MAS Notice of Outsourcing has not been updated. Once this is updated and issued, it will also need to be considered by FSIs adopting cloud services (please see Q8 in the FAQ on MAS Guidelines on Outsourcing, published on 27 July 2016).
Whether a use of cloud computing is considered to be a ‘material outsourcing’ will determine the extent to which the applicable guidelines need to be
complied with. This guidance includes all of the requirements applicable to ‘material outsourcing’, for the sake of completeness.
3. WHO IS/ARE THE RELEVANT REGULATOR(S)?
The Monetary Authority of Singapore (“MAS”)
4. IS REGULATORY APPROVAL REQUIRED IN SINGAPORE?
No, regulatory approval is not required. In fact, the latest MAS Guidelines on Outsourcing provide a clear green light to the use of cloud services, including
public cloud services. There is no requirement for prior notification, consultation or approval. There are, however, various risk management and
compliance requirements to address – and this guidance document is intended to help.
5. IS THERE STILL A REQUIREMENT TO SUBMIT AN MAS TECHNOLOGY QUESTIONNAIRE?
No, there is no longer such a requirement. With the release of the new Guidelines on Outsourcing on 27 July 2016, FSIs are not required to submit the
MAS Technology Questionnaire to MAS before signing up for any outsourcing arrangement, including a material outsourcing arrangement. Nevertheless,
Section 7 of this guidance is intended to assist you in carrying out thorough and comprehensive due diligence and to make the process of adopting cloud
services easier for you by providing information, tips and suggested responses to address the matters set out in the Guidelines on Outsourcing. The
suggested responses may provide sufficient detail but if you require further information, Microsoft will be happy to provide this if you get in touch with your
Microsoft contact. Microsoft has, in the relevant places within this guidance document, inserted some links to relevant laws and guidance for your ease of
reference which may help inform your answers.
6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?
Yes. Some obligations that MAS requires FSIs to ensure are reflected in contracts with service providers can be found in the Guidelines on Outsourcing,
and Notice 634, Banking Act (Appendix). Appendix One to this guidance document (Contractual requirements) contains a comprehensive list of such
requirements and sets out details of where in the Microsoft contractual documents these points are covered.
7. OUTSOURCING COMPLIANCE CHECKLIST
The questions and requirements set out in this Outsourcing Compliance Checklist address the key issues that one should consider in a thorough and
comprehensive risk assessment of a cloud computing service.
Key:
In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the point
raised in the checklist. Some points are specific to your own internal operations and processes and you will need to address them as well.
In red italics, Microsoft has provided guidance to assist you with the points in the checklist, both for your discussions internally with your Board, senior
management and compliance experts, and externally with regulators such as MAS.
Ref. Question/requirement Template response and guidance
A. OVERVIEW OF OUTSOURCING
1. Indicate the name of the service provider for this outsourcing arrangement. If there are any other parties involved in the outsourcing arrangement, also provide the names of those parties and state their role in the outsourcing arrangement.
The service provider is Microsoft Operations Pte Ltd, the regional licensing entity for Microsoft Corporation, a global provider of
information technology devices and services, which is publicly-listed in the USA (NASDAQ: MSFT). Microsoft’s full company profile
is available here: https://www.microsoft.com/en-us/news/inside_ms.aspx.
2. When is the proposed start date of this outsourcing arrangement?
Please insert the proposed start date of the outsourcing service.
3. Has your organization assessed this to be a material outsourcing arrangement (as described in the MAS Guidelines on Outsourcing)?
Under the Guidelines on Outsourcing, some requirements only apply if the outsourcing is ‘material’. These requirements include
the requirement to: (i) perform periodic reviews on material outsourcing arrangements at least on an annual basis; (ii) incorporate
contractual clauses to allow the institution and MAS to be granted audit access and access to information and any report or finding
made on the service provider and its sub-contractors; and (iii) ensure that material outsourcing arrangements with service
providers located outside Singapore are conducted in such a manner so as not to hinder MAS's supervisory efforts. For the sake
of completeness, this guidance covers all of the requirements under the Guidelines on Outsourcing, including those that are only
applicable to ‘material outsourcing arrangements’. However, FSIs will need to make an assessment as to whether the use of cloud
services in a particular manner is ‘material’ or not.
A "material outsourcing arrangement" is defined under the Guidelines on Outsourcing as ‘an outsourcing arrangement – (a) which,
in the event of a service failure or security breach, has the potential to either materially impact an institution’s– (i) business
operations, reputation or profitability; or (ii) ability to manage risk and comply with applicable laws and regulations, or (b) which
involves customer information and, in the event of any unauthorized access or disclosure, loss or theft of customer information,
may have a material impact on an institution’s customers’. “Customer information” does not include information that is public,
anonymized or securely encrypted and, in this respect, please see question F2 for more detail about the secure encryption
provided by Microsoft’s cloud services. Annex 2 of the Guidelines on Outsourcing lists some considerations in determining
whether or not the outsourcing is ‘material’.
4. Is the outsourcing arrangement a cloud computing arrangement?
Yes.
5. List all proposed service(s) to be outsourced to the service provider, and indicate if the outsourced service is critical to your business or operations.
Service(s) to be outsourced Critical (Y/N)
1. Microsoft Office applications Y
2. Hosted email Y
3. Web conferencing, presence, and instant messaging Y
4. Data and application hosting Y
5. Spam and malware protection Y
6. IT support services Y
6. List all the types of data that would be processed or stored by the service provider, and indicate if the data is considered to be sensitive.
When you choose a Microsoft Office 365 solution, the types of data affected are within your control, so the template response will need to be tailored to the data you have selected as relevant to the solution.
We ensure that all data (but in particular any customer data) is treated with the highest level of security in accordance with good
industry practice to ensure that we and our service provider comply with our legal and regulatory obligations and our commitments
to customers. We do of course only collect and process data that is necessary for our business operations in compliance with all
applicable laws and regulation and this applies whether we process the data on our own systems or via a cloud solution such as
Microsoft Office 365. Typically the types of data that would be processed and stored by the Office 365 service would include:
Type of Data Processed/Stored/Both Sensitive (Y/N)
1. Customer data (including customer name, contact details, account information, payment card data, security credentials and correspondence). Both Y
2. Employee data (including employee name, contact details, internal and external correspondence by email and other means and personal information relating to their employment with the organization). Both Y
3. Transaction data (data relating to transactions in which the organization is involved). Both Y
4. Indices (for example, market feeds). Both N
5. Other personal and non-personal data relating to the organization’s business operations as an FSI. Both Y
7. Please provide the background on why your organization has decided to outsource the service(s). What were the business and operational considerations?
In articulating the business and operational considerations that led to the outsourcing, the below could be used as an introduction.
Cloud computing enables on-demand network access to a pool of servers, storage and services “in the cloud”. In the case of Microsoft Office 365, it means accessing Microsoft applications and storing data not on our own servers at our own premises but on Microsoft’s servers at Microsoft’s data centers. When managed properly, cloud computing offers security and functionality that is on par with or better than on-premises data centers of even the most sophisticated organizations.
B. REGULATORY COMPLIANCE
1. Has a compliance check for the proposed outsourcing arrangement been performed against the MAS Guidelines on Outsourcing and the Technology Risk Management Guidelines? Provide the list of all gaps identified and explain in detail how each gap is addressed by your organization.
If any “compliance gaps” were identified as part of your risk management processes then these will need to be detailed here,
indicating how the relevant issues have now been resolved.
Yes.
We have reviewed the MAS Guidelines on Outsourcing and the Technology Risk Management Guidelines and have obtained
confirmation from Microsoft that the Office 365 service complies with these guidelines. Internally, we ensure that our own
processes also comply with the guidelines.
2. Will all identified security and control gaps be resolved prior to the commencement of this outsourcing arrangement? If not, please explain why and state when they can be resolved.
N/A
If any “compliance gaps” were identified as part of your risk management processes then you will need to confirm here that these
gaps will be resolved (or if not, why not).
3. Has the outsourcing agreement been vetted by a competent authority (e.g. the institution's legal counsel) on its legality and enforceability?
Guidelines on Outsourcing, Paragraph 5.5.1 (The outsourcing agreement should be vetted by a competent authority on its legality and enforceability)
Yes/No (if no, explain why)
C. BOARD & MANAGEMENT OVERSIGHT
1. Has your management considered the overall business and strategic objectives prior to outsourcing the specific IT operations? Please elaborate on the factors considered and the rationale for entering this outsourcing arrangement.
Guidelines on Outsourcing, Paragraph 5.3 (an FSI should not engage in outsourcing that results in its risk management, internal
control, business conduct or reputation being compromised or weakened).
The MAS expects that management would need to have considered the overall business and strategic objectives. The sample
answer below covers legal/regulatory compliance and customer satisfaction but we would suggest tailoring this with details of:
information about the factors considered for using the Microsoft cloud services;
internal processes that were carried out;
who handled the process and which areas of the business were involved or advised; and
any external consultants or legal counsel involved.
Management of our organization has been involved throughout to ensure that the project aligns with our organization’s overall
business and strategic objectives. At the center of our objectives are of course legal and regulatory compliance and customer
satisfaction and these were the key objectives that management had in mind when it considered this project. We are satisfied that
this solution will ensure legal and regulatory compliance because of the key features (including the security and regulator audit
rights) forming part of the Office 365 service. We are also satisfied that customer satisfaction will be maintained because we
believe that Office 365 will actually have some major benefits for our IT operations and, accordingly, improve the overall service
that we are able to provide to customers.
2. Has the Board approval been sought prior to signing the outsourcing contract?
Various places in the Guidelines on Outsourcing state that ultimate responsibility for effective management of risks lies with the Board and that appropriate approvals processes should be put in place. Each organization will of course have its own internal approval processes. Where this does include Board sign-off then this will not be an issue. Where it does not, you will need to briefly explain how the sign-off processes work (i.e. how a right of approval has effectively been delegated by the Board). Again, details of the relevant decision-makers should be included here.
Yes/No (if no, explain why)
3. Has the Board of Directors or a relevant committee of the Board been apprised of, and acknowledged, the risks presented to them?
Paragraph 5.2, Guidelines on Outsourcing states the responsibilities of the Board including approving the framework for evaluating
risks. Paragraph 3 of the Technology Risk Management Guidelines is also relevant.
Yes/No (if no, explain why)
D. RISK ASSESSMENT AND MANAGEMENT
1. Has your organization performed a risk assessment of this outsourcing arrangement, including security risk assessment against the latest security threats? Please elaborate on the key risks and threats that have been identified for this outsourcing arrangement and the actions that have been or will be taken to address them.
The MAS expects that your organization would have carried out a risk assessment. Paragraph 5.3, Guidelines on Outsourcing lists
the factors that should be considered in a framework for risk evaluation. The MAS Technology Risk Management Guidelines also
list the key principles and an indication of what the MAS would consider to be a “proper risk assessment”.
You should ensure that you have carried out comprehensive due diligence on the nature, scope and complexity of the outsourcing
to identify the key risks and risk mitigation strategies. We have made suggestions regarding common issues below and you will
need to expand on or tailor the template response to describe what you see as the key risks and what risk processes you have
carried out as part of this project. You may also want to refer to data segregation here (in the context of a multi-tenanted solution –
noting that logical segregation is expressly permitted by the Guidelines on Outsourcing).
identifying the role of outsourcing in the overall business strategy and objectives of the institution;
risk identification;
analysis and quantification of the potential impact and consequences of these risks;
risk mitigation and control strategy; and
ongoing risk monitoring and reporting.
If you have any questions when putting together a risk assessment, please do not hesitate to get in touch with your Microsoft
contact.
Yes.
Led by our management we have carried out a thorough risk assessment of the move to Office 365. This risk assessment
included:
[ ];
[ ]; and
[ ].
1. Data security: By transferring certain data processing operations to a third party, we are aware that we need to ensure that our
selected outsourcing partner has in place appropriate and reasonable technical and organizational measures to protect the data.
This is necessary both from a financial services regulatory perspective as well as the organization’s compliance with data
protection legislation. It is of utmost importance to us. We have therefore carried out a robust assessment as part of our selection
process. We have selected Microsoft as an outsourcing partner taking heavily into account the fact that it is an industry leader in
cloud security and implements policies and controls on par with or better than on-premises data centers of even the most
sophisticated organizations. Microsoft is ISO/IEC 27001 and ISO/IEC 27018 accredited. In addition, the Microsoft Office 365
service has achieved the highest level certification (Tier 3) of the Multi Tier Cloud Security Standard ("MTCS") for Singapore
(MTCS SS 584) which builds upon recognized international standards such as ISO/IEC 27001, and covers such areas as data
retention, data sovereignty, data portability, liability, availability, business continuity, disaster recovery, and incident management.
The Microsoft Office 365 security features (being the product that the organization will be using) consist of three parts: (a) built-in
security features including encryption of data when in transit and at rest; (b) security controls; and (c) scalable security. These
include 24-hour monitored physical hardware, isolated customer data, automated operations and lock-box processes, secure
networks and encrypted data.
2. Access and audit: In addition to ensuring that relevant security and other safeguards are put in place up front, it is essential
that the outsourcing arrangement provides for us to ensure that such standards and commitments and regulatory requirements are
adhered to in practice. We are aware that audit and access in order to verify this can be a difficult issue in outsourcing and
therefore we have made this a high priority requirement as part of this outsourcing. Another reason for the selection of Microsoft in
this case is that it permits regulator audit and inspection of its data centers and in agreed circumstances inspection rights for its
financial services customers.
3. Control: The handing over of a certain amount of day to day responsibility to an outsourcing provider does present certain
challenges in relation to control of data. Essential to us is that despite the outsourcing we retain control over our own business
operations, including control of who can access data and how they can use it. At a contractual level, we have dealt with this via our
agreement with Microsoft, which provides us with legal mechanisms to manage the relationship including appropriate allocation of
responsibilities, oversight and remedies. At a practical level, we have selected the Office 365 product because it provides us with
control over data location, access and authentication and advanced encryption controls. We (not Microsoft) will continue to own
and retain all rights to our data and our data will not be used for any purpose other than to provide us with the Office 365 services.
Office 365 was built based on ISO/IEC 27001 and ISO/IEC 27018 standards, a rigorous set of global standards covering physical,
logical, process and management controls. In addition, the Microsoft Office 365 service has achieved the highest level certification
(Tier 3) of the Multi Tier Cloud Security Standard ("MTCS") for Singapore (MTCS SS 584) which builds upon recognized
international standards such as ISO/IEC 27001, and covers such areas as data retention, data sovereignty, data portability,
liability, availability, business continuity, disaster recovery, and incident management. Office 365 is certified against healthcare (HIPAA), education (FERPA) and government (FISMA) standards, and Microsoft can meet strict European privacy requirements through the EU Model Clauses and data processing agreements.
2. If the outsourcing arrangement requires system connectivity between your organization and the service provider, how does your organization protect your networks and systems from the potential threats arising from the system connectivity?
You need to demonstrate that you protect your networks and systems from the potential threats arising from the system
connectivity. We have made suggestions regarding measures taken below and you will need to expand on or tailor the template
response to describe any further measures taken by your organization.
Client connections to Office 365 use secure sockets layer (“SSL”) for securing Outlook, Outlook Web App, Exchange ActiveSync,
POP3, and IMAP. Customer access to services provided over the Internet originates from users’ Internet-enabled locations and
ends at a Microsoft data center. These connections are encrypted using industry-standard transport layer security (“TLS”)/SSL.
The use of TLS/SSL establishes a highly secure client-to-server connection to help provide data confidentiality and integrity
between the desktop and the data center. Customers can configure TLS between Office 365 and external servers for both inbound
and outbound email. This feature is enabled by default.
Microsoft also implements traffic throttling to prevent denial-of-service attacks. It uses the “prevent, detect and mitigate breach” process as a defensive strategy to predict and prevent security breaches before they happen. This involves continuous improvements to built-in security features, including port-scanning and remediation, perimeter vulnerability scanning, OS patching to the latest updated security software, network-level DDoS detection and prevention and multi-factor authentication for service access.
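The D2 response above states that TLS can be configured between Office 365 and external mail servers and is enabled by default. A regulator or internal auditor will usually want that control evidenced rather than asserted. The following PowerShell script is an added example, not part of the Microsoft guidance and not a Microsoft-published script: it lists the tenant's Exchange Online mail-flow connectors that do not enforce TLS. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange administrator role; the RequireTls and TlsSettings connector properties it reads are the standard properties exposed by Get-InboundConnector and Get-OutboundConnector.

```powershell
# Added example (not from the Microsoft guidance): audit Exchange Online
# mail-flow connectors for TLS enforcement. Assumes the ExchangeOnlineManagement
# module is installed and the account holds an Exchange administrator role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = New-Object System.Collections.Generic.List[object]

# Inbound connectors accept mail from partner organisations or on-premises
# servers. RequireTls = $false means cleartext SMTP is accepted from that source.
foreach ($c in Get-InboundConnector) {
    if ($c.Enabled -and -not $c.RequireTls) {
        $findings.Add([pscustomobject]@{
            Direction = 'Inbound'
            Name      = $c.Name
            Finding   = 'RequireTls is False; TLS is not enforced for inbound mail'
        })
    }
}

# Outbound connectors deliver mail to partner organisations or on-premises
# servers. An empty TlsSettings means opportunistic TLS only (may fall back to
# cleartext); EncryptionOnly enforces TLS without checking the remote certificate;
# CertificateValidation / DomainValidation enforce TLS and validate the certificate.
foreach ($c in Get-OutboundConnector) {
    if (-not $c.Enabled) { continue }
    if ([string]::IsNullOrEmpty($c.TlsSettings)) {
        $findings.Add([pscustomobject]@{
            Direction = 'Outbound'
            Name      = $c.Name
            Finding   = 'TlsSettings is empty; only opportunistic TLS is used'
        })
    } elseif ($c.TlsSettings -eq 'EncryptionOnly') {
        $findings.Add([pscustomobject]@{
            Direction = 'Outbound'
            Name      = $c.Name
            Finding   = 'TLS is enforced but the remote certificate is not validated'
        })
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All enabled connectors enforce TLS with certificate validation.'
} else {
    # Each row is a connector to review; keep the output with the D2 evidence.
    $findings | Format-Table -AutoSize
}

Disconnect-ExchangeOnline -Confirm:$false
```

The script reports on connectors only; default Office 365-to-Internet mail flow (without connectors) uses opportunistic TLS, which this check does not alter. A clean run, saved with its date, is a concrete artefact for the risk assessment in section D.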
3. What security controls are put in place to protect the transmission and storage of any sensitive production and backup data (e.g. customer data) within the infrastructure of the service provider, and how does your organization address the risk of unauthorized disclosure as well as intentional or unintentional leakage of that information? Please provide details of the preventive and detective measures in place, if any.
Paragraph 5.6, Guidelines on Outsourcing. Paragraph 9 (operational infrastructure security management), Paragraph 10 (data centers protection and controls) and Paragraph 11 (access control) of the Technology Risk Management Guidelines.
Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and controls on par with or better than on-premises data centers of even the most sophisticated organizations. Office 365 was built based on ISO/IEC 27001 and ISO/IEC 27018 standards, a rigorous set of global standards covering physical, logical, process and management controls. In addition, the Microsoft Office 365 service has achieved the highest level certification (Tier 3) of the Multi Tier Cloud Security Standard ("MTCS") for Singapore (MTCS SS 584) which builds upon recognized international standards such as ISO/IEC 27001, and covers such areas as data retention, data sovereignty, data portability, liability, availability, business continuity, disaster recovery, and incident management.
The Microsoft Office 365 security features consist of three parts: (a) built-in security features; (b) security controls; and (c) scalable
security. These include 24-hour monitored physical hardware, isolated customer data, automated operations and lock-box
processes, secure networks and encrypted data.
Microsoft implements the Microsoft Security Development Lifecycle (“SDL”) which is a comprehensive security process that
informs every stage of design, development and deployment of Microsoft software and services, including Office 365. Through
design requirements, analysis of attack surface and threat modeling, the SDL helps Microsoft predict, identify and mitigate
vulnerabilities and threats from before a service is launched through its entire production lifecycle.
Networks within the Office 365 data centers are segmented to provide physical separation of critical back-end servers and storage
devices from the public-facing interfaces. Edge router security allows the ability to detect intrusions and signs of vulnerability.
Client connections to Office 365 use secure sockets layer (“SSL”) for securing Outlook, Outlook Web App, Exchange ActiveSync,
POP3, and IMAP. Customer access to services provided over the Internet originates from users’ Internet-enabled locations and
ends at a Microsoft data center. These connections are encrypted using industry-standard transport layer security (“TLS”)/SSL.
The use of TLS/SSL establishes a highly secure client-to-server connection to help provide data confidentiality and integrity
between the desktop and the data center. Customers can configure TLS between Office 365 and external servers for both inbound
and outbound email. This feature is enabled by default.
Microsoft also implements traffic throttling to prevent denial-of-service attacks. It uses the “prevent, detect and mitigate breach” process as a defensive strategy to predict and prevent security breaches before they happen. This involves continuous improvements to built-in security features, including port-scanning and remediation, perimeter vulnerability scanning, OS patching to the latest updated security software, network-level DDoS detection and prevention and multi-factor authentication for service access. From a people and process standpoint, preventing breach involves auditing all operator/administrator access and actions, zero standing permission for administrators in the service, “Just-In-Time (JIT) access and elevation” (that is, elevation is granted on an as-needed and only-at-the-time-of-need basis) of engineer privileges to troubleshoot the service, and segregation of the employee email environment from the production access environment. Employees who have not passed background checks are automatically rejected from high privilege access, and checking employee backgrounds is a highly scrutinized, manual-approval process.
Data is also encrypted. Customer data in Office 365 exists in two states:
At rest on storage media
In transit from a data center over a network to a customer device
All email content is encrypted on disk using BitLocker AES encryption. Protection covers all disks on mailbox servers and includes mailbox database files, mailbox transaction log files, search content index files, transport database files, transport transaction log files, and page file OS system disk tracing/message tracking logs.
Office 365 also transports and stores secure/multipurpose Internet mail extensions (“S/MIME”) messages. Office 365 will
transport and store messages that are encrypted using client-side, third-party encryption solutions such as Pretty Good Privacy
(“PGP”).
4. Does the service provider employ a system architecture that involves multi-tenancy and data commingling for the outsourced service(s)? If so, does the service provider possess the ability to clearly identify and segregate customer data using strong physical controls or logical controls? How are the associated risks addressed?
The Guidelines on Outsourcing expressly permit logical segregation. Paragraph 6.7, Guidelines on Outsourcing, requires institutions to be aware of the typical characteristics of cloud computing, such as multi-tenancy and data commingling. Paragraph 5.2.3 (Management of IT outsourcing risks), Technology Risk Management Guidelines, contains a requirement for the service provider to isolate and clearly identify its customer data and other information system assets for protection.
Select the following text if using Office 365 multi-tenanted version:
Office 365 has a multi-tenant service (that is, data from different customers shares the same hardware resources) but it is designed to host multiple tenants in a highly secure way through data isolation. Data storage and processing for each tenant is segregated through Active Directory structure and capabilities specifically developed to help build, manage, and secure multi-tenant environments. Active Directory isolates customers using security boundaries (also known as silos). This safeguards a customer’s data so that the data cannot be accessed or compromised by co-tenants.
Select the following text if using Office 365 dedicated version:
We have secured an offering that provides for a dedicated hosted offering, which means that our data is hosted on hardware dedicated to us.
5. Are the outsourced operations using hardware (i.e. servers/network devices) dedicated to the organization?
This will need to be amended depending on the specific solution that you are taking up. Select the following text if using Office 365
multi-tenanted version:
Please see also our response to question D4.
Select the following text if using Office 365 dedicated version:
Please see also our response to question D4.
E. VENDOR MANAGEMENT & MONITORING
1. Is there a vendor management process to monitor the performance of the service provider? Please elaborate.
Paragraph 5.8, Guidelines on Outsourcing, contains detailed requirements in relation to monitoring and control of outsourced
activities. In addition to your own internal processes, you may in this context also wish to consider the contractual vendor
management rights that you have under your agreements with Microsoft, including the rights of audit and inspection.
As part of the support we receive from Microsoft we have access to a technical account manager who is responsible for
understanding our challenges and providing expertise, accelerated support and strategic advice tailored to our organization. This
includes both continuous hands-on assistance and immediate escalation of urgent issues to speed resolution and keep mission-
critical systems functioning. We are confident that such arrangements provide us with the appropriate mechanisms for managing
performance and problems.
2. Does your organization have a process to audit the service provider to assess its compliance with your policies, procedures,
security controls and regulatory requirements and obtain reports and findings made on the service provider? Please elaborate.
Paragraph 5.9, Guidelines on Outsourcing, sets out the audits that MAS expects FSIs to be conducting. It is not required that the
FSI conducts the audit itself; it may rely on an independent third-party audit by obtaining copies of the findings/audits made on the
service provider and its subcontractors. This is a question about your own internal processes, although it is of course relevant in
this context to mention that Microsoft permits audit and inspection both by its FSI customers and by regulators.
We have undertaken a thorough due diligence of Microsoft’s processes and procedures in relation to Office 365. As part of its
certification requirements, Microsoft is required to undergo independent third party auditing, and it shares with us the independent
third party audit reports. As part of its standard offering to us (i.e. the Financial Services Amendment that automatically applies to
regulated financial services institutions like ourselves), Microsoft gives us a right to examine, monitor and audit its provision of
Office 365. Specifically, Microsoft (i) makes available to us the written Office 365 data security policy that complies with certain
control standards and frameworks, along with descriptions of the security controls in place for Office 365 and other information that
we reasonably request regarding Microsoft’s security practices and policies; and (ii) causes the performance of audits, on our
behalf, of the security of the computers, computing environment and physical data centers that it uses in processing our data
(including personal data) for Office 365, and provides the audit report to us upon request. We are confident that such
arrangements provide us with the appropriate level of assessment of Microsoft’s ability to facilitate compliance against our policy,
procedural, security control and regulatory requirements.
The Financial Services Amendment further gives us the opportunity to participate in the optional FSI Customer Compliance
Program at any time, which enables us to have additional monitoring, supervisory and audit rights and additional controls over
Office 365, such as (a) access to Microsoft personnel for raising questions and escalations relating to Office 365, (b) invitation to
participate in a webcast hosted by Microsoft to discuss audit results, with subsequent access to detailed information
regarding planned remediation of any deficiencies identified by the audit, (c) receipt of communication from Microsoft on (1) the
nature, common causes, and resolutions of security incidents and other circumstances that can reasonably be expected to have a
material service impact on our use of Office 365, (2) Microsoft’s risk-threat evaluations, and (3) significant changes to Microsoft’s
business resumption and contingency plans or other circumstances that might have a serious impact on our use of Office 365, (d)
access to a summary report of the results of Microsoft’s third party penetration testing against Office 365 (e.g. evidence of data
isolation among tenants in the multi-tenanted services); and (e) access to Microsoft’s subject matter experts through group events
such as webcasts or in-person meetings (including an annual summit event) where roadmaps of planned developments or reports
of significant events will be discussed and we will have a chance to provide structured feedback and/or suggestions regarding the
FSI Customer Compliance Program and its desired future evolution. The group events will also give us the opportunity to discuss
common issues with other regulated financial institutions and raise them with Microsoft.
3. Has explicit provision been made in the outsourcing agreement to enable MAS and its agents to carry out an inspection or
examination of the service provider and its sub-contractors, and to obtain copies of reports made on the service provider or reports
or information given to, stored at or processed by the service provider and its sub-contractors? Please explain in detail if explicit
provision has not been made.
Paragraph 5.9.2 of the Guidelines on Outsourcing requires the inclusion of access to information, inspection and examination
rights in favor of MAS. Such rights are indeed included in Microsoft’s contractual documents, and this is a key advantage of the
Microsoft product over competitor products, which often provide only very limited (or no) regulator inspection rights.
Yes.
There are provisions in the contract that enable MAS to carry out inspection or examination of Microsoft’s facilities, systems,
processes and data relating to the services. As part of its standard offering to us (i.e. the Financial Services Amendment that
automatically applies to regulated financial services institutions like ourselves), Microsoft will, upon a regulator’s request, provide
the regulator a direct right to examine the relevant service, including the ability to conduct an on-premise examination; to meet with
Microsoft personnel and Microsoft’s external auditors; and to access related information, records, reports and documents.
Microsoft will not disclose customer data to the regulator except as described in the OST. The customer will at all times have access
to its data using the standard features of Office 365, and may delegate its access to its data to representatives of the MAS.
F. IT SECURITY
- PROTECTION OF SENSITIVE / CONFIDENTIAL INFORMATION
1. Have you obtained from the service provider a written undertaking to protect and maintain the confidentiality of your sensitive
data? If yes, provide documentation.
Yes. It is part of the standard contractual commitments made by Microsoft.
Note that “Confidentiality agreements and non-disclosure agreements” are covered under the ISO/IEC 27001 and ISO/IEC 27018
standards against which Microsoft is certified and audited annually by a third party, independent and accredited certification body.
2. Is end-to-end application layer encryption implemented to protect the transmission of PINs?
Paragraph 9.1 and Appendix E (Paragraph E.2.5), Technology Risk Management Guidelines.
Yes.
Data is encrypted. Customer data in Office 365 exists in two states:
At rest on storage media
In transit from a data center over a network to a customer device
All email content is encrypted on disk using BitLocker AES encryption. Protection covers all disks on mailbox servers and includes
mailbox database files, mailbox transaction log files, search content index files, transport database files, transport transaction log
files, the page file, the OS system disk, and tracing/message tracking logs.
Office 365 also transports and stores S/MIME (as defined above) messages. Office 365 will transport and store messages that are
encrypted using client-side, third-party encryption solutions such as PGP.
3. Are there procedures established to securely destroy or remove the organization’s production and backup data stored at the
service provider when the need arises? Please elaborate.
Paragraph 5.2.4 (Management of IT outsourcing risks), Technology Risk Management Guidelines.
Yes.
Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that can’t be wiped, it
uses a physical destruction process (e.g., disintegrate, shred, pulverize, or incinerate) that renders the recovery of information
impossible. The appropriate means of disposal is determined by the asset type. Records of the destruction are retained.
All Microsoft Online Services utilize approved media storage and disposal management services. Paper documents are destroyed
by approved means at the pre-determined end-of-life cycle.
“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO/IEC 27001, ISO/IEC 27018 and MTCS
SS 584 standards, against which Microsoft is certified.
- DATA CENTER PHYSICAL & ENVIRONMENTAL CONTROLS
4. Where are the data center(s) of the service provider located? Indicate the data center(s) in which your organization’s sensitive
data would be stored and/or processed.
Paragraph 5.10 (Outsourcing outside Singapore), Guidelines on Outsourcing. Note that the use of data centers outside of
Singapore is permitted by the Guidelines on Outsourcing.
Microsoft informs us that it takes a regional approach to hosting of Office 365 data. Microsoft is transparent in relation to the
location of our data. Microsoft data center locations are made public on the Microsoft Trust Center.
The table below will need to be amended depending on the specific solution that you are taking up.
No. | Locations of Data Center | Classification of DC: Tier I, II, III or IV | Storing your organization’s data (Y/N)
1. | | |
2. | | |
5. Have you obtained a report on the Threat and Vulnerability Risk Assessment on the physical security and environmental controls
available at the data center(s)? What were the key risks and security issues raised, and how were they addressed?
Paragraph 10, Technology Risk Management Guidelines.
In order to meet the objectives and demands of a robust service, Microsoft regularly conducts penetration testing and vulnerability
assessments against the service through its commitment to the Security Development Lifecycle and ISO certification. The output of
testing is tracked through a risk register which is audited and reviewed on a regular basis to ensure compliance with Microsoft’s
security practices. In order to protect both the system and customer data, Microsoft does not provide copies of the testing reports;
however, the tests conducted typically cover the OWASP Top Ten and also involve independent, verified security teams
(CREST certified). Microsoft is happy to make available the ISO and SSAE 16 audit reports, which cover vulnerability
assessments.
- USER AUTHENTICATION & ACCESS MANAGEMENT
6. Does the service provider have privileged access or remote access to perform system/user administration for the outsourced
service? If so, does the service provider have access to your organization’s sensitive data? Please provide details on the controls
implemented to mitigate the risks of unauthorized access to sensitive data by the service provider, or other parties.
Paragraphs 10.2 (physical security) and 11 (access control), Technology Risk Management Guidelines.
Yes.
Microsoft applies strict controls over which personnel roles and personnel will be granted access to customer data. Personnel
access to the IT systems that store customer data is strictly controlled via role-based access control (“RBAC”) and lock box
processes that involve not only approvals from within Microsoft but also explicit approval from the customer. Access control is an
automated process that follows the separation of duties principle and the principle of granting least privilege. This process ensures
that the engineer requesting access to these IT systems has met the eligibility requirements, such as a background screen,
fingerprinting, required security training and access approvals. In addition, the access levels are reviewed on a periodic basis to
ensure that only users who have appropriate business justification have access to the systems. User access to data is also limited
by user role. For example, system administrators are not provided with database administrative access. In emergency situations, a
“Just-In-Time (JIT) access and elevation system” is used to elevate engineer privileges to troubleshoot the service; that is,
elevation is granted on an as-needed and only-at-the-time-of-need basis.
7. Are the following controls and measures put in place at the service provider?
a. The activities of privileged accounts are logged and reviewed regularly.
Paragraph 11.1.4 (Access Controls), Technology Risk Management Guidelines.
Yes.
An internal, independent Microsoft team will audit the log at least once per quarter.
b. Audit and activity logs are protected against tampering by privileged users.
Paragraph 11 (Access Controls), Technology Risk Management Guidelines.
Yes.
All logs are saved to the log management system, which a different team of administrators manages. All logs are automatically
transferred from the production systems to the log management system in a secure manner and stored in a tamper-protected
way.
c. Access to sensitive files, commands and services is restricted and protected from manipulation.
Paragraph 11 (Access Controls), Technology Risk Management Guidelines.
Yes.
System-level data such as configuration data/files and commands are managed as part of the configuration management system.
Any changes or updates to or deletion of those data/files/commands will be automatically deleted by the configuration
management system as anomalies.
d. Integrity checks are implemented to detect unauthorized changes to databases, files, programs and system configuration.
Paragraph 11 (Access Controls), Technology Risk Management Guidelines.
Yes.
System-level data such as configuration data/files and commands are managed as part of the configuration management system.
Any changes or updates to or deletion of those data/files/commands will be automatically deleted by the configuration
management system as anomalies.
e. Password controls for the outsourced systems and applications are reviewed for compliance on a regular basis.
Paragraph 11.1.5 (Access Controls), Technology Risk Management Guidelines.
Yes.
All access to production and customer data requires multi-factor authentication. Use of strong passwords is mandatory, and
passwords must be changed on a regular basis.
f. Access rights for the outsourced systems and applications are reviewed for compliance on a regular basis.
Paragraph 11 (Access Controls), Technology Risk Management Guidelines (it is recommended that FSIs implement strong
controls over remote access by privileged users).
Yes.
Administrators who have access to applications have no physical access to the production environment, so they must connect
through a controlled, monitored remote access facility. All operations through this remote access facility are logged. In addition,
the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have
access to the systems.
G. IT SERVICE AVAILABILITY & DISASTER RECOVERY
1. Does the service provider have a disaster recovery or business continuity plan and what is the service availability? For your
organization’s data residing at the service provider, what are the backup and recovery arrangements?
Paragraph 5.7, Guidelines on Outsourcing. Paragraphs 8.1 (Systems Availability), 8.2 (Disaster Recovery Plan), 8.3 (Disaster
Recovery Testing) and 8.4 (Data Backup Management), Technology Risk Management Guidelines. Principle 2, Business
Continuity Management Guidelines.
Yes. Microsoft offers contractually guaranteed 99.9% uptime; globally available data centers for primary and backup storage;
physical redundancy at disk, NIC, power supply and server levels; constant content replication; robust backup, restoration and
failover capabilities; real-time issue detection and automated response, such that workloads can be moved off any failing
infrastructure components with no perceptible impact on the service; and 24/7 on-call engineering teams.
Redundancy
Physical redundancy at server, data center, and service levels
Data redundancy with robust failover capabilities
Functional redundancy with offline functionality
Resiliency
Active load balancing
Automated failover with human backup
Recovery testing across failure domains
Distributed Services
Distributed component services like Exchange Online, SharePoint Online, and Lync Online limit scope and impact of any
failures in a component.
Directory data replicated across component services insulates one service from another in any failure events.
Simplified operations and deployment.
Monitoring
Internal monitoring built to drive automatic recovery
Outside-in monitoring raises alerts about incidents
Extensive diagnostics provide logging, auditing, and granular tracing
Simplification
Standardized hardware reduces issue isolation complexities
Fully automated deployment models.
Standard built-in management mechanism
Human backup
Automated recovery actions with 24/7 on-call support
Team with diverse skills on the call provides rapid response and resolution
Continuous improvement by learning from the on-call teams
Continuous learning
If an incident occurs, Microsoft does a thorough post-incident review every time
Microsoft’s post-incident review consists of analysis of what happened, Microsoft’s response, and Microsoft’s plan to
prevent it in the future
In the event the organization was affected by a service incident, Microsoft shares the post-incident review with the
organization.
2. What are the recovery time objectives (“RTO”) of systems or applications outsourced to the service provider?
Paragraph 5.7.2(a), Guidelines on Outsourcing. Paragraph 8.2.4 of the Technology Risk Management Guidelines. Principle 4,
Business Continuity Management Guidelines (FSI should develop recovery strategies and set recovery time objectives for critical
business functions).
1 hour or less for Microsoft Exchange Online, 6 hours or less for SharePoint Online.
3. What are the recovery point objectives (“RPO”) of systems or applications outsourced to the service provider?
Paragraph 5.7.2(a), Guidelines on Outsourcing. Paragraph 8.2.4 of the Technology Risk Management Guidelines. Principle 4,
Business Continuity Management Guidelines (FSI should develop recovery strategies and set recovery time objectives for critical
business functions).
45 minutes or less for Microsoft Exchange Online, 2 hours or less for SharePoint Online.
4. How frequently does the service provider conduct disaster recovery tests?
Paragraph 5.7.2(b), Guidelines on Outsourcing (FSIs should ensure that the service provider regularly tests its business continuity
plans and that the tests validate the feasibility of the RTOs and the resumption operating capacities. The service provider should
also be required to notify the FSI of any test finding that may affect the service provider’s performance). Paragraph 8.3,
Technology Risk Management Guidelines, contains details around expectations of disaster recovery tests (with paragraph 8.3.2
referring to this being done at least annually). Principle 3, Business Continuity Management Guidelines.
At least once per year.
H. EXIT STRATEGY
1. Do you have the right to terminate the SLA in the event of default, ownership change, insolvency, change of security or serious
deterioration of service quality?
Paragraph 5.5.2(i), Guidelines on Outsourcing, which states that the agreement should contain provisions for default termination
and early exit.
The SLA is only one part of the contractual arrangement with Microsoft. It is not terminable in itself as a stand-alone document (the
remedies available to us under the SLA are financial) but our main agreement with Microsoft, the Microsoft Business and Services
Agreement (“MBSA”), is terminable by us for convenience at any time by providing not less than 60 days’ notice. In addition, we
have standard rights of termination for material breach. This gives us the flexibility and control we need to manage the relationship
with Microsoft because it means that we can terminate the arrangements whether with or without cause.
2. In the event of contract termination with the service provider, either on expiry or prematurely, are you able to have all IT
information and assets promptly removed or destroyed?
Paragraph 5.7.2(c), Guidelines on Outsourcing (requires FSIs to ensure that there are plans and procedures in place to address
the need to have all relevant IT information and assets promptly removed and destroyed upon termination).
Yes.
Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that can’t be wiped, it
uses a physical destruction process (e.g., disintegrate, shred, pulverize, or incinerate) that renders the recovery of information
impossible. The appropriate means of disposal is determined by the asset type. Records of the destruction are retained.
All Microsoft Online Services utilize approved media storage and disposal management services. Paper documents are destroyed
by approved means at the pre-determined end-of-life cycle.
“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO/IEC 27001, ISO/IEC 27018 and MTCS
SS 584 standards against which Microsoft is certified.
APPENDIX ONE
CONTRACTUAL REQUIREMENTS
This table sets out the specific items that should be covered in the FSI’s outsourcing agreement with the service provider, pursuant to the Guidelines on
Outsourcing and Notice 634, Banking Act (Appendix). It also contains useful information on how Microsoft’s contractual documents address each of said items.
In summary: Microsoft is pleased to conclude that all relevant requirements specified in the Guidelines on Outsourcing and Notice 634, Banking Act are
addressed in Microsoft's contractual documents, as shown below.
Key
Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.
In blue text, Microsoft explains how Microsoft’s contractual documents address the contractual requirements, with references to where they are covered.
Terms are used below as follows:
OST = Online Services Terms
EA = Enterprise Agreement
Enrollment = Enterprise Enrollment
FSA = Financial Services Amendment
MBSA = Microsoft Business and Services Agreement
PUR = Product Use Rights
SLA = Online Services Service Level Agreement
Ref. Requirement Microsoft agreement reference
1. The outsourcing agreement should address the risks identified at the risk evaluation and due diligence stages.
Guidelines on Outsourcing, Paragraph 5.5.2.
This would depend on the results of your risk evaluation and due diligence exercises.
2. The outsourcing agreement should allow for timely renegotiation and renewal to enable the institution to retain an appropriate
level of control over the outsourcing arrangement and the right to intervene with appropriate measures to meet its legal and
regulatory obligations.
Guidelines on Outsourcing, Paragraph 5.5.2.
In order to facilitate your continued and ongoing legal and regulatory compliance needs, and as part of its standard offering
to you (i.e. the FSA that automatically applies to regulated financial services institution customers), Microsoft agrees to
discuss how to meet new or additional requirements imposed on you should you become subject to Future Applicable Law
(as defined in the FSA).
Furthermore, Microsoft’s contractual documents anticipate renewal. For instance, Enrollments have a three-year term, and
may be renewed for a further three-year term. If necessary, you have a right to terminate the services at your convenience.
More information on your termination rights is available under Requirement 11 below.
Meanwhile, Microsoft enables financial institution customers to retain an appropriate level of control to meet their legal and
regulatory obligations. Not only do you have full control and ownership over your data at all times, under the FSA Microsoft
(i) makes available to you the written Office 365 data security policy that complies with certain control standards and
frameworks, along with descriptions of the security controls in place for Office 365 and other information that you
reasonably request regarding Microsoft’s security practices and policies; and (ii) causes the performance of audits, on your
behalf, of the security of the computers, computing environment and physical data centers that it uses in processing your
data (including personal data) for Office 365, and provides the audit report to you upon request. These arrangements are
offered to you in order to provide you with the appropriate level of assessment of Microsoft’s ability to facilitate compliance
against your policy, procedural, security control and regulatory requirements.
You can further elect to participate in the FSI Customer Compliance Program. This program allows you to engage with
Microsoft during the term of the outsourcing contract to ensure that you have oversight over the services in order to ensure
that the services meet your legal and regulatory obligations. Specifically, it enables you to have additional monitoring,
supervisory and audit rights and additional controls over Office 365, such as (a) access to Microsoft personnel for raising
questions and escalations relating to Office 365, (b) invitation to participate in a webcast hosted by Microsoft to discuss
audit results and subsequent access to detailed information regarding planned remediation of any deficiencies identified by
the audit, (c) receipt of communication from Microsoft on (1) the nature, common causes, and resolutions of security
incidents and other circumstances that can reasonably be expected to have a material service impact on your use of Office
365, (2) Microsoft’s risk-threat evaluations, and (3) significant changes to Microsoft’s business resumption and contingency
plans or other circumstances that might have a serious impact on your use of Office 365, (d) access to a summary report of
the results of Microsoft’s third party penetration testing against Office 365 (e.g. evidence of data isolation among tenants in
the multi-tenanted services), and (e) access to Microsoft’s subject matter experts through group events such as webcasts
or in-person meetings (including an annual summit event) where roadmaps of planned developments or reports of
significant events will be discussed and you will have a chance to provide structured feedback and/or suggestions
regarding the FSI Customer Compliance Program and its desired future evolution. The group events will also give you the
opportunity to discuss common issues with other regulated financial institutions and raise them with Microsoft.
3. The outsourcing agreement should have provisions to address the scope of the outsourcing arrangement.
Guidelines on Outsourcing, Paragraph 5.5.2(a).
Microsoft’s contractual documents comprehensively set out the scope of the outsourcing arrangement and the respective
commitments of the parties. The services are broadly described, along with the applicable usage rights, in the Product List
and OST. The services are described in more detail in the OST, which includes a list of service functionality and core
features of the Office 365 services in particular.
The SLA contains Microsoft’s service level commitment, as well as the remedies for the customer in the event that
Microsoft does not meet the commitment. The terms of the SLA current at the start of the applicable initial or renewal term
of the Enrollment are fixed for the duration of that term.
Please find a copy of the OST at:
http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=46
Please find a copy of the SLA at:
http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37
4. The outsourcing agreement should have provisions to address performance, operational, internal control and risk management
standards.
Guidelines on Outsourcing, Paragraph 5.5.2(b).
All of these aspects are covered in the OST and the SLA. The OST contains the privacy and security practices and internal
controls that Microsoft implements, and the SLA contains Microsoft’s service level commitment, as well as the remedies for
the customer in the event that Microsoft does not meet the commitment. The SLA is fixed for the initial term of the
Enrollment.
5. The outsourcing agreement should have provisions to address confidentiality and security.
Guidelines on Outsourcing, Paragraph 5.5.2(c).
MBSA section 3 deals with confidentiality. Under this section Microsoft commits not to disclose your confidential information
(which includes your data) to third parties and to only use your confidential information for the purposes of Microsoft’s
business relationship with you. Further, Microsoft commits to take reasonable steps to protect your confidential information,
to notify you if there is any unauthorized use or disclosure of your confidential information and to cooperate with you to help
to regain control of your confidential information and prevent further unauthorized use or disclosure of it.
The OST states that Microsoft and the customer each commit to comply with all applicable privacy and data protection laws
and regulations. The customer owns its data that is stored on Microsoft cloud services at all times. The customer also
retains the ability to access its customer data at all times, and Microsoft will deal with customer data in accordance with the
terms and conditions of the Enrollment and the OST. Following termination, Microsoft will (unless otherwise directed by the
customer) delete the customer data after a 90-day retention period.
Guidelines on Outsourcing, Paragraph 5.6.2(a). The outsourcing agreement should address the issue of access to and
disclosure of customer information by the service provider. Customer information should be used by the service provider
and its staff strictly for the purpose of the contracted service.
And
Notice 634, Banking Act, Paragraph 8 of the Appendix. The agreement should contain obligations relating to the following:
(i) access to customer data is limited to employees of the service provider who strictly require the information to perform their
duties; (ii) customer data is used strictly for a specified and disclosed purpose; and (iii) further disclosure of customer data
to any other party is restricted unless required by law.
Microsoft makes specific commitments with respect to safeguarding your data in the OST. In summary, Microsoft commits
that:
1. Your data will only be used to provide the online services to you and your data will not be used for any other purposes,
including for advertising or other commercial purposes.
2. Microsoft will not disclose your data to law enforcement unless it is legally obliged to do so, and only after not being
able to redirect the request to you.
3. Microsoft will implement and maintain appropriate technical and organizational measures, internal controls, and
information security routines intended to protect your data against accidental, unauthorized or unlawful access,
disclosure, alteration, loss, or destruction. Technical support personnel are only permitted to have access to customer
information when needed.
Guidelines on Outsourcing, Paragraph 5.6.2(a). The outsourcing agreement should address the issue of the party liable for
losses in the event of a breach of security or confidentiality and the service provider’s obligation to inform the institution.
The OST states the responsibilities of the contracting parties that ensure the effectiveness of security policies. To the
extent that a security incident results from Microsoft’s failure to comply with its contractual obligations, and subject to the
applicable limitations of liability, Microsoft reimburses you for reasonable and third-party validated, out-of-pocket
remediation costs you incurred in connection with the security incident, including actual costs of court- or governmental
body-imposed payments, fines or penalties for a Microsoft-caused security incident and additional, commercially-
reasonable, out-of-pocket expenses you incurred to manage or remedy the Microsoft-caused security incident (FSA,
Section 3). Applicable limitation of liability provisions can be found in the MBSA.
Microsoft further agrees to notify you if it becomes aware of any security incident, and to take reasonable steps to mitigate the
effects and minimize the damage resulting from the security incident (OST).
6. The outsourcing agreement should have provisions to address business continuity management.
Guidelines on Outsourcing, Paragraphs 5.5.2(d) and 5.7.2.
And
Notice 634, Banking Act, Paragraph 11 of the Appendix.
Business Continuity Management forms part of the scope of the accreditation that Microsoft retains in relation to the online
services, and Microsoft commits to maintain a data security policy that complies with these accreditations (see OST).
Business Continuity Management also forms part of the scope of Microsoft’s annual third party compliance audit. Business
Continuity Plans (BCPs) are documented and reviewed at least annually, and the BCPs provide roles and responsibilities
and detailed procedures for recovery and reconstitution of systems to a known state per defined Recovery Time Objectives
(RTO) and Recovery Point Objectives (RPO).
Microsoft also maintains emergency and contingency plans for the facilities in which Microsoft information systems that
process customer data are located. Microsoft’s redundant storage and its procedures for recovering data are designed to
attempt to reconstruct customer data in its original or last-replicated state from before the time it was lost or destroyed.
Data Recovery Procedures
On an ongoing basis, but in no case less frequently than once a week (unless no customer data has been updated
during that period), Microsoft maintains multiple copies of customer data from which customer data can be recovered.
Microsoft stores copies of customer data and data recovery procedures in a different place from where the primary
computer equipment processing the customer data is located.
Microsoft has specific procedures in place governing access to copies of customer data.
Microsoft reviews data recovery procedures at least every six months.
Microsoft logs data restoration efforts, including the person responsible, the description of the restored data and where
applicable, the person responsible and which data (if any) had to be input manually in the data recovery process.
7. The outsourcing agreement should have provisions to address monitoring and control.
Guidelines on Outsourcing, Paragraphs 5.5.2(e) and 5.8.1.
The OST gives the customer the ability to access and extract customer data, and specifies the audit and monitoring
mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance
standards.
The FSA further gives regulated financial institution customers, i.e. you, the opportunity to participate in the Microsoft FSI
Customer Compliance Program. This program allows you to engage with Microsoft during the term of the outsourcing
contract to ensure that you have oversight over the services in order to ensure that the services meet your legal and
regulatory obligations. Specifically, it enables you to have additional monitoring, supervisory and audit rights and additional
controls over Office 365, such as (a) access to Microsoft personnel for raising questions and escalations relating to Office
365, (b) invitation to participate in a webcast hosted by Microsoft to discuss audit results and subsequent access to detailed
information regarding planned remediation of any deficiencies identified by the audit, (c) receipt of communication from
Microsoft on (1) the nature, common causes, and resolutions of security incidents and other circumstances that can
reasonably be expected to have a material service impact on your use of Office 365, (2) Microsoft’s risk-threat evaluations,
and (3) significant changes to Microsoft’s business resumption and contingency plans or other circumstances that might
have a serious impact on your use of Office 365, (d) access to a summary report of the results of Microsoft’s third party
penetration testing against Office 365 (e.g. evidence of data isolation among tenants in the multi-tenanted services), and
(e) access to Microsoft’s subject matter experts through group events such as webcasts or in-person meetings (including
an annual summit event) where roadmaps of planned developments or reports of significant events will be discussed and
you will have a chance to provide structured feedback and/or suggestions regarding the FSI Customer Compliance
Program and its desired future evolution. The group events will also give you the opportunity to discuss common issues
with other regulated financial institutions and raise them with Microsoft.
8. The outsourcing agreement should have provisions to address audit and inspection.
Guidelines on Outsourcing, Paragraphs 5.5.2(f), 5.9.2, 5.9.3 and 5.10.2(b), for material outsourcing.
And
Notice 634, Banking Act, Paragraph 8a of the Appendix.
The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online
services meet appropriate security and compliance standards. This commitment is reiterated in the FSA as a standard
offering to regulated financial institutions. Under the FSA, Microsoft gives you a right to examine, monitor and audit its
provision of Office 365. Specifically, Microsoft (i) makes available to you the written Office 365 data security policy that
complies with certain control standards and frameworks, along with descriptions of the security controls in place for Office
365 and other information that you reasonably request regarding Microsoft’s security practices and policies; and (ii) causes
the performance of audits, on your behalf, of the security of the computers, computing environment and physical data
centers that it uses in processing your data (including personal data) for Office 365, and provides the audit report to you
upon request. These arrangements are offered to you in order to provide you with the appropriate level of assessment of
Microsoft’s ability to facilitate compliance against your policy, procedural, security control and regulatory requirements.
Please refer to the optional FSI Customer Compliance Program described in Requirement 7 above for opportunities to gain
further visibility and influence into Microsoft’s practices.
The FSA further describes that if a regulator requests, Microsoft will provide the regulator a direct right to examine the
relevant service, including the ability to conduct an on-premises examination; to meet with Microsoft personnel and
Microsoft’s external auditors; and to access related information, records, reports and documents. Microsoft will not disclose
customer data to the regulator except as described in the OST. Customer will at all times have access to its data using the
standard features of Office 365, and may delegate its access to its data to representatives of the MAS.
9. The outsourcing agreement should have provisions to address notification of adverse developments.
Guidelines on Outsourcing, Paragraphs 5.5.2(g) and 4.2.
Microsoft will notify the customer if it becomes aware of any security incident, and will take reasonable steps to mitigate the
effects and minimize the damage resulting from the security incident (see OST).
10. The outsourcing agreement should have provisions to address dispute resolution.
Guidelines on Outsourcing, Paragraph 5.5.2(h).
The MBSA covers dispute resolution process (Section 10.e.), warranties (Section 5), defense of third party claims (Section
6), limitation of liability (Section 7), and term and termination (Section 9). It further offers country-specific provisions
determined by applicable law (Section 11).
11. The outsourcing agreement should have provisions to address default termination and early exit.
Guidelines on Outsourcing, Paragraph 5.5.2(i)
And
Notice 634, Banking Act, Paragraph 10 of the Appendix.
You can terminate the MBSA or the EA for convenience at any time by providing not less than 60 days’ notice. In addition,
you have standard rights of termination for material breach. This gives you the flexibility and control you need to manage the
relationship with Microsoft, because it means that you can terminate the arrangements with or without cause.
12. The outsourcing agreement should have provisions to address sub-contracting.
Guidelines on Outsourcing, Paragraph 5.5.2(j).
Microsoft is permitted to hire subcontractors under the OST. The confidentiality of your data is protected when Microsoft
uses subcontractors because Microsoft commits that its subcontractors “will be permitted to obtain Customer Data only to
deliver the services Microsoft has retained them to provide and will be prohibited from using Customer Data for any other
purpose” (OST).
Microsoft commits that any subcontractors to whom Microsoft transfers your data will have entered into written agreements
with Microsoft that are no less protective than the data processing terms in the OST (OST).
Microsoft remains contractually responsible (and therefore liable) for its subcontractors’ compliance with Microsoft’s
obligations in the OST (OST). In addition, Microsoft’s commitment to ISO/IEC 27001, ISO/IEC 27018 and MTCS SS 584
requires Microsoft to ensure that its subcontractors are subject to the same security controls as Microsoft is subject to.
Microsoft maintains a list of authorized subcontractors for the online services that have access to your data and provides
you with a mechanism to obtain notice of any updates to that list (OST). The actual list can be accessed via
https://www.microsoft.com/en-us/trustcenter/Privacy/Who-can-access-your-data-and-on-what-terms#subcontractors. If you
do not approve of a subcontractor that is added to the list, then you are entitled to terminate the affected online services.
13. The outsourcing agreement should have provisions to address applicable laws.
Guidelines on Outsourcing, Paragraph 5.5.2(k).
MBSA section 10.h. sets out the applicable law provision.
14. The outsourcing agreement should be tailored to address issues arising from country risks and potential obstacles in exercising oversight and management of the outsourcing arrangements made with a service provider outside Singapore.
Guidelines on Outsourcing, Paragraphs 5.5.3 and 5.10.2(b).
Office 365 offers data-location transparency so that organizations and regulators are informed of the jurisdiction(s) in
which data is hosted. The data centers are strategically located around the world taking into account country and
socioeconomic factors. Microsoft’s data center locations are selected to offer stable socioeconomic environments. Please
refer to the Microsoft Trust Center for Office 365 data center locations at http://o365datacentermap.azurewebsites.net/.
The OST contains general commitments around data location. Microsoft commits that customer data transfers out of the
EU will be governed by the EU Model Clauses set out in the OST, which represent a high standard of care in relation to data
transfers. Also, as noted in the OST: “Any subcontractors to whom Microsoft transfers Customer Data, even those used for
storage purposes, will have entered into written agreements with Microsoft that are no less protective than the Data
Processing Terms”.