THE PHILIPPINES GUIDANCE ON COMPLYING …download.microsoft.com/download/F/1/1/F11BF195-2233-479C...Confidential Page 1 of 55 THE PHILIPPINES GUIDANCE ON COMPLYING WITH REGULATORY

Confidential

Page 1 of 55

THE PHILIPPINES

GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE TO FINANCIAL SERVICES INSTITUTIONS USING CLOUD COMPUTING

Last updated: November 2014

1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?

This guidance document provides a guide to complying with the regulatory process and requirements applicable to financial services institutions using cloud computing. In this guidance, financial services institutions means banks and other BSP-supervised institutions (“FSIs”).

Sections 2 to 6 of this guidance set out information about the regulatory process and the regulations that apply.

Section 7 of this guidance is intended to make the process easier for you by providing information, tips and template responses for each of the questions contained in the Cloud Computing Questionnaire. The template responses may provide sufficient detail, but if you require further information, Microsoft will be happy to provide it if you get in touch with your Microsoft contact. Microsoft has, in the relevant places within this guidance document, inserted links to relevant laws and guidance for your ease of reference.

Appendix One also contains a list of the mandatory contractual requirements required by relevant regulation.

Note that this document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment on the part of Microsoft or its affiliates. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your technology outsourcing project and your legal and regulatory obligations. If you have any questions, please do not hesitate to get in touch with your Microsoft contact.

2. WHAT REGULATIONS AND GUIDANCE ARE RELEVANT?

BSP has created the Cloud Computing Questionnaire from its own rules and guidance documents on technology risk management, outsourcing and cloud computing, and other relevant statutes and regulations, including:

- BSP Guidelines on Information Technology Risk Management for All Banks and Other BSP Supervised Institutions (“IT Guidelines”),
- BSP Revised Outsourcing Framework for Banks,
- BSP’s “Manual of Operation for Banks” and
- other underlying laws and regulations such as the Bank Deposits Secrecy Law.

3. WHO IS/ARE THE RELEVANT REGULATOR(S)?

Bangko Sentral ng Pilipinas (“BSP”)

4. IS REGULATORY APPROVAL REQUIRED IN THE PHILIPPINES?

Yes.

BSP is aware of the general trend of FSIs wishing to use cloud IT solutions such as Microsoft Office 365. It currently requires that all FSIs obtain the prior approval of the Monetary Board in order to outsource IT systems and processes.

5. IS/ARE THERE (A) SPECIFIC FORM OR QUESTIONNAIRE(S) TO BE COMPLETED?

Yes.

In order to streamline the process of obtaining approval, BSP has issued the attached “Cloud Computing Questionnaire”, which contains a number of questions about an FSI’s decision to use a cloud computing solution. The main purpose of the Cloud Computing Questionnaire is to establish that your organization has carried out appropriate due diligence and that the proposed service complies with applicable regulatory requirements in relation to issues such as data security, confidentiality and disaster recovery. You are required to complete this questionnaire as part of the approval process.

6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?

Yes.

The Cloud Computing Questionnaire itself contains some questions which ask for confirmation that certain specific items are covered in the Bank’s contract with its service provider. Appendix One contains a comprehensive list and details of where in the Microsoft contractual documents these points are covered.

7. CHECKLIST

Key:

In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the point raised in the checklist. Some points are specific to your own internal operations and processes and you will need to complete these answers as well.

In red italics, Microsoft has provided guidance to assist you with the points in the checklist.

Ref Question/requirement Template response and guidance

A. OVERVIEW OF THE OUTSOURCED ACTIVITIES AND SERVICE PROVIDER/S

1. Describe all proposed activities and operations to be outsourced to the Cloud Service Provider (“CSP”).

IT Guidelines, Appendix 75e, Section 3, states that “prior to entering into an outsourcing plan, the FSI should clearly define the business requirements for the functions or activities to be outsourced”.

Certain IT functions will be outsourced through the use of Microsoft’s “Office 365” service, which is described in more detail here: Microsoft Office 365.

Amongst other things, the Office 365 service includes:

- Microsoft Office applications hosted in the “cloud”;
- Hosted email;
- Web conferencing, presence and instant messaging;
- Data and application hosting;
- Spam and malware protection; and
- IT support services.

We will not be outsourcing any core or inherent banking functions such as services associated with placement of deposits and withdrawals.

2. Who is the CSP? Please provide company profile/background. In relation to outsourcing of the above activities, identify and provide background of all the other vendors/subcontractors that are in the critical path of the CSP.

IT Guidelines, Appendix 75e, Section 3, states that “Before selecting a service provider, the FSI should perform appropriate due diligence”. Details of the Microsoft corporate entity providing the services, and how Microsoft works with third party subcontractors, are provided below. If you require further information about any third parties that are involved in Microsoft’s service provision, please reach out to your Microsoft contact.

The CSP is Microsoft Operations Pte Ltd, the regional licensing entity for Microsoft Corporation, a global provider of information technology devices and services, which is publicly listed in the USA (NASDAQ: MSFT). Microsoft’s full company profile is available here: https://www.microsoft.com/en-us/news/inside_ms.aspx.

Microsoft does use sub-contractors to provide certain ancillary assistance, but not for any critical path roles. An up-to-date list of all subcontractors used to provide the ancillary services (including exact services) is available at http://trustoffice365.com.

3. Describe in detail all the data that would be processed or stored by the CSP.

IT Guidelines, Annex A to Appendix 75e states that “It is important that FSIs maintain a comprehensive data inventory and a suitable data classification process”. You will need to tailor this section depending on what data you intend to store or process within Office 365.

- Customer data (including customer name, contact details, account information, payment card data, security credentials and correspondence) (but not any data to which the Law on Secrecy of Deposits applies – see question B.1a., below).
- Employee data (including employee name, contact details, internal and external correspondence by email and other means and personal information relating to their employment with the organization).
- Transaction data (data relating to transactions in which the organization is involved).
- Indices (for example, market feeds).
- Other personal and non-personal data relating to the organization’s business operations as an FSI.

We ensure, pursuant to the terms of the contract in place with Microsoft, that all data (but in particular any customer data) is treated with the highest level of security so that we can continue to comply with our legal and regulatory obligations and our commitments to customers. We of course only collect and process data that is necessary for our business operations, in compliance with all applicable laws and regulations, and this applies whether we process the data on our own systems or via a cloud solution such as Microsoft Office 365.

4. What type of cloud services/cloud deployment model would the CSP be implementing for the Bank?

In IT Guidelines, Appendix 75e, Section 4.3, BSP lists four different cloud deployment models: private, public, community and hybrid.

Select the following text if using Office 365 multi-tenanted version:

Public Cloud: Office 365 is a multi-tenant service. It hosts multiple tenants in a secure way through logical data isolation/separation. Data storage and processing for each tenant is segregated through Active Directory structure and capabilities specifically developed to help build, manage, and secure multi-tenant environments. Active Directory isolates customers using security boundaries (also known as silos). This safeguards a customer’s data so that the data cannot be accessed or compromised by co-tenants.

Select the following text if using Office 365 dedicated version:

Private Cloud: We have secured an offering that provides for a dedicated hosted offering, which means that our data is hosted on hardware dedicated to us.

5. Will the proposed outsourcing require offshoring? If so, from which territory(ies) will the outsourced cloud services be provided?

IT Guidelines, Annex A to Appendix 75e states that “such concerns [about risks relating to data ownership and location] can be alleviated if the CSP has some reliable means to ensure that an organization’s data is stored and processed only within specific jurisdictions”. Microsoft has provided some additional optional wording below to explain the location of Microsoft’s data centers in more detail.

Yes. Microsoft is transparent in relation to the location of our data. Microsoft data center locations are made public on the Microsoft Trust Center.

The table below will need to be amended depending on the specific solution that you are taking up.

No. | Locations of Data Centre | Classification of DC: Tier I, II, III or IV | Storing your organization’s data (Y/N)
1.  |                          |                                             |
2.  |                          |                                             |

a. Political (i.e. cross-border conflict, political unrest etc). Office 365 offers data-location transparency so that the organizations and regulators are informed of the jurisdiction(s) in which data is hosted. We are confident that Microsoft’s data center locations offer extremely stable political environments.

b. Country/socioeconomic. Office 365 offers data-location transparency so that the organizations and regulators are informed of the jurisdiction(s) in which data is hosted. The centers are strategically located around the world taking into account country and socioeconomic factors. We are confident that Microsoft’s data center locations offer extremely stable socioeconomic environments.

c. Infrastructure/security/terrorism. Microsoft’s data centers are built to exacting standards, designed to protect customer data from harm and unauthorized access. Data center access is restricted 24 hours per day by job function so that only essential personnel have access. Physical access control uses multiple authentication and security processes, including badges and smart cards, biometric scanners, on-premises security officers, continuous video surveillance and two-factor authentication. The data centers are monitored using motion sensors, video surveillance and security breach alarms.

d. Environmental (i.e. earthquakes, typhoons, floods). Microsoft data centers are built in seismically safe zones. Environmental controls have been implemented to protect the data centers including temperature control, heating, ventilation and air-conditioning, fire detection and suppression systems and power management systems, 24-hour monitored physical hardware and seismically-braced racks. These requirements are covered by Microsoft’s ISO/IEC 27001 accreditation for Office 365.

Legal. We will have in place a binding negotiated contractual agreement with Microsoft in relation to the outsourced service, giving us direct contractual rights. We also took into account the fact that Office 365 was built based on ISO 27001 standards, a rigorous set of global standards covering physical, logical, process and management controls. Finally, we took into account the fact that Microsoft offers access and regulator audit rights, thereby allowing us to comply with our regulatory obligations in this respect.

B. ADDRESSING CLOUD RISKS AND OTHER AREAS OF CONCERN

1. Legal and Regulatory Compliance

a. Law on Secrecy of Deposits (R.A. No. 1405) Law on Secrecy of Deposits.

Not applicable since we will not be sharing with Microsoft any information regarding deposits. This law is not relevant to the use of Office 365, since it is just Microsoft Office applications hosted in the cloud.

As required by the Law on Secrecy of Deposits, we will not be sharing with Microsoft or any other contractor information regarding deposits. We will continue to treat such information in the strictest of confidence in compliance with our legal obligations. Accordingly, use of Microsoft Office 365 does not create any risk of non-compliance with the Law on Secrecy of Deposits.

b. Foreign Currency Deposit System (R.A. 6426) Foreign Currency Deposit System.

Not applicable since we will not be using Office 365 to engage in transactions directly related to foreign currencies.

We will not be using Microsoft Office 365 to engage in transactions related to foreign currencies, which are the types of transaction that the Foreign Currency Deposit System regulates. Accordingly, use of Microsoft Office 365 does not create any risk of non-compliance with the Foreign Currency Deposit System.

c. Anti-Money Laundering Act, particularly on data/file retention. Anti-Money Laundering Council guidance.

Not applicable.

Our use of Microsoft Office 365 would not have any negative impact on our ability to comply with our requirements under the Anti-Money Laundering Act since it does not change our processes, and data and documents will continue to be available to us on a constant basis.

In particular, our use of Microsoft Office 365 will not change our approach to: (a) customer identification – we will continue to establish and record the true identity of our customers in the same way; and (b) covered transactions – we will continue to have procedures in place to report these in the same way.

Regarding data and file retention, we are aware of our obligations to keep records in respect of transactions, customer identification, account files, business correspondence, etc. Microsoft has in place excellent data backup and recovery arrangements for data residing within its data centers, so to the extent that any of the required records are stored within Microsoft’s data centers, we are confident that we will continue to comply with our record-keeping obligations. Indeed, additional comfort and security will be assured as a result.

Please find below some further information about the data backup and recovery arrangements that Microsoft has in place to protect our records and ensure that they are available to us on a constant basis:

Redundancy
- Physical redundancy at server, data center, and service levels;
- Data redundancy with robust failover capabilities; and
- Functional redundancy with offline functionality.

Resiliency
- Active load balancing;
- Automated failover with human backup; and
- Recovery testing across failure domains.

Distributed Services
- Distributed component services like Exchange Online, SharePoint Online, and Lync Online limit the scope and impact of any failures in a component;
- Directory data replicated across component services insulates one service from another in any failure events; and
- Simplified operations and deployment.

Monitoring
- Internal monitoring built to drive automatic recovery;
- Outside-in monitoring raises alerts about incidents; and
- Extensive diagnostics provide logging, auditing, and granular tracing.

Simplification
- Standardized hardware reduces issue isolation complexities;
- Fully automated deployment models; and
- Standard built-in management mechanism.

Human backup
- Automated recovery actions with 24/7 on-call support;
- Team with diverse skills on the call provides rapid response and resolution; and
- Continuous improvement by learning from the on-call teams.

Continuous learning
- If an incident occurs, Microsoft does a thorough post-incident review every time; and
- Microsoft’s post-incident review consists of analysis of what happened, Microsoft’s response, and Microsoft’s plan to prevent it in the future.

d. Electronic Commerce Act (R.A. 8792) Electronic Commerce Act.

The Electronic Commerce Act applies to our use of Office 365. The law imposes a general obligation of confidentiality over “any electronic key, electronic data message, or electronic document, book, register, correspondence, information, or other material.”

Our use of Microsoft Office 365 will not have any negative impact on our ability to comply with the requirements of the Electronic Commerce Act. Indeed, we consider that our use of Microsoft Office 365 is actually in line with the requirements of the Act and its obligation of confidentiality.

e. Data Privacy Law Data Privacy Act.

Our use of Microsoft Office 365 would not cause us to fail to meet any obligation we may have under the Data Privacy Act. In fact, we think that Microsoft Office 365 has features that will help us comply with certain provisions (including security obligations). We will continue to maintain overall responsibility and accountability for compliance with the Privacy Act.

In relation to the specific requirements of the Privacy Act that apply to the use of cloud services:

a. We have an obligation to implement reasonable and appropriate organizational, physical and technical measures to protect personal information. We are satisfied with Microsoft’s security procedures, as described in its Standard Response to Request for Information – Security and Privacy (and further described in other parts of this document).

b. We have an obligation to use contractual or other reasonable means to provide a comparable level of protection while the information is being processed by Microsoft. We are satisfied that our legally-binding agreement with Microsoft, and the operational procedures we have in place to monitor compliance, together with our choice of service provider, will provide at least a comparable level of protection for personal information. Our contract with Microsoft ensures that all data (but in particular any customer data) is treated with the highest level of security enabling us to continue to comply with our legal and regulatory obligations and our commitments to customers.

We also took into account the fact that the European Union’s data protection authorities have found that Microsoft’s enterprise cloud contracts meet the high standards of EU privacy law. Microsoft is the first – and so far the only – company to receive this approval.

f. Regulations concerning IT risk management, electronic banking and reporting of security incidents.

BSP Guidelines on Information Technology Risk Management, Electronic Banking Regulations (Circular No. 240 series of 2000; Circular No. 269 series of 2000; and Circular No. 542 series of 2006) and BSP’s Internet and Wireless Banking Security Measures (Appendix B to BSP Circular No. 542 s. 2006 on Consumer Protection for Electronic Banking).

The BSP Guidelines on Information Technology Risk Management for All Banks and Other BSP Supervised Institutions: Our use of Microsoft Office 365 would not cause us to fail to meet any obligation we may have under the IT risk management regulations. Our responses to questions about IT risk management elsewhere in this document are based on the requirements in the IT risk management regulations. We consider that Microsoft Office 365 meets these requirements.

Electronic Banking: Electronic Banking Regulations govern e-banking services and products offered by banks to their customers. They are not applicable since we will not be using Office 365 for e-banking services.

Reporting of Security Incidents: The existing regulations do not specifically provide for reporting of security incidents; they do not define the term “security incident” and there is no prescribed format for reporting “security incidents”. The BSP’s Internet and Wireless Banking Security Measures (Appendix B to BSP Circular No. 542 s. 2006 on Consumer Protection for Electronic Banking) mentions “security incidents” but only in the context of directing banks to “establish an incident management and response plan and test the predetermined action plan relating to security incidents”. Office 365 includes an incident management and response plan (that is tested) that goes beyond these regulatory requirements. See our answer to question B.4.g below for more details.

g. How does the Bank (and its CSP) ensure consumer protection under a cloud environment?

For example, BSP Handbook on Consumer Laws Covering BSP-Supervised Financial Institutions. The majority of these rules would not be applicable to the use of Office 365, since they tend to cover customer-facing functions such as deposits, credit etc.

We have in place internal processes and procedures to ensure that our consumers are protected. This will not change through the proposed use of cloud services. We have reviewed the BSP Handbook on Consumer Laws Covering BSP-Supervised Financial Institutions and do not believe that our use of Office 365 would inhibit our ability to comply with these requirements. In fact, we believe that Office 365 will actually have some major benefits for our IT operations and, accordingly, improve the overall service that we are able to provide to customers.

h. How would the Bank guarantee the grant of BSP access to CSP’s infrastructure to determine compliance with applicable laws and regulations and assess soundness of risk management processes and controls in place?

IT Guidelines, Annex A to Appendix 75e states that “the CSP should grant BSP access to its cloud infrastructure to determine compliance with applicable laws and regulations and assess soundness of risk management processes and controls in place”. Microsoft does grant this kind of access. Microsoft also offers a Compliance Framework Program for FSIs. If you take up the Compliance Framework Program, you may add this additional information about its key features: the regulator audit/inspection right, access to Microsoft’s security policy, the right to participate at events to discuss Microsoft’s compliance program, the right to receive audit reports and updates on significant events, including security incidents, risk-threat evaluations and significant changes to the business resumption and contingency plans.

We have agreed with Microsoft that the BSP will have an audit/inspection right, so that the BSP can carry out inspections or examinations of Microsoft’s facilities, systems, processes and data relating to the services to determine and confirm that it is in compliance with applicable laws and regulations and assess the soundness of the risk management processes and controls which it has in place. The willingness of Microsoft to agree to a regulator audit/inspection is a key advantage of the Microsoft offering over many of the other CSPs’ offerings and one of our reasons for choosing this solution.

2. GOVERNANCE AND RISK MANAGEMENT

a. Has Bank management considered the overall business and strategic objectives prior to outsourcing the specific IT operations?

BSP expects that management would need to have considered the overall business and strategic objectives (IT Guidelines, Annex A to Appendix 75e). The sample answer above covers legal/regulatory compliance and customer satisfaction but we would suggest adding to this response details of:

- internal processes that were carried out;
- who handled the process and which areas of the business were involved or advised; and
- any external consultants or legal counsel involved.

Yes.

Management of our organization has been involved throughout to ensure that the project aligns with our organization’s overall business and strategic objectives. At the center of our objectives are of course legal and regulatory compliance and customer satisfaction, and these were the key objectives that management had in mind when it considered this project. We are satisfied that this solution will ensure legal and regulatory compliance because of the key features (including the security and audit rights) forming part of the Office 365 service. We are also satisfied that customer satisfaction will be maintained because we believe that Office 365 will actually have some major benefits for our IT operations and, accordingly, improve the overall service that we are able to provide to customers.

b. Does your Bank have a written, board-approved outsourcing policy and rationale for outsourcing? Please provide a copy of the outsourcing policy and rationale.

BSP requires that banks have in place a comprehensive policy on outsourcing duly approved by the board of directors of the bank (IT Guidelines, page 12). This should be “an effective outsourcing oversight program that provides the framework for management to understand, monitor, measure and control the risks associated with outsourcing”. This will differ from one organization to another but would typically include a framework to address the following:

- Risk assessment in respect of the outsourcing (more details of which are asked about in question d. below);
- Selection of service providers (including appropriate due diligence);
- Contract review; and
- Ongoing review and monitoring.

c. What procedures does the Bank have in place to

ensure that all its relevant business units are fully

aware of, and comply with, the outsourcing policy?

You will need to explain how the relevant business units are brought under the

scope of the outsourcing policy.

d. Has a proper risk assessment of the elements specific

to the proposed cloud outsourcing been conducted?

Provide details on the risk assessment process.

Appendix 75e, Section 3.1 of the IT Guidelines. Clearly BSP expects that your

organization would have carried out a risk assessment. In summary, the risk

assessment should:

define the business requirements for the functions or activities to be

outsourced;

assess the risk of outsourcing those functions or activities;

establish appropriate measures to manage and control the identified risks;

and

take into account the criticality of the services to be outsourced, the

capability of the service provider and the technology it will use in

delivering the outsourced service.

If you have any questions when putting together a risk assessment, please do not

hesitate to get in touch with your Microsoft contact.

Yes.

Led by our management we have carried out a thorough risk assessment of the

move to Office 365. This risk assessment included:

[ ];


[ ]; and

[ ].

e. How does the Bank ensure that it maintains ultimate

responsibility for this outsourcing arrangement?

IT Guidelines, Appendix 75e, Section 2.1, which requires the Board and senior

management to maintain ultimate responsibility and accountability.

The handing over of certain day to day responsibility to an outsourcing provider

does present some challenges in relation to control. Essential to us is that, despite

the outsourcing, we retain control over our own business operations, including

control of who can access data and how they can use it. At a contractual level, we

have dealt with this via our contract with Microsoft, which provides us with legal

mechanisms to manage the relationship including appropriate allocation of

responsibilities, oversight and remedies and the mandatory provisions required by

BSP. At a practical level, we have selected the Office 365 product since it

provides us with transparency in relation to data location, authentication and

advanced encryption controls. We (not Microsoft) will continue to own and retain

all rights to our data and our data will not be used for any purpose other than to

provide us with the Office 365 services. As part of Microsoft’s certification

requirements, they are required to undergo regular independent third party

auditing (via the SSAE16 SOC1 Type II audit, a globally-recognized standard),

and Microsoft shares with us the independent third party audit reports. Microsoft

also agrees as part of the compliance program to customer right to monitor and

supervise. We are confident that all of these arrangements ensure that we

maintain ultimate responsibility for this outsourcing arrangement.

3. DUE DILIGENCE


a. Is the CSP selection process formally defined and

documented? If yes, provide documentation.

IT Guidelines, Appendix 75e, Section 3.2., which states that before selecting a

service provider the FSI should perform appropriate due diligence. The factors it

suggests should be considered are those listed in the sample answer below. The

question also requests that you provide documentation relating to the process.

Yes.

The selection process was formally documented. It covered the service provider’s:

financial soundness;

reputation;

managerial skills

technical capabilities; and

operational capability and capacity in relation to the services to be

performed.

Please see the attached documentation for further information.

b. Provide the CSP selection criteria and elaborate the

reasons for choosing the CSP.

The BSP does not provide a standard set of selection criteria (although the factors

mentioned in the sample answer to question B.3.a., above, will of course be

relevant). The list below includes some common factors that customers have

informed Microsoft are important in their choice of service provider. We would

advise that, in addition to the below, you set out some more detail about how you

ran your specific selection process. This might include details of the number of

CSPs you considered, whether you had a formal tender process, how long the


process took, etc. This may already be addressed in the documentation you

provide in response to question B.3.a. above.

We followed a rigorous review and selection process. Set out below are the

specific areas we considered and why we decided on Microsoft:

a. Competence and experience. Microsoft is an industry leader in cloud

computing. Office 365 was built based on ISO/IEC 27001 standards and

was the first major business productivity public cloud service to have

implemented the rigorous set of global standards covering physical,

logical, process and management controls.

b. Past track-record. 40% of the world’s top brands use Office 365. We

consulted various case studies relating to Office 365, which are available

on the Microsoft website and also considered the fact that Microsoft has

amongst its customers some of the world’s largest organizations and

financial institutions.

c. Specific financial services credentials. Financial Institution customers

in leading markets, including in the UK, France, Germany, Australia,

Singapore, Canada, the United States and many other countries have

performed their due diligence and, working with their regulators, are

satisfied that Office 365 meets their respective regulatory requirements.

This gives us confidence that Microsoft is able to help meet the high

burden of financial services regulation and is experienced in meeting

these requirements.

d. Microsoft’s staff hiring and screening process. All personnel with


access to customer data are subject to background screening, security

training and access approvals. In addition, the access levels are reviewed

on a periodic basis to ensure that only users who have appropriate

business justification have access to the systems. User access to data is

also limited by user role. For example, system administrators are not

provided with database administrative access.

e. Financial strength of Microsoft. Microsoft Corporation is publicly-listed

in the United States and is amongst the world’s largest companies by

market capitalization. Microsoft’s audited financial statements indicate that

it has been profitable for each of the past three years. Its market

capitalization is in the region of USD 280 billion. Accordingly, we have no

concerns regarding its financial strength.

f. Business resumption and contingency plan. Microsoft offers a

contractually-guaranteed 99.9% uptime, with the service hosted in world class data

centers that have physical redundancy at disk, NIC, power supply and server

levels, constant content replication, robust backup, restoration and failover

capabilities, and real-time issue detection and automated response, such that

workloads can be moved off any failing infrastructure components with no

perceptible impact on the service, supported by 24/7 on-call engineering teams.

g. Security and internal controls, audit, reporting and monitoring.

Microsoft is an industry leader in cloud security and implements policies

and controls on par with or better than on-premises data centers of even

the most sophisticated organizations. We have confidence in the security

of the solution and the systems and controls offered by Microsoft. In

addition to the ISO/IEC 27001 certification, Office 365 is designed for


security with BitLocker Advanced Encryption Standard (“AES”) encryption

of email at rest and secure sockets layer (“SSL”)/transport layer security

(“TLS”) encryption of data in transit. (BitLocker is full-volume encryption: it

protects data on disk against loss or theft of the physical media; it is not a

substitute for the personnel access controls described in d. above.) The

Microsoft service is subject to the SSAE16 SOC1 Type II audit, an independent,

third party audit.

c. Apart from the current CSP, have other

vendors/service providers been considered?

You will need to respond accordingly based on your specific selection process.

4. VENDOR MANAGEMENT/PERFORMANCE AND CONFORMANCE

a. Does the Service Level Agreement (“SLA”) cover the

minimum provisions required under existing rules and

regulations on outsourcing? (Circular No. 765)

Appendix to BSP Circular No.765, “Revised Outsourcing Framework for Banks”.

Yes. We have reviewed the list in Circular No.765 and are satisfied that the SLA,

in combination with the rest of Microsoft’s Business and Services Agreement

(“MBSA”), satisfies the minimum provisions.

The SLA is available at:

http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37

and the MBSA is available upon request. The SLA is contained within the MBSA.

b. Does the SLA (as defined above) clearly disclose other

parties (i.e. subcontractors) that are involved in the

delivery of cloud services?

Appendix 75e to IT Guidelines. BSP expects that “the extent to which

subcontractors perform additional services should be limited to peripheral or

support functions while the core services should rest with the main service

provider”. This would be the case with Office 365 – the core services remain with

Microsoft.


Yes.

We are satisfied that this requirement is met. The SLA is a standard document

which Microsoft uses for thousands of customers, so it does not contain details of

the specific subcontractors they propose to work with for this project. However,

Microsoft publishes an up-to-date list of all sub-contractors used as well as the

services they provide. This information is found at http://trustoffice365.com/. As

explained in the response to question A.2., above, no sub-contractors are involved

in critical path roles.

c. Describe CSP’s guarantee of availability and extent of

liability if SLAs are not met.

IT Guidelines, Appendix 75e, Section 3.4 states that “Management should include

SLAs in its outsourcing contracts to specify and clarify performance expectations,

as well as establish accountability for the outsourced activity”.

We are satisfied that our contract with Microsoft adequately specifies the

performance expectations and apportions responsibilities for the outsourced

activities. The availability and extent of liability are as follows:

a. Guarantee of availability: Microsoft provides a contractual, financially-backed

99.9% uptime guarantee for the Office 365 product, and the SLA covers performance

monitoring and reporting requirements which enable us to monitor Microsoft’s

performance on a continuous basis against service levels.

b. Extent of liability if SLAs not met: Under the service credits mechanism in

the SLA, we may be entitled to a service credit of up to 100% of the service

charges. If a failure by Microsoft also constitutes a breach of contract to which

the service credits regime does not apply, we would of course have ordinary


contractual claims available to us too under the contract.

d. Has the SLA been reviewed by a legal counsel?

Microsoft recommends that you do seek legal advice on the use of cloud

computing services in relation to statutory/regulatory/common law requirements.

Yes.

e. What monitoring processes does the Bank have to

manage the cloud outsourcing? Please describe and

provide documentation.

BSP expects that organizations would “establish a monitoring program to ensure

service providers deliver the quantity and quality of services required by the

contract” (IT Guidelines, Appendix 75e, Section 3.5.1). The “template response”

below explains how the Office 365 dashboard could be used by your organization

as part of these monitoring processes but you will need to add details of your own

internal processes.

We have reviewed the monitoring processes (set out in more detail in the following

paragraphs) and we are confident that appropriate processes are in place.

Microsoft’s SLA applies to the Office 365 product. Our IT administrators also have

access to the Office 365 Service Health Dashboard, which provides real-time and

continuous monitoring of the Office 365 service. The Service Health Dashboard

provides our IT administrators with information about the current availability of

each service or tool (and a history of availability status), details about service

disruptions or outages, and scheduled maintenance times. The information is

provided via an RSS feed.

The SLA, amongst other things, provides a contractual 99.9% uptime guarantee for

the Office 365 product and covers performance monitoring and reporting

requirements which enable us to monitor Microsoft’s performance on a continuous

basis against service levels. We also have access to the independent SSAE16

SOC1 Type II audit reports, which enable us to verify Microsoft’s performance.

Please find a copy of the SLA at:

http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37

As part of the support we receive from Microsoft, we also have access to a

technical account manager who is responsible for understanding our challenges

and providing expertise, accelerated support and strategic advice tailored to our

organization. This includes both continuous hands-on assistance and immediate

escalation of urgent issues to speed resolution and keep mission-critical systems

functioning. We are confident that such arrangements provide us with the

appropriate mechanisms for managing performance and problems.
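The monitoring program BSP expects (Appendix 75e, Section 3.5.1) has to be the Bank’s own, not just a view of the provider’s dashboard. The following is an added example, not code from this guidance or from Microsoft, of how an FSI could ingest a service health RSS feed into its own monitoring and decide when to escalate to the technical account manager. The feed below is a constructed sample whose layout (an “ID - Service - Kind” title, a description carrying a status) is an assumption; the real Office 365 feed format, the field names, and the one-hour escalation threshold are not taken from the page.

```python
"""Ingest a service-health RSS feed into a bank's own monitoring records.

Added example. The feed layout is constructed for illustration and is NOT the
real Office 365 Service Health feed format; field names are assumptions.
"""
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed sample feed (assumed layout, not captured from any provider).
SAMPLE_FEED = """<rss version="2.0">
<channel>
<title>Service Health (constructed sample)</title>
<item>
<title>EX12345 - Exchange Online - Service degradation</title>
<pubDate>Mon, 03 Nov 2014 08:15:00 +0000</pubDate>
<description>Users may be unable to send mail. Status: Investigating</description>
</item>
<item>
<title>SP67890 - SharePoint Online - Planned maintenance</title>
<pubDate>Sun, 02 Nov 2014 22:00:00 +0000</pubDate>
<description>Maintenance window. Status: Scheduled</description>
</item>
<item>
<title>EX12300 - Exchange Online - Service interruption</title>
<pubDate>Sat, 01 Nov 2014 10:00:00 +0000</pubDate>
<description>Resolved. Status: Service restored</description>
</item>
</channel>
</rss>
"""

# Ordering used to report the worst current state per service.
SEVERITY = {"open_incident": 3, "maintenance": 2, "informational": 1, "resolved": 0}
INCIDENT_WORDS = ("interruption", "degradation", "outage")
RESOLVED_WORDS = ("restored", "resolved")


def classify(kind, description):
    """Map free text to a SEVERITY key. Resolution wins over incident words,
    because a 'service restored' notice still names the original interruption."""
    text = f"{kind} {description}".lower()
    if any(w in text for w in RESOLVED_WORDS):
        return "resolved"
    if any(w in text for w in INCIDENT_WORDS):
        return "open_incident"
    if "maintenance" in text:
        return "maintenance"
    return "informational"


def parse_feed(xml_text):
    """Parse RSS 2.0 items into dicts: id, service, kind, status, published."""
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.iter("item"):
        title = item.findtext("title", "")
        description = item.findtext("description", "")
        pubdate = item.findtext("pubDate")
        if pubdate is None:
            continue  # without a timestamp the entry cannot be aged; skip, don't guess
        parts = [p.strip() for p in title.split(" - ", 2)]
        incident_id, service, kind = (parts + ["", "", ""])[:3]
        entries.append({
            "id": incident_id,
            "service": service,
            "kind": kind,
            "status": classify(kind, description),
            "published": parsedate_to_datetime(pubdate),  # timezone-aware
        })
    return entries


def service_status(entries):
    """Worst current status per service, for the bank's own status board."""
    worst = {}
    for e in entries:
        current = worst.get(e["service"])
        if current is None or SEVERITY[e["status"]] > SEVERITY[current]:
            worst[e["service"]] = e["status"]
    return worst


def escalation_candidates(entries, now_rfc2822, max_open_hours):
    """IDs of incidents still open for longer than max_open_hours at `now`.

    These are the ones to raise with the account manager instead of waiting on
    the dashboard. The threshold is a bank policy value (assumed here)."""
    now = parsedate_to_datetime(now_rfc2822)
    limit_seconds = max_open_hours * 3600
    return [
        e["id"] for e in entries
        if e["status"] == "open_incident"
        and (now - e["published"]).total_seconds() > limit_seconds
    ]


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for service, status in service_status(feed).items():
        print(f"{service}: {status}")
    print("escalate:", escalation_candidates(feed, "Mon, 03 Nov 2014 12:00:00 +0000", 1))
```

Keeping the parsed entries (with the bank’s own receipt timestamp) rather than relying on the provider’s dashboard history gives an independent record to reconcile against the SLA report and the SOC 1 audit period.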

f. Do you have a process to audit the CSP to assess its

compliance with your policy, procedures, security

controls and regulatory requirements? Please describe

the process.

IT Guidelines, Appendix 75e, Section 5 and Annex A. This is a question about

your own internal processes and so you will need to supplement this response

with details about that. However, it is of course relevant in this context to mention

that Microsoft permits audit and inspection both by their financial institution

customers and regulators and so we have set out some information about this

below. Microsoft also offers a Compliance Framework Program for FSIs, a key

feature of which is the regulator audit/inspection right.

Yes.

We are satisfied that this requirement is met.


We are confident that in our choice of Microsoft as CSP we have far more

extensive audit rights than most if not all other CSPs offer. This was an important

factor in our decision to choose this CSP.

In particular, the following audit protections are made available by Microsoft:

a. As part of Microsoft’s certification requirements, they are required to

undergo regular independent third party auditing (via the SSAE16 SOC1

Type II audit, a globally-recognized standard), and Microsoft shares with

us the independent third party audit reports. Microsoft also agrees as

part of the compliance program to customer right to monitor and

supervise. We are confident that such arrangements provide us with the

appropriate level of assessment of Microsoft’s ability to meet our policy,

procedural, security control and regulatory requirements.

b. As detailed in the response to question B.1.h., above, BSP is given a

contractual right of audit/inspection over Microsoft’s facilities, so that it can

assess and examine systems, processes and security and regulatory

compliance.

g. What are the procedures for identifying, reporting and

responding to security incidents and violations?

IT Guidelines, Appendix 75e, Annex A, states that “management processes of the

FSI should include appropriate notification procedures, effective monitoring of

security-related threats, incidents and events on both FSI’s and CSP’s networks;

comprehensive incident response methodologies; and maintenance of appropriate

forensic strategies for investigation and evidence collection”. The following sets

out some of the procedures and techniques that Microsoft has in place. In

addition, we recommend as part of this response that you include details of your


own processes in particular for responding to security breaches and violations.

This is an issue that we take very seriously. We have therefore checked these

procedures in detail with Microsoft and are confident that they provide excellent

means to enable us to identify, report and respond properly and promptly in the

event of any security incident or violation. We are assured that Microsoft is

committed to protecting the privacy of our data, and Microsoft makes this

statement in its Office 365 Privacy Statement.

First, there are robust procedures offered by Microsoft that enable the prevention

of security incidents and violations arising in the first place and detection in the

event that they do occur. Specifically:

a. Microsoft implements 24 hour monitored physical hardware. Data center

access is restricted 24 hours per day by job function so that only essential

personnel have access to customer applications and services. Physical

access control uses multiple authentication and security processes,

including badges and smart cards, biometric scanners, on-premises

security officers, continuous video surveillance, and two-factor

authentication.

b. Microsoft implements “prevent, detect, and mitigate breach”, which is a

defensive strategy aimed at predicting and preventing a security breach

before it happens. This involves continuous improvements to built-in

security features, including port scanning and remediation, perimeter

vulnerability scanning, OS patching to the latest updated security

software, network-level DDoS (distributed denial-of-service) detection and


prevention, and multi-factor authentication for service access.

c. Wherever possible, human intervention is replaced by an automated, tool-

based process, including routine functions such as deployment,

debugging, diagnostic collection, and restarting services. Office 365

continues to invest in systems automation that helps identify abnormal

and suspicious behavior and respond quickly to mitigate security risk.

Microsoft is continuously developing a highly effective system of

automated patch deployment that generates and deploys solutions to

problems identified by the monitoring systems—all without human

intervention. This greatly enhances the security and agility of the service.

d. Microsoft conducts penetration tests to enable continuous improvement of

incident response procedures. These internal tests help Office 365

security experts create a methodical, repeatable, and optimized stepwise

response process and automation.

Second, in the event that a security incident or violation is detected, Microsoft

Customer Service and Support notifies Office 365 subscribers by updating the

Service Health Dashboard that is available on the Office 365 portal. We would

have access to Microsoft’s dedicated support staff, who have a deep knowledge of

the service. Microsoft provides a Recovery Time Objective (“RTO”) of 1 hour or

less for Microsoft Exchange Online and 6 hours or less for SharePoint Online, and

a Recovery Point Objective (“RPO”) of 45 minutes or less for Microsoft Exchange

Online and 2 hours or less for SharePoint Online.

Finally, after the incident, Microsoft provides a thorough post-incident review


report (“PIR”). The PIR includes:

An incident summary and event timeline.

Broad customer impact and root cause analysis.

Actions being taken for continuous improvement.

Microsoft will provide the PIR within five business days following resolution of the

service incident. Administrators can also request a PIR using a standard online

service request submission through the Office 365 portal or a phone call to

Microsoft Customer Service and Support.

See also the responses to the questions in section B.7 below regarding business

continuity.

h. How would the CSP provide support to the Bank in

handling security incidents?

IT Guidelines, Appendix 75e, Annex A,

In addition to the details set out in response to the question immediately above, as

part of the support we receive from Microsoft, we also have access to a technical

account manager. This manager is responsible for understanding our challenges

and providing expertise, accelerated support and strategic advice tailored to our

organization. This includes both continuous hands-on assistance and immediate

escalation of urgent issues to speed resolution and keep mission-critical systems

functioning. We are confident that such arrangements provide us with the

appropriate mechanisms for managing performance and problems.

See also the responses to the questions in section B.7 below regarding business


continuity.

i. Describe the arrangement if the CSP’s action, faulty

software or hardware contributed to the security

breach?

IT Guidelines, Appendix 75e, Annex A.

The arrangement we have agreed with Microsoft under our Service Level

Agreement is that we will be entitled to service credits of up to 100% of the service

charges if Microsoft’s action, faulty software or hardware contributed to the

security breach.

Regardless of the cause of the breach, we would be entitled to the reporting and

response services described in the responses to questions B.4.g. and B.4.h.

above.

j. Is there a contingency plan for replacing the CSP in the

event of its cessation?

BSP would expect financial institutions to have a contingency plan in place if you

did decide to stop using the Office 365 service.

The agreement with Microsoft contains usual termination provisions. In the event

of cessation, we would either move back on premise or to an alternate CSP.

Microsoft is contractually required to hold our data for an agreed period to enable

such transition to occur in an orderly manner.

k. Do you have the right to terminate the SLA in the event

of default, ownership change, insolvency, change of

security or serious deterioration of service quality?

IT Guidelines, Appendix 75e, Section 3.4, states that “the FSI should link SLA to

the provisions in the contract regarding incentives, penalties and contract

cancellation”. Although Microsoft believes that the scenarios listed in the question

are very unlikely, the rights offered in its contract to terminate for convenience and

material breach provide customers with sufficient control to exit the relationship in

the unlikely event of one of these situations arising.


Yes.

We are satisfied that this requirement is met. Our main agreement with Microsoft

is called a Microsoft MBSA (as defined above) and that contains usual termination

provisions. The SLA is contained within the MBSA, which is terminable by us for

convenience at any time by providing not less than 60 days’ notice. Any

sub-agreements to the MBSA are terminable by us for convenience at any time by

providing not less than 30 days’ notice. In addition, we have standard rights of

termination for material breach. This gives us the flexibility and control we need to

manage the relationship with Microsoft because it means that we can terminate

the arrangements whether with or without cause.

l. In the event of contract termination with the service

provider, either on expiry or prematurely, is the Bank

able to have all IT information and assets promptly

removed or destroyed?

IT Guidelines, Appendix 75e, Annex A, reminds FSIs of the importance of

controlling data ownership, data location and retrieval.

Yes.

We are satisfied that this requirement is met. Microsoft will retain our data for 90

days following termination so that we may extract our data. If we request that

Microsoft end the retention period earlier, Microsoft will do so. As set out on page

33 of the OST, upon expiration or termination, the customer may extract its data

and the Service Provider will delete the data.

Microsoft uses best practice procedures and a wiping solution that is NIST 800-88

compliant. For hard drives that cannot be wiped, it uses a physical destruction

process (e.g. disintegrate, shred, pulverize, or incinerate) that renders the

recovery of information impossible. The appropriate means of


disposal is determined by the asset type. Records of the destruction are retained.

All Microsoft Online Services utilize approved media storage and disposal

management services. Paper documents are destroyed by approved means at

the pre-determined end-of-life cycle.

“Secure disposal or re-use of equipment and disposal of media” is covered under

the ISO/IEC 27001 standards against which Microsoft is certified.

5. SECURITY AND PRIVACY

a. Has the Bank revised/updated its information security

policies to incorporate activities outsourced to CSP?

IT Guidelines, Appendix 75e, Annex A, states that FSIs “may need to revise their

information security policies, standards, and practices to incorporate the activities

related to a CSP”. This can be read as an optional requirement (“may”) but BSP

would probably expect some justification if you have elected not to revise/update

the policies. The IT Guidelines state that policies should address:

1. Operational Risk;

2. Strategic Risk;

3. Reputation Risk; and

4. Compliance Risk.

Each risk area is described in more detail in the IT Guidelines, pages 5-6. If you

require any information from Microsoft in this respect, please do not hesitate to

speak to your Microsoft contact.


b. Does the Bank maintain a comprehensive data

inventory and a suitable data classification process to

facilitate CSP’s implementation of identity and access

controls?

IT Guidelines, Appendix 75e, Annex A, Security and Privacy. Note that this

question asks about the Bank’s own data inventory and classification process, so

you will need to add details of those; the template response below describes the

access controls Microsoft applies on its side.

Yes.

Microsoft logs who accesses all of our data. Microsoft applies strict controls over

which personnel roles and personnel will be granted access to customer data.

Personnel access to the IT systems that store customer data is strictly controlled

via role-based access control (“RBAC”) and lock box processes. Access control

is an automated process that follows the separation of duties principle and the

principle of granting least privilege. This process ensures that the engineer

requesting access to these IT systems has met the eligibility requirements, such

as a background screen, fingerprinting, required security training and access

approvals. In addition, the access levels are reviewed on a periodic basis to

ensure that only users who have appropriate business justification have access to

the systems. User access to data is also limited by user role. For example, system

administrators are not provided with database administrative access.

c. Are there documented security procedures for safeguarding hardware, software and data in the CSP?

IT Guidelines, Appendix 75e, Annex A, Security and Privacy.

Yes.

The security procedures for safeguarding hardware, software and data are documented in detail by Microsoft in its Standard Response to Request for Information – Security and Privacy. This confirms how the following aspects of Microsoft’s operations safeguard hardware, software and data:

Compliance;
Data Governance;
Facility;
Human Resources;
Information Security;
Legal;
Operations;
Risk Management;
Release Management;
Resiliency; and
Security Architecture.

Further details of Microsoft’s preventative and detection security procedures are included in the response to question B.4.g. above and question B.5.d. below.

In choosing Microsoft, we also took into account the fact that the European Union’s data protection authorities have found that Microsoft’s enterprise cloud contracts meet the high standards of EU privacy law. Microsoft is the first – and so far the only – company to receive this approval.

d. What security controls are in place to protect the transmission and storage of information/data within the CSP infrastructure?

IT Guidelines, Appendix 75e, Annex A, Security and Privacy.

Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and controls on par with or better than on-premises data centers of even the most sophisticated organizations. Office 365 was built based on ISO/IEC 27001 standards, a rigorous set of global standards covering physical, logical, process and management controls. This makes us confident that there are very robust security controls in place to protect the transmission and storage of information/data within Microsoft’s infrastructure.

Some information has already been provided on Microsoft’s security controls in Section B.4.g. and B.4.c. above. The following security features are also relevant to protecting the transmission and storage of information/data within the Microsoft infrastructure:

a. The Microsoft Office 365 security features consist of three parts: (a) built-in security features; (b) security controls; and (c) scalable security. These include 24-hour monitored physical hardware, isolated customer data, automated operations and lock-box processes, secure networks and encrypted data.

b. Microsoft implements the Microsoft Security Development Lifecycle (“SDL”), which is a comprehensive security process that informs every stage of design, development and deployment of Microsoft software and services, including Office 365. Through design requirements, analysis of attack surface and threat modeling, the SDL helps Microsoft predict, identify and mitigate vulnerabilities and threats from before a service is launched through its entire production lifecycle.

c. Networks within the Office 365 data centers are segmented to provide physical separation of critical back-end servers and storage devices from the public-facing interfaces. Edge router security provides the ability to detect intrusions and signs of vulnerability. Client connections to Office 365 use SSL (as defined above) for securing Outlook, Outlook Web App, Exchange ActiveSync, POP3, and IMAP. Customer access to services provided over the Internet originates from users’ Internet-enabled locations and ends at a Microsoft data center. These connections are encrypted using industry-standard TLS (as defined above)/SSL. The use of TLS/SSL establishes a highly secure client-to-server connection to help provide data confidentiality and integrity between the desktop and the data center. Customers can configure TLS between Office 365 and external servers for both inbound and outbound email. This feature is enabled by default. Microsoft also implements traffic throttling to prevent denial-of-service attacks. It uses the “prevent, detect and mitigate breach” process, as described in the response to question B.4.g. above.

d. From a people and process standpoint, preventing breach involves auditing all operator/administrator access and actions, zero standing permission for administrators in the service, “Just-In-Time (JIT) access and elevation” (that is, elevation is granted on an as-needed and only-at-the-time-of-need basis) of engineer privileges to troubleshoot the service, and segregation of the employee email environment from the production access environment. Employees who have not passed background checks are automatically rejected from high privilege access, and checking employee backgrounds is a highly scrutinized, manual-approval process. Data is also encrypted.

e. Content is encrypted, as described in the response to question B.5.e. below.

e. How is end-to-end application encryption security implemented to protect confidential/sensitive data transmitted between terminals and hosts?

IT Guidelines, Appendix 75e, Annex A, Security and Privacy: “A multi-tenant cloud deployment…increases the need for data protection through encryption”.

Data is encrypted. Customer data in Office 365 exists in two states:

At rest on storage media; and
In transit from a data center over a network to a customer device.

All email content is encrypted on disk using BitLocker AES (as defined above) encryption. Protection covers all disks on mailbox servers and includes mailbox database files, mailbox transaction log files, search content index files, transport database files, transport transaction log files, the page file, the OS system disk, and tracing/message tracking logs.

Office 365 also transports and stores secure/multipurpose Internet mail extensions (S/MIME) messages. Office 365 will transport and store messages that are encrypted using client-side, third-party encryption solutions such as Pretty Good Privacy (PGP).

f. How do the Bank and the CSP address the risk of compromise of confidential/sensitive information through unauthorized third-party access or access by the CSP employees?

IT Guidelines, Appendix 75e, Annex A, Security and Privacy, states that organizations need to address the risk of compromising confidential information through third party access. The sample answer below relates to Microsoft’s own controls. The response should also address and detail your own access controls.

Microsoft has in place the following access controls:

a. Physical access control uses multiple authentication and security processes, as described in the response to question B.4.g. above.

b. Microsoft applies strict controls over which personnel roles and personnel will be granted access to customer data. Personnel access to the IT systems that store customer data is strictly controlled via RBAC (as defined above) and lock box processes. Access control is an automated process that follows the separation of duties principle and the principle of granting least privilege. This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a background screen, fingerprinting, required security training and access approvals. In addition, the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems. User access to data is also limited by user role. For example, system administrators are not provided with database administrative access.

c. System level data such as configuration data/files and commands are managed as part of the configuration management system. Any changes or updates to or deletion of those data/files/commands will be automatically deleted by the configuration management system as anomalies.

g. How are CSP customers/subscribers authenticated?

IT Guidelines, Appendix 75e, Annex A, Security and Privacy.

Office 365 uses two-factor authentication to enhance security. Typical authentication practices that require only a password to access resources may not provide the appropriate level of protection for information that is sensitive or vulnerable. Two-factor authentication is an authentication method that applies a stronger means of identifying the user. The Microsoft phone-based two-factor authentication solution allows users to receive their PINs sent as messages to their phones, and then they enter their PINs as a second password to log on to their services.

h. Describe security controls in the following areas:

I. Security administration/system access functions
II. Password administration and management
III. Privilege accounts
IV. Remote access activities
V. Change management

IT Guidelines, Appendix 75e, Annex A, Security and Privacy.

Taking each of the sections in turn:

I. Security administration/system access functions. We are primarily in charge of security administration and systems. Our service provider, Microsoft, performs certain of these functions on our behalf and to our requirements pursuant to the contractual arrangements that we have in place with Microsoft. Microsoft effectively works alongside our IT and operations teams to ensure performance to the required standards. We retain ownership of all data that is hosted by Microsoft. We are also aware that our primary responsibility, which is to our customers, remains unchanged by virtue of us using Office 365.

II. Password administration and management. All access to production and customer data requires multi-factor authentication. Use of strong passwords is mandatory and passwords must be changed on a regular basis.

III. Privilege accounts are managed as follows:

a. Access to the IT systems that store customer data is strictly controlled via RBAC and lock box processes. Access control is an automated process that follows the separation of duties principle and the principle of granting least privilege. This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a background screen, fingerprinting, required security training, and access approvals. In addition, the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems. User access to data is also limited by user role. For example, system administrators are not provided with database administrative access.

b. In emergency situations, a “Just-In-Time (JIT) access and elevation system” is used to grant engineer privileges to troubleshoot the service (that is, elevation is granted on an as-needed and only-at-the-time-of-need basis).

c. An internal, independent Microsoft team will audit the log at least once per quarter.

d. All logs are saved to the log management system, which a different team of administrators manages. All logs are automatically transferred from the production systems to the log management system in a secure manner and stored in a tamper-protected way.

IV. Remote access activities. Administrators who have access to applications have no physical access to production systems, so administrators have to use the controlled, monitored remote access facility. All operations through this remote access facility are logged.

V. Change management. The Microsoft Office 365 change management team directs the process and procedures related to approval, scheduling, testing, and deployment of changes in the pre-production and production Office 365 infrastructure environments. The approach used in this service management function is built on the Information Technology Infrastructure Library (ITIL) and Microsoft Operations Framework (MOF) standards, which align with the change management process used in most organizations.
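The privilege-account controls described under III above (and the RBAC description repeated in the responses to questions B.5.b and B.5.f) amount to a decision procedure: confirm the engineer has cleared the eligibility checks, confirm the requested permission belongs to the engineer’s role, require an approver other than the requester, grant the privilege only for the time needed, and record every decision and use in a log that a different team can check for tampering. The Python below is an added illustration of that procedure written for this guidance; it is not Microsoft’s lockbox or Office 365 code, and the role names, permission strings, ticket ids, the 60-minute cap and the SHA-256 hash chain are all assumptions made for the example.

```python
"""Constructed illustration of eligibility gates, role-based least privilege,
separation of duties, time-bounded just-in-time (JIT) elevation and a
tamper-evident audit log. Not Microsoft's lockbox code; roles, permission
names, ticket ids and the time cap are assumptions."""
import hashlib
import json
from dataclasses import dataclass, field

# Assumed role model: "sysadmin" deliberately lacks database administration.
ROLE_PERMISSIONS = {
    "sysadmin": {"host.login", "service.restart", "logs.read"},
    "dba": {"db.admin", "logs.read"},
    "auditor": {"logs.read"},
}
# Eligibility an engineer must have cleared before elevation is considered.
REQUIRED_CHECKS = {"background_screen", "fingerprinting",
                   "security_training", "access_approval"}


@dataclass
class Engineer:
    name: str
    role: str
    checks_passed: set = field(default_factory=set)


@dataclass
class AuditLog:
    """Append-only log: each record commits to the previous record's hash, so
    a later edit to any stored record is detectable by independent reviewers."""
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"event": event, "prev": prev, "hash": digest})

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = json.dumps(entry["event"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


class JitAccessBroker:
    """Zero standing permissions: a privilege exists only while a time-bounded
    grant is live, and every decision and every use is written to the log."""

    def __init__(self, log: AuditLog, max_minutes: int = 60):
        self.log = log
        self.max_minutes = max_minutes
        self.grants = {}  # (engineer name, permission) -> expiry in minutes

    def request(self, eng: Engineer, permission: str, approver: Engineer,
                ticket: str, now: int, minutes: int) -> bool:
        reasons = []
        missing = REQUIRED_CHECKS - eng.checks_passed
        if missing:
            reasons.append("eligibility: missing " + ", ".join(sorted(missing)))
        if permission not in ROLE_PERMISSIONS.get(eng.role, set()):
            reasons.append(f"role {eng.role} does not include {permission}")
        if approver.name == eng.name:
            reasons.append("separation of duties: cannot approve own request")
        if minutes > self.max_minutes:
            reasons.append(f"window {minutes}m exceeds cap {self.max_minutes}m")
        granted = not reasons
        if granted:
            self.grants[(eng.name, permission)] = now + minutes
        self.log.append({"type": "elevation", "engineer": eng.name,
                         "permission": permission, "approver": approver.name,
                         "ticket": ticket, "at": now, "granted": granted,
                         "reasons": reasons})
        return granted

    def is_allowed(self, eng: Engineer, permission: str, now: int) -> bool:
        expiry = self.grants.get((eng.name, permission))
        allowed = expiry is not None and now < expiry
        self.log.append({"type": "use", "engineer": eng.name,
                         "permission": permission, "at": now, "allowed": allowed})
        return allowed


def demo() -> dict:
    """Exercise the broker; times are minutes from an arbitrary origin."""
    log = AuditLog()
    broker = JitAccessBroker(log, max_minutes=60)
    alice = Engineer("alice", "sysadmin", set(REQUIRED_CHECKS))
    bob = Engineer("bob", "sysadmin", {"background_screen", "security_training"})
    carol = Engineer("carol", "auditor", set(REQUIRED_CHECKS))
    out = {
        "alice_login": broker.request(alice, "host.login", carol, "INC-0001", 0, 30),
        "alice_dbadmin": broker.request(alice, "db.admin", carol, "INC-0001", 0, 30),
        "alice_self": broker.request(alice, "service.restart", alice, "INC-0002", 0, 30),
        "bob_login": broker.request(bob, "host.login", carol, "INC-0003", 0, 30),
        "use_in_window": broker.is_allowed(alice, "host.login", 10),
        "use_after_expiry": broker.is_allowed(alice, "host.login", 31),
        "log_intact": log.verify(),
    }
    # Flipping a stored denial to a grant breaks the chain from that record on.
    log.entries[2]["event"]["granted"] = True
    out["log_after_tamper"] = log.verify()
    return out
```

Running demo() shows the four elevation decisions (eligible engineer granted; sysadmin refused database administration; self-approval refused; engineer with incomplete checks refused) and the grant lapsing once the 30-minute window has passed. The hash chain stands in for the “tamper-protected” storage in item d: it does not prevent an edit, it makes any edit detectable when the independent team verifies the chain, which is the property a quarterly log audit relies on.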

i. Describe the physical and environmental controls available at the primary and secondary sites.

IT Guidelines, Appendix 75e, Annex A, Security and Privacy.

a. Physical: infrastructure/security/terrorism. Microsoft’s data centers are designed to protect customer data from harm and unauthorized access. Data center access is restricted 24 hours per day by job function so that only essential personnel have access. Physical access control uses multiple authentication and security processes, including badges and smart cards, biometric scanners, on-premises security officers, continuous video surveillance and two-factor authentication. The data centers are monitored using motion sensors, video surveillance and security breach alarms.

b. Environmental (i.e. earthquakes, typhoons, floods). Microsoft data centers are built in seismically safe zones. Environmental controls have been implemented to protect the data centers, including temperature control, heating, ventilation and air-conditioning, fire detection and suppression systems, power management systems, 24-hour monitored physical hardware and seismically-braced racks. These requirements are covered by Microsoft’s ISO/IEC 27001 accreditation for Office 365.

j. How and who will perform the monitoring and management for integrity checking, compliance checking, security monitoring and network performance?

IT Guidelines, Appendix 75e, Annex A, states that “continuous monitoring of information security requires maintaining ongoing awareness of security controls, vulnerabilities, and threats to support risk management decisions”. BSP acknowledges that FSIs will, to some extent, be dependent on CSPs for some of the monitoring but does expect that overall responsibility and oversight remains with the FSI.

Overall responsibility for these matters remains with our organization and we have procedures in place to monitor overall performance, as described in our response to question B.4.e., above.

Microsoft will perform the technical monitoring and management functions on our behalf. System level data such as configuration data/files and commands are managed as part of the configuration management system. Any changes or updates to or deletion of those data/files/commands will be automatically deleted by the configuration management system as anomalies.

We will receive information about system integrity, security monitoring and network performance through the Office 365 Service Health Dashboard, as described in our response to question B.4.e., above.

k. Are there procedures established to securely destroy or remove the data when the need arises?

IT Guidelines, Appendix 75e, Annex A, reminds FSIs of the importance of controlling data ownership, data location and retrieval.

Yes.

Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant, as described in the response to question B.4.l, above.

6. DATA OWNERSHIP AND DATA LOCATION AND RETRIEVAL

a. Where do data/information actually reside (or transition through) at a given point in time?

IT Guidelines, Annex A to Appendix 75e states that “the dynamic nature of cloud computing may result in confusion as to where information actually resides”. Microsoft is able to alleviate this concern by providing data location transparency.

Microsoft informs us that it takes a regional approach to hosting of Office 365 data. For customers like us with a presence in the Asia-Pacific region, the applicable Office 365 services will be hosted out of Microsoft’s highly-secure data centers. Commitments on the location of data at rest are discussed at p 10 of the OST, and may depend on where a customer provisions its service tenancy or specifies as the Geo for the online service. More details are set out on the Trust Centers for each applicable online service.

b. Does management fully understand where data are stored and how much control they have over those data?

IT Guidelines, Annex A to Appendix 75, “Data Ownership and Data Location and Retrieval”.

Yes.

Microsoft’s transparency as to data location was a key consideration as part of the service provider selection process. Microsoft informs us that it takes a regional approach to hosting of Office 365 data. Microsoft is transparent in relation to the location of our data. Microsoft data center locations are made public on the Microsoft Trust Center.


c. Who has the legal ownership of data? Is ownership of the data clearly stipulated in the SLA or other related contract/agreement?

IT Guidelines, Annex A to Appendix 75: “The FSI’s ownership rights over the data must be firmly established in the contract to enable a basis for trust and privacy of data”.

We retain ownership of all data that is hosted by Microsoft and this is made clear in our contract with them.

Microsoft has implemented a formal policy that requires assets (the definition of asset includes data and hardware) used to provide Microsoft’s services to be accounted for and to have a designated asset owner. Asset owners are responsible for maintaining up-to-date information regarding their assets.

“Allocation of information security responsibilities and ownership of assets” is covered under the ISO/IEC 27001 standards, specifically addressed in Annex A, domains 6.1.3 and 7.1.2. For more information, we suggest reviewing the publicly available ISO standards against which Microsoft is certified.

It is also relevant to note that the European Union’s data protection authorities have found that Microsoft’s enterprise cloud contracts meet the high standards of EU privacy law. Microsoft is the first – and so far the only – company to receive this approval.

d. Are the Bank’s data stored in the CSP’s systems commingled with those of other subscribers? Describe how the CSP is able to isolate and clearly identify Bank’s data to protect their confidentiality.

IT Guidelines, Annex A to Appendix 75e states that “the FSI should pay attention to the CSP’s ability to isolate and clearly identify its customer data”.

Active Directory isolates customers using security boundaries (also known as silos). This safeguards a customer’s data so that the data cannot be accessed or compromised by co-tenants.

7. BUSINESS CONTINUITY PLANNING

a. Does the CSP have a business continuity or disaster recovery plan? If yes, provide documentation or details.

IT Guidelines, Annex A to Appendix 75e states that “it is critical to ensure the viability of the CSP’s business continuity and disaster recovery plans to address broad-based disruptions to its capabilities and infrastructure”.

Yes.

Microsoft offers contractually-guaranteed 99.9% uptime, globally available data centers for primary and backup storage, physical redundancy at disk, NIC, power supply and server levels, constant content replication, robust backup, restoration and failover capabilities, real-time issue detection and automated response such that workloads can be moved off any failing infrastructure components with no perceptible impact on the service, and 24/7 on-call engineering teams.

See also the response to B.7.c., below.

b. What are the recovery time objectives (RTO) and recovery point objectives (RPO) of systems or applications outsourced to the CSP?

IT Guidelines, Annex A to Appendix 75e: “Recovery Time Objectives should also be clearly stated in the contract”.

RTO: 1 hour or less for Microsoft Exchange Online, 6 hours or less for SharePoint Online.

RPO: 45 minutes or less for Microsoft Exchange Online, 2 hours or less for SharePoint Online.


c. What are the data backup and recovery arrangements for your Bank’s data that reside with the CSP? In case the Bank becomes offline, how would the CSP synchronize data and processes that reside in the cloud?

IT Guidelines, Annex A to Appendix 75e.

Microsoft’s arrangements are as follows:

Redundancy
Physical redundancy at server, data center, and service levels;
Data redundancy with robust failover capabilities; and
Functional redundancy with offline functionality.

Resiliency
Active load balancing;
Automated failover with human backup; and
Recovery testing across failure domains.

Distributed Services
Distributed component services like Exchange Online, SharePoint Online, and Lync Online limit the scope and impact of any failures in a component;
Directory data replicated across component services insulates one service from another in any failure events; and
Simplified operations and deployment.

Monitoring
Internal monitoring built to drive automatic recovery;
Outside-in monitoring raises alerts about incidents; and
Extensive diagnostics provide logging, auditing, and granular tracing.

Simplification
Standardized hardware reduces issue isolation complexities;
Fully automated deployment models; and
Standard built-in management mechanism.

Human backup
Automated recovery actions with 24/7 on-call support;
Team with diverse skills on the call provides rapid response and resolution; and
Continuous improvement by learning from the on-call teams.

Continuous learning
If an incident occurs, Microsoft does a thorough post-incident review every time; and
Microsoft’s post-incident review consists of analysis of what happened, Microsoft’s response, and Microsoft’s plan to prevent it in the future.

For the avoidance of doubt, the nature of the services provided as part of Office 365 does not give rise to a risk that the Bank itself could become “offline” (i.e. there would be no implication for core banking functions such as transaction processing). In the event the Bank was affected by a service incident, the process described in the response to question B.4.f. above would apply.

d. How frequently does the CSP conduct business continuity and disaster recovery tests? Describe the BCP/DRP testing methodology.

IT Guidelines, Annex A to Appendix 75e: “The plans must be well documented and tested”.

Microsoft carries out disaster recovery testing at least once per year.

Business Continuity Management (“BCM”) forms part of the scope of the accreditation that Microsoft retains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations (see OST page 13). BCM also forms part of the scope of Microsoft’s annual third party compliance audit. If anything further is required we would work with Microsoft to provide whatever further clarity the regulator may require in this regard.

e. In relation to the above, describe how test results are validated.

IT Guidelines, Annex A to Appendix 75e: “The plans must be well documented and tested”.

As part of Microsoft’s certification requirements, it is required to undergo regular independent third party auditing and Microsoft shares with us the independent third party audit reports. Microsoft also agrees, as part of the compliance program, to the customer’s right to monitor and supervise.

f. Describe the prioritization agreements among subscribers in cases of multiple/simultaneous disasters.

IT Guidelines, Annex A to Appendix 75e: “Other BCP-related concerns which must be addressed include…Prioritization agreements in case of multiple/simultaneous disasters”.

Not applicable. There are no prioritization agreements amongst Microsoft subscribers. Our organization would be subject to the same prioritization as any other customer of the same services from Microsoft. Of course, the services are protected by Microsoft’s SLA and its accompanying terms and conditions. More information on the SLA is available at: http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37, and more details about Microsoft’s Service Continuity are available at: http://office.microsoft.com/en-us/business/office-365-online-service-availability-FX104028266.aspx.


APPENDIX ONE

MANDATORY CONTRACTUAL REQUIREMENTS

This table sets out the specific items that must be covered in the FSI’s agreement with the Service Provider.

Key:

Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.

In blue text, Microsoft has provided you with a reference to where in the agreement the contractual requirement is covered for ease of reference.

Terms used below are as follows:

OST = Online Services Terms
EA = Enterprise Agreement
Enrolment = Enterprise Enrolment
FSA = Financial Services Amendment
MBSA = Microsoft Business and Services Agreement
PUR = Product Use Rights
SLA = Online Services Service Level Agreement


Ref. Requirement Microsoft agreement reference

1. Does the SLA cover the minimum provisions required under the existing rules and regulations on outsourcing? (Circular No.765)

Cloud Computing Questionnaire – section B.4a (see above)

Yes.

We have reviewed the list in Circular No.765 and are satisfied that the SLA, in combination with the rest of the MBSA, satisfies the minimum provisions.

The SLA is available at: http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37 and the MBSA is available upon request. The SLA is contained within the MBSA.

2. Does the SLA clearly disclose other parties (i.e. subcontractors) that are involved in the delivery of cloud services?

Cloud Computing Questionnaire – section B.4b (see above)

Yes.

See page 9 of the OST, under which Microsoft is permitted to hire subcontractors.

Microsoft maintains a list of authorized subcontractors for the online services that have access to our data and provides us with a mechanism to obtain notice of any updates to that list (OST, page 10). The actual list is published on the applicable Trust Center. If we do not approve of a subcontractor that is added to the list, then we are entitled to terminate the affected online services.

The confidentiality of our data is protected when Microsoft uses subcontractors because Microsoft commits that its subcontractors “will be permitted to obtain Customer Data only to deliver the services Microsoft has retained them to provide and will be prohibited from using Customer Data for any other purpose” (OST, page 9).

Microsoft commits that any subcontractors to whom Microsoft transfers our data will have entered into written agreements with Microsoft that are no less protective than the data processing terms in the OST (OST, page 11).

Under the terms of the OST, Microsoft remains contractually responsible (and therefore liable) for its subcontractors’ compliance with Microsoft’s obligations in the OST (OST, page 9). In addition, Microsoft’s commitment to ISO/IEC 27018 requires Microsoft to ensure that its subcontractors are subject to the same security controls as Microsoft is subject to. Finally, the EU Model Clauses, which are included in the OST, require Microsoft to ensure that its subcontractors outside of Europe comply with the same requirements as Microsoft and set out in detail how Microsoft must achieve this.

3. What monitoring processes

does the Bank have to

manage the cloud

outsourcing? Please describe

and provide documentation.

Cloud Computing Questionnaire – section B.4e (see above)

The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA.


In addition, clauses 1e and 1f of the FSA detail the examination and influence rights that are granted to the customer and BSP. Clause 1e sets out a process which can culminate in the regulator’s examination of Microsoft’s premises. Clause 1f gives the customer the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.

4. Is ownership of the data clearly stipulated in the SLA or other contract/agreement?

Cloud Computing Questionnaire – section B.6c (see above)

Yes.

Ownership of Customer Data remains at all times with the customer (see OST, page 8).

5. Does the service provider have a business continuity or disaster recovery plan? If yes, provide documentation or details.

Cloud Computing Questionnaire – section B.6d (see above)

Yes.

As set out on page 13 of the OST, Microsoft maintains emergency and contingency plans for the facilities in which Microsoft information systems that process Customer Data are located. Business Continuity Management forms part of the scope of the accreditations that Microsoft maintains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations (see OST, page 13). Business Continuity Management also forms part of the scope of Microsoft’s annual third party compliance audit.