• Cloud Services

    • OM-2.8.6

      For the purpose of outsourcing of cloud services, licensees must ensure that, at a minimum, the following security measures are in place and included in the outsourcing agreement:

      (a) Customer information must be encrypted and licensees must ensure that all encryption keys or similar forms of authentication are kept secure within the licensee's control;
      (b) A secure audit trail must be maintained for all actions performed at the cloud services outsourcing service provider;
      (c) A comprehensive change management procedure must be developed to account for future changes in technology with adequate testing of such changes;
      (d) The licensee's data must be logically segregated from other entities' data on the outsourcing service provider's platform;
      (e) The cloud service provider must provide information on measures taken at its platform to ensure adequate information security, data security and confidentiality, including but not limited to forms of protection available against unauthorized access and incident management process in cases of data breach or data loss; and
      (f) The right to release customer information/data in case of foreign government/court orders must be the sole responsibility of the licensee, based on the CBB Law and the Personal Data Protection Law (PDPL).
      Added: January 2020

    • OM-2.8.7

      The licensees should consider how the outsourced activity is impacted by the variety of risks associated with cloud adoption, for example:

      a) Vendor lock-in (cloud vendor using proprietary technology preventing migration);
      b) Vendor lock-out (cloud going out of business, preventing access to data);
      c) Data and application interoperability;
      d) Segregation of data in SaaS environments;
      e) Distributed denial of service (DDoS) prevention;
      f) Impact of regulatory enforcement processes;
      g) Safeguards for management of cryptographic keys;
      h) Unmonitored access to administrative zones by staff and third parties;
      i) Remote access to administrative zones without strong authentication and accountability;
      j) Single points of failure in connectivity to cloud environments.
      Added: January 2020

    • OM-2.8.8

      The licensees must ensure that the cloud adoption does not result in data being stored in countries that are subject to United Nations sanctions.

      Added: January 2020