For the purpose of outsourcing of cloud services, licensees must ensure that, at a minimum, the following security measures are in place:
Customer information must be encrypted and licensees must ensure that all encryption keys or similar forms of authentication are kept secure within the licensee's control;
(b) A secure audit trail must be maintained for all actions performed at the cloud services
(c) A comprehensive change management procedure must be developed to account for future changes to technology with adequate testing of such changes;
(d) The licensee's data must be logically segregated from other entities data at the outsourcing service provider's platform;
(e) The cloud service provider must provide information on measures taken at its platform to ensure adequate information security, data security and confidentiality, including but not limited to forms of protection available against unauthorized access and incident management process in cases of data breach or data loss; and
(f) The right to release customer information/data in case of foreign government/court orders must be the sole responsibility of the licensee, subject to the CBB Law.
Added: October 2017