For the purpose of outsourcing of cloud services, licensees must ensure that, at a minimum, the following security measures are in place and included in the outsourcing agreement:

(a) Customer information must be encrypted and licensees must ensure that all encryption keys or similar forms of authentication are kept secure within the licensee's control;
(b) A secure audit trail must be maintained for all actions performed at the cloud services outsourcing service provider;
(c) A comprehensive change management procedure must be developed to account for future changes in technology with adequate testing of such changes;
(d) The licensee's data must be logically segregated from other entities' data at the outsourcing service provider's platform;
(e) The cloud service provider must provide information on measures taken at its platform to ensure adequate information security, data security and confidentiality, including but not limited to the forms of protection available against unauthorized access and the incident management process in cases of data breach or data loss; and
(f) The right to release customer information/data in case of foreign government/court orders must be the sole responsibility of the licensee, based on the CBB Law and the Personal Data Protection Law (PDPL).
Added: January 2020