Open Data Center Alliance Usage: RegulatORY Framework

sm

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage : Regulatory Framework

Legal Notice
2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED. This Open Data Center AllianceSM Usage: Regulatory Framework is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS WHO ARE NOT OPEN DATA CENTER ALLIANCE PARTICIPANTS : Non-Open Data Center Alliance Participants only have the right to review, and make reference or cite, this document. Any such references or citations to this document must give the Open Data Center Alliance, Inc. full attribution and must acknowledge the Open Data Center Alliance, Inc.s copyright in this document. Such users are not permitted to revise, alter, modify, make any derivatives of, or otherwise amend this document in any way. NOTICE TO USERS WHO ARE OPEN DATA CENTER ALLIANCE PARTICIPANTS : Use of this document by Open Data Center Alliance Participants is subject to the Open Data Center Alliances bylaws and its other policies and procedures. OPEN CENTER DATA ALLIANCESM, ODCA SM, and the OPEN DATA CENTER ALLIANCE logoSM are service marks owned by Open Data Center Alliance, Inc. and all rights are reserved therein. Unauthorized use is strictly prohibited. This document and its contents are provided AS IS and are to be used subject to all of the limitations set forth herein. This document is provided for informational purposes only and is not intended to provide any legal counseling whatsoever to the user. Thus, this document is not intended to replace each users independent legal analysis of the specic legal and regulatory obligations that may apply to that user in a particular nation or jurisdiction. Also, this document does not grant any user of this document any rights to use any of the Alliances trademarks. All other service marks, trademarks and trade names referenced herein are those of their respective owners.

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage: Regulatory framework

sm

Executive Summary
There are hundreds, if not more, of regulatory bodies, regulations and standards that organizations must track and obey. Organizations spend millions of dollars to ensure they are in compliance and face steep penalties consisting of nes and fees, as well as damage to overall business, if failures occur. Studies have shown, for example, that a $1 billion company having just one Sarbanes-Oxley compliance failure could incur tens of millions of dollars in costs from settlement fees, lost business, nes, remediation, and business interruption. The Open Data Center AllianceSM recognizes the need for specifying clear mandates and obligations that must be met by providers of cloud services, as well as mechanisms that enable service providers to demonstrate their ability to meet regulatory obligations in an auditable manner. The Regulation Usage Model is aimed at helping organizations assess and monitor their regulatory obligations when engaging and acquiring cloud services.

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage : Regulatory Framework

Purpose
Regulatory compliance requires proactive focus from both the customer and the provider of cloud services. To that end, this Usage Model describes at a high level the framework of the regulatory bodies, regulations, applicable laws and standards, and their implications for both the customers and providers of cloud services, irrespective of sectors. It also describes an illustrative process ow for engaging with regulators and managing associated governance and compliance through the cloud service lifecycle. In addition to business-dened requirements and obligations for providers of cloud services, regulation and standards play a key role in inuencing the denition and ongoing management of cloud services. The implications include, but are not limited to: The nature of the outsourcing contract and its terms and conditions The maintenance of effective business and technology controls with respect to service levels, privacy, information security, service availability, etc. The maintenance of appropriate records and access provisions The management of service in response to business interruptions and in providing effective disaster recovery The ownership of data and its geo-location, taking into account privacy, cross border, and availability-based regulations and mandates Since cloud services generally cross jurisdictional boundaries, the services are usually inuenced and governed by regulatory obligations at local, federal, international and industry levels. To help organizations meet these obligations, this Usage Model offers a high-level framework for navigating the regulatory compliance and governance steps from both a geographical and industry perspective. This should assist in identication of regulatory obligations, as well as potential barriers to adoption (such as sovereign risk, industry regulator compliance, government regulatory compliance, data ownership and condentiality, etc.) and help manage the process for performing due diligence, cloud service engagement and ongoing risk management of regulatory compliance needs. The current Usage Model provides a reference to a sample of industry, local, federal and international regulatory bodies, regulations, laws and standards spanning industry domains such as government, banking brokerage and nancial services, health/pharmaceuticals and telecommunications. NOTE : The initial survey of regulators, regulations, applicable laws and standards provided in this document is an illustrative list. It is not intended to be a comprehensive guide to all potential regulators, regulations and standards. Cloud-Providers and Cloud-Subscribers should take this into consideration when reviewing the usage model for heterogeneous and multi-data center deployments. NOTE : It is intended in subsequent releases of this Usage Model that details of regulators, regulations and standards will be expanded and categorized by region and industry sector. Service (VPDCaaS).

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage : Regulatory Framework

taxonomy
Actor
Cloud-Subscriber

Description
A person or organization that has been authenticated to a cloud and maintains a business relationship with a cloud. An organization providing network services and charging Cloud-Subscribers. A (public) Cloud-Provider provides services over the Internet. An agency (government or industry) responsible for exercising autonomous authority over a specic area or market. Entity that creates, enacts and/or enforces laws. External agencies and/or individuals which perform audits over a specic area or market.

Cloud-Provider

Regulator

Legislator/Law Enforcement Auditor

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage : Regulatory Framework

FUNCTION MAP
The following ow chart shows the processes and relationships between the actors ( Cloud-Subscriber, Cloud-Provider, Regulator, Auditor) when considering regulation and compliance.

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage : Regulatory Framework

ONGOING CORPORATE COMPLIANCE PROGRAM IN CLOUD ENVIRONMENTS

Cloud-Subscribers and Cloud-Providers should develop an ongoing corporate compliance and risk management program that ensures periodic review of regulatory requirements and changes, industry standards, internal processes, and Cloud-Provider operations, including audit and compliance. It is expected that new legislation, regulatory approaches or enhancements to existing legislative mandates will be implemented to modernize existing data protection laws, update privacy requirements within several regions and govern key aspects of cloud-based services. A corporate compliance program should therefore include processes for: Monitoring laws, regulations and standards Performing impact analysis of compliance obligations resulting from regulations, laws, standards, etc. Updating risk and compliance frameworks Implementing controls to manage compliance risk Monitoring, auditing and reporting on compliance posture Taking corrective action as required NOTE : For Cloud-Providers, the key requirement is to be transparent and forthcoming in dealing with Cloud-Subscribers, Regulators and Auditors. Cloud-Providers have an obligation to notify Cloud-Subscribers of material changes to local laws and regulations. Assessments of both materiality and risk necessitates a detailed understanding of the extent and nature of the business processes, the technology architecture, the impacted information assets, and the controls being implemented as part of any outsourcing arrangement. As part of consultations with the relevant (industry and geographic) Regulator(s), Cloud-Subscribers are expected to undertake a comprehensive risk assessment and develop a plan to manage risk based on risk appetite, regulatory obligations, and commerciality. This would typically include an assessment of the specic arrangements underlying the services offered, the controlled environment of the Cloud-Providers, the location from which the services are to be provided, and the criticality and sensitivity of the information assets involved. The Regulator would expect regular review, assessment and management of risks as part of a management framework. NOTE: Accountability for risks and risk management cannot be outsourced. Cloud-Subscribers should ensure they have a boardapproved policy on outsourcing and a risk management framework in place to manage the risks of cloud environments, including regulatory and compliance risk.

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage : Regulatory Framework

USAGE MODEL
Actors : Cloud-Subscriber, Cloud-Provider, Regulator, External Auditor. Goals: 1. 2. 3.

To ensure that Cloud-Subscribers have the ability to efciently assess their local, federal, international and industry regulatory obligations using a standardized, repeatable approach when engaging and acquiring services from Cloud-Providers. To ensure that Cloud-Subscribers can mandate or specify key requirements and regulatory obligations to be met by Cloud-Providers for the industry verticals they wish to service. To ensure that Cloud-Providers can efciently demonstrate their ability to meet local, federal, international and industry regulatory obligations from both a geographical and industry perspective in an auditable manner.

Considerations: 1. Assumes primary industry, local, federal and international regulators, regulatory obligations, and standards can be readily identied (noting that there will be some necessary ongoing monitoring and maintenance of regulatory requirements). 2. Ultimately the onus is on the Cloud-Subscriber to ensure compliance with all geographical and industry-based regulation.

Success Scenario 1: The Cloud-Provider shall efciently demonstrate compliance to applicable geographical and industry-based regulations for their Cloud-Subscribers needs. This compliance should be auditable and consistent upon application. The Cloud-Provider is able to demonstrably deploy/adhere to changes and new regulatory requirements with minimum impact to existing Cloud-Subscribers. The Cloud-Subscriber and/or Cloud-Provider is notied of any material changes to regulations, laws and compliance requirements applicable to their geography and industry in a formal and timely manner (this is so that the partnership of the Cloud-Subscriber and Cloud-Provider can agree what service changes, if any, are needed to become compliant with the material changes in regulation or law). NOTE : Industry efciency will be improved if Cloud-Providers have a legal statement that Cloud-Subscribers can rely on in respect to compliance with specic local/national laws and regulations. Failure Conditions 1: The Cloud-Provider is unable to demonstrate or maintain the applicable regulatory or standards compliance requirements (such as privacy, security, business continuity, etc.) or meet Cloud-Subscriber policy requirements. Failure Handling: For all failure conditions, both the Cloud-Provider and the Cloud-Subscriber should assess their inability to meet applicable regulatory and standards compliance requirements and take remedial actions.

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage : Regulatory Framework

Requirements: Cloud-Subscribers should develop an ongoing corporate compliance and risk management program. Cloud-Subscribers should understand the implications of the geo-location of data, data ownership considerations, access restrictions and provisions, as well as regulatory obligations driving data protection, privacy, ownership, and data flows. Cloud-Providers should develop an understanding of the legal, regulatory and compliance needs of each sector of their Cloud-Subscriber target market, in order to be able to tailor services to meet the specific needs of that sector. To the extent that Cloud-Providers can assist Cloud-Subscribers to better meet their obligations, Cloud-Providers will be better positioned to attract and retain business and develop a strong reputation with the applicable Regulator(s). Good practice regulatory requirements on Cloud-Subscriber institutions include obligations to: Have a policy relating to outsourcing of material business activities Have an adequate risk management plan to meet obligations and manage risk posed by the outsourcing arrangement Have sufficient monitoring processes in place to manage the outsourcing of material business activities Have a legally binding agreement in place for all outsourcing of material business activities, unless otherwise agreed by the relevant Regulator(s) Ensure compliance with all applicable laws and statutes governing the location and type of business being transacted (e.g., data privacy laws, banking secrecy laws, Gramm-Leach-Bliley Act) Consult with the relevant Regulator(s) prior to entering into agreements to outsource material business activities to Cloud-Providers who conduct their activities outside the Cloud-Subscribers country Notify the relevant Regulator before entering into agreements to outsource material business activities In the interest of giving guidance on how to create and deploy solutions that are open, multi-vendor and interoperable, we have identied specic areas where the Alliance believes there should open specications, formal or de facto standards, or common IPfree implementations. The specic areas in this Usage Model where we recommend that these specications, standards and open implementations be developed are agged with an asterisk (*) below. Where the Alliance has a specic recommendation on the specication, standard or open implementation, it is called out in this Usage Model. In other cases, we will be working with the industry to evaluate and recommend specications in future releases of this document.

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage : Regulatory Framework

SUMMARY OF INDUSTRY ACTIONS REQUIRED:

In the interest of giving guidance on how to create and deploy solutions that are open, multi-vendor and interoperable, we have identied specic areas where the Alliance believes there should be open specications, formal or de facto standards, or common IP-free implementations. The specic areas in this usage model where we recommend that these specications, standards and open implementations be developed are agged with an asterisk (*). Where the Alliance has a specic recommendation on the specication, standard or open implementation, it is called out in this usage model. In other cases, we will be working with the industry to evaluate and recommend specications in future releases of this document. The following are industry actions required to rene this usage model: Cloud-Providers, Cloud-Subscribers, Solution-Providers and industry bodies are encouraged to submit additional regulatory, regulations and standards references to the Open Data Center Alliance for edification and enhancement of the usage model.* Cloud-Subscribers should submit examples of successful cloud deployments that meet regulatory requirements and have had regulatory signoff in the Cloud-Subscribers specific jurisdiction(s). Both Cloud-Providers and Cloud-Subscribers should develop robust governance models to meet regulatory and standards compliance, regardless of the service or deployment model.* Regulated organizations need to understand the effect of any differences in processes and systems at each of their locations, particularly if they are in different countries, including jurisdictional issues with respect to international transfer of personal data. NOTE : As organizations adopt cloud computing to a greater extent, additional regulatory attention can be expected.

Solution Stack
Self Service Portal Audit Compliance Security OS VMM Server, Storage, Network
User Regulation Library Regulation Liaison Alignment Regulatory Reports Governance Regulatory Definition (HIPPA, FISMA, FINRA, Basel II) Service Response Logs Data Access and Privilege Files Audit APIs (e.g., log, detect, monitor)

Audit API, Patch/Image Management Asset Tags and Location Reporting Encryption Protection

10

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage : Regulatory Framework

SURVEY OF REGULATORS, REGULATIONS AND STANDARDS

The following survey provides an initial list of key regulators, regulations, laws and standards applicable to industry domains such as government, banking, brokerage and nancial services, health/pharmaceuticals, and telecommunications.

Banking, Brokerage and Financial Services Regulator or Governing Abbreviation Body

Prudential Control Authority Netherlands Authority for the Financial Markets Securities and Exchange Commission Autorite Des marches Financiers Australia National Audit Office Australian Prudential Regulation Authority Australian Securities & Investments Commission Australian Securities Exchange Australian Taxation office aka Australian Tax Authority Australian Transaction Reports and Analyses Centre Bundesanstalt fr Finanzdienstleistungsaufsicht Banco de Mexico The Bankers Association of the Republic of China Deustche Bundesbank (Central Bank of Germany) Central Bank of Brazil aka BACEN Banque Centrale du Luxembourg Banco Central de la Repblica Argentina ACP AFM AFM AMF ANOA APRA ASIC ASX ATO AUSTRAC BaFin BANXICO BAROC BBK BCB BCL BCRA AU AU AU AU AU AU Bafin Mexico China Germany Brazil
Luxembourg

Country
France Netherlands Nigeria

More Information
http://www.banque-france.fr/acp/index.htm http://www.afm.nl/en.aspx http://www.sec.gov.ng http://www.amf-france.org/Default.asp?lang=en http://www.anao.gov.au/ http://www.apra.gov.au/ http://www.asic.gov.au/ http://www.asx.com.au/ http://www.ato.gov.au/ http://www.austrac.gov.au/ http://www.bafin.de/EN/Home/homepage__node.html?__nnn=true http://www.banxico.org.mx/sitioingles/index.html http://www.ba.org.tw/index-eng.aspx http://www.bundesbank.de/index.en.php http://www.bcb.gov.br/ http://www.bcl.lu/en/index.php http://www.bcra.gov.ar/index_i.htm

Argentina

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

11

Open Data Center Alliance Usage : Regulatory Framework

Banking Regulation and Supervision Agency Banque du Liban Bank Indonesia Banca dItalia (Bank of Italy) Brazilian Mercantile & Futures Exchange Bolsa Mexicana de Valores Bank Negara Malaysia Bank of Japan Bank of Korea Bank of Spain Bank of Thailand Bombay Stock Exchange Limited Bangko Sentral Ng Pilipinas BURSA Malaysia Central Bank of Bahrain Central Bank of China (Taiwan) Belgian Finance and Insurance Commission The Central Bank of the Russian Federation China Banking Regulatory Commission Central Depository Services (India) Limited CETIP - OTC Clearing House China Financial Futures Exchange Capital Markets Authority Comissao Do Mercado De Valores Mobiliarios Security and Exchange Commission Comisin Nacional del Mercado de Valores Consejero Commission Nationale de la Protection des Donnees

BDDK BDL BI BI BM&F BMV BNM BOJ BOK BOS BOT BSE BSP BURSA CBB CBC CBFA CBR CBRC CDSL CETIP CFFEX CMA CMVM CNBV CNVM CNPD

Turkey Liban Indonesia Italy Brazil Mexico Malaysia Japan Korea Spain Thailand India Philippines Malaysia Bahraib China Belgium Russia China India Chile

http://www.bddk.org.tr/WebSitesi/English.aspx http://www.bdl.gov.lb/bfs/index.htm http://www.bi.go.id/web/id/ http://www.bancaditalia.it/;internal&action=_setlanguage action?LANGUAGE=en http://www.bmf.com.br/IndexEnglish.asp http://www.bmv.com.mx/ http://www.bnm.gov.my/ http://www.boj.or.jp/en/ http://eng.bok.or.kr/eng/engMain.action http://www.bde.es/ http://www.bot.or.th/english/ http://www.bseindia.com/ http://www.bsp.gov.ph/ http://www.klse.com.my/website/bm/ http://www.bahrain.com/central-bank-bahrain.aspx http://www.cbc.gov.tw/mp2.html http://www.cbfa.be/eng/index.asp http://www.cbr.ru/eng/v http://www.cbrc.gov.cn/english/home/jsp/index.jsp http://www.cdslindia.com/ http://www.cetip.com.br/index.asp?lang=english http://www.cffex.com.cn/en_new/sspz/hs300zs/

Kenya Spain Mexico Spain

Luxembourg

http://www.cma.or.ke/ http://www.cmvm.pt/en/Pages/default.aspx http://cnbv.gob.mx/ http://www.cnmv.es/index_en.htm http://www.cnpd.public.lu/fr/index.html

12

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage : Regulatory Framework

Commissione Nazionale per le Societa e la Borsa Centre for Coordination and Control over Functioning of Securities Market China Securities Regulatory Commission Commission de Surveillance du Secteur Financier Dubai Financial Services Authority Egyptian Financial Supervisory Authority Federal Deposit Insurance Corporation FSC - Financial Examination Bureau The Financial Futures Association of Japan Federal Home Loan Bank System Federal Home Loan Mortgage Corporation (Freddie Mac) South African Financial Intelligence Centre Swedish Financial Services Authority (FSA) Financial Supervisory Authority (FIN-FSA) Security and Exchange Commission Danish Financial Supervisory Authority Financial Supervisory Authority of Norway Swiss Financial Market Supervisory Authority Financial Industry Regulatory Authority Financial Market Authority Federal National Mortgage Association (Fannie Mae) Federal Reserve Bank

CONSOB CSM

Italy Russia

http://www.consob.it/mainen/index.html?mode=gfx http://www.csm.gov.uz/

CSRC CSSF DFSA EFSA FDIC FEB FFAJ FHLB FHLMC FIC Finansinspektionen FIN-FSA

China
Luxembourg

http://www.csrc.gov.cn/pub/csrc_en/ http://www.cssf.lu/index.php?&L=1 http://www.dfsa.ae/Pages/default.aspx http://www.efsa.gov.eg/jtags/efsa2_en/index_en.jsp http://www.fdic.gov/ http://www.feb.gov.tw/Layout/main_en/index.aspx?frame=12 http://www.ffaj.or.jp/en/index.html http://www.fhlbanks.com/ http://www.freddiemac.com/ https://www.fic.gov.za/ http://www.fi.se/Folder-EN/Startpage/ http://www.finanssivalvonta.fi/en/Pages/Default.aspx http://www.cvm.gov.br/ingl/indexing.asp http://www.dfsa.dk/en.aspx http://www.finanstilsynet.no/en/ http://www.finma.ch/e/pages/default.aspx http://www.finra.org/ http://www.fma.gv.at/cms/site/EN/index.html http://www.fanniemae.com/kb/index?page=home http://www.federalreserve.gov/bankinforeg/default.htm

Dubai Egypt USA Taiwan Japan USA USA South Africa Sweden Finland Brazil Denmark Norway

FINMA FINRA FMA FNMA FRB

Sweden USA Germany USA USA

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

13

Open Data Center Alliance Usage : Regulatory Framework

Financial Services Authority Bank & Financial Services Authority of Ireland Financial Supervision Authority (AFN) Financial Services Authority Federal Security Service of the Russian Federation Financial Services Board Financial Supervisory Commission Financial Supervisory Service Guernsey Financial Services Commission GreTai Securities Market Hellenic Republic Capital Market Commission Hong Kong Monetary Authority Indonesia Stock Exchange Ireland Financial Regulator (aka IFSRA) Investment Industry Regulatory Organization of Canada Indonesian Financial Transaction Reports and Analysis Center (PPATK) Israel Securities Authority Jersey Financial Services Commission Japan Securities Dealers Association Johannesburg Stock Exchange Korean Futures Exchange Korea Exchange Ministry of Law & Justice London Metal Exchange Monetary Authority of Singapore Ministry of Information & Broadcasting

FSA FSA FSA FSA FSB FSB FSC FSS GFSC GTSM HCMC HKMA IDX IFR IIROC INTRAC

Japan Ireland Kazakhstan UK Russia South Africa Taiwan South Korea Channel Islands Taiwan Helenic Hong Kong Indonesia Ireland Canada Indonesia

http://www.fsa.go.jp/en/index.html http://www.centralbank.ie/ http://www.afn.kz/en http://www.fsa.gov.uk/ http://www.fsb.ru/ http://www.fsb.co.za/ http://www.fscey.gov.tw/Layout/main_en/index.aspx?frame=16 http://english.fss.or.kr/fss/en/main.jsp http://www.gfsc.gg/The-Commission/Pages/Home.aspx http://www.otc.org.tw/en/index.php http://www.hcmc.gr/pages/index.asp http://www.info.gov.hk/hkma/ http://www.idx.co.id/ http://www.financialregulator.ie/Pages/home.aspx http://www.iiroc.ca/English/Pages/home.aspx http://www.ppatk.go.id/index_eng.php

ISA JFSC JSDA JSE KOFE KRX LAWMIN LME MAS MIB

Israel Channel Islands Japan South Africa Korea Korea UK UK Singapore India

http://www.isa.gov.il/ http://www.jerseyfsc.org/index.asp http://www.jsda.or.jp/html/eigo/index.html http://www.jse.co.za/Home.aspx http://english.kofa.or.kr/ http://eng.krx.co.kr/ http://lawmin.nic.in/ http://www.lme.com/ http://www.mas.gov.sg/ http://www.mib.nic.in/

14

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage : Regulatory Framework

Ministry of Information and Communication Technology

MICT

Thailand

http://www.mict.go.th http://en.wikipedia.org/wiki/Ministry_of_Information_and_ Communication_Technology_(Thailand)

Ministry of Finance Montreal Exchange National Securities Depository Limited National Stock Exchange of India National Stock Exchange National Tax Agency Japan New York Mercantile Exchange New York Stock Exchange Ofce of the Comptroller of the Currency Osaka Securities Exchange The Ofce of the Superintendent of Financial Institutions Canada Peoples Bank of China Philippine Deposit Insurance Corporation Polish Financial Supervision Authority Public Security Bureau Philippine Stock Exchange Reserve Bank of India Standardization Administration of PRC Superintendencia de Bancos e Instituciones Financieras Securities Commission Securities & Exchange Board of India Securities & Exchange Commission Securities & Exchange Surveillance Commission Securities Exchange Commission

MOF MX NSDL NSE NSE NTA NYMEX NYSE OCC OSE OSFI

Taiwan Canada India India USA Janpan USA USA USA Japan Canada

http://www.mof.gov.tw/engweb/mp.asp?mp=2 http://www.m-x.ca/accueil_en.php https://nsdl.co.in/ http://www.nse-india.com/ http://www.nsx.com/ http://www.nta.go.jp/foreign_language/index.htm http://www.cmegroup.com/company/nymex.html http://www.nyse.com/ http://occ.treas.gov/ http://www.ose.or.jp/e/ http://www.osfi-bsif.gc.ca/osfi/index_e.aspx?ArticleID=3

PBOC PDIC PFSA PSB PSE RBI SAC

China Philippines Poland Phillippines India

http://www.pbc.gov.cn/publish/english/963/index.html http://www.pdic.gov.ph/ http://www.knf.gov.pl/en/index.html http://en.wikipedia.org/wiki/Public_security_bureau http://www.pse.com.ph/ http://www.rbi.org.in/home.aspx

China

http://www.sac.gov.cn/templet/english/

Saudi Arabian Monetary Agency SAMA SBIF SC SEBI SEC SESC SET

Saudi Arabia http://www.sama.gov.sa/sites/SAMAEN/Pages/Home.aspx Chile Malaysia India USA Japan Thailand http://www.sbif.cl/sbifweb/servlet/Portada?indice=0.0 http://www.sc.com.my/ http://www.sebi.gov.in/ http://www.sec.gov/ http://www.fsa.go.jp/sesc/english/index.htm http://www.sec.or.th/view/view.jsp?lang=en

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

15

Open Data Center Alliance Usage : Regulatory Framework

FSC - Securities and Futures Bureau Securities & Futures Commission Singapore Exchange Secretaria de Hacienda y Credito Publico Software Technology Parks of India Taiwan Futures Exchange Thai Bond Market Association Tokyo Financial Exchange Tokyo Metropolitan Government Inspection

SFB SFC SGX SHCP STPI TAIFEX TBMA TFX TMGI TSA

Taiwan Hong Kong Singapore Mexico India Taiwan Thailand Japan Japan Taiwan

http://www.sfb.gov.tw/Layout/main_en/index.aspx?frame=15 http://www.sfc.hk/sfc/html/EN/ http://www.sgx.com/wps/portal/marketplace/mp-en/home http://www.shcp.gob.mx/Paginas/Default.aspx http://www.stpi.in/index.php?langid=1 http://www.taifex.com.tw/eng/eng_home.htm http://www.thaibma.or.th/ http://www.tfx.co.jp/en/ http://www.metro.tokyo.jp/ENGLISH/PROFILE/appendix03.htm http://www.csa.org.tw/CSAENG.asp

Taiwan Securities Association (aka CTSA or CSA) Tokyo Stock Exchange Taiwan Trust Association Tokyo Tax Bureau Taiwan Stock Exchange

TSE TTA TTB TWSE

Japan Taiwan Japan Taiwan

http://www.tse.or.jp/english/ http://www.tta.org.tw/index.html http://www.nta.go.jp/foreign_language/index.htm http://www.twse.com.tw/en/

16

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage : Regulatory Framework

Telecommunications Regulator or Governing Body

Afghanistan Telecom Regulatory Authority Electronic and Postal Communications Authority ([1]) Autorite de Regulation des Postes et Telecommunications Telecomunicaes Ministrio das Telecomunicaes e Tecnologias Secretara de Comunicaciones Australian Communications and Media Authority Austrian Regulatory Authority for Broadcasting and Telecommunications Utilities Regulation & Competition Authority Telecommunications Regulatory Authority of Bahrain Bangladesh Telecommunication Regulatory Commission Telecommunications Unit Ministry of Posts and Telecommunications Belgian Institute for Postal services and Telecommunication Transitory Authority for the Regulation of Posts and Telecommunication MPT BIPT ATRPT ARPT MTTI SECOM ACMA RTR-GmbH URCA TRA BTRC

Abbreviation Country
ATRA Afghanistan Albania Algeria Angola Argentina Australia Austia Bahamas Bahrain India Barbados Belarus Belgium Benin

More Information
http://www.atra.gov.af/index.php?lang=en http://www.akep.al/ http://www.arpt.dz/ http://www.mtti.gov.ao/ http://www.secom.gov.ar/ http://www.acma.gov.au/WEB/HOMEPAGE/PC=HOME http://www.rtr.at/ http://www.urcabahamas.bs/ http://www.tra.org.bh/ http://www.btrc.gov.bd/ http://www.telecoms.gov.bb/ http://www.mpt.gov.by/new/modules/news/ http://www.bipt.be/nl/1/Home/Home/Welkom.aspx http://www.atrpt.bj/

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

17

Open Data Center Alliance Usage : Regulatory Framework

Superintendencia de Telecomunicaciones Botswana Telecommunications Authority Agencia Nacional de Telecomunicacoes Authority for Info-Communications Technology Industry Communications Regulatory Agency of BosniaHerzegovina Communications Regulation Commission Autorite Nationale de Regulation des Telecommunications Agence de Rgulation et de Contrle des Tlcommunications Agence de Regulation des Telecommunication Industry Canada Canadian Radio-television & Telecommunications Commission National Communications Agency Agence charge de la Rgulation des Tlcommunications Office Tchadien de Regulation des Telecoms Comisin de Regulacin de Comunicaciones Autorit Nationale de Rgulation des Tics Agence des Telecommunications de Cote dIvoire Croatian Post and Electronic Communications Agency Subsecretaria de Telecommunicacaiones The Czech Telecommunication Office Autorite de Regulation de la Poste et des Telecommunications du Congo National IT & Telecom Agency Ministere de la Communication et de la Culture, charg des Postes et Tlcommincations, Porte-Parole du Gouvernement

SITTEL BTA ANATEL AITI CRA

Bolivia Botswana Brazil Brunei Darussalam Bosnia & Herzegovina Bulgaria Burkina Faso Burundi Cameroon Canada Canada Cape Verde Central African Republic Chad Columbia Comoros Cote dIvoire Croatia Chile Czech Republic Democratic Republic of the Congo Denmark Dijbouti

http://www.sittel.gov.bo/ (Webpage temporarily unavailable.) http://www.bta.org.bw/

http://www.anatel.gov.br/

http://www.aiti.gov.bn/ http://www.cra.ba/

CRC ARCE ARCT ART ICRST CRTC ANAC ART OTRT CRCO ANRTIC ATCI HAKOM SUBTEL T ARPTC

http://www.crc.bg/index.php?lang=en http://www.artel.bf/ http://burundibwiza.com/ http://www.art.cm/ http://www.ic.gc.ca/ic_wp-pa.htm http://www.crtc.gc.ca/eng/home-accueil.htm http://www.anac.cv/ http://www.art-rca.org/ http://www.otrt.td/ http://www.crcom.gov.co/ http://www.alwatwan.net/index.php?home=actu. php&actu_id=983 http://www.atci.ci/ http://www.hakom.hr/default.aspx?id=7 http://www.subtel.cl/prontus_subtel/site/edic/base/ port/inicio.html http://www.ctu.eu/main.php?pageid=178 http://www.arptc.cd/

ITST MCCPT

http://en.itst.dk/ http://www.mccpt.dj/

18

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage : Regulatory Framework

Eastern Caribbean Telecommunications Authority Consejo Nacional de Telecomunicaciones del Ecuador Ministerio de Telecomunicaciones y de la Sociedad de la Informacin Superintendencia General de Electricidad y Telecommunicaciones National Telecommunications Regulatory Authority Ethiopian Telecommunications Agency Ministry of Transport and Communications Autorit de Regulation des Communications Electroniques et des Postes Agence de Regulation des Telecommunications Gambian Public Utilities Regulatory Authority

ECTEL CONATEL MINTEL SIGET NTRA ETA LVM ARCEP ARTEL PURA

Dominica Ecuador Ecuador El Salvador Egypt Ethiopia Finland France Gabon Gambia Georgia Germany Ghana Greece Grenada Guatemala Guinea Guinea Bissau Honduras Hong Kong Hungary Iceland

http://www.ectel.int/ntrcdominica.htm http://www.conatel.gov.ec/ http://www.mintel.gob.ec/ http://www.siget.gob.sv/ http://www.tra.gov.eg/english/Main.asp http://www.eta.gov.et/ http://www.lvm.fi/web/en/home http://www.arcep.fr/ http://www.artel.ga/ http://www.pura.gm/ http://www.gncc.ge/?lang_id=ENG http://www.bundesnetzagentur.de/cln_1911/DE/Home/ home_node.html http://www.nca.org.gh/ http://www.eett.gr/ http://www.ectel.int/ http://www.sit.gob.gt/ http://www.arptguinee.org/ http://www.icgb.org/ (Website currently not available.) http://www.conatel.gob.hn/ http://www.ofta.gov.hk/ http://www.nmhh.hu/ http://eng.samgonguraduneyti.is/ http://www.trai.gov.in/ http://www.cra.ir/Portal/Home/ http://www.comreg.ie/ http://www.brti.or.id/ (Website currently not available.)

Georgian National Communications Commission GNCC Bundesnetzagentur National Communications Authority Hellenic Telecommunications & Post Commission Eastern Caribbean Telecommunications Authority Superintendencia de Telecomunicaciones Regulatory Authority for Posts & Telecommunications Ministry of Telecommunications Comisin Nacional de Telecomunicaciones Office of the Telecommunications Authority National Media & Infocommunication Authority Ministry of Transport, Communications & Local Gov. Telecom Regulatory Authority of India Communication Regulatory Authority Commission for Communications Regulation Badan Regulasi Telekomunikasi Indonesia / Indonesian Telecommunications Regulatory Authority
TRAI CRA ODTR BRTI

BNA NCA EETT ECTEL SIT ARPT ICGB CONATEL OFTA NMHH

India Iran Ireland Indonesia

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

19

Open Data Center Alliance Usage : Regulatory Framework

Commission for Communications Regulation Ministry of Communications Autorit per le Garanzie nelle Comunicazioni Ministry of Internal Affairs & Communications Telecommunications Regulatory Commission Communications Commission of Kenya Ministry of Communications and Information Elektronisko sakaru direkcija Telecommunications Regulatory Authority Lesotho Communications Authority Liberia Telecommunications Authority General Telecommunications Authority Institut luxembourgeois de rgulation Bureau of Telecommunications Regulation Office Malagasy detudes et de Regulation des Telecommunications Communications Regulatory Authority Malaysian Communications & Multimedia Commission Ministere de la Communication et des TIC Malta Communications Authority Autorite de Regulation Information and Communication Technologies Authority Federal Telecommunications Commission National Regulatory Agency for Electronic Communications and Information Technolog LAgence Nationale de Rglementation des Tlcommunications Instituto Nacional das Communicacoes de Mozambique Namibian Communications Commission Nepal Telecommunications Authority Onafhankelijke Post en Telecommunicatie Autoriteit Commerce Commission of New Zealand LAutorite de Regulation Multisectorielle

ComReg
MOC AGCOM MIC TRC

Ireland Israel Italy Japan Jordan Kenya South Korea Latvia Lebanon Lesotho Liberia Libya Luxembourg Macau Madagascar Malawi Malaysia Mali Malta Mauritania Mauritius Mexico Moldova Morocco Mozambique Namibia Nepal Netherlands New Zealand Niger

http://www.comreg.ie/ http://www.moc.gov.il/ http://www.agcom.it/ http://www.soumu.go.jp/english/index.html http://www.trc.gov.jo/ http://www.cck.go.ke/ http://www.kcc.go.kr/user/ehpMain.do http://www.esd.lv/index.php?lang=en http://www.tra.org.bh/ http://www.lca.org.ls/ http://www.lta.gov.lr/ http://www.gta.ly/ http://www.ilr.public.lu/ http://www.gdtti.gov.mo/eng/News/index.html http://www.omert.mg/ http://www.macra.org.mw/ http://www.skmm.gov.my/

CCK KCC ESD TRA LCA LTA GTA ILR DSRT OMERT MACRA MCMC MTCMTL MCA ARE ICTA COFETEL ANRCETI ANRT INCM NCC NTA OPTA ComCom
ARM

http://www.mca.org.mt/ http://www.are.mr/ http://www.icta.mu/home/ http://www.cft.gob.mx/wb/Cofetel_2008/idioma http://en.anrceti.md/front http://www.anrt.net.ma/ http://www.incm.gov.mz/ http://www.ncc.org.na/ http://www.nta.gov.np/en/ http://www.opta.nl/nl/ http://www.comcom.govt.nz/ http://www.arm-niger.org/

20

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage : Regulatory Framework

Nigerian Communications Commission Norwegian Post & Telecom Authority Pakistan Telecommunication Authority Papua New Guinea Radiocommunication &Telecommunication Technical Authority Organismo Supervisor de Inversin Privada en Telecomunicaciones National Telecommunications Commission Prezes Urzdu Komunikacji Elektronicznej Autoridade Nacional de Comunicaes National Authority for Management & Regulation in Communications of Romania Ministry for Communications & Informatization of the Russian Federation Regulatory Agency for Public Utility Services of Rwanda Communications & Information Technology Commission ART/Sngal Republic Agency for Electronic Communication Ministry of Information Technology and Communication National Telecommunications Commission Infocomm Development Authority of Singapore Ministry of Posts & Communication Independent Communications Authority of South Africa Telecommunications Regulatory Commission of Sri Lanka National Telecommunications Corporation Swaziland Posts and Telecommunications Corporation National Communications Commission Tanzania Communications Regulatory Authority National Telecommunications Commission Autorite de Reglementation des Secteurs de Postes et Telecommunications

NCC NPT PTA PANGTEL

Nigeria Norway Pakistan Papau New Guinea Peru Philippines Poland Portugal Romania Russia Rwanda SA Senegal Serbia Seychelles Sierra Leone Singapore Somalia S. Africa Sri Lanka Sudan Swaziland Taiwan Tanzania Thailand Togo

http://www.ncc.gov.ng/ http://www.npt.no/ http://pta.gov.pk/ http://www.pangtel.gov.pg/ http://www.osiptel.gob.pe/WebSiteAjax/ Website currently not available. Parent organization website: http://www.cict.gov.ph/ http://www.uke.gov.pl/uke/index.jsp? http://www.anacom.pt/ http://www.anrcti.ro/index.aspx http://www.minsvyaz.ru/ http://www.rura.gov.rw/ http://www.citc.gov.sa/english/Pages/default.aspx http://www.artp-senegal.org/
http://www.ratel.rs/home.136.html

OSIPTEL
NTC UKE ANACOM ANCOM

Minsvyaz
RURA CITC ARTP RATL MISD NATCOM IDA MPC

http://www.misd.gov.sc/ http://www.natcomsl.com/natcom/natcom6.htm http://www.ida.gov.sg/home/index.aspx http://www.mopc.somaligov.net/ http://www.icasa.org.za/ http://www.trc.gov.lk/ http://www.ntc.gov.sd/ http://www.sptc.co.sz/ http://www.ncc.gov.tw/english/ http://www.tcra.go.tz/ http://www.ntc.gov.ph/ http://www.artp.tg/

CASA
TRC NTC SPTC NCC TCRA NTC ART&P

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

21

Open Data Center Alliance Usage : Regulatory Framework

de lInstance Nationale des Tlcommunications INTT de Tunisie Information & Communication Technologies Authority Uganda Communications Commission National Communications Regulating Commission Telecommunications Regulatory Authority Ofcom Federal Communications Commission Unidad Reguladora de Servicios de Telecomunicaciones Telecommunications Regulator Comisin Nacional de Telecomunicaciones Communications Authority Postal & Telecommunications Regulatory Authority
ICTA UCC NCRC TRA

Tunisia Turkey Uganda Ukraine UAE UK USA Uruguay Vanatu Venezuela Zambia Zimbabwe

http://www.intt.tn/ http://www.btk.gov.tr/ http://www.ucc.co.ug/ http://www.nkrz.gov.ua/uk/ http://www.tra.ae/ http://www.ofcom.org.uk/ http://www.fcc.gov/ http://www.ursec.gub.uy/ (website currently unavailable) http://www.telecomregulator.gov.vu/ http://www.conatel.gob.ve/ http://www.caz.zm/ http://www.potraz.gov.zw/

OFCOM
FCC URSEC
Telecom Regulator

CONATEL CAZ POTRAZ

22

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage : Regulatory Framework

Other Regulators Regulator or Governing Body

Department for Business Innovation and Skills Department for Environment Food and Rural Affairs European code of conduct for ICT Department of Energy Environment Protection Agency Federal Energy Regulatory Commission Federal Communications Commission Federal Deposit Insurance Corporation Federal Financial Institutions Examination Council Nuclear Regulatory Commission North American Electric Reliability Corporation Data breach notification laws (for US states) Belgian Institute for Postal services and Telecommunication Transitory Authority for the Regulation of Posts and Telecommunication BIPT ATRPT DOE EPA FERC FCC FDIC FFIEC NRC NERC

Abbreviation Country
BIS DEFRA UK UK EU USA USA USA USA USA USA USA USA USA Belgium Benin

More Information
http://www.bis.gov.uk/about http://www.defra.gov.uk/ http://re.jrc.ec.europa.eu/energyefficiency/html/ standby_initiative_main.htm http://www.energy.gov/ http://www.epa.gov/ http://www.ferc.gov/ http://www.fcc.gov/ http://www.fdic.gov/ http://www.ffiec.gov/ http://www.nrc.gov/ http://www.nerc.com/ http://www.ncsl.org/Default.aspx?TabId=13489 http://www.bipt.be/nl/1/Home/Home/Welkom.aspx http://www.atrpt.bj/

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

23

Open Data Center Alliance Usage : Regulatory Framework

Regulations, Acts, and Law Regulator or Governing Body

Health Insurance Portability and Accountability Act Data Protection Act Sarbanes-Oxley Act Gramm-Leach-Bliley Act Federal Information Security Management Act DoD Information Assurance Certification and Accreditation Process Privacy Act of 1974 Electronic Communications Privacy Act Privacy Act 1988 Data Protection Directive FDIC HIPAA DPA SOX GLBA FISMA DIACAP

Country
USA UK USA USA USA USA USA USA

More Information
http://en.wikipedia.org/wiki/Health_Insurance_ Portability_and_Accountability_Act http://www.legislation.gov.uk/ukpga/1998/29/contents http://en.wikipedia.org/wiki/ Sarbanes%E2%80%93Oxley_Act http://business.ftc.gov/legal-resources/46/33 http://csrc.nist.gov/groups/SMA/fisma/index.html http://www.usa.gov/Agencies/Federal/Executive/ Defense.shtml http://en.wikipedia.org/wiki/Privacy_Act_of_1974 http://en.wikipedia.org/wiki/Electronic_ Communications_Privacy_Act http://en.wikipedia.org/wiki/Privacy_Act_1988 http://en.wikipedia.org/wiki/Data_Protection_Directive

USA EU

24

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Open Data Center Alliance Usage : Regulatory Framework

Defacto and Related Industry Standards Regulator or Governing Body

ISO/IEC 27001:2005 SAS 70 The Green Grid COBIT (IT Governance and Control) PCI Data Security Standards Telecommunications Industry Association National Institute of Standards and Technology Cloud Security Alliance PCI DSS TIA 942

Abbreviation Country
ISO SAS 70 USA

More Information
http://www.iso.org/iso/catalogue_ detail?csnumber=42103 http://sas70.com/ http://www.thegreengrid.org/ http://www.isaca.org/Knowledge-Center/COBIT/Pages/ Overview.aspx https://www.pcisecuritystandards.org/security_ standards/index.php http://www.tiaonline.org/standards/catalog/search. cfm?standards_criteria=942

NIST
CSA

USA USA

http://www.nist.gov/index.html https://cloudsecurityalliance.org/

2011 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

25