
Description

This document is an addendum to the CCM V3.0.1 and contains a controls mapping between the CSA CCM and the Association of Banks in Singapore (ABS)'s Cloud Computing Implementation Guide (CCIG) 2.0 (https://abs.org.sg/docs/library/abs-cloud-computing-implementation-guide.pdf). It aims to help organizations adhering to the ABS CCIG 2.0 to meet CCM requirements. This is achieved by identifying compliance gaps in the ABS CCIG 2.0 document in relation to the CCM. This document contains the following information:
• Controls Mapping
• Gap Analysis
• Gap Identification (i.e. Partial, Full or No Gap)

The document is structured as follows. The tab 'Mapping-ABS CCIG 2.0' contains the mappings and gap analysis between the CCM and the ABS CCIG 2.0. In this tab, columns A-B-C contain details of the CCM, Column D provides the gap identification, Column E contains the controls mapping, and Column F provides the gap analysis details. The "Terminology" tab provides a list of terms used in this document and their definitions.

The CSA and the CCM working group hope that organizations will find this document useful for their cloud security compliance programs.

The contents of this document could contain technical inaccuracies, typographical errors and out-of-date information.

If you would like to volunteer in CSA working groups, please sign up here: https://cloudsecurityalliance.org/research/join-working-group/

Acknowledgements

Contributors
Arun Vivek (Co-Chair)
Victor Chin
Francis Lee
Paul Lee
Anthony Lim
Moorthi Rathinam
Terence Siau
Steven Sim
Alex Siow
Yao Sing Tao
CSA Staff

Hing-Yan Lee
Ekta Mishra
Haojie Zhuang

Change Log

Date: 7/30/2020
Version: 1
Notes: Publication of first version of the CCM v3.0.1 addendum for ABS CCIG 2.0

© Copyright 2020, Cloud Security Alliance. All rights reserved


CCM V3.0.1 Control Domains, Control IDs and Control Titles

Application & Interface Security
AIS-01 Application Security
AIS-02 Customer Access Requirements
AIS-03 Data Integrity
AIS-04 Data Security / Integrity

Audit Assurance & Compliance
AAC-01 Audit Planning
AAC-02 Independent Audits
AAC-03 Information System Regulatory Mapping

Business Continuity Management & Operational Resilience
BCR-01 Business Continuity Planning
BCR-02 Business Continuity Testing
BCR-03 Datacenter Utilities / Environmental Conditions
BCR-04 Documentation
BCR-05 Environmental Risks
BCR-06 Equipment Location
BCR-07 Equipment Maintenance
BCR-08 Equipment Power Failures
BCR-09 Impact Analysis
BCR-10 Policy
BCR-11 Retention Policy

Change Control & Configuration Management
CCC-01 New Development / Acquisition
CCC-02 Outsourced Development
CCC-03 Quality Testing
CCC-04 Unauthorized Software Installations
CCC-05 Production Changes

Data Security & Information Lifecycle Management
DSI-01 Classification
DSI-02 Data Inventory / Flows
DSI-03 Ecommerce Transactions
DSI-04 Handling / Labeling / Security Policy
DSI-05 Non-Production Data
DSI-06 Ownership / Stewardship
DSI-07 Secure Disposal

Datacenter Security
DCS-01 Asset Management
DCS-02 Controlled Access Points
DCS-03 Equipment Identification
DCS-04 Off-Site Authorization
DCS-05 Off-Site Equipment
DCS-06 Policy
DCS-07 Secure Area Authorization
DCS-08 Unauthorized Persons Entry
DCS-09 User Access

Encryption & Key Management
EKM-01 Entitlement
EKM-02 Key Generation
EKM-03 Sensitive Data Protection
EKM-04 Storage and Access

Governance and Risk Management
GRM-01 Baseline Requirements
GRM-02 Data Focus Risk Assessments
GRM-03 Management Oversight
GRM-04 Management Program
GRM-05 Management Support/Involvement
GRM-06 Policy
GRM-07 Policy Enforcement
GRM-08 Policy Impact on Risk Assessments
GRM-09 Policy Reviews
GRM-10 Risk Assessments
GRM-11 Risk Management Framework

Human Resources
HRS-01 Asset Returns
HRS-02 Background Screening
HRS-03 Employment Agreements
HRS-04 Employment Termination
HRS-05 Mobile Device Management
HRS-06 Non-Disclosure Agreements
HRS-07 Roles / Responsibilities
HRS-08 Technology Acceptable Use
HRS-09 Training / Awareness
HRS-10 User Responsibility
HRS-11 Workspace

Identity & Access Management
IAM-01 Audit Tools Access
IAM-02 Credential Lifecycle / Provision Management
IAM-03 Diagnostic / Configuration Ports Access
IAM-04 Policies and Procedures
IAM-05 Segregation of Duties
IAM-06 Source Code Access Restriction
IAM-07 Third Party Access
IAM-08 Trusted Sources
IAM-09 User Access Authorization
IAM-10 User Access Reviews
IAM-11 User Access Revocation
IAM-12 User ID Credentials
IAM-13 Utility Programs Access

Infrastructure & Virtualization Security
IVS-01 Audit Logging / Intrusion Detection
IVS-02 Change Detection
IVS-03 Clock Synchronization
IVS-04 Information System Documentation
IVS-05 Vulnerability Management
IVS-06 Network Security
IVS-07 OS Hardening and Base Controls
IVS-08 Production / Non-Production Environments
IVS-09 Segmentation
IVS-10 VM Security - Data Protection
IVS-11 Hypervisor Hardening
IVS-12 Wireless Security
IVS-13 Network Architecture

Interoperability & Portability
IPY-01 APIs
IPY-02 Data Request
IPY-03 Policy & Legal
IPY-04 Standardized Network Protocols
IPY-05 Virtualization

Mobile Security
MOS-01 Anti-Malware
MOS-02 Application Stores
MOS-03 Approved Applications
MOS-04 Approved Software for BYOD
MOS-05 Awareness and Training
MOS-06 Cloud Based Services
MOS-07 Compatibility
MOS-08 Device Eligibility
MOS-09 Device Inventory
MOS-10 Device Management
MOS-11 Encryption
MOS-12 Jailbreaking and Rooting
MOS-13 Legal
MOS-14 Lockout Screen
MOS-15 Operating Systems
MOS-16 Passwords
MOS-17 Policy
MOS-18 Remote Wipe
MOS-19 Security Patches
MOS-20 Users

Security Incident Management, E-Discovery, & Cloud Forensics
SEF-01 Contact / Authority Maintenance
SEF-02 Incident Management
SEF-03 Incident Reporting
SEF-04 Incident Response Legal Preparation
SEF-05 Incident Response Metrics

Supply Chain Management, Transparency, and Accountability
STA-01 Data Quality and Integrity
STA-02 Incident Reporting
STA-03 Network / Infrastructure Services
STA-04 Provider Internal Assessments
STA-05 Supply Chain Agreements
STA-06 Supply Chain Governance Reviews
STA-07 Supply Chain Metrics
STA-08 Third Party Assessment
STA-09 Third Party Audits

Threat and Vulnerability Management
TVM-01 Anti-Virus / Malicious Software
TVM-02 Vulnerability / Patch Management
TVM-03 Mobile Code
CLOUD CONTROLS MATRIX VERSION 3.0.1

Control Description

Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in
accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable
legal, statutory, or regulatory compliance obligations.

Prior to granting customers access to data, assets, and information systems, identified security, contractual,
and regulatory requirements for customer access shall be addressed.

Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for
application
Policies andinterfaces
proceduresand databases
shall to prevent
be established andmanual or systematic
maintained in supportprocessing errors, to
of data security corruption
include of data,
or misuse.
(confidentiality,
Audit plans shallintegrity, and availability)
be developed across
and maintained multiplebusiness
to address system interfaces, jurisdictions,
process disruptions. and business
Auditing plans shall
functions
focus on to prevent
reviewing improper
the disclosure,
effectiveness of alteration,
the or destruction.
implementation of security operations. All audit activities
Independent reviews and assessments shall be performed at least annually to ensure that the organization must
be agreed upon prior to executing any audits.
addresses nonconformities of established policies, standards, procedures, and compliance obligations.

Organizations shall create and maintain a control framework which captures standards, regulatory, legal,
and statutory requirements relevant for their business needs. The control framework shall be reviewed at
least annually to ensure changes that could affect the business processes are reflected.
A consistent unified framework for business continuity planning and plan development shall be established,
documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for
testing, maintenance, and information security requirements.
Requirements for business continuity plans include the following:
• Defined purpose and scope, aligned with relevant dependencies
• Accessible to and understood by those who will use them
Business continuity and security incident response plans shall be subject to testing at planned intervals or
upon significant organizational or environmental changes. Incident response plans shall involve impacted
customers (tenant) and other business relationships that represent critical intra-supply chain business
process dependencies.

Data center utilities services and environmental conditions (e.g., water, power, temperature and humidity
controls, telecommunications,
Information system documentationand internet connectivity)and
(e.g., administrator shall beguides,
user secured,
andmonitored, maintained,
architecture diagrams)andshall be
tested for continual
made available
Physical effectiveness
to authorized
protection at planned
personnel
against damage intervals
fromtonatural
ensure causes to ensure
the following: protection from unauthorized interception
and disasters, as well as deliberate attacks,
or• damage, and
Configuring,
including designed with
installing, and automated
operating fail-over
the or
information other redundancies
system in the event of planned or
To reducefire, flood,from
the risks atmospheric electrical
environmental discharge,
threats, hazards, solar
and induced geomagnetic
opportunities storm,
for unauthorizedwind, earthquake,
access,
unplanned
tsunami, disruptions.
• Effectively using
explosion, the system’s
nuclear security
accident, features
volcanic activity,
equipment
Policies and shall be kept
procedures away
shall from
be locations
established, subject
and to biological
supporting hazard,
high business
probability civil unrest,
environmental
processes mudslide,
risks and
and technical tectonic
measures
activity, and
supplemented for
implemented, other forms
by redundantof natural
equipmentequipment or
maintenance man-made
located disaster shall
at a reasonable
ensuring continuity andbe anticipated,
distance. designed, and have
availability of operations and support
countermeasures
personnel. applied.

Protection measures shall be put into place to react to natural and man-made threats based upon a
geographically-specific
There shall be a definedbusiness impact assessment.
and documented method for determining the impact of any disruption to the
organization (cloud provider, cloud consumer)
Policies and procedures shall be established, and that must incorporate
supporting businessthe following:
processes and technical measures
• Identify
implemented,critical
for products
appropriate and
IT services
governance and service management to ensure
Policies and procedures shall be established, and supporting business processes and appropriate
technicalplanning,
measures
• Identify
delivery, all
and dependencies,
support of the including processes,
organization's IT applications,
capabilities business
supporting partners,
business and third
functions,
implemented, for defining and adhering to the retention period of any critical asset as per party service
workforce,
established and/or
providers
customers
policies andbased on industry
procedures, acceptable
as well standards
as applicable (i.e.,
legal, ITIL v4orand
statutory, COBIT compliance
regulatory 5). Additionally, policiesBackup
obligations. and
• Understand
procedures shallthreats to
include critical
defined products
roles and and services
responsibilities supported by regular workforce training.
and recovery measures shall be incorporated as part of business continuity planning and tested accordingly
• Determine
for impacts resulting from planned or unplanned disruptions and how these vary over time
effectiveness.
• Establish the maximum tolerable period for disruption
• Establish priorities for recovery
• Establish recovery time objectives for resumption of critical products and services within their maximum
tolerable period of disruption
• Estimate the resources required for resumption

Policies and procedures shall be established, and supporting business processes and technical measures
implemented, to ensure the development and/or acquisition of new data, physical or virtual applications,
infrastructure network, and systems components, or any corporate, operations and/or data center facilities
have been pre-authorized by the organization's business leadership or other accountable business role or
function.

External business partners shall adhere to the same policies and procedures for change management,
release, and testing
Organizations shall as internal
follow developers
a defined within
quality the control
change organization (e.g., process
and testing ITIL service
(e.g.,management
ITIL Service
processes).
Management) with established baselines, testing, and release standards that focus on system availability,
confidentiality, and integrity of systems and services.
Policies and procedures shall be established, and supporting business processes and technical measures
implemented, to restrict the installation of unauthorized software on organizationally-owned or managed
user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure
network and systems components.

Policies and procedures shall be established for managing the risks associated with applying changes to:
• Business-critical
Data or customer
and objects containing data(tenant)-impacting
shall be assigned a(physical and virtual)
classification applications
by the data owner basedand system-system
on data type,
interface
value, (API)
sensitivity,designs
and and configurations.
criticality to the organization.
Policies and procedures shall be established, and supporting business processes and technical measures
• Infrastructure
implemented, network and systems components.
Data related totoelectronic
inventory, document,
commerce and maintainthat
(ecommerce) data flows for
traverses data networks
public that is resident (permanently
shall be appropriately or
Technical
temporarily) measures
within shall
the be implemented
service's to provide
geographically assurance
distributed that all
(physical andchanges
virtual)directly correspond
applications and to a
classified
Policies
registered and
and protected
procedures
change from
request,shall fraudulent activity,
be established
business-critical unauthorized
orforcustomer
the labeling, disclosure,
handling,
(tenant), and/or and or modification
security
authorizationofby, inand
datathe such a manner
objects
customer
infrastructure
to prevent
which network
contract
contain data. and
dispute systems
and
Mechanisms components
compromise
for label of and/or
data. shared with other third parties to ascertain
inheritance shall be implemented for objects that act as aggregate any
(tenant) as per
regulatory, agreement
statutory, (SLA) prior to deployment.
containers for data. or supply chain agreement (SLA) compliance impact, and to address any other
business risks associated with the data. Upon request, provider shall inform customer (tenant) of
compliance impact and risk, especially if customer data is used as part of the services.
Production data shall not be replicated or used in non-production environments. Any use of customer data
in
Allnon-production environments
data shall be designated with requires explicit,
stewardship, withdocumented approval fromdefined,
assigned responsibilities all customers whose and
documented, data is
affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data
communicated.
elements.

Policies and procedures shall be established with supporting business processes and technical measures
implemented for the secure disposal and complete removal of data from all storage media, ensuring data is
not recoverable by any computer forensic means.
Assets must be classified in terms of business criticality, service-level expectations, and operational
continuity requirements. A complete inventory of business-critical assets located at all sites and/or
geographical locations and their usage over time shall be maintained and updated regularly, and assigned
ownership by defined roles and responsibilities.

Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical
authentication mechanisms,
Automated equipment receptionshall
identification desks,
be and
usedsecurity patrols)
as a method shall be implemented
of connection to safeguard
authentication. Location-
sensitive data and information systems.
aware technologies may be used to validate connection authentication integrity based on known equipment
location.

Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite
premises.

Policies and procedures shall be established for the secure disposal of equipment (by asset type) used
outside
Policiesthe
andorganization's
procedures shall premises. This shalland
be established, include a wiping
supporting solution
business or destruction
processes processfor
implemented, that renders
recovery
maintaining
Ingress andof information
a safe and
egress impossible.
secure
to secure working
areas The
shall beerasure
environment shall
constrained inconsist
offices,
and ofrooms,
a full by
monitored overwrite
facilities, ofaccess
physicaland the drive
secure to ensure
areas
control that
storing
the erased
sensitive
mechanisms drive is
information.released
to ensure to
thatsuch inventory
onlyasauthorized for reuse
personneland deployment,
are points
allowed or securely
access. stored until it can be
Ingress and egress points service areas and other where unauthorized personnel may enter
destroyed.
the premises shall be monitored, controlled and, if possible, isolated
Physical access to information assets and functions by users and support personnel from data storage and
shall beprocessing
restricted.
facilities to prevent unauthorized data corruption, compromise, and loss.
Keys must have identifiable owners (binding keys to identities) and there shall be key management
policies.
Policies and procedures shall be established for the management of cryptographic keys in the service's
cryptosystem
Policies (e.g., lifecycle
and procedures shallmanagement
be established, fromandkey generation
supporting to revocation
business processes andandreplacement, public key
technical measures
infrastructure,
implemented,
Platform cryptographic protocol
for the use of encryption
and data-appropriate encryptiondesign and
protocols algorithms
for protection
(e.g., AES-256) used, access controls
of sensitive data
in open/validated in place
in storage
formats for
(e.g., file key
and standardsecure
generation,
servers,
algorithms and exchange
databases,
shall be and
required.and
end-user storage
Keys including
workstations),
shall segregation
datafor
not be stored ininuse of keys
the(memory),
cloud or used
and
(i.e., for encrypted
datacloud
at the provider or
data
in transmission sessions).
in (e.g., system
question),
Baseline
Upon security
request, requirements
provider shall shall
inform be
the established
customer developed
(tenant) of changes acquired,
within organizationally-owned
the cryptosystem, especiallyor if
interfaces,
but
managed, over
maintained public
by
physical the networks,
cloud
or data
virtual, and
consumer electronic
applicationsor trusted messaging)
key as
management per applicable
provider. legal,
Key statutory,
management and
and key
the customer
regulatory
usage be(tenant)
shallcompliance
separated is used
obligations.
duties. as part ofand theinfrastructure
service, and/or system and network
the customer components
(tenant) has somethat comply
shared
with applicable legal, statutory, and regulatory compliance obligations. Deviations from standard baseline
responsibility over implementation of the control.
configurations must be authorized following change management policies and procedures prior to
deployment, provisioning, or use. Compliance with security baseline requirements must be reassessed at
least annually unless an alternate frequency has been established and authorized based on business needs.
Risk assessments associated with data governance requirements shall be conducted at planned intervals and
shall consider the following:
• Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and
network infrastructure
• Compliance with defined retention periods and end-of-life disposal requirements
• Data classification and protection from unauthorized use, access, loss, destruction, and falsification

Managers are responsible for maintaining awareness of, and complying with, security policies, procedures,
and standards that are relevant to their area of responsibility.

An Information Security Management Program (ISMP) shall be developed, documented, approved, and
implemented that includes administrative, technical, and physical safeguards to protect assets and data from
loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program shall
include, but not be limited to, the following areas insofar as they relate to the characteristics of the
business:
• Risk management
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information
Executive systems
and line acquisition,
management shalldevelopment, and maintenance
take formal action to support information security through clearly-
documented directionpolicies
Information security and commitment, and shall
and procedures shallensure the action
be established has
and beenreadily
made assigned.
available for review by
all impacted personnel and external business relationships. Information security policies must be authorized
by the organization's business leadership (or other accountable business role or function) and supported by
a strategic business plan and an information security management program inclusive of defined information
security roles and responsibilities for business leadership.

A formal disciplinary or sanction policy shall be established for employees who have violated security
policies and procedures. Employees shall be made aware of what action might be taken in the event of a
violation, and disciplinary measures must be stated in the policies and procedures.

Risk assessment results shall include updates to security policies, procedures, standards, and controls to
ensure that they remain
The organization's relevant
business and effective.
leadership (or other accountable business role or function) shall review the
information security policy at planned intervals or as a result of changes to the organization to ensure its
continuing alignment with the security strategy, effectiveness, accuracy, relevance, and applicability to
legal, statutory, or regulatory compliance obligations.

Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually
or at planned intervals, (and in conjunction with any changes to information systems) to determine the
likelihood and impact of all identified risks using qualitative and quantitative methods. The likelihood and
impact associated with inherent and residual risk shall be determined independently, considering all risk
categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).
Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established
and documented in accordance with reasonable resolution time frames and stakeholder approval.

Upon termination of workforce personnel and/or expiration of external business relationships, all
organizationally-owned assets shallethics,
Pursuant to local laws, regulations, be returned within an established
and contractual constraints,period.
all employment candidates,
contractors, and third parties shall be subject to background verification
Employment agreements shall incorporate provisions and/or terms for adherence proportional to the datainformation
to established
classification
governance to be
and accessed,
security
Roles and responsibilities for the
policies business requirements,
and mustemployment
performing and acceptable
be signed bytermination
newly risk. in employment
hiredororchange
on-boarded workforceprocedures
personnel
(e.g.,
shall fullassigned,
be
Policies or part-time
and employee
documented,
procedures shall beandor contingent
communicated.
established, staff)
and prior to granting
supporting business workforce personnel
processes and usermeasures
technical access to
corporate
implemented, facilities, resources, and assets.
Requirements to formanage businessorrisks
non-disclosure associated with
confidentiality permitting
agreements mobilethe
reflecting device access to corporate
organization's needs for the
resources
Roles and responsibilities of contractors, employees, and third-party users shall be documentedacceptable-
protection and
of may
data require
and the
operationalimplementation
details shall of
be higher assurance
identified, compensating
documented, and controls
reviewed at and
planned
as they
use policies
intervals.
relate and procedures
to information (e.g.,
assets and mandated security training, stronger identity, entitlement and access
security.
controls, and device monitoring).

Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining allowances and conditions for permitting usage of organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components. Additionally, defining allowances and conditions to permit usage of personal mobile devices and associated applications with access to corporate resources (i.e., BYOD) shall be considered and incorporated as appropriate.

A security awareness training program shall be established for all contractors, third-party users, and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.

All personnel shall be made aware of their roles and responsibilities for:
• Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
• Maintaining a safe and secure working environment

Policies and procedures shall be established to require that unattended workspaces do not have openly visible (e.g., on a desktop) sensitive documents and that user computing sessions are disabled after an established period of inactivity.

Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segregated and access restricted to prevent inappropriate disclosure and tampering of log data.

User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes, and measures must incorporate the following:
• Procedures, supporting roles, and responsibilities for provisioning and de-provisioning user account entitlements following the rule of least privilege based on job function (e.g., internal employee and contingent staff personnel changes, customer-controlled access, suppliers' business relationships, or other third-party business relationships)
• Business case considerations for higher levels of assurance and multi-factor authentication secrets (e.g., management interfaces, key generation, remote access, segregation of duties, emergency access, large-scale provisioning or geographically-distributed deployments, and personnel redundancy for critical systems)
• Access segmentation to sessions and data in multi-tenant architectures by any third party (e.g., provider and/or other customer (tenant))
• Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and federation)
• Account credential lifecycle management from instantiation through revocation
• Account credential and/or identity store minimization or re-use when feasible
• Authentication, authorization, and accounting (AAA) rules for access to data and sessions (e.g., encryption and strong/multi-factor, expireable, non-shared authentication secrets)
• Permissions and supporting capabilities for customer (tenant) controls over authentication, authorization, and accounting (AAA) rules for access to data and sessions
• Adherence to applicable legal, statutory, or regulatory compliance requirements

User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.

Policies and procedures shall be established to store and manage identity information about every person who accesses IT infrastructure and to determine their level of access. Policies shall also be developed to control access to network resources based on user identity.

User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for restricting user access as per defined segregation of duties to address business risks associated with a user-role conflict of interest.

Access to the organization's own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software shall be appropriately restricted following the rule of least privilege based on job function as per established user access policies and procedures.

The identification, assessment, and prioritization of risks posed by business processes requiring third-party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.

Policies and procedures are established for permissible storage and access of identities used for authentication to ensure identities are only accessible based on rules of least privilege and replication limitation only to users explicitly defined as business necessary.

Provisioning user access (e.g., employees, contractors, customers (tenants), business partners, and/or supplier relationships) to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be authorized by the organization's management prior to access being granted and appropriately restricted as per established policies and procedures. Upon

User access shall be authorized and revalidated for entitlement appropriateness, at planned intervals, by the organization's business leadership or other accountable business role or function supported by evidence to demonstrate the organization is adhering to the rule of least privilege based on job function. For identified

Timely de-provisioning (revocation or modification) of user access to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components, shall be
Internal corporate or customer (tenant) user account credentials shall be restricted as per the following,
ensuring appropriate identity, entitlement, and access management and in accordance with established
policies and procedures:
• Identity trust verification and service-to-service application (API) and information processing
interoperability (e.g., SSO and Federation)
• Account credential lifecycle management from instantiation through revocation
• Account credential and/or identity store minimization or re-use when feasible
• Adherence to industry acceptable and/or regulatory compliant authentication, authorization, and
accounting (AAA) rules (e.g., strong/multi-factor, expireable, non-shared authentication secrets)
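
The access-management controls above (provisioning and de-provisioning by least privilege on job function, segregation of duties against user-role conflicts of interest, and periodic revalidation of entitlements supported by evidence) can be checked mechanically against an entitlement export. The Python below is an added example and is not part of the CCM or the ABS CCIG; the users, job functions, roles, toxic-combination rules, dates and the 90-day idle threshold are all constructed assumptions for illustration.

```python
# Added example (not CCM or ABS CCIG text): an entitlement review that flags
# segregation-of-duties conflicts, roles outside a job function's least-privilege
# baseline, and entitlements unused long enough to question at revalidation.
# Users, roles, rules and dates below are constructed for the example.
from collections import defaultdict
from datetime import date

# Toxic combinations a single identity must not hold (assumed SoD rules).
SOD_RULES = [
    (frozenset({"vendor-master-edit", "payment-approve"}), "create a payee and approve payment to it"),
    (frozenset({"code-commit", "prod-deploy"}), "ship own change to production unreviewed"),
    (frozenset({"audit-log-admin", "prod-admin"}), "administer systems and alter their audit trail"),
]

# Least-privilege baseline: the roles each job function is expected to hold.
ROLES_BY_FUNCTION = {
    "accounts-payable": {"vendor-master-view", "payment-approve"},
    "developer": {"code-commit", "staging-deploy"},
    "sre": {"prod-deploy", "prod-admin"},
}

# Constructed entitlement export: (user, job_function, role, last_used ISO date or None).
ENTITLEMENTS = [
    ("alice", "accounts-payable", "payment-approve", "2020-07-28"),
    ("alice", "accounts-payable", "vendor-master-edit", "2020-07-27"),
    ("bob", "developer", "code-commit", "2020-07-29"),
    ("bob", "developer", "prod-deploy", "2020-01-15"),
    ("carol", "sre", "prod-admin", "2020-07-29"),
    ("carol", "sre", "prod-deploy", "2020-07-29"),
    ("dave", "developer", "staging-deploy", None),
]
REVIEW_DATE = date(2020, 7, 30)  # assumed date of the access review


def roles_by_user(entitlements):
    """Collapse the export into {user: set(roles)}."""
    out = defaultdict(set)
    for user, _fn, role, _last in entitlements:
        out[user].add(role)
    return out


def sod_violations(entitlements):
    """Users whose combined roles contain a toxic combination, with the reason."""
    hits = []
    for user, roles in sorted(roles_by_user(entitlements).items()):
        for combo, why in SOD_RULES:
            if combo <= roles:
                hits.append((user, sorted(combo), why))
    return hits


def outside_baseline(entitlements, baseline=ROLES_BY_FUNCTION):
    """Roles a user holds that the job-function baseline does not justify."""
    return sorted((u, r) for u, fn, r, _ in entitlements if r not in baseline.get(fn, set()))


def stale_entitlements(entitlements, today, max_idle_days=90):
    """Roles never used, or unused for longer than max_idle_days, as of `today`."""
    stale = []
    for user, _fn, role, last in entitlements:
        idle = None if last is None else (today - date.fromisoformat(last)).days
        if idle is None or idle > max_idle_days:
            stale.append((user, role, idle))
    return sorted(stale, key=lambda t: (t[0], t[1]))


if __name__ == "__main__":
    for finding in sod_violations(ENTITLEMENTS):
        print("SoD conflict:", finding)
    for finding in outside_baseline(ENTITLEMENTS):
        print("outside job-function baseline:", finding)
    for finding in stale_entitlements(ENTITLEMENTS, REVIEW_DATE):
        print("stale, revalidate or revoke:", finding)
```

Each finding is a candidate for the revalidation step: an SoD hit is a conflict of interest to resolve, a role outside the baseline needs a documented business case, and a stale role is removed unless the reviewer attests it is still required.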

Utility programs capable of potentially overriding system, object, network, virtual machine, and application controls shall be restricted.

Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, and to support forensic investigative capabilities in the event of a security breach.

The provider shall ensure the integrity of all virtual machine images at all times. Any changes made to virtual machine images must be logged and an alert raised regardless of their running state (e.g., dormant, off, or running). The results of a change or move of an image and the subsequent validation of the image's integrity must be immediately available to customers through electronic methods (e.g., portals or alerts).

A reliable and mutually agreed upon external time source shall be used to synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.

The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with legal, statutory, and regulatory compliance obligations. Projections of future capacity requirements shall be made to mitigate the risk of system overload.

Implementers shall ensure that the security vulnerability assessment tools or services accommodate the
virtualization technologies used (e.g., virtualization aware).
Network environments and virtual instances shall be designed and configured to restrict and monitor traffic
between trusted and untrusted connections. These configurations shall be reviewed at least annually, and
supported by a documented justification for use for all allowed services, protocols, ports, and by
compensating controls.

Each operating system shall be hardened to provide only necessary ports, protocols, and services to meet
business needs and have in place supporting technical controls such as: antivirus, file integrity monitoring,
and logging as part of their baseline operating build standard or template.
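
The hardening control above asks for a baseline build that exposes only justified ports, protocols and services and carries file integrity monitoring; the change-detection control earlier asks that any change to a virtual machine image be logged and alerted. The Python below is an added example (not part of the CCM or the ABS CCIG) of auditing a host against such a baseline: it parses `ss -ltnH`-style socket output against an allow-list of justified listeners, and compares SHA-256 hashes of configuration files and an image file against a recorded golden set. The allow-list, file paths, file contents and image bytes are constructed for the example.

```python
# Added example (not from the CCM or the ABS CCIG): a baseline-drift audit
# covering an allow-list of listening ports and file/image integrity by hash.
# All sample data below is constructed.
import hashlib
import re

# Baseline build standard (assumed): only these listeners have a documented justification.
ALLOWED_LISTENERS = {("tcp", 22), ("tcp", 443)}

# Constructed output in the shape of `ss -ltnH` (state, queues, local address:port, peer).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 4096 [::]:2049 [::]:*
"""

_PORT_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s")


def parse_listening_ports(ss_output, proto="tcp"):
    """Return the set of (proto, port) pairs found in `ss -ltnH`-style output."""
    ports = set()
    for line in ss_output.splitlines():
        m = _PORT_RE.match(line)
        if m:
            ports.add((proto, int(m.group(1))))
    return ports


def unjustified_listeners(ss_output, allowed=ALLOWED_LISTENERS):
    """Listeners present on the host but absent from the documented allow-list."""
    return sorted(parse_listening_ports(ss_output) - set(allowed))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def integrity_drift(current, baseline):
    """Compare {path: bytes} against a baseline {path: sha256 hex}.
    Returns 'changed', 'missing' and 'unexpected' path lists; a VM image file is
    checked exactly like a config file, so the same call serves image change detection."""
    current_hashes = {p: sha256_hex(b) for p, b in current.items()}
    changed = sorted(p for p in baseline if p in current_hashes and current_hashes[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current_hashes)
    unexpected = sorted(p for p in current_hashes if p not in baseline)
    return {"changed": changed, "missing": missing, "unexpected": unexpected}


def needs_alert(drift):
    """Any deviation from the golden set is an alertable event under the control."""
    return any(drift.values())


# Constructed golden contents; the image bytes are a stand-in, not a real qcow2 file.
GOLDEN_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL:ALL) ALL\n",
    "/var/lib/images/web-base.qcow2": b"QFI\xfb" + b"\x00" * 64,
}
BASELINE = {p: sha256_hex(b) for p, b in GOLDEN_FILES.items()}

# A drifted snapshot: one file modified, one removed, one unexpected file added.
DRIFTED_FILES = dict(GOLDEN_FILES)
DRIFTED_FILES["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication no\n"
del DRIFTED_FILES["/etc/sudoers"]
DRIFTED_FILES["/etc/cron.d/backdoor"] = b"* * * * * root /tmp/x\n"

if __name__ == "__main__":
    print("unjustified listeners:", unjustified_listeners(SAMPLE_SS_OUTPUT))
    drift = integrity_drift(DRIFTED_FILES, BASELINE)
    print("integrity drift:", drift, "alert:", needs_alert(drift))
```

On a real host the `ss` text and file bytes come from the system rather than the constants above; the baseline hashes would be stored off-host so that a compromised machine cannot rewrite its own golden set.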

Production and non-production environments shall be separated to prevent unauthorized access or changes
to information assets. Separation of the environments may include: stateful inspection firewalls,
domain/realm authentication sources, and clear segregation of duties for personnel accessing these
environments as part of their job duties.

Multi-tenant organizationally-owned or managed (physical and virtual) applications, and infrastructure system and network components, shall be designed, developed, deployed, and configured such that
provider and customer (tenant) user access is appropriately segmented from other tenant users, based on the
following considerations:
• Established policies and procedures
• Isolation of business critical assets and/or sensitive user data, and sessions that mandate stronger internal
controls and high levels of assurance
• Compliance with legal, statutory, and regulatory compliance obligations

Secured and encrypted communication channels shall be used when migrating physical servers,
applications, or data to virtualized servers and, where possible, shall use a network segregated from
production-level networks for such migrations.
Access to all hypervisor management functions or administrative consoles for systems hosting virtualized
systems shall be restricted to personnel based upon the principle of least privilege and supported through
technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls, and TLS
encapsulated communications to the administrative consoles).

Policies and procedures shall be established, and supporting business processes and technical measures implemented, to protect wireless network environments, including the following:
• Perimeter firewalls implemented and configured to restrict unauthorized traffic
• Security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, and SNMP community strings)
• User access to wireless network devices restricted to authorized personnel
• The capability to detect the presence of unauthorized (rogue) wireless network devices for a timely disconnect from the network

Network architecture diagrams shall clearly identify high-risk environments and data flows that may have legal compliance impacts. Technical measures shall be implemented and shall apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling, and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks.
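
The network architecture control names ARP poisoning and MAC spoofing as the anomalous traffic patterns that detection has to catch. The Python below is an added example, not part of the CCM or the ABS CCIG, of the detection logic run over constructed ARP reply records: it flags an IP address advertised by more than one MAC (the poisoning signature) and a single MAC answering for many addresses (one host impersonating the segment). The record layout, addresses, gateway address and threshold are assumptions made for the example.

```python
# Added example (not from the CCM or the ABS CCIG): ARP-poisoning / MAC-spoofing
# detection over constructed ARP reply records. Format, addresses and the
# threshold are assumptions for the example.
import re
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"  # assumed: the address an attacker would most want to impersonate

# Constructed capture, one "is-at" reply per line, in the spirit of tcpdump's ARP output.
# The first three replies are the legitimate hosts; the last three are the poisoner.
SAMPLE_ARP_LOG = """\
10:00:01.000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01
10:00:02.000 ARP, Reply 10.0.0.7 is-at 00:11:22:33:44:07
10:00:03.000 ARP, Reply 10.0.0.9 is-at 00:11:22:33:44:09
10:00:04.000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01
10:00:05.000 ARP, Reply 10.0.0.7 is-at de:ad:be:ef:00:01
10:00:06.000 ARP, Reply 10.0.0.9 is-at de:ad:be:ef:00:01
"""

_REPLY_RE = re.compile(
    r"^(\S+)\s+ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})"
)


def parse_arp_replies(log_text):
    """Return a list of (timestamp, ip, mac) for each ARP reply line; other lines are ignored."""
    out = []
    for line in log_text.splitlines():
        m = _REPLY_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3).lower()))
    return out


def ip_to_mac_conflicts(replies):
    """IPs advertised by more than one MAC: the classic poisoning signature."""
    seen = defaultdict(set)
    for _ts, ip, mac in replies:
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def mac_claiming_many_ips(replies, threshold=3):
    """MACs answering for at least `threshold` distinct IPs: one host posing as many."""
    claims = defaultdict(set)
    for _ts, ip, mac in replies:
        claims[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) >= threshold}


def gateway_impersonated(replies, gateway_ip=GATEWAY_IP):
    """True when the gateway address has been claimed by more than one MAC."""
    return gateway_ip in ip_to_mac_conflicts(replies)


if __name__ == "__main__":
    replies = parse_arp_replies(SAMPLE_ARP_LOG)
    print("IP claimed by several MACs:", ip_to_mac_conflicts(replies))
    print("MAC claiming many IPs:", mac_claiming_many_ips(replies))
    print("gateway impersonated:", gateway_impersonated(replies))
```

A production detector would key the same checks on a sliding time window and on a known-good IP-to-MAC table for the segment, so that a legitimate NIC replacement does not raise the same alert as a poisoner.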
The provider shall use open and published APIs to ensure support for interoperability between components and to facilitate migrating applications.

All structured and unstructured data shall be available to the customer and provided to them upon request in an industry-standard format (e.g., .doc, .xls, .pdf, logs, and flat files).

Policies, procedures, and mutually-agreed upon provisions and/or terms shall be established to satisfy customer (tenant) requirements for service-to-service application (API) and information processing interoperability, and portability for application development and information exchange, usage, and integrity persistence.

The provider shall use secure (e.g., non-clear text and authenticated) standardized network protocols for the import and export of data and to manage the service, and shall make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved.

The provider shall use an industry-recognized virtualization platform and standard virtualization formats
(e.g., OVF) to help ensure interoperability, and shall have documented custom changes made to any
hypervisor in use and all solution-specific virtualization hooks available for customer review.

Anti-malware awareness training, specific to mobile devices, shall be included in the provider's information security awareness training.

A documented list of approved application stores has been defined as acceptable for mobile devices accessing or storing provider managed data.

The company shall have a documented policy prohibiting the installation of non-approved applications or approved applications not obtained through a pre-identified application store.

The BYOD policy and supporting awareness training clearly states the approved applications, application stores, and application extensions and plugins that may be used for BYOD usage.

The provider shall have a documented mobile device policy that includes a documented definition for

All cloud-based services used by the company's mobile devices or BYOD shall be pre-approved for usage and the storage of company business data.

The company shall have a documented application validation process to test for mobile device, operating system, and application compatibility issues.

The BYOD policy shall define the device and eligibility requirements to allow for BYOD usage.

An inventory of all mobile devices used to store and access company data shall be kept and maintained. All changes to the status of these devices (i.e., operating system and patch levels, lost or decommissioned status, and to whom the device is assigned or approved for usage (BYOD)) will be included for each device in the inventory.

A centralized mobile device management solution shall be deployed to all mobile devices permitted to store, transmit, or process customer data.

The mobile device policy shall require the use of encryption either for the entire device or for data identified as sensitive on all mobile devices, and shall be enforced through technology controls.

The mobile device policy shall prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting) and shall enforce the prohibition through detective and preventative controls on the device or through a centralized device management system (e.g., mobile device management).

The BYOD policy includes clarifying language for the expectation of privacy, requirements for litigation, e-discovery, and legal holds. The BYOD policy shall clearly state the expectations regarding the loss of non-company data in the case that a wipe of the device is required.

BYOD and/or company-owned devices are configured to require an automatic lockout screen, and the requirement shall be enforced through technical controls.

Changes to mobile device operating systems, patch levels, and/or applications shall be managed through the company's change management processes.

Password policies, applicable to mobile devices, shall be documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and shall prohibit the changing of password/PIN lengths and authentication requirements.

The mobile device policy shall require the BYOD user to perform backups of data, prohibit the usage of unapproved application stores, and require the use of anti-malware software (where supported).

All mobile devices permitted for use through the company BYOD program or a company-assigned mobile device shall allow for remote wipe by the company's corporate IT or shall have all company-provided data wiped by the company's corporate IT.

Mobile devices connecting to corporate networks, or storing and accessing company information, shall allow for remote software version/patch validation. All mobile devices shall have the latest available security-related patches installed upon general release by the device manufacturer or carrier, and authorized IT personnel shall be able to perform these updates remotely.

The BYOD policy shall clarify the systems and servers allowed for use or access on a BYOD-enabled device.

Points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities shall be maintained and regularly updated (e.g., change in impacted-scope and/or a change in any compliance obligation) to ensure direct compliance liaisons have been established and to be prepared for a forensic investigation requiring rapid engagement with law enforcement.

Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures.

Workforce personnel and external business relationships shall be informed of their responsibilities and, if required, shall consent and/or contractually agree to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations.

Proper forensic procedures, including chain of custody, are required for the presentation of evidence to support potential legal action subject to the relevant jurisdiction after an information security incident. Upon notification, customers and/or other external business partners impacted by a security breach shall be given the opportunity to participate as is legally permissible in the forensic investigation.

Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.

Providers shall inspect, account for, and work with their cloud supply-chain partners to correct data quality errors and associated risks. Providers shall design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain.

The provider shall make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals).

Business-critical or customer (tenant) impacting (physical and virtual) application and system-system interface (API) designs and configurations, and infrastructure network and systems components, shall be designed, developed, and deployed in accordance with mutually agreed-upon service and capacity-level expectations, as well as IT governance and service management policies and procedures.

The provider shall perform annual internal assessments of conformance to, and effectiveness of, its policies, procedures, and supporting measures and metrics.

Supply chain agreements (e.g., SLAs) between providers and customers (tenants) shall incorporate at least the following mutually-agreed upon provisions and/or terms:
• Scope of business relationship and services offered (e.g., customer (tenant) data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations)
• Information security requirements, provider and customer (tenant) primary points of contact for the duration of the business relationship, and references to detailed supporting and relevant business processes and technical measures implemented to enable effective governance, risk management, assurance and legal, statutory and regulatory compliance obligations by all impacted business relationships
• Notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts
• Timely notification of a security incident (or confirmed breach) to all customers (tenants) and other business relationships impacted (i.e., up- and down-stream impacted supply chain)
• Assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed
• Expiration of the business relationship and treatment of customer (tenant) data impacted
• Customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence

Providers shall review the risk management and governance processes of their partners so that practices are consistent and aligned to account for risks inherited from other members of that partner's cloud supply chain.

Policies and procedures shall be implemented to ensure the consistent review of service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream). Reviews shall be performed at least annually and identify any non-conformance to established agreements. The reviews should result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships.

Providers shall assure reasonable information security across their information supply chain by performing an annual review. The review shall include all partners/third-party providers upon which their information supply chain depends.

Third-party service providers shall demonstrate compliance with information security and confidentiality,
access control, service definitions, and delivery level agreements included in third-party contracts. Third-
party reports, records, and services shall undergo audit and review at least annually to govern and maintain
compliance with the service delivery agreements.
Policies and procedures shall be established, and supporting business processes and technical measures
implemented, to prevent the execution of malware on organizationally-owned or managed user end-point
devices (i.e., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems
components.

Policies and procedures shall be established, and supporting processes and technical measures
implemented, for timely detection of vulnerabilities within organizationally-owned or managed
applications, infrastructure network and system components (e.g., network vulnerability assessment,
penetration testing) to ensure the efficiency of implemented security controls. A risk-based model for
prioritizing remediation of identified vulnerabilities shall be used. Changes shall be managed through a
change management process for all vendor-supplied patches, configuration changes, or changes to the
organization's internally developed software. Upon request, the provider informs customer (tenant) of
policies and procedures and identified weaknesses especially if customer (tenant) data is used as part the
service and/or customer (tenant) has some shared responsibility over implementation of control.

Policies and procedures shall be established, and supporting business processes and technical measures
implemented, to prevent the execution of unauthorized mobile code, defined as software transferred
between systems over a trusted or untrusted network and executed on a local system without explicit
installation or execution by the recipient, on organizationally-owned or managed user end-point devices
(e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems
components.
Gap Identification (Full, Partial or No Gap) | Controls Mapping | Gap Analysis

Full Gap | - | -
No Gap | 3.3 Data Confidentiality and Control Ownership; 4.A.2; 4.B.8 | -
No Gap | 3.3 Data Confidentiality and Control Ownership; 4.B.2 Considerations for Material Workloads; 4.B.3; 4.B.6 | -
No Gap | 3.3 Data Confidentiality and Control Ownership; 3.3 Data Retention; 4.B.6 | -
No Gap | 3.2; 3.3; 4.B.7; 4.B.8; 4.B.9 | -
Partial Gap | 4.A.1; 4.A.2; 4.B.8; 4.B.9 | Candidate scheme does not indicate 'annually' as minimum frequency for review
Partial Gap | 3.2; 3.3; 4.A.2; 4.B.11 | Candidate scheme does not indicate 'annually' as minimum frequency for review
No Gap | 4.B.6 Encryption | -
Partial Gap | 3.3 Business Continuity Management; 4.B.14 Considerations for Material Workloads; 3.2 Physical Security Risk Assessment; 4.C.7 | Candidate scheme does not specify a requirement for re-testing of business continuity and security incident response plans upon significant organizational or environmental changes.
No Gap | 3.3 Business Continuity Management; 4.B.10 Considerations for Standard Workloads | -
No Gap | 3.2 Physical Security Risk Assessment | -
No Gap | 4.C.7 | -
No Gap | 4.B.3; 4.C.7 | -
Partial Gap | 3.2; 3.3 Business Continuity Management; 3.2 Physical Security Risk Assessment; 4.C.7 | While the candidate scheme refers to ensuring business continuity, there are no specific requirements stipulated for equipment maintenance and availability of operations and support personnel
No Gap | 3.3 Business Continuity Management; 3.2 Due Diligence Process | -
No Gap | 4.A.1 | -
No Gap | 3.3 Exit Plan; 4.B.3; 4.A.2; 4.C.7 | -
No Gap | 3.3 Business Continuity Management; 3.3 Data Retention; 3.3 Exit Plan; 4.C.7 | -
Partial Gap | 4.A.1; 4.B.1 Considerations for Standard Workloads; 4.B.2; 4.C.1 | Although the candidate scheme describes the need for governance bodies for critical outsourced services, strictly controlling access rights to create non-standard architectures, having an appropriate approval workflow in place to deploy cloud reference architectures, implementing a robust change management process, and pre-approval for DevOps practices, these are general and do not explicitly mention or cover development and acquisition of new assets
Full Gap | - | -
No Gap | 4.C.1 | -
Partial Gap | 4.B.4 Considerations for Standard Workloads; 4.B.11 | Candidate scheme disallows the use of unsanctioned cloud services but does not cover the general case of restricting installation of unauthorized software on other endpoints and devices as required by the base control
No Gap | 4.B.2 Considerations for Standard Workloads; 3.3 Data Transfers and Location of Data | -
No Gap | 3.1 Asset Classification; 4.C.1 | -
No Gap | 3.3 Data Transfers and Location of Data | -
Full Gap | 3.3 Data Confidentiality and Control Ownership; 3.3 Audit and Inspection; 4.B.11 | -
Partial Gap | 3.3 Data Transfers and Location of Data | Candidate scheme does not specify details on inheritance of labels
No Gap | 3.3 Data Retention; 3.3 Exit Plan; 4.B.2; 4.B.11 | -
No Gap | 3.3 Data Confidentiality and Control Ownership; 4.B.6 Considerations for Material Workloads | -
No Gap | 3.3 Data Retention; 3.3 Exit Plan | -
Partial Gap | 3.1 Asset Classification; 4.A.3 Considerations for Standard Workloads, Point 2; 4.B.11 Considerations for Standard Workloads | Candidate scheme requires having a clear policy on asset classification in order to assess and determine the controls necessary for protecting data confidentiality and integrity and the location where the data should be hosted. However, the classification categories required in this control are not explicitly stated, nor is the maintenance and updating of the inventory over time.
No Gap | 3.2 Physical Security Risk Assessment | -
Partial Gap | 4.B.4 Considerations for Standard Workloads; 4.B.8 Considerations for Standard Workloads; 4.B.9 Considerations for Material Workloads; 4.B.10 Considerations for Standard Workloads | Candidate scheme recommends multi-factor authentication and IP source and destination restrictions when performing connection/access over a network. However, automated equipment identification is not explicitly required
Full Gap | - | -
No Gap | 3.3 Data Retention; 3.3 Exit Plan | -
No Gap | 3.2 Physical Security Risk Assessment | -
No Gap | 3.3 Due Diligence Process; 3.2 Physical Security Risk Assessment | -
No Gap | 3.2 Physical Security Risk Assessment | -
No Gap | 3.2 Physical Security Risk Assessment | -
No Gap | 4.B.5; 4.B.6 | -
No Gap | 4.B.5; 4.B.6 | -
No Gap | 4.B.5 | -
No Gap | 4.B.6 | -
Partial Gap | 3.2; 4.C.1 | No mention in CCIG that compliance with baseline requirements should be assessed at least annually.
Partial Gap | 4.A.2 | Although risk assessment is covered in the candidate scheme, it only mentions that 'risk assessment of key controls should be performed', but does not specify assessment intervals nor any of the data-specific requirements in GRM-02
Partial Gap | 4.A.1 | Candidate scheme covers organizational considerations for management of CSPs generically, but does not specifically require 'maintaining awareness of, complying with, security policies, procedures, and standards that are relevant to their area of responsibility' for managers
Partial Gap | 3.2 | Candidate scheme makes no mention of the requirement for human resources security
No Gap | 3.2; 4.A.1 | -
Partial Gap | 3.2 | Candidate scheme stipulates the establishment of information security policies and procedures, but does not elaborate on further steps to make them available to impacted personnel and external business relationships. Candidate scheme also does not stipulate who should authorize or support the policies.
Full Gap | 3.2 | Candidate scheme does not mention a requirement to have a disciplinary policy for employees who have violated security policies and procedures
No Gap | 3.2 Physical Security Risk Assessment; 3.2 Pre and Post Implementation Review | -
Full Gap | - | -
Partial Gap | 3.2; 4.A.2 | Candidate scheme does not stipulate any interval for risk assessments.
Partial Gap | 3.2; 3.3 | Candidate scheme requires risks to be mitigated to acceptable levels, but does not elaborate on how acceptance levels are determined and how they should be documented
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Partial Gap | 3.2 Subcontracting; 3.3 Subcontractors | Candidate scheme describes the need for risk management frameworks with the use of subcontractors, but does not explicitly state a requirement to document roles and responsibilities for contractors, employees and third-party users
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
No Gap | 4.B.2; 4.B.15 | -
No Gap | 4.B.8; 4.B.9 | -
No Gap | 4.B.2; 4.B.8; 4.B.10 | -
No Gap | 4.B.8; 4.B.9 | -
No Gap | 4.B.8; 4.B.9; 4.B.10 | -
No Gap | 4.B.12 | -
Partial Gap | 3.1; 4.B.7 | Candidate scheme describes the need to manage third-party risks and reduce the amount of data shared with third parties (through tokenisation), but does not provide further controls on monitoring and measurement of the likelihood and impact of unauthorized or inappropriate access. There is also no mention of the need to implement compensating controls arising from a risk analysis exercise
No Gap | 4.B.2; 4.B.8; 4.B.9 | -
No Gap | 4.B.8 | -
No Gap | 4.B.8; 4.B.9 | -
No Gap | 4.B.8; 4.B.9 | -
No Gap | 4.B.8; 4.B.9 | -
No Gap | 4.B.4; 4.B.8 | -
No Gap | 4.B.2; 4.B.14; 4.B.15 | -
No Gap | 4.C.1; 4.C.2; 4.C.4 | -
Full Gap | - | -
No Gap | 3.1 Key Performance Indicators / Key Risk Indicators; 4.B.1; 4.B.3; 4.C.5 | -
No Gap | 4.B.2; 4.B.13 | -
Partial Gap | 4.B.4 | Candidate scheme stipulates regular review of configurations but does not indicate a minimum frequency of 1 year
Partial Gap | 4.B.2; 4.B.13 | Candidate scheme covers security hardening through the patching of vulnerabilities identified in penetration testing exercises. However, it does not elaborate on the details specified in the base control of opening 'only necessary ports, protocols, and services'. Integrity checks on templates are required by the candidate scheme, but antivirus and logging are not included.
No Gap | 4.B.2; 4.B.4 Considerations for Standard Workloads | -
Partial Gap | 3.3 Data Confidentiality and Control Ownership; 4.B.2 Control Objectives; 4.B.4 | Candidate scheme requires the CSP to protect the confidentiality and integrity of customers' information and assets when multi-tenancy and commingling arrangements or practices are adopted by CSPs. Other than network segregation of workloads based on type (production, test, development) and purpose (user, server, interface, critical infrastructure segments), the candidate scheme does not elaborate further on other considerations such as compliance with legal, statutory and regulatory compliance obligations
Partial Gap | 4.B.4 | Although the candidate scheme requires network segregation, it does not specifically mention the use of secure or encrypted channels to move/migrate VM images or data between physical and virtualised servers.
Full Gap | - | -
Full Gap | - | -
Partial Gap | 4.B.4 | Candidate scheme requires protection against network-based attacks (e.g., DDoS). However, it does not require indication of high-risk areas in the network architecture
Full Gap | - | -
Partial Gap | 3.3 Data Confidentiality and Control Ownership; 3.3 Data Retention; 3.3 Exit Plan | Candidate scheme requires that data is always available to the customer. However, its controls are focused on the return of data, deletion of data and rendering data inaccessible to third parties upon contract termination. Candidate scheme does not specify that data is to be returned in industry-standard formats.
Full Gap | - | -
Full Gap | - | -
Partial Gap | 4.B.2 | Candidate scheme specifies that a standard set of tools and processes be used to manage containers, images and release management. However, the control intent and objective of doing so in order to ensure interoperability is not mentioned in the candidate scheme. Candidate scheme also does not cover the documentation of custom changes made to the virtualization tools/software.
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
Full Gap | - | -
No Gap | 4.C.4 | -
No Gap | 4.C.4 | -
No Gap | 4.C.4 | -
Full Gap | - | -
No Gap | 4.C.4 | -
Partial Gap | 3.3 Data Confidentiality and Control Ownership; 4.B.8; 4.B.10; 4.B.11 | Candidate scheme does not stipulate a requirement for inspection, accounting for and working with supply-chain partners to correct data quality errors and associated risks.
Partial Gap | 4.C.4 | Candidate scheme does not explicitly require the incident reporting requirements of STA-02, but it provides the means for such a requirement to be met via the following statement: "Access to appropriate reports on
3.1.Contractual relevant incidents and root cause analysis should be
agreed between the FI and the CSP. "
Agreement
3.1.Key Performance
Indicators
4.B.3 / Key Risk
No Gap Indicators -
4.C.5
Full Gap -
3.2.Data Centre -
3.2.Subcontracting
3.3.Service Level Candidate scheme does not stipulate customer
Agreements service-to-service application (API) and data
Partial Gap 3.3.Data Confidentiality interoperability and portability requirements
and Control Ownership for application development and information
4.A.1.Considerations for exchange, usage, and integrity persistence
Standard Workloads
No Gap 4.C.1
3.2.Subcontracting -
3.1.Key
4.C.4 Performance
Indicators / Key Risk
3.2.Due Diligence
Indicators
Process
3.3.Data
3.3.Data Confidentiality
Retention Candidate scheme requires policies and
and Control
3.3.Exit PlanOwnership procedures to handle SLAs and compound
Partial Gap 3.3.Service Level SLAs, require periodic reviews based on
Agreements materiality of workloads, but does not state an
4.A.1.Considerations for annual review as minimum
Standard Workloads
4.A.3.Considerations
3.1.Key Performance for
Material
IndicatorsWorkloads
/ Key Risk
Indicators
3.1.Third Party Risk Candidate scheme provides guidelines on third
Management party and subcontractor management, and
3.2.Subcontracting ensuring effectiveness of key info security
Partial Gap
3.3.Data Confidentiality controls via SLAs subjected to periodic
and Control Ownership review, but does not explicitly stipulate any
3.3.Service Level minimum periods for review
Agreements
4.A.3.Considerations for
3.1.Key
Material Performance
Workloads
Indicators / Key Risk
Candidate scheme requires ensuring
Indicators
effectiveness of key info security controls via
3.1.Third Party Risk
Partial Gap SLAs subjected to periodic review, but does
Management
not explicitly stipulate any minimum periods
3.2.Subcontracting
for review
3.3.Service Level
Agreements
Candidate scheme recommends technical
measures - implementation of end user
computing device controls (eg. access only
Partial Gap 4.B.10 from recognized hardware using machine
authentication, or VDIs) to reduce risk of
malware. It however does not cover business
processes and policies.

Candidate scheme does not mention the


4.B.12
requirement for provider to inform customer
4.B.13
Partial Gap (tenant) of policies and procedures and
4.C.1
identified weaknesses from their own
4.C.6
vulnerabilty scans / testing

Full Gap - -
Control Domain | Control ID

Section 3 : Activities recommended as part of due diligence

3.1 Governance
  3.1.Overview
  3.1.Cloud Computing Due Diligence Framework
  3.1.Contractual Agreement
  3.1.Key Performance Indicators / Key Risk Indicators
  3.1.Third Party Risk Management
  3.1.Asset Classification

3.2 Assessment of the CSP
  3.2.Overview
  3.2.Materiality Assessment
  3.2.Financials
  3.2.Corporate Governance and Entity Controls
  3.2.Data Centre
  3.2.Physical Security Risk Assessment
  3.2.Due Diligence Process
  3.2.Subcontracting
  3.2.Pre and Post Implementation Review

3.3 Contractual Considerations
  3.3.Overview
  3.3.Data Confidentiality and Control Ownership
  3.3.Data Transfers and Location of Data
  3.3.Audit and Inspection
  3.3.Business Continuity Management
  3.3.Subcontractors
  3.3.Service Level Agreements
  3.3.Data Retention
  3.3.Default Termination
  3.3.Exit Plan

Section 4: Key controls recommended when entering into a cloud outsourcing arrangement

4.A Govern the Cloud

4.A.1 Organisational Considerations for the Management of Cloud Service Providers
  4.A.1.Overview
  4.A.1.Control Objectives
  4.A.1.Considerations for Standard Workloads
  4.A.1.Considerations for Material Workloads

4.A.2 Control Assessment & Monitoring
  4.A.2.Overview
  4.A.2.Control Objectives
  4.A.2.Considerations for Standard Workloads
  4.A.2.Considerations for Material Workloads

4.A.3 Billing Models
  4.A.3.Overview
  4.A.3.Control Objectives
  4.A.3.Considerations for Standard Workloads
  4.A.3.Considerations for Material Workloads

4.B Design and Secure the Cloud

4.B.1 Cloud Architectural Reference Solutions & Practices
  4.B.1.Overview
  4.B.1.Control Objectives
  4.B.1.Considerations for Standard Workloads

4.B.2 Virtualisation, Containerisation and DevOps
  4.B.2.Overview
  4.B.2.Control Objectives
  4.B.2.Considerations for Standard Workloads
  4.B.2.Considerations for Material Workloads

4.B.3 Resiliency in Cloud Architectures
  4.B.3.Overview
  4.B.3.Control Objectives
  4.B.3.Considerations for Standard Workloads
  4.B.3.Considerations for Material Workloads

4.B.4 Network Architectures
  4.B.4.Overview
  4.B.4.Control Objectives
  4.B.4.Considerations for Standard Workloads
  4.B.4.Considerations for Material Workloads

4.B.5 Cryptographic Key Management
  4.B.5.Overview
  4.B.5.Control Objectives
  4.B.5.Considerations for Standard Workloads
  4.B.5.Considerations for Material Workloads

4.B.6 Encryption
  4.B.6.Overview
  4.B.6.Control Objectives
  4.B.6.Considerations for Standard Workloads
  4.B.6.Considerations for Material Workloads

4.B.7 Tokenisation
  4.B.7.Overview
  4.B.7.Control Objectives
  4.B.7.Considerations for Standard Workloads

4.B.8 User Access Management and Authentication
  4.B.8.Overview
  4.B.8.Control Objectives
  4.B.8.Considerations for Standard Workloads
  4.B.8.Considerations for Material Workloads

4.B.9 Privileged User Access Management
  4.B.9.Overview
  4.B.9.Control Objectives
  4.B.9.Considerations for Standard Workloads
  4.B.9.Considerations for Material Workloads

4.B.10 Administrative Remote Access
  4.B.10.Overview
  4.B.10.Control Objectives
  4.B.10.Considerations for Standard Workloads
  4.B.10.Considerations for Material Workloads

4.B.11 Data Loss Prevention
  4.B.11.Overview
  4.B.11.Control Objectives
  4.B.11.Considerations for Standard Workloads
  4.B.11.Considerations for Material Workloads

4.B.12 Source Code Reviews
  4.B.12.Overview
  4.B.12.Control Objectives
  4.B.12.Considerations for Standard Workloads
  4.B.12.Considerations for Material Workloads

4.B.13 Penetration Testing
  4.B.13.Overview
  4.B.13.Control Objectives
  4.B.13.Considerations for Standard Workloads
  4.B.13.Considerations for Material Workloads

4.B.14 Security Events Monitoring
  4.B.14.Overview
  4.B.14.Control Objectives
  4.B.14.Considerations for Standard Workloads
  4.B.14.Considerations for Material Workloads

4.B.15 Securing Logs and Backups
  4.B.15.Overview
  4.B.15.Control Objectives
  4.B.15.Considerations for Standard Workloads
  4.B.15.Considerations for Material Workloads

4.C Run the Cloud

4.C.1 Change Management
  4.C.1.Overview
  4.C.1.Control Objectives
  4.C.1.Considerations for Standard Workloads
  4.C.1.Considerations for Material Workloads

4.C.2 Configuration Management
  4.C.2.Overview
  4.C.2.Control Objectives
  4.C.2.Considerations for Standard Workloads
  4.C.2.Considerations for Material Workloads

4.C.3 Event Management
  4.C.3.Overview
  4.C.3.Control Objectives
  4.C.3.Considerations for Standard Workloads
  4.C.3.Considerations for Material Workloads

4.C.4 Incident and Problem Management
  4.C.4.Overview
  4.C.4.Control Objectives
  4.C.4.Considerations for Standard Workloads
  4.C.4.Considerations for Material Workloads

4.C.5 Capacity Management
  4.C.5.Overview
  4.C.5.Control Objectives
  4.C.5.Considerations for Standard Workloads
  4.C.5.Considerations for Material Workloads

4.C.6 Patching and Vulnerability Management
  4.C.6.Overview
  4.C.6.Control Objectives
  4.C.6.Considerations for Standard Workloads
  4.C.6.Considerations for Material Workloads

4.C.7 Collaborative Disaster Recovery Testing
  4.C.7.Overview
  4.C.7.Control Objectives
  4.C.7.Considerations for Standard Workloads
  4.C.7.Considerations for Material Workloads
Control Description

Section 3 : Activities recommended as part of due diligence

The structure and manner in which an on-going outsourcing arrangement is managed is paramount to maximising the benefits derived from it, and to minimising and managing the inherent risks associated with outsourcing.

Expectations should be agreed between the CSP and the FI, in particular with regard to operational contract management, SLA management, technology risk management, business continuity management and contract exit. These are covered in detail in other sections; however CSPs should provide assurance to FIs that there is stringent governance on their daily operational procedures, and that this is validated via an independent assurance process.
FIs should establish a risk management framework and conduct appropriate due diligence to manage the risks associated with CSPs as well as their material sub-contracting arrangements. It is recommended that an FI develop a framework to assist in the identification and monitoring of risks during cloud adoption.

The FI should ensure that contractual terms and conditions governing the roles, relationships, obligations and responsibilities of all contracting parties are set out fully in written agreements.
Once responsibilities are understood and agreed, KPIs, key activities, inputs and outputs should be defined in an SLA, along with accountabilities. The governance of the SLA as well as the tools recommended for tracking should also be defined in the contract. KRIs should indicate the effectiveness of key information security controls, which are subject to periodic review. The control testing interval should be determined by the FI based on a risk-based approach. The FI's service level requirements and the metrics by which the relevant service is to be measured should also be documented clearly.

It is recognized that moving technology infrastructure into the cloud creates a shared responsibility model between the consumer and the CSP for the operation and management of security controls. Keeping in mind that the FI will remain accountable for protecting its information, it is strongly recommended to ensure that roles and responsibilities for relevant IT and operations departments are clearly defined, understood, and contractually agreed before transferring any data into the cloud.

The CSP should be able to demonstrate that it implements and maintains a robust risk management and governance framework that effectively manages the cloud service arrangements including any sub-contracting arrangements.
The FI should have a clear policy on the classification of the assets that are outsourced to the CSP as part of its risk profiling. Such policy should include the FI's ability to assess and determine the controls necessary for protecting the data confidentiality and integrity and the location where the data should be hosted.

The FI should perform the necessary due diligence to understand the services they are adopting and what their and the CSP's responsibilities are.
The due diligence on the cloud service provider must take into consideration data confidentiality, financial, operational and reputational factors including the level of ethical and professional standards
held by the CSP and the CSP’s ability to comply with its obligation under the outsourcing arrangement.
Prior to engagement with a CSP, FIs need to establish the CSP’s ability to comply with necessary minimum controls based on the intended workloads (see section 2 Cloud Outsourcing Classification)
The financial strength and resources should be assessed to ensure that the viability of the service provider to service commitments even under adverse conditions.
The good corporate practices and control consciousness of CSP’s staff sets the priority and culture, and is the foundation for all the other components of internal control, providing discipline and
structure.
It is important for FI to be in position to ascertain and agree on which countries are acceptable for an FIs’ data to be processed and reside. This determines the nature of the risk that exists in the
outsourcing arrangement, and is a basic requirement to demonstrate that the FI has sufficient oversight of its outsourcing arrangement.

A Threat & Vulnerability Risk Assessment (TVRA) or equivalent independent assessments should be conducted on data centres in Singapore and overseas where these data centres support the FI’s
Singapore operations. The purpose of this assessment is to identify security threats to and operational weaknesses in a data centre in order to determine the level and type of protection that should be
established to safeguard it.

The scope of assessment is dependent on many factors such as the criticality and the type of systems hosted at the DC. Nevertheless, the scope should minimally include the DC's perimeter, physical and environmental security, natural disasters, and the political and economic climate of the country in which the DC resides. This assessment is commonly undertaken by the CSP. The FI should obtain and validate the TVRA or equivalent independent assessment reports from the CSP. The assessment must be performed periodically to identify any security and operational weaknesses. The CSP should promptly remedy any threats, risks or security issues identified as being material in the assessment report.

Due diligence of the CSP should cover all locations that support the FI's processing and data storage requirements. It should not be assumed that controls are consistent across all locations. If the CSP confirms that controls are consistent across all relevant locations, then a single assessment report for such locations should suffice.

The FI should ensure that the outsourcing agreement includes the following requirements:
(a) State the responsibilities of contracting parties in the outsourcing agreement to address the scope of the services and the applicable baseline security policies and practices, including the circumstances under which each party has the right to change security requirements. The outsourcing agreement should also address:

(i) the issue of the party liable for losses in the event of a breach of security or confidentiality and the CSP's obligation to inform the FI; and

(ii) the issue of access to and disclosure of FIs' information assets by the CSP. FIs' information should only be used by the CSP and its staff strictly for the purpose of the contracted service, and in accordance with the terms of the agreement.

(b) Disclose the FI's information to the CSP only on a need-to-know basis;

The assessment criterions are available in the latest MAS Technology Risk Management Guidelines under data centres protection and controls.

The Association of Banks in Singapore (ABS) has established guidelines on Control Objectives and Procedures for Outsourced Service Providers (OSPs) operating in Singapore, also known as OSPAR. These guidelines form the minimum/baseline controls that OSPs (which may include CSPs where relevant) which wish to service the FIs should have in place.

It is the FI's responsibility to assess the appropriateness of the scope and controls covered by the report. Domains such as information security policies and awareness, due diligence and risk assessment of practices related to sub-contracting, system vulnerability assessments and penetration testing, and technology refresh management with respect to the end of life systems are particularly relevant.

The FI must also ensure that the controls covered by the report provide the necessary assurance to support compliance with the MAS Technology Risk Management Guidelines (TRMG) and Outsourcing Guidelines.

FIs should establish their own risk management framework and the necessary policies and procedures with respect to the scope of their pre and post-implementation reviews. These should be commensurate with the materiality of the outsourcing arrangement.

The MAS expects FIs to maintain similar control over the risks from its outsourcing arrangements when a CSP uses a sub-contractor to support material services. As such, FIs should establish risk management frameworks and conduct appropriate due diligence to manage the risks associated with sub-contracting arrangements. FIs should retain the ability to monitor and control its outsourcing arrangements.

An appropriate notification method should be agreed between the FI and the CSP for changes in material subcontracting so that the FI can exercise oversight when a service provider uses a sub-contractor to support material services.

FIs should at the outset obtain legal advice to ascertain that the cloud service provider is operating in jurisdictions that generally uphold confidentiality clauses and agreements. An FI should enter into outsourcing arrangements only with service providers operating in jurisdictions that generally uphold confidentiality clauses and agreements.

Pre-implementation reviews should not be limited to the due-diligence on the CSP but also include checks and controls to ensure a smooth handover of the functions from FIs and/or other service providers to the new service providers.
MAS considers cloud services operated by CSPs as a form of outsourcing. When negotiating a contract with a CSP, the FI should ensure that it has the ability to contractually enforce agreed and measurable information security control and operational requirements. Without such authority, any controls that are put in place as part of the outsourcing arrangement may not be enforced, as the FI will be relying on good faith efforts of the CSP.

An outsourcing arrangement should not interfere with the ability of FIs to effectively manage its business activities and risk or impede MAS in carrying out its supervisory functions and objectives.

(c) Ensure the CSP is able to protect the confidentiality and integrity of the FI's information, documents, records, and assets, particularly where multi-tenancy and/or data commingling arrangements or practices are adopted by the CSP; and

(d) Review and monitor the security practices and control processes of the service provider on a regular basis, including commissioning or obtaining periodic expert reports on security adequacy and compliance in respect of the operations of the CSP, and requiring the CSP to promptly disclose to the FI any breaches or serious incidents that may impact the FI's data confidentiality.

Post implementation reviews may include reviewing the effectiveness and adequacy of the institutions' controls in monitoring performance of the service provider and checks to evaluate that the risks associated with the outsourcing activity are managed appropriately as planned. Post-implementation reviews are usually conducted shortly after the commencement of the outsourcing arrangement. It is strongly recommended that FIs determine an appropriate timeframe for post-implementation reviews.

Where the FI does not control the location of its data, the FI and CSP should come to an agreement on where the FI's data can reside in respect of which countries or states, if there are differences between the jurisdiction of federal and state courts. (For example, in federations like the United States, the jurisdiction can apply to these local, state, and federal levels.)

The FI should take steps to satisfy itself that the interdependency risk arising from the outsourcing arrangement can be adequately mitigated such that the FI remains able to conduct its business with integrity and competence in the event of a service disruption or failure, or unexpected termination of the outsourcing arrangement or liquidation of the CSP. These should include taking the following steps:

If an audit inspection cannot be performed by the FI's appointed auditors, MAS expects institutions to rely on the audit opinion of a service provider's auditor. The party performing the audit should possess the requisite knowledge and skills to perform the engagement, and be independent of the units or functions involved in the outsourcing arrangement.

The FI should review the scope of such reports to ensure that the sample set selected by the independent auditor provides external assurance of such services, facilities and locations that the FI intends to utilise.

A contractual clause requiring advance notification by the CSP of any changes to these locations should be included in the outsourcing agreement. Where the FI does not have the contractual right to reject any proposed change in the location of its data, it is recommended that the FI should retain a right to terminate the outsourcing agreement in the event of an unsatisfactory change or new location.
The CSP should have a defined framework for assessment of incidents (e.g. near-miss events resulting from repeated unsuccessful attempts or application errors resulting in data breaches) so that the FI can take the necessary precautions to safeguard their data.

A right to audit by the MAS should be included as a stipulation in the contract.

To ensure that data remains protected even if it leaves the jurisdiction of Singapore, unless prohibited by applicable laws, it is recommended that FIs contractually establish binding requirements that require the CSP to notify the FI in the event local legal requirements compel the CSP to disclose the data to a 3rd party, bearing in mind section 47 of the Singapore Banking Act.

(a) Determine that the CSP has in place satisfactory business continuity plans ("BCP"). Prior to contracting with the CSP, the FI should verify the CSP's ability to recover the outsourced systems and/or IT services within the stipulated RTO.

(b) Proactively seek assurance on the state of BCP preparedness of the CSP, or participate in joint testing in specific nature of outsourced services (such as SaaS or PaaS), where possible. FIs should ensure the CSP regularly tests its BCP plans and that the tests validate the feasibility of the RTO, RPO and resumption operating capacities.

(c) Ensure that there are plans and procedures in place to address adverse conditions or termination of the outsourcing arrangement such that the FI will be able to continue business operations and that all documents, records of transactions and information previously given to the CSP should be promptly removed from the possession of the service provider or deleted, destroyed or rendered unusable.

Subcontractors. Where a CSP elects to use subcontractors to perform the services which have a material impact to the provision of the Cloud service, an appropriate notification method should be agreed between the FI and the CSP for changes in material subcontracting so that the FI can exercise oversight. The CSP remains primarily accountable to the FI for the provision of service, and effectiveness in managing their subcontractors. The CSP should also be accountable for remediating any non-performance issues identified.

Where the FI does not have the contractual right to reject any proposed subcontractor, it is recommended that the FI should retain a right to terminate the outsourcing agreement in the event of an unsatisfactory performance of the subcontractors, or the subcontractor is or has become prohibited by the regulator.

The CSP should provide reasonable access to the necessary information to assist in any FI investigation arising due to an incident in the cloud or audit inspection, to the extent that it does not contravene any other legal obligations.

The FI should understand and agree with the CSP on the change management process in relation to the services provided, and the impact assessment criterions in relation to the SLA in the contract. Agreed controls including IT Security and Contractor On-boarding controls.

FIs would be required to follow up with the CSP to ensure that all appropriate and timely remediation actions are taken to address any audit findings.

The outsourcing agreement should include clauses making the CSP contractually liable for the performance and risk management of its sub-contractor.

The FI should ensure that the outsourcing agreement includes an obligation for the CSP to provide prompt notification to the FI in the event of any significant changes or issues that may impact service availability (including service governance and/or location).

An FI should not enter into outsourcing arrangements with service providers in jurisdictions where access to the information by MAS or agents appointed by MAS to act on its behalf, at the service provider and/or its sub-contractor, may be impeded by legal or administrative restrictions.

Enforceable and measurable Service Level Agreements (SLAs) should be negotiated where possible, particularly for material outsourcing arrangements. These should include a definition of the performance to be measured. Governance controls may be put in place to manage the contract on an ongoing basis. This should define any management information and other deliverables that will form the basis for that governance. FIs should be aware of compound SLAs and ensure they meet their overall requirements. Where SLAs are negotiated, these must be aligned with business requirements, and where possible appropriate contractual remedies or termination / liquidated damages clauses included.

Consideration should also be given to the support provided by a CSP during an audit, including any resources, costs, and turn-around times for requests for information. Typically this will be a value add of the service by the CSP.

In the event of contract termination with the CSP, on either expiry or prematurely, the FI should have the contractual right to promptly render data inaccessible at the CSP's systems (including backups).
all documents, records of transactions and information previously given to the CSP should be promptly removed from the possession of the service provider or deleted, destroyed or rendered unusable.
Provision to address specific regulatory requirements, such as the right to audit by the MAS and prompt notification of security incidents or technology outages that have a material impact, must also be
included in the outsourcing agreement if relevant.
FI must be able to stipulate access to its data, both those used for daily operational purposes as well as for contingency, disaster recovery or backups.

An area of concern would be the management of data in online or offline backups. Where data can be isolated or logically segregated this is simpler to manage. However in a shared environment, the FI
should ensure that its data is protected by verified and appropriate technical means through assessment as part of the due diligence process.

For encrypted data, FI must ensure that appropriate cryptographic key management is in place, as well as validate the CSP’s ability to restore the service from backups effectively.

The contract should clearly stipulate the situations in which FIs should have the right to terminate the outsourcing agreement in the event of default, or under circumstances where:
- the CSP undergoes a change in ownership;
- the CSP becomes insolvent or goes into liquidation;
- the CSP goes into receivership or judicial management whether in Singapore or elsewhere;
- there has been a breach of security or confidentiality;
- there is a demonstrable deterioration in the ability of the service provider to perform the contracted service.

Refer to the MAS outsourcing guidelines for details pertaining to default termination and early exit.

Upon exiting a contract with a CSP where the FI does not have direct access to its data, the FI needs to ensure that the CSP covers the design and process for data deletion in the scope of an independent audit and that the operational effectiveness of these controls is tested. In this way, the CSP can provide assurance to the FI that its data is rendered permanently inaccessible in a timely manner, in particular any backup or distributed online media after the exit of the contract.

The extent of exit planning should be dependent on the materiality of the outsourcing arrangement and the potential impact to the on-going operations of the FI. The following considerations should be taken into account:
1. Agreed procedure and tools used for deletion of data in a manner that data is rendered irrecoverable.
2. Costs associated with the exfiltration of the FI's data.
3. Removal of all financial institution's data (e.g. customer data) and confirmation that all data has been rendered irrecoverable on termination of the outsourcing arrangement.
4. Transferability of outsourced services (e.g. to a third party or back to the FI) for the purpose of continuity of service. For recovery of data for the purpose of continuity of service, FIs should ensure that the following are in place where appropriate:
5. A legal agreement that commits the CSP to assist in the exit process so as not to unreasonably impede the exit, or the testing of an exit plan. These should include the format and manner in which data is to be returned to the FI, as well as support from the CSP to ensure the accessibility of the data.
6. Data elements to be extracted and returned to the FI should be agreed upon at the start of the outsourcing arrangement and reviewed whenever there are material changes to the outsourcing arrangement.

The minimum period to execute a termination provision should be specified in the outsourcing agreement. The outsourcing agreement should also contain provisions to ensure smooth transition when the agreement is terminated or amended.

An FI should design and implement a suitable governance body and roles, where appropriate with representatives of both the CSP and the FI. The governance body should be empowered to oversee and review security incidents and adherence to SLAs, KPIs and KRIs, incidents, and other matters relevant to the risks associated with outsourcing. This governance body should meet periodically, the frequency determined by the materiality of the arrangement.

Section 4: Key controls recommended when entering into a cloud outsourcing arrangement

4.A Govern the Cloud

FIs which are planning to scale their outsourcing arrangements to the cloud may need to consider adapting their organizational structure to ensure effective and timely oversight of 3rd parties, particularly with regard to performance, operational effectiveness of controls and remediation.

• Ensure there is accountability and governance in place that bridges the FI and CSPs
• Ensure that the FI has the appropriate skills and knowledge to execute oversight and manage demand
• Demonstrate compliance position against regulatory requirements, corporate policies and standards
• Execute robust and timely oversight of risks associated with cloud outsourcing arrangements

Execution of the critical oversight of cloud outsourcing arrangements requires a specific skill-set. FIs should be mindful when outsourcing that key staff and roles are identified and that their knowledge is kept up to date by training or other methods.

1. Where services have been outsourced, representation on the governance body should be of appropriately senior technology and business representatives.
2. Have a consistent, empowered interface between the FI's business and operations divisions and the CSP.
3. FIs should consider creating a specific role to execute oversight of cloud outsourcing arrangements.
4. A single point of contact and support from the CSP should be formally identified and given a sufficient mandate.
5. A defined escalation procedure should be put in place for both the CSP and the FI to use.

The FI should establish an appropriate control framework to manage the risks associated with the intended workloads. The controls should be defined in line with corporate policies and regulatory expectations and consider compliance with these requirements. Where possible control testing should be automated and tested at a frequency determined by the FI's risk appetite.

It is recommended that the FI have a centralised governance structure to manage master subscription and control, procedural and pattern based use cases.

Risk Assessment should be considered from two angles: firstly a regulatory risk and secondly to assess a particular control.

1. Prior to embarking on any cloud outsourcing arrangement, a thorough technical assessment of key controls or how a particular service is provisioned should be performed to ensure the required controls are implemented and operating within the acceptable thresholds.
2. It is recommended that metrics provide a complete view, both where controls are owned and operated by the FI or the CSP. Interfaces to internal governance bodies should also be considered for FI owned controls.
3. When performing due diligence activities, or during audits and inspections to assess the CSP, it is recommended to use appointed individuals or a central point to coordinate activities between the CSP, FI and the auditor.

1. Regularly test key controls to provide assurance of the effectiveness of the overall control framework.

FIs should assess their existing controls assurance framework for the suitability of
managing cloud outsourcing. Key controls for
must specific workloads
be identified, mapped and effectiveness thresholds
defined.
2. Where possible an FI in should ensure that a control failure triggers an automated response and for
notification.
2. Where non-compliance is detected, trigger an appropriate and timely response for remediation.

6. Any incremental changes to the cloud outsourcing controls should be managed via the governance forum.

• Ensure that all assets in the cloud are identified, have clear ownership assigned and are rated for their asset classification.

3. Establish Management Information and controls for the reporting on control assessments. Define an appropriate oversight and escalation model to execute remediation activities which takes into consideration both FI and CSP activities.

2. The FI should consider leveraging the dashboard available in the cloud environment to enforce security standards and baselines as well as automated remediation where possible.

• Ensure clear ownership of cloud costs and a consistent model of consumption.

Strategic adoption of cloud is usually supported by a business case. Additionally, with a distributed model it is important to track usage to ensure clear ownership of costs and facilitate internal distribution of these expenses.

3. Do not use the CSP's master account to manage costs; create sub accounts which are aligned to the finance structure of the FI.

4. Ensure there is training or educational material for users of the cloud environment which is tailored to help them understand the best adoption methods and prevent wasteful use of cloud resources.

3. Ensure that excessive or unnecessary usage is identified, prevented, and managed in a timely manner.

The FI should consider the use of analytics with machine learning (ML) and other best in breed technologies to develop baselines for compliance checks to highlight and avoid noncompliance.

By its nature cloud is a distributed services based environment, so the management of the underlying software images, containers and approach to release management is a key consideration when architecting a cloud solution.

1. Facilitate transparency in overall cloud usage for management information and strategic decision making.

5. Monitoring of key usage reports should be in place and regularly reviewed by account owners to identify usage anomalies, with presentation to appropriate governance forums. Ensure these reports are consumed in line with technology financials and internal billing standards.

Work with CSPs to create the usage reports at regular intervals which are made available to the FI, particularly where compound SLAs exist.

CSPs provide the FIs the ability to host their workloads in their cloud environment with a myriad of options to cater for diverse workloads and needs. As a result of the foreign nature of the cloud environment coupled with the availability of multiple implementation options, initial attempts to adopt the cloud services can be daunting to many.

1. It is recommended to use the FI's existing technology architecture governance standards to set and approve cloud patterns, but the FI should leverage the CSP expertise for Cloud design patterns.
2. Protocols should be in place with the CSP to prevent cessation of services based on quotas being exceeded.

1. The FI should define a standard for containerization and DevOps methodologies. While the CSP may provide the tools for the FIs to manage and administer containers, the FIs are responsible for authorizing which ones are available for use.

4.B Design and Secure the Cloud

CSPs will usually provide segregation via logical controls in a virtual environment; an FI should risk assess these in combination with other controls such as encryption or tokenisation.
6. Define the quotas for each sub account and put in place alert triggers for accounts once a threshold of spending has been reached.

To ease the cloud adoption journey many CSPs have developed cloud architecture reference solutions to help customers jumpstart their cloud implementation. These references are collections of solutions and design ideas to solve common cloud adoption problems.

2. FIs should review business and technology requirements when developing cloud reference architectures. Business Requirement Documents (BRDs) and System Requirement Documents (SRDs) should be published and periodically reviewed.

• Design and implement cloud services which are optimised to create the largest financial and non-financial benefits to the FI.

In certain circumstances, such segregation may be bypassed, or in the event of a system failure data could be accessible by exploiting data dumps and accessing infrastructure shared memory. Operational complexity of virtual architectural models can also result in a weakened security model.

7. Cloud usage MI should consider both software licensing, compute and storage costs.

2. Roles and responsibilities between the CSP and FI for the container strategy must be agreed upon and documented for operational references. Ensure that source code repositories are defined and managed at both the FI and CSP.

Additionally, due to the commoditized nature of cloud service consumption, the importance of architecting a standard catalogue of services which adhere to the business, technology and security standards of the FI is paramount.

3. Create a service catalogue of cloud products that adheres to the FI's internal policies and regulatory requirements. Where end users are able to select and deploy these architectures directly, an appropriate approval workflow should be in place.

8. Organisations should ensure that sufficient funds are available to cover licensing costs, and that controls are in place to prevent key services being shut down.

To assist in development of Cloud infrastructure, FIs should assess the level of maturity, information and support available to assist with virtual architectural models.

3. The FI should carefully define its user access and authentication strategy, particularly for administrative users who have the ability to manage and change these fundamental tools supporting its cloud ecosystem.
4. A user role should exist which allows designated staff to develop and maintain architectural patterns. Access rights to create non-standard architectures should be strictly controlled.

• Manage the confidentiality and integrity risks associated with data co-mingling or shared cloud tenancy environments.

Potential compromise of hardware, Operating System (OS) images or virtualisation management software such as hypervisors must be considered and managed.

5. In the event of a software or hardware failure, ensure that information assets remain secure or are securely removed.

4. FIs may consider adopting commonly available architectural references in the area of availability and resiliency, security, authentication, performance, operations and management.

The container images should contain a standard set of configurations that are designed and signed off by the FI. Standards should be created for both production and non-production images.

The traditional virtual machine is not the only option available to FIs to host their workloads. Containers enable FIs to decouple applications from operating systems by using a lightweight image that takes the necessities to deploy an application at runtime. This can include binaries, libraries and settings. The ability to decouple the application from the operating system allows FIs to focus purely on managing the application. Serverless is another offering that the CSPs are providing to FIs to dynamically manage the allocation of systems to the workload processing requirements. The adoption of these new offerings combined with DevOps allows FIs to easily administer their Cloud environment in a more automated manner.

6. Define a standard set of tools and processes to manage containers, images and release management. This includes the ability to add security and vulnerability patching where applicable to the containers and virtual machines; changes are made to the base image in a controlled manner and adhere to the standard change management process.

5. The security architecture deployed in the Cloud environment takes into account the risks associated with Cloud connectivity, logical segregation and public access.

6. Ensure that changes to the container images are fully audited.

DevOps is a hybrid of development and operations that is becoming more mainstream, and the heart of agile development is to improve the quality of the software being delivered. It is also best suited for developing and testing for security and vulnerabilities. There are various tools that can be used for DevOps and DevSecOps, but it is up to the FIs to determine which one is best suited.

7. The CI/CD pipeline should be configured to perform the correct actions and activities against the designated environments. This could be to both containers and virtual machines.

Cloud service providers design the architecture of their cloud services to offer high resiliency and availability to their customers. In most set ups, the computing capacity of two or more data centres are grouped into a cluster and multiple clusters are further grouped into a region to achieve the resiliency and availability objectives. Each cluster is geographically separated by a physical distance to avoid systemic failure due to environmental hazards such as power outages, fires, floods etc. Fault isolation is further implemented within each region to prevent the risk of contagion effect in an event of a fault or service outage.

1. If the source code repository is hosted at the FI, the binaries should be compiled on premise and only the artefacts need to be promoted and sent to the CSP.

1. FIs should design their workload to leverage on available functionalities such as containerization and auto-scaling to automate the swift recovery of their services.

2. Integrity checks should be performed on container templates and any inconsistencies made detectable prior to use.
1. FI should implement measures to secure the cloud and on premise environments to mitigate contagion risks. Controls should be implemented between the cloud and the FI's on premise environment and at the ingress/egress points to mitigate against such threats.

2. FIs should also adopt fault tolerant techniques such as Retry, Circuit Breakers and Bulkhead Isolation in the design of their workloads which are sensitive to faults or failures.

3. The FIs should have the appropriate checks to prevent production data being used during testing in non-production environments. The use of masked or synthetic data is strongly recommended.

Customers of the cloud services can choose to distribute their workload across multiple regions to improve the latency for their users or mitigate against regional outage of the cloud services. However, customers could also choose to constrain their workload to a single region or cluster. This allows customers with specific requirements such as data sovereignty to control the residency of their data. FIs should be cognizant that such a design potentially negates the resiliency and availability offered by cloud services.

• Ensure that the resiliency, recoverability and availability design of the workload is commensurate with its criticality.

1. FIs could maximize the redundancy by designing and distributing their production workloads across the available clusters within each region.
2. For workloads that are sensitive to latency, FIs should place the workload in the region that is closest to their customers or consider options to optimise customer experience (such as content delivery networks).

3. It is considered best practice for administrative interfaces to be on a segregated management network that is not accessible from the operational subnets.

2. FIs should implement automated health checks and monitoring to detect service faults or outages in the cloud environment.

3. Network access and security controls such as firewalls, IPS, advance threat protection and web proxy should be implemented to secure the on premise environment from the cloud.

Hence, FIs need to carefully consider and plan their cloud adoption to ensure that the resiliency and availability of the cloud services commensurate with their needs.

4. For workloads that require higher availability, FIs can consider distributing the workload across multiple regions. At minimum, FIs should make plans to recover their services in a different region to mitigate against regional service outages.

• Reduce contagion risk between the FI's on premise and cloud environment.

3. Where possible, FIs should design their workload and applications to automatically handle known exceptions or failures to ensure their cloud service can recover swiftly in an event of an incident.

Network architecture is a key consideration especially given the nature of open access and shared services in the public cloud. The FI should plan and implement security controls to secure the cloud workload against common internet based attacks (e.g. network intrusion attempts, DDoS attacks) and cloud specific attacks.

4. Dedicated network connectivity should be implemented from the FI to the cloud environment, and remote administrator access to the cloud environment over the Internet should be restricted.

1. The FI should have network access and advance threat protection controls implemented in the security network segment to filter and secure the access to the cloud environment.

• Account for the use and adoption of cloud services to prevent shadow IT.

5. While data within each cloud region is automatically replicated across the available clusters, FIs should consider strategies for replicating data across regions to ensure data availability in an event of failures or faults within each region.

2. VPN or direct network connection should be implemented to secure traffic between the FI's on premise and cloud environments where possible. IP source and destination restrictions should also be considered.

5. The controls in the cloud environment should be equivalent if not more secure than the FI's on premise environment.

• Ensure access to the cloud environment is granted on a need-to basis.

The cloud service environment leverages on the cryptographic controls to control access, and segregate and secure the customers' data. The security of the cryptographic keys is critical to ensure that the information at rest is secure and the encrypted information, especially archival information, is accessible and retrievable.

1. FIs should generate their own unique cryptographic keys and secure the keys in the Cloud environment.

3. Alternatively, FIs can consider rerouting the cloud traffic through the FIs' on premise environment to benefit from their existing on premise security controls.
6. FIs should put in place a resumption plan for their critical services in an event of a total outage of cloud services. Some of the options that the FI could consider include implementing critical workload on two different CSPs or based on on premise capabilities for added resiliency.

6. Ensure that cloud workload is protected against network based attacks, e.g. network intrusion attempts, application DDoS attacks.

• FI should monitor and control access, where possible, to their cloud environment.

Encryption and tokenisation can be used interchangeably and can be used in a complementary or stand-alone fashion depending on the solution.

2. At minimum, the cloud HSM should meet the FIPS and Common Criteria for cryptographic products.

CSP environments typically offer a number of configurations for key management including a CSP managed option, an option to "Bring Your Own Key" where an FI's key can be injected into the CSP Hardware Security Module (HSM) infrastructure, or an entirely FI managed option where it is possible to deploy an FI owned HSM into the Cloud.

4. FI should set up a dedicated security network segment to control all ingress and egress traffic from the cloud environment.

7. FIs should implement an internal monitoring or control to detect the unauthorized adoption of cloud services.

Encryption is the process of encoding messages or information in ways such that the output is rendered unintelligible. Encryption can be used to protect the confidentiality of sensitive data, provide some assurance that data has not been tampered with, and is also useful for non-repudiation. Conversely, improper design of encryption systems and processes can lead to insecure implementations that provide a false sense of security. This can also occur when the management of cryptographic material is weak. Furthermore, if keys are compromised or lost, the entire Cloud environment may become inaccessible. The FI should ensure that the following controls are considered when implementing encryption in a cloud outsourcing arrangement:

• Manage cryptographic material so that the confidentiality and integrity of the FI's data is not compromised.

1. Where encryption is used, the encryption keys should be stored separately from virtual images and information assets.
3. Keys should be rotated regularly in accordance with industry best practices. Certificate revocation should also be tested from time to time.

5. If possible, Micro Segmentation is to be considered with Software Defined Networks.

8. FI should consider network segregation of workloads based on the lifecycle (production, test, development) and type (user, interface, infrastructure, server, critical segments).

These deployment options offer advantages and disadvantages: in the case of FI owned and deployed HSMs this typically means that the cloud environment can only be managed and operated by the FI, thus is less suitable for PaaS or SaaS environments, and can restrict the adoption of cloud services. The benefit of this model is that it provides the highest level of control for the FI over the Cloud environment.

4. FIs may consider HSM as a service or deploying their own HSM for particularly critical workloads.

2. Detailed policies and procedures should be in place to govern the management lifecycle of cryptographic material from generation, storage, usage, revocation, expiration, renewal, to archival of cryptographic keys.

6. All internet traffic should be routed through a dedicated security network segment. All other network segments in the cloud environment should not have direct access to the Internet.

3. While most CSPs will provide network layer DDoS attack protection, FIs should consider the implementation of application layer DDoS attack protection and web application firewall to secure the web based application as required.

Encryption can be applied in most cloud computing use cases and should be an integral control to secure sensitive information such as authentication credentials, personally identifiable information, credit card information, financial information, emails, and computer source code.

5. Backups of cryptographic material should be considered.

Carefully designed processes including key ceremonies should ensure that keys cannot be compromised and are subject to strict oversight and segregation of duties principles. No one custodian should have access to the entire key.

Controls for encryption and tokenisation can be used interchangeably and can be used in a complementary or stand-alone fashion depending on the solution.

1. Sensitive data including data backups should be subjected to appropriate encryption controls both in-motion and at-rest.

Carefully designed processes including key ceremonies should be in place if cryptographic keys and SSL private key containers belonging to the FI are introduced into the CSP environment.

• Provide assurance that only authorized parties can gain access to the data in transit and at rest.

1. Stringent control should be exercised over cryptographic keys to ensure that secret keys are generated and managed securely, for instance within a Hardware Security Module (HSM).
Cloud computing generally involves the transmission of data to the CSP for processing or storage. In some cases, data not essential for the delivery of the cloud service is transmitted to and stored by the CSP, resulting in excessive sharing and/or unnecessary exposure of potentially sensitive information.

10. FIs should regularly review the firewall rules and access lists, especially after network or architectural changes that may make certain rules redundant. Rulesets should have defined owners.

CSP environments typically offer a number of configurations for key management including a CSP managed option, an option to "Bring Your Own Key" where an FI's key can be injected into the CSP Hardware Security Module (HSM) infrastructure, or an entirely FI managed option where it is possible to deploy an FI owned HSM into the Cloud. These deployment options offer advantages and disadvantages: in the case of FI owned and deployed HSMs this typically means that the cloud environment can only be used and operated by the FI, thus is less suitable for PaaS or SaaS environments, and can restrict the adoption of cloud services. There is also an associated cost, and in the event that keys are lost, all data in the Cloud may be unrecoverable.

1. Details on the encryption algorithms, corresponding key-lengths, data flows, and processing logic should be appropriately reviewed by subject matter experts to identify potential weaknesses or points of exposure.
2. Details on the ownership and management of the encryption keys and HSM should be agreed between the FI and the CSP. The FI should take into consideration the need and ability to administer the cryptographic keys and the HSMs themselves.

6. For each Cloud deployment location, a suitably secure and fireproof environment (offline storage, HSM) should be considered for critical cryptographic material, the loss of which may materially impact the FI's ability to recover or operate. This should be included in disaster recovery planning scenarios.

• Provide assurance that the confidentiality and integrity of the data has not been compromised.
• Provide authentication of message source and non-repudiation.

2. For the master account, it is recommended that this account should only be used by exception.

Identity and Access management should be a paramount consideration when performing a cloud outsourcing arrangement, and should incorporate both technical and business user access management.

It is in the best interest of the FI to minimise its data footprint so as to reduce the vulnerability surface and potential threat vectors. Tokenisation can provide effective risk reduction benefits by minimising the amount of potentially sensitive data stored and exposed to the public.

3. A clear business owner should be identified to ensure accountability, with ownership of each role defined.

7. FIs should leverage on FIPS 140-2 Level 3 validated HSMs to secure their cryptographic keys, and access to the HSM should be secured with multi-factor authentication.

HSMs and other cryptographic material should be on segregated secure networks with access carefully controlled, that are not accessible from subnets used by the CSP's other customers or for every day staff access.

3. If using a Content Delivery Network (CDN), ensure there are appropriate controls in place for encryption key and certificate management. It is recommended that Extended Validation (EV) or Organisation Validation (OV) certificates are used to ensure robust organisational identity controls are in place. Secure certificate management protocols should also be considered.

8. Where possible, access to the HSM should be secured using multi-factor authentication.

An FI's Identity and Access management policies and standards should be applied in full in the CSP in Production and UAT environments by the FI to ensure consistency.

The security and robustness of a tokenisation system is dependent on many factors and the FI should ensure that the following controls are considered in the implementation of tokenisation in a cloud outsourcing arrangement:

• Minimise the amount of data that needs to be shared with a third party.

4. Encryption keys used for the encryption of FI data should be unique and not shared by other users of the cloud service.

Tokenisation is the process of replacing sensitive data with a unique non-sensitive equivalent value (also referred to as token) that has no correlation or meaning with the dataset. A tokenised dataset retains structural compatibility with the processing system concerned, allows the data to be processed without any context or knowledge of the sensitive data, thereby potentially allowing a different set of security requirements to be imposed on the recipient of the tokenised data. The FI can de-tokenise to restore context to the processed tokenised data by replacing the tokens with their original values.

CSPs will usually provide segregation via logical controls in a virtual environment; the FI should risk assess these in combination with other controls such as encryption or tokenisation.

Carefully designed processes including key ceremonies should be in place if cryptographic keys and SSL private key containers belonging to the FI are introduced into the CSP environment.

4. For users, especially corporate users, the need for federation of Active Directory into the CSP should be considered, where corporate credentials could be used to allow an FI's existing processes and infrastructure to be leveraged.

User Access Management provides controlled access to information systems allowing staff, business partners and suppliers to perform their business activities, while protecting the information and systems from unauthorised access.

1. Careful risk assessment and evaluation should be performed on the tokenisation solution to identify unique characteristics and all interactions and access to the sensitive data.

5. Other guidance on encryption requirements should be drawn from the MAS Technology Risk Management Guidelines.

• Provide assurance that only authorized parties can gain access to the data.

5. Where federation is used, or another cloud based directory leveraged, the directory synchronization model, security requirements and redundancy controls for any synchronization tools should be reviewed and approved by the FI's technology architecture governance committee.

• Ensure the confidentiality and integrity of the FI's data.

Tokenisation can be applied to all data that is not required to be processed by the service provider, and is commonly used to protect sensitive information such as account numbers, phone numbers, email addresses, and other personal identifiable information.

2. The Cloud service provider must not have any means to restore the tokens to the original data values, such as access or control over the tokenisation system or tokenisation logic.

The full life-cycle of user access management must be considered when implementing a cloud outsourcing arrangement. This includes the definition of identity and access management requirements, approval, provisioning, credential management, access review and revocation.

3. Permit user access only to the information assets they require to perform their role.

6. Where access is via the internet, multi factor authentication and IP source restrictions are strongly recommended.

Systems that perform the tokenisation should remain under the direct management of the FI.

Tokenisation does not reduce the security or compliance requirements, but it could reduce the complexity of their implementation.
1.
 Multifactor
Whether
Ensurewith authentication
infrastructure
segregation ofandduties should
applications
is in placebe considered
arefor supported
sensitivefor user
byroles access to critical workloads.
the CSP of the FI, there should be a framework in place to define which system components are considered critical and what controls should be
1.
7. Users
in Where
place toidentity
manageprivileged
and system
access
privileged oraccess
management should
administrative assets beaccess
clearly
reside toindefined
the cloud,
them. and strategies
subject toshould regularbeuser createdaccess and reviews.
tested for migration or exit planning.
2. Where CSPs have access to the FI’s systems or software, this should be captured in an identity and access management document, which should be reviewed at least annually for the accuracy of

2. Ensure
8. Privileged
Scenarios
requirements,
The FI shouldthewhichconfidentiality
User
and
ensure access
that theshould
address
that and be
recovery
configuration
privileged integrity
clearly
from inof
accounts athe FI’s
tracked
Cloud data
and reported,
directory
document
are managed thatand
socompromise
matches thebe
the system
CSP linked
and to an agreed
synchronisation
state.
should only haveand with
accessapproved
on
to premise change request
platforms
its information when
should
assets related
be added
by authorized to the FI's data.
toexception.
disaster Note it and
recovery is not always
cyber necessary
security for the CSP to
runbooks.
disclose change requests to the FI
 Manage
9. Detailed
Integration
Remote
Where
1. access
PaaS, privileged
with
or isSaaS
documentation tooluser
a personnel
is often
used,access
of system
used appropriately
thesystems
all FI directory
byshould
the remote ortools
FIconsider the CSP
accessshould to
theprocedures
mode be considered
allow byconnectivity
whichincluding to ensure
they from
are atimely
remote
notified
security controlsofdisabling
location
material
management.of
touser's
allowThis
changes primary access,
administration,
to the CSP’s
documentation IT or toshould
system trigger
environment beaand
maintenance review
have
regularlyoroftheaccess
software
ability
reviewed rights
releases, for potentially
to ensure
to review asaccuracy
well
the toxic
as system
changes.
and CSPs combinations.
support.
can help FIs
currency.
3. The Privileged User
maintain appropriate oversight of materialAdministration function
changes should be subject todedicated
by establishing segregation of duties programs
compliance and separate thatfrom any user
facilitate administrator
engagement between function.
the FIs and the CSPs.

1. The inherent risk of cloud computing means that access from a remote location is possible and so strict controls are required.

• Detect unauthorised or erroneous changes

10. There should be a mechanism in place to detect when unauthorised accounts are created and that can access criticality rated information assets.

1. User Access Administration should be subject to strict segregation of duties and maker / checker controls, especially where the CSP has access to or is managing systems or software.

[…] allowing changes […] if it is to be in role where physical security controls of the Data Centre can be by-passed.

2. All interfaces to infrastructure should be consistent so that remote access controls are uniformly controlled.
[…] permitted. Access rights should be regularly reviewed by an independent assurance function or the role's owner.

4. Privileged User Access should be in line with the "never alone" principles laid out in the MAS Technology Risk Management guidelines. There may be high risk situations where a break glass procedure is required and dual controls circumvented. These situations should be defined in advance and subject to rigorous after the fact reviews to provide assurance that no erroneous or unauthorized changes were introduced.

2. Multifactor authentication should be mandated for privileged access to material workloads.

3. Provide assurance that remote access to systems is secured against threats of impersonation and that there is a secured and auditable method of accessing systems and data.

These interfaces should provide discrete segregated data flows to ensure […]

11. Access and usage of service, generic and administrator accounts should be controlled via appropriate privileged user access management controls and activities logged for review.

There are two aspects to cloud environments that need to be considered:

1. FIs should implement a direct private connection from their data centre to the cloud environment, and restrict all direct remote access to the cloud environment over the Internet.
• Remote access security measures such as two factor authentication, and Virtual Private Network (VPN) encryption should be implemented.

4. Provide assurance that user management controls are present and monitored for suspicious activity.
5. Multifactor authentication should be strongly considered for all privileged access.

12. Where Internet access to the cloud management console cannot be disabled, access should be strictly controlled. FIs should implement complex passwords and multi-factor authentication for the login account. These accounts should be limited to emergencies and not used in day to day operations.

• Remote access to the systems by the CSP to manage its own systems

2. Where development, QA and production environments exist in the Cloud, Developers and Testers should not have any write access to production environments. Production support privileges should be limited in accordance with the requirement of the role, with appropriate segregation of duties.

• Grant […] limited read only access in accordance with their responsibilities.

5. Where possible remote access network traffic should have defined source and destination.
• The various levels of remote access by the FI to both the platform and the systems that are in the cloud environment
6. As the administrator account to the cloud management console cannot be locked out, the FI should monitor for unauthorized access to the accounts or password guessing attempts to break into the account. FIs should consider changing the password periodically.

3. End User Computing device controls to the CSP should be considered, for instance access only from recognized hardware using machine authentication, or virtual desktop interfaces to reduce the risk of malware contamination or unauthorized access.

7. The FI should consider restricting access to certain parts of the network by remote users. Jump boxes should also be considered for additional security.

4. Privileged remote access should only be permitted by authorized exception or break glass procedures and be time bound. Privileged remote access is inherently risky and must be strictly controlled.

8. All privileged remote access is to be reviewed for appropriateness by independent and qualified personnel.
The adoption of cloud services requires that an FI's data is transferred from the enterprise perimeter and control environment into the cloud. The cloud presents unique challenges where misconfiguration
of the environment may result in data being exposed and accessible to the public. Controls should be implemented to secure the data in the cloud environment from unauthorized or inadvertent
exfiltration.
• Enforce the use of sanctioned cloud services
In addition, the adoption of cloud services also makes it a challenge to detect and differentiate between legitimate and unauthorized data exfiltration. Shadow IT use of unapproved cloud applications introduces compliance and security risk where the services do not adhere to the FI's information security policy. It is therefore essential that FIs monitor and control both sanctioned and unsanctioned data transfers and access to the cloud services.

• Manage data processed and stored in the cloud environment in accordance to the compliance requirements.

1. The FI should review their information asset classification framework to ensure that it encompasses security considerations for the cloud. The FI may wish to consider enhanced controls for high value information assets that reside in the cloud such as strong encryption, tokenization and logical segregation.
• Permit users access only to information assets they require to perform their role
Considerations for the protection of data transmitted to and stored in the cloud must include all methods of ingress and egress. The FI should have in place a holistic data loss prevention strategy which includes data in transit, at rest or end point security controls.

2. Where data in transit crosses cloud deployments, content inspection technologies should be deployed to identify and, where appropriate, quarantine information assets that contain personally identifying information (PII) and customer information (CI). Policies containing the identification criteria should have defined owners and be subject to periodic review.

• Prevent unauthorized or unintended dissemination of data
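As an added illustration of the content inspection and quarantine step described above (example code written for this page, not part of the ABS CCIG or the CCM), the following inspector flags e-mail addresses and Luhn-valid payment card numbers in an outbound item, decides whether the item is quarantined, and produces a redacted copy. The patterns, the quarantine policy and the sample text are assumptions constructed for the example; a real deployment would carry the FI's own identification criteria with defined owners, as the guidance requires.

```python
import re
from dataclasses import dataclass, field

# Hypothetical identification criteria for this example (a real policy would
# carry the FI's own patterns, owners and review dates).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digit runs, optionally separated by spaces or dashes, as card candidates.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates genuine card numbers from random digit runs
    (order numbers, timestamps) so the DLP rule does not quarantine on noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class InspectionResult:
    findings: dict = field(default_factory=dict)   # category -> number of hits
    quarantine: bool = False                       # hold the item for review?


def inspect(text: str) -> InspectionResult:
    """Identify PII / customer information in one outbound item and decide
    whether it is quarantined. Policy assumed here: any card number or
    e-mail address in an item crossing the cloud boundary is held."""
    result = InspectionResult()
    emails = EMAIL_RE.findall(text)
    cards = [m.group(0) for m in CARD_RE.finditer(text)
             if luhn_valid(re.sub(r"[ -]", "", m.group(0)))]
    if emails:
        result.findings["email"] = len(emails)
    if cards:
        result.findings["card"] = len(cards)
    result.quarantine = bool(result.findings)
    return result


def redact(text: str) -> str:
    """Mask the detected values so a sanitised copy can be released or logged
    without carrying the customer information itself."""
    def mask_card(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "[CARD REDACTED]" if luhn_valid(digits) else m.group(0)
    text = CARD_RE.sub(mask_card, text)
    return EMAIL_RE.sub("[EMAIL REDACTED]", text)


if __name__ == "__main__":
    # Constructed sample item, not real customer data.
    sample = ("Statement for alice@example.com, card 4111 1111 1111 1111, "
              "ref 1234 5678 9012 3456")
    print(inspect(sample))
    print(redact(sample))
```

The Luhn check is what keeps the rule from quarantining every 16-digit reference number; the constructed reference above fails it and passes through untouched, while the card number and the address are held and masked.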
1. Where cloud services are accessible via the Internet, data loss prevention controls such as DLP and access security broker should be implemented to monitor and control the access of the information.

3. The FI should perform periodic reviews of the users that are able to approve exceptions to cloud policies.
2. FIs should monitor the ingress and egress points for the use or adoption of unsanctioned cloud services or shadow IT to support internal business processes or operations.

3. Data loss prevention controls should be implemented to secure access from the internet to the cloud services, and control downloading and extraction of information from the cloud services.

4. FIs should analyse changes in the use of the cloud services to detect suspicious and anomalous activities in cloud environment and unusual access to the data.
5. The FI should have a Data Loss Governance and risk management framework defined which should integrate with its capabilities in the cloud. Templates and patterns for sensitive data should be defined, and metrics regularly reviewed. An appropriate consequence management framework should also be defined and agreed between the CSP and the FI.

1. Guidelines for secure by design software development should be clearly defined and all developers trained on these approaches. Common considerations include coding approaches to ensure that OWASP Top 10 security risks do not occur, and that applications fail safe in the event of unexpected behaviour.
Above and beyond the typical secure SDLC methodology for cloud applications, new methodologies such as DevOps require explicit consideration of the integrity of code artefacts and of environments where applications are developed and tested throughout each development iteration. The ability to compile, change and deploy the source code, but also to be able to secure the destruction of data and perform a clean breakdown of environments, must also be considered.

2. Content version controls, and strict processes for the migration of source code from one environment to another, should be clearly defined as part of a release management process.
• Ensure confidentiality and integrity of source codes, other code artefacts (e.g. compiled and non-compiled codes, libraries, runtime modules)
3. CSP penetration test reports can be used to gain assurance over the security of underlying systems, but the scope should be reviewed to fully understand what has been tested.

1. Segregation of duties can be accomplished in an automated fashion by introducing a CI/CD pipeline for the controlled testing across the different environments (please see the section on DevOps testing for more detail).

Source code reviews are typically automated within the formalized release management processes of the FI development teams to ensure that the final […]

1. For source code relating to material systems it is recommended that the FI use code assessments and that enhanced reviews, including a manual source review, are performed.

• Prevent the unauthorized alteration of code and system configurations

Testing the security of applications encompasses all of the systems and infrastructure involved in the provision of the service(s) and provides assurance of the security posture of a service. Through the regular vulnerability and penetration tests, assurance can also be gained as to the effectiveness of security hardening and patching. Cloud environments provide a unique challenge as testing is performed on a shared platform. Test tools are not able to differentiate between flaws that can be exploited to cause damage and those that cannot. Penetration tests attempt to exploit the vulnerabilities in a system to determine whether unauthorized access or other malicious activity is possible and identify which flaws pose a threat to the application.

4. Access to source code repositories and privileged access to the development and testing environments are restricted to only specific authorized individuals.

2. The source code should be updated and tested regularly for new security vulnerabilities.

2. The tests should take into consideration threats that are unique to cloud computing, such as hypervisor jumping and weak application program interfaces.

5. Unencrypted customer data should not be used for testing in the Cloud environment. Test data must be de-personalised before it is transferred into the CSP's environment.
3. Where source code is used for any material purposes, it is strongly recommended to perform a risk assessment to determine if it is necessary to compile binaries within the FI's own networks and copy the binaries into the Cloud. The recommendation is to compile on the FI's network and push the artefacts to the cloud.

3. Testers should be aware of typical security posture issues that are particular to cloud environments and virtualisation in order to have an understanding of the types of issue that may exist in such an environment.

6. Identify vulnerable configurations and provide applicable assurance as to the security of external facing applications and essential customer data.

The processes supporting the release management should ensure that source code which has been subjected to the reviews (automated or manual) cannot be tampered with by the author after it has been reviewed.

Penetration Testing (PT) is necessary where cloud providers host the service. Some cloud environments have restrictions on the type and times of PT that can be conducted.
• Provide assurance of security processes including security patching and hardening
1. FIs should engage the CSP prior to engaging PT to understand any limitations of the CSP's environment.

4. An FI should consider using a Red Teaming approach to testing to understand the technical limitations of testing and ensure awareness. It is also recommended that testing is performed on live systems subject to safety protocols to prevent any disruption of service. Please refer to the ABS guidelines on Penetration Testing and Red Team: Adversarial Attack Simulation Guidelines for further details.

7. Automated source code applications should be regularly updated and reviewed to ensure currency and accuracy of their findings.
5. All vulnerabilities should be risk assessed, tracked and managed / treated appropriately.
The monitoring of the cloud environment for security events and incidents should be centralized to provide the FIs a single pane of glass for situational awareness and incident response. The activities in the cloud environment should be logged at granular levels which provide useful information for investigation of security events or incidents. Such information should be consolidated and correlated centrally for security incident monitoring and detection. This would allow FIs to leverage existing incident response processes for the security incidents and events in the cloud.

• Ensure log information is secured against unauthorized access and tampering

2. Appropriate PT scope should include infrastructure and application, such as upstream and downstream dependencies, as well as any system (the release management or source code systems) that the application utilises.

1. Security Incident and Event Monitoring (SIEM) should be in place to provide automatic analysis, correlation, and triage of security logs from the various security systems.

1. Secure and robust security logging infrastructure should be leveraged. Consolidation of logs to a centralized system should be in place to ensure that the integrity and availability of the logs are maintained.

6. Where the vulnerability is on a system not centrally managed by the FI, there needs to be an agreed upon remediation SLA that the CSP aligns to and discloses to the FIs.

• Verify that activities in the cloud are logged and correlated to detect security events and scenarios
2. FIs should identify specific cloud security incident scenarios and develop specific correlation rules to detect such events. Where necessary, log parsers and correlation rules should be customized for such events.

7. In case responsibility for penetration tests is on the CSP side (i.e. in a SaaS model), proper governance over this program should be in place. The FI should ensure that all weaknesses and vulnerabilities are identified, risk assessment is conducted and gaps closed with priority adequate for the specific risk rating and in agreed timelines. Gap closing conditions may be regulated with the service contract between CSP and FI. In case of gaps that cannot be mitigated an exception process should be triggered.

• Ensure security events and incidents in the cloud environment are detected and responded to in a timely manner

2. The centralized log server should be secured and segregated from the operational environment to prevent unauthorized or accidental purging of the log information.

1. FI application development teams should ensure that no CID (Customer Identifiable data) is logged.
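The two points above, scenario-specific correlation rules and keeping customer-identifiable data out of logs, can be shown together in one small detector. The code below is an added example written for this page (not the ABS CCIG's, the CCM's, or any CSP's own tooling); the audit events, the approved change ticket `CHG-1001`, the set of actions treated as privileged and the ten-minute window are all constructed assumptions. It implements the "unauthorised account created" scenario from the privileged access section as two rules (a privileged action with no approved change reference, and a newly created account granted admin rights shortly after creation) and masks e-mail addresses in every string field before the event is kept or forwarded.

```python
import json
import re
from datetime import datetime, timedelta

# Hypothetical inputs for this example: change tickets approved through the
# FI's change management process, and the actions treated as privileged.
APPROVED_CHANGES = {"CHG-1001"}
PRIVILEGED_ACTIONS = {"CreateUser", "AttachAdminPolicy", "CreateAccessKey"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed audit events in a generic JSON-lines shape (not any CSP's real log format).
SAMPLE_LOG = """\
{"ts": "2020-07-30T01:02:03+00:00", "actor": "admin-a", "action": "CreateUser", "target": "svc-backup", "change": "CHG-1001", "source_ip": "10.1.2.3"}
{"ts": "2020-07-30T02:15:00+00:00", "actor": "admin-b", "action": "CreateUser", "target": "tmp-root", "change": null, "source_ip": "203.0.113.7"}
{"ts": "2020-07-30T02:16:30+00:00", "actor": "admin-b", "action": "AttachAdminPolicy", "target": "tmp-root", "change": null, "source_ip": "203.0.113.7"}
{"ts": "2020-07-30T03:00:00+00:00", "actor": "app-svc", "action": "GetObject", "target": "cust/alice@example.com/statement.pdf", "change": null, "source_ip": "10.1.2.9"}
"""


def parse_events(raw: str) -> list:
    """Parse JSON lines; a malformed line is skipped rather than stopping the feed."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def redact_cid(event: dict) -> dict:
    """Mask customer-identifiable values (here: e-mail addresses) in every string
    field before the event is retained or leaves the FI's logging boundary."""
    return {k: EMAIL_RE.sub("[CID]", v) if isinstance(v, str) else v
            for k, v in event.items()}


def correlate(events: list, approved=APPROVED_CHANGES,
              window: timedelta = timedelta(minutes=10)) -> list:
    """Two correlation rules for the 'unauthorised account' scenario:
    (a) a privileged action with no approved change reference;
    (b) a newly created account granted admin rights within `window`."""
    alerts = []
    created_at = {}                     # target account -> creation time
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] in PRIVILEGED_ACTIONS and ev.get("change") not in approved:
            alerts.append({"rule": "privileged-action-without-approved-change",
                           "actor": ev["actor"], "action": ev["action"],
                           "target": ev["target"], "ts": ev["ts"]})
        if ev["action"] == "CreateUser":
            created_at[ev["target"]] = ts
        elif ev["action"] == "AttachAdminPolicy":
            born = created_at.get(ev["target"])
            if born is not None and ts - born <= window:
                alerts.append({"rule": "new-account-granted-admin",
                               "actor": ev["actor"], "target": ev["target"],
                               "ts": ev["ts"]})
    return alerts


def run_sample() -> tuple:
    """Redact first, then correlate, so alerts never carry CID either."""
    events = [redact_cid(e) for e in parse_events(SAMPLE_LOG)]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run_sample()
    for alert in alerts:
        print(alert)
```

Redaction runs before correlation so that neither the stored events nor the alerts raised from them carry the customer identifier; the approved creation of `svc-backup` raises nothing, while the unreferenced `tmp-root` creation and its immediate admin grant raise three alerts.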
3. Logs should be streamed to the FI for security incident and event correlation. An approach to leverage the logs from the CSP's SIEM architecture into the FI's core Intrusion Detection capability should be considered if possible.

Most systems can produce data and may require backups. Whilst often overlooked, securing these logs and backups needs careful consideration to ensure the confidentiality, integrity and availability of this data. Both data in the direct control of the FI and the CSP must be appropriately secured.

• Log data should have robust controls to ensure their confidentiality and integrity.

2. The FI should establish requirements for forensic investigation including how to ensure that log data can be acquired in a streamlined, sound manner.

4. FIs should consider the use of security analytics with machine learning capabilities to develop a baseline to detect potential anomalies in the cloud environment.

• Log data should not contain sensitive information
3. The FI should have the appropriate access control in place for backups and log data.
5. The FIs should ensure that CSPs have snapshots of critical databases or systems of record for disaster recovery / business continuity.

• Ensure the confidentiality and integrity of backup data

1. FIs should consider the contents of backups and encrypt sensitive data where appropriate.

4. Snapshots should be considered to enhance RPO capabilities, particularly for critical databases or systems of record. These should be timed ahead of key activities such as cut off times or End of Day batch procedures.
It is expected that the FI maintains effective control over their data although it resides at the CSP. The CSP should have in place controls that facilitate management, with near real time capability to review any privileged activities to ensure they are in line with approved processes. Consideration should be given to Application, OS, Database and Network layers.

5. FIs should give due consideration to the management of encryption keys used for backup purposes.

• Ensure that all changes follow a robust change management process that provides oversight commensurate with their risk. This includes changes controlled by the CSP for IaaS, PaaS and SaaS

4.C Run the Cloud

6. The […] data in backup form must be formalised, securely […], and the capability to recover a usable […] should be regularly tested by the FI. Such restoration tests should be conducted in environments to minimise any risk of data leakage.

1. The FI should ensure that there is a process in place and scenarios defined where the CSP is required to notify in advance of changes to critical services.

1. Change management procedures should be mutually agreed between the CSP and the FI. Such procedures should include change request and approval procedures, as well as a reporting component. Where appropriate, the FI should consider opportunities to test the deployment before those changes are implemented in their environment.

Where PaaS, or SaaS is used, the FI should consider the mode by which they are notified of material changes to critical features or functions. CSPs can help FIs maintain appropriate oversight of material changes by establishing dedicated compliance programs that facilitate engagement between the FIs and the CSPs, and support notification of such changes.

• Ensure oversight of major changes that could impact the stability and/or security of the cloud operating environment.
2. Change management governance should be incorporated into regular Service Level Management meetings.

2. Procedures for emergency and standard changes should be agreed, including roles and responsibilities, and defined change windows for patching and software releases.
• Detection of unauthorised or erroneous changes
3. FIs should review the change management procedures of the CSP, which should be independently assessed in line with OSPAR, SOC2 or other controls assessments.

3. Where DevOps practices are being used, conditions and scenarios that allow automated testing and releases should be defined. It is important to ensure that there is a full audit trail, record of the changes and evidence of pre-approval.
4. FI should ensure that CSPs have well-defined change windows, testing and rollback plans, and an internal signoff procedure for any material changes that need to be implemented by the CSP. This can
be evidenced via independent control testing.

5. FI should consider conducting post change testing where critical business functions may be impacted, including documented and evidenced test cases.
1. Roles for the configuration of the cloud environment should be clearly defined, and segregation of duties should be considered for the design of the cloud roles for both the FIs and CSP.
Cloud is a dynamic environment where the core infrastructure can be set up and modified rapidly in response to business and operational needs. Hence the configuration management of the software defined environment is critical for the safe and secure operations of the cloud and information assets. FIs should implement monitoring to detect unauthorized changes to the cloud environment. Where possible, FIs should implement automated recovery to mitigate high risk changes.

2. At minimum, the infrastructure, security and application roles should be segregated to prevent environmental changes which would allow the security controls to be bypassed.
Prevent unauthorized changes to the cloud environment, and ensure such changes are detected and remediated to prevent high impact incidents
3. Privilege for the infrastructure changes should be managed centrally, and the configuration of the environment should be closely monitored for unauthorized changes.
1. FIs should create environmental baselines, establish a process to review the baselines periodically, and monitor deviations from the baselines. These metrics should be reported at the Cloud governance forum and to appropriate service owners.

4. FIs should consider establishing standard server images for consistent and secure creation of new servers.
The monitoring of infrastructure events is a responsibility that both the FIs and the CSP share. The FIs are responsible for monitoring events that can impact the stability and or availability of their applications and systems. Based on the service model, the CSP is usually responsible for the underlying infrastructure of the FI's workloads, which could include the virtual environment, containers or customer workloads.

5. Define and monitor key environment changes to ensure the confidentiality, availability and integrity of the cloud environment is not compromised

Key events should be monitored and automated alerts should be triggered to alert the security or the infrastructure team.

1. Where possible, FIs should implement auto-remediation to revert the environment to the baseline configurations, or strict enforcement of the baselines is required.

2. FIs should ensure there is a framework for event categorization, impact, responsibility and actions taken to address them.
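The baseline, deviation monitoring and auto-remediation items above, as an added example written for this page (not code from the ABS CCIG, the CCM or any CSP): a single monitoring cycle compares a recorded baseline against the current state of two constructed resources, reverts the deviations the assumed policy classes as high risk (public access, encryption, ingress and egress settings) and leaves the rest for the governance forum. The resource names, the baseline, the drifted state and the `HIGH_RISK_KEYS` policy are all assumptions constructed for the example.

```python
import copy

# Constructed baseline for two cloud resources (not real CSP configuration output).
BASELINE = {
    "bucket:cust-data": {"public_access": False, "encryption": "aes256",
                         "versioning": True, "tags": {"owner": "payments"}},
    "sg:web-tier": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}],
                    "egress_restricted": True},
}

# Assumed policy for this example: drift in these keys is high risk and is
# reverted automatically; drift elsewhere is only reported for review.
HIGH_RISK_KEYS = {"public_access", "encryption", "ingress", "egress_restricted"}


def diff_config(baseline: dict, current: dict) -> list:
    """Return every deviation as (resource, key, expected, actual).
    Missing or unexpected resources are reported with key "*"."""
    deviations = []
    for res, expected in baseline.items():
        if res not in current:
            deviations.append((res, "*", "present", "missing"))
            continue
        actual = current[res]
        for key in sorted(set(expected) | set(actual)):
            if expected.get(key) != actual.get(key):
                deviations.append((res, key, expected.get(key), actual.get(key)))
    for res in current:
        if res not in baseline:
            deviations.append((res, "*", "absent", "unexpected"))
    return deviations


def remediate(baseline: dict, current: dict, deviations: list) -> tuple:
    """Revert high-risk keys to the baseline value; return the corrected config,
    the deviations reverted, and the deviations left for human review."""
    fixed = copy.deepcopy(current)
    reverted, reported = [], []
    for dev in deviations:
        res, key, expected, _ = dev
        if key in HIGH_RISK_KEYS and res in baseline:
            fixed[res][key] = copy.deepcopy(expected)
            reverted.append(dev)
        else:
            reported.append(dev)
    return fixed, reverted, reported


def check(current: dict, baseline: dict = BASELINE) -> dict:
    """One monitoring cycle: detect drift, auto-remediate the high-risk part,
    and return what a governance report would carry."""
    devs = diff_config(baseline, current)
    fixed, reverted, reported = remediate(baseline, current, devs)
    return {"deviations": len(devs), "reverted": reverted, "reported": reported,
            "clean_after_fix": diff_config(baseline, fixed) == reported}


# Constructed drifted state: bucket made public, SSH opened on the web tier,
# owner tag changed, and a security group created outside the baseline.
DRIFTED = {
    "bucket:cust-data": {"public_access": True, "encryption": "aes256",
                         "versioning": True, "tags": {"owner": "unknown"}},
    "sg:web-tier": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                {"port": 22, "cidr": "0.0.0.0/0"}],
                    "egress_restricted": True},
    "sg:adhoc": {"ingress": [{"port": 3389, "cidr": "0.0.0.0/0"}],
                 "egress_restricted": False},
}

if __name__ == "__main__":
    print(check(DRIFTED))
```

A resource that exists only in the current state is deliberately not deleted by the remediation step: the example reports it rather than guessing, since the guidance reserves auto-remediation for high-risk deviations from a known baseline.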
6. FIs should consider auto-remediation for critical high impact changes such as configuration of internet gateways or server images.

• Provide early detection of network and system anomalies in the environment to facilitate timely response to potentially developing technology and security incidents

1. Criteria and performance requirements, i.e. SLA for the escalation, notification, containment, and closure of relevant security and technology incidents, should be appropriately defined and agreed between the FI and the CSP, especially where regulatory instruments such as Directives and Notices stipulate timelines.

2. Appropriate detection mechanisms should be in place at the network, system, and application level to analyse events that could affect the security and stability of the cloud service.

1. SLAs for events should be established between the FI and the CSP. This should be done in accordance with an escalation matrix to notify the appropriate parties.

• Manage and escalate events appropriately according to their criticality and assigned ownership

Timely detection of critical incidents coupled with tight integration with incident response and management processes can allow incidents to be remediated speedily, thereby limiting downtime or potential data breaches.

1. A Computer Emergency Response Team (CERT) or Security Incident Response Team (SIRT) should be in place to provide timely response to security incidents. Coordination between the CSP and FIs' teams should be formalised.

2. Security and technology events and the various levels of severity should be appropriately defined and the ownership agreed between the FI and the CSP.

3. Learning points captured from past incidents as knowledge articles for continuous improvement of the process.

2. Events that have been rated as material should be immediately visible in network or technology operations centres so that they can be responded to in a timely manner.

• Provide a reasonable level of retrospective detection of security incidents in the IT environment as and when new threat intelligence is available
4. FIs should consider the use of automated ticketing upon detection of incident to improve turnaround for the response team.

3. Access to appropriate assurance reports on relevant incidents and the root cause analysis should be agreed between the FI and the CSP. Where the CSP has commercial or intellectual property reasons to not disclose such reports directly to the FI, the use of a mutually acceptable independent 3rd party can be agreed.

• Provide assurance that technology and security incidents are appropriately escalated and notified to the relevant stakeholders for management action

2. The FI should define playbooks for recovery scenarios along with key roles and task ownership.

3. Appropriate security systems measures, such as network intrusion detection/prevention systems (NIDPS), web application firewall (WAF), DDoS mitigation, and data leakage prevention systems, should be deployed at strategic locations to detect and mitigate security breaches and ongoing attacks.

Cyber-attacks, the compromise of a computer system, and unplanned outages can only be detected in a timely fashion if there is effective monitoring of the IT systems to differentiate legitimate and abnormal activities. As attack sophistication increases with the complexities of modern IT systems, it is imperative that monitoring of IT systems progresses beyond typical health and performance metrics to include security events and incidents in the environment and advanced analytics to correlate events across various systems at the network, infrastructure, and application layers of the IT environment.

• Provide assurance that incidents are properly reviewed and identified gaps are remediated to prevent a reoccurrence

4. Based on the materiality of the outsourcing arrangement, integration into a Security Operations Centre (SOC) and / or Technology Operations Centre (TOC) operating on a 24x7 basis should be strongly recommended to provide active monitoring of security events and technology incidents and ensure timely escalation and management of issues.

3. The CSP should provide reasonable access to necessary information to assist in any FI investigation arising due to an incident in the cloud, to the extent that it does not contravene any other legal obligations.

• Ability to adhere to the relevant regulatory requirements (i.e. Notice 644 Technology Risk Management)

The FI should have a clear view of its requirements to operate its resources to ensure that business functions can proceed without any interruptions. The FI and CSP both have clear lines of responsibility, but it is imperative that the FI have insight into their workloads running on the cloud and have a SLA defined.

• Business volumes that are well considered and understood and that capacity exists to support them

5. Incidents that have a material impact to the FI should be subject to formalized post incident reviews and problem management.

4. While it is recognized that it is usually the FI's responsibility to identify a relevant incident under Notice 644, there are situations where systems or applications designated MAS Critical may be fully managed by the CSP, particularly SaaS or white-labelling. In these situations a contractual requirement should be included to ensure notification to the FI as soon as possible after the detection of a relevant incident. The FI is then required to notify MAS within 60m of receiving this notification. The CSP should include as much information as possible in this notification to allow for the required regulatory submission. If all data points are not available at that time the CSP should ensure these are delivered within a reasonable timeframe, which should not exceed 24 hours after the original notification.

Business functions commonly have period spikes or strategic growth ambitions which technology should be aware of.

• Resources are monitored to understand average utilisation and peaks

1. FIs should define a monitoring strategy with the CSP and leverage the monitoring capabilities provided by the CSP to define appropriate metrics for its applications.

6. Where occurring incidents become formally recognized as systemic issues, Problem Management should be put in place and ensure that an appropriate remediation is identified and implemented.

2. Systems have appropriate resources to allow for resiliency in the event of capacity failure or unplanned outage

1. The FI's technology operations team should monitor and review utilisation and thresholds regularly for appropriateness. Automated increase notification for quotas for material workloads should be considered and reviewed where capacity may be at risk. Planning for upgrades and enhancements, including funding requests, should be regularly discussed in internal governance forums.

7. Metrics on incidents and problem tickets should be regularly reviewed and discussed at the Cloud governance boards.
1. FIs should maintain a clear inventory of all the software assets used in the cloud environment, and track the vulnerabilities announced by the respective technology vendors.

5. The security testing of the infrastructure in the cloud environment is a shared responsibility by the CSP and the FI for platform and infrastructure as a service engagements.

2. FIs need to ensure that business strategies and requirements, and special events such as index rebalancing, are taken into consideration when reviewing the capacity of their workloads.

• Ensure there is ownership of assets in the cloud environment, and that their criticality is rated appropriately.

• Review and testing of the incident response plan should be conducted on a regular basis and involve the appropriate […]

Given the ease of software purchase and implementation in the cloud environment, FIs need to detect and remediate the vulnerabilities in the cloud environment swiftly.
2. The SW inventory should also be used to track the software life cycle so that informed decisions can be made to replace or have mitigating controls.

• Swiftly identify potential vulnerabilities and system instabilities

1. FIs should conduct a periodic assessment to identify new vulnerabilities, and schedule the patching activities to remediate the vulnerabilities in accordance with their criticality.

3. Where possible, FIs should deploy their applications containerized in the cloud environment to facilitate prompt patching while minimizing impact to the cloud workload.

2. In events where the security patches cannot be applied to vulnerabilities, FIs should consider the use of security controls (e.g. network access control, intrusion prevention systems) to mitigate the risk of exploit.

• Swiftly and safely deploy operating system patches promptly

1. The FI should develop disaster recovery plans to address its assets in the Cloud, and test these at least annually. Tests should be validated for accuracy, completeness, and validity of recovery procedures.
4. The FI should work with the CSP and understand capabilities in their offerings that would help with vulnerability and patching management.

2. Disaster recovery testing is an essential part of developing an effective disaster recovery strategy. Where there is a business critical function, the FI should plan and perform their own simulated disaster recovery testing, testing jointly with the CSP where possible.

FI and CSP personnel involved in disaster recovery procedures should be aware of their responsibilities and capable of executing them. These should be tested at least annually.

1. The FIs should ensure that there is a robust process in place to review and remediate any vulnerabilities in a timely manner and prioritise over the vulnerabilities of standard workloads.

3. The CSP should develop disaster recovery and business continuity plans and where appropriate share the plans with the FI. If relevant, the outsourcing arrangement should contain Business Continuity Planning (BCP) requirements on the CSP, in particular Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).

• Ensure the continued availability of services commensurate with their criticality in the cloud environment

5. The CSP should be able to demonstrate the status of their compliance with published vulnerabilities and their ability to patch when required.
3. CSPs should obtain necessary certifications for disaster recovery (e.g. ISO27001 and validated against ISO27018) and their processes should be audited by independent third parties, with such audit reports made available to the FI.

2. An exception process needs to be created for any vulnerabilities that cannot be remediated.

• Ensure that all changes to the computing environment are reflected in the disaster recovery plan, and that all facilities are available.

• Ensure that data, systems and applications can be recovered within the time-frame required by the FI

3. When performing testing with the CSP, consider doing spot checks or testing on short notice to validate their level of readiness for an actual disaster event.

4. There should be a DR communications plan or an automated call tree that covers both CSP and FI staff.

4. Ensure that the FI's crisis Management team is fully aware of the CSP's recovery plan.

5. Ensure that any deficiencies noted during testing are recorded, and the implementation of corrective actions is monitored via the appropriate governance bodies.
6. Various disaster recovery scenarios including both component failure, full site loss and partial failures should be incorporated into the testing plan. These scenarios should be tested according to a
strategy defined by the bank in line with its business continuity policy

7. The scalable and redundant nature of cloud outsourcing arrangements allows for more rigorous testing, including the failure of active-active configurations. It is recommended to regularly test these
capabilities, and to keep services failed over for an extended period of time to validate operational stability.
Term: Description

Gap Analysis: The breakdown of additional indicators and efforts needed to bridge a control requirement from one framework to another.

Compensating Controls: Controls that would help bridge a full or partial gap between the base framework (i.e. CCM) and the candidate framework.

Controls Mapping: The association of controls between the base and candidate framework.

Gap Identification: The determination of whether a gap between two frameworks is a full, partial or no gap.

No Gap: The relevant control requirement in one framework is fully semantically equivalent to a requirement(s) of another framework.

Partial Gap: Controls in two frameworks are similar, but not fully equivalent.

Full Gap: A similar criterion (control) does not exist in the other framework.

CCM Addendum: An addendum to CCM refers to the additional controls that serve to fill the gap between the base framework (i.e. CCM) and the candidate frameworks.