Microsoft Cloud - Checklist For Financial Institutions in Singapore PDF

A Compliance Checklist
for Financial Institutions

in Singapore
December 2021
Contents
INTRODUCTION: A COMPLIANCE CHECKLIST The Need for an Appropriate
FOR FINANCIAL INSTITUTIONS IN SINGAPORE 3 Outsourcing Agreement 30
OVERVIEW OF THE REGULATORY LANDSCAPE 6 Technical and Operational Risk Q&A 34
COMPLIANCE CHECKLIST 10 Privacy 57
PART 1: KEY CONSIDERATIONS 11 PART 2: CONTRACT CHECKLIST 59
Overview 11 FURTHER INFORMATION 68
Offshoring 18
Compliance within your Organisation 21

Introduction: A compliance checklist for
financial institutions in Singapore
OVERVIEW capabilities to meet the needs of financial institutions, underlying a foundation
Singapore is already delivering on its mission of becoming one of the world’s of security and compliance across these services.
leading “Smart Financial Centers.” Cloud computing is fast becoming the norm, Please be aware that this document is based on the current situation at the
not the exception, for financial institutions in Singapore. time of the creation of the document. Taking into account that the regulatory
Like all technological advancements, cloud computing provides substantial environment as well as our catalogue of products and services and their
benefits – but it also creates a complex new environment for financial respective technical features are continuously evolving, we recommend to
institutions to navigate. These financial institutions rightly want and expect always visit the Microsoft Trust Center (https://www.microsoft.com/en-us/
an unprecedented level of assurance from cloud service providers before they trust-center) where Microsoft posts the most recent information related to its
move to the cloud. products and services.
Microsoft is committed to providing a trusted set of cloud services to This checklist is part of Microsoft’s commitment to financial institutions in
financial institutions in Singapore. Our extensive industry experience, Singapore. We developed it to help financial institutions in Singapore adopt
customer understanding, research, and broad partnerships give us a valuable Microsoft Online Services with confidence that they are meeting the applicable
perspective and unique ability to deliver the assurance that our financial regulatory requirements.
institutions customers need.
WHAT DOES THIS CHECKLIST CONTAIN?
This document is intended to serve as a guidepost for financial institution
customers conducting due diligence, including risk assessments, of Microsoft This checklist contains:
Online Services. The Online Services include those online services defined 1. an Overview of the Regulatory Landscape, which introduces the relevant
as “Core Online Services” in the Online Services Privacy and Security Terms regulatory requirements in Singapore; and
(hereinafter, the “Online Services”). Customers are responsible for conducting
appropriate due diligence, and this document does not serve as a substitute 2. a Compliance Checklist, which lists the regulatory issues that need to be
for such diligence or for a customer’s risk assessment. While this paper addressed and maps Microsoft’s cloud services against those issues; and
focuses principally on Azure Core Services (referred to as “Azure”), Office 365
3. details of where you can find Further Information.
Services (referred to as “Office 365”) and Dynamics 365 Services (referred to
as “Dynamics 365”), unless otherwise specified, these principles apply equally
to all Online Services. This includes the Compliance Program for Microsoft
Cloud, which is built on these set of Online Services which provides for a set of Continued Next Page »
3 | Introduction Back to Contents

Introduction: A compliance checklist for
financial institutions in Singapore (continued)
WH0 IS THIS CHECKLIST FOR? HOW SHOULD WE USE THE CHECKLIST?
This checklist is aimed at financial institutions in Singapore that want to use 1. Read: We suggest you begin by reviewing the Overview of the Regulatory
Microsoft Online Services. We use the term “financial institutions” broadly, to Landscape in the next section. This will provide useful context for the
include banks, financial advisers, securities exchanges, futures exchanges, sections that follow.
designated clearing houses, securities trading companies, insurance 2. Conduct a Risk Assessment: Next, we suggest that you review the
companies, registered insurance brokers, licensed trust companies, capital questions set out in the Compliance Checklist and the information provided
investment companies, capital services licensees and other service providers as a tool to measure compliance against the regulatory framework. The
regulated by the Monetary Authority of Singapore. information in this document is provided to help you conduct your risk
assessment. It is not intended to replace, or be a substitute for, the work
WHAT MICROSOFT CLOUD SERVICES DOES THIS CHECKLIST APPLY TO? you must perform in conducting an appropriate risk assessment but rather
This checklist applies to Microsoft Office 365, Microsoft Dynamics 365 and to aid you in that process. Additionally, there are a variety of resources
Microsoft Azure. You can access relevant information about each of these Microsoft makes available to you to obtain relevant information as part
services at any time via the Microsoft Trust Center. of conducting your risk assessment, as well as maintaining ongoing
supervision of our services. The information is accessible via Microsoft
Compliance and the Service Trust Portal.
IS IT MANDATORY TO COMPLETE THE CHECKLIST?
No. In Singapore, there is no mandatory requirement for financial institutions Microsoft provides extensive information enabling self-service audit and
to complete a checklist to adopt Microsoft Online Services. However, through due diligence on performance of risk assessments through the Compliance
conversations with our many cloud customers in Singapore, we understand Manager. This includes extensive detail on the security controls including
that a checklist approach like this is helpful – first, as a way of understanding implementation details and explanation of how the third party auditors
the regulatory requirements; second, as a way of learning more about how evaluated each control. More specifically, Compliance Manager:
Microsoft Online Services can help financial institutions meet those regulatory
requirements; third, as an internal framework for documenting compliance;
and fourth, as a tool to streamline consultations with the MAS, if they are
required. By reviewing and completing the checklist, financial institutions can
adopt Microsoft Online Services with confidence that they are complying with Continued Next Page »
the requirements in Singapore.

Introduction: A compliance checklist
for financial institutions in Singapore (continued)
• Enables customers to conduct risk assessments of Microsoft Online manage evidence and other artefacts related compliance activities, so that
Services. Combines the detailed information provided by Microsoft it can produce richly detailed reports in Microsoft Excel that document
to auditors and regulators as part of various third-party audits of the compliance activities performed by Microsoft and a customer’s
Microsoft‘s cloud services against various standards (such as International organisation, which can be provided to auditors, regulators, and other
Organisation for Standardisation 27001:2013 and ISO 27018:2014) compliance stakeholders.
and information that Microsoft compiles internally for its compliance
3. Reach out for support: If you need any additional support or have any
with regulations (such as the EU General Data Protection Regulation
questions, Microsoft’s expert team is on hand to support you throughout
or mapping to other required controls) with the customer’s own self-
your cloud project, right from the earliest stages of initial stakeholder
assessment of its organisation’s compliance with applicable standards
engagement through to assisting in any required consultation with the
and regulations.
MAS. You can also access more detailed information online, as set out in the
• Provides customers with recommended actions and detailed guidance Further Information section.
to improve controls and capabilities that can help them meet regulatory
requirements for areas they are responsible for.
• Simplifies compliance workflow and enables customers to assign, track,

and record compliance and assessment-related activities, which can help
an organisation overcome team barriers to achieve their compliance
goals. It also provides a secure repository for customers to upload and

Overview of the Regulatory Landscape
Are cloud services Yes.
permitted to be
This means that you can consider Microsoft Online Services for the full range of use-cases across your financial institution.
used?
Who are the The Monetary Authority of Singapore (MAS). Banks, insurers, capital market intermediaries, financial advisors, the stock exchange,
relevant regulators payment service providers and other financial institutions are regulated by MAS. The MAS website provides links to underlying
and authorities? regulations and guidance.
What regulations There are several requirements and guidelines that financial institutions should be aware of when moving to the cloud:
and guidance are
• MAS Outsourcing Guidelines (updated on 5 October 2018)
relevant?
(continued) • MAS Notice on Outsourcing (P018-2014) September 2014
• MAS Notices on Cyber Hygiene
• MAS Technology Risk Management Guidelines (revised January 2021)
• MAS Notices on Technology Risk Management
• MAS Business Continuity Management Guidelines June 2003
• MAS Notice 634, Banking Secrecy – Conditions for Outsourcing

(Appendix)
The latest version of each document can be found on the MAS website.
Certification with the InfoComm Media Development Authority’s (IMDA) Multi-Tier Cloud Security (MTCS) Tier 3 and ISO27001
certification are generally regarded as necessary for providing cloud services to regulated sectors. Microsoft has the necessary
certifications.
Continued Next Page »
6 | Overview Back to Contents

Overview of the Regulatory Landscape (Continued)
What regulations In August 2019, the Association of Banks in Singapore (ABS) issued the ABS Cloud Computing Implementation Guide 2.0, which
and guidance are is designed to help financial institutions with the adoption of cloud services. While this is not binding regulation, it serves as
relevant? a practical guide for financial institutions in respect of the implementation of cloud in compliance with MAS guidelines and
requirements. Microsoft also has the ABS Outsourced Service Provider’s Audit Report certification for Azure and Dynamics 365.
Is regulatory No.
approval required?
There is no requirement for prior notification, consultation or approval.
What is a “material This definition is important, since certain provisions of the Outsourcing Guidelines apply only to “material outsourcing
outsourcing arrangements” (including obligations to perform annual reviews, mandatory contractual clauses addressing audit rights and an
arrangement”? obligation to ensure that outsourcing outside of Singapore does not affect MAS’s supervisory efforts).
An outsourcing arrangement will be “material” if a service failure or security breach has the potential to materially affect the
institution’s business operations, reputation or profitability, or its ability to manage risk and comply with applicable laws and
regulations. An outsourcing will also be “material” if it involves customer information and, in the event of any unauthorised
access or disclosure, loss, or theft of customer information, may have a material impact on an institution’s customers. However,
the definition of “customer information” expressly excludes securely encrypted information. This document includes all the
requirements applicable to “material outsourcing arrangements”, for the sake of completeness.
Are transfers Yes.

of data outside
The use of datacentres outside of Singapore is permitted. Nonetheless, the MAS is clear that institutions should, if services are
of Singapore
provided from outside of Singapore, assess the applicable government policies, political, social and economic conditions, legal and
permitted?
regulatory developments and the institution’s ability to effectively monitor the service provider. Some additional considerations
(continued)
apply to “material outsourcing arrangements”, where the expected standards are higher. These include taking steps to protect
confidentiality and the freedom of the MAS to exercise its regulatory oversight. Institutions are also expected to notify MAS if any
overseas authority seeks access to customer information.

Are transfers The Personal Data Protection Act (PDPA) requires organisations to put in place safeguards (including contractual measures) to
of data outside protect data transferred outside of Singapore. The Personal Data Protection Regulations 2021 specify the conditions under which
of Singapore an organisation may transfer personal data overseas. In particular, an organisation may only transfer personal data overseas if it has
permitted? taken appropriate steps to ensure that the overseas recipient is bound by legally enforceable obligations or specified certifications
to provide the transferred personal data a standard of protection that is comparable to that under the PDPA.
Are public cloud Yes.

services sufficiently
The Outsourcing Guidelines give a clear green light for the use of cloud services, whether private, public or hybrid cloud, by
secure?
financial institutions. In fact, public cloud typically enables customers to take advantage of the most advanced security capabilities
and innovations because public cloud services generally adopt those innovations first and have a much larger pool of threat
intelligence data to draw upon.
An example of this type of innovation in Microsoft Online Services is Office 365 Advanced Threat Protection and the Azure Web
Application Firewall, which provide a very sophisticated model to detect and mitigate previously unknown malware and provide
customers with information security protections and analytics information.
Several financial institutions in Singapore are already using public cloud services. In fact, public cloud typically enables customers
to take advantage of the most advanced security capabilities and innovations because public cloud services generally adopt those
innovations first and have a much larger pool of threat intelligence data to draw upon.

Are there any Yes.
mandatory terms
The MAS does stipulate some specific points that financial institutions must ensure are incorporated in their cloud services
that must be
contracts. These are primarily set out in the Outsourcing Notices and Notice on Banking Secrecy – Conditions for Outsourcing. In
included in the
Part 2 of the Compliance Checklist, below, we have mapped these against the sections in the Microsoft contractual documents
contract with the
where you will find them addressed. The Outsourcing and Technology Risk Management Guidelines also include recommended
services provider?
terms to include in outsourcing contracts. These are also referenced below.
How do The PDPA applies to personal information collected by financial institutions. When it comes to outsourcing arrangements, the
more general financial institution is accountable for complying with the PDPA in respect of the downstream use of the personal information by its
Singaporean service providers on its behalf and for its purposes. In Microsoft’s experience, privacy compliance is an increasingly important issue
privacy laws apply for financial institutions and we address the requirements and provide details of how they apply to use of Microsoft Online Services,
to the use of cloud in the Compliance Checklist below.
services by financial
Additionally, the European privacy law, the General Data Protection Regulation (GDPR) imposes rules on companies, government
institutions?
agencies, non-profits, and other organisations that offer goods and services to residents in the European Union (EU), or that
collect and analyse data tied to EU residents. The GDPR applies no matter where you are located. Microsoft is committed to GDPR
compliance across its cloud services and provides GDPR related assurances in its contractual commitments.

Compliance Checklist
HOW DOES THIS COMPLIANCE CHECKLIST WORK?
In the “Question/requirement” column, we outline the regulatory requirement that needs to be addressed, based on the underlying requirements, along with other
questions that our customers and regulators globally often expect to be addressed.
In the “Guidance” column, we explain how the use of Microsoft Online Services address the requirement. Where applicable, we also provide guidance as to where
the underlying requirement comes from and other issues you may need to consider.
Looking for something specific?
Document
HOW SHOULD WE USE THE COMPLIANCE CHECKLIST?

Every financial institution and every cloud services project is different. We suggest that you tailor and build on the guidance provided to develop your own
responses based on your financial institution and its proposed use of cloud services.
WHICH PART(S) DO WE NEED TO LOOK AT?

There are two parts to this Compliance Checklist:
• in Part 1, we address the key compliance considerations that apply; and
• in Part 2, we list the contractual terms that must be addressed and we indicate where these can be found in Microsoft’s contract documents.
10 | Compliance Checklist Back to Contents

Part 1: Key Considerations
WHO DOES THIS PART 1 APPLY TO?
This Part 1 applies to all deployments of Microsoft cloud services (particularly, Office 365, Dynamics 365 and Azure) by financial institutions in SIngapore.
REF. QUESTION / GUIDANCE

REQUIREMENT
A. OVERVIEW
This section provides a general overview of the Microsoft Online Services.
1 Who is the service

provider?
The service provider is Microsoft Operations Pte. Ltd., the regional licensing entity for, and wholly-owned subsidiary of,
Microsoft Corporation, a global provider of information technology devices and services, which is publicly listed in the USA
(NASDAQ: MSFT).
Microsoft’s full company profile is available here: microsoft.com/en-us/investor/
Microsoft’s Annual Reports are available here: microsoft.com/en-us/Investor/annual-reports.aspx
2 Has your
organisation
Under the Outsourcing Guidelines, some requirements only apply if the outsourcing is material. These requirements
include the requirement to: (i) maintain a register of all material outsourcing agreements and ensure that the register
assessed this to is readily accessible for review by the board and senior management, (ii) establish multi-disciplinary outsourcing
be a material management groups, (iii) establish outsourcing management control groups, (iv) perform periodic reviews on material
outsourcing outsourcing arrangements at least on an annual basis; (v) incorporate contractual clauses to allow the institution and
arrangement MAS to be granted audit access and access to information and any report or finding made on the service provider and its
(as described in sub-contractors; and (vi) ensure that material outsourcing arrangements with service providers located outside Singapore
the Outsourcing are conducted in such a manner so as not to hinder MAS’s supervisory efforts. For the sake of completeness, this guidance
Guidelines)? covers all the requirements under the Outsourcing Guidelines, including those that are only applicable to ‘material
(continued)
11 | Key Considerations | Overview Back to Contents

REQUIREMENT
2 Has your
organisation
outsourcing arrangements’. However, financial institutions will need to make an assessment as to whether the use of cloud
services in a manner is “material.”
assessed this to
A “material outsourcing arrangement” is defined under the Outsourcing Guidelines as ‘an outsourcing arrangement – (a)
be a material
which, in the event of a service failure or security breach, has the potential to either materially impact an institution’s–
outsourcing
(i) business operations, reputation or profitability; or (ii) ability to manage risk and comply with applicable laws and
arrangement
regulations, or (b) which involves customer information and, in the event of any unauthorised access or disclosure, loss or
(as described in
theft of customer information, may have a material impact on an institution’s customers’. “Customer information” does not
the Outsourcing
include information that is public, anonymised or encrypted in a secure manner such that the identities of the customers
Guidelines)?
cannot be readily inferred and, in this respect, please see Question 30 for more detail about the secure encryption
provided by Microsoft’s cloud services. Annex 2 of the Outsourcing Guidelines lists some considerations in determining
whether the outsourcing is “material.”
3 What cloud
services are you
With Microsoft Online Services, a range of options exists, including public and hybrid cloud, but given the operational
and commercial benefits to customers, public cloud is increasingly seen as the standard deployment model for
using? most institutions.
All references to information about your cloud services may be found here: https://www.microsoft.com/en-us/trust-
center/product-overview. Through this link there is access to information about:
• Microsoft Office 365
• Microsoft Dynamics 365
• Microsoft Azure

REQUIREMENT
4 What activities
and operations
This Compliance Checklist is designed for financial institutions using Azure, Dynamics 365, and/or Office 365. Each service
is different and there are many different options and configurations available for each service. The response below will
will be outsourced need to be tailored depending on how you intend to use Microsoft Online Services and which Online Services you use.
to the service The Online Services include those online services defined as “Core Online Services” in the Online Services Privacy and
provider? Are Security Terms (hereinafter, the “Online Services”). Your Microsoft contact can assist as needed.
these critical to
If using Office 365, services would typically include:
your business or
operations? • Microsoft Office applications (Outlook, Word, Excel, PowerPoint, OneNote and Access)
(continued)
• Exchange Online
• OneDrive for Business, SharePoint Online, Microsoft Teams, Yammer Enterprise, Intune
If using Dynamics 365, services would typically include:
• Microsoft Dynamics 365 for Customer Service, Microsoft Dynamics 365 for Field Service, Microsoft Dynamics 365 for
Project Service Automation, Microsoft Dynamics 365 for Sales and Microsoft Social Engagement
• Microsoft Dynamics 365 for Finance and Operations (Enterprise and Business Editions), Microsoft Dynamics 365 for
Retail and Microsoft Dynamics 365 for Talent

REQUIREMENT
4 What activities
and operations
If using Microsoft Azure, services would typically include:
• Virtual Machines, App Service, Cloud Services

will be outsourced
to the service • Virtual Network, Azure DNS, VPN Gateway
provider? Are
these critical to • File Storage, Disk Storage, Site Recovery
your business or
• SQL Database, Machine Learning
operations?
• IoT Hub, IoT Edge
• Data Catalog, Data Factory, API Management
• Security Center, Key Vault, Multi-Factor Authentication
• Azure Blockchain Service

REQUIREMENT
5 What data will be

processed/stored
Typically, the types of data that would be processed and stored by Microsoft Online Services include:
by the service
TYPE OF DATA PROCESSED / SENSITIVE
provider on behalf
STORED / (Y/N)
of the financial
BOTH
institution? Is the
data considered
Customer data (including customer name,
to be sensitive?
contact details, account information, Both Y
payment card data, security credentials and
correspondence)
Employee data (including employee name,

contact details, internal and external
correspondence by email and other means Both Y
and personal information relating to their
employment with the organisation)
Transaction data (data relating to transactions in

which the organisation is involved) Both Y
Indices (for example, market feeds) Both N
Other personal and non-personal data relating

to the organisation’s business operations as a Both Y
financial institution

REQUIREMENT
6 How is the issue of

counterparty risk
Financial institutions should do their due diligence on the service provider to address risks associated with a service
provider failing to meet the terms of any agreement or otherwise to perform as agreed. The following is a summary of
addressed through the factors that our customers typically tell us are important.
your choice of
a. Competence. Microsoft is an industry leader in cloud computing. Microsoft Online Services were built based on
service provider?
ISO/IEC 27001 and ISO/IEC 27018 standards, a rigorous set of global standards covering physical, logical, process
(continued)
and management controls. Microsoft offers the most comprehensive set of compliance offerings of any cloud
service provider. A list of its current certifications is available at microsoft.com/en-us/trustcenter/compliance/
complianceofferings. From a risk assurance perspective, Microsoft’s technical and organisational measures are
designed to meet the needs of financial institutions globally. Microsoft also makes specific commitments across its
Online Services in its Product Terms available at https://www.microsoft.com/en-sg/Licensing/product-licensing/
products.aspx.
b. Track-record. Many of the world’s top companies use Microsoft Online Services. There are various case studies
relating to the use of Microsoft Online Services at customers.microsoft.com. Customers have obtained regulatory
approvals (when required) and are using Online Services in all regions of the globe including Asia, North America,
Latin America, Europe, Middle East and Africa. Key countries of adoption include, by way of example: the United
States, Canada, Hong Kong, Singapore, Australia, Japan, Taiwan, Indonesia, United Arab Emirates, Malaysia, the
United Kingdom, France, Germany, Italy, Spain, the Netherlands, Poland, Belgium, Denmark, Norway, Sweden, Czech
Republic, Brazil, Luxembourg, Hungary, Mexico, Chile, Peru, Argentina, South Africa, and Israel.
Office 365 has grown to have over 300 million users, including some of the world’s largest organisations and financial
institutions. Azure continues to experience rapid growth and has over 400 million users, and over 85% of the largest
financial institutions use or have committed to use Azure services.
c. Specific financial services credentials. Financial institution customers in leading markets, including in the UK,
France, Germany, Australia, Singapore, Canada, the United States and many other countries have performed their
due diligence and, working with their regulators, are satisfied that Microsoft Online Services meet their respective
regulatory requirements. This gives customers confidence that Microsoft can help meet the high burden of financial
services regulation and is experienced in meeting these requirements.

REQUIREMENT
6 How is the issue of

counterparty risk
d. Financial strength of Microsoft. Microsoft Corporation is publicly-listed in the United States and is amongst the
world’s largest companies by market capitalisation. Microsoft has a strong track record of stable profits. Its market
addressed through capitalisation is in excess of USD $2 trillion as of July 1, 2021, making it one of the top three capitalised companies on
your choice of the planet, Microsoft has been in the top 10 global market capitalised countries since 2000, and, indeed, is the only
service provider? company in the world to consistently place in the top 10 of global market capitalised firms in the past twenty years.
Its full company profile is available here: microsoft.com/en-us/investor/ and its Annual Reports are available here:
microsoft.com/en-us/Investor/annual-reports.aspx. Accordingly, customers should have no concerns regarding its
financial strength.
e. Insurance coverage. Microsoft maintains self-insurance arrangements for most of the areas where third party
insurance is typically obtained and can make certificates of insurance available upon request. Microsoft has taken the
commercial decision to take this approach, and considers that this does not detrimentally affect its customers, given
Microsoft’s financial position set out in Microsoft’s Annual Reports.
f. Audit rights. The Microsoft Financial Services Amendment provides for rights of audit, and additional customer
benefits, including (a) access to community events organized by Microsoft related to updates to the Online Services,
Microsoft responses to regulator changes, and to provide additional feedback to Microsoft for further development
of the Online Services; (b) the ability to meet with Microsoft’s external auditors; (c) written responses from Microsoft
to updated regulator guidance; (d) responses from Microsoft about Microsoft responses and changes to services
based on regulatory changes; (e) access to Microsoft personnel to raise questions and escalations relating to
Microsoft Online Services; (f ) communication from Microsoft on (1) the nature, common causes, and resolutions of
security incidents and other circumstances that can reasonably be expected to have a material service impact on
the customer’s use of Microsoft Online Services, (2) Microsoft’s risk-threat evaluations, and (3) significant changes to
Microsoft’s business resumption and contingency plans or other circumstances that might have a serious impact on
the customer’s use of Microsoft Online Services, and (g) access to a summary report of the results of Microsoft’s third
party penetration testing against Microsoft Online Services (e.g., evidence of data isolation among tenants in the
multi-tenanted services).

REQUIREMENT
B. OFFSHORING
Microsoft gives customers the opportunity to choose that certain core categories of data will be stored at-rest within Singapore. The use of datacentres out of
Singapore is permitted by the Outsourcing Guidelines.
7 Where are the

datacentre(s) of the
Outsourcing Guidelines, Paragraph 5.10 (Outsourcing outside Singapore). Note that the use of datacentres out
of Singapore is permitted by the Outsourcing Guidelines.
service provider
Microsoft takes a regional approach to hosting of Azure data. Microsoft is transparent in relation to the location of
located? Indicate
customer data:
the datacentre(s)
in which your • Office 365 customers can view data-at-rest storage locations on Microsoft’s website.
organisation’s
sensitive data • Dynamics 365 customers can view data-at-rest storage locations on Microsoft’s website.
would be stored
• Azure customers can view data-at-rest storage locations on Microsoft’s website.
and/or processed.
You can fill in the table below with your organization’s information.
NO. LOCATION OF CLASSIFICATION OF DC: STORING ORGANISATION

DATACENTRE TIER I, II, III OR IV DATA (Y/N)
18 | Key Considerations | Offshoring Back to Contents

REQUIREMENT
8 Have you obtained a

report on the Threat
TRM Guidelines, Paragraph 8.5 (data centre resilience), Paragraph 13.2 (penetration testing)
Outsourcing Guidelines, Paragraph 5.4
and Vulnerability
To meet the objectives and demands of a robust service, Microsoft regularly conducts penetration testing and
Risk Assessment on
vulnerability assessments against the service through its commitment to Security Development Lifecycle and ISO
the physical security
certification. The output of testing is tracked through a risk register which is audited and reviewed on a regular basis to
and environmental
ensure compliance to Microsoft’s security practices.
controls available at
the datacentre(s)? To protect both the system and customer data, Microsoft does not provide copies of the testing reports however
What were the key the tests conducted typically include the OWASP top ten and include the use of independent verified security teams
risks and security (CRESTcertified). Microsoft is happy to make available the ISO and SSAE 16 audit reports which cover vulnerability
issues raised, and assessments.
how were they
addressed? Further information about datacenter threat, vulnerability and risk assessment methodology and resources is
available here.
9 What other
risks have been
The following are the risk areas that our customers consider important:
a. Political (i.e. cross-border conflict, political unrest etc.)

considered in
Our customers know where their data is hosted. Microsoft reviews the political environments of the relevant
relation to the
jurisdictions where data is hosted, and maintains robust cloud exit planning guidelines and strategies to adjust
proposed offshoring
quickly to instability in political environments or to otherwise respond to challenges within a jurisdiction where data
arrangement?
is hosted.
(continued)
b. Country/socioeconomic
Microsoft’s datacentres are strategically located around the world, taking into account country and socioeconomic
factors. The relevant locations constitute stable socioeconomic environments.
c. Infrastructure/security/terrorism
Microsoft’s datacentres around the world are secured to the same exacting standards, designed to protect customer
data from harm and unauthorised access. This is outlined in more detail at microsoft.com/en-us/trustcenter/
security.

REQUIREMENT
9 What other
risks have been
d. Environmental (i.e. earthquakes, typhoons, floods)
Microsoft datacentres are built in seismically safe zones. Environmental controls have been implemented to
considered protect the datacentres including temperature control, heating, ventilation and air-conditioning, fire detection and
in relation to suppression systems and power management systems, 24-hour monitored physical hardware and seismically-braced
the proposed racks. These requirements are covered by Microsoft’s ISO/IEC 27001 accreditation.
offshoring
e. Legal
arrangement?
Customers will have in place a binding contractual agreement with Microsoft in relation to the outsourced service,
giving them direct contractual rights and maintaining regulatory oversight. The terms are summarised in
Part 2.

REQUIREMENT
C. COMPLIANCE WITHIN YOUR ORGANISATION

Although this is a matter for each financial institution, Microsoft provides some guidance, based on its experience of approaches taken by its customers.
Ultimately this will need to be tailored for your financial institution to reflect its compliance practices.
10 The financial
institution should
Outsourcing Guidelines, Paragraph 5.3.1 (a financial institution should not engage in outsourcing that results
in its risk management, internal control, business conduct or reputation being compromised or weakened).
consider its TRM Guidelines, Paragraphs 3.4 (Management of third party services); 5.3.1 (vendor evaluation and selection).
overall business
The MAS expects that management would need to have considered the overall business and strategic objectives. We
and strategic
would suggest including details of the following:
objectives prior to
outsourcing. Please a) your business case for outsourcing
elaborate on the
factors considered You should prepare a business case for the use of Microsoft Online Services. Where appropriate, this could include
and the rationale specific reference to some of the key benefits of operations and the Microsoft Online Services:
for entering this
The factors listed below may be used to prepare a business case for the use of Microsoft Online Services:
outsourcing
arrangement. • Affordability. Microsoft Online Services make enterprise-class technologies available at an affordable price for
(continued) small and mid-sized companies.
• Security. Microsoft Online Services include extensive security to protect customer data.
• Availability. Microsoft’s datacentres provide firstrate disaster recovery capabilities, are fully redundant, and are
geographically dispersed to ensure the availability of data, thereby protecting data from natural disasters and
other unforeseen complications. Microsoft also provides a financially backed guarantee of 99.9% uptime for most
of its Online Services.
• IT control and efficiency. Microsoft Online Services perform critical IT management tasks—such as retaining
security updates and upgrading back-end systems—that allow company IT employees to focus their energy on
more important business priorities. IT staff retain control over user management and service configuration. The
21 | Key Considerations | Compliance Within Your Organisation Back to Contents

REQUIREMENT
10 The financial
institution should
continuous nature of Microsoft’s cloud services in terms of managing updates, addressing security threats, and
providing real-time improvements to the service are unmatched relative to traditional legacy private hosted
consider its cloud environments.
overall business
• User familiarity and productivity. Because productivity, e-mail, file sharing and other apps are hosted in the
and strategic
cloud, company employees can access information remotely from a laptop, PC, or mobile device.
objectives prior to
outsourcing. Please (b) internal processes that were carried out;
elaborate on the
factors considered You need to describe what internal processes were carried out. The factors listed above in (a) may be used in the
and the rationale description of the selection process used to select the service provider (e.g., Microsoft’s track record and reputation).
for entering this
(c) due diligence review of the chosen service provider, including the ability of the service provider to conduct the
outsourcing
business activity on an ongoing basis;
arrangement.
(continued) Microsoft provides various materials on the Service Trust Portal to help you to perform and assess the compliance of
Microsoft Online Services – including audit reports, security assessment documents, in-depth details of security and
privacy controls, FAQs and technical whitepapers.
(d) who handled the decision-making process, which areas of the business were involved or advised, and any
details of external consultants or legal counsel involved;
We suggest having a list of the key people/roles involved in the selection and any decision-making and approvals
processes used.
(e) details of Board that approval sought risks prior to outsourcing approvals the contract;
Various places in the Outsourcing Guidelines state that approval sought ultimate responsibility for effective
management of risks prior to outsourcing lies with the Board and that appropriate approvals the contract; processes
should be put in place. Each organisation of course has its own internal approval processes. Where this includes Board
sign-off, this will not be an issue. Where it does not, you will need to briefly explain how the sign-off processes work
(e.g., how right of approval has been delegated by the Board). Again, details of the relevant decision-makers should be
included here.

REQUIREMENT
10 The financial
institution should
(f) Effective implementation of internal controls and risk management practices ensured by the Board of Directors
(or a relevant committee of the Board) and senior management;
consider its
Outsourcing Guidelines, Paragraph 5.2 states the responsibilities of the Board including approving the framework for
overall business
evaluating risks. Paragraph 3.1 of the Technology Risk Management Guidelines is also relevant.
and strategic
objectives prior to (g) vetting of the outsourcing agreement by a competent authority;
outsourcing. Please
elaborate on the Outsourcing Guidelines, Paragraph 5.5.1 states that the outsourcing agreement should be vetted by a competent
factors considered authority (such as the organisation’s legal counsel) on its legality and enforceability. If it hasn’t, explain why.
and the rationale
(h) established procedures for monitoring performance under the outsourcing agreement on a continuing basis;
for entering this
outsourcing See Question 14 for relevant information about the measures offered by Microsoft to enable customers to monitor
arrangement. performance.
(i) the renewal process for outsourcing agreements and how the renewal will be conducted;
The outsourcing agreement with Microsoft runs on an ongoing basis. Customers may also terminate an Online Service
at the express direction of a regulator with reasonable notice or to ensure regulatory compliance and by giving 60
days’ prior written notice. Microsoft’s contractual documents anticipate renewal.
(j) contingency plans
While your financial institution is ultimately responsible that would enable for developing its own contingency plans,
based on its the outsourced circumstances, Microsoft has developed a template business activity to that can be used
to help develop a plan. This is be provided by an available from the Service Trust Portal or from your alternative service
provider or brought in-house if required Microsoft contact upon request.
The outsourcing agreement with Microsoft provides customers with the ability to access and extract their customer
data stored in each Online Service at all times during their subscription. Microsoft will retain customer data stored in
the Online Service in a limited function account for 90 days after expiration or termination of customer’s subscription
so that the customer may extract the data. No more than 180 days after expiration or termination of the customer’s
use of an Online Service, Microsoft will disable the account and delete customer data from the account.

REQUIREMENT
11 Has a compliance
check for the
If any “compliance gaps” were identified as part of your risk management processes then these need to be detailed,
indicating how the relevant issues have been resolved.
proposed
Customers should review the MAS Guidelines on Outsourcing and the Technology Risk Management Guidelines and
outsourcing
can obtain confirmation from Microsoft that Microsoft can help customers comply with applicable provisions in these
arrangement been
guidelines. Internally, they should ensure that their own processes also comply with the guidelines.
performed against
the Outsourcing
Guidelines and the
TRM Guidelines?
12 Will all identified

security and
If any “compliance gaps” were identified as part of your risk management processes then you need to state whether
these gaps will be resolved, and if they won’t be, why not.
control gaps be
resolved prior to
the commencement
of this outsourcing
arrangement? If not,
please explain why
and state when they
can be resolved

REQUIREMENT
13 Has your
organisation
MAS expects that your organisation would have carried out a risk assessment. Outsourcing Guidelines, Paragraph 5.3.1
lists the factors that should be considered in a framework for risk evaluation. The TRM Guidelines, Paragraph 3.4.2,
performed a risk requires financial institutions to assess and manage exposure to technology risks that may affect the confidentiality,
assessment of integrity and availability of the IT systems and data at the third party before entering into a contractual agreement
this outsourcing or partnership. The TRM Guidelines Paragraph 4.2 further requires financial institutions to identify the threats and
arrangement, vulnerabilities to its IT environment, including information assets that are maintained or supported by third party
including security service providers. The TRM Guidelines, Paragraph 4.3 list the key considerations of what should be included in a risk
risk assessment assessment. TRM Guidelines, Paragraph 15 (IT Audit) requires IT audit to be performed to assess the effectiveness of the
against the latest controls, risk management and governance process. The Notice on Cyber Hygiene, Paragraph 4 also lists certain cyber
security threats? hygiene practices that must be ensured.
Please elaborate on
You should ensure that you have carried out comprehensive due diligence on the nature, scope and complexity of
the key risks and
the outsourcing to identify the key risks and risk mitigation strategies. We have made suggestions regarding common
threats that have
issues below and you will need to expand on our guidance to describe what you see as the key risks and what risk
been identified for
processes you have carried out as part of this project. You may also want to refer to data isolation here (in the context of
this outsourcing
a multitenanted solution – noting that logical isolation is expressly permitted by the Outsourcing Guidelines).
arrangement and
the actions that If you have any questions when putting together a risk assessment, please do not hesitate to get in touch with your
have been or will Microsoft contact. The following should be considered in your risk assessment:
be taken to address
them. 1. Data security. By transferring certain data processing operations to a third party, customers should be aware that
(continued) they need to ensure that their selected outsourcing partner has in place appropriate and reasonable technical and
organisational measures to protect the data. This is necessary both from a financial services regulatory perspective
as well as the organisation’s compliance with data protection legislation. This should be of utmost importance to
customers and therefore they should carry out a robust assessment as part of their selection process. Customers
that select Microsoft as an outsourcing partner take heavily into account the fact that it is an industry leader in cloud
security and implements policies and controls on par with or better than on-premises datacentres of even the most
sophisticated organisations. Microsoft is ISO/IEC 27001 and ISO/IEC 27018 accredited. In addition, the Microsoft
Online Services achieved the highest-level certification (Tier 3) of the MTCS SS 584 which builds upon recognised
international standards such as ISO/IEC 27001, and covers such areas as data retention, data sovereignty, data
portability, liability, availability, business continuity, disaster recovery, and incident management.

REQUIREMENT
13 Has your
organisation
The Microsoft Online Services security features (being the product that the organisation will be using) consist of
three parts: (a) built-in security features including encryption of data when in transit and at rest; (b) security controls;
performed a risk and (c) scalable security. These include 24-hour monitored physical hardware, isolated customer data, automated
assessment of operations and lock-box processes, secure networks and encrypted data.
this outsourcing
2. Access and audit. In addition to ensuring that relevant security and other safeguards are put in place up front, it is
arrangement,
essential that the outsourcing arrangement provides for customers to ensure that such standards and commitments
including security
and regulatory requirements are adhered to in practice. Customers should be aware that audit and access to verify
risk assessment
this can be a difficult issue in outsourcing and therefore should make this a high priority requirement as part of their
against the latest
outsourcing. Another reason for the selection of Microsoft in this case is that it permits regulator audit and inspection
security threats?
of its datacentres and in agreed circumstances inspection rights for its financial services customers.
Please elaborate on
the key risks and 3. Control. The handing over of a certain amount of day to day responsibility to an outsourcing provider does present
threats that have certain challenges in relation to control of data. What is essential to customers is that despite the outsourcing they
been identified for retain control over their own business operations, including control of who can access data and how they can use it.
this outsourcing At a contractual level, customer would have dealt with this via their agreement with Microsoft, which provides them
arrangement and with legal mechanisms to manage the relationship including appropriate allocation of responsibilities, oversight
the actions that and remedies. At a practical level, customers select Microsoft Online Services because they provide customers with
have been or will control over data location, access and authentication and advanced encryption controls. Customers continue to own
be taken to address and retain all rights to their data and their data will not be used for any purpose other than to provide them with the
them. Microsoft Online Services.

REQUIREMENT
14 Is there a vendor
management
Outsourcing Guidelines, Paragraph 5.8 contains detailed requirements in relation to monitoring and control
of outsourced activities. In addition to your own internal processes, you may in this context also wish to
process to monitor consider the contractual vendor management rights that you have under your agreements with Microsoft,
the performance including the rights of audit and inspection.
of the service
Outsourcing Guidelines, Paragraph 5.9 sets out the audits that MAS expects financial institutions to be
provider? Does
conducting. It is not required that the FSI conducts the audit itself and it may rely on independent third-party
your organisation
audit by obtaining copies of such finding/audit made on the service provider and its subcontractors. This is a
have a process to
question about your own internal processes, although it is of course relevant in this context to mention that
audit the service
Microsoft permits audit and inspection both by their financial institution’s customers and regulators.
provider to assess
its compliance The TRM Guidelines, Paragraph 3.4.3, also provides that the financial institution should ensure on an ongoing
with your policies, basis that the third party service provider employs a high standard of care and diligence in protecting data
procedures, confidentiality and integrity as well as ensuring system resilience. See also Paragraph 4.5 (Risk Monitoring,
security controls Review and Reporting).
and regulatory
requirements and The guidance below sets out certain features of Microsoft Online Services that can make monitoring easier for you. In
obtain reports and addition, you may sign up for Premier Support, in which a designated Technical Account Manager serves as a point of
findings made on contact for day-to-day management of the Microsoft Online Services and your overall relationship with Microsoft.
the service
Microsoft provides access to “service health” dashboards (Office 365 Service Health Dashboard and Azure Status
provider?
Dashboard) providing real-time and continuous updates on the status of Microsoft’s Online Services. This provides our
(continued)
IT administrators with information about the current availability of each service or tool (and history of availability status),
details about service disruption or outage and scheduled maintenance times. The information is provided online and via
an RSS feed.
As part of its certification requirements, Microsoft is required to undergo independent third-party auditing, and it shares
with the customer the independent third party audit reports. Microsoft also makes available a wealth of resources
online to provide transparency and assurance to customers in the Microsoft Compliance dashboard.

REQUIREMENT
14 Is there a vendor
management
The Microsoft Financial Services Amendment provides for rights of audit, and additional customer benefits, including
(a) access to community events organized by Microsoft related to updates to the Online Services, Microsoft responses
process to monitor to regulator changes, and to provide additional feedback to Microsoft for further development of the Online Services;
the performance (b) the right to request to meet with Microsoft’s external auditors; (c) Microsoft written responses to updated regulator
of the service guidance; (d) responses from Microsoft about Microsoft responses and changes to services based on regulatory
provider? Does changes; (e) access Microsoft personnel for raising questions and escalations relating to Microsoft Online Services;
your organisation (f ) communication from Microsoft on (1) the nature, common causes, and resolutions of security incidents and other
have a process to circumstances that can reasonably be expected to have a material service impact on the customer’s use of Microsoft
audit the service Online Services, (2) Microsoft’s risk-threat evaluations, and (3) significant changes to Microsoft’s business resumption
provider to assess and contingency plans or other circumstances that might have a serious impact on the customer’s use of Microsoft
its compliance Online Services, and (g) access to a summary report of the results of Microsoft’s third party penetration testing against
with your policies, Microsoft Online Services (e.g. evidence of data isolation among tenants in the multi-tenanted services).
procedures,
security controls
and regulatory
requirements and
obtain reports and
findings made on
the service
provider?

REQUIREMENT
15 Does the financial

institution have
All customers and potential customers have access to information for monitoring the effectiveness of Microsoft’s
controls, including through the following online sources:
access to adequate,
• Microsoft Compliance, which offers a comprehensive set of compliance offerings as well as resources to gain an
independent
understanding of Microsoft security and privacy practices;
information to
appropriately • The Service Trust Portal, which provides confidential materials, such as third-party audit reports and vulnerability
monitor the cloud assessment reports, to current customers and potential customers testing Microsoft Online Services;
service provider and
the effectiveness of • Compliance Manager, which provides detailed third party audit results enabling self-service audit and due
its controls? diligence;
• a publicly available Trust Center for Microsoft Online Services that includes non-confidential compliance
information;
• a Compliance Program for the Microsoft Cloud, which provides access to engineers with subject matter expertise
concerning underlying controls of the Online Services;
• the Azure Security Center and Office 365 Advanced Threat Analytics, which enable customers to seamlessly
obtain cybersecurity-related information about Online Services deployments;
• Office 365 Secure Score, which provides insight into the strength of customers’ Office 365 deployment based on
the customer’s configuration settings compared with recommendations from Microsoft, and Azure Advisor, which
enables customers to optimise their Azure resources for high availability, security, performance, and cost;
• the Office 365 Service Health Dashboard and Azure Status Dashboard, which broadcast real-time information
regarding the status of Microsoft Online Services; and
• Office 365 Advanced Threat Protection and the Azure Web Application Firewall, which protect customer
email in real-time from cyberattacks and provide customers with information security protections and analytics
information.

REQUIREMENT
D. THE NEED FOR AN APPROPRIATE OUTSOURCING AGREEMENT

Note: See also Part 2 of this Compliance Checklist for a list of the standard contractual terms that MAS expects to be included in the outsourcing agreement
and how these are addressed by the Microsoft contractual documents. This section D also includes reference to certain issues that MAS recommends to be
considered as part of the contractual negotiation, but which are not necessarily mandatory contractual terms that should be included in all cases.
16 Are the outsourcing

arrangements
Microsoft enters into agreements with each of its financial institution customers for Online Services, which includes
a Financial Services Amendment, the Product Terms, and the Service Level Agreement. The agreements clearly define
contained in a the Online Services to be provided. The contractual documents are further outlined in Part 2, below.
documented legally
binding agreement
that is signed by all
parties and addresses
the required matters
set out in the
applicable Notices
and guidelines?
30 | Key Considerations | The Need for an Appropriate Outsourcing Agreement Back to Contents
REQUIREMENT
17 Does the outsourcing

agreement include
Outsourcing Guidelines, Paragraph 5.9.2 requires the inclusion of access to information, inspection and
examination rights in favour of MAS. Such rights are indeed included in Microsoft’s contractual documents.
a clause that
Yes.
allows MAS and its
agents to carry out Microsoft fully commits to unrestricted rights of examination by regulators. The Financial Services Amendment
an inspection or provides the customer’s regulator to examine or audit the Online Services in order to meet the regulator’s supervisory
examination of the obligations of Microsoft as a direct service provider of the customer. These rights enable such customers to comply
service provider and with their regulatory obligations through direct access to business premises, to information, Microsoft personnel and
its sub-contractors, Microsoft’s external auditor.
and to obtain copies
of reports made
on the service
provider or reports or
information given to,
stored at or processed
by the service
provider and its sub-
contractors?
REQUIREMENT

agreement provide a
Yes.
The uptime guarantee given by Microsoft applies to all IT assets, not just a minimum number required to operate in
guarantee of access
a disaster situation. Microsoft guarantees 99.9% of uptime for most of its Online Services. Uptime guarantees are set
to the minimum
forth in Microsoft’s contracts with its customers, and if service levels are not maintained, customers may be eligible for
IT assets required
a credit towards a portion of their monthly service fees.
to operate under a
disaster scenario?

agreement also
Yes.
As referenced in Question 15 above.

include reporting
mechanisms that
ensure adequate
oversight of
IT security risk
management by the
service provider?
REQUIREMENT
20 Is the outsourcing
agreement
Yes.
The customer may terminate an Online Service at the express direction of a regulator with reasonable notice.
sufficiently flexible
The Microsoft Agreement includes rights to terminate early for cause and without cause. Refer to your Microsoft
to accommodate
Agreement. Additionally, the Financial Services Amendment provides for the customer’s right to terminate for
changes to existing
Microsoft’s breach of applicable law or its obligations under the Financial Services Amendment, as well as where
processes and to
customer can reasonably demonstrate that there are weaknesses regarding the management and security of
accommodate
customer data or there are material changes affecting Microsoft’s provision of the Online Services. Additionally, to
new processes
ensure regulatory compliance, Microsoft and the Customer may contemplate adding additional products or services,
in the future to
or if these are unable to satisfy the customer’s new regulatory requirements, the customer may terminate the
meet changing
applicable Online Service by giving 60 days’ prior written notice.
circumstances?
21 In the event of
termination,
Yes.
During the term of the agreement as well as upon expiration or termination, the customer can extract its data related
do transitional
to its use of the Online Services. As set out in the Product Terms, Microsoft will retain customer data stored in the
arrangements
Online Service in a limited function account for 90 days after expiration or termination of the customer’s subscription
address access to,
so that the customer may extract the data. After the 90-day retention period ends, Microsoft will disable the
and ownership
customer’s account and delete the customer data. Microsoft will disable the account and delete customer data from
of, documents,
the account no more than 180 days after expiration or termination of customer’s use of an Online Service. In the event
records, software
of a termination and where a customer chooses to migrate to a different online service, customers may request that
and hardware,
Microsoft provides assistance in such transition through Microsoft’s Professional Services organization. Customers
and the role of the
may also request migration or transition assistance and support from Microsoft’s Professional Services organization at
service provider in
any time during the extended service period.
transitioning the
service?
REQUIREMENT
E. TECHNICAL AND OPERATIONAL RISK Q&A

This section provides some more detailed technical and operational information about Microsoft Online Services which should address many of the technical
and operational questions that may arise. If other questions arise, please do not hesitate to get in touch with your Microsoft contact.
22 Does the service

provider permit
Yes.
audit by the financial
institution and/or The Financial Services Amendment provides customers and their auditors with the unrestricted rights of inspection
MAS or any agent and auditing related to the outsourcing arrangement, which includes specific rights of access to business premises
appointed by MAS? for financial services customers via special contractual provisions designed for regulated customers in the financial
services sector. Additionally, the Financial Services Amendment provides the customer’s regulator to examine or audit
the Online Services in order to meet the regulator’s supervisory obligations of Microsoft as a direct service provider of
the customer. These rights enable such customers to comply with their regulatory obligations through direct access to
business premises, to information, Microsoft personnel and Microsoft’s external auditor.
Customers may also participate in the optional Compliance Program for the Microsoft Cloud to obtain additional
information concerning the Online Services, including the following: (a) access to Microsoft personnel for raising
questions and escalations relating to Online Services, including for support in risk assessments, (b) invitation to
participate in a webcast hosted by Microsoft to discuss audit results and subsequent access to detailed information
regarding planned remediation of any deficiencies identified by the audit, (c) access to Microsoft’s subject matter
experts through group events such as webcasts or in-person meetings (including an annual summit event) where
roadmaps of planned developments or reports of significant events will be discussed and customers will have a
chance to provide structured feedback and/or suggestions regarding the Compliance Program for the Microsoft Cloud
and its desired future evolution. The group events also give customers the opportunity to discuss common issues with
other regulated financial institutions and raise them with Microsoft.
Regulators also have an unrestricted right of examination. See response to Question 17, above.
34 | Key Considerations | Technical and Operational Risk Q&A Back to Contents

REQUIREMENT
23 Are the provider’s

services subject to
Yes.
any third party audit?
Microsoft’s cloud services are subject to regular independent third party audits, including SSAE16 SOC1 Type II, SSAE
SOC2 Type II, ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27018 audits. These rigorous third-party audits validate the
adherence of the Online Services to the strict requirements of these standards.
24 What security controls

are in place to protect
MAS Notice on Cyber Hygiene Paragraph 4.3 (security standards), Paragraph 4.4 (network perimeter defence), 4.6
the transmission
(multi-factor authentication)
and storage of
confidential TRM Guidelines, Paragraph 5.5 (system requirement analysis). Paragraph 11 (data and infrastructure
information such as security), Paragraph 8.5 (data centre resilience),
customer data within
the infrastructure of Paragraph 9 (access control), Paragraph 8 (IT resilience), Paragraph 10 (cryptography), Paragraph 13 (cyber
the service provider? security assessment), Paragraph 13.1 (vulnerability assessment), Paragraph 13.2 (penetration testing),
Paragraph 13.4 (adversarial attack simulation exercise), Paragraph 14 (online financial services)
How does your
organisation protect The Microsoft Online Services security features consist of three parts: (a) built-in security features; (b) security controls;
your networks and and (c) scalable security. These include 24-hour monitored physical hardware, isolated customer data, automated
systems from the operations and lockbox processes, secure networks and encrypted data.
potential threats
Microsoft implements the Microsoft Security Development Lifecycle (SDL) which is a comprehensive security process
arising from the
that informs every stage of design, development and deployment of Microsoft Online Services. Through design
system connectivity?
requirements, analysis of attack surface and threat modelling, the SDL helps Microsoft predict, identify and mitigate
(continued)
vulnerabilities and threats from before a service is launched through its entire production lifecycle.
Networks within Microsoft’s datacenters are segmented to provide physical separation of critical back-end servers
and storage devices from the public-facing interfaces. Edge router security allows the ability to detect intrusions and
signs of vulnerability. Customer access to services provided over the Internet originates from users’ Internet-enabled
locations and ends at a Microsoft datacenter. These connections are encrypted using industry-standard transport layer

REQUIREMENT

security TLS. The use of TLS establishes a highly secure client-to-server connection to help provide data confidentiality
and integrity between the desktop and the datacenter. Customers can configure TLS between Microsoft Online
the transmission Services and external servers for both inbound and outbound email. This feature is enabled by default.
and storage of
Microsoft also implements traffic throttling to prevent denial-of-service attacks. It uses the “prevent, detect and
confidential
mitigate breach” process as a defensive strategy to predict and prevent security breaches before they happen. This
information such as
involves continuous improvements to built-in security features, including port-scanning and remediation, perimeter
vulnerability scanning, OS patching to the latest updated security software, network-level DDOS detection and
the infrastructure of
prevention and multi-factor authentication for service access. Use of a strong password is enforced as mandatory, and
the service provider?
the password must be changed on a regular basis. From a people and process standpoint, preventing breach involves
How does your auditing all operator/administrator access and actions, zero standing permission for administrators in the service,
organisation protect “Just-In-Time (JIT) access and elevation” (that is, elevation is granted on an as-needed and only-at-the-time-of-need
your networks and basis) of engineer privileges to troubleshoot the service, and isolation of the employee email environment from the
systems from the production access environment. Employees who have not passed background checks are automatically rejected
potential threats from high privilege access, and checking employee backgrounds is a highly scrutinized, manual- approval process.
arising from the Preventing breach also involves automatically deleting unnecessary accounts when an employee leaves, changes
system connectivity? groups, or does not use the account prior to its expiration.
(continued)
Data is also encrypted. Customer data in Microsoft Online Services exists in two states:
• at rest on storage media; and
• in transit from a datacenter over a network to a customer device.
Microsoft offers a range of built-in encryption capabilities to help protect data at rest.
• For Office 365, Microsoft follows industry cryptographic standards such as TLS/SSL and AES to protect the
confidentiality and integrity of customer data. For data in transit, all customer-facing servers negotiate a secure
session by using TLS/SSL with client machines to secure the customer data. For data at rest, Office 365

REQUIREMENT

deploys BitLocker with AES 256-bit encryption on servers that hold all messaging data, including email and IM
conversations, as well as content stored in SharePoint Online and OneDrive for Business. Additionally, in some
the transmission scenarios, Microsoft uses file- level encryption.
and storage of
• For Azure, technological safeguards such as encrypted communications and operational processes help keep
confidential
customers’ data secure. Microsoft also provides customers the flexibility to implement additional encryption
information such as
and manage their own keys. For data in transit, Azure uses industry-standard secure transport protocols, such
as TLS/SSL, between user devices and Microsoft datacenters. For data at rest, Azure offers many encryption
the infrastructure of
options, such as support for AES-256, giving customers the flexibility to choose the data storage scenario that
the service provider?
best meets the customer’s needs.
How does your
Such policies and procedures are available through Microsoft’s online resources, including Microsoft Compliance, the
organisation protect
Trust Center and the Service Trust Portal.
your networks and
systems from the
potential threats
arising from the
system connectivity?

REQUIREMENT
25 Does the service

provider employ a
Outsourcing Guidelines expressly permit logical segregation. Outsourcing Guidelines, Paragraph 6.7
contains requirements that institutions should be aware of the typical characteristics of cloud computing,
system architecture such as multitenancy and data commingling. Outsourcing Guidelines, Paragraph 5.6.2 (c) contains
that involves requirements for service providers to protect the confidentiality of customer information, documents,
multitenancy and records, and assets, particularly where multi-tenancy arrangements are present.
data commingling
Microsoft Online Services are multi-tenant services (that is, data from different customers shares the same hardware
for the outsourced
resources) but they are designed to host multiple tenants in a highly secure way through data isolation. For all of
service(s)? If so,
its Online Services, Microsoft logically isolates customer data from the other data Microsoft holds. Data storage and
how is the financial
processing for each tenant is segregated through an “Active Directory” structure, which isolates customers using
institution’s data
security boundaries (“silos”). The silos safeguard the customer’s data such that the data cannot be accessed or
isolated from other
compromised by co-tenants. Microsoft further describes its practice of logical isolation of data here.
data held by the
service provider?
26 How are the service

provider’s access logs
MAS Notice on Cyber Hygiene Paragraph 4.6 (multi-factor authentication) requires multi-factor
authentication to be implemented for (a) all administrative accounts in respect of any operating system,
monitored? database, application, security application or network device that is a critical system and (b) all accounts on
any system used by the relevant entity to access customer information through the internet.
Microsoft provides monitoring and logging technologies to give its customers maximum visibility into the activity on
their cloud-based network, applications, and devices, so they can identify potential security gaps. The Online Services
contain features that enable customers to restrict and monitor their employees’ access to the services, including the
Azure AD Privileged Identify Management system and Multi-Factor Authentication.
In addition, the Online Services include built-in approved Windows PowerShell Scripts, which minimise the access
rights needed and the surface area available for misconfiguration.
Microsoft logs, or enables customers to log, access and use of information systems containing customer data,
registering the access ID, time, authorisation granted or denied, and relevant activity. An internal, independent
Microsoft team audits the log at least once per quarter, and customers have access to such audit logs. In addition,
Microsoft periodically reviews access levels to ensure that only users with appropriate business justification have
access to appropriate systems.

REQUIREMENT
27 What policies
does the service
For certain core services of Office 365 and Azure, personnel (including employees and subcontractors) with access
to customer data content are subject to background screening, security training, and access approvals as allowed by
provider have in applicable law. Background screening takes place before Microsoft authorises the employee to access customer data. To
place to monitor the extent permitted by law, any criminal history involving dishonesty, breach of trust, money laundering, or job- related
employees material misrepresentation, falsification, or omission of fact may disqualify a candidate from employment, or, if the
with access to individual has commenced employment, may result in termination of employment. Authorization may also be done via
confidential role-based access controls (“RBAC”) or through Key Vault access policy. RBAC is an access management tool that allows
information? Are the cloud customer to manage who has access to Azure resoruces, what those with access can do with those resources,
access rights and and what areas they have access to. RBAC enables the customer to create role assignments and define each of those
system privileges assignments with differing levels of access and control. The customer may also secure its Azure management ports with
granted based on just-in-time access controls that reduce exposure to cyber-attacks.
job responsibility
and the necessity
to have them to
fulfill one’s duties?
28 How are
customers
MAS Notice on Cyber Hygiene Paragraph 4.6 (multi-factor authentication) requires multi-factor authentication
to be implemented for (a) all administrative accounts in respect of any operating system, database,
authenticated? application, security application or network device that is a critical system and (b) all accounts on any system
(continued) used by the relevant entity to access customer information through the internet.
Microsoft Online Services use two-factor authentication to enhance security. Typical authentication practices that
require only a password to access resources may not provide the appropriate level of protection for information that
is sensitive or vulnerable. Two-factor authentication is an authentication method that applies a stronger means of
identifying the user. The Microsoft phone-based two-factor authentication solution allows users to receive their PINs
sent as messages to their phones, and then they enter their PINs as a second password to log on to their services.

REQUIREMENT
28 How are
customers
Authentication is done via Azure Active Directory. Authorization may be done via role-based access controls (“RBAC”) or
Key Vault access policy. RBAC is an access management tool that allows the cloud customer to manage who has access to
authenticated? Azure resources, what those with access can do with those resources, and what areas they have access to. RBAC enables
the cloud customer to create role assignments and define each of those assignments with differing levels of access and
control. It is used when dealing with the management of the vaults and Key Vault access policy is used when attempting
to access data stored in a vault.
29 What are the

procedures for
First, there are robust procedures offered by Microsoft that enable the prevention of security incidents and violations
arising in the first place and detection if they do occur. Specifically:
identifying,
a. Microsoft implements 24 hour monitored physical hardware. Datacentre access is restricted 24 hours per day by job
reporting and
function so that only essential personnel have access to customer applications and services. Physical access control
responding
uses multiple authentication and security processes, including badges and smart cards, biometric scanners, on-
to suspected
premises security officers, continuous video surveillance, and two-factor authentication.
security incidents
and violations? b. Microsoft implements “prevent, detect, and mitigate breach”, which is a defensive strategy aimed at predicting and
(continued) preventing a security breach before it happens. This involves continuous improvements to built-in security features,
including port scanning and remediation, perimeter vulnerability scanning, OS patching to the latest updated
security software, network-level DDOS (distributed denial-of-service) detection and prevention, and multifactor
authentication for service access. In addition, Microsoft has antimalware controls to help avoid malicious software
from gaining unauthorised access to customer data. Microsoft implements traffic throttling to prevent denial-of-
service attacks and maintains a set of Security Rules for managed code to help ensure that application cybersecurity
threats are detected and mitigated before the code is deployed.
c. Microsoft employs some of the world’s top experts in cybersecurity, cloud compliance, and financial services
regulation. Its Digital Crimes Unit, for example, employs cyber experts, many of whom previously worked for law
enforcement, to use the most advanced tools to detect, protect, and respond to cybercriminals. Its Cyber Defense
Operations Center brings together security response experts from across Microsoft to help protect, detect,
and respond 24/7 to security threats against Microsoft’s infrastructure and Online Services in real-time. General
information on cybersecurity can be found here.

REQUIREMENT
29 What are the

procedures for
d. Microsoft conducts a risk assessment for Azure at least annually to identify internal and external threats and
associated vulnerabilities in the Azure environment. Information is gathered from numerous data sources within
identifying, Microsoft through interviews, workshops, documentation review, and analysis of empirical data. The assessment
reporting and follows a documented process to produce consistent, valid, and comparable results year over year.
responding
e. Wherever possible, human intervention is replaced by an automated, tool-based process, including routine functions
to suspected
such as deployment, debugging, diagnostic collection, and restarting services. Microsoft continues to invest in
security incidents
systems automation that helps identify abnormal and suspicious behaviour and respond quickly to mitigate security
and violations?
risk. Microsoft is continuously developing a highly effective system of automated patch deployment that generates
(continued)
and deploys solutions to problems identified by the monitoring systems—all without human intervention. This
greatly enhances the security and agility of the service.
f. Microsoft allows customers to monitor security threats on their server by providing access to the Azure Security
Center, Office 365 Advanced Threat Analytics, Azure Status Dashboard, and the Office 365 Service Health Dashboard,
among other online resources.
g. Microsoft maintains 24-hour monitoring of its Online Services and records all security breaches. For security breaches
resulting in unlawful or unauthorised access to Microsoft’s equipment, facilities, or customer data, Microsoft notifies
affected parties without unreasonable delay. Microsoft conducts a thorough review of all information security
incidents.
h. Microsoft conducts penetration tests to enable continuous improvement of incident response procedures. These
internal tests help Microsoft cloud services security experts create a methodical, repeatable, and optimised stepwise
response process and automation. In addition, Microsoft provides customers with the ability to conduct their own
penetration testing of the services. This is done in accordance with Microsoft’s rules of engagement, which do not
require Microsoft’s permission in advance of such testing
Second, if a security incident or violation is detected, Microsoft Customer Service and Support notifies customers by
updating the Service Health Dashboard. Customers would have access to Microsoft’s dedicated support staff, who have a
deep knowledge of the service. Microsoft provides Recovery Time Objective (RTO) commitments. These differ depending
on the applicable Microsoft service and are outlined further below.

REQUIREMENT
29 What are the

procedures for
Finally, after the incident, Microsoft provides a thorough post-incident review report (PIR). The PIR includes:
• An incident summary and event timeline.

identifying,
reporting and • Broad customer impact and root cause analysis.
responding
to suspected • Actions being taken for continuous improvement.
security incidents
If the customer is affected by a service incident, Microsoft shares the post-incident review with them.
and violations?
(continued) Microsoft’s commitment to cybersecurity and data privacy, including restrictions on access to customer data, are set
forth in Microsoft’s contracts with customers. In summary:
• Logical Isolation. Microsoft logically isolates customer data from the other data Microsoft holds. This isolation
safeguards customers’ data such that the data cannot be accessed or compromised by co-tenants.
• 24-Hour Monitoring & Review of Information Security Incidents. Microsoft maintains 24-hour monitoring of its
Online Services and records all security breaches. Microsoft conducts a thorough review of all information security
incidents. For security breaches resulting in unlawful or unauthorised access to Microsoft’s equipment, facilities,
or customer data, Microsoft notifies affected parties without unreasonable delay.
• Minimising Service Disruptions—Redundancy. Microsoft makes every effort to minimise service disruptions,
including by implementing physical redundancies at the disk, network, power supply, and server levels; constant
content replication; robust backup, restoration, and failover capabilities; and real-time issue detection and
automated response such that workloads can be moved off any failing infrastructure components with no
perceptible impact on the service.
• Resiliency. Microsoft Online Services offer active load balancing, automated failover and human backup, and
recovery testing across failure domains.
• Distributed Services. Microsoft offers distributed component services to limit the scope and impact of any failures
of a single component, and directory data is replicated across component services to insulate one service from
another in the event of a failure.

REQUIREMENT
29 What are the

procedures for
• Simplification. Microsoft uses standardised hardware to reduce issue isolation complexities. Microsoft also uses
fully automated deployment models and a standard built-in management mechanism.
identifying,
• Human Backup. Microsoft Online Services include automated recovery actions with 24/7 on-call support; a team
reporting and
with diverse skills on call to provide rapid response and resolution; and continuous improvement through learning
responding
from the on-call teams.
to suspected
security incidents • Disaster Recovery Tests. Microsoft conducts disaster recovery tests at least once per year.
and violations?
Customers also have access to the Azure Security Center, Office 365 Advanced Threat Analytics, Azure Status
Dashboard, and the Office 365 Service Health Dashboard, among other online resources, which allow them to monitor
security threats on the cloud service provider’s server.
30 What encryption
protection does
TRM Guidelines, Section 10 (Cryptographic Algorithm & Protocol; Cryptographic Key Management), Paragraph
11.1.1 (Data Security)
the service
Microsoft Online Services use industry-standard secure transport protocols for data as it moves through a network—
provider
whether between user devices and Microsoft datacentres or within datacentres themselves. To help protect data at rest,
employ, and
Microsoft offers a range of built-in encryption capabilities.
what encryption
options (e.g., key There are three key aspects to Microsoft’s encryption:
management
options) are 1. Secure identity: Identity (of a user, computer, or both) is a key element in many encryption technologies. For
available to example, in public key (asymmetric) cryptography, a key pair—consisting of a public and a private key—is issued
customers? to each user. Because only the owner of the key pair has access to the private key, the use of that key identifies the
(continued) associated owner as a party to the encryption/decryption process. Microsoft Public Key Infrastructure is based on
certificates that verify the identity of users and computers.
2. Secure infrastructure: Microsoft uses multiple encryption methods, protocols, and algorithms across its products
and services to help provide a secure path for data to travel through the infrastructure, and to help protect the
confidentiality of data that is stored within the infrastructure. Microsoft uses some of the strongest, most secure

REQUIREMENT
30 What encryption
protection does
encryption protocols in the industry to provide a barrier against unauthorised access to customer data. Proper key
management is an essential element in encryption best practices, and Microsoft helps ensure that encryption keys
the service are properly secured. Protocols and technologies examples include:
provider
• Transport Layer Security (TLS), which uses symmetric cryptography based on a shared secret to encrypt
employ, and
communications as they travel over the network.
what encryption
options (e.g., key • Internet Protocol Security (IPsec), an industry-standard set of protocols used to provide authentication, integrity,
management and confidentiality of data at the IP packet level as it’s transferred across the network.
options) are
available to • Office 365 servers using BitLocker to encrypt the disk drives containing log files and customer data at rest at the
customers? volume-level. BitLocker encryption is a data protection feature built into Windows to safeguard against threats
caused by lapses in controls (e.g., access control or recycling of hardware) that could lead to someone gaining
physical access to disks containing customer data.
• BitLocker deployed with Advanced Encryption Standard (AES) 256bit encryption on disks containing customer
data in Exchange Online, SharePoint Online, and Skype for Business. Advanced Encryption Standard (AES)-256
is the National Institute of Standards and Technology (NIST) specification for a symmetric key data encryption
that was adopted by the US government to replace Data Encryption Standard (DES) and RSA 2048 public key
encryption technology.
• BitLocker encryption that uses AES to encrypt entire volumes on Windows server and client machines, which can
be used to encrypt Hyper-V virtual machines when a virtual Trusted Platform Module (TPM) is added. BitLocker
also encrypts Shielded VMs in Windows Server 2016, to ensure that fabric administrators cannot access the
information inside the virtual machine. The Shielded VMs solution includes the Host Guardian Service feature,
which is used for virtualization host attestation and encryption key release.
3. Secure apps and data: Information concerning security and encryption of Microsoft Online Services may be found
at microsoft.com/en-us/trustcenter/security/encryption. Further information concerning Microsoft controls and
applicable SOC audit reports may be found at: Service Organization Controls (SOC) - Microsoft Compliance |
Microsoft Docs

REQUIREMENT
31 Are there
procedures
Outsourcing Guidelines, Paragraph 5.7.2(c) requires financial institutions to ensure that there are plans and
procedures in place to address the need to have all relevant IT information and assets promptly removed
established to and destroyed upon termination.
securely destroy or
Yes.
remove the data
when the need Microsoft uses best practice procedures and a wiping solution that is NIST 800-88, ISO/IEC 27001, ISO/IEC 27018, SOC1
arises (for example, and SOC2 compliant. For hard drives that cannot be wiped it uses a destruction process that destroys it (i.e., shredding)
when the contract and renders the recovery of information impossible (e.g., disintegrate, shred, pulverize, or incinerate). The appropriate
terminates)? means of disposal is determined by the asset type. Records of the destruction are retained. Information regarding
SOC reports is available here: Service Organization Controls (SOC) - Microsoft Compliance | Microsoft Docs. Audit
reports for Microsoft services are available here: MSComplianceGuideV3 (microsoft.com)
All Microsoft online services utilise approved media storage and disposal management services. Paper documents
are destroyed by approved means at the pre-determined end-of-life cycle. In its contracts with customers, Microsoft
commits to disabling a customer’s account and deleting customer data from the account no more than 180 days after
the expiration or termination of the Online Service.
“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO/IEC 27001 standards against
which Microsoft is certified.
32 Are there
documented
Yes.
Physical access control uses multiple authentication and security processes, including badges and smart cards,
security procedures
biometric scanners, on-premises security officers, continuous video surveillance and two-factor authentication. The
for safeguarding
datacentres are monitored using motion sensors, video surveillance and security breach alarms.
premises and
restricted areas?
If yes, provide
descriptions of
these procedures.

REQUIREMENT
33 Are there
documented
MAS Notice on Cyber Hygiene, Paragraph 4.3(a) (security standards) requires that there is a written set of
security standards for every system.
security procedures
TRM Guidelines, Paragraph 8.5 requires the financial institutions to conduct a Threat and Vulnerability
for safeguarding
Risk Assessment for its datacentres; ensure adequate redundancy for the power, network connectivity,
hardware, software
and cooling, electrical and mechanical systems of the datacentre to eliminate any single point of failure;
and data in the
implement fire detection and suppression devices or systems; geographically separate primay or
datacentre?
production datacentres from secondary or disaster recovery datacentres; monitor physical security and
environmental controls; and ensure adequate controls on physical access to the datacentres.
Yes.
These are described at length in the Microsoft Trust Center at microsoft.com/trust.
For information on:
• design and operational security see https://www.microsoft.com/en-us/security/business/operations
• network security see https://www.microsoft.com/en-us/security/business/operations
• encryption see https://www.microsoft.com/en-us/security/business/operations
• threat management see https://www.microsoft.com/en-us/security/business/operations
• identify and access management see https://www.microsoft.com/en-us/trustcenter/security/identity

REQUIREMENT
34 Does the service

provider have
TRM Guidelines, Paragraph8.5.6 9.1 (access control). Paragraph 9.1.8 specifically provides that the financial
institution should subject its service providers, who are given access to its information assets, to the same
privileged access monitoring and access restrictions as on its personnel.
or remote access
Yes.
to perform system/
user administration Microsoft applies strict controls over access to customer data. Access to the IT systems that store customer data
for the outsourced is strictly controlled via role-based access control (RBAC) and lock box processes. Access control is an automated
service? If so, does process that follows the separation of duties principle and the principle of granting least privilege. This process
the service provider ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a
have access to background screen, required security training, and access approvals. In addition, the access levels are reviewed on
your organisation’s a periodic basis to ensure that only users who have appropriate business justification have access to the systems.
sensitive data? Please This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements. In
provide details addition, the Online Services include built-in approved Windows PowerShell Scripts, which minimise the access rights
on the controls needed and the surface area available for misconfiguration.
implemented to
mitigate the risks of Microsoft provides monitoring and logging technologies to give customers maximum visibility into the activity on
unauthorised access their cloud-based network, applications, and devices, so they can identify potential security gaps. The Online Services
to sensitive data by contain features that enable customers to restrict and monitor their employees’ access to the services, including
the service provider, the Azure AD Privileged Identify Management system and Multi-Factor Authentication. Microsoft logs, or enables
or other parties. customers to log, access and use of information systems containing customer data, registering the access ID, time,
authorisation granted or denied, and relevant activity. An internal, independent Microsoft team audits the log at least
once per quarter, and customers have access to such audit logs. In addition, Microsoft periodically reviews access
levels to ensure that only users with appropriate business justification have access to appropriate systems. Microsoft
provides customers with information to reconstruct financial transactions and develop audit trail information
through two primary sources: Azure Active Directory reporting, which is a repository of audit logs and other
information that can be retrieved to determine who has accessed customer transaction information and the actions
they have taken with respect to such information, and Azure Monitor, which provides activity logs and diagnostic
logs that customers can use to determine the “what, who, and when” with respect to changes to customer cloud
information and to obtain information about the operation of the Online Services, respectively.
In emergency situations, a “JIT (as defined above) access and elevation system” is used (that is, elevation is granted on
an as-needed and only-at-the-time-of-need basis) of engineer privileges to troubleshoot the service.

REQUIREMENT
35 Are the activities of

privileged accounts
TRM Guidelines, Paragraph 9.2 (Privileged Access Management)
Yes.
captured (e.g. system
audit logs) and An internal, independent Microsoft team audits the logs at least once per quarter.
reviewed regularly?
Indicate the party
reviewing the logs
and the review
frequency.
36 Are the audit/activity

logs protected
TRM Guidelines, Paragraph 12.2.2 requires the financial institution to establish a process to collect,
process, review and retain system logs, which should be protected against unauthorised access. See also
against tampering by TRM Guidelines Paragraph 9.2 (privileged access management).
users with privileged
Yes.
accounts? Describe
the safeguards Microsoft logs, or enables customers to log, access and use of information systems containing customer data,
implemented. registering the access ID, time, authorization granted or denied, and relevant activity. An internal, independent
Microsoft team audits the log at least once per quarter, and customers have access to such audit logs. In addition,
Microsoft periodically reviews access levels to ensure that only users with appropriate business justification
have access to appropriate systems. All logs are saved to the log management system which a different team of
administrators manages. All logs are automatically transferred from the production systems to the log management
system in a secure manner and stored in a tamper-protected way.

REQUIREMENT
37 Is access to sensitive
files, commands and
TRM Guidelines, Paragraph 9 (access control) and Paragraph 12 (cyber security operations)
Yes.
services restricted
and protected from System level data such as configuration data/file and commands are managed as part of the configuration
manipulation? Are management system. Any changes or updates to or deletion of those data/files/commands will be automatically
integrity checks deleted by the configuration management system as anomalies.
implemented to
detect unauthorised Further, Microsoft applies strict controls over access to customer data. Access to the IT systems that store customer
changes to data is strictly controlled via role-based access control (RBAC) and lock box processes. Access control is an automated
databases, files, process that follows the separation of duties principle and the principle of granting least privilege. This process
programs and system ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a
configuration? background screen, required security training, and access approvals. In addition, the access levels are reviewed on
Provide details a periodic basis to ensure that only users who have appropriate business justification have access to the systems.
of controls This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements. In
implemented. addition, the Online Services include built-in approved Windows PowerShell Scripts, which minimise the access rights
needed and the surface area available for misconfiguration.
38 Are password
controls for the
TRM Guidelines, Paragraph 9 (access control)
MAS Notice on Cyber Hygiene, Paragraph 4.6 (multi-factor authentication)

outsourced systems
and applications Yes.
reviewed for
compliance on a All access to production and customer data requires multi-factor authentication. Use of strong passwords is enforced
regular basis? as mandatory, and password must be changed on a regular basis.

REQUIREMENT
39 Are access rights

for the outsourced
TRM Guidelines, Section 9 (access control).
Administrators who have rights to applications have no physical access to the production systems. They must
systems and
securely access the applications remotely via a controlled, and monitored remote process called lockbox. All
applications
operations through this remote access facility are logged.
reviewed for
compliance on a Further, Microsoft applies strict controls over access to customer data. Access to the IT systems that store customer
regular basis? data is strictly controlled via role-based access control (RBAC) and lock box processes. Access control is an automated
process that follows the separation of duties principle and the principle of granting least privilege. This process
ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a
background screen, required security training, and access approvals. In addition, the access levels are reviewed on
a periodic basis to ensure that only users who have appropriate business justification have access to the systems.
This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements. In
addition, the Online Services include built-in approved Windows PowerShell Scripts, which minimise the access rights
needed and the surface area available for misconfiguration.
40 Does the service

provider have a
TRM Guidelines, Paragraphs 8.1 (systems availability), 8.2 (system recoverability ), 8.3 (testing of disaster
disaster recovery or recovery plan, 8.4 (system backup and recovery), and 8.5 (data centre resilience)
business continuity Business Continuity Management Guidelines, Principle 2
plan and what
Yes.
is the service
availability? For Microsoft works with its customers to develop exit strategies and exit plans and Microsoft’s best practices, informed
your organisation’s by the EBA, direct that Microsoft coordinate with the financial institution in the event of an exit from the cloud
data residing at the environment. In addition to specific assistance, Microsoft provides guidance and examples of how exit plans could
service provider, play out in execution. Microsoft’s cloud services contracts with financial institutions provide numerous ways in which
what are the backup the cloud service provider relationship may be terminated, coupled with means of data retention and portability
and recovery to a new cloud service provider or in a return to the financial institution’s on-premises solution. Microsoft provides
arrangements? resources for customers to address exit planning, including its exit planning guidelines for financial services
(continued) institutions and exit planning white paper.

REQUIREMENT
40 Does the service

provider have a
The financial institution still needs to examine any critical business or technical processes that rely on cloud services
and establish their own internal end-to-end disaster recovery or business continuity plan (DRP/BCP) to deal with any
disaster recovery or outages that affect access those services. This includes power issues/failures within the organization, network failures
business continuity and 3rd-party supplier outages such as cloud services, ISP, or DNS. Microsoft recommends reviewing the M365
plan and what Resiliency & Customer Guidance white paper for further guidance on incorporating these considerations into
is the service your BCP.
availability? For
Microsoft conducts disaster recovery tests at least once per year. By way of background, Microsoft maintains physical
your organisation’s
redundancy at the server, datacenter, and service levels; data redundancy with robust failover capabilities; and
data residing at the
functional redundancy with offline functionality. Microsoft’s redundant storage and its procedures for recovering
service provider,
data are designed to attempt to reconstruct customer data in its original or last-replicated state from before the time
what are the backup
it was lost or destroyed.
and recovery
arrangements? Microsoft maintains multiple live copies of data at all times. Live data is separated into “fault zones,” which ensure
(continued) continuous access to data. For Office 365, Microsoft maintains multiple copies of customer data across datacenters
for redundancy. For Azure, Microsoft may copy customer data between regions within a given geography for data
redundancy or other operational purposes. For example, Azure Globally-Redundant Storage (“GRS”) replicates certain
data between two regions within the same geography for enhanced data durability in case of a major datacenter
disaster.
To promote data resiliency, Microsoft Online Services offer active load balancing, automated failover and human
backup, and recovery testing across failure domains as further described below. For example, Azure Traffic Manager
provides load balancing between different regions, and the customer can use network virtual appliances in its
Azure Virtual Networks for application delivery controllers (ADC/load balancing) functionality. Load balancing is
also provided by Power BI Services, the Gateway, and Azure API Management roles. Office 365 services have been
designed around specific resiliency principles that are designed to protect data from corruption, to separate data
into different fault zones, to monitor data for failing any part of the ACID test, and to allow customers to recover on
their own. For more information, refer to Microsoft’s white paper “Data Resiliency in Microsoft Office 365,” available at
https://aka.ms/Office365DR.

REQUIREMENT
40 Does the service

provider have a
Redundancy
• Physical redundancy at server, datacenter, and service levels.

disaster recovery or
business continuity • Data redundancy with robust failover capabilities.
plan and what
is the service • Functional redundancy with offline functionality.
availability? For
Microsoft’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct
your organisation’s
customer data in its original or last-replicated state from before the time it was lost or destroyed. Additionally,
Microsoft maintains multiple live copies of data at all times. Live data is separated into “fault zones”, which ensure
service provider,
continuous access to data. For Office 365, Microsoft maintains multiple copies of customer data across for
what are the backup
redundancy. For Azure, Microsoft may copy customer data between regions within a given geography for data
and recovery
redundancy or other operational purposes. For example, Azure Globally-Redundant Storage replicates certain data
arrangements?
between two regions within the same geography for enhanced data durability in case of a major datacenter disaster.
(continued)
Resiliency
• Active/active load balancing.
• Automated failover with human backup.
• Recovery testing across failure domains.
For example, Azure Traffic Manager provides load balancing between different regions, and the customer can use
network virtual appliances in its Azure Virtual Networks for application delivery controllers (ADC/load balancing)
functionality. Load balancing is also provided by Power BI Services, the Gateway, and Azure API Management roles.
Office 365 services have been designed around specific resiliency principles that are designed to protect data from
corruption, to separate data into different fault zones, to monitor data for failing any part of the ACID test, and to
allow customers to recover on their own.

REQUIREMENT
40 Does the service

provider have a
Distributed Services
• Distributed component services like Exchange Online, SharePoint Online, and Skype for Business Online
limit scope and impact of any failures in a component. Directory data replicated across component services
business continuity
insulates one service from another in any failure events.
plan and what
is the service • Simplified operations and deployment.
availability? For
your organisation’s Monitoring
• Internal monitoring built to drive automatic recovery.
service provider,
what are the backup • Outside-in monitoring raises alerts about incidents.
and recovery
arrangements? • Extensive diagnostics provide logging, auditing, and granular tracing.
(continued)
Simplification
• Standardised hardware reduces issue isolation complexities.
• Fully automated deployment models.
• Standard built-in management mechanism
Human Backup
• Automated recovery actions with 24/7 on-call support.
• Team with diverse skills on the call provides rapid response and resolution.
• Continuous improvement by learning from the on-call teams.

REQUIREMENT
40 Does the service

provider have a
Continuous Learning
• If an incident occurs, Microsoft does a thorough post-incident review every time.

business continuity • Microsoft’s post-incident review consists of analysis of what happened, Microsoft’s response, and Microsoft’s
plan and what plan to prevent it in the future.
is the service
availability? For • If the organisation was affected by a service incident, Microsoft shares the post-incident review with the
your organisation’s organisation.
service provider,
what are the backup
and recovery
arrangements?
41 What are the

recovery time
Outsourcing Guidelines, Paragraph 5.7.2(a); TRM Guidelines, Paragraph 8.2.1; Business Continuity
Management Guidelines, Principle 4 (financial institutions should develop recovery strategies and set
objectives (RTO) recovery time objectives for critical business functions).
of systems or
The uptime commitments for each Microsoft Online Service are specified in the Service Level Agreement (SLA).
applications
outsourced to the
service provider?

REQUIREMENT
42 What are the

recovery point
Outsourcing Guidelines, Paragraph 5.7.2(a); TRM Guidelines, Paragraph 8.2.1; Business Continuity Management
Guidelines, Principle 4 (financial institutions should develop recovery strategies and set recovery time
objectives (RPO) objectives for critical business functions)
of systems or
Azure Backup and resiliency RPO is provided on a service-by-service basis, with information on each Azure service
applications
available from the Azure Trust Center.
outsourced to the
service provider? Office 365 Peer replication between datacentres ensures that there are always multiple live copies of any data. Standard
images and scripts are used to recover lost servers, and replicated data is used to restore customer data. Because of
the built-in data resiliency checks and processes, Microsoft maintains backups only of Office 365 information system
documentation (including security-related documentation), using built-in replication in SharePoint Online and our
internal code repository tool, Source Depot. System documentation is stored in SharePoint Online, and Source Depot
contains system and application images. Both SharePoint Online and Source Depot use versioning and are replicated in
near real-time.
43 How frequently
does the service
Outsourcing Guidelines, Paragraph 5.7.2(b) (financial institutions should proactively seek assurance on the
state of the business continuity plans preparedness of the service provider, or participate in joint testing,
provider conduct where possible. It should ensure that the service provider regularly tests its business continuity plans and that
disaster recovery the tests validate the feasibility of the RTOs and the resumption operating capacities. The service provider
tests? should also be required to notify the financial institution of any test finding that may affect the service
(continued) provider’s performance).
See also TRM Guidelines, Paragraph 8.3.4 (financial institution should ensure service providers’ disaster
recovery arrangements are established, tested and verified); Business Continuity Management Guidelines,
Principle 3.
Microsoft conducts disaster recovery tests at least once per year. By way of background, Microsoft maintains physical
redundancy at the server, datacentre, and service levels; data redundancy with robust failover capabilities; and functional
redundancy with offline functionality. Microsoft’s redundant storage and its procedures for recovering data are designed
to attempt to reconstruct customer data in its original or last-replicated state from before the time it was lost or
destroyed.

REQUIREMENT
43 How frequently
does the service
Microsoft maintains multiple live copies of data at all times. Live data is separated into “fault zones,” which ensure
continuous access to data. For Office 365, Microsoft maintains multiple copies of customer data across datacentres for
provider conduct redundancy. For Azure, Microsoft may copy customer data between regions within a given location for data redundancy
disaster recovery or other operational purposes. For example, Azure Globally-Redundant Storage (“GRS”) replicates certain data between
tests? two regions within the same location for enhanced data durability in case of a major datacentre disaster.
To promote data resiliency, Microsoft’s Online Services offer active load balancing, automated failover and human
backup, and recovery testing across failure domains. For example, Azure Traffic Manager provides load balancing
between different regions, and the customer can use network virtual appliances in its Azure Virtual Networks for
application delivery controllers (ADC/load balancing) functionality. Load balancing is also provided by Power BI Services,
the Gateway, and Azure API Management roles. Office 365 services have been designed around specific resiliency
principles that are designed to protect data from corruption, to separate data into different fault zones, to monitor
data for failing any part of the ACID test, and to allow customers to recover on their own. For more information, refer to
Microsoft’s white paper “Data Resiliency in Microsoft Office 365,” available at https://aka.ms/Office365DR.
44 Do you have the

right to terminate
Outsourcing Guidelines, Paragraph 5.5.2(i), which states that the agreement should contain provisions for
default termination and early exit.
the SLA in the
The customer may terminate an Online Service at the express direction of a regulator with reasonable notice. The
event of default,
Microsoft Agreement includes rights to terminate early for cause and without cause. Refer to your Microsoft Agreement.
ownership
Additionally, the Financial Services Amendment provides for the customer’s right to terminate for Microsoft’s breach of
change,
applicable law or its obligations under the Financial Services Amendment, as well as where customer can reasonably
insolvency,
demonstrate that there are weaknesses regarding the management and security of customer data or there are material
change of
changes affecting Microsoft’s provision of the Online Services. Additionally, to ensure regulatory compliance, Microsoft
security or serious
and the customer may contemplate adding additional products or services, or if these are unable to satisfy the customer’s
deterioration of
new regulatory requirements, the customer may terminate the applicable Online Service without cause by giving 60 days’
service quality?
prior written notice.

REQUIREMENT
F. PRIVACY
In addition to the sector-specific requirements imposed by MAS, the financial institution also needs to comply with the Personal Data Protection Act in respect
of any personal information that Microsoft hosts for the financial institution in the course of providing the Microsoft Online Services.
45 Will use of the

cloud service
The Personal Data Protection Act (PDPA) will generally apply to personal information collected by financial institutions.
Microsoft has prepared a mapping document which indicates how Microsoft’s compliance with ISO/IEC 27018 enables
enable the
the customer to continue to comply with its key privacy obligations under the PDPA.
institution
to continue Microsoft is committed to protect the privacy of its customers and is constantly working to help strengthen privacy and
complying with compliance protections for its customers. Not only does Microsoft have robust and industry leading security practices
the PDPA? in place to protect its customers’ data and robust data protection clauses included, as standard, in its Product Terms,
Microsoft has gone further.
In February 2015, Microsoft became the first major cloud provider to adopt the world’s first international standard for
cloud privacy, ISO/IEC 27018. The standard was developed by the International Organization for Standardization (ISO)
to establish a uniform, international approach to protecting privacy for personal data stored in the cloud. The British
Standards Institute (BSI) has now independently verified that Microsoft is aligned with the standard’s code of practice for
the protection of Personally Identifiable Information (PII) in the public cloud.
Learn more at Microsoft Data Privacy Principles | Microsoft Trust Center.
57 | Key Considerations | Privacy Back to Contents

REQUIREMENT
46 Does the service

provider agree to
The financial institution is responsible for complying with obligations under the PDPA in respect of personal data
processed by the service provider on its behalf and for its purposes. For information transferred outside of Singapore,
comply with the the financial institution is responsible for complying with the Transfer Limitation Obligation, which includes the need
PDPA? to ensure that it obtains sufficient legally enforceable obligations from its service provider to ensure that standard of
protection comparable to the PDPA is provided by the overseas recipient to the transferred personal data.
Yes.
Microsoft will comply with the PDPA in respect of any personal information hosted by Microsoft while providing the
cloud services.
More general principles that are expressly stated in the Microsoft online services contract include commitments that:
• Microsoft will use customer data only for the purposes of providing the services;
• Customers retain all rights in, and effective control of, their data;
• Customers can extract, verify, amend or delete their data at any time;
• Microsoft will not provide any third-party access to customer data except as directed by a customer or required by
law; and
• After a customer terminates its use of the service, customer data is held for at least 90 days to allow data to be
extracted or migrated to a new service, and after this period it is deleted.
The Microsoft online services contract also includes the standard contractual data protection clauses created by the
European Union (called the “EU Model Clauses”), and the contract has also expressly been endorsed by the Article
29 Working Group (which comprises representatives from the Data Protection Authorities of the EU member states).
Microsoft is also committed to GDPR compliance across their cloud services, and that is why we provide GDPR related
assurances in our contractual commitments. More information regarding GDPR compliance can be found here.
Microsoft’s contractual commitments, in combination with its independent certification process and the functionality of
the Microsoft online services, collectively represent binding commitments which meet the threshold required by
the PDPA.
58 | Key Considerations | Privacy Back to Contents

Part 2: Contract Checklist
WHAT ARE OUR CONTRACT DOCUMENTS?
The following table sets out the relevant Microsoft documents:
CORE MICROSOFT CONTRACT DOCUMENTS DOCUMENTS INCORPORATED IN MICROSOFT CONTRACTS 1

Microsoft Business and Services Agreement (MBSA); Product Terms (Product Terms), incorporating the Data Protection Addendum
including the EU Model Clauses (DPA);
Enterprise Agreement (EA); and the enabling Enrollment, which is likely
to be either an Enterprise Enrollment or a Server and Cloud Enrollment. Product Terms
Online Services Service Level Agreement (SLA).
AMENDMENT PROVIDED BY MICROSOFT TO ADD TO CORE CONTRACT SUPPORTING DOCUMENTS AND INFORMATION THAT DO NOT FORM PART
DOCUMENTS FOR FINANCIAL SERVICES CUSTOMERS OF THE CONTRACT 2
Financial Services Amendment (FSA) Materials available from the relevant Trust Center
WHAT DOES THIS PART 2 COVER?

Part 2 sets out the specific items that should be covered in the financial institution’s outsourcing agreement with the service provider, pursuant to the Outsourcing
Guidelines and Notice 634 Banking Secrecy – Conditions for Outsourcing (Appendix). It also contains useful information on how Microsoft’s contractual documents
address each of said items. Microsoft is confident that all relevant requirements specified in the Guidelines on Outsourcing and Notice 634 Banking Secrecy –
Conditions for Outsourcing are addressed in Microsoft’s contractual documents, as shown below.
1
Available at www.microsoft.com/contracts.
2
Available at www.microsoft.com/trustcenter.
59 | Contract Checklist Back to Contents

REFERENCE REQUIREMENT HOW AND WHERE IS THIS DEALT WITH IN MICROSOFT’S CONTRACT?
Outsourcing (a) The outsourcing agreement should This depends on the results of your risk evaluation and due diligence exercises.
Guidelines, address the risks identified at the risk
Paragraph evaluation and due diligence stages.
5.5.2
Outsourcing (b) The outsourcing agreement should In order to facilitate your continued and ongoing legal and regulatory compliance
Guidelines, allow for timely renegotiation and needs, and as part of its standard offering to you (i.e. the FSA that automatically applies
Paragraph renewal to enable the institution to retain to regulated financial services institution customers), Microsoft agrees to discuss how to
5.5.2 an appropriate level of control over the meet new or additional requirements should you become subject to.
outsourcing arrangement and the right to
Furthermore, Microsoft’s contractual documents anticipate renewal. More information
intervene with appropriate measures to
on your termination rights is available under Requirement (k) below.
meet its legal and regulatory obligations.
Meanwhile, Microsoft enables financial institution customers to retain an appropriate
level of control to meet their legal and regulatory obligations. Not only do you have
full control and ownership over your data at all times, under the FSA Microsoft (i)
makes available to you the written cloud services data security policy that complies
with certain control standards and frameworks, along with descriptions of the security
controls in place for Azure and other information that you reasonably request regarding
Microsoft’s security practices and policies; and (ii) causes the performance of audits,
on your behalf, of the security of the computers, computing environment and physical
datacentres that it uses in processing your data (including personal data) for the cloud
services, and provides the audit report to you upon request. These arrangements are
offered to you to provide you with the appropriate level of assessment of Microsoft’s
ability to facilitate compliance against your policy, procedural, security control and
regulatory requirements.

Outsourcing (c) The outsourcing agreement should The Online Services are described in the Microsoft Agreement. An online description is
Guidelines, have provisions to address the scope of also available here:
Paragraph the outsourcing arrangement.
• Microsoft 365 Service Description
5.5.2(a)
• Dynamics 365 Service Description
• Directory of Azure Cloud Services
The support services, including Professional Services, are described in the DPA and in
the Master Business Services Agreement.
Outsourcing (d) The outsourcing agreement should The SLA sets outs Microsoft’s service level commitments for Online Services, as well as
Guidelines, have provisions to address performance, the service credit remedies for the customer if Microsoft does not meet
Paragraph operational, internal control and risk the commitment.
5.5.2(b) management standards.
Refer to:
• Microsoft 365 Service Level Agreement
• Dynamics 365 Service Level Agreement
• Azure Service Level Agreements

Outsourcing (e) The outsourcing agreement should The Microsoft Agreement includes various confidentiality, privacy and security
Guidelines, have provisions to address confidentiality protections.
Paragraph and security.
For information about how Microsoft Online Services protect your data, and how you
5.5.2(c); 5.6.2
can manage cloud data security and compliance for your organisation, refer to the
Notice 634 Service Trust Portal (Data Protection Resources).
Banking
The customer owns, and retains the ability to access, its data that is stored on Microsoft
Secrecy -
Online Services at all times. Refer to the Trust Center for further information.
Conditions
for
Outsourcing,
Paragraph
8 of the
Appendix
Outsourcing (f ) The outsourcing agreement should Microsoft has and will maintain adequate business continuity and disaster recovery
Guidelines, have provisions to address business con- plans intended to restore normal operations and proper provision of the Online Services
Paragraphs tinuity management. in the event of an emergency. Such plans are documented, reviewed and tested at least
5.5.2(d) and annually. Microsoft will communicate with customers regarding significant changes to
5.7 and Microsoft’s business resumption and contingency plans.
Notice 634 See the Financial Services Amendment for further assurances regarding business
Banking continuity management.
Secrecy –
Conditions For further information about Microsoft’s approach to business continuity and disaster
for recovery, refer to our Enterprise Business Continuity Management (EBCM) Program
Outsourcing, description. We continually publish validation reports on our EBCM on a quarterly basis
Paragraph on our website.
11 of the
Appendix

Outsourcing (g) The outsourcing agreement should Microsoft provides access to “service health” dashboards (Office 365 Service Health
Guidelines, have provisions to address monitoring Dashboard and Azure Status Dashboard) providing real-time and continuous
Paragraphs and control. updates on the status of Microsoft Online Services. This provides your IT administrators
5.5.2(e) and with information about the current availability of each service or tool (and history
5.8.1 of availability status), details about service disruption or outage and scheduled
maintenance times. The information is provided online and via an RSS feed. As part of
its certification requirements, Microsoft is required to undergo independent third-party
auditing, and it shares with the customer the independent third party audit reports.
Microsoft also makes available a wealth of resources online to provide transparency and
assurance to customers in the Microsoft compliance documentation dashboard.
The Financial Services Amendment provides customers and their auditors with the
unrestricted rights of inspection and auditing related to the outsourcing arrangement,
which includes specific rights of access to business premises for financial services
customers via special contractual provisions designed for regulated customers in
the financial services sector. Additionally, Financial Services Amendment provides
the customer’s regulator to examine or audit the Online Services in order to meet
the regulator’s supervisory obligations of Microsoft as a direct service provider of
the customer. These rights enable such customers to comply with their regulatory
obligations through direct access to business premises, to information, Microsoft
personnel and Microsoft’s external auditor.

Outsourcing (h) The outsourcing agreement should Microsoft provides customers with the ability to access and extract customer data,
Guidelines, have provisions to address audit and as well audit and monitoring mechanisms, to enable customers to comply with
Paragraphs inspection. their regulatory obligations. These rights of access and audit extend to regulators of
5.5.2(f), 5.9.1, customers. The Financial Services Amendment grants the customer unrestricted rights
5.9.2 and 5.9.3, of inspection and auditing related to the outsourcing arrangement.
5.10.2(b),
for material
outsourcing
and
Notice 634
Banking
Secrecy –
Conditions for
Outsourcing,
Paragraph 8(a)
of the Appendix
Outsourcing (i) The outsourcing agreement should Notification of significant events

Guidelines, have provisions to address notification
Microsoft will notify the customer of the nature, common causes and resolution of
Paragraphs of adverse developments.
security incidents and other circumstances that can reasonably be expected to have a
5.5.2(g) and 4.2
material service impact on the customer’s use of the Online Services, and will provide
communications regarding Microsoft’s risk-threat evaluations and other circumstances
that may have a serious impact.
Internal reports
Microsoft commissions independent audits of the security of the computers, computing

environment and physical data centres that it uses in processing customer/ personal
data for each Online Service, the reports of which are available to customers on request.
Customers also have access to the results of Microsoft’s penetration testing.
The Financial Services Amendment has provisions addressing each of these points.

Outsourcing (j) The outsourcing agreement should If a financial institution and Microsoft have a dispute, the choice-of-law and dispute
Guidelines, have provisions to address dispute resolution provisions would be clearly described in the agreement between Microsoft
Paragraph resolution. and the financial institution. MBSA clauses 10(g) and 10(h) contains terms that describe
5.5.2(h) how a dispute under the contract is to be conducted.
Outsourcing (k) The outsourcing agreement should The Microsoft Agreement includes rights to terminate early for cause and without cause.
Guidelines, have provisions to address default Refer to your Microsoft Agreement. Additionally, the Financial Services Amendment
Paragraph termination and early exit. provides for the customer’s right to terminate for Microsoft’s breach of applicable law
5.5.2(i) and or its obligations under the Financial Services Amendment, as well as where customer
Notice 634 can reasonably demonstrate that there are weaknesses regarding the management and
Banking security of customer data or there are material changes affecting Microsoft’s provision of
Secrecy – the Online Services.
Conditions for
Customers will at all times have access to customer data using the standard
Outsourcing,
features of the Online Services, including in the case of the insolvency, resolution
Paragraph 10 of
or discontinuation of business operations of Microsoft where the Data Retention
the Appendix
and Deletion provisions in the DPA will apply. Additionally, the Financial Services
Amendment requires Microsoft to continue to provide services in the event a regulator
requires such continuance, including in the event of a termination of the agreement or a
resolution of the financial institution.

Outsourcing (l) The outsourcing agreement Microsoft’s enterprise cloud services process various categories of data, including
Guidelines, should have provisions to address customer data and personal data. Where Microsoft hires a subcontractor to perform
Paragraph subcontracting. work that may require access to such data, they are considered a subprocessor.
5.5.2(j) Subprocessors may access data only to deliver the functions in support of Online
Services that Microsoft has hired them to provide and are prohibited from using data for
any other purpose.
The Microsoft Online Services Subprocessor List identifies subprocessors authorized

to subprocess customer data or personal data in Microsoft Online Services. This list is
applicable for the Microsoft Online Services referred to in the Product Terms for which
Microsoft is a data processor. This list of subprocessors includes all subcontractors who
may perform critical or important functions and, in fact, discloses a set of subcontractors
that perform staff augmentation, which itself is neither critical or important in the
context of the provision of Online Services.
For further information, refer to the Trust Center and the Subprocessor and Data
Privacy White Paper.
Microsoft gives customers notice of new subprocessors (by updating the Microsoft
Online Services Subprocessor List and providing customers with a mechanism to obtain
notice of that update) at least six months in advance of the subprocessor’s authorization
to perform services that may involve secure access to customer data and at least thirty
days in advance of potential access to personal data within Microsoft Online Services.
This advance notice enables customers to investigate the subprocessor, perform a risk
assessment, and ask questions of Microsoft about the subprocessing engagement. (See
DPA, “Notice and Controls on use of Subprocessors”)
To ensure subcontractor accountability, Microsoft requires all of its vendors that handle
customer personal information to join the Microsoft Supplier Security and Privacy
Assurance Program, which is an initiative designed to standardise and strengthen the
handling of customer personal information, and to bring vendor business processes
and systems into compliance with those of Microsoft. For more information regarding
Microsoft’s Supplier Security and Privacy Program, see microsoft.com/en-us/
procurement/msp-requirements.aspx.

Outsourcing (m) The outsourcing agreement Refer to the Microsoft Agreement regarding compliance with applicable laws.
Guidelines, should have provisions to address
Paragraph applicable laws
5.5.2(k)
Outsourcing (n) The outsourcing agreement should The Financial Services Amendment details the parties’ acknowledgment of the relevant
Guidelines, be tailored to address issues arising from regulators’ and resolution authorities’ information gathering and investigatory powers
Paragraphs country risks and potential obstacles in under applicable laws and that nothing in the Financial Services Amendment will limit
5.5.3 and 5.10 exercising oversight and management or restrict such powers. In addition to the audit rights discussed immediately above, the
of the outsourcing arrangements Financial Services Amendment provides the customer’s regulator to examine or audit
made with a service provider outside the Online Services in order to meet the regulator’s supervisory obligations of Microsoft
Singapore. as a direct service provider of the customer.
Upon intervention by a national resolution authority, Microsoft will comply with the
requirements of such national resolution authority. Further detail is set out in the
Financial Services Amendment, which also provides for the continuation of services in
the event of a resolution of the financial institution.
Information about the locations of customer data at rest for Core Online Services is
available in the Product Terms and the DPA, which provides commitments on the
location at which Microsoft will store customer data at rest. Additional information
pertaining to the data residency and transfer policies specific to the Online Service
is available at the Trust Center. This website lets you validate for each Online Service
individually how data is stored and processed by Microsoft.

Further Information
• Navigating Your Way to the Cloud: microsoft.com/en-sg/apac/trustedcloud
• Trust Center: microsoft.com/trust
• Service Trust Portal: aka.ms/trustportal
• Customer Stories: customers.microsoft.com
• Product Terms: Microsoft.com/contracts
• Service Level Agreements: microsoft.com/contracts
• SAFE Handbook: aka.ms/safehandbook
• A Cloud for Global Good | Microsoft: news.microsoft.com/cloudforgood/
© Microsoft Corporation 2019. This document is not legal or regulatory advice and does not constitute
any warranty or contractual commitment on the part of Microsoft. You should seek independent legal
advice on your cloud services project and your legal and regulatory obligations.
68 | Further Information Back to Contents

Microsoft Cloud - Checklist For Financial Institutions in Singapore PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Microsoft Cloud - Checklist For Financial Institutions in Singapore PDF

Uploaded by

Copyright:

Available Formats

A Compliance Checklist

for Financial Institutions

OVERVIEW OF THE REGULATORY LANDSCAPE 6 Technical and Operational Risk Q&A 34

COMPLIANCE CHECKLIST 10 Privacy 57

PART 1: KEY CONSIDERATIONS 11 PART 2: CONTRACT CHECKLIST 59

Overview 11 FURTHER INFORMATION 68

Compliance within your Organisation 21

3 | Introduction Back to Contents

4 | Introduction Back to Contents

• Simplifies compliance workflow and enables customers to assign, track,

5 | Introduction Back to Contents

• MAS Notices on Cyber Hygiene

• MAS Technology Risk Management Guidelines (revised January 2021)

• MAS Notices on Technology Risk Management

• MAS Business Continuity Management Guidelines June 2003

• MAS Notice 634, Banking Secrecy – Conditions for Outsourcing

Continued Next Page »

6 | Overview Back to Contents

Are transfers Yes.

Continued Next Page »

7 | Overview Back to Contents

Are public cloud Yes.

8 | Overview Back to Contents

9 | Overview Back to Contents

Looking for something specific?

HOW SHOULD WE USE THE COMPLIANCE CHECKLIST?

WHICH PART(S) DO WE NEED TO LOOK AT?

• in Part 1, we address the key compliance considerations that apply; and

10 | Compliance Checklist Back to Contents

REF. QUESTION / GUIDANCE

1 Who is the service

Microsoft’s full company profile is available here: microsoft.com/en-us/investor/

Microsoft’s Annual Reports are available here: microsoft.com/en-us/Investor/annual-reports.aspx

Continued Next Page »

11 | Key Considerations | Overview Back to Contents

• Microsoft Office 365

• Microsoft Dynamics 365

12 | Key Considerations | Overview Back to Contents

If using Dynamics 365, services would typically include:

Continued Next Page »

13 | Key Considerations | Overview Back to Contents

• Virtual Machines, App Service, Cloud Services

• Data Catalog, Data Factory, API Management

• Security Center, Key Vault, Multi-Factor Authentication

• Azure Blockchain Service

14 | Key Considerations | Overview Back to Contents

5 What data will be

Employee data (including employee name,

Transaction data (data relating to transactions in

Indices (for example, market feeds) Both N

Other personal and non-personal data relating

15 | Key Considerations | Overview Back to Contents

6 How is the issue of

Continued Next Page »

16 | Key Considerations | Overview Back to Contents

6 How is the issue of

17 | Key Considerations | Overview Back to Contents

7 Where are the

NO. LOCATION OF CLASSIFICATION OF DC: STORING ORGANISATION

18 | Key Considerations | Offshoring Back to Contents

8 Have you obtained a

a. Political (i.e. cross-border conflict, political unrest etc.)

Continued Next Page »