new zealand guidance on complying with regulatory...
TRANSCRIPT
Confidential
Page 1 of 35
10004323-2
NEW ZEALAND
GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE TO FINANCIAL SERVICES
INSTITUTIONS USING CLOUD COMPUTING
Last update: November 2014.
1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?
This guidance document provides a guide to complying with the regulatory process and requirements applicable to financial services institutions using
cloud computing. In this guidance financial services institutions means financial institutes, securities trading companies, insurance companies, capital
investment companies and other financial services institutions (“FSIs”).
Sections 2 to 6 of this guidance sets out information about the regulatory process and the regulations that apply.
Section 7 sets out questions in relation to outsourcing to a cloud services solution based on the laws, regulations and guidance that are relevant to
the use of cloud services. Although there is no requirement to complete a checklist like this one, we have received feedback from FSIs that a
checklist approach like this is very helpful. The checklist can be used:
(i) as a checklist for ensuring regulatory compliance with the requirements set out in the laws, regulations and guidelines (listed in Section 2);
and
(ii) as a tool to aid discussions with the regulator(s) (listed in Section 3), should they wish to discuss your organization’s overall approach to
compliance with their requirements.
Appendix One also contains a list of the items that the Privacy Commissioner states are useful to include in a contract with a cloud services provider
(but note these items are not mandatory.
Note that the RBNZ Outsourcing Policy does not contain detailed technical and operational requirements relating to the use of cloud services but,
rather, focuses more generally on issues such as risk management. However, on the basis that technical and operational factors (specifically
Confidential
Page 2 of 35
10004323-2
security) are directly relevant to risk strategy (and therefore compliance with the RBNZ Outsourcing Policy and Privacy Act), we have included some
specific detail on this point which should be useful for the purposes outlined above.
Note that this document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment on the part of
Microsoft or its affiliates. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your
technology outsourcing project and your legal and regulatory obligations. If you have any questions, please do not hesitate to get in touch with your
Microsoft contact.
2. WHAT LAWS, REGULATIONS AND GUIDANCE ARE RELEVANT?
RBNZ is not against outsourcing or the use of cloud services and recognizes that well-designed arrangements may make useful contributions to
improved efficiency for FSIs. However, its policy is to ensure that FSIs and their customers are not exposed to new or increased risks by virtue of
using outsourced services. Whilst there are no forms that must be completed, there are certain requirements that FSIs should be aware of. In
particular:
(i) large banks1 using cloud services need to consider the RBNZ Outsourcing Policy of January 2006 (“RBNZ Outsourcing Policy”);
(ii) all FSIs (whether large or small) need to consider their general RBNZ obligations to manage their business risks properly; and
(iii) all FSIs (whether large or small) need to consider the Privacy Act in relation to any outsourcing that may involve the processing of personal
data.
3. WHO IS/ARE THE RELEVANT REGULATOR(S)?
The Reserve Bank of New Zealand (“RBNZ”)
1 RBNZ will consider a bank as “large” if its liabilities net of amounts due to related parties exceed $10 billion. Currently, BNZ, ASB, ANZ National and Westpac are the only banks that are
considered “large”.
Confidential
Page 3 of 35
10004323-2
4. IS REGULATORY APPROVAL REQUIRED IN NEW ZEALAND?
No.
RBNZ does not require approval before FSI outsource IT functionality to a cloud services solution such as Microsoft Office 365.
5. IS/ARE THERE (A) SPECIFIC FORM OR QUESTIONNAIRE(S) TO BE COMPLETED?
No.
Unlike in certain jurisdictions, such as Singapore, there are no specific forms or questionnaires that an FSI must complete when considering cloud
computing solutions.
6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?
No.
RBNZ does not stipulate any mandatory contractual requirements that FSIs must ensure are included in their outsourcing contracts.
The Privacy Commissioner has created a document called ‘Cloud Computing: A guide to making the right choices’, February 2013 which contains
some useful items to check are included in the contract. Whilst these are not mandatory, Microsoft has included these in Appendix One to this
document and mapped them against where in the Microsoft documentation these are covered for ease of reference.
Confidential
Page 4 of 35
10004323-2
7. CHECKLIST
Key:
In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the
point raised in the checklist. The suggested responses may provide sufficient detail but if you require further information, Microsoft will be happy to
provide this if you get in touch with your Microsoft contact. Some points are specific to your own internal operations and processes and you will need
to complete these answers as well.
In red italics, Microsoft has provided guidance to assist you with the points in the checklist.
Ref. Question/requirement Template response and guidance
A. OVERVIEW
This section provides a general overview of the Microsoft Office 365 solution.
1. Who is the service provider? The service provider is Microsoft Operations Pte Ltd, the regional licensing entity for Microsoft Corporation, a
global provider of information technology devices and services, which is publicly-listed in the USA (NASDAQ:
MSFT). Microsoft’s full company profile is available here: https://www.microsoft.com/en-
us/news/inside_ms.aspx.
2. What type of cloud services would
your organization be using?
RBNZ guidance does not distinguish between different types of cloud solution but an understanding of the type
of solution (i.e. multi-tenant or dedicated) is relevant for your organization’s own risk management purposes.
Select the following text if using Office 365 multi-tenanted version:
Microsoft’s “Office 365” service, which is described in more detail here: Microsoft’s Office 365. Office 365 is a
multi-tenant service. Data storage and processing for each tenant is segregated through Active Directory
structure and capabilities specifically developed to help build, manage, and secure multi-tenant environments.
Confidential
Page 5 of 35
10004323-2
Ref. Question/requirement Template response and guidance
Active Directory isolates customers using security boundaries (also known as silos). This safeguards a
customer’s data so that the data cannot be accessed or compromised by co-tenants.
Select the following text if using Office 365 dedicated version:
Microsoft’s “Office 365” service, which is described in more detail here: Microsoft’s Office 365. We have
secured an offering that provides for a dedicated hosted offering, which means that our data is hosted on
hardware dedicated to us.
3. What activities and operations will be
outsourced to the service provider?
1. Microsoft Office applications hosted in the cloud
2. Hosted email
3. Web conferencing, presence, and instant messaging
4. Data and application hosting
5. Spam and malware protection
6. IT support services
B. COMPLIANCE WITH A BANK’S CONDITIONS OF REGISTRATION
New Zealand Banks are subject to various standard and non-standard conditions of registration. You will need to ensure that the proposed use of
Office 365 complies with any such conditions.
4. Please confirm whether the FSI is a
“large bank” for the purposes of
Many of the RBNZ requirements only apply to “large banks”. RBNZ will consider a bank as “large” if its
liabilities net of amounts due to related parties exceed $10 billion. Currently, BENZ, ABS, AN National and
Confidential
Page 6 of 35
10004323-2
Ref. Question/requirement Template response and guidance
RBNZ policy. Westpac are the only banks that are considered “large”. Note that since all large banks in New Zealand are
currently owned by parent banks in Australia, those parent banks will be subject to Australian law and
regulation (including the outsourcing and cloud computing requirements of the Australian Prudential Regulatory
Authority (“APRA”)). Microsoft has prepared a similar Q&A for APRA requirements in Australia and can share
this with you on request.
5. Please confirm whether any of the
following activities will be affected by
the proposed outsourcing:
(a) clearing and settlement
obligations;
(b) identification of financial risk
positions;
(c) monitoring and management
of financial risk positions; or
(d) access by existing
customers to payments
facilities.
RBNZ Outsourcing Policy, Sections A’S and A1. One of the key objectives of the RBNZ Outsourcing Policy is
to ensure that banks have the legal and practical ability to control each of these activities.
None of these core banking functions will be outsourced or affected by the outsourcing. Only the services and
operations described in response to question A.3, above, are being outsourced. Management will retain the
legal and practical ability to control and execute any outsourced functions.
6. Will the proposed outsourcing have
any impact on the ability of the board
to manage, direct or supervise the
business and affairs of the FSI?
RBNZ Outsourcing Policy, Section A.5(a). The ability of the board to manage/direct/supervise is a condition of
registration.
The board will still have ultimate control of the business and affairs of the FSI and the proposed use of Office
365 will not change this. The contract that we have in place with Microsoft contains various contractual and
Confidential
Page 7 of 35
10004323-2
Ref. Question/requirement Template response and guidance
technical means for us to ensure that we have due supervision and control. See for example, the details set out
in our response to questions 8 (1(g) and 2) and 10 below.
7. Is the proposed outsourcing
compliant with any other standard or
non-standard conditions of
registration imposed on the FSI?
RBNZ Outsourcing Policy, Section A.6. Some large banks are subject to non-standard conditions of registration
which may apply to their outsourcing arrangements. You will need to consider whether such conditions exist
and, if so, how (if at all) they may apply to the proposed use of Office 365.
C. RISK MANAGEMENT
RBNZ is particularly interested in the controls that the FSI has in place in respect of the outsourcing and how risks are managed. This section
looks at these requirements in more detail.
8. How do the proposed arrangements
ensure that the outsourcing does not
create a risk that the operation and
management of the FSI might be
interrupted for a material length of
time?
RBNZ Outsourcing Policy, Section B.10.
We have minimized the risks in the following ways:
1. Through our choice of service provider
a. Competence and experience. Microsoft is an industry leader in cloud computing. Office 365 was built
based on ISO/IEC 27001 standards and was the first major business productivity public cloud service to
have implemented the rigorous set of global standards covering physical, logical, process and
management controls.
b. Past track-record. 40% of the world’s top brands use Office 365. We consulted various case studies
relating to Office 365, which are available on the Microsoft website and also considered the fact that
Microsoft has amongst its customers some of the world’s largest organizations and FSIs.
Confidential
Page 8 of 35
10004323-2
Ref. Question/requirement Template response and guidance
c. Specific financial services credentials. FSI customers in leading markets, including in the UK, France,
Germany, Australia, Singapore, Canada, the United States and many other countries have performed their
due diligence and, working with their regulators, are satisfied that Office 365 meets their respective
regulatory requirements. This gives us confidence that Microsoft is able to help meet the high burden of
financial services regulation and is experienced in meeting these requirements.
d. Microsoft’s staff hiring and screening process. All personnel with access to customer data are subject
to background screening, security training and access approvals. In addition, the access levels are
reviewed on a periodic basis to ensure that only users who have appropriate business justification have
access to the systems. User access to data is also limited by user role. For example, system administrators
are not provided with database administrative access.
e. Financial strength of Microsoft. Microsoft Corporation is publicly-listed in the United States and is
amongst the world’s largest companies by market capitalization. Microsoft’s audited financial statements
indicate that it has been profitable for each of the past three years. Its market capitalization is in the region
of USD 280 billion. Accordingly, we have no concerns regarding its financial strength.
f. Business resumption and contingency plan. Microsoft offers contractually-guaranteed 99.9% uptime,
hosted out of world class data centers with physical redundancy at disk, NIC, power supply and server
levels, constant content replication, robust backup, restoration and failover capabilities, real-time issue
detection and automated response such that workloads can be moved off any failing infrastructure
components with no perceptible impact on the service, with 24/7 on-call engineering teams.
g. Security and internal controls, audit, reporting and monitoring. Microsoft is an industry leader in cloud
security and implements policies and controls on par with or better than on-premises data centers of even
the most sophisticated organizations. We have confidence in the security of the solution and the systems
and controls offered by Microsoft. In addition to the ISO/IEC 27001 certification, Office 365 is designed for
security with BitLocker Advanced Encryption Standard (AES)encryption of email at rest and secure
Confidential
Page 9 of 35
10004323-2
Ref. Question/requirement Template response and guidance
sockets layer (“SSL”)/transport layer security (“TLS”) encryption of data in transit. The Microsoft service is
subject to the SSAE16 SOC1 Type II audit, an independent, third party audit.
2. Through specific technical measures in place to ensure that operation and management not affected
Microsoft offers contractually-guaranteed 99.9% uptime, globally available data centers for primary and backup
storage, physical redundancy at disk, NIC, power supply and server levels, constant content replication, robust
backup, restoration and failover capabilities, real-time issue detection and automated response such that
workloads can be moved off any failing infrastructure components with no perceptible impact on the service,
24/7 on-call engineering teams. See also the response to question 40 below.
9. What contractual controls does the
FSI have in respect of the
outsourcing? Is the documentation
clear on the rights and obligations of
each party to the contract and on
service levels and pricing, to a level
commensurate with the function’s
time criticality, materiality and
substitutability?
RBNZ Outsourcing Policy, Sections C.20 and D.36.
The provision of Office 365 is subject to the following contractual documents:
Microsoft Online Business and Services Agreement (a copy of which is available on request); and
Service Level Agreement (“SLA”), a copy of which is available at:
http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37
Both of these documents and the documents referred to therein very clearly set out the rights and obligations of
each party, the service levels and the pricing.
The documents provide us with a number of other contractual controls in respect of the outsourcing, notably:
Microsoft is only contractually permitted to use our data to provide the online services. Microsoft is not
permitted to use our data for any other purposes, including for advertising or other commercial
Confidential
Page 10 of 35
10004323-2
Ref. Question/requirement Template response and guidance
purposes.
Microsoft commits that it will implement and maintain appropriate technical and organizational
measures, internal controls, and information security routines intended to protect our data against
accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction.
Microsoft commits that it has in place audit mechanisms in order to verify that the online services meet
appropriate security and compliance standards.
In addition, the contractual process can culminate in the regulator’s examination of Microsoft’s
premises. We also have the opportunity to participate in the Microsoft Online Services Customer
Compliance Program, which is a for-fee program that facilitates our ability to: (a) assess the services’
controls and effectiveness; (b) access data related to service operations; (c) maintain insight into
operational risks of the services; (d) be provided with additional notification of changes that may
materially impact Microsoft’s ability to provide the services; and (e) provide feedback on areas for
improvement in the services.
The SLA contains Microsoft’s service level commitment, as well as the remedies for us in the event
that Microsoft does not meet the commitment. Microsoft commits that it will not modify the terms of the
SLA during the initial term of our subscription.
10. What practical controls does the FSI
have in respect of the outsourcing?
RBNZ Outsourcing Policy, Section C.19 and C.21.
The solution provides a lot of tools which mean that we remain in practical control.
Microsoft’s SLA (as defined above) applies to the Office 365 product (linked in question 10 above and the
details of which are summarized in the response to question 36 below). Our IT administrators also have access
to the Office 365 Service Health Dashboard, which provides real-time and continuous monitoring of the Office
Confidential
Page 11 of 35
10004323-2
Ref. Question/requirement Template response and guidance
365 service. The Service Health Dashboard provides our IT administrators with information about the current
availability of each service or tool (and history of availability status) details about service disruption or outage,
scheduled maintenance times. The information is provided via an RSS feed.
Amongst other things, it provides a contractual 99.9% uptime guarantee for the Office 365 product and covers
performance monitoring and reporting requirements which enable us to monitor Microsoft’s performance on a
continuous basis against service levels. We also have very extensive contractual audit and inspection rights,
plus access to the independent SSAE16 SOC1 Type II audit, which enable us to verify their performance (as
detailed further in section F below).
As part of the support we receive from Microsoft, we also have access to a technical account manager who is
responsible for understanding our challenges and providing expertise, accelerated support and strategic advice
tailored to our organization. This includes both continuous hands-on assistance and immediate escalation of
urgent issues to speed resolution and keep mission-critical systems functioning. We are confident that such
arrangements provide us with the appropriate mechanisms for managing performance and problems.
Our contract with Microsoft clearly provides that ownership of our data remains with us and we retain rights to
access our data at all times. On top of this, as mentioned above, Microsoft’s services are audited by an
independent third party (see our response 8(1)(g) above) and there are various audit and inspection rights (as
detailed in section F below).
Our contractual agreements also allow to terminate the arrangements with Microsoft for our convenience,
which would enable us to move to another provider if required.
11. What internal processes does the
FSI have in place to manage the
risks to the business associated with
RBNZ Outsourcing Policy, Section D.33. This requires you to have in place and explain your internal
processes. The RBNZ Outsourcing Policy states that a wider range of outsourcing arrangements could be
acceptable where a bank has established a “credible internal process to manage the risks to its business
Confidential
Page 12 of 35
10004323-2
Ref. Question/requirement Template response and guidance
any outsourcing arrangements? associated with any outsourcing arrangements”. There are no minimum requirements or detail provided when it
comes to internal processes but it would be usual to expect this to include:
processes for management review and sign off by the board;
risk management policies;
business continuity and disaster recovery plans; and
outsourcing policies.
D. PRIVACY AND DATA PROTECTION
In addition to RBNZ requirements, FSIs in New Zealand are of course subject to privacy and data protection requirements under New Zealand law.
This section looks at how the use of Office 365 complies with these requirements.
12. What data will be processed by the
service provider on behalf of the
FSI?
Customer data (including customer name, contact details, account information, payment card data, security
credentials and correspondence).
Employee data (including employee name, contact details, internal and external correspondence by email
and other means and personal information relating to their employment with the organization).
Transaction data (data relating to transactions in which the organization is involved).
Indices (for example, market feeds).
Other personal and non-personal data relating to the organization’s business operations as an FSI.
We ensure, pursuant to the terms of the contract in place with the service provider, that all data (but in
Confidential
Page 13 of 35
10004323-2
Ref. Question/requirement Template response and guidance
particular any customer data) is treated with the highest level of security so that we can continue to comply with
our legal and regulatory obligations and our commitments to customers. We do of course only collect and
process data that is necessary for our business operations in compliance with all applicable laws and
regulation and this applies whether we process the data on our own systems or via a cloud solution such as
Microsoft Office 365.
13. How does the service provider and
the proposed solution comply with
New Zealand privacy law
requirements relating to the cloud?
The Office of the Privacy Commissioner (“OPC”) published a cloud computing checklist and “Cloud Computing
– A guide to making the right choices”. Microsoft New Zealand Limited has prepared a standard response to
help organizations assess the Office 365 cloud service against the OPC checklist and guide. Please see the
standard response here. Note that this response is in relation to the checklist for small businesses contained in
the OPC guide but may still provide useful information relevant to FSIs.
Confidential
Page 14 of 35
10004323-2
Ref. Question/requirement Template response and guidance
E. OFFSHORING
RBNZ has no issue in principle with the use of service providers located outside of New Zealand. However, it does consider that use of non-NZ
service providers can, in some circumstances, give rise to some additional risks. This section looks at how any potential risks are mitigated.
14. Will the proposed outsourcing
require offshoring? If so, from which
territory(ies) will the outsourced
cloud services be provided?
RBNZ Outsourcing Policy, Section C.23 to C.26.
Microsoft informs us that it takes a regional approach to hosting of Office 365 data. Microsoft is transparent in
relation to the location of our data. Microsoft data center locations are made public on the Microsoft Trust
Center.
Microsoft enables customers to select the region that it is provisioned from. Under the OST, Microsoft commits
that if a customer provisions its tenant in the United States or EU, Microsoft will store the customer’s data at
rest in the United States or EU, as applicable.
The table below will need to be amended depending on the specific solution that you are taking up.
# Locations of Data
Centre
Classification of DC: Tier I, II, III or
IV
Storing your organization’s data
(Y/N)
1.
2.
15. Would proceedings relating to the
outsourcing have to be brought in
another jurisdiction’s court under that
RBNZ Outsourcing Policy, Section C.23.
The governing law is that of Washington, however the parties have the ability to bring proceedings in the
Confidential
Page 15 of 35
10004323-2
Ref. Question/requirement Template response and guidance
jurisdiction’s laws? locations as follows:
If Microsoft brings the action, the jurisdiction will be where we are located (i.e. New Zealand);
If we bring the action, the jurisdiction will be the state of Washington; and
Both parties can seek injunctive relief with respect to a violation of intellectual property rights or
confidentiality obligations in any appropriate jurisdiction.
16. Is there a risk that the duties and
powers of the service provider’s own
regulator(s) in the country(ies) in
which the service will be hosted
could cause the regulator(s) to
intervene in such a way as to
intervene with the provider’s
performance?
RBNZ Outsourcing Policy, Section C.24.
Microsoft’s data center locations are recognized as stable, safe and reliable jurisdictions in respect of their
legal systems, regulatory regime, technology and infrastructure. The circumstances in which authorities in
these countries may have rights to access customer information are not considered to be unwarranted.
The data center locations have been selected by Microsoft taking into careful account the country and socio-
economic factors. We are confident that the data center locations offer extremely stable political and socio-
economic environments with robust and transparent legal frameworks. Microsoft data center locations are
made public on the Microsoft Trust Center.
17. What measures are in place to
ensure that performance by the
service provider of the outsourced
functions outside of New Zealand
would not complicate the logistics of
ensuring timely performance? For
example, due to time zone
differences, differences in statutory
RBNZ Outsourcing Policy, Section C.25.
Microsoft works with customers around the world (including many in New Zealand) and its operations are set
up to ensure that logistical issues for international customers do not arise. For example, time zones and
statutory holidays will not be an issue, since Microsoft’s services are provided 24/7 without reference to
statutory holidays. We do not see any issue in terms of needing extra time to access essential staff and
systems, since we have audit and inspection rights (as detailed in section F below).
Confidential
Page 16 of 35
10004323-2
Ref. Question/requirement Template response and guidance
holidays, the extra time needed to
access essential staff and systems.
Commitments on the location of data at rest is discussed at p 9 of the OST, and may depend on where a
customer provisions its service tenancy or specify as a Geo for the online service. More details are set out,
non-contractually, on the Trust Center for each applicable online service. The other considerations are also
relevant to the location of Microsoft’s data centers:
a. Political (i.e. cross-broader conflict, political unrest etc). Office 365 offers data-location transparency
so that the organizations and regulators are informed of the jurisdiction(s) in which data is hosted. We are
confident that Microsoft’s data center locations offer extremely stable political environments.
b. Country/socioeconomic. Office 365 offers data-location transparency so that the organizations and
regulators are informed of the jurisdiction(s) in which data is hosted. The centers are strategically located
around the world taking into account country and socioeconomic factors. We are confident that Microsoft’s
data center locations offer extremely stable socioeconomic environments.
c. Infrastructure/security/terrorism. Microsoft’s data centers are built to exacting standards, designed to
protect customer data from harm and unauthorized access. Data center access is restricted 24 hours per
day by job function so that only essential personnel have access. Physical access control uses multiple
authentication and security processes, including badges and smart cards, biometric scanners, on-premises
security officers, continuous video surveillance and two-factor authentication. The data centers are
monitored using motion sensors, video surveillance and security breach alarms.
d. Environmental (i.e. earthquakes, typhoons, floods). Microsoft data centers are built in seismically safe
zones. Environmental controls have been implemented to protect the data centers including temperature
control, heating, ventilation and air-conditioning, fire detection and suppression systems and power
management systems, 24-hour monitored physical hardware and seismically-braced racks. These
requirements are covered by Microsoft’s ISO/IEC 27001 accreditation for Office 365.
Confidential
Page 17 of 35
10004323-2
Ref. Question/requirement Template response and guidance
18. What measures are in place to avoid
the risk that competition for the
service provider’s resources could
impede the performance of functions
for the FSI?
RBNZ Outsourcing Policy, Section C.25.
Microsoft is one of the largest providers of cloud services globally and has capacity to service a large number
of customers without the risk of competition for resources. Our organization would be subject to the same
prioritization as any other customer of the same services from Microsoft. Of course, the services are protected
by Microsoft’s SLA and its coinciding terms and conditions. More information on SLA is available at:
http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37, and more
details about Microsoft’s Service Continuity are available at: http://office.microsoft.com/en-us/business/office-
365-online-service-availability-FX104028266.aspx.
Microsoft provides a contractual, financially-backed 99.9% uptime guarantee for the Office 365 product.
Microsoft also ensures that a raft of different safeguards and arrangements are in place to prevent and
minimize the impact of any technology failure. Microsoft is subject to very high international auditing standards
in this regard which provide us with a great deal of comfort. The resources that Microsoft has in place also
mean that we do not foresee risks in relation to the adequacy of Microsoft to fulfill obligations or provide
remedies and restitution.
Microsoft is an industry leader in cloud computing. Office 365 was built based on ISO/IEC 27001 standards and
was the first major business productivity public cloud service to have implemented the rigorous set of global
standards covering physical, logical, process and management controls. FSI customers in leading markets,
including in the UK, France, Germany, Australia, Singapore, Canada, the United States and many other
countries have performed their due diligence and, working with their regulators, are satisfied that Office 365
meets their respective regulatory requirements. This gives us confidence that Microsoft is able to help meet
the high burden of financial services regulation and is experienced in meeting these requirements.
F. TECHNICAL AND OPERATIONAL RISK Q&A
Confidential
Page 18 of 35
10004323-2
Ref. Question/requirement Template response and guidance
RBNZ guidance does not focus on detailed technical and operational requirements relating to the use of cloud services but, rather, focuses more
generally on issues such as risk management. However, on the basis that technical and operational factors (for example, data security) are
directly relevant to risk management strategy, this section provides some detailed information about the Office 365 service.
19. Does the service provider permit
audit by RBNZ?
Yes.
We are confident that in our choice of Microsoft as Cloud Service Provider (“CSP”) we have far more extensive
audit rights than most if not all other service providers offer. This was an important factor in our decision to
choose Microsoft. Microsoft offers the right for RBNZ to conduct audits. There is a contractual audit/inspection
right, so that RBNZ can carry out inspections or examinations of Microsoft’s facilities, systems, processes and
data relating to the services to determine and confirm that it is in compliance with applicable laws and
regulations and assess the soundness of the risk management processes and controls which it has in place. In
addition, Microsoft is subject to third party audits (see our response to question 20 below).
Microsoft also offers a Compliance Framework Program. If you take-up the Compliance Framework Program,
you may add this additional information about its key features: the regulator audit/inspection right, access to
Microsoft’s security policy, the right to participate at events to discuss Microsoft’s compliance program, the right
to receive audit reports and updates on significant events, including security incidents, risk-threat evaluations
and significant changes to the business resumption and contingency plans.
20. Are the provider’s services subject to
any third party audit?
Yes.
As part of Microsoft’s certification requirements, they are required to undergo regular independent third party
auditing (via the SSAE16 SOC1 Type II audit, a globally-recognized standard), and Microsoft shares with us
the independent third party audit reports.
21. What security controls are in place to Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and controls
Confidential
Page 19 of 35
10004323-2
Ref. Question/requirement Template response and guidance
protect the transmission and storage
of confidential information such as
customer data within the
infrastructure of the service provider?
on par with or better than on-premises data centers of even the most sophisticated organizations, as described
elsewhere in this document.
The Microsoft Office 365 security features consist of three parts: (a) built-in security features; (b) security
controls; and (c) scalable security. These include 24-hour monitored physical hardware, isolated customer
data, automated operations and lock-box processes, secure networks and encrypted data.
Microsoft implements the Microsoft Security Development Lifecycle (“SDL”) which is a comprehensive security
process that informs every stage of design, development and deployment of Microsoft software and services,
including Office 365. Through design requirements, analysis of attack surface and threat modeling, the SDL
helps Microsoft predict, identify and mitigate vulnerabilities and threats from before a service is launched
through its entire production lifecycle.
Networks within the Office 365 data centers are segmented to provide physical separation of critical back-end
servers and storage devices from the public-facing interfaces. Edge router security allows the ability to detect
intrusions and signs of vulnerability. Client connections to Office 365 use SSL (as defined above) for securing
Outlook, Outlook Web App, Exchange ActiveSync, POP3, and IMAP. Customer access to services provided
over the Internet originates from users’ Internet-enabled locations and ends at a Microsoft data center. These
connections are encrypted using industry-standard TLS (as defined above)/SSL. The use of TLS/SSL
establishes a highly secure client-to-server connection to help provide data confidentiality and integrity between
the desktop and the data center. Customers can configure TLS between Office 365 and external servers for
both inbound and outbound email. This feature is enabled by default.
Microsoft also implements traffic throttling to prevent denial-of-service attacks. It uses the “prevent, detect and
mitigate breach” process as a defensive strategy to predict and prevent security breaches before they happen.
This involves continuous improvements to built-in security features, including port-scanning and remediation,
perimeter vulnerability scanning, OS patching to the latest updated security software, network-level DDOS
Confidential
Page 20 of 35
10004323-2
Ref. Question/requirement Template response and guidance
(distributed denial-of-service) detection and prevention and multi-factor authentication for service access. From
a people and process standpoint, preventing breach involves auditing all operator/administrator access and
actions, zero standing permission for administrators in the service, “Just-In-Time (JIT) access and elevation”
(that is, elevation is granted on an as-needed and only-at-the-time-of-need basis) of engineer privileges to
troubleshoot the service, and segregation of the employee email environment from the production access
environment. Employees who have not passed background checks are automatically rejected from high
privilege access, and checking employee backgrounds is a highly scrutinized, manual-approval process.
Data is also encrypted. Customer data in Office 365 exists in two states:
At rest on storage media
In transit from a data center over a network to a customer device
All email content is encrypted on disk using BitLocker AES (as defined above) encryption. Protection covers all
disks on mailbox servers and includes mailbox database files, mailbox transaction log files, search content
index files, transport database files, transport transaction log files, and page file OS system disk
tracing/message tracking logs.
Office 365 also transports and stores secure/multipurpose Internet mail extensions (“S/MIME”) messages.
Office 365 will transport and store messages that are encrypted using client-side, third-party encryption
solutions such as Pretty Good Privacy (“PGP”).
22. How are customers authenticated? Office 365 uses two-factor authentication to enhance security. Typical authentication practices that require only
a password to access resources may not provide the appropriate level of protection for information that is
sensitive or vulnerable. Two-factor authentication is an authentication method that applies a stronger means of
identifying the user. The Microsoft phone-based two-factor authentication solution allows users to receive their
PINs sent as messages to their phones, and then they enter their PINs as a second password to log on to their
Confidential
Page 21 of 35
10004323-2
Ref. Question/requirement Template response and guidance
services.
23. What are the procedures for
identifying, reporting and responding
to suspected security incidents and
violations?
This is an issue that we take very seriously. We have therefore checked these procedures in detail with
Microsoft and are confident that they provide excellent means to enable us to identify, report and respond
properly and promptly in the event of any security incident or violation.
First, there are robust procedures offered by Microsoft that enable the prevention of security incidents and
violations arising in the first place and detection in the event that they do occur. Specifically:
a. Microsoft implements 24 hour monitored physical hardware. Data center access is restricted 24 hours
per day by job function so that only essential personnel have access to customer applications and
services. Physical access control uses multiple authentication and security processes, including badges
and smart cards, biometric scanners, on-premises security officers, continuous video surveillance, and two-
factor authentication.
b. Microsoft implements “prevent, detect, and mitigate breach”, which is a defensive strategy aimed at
predicting and preventing a security breach before it happens. This involves continuous improvements to
built-in security features, including port scanning and remediation, perimeter vulnerability scanning, OS
patching to the latest updated security software, network-level DDOS (distributed denial-of-service)
detection and prevention, and multi-factor authentication for service access.
c. Wherever possible, human intervention is replaced by an automated, tool-based process, including
routine functions such as deployment, debugging, diagnostic collection, and restarting services. Office 365
continues to invest in systems automation that helps identify abnormal and suspicious behavior and
respond quickly to mitigate security risk. Microsoft is continuously developing a highly effective system of
automated patch deployment that generates and deploys solutions to problems identified by the monitoring
systems—all without human intervention. This greatly enhances the security and agility of the service.
Confidential
Page 22 of 35
10004323-2
Ref. Question/requirement Template response and guidance
d. Microsoft conducts penetration tests to enable continuous improvement of incident response
procedures. These internal tests help Office 365 security experts create a methodical, repeatable, and
optimized stepwise response process and automation.
Second, in the event that a security incident or violation is detected, Microsoft Customer Service and Support
notifies Office 365 subscribers by updating the Service Health Dashboard that is available on the Office 365
portal. We would have access to Microsoft’s dedicated support staff, who have a deep knowledge of the
service. Microsoft provides a Recovery Time Objective (“RTO”) of 1 hour or less for Microsoft Exchange
Online and 6 hours of less for SharePoint Online, and a Recovery Point Objective (“RPO”) of 45 minutes or
less for Microsoft Exchange Online and 2 hours or less for SharePoint Online.
Finally, after the incident, Microsoft provides a thorough post-incident review report (“PIR”). The PIR includes:
An incident summary and event timeline.
Broad customer impact and root cause analysis.
Actions being taken for continuous improvement.
Microsoft will provide the PIR within five business days following resolution of the service incident.
Administrators can also request a PIR using a standard online service request submission through the Office
365 portal or a phone call to Microsoft Customer Service and Support.
24. How is end-to-end application
encryption security implemented to
protect PINs and other sensitive data
transmitted between terminals and
Data is encrypted. Customer data in Office 365 exists in two states:
At rest on storage media
Confidential
Page 23 of 35
10004323-2
Ref. Question/requirement Template response and guidance
hosts? In transit from a data center over a network to a customer device
All email content is encrypted on disk using BitLocker AES encryption. Protection covers all disks on mailbox
servers and includes mailbox database files, mailbox transaction log files, search content index files, transport
database files, transport transaction log files, and page file OS system disk tracing/message tracking logs.
Office 365 also transports and stores S/MIME (as defined above) messages. Office 365 will transport and store
messages that are encrypted using client-side, third-party encryption solutions such as PGP (as defined
above).
25. Are there procedures established to
securely destroy or remove the data
when the need arises?
Yes.
Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives
that can’t be wiped it uses a destruction process that destroys it (i.e. shredding) and renders the recovery of
information impossible (e.g., disintegrate, shred, pulverize, or incinerate). The appropriate means of disposal is
determined by the asset type. Records of the destruction are retained.
All Microsoft Online Services utilize approved media storage and disposal management services. Paper
documents are destroyed by approved means at the pre-determined end-of-life cycle.
“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO/IEC 27001 standards
against which Microsoft is certified.
26. Are there procedures to ensure that
access to production data is
restricted on a 'least privilege' basis?
If yes, provide a description of these
Yes.
Microsoft applies strict controls over which personnel roles and personnel will be granted access to customer
data. Personnel access to the IT systems that store customer data is strictly controlled via role-based access
control (“RBAC”) and lock box processes. Access control is an automated process that follows the separation
Confidential
Page 24 of 35
10004323-2
Ref. Question/requirement Template response and guidance
procedures. of duties principle and the principle of granting least privilege. This process ensures that the engineer
requesting access to these IT systems has met the eligibility requirements, such as a background screen,
fingerprinting, required security training and access approvals. In addition, the access levels are reviewed on a
periodic basis to ensure that only users who have appropriate business justification have access to the
systems.
27. Are there documented security
procedures for safeguarding
premises and restricted areas? If
yes, provide descriptions of these
procedures.
Yes.
Physical access control uses multiple authentication and security processes, including badges and smart
cards, biometric scanners, on-premises security officers, continuous video surveillance and two-factor
authentication. The data centers are monitored using motion sensors, video surveillance and security breach
alarms.
28. Are there documented security
procedures for safeguarding
hardware, software and data in the
data center?
Yes.
The security procedures for safeguarding hardware, software and security are documented by Microsoft in its
Standard Response to Request for Information – Security and Privacy. This confirms how the following aspects
of Microsoft’s operations safeguard hardware, software and data:
Compliance
Data Governance
Facility
Human Resources
Confidential
Page 25 of 35
10004323-2
Ref. Question/requirement Template response and guidance
Information Security
Legal
Operations
Risk Management
Release Management
Resiliency
Security Architecture
29. How are privileged system
administration accounts managed?
Describe the procedures governing
the issuance (including emergency
usage), protection, maintenance and
destruction of these accounts.
Access to the IT systems that store customer data is strictly controlled via RBAC (as defined above) and lock
box processes. Access control is an automated process that follows the separation of duties principle and the
principle of granting least privilege. This process ensures that the engineer requesting access to these IT
systems has met the eligibility requirements, such as a background screen, fingerprinting, required security
training, and access approvals. In addition, the access levels are reviewed on a periodic basis to ensure that
only users who have appropriate business justification have access to the systems. User access to data is also
limited by user role. For example, system administrators are not provided with database administrative access.
In emergency situations, a “Just-In-Time (JIT) access and elevation system” is used (that is, elevation is
granted on an as-needed and only-at-the-time-of-need basis) of engineer privileges to troubleshoot the service.
30. Are the activities of privileged
accounts captured (e.g. system audit
logs) and reviewed regularly?
Indicate the party reviewing the logs
Yes.
An internal, independent Microsoft team will audit the log at least once per quarter.
Confidential
Page 26 of 35
10004323-2
Ref. Question/requirement Template response and guidance
and the review frequency.
31. Are the audit/activity logs protected
against tampering by users with
privileged accounts? Describe the
safeguards implemented.
Yes.
All logs are saved to the log management system which a different team of administrators manages. All logs
are automatically transferred from the production systems to the log management system in a secure manner
and stored in a tamper-protected way.
32. Is access to sensitive files,
commands and services restricted
and protected from manipulation?
Provide details of controls
implemented.
Yes.
System level data such as configuration data/file and commands are managed as part of the configuration
management system. Any changes or updates to or deletion of those data/files/commands will be
automatically deleted by the configuration management system as anomalies.
33. Are file integrity checks in place to
detect unauthorized changes to
databases, files, programs and
system configuration? Provide
details of checks implemented.
Yes.
System level data such as configuration data/file and commands are managed as part of the configuration
management system. Any changes or updates to or deletion of those data/files/commands will be
automatically deleted by the configuration management system as anomalies.
34. Are password controls for critical
applications/systems reviewed for
compliance on a regular basis?
Yes.
All access to production and customer data require multi-factor authentication. Use of strong password is
enforced as mandatory and password must be changed on a regular basis.
35. Are remote access activities tracked
and reviewed? Provide details of
Yes.
Administrators who have access to applications have no physical access to the production so administrators
Confidential
Page 27 of 35
10004323-2
Ref. Question/requirement Template response and guidance
controls implemented. have to remotely access the controlled, monitored remote access facility. All operations through this remote
access facility are logged.
36. Does the service provider have a
disaster recovery or business
continuity plan? If yes, provide
documentation or details.
Yes.
Microsoft offers contractually-guaranteed 99.9% uptime, globally available data centers for primary and backup
storage, physical redundancy at disk, NIC, power supply and server levels, constant content replication, robust
backup, restoration and failover capabilities, real-time issue detection and automated response such that
workloads can be moved off any failing infrastructure components with no perceptible impact on the service,
24/7 on-call engineering teams. See also the response to question 40 below.
37. What are the recovery time
objectives (RTO) of systems or
applications outsourced to the
service provider?
1 hour or less for Microsoft Exchange Online, 6 hours or less for SharePoint Online.
38. What are the recovery point
objectives (RPO) of systems or
applications outsourced to the
service provider?
45 minutes or less for Microsoft Exchange Online, 2 hours or less for SharePoint Online.
39. What are the data backup and
recovery arrangements for your
organization’s data that resided with
the service provider?
Microsoft’s arrangements are as follows:
Redundancy
Physical redundancy at server, data center, and service levels
Confidential
Page 28 of 35
10004323-2
Ref. Question/requirement Template response and guidance
Data redundancy with robust failover capabilities
Functional redundancy with offline functionality
Resiliency
Active load balancing
Automated failover with human backup
Recovery testing across failure domains
Distributed Services
Distributed component services like Exchange Online, SharePoint Online, and Lync Online limit scope
and impact of any failures in a component.
Directory data replicated across component services insulates one service from another in any failure
events.
Simplified operations and deployment.
Monitoring
Internal monitoring built to drive automatic recovery
Outside-in monitoring raises alerts about incidents
Confidential
Page 29 of 35
10004323-2
Ref. Question/requirement Template response and guidance
Extensive diagnostics provide logging, auditing, and granular tracing
Simplification
Standardized hardware reduces issue isolation complexities
Fully automated deployment models.
Standard built-in management mechanism
Human backup
Automated recovery actions with 24/7 on-call support
Team with diverse skills on the call provides rapid response and resolution
Continuous improvement by learning from the on-call teams
Continuous learning
If an incident occurs, Microsoft does a thorough post-incident review every time
Microsoft’s post-incident review consists of analysis of what happened, Microsoft’s response, and
Microsoft’s plan to prevent it in the future
40. How frequently does the service
provider conduct disaster recovery
tests?
At least once per year.
Confidential
Page 30 of 35
10004323-2
Ref. Question/requirement Template response and guidance
41. Have you jointly tailored and tested
your disaster recovery or business
continuity plan with the service
provider? If yes, please provide a
report on the test results.
You are welcome to raise this with your Microsoft contact if you have any questions about how your disaster
recovery/business continuity plan would interface with that of Microsoft.
In general, it would be Microsoft that would need to take action to recover the Office 365 service in a
disaster/business continuity situation. Any internal actions can be carried out by our organization without
coordinating with Microsoft.
42. In the event of contract termination
with the service provider, either on
expiry or prematurely, are you able
to have all IT information and assets
promptly removed or destroyed?
Yes.
Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives
that can’t be wiped it uses a destruction process that destroys it (i.e. shredding) and renders the recovery of
information impossible (e.g., disintegrate, shred, pulverize, or incinerate). The appropriate means of disposal is
determined by the asset type. Records of the destruction are retained.
All Microsoft Online Services utilize approved media storage and disposal management services. Paper
documents are destroyed by approved means at the pre-determined end-of-life cycle.
“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO/IEC 27001 standards
against which Microsoft is certified.
Confidential
Page 31 of 35
10004323-2
APPENDIX ONE
MANDATORY CONTRACTUAL REQUIREMENTS
The Privacy Commissioner has created a document called ‘Cloud Computing: A guide to making the right choices’, February 2013 which contains some
useful items to check are included in the contract. Whilst these are not mandatory, Microsoft has included these in the table below and mapped them against
where in the Microsoft documentation these are covered for ease of reference.
Key:
Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.
In blue text, Microsoft has provided you with a reference to where in the agreement the contractual requirement is covered for ease of reference.
Terms used below as follows:
OST = Online Services Terms
EA = Enterprise Agreement
Enrolment = Enterprise Enrolment
FSA = Financial Services Amendment
MBSA = Microsoft Business and Services Agreement
PUR = Product Use Rights
SLA = Online Services Service Level Agreement
Confidential
Page 32 of 35
10004323-2
Ref. Requirement Microsoft agreement reference
1. Check the contract. Make sure your key concerns are covered in
the contract or in the standard terms and conditions. In particular
check:
(i) Whether the provider has to tell you if something
goes wrong (for instance if there is a security
breach);
(ii) How would you notify your customers if their
data is lost or stolen?
(iii) How you’re going to know whether the provider
is living up to the terms of the agreement (for
example does it get regular independent audits
done that you’ll be able to check?);
(iv) Who is liable and what the penalties are if
something goes wrong?
(v) What country’s laws apply if there is a legal
dispute and who the appropriate regulator might
be?
(vi) Whether mediation or arbitration is available;
(vii) Whether your provider is insured against privacy
breaches;
Privacy Commissioner Cloud Computing: A guide to making the right choices,
February 2013, p9.
Taking each of the points in turn:
(i) Microsoft will notify us if it becomes aware of any security incident, and will
take reasonable steps to mitigate the effects and minimize the damage resulting
from the security incident (see OST, page 9). In addition, as set out on page 13
of the OST, Microsoft maintains a record of security breaches with a description
of the breach, the time period, the consequences of the breach, the name of the
reporter, and to whom the breach was reported, and the procedure for recovering
data. Finally, see (iii) below in terms of monitoring which allows for real-time
monitoring so that breaches would be apparent.
Furthermore, Microsoft commits to comply with (and is audited against) ISO/IEC
27018. Under paragraph A.9 of this international standard Microsoft is required
to promptly notify customers of any unauthorized access to personal information
or unauthorized access to processing equipment or facilities resulting in loss,
disclosure or alteration to personal information.
(ii) This is more an internal matter for the FSI.
(iii) The OST specifies the monitoring mechanisms that Microsoft puts in place in
order to verify that the online services meet appropriate security and compliance
standards. This commitment is reiterated in the FSA.
Clause 1f of the Financial Services Amendment gives the customer the
Confidential
Page 33 of 35
10004323-2
Ref. Requirement Microsoft agreement reference
(viii) What the provider’s disaster recovery plans
cover.
opportunity to participate in the Microsoft Online Services Customer Compliance
Program, which is a for-fee program that facilitates the customer’s ability to (a)
assess the services’ controls and effectiveness, (b) access data related to
service operations, (c) maintain insight into operational risks of the services, (d)
be provided with additional notification of changes that may materially impact
Microsoft’s ability to provide the services, and (e) provide feedback on areas for
improvement in the services.
Clauses 1e and 1f of the FSA detail the examination and influence rights that are
granted to the customer and the regulator. Clause 1e sets out a process which
can culminate in the regulator’s examination of Microsoft’s premises.
In addition, under paragraph 18 of ISO/IEC 27018 Microsoft is required, where
individual customer audit rights are impractical or may increase risks to security,
to make available, before and during our contract with Microsoft, independent
evidence that information security is implemented and operated in accordance
with Microsoft’s policies and procedures.
(iv) The SLA contains Microsoft’s service level commitment, as well as the
remedies for the customer in the event that Microsoft does not meet the
commitment, including services credits. MBSA section 6 deals with liability.
MBSA section 5 sets out Microsoft’s obligation to defend the regulated entity
against third party infringement and breach of confidence claims. Microsoft’s
liability under section 5 is unlimited.
(v) MBSA section 11h sets out the choice of law provision. Either, the contract is
governed by the laws of the State of Washington if the contract is with a Microsoft
Confidential
Page 34 of 35
10004323-2
Ref. Requirement Microsoft agreement reference
affiliate located outside of Europe; or the contract is governed by the laws of
Ireland if the contract is with a European Microsoft affiliate.In addition, as
mentioned above, Clause 1e sets out a process which can culminate in the
regulator’s examination of Microsoft’s premises.
(vi) MBSA section 11e sets out the jurisdictions in which parties should bring their
actions. Microsoft must bring actions against the customer in the countries
where the customer’s contracting party is headquartered. The customer must
bring actions against: (a) in Ireland if the action is against a Microsoft affiliates in
Europe; (b) in the State of Washington, if the action is against a Microsoft affiliate
outside of Europe; or (c) in the country where the Microsoft affiliate delivering the
services has its headquarters if the action is to enforce a Statement of Services.
(vii) MBSA section 10 deals with insurance. In practice, Microsoft maintains self-
insurance arrangements for much of the areas where third party insurance is
typically obtained. Microsoft has taken the commercial decision to take this
approach, and does not believe that this detrimentally impacts upon its
customers given that Microsoft is an extremely substantial entity.
(viii) As set out on page 13 of the OST Microsoft maintains emergency and
contingency plans for the facilities in which Microsoft information systems that
process Customer Data are located. Business Continuity Management (“BCM”)
forms part of the scope of the accreditation that Microsoft remains in relation to
the online services, and Microsoft commits to maintain a data security policy that
complies with these accreditations (see OST page 13). BCM also forms part of
the scope of Microsoft’s annual third party compliance audit.
Confidential
Page 35 of 35
10004323-2