Bank of Israel. 1. Background. In recent years, cloud. environmentally. from. aspects in. these. 2. Applicability. Directive ). 3.



Similar documents
Mapping of outsourcing requirements

14 December 2006 GUIDELINES ON OUTSOURCING

INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS Risk Assessment 357-7

Information Security Program

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Regulations on Information Systems Security. I. General Provisions

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

Practical Overview on responsibilities of Data Protection Officers. Security measures

Data Processing Agreement for Oracle Cloud Services

Green Credit Guidelines

Outsourcing Risk Guidance Note for Banks

Third Party Security Guidelines. e-governance

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994

Cloud Computing: Legal Risks and Best Practices

Electronic Payment Schemes Guidelines

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

Charter of the Compliance and Operational Risk Management Office (CORMO)

Identifying and Managing Third Party Data Security Risk

Principles of Best Practice applicable to the distribution of Life Insurance Products on a Cross-border Basis within the EU or a Third Country

(a) the kind of data and the harm that could result if any of those things should occur;

Investigation Report: The Hong Kong Police Force. Leaked Internal Documents Containing Personal Data. via Foxy

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

6/8/2016 OVERVIEW. Page 1 of 9

RESERVE BANK OF VANUATU OPERATIONAL RISK MANAGEMENT

GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS

Cloud Computing and Privacy Toolkit. Protecting Privacy Online. May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1

Security Officer s Checklist in a Sourcing Deal

The Business Case for Cloud: Critical Legal, Business & Diligence Considerations

PART I - PRELIMINARY...1 Objective...1 Applicability...2 Legal and Regulatory Provision...2

Norwegian Data Inspectorate

Contact: Henry Torres, (870)

Israeli Law Information and Technology Authority. Privacy and Data Security in the Cloud - The Israeli Perspective

Cloud Computing in a Regulated Environment

Client Update SEC Releases Updated Cybersecurity Examination Guidelines

Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions

REQUEST FOR PROPOSALS PERFORMANCE MANAGEMENT SYSTEM CDEMA-CU

Service Definition Document

NSW Government Digital Information Security Policy

INFORMATION TECHNOLOGY SECURITY STANDARDS

Vendor Assessment Worksheet:

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

Insurance Inspection Manual

Information for Management of a Service Organization

State of Israel Ministry of Finance - Capital Market, Insurance and Savings Division

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

PRACTICE NOTE 1013 ELECTRONIC COMMERCE - EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

INFORMATION SECURITY California Maritime Academy

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

Program Overview. CDP is a registered certification designed and administered by Identity Management Institute (IMI).

No. 33 February 19, The President

Aegon's Internal Cloud Broker

Cloud security architecture

CORPORATE GOVERNANCE GUIDELINES (As Revised on November 14, 2007)

ELECTRICITY SUPPLY/ TRADE LICENSE KORLEA INVEST A.S

FFIEC Cybersecurity Assessment Tool

Authorisation Requirements and Standards for Debt Management Firms

Office 365 Data Processing Agreement with Model Clauses

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.

Pharma CloudAdoption. and Qualification Trends

Operational Risk. Operational Risk Policy

Office of the Government Chief Information Officer The Government of the Hong Kong Special Administrative Region

COMMISSION REGULATION (EU) No /.. of XXX

DESIGN SERVICES AGREEMENT

GETTING THE MOST FROM THE CLOUD. A White Paper presented by

IT Governance Charter

Exhibit 2. Business Associate Addendum

ICMA Private Wealth Management Charter of Quality

CORPORATE GOVERNANCE. 1 Introduction. 2 Board composition and conduct

2) applied methods and means of authorisation and procedures connected with their management and use;

Procedure for Managing a Privacy Breach

9/13/ /20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99

The potential legal consequences of a personal data breach

Mitigating and managing cyber risk: ten issues to consider

The NREN s core activities are in providing network and associated services to its user community that usually comprises:

Cyber Security and Cloud Computing. Dr Daniel Prince Course Director MSc in Cyber Security

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Cloud Computing. Introduction

Addressing Cloud Computing Security Considerations

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012

Specific observations and recommendations that were discussed with campus management are presented in detail below.

Intel Enhanced Data Security Assessment Form

Transcription:

Bank of Israel Supervisor of Banks Jerusalem, 12 Tammuz 5775 June 29, 2015 15LM2087 To: The Banking Corporations Attn: Chief Executive Officer Re: Risk management in a cloud computing environment 1. Background In recent years, there has been an increasing trend of moving to various forms of cloud computing. These technologies enable the efficient and convenient use of computer resources by sharing these resources and using them on demand. In addition with savings in equipment costs, dataa center floor, electricity, etc., which contribute to more environmentally friendly green computing. Alongside the advantages, the use of such technology may expose the banking corporation to significant operational risks related to information security, business continuity, command and control of IT assets, etc. These risks are derived, inter alia, from dependency on specific suppliers or technologies; management, security, command and control tools that have not yet been matured; difficulties in protecting information and in implementing adequate controls; increasing the potential damage in the case of failure, particularly regarding single points of failure; sensitivity of the technology s designated components; difficulty in separating roles, and more. While some of these riskss are known, they contain unique aspects in view of the specific characteristics of these technologies and the fact thatt these technologies are developing and that the information security tools are not necessarily mature. 2. Applicability The provisions of this letter shall apply in accordance with the applicability provisions set out in Section 2 of Proper Conduct of Banking Business Directive 357 (hereinafter: the Directive ). 3. General 3.1 A banking corporation shall not make use activities and/or core systems. of cloud computing services for core

3.2 A banking corporation shall not store customer information or data on the cloud outside the borders of the State of Israel, unless it has ascertained that the cloud service provider meets the level of protection in accordance with the directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data directive of the European Union. 3.3 Cloud computing constitutes a private instance of outsourcing as defined in Chapter F of the Directive. Therefore, the banking corporation must act in accordance with Proper Conduct of Banking Business Directive number 357, particularly in relation to that stated in Sections 17, 18 and 30 of the Directive. 3.4 We hereby refer the banking corporations to the relevant laws and regulations for the use of cloud computing technologies, including to the Privacy Protection Law and to the Privacy Protection Regulations (Transfer of Information to Information Databases Outside the Borders of the Country), 5761 2001. In addition, we refer to the Registrar of Information Databases Guideline number 2/2011 Use of Outsourcing Services for the Processing of Personal Information. 3.5 It is recommended that the banking corporation consult, as relevant, external consultants with expertise in reducing the risks inherent in the use of cloud technologies. 4. Corporate governance 4.1 A banking corporation examining the use of cloud computing technologies, must bring the matter for prior discussion by the Board of Directors, before using cloud computing technologies. At this discussion, the risks inherent in cloud computing technologies and the implemented controls and those planned to be implemented to mitigate the risks, are to be presented. The Board of Directors must discuss these risks, decide whether to grant preliminary approval to the process, and instruct the senior management regarding the actions it must take including according to those specified in this letter. As relevant, the Board of Directors shall instruct management to formulate and present for its approval a policy document for the use of cloud computing technologies. 4.2 Further to that stated in Section 4.1 above, the Board of Directors shall discuss and approve policy for the use of cloud computing technologies. The policy document shall relate to the accountability, responsibility and operations of cloud service management functions, controls and supervision functions, the types and scope of services, approval processes and approval ranks, the responsibility of various parties at the bank for handling legal, maintenance, monitoring, information security, and other aspects. The policy shall provide a response, inter alia, to the requirements of this letter. 4.3 Before any engagement with cloud computer service provider (hereinafter: cloud service providers or the supplier or "the provider"), a discussion must be held by management and, as relevant, by the Board of Directors.

4.4 The banking corporation s senior management must make sure that any use of cloud computer technologies shall be in accordance with the policy set forth as stated. 5. Risk management 5.1 Before engaging with cloud service providers, the banking corporation must carry out due diligence, including regarding the provider s financial resilience, professional ability and experience in providing similar services. It is expected that such an examination shall be carried out periodically, during the service period. 5.2 A banking corporation shall carry out risk identification and assessment process for any engagement with a cloud service provider. The risk assessment shall be done prior to the engagement, and shall be updated on an on-going basis during the service period, inter alia in accordance with the following changes: technological; business and organizational changes at the banking corporation or at the cloud service provider; and regulatory. The banking corporation must ascertain the existence of appropriate compensatory controls. Even though cloud computing constitutes a private instance of outsourcing, the risk assessment must also include unique risks (technological and other) related to the use of cloud computing. Examples of aspects that must be taken into account are provided in the appendix. Accordingly, the banking corporation shall ensure that it receives the required information from the cloud service provider for the purpose of carrying out the risk assessment, including that required in Section 6.1.1 below. 5.3 The banking corporation shall ensure that it has the ability to monitor information security incidents related to its use of cloud computing systems. If this monitoring is done through tools provided by the provider, the banking corporation shall ensure that the tools meet the accepted standards and enable integration with the bank s current monitoring tools. 5.4 The banking corporation s information must be encrypted when being transferred over communications lines and when being stored in a multi-tenancy system (a system that is not exclusively for the use of the banking corporation). In cases where it is difficult for the banking corporation to encrypt all of the information as stated, it must encrypt at least the information that it classifies as sensitive, that may harm the banking corporation or its customers if being exposed. The encryption keys shall be stored at the banking corporation and not at the provider. 6. Agreement with the cloud service provider 6.1 The service agreement with the provider shall include, among other things, the following requirements: 6.1.1 Receiving from the provider internal and external audit reports conducted on its operations, including audit reports carried out by regulatory entities. In addition, the agreement shall enable the banking corporation to require the provider to carry out, on particular cases, an audit on a specific subject.

6.1.2 The existence of a unilateral possibility that the banking corporation may cease the engagement with the provider or move to a different provider, including transferring its relevant data from the provider s system within a short time, their deletion from the provider s system, and the provider s obligation that it will not be possible to review these data in its system. 6.1.3 Granting the Banking Supervision Department the ability to conduct an audit at the provider's premises. 6.2 In any change in ownership of the cloud service provider, the banking corporation must re-examine the engagement in order to ensure the new ownership s fulfillment of obligations toward the banking corporation. 7. Obtaining a permit from the Supervisor of Banks Notwithstanding that stated in Section 3.3 above, the banking corporation is required to obtain in advance a written permit from the Supervisor of Banks, prior to any engagement with a cloud service provider, as part of which information is stored with the provider, even if it is not customer information. In order to obtain the permit, the bank must apply to the Banking Supervision Department at least 60 days before using the service. 8. Start date The provisions of this letter will come into force on the date of its publication. Sincerely, David Zaken Supervisor of Banks

Appendix Risk assessment Examples of cloud computing aspects Corporate governance, policy and procedures, internal and external audits Do the policy documents properly relate to the use of cloud computing? Regulatory risk difficulty in adhering to the laws and regulations of the State of Israel and of the state in where the system operates, or the system and/or the data are stored. It is important, inter alia, to take into consideration issues such as the provider s obligation to provide information to law and enforcement entities even without the knowledge of the banking corporation. There are many legal aspects related to the non-uniformity of definitions and the requirements in various countries. Systemic risk derived from a cloud service provider who provides services to a number of banking corporations. Life cycle of the data, including location, multiplicity of copies and exposure of data. Data transferring, components and systems - for instance, does the use of a particular provider s cloud components limit the banking corporation and could prevent it from being able to move to another provider or transfer the information and/or systems back to the bank s premises? Information security, including changes in the traditional concept and the use of designated security tools. Access controls, while using the appropriate tools for the cloud computing environment. Change management and information technology asset management for instance, does the banking corporation have control over changes in the systems and are the changes in line with the banking corporation s policy and procedures? Risks related to business continuity and BCP/DRP, including changes in the banking corporation s network configuration. Management tools and environments that may add a level of complexity and sophistication to the systems. Legal risks, including aspects of confidentiality, data maintenance, ownership of information and licensing of software. Incident management, including reporting and handling procedures, and responsibilities definition.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information