Outsourcing – IT Controls (MAS TRMG)

Any restrictions?: There is no restriction on the implementation of cloud computing, as long as the necessary due diligence is completed and the controls required for outsourcing are in place.

Reference: Section 5 of the Technology Risk Management Guidelines (TRMG).

Due Diligence Check: A due diligence check should be completed to assess the viability, capability, reliability, track record and financial position of the service provider, and its outcome should be approved by the different parties involved.

Verification of DR Results: The FI should verify the service provider’s ability to recover the outsourced systems and IT services within the stipulated recovery time objective (“RTO”) prior to contracting with the service provider.

DR Training and Participation: The service provider should participate in the FI’s DR exercises and should receive DR-related training.

Contingency Planning: The FI should prepare contingency plans for credible worst-case scenarios in which the service provider is unable to continue providing the services.

Data Return and Removal: Upon termination of the contract, the service provider should return the FI’s data and remove all data from its systems and backups. This should be contractually enforced.

Data Protection: Multi-tenancy and data commingling architectures should be risk assessed to ensure that the FI’s data is protected by secure access controls.

Contract: The contract should include performance targets, service levels, availability, reliability, scalability, compliance, audit, security, contingency planning, disaster recovery capability and backup processing facility. The service provider should be legally auditable by the FI’s regulators.

(SLA, Scalability, Security, Auditability, DR Planning)

Regular Monitoring: The FI should monitor the security policies, procedures and controls of the service provider on a regular basis.