IS-Checklist v2.1

The document outlines various security requirements for a user management application. It covers requirements around application security, authentication and authorization controls, transaction security, database security, integrity checks and privacy/compliance. It includes requirements for features like multifactor authentication, role-based access management, input validation, change logging, reports generation and basic security controls. Documentation requirements around guides, access matrix and permission definitions are also specified. The vendor needs to comply with these requirements and provide comments on applicability and any additional details.

Uploaded by Chitij Chauhan
Columns: Sl no | Security Requirement | Applicable (Yes / No / N.A) | Vendor comments | IS comments

1 Application development security controls (OWASP, SANS practices)
1.1 Is the functional design document / solution architecture document available?
1.2 Are data flow diagrams available?
1.3 Is a threat modeling activity done on the application components?
1.4 Are secure development lifecycle standards followed? (e.g. OWASP practices)
1.5 Is application threat modeling done by the vendor prior to development?
1.6 Is thorough input validation performed by the application (both client-side and server-side validation)?
1.7 Are parameterized queries or stored procedures used to prevent SQL injection?
1.8 Are anti-XSS filters and regex used to mitigate cross-site scripting (XSS) attacks?
1.9 Are all relevant application session controls enforced (session timeout, cookie security controls)?
1.10 What controls are implemented to prevent privilege escalation, CSRF and functionality abuse attacks?
1.11 Are anti-key-logging mechanisms implemented across application login functionalities?
1.12 Is the application configured to prevent displaying sensitive error messages?
1.13 What kind of file upload security checks are implemented for the application? Example: extension validation, MIME type validation, magic number checks etc.
1.14 What kind of encryption algorithms / hash functions are used across the application? (e.g. SHA256 etc.)
1.15 What types of business logic security validations are applied across the application?
1.16 What are the input validation checks against file and directory traversal attacks?
1.17 What transport layer security and SSL features are implemented? (e.g. TLS 1.3)
1.18 What kind of error handling / information leakage protection is applied?
1.19 What kind of HTTP security headers are used? (Example: X-XSS, CSP, CORS etc.)
1.20 Are thorough input validations present to prevent injection attacks like command injection, server-side template injection etc.? If yes, how?
1.21 What third-party libraries are used for the application? Are they on the latest version with no known vulnerabilities as of date?
1.22 What internal security tools are used for secure coding? SAST/DAST, e.g. Burp, SonarQube, Checkmarx; please explain the details of the threshold for code compliance.

2 Application authentication and authorization controls
2.1 How are application authentication security checks implemented?
2.2 What kind of step-up authentication (OTP / Smart PIN) is used?
2.3 What password policies are implemented in terms of configuration and complexity?
2.4 What kind of anti-phishing controls are applied? (Example: sign-in image, virtual keyboard etc.)
2.5 What kind of security controls are applied to login functions (IP-based checks, account lockout etc.)?
2.6 Are geo-location based checks applied for application access?

3 Application transactional security controls
3.1 What security controls are defined in the application based on customer types?
3.2 What evidence is available to support a security-by-design approach, including secure software development, quality management and information security management processes?
3.3 What valid security certification in the relevant area (e.g. development, production), such as ISO 27001 or equivalent, does the software vendor hold?
3.4 What existing security or quality assurance certifications/gates are available?

4 Database security controls
4.1 Are TDE / data masking / encryption checks applied? If yes, which controls and how?
4.2 What kind of connection strings are used and enforced?

5 Integrity checks
5.1 What kind of integrity checks are applied across the application and database to check for unauthorized changes and modifications?

6 Service continuity - application developer vendor to guarantee:
6.1 The minimum lifecycle during which support is assured.
6.2 Ongoing research for potential vulnerabilities (e.g. a responsible disclosure program).
6.3 If critical vulnerabilities (according to their CVE rating) become known, what process ensures that they are resolved in a timely manner and at the vendor's own expense?
6.4 What is the protocol for informing the bank that the product is affected by a weakness and that an actionable fix has been implemented? Timely provisioning of security patches or other appropriate risk mitigation measures when new vulnerabilities become known. As a first remediation step the provider should at least respond with a remediation plan at the latest within seven (7) working days. The plan shall indicate the timeframe for resolving the vulnerability.

7 Data privacy and compliance laws
7.1 Software vendor to inform the operator about non-EU laws that it is obliged to obey.
7.2 Please mention all applicable countries' laws that apply to Ajman Bank using the product and services.
7.3 Project manager shall ensure that all personnel with access to Ajman Bank information sign the Non-Disclosure Agreement (NDA).
7.4 The provider shall inform Ajman Bank about other laws that must be obeyed concerning data collection or forwarding.
7.5 The provider and Ajman Bank shall agree on the use of the Traffic Light Protocol (TLP) when sharing security-relevant information between operator, provider, supplier(s), other operators, end users and the general public.
7.6 Is a source code escrow agreement signed?
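Item 1.13 asks what file upload checks the application performs. The following Python is an added example, not vendor code and not part of the checklist, that applies the three checks the item names in order: extension allow-list, declared MIME type, and a magic-number check on the bytes actually received. The allow-list of types, the size cap and the verdict format are assumptions of the demo; the byte signatures are the standard headers of PNG, JPEG and PDF files.

```python
# Added example (not vendor code): the upload checks named in item 1.13, in
# the order a server should apply them. ALLOWED_TYPES and MAX_UPLOAD_BYTES are
# assumptions for the demo; the signatures are the formats' standard headers.
from dataclasses import dataclass
from typing import Dict, Tuple

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumption: 5 MiB cap

# extension -> (MIME type the client must declare, accepted leading byte signatures)
ALLOWED_TYPES: Dict[str, Tuple[str, Tuple[bytes, ...]]] = {
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "pdf": ("application/pdf", (b"%PDF-",)),
}


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def validate_upload(filename: str, declared_mime: str, content: bytes) -> Verdict:
    """Return a Verdict; every rejection names the check that failed."""
    if len(content) > MAX_UPLOAD_BYTES:
        return Verdict(False, "file too large")

    # Drop any directory part the client sent, then judge the LAST extension
    # only, so "report.pdf.exe" is evaluated as "exe" rather than "pdf".
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return Verdict(False, "missing extension")
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return Verdict(False, f"extension not allowed: .{ext}")
    expected_mime, signatures = ALLOWED_TYPES[ext]

    # The declared Content-Type is client-controlled, so agreement proves
    # nothing on its own; disagreement is still a cheap early rejection.
    if declared_mime.split(";")[0].strip().lower() != expected_mime:
        return Verdict(False, f"declared type {declared_mime!r} does not match .{ext}")

    # Magic-number check on the received bytes: renaming a file does not
    # change its header, so this is the check that carries the weight.
    if not any(content.startswith(sig) for sig in signatures):
        return Verdict(False, f"content is not a valid .{ext} file")
    return Verdict(True, "ok")
```

A rejected upload should be logged with the reason string, which is safe to record: it names the failed check rather than echoing file contents.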
Sl.No User Management Application Requirements/Checklist
1 Application base requirements
1.1 Cross-browser & cross-platform device support.
1.2 SMS/Email communication integration with auto email support.
1.3 Self password / activation feature support.
1.4 Multifactor authentication support (Email/SMS/Key/Token).
2 User Management Module
2.1 Role-based user access management.
2.2 4-eye principle on user management module.
2.3 User management basic functionalities supported (Add/Modify/Delete/Disable/Enable).
2.4 Input validation and base testing are performed on basic functions.
2.5 Change logs and audit are available.
3 Group Management Module
3.1 Role-based group assignment.
3.2 4-eye principle applied on group assignment module.
3.3 Group management basic functionalities are supported and basic checks performed.
3.4 Group permission details are readable.
3.5 Change logs and audit are available.
4 Reports Module
4.1 User List Report: basic field requirement (ID, Name, Email, User status (Active/Disable), Role assigned, Branch assigned, Last login date, Created by, Modified by, Approved by) and other necessary fields are included.
4.2 User Session Activity (Log on / Log off) Report. Fields: ID, Name, IP/PC name, Logon date, Logon time, Status (Successful attempt / Failure attempt).
4.3 User Activity Audit Trail Report. Fields: ID, Name, Time, Date, Actioned by, Approved by, Activity, Change module, Old change value, New change value.
4.4 Group Permission Details Report. Fields: Group ID, Group name, Permissions assigned (Y/N), Read access, Write access, Delete access.
4.5 Reports can be generated in CSV, Excel, PDF, RTF and XML formats.
4.6 All formats of reports are printable.
4.7 Generated reports are readable and formatted properly (unnecessary whitespace and indentation in Excel avoided).
5 User Management Dashboards
5.1 User dashboard includes relevant fields such as last login date, time, role, active status etc.
6 Basic security requirements (refer to the IS checklist for advanced security check requirements)
6.1 Multiple user logon sessions are restricted.
6.2 Auto user session termination is applied after inactivity (20 minutes of session inactivity).
6.3 Session termination on all other devices on successful login from a client device.
6.4 Auto user disablement after X days of user inactivity (days to be set by admin users).
6.5 Password management policy, non-AD users: bank password policy to be applied on non-AD users.
6.7 Password management policy, AD users: bank password policy to be applied on non-AD users.
6.8 Last successful & unsuccessful logon info on user dashboard.
7 Documentation
7.1 User management guides (including definition of all the business/user input fields, usage, functionalities and workflow).
7.2 Security access matrix (onboarding groups and group permissions assigned to each group).
7.3 Definitions of permissions and their functionality description.
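Items 6.1 to 6.4 and 6.8 describe concrete session behaviour that a vendor can be tested against. The following Python class is an added example, not vendor code and not part of the checklist, that enforces those items together: one live session per user, termination of the other devices' sessions on a new login, a 20-minute idle timeout, automatic disablement after an admin-set number of idle days, and last successful/failed logon data for the dashboard. The injected clock, the password-check callback and the demo() scenario are assumptions so the timeouts can be exercised offline.

```python
# Added example (not vendor code): session handling for items 6.1-6.4 and 6.8.
# The clock and the password check are injected (assumptions of the demo).
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

IDLE_TIMEOUT = timedelta(minutes=20)   # item 6.2


@dataclass
class Session:
    user: str
    device: str
    last_activity: datetime


@dataclass
class UserRecord:
    disabled: bool = False
    last_success: Optional[datetime] = None   # item 6.8
    last_failure: Optional[datetime] = None   # item 6.8
    last_seen: Optional[datetime] = None      # drives item 6.4


class SessionManager:
    def __init__(self, verify_password: Callable[[str, str], bool],
                 inactivity_days: int, now: Callable[[], datetime] = datetime.now):
        self.verify_password = verify_password
        self.inactivity_limit = timedelta(days=inactivity_days)  # item 6.4, admin-set X
        self.now = now
        self.users: Dict[str, UserRecord] = {}
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str, password: str, device: str) -> Optional[str]:
        """Return a session id on success, None on any failure."""
        rec = self.users.setdefault(user, UserRecord())
        t = self.now()
        # Item 6.4: an account idle longer than the limit is disabled before
        # the credential is even checked, so a correct password cannot revive it.
        if rec.last_seen is not None and t - rec.last_seen > self.inactivity_limit:
            rec.disabled = True
        if rec.disabled or not self.verify_password(user, password):
            rec.last_failure = t
            return None
        # Items 6.1 and 6.3: one live session per user; a new successful login
        # terminates every session the user holds on other devices.
        for sid in [s for s, sess in self.sessions.items() if sess.user == user]:
            del self.sessions[sid]
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, device, t)
        rec.last_success = rec.last_seen = t
        return sid

    def touch(self, sid: str) -> bool:
        """Validate a request carrying sid; False if unknown or idle-expired."""
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        t = self.now()
        if t - sess.last_activity > IDLE_TIMEOUT:   # item 6.2
            del self.sessions[sid]
            return False
        sess.last_activity = t
        self.users[sess.user].last_seen = t
        return True

    def active_devices(self, user: str) -> List[str]:
        return sorted(s.device for s in self.sessions.values() if s.user == user)

    def dashboard(self, user: str) -> dict:
        """Item 6.8: last successful and unsuccessful logon, plus account state."""
        rec = self.users.get(user, UserRecord())
        return {"last_successful_logon": rec.last_success,
                "last_failed_logon": rec.last_failure,
                "active": not rec.disabled}


def demo() -> dict:
    """Constructed scenario on a fake clock; returns what each rule produced."""
    clock = {"t": datetime(2024, 1, 1, 9, 0)}
    mgr = SessionManager(lambda u, p: p == "correct-horse", 30, lambda: clock["t"])
    out: dict = {}
    laptop = mgr.login("alice", "correct-horse", "laptop")
    phone = mgr.login("alice", "correct-horse", "phone")
    out["devices_after_second_login"] = mgr.active_devices("alice")    # 6.1 / 6.3
    out["laptop_still_valid"] = mgr.touch(laptop)
    clock["t"] += timedelta(minutes=19)
    out["phone_valid_at_19min"] = mgr.touch(phone)
    clock["t"] += timedelta(minutes=21)
    out["phone_valid_after_21_idle"] = mgr.touch(phone)                 # 6.2
    out["bad_password_login"] = mgr.login("alice", "wrong", "phone")
    out["dashboard"] = mgr.dashboard("alice")                           # 6.8
    clock["t"] += timedelta(days=31)
    out["login_after_31_idle_days"] = mgr.login("alice", "correct-horse", "laptop")  # 6.4
    out["active_after_31_idle_days"] = mgr.dashboard("alice")["active"]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the idle check runs on every request rather than on a background timer: a session that has sat idle is rejected the moment it is next used, which is the behaviour item 6.2 actually needs.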


Columns: Control area | Category | Control description | Applicable | Vendor's response | Vendor's comments | IAM comments

Access and Authentication Questions
- Governance and Management: Ensure all platforms conform to a structured role-based access control to appropriately restrict the rights of privileged users.
- Technical Requirement: Cloud service provider should provide the capability to use geographic location as an authentication factor (e.g. restricting access based on origin of IP address).
- Governance and Management: Cloud service provider should provide a formal, role-based security awareness training program for cloud-related access and data management issues (e.g. multi-tenancy, nationality, cloud delivery model, segregation of duties implications and conflicts of interest) for all persons with access to tenant data.
- Technical Requirement: Cloud service provider should support identity federation standards (e.g. SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users. If identity federation is not available, the Cloud service provider should maintain a secure identity store for managing accounts, credentials and entitlements following standard naming, account and security practices.
- Technical Requirement: Access to self-service portals should be provisioned with privileged accounts in order to minimize exposure to risks such as account or service hijacking.
- Technical Requirement: Document a Cloud access policy that specifies the access controls to be implemented for the Cloud solution. Controls should be implemented covering new user access, modification of user access and access revocation (joiner, mover, leaver controls), user registration, privileged account management, use of passwords and user password management, periodic reviews of user access rights and user authentication for external connections.
- Technical Requirement: Implement authentication controls including two-form and two-factor authentication with user name and secure one-time token codes for access to the management console; SFTP service with username and public/private key based authentication with IP address filtering, where possible; enforcement of strong passwords (e.g. 60 days password expiry, 8 character minimum length and password complexity requirements); positive identification of users prior to authorisation; and management of authorised user listings.

Data Security Questions
- Governance and Management: Cloud service provider should use dedicated secure networks to provide management access to cloud service infrastructure that is separate from the customer (tenant) production infrastructure and CSP shared service infrastructure.
- Cloud service provider must have the capability to restrict the storage of customer data to specific countries or geographic locations.
- Technical Requirement: Request that potential cloud providers provide a list of countries where data is likely to be processed and information relating to the safeguards in place. The cloud provider should be able to explain when data will be transferred to these locations. In the case of layered cloud services, information relating to the location of each sub-processor involved in the processing of the data should also be available from the cloud provider, with details of the security arrangements in place. Ensure the potential cloud provider you wish to choose can protect your data adequately.
- Technical Requirement: Cloud service provider should support tenant-generated encryption keys, permit tenants to encrypt data to an identity without access to a public key certificate (e.g. identity-based encryption), or tenant-specific encryption keys. If these capabilities are not available, encryption keys must be maintained by the Cloud service provider or a trusted key management provider.
- Technical Requirement: Carry out and document a data security risk assessment for each Cloud deployment. As part of this, establish a joint data residency policy specifying the jurisdictions in which the data can be stored, processed and managed. Periodically review the policy as part of the overall governance arrangements.
- Technical Requirement: Ensure alignment of the service provider's data loss and breach notification processes with the Bank's overall risk appetite and legal or regulatory obligations.
- Technical Requirement: Controls must be implemented to ensure that data remains segregated in public cloud deployments between production and non-production environments.
- Governance and Management: Ensure compliance with the eight principles of the Data Protection Act (DPA) 1998, the guidelines laid out in the General Data Protection Regulation (GDPR) 2018 and associated guidance throughout the end-to-end Cloud solution.
- Technical Requirement: Facilities to encrypt data whilst in transit must be available and should be utilised at all times.
- Technical Requirement: Facilities to encrypt data whilst at rest must be available and should be used at all times.
- Technical Requirement: Traffic over virtual networks must be visible to security protection devices, such as network-based intrusion detection and prevention systems, on the physical network.
- Technical Requirement: The party responsible for developing and releasing solutions (including retained DevOps teams, SaaS CSPs, etc.) should maintain segregation of duties within the platform.
- Governance and Management: Ensure you have identified the data controller, who has ultimate responsibility for complying with the DPA. The use of layered services means that it is possible that a number of data controllers, and data processors working on their behalf, could be acting together to deliver content or services. The precise role of the cloud provider will have to be reviewed in each case, in order to assess whether or not it is processing personal data. If it is, it is important to determine whether the cloud provider is merely acting as a 'data processor' on behalf of the data controller or whether it is a data controller in its own right.
- Governance and Management: For each cloud deployment, review the personal data being processed and determine whether there is any data that should not be put into the cloud, e.g. where assurances were given to clients etc. when the personal data was collected.
- Governance and Management: A continual cycle of monitoring, review and assessment is required to ensure that the cloud service is running in the manner expected and as the contractual agreement stipulates.
- Governance and Management: The cloud customer may need to take appropriate steps to inform the end users of the cloud service about the processing arrangements that the controller has put in place. As a matter of good practice, cloud customers should be as open as possible about this.
- Governance and Management: Ensure you have a written contract with the data processor requiring that the data processor is to act only on instructions from the data controller, and that the data processor will comply with security obligations equivalent to those imposed on the data controller itself. The terms of service a cloud provider may offer should be checked to ensure that they adequately address the risks.
- Governance and Management: Select a data processor that provides sufficient guarantees about the technical and organisational security measures governing the processing to be carried out, and take reasonable steps to ensure compliance with those measures. Ensure you review the guarantees of availability, confidentiality and integrity that the potential cloud provider provides.
- Governance and Management: Ensure that the potential cloud provider can delete all copies of personal data within a timescale that is in line with their own deletion schedule. You should also be aware what will happen to personal data if you decide to withdraw from the cloud service in the future.
- Governance and Management: There should be a clear policy in place to specify the circumstances in which the potential cloud provider may access the personal data it processes. The policy should provide for an audit process that will alert the cloud customer if unauthorised access, deletion or modification occurs. If the cloud provider is managing the computing resources on behalf of the cloud customer it is likely that it will be able to access copies of the data. Access may be authorised for actions such as the provision of support services. However, unauthorised access may lead to the inappropriate disclosure, deletion or modification of personal data.
- Governance and Management: Ensure that the potential cloud provider only processes personal data for the specified purposes. Processing for any additional purposes could breach the requirements of the DPA that personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. This might be the case if the cloud provider decides to use the data for its own purposes. Contractual arrangements should prevent this.
- Governance and Management: Ensure that the potential cloud provider has a robust set of safeguards in place to protect against the possibility of one cloud customer gaining access to another's personal data. The cloud provider will also need to ensure that the activities of one cloud customer do not impact on those of another.
- Technical Requirement: Recognise that a switch to cloud computing can introduce a new set of data protection risks that cloud users may be unaware of. The cloud provider might offer controls that enable the cloud customer to configure the security settings of the cloud service. If it does, you should have appropriate training and procedures in place to maintain the security that these controls offer. Any procedures and policies in place should be supported by an audit function, to help ensure ongoing compliance.
- Governance and Management: Ensure that a move to a cloud service still allows data subjects to exercise their rights, such as access to their personal data and the right to object to their personal data being processed for certain purposes.

Governance and oversight Questions
- Governance and Management: Establish a committee / forum tasked with the governance and oversight of the Cloud outsourced arrangement specific to the operational function. This should be comprised of senior stakeholders from across the business (finance, operations, risk and compliance, IT etc.) and include individuals with the skills and experience required to oversee the proposed Cloud solution. Terms of reference, roles and responsibilities should be clearly documented and communicated. These should be periodically reviewed, updated and approved. Allocate responsibility for the day-to-day and strategic management of the service provider.
- Governance and Management: Assess the overall operational risks associated with the regulated service subject to outsourcing for which the firm is responsible and assign responsibility for managing them.
- Governance and Management: Establish a governance framework for ongoing oversight of the Cloud solution, providers and overall risk profile. Procedures for measuring, monitoring and reporting of performance and issues should be established along with procedures for managing and resolving disputes.
- Governance and Management: Establish a program for ensuring that sufficient skills and resources are available to oversee and manage the outsourced Cloud activities and perform ongoing risk management activities.
- Governance and Management: Establish exit plans, procedures and controls that allow for exiting data and platforms from outsourced Cloud arrangements without causing undue disruption to operational functions and service provision, as well as compliance with regulatory obligations. This should include documented exit plans, how services would be transitioned in a manner that maintains continuity, obligations on the service provider to cooperate in a transition situation and how data will be migrated and handled. The monitoring of concentration risk should also be considered as part of this process.
- Governance and Management: Ensure effective access to data and the business premises of the Cloud service provider(s) for the firm, its auditors and regulatory authorities.
- Governance and Management: Establish, document and periodically review the Cloud responsibility and security architecture, including the shared responsibility model for the architecture of Cloud security arrangements, specifically describing the arrangements for the 'security of the Cloud' and 'security in the Cloud'. This should clearly highlight where accountability and responsibility between the Bank and the service providers resides for the cloud solution.
- Governance and Management: Allocate responsibility for the day-to-day and strategic management of the service provider.

Legal and Regulatory Questions
- Governance and Management: Ensure that overarching contracts with Cloud Service Providers have been negotiated to provide the appropriate level of liability and other key legal elements.
- Technical Requirement: Understand the regulations around data retention and implement the retention and lifecycle policy required for the solution.
- Governance and Management: Document the business case / rationale in support of the decision to leverage Cloud for key operational functions or material outsourcing, including assessing the relative risks of using a particular service, model or approach over another (e.g. public versus private Cloud).
- Governance and Management: Perform and document the due diligence carried out on the Cloud providers. As part of this, assess legal and regulatory obligations and implications and confirm that entering into outsource agreements or leveraging the selected Cloud model does not worsen the overall operational risk position of the function and/or business as a whole. As part of the initial due diligence and ongoing monitoring of the services being provided, the Bank should consider the proposed providers' adherence to internal standards (e.g. ISO 27001, ISAE service organisation reports) as well as assess other providers in the 'chain' or overall service arrangement.
- Governance and Management: Maintain an accurate record of contracts between the firm and its service provider(s).
- Technical Requirement: Implement Cloud based outsourced services in a manner that considers potential resolution requirements, caters for swift resolution and does not further complicate resolution procedures (e.g. resolution should not impede the ability to generate Single Customer View files etc.).

Monitoring & Audit Logging Questions
- Technical Requirement: Ensure all platforms are monitored for access to underlying resources by operators. Any such access should be justified and approved.
- Technical Requirement: Cloud service provider should make available a Security Information and Event Management system (enabling the merging and analysis of application logs, firewall logs, intrusion detection system logs, physical access logs, etc.) for granular analysis and alerting.
- Technical Requirement: Cloud service provider should provide the client with platform management logs, application logs and API activity logs via agreed-upon methods.
- Technical Requirement: Cloud service provider logging and monitoring framework should allow isolation of an incident to specific tenants.
- Technical Requirement: Understand what components of the solution will require active and passive monitoring and the required thresholds. Understand who needs to be informed of monitoring events. Build monitoring policy into the solution.

Network Security Questions
- Technical Requirement: Cloud service provider should implement technical measures and apply defence-in-depth techniques (e.g. deep packet analysis, traffic throttling and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g. MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks.
- Technical Requirement: Cloud service provider should establish an option for API request calls to be digitally signed.
- Technical Requirement: Policies, procedures and mechanisms should be implemented to prevent CSP infrastructure resources (network, storage, server, management console, etc.) from connecting to the customer (tenant) production infrastructure wirelessly.
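The control on digitally signed API request calls does not define a scheme, so a reviewer needs a concrete picture of what to ask the provider for. The following Python is an added example, not any cloud provider's API, showing both sides of request signing: a canonical string over method, path, timestamp, nonce and body hash; a signature over it; and a verifier that rejects stale, replayed or tampered requests. A shared-secret HMAC-SHA256 stands in for the public-key signature so that the example runs on the standard library alone; the header names, canonical layout and 5-minute replay window are assumptions of the demo.

```python
# Added example (not a cloud provider's API): one shape a signed-request scheme
# can take, shown from both sides. HMAC-SHA256 over a shared secret stands in
# for a public-key signature so the demo needs only the standard library; the
# header names, canonical string layout and replay window are assumptions.
import hashlib
import hmac
import time
from typing import Callable, Dict, Tuple

REPLAY_WINDOW_SECONDS = 300   # assumption: reject timestamps more than 5 min off


def canonical_string(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    """Everything the signature must cover, in a fixed order. The body enters
    as a hash so large payloads are cheap to sign while any change to them
    still breaks the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp: int, nonce: str) -> Dict[str, str]:
    """Caller side: produce the headers that accompany the request."""
    mac = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


class Verifier:
    """Provider side: recompute the signature and enforce freshness and single use."""

    def __init__(self, secret: bytes, now: Callable[[], float] = time.time):
        self.secret = secret
        self.now = now
        self.seen_nonces: set = set()   # a real service bounds this by the window

    def verify(self, method: str, path: str, headers: Dict[str, str],
               body: bytes) -> Tuple[bool, str]:
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            presented = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signature headers"
        # Freshness first: a request outside the window is dropped before
        # any expensive work, whether or not its signature is valid.
        if abs(self.now() - timestamp) > REPLAY_WINDOW_SECONDS:
            return False, "timestamp outside replay window"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = hmac.new(self.secret, canonical_string(method, path, timestamp, nonce, body),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak how many leading
        # characters of the presented signature were right.
        if not hmac.compare_digest(expected, presented):
            return False, "bad signature"
        self.seen_nonces.add(nonce)   # only a verified request consumes its nonce
        return True, "ok"
```

With a public-key scheme the verifier holds only the tenant's public key, so a compromise of the provider's verification service does not yield a signing capability; that difference is the reason the control says "digitally signed" rather than "authenticated".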

Patching Questions
- Technical Requirement: All virtual operating system, virtual network and firewall configuration layers should be maintained at the latest patching and hardening levels consistently across all platforms.

Risk Management Questions
- Governance and Management: Ensure there is a clear process for recording and reporting risks while deploying the technical solution. These areas should be discussed regularly and the risk mitigated or accepted.
- Governance and Management: Carry out and document an initial risk assessment to identify and quantify the risks of leveraging Cloud for the operational function in question. As part of this, identify mitigating actions and controls and assign responsibility for managing the operational risks identified.
- Governance and Management: Develop a Cloud compliance framework that incorporates industry good practice guidance and controls for managing risks (e.g. information security, data protection etc.).
- Governance and Management: Risk assessments of Cloud solutions should be carried out periodically and reviewed by Product Owners (at minimum annually) to identify, quantify and prioritise risks such as multi-tenancy, network segregation, entitlement and the relative risks of using a particular service, model or approach over another (e.g. public versus private Cloud). This should also consider concentration risk. A documented process should be followed for risk mitigation and risk acceptance.
- Governance and Management: Cloud service providers should have an option for customers to opt in or opt out of specific features in releases.
- Governance and Management: Cloud service providers should allow tenants to opt out of having their data/metadata accessed via inspection technologies.
- Governance and Management: As part of the contracting process with Cloud providers, formally document:
  • A roles and responsibilities matrix between the Cloud service provider(s) and the Bank for each platform/service offering (i.e. incident response, infrastructure support, access management, etc.). Methods for maintaining segregation of duties within the cloud service offering should be included.
  • Scenarios in which the Cloud service provider may access tenant data and metadata.
  • Installation, configuration and use of products/services/features.
  • Known issues with certain products/services of the cloud offering.
  • Transport routes of data between systems and governing procedures for data migration to and from the cloud service offering.

Secrets Management Questions
- Technical Requirement: The platform should possess a process and tool to store and share passwords, private keys, SSL certificates and any other sensitive information across relevant parties.

Security Testing Questions
- Governance and Management: Cloud service providers should permit tenants to perform independent vulnerability assessments and penetration tests of the customer (tenant) production infrastructure wherever possible.

Service Operations & Delivery Questions
- Technical Requirement: The party responsible for developing and releasing solutions (including retained DevOps teams) should ensure that all debugging and test code elements are removed from production-released software versions.
- Governance and Management: Changes to the overall Cloud solution and related service provision should follow well-established change management processes and controls, in particular establishing provision for future changes to the technology service provision and how these will be effectively tested and approved prior to deployment into production. Relevant related aspects should be considered as part of change management procedures, including the potential impact on legal and regulatory requirements, information security, data protection and compliance with the DPA.
- Governance and Management: Ensure the end-to-end service arrangement is fully documented, including clear accountability and responsibilities between the firm and service provider(s). Changes to the services being provided should be formally approved and reflected in this document.
- Governance and Management: Any Cloud solution being deployed into live service should have appropriate and, where needed, additional support and service level agreements in place with the Cloud Service provider.
- Governance and Management: Ensure that specific support arrangements and clear access to service and support representatives have been established and are maintained throughout the life of a contract with the Cloud Service Provider.

Service Resilience Questions


>

Ensure solutions are built to


achieve High Availability with a
Governance and Disaster Recovery model in
Service Resilience
Management place. Test the Business
Continuity regularly as required
for the solution.

Establish appropriate
arrangements for ensuring
operational continuity and
ongoing compliance with
regulatory obligations in the
event of unforeseen
Technical interruptions to the outsourced
Service Resilience
Requirement Cloud based services. The
contract with the service
provider should provide for the
timely notification of breaches
or events at the Cloud provider
and the appropriate
remediation thereof.
In assessing continuity, for each
Cloud deployment and in
aggregate, the Bank should
consider the likelihood and
impact of unexpected outages
to the continuity of its Banking
Technical
Service Resilience operations, document a
Requirement
strategy for maintaining
continuity and regularly test
and update these arrangements
as required and ensure that
regulators have access to the
firm's data.

Cloud service provider must


Governance and provide client with
Service Resilience Management geographically resilient hosting
options.

Cloud service provider should


have the capability to logically
Governance and
Service Resilience segment and recover data for a
Management specific customer in the case of
a failure or data loss.

Understand the possible data


loss or corruption risks present
Technical
Service Resilience and data regulations required
Requirement and implement a backup policy
required for the solution.
Recommendation | Applicable | Vendor Comments

Map current role(s) definitions to policies on the cloud platform that can be attached to a user, group or role.

Use the cloud service provider's whitelist feature, Security Groups, firewall rules or Network Access Control Lists (NACL) to restrict or allow specific traffic on a specific IP address or range.

Negotiate with the provider to include this as an obligation in the service contract.

Most CSPs offer the capability to establish SSO via one or more of the methods suggested in this control; vendor selection should include this as part of the evaluation criteria.

Where possible, use the central identity store for SSO or federated access to ensure only authenticated and authorised users are allowed access.

Implement required access controls through a mixture of 1) policies that can be attached to users, groups or roles, 2) utilising the current central identity store to allow easy integration with the JML process, and 3) password complexity and password history configuration on the Cloud Service Provider.

Enable MFA, password complexity requirements and password history requirements wherever possible. Also use the central identity store for accurate authentication and authorisation of a user.

Ideally, management applications or tooling should be made more highly available than the 'object' they are managing. This can be done by extending the management applications and tooling capability into the cloud service provider.

This can be easily achieved by ensuring the correct region is chosen when deploying within the CSP. Restrictions can be placed to allow resources to be deployed in only the approved regions, and/or notifications can be sent when non-approved regions are being used.

Ensure encryption keys are created on a per-account, per-application or per-use basis. These can be stored on premise or using a self-hosted secret store such as HashiCorp Vault. Keys should be rotated regularly.
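An added example (not part of the checklist) of how the per-application key and regular-rotation recommendation above can be checked against a key inventory: the script takes constructed key metadata records, flags keys older than the rotation period and keys shared by more than one application. The record format, the 90-day period and the key names are assumptions; a real inventory would be exported from whichever KMS or Vault is in use.

```python
"""Check a key inventory against the per-application and rotation rules.

Added example, not part of the checklist. The inventory records are
constructed; the field names (key_id, application, created) are
assumptions rather than any particular KMS or Vault export format.
"""
from collections import defaultdict
from datetime import date, timedelta

# Assumption: keys must be rotated at least every 90 days.
MAX_KEY_AGE = timedelta(days=90)

# Constructed sample inventory: one record per (key, consuming application).
SAMPLE_INVENTORY = [
    {"key_id": "payments-db-01", "application": "payments", "created": "2024-01-10"},
    {"key_id": "payments-db-01", "application": "reporting", "created": "2024-01-10"},  # shared
    {"key_id": "reporting-export-02", "application": "reporting", "created": "2024-03-01"},
    {"key_id": "legacy-backup-03", "application": "backup", "created": "2023-09-15"},  # stale
]


def stale_keys(inventory, today_iso, max_age=MAX_KEY_AGE):
    """Sorted key_ids created more than max_age before today_iso (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    return sorted({r["key_id"] for r in inventory
                   if today - date.fromisoformat(r["created"]) > max_age})


def shared_keys(inventory):
    """{key_id: sorted applications} for keys used by more than one
    application, which breaks the per-application rule."""
    users = defaultdict(set)
    for r in inventory:
        users[r["key_id"]].add(r["application"])
    return {k: sorted(apps) for k, apps in users.items() if len(apps) > 1}


def audit(inventory, today_iso):
    """Run both checks and return one report; empty lists/dicts mean clean."""
    return {"stale": stale_keys(inventory, today_iso), "shared": shared_keys(inventory)}


if __name__ == "__main__":
    # Assumed audit date for the constructed inventory above.
    print(audit(SAMPLE_INVENTORY, "2024-03-20"))
```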

Controls can be configured to ensure services or resources are only created or used within approved regions, and proactive alerting/notifications can be configured to notify when non-approved regions are being used; this can also be utilised to monitor shadow IT.

Encryption of data wherever possible will help mitigate risks around data loss or data breach.

Production and non-production workloads should be segregated at the account or subscription level to ensure data cannot traverse between these environments.

Suitably skilled data protection specialists should be involved in proposed Cloud strategies and deployments in order to ensure that the principles established for the use of Cloud meet the overarching requirements and principles of data protection regulations.

Usually this is a simple 'tick in the box' when deploying and can be easily enabled; this should ideally be enabled or configured wherever possible.

Usually this is a simple 'tick in the box' when deploying and can be easily enabled; this should ideally be enabled or configured wherever possible.

Network traffic logs can be collected, aggregated and stored in a central point such as an on-premise or self-hosted logging tool. An application or tooling should be available to provide insight on the data for proactive alerting or notifications.

Segregation of duties can be enforced by policies or 'rules' that the CSP offers.

A data security specialist needs to be involved in the setup and every deployment of the cloud solution, and work closely with the data owners.

A data security specialist needs to be involved in the setup and every deployment of the cloud solution, and work closely with the data owners.

Have a data classification scheme in place that defines types of data according to sensitivity and/or policies on data residency. If you are looking to process personal data in large or complex cloud services you would benefit from conducting a privacy impact assessment in order to assess and identify any privacy concerns and address them at an early stage.

A data security specialist needs to be involved in the setup and every deployment of the cloud solution, and work closely with the data owners.

A written contract should be set up prior to moving data to a cloud or involvement of a potential cloud provider.

A data security specialist needs to be involved in the setup and every deployment of the cloud solution, and work closely with the data owners.

A data security specialist needs to be involved in the setup and every deployment of the cloud solution, and work closely with the data owners.

A data security specialist needs to be involved in the setup and every deployment of the cloud solution, and work closely with the data owners.

A data security specialist needs to be involved in the setup and every deployment of the cloud solution, and work closely with the data owners.

A data security specialist needs to be involved in the setup and every deployment of the cloud solution, and work closely with the data owners. Refer to the Shared Responsibility Model, whereby the cloud customer is responsible for ensuring the security of the data in the cloud, and the cloud provider is responsible for the security of the cloud.

Working closely with the Internal Audit function throughout the setup and implementation of a cloud solution ensures the requirements around staff training are met. Refer to the Shared Responsibility Model, whereby the cloud customer is responsible for ensuring the security of the data in the cloud, and the cloud provider is responsible for the security of the cloud.

A data security specialist needs to be involved in the setup and every deployment of the cloud solution, and work closely with the data owners.

Consider how the Cloud CoE fits into the overall framework, what existing forums and procedures can be leveraged and what would potentially need to be implemented going forward.

Consider implementing performance monitoring of the cloud supplier, ensuring that it meets agreed SLAs and performance by running regular resilience tests and having active monitoring and alerting in place on the infrastructure components.

The Cloud CoE can manage oversight of the cloud based applications by having standardised active monitoring and alerting in place on the infrastructure and applications, which are fed into ServiceNow. Risk Management activities such as regular patching, vulnerability scanning and Identity and Access Management can be owned by the Cloud CoE, with governance and controls in place outlining how these activities will be carried out in an automated way using recommended tooling.

For each proposed Cloud based solution, refer to regulatory Cloud guidance 'FCA FG16-5' and 'ICO Guidance on the use of cloud computing' for specifics on the extent to which aspects should be covered as part of assessing and designing the proposed Cloud based solution.

For each proposed Cloud based solution and provider, refer to regulatory Cloud guidance 'FCA FG16-5' for detailed considerations and contracting provisions relating to access to both data and the provider's business premises for the Bank, its auditors and regulators.

Most providers operate a 'shared responsibility' model for security, whereby the customer is responsible for security 'in' the cloud and the provider is responsible for security 'of' the cloud.

Utilise the industry and UK Government practice of a "Defence in Depth" approach (reference CESG Good Practice Guide (GPG) 8). The 'Defence in Depth' approach is aligned with the patterns set out within AP2 Walled Gardens for Remote Access, contributing to a secure "Walled Garden" architecture solution.

Consider how the Cloud CoE and other forums could help achieve this requirement, which may evolve over time depending on the nature and scale of the Cloud outsourcing to be adopted.

Depending on the requirements, data lifecycles can be configured on the CSP to provide data archival methods for long-term and cheaper storage of data.

Document the business case / rationale for each Cloud deployment and the associated risk assessment.

For each proposed Cloud based solution, refer to regulatory Cloud guidance 'FCA FG16-5' and 'ICO Guidance on the use of cloud computing' for specifics on the extent to which aspects should be covered as part of assessing and designing the proposed Cloud based solution.

Consider the wider Bank supplier management processes to determine the most efficient and effective means to cover this requirement.

This should be assessed for each deployment to the Cloud and, where applicable, measures implemented that cater for an orderly resolution and the ability to access required data.

Most CSPs offer the capability to track all changes and API calls made to the environment. The logs should be collected, aggregated and stored in a central point. An application or tooling should be available to provide insight on the data for proactive alerting or notifications.

Most CSPs offer the capability to track all changes and API calls made to the environment. The logs should be collected, aggregated and stored in a central point. An application or tooling should be available to provide insight on the data for proactive alerting or notifications.

Most CSPs offer the capability to track all changes and API calls made to the environment. The logs should be collected, aggregated and stored in a central point. An application or tooling should be available to provide insight on the data for proactive alerting or notifications.
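As an added example (not part of the checklist), the following Python script shows the kind of detection logic the approved-regions recommendation and the API-call logging recommendation above both call for: it runs over a few constructed audit events that use CloudTrail-style field names and flags resource-creating calls made outside the approved regions, grouped by principal so shadow-IT activity stands out. The approved regions, the principal names and the creation-call prefixes are assumptions.

```python
"""Flag resource-creating API calls made outside approved regions.

Added example, not part of the checklist. The events below are
constructed sample records using CloudTrail-style field names
(eventTime, eventName, awsRegion, userIdentity.arn); a real deployment
would read them from the central log store the checklist describes.
"""
import json
from collections import defaultdict

# Assumption: the firm has approved two EU regions for all workloads.
APPROVED_REGIONS = {"eu-west-1", "eu-west-2"}

# Assumption: calls with these prefixes create billable resources. Read-only
# calls (Describe*/List*/Get*) in a non-approved region are noise; creation
# calls are what indicate shadow IT or a misconfigured deployment.
CREATE_PREFIXES = ("Create", "Run", "Launch", "Put")

# Constructed sample log: one JSON object per line, plus one malformed line
# to show that a bad record does not stop the run.
SAMPLE_LOG = """\
{"eventTime":"2024-03-01T09:12:03Z","eventName":"RunInstances","awsRegion":"eu-west-1","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ci-deploy"}}
{"eventTime":"2024-03-01T09:14:41Z","eventName":"DescribeInstances","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ci-deploy"}}
this line is not json
{"eventTime":"2024-03-01T10:02:17Z","eventName":"CreateBucket","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}
{"eventTime":"2024-03-01T10:05:55Z","eventName":"RunInstances","awsRegion":"ap-southeast-1","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}
{"eventTime":"2024-03-01T11:30:00Z","eventName":"PutObject","awsRegion":"eu-west-2","userIdentity":{"arn":"arn:aws:iam::111122223333:role/app-backend"}}
"""


def is_creation(event_name: str) -> bool:
    """True for calls that create resources rather than read them."""
    return event_name.startswith(CREATE_PREFIXES)


def parse_events(raw: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # log it in a real pipeline; here we just skip it
    return events


def find_violations(events: list[dict], approved: set = APPROVED_REGIONS) -> dict:
    """Return {principal: [(region, eventName), ...]} for creation calls
    made outside the approved regions. Read-only calls are ignored."""
    hits = defaultdict(list)
    for ev in events:
        region = ev.get("awsRegion", "")
        name = ev.get("eventName", "")
        if region in approved or not is_creation(name):
            continue
        principal = ev.get("userIdentity", {}).get("arn", "<unknown>")
        hits[principal].append((region, name))
    return dict(hits)


if __name__ == "__main__":
    for who, calls in find_violations(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {who}: {len(calls)} creation call(s) outside approved regions: {calls}")
```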

This control can be achieved via inherent management features available from the CSP to segregate logs and alerts at the account level, which would allow filtering of logs to just the specific tenant under the authority of that account.

Proactive alerting or monitoring can be configured on the CSP and sent to the most relevant teams once requirements have been gathered on a per-application/service basis.

Within a virtual network, utilise a suitable product set to provide Host-based Intrusion Detection Services (IDS) and File Integrity Monitoring (FIM).

To maintain separation of the production environment from the development and testing environments, utilise different virtual networks for development, test, pre-production and production environments. This ensures that development and testing work processes do not impact the production environment, and that a level of service and security stability can be provided for the production environment.

CSPs provide the physical boundary protection for the network perimeter devices that connect to the public Internet. As part of the IaaS service, the provider should notify the Bank if any DDoS attacks are being conducted on the Bank's Cloud hosted services.

It is not recommended that any CSP who is unable to provision digitally signed APIs be engaged by the Bank. CSPs will provide guidance on how to enable digital signatures for APIs, and it is recommended that digital signatures are enabled by default for all APIs.

Private subnets for applications, together with firewalls, can be used to prevent any access to the environment from outside the network.

Depending on the model being used (IaaS / PaaS) and the respective shared responsibility model, there are a multitude of options available to ensure patching and hardening levels. An example would be to use HashiCorp Packer to create new OS images with the latest patches regularly and refresh the OS on the infrastructure for a given application as regularly as required.

Perform and document the risk assessment for each proposed Cloud deployment.

This deliverable is the initial framework, which can develop and evolve over time.

Include annual risk reviews and assessments in the Bank's Cloud operations model for the ongoing review and management of the risks associated with the Bank's Cloud deployments.

Concentration risk should be assessed and actions identified with a view to ensuring the resilience of the services being provided.

Additional features are usually built into solutions to provide additional performance, security or resiliency. These are usually opt-in, and additional features are not introduced by default if they are performance or security impairing. The Bank should always perform regression testing when accepting a new update or patch from a service provider.

Negotiate with the provider to include this as an obligation in the service contract.

Elements outlined in this control should be included in the contract during negotiations / drafting; however, some CSPs may refuse to make material changes to their contracts, at which point a call will need to be made on risk vs benefit and the potential mitigating factors that could be considered.

Secure storage of secrets and sharing of these secrets should be done by an approved tool that has its own set of controls.

CSPs usually offer a form-based request process to allow penetration testing of a service/resource; however, there are limitations for specific services depending on the service and the CSP, so it is worth checking these limitations.

Pull requests should be used whenever code changes are required, and changes should be approved before being rolled out in any Production environment.

Where possible, create a reusable and reliable pattern of change that can be approved once and used again without additional approval. Approval of changes should be sought when the pattern is changed.

Elements outlined in this control should be included in the contract during negotiations / drafting; however, some CSPs may refuse to make material changes to their contracts, at which point a call will need to be made on risk vs benefit and the potential mitigating factors that could be considered.

Elements outlined in this control should be included in the contract during negotiations / drafting; however, some CSPs may refuse to make material changes to their contracts, at which point a call will need to be made on risk vs benefit and the potential mitigating factors that could be considered.

Elements outlined in this control should be included in the contract during negotiations / drafting; however, some CSPs may refuse to make material changes to their contracts, at which point a call will need to be made on risk vs benefit and the potential mitigating factors that could be considered.

High Availability and Disaster Recovery can both be catered for when deploying an Active-Active model across multiple datacentres within the approved datacentre locations. Business Continuity can be tested by creating a new temporary environment from the Infrastructure-as-Code framework and ensuring a functionally working solution is brought up.

Leverage Cloud provider functionality for building resilience and continuity into Cloud solutions. In addition, include Cloud solutions in overall Business Continuity Planning assessments, procedures and testing.

Leverage Cloud provider functionality for building resilience and continuity into Cloud solutions. In addition, include Cloud solutions in overall Business Continuity Planning assessments, procedures and testing.

Most Cloud Providers at PaaS and IaaS levels will offer multiple regions and provide the Bank with the ability to maintain workloads in specific regions only, whilst maintaining multiple sites in selected regions. Any CSP that cannot at minimum provide multiple sites within one region should not be treated as a viable selection. The Bank should consider the impact of BREXIT when setting regional restrictions, as some workloads may need to be restricted to the UK region only across 2 sites to maintain an active configuration.

Negotiate with the provider to include this as an obligation in the service contract.

Backup policies can be customised to suit the requirements of the solution using the CSP's offering.

IS Comments