KARACHI: The State Bank of Pakistan (SBP) on Monday issued the “Framework on Outsourcing to Cloud Service Providers (CSPs)” to set out minimum requirements for SBP’s Regulated Entities (REs) to outsource their material and non-material workloads through a risk-based approach in a safe and secure manner.

To enable its regulated entities to design and offer innovative products and services by embracing cloud technology, and to effectively manage the risks arising out of these arrangements, SBP has developed the ‘Framework on Outsourcing to Cloud Service Providers’.

As per SBP, the framework has set out minimum requirements for Banks, Digital Banks, Microfinance Banks, Development Finance Institutions, Electronic Money Institutions, Payment System Operators and Payment System Providers to outsource their material and non-material workloads to CSPs through a risk-based approach in a safe and secure manner. Henceforth, all cloud outsourcing arrangements by SBP’s regulated entities will be governed under this framework.

REs may outsource their workloads to CSPs in the manner prescribed in the framework. SBP has directed the REs to ensure that all existing cloud outsourcing arrangements are compliant with the requirements of the framework by December 31, 2023.

This framework sets out minimum requirements for REs to outsource their material and non-material workloads to CSPs. However, certain requirements that apply only to material workloads have been specifically mentioned.

For the purpose of these regulations, material workload means all systems, applications, and services that are fundamental for carrying out the business of an RE and that, if disrupted, have the potential to significantly impact an institution’s business operations, reputation or profitability.

REs may outsource all types of workloads to reputable onshore CSPs. However, outsourcing of their material workloads to offshore CSPs will be subject to SBP approval, which SBP may grant on a case-to-case basis after considering the systemic implications of the cloud outsourcing (CO) arrangement.

For approval to outsource material workloads to offshore CSPs, banks, MFBs, DBs and DFIs will be required to submit their request to SBP. While granting approval to banks, MFBs, DBs, DFIs and designated PSOs/PSPs, SBP may impose additional terms and conditions over and above the requirements of this framework.

The structure and processes for managing CO arrangements are vital for maximizing the benefits and managing the associated risks. REs planning to outsource their workloads to CSPs need to consider adapting their organizational structure for effective and efficient oversight of CSPs, specifically pertaining to performance, operational effectiveness of controls and remediation.

REs must exercise reasonable care before entering into CO arrangements. To ensure effective management of the associated risks, REs have been advised to conduct reasonable due diligence of the CSPs and their material subcontracting arrangements by using defined criteria.

Outsourcing workloads to CSPs does not relieve REs of the responsibility for safeguarding data confidentiality and integrity. In this regard, REs must ensure that their data in the cloud environment is clearly identifiable and segregated.

The dynamic and evolving nature of cyber threats requires a high degree of validation and testing of the security posture of an enterprise on a periodic basis. However, security testing of systems and applications in the cloud environment is challenging due to the inherent shared service model. Therefore, REs will conduct vulnerability assessment, penetration testing and scenario-based security testing of their systems hosted with the CSPs on a periodic basis, at least once annually.

Copyright Business Recorder, 2023