
KARACHI: The State Bank of Pakistan (SBP) on Monday issued “Framework on Outsourcing to Cloud Service Providers (CSPs)” to set out minimum requirements for SBP’s Regulated Entities (REs) to outsource their material and non-material workloads through a risk-based approach in a safe and secure manner.

In order to enable SBP’s regulated entities to design and offer innovative products and services by embracing the cloud technology and effectively manage the risks arising out of these arrangements, SBP has developed ‘Framework on Outsourcing to Cloud Service Providers’.

As per SBP, the framework has set out minimum requirements for Banks, Digital Banks, Microfinance Banks, Development Finance Institutions, Electronic Money Institutions, Payment System Operators and Payment System Providers to outsource their material and non-material workloads to CSPs through a risk-based approach in a safe and secure manner. Henceforth, all cloud outsourcing arrangements by the SBP’s regulated entities will be governed under this framework.

REs may outsource their workloads to CSPs in the manner prescribed in the framework. SBP has directed the REs to ensure that all existing cloud outsourcing arrangements are compliant with the requirements of the framework by December 31, 2023.

This framework sets out minimum requirements for REs to outsource their material and non-material workloads to CSPs. However, certain requirements which are applicable only to material workloads have been specifically mentioned.

For the purpose of these regulations, material workload means all systems, applications, and services that are fundamental for carrying out business of an RE, and if disrupted, have the potential to significantly impact an institution’s business operations, reputation or profitability.

REs may outsource all types of workloads to reputable onshore CSPs. However, outsourcing of their material workloads to offshore CSPs will be subject to SBP approval, whereby SBP may grant approval on a case-by-case basis after considering the systemic implications of the cloud outsourcing (CO) arrangement.

For approval to outsource material workloads to offshore CSPs, banks, MFBs, DBs and DFIs will be required to submit their request to SBP, and while granting approval to banks, MFBs, DBs, DFIs and designated PSOs/PSPs, SBP may impose additional terms and conditions over and above the requirements of this framework.

The structure and processes for managing CO arrangements are vital for maximizing the benefits and managing the associated risks. REs planning to outsource their workloads to CSPs need to consider adapting their organizational structure for effective and efficient oversight of CSPs, specifically pertaining to performance, operational effectiveness of controls and remediation.

REs must exercise reasonable care before entering into CO arrangements. To ensure effective management of the associated risks, REs have been advised to conduct reasonable due diligence of the CSPs and their material subcontracting arrangements by using defined criteria.

Outsourcing of workloads to the CSPs does not relieve the REs of the responsibility of safeguarding data confidentiality and integrity. In this regard, REs must ensure that their data in the cloud environment is clearly identifiable and segregated.

The dynamic and evolving nature of cyber threats requires a high degree of validation and testing of the security posture of an enterprise, on a periodic basis. However, security testing of the systems and applications in the cloud environment is challenging due to the inherent shared service model. Therefore, REs will conduct vulnerability assessment, penetration testing and scenario-based security testing of their systems hosted with the CSPs on a periodic basis, at least once annually.

Copyright Business Recorder, 2023

