Confidential
Page 1 of 50
10006608-2
INDONESIA – BANKS
GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE TO FINANCIAL SERVICES INSTITUTIONS
USING CLOUD COMPUTING (AZURE)
Last updated: March 2015
1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?
This document is a guide to the regulatory process and requirements that apply to financial services institutions using cloud computing. In this guidance, “financial services institutions” (“FSIs”) means banks.
Sections 2 to 6 of this guidance set out information about the regulatory process and the regulations that apply.
Section 7, Part A, sets out some information, tips and template responses for each of the items included in the information sheet of Annex to BI Circular
Letter No. 9/30/DPNP. Part A should assist you to collate the report which you are required to submit to the OJK in order to obtain the OJK’s approval.
Part B sets out additional questions in relation to outsourcing to a cloud services solution based on the laws, regulations and guidance that are relevant
to the use of cloud services. Although there is no requirement to answer the questions in Part B in a checklist like this one, we have received feedback
from FSIs that a checklist approach like this is very helpful. Part A and Part B can be used:
(i) as a checklist for ensuring regulatory compliance with the requirements set out in the laws, regulations and guidelines (listed in Section 2); and
(ii) as a tool to aid discussions with the regulator(s) (listed in Section 3), should they wish to discuss your organization’s overall approach to
compliance with their requirements.
Appendix One also contains a list of the mandatory contractual requirements required by relevant regulation.
Note that this document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment. Instead, it is
intended to streamline the regulatory process for you. You should seek independent legal advice on your technology outsourcing project and your legal
and regulatory obligations.
2. WHAT LAWS, REGULATIONS AND GUIDANCE ARE RELEVANT?
The use of cloud services is considered to be an “outsourcing arrangement” and subject to regulatory supervision.
The relevant documents are as follows. We have included a hyperlink where the documents are available online and, where available, the links are to
English translations that have been prepared by public authorities. However, the translations are not always the latest versions or official translations
since they have not been updated periodically. Therefore, they should be used only for reference and should not be relied upon.
Bank Indonesia Regulation 9/15/PBI/2007 on Implementation of Risk Management in the Use of Information Technology by Commercial Banks (“BI
Regulation 9/2007”)
BI Circular Letter No. 9/30/DPNP dated 12 December 2007 (“BI Circular Letter No. 9/30”), which can be viewed as the implementing guidelines to BI Regulation 9/2007 (note that only the appendix containing the detailed guidelines is available in English, and not the appendix containing the information sheet which must be completed, as explained in section 5)
Indonesian Banking Law (“Law No.10 of 1998”)
Law No.11 of 2008 on Electronic Transaction and Information (“ITE Law”)
Note: Under Government Regulation No. 82 of 2012 on Electronic System and Transaction (“GR 82”), operators of an electronic system used for
providing public services are required to locate their data centers and disaster recovery centers within Indonesia. GR 82 provides that further details will
be set out in subsidiary regulations, including guidance on what entities will be considered as providing public services. Based on current draft subsidiary
regulations to GR 82, it appears that GR 82 will apply primarily to public sector entities. Therefore it is unlikely that GR 82 will apply to non-public sector
customers, including FSIs (and therefore the requirement for local data centers and local disaster recovery centers does not apply to FSIs).
3. WHO IS/ARE THE RELEVANT REGULATOR(S)?
The Financial Services Authority of Indonesia (“OJK”) is the government agency which regulates and supervises FSIs (having taken over the
responsibilities of The Central Bank of Indonesia (“BI”) as of 31 December 2013).
Note: As a result of OJK taking over the responsibilities of BI as of 31 December 2013, it is expected that the OJK may make changes to the above documents or issue new ones in due course. However, no timetable or details are available at the current time.
4. IS REGULATORY NOTIFICATION OR APPROVAL REQUIRED?
Yes.
FSIs must report on any intended outsourcing arrangements to the OJK and obtain approval. Cloud services would be considered outsourcing
arrangements subject to this approval requirement.
5. IS/ARE THERE (A) SPECIFIC FORM(S) OR QUESTIONNAIRE(S) TO BE COMPLETED?
Yes.
FSIs need to complete and submit a report to OJK as part of the approval process explained above, which includes various letters and plans. The content of the report must conform with the information sheet set out in an annex to BI Circular Letter No. 9/30/DPNP dated 12 December 2007 (which is unfortunately only available in Bahasa). Section 7, Part A, sets out some information, tips and template responses for each of the items included in the information sheet of the Annex to BI Circular Letter No. 9/30/DPNP.
6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?
Yes.
The OJK does specifically mandate contractual requirements that must be agreed by FSIs with their service providers. These can be found in various
sections of the BI Regulation 9/2007 and also in BI Circular Letter No. 9/30. Appendix One contains a list of the requirements that must be included in
contracts with cloud service providers and details of where in the Microsoft contractual documents these requirements are covered.
7. CHECKLIST
Key:
In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the point
raised in the checklist. Some points are specific to your own internal operations and processes and you will need to complete these answers as well.
In red italics, Microsoft has provided guidance to assist you with the points in the checklist.
Ref. Question/requirement Template response and guidance
PART A: REPORT REQUIREMENTS
This section contains the items set out in the information sheet of Annex to BI Circular Letter No. 9/30/DPNP which should be collated into a report to
be submitted to OJK in order to obtain the OJK’s approval.
1. Name and address of the cloud service provider. Annex to BI Circular Letter No. 9/30/DPNP.
The Service Provider is the regional licensing entity for Microsoft Corporation, a
global provider of information technology devices and services, which is publicly-
listed in the USA (NASDAQ: MSFT). Microsoft’s full company profile is available
here: https://www.microsoft.com/en-us/news/inside_ms.aspx.
For the correct Service Provider name relevant for your region, please review your
Microsoft license agreement. Please also obtain the address details from your
Microsoft contact.
[Address to be inserted.]
2. Summary of requirements and due diligence conducted by the bank with regard to its plan to have a data center abroad.
Annex to BI Circular Letter No. 9/30/DPNP.
Details regarding the due diligence that OJK expects to be carried out on potential service providers and solutions can be found in the Guidelines Annex to BI Circular Letter No. 9/30/DPNP, Chapter II, section 2.3(c) (which states that FSIs must carry out a selection process with reference to the FSI’s own guidelines on outsourcing as well as its internal policies and procedures), and Chapter X, section 10.3.2, which details the service provider selection process and due diligence (including the RFP stage) that OJK would expect you to have undertaken. These are reflected in the following.
The process covered:
a. The outlining of our business requirements for the use of third parties to provide the services. We identified the functions and activities to be outsourced and the potential risks of such outsourcing. As a result we produced a document with a detailed illustration of our expectations in respect of the services from the service provider (please see attached). The Guidelines Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.2.1(a) to (g) contains a list of the items that OJK would expect you to include in this document of requirements.
b. A request for proposal (RFP) stage. A copy is attached. Note: you may want to add in details of how many different providers you approached and any other details of how you ran this process. See the Guidelines Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.2.2 for more details.
c. Due diligence in relation to the potential service providers. In particular we looked at the following: Note this is the list found in the Guidelines Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.2.2.3, but that list is expressed as including the minimum aspects which should be covered, so you may well want to add to this.
The service provider company’s history: Microsoft is an industry leader in
cloud computing. Azure was built based on ISO/IEC 27001 standards and was
the first major business productivity public cloud service to have implemented
the rigorous set of global standards covering physical, logical, process and
management controls. Microsoft Corporation, the parent company, is publicly-
listed in the United States and is amongst the world’s largest companies by
market capitalization.
The service provider’s qualifications, background and reputation: 40% of
the world’s top brands use Azure. Some case studies are available on the
Microsoft website. FSI customers in leading markets, including in the UK,
France, Germany, Australia, Hong Kong, Canada, the United States and many
other countries have performed their due diligence and, working with their
regulators, are satisfied that Azure meets their respective regulatory
requirements. This gives us confidence that the service provider is able to
help meet the high burden of financial services regulation and is experienced
in meeting these requirements.
References from other companies using the same services from the
service provider: We consulted various case studies relating to Azure, which
are available on the Microsoft website and also considered the fact that
Microsoft has amongst its customers some of the world’s largest organizations
and FSIs. FSI customers in leading markets, including in the UK, France,
Germany, Australia, Hong Kong, Canada, the United States and many other
countries have performed their due diligence and, working with their
regulators, are satisfied that Azure meets their respective regulatory
requirements. This gives us confidence in our choice of service provider.
The financial condition of the service provider including a review of its
audited financial report: Microsoft Corporation is publicly-listed in the United
States and is amongst the world’s largest companies by market capitalization.
Microsoft’s audited financial statements indicate that it has been profitable for
each of the past three years. Its market capitalization is in the region of USD
280 billion. Accordingly, we have no concerns regarding its financial strength.
The capability and effectiveness of the service provider: The due
diligence carried out in all of the other areas listed here gives us confidence in
the capability and effectiveness of Microsoft.
The technology and system architecture: This will of course depend in part
on the solution that you choose. Your Microsoft contact will be able to provide
you with details and diagrams which you can use for this purpose once
decided.
The internal control environment, security history and scope of any audit: Microsoft is an industry leader in cloud security and implements policies and controls on par with or better than the on-premises data centers of even the most sophisticated organizations. As detailed elsewhere, we have confidence in the security of the solution and the systems and controls offered by the service provider. In addition to the ISO/IEC 27001 certification (with independent third party audit), Azure is designed for security, with controls for encryption of data at rest and SSL/TLS encryption of data in transit. All personnel with access to customer data are subject to background screening, security training and access approvals, and access levels are reviewed periodically to ensure that only users with an appropriate business justification retain access to the systems. User access to data is also limited by user role; for example, system administrators are not given database administrative access.
The service provider’s compliance with existing laws and regulations: As
a world leading technology provider with an excellent track record, experience
in serving clients in the financial services sector and being subject to
independent audit and scrutiny, we have no grounds for concern regarding
Microsoft’s compliance with existing laws and regulations.
Trust and success in the relationship management with sub-contractors: Microsoft is contractually required to maintain a list of authorized subcontractors, which is updated periodically. The current list is available on the Microsoft Trust Centre. If we do not approve of a subcontractor that is added to the list, then we have the right to terminate the affected online services. Microsoft is experienced in using trusted sub-contractors to provide limited services on its behalf, such as customer support. Any such subcontractors will be permitted to obtain our data only to deliver the services Microsoft has retained them to provide, and they are prohibited from using such data for any other purpose. Microsoft remains responsible for its subcontractors’ compliance, and all subcontractors will have entered into written agreements with Microsoft requiring the subcontractor to abide by terms no less protective than Microsoft’s agreement with us.
Insurance cover: Microsoft self-insures and, in view of the size and reputation
of the organization, we are comfortable with this position.
The service provider’s ability to provide disaster recovery and business continuity: Microsoft offers contractually guaranteed uptime. The services are hosted in world-class data centers with physical redundancy at the disk, NIC, power supply and server levels; constant content replication; robust backup, restoration and failover capabilities; real-time issue detection and automated response, so that workloads can be moved off failing infrastructure components with no perceptible impact on the service; and 24/7 on-call engineering teams.
The service provider’s implementation of risk management: Microsoft as an outsourcing partner is an industry leader in risk management for the service it is providing. One of the key risks that Microsoft is required to manage is security. Microsoft’s cloud security is market leading, and Microsoft implements policies and controls on par with or better than the on-premises data centers of even the most sophisticated organizations. Azure was built based on ISO/IEC 27001 standards, a rigorous set of global standards covering physical, logical, process and management controls. The Microsoft Azure security features (Azure being the product that the organization will be using) consist of three parts: (a) built-in security features, including encryption of data in transit and at rest; (b) security controls; and (c) scalable security. These include 24-hour monitored physical hardware, isolated customer data, automated operations and lock-box processes, secure networks and encrypted data.
The results report of any independent third party assessment: As part of its certification requirements, Microsoft is required to undergo regular independent third party audits and shares the resulting audit reports with us. The Microsoft service is subject to the SSAE16 SOC1 Type II audit, an independent third party audit, and Microsoft will make the report available to us. Microsoft will also make the ISO/IEC 27001 audit report available to us.
d. We also undertook the following: See Guidelines Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.2.4, which sets out these requirements.
An evaluation of the implementation of risk management by the service
provider.
A check to ensure that the service provider would provide the reports needed to monitor its performance, including to determine whether any monitoring program is required. For example, we have access rights (at any time) to the online dashboards, which provide live information on the performance of Microsoft’s services against performance measures.
A cost-benefit analysis for the different options in accordance with our IT strategic plan and business plan. See Guidelines Annex to BI Circular Letter No. 9/30/DPNP, Chapter I, section 1.2.2 for details of what OJK expects in terms of an IT strategic plan. See also the high level obligation in Article 18(2)(a)(3).
Ensuring that representatives of our IT work unit were able to present their
opinions and analysis of the results of the due diligence and selection process.
Ensuring that the service provider would implement adequate IT controls, including physical security and logical security. This included ensuring that Microsoft would submit to us the latest results of any independent third party audits. As part of its certification requirements, Microsoft is required to undergo regular independent third party audits and shares the audit reports with us. The Microsoft service is subject to the SSAE16 SOC1 Type II audit, an independent third party audit, and Microsoft will make the report available to us. Microsoft will also make the ISO/IEC 27001 audit report available to us.
A check using annual reports and other sources to confirm that we are able to
monitor and evaluate the reliability of the service provider periodically.
Microsoft would also be happy to connect you with other FSI customers who
have taken up Microsoft’s online services and you could include details of
such customer references here. Please contact your Microsoft contact if you
would like to do this.
A check to confirm that our databases are accessible to OJK in a timely
manner for both current and past data. Microsoft contractually commits to us
that we will have access to our data at all times (see OST, page 11).
3. Draft agreement between the FSI and the cloud provider. Annex to BI Circular Letter No. 9/30/DPNP.
A copy is enclosed.
Note: please ask your Microsoft contact for a copy.
4. Summary of the risk analysis undertaken by the cloud provider for
the proposed provision of cloud services to the FSI.
Annex to BI Circular Letter No. 9/30/DPNP. Also Article 10(3), BI Regulation
9/2007.
Note: This ‘risk analysis’ is something that Microsoft, as opposed to the FSI, needs to prepare. However, no further details are available as to what exactly the regulator is looking for and what it should include, so this may be one aspect that the FSI and Microsoft discuss with OJK. Note that under the FSA you are also provided with access to Microsoft’s independent third party audit reports, and we have the right to review Microsoft’s Information Security Policies, along with other information we may reasonably request regarding Microsoft’s security practices and policies. In order to meet the objectives and demands of a robust service, Microsoft regularly conducts penetration testing and vulnerability assessments against the service through its commitment to the Security Development Lifecycle and ISO certification. The output of testing is tracked through a risk register which is audited and reviewed on a regular basis to ensure compliance with Microsoft’s security practices. In order to protect both the system and customer data, Microsoft does not provide copies of the testing reports; however, the tests conducted typically cover the OWASP Top Ten and involve independently verified security teams (CREST certified). Microsoft is happy to make available the ISO and SSAE 16 audit reports, which cover vulnerability assessments.
5. Summary analysis of costs and benefits for the implementation of
cloud services.
Annex to BI Circular Letter No. 9/30/DPNP and Article 18(2)(a)(3). You will need to provide details of the cost benefit analysis that you have conducted. There may be some cross-reference or duplication with your response to question 2 above.
See attached.
6. A description of the current and future intended IT architecture once
cloud services have been implemented.
Annex to BI Circular Letter No. 9/30/DPNP. Note, what you set out in your
attachment here will of course depend on the solution that you have decided to
deploy. Your Microsoft contact will be happy to work with you to provide a suitable
attachment for inclusion here.
See attached.
7. A monitoring plan that will be used by the FSI for the implementation
of the cloud services.
Annex to BI Circular Letter No. 9/30/DPNP. This is an overview document which must be prepared and submitted by the FSI. See Guidelines Annex to BI Circular Letter No. 9/30/DPNP, Chapter I, section 1.3.3 for details of what OJK expects FSIs to do in terms of risk measurement and monitoring, which should be factored into the plan which you provide. Guidelines Annex to BI Circular Letter No. 9/30/DPNP, Chapter III, section 3.3.12 also states that the FSI must assign personnel with the obligation to monitor the services of any IT service provider using a procedure which at least includes service surveillance, error reporting and documentation related to service delivery. Further high level obligations on FSIs in relation to monitoring can be found in Articles 6(5), 7(2)(f), 10(1), 12(1)(f), 15(2) and 18(2)(3).
You may find it useful to reference the following monitoring and reporting facilities which Microsoft provides in your response:
Monitoring for security incidents:
Microsoft’s systems, including its real-time monitoring facilities, enable us to fulfill
our reporting obligations to OJK in the event of a security breach or incident
occurring.
Microsoft implements “prevent, detect, and mitigate breach”, a defensive strategy aimed at predicting and preventing any security breach before it happens. This involves continuous improvements to built-in security features, including port scanning and remediation, perimeter vulnerability scanning, OS patching to the latest security updates, network-level DDoS (distributed denial-of-service) detection and prevention, and multi-factor authentication for service access. Wherever possible, human intervention is replaced by an automated, tool-based process, including routine functions such as deployment, debugging, diagnostic collection, and restarting services. Azure continues to invest in systems automation that helps identify abnormal and suspicious behavior and respond quickly to mitigate security risk. Microsoft is continuously developing a highly effective system of automated patch deployment that generates and deploys solutions to problems identified by the monitoring systems, all without human intervention. This greatly enhances the security and agility of the service.
In the event that a security incident or violation is detected, Microsoft Customer Service and Support notifies Azure subscribers by updating the Service Health Dashboard that is available on the Azure portal. We would have access to Microsoft’s dedicated support staff, who have deep knowledge of the service.
Microsoft provides a Recovery Time Objective (“RTO”) of 30 minutes or less for Virtual Machines and Storage, 1 hour or less for Virtual Network, and a Recovery Point Objective (“RPO”) of 1 minute or less for Storage.
Reporting and information:
Microsoft’s Service Level Agreement (“SLA”) applies to the Azure product. Our IT administrators also have access to the Azure Service Health Dashboard, which provides real-time and continuous monitoring of the Azure service. The Service Health Dashboard provides our IT administrators with information about the current availability of each service or tool (and a history of availability status), details about service disruptions or outages, and scheduled maintenance times. The information is also provided via an RSS feed.
Amongst other things, the SLA provides a contractual uptime guarantee for the Azure product and covers performance monitoring and reporting requirements which enable us to monitor Microsoft’s performance on a continuous basis against service levels.
As part of the support we receive from Microsoft, we also have access to a
technical account manager who is responsible for understanding our challenges
and providing expertise, accelerated support and strategic advice tailored to our
organization. This includes both continuous hands-on assistance and immediate
escalation of urgent issues to speed resolution and keep mission-critical systems
functioning. We are confident that such arrangements provide us with the
appropriate mechanisms for managing performance and problems.
Audit:
We are confident that in our choice of Microsoft as Service Provider we have far more extensive audit rights than most, if not all, other Service Providers offer. This was an important factor in our decision to choose this Service Provider, and it is a key component of our monitoring plan.
In particular, the following audit protections are made available by Microsoft:
1. As part of its certification requirements, Microsoft is required to undergo regular independent third party audits (via the SSAE16 SOC1 Type II audit, a globally-recognized standard), and Microsoft shares the audit reports with us. Microsoft also agrees, as part of the compliance program, to a customer right to monitor and supervise. We are confident that such arrangements provide us with the appropriate level of assessment of Microsoft’s ability to meet our policy, procedural, security control and regulatory requirements.
2. The OJK is given a contractual right of audit/inspection over Microsoft’s
facilities, so that it can assess and examine systems, processes and
security and regulatory compliance.
8. A letter from the FSI stating the availability of access by internal and
external auditors and the OJK to obtain data and information as
demanded.
Annex to BI Circular Letter No. 9/30/DPNP. The Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter IX contain details of OJK’s expectations in relation to the FSI’s own internal audit function. This letter is concerned with the FSI’s own internal auditors’ ability to audit the FSI’s data and information (even where that happens to be maintained by a third party), as opposed to an audit right over systems and infrastructure. FSI data and information will be owned by the FSI and accessible at any time. See also Article 18, BI Regulation 9/2007.
Microsoft does give audit rights to financial services regulators and provides FSIs with access to their data and information at all times. Your Microsoft contact would be happy to help you with the wording of such a letter if that would be helpful.
See attached.
9. If the FSI is a branch office of a foreign bank or owned by a foreign financial institution, the following items should also be provided:
(i) A letter from the supervisory authority/regulator of the country/state where the cloud service provider is located (i.e. where the contracting entity is based), declaring that the cloud service provider is under its jurisdiction;
(ii) A letter from the local monitoring authority (which would be the applicable regulator where the data centers and disaster recovery centers are located – essentially so that OJK can ensure that there is no impediment from the local authority to having the data centers inspected by OJK) in the event that OJK wishes to conduct an inspection of the data centers or disaster recovery center;
(iii) A letter from the FSI confirming that it will periodically submit an evaluation report (as per (iv) below) conducted by the related foreign bank (which should also include the proposed timeline for submission of such report);
(iv) An evaluation report from the foreign bank concerning the implementation of risk management conducted by the cloud service provider.
Annex to BI Circular Letter No. 9/30/DPNP.
Note: There is no further detail provided regarding what these letters or the evaluation report should contain. This is an area where the FSI and Microsoft may like to discuss the OJK’s expectations with the OJK, and whether there are any ways in which Microsoft is able to help the FSI in obtaining these, for example because Microsoft already has relationships with the relevant regulators.
10. A copy of a master plan by the FSI relating to (i) improvement of
quality toward its customers and (ii) improvement of human
resources in connection with the implementation of cloud services.
Annex to BI Circular Letter No. 9/30/DPNP. OJK is very keen to ensure that FSIs make efforts to increase and invest in the competency of human resources related to the management of IT through adequate training and education programs (see for example the Guidelines to BI Circular Letter No. 9/30/DPNP, Chapter I, sections 1.2.1.2(7) and (8) and 1.2.4). Your Microsoft contact would be happy to discuss ways in which Microsoft can help you with this, if that would be helpful.
See attached.
PART B: ADDITIONAL REQUIREMENTS WHEN USING AN OVERSEAS PROVIDER
Note that the following additional requirements are set out in the Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section 10.3.4
and are required in order to obtain OJK’s approval to the outsourcing. Whilst they are not specifically included in the information sheet for inclusion
in the report set out in Part A above, OJK will likely expect you to provide evidence to support that you and the intended outsourcing meet these
requirements so it is useful to have this information to hand or to even submit it with your report.
11. FSIs must conduct analysis and a feasibility study on government
policies and the political, social and economic and legal environment
in the countries where the IT services will be carried out.
Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section
10.3.4(a). BI Regulation 9/2007 contains high level obligations in relation to risk
management and security. The answer to this question will depend on the region
you are in. You may discuss this with your Microsoft contact. Microsoft enables
customers to select the region from which the service is provisioned.
Azure is hosted out of […..]. This/These location(s) has/have been vetted for
geopolitical/socioeconomic risks as set out in this checklist requirement. As part of
our usual processes, we constantly monitor the countries in which we operate.
We specifically considered the following:
a. Political (i.e. cross-border conflict, political unrest etc.). Azure offers
data-location transparency so that organizations and regulators are
informed of the jurisdiction(s) in which data is hosted. We are confident that
Microsoft’s data center locations offer extremely stable political environments.
b. Country/socioeconomic. Azure offers data-location transparency so that the
organizations and regulators are informed of the jurisdiction(s) in which data is
hosted. The centers are strategically located around the world taking into
account country and socioeconomic factors. We are confident that Microsoft’s
data center locations offer extremely stable socioeconomic environments.
c. Infrastructure/security/terrorism. Microsoft’s data centers are built to
exacting standards, designed to protect customer data from harm and
unauthorized access. Data center access is restricted 24 hours per day by job
function so that only essential personnel have access. Physical access control
uses multiple authentication and security processes, including badges and
smart cards, biometric scanners, on-premises security officers, continuous
video surveillance and two-factor authentication. The data centers are
monitored using motion sensors, video surveillance and security breach
alarms.
d. Environmental (i.e. earthquakes, typhoons, floods). Microsoft data centers
are built in seismically safe zones. Environmental controls have been
implemented to protect the data centers including temperature control,
heating, ventilation and air-conditioning, fire detection and suppression
systems and power management systems, 24-hour monitored physical
hardware and seismically-braced racks. These requirements are covered by
Microsoft’s ISO/IEC 27001 accreditation for Azure.
e. Legal. We will have in place a binding negotiated contractual agreement with
Microsoft in relation to the outsourced service, giving us direct contractual
rights. We also took into account the fact that Azure was built based on
ISO/IEC 27001 standards, a rigorous set of global standards covering
physical, logical, process and management controls. Finally, we took into
account the fact that Microsoft offers access and regulator audit rights thereby
allowing us to comply with our regulatory obligations in this respect.
12. FSIs need to analyze their ability to monitor the service provider
effectively, including its ability to carry out the business continuity
plan and early termination.
Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section
10.3.4(a). In addition to explaining your own internal processes, you may in this
context also wish to mention the contractual vendor management rights that you
have under your agreements with Microsoft, including the rights of audit and
inspection. Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter VI
sets out OJK’s expectations in relation to your own business continuity plan. See
also Articles 12 and 13, BI Regulation 9/2007 which contain the high level
obligations in relation to business continuity.
We have the ability to monitor Microsoft effectively. For example, we have access
rights (at any time) to the online dashboards, which provide live information in
relation to Microsoft’s services’ performance against performance measures. We
also, as part of the support we receive from Microsoft, have access to a technical
account manager who is responsible for understanding our challenges and
providing expertise, accelerated support and strategic advice tailored to our
organization. This includes both continuous hands-on assistance and immediate
escalation of urgent issues to speed resolution and keep mission-critical systems
functioning. We are confident that such arrangements provide us with the
appropriate mechanisms for managing performance and problems.
We are able to monitor Microsoft’s business continuity plans. Microsoft has
provided us with detailed information in relation to its business continuity plans.
Business continuity management forms part of the scope of the accreditation that
Microsoft retains in relation to the online services, and Microsoft contractually
commits to maintain a data security policy that complies with these accreditations
(see OST, page 13). Business Continuity Management also forms part of the
scope of Microsoft’s annual third party compliance audit. In addition, if a business
continuity incident occurs, Microsoft conducts a thorough post-incident review every
time. Microsoft’s post-incident review consists of an analysis of what happened,
Microsoft’s response, and Microsoft’s plan to prevent a recurrence. In the event
the organization was affected by a service incident, Microsoft shares the post-
incident review with the organization.
In relation to termination, our agreement with Microsoft is terminable by us for
convenience at any time by providing not less than 60 days’ notice. Any sub-
agreements to the MBSA are terminable by us for convenience at any time by
providing not less than 30 days’ notice. In addition, we have standard rights of
termination for material breach. This gives us the flexibility and control we need to
manage the relationship with Microsoft because it means that we can terminate
the arrangements with or without cause. Aside from these contractual
remedies, it is important to note that we are always in control of our data. As such,
we could (at any time) choose to migrate our data to an alternate service provider
with or without relying on the above contractual remedies.
13. FSIs must carry out a country risk analysis which shows that there
are no significant impacts from the location of the country including in
the event of a dispute with the country where the service provider is
located.
Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section
10.3.4(b).
See our response to question 11 above. We do not have concerns regarding the
location of the services.
We have obtained legal advice in relation to our ability to bring a claim in the event
of a dispute and are comfortable that our rights are protected.
14. FSIs must conduct an assessment on the local regulations in the
countries where the service provider is established that require the
service provider to provide information disclosure on customer’s data
(even though there may be confidentiality restrictions and controls in
the service agreement).
Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section
10.3.4(c).
Ultimately it is for the FSI to be comfortable on this point. This is one area that
Microsoft and the FSI could discuss with OJK to understand further what their
expectations and concerns are here. Microsoft has provided some further
information here, that may assist:
Microsoft is transparent in relation to the location of our data. Microsoft data
center locations are made public on the Microsoft Trust Center. By participating in
the Microsoft Online Services Customer Compliance Program under section 2d of
the FSA, we will have access to Microsoft’s data center roadmap which will give us
advance warning of new data center locations.
If there is any regulatory request to access data, Microsoft will not disclose our
data to law enforcement authorities unless it is legally obliged to do so, and only
after not being able to redirect the request to us (see OST, page 8). Otherwise,
Microsoft will not disclose our data to other people looking for access.
15. FSIs may only make agreements with other parties which operate in
a jurisdiction which generally supports the clause and agreement of
confidentiality. FSIs must ensure that the service agreement with the
service provider also includes the choice of law and FSI should be
able to understand the possible impact from the choice of law
provisions in order to be able to resolve disputes or legal problems in
the future.
Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section
10.3.4(d). See also Article 11, BI Regulation 9/2007.
MBSA section 11h sets out the choice of law provision. Either the contract is
governed by the laws of the State of Washington, if the contract is with a Microsoft
affiliate located outside of Europe, or the contract is governed by the laws of
Ireland, if the contract is with a European Microsoft affiliate.
MBSA section 11e sets out the jurisdictions in which the parties must bring their
actions. Microsoft must bring actions against the customer in the country where
the customer’s contracting party is headquartered. The customer must bring
actions: (a) in Ireland, if the action is against a Microsoft affiliate in
Europe; (b) in the State of Washington, if the action is against a Microsoft affiliate
outside of Europe; or (c) in the country where the Microsoft affiliate delivering the
services has its headquarters, if the action is to enforce a Statement of Services.
We have sought legal advice on our rights and any risks in relation to the
jurisdictional issues relating to the arrangement and are comfortable with the
position, in particular in relation to the enforceability of the confidentiality clause.
16. The FSI must ensure that the database structure of every application
used is owned by the FSI and stored in the FSI’s office in Indonesia
and that there are officers of the FSI inside the state who
understand the database structure including the technical references
of said database. FSIs must ensure that the placement of data
centers outside Indonesia does not obstruct attempts to observe and
reconstruct the FSI’s activities inside the state (i.e. accounting and
accounts) in a timely manner.
Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section
10.3.4(e).
We have selected the Azure product because it provides us with control over our
data, including data location, access and authentication. We (not Microsoft) will
continue to own and retain all rights to our data and our data will not be used for
any purpose other than to provide us with the Azure services, and Microsoft
commits to these points in its contract with our organization. Our officers inside
the state have access at all times to our data held by Microsoft (and Microsoft
commits to this point in its contract with our organization).
Clause 1f of the FSA gives the customer the opportunity to participate in the
Microsoft Online Services Customer Compliance Program, which is a for-fee
program that facilitates the customer’s ability to assess the services’
controls and effectiveness and to communicate with Microsoft’s subject matter
experts. Therefore, this program provides a facility through which the FSI, if
necessary, can find out more about the database structure, including the technical
references of the database.
We have carried out a thorough review of Microsoft’s data center locations where
our data will be processed and we are confident that the country risks and
potential obstacles in exercising oversight and management of the arrangements
are adequately dealt with in our contract with Microsoft.
17. FSIs cannot place data centers in a jurisdiction where access to
information by OJK or other parties appointed by OJK to act on
behalf of OJK on the data center/the service provider can be
obstructed by legal or administrative restrictions.
Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section
10.3.4(f). The answer to this question will depend on the region you are in. You
may discuss this with your Microsoft contact. Microsoft enables customers to
select the region from which the service is provisioned.
The data centers will be in [….]. We have no reason to believe that there would
be any obstruction in the form of administrative or legal restrictions in those
countries which would prevent OJK, or other parties appointed by OJK, from
accessing relevant information.
18. FSIs must conduct a review on how the outsourcing would still
enable the access from the FSI’s auditor from internal, external or
OJK to obtain necessary data and information for the carrying out of
IT promptly whenever necessary.
Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section
10.3.4(g).
We have carried out a review and are confident that in Microsoft we are choosing
a provider that not only has data centers in safe jurisdictions but one that provides
contractual commitments to audit rights which are more extensive than most
service providers. We have a number of rights in relation to audit in our contract
with Microsoft:
a. In our contract with Microsoft (see the FSA) we have the opportunity to
participate in the Microsoft Online Services Customer Compliance Program,
which is a for-fee program that allows us (a) to evaluate the services provided
and (b) to review Microsoft’s internal control environment. Specifically, this
compliance program facilitates our ability to (a) assess the services’ controls
and effectiveness, (b) access data related to service operations, (c) maintain
insight into operational risks of the services, (d) be provided with additional
notification of changes that may materially impact Microsoft’s ability to provide
the services, and (e) provide feedback on areas for improvement in the
services.
b. We have access rights (at any time) to the online dashboards, which provide
live information in relation to Microsoft’s services’ performance against
performance measures.
c. Under our contract with Microsoft, Microsoft will also make its Online
Information Security Policy available to us, along with other information
reasonably requested by us regarding Microsoft security practices and
policies.
d. In addition, as part of Microsoft’s certification requirements, Microsoft is required
to undergo regular independent third party auditing, and Microsoft shares with
us the independent third party audit reports. Under the FSA, section 2c,
Microsoft will provide to us copies of its audit reports so that we can verify
Microsoft’s compliance with its obligations.
e. There are provisions in our contract with Microsoft that enable our regulators
to carry out inspection or examination of Microsoft’s facilities, systems,
processes and data relating to the services. These are set out in Section 2a of
the FSA.
f. Under Section 2a of the FSA we are entitled to delegate our rights of access to
the service to representatives of our regulator. We are also entitled under
Section 2a to share the information and resources with our regulator that
Microsoft makes available to us under the contract. This includes copies of
Microsoft’s audit reports and information about findings of Microsoft’s
independent third party auditors. The examination and influence rights that
are granted to the regulator and the process can culminate in the regulator’s
examination of Microsoft’s services, records, reports and premises.
19. FSIs must notify OJK if there are authorities outside Indonesia which
request access to information about the FSI’s customers or if a situation
arises where the right of access of the FSI or OJK to obtain
information and documents is restricted or refused.
Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section
10.3.4(h).
Yes.
We will make such a notification to OJK in any such event.
We note also that Microsoft will not disclose our data to a law enforcement
authority unless it is legally obliged to do so, and only after not being able to
redirect the request to us (see OST, page 8).
20. OJK should have the ability to terminate the service agreement in the
event that any such obstruction to conduct an assessment on the
data centers etc. occurs.
Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section
10.3.4(i).
We have termination rights that allow us to terminate the contract with Microsoft at
will and also in the event of a material breach. We are therefore able to terminate
the contract e.g. in the event that there is an obstruction to conduct an assessment
of the data centers.
We note also that Microsoft is under a contractual obligation to provide audit rights
to OJK. These rights are set out in the FSA.
21. The cost benefit assessment must demonstrate that the benefits for
the FSI exceed the costs including the potential of increasing quality
of service to customers.
Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section
10.3.4(j). You will need to outline here details of the cost benefit analysis you have
undertaken in order to demonstrate you are able to meet this requirement. You will
likely want to cross-reference your responses to the other questions on cost
benefit assessments set out in part A.
22. The FSI’s assessment must include product development and
human resources planning. FSIs are required to improve the
capability of the FSI’s human resources in relation to IT or business
transactions or offered products even though the carrying out of IT is
located outside of Indonesia.
Guidelines in Annex to BI Circular Letter No. 9/30/DPNP, Chapter X, section
10.3.4(k). We would suggest that in this respect you can refer OJK to the response
you give and documents you provide under question 11 above.
APPENDIX ONE
MANDATORY CONTRACTUAL REQUIREMENTS
This table sets out the specific items that the OJK requires be covered in your agreement with Microsoft.
Key:
A cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.
In blue text, Microsoft has provided you with a reference to where in the agreement the contractual requirement is covered for ease of reference.
OST = Online Service Terms
EA = Enterprise Agreement
Enrolment = Enterprise Enrolment
FSA = Financial Services Amendment
MBSA = Microsoft Business and Services Agreement
PUR = Product Use Rights
SLA = Online Services Service Level Agreement
Ref. Requirement Microsoft agreement reference
1. The use of information technology service providers by
an FSI must be based on a written agreement which
contains at least the ability of said information
technology service provider to render services and or
as mentioned in paragraph (2) letter (b) – see below.
Article 18, paragraph (3), BI Regulation 9/2008
The contract pack is in writing and comprehensively sets out the scope of the arrangement and
the respective commitments of the parties. The online services are ordered under the
Enrollment, and the order will set out the online services. Sales of Microsoft product to
enterprise customers are made via a Microsoft reseller, who sets the end price with the
customer.
2. Service providers must implement sufficient information
technology control principles which are verified by audit
results carried out by independent parties.
Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(1)
Microsoft commits (see OST, page 9) to help protect the security of our information, to
implement, maintain and follow appropriate technical and organizational measures to protect
our information against accidental, unauthorized or unlawful access, disclosure, alteration, loss,
or destruction. These security measures are set out in more detail on pages 11 to 13 of the
OST.
The OST specifies the audit mechanisms that Microsoft puts in place in order to verify that the
online services meet appropriate technology controls and standards. This commitment is
reiterated in the FSA. Under the FSA, section 2c, Microsoft will provide to us copies of its audit
reports so that we can verify Microsoft’s compliance with its obligations.
In addition, Clauses 1e and 1f of the FSA detail the examination and influence rights that are
granted to the customer and the regulator. Clause 1e sets out a process which can culminate in
the regulator’s examination of Microsoft’s premises.
3. Service providers must provide access to necessary
data and information for the FSI’s internal auditor, for
external auditors appointed by the FSI and the auditor
of FSI promptly when required.
Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(2)
There are a number of provisions in our contract with Microsoft under which Microsoft is obliged
to provide us with necessary data and information.
1. The OST specifies the monitoring mechanisms that Microsoft puts in place in order to verify
that the online services meet appropriate security and compliance standards.
2. Under the OST Microsoft must also provide us with information about security incidents
(page 5).
3. Under the OST, on a confidential need-to-know basis, and subject to our agreement to non-
disclosure obligations Microsoft specifies, Microsoft will make the Online Information
Security Policy available to us, along with other information reasonably requested by
Customer regarding Microsoft security practices and policies (page 13).
4. Under the FSA, section 2c, Microsoft will provide to us copies of its audit reports so that we
can verify Microsoft’s compliance with its obligations.
5. Clause 1f of the FSA gives the customer the opportunity to participate in the Microsoft
Online Services Customer Compliance Program, which is a for-fee program that facilitates
the customer’s ability to (a) assess the services’ controls and effectiveness, (b) access data
related to service operations, (c) maintain insight into operational risks of the services, (d)
be provided with additional notification of changes that may materially impact Microsoft’s
ability to provide the services, and (e) provide feedback on areas for improvement in the
services.
4. Service providers must declare their acceptance to be
audited by OJK for given services.
Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(3)
There are provisions in our contract with Microsoft that enable our regulators to carry out
inspection or examination of Microsoft’s facilities, systems, processes and data relating to the
services. These are set out in Section 2a of the FSA.
Under Section 2a of the FSA we are entitled to delegate our rights of access to the service to
representatives of our regulator. We are also entitled under Section 2a to share the information
and resources with our regulator that Microsoft makes available to us under the contract. This
includes copies of Microsoft’s audit reports and information about findings of Microsoft’s
independent third party auditors. The examination and influence rights that are granted to the
regulator and the process can culminate in the regulator’s examination of Microsoft’s services,
records, reports and premises.
5. The service provider must guarantee the security of all
information including the FSI’s secrecy and customer’s
personal information.
Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(4)
MBSA section 3 deals with confidentiality. Under this section Microsoft commits not to disclose
our confidential information (which includes our data) to third parties and to only use our
confidential information for the purposes of Microsoft’s business relationship with us. Further,
Microsoft commits to take reasonable steps to protect our confidential information, to notify us if
there is any unauthorized use or disclosure of our confidential information and to cooperate with
us to help to regain control of our confidential information and prevent further unauthorized use
or disclosure of it.
Microsoft also makes specific commitments with respect to safeguarding our data in the OST. In
summary Microsoft commits that:
1. Ownership of our data remains at all times with us (see OST, page 8).
2. Our data will only be used to provide the online services to us and our data will not be used
for any other purposes, including for advertising or other commercial purposes (see OST,
page 8).
3. Microsoft will not disclose our data to law enforcement unless it is legally obliged to do so,
and only after not being able to redirect the request to us (see OST, page 8).
4. Microsoft will implement and maintain appropriate technical and organizational measures,
internal controls, and information security routines intended to protect our data against
accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction (see
OST, page 8 and pages 11-13 for more details).
5. Microsoft will notify us if it becomes aware of any security incident, and will take reasonable
steps to mitigate the effects and minimize the damage resulting from the security incident
(see OST, page 9).
6. Service providers may sub-contract part of their
services only with a written agreement.
Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(5)
Yes.
Microsoft commits that any subcontractors to whom Microsoft transfers our data will have
entered into written agreements with Microsoft that are no less protective than the data
processing terms in the OST (OST, page 11).
The confidentiality of our data is protected when Microsoft uses subcontractors because
Microsoft commits that its subcontractors “will be permitted to obtain Customer Data only to
deliver the services Microsoft has retained them to provide and will be prohibited from using
Customer Data for any other purpose” (OST, page 9).
Microsoft maintains a list of authorized subcontractors for the online services that have access
to our data and provides us with a mechanism to obtain notice of any updates to that list (OST,
page 10). The actual list is published on the applicable Trust Center. If we do not approve of a
subcontractor that is added to the list, then we are entitled to terminate the affected online
services.
7. Service providers must report on every critical
occurrence with possible consequences of significant
monetary loss and/or disturbance to the operational
activities of the FSI.
Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(6)
Yes.
Microsoft will notify us if it becomes aware of any security incident, and will take reasonable
steps to mitigate the effects and minimize the damage resulting from the security incident (see
OST, page 9).
8. Service providers must periodically submit the result of
information technology audits carried out by
independent auditors on the carrying-out of data
centers, disaster recovery centers and/or technology
based transaction processes to OJK through the related
FSI.
Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(7)
Under Section 2a of the FSA we are entitled to delegate our rights of access to the service to
representatives of our regulator. We are also entitled under Section 2a to share the information
and resources with our regulator that Microsoft makes available to us under the contract. This
includes copies of Microsoft’s audit reports and information about findings of Microsoft’s
independent third party auditors. Microsoft commits to providing the customer with a summary
of Microsoft’s annual audit report, which is performed by an independent third party and
measures compliance against Microsoft’s certifications. The OST specifies the audit and
monitoring mechanisms that Microsoft puts in place in order to verify that the online services
meet appropriate security and compliance standards.
9. Service providers must provide an adequate and
properly tested disaster recovery plan.
Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(8)
Business Continuity Management and disaster recovery form part of the scope of the
accreditation that Microsoft retains in relation to the online services, and Microsoft commits to
maintain policies that comply with these accreditations (see page 13 of the OST). Business
continuity management and disaster recovery also form part of the scope of Microsoft’s annual
third party compliance audit.
In addition, RTO requirements are set out in the SLA.
10. Service provider must be willing to accept the possibility
of early termination.
Article 18 paragraph 3, BI Regulation 9/2008 and paragraph (2)(b)(9)
Yes.
We have the right to terminate our contract with Microsoft for convenience (MBSA section 8) by
providing 60 calendar days prior written notice. Under the same section, we may also terminate
the contract if Microsoft is in material breach or default of any obligation that is not cured within
30 calendar days’ notice of such breach. These rights give us the flexibility and control we need
to manage the relationship with Microsoft because it means that we can terminate the
arrangements whether with or without cause. We have also assessed the timeliness and
expense of these termination provisions and we are comfortable with these.
If we exercise this right Microsoft contractually commits to retain our data stored in the Online
Service in a limited function account for 90 days after expiration or termination of our
subscription so that we may extract the data (OST, page 5). Microsoft does not charge us a fee
to extract the data.
11. Scope of work/service. Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(a)
The contract pack is in writing and comprehensively sets out the scope of the arrangement and
the respective commitments of the parties. The online services are ordered under the
Enrollment, and the order will set out the online services.
The services are broadly described, along with the applicable usage rights, in the Product List
and OST. The services are described in more detail in OST, which includes a list of service
functionality at OST, page 10 and core features of the Azure Services at pages 15-25.
12. Cost and duration of the agreement. Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(b)
Sales of Microsoft product to enterprise customers are made via a Microsoft reseller, who sets
the end price with the customer. In general, the customer is required to commit to annual
payments (payable in advance) based upon the customer’s number of users.
Enrollments have a three year term, and may be renewed for a further three year term.
13. Rights and obligations of the FSI and of the service
provider.
Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(c)
Yes.
The contract pack comprehensively sets out the scope of the arrangement and the respective
commitments of the parties.
MBSA section 6 deals with liability. In summary: The liability of both parties is limited at an
annual cap of the fees payable for the online services. However, subject to the terms of the
MBSA, the liability of the parties under Section 5 of the MBSA (Defense of infringement,
misappropriation, and third party claims) is unlimited.
MBSA section 5 sets out Microsoft’s obligation to defend the regulated entity against third party
infringement and breach of confidence claims. Subject to the terms of the MBSA, Microsoft’s
liability under section 5 is unlimited.
14. Security guarantee and confidentiality agreement. Data
should only be accessible by the FSI.
Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(d)
Yes.
MBSA section 3 deals with confidentiality. Under this section Microsoft commits not to disclose
our confidential information (which includes our data) to third parties and to only use our
confidential information for the purposes of Microsoft’s business relationship with us. Further,
Microsoft commits to take reasonable steps to protect our confidential information, to notify us if
there is any unauthorized use or disclosure of our confidential information and to cooperate with
us to help to regain control of our confidential information and prevent further unauthorized use
or disclosure of it.
We retain the ability to access our data at all times (OST, page 11), and Microsoft will deal with
our data only in accordance with the terms of the Enrollment and the OST.
Following termination Microsoft will (unless otherwise directed by us) delete our data after a 90
day retention period (OST, page 5).
Microsoft also makes specific commitments with respect to safeguarding our data in the OST. In
summary Microsoft commits that:
1. Ownership of our data remains at all times with us (see OST, page 8).
2. Our data will only be used to provide the online services to us and our data will not be used
for any other purposes, including for advertising or other commercial purposes (see OST,
page 8).
3. Microsoft will not disclose our data to law enforcement unless it is legally obliged to do so,
and only after not being able to redirect the request to us (see OST, page 8).
4. Microsoft will implement and maintain appropriate technical and organizational measures,
internal controls, and information security routines intended to protect our data against
accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction (see
OST, page 8 and pages 11-13 for more details).
5. Microsoft will notify us if it becomes aware of any security incident, and will take reasonable
steps to mitigate the effects and minimize the damage resulting from the security incident
(see OST, page 9).
15. An SLA containing performance standards such as
agreed service levels and performance targets. Such
SLA must remain valid even in the event of a change of
the FSI or service provider.
Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(e) and (f)
The SLA contains Microsoft’s service level commitment, as well as the remedies for us in the
event that Microsoft does not meet the commitment. The terms of the SLA current at the start of
the applicable initial or renewal term of the Enrollment are fixed for the duration of that term.
A copy of the SLA is available here:
http://azure.microsoft.com/en-us/support/legal/sla/
16. Monitoring and reports in relation to the SLA. Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(g)
The customer may monitor the performance of the online services via the administrative
dashboard, which includes information as to Microsoft’s compliance with its SLA commitments.
The SLA contains the performance measures.
The OST specifies the monitoring mechanisms that Microsoft puts in place in order to verify that
the online services meet appropriate security and compliance standards.
Clause 1f of the FSA gives the customer the opportunity to participate in the Microsoft Online
Services Customer Compliance Program, which is a for-fee program that facilitates the
customer’s ability to (a) assess the services’ controls and effectiveness, (b) access data related
to service operations, (c) maintain insight into operational risks of the services, (d) be provided
with additional notification of changes that may materially impact Microsoft’s ability to provide
the services, and (e) provide feedback on areas for improvement in the services.
In addition, the customer can review the manner in which Microsoft provides the online
services. As set out on page 13 of the OST, the customer is entitled to access the Microsoft
Online Information Security Policy, which is the document where Microsoft sets out its
information security management processes. Microsoft also commits to providing the customer
with a summary of Microsoft’s annual audit report, which is performed by an independent third
party and measures compliance against Microsoft’s certifications. Where required by the
Regulator, Microsoft will also work with us to allow us to inspect or audit the services.
17. Limits on the potential risks to be sustained by the FSI
and service provider including:
(i) Limiting the risk of changes in the scope of the
contract;
(ii) Changes in the scope of the business and the
size of the service provider’s business;
(iii) Changes in legal requirements and regulations;
(iv) Legal aspects including copyrights, patents and
trademarks.
Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(h)
(i) Section 11k of the MBSA states that the contract may be amended only by a formal
written agreement signed by both parties.
(ii) The contract allows the customer to terminate the arrangement with Microsoft for
convenience (MBSA section 8) which means the customer has the right to terminate in
the event of a change in the scope of the business and the size of the service provider’s
business.
(iii) MBSA section 11m states that Microsoft and the customer each commit to comply with
all applicable privacy and data protection laws and regulations. Again, if there are
changes in legal requirements and regulations, the customer may terminate the
contract for convenience, although in reality it is more likely that the parties will discuss
in good faith how to address such changes. Microsoft also commits in section 2a of the
FSA to work together in good faith to resolve a request of a regulator.
(iv) Microsoft is contractually obliged (under section 5 of the MBSA) to defend the customer
from any third party claims that copyrights, patents and trademarks of third parties have
been infringed by the services.
18. If the service provider subcontracts parts of their
activities, the FSI must give its agreement in writing.
Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(i)
Yes.
See page 9 of the OST, under which Microsoft is permitted to hire subcontractors.
Microsoft maintains a list of authorized subcontractors for the online services that have access
to our data and provides us with a mechanism to obtain notice of any updates to that list (OST,
page 10). The actual list is published on the applicable Trust Center. If we do not approve of a
subcontractor that is added to the list, then we are entitled to terminate the affected online
services.
19. Details on the provision of online communication
facilities, security on data access and transmission to
and from the data center, disaster recovery center and
IT based transaction processing, backup, contingency,
record protection including hardware, equipment,
software and data files, to ensure the continuity of the
IT services, and the security of any necessary source
documents to and from the data center, disaster
recovery center and IT based transaction processing.
Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(j), (k) and (l)
As set out on page 13 of the OST, Microsoft maintains emergency and contingency plans for
the facilities in which Microsoft information systems that process Customer Data are located.
Business Continuity Management (“BCM”) forms part of the scope of the accreditation that
Microsoft maintains in relation to the online services, and Microsoft commits to maintain a data
security policy that complies with these accreditations (see OST, page 13). BCM also forms part
of the scope of Microsoft’s annual third party compliance audit.
Microsoft will implement and maintain appropriate technical and organizational measures,
internal controls, and information security routines intended to protect our data against
accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction (see
OST, page 8 and pages 11-13 for more details).
Pages 9-11 of the OST contain general commitments around data location. Microsoft will
ensure that Customer Data will always be stored and processed in accordance with the EU and
Swiss Safe Harbour Frameworks as maintained by the US Government. Microsoft also commits
that Customer Data transfers out of the EU will be governed by the EU Model Clauses set out at
pages 29-33 of the OST. Also, as noted on page 11 of the OST: “Any subcontractors to whom
Microsoft transfers Customer Data, even those used for storage purposes, will have entered
into written agreements with Microsoft that are no less protective than the DPT”.
20. The parties should have adequate insurance cover. MBSA section 10 deals with insurance. In practice, Microsoft maintains self-insurance
arrangements for many of the areas where third party insurance is typically obtained. Microsoft
has taken the commercial decision to take this approach, and does not believe that this
detrimentally impacts upon its customers given that Microsoft is an extremely substantial entity.
21. Willingness to be audited by the FSI’s internal audit
function, OJK or external parties assigned by the FSI or
OJK and the availability of information for the purposes
of such assessment including rights of logical and
physical access on data managed by the service
provider.
Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(m)
The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to
verify that the online services meet appropriate security and compliance standards. This
commitment is reiterated in the FSA.
The FSA details the examination and influence rights that are granted to the customer and OJK.
The FSA sets out a process which can culminate in the regulator’s examination of Microsoft’s
premises. The customer also has the opportunity to participate in the Microsoft Online Services
Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability
to (a) assess the services’ controls and effectiveness, (b) access data related to service
operations, (c) maintain insight into operational risks of the services, (d) be provided with
additional notification of changes that may materially impact Microsoft’s ability to provide the
services, and (e) provide feedback on areas for improvement in the services.
The customer may monitor the performance of the online services via the administrative
dashboard, which includes information as to Microsoft’s compliance with its SLA commitments.
In addition, the customer can review the manner in which Microsoft provides the online
services. As set out on page 13 of the OST, the customer is entitled to access the Microsoft
Online Information Security Policy, which is the document where Microsoft sets out its
information security management processes. Microsoft also commits to providing the customer
with a summary of Microsoft’s annual audit report, which is performed by an independent third
party and measures compliance against Microsoft’s certifications. Where required by the
Regulator, Microsoft will also work with us to allow us to inspect or audit the services.
22. Requirement on the service provider to submit technical
documents to the FSI in relation to the service provider
including on IT process flow and database structure.
Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(n)
The customer can review the manner in which Microsoft provides the online services. As set out
on page 13 of the OST, the customer is entitled to access the Microsoft Online Information
Security Policy, which is the document where Microsoft sets out its information security
management processes. Microsoft also commits to providing the customer with a summary of
Microsoft’s annual audit report, which is performed by an independent third party and measures
compliance against Microsoft’s certifications.
23. A requirement on the service provider to report on any
critical occurrence that can cause financial losses
and/or disturb the FSI’s operations.
Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(o)
Microsoft will notify us if it becomes aware of any security incident, and will take reasonable
steps to mitigate the effects and minimize the damage resulting from the security incident (see
OST, page 9).
In addition, the customer also has the opportunity to participate in the Microsoft Online Services
Customer Compliance Program, which is a for-fee program that facilitates the customer’s ability
to be provided with additional notification of changes that may materially impact Microsoft’s
ability to provide the services.
24. In relation to the outsourcing of any data centers,
disaster recovery or IT based processing, the service
provider must submit their latest financial statements to
the FSI and a report on the periodic assessment by an
independent party on the IT facilities which are the
object of this agreement.
Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(p)
Microsoft Corporation is publicly-listed in the United States and is amongst the world’s largest
companies by market capitalization. Microsoft’s audited financial statements indicate that it has
been profitable for each of the past three years. Its market capitalization is in the region of USD
280 billion. Accordingly, we have no concerns regarding its financial strength.
The OST specifies the audit mechanisms that Microsoft puts in place in order to verify that the
online services meet appropriate technology controls and standards. This commitment is
reiterated in the FSA. Under the FSA, section 2c, Microsoft will provide to us copies of its audit
reports so that we can verify Microsoft’s compliance with its obligations.
25. The responsibilities of the service provider in providing
human resources with relevant qualifications and
competence in accordance with the service provided.
Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(q)
MBSA section 4(a)(i) deals with professional conduct. Microsoft warrants that its services will
be performed with professional care and skill.
Note also that all Microsoft’s staff involved in the provision of the services are on-boarded and
trained, ready for their day-to-day responsibilities.
26. Plans for the training of staff including the number of
staff to be trained and forms of training and required
cost. Service providers must conduct a knowledge
transfer to the FSI so that there are personnel in the
FSI’s IT work units that understand the IT used in the
FSI especially IT process flow and database structure
from the application system provided by the service
providers.
Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(r)
Clause 1f of the FSA gives the customer the opportunity to participate in the Microsoft Online
Services Customer Compliance Program, which is a for-fee program that facilitates the
customer’s ability to (a) assess the services’ controls and effectiveness, (b) access data related
to service operations, (c) maintain insight into operational risks of the services, (d) be provided
with additional notification of changes that may materially impact Microsoft’s ability to provide
the services, and (e) provide feedback on areas for improvement in the services. This program
provides a knowledge transfer facility to the customer’s personnel.
27. Ownership and licence of IP and assets. Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(s)
Ownership of Customer Data remains at all times with the customer (see OST, page 7).
The software and hardware are owned by Microsoft but licensed for use by the customer as a
service, as is standard in any cloud services solution.
28. A guarantee that service providers will provide support
and maintenance services to FSIs during a certain
period of time after implementation.
Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(t)
The SLA contains Microsoft’s service level commitment, as well as the remedies for the
customer in the event that Microsoft does not meet the commitment. The terms of the SLA
current at the start of the applicable initial or renewal term of the Enrollment are fixed for the
duration of that term.
29. Provisions relating to termination of the contract
including where requested by the FSI.
Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(u)
We have a number of termination rights in our contract with Microsoft. The contract allows the
customer to terminate the arrangement with Microsoft for convenience (MBSA section 8) which
means the customer has the right to terminate in the event of default including change of
ownership, insolvency or where there is a breach of security or confidentiality or demonstrable
deterioration in the ability of the Service Provider to perform the service as contracted. Online
services may also be terminated or suspended in the circumstances described in section 6d of
the EA, and as specified in the OST, pages 5, 11 and 30.
We also have control over the use we make of, and data we load into, the online service.
30. Terms to restrict cancellation or breach of the contract. Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(v)
Microsoft may only terminate the contract by giving 60 days’ notice, which restricts its right to
cancel the contract (MBSA section 8). Section 11k of the MBSA states that the contract may be
amended only by a formal written agreement signed by both parties.
MBSA section 6 deals with liability. In summary: The liability of both parties is limited at an
annual cap of the fees payable for the online services. However, subject to the terms of the
MBSA, the liability of the parties under Section 5 of the MBSA (Defense of infringement,
misappropriation, and third party claims) is unlimited.
MBSA section 5 sets out Microsoft’s obligation to defend the regulated entity against third party
infringement and breach of confidence claims. Subject to the terms of the MBSA, Microsoft’s
liability under section 5 is unlimited.
31. Provisions relating to compliance with existing laws and
regulations in Indonesia including dispute and conflict
resolution provisions.
Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.1(w)
MBSA section 11m states that Microsoft and the customer each commit to comply with all
applicable privacy and data protection laws and regulations.
MBSA sections 11e and 11h deal with how a dispute under the contract is to be conducted.
MBSA section 11e sets out the jurisdictions in which the parties should bring their actions.
Microsoft must bring actions against the customer in the country where the customer’s
contracting party is headquartered. The customer must bring actions: (a) in Ireland if the
action is against a Microsoft affiliate in Europe; (b) in the State of Washington, if the action is
against a Microsoft affiliate outside of Europe; or (c) in the country where the Microsoft affiliate
delivering the services has its headquarters if the action is to enforce a Statement of Services.
MBSA section 11h sets out the choice of law provision. Either the contract is governed by the
laws of the State of Washington if the contract is with a Microsoft affiliate located outside of
Europe; or the contract is governed by the laws of Ireland if the contract is with a European
Microsoft affiliate.
32. Provisions regarding the possibility of changing, making
new agreements or taking over activities of the service
providers or termination of agreement before the end of
the duration of the agreement.
Appendix 1, BI Circular Letter No. 9/30, Chapter X, section 10.3.3.2
Section 11k of the MBSA states that the contract may be amended only by a formal written
agreement signed by both parties.
We, at all times, retain control over the use we make of, and data we load into, the online
service.
In addition, we have a number of termination rights in our contract with Microsoft. The contract
allows the customer to terminate the arrangement with Microsoft for convenience (MBSA
section 8) which means the customer has the right to terminate in the event of default including
change of ownership, insolvency or where there is a breach of security or confidentiality or
demonstrable deterioration in the ability of the Service Provider to perform the service as
contracted.
Following termination Microsoft will (unless otherwise directed by the customer) delete the
Customer Data after a 90 day retention period. From a technical perspective the wide
availability and usage of Microsoft’s products means that Customer Data can generally be
extracted in a format compatible with commonly available alternative products. This permits the
FSI to readily bring the services back in-house or move them to another supplier.
33. FSIs should be able to measure the risks and efficiency
of the IT service and promptly notify if there are certain
conditions as the following:
(i) declining performance of FSI’s activities
conducted by the service provider;
(ii) inadequate solvency of the service provider,
the service provider being in the process of
liquidation, or declared bankrupt by a court of law;
(iii) breach of the regulation relating to FSI’s
secrecy and customer’s personal information;
and/or
(iv) conditions which cause FSIs to be unable to
provide necessary data in a timely manner for
effective monitoring by OJK.
(i) The customer may monitor the performance of the online services via the administrative
dashboard, which includes information as to Microsoft’s compliance with its SLA commitments.
The OST specifies the monitoring mechanisms that Microsoft puts in place in order to verify that
the online services meet appropriate security and compliance standards. The monitoring tools
provide real-time information to the FSI.
(ii) Microsoft Corporation is publicly-listed in the United States and is amongst the world’s
largest companies by market capitalization. We are able to monitor Microsoft’s audited financial
statements (which currently indicate that it has been profitable for each of the past three years).
Its market capitalization is in the region of USD 280 billion. Accordingly, we have no concerns
regarding its financial strength.
(iii) Microsoft will notify the customer if it becomes aware of any security incident, and will take
reasonable steps to mitigate the effects and minimize the damage resulting from the security
incident (see OST, page 9). As set out on page 13 of the OST, Microsoft maintains a record of
security breaches with a description of the breach, the time period, the consequences of the
breach, the name of the reporter, and to whom the breach was reported, and the procedure for
recovering data.
(iv) We are entitled to provide information that Microsoft provides to us to our regulator.
Microsoft also commits to work with us in good faith to resolve a request from our regulator. In
addition Clause 1f of the FSA gives the customer the opportunity to participate in the Microsoft
Online Services Customer Compliance Program, which is a for-fee program that facilitates the
customer’s ability to (a) assess the services’ controls and effectiveness, (b) access data related
to service operations, (c) maintain insight into operational risks of the services, (d) be provided
with additional notification of changes that may materially impact Microsoft’s ability to provide
the services, and (e) provide feedback on areas for improvement in the services.
34. Requirements on FSIs after acknowledgement of
abovementioned conditions.
(i) Report to OJK within 3 working days at the
latest.
(ii) Decide the ensuing actions to be taken to
resolve problems, including the termination of
the use of services if necessary.
(iii) Report to OJK immediately after the FSI halts
the use of the service before the end of the time
duration of the agreement.
Our contract with Microsoft provides us with the relevant notification for the items listed above
(please see our answer to the question above).
It is then our responsibility to satisfy these requirements in relation to our notification to the OJK.
We note that Microsoft commits in the FSA to work with us in good faith to resolve any requests
from our regulator. We also note that our contract allows us to terminate the arrangements with
Microsoft for convenience (MBSA section 8) which means that we have the right to terminate if
any of the events that we notify to OJK should require us to do so.
35. FSI’s adequate contingency plan to maintain the
continuity of the business when halting the use of
services before the end of contract.
As set out on page 13 of the OST, Microsoft maintains emergency and contingency plans for
the facilities in which Microsoft information systems that process Customer Data are located.
Business Continuity Management (“BCM”) forms part of the scope of the accreditation that
Microsoft maintains in relation to the online services, and Microsoft commits to maintain a data
security policy that complies with these accreditations (see OST, page 13). BCM also forms part
of the scope of Microsoft’s annual third party compliance audit.
When halting the use of the services, the FSI is able to bring the services back in-house or
move them to another supplier. In order to do this, all that is required from Microsoft is a copy of
the data that is held by Microsoft. Following termination Microsoft will (unless otherwise
directed by the customer) delete the Customer Data after a 90 day retention period. From a
technical perspective the wide availability and usage of Microsoft’s products means that
Customer Data can be extracted in a format that is readily reusable. This permits the FSI to