Date post: 07-Aug-2020
Page 1: NEW ZEALAND GUIDANCE ON COMPLYING WITH REGULATORY …download.microsoft.com/download/D/2/A/D2AC80BC-29D9-4F98... · 2018-10-16 · Microsoft is an industry leader in cloud computing.

Confidential

Page 1 of 38

10006599-2

NEW ZEALAND

GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE TO FINANCIAL SERVICES

INSTITUTIONS USING CLOUD COMPUTING (AZURE)

Last update: November 2014

1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?

This guidance document provides a guide to complying with the regulatory process and requirements applicable to financial services institutions using cloud computing. In this guidance, financial services institutions means financial institutions, securities trading companies, insurance companies, capital investment companies and other financial services institutions (“FSIs”).

Sections 2 to 6 of this guidance set out information about the regulatory process and the regulations that apply.

Section 7 sets out questions in relation to outsourcing to a cloud services solution based on the laws, regulations and guidance that are relevant to

the use of cloud services. Although there is no requirement to complete a checklist like this one, we have received feedback from FSIs that a

checklist approach like this is very helpful. The checklist can be used:

(i) as a checklist for ensuring regulatory compliance with the requirements set out in the laws, regulations and guidelines (listed in Section 2);

and

(ii) as a tool to aid discussions with the regulator(s) (listed in Section 3), should they wish to discuss your organization’s overall approach to

compliance with their requirements.

Appendix One also contains a list of the items that the Privacy Commissioner states are useful to include in a contract with a cloud services provider (but note these items are not mandatory).

Note that the RBNZ Outsourcing Policy does not contain detailed technical and operational requirements relating to the use of cloud services but,

rather, focuses more generally on issues such as risk management. However, on the basis that technical and operational factors (specifically

security) are directly relevant to risk strategy (and therefore compliance with the RBNZ Outsourcing Policy and Privacy Act), we have included some

specific detail on this point which should be useful for the purposes outlined above.

Note that this document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment on the part of

Microsoft or its affiliates. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your

technology outsourcing project and your legal and regulatory obligations. If you have any questions, please do not hesitate to get in touch with your

Microsoft contact.

2. WHAT LAWS, REGULATIONS AND GUIDANCE ARE RELEVANT?

RBNZ is not against outsourcing or the use of cloud services and recognizes that well-designed arrangements may make useful contributions to

improved efficiency for FSIs. However, its policy is to ensure that FSIs and their customers are not exposed to new or increased risks by virtue of

using outsourced services. Whilst there are no forms that must be completed, there are certain requirements that FSIs should be aware of. In

particular:

(i) large banks (see footnote 1 below) using cloud services need to consider the RBNZ Outsourcing Policy of January 2006 (“RBNZ Outsourcing Policy”);

(ii) all FSIs (whether large or small) need to consider their general RBNZ obligations to manage their business risks properly; and

(iii) all FSIs (whether large or small) need to consider the Privacy Act in relation to any outsourcing that may involve the processing of personal

data.

3. WHO IS/ARE THE RELEVANT REGULATOR(S)?

The Reserve Bank of New Zealand (“RBNZ”)

Footnote 1: RBNZ will consider a bank as “large” if its liabilities net of amounts due to related parties exceed $10 billion. Currently, BNZ, ASB, ANZ National and Westpac are the only banks that are considered “large”.

4. IS REGULATORY APPROVAL REQUIRED IN NEW ZEALAND?

No.

RBNZ does not require approval before an FSI outsources IT functionality to a cloud services solution such as Microsoft Azure.

5. IS/ARE THERE (A) SPECIFIC FORM OR QUESTIONNAIRE(S) TO BE COMPLETED?

No.

Unlike in certain jurisdictions, such as Singapore, there are no specific forms or questionnaires that an FSI must complete when considering cloud

computing solutions.

6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?

No.

RBNZ does not stipulate any mandatory contractual requirements that FSIs must ensure are included in their outsourcing contracts.

The Privacy Commissioner has created a document called ‘Cloud Computing: A guide to making the right choices’, February 2013 which contains

some useful items to check are included in the contract. Whilst these are not mandatory, Microsoft has included these in Appendix One to this

document and mapped them against where in the Microsoft documentation these are covered for ease of reference.

7. CHECKLIST

Key:

In blue text in the original formatted document (colour is not preserved in this text version), Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the point raised in the checklist. The suggested responses may provide sufficient detail, but if you require further information, Microsoft will be happy to provide this if you get in touch with your Microsoft contact. Some points are specific to your own internal operations and processes and you will need to complete these answers as well.

In red italics in the original, Microsoft has provided guidance to assist you with the points in the checklist.

Ref. Question/requirement Template response and guidance

A. OVERVIEW

This section provides a general overview of the Microsoft Azure solution.

1. Who is the service provider?

The service provider is Microsoft Operations Pte Ltd, the regional licensing entity for Microsoft Corporation, a global provider of information technology devices and services, which is publicly-listed in the USA (NASDAQ: MSFT). Microsoft’s full company profile is available here: https://www.microsoft.com/en-us/news/inside_ms.aspx.

2. What type of cloud services would your organization be using?

RBNZ guidance does not distinguish between different types of cloud solution, but an understanding of the type of solution (i.e. multi-tenant or dedicated) is relevant for your organization’s own risk management purposes.

Microsoft’s “Azure” service, which is described in more detail here: Microsoft’s Azure.

Azure is a multi-tenant service. Data storage and processing for each tenant is segregated through Active Directory structure and capabilities specifically developed to help build, manage, and secure multi-tenant environments. Active Directory isolates customers using security boundaries (also known as silos). This safeguards a customer’s data so that the data cannot be accessed or compromised by co-tenants.

3. What activities and operations will be outsourced to the

service provider?

1. Compute

2. Data & Storage

3. Networking

4. Identity & Access Management

5. IT support services

B. COMPLIANCE WITH A BANK’S CONDITIONS OF REGISTRATION

New Zealand Banks are subject to various standard and non-standard conditions of registration. You will need to ensure that the proposed use of

Azure complies with any such conditions.

4. Please confirm whether the FSI is a “large bank” for the

purposes of RBNZ policy.

Many of the RBNZ requirements only apply to “large banks”. RBNZ will consider a bank as “large” if its liabilities net of amounts due to related parties exceed $10 billion. Currently, BNZ, ASB, ANZ National and Westpac are the only banks that are considered “large”. Note that since all large banks in New Zealand are currently owned by parent banks in Australia, those parent banks will be subject to Australian law and regulation (including the outsourcing and cloud computing requirements of the Australian Prudential Regulation Authority (“APRA”)). Microsoft has prepared a similar Q&A for APRA requirements in Australia and can share this with you on request.

5. Please confirm whether any of the following activities will be

affected by the proposed outsourcing:

(a) clearing and settlement obligations;

(b) identification of financial risk positions;

(c) monitoring and management of financial risk

positions; or

(d) access by existing customers to payments facilities.

RBNZ Outsourcing Policy, Sections A’S and A1. One of the key objectives of the RBNZ

Outsourcing Policy is to ensure that banks have the legal and practical ability to control

each of these activities.

None of these core banking functions will be outsourced or affected by the outsourcing.

Only the services and operations described in response to question A.3, above, are

being outsourced. Management will retain the legal and practical ability to control and

execute any outsourced functions.

6. Will the proposed outsourcing have any impact on the ability

of the board to manage, direct or supervise the business and

affairs of the FSI?

RBNZ Outsourcing Policy, Section A.5(a). The ability of the board to

manage/direct/supervise is a condition of registration.

The board will still have ultimate control of the business and affairs of the FSI and the

proposed use of Azure will not change this. The contract that we have in place with

Microsoft contains various contractual and technical means for us to ensure that we

have due supervision and control. See for example, the details set out in our response

to questions 8 (1(g) and 2) and 10 below.

7. Is the proposed outsourcing compliant with any other

standard or non-standard conditions of registration imposed

on the FSI?

RBNZ Outsourcing Policy, Section A.6. Some large banks are subject to non-standard

conditions of registration which may apply to their outsourcing arrangements. You will

need to consider whether such conditions exist and, if so, how (if at all) they may apply

to the proposed use of Azure.

C. RISK MANAGEMENT

RBNZ is particularly interested in the controls that the FSI has in place in respect of the outsourcing and how risks are managed. This section

looks at these requirements in more detail.

8. How do the proposed arrangements ensure that the

outsourcing does not create a risk that the operation and

management of the FSI might be interrupted for a material

length of time?

RBNZ Outsourcing Policy, Section B.10.

We have minimized the risks in the following ways:

1. Through our choice of service provider

a. Competence and experience. Microsoft is an industry leader in cloud computing.

Azure was built based on ISO/IEC 27001 standards and was the first major

business productivity public cloud service to have implemented the rigorous set of

global standards covering physical, logical, process and management controls.

b. Past track-record. 40% of the world’s top brands use Azure. We consulted various

case studies relating to Azure, which are available on the Microsoft website and

also considered the fact that Microsoft has amongst its customers some of the

world’s largest organizations and FSIs.

c. Specific financial services credentials. FSI customers in leading markets,

including in the UK, France, Germany, Australia, Singapore, Canada, the United

States and many other countries have performed their due diligence and, working

with their regulators, are satisfied that Azure meets their respective regulatory

requirements. This gives us confidence that Microsoft is able to help meet the high

burden of financial services regulation and is experienced in meeting these

requirements.

d. Microsoft’s staff hiring and screening process. All personnel with access to customer data are subject to background screening, security training and access approvals. In addition, the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems. User access to data is also limited by user role. For example, system administrators are not provided with database administrative access.

e. Financial strength of Microsoft. Microsoft Corporation is publicly-listed in the

United States and is amongst the world’s largest companies by market

capitalization. Microsoft’s audited financial statements indicate that it has been

profitable for each of the past three years. Its market capitalization is in the region

of USD 280 billion. Accordingly, we have no concerns regarding its financial

strength.

f. Business resumption and contingency plan. Microsoft offers contractually-

guaranteed uptime, hosted out of world class data centers with physical

redundancy at disk, NIC, power supply and server levels, constant content

replication, robust backup, restoration and failover capabilities, real-time issue

detection and automated response such that workloads can be moved off any

failing infrastructure components with no perceptible impact on the service, with

24/7 on-call engineering teams.

g. Security and internal controls, audit, reporting and monitoring. Microsoft is an industry leader in cloud security and implements policies and controls on par with or better than on-premises data centers of even the most sophisticated organizations. We have confidence in the security of the solution and the systems and controls offered by Microsoft. In addition to the ISO/IEC 27001 certification, Azure is designed for security with controls for encryption of data at rest and secure sockets layer (“SSL”)/transport layer security (“TLS”) encryption of data in transit. The Microsoft service is subject to the SSAE16 SOC1 Type II audit, an independent, third party audit.

2. Through specific technical measures in place to ensure that operation and management are not affected

Microsoft offers contractually-guaranteed uptime, globally available data centers for primary and backup storage, physical redundancy at disk, NIC, power supply and server levels, constant content replication, robust backup, restoration and failover capabilities, real-time issue detection and automated response such that workloads can be moved off any failing infrastructure components with no perceptible impact on the service, and 24/7 on-call engineering teams. See also the response to question 40 below.

9. What contractual controls does the FSI have in respect of the outsourcing? Is the documentation clear on the rights and obligations of each party to the contract and on service levels and pricing, to a level commensurate with the function’s time criticality, materiality and substitutability?

RBNZ Outsourcing Policy, Sections C.20 and D.36.

The provision of Azure is subject to the following contractual documents:

(i) Microsoft Online Business and Services Agreement (a copy of which is available on request); and

(ii) Service Level Agreement (“SLA”), a copy of which is available at: http://azure.microsoft.com/en-us/support/legal/sla/

Both of these documents and the documents referred to therein very clearly set out the rights and obligations of each party, the service levels and the pricing.

The documents provide us with a number of other contractual controls in respect of the

outsourcing, notably:

Microsoft is only contractually permitted to use our data to provide the online

services. Microsoft is not permitted to use our data for any other purposes,

including for advertising or other commercial purposes.

Microsoft commits that it will implement and maintain appropriate technical and

organizational measures, internal controls, and information security routines

intended to protect our data against accidental, unauthorized or unlawful

access, disclosure, alteration, loss, or destruction.

Microsoft commits that it has in place audit mechanisms in order to verify that

the online services meet appropriate security and compliance standards.

In addition, the contractual process can culminate in the regulator’s

examination of Microsoft’s premises. We also have the opportunity to

participate in the Microsoft Online Services Customer Compliance Program,

which is a for-fee program that facilitates our ability to: (a) assess the services’

controls and effectiveness; (b) access data related to service operations; (c)

maintain insight into operational risks of the services; (d) be provided with

additional notification of changes that may materially impact Microsoft’s ability

to provide the services; and (e) provide feedback on areas for improvement in

the services.

The SLA contains Microsoft’s service level commitment, as well as the remedies for us in the event that Microsoft does not meet the commitment. Microsoft commits that it will not modify the terms of the SLA during the initial term of our subscription.

10. What practical controls does the FSI have in respect of the outsourcing?

RBNZ Outsourcing Policy, Sections C.19 and C.21.

The solution provides a lot of tools which mean that we remain in practical control.

Microsoft’s SLA (as defined above) applies to the Azure product (linked in question 9 above; its details are summarized in the response to question 36 below). Amongst other things, the SLA provides a contractual uptime guarantee for the Azure product and covers performance monitoring and reporting requirements which enable us to monitor Microsoft’s performance on a continuous basis against service levels.

Our IT administrators also have access to the Azure Service Health Dashboard, which provides real-time and continuous monitoring of the Azure service. The Service Health Dashboard provides our IT administrators with information about the current availability of each service or tool (and the history of availability status), details about service disruptions or outages, and scheduled maintenance times. The information is also provided via an RSS feed.

We also have very extensive contractual audit and inspection rights, plus access to the independent SSAE16 SOC1 Type II audit, which enable us to verify their performance (as detailed further in section F below).

As part of the support we receive from Microsoft, we also have access to a technical account manager who is responsible for understanding our challenges and providing expertise, accelerated support and strategic advice tailored to our organization. This includes both continuous hands-on assistance and immediate escalation of urgent issues to speed resolution and keep mission-critical systems functioning. We are confident that such arrangements provide us with the appropriate mechanisms for managing performance and problems.

Our contract with Microsoft clearly provides that ownership of our data remains with us and we retain rights to access our data at all times. On top of this, as mentioned above, Microsoft’s services are audited by an independent third party (see our response to 8(1)(g) above) and there are various audit and inspection rights (as detailed in section F below).

Our contractual agreements also allow us to terminate the arrangements with Microsoft for our convenience, which would enable us to move to another provider if required.
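As an added illustration of what "monitoring Microsoft's performance on a continuous basis against service levels" looks like in practice (this is example code written for this page, not Microsoft's tooling and not part of the Azure SLA), the script below takes a log of service-disruption windows of the kind an FSI would record from the Service Health Dashboard and its own monitoring, merges overlapping windows so that minutes in which several services were down together are not counted twice, clips windows to the calendar month, and compares the resulting availability with a threshold. The 99.9% threshold, the service names and the incident timestamps are assumptions constructed for the example; substitute the figures from the SLA you actually signed.

```python
"""Monthly availability against an SLA threshold.

Added example for this page, not Microsoft's tooling. The incident log is
constructed to resemble what an FSI would record from the Azure Service
Health Dashboard and its own monitoring; the 99.9% threshold is an
assumption standing in for the figure in the signed SLA.
"""
from datetime import datetime

# Constructed sample: (start, end, affected service) for November 2014.
# The first two windows overlap on purpose so the merge step is exercised.
SAMPLE_INCIDENTS = [
    (datetime(2014, 11, 3, 2, 0), datetime(2014, 11, 3, 2, 25), "Compute"),
    (datetime(2014, 11, 3, 2, 15), datetime(2014, 11, 3, 2, 40), "Storage"),
    (datetime(2014, 11, 20, 14, 0), datetime(2014, 11, 20, 14, 10), "Networking"),
]

# Assumption: the monthly uptime percentage the SLA commits to.
SLA_THRESHOLD_PCT = 99.9


def month_bounds(year, month):
    """[start, end) datetimes for the calendar month."""
    start = datetime(year, month, 1)
    end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return start, end


def merge_windows(windows):
    """Merge overlapping or touching (start, end) windows so the same minutes
    are not counted twice when several services were down together."""
    merged = []
    for start, end in sorted(windows):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_minutes(incidents, year, month):
    """Distinct minutes of downtime that fall inside the month; windows that
    straddle a month boundary are clipped to the part inside it."""
    month_start, month_end = month_bounds(year, month)
    clipped = []
    for start, end, _service in incidents:
        s, e = max(start, month_start), min(end, month_end)
        if s < e:
            clipped.append((s, e))
    return sum((e - s).total_seconds() for s, e in merge_windows(clipped)) / 60.0


def monthly_availability_pct(incidents, year, month):
    """Percentage of the month's minutes during which no incident was open."""
    month_start, month_end = month_bounds(year, month)
    total = (month_end - month_start).total_seconds() / 60.0
    return 100.0 * (total - downtime_minutes(incidents, year, month)) / total


def sla_report(incidents, year, month, threshold_pct=SLA_THRESHOLD_PCT):
    """Summary a risk or vendor-management team can file against the SLA."""
    pct = monthly_availability_pct(incidents, year, month)
    return {
        "month": f"{year}-{month:02d}",
        "downtime_minutes": downtime_minutes(incidents, year, month),
        "availability_pct": round(pct, 4),
        "threshold_pct": threshold_pct,
        "breached": pct < threshold_pct,
    }


if __name__ == "__main__":
    print(sla_report(SAMPLE_INCIDENTS, 2014, 11))
```

Run stand-alone it reports November 2014: the two overlapping windows on 3 November count as 40 minutes rather than 50, giving 50 minutes of distinct downtime and 99.88% availability, below the assumed 99.9%. A naive sum would have overstated downtime and undermined any credit claim; the SLA's own definitions of downtime and its per-service scope are what govern the claim, so keep the per-service records even though the merged figure is the one reported to the board.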

11. What internal processes does the FSI have in place to

manage the risks to the business associated with any

outsourcing arrangements?

RBNZ Outsourcing Policy, Section D.33. This requires you to have in place and explain

your internal processes. The RBNZ Outsourcing Policy states that a wider range of

outsourcing arrangements could be acceptable where a bank has established a

“credible internal process to manage the risks to its business associated with any

outsourcing arrangements”. There are no minimum requirements or detail provided

when it comes to internal processes but it would be usual to expect this to include:

processes for management review and sign off by the board;

risk management policies;

business continuity and disaster recovery plans; and

outsourcing policies.

D. PRIVACY AND DATA PROTECTION

In addition to RBNZ requirements, FSIs in New Zealand are of course subject to privacy and data protection requirements under New Zealand law.

This section looks at how the use of Azure complies with these requirements.

12. What data will be processed by the service provider on

behalf of the FSI?

Customer data (including customer name, contact details, account information,

payment card data, security credentials and correspondence).

Employee data (including employee name, contact details, internal and external

correspondence by email and other means and personal information relating to

their employment with the organization).

Transaction data (data relating to transactions in which the organization is

involved).

Indices (for example, market feeds).

Other personal and non-personal data relating to the organization’s business

operations as an FSI.

We ensure, pursuant to the terms of the contract in place with the service provider, that

all data (but in particular any customer data) is treated with the highest level of security

so that we can continue to comply with our legal and regulatory obligations and our

commitments to customers. We do of course only collect and process data that is

necessary for our business operations in compliance with all applicable laws and

regulation and this applies whether we process the data on our own systems or via a

cloud solution such as Microsoft Azure.

13. How do the service provider and the proposed solution comply with New Zealand privacy law requirements relating to the cloud?

The Office of the Privacy Commissioner (“OPC”) published a cloud computing checklist and “Cloud Computing – A guide to making the right choices”. Microsoft New Zealand Limited has prepared a standard response to help organizations assess the Azure cloud service against the OPC checklist and guide. Please see the standard response here. Note that this response is in relation to the checklist for small businesses contained in the OPC guide but may still provide useful information relevant to FSIs.

E. OFFSHORING

RBNZ has no issue in principle with the use of service providers located outside of New Zealand. However, it does consider that use of non-NZ

service providers can, in some circumstances, give rise to some additional risks. This section looks at how any potential risks are mitigated.

14. Will the proposed outsourcing require offshoring? If so, from

which territory(ies) will the outsourced cloud services be

provided?

RBNZ Outsourcing Policy, Section C.23 to C.26.

Microsoft informs us that it takes a regional approach to hosting of Azure data.

Microsoft is transparent in relation to the location of our data. Microsoft data center

locations are made public on the Microsoft Trust Center.

Microsoft enables customers to select the region that their service is provisioned from. Under the Online Services Terms (“OST”), Microsoft commits that if a customer provisions its tenant in the United States or EU, Microsoft will store the customer’s data at rest in the United States or EU, as applicable.

The table below will need to be amended depending on the specific solution that you are taking up.

#    Location of data centre    Classification of DC (Tier I, II, III or IV)    Storing your organization’s data (Y/N)

1.

2.
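To populate the table above from an actual deployment, as an added example that is not part of the Microsoft document: the script below reads a resource inventory in the shape `az resource list` prints (the sample here is constructed inline rather than fetched), lists every region that holds a resource, and flags resources deployed outside a region list the FSI has approved. The approved regions, resource names and resource groups are assumptions for the example. Tier classification cannot be derived from the inventory and is left for the FSI to fill in from the Trust Center data.

```python
"""Data-residency check over an Azure resource inventory.

Added example for this page, not code from the Microsoft document. The
inventory below is constructed to match the fields `az resource list`
prints (name, type, location, resourceGroup); replace it with that
command's JSON output. APPROVED_REGIONS is an assumed list of regions
the FSI has agreed to keep data in.
"""
import json
from collections import defaultdict

# Assumption: the regions the FSI has approved for storing its data.
APPROVED_REGIONS = {"australiaeast", "australiasoutheast"}

# Azure assigns "global" to non-regional resources (e.g. DNS zones); they
# hold no regional data store and are reported separately, not as violations.
NON_REGIONAL = {"global"}

# Constructed sample inventory in the shape of `az resource list` output.
SAMPLE_INVENTORY_JSON = """[
  {"name": "coreledgerdb", "type": "Microsoft.Sql/servers", "location": "australiaeast", "resourceGroup": "rg-prod"},
  {"name": "stmtarchive", "type": "Microsoft.Storage/storageAccounts", "location": "australiasoutheast", "resourceGroup": "rg-prod"},
  {"name": "vm-batch-01", "type": "Microsoft.Compute/virtualMachines", "location": "westus", "resourceGroup": "rg-test"},
  {"name": "bank-example-zone", "type": "Microsoft.Network/dnszones", "location": "global", "resourceGroup": "rg-net"}
]"""


def load_inventory(raw_json):
    """Parse the JSON array and normalise location names to lower case."""
    resources = json.loads(raw_json)
    for r in resources:
        r["location"] = r["location"].lower()
    return resources


def residency_findings(inventory, approved=APPROVED_REGIONS):
    """Return resources deployed outside the approved regions, plus the
    non-regional ones so they can be reviewed by hand."""
    violations, non_regional = [], []
    for r in inventory:
        if r["location"] in NON_REGIONAL:
            non_regional.append(r["name"])
        elif r["location"] not in approved:
            violations.append((r["name"], r["type"], r["location"], r["resourceGroup"]))
    return {"violations": violations, "non_regional": non_regional}


def location_table(inventory, approved=APPROVED_REGIONS):
    """Rows for the checklist table: (#, region, resources held there,
    storing data Y/N, approved?). Tier is not in the inventory; fill it in."""
    by_region = defaultdict(list)
    for r in inventory:
        by_region[r["location"]].append(r["name"])
    rows = []
    for i, region in enumerate(sorted(by_region), start=1):
        storing = "N" if region in NON_REGIONAL else "Y"
        approved_flag = region in approved or region in NON_REGIONAL
        rows.append((i, region, sorted(by_region[region]), storing, approved_flag))
    return rows


def print_report(raw_json=SAMPLE_INVENTORY_JSON):
    """Print the filled-in table and any residency violations."""
    inventory = load_inventory(raw_json)
    print("#  Location            Storing data  Approved  Resources")
    for i, region, names, storing, ok in location_table(inventory):
        print(f"{i:<2} {region:<19} {storing:<12} {'yes' if ok else 'NO':<9} {', '.join(names)}")
    findings = residency_findings(inventory)
    for name, rtype, region, rg in findings["violations"]:
        print(f"VIOLATION: {name} ({rtype}) in {region}, resource group {rg}")
    if findings["non_regional"]:
        print("Review by hand (non-regional):", ", ".join(findings["non_regional"]))


if __name__ == "__main__":
    print_report()
```

This checks where resources are deployed, not where copies of the data end up: geo-redundant storage replicates to the region's paired region, and backups, diagnostics and logs may be written elsewhere, so those destinations have to be added to the table separately rather than inferred from the inventory.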

15. Would proceedings relating to the outsourcing have to be

brought in another jurisdiction’s court under that jurisdiction’s

laws?

RBNZ Outsourcing Policy, Section C.23.

The governing law is that of Washington, however the parties have the ability to bring

proceedings in the locations as follows:

If Microsoft brings the action, the jurisdiction will be where we are located (i.e. New

Zealand);

If we bring the action, the jurisdiction will be the state of Washington; and

Both parties can seek injunctive relief with respect to a violation of intellectual

property rights or confidentiality obligations in any appropriate jurisdiction.

16. Is there a risk that the duties and powers of the service provider’s own regulator(s) in the country(ies) in which the service will be hosted could cause the regulator(s) to intervene in such a way as to interfere with the provider’s performance?

RBNZ Outsourcing Policy, Section C.24.

Microsoft’s data center locations are recognized as stable, safe and reliable

jurisdictions in respect of their legal systems, regulatory regime, technology and

infrastructure. The circumstances in which authorities in these countries may have

rights to access customer information are not considered to be unwarranted.

The data center locations have been selected by Microsoft taking into careful account

the country and socio-economic factors. We are confident that the data center

locations offer extremely stable political and socio-economic environments with robust

and transparent legal frameworks. Microsoft data center locations are made public on

the Microsoft Trust Center.

17. What measures are in place to ensure that performance by the service provider of the outsourced functions outside of New Zealand would not complicate the logistics of ensuring timely performance? For example, due to time zone differences, differences in statutory holidays, or the extra time needed to access essential staff and systems.

RBNZ Outsourcing Policy, Section C.25.

Microsoft works with customers around the world (including many in New Zealand) and

its operations are set up to ensure that logistical issues for international customers do

not arise. For example, time zones and statutory holidays will not be an issue, since

Microsoft’s services are provided 24/7 without reference to statutory holidays. We do

not see any issue in terms of needing extra time to access essential staff and systems,

since we have audit and inspection rights (as detailed in section F below).

Commitments on the location of data at rest are discussed at p 9 of the OST, and may depend on where a customer provisions its service tenancy or which Geo it specifies for the online service. More details are set out, non-contractually, on the Trust Center for each applicable online service. The following considerations are also relevant to the location of Microsoft's data centers:

a. Political (i.e. cross-border conflict, political unrest etc.). Azure offers data-location transparency so that organizations and regulators are informed of the jurisdiction(s) in which data is hosted. We are confident that Microsoft's data center locations offer extremely stable political environments.

b. Country/socioeconomic. Azure offers data-location transparency so that the

organizations and regulators are informed of the jurisdiction(s) in which data is

hosted. The centers are strategically located around the world taking into account

country and socioeconomic factors. We are confident that Microsoft’s data center

locations offer extremely stable socioeconomic environments.

c. Infrastructure/security/terrorism. Microsoft’s data centers are built to exacting

standards, designed to protect customer data from harm and unauthorized access.

Data center access is restricted 24 hours per day by job function so that only essential personnel have access. Physical access control uses multiple

authentication and security processes, including badges and smart cards, biometric

scanners, on-premises security officers, continuous video surveillance and two-

factor authentication. The data centers are monitored using motion sensors, video

surveillance and security breach alarms.

d. Environmental (i.e. earthquakes, typhoons, floods). Microsoft data centers are

built in seismically safe zones. Environmental controls have been implemented to

protect the data centers including temperature control, heating, ventilation and air-

conditioning, fire detection and suppression systems and power management

systems, 24-hour monitored physical hardware and seismically-braced racks.

These requirements are covered by Microsoft’s ISO/IEC 27001 accreditation for

Azure.

18. What measures are in place to avoid the risk that competition

for the service provider’s resources could impede the

performance of functions for the FSI?

RBNZ Outsourcing Policy, Section C.25.

Microsoft is one of the largest providers of cloud services globally and has capacity to service a large number of customers without the risk of competition for resources. Our organization would be subject to the same prioritization as any other customer of the same services from Microsoft. Of course, the services are protected by Microsoft's SLA and its accompanying terms and conditions. More information on the SLA is available at: http://azure.microsoft.com/en-us/support/legal/sla/.

Microsoft provides a contractual, financially-backed uptime guarantee for the Azure product.

Microsoft also ensures that a raft of different safeguards and arrangements are in place to prevent and minimize the impact of any technology failure. Microsoft is subject to

very high international auditing standards in this regard which provide us with a great

deal of comfort. The resources that Microsoft has in place also mean that we do not

foresee risks in relation to the adequacy of Microsoft to fulfill obligations or provide

remedies and restitution.

Microsoft is an industry leader in cloud computing. Azure was built based on ISO/IEC

27001 standards and was the first major business productivity public cloud service to

have implemented the rigorous set of global standards covering physical, logical,

process and management controls. FSI customers in leading markets, including in the

UK, France, Germany, Australia, Singapore, Canada, the United States and many

other countries have performed their due diligence and, working with their regulators,

are satisfied that Azure meets their respective regulatory requirements. This gives us

confidence that Microsoft is able to help meet the high burden of financial services

regulation and is experienced in meeting these requirements.

F. TECHNICAL AND OPERATIONAL RISK Q&A

RBNZ guidance does not focus on detailed technical and operational requirements relating to the use of cloud services but, rather, focuses more

generally on issues such as risk management. However, on the basis that technical and operational factors (for example, data security) are

directly relevant to risk management strategy, this section provides some detailed information about the Azure service.

19. Does the service provider permit audit by RBNZ? Yes.

We are confident that in our choice of Microsoft as Cloud Service Provider (“CSP”) we

have far more extensive audit rights than most if not all other service providers offer.

This was an important factor in our decision to choose Microsoft. Microsoft offers the right for RBNZ to conduct audits. There is a contractual audit/inspection right, so that

RBNZ can carry out inspections or examinations of Microsoft’s facilities, systems,

processes and data relating to the services to determine and confirm that it is in

compliance with applicable laws and regulations and assess the soundness of the risk

management processes and controls which it has in place. In addition, Microsoft is

subject to third party audits (see our response to question 20 below).

Microsoft also offers a Compliance Framework Program. If you take-up the

Compliance Framework Program, you may add this additional information about its key

features: the regulator audit/inspection right, access to Microsoft’s security policy, the

right to participate at events to discuss Microsoft’s compliance program, the right to

receive audit reports and updates on significant events, including security incidents,

risk-threat evaluations and significant changes to the business resumption and

contingency plans.

20. Are the provider’s services subject to any third party audit? Yes.

As part of Microsoft's certification requirements, it is required to undergo regular independent third party auditing (via the SSAE 16 SOC 1 Type II audit, a globally recognized standard), and Microsoft shares the independent third party audit reports with us.

21. What security controls are in place to protect the

transmission and storage of confidential information such as

customer data within the infrastructure of the service

provider?

Microsoft as an outsourcing partner is an industry leader in cloud security and

implements policies and controls on par with or better than on-premises data centers of

even the most sophisticated organizations, as described elsewhere in this document.

The Microsoft Azure security features consist of three parts: (a) built-in security features; (b) security controls; and (c) scalable security. These include 24-hour

monitored physical hardware, isolated customer data, automated operations and lock-

box processes, secure networks and encrypted data.

Microsoft implements the Microsoft Security Development Lifecycle (“SDL”) which is a

comprehensive security process that informs every stage of design, development and

deployment of Microsoft software and services, including Azure. Through design

requirements, analysis of attack surface and threat modeling, the SDL helps Microsoft

predict, identify and mitigate vulnerabilities and threats from before a service is

launched through its entire production lifecycle.

Networks within the Azure data centers are segmented to provide physical separation of critical back-end servers and storage devices from the public-facing interfaces. Edge router security detects intrusions and signs of vulnerability. Azure uses industry-standard transport protocols such as SSL and TLS between user devices and Microsoft data centers, and within data centers themselves. With virtual networks, the industry-standard IPsec protocol can be used to encrypt traffic between the corporate VPN gateway and Azure. Encryption can be enabled for traffic between VMs and end users.

Microsoft also implements traffic throttling to prevent denial-of-service attacks. It uses

the “prevent, detect and mitigate breach” process as a defensive strategy to predict

and prevent security breaches before they happen. This involves continuous

improvements to built-in security features, including port-scanning and remediation,

perimeter vulnerability scanning, OS patching to the latest updated security software,

network-level DDOS (distributed denial-of-service) detection and prevention and multi-factor authentication for service access. From a people and process standpoint, preventing breach involves auditing all operator/administrator access and actions, zero

standing permission for administrators in the service, “Just-In-Time (JIT) access and

elevation” (that is, elevation is granted on an as-needed and only-at-the-time-of-need

basis) of engineer privileges to troubleshoot the service, and segregation of the

employee email environment from the production access environment. Employees who

have not passed background checks are automatically rejected from high privilege

access, and checking employee backgrounds is a highly scrutinized, manual-approval

process.

Azure offers a wide range of data encryption capabilities up to AES-256. Options include .NET cryptographic services, Windows Server public key infrastructure (PKI) components, Active Directory Rights Management Services (AD RMS), and BitLocker for data import/export scenarios.

22. How are customers authenticated?

Azure can use two-factor authentication to enhance security. Typical authentication practices that require only a password to access resources may not provide the appropriate level of protection for information that is sensitive or vulnerable. Two-factor authentication applies a stronger means of identifying the user. The Microsoft phone-based two-factor authentication solution sends users a PIN as a message to their phones, and they then enter that PIN as a second password to log on to their services.
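As an added illustration (not Microsoft's code, and not a description of how the Azure service implements it), the following Python sketches the server side of a phone-delivered PIN used as a second factor: the PIN is random, stored only as a keyed hash, expires, is single-use, and the challenge is locked after a few wrong guesses. The PIN length, lifetime, attempt limit and the simulated delivery (the PIN is returned to the caller instead of being sent by SMS) are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Added example: server-side handling of a one-time PIN delivered to a phone
# and entered as a second factor. Values below are assumptions, not Azure's.
PIN_DIGITS = 6
PIN_TTL_SECONDS = 300   # a PIN stays valid for five minutes (assumed)
MAX_ATTEMPTS = 3        # lock the challenge after three wrong guesses (assumed)


class OtpChallenge:
    """One pending second-factor challenge for a login attempt."""

    def __init__(self, user, pin_hash, expires_at):
        self.user = user
        self.pin_hash = pin_hash      # only a keyed hash of the PIN is stored
        self.expires_at = expires_at
        self.attempts = 0
        self.used = False


def _hash_pin(server_key, user, pin):
    # Keyed hash: a leaked challenge store does not reveal usable PINs.
    return hmac.new(server_key, f"{user}:{pin}".encode(), hashlib.sha256).digest()


def issue_pin(server_key, user, now=None):
    """Generate a random PIN and a challenge holding its hash and expiry.
    Returns (challenge, pin); a real service would send pin to the phone."""
    now = time.time() if now is None else now
    pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
    challenge = OtpChallenge(user, _hash_pin(server_key, user, pin),
                             now + PIN_TTL_SECONDS)
    return challenge, pin


def verify_pin(server_key, challenge, submitted, now=None):
    """Check a submitted PIN; returns "ok", "used", "expired", "locked" or "wrong".
    A correct PIN is accepted once, within its lifetime, and only while the
    guess budget has not been exhausted; comparison is constant-time."""
    now = time.time() if now is None else now
    if challenge.used:
        return "used"
    if now > challenge.expires_at:
        return "expired"
    if challenge.attempts >= MAX_ATTEMPTS:
        return "locked"
    challenge.attempts += 1
    got = _hash_pin(server_key, challenge.user, submitted)
    if hmac.compare_digest(challenge.pin_hash, got):
        challenge.used = True
        return "ok"
    return "wrong"


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    chal, pin = issue_pin(key, "alice")
    print("delivered PIN (simulated):", pin)
    print(verify_pin(key, chal, "000000" if pin != "000000" else "111111"))
    print(verify_pin(key, chal, pin))
    print(verify_pin(key, chal, pin))   # replay of a used PIN is rejected
```

The three rejections worth noting for a reviewer are the replay ("used"), the late submission ("expired") and the lockout after repeated wrong guesses, which together are what make a short numeric PIN acceptable as a second factor.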

23. What are the procedures for identifying, reporting and

responding to suspected security incidents and violations?

This is an issue that we take very seriously. We have therefore checked these

procedures in detail with Microsoft and are confident that they provide excellent means

to enable us to identify, report and respond properly and promptly in the event of any

security incident or violation.


First, there are robust procedures offered by Microsoft that enable the prevention of

security incidents and violations arising in the first place and detection in the event that

they do occur. Specifically:

a. Microsoft implements 24 hour monitored physical hardware. Data center

access is restricted 24 hours per day by job function so that only essential

personnel have access to customer applications and services. Physical access

control uses multiple authentication and security processes, including badges and

smart cards, biometric scanners, on-premises security officers, continuous video

surveillance, and two-factor authentication.

b. Microsoft implements “prevent, detect, and mitigate breach”, which is a

defensive strategy aimed at predicting and preventing a security breach before it

happens. This involves continuous improvements to built-in security features,

including port scanning and remediation, perimeter vulnerability scanning, OS

patching to the latest updated security software, network-level DDOS (distributed

denial-of-service) detection and prevention, and multi-factor authentication for

service access.

c. Wherever possible, human intervention is replaced by an automated, tool-

based process, including routine functions such as deployment, debugging,

diagnostic collection, and restarting services. Azure continues to invest in systems

automation that helps identify abnormal and suspicious behavior and respond

quickly to mitigate security risk. Microsoft is continuously developing a highly

effective system of automated patch deployment that generates and deploys

solutions to problems identified by the monitoring systems—all without human intervention. This greatly enhances the security and agility of the service.

d. Microsoft conducts penetration tests to enable continuous improvement of

incident response procedures. These internal tests help Azure security experts

create a methodical, repeatable, and optimized stepwise response process and

automation.

Second, in the event that a security incident or violation is detected, Microsoft

Customer Service and Support notifies Azure subscribers by updating the Service

Health Dashboard that is available on the Azure portal. We would have access to

Microsoft’s dedicated support staff, who have a deep knowledge of the service.

Microsoft provides a Recovery Time Objective ("RTO") of 30 minutes or less for Virtual Machines and Storage and 1 hour or less for Virtual Network, and a Recovery Point Objective ("RPO") of 1 minute or less for Storage.

Finally, after the incident, Microsoft provides a thorough post-incident review report

(“PIR”). The PIR includes:

An incident summary and event timeline.

Broad customer impact and root cause analysis.

Actions being taken for continuous improvement.

Microsoft will provide the PIR within five business days following resolution of the

service incident. Administrators can also request a PIR using a standard online service request submission through the Azure portal or a phone call to Microsoft Customer Service and Support.

24. How is end-to-end application encryption security

implemented to protect PINs and other sensitive data

transmitted between terminals and hosts?

Azure offers a wide range of data encryption capabilities up to AES-256. Options include .NET cryptographic services, Windows Server public key infrastructure (PKI) components, Active Directory Rights Management Services (AD RMS), and BitLocker for data import/export scenarios.

Networks within the Azure data centers are segmented to provide physical separation of critical back-end servers and storage devices from the public-facing interfaces. Edge router security detects intrusions and signs of vulnerability. Azure uses industry-standard transport protocols such as SSL and TLS between user devices and Microsoft data centers, and within data centers themselves. With virtual networks, the industry-standard IPsec protocol can be used to encrypt traffic between the corporate VPN gateway and Azure. Encryption can be enabled for traffic between VMs and end users.

25. Are there procedures established to securely destroy or

remove the data when the need arises?

Yes.

Microsoft uses best practice procedures and a wiping solution that is NIST SP 800-88 compliant. Hard drives that cannot be wiped go through a physical destruction process (disintegrating, shredding, pulverizing or incinerating) that renders recovery of the information impossible. The appropriate means of disposal is determined by the asset type. Records of the destruction are retained.

All Microsoft Online Services utilize approved media storage and disposal management

services. Paper documents are destroyed by approved means at the pre-determined

end-of-life cycle.


“Secure disposal or re-use of equipment and disposal of media” is covered under the

ISO/IEC 27001 standards against which Microsoft is certified.

26. Are there procedures to ensure that access to production

data is restricted on a 'least privilege' basis? If yes, provide a

description of these procedures.

Yes.

Microsoft applies strict controls over which personnel roles and personnel will be

granted access to customer data. Personnel access to the IT systems that store

customer data is strictly controlled via role-based access control (“RBAC”) and lock

box processes. Access control is an automated process that follows the separation of

duties principle and the principle of granting least privilege. This process ensures that

the engineer requesting access to these IT systems has met the eligibility

requirements, such as a background screen, fingerprinting, required security training

and access approvals. In addition, the access levels are reviewed on a periodic basis

to ensure that only users who have appropriate business justification have access to

the systems.

27. Are there documented security procedures for safeguarding

premises and restricted areas? If yes, provide descriptions of

these procedures.

Yes.

Physical access control uses multiple authentication and security processes, including

badges and smart cards, biometric scanners, on-premises security officers, continuous

video surveillance and two-factor authentication. The data centers are monitored using

motion sensors, video surveillance and security breach alarms.

28. Are there documented security procedures for safeguarding

hardware, software and data in the data center?

Yes.

The security procedures for safeguarding hardware, software and data are documented by Microsoft in its Standard Response to Request for Information – Security and Privacy. This confirms how the following aspects of Microsoft's operations safeguard hardware, software and data:

Compliance

Data Governance

Facility

Human Resources

Information Security

Legal

Operations

Risk Management

Release Management

Resiliency

Security Architecture

29. How are privileged system administration accounts managed? Describe the procedures governing the issuance (including emergency usage), protection, maintenance and destruction of these accounts.

Access to the IT systems that store customer data is strictly controlled via RBAC (as defined above) and lock box processes. Access control is an automated process that follows the separation of duties principle and the principle of granting least privilege. This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a background screen, fingerprinting, required security training, and access approvals. In addition, the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems. User access to data is also limited by user role. For example, system administrators are not provided with database administrative access.

In emergency situations, a "Just-In-Time (JIT) access and elevation" system is used, under which engineer privileges to troubleshoot the service are granted on an as-needed and only-at-the-time-of-need basis.

30. Are the activities of privileged accounts captured (e.g.

system audit logs) and reviewed regularly? Indicate the party

reviewing the logs and the review frequency.

Yes.

An internal, independent Microsoft team will audit the log at least once per quarter.

31. Are the audit/activity logs protected against tampering by

users with privileged accounts? Describe the safeguards

implemented.

Yes.

All logs are saved to the log management system which a different team of

administrators manages. All logs are automatically transferred from the production

systems to the log management system in a secure manner and stored in a tamper-

protected way.
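The answer above does not say how the stored logs are made tamper-protected. As an added example (not Microsoft's implementation), the following Python shows one common way to do it: each entry carries an HMAC over its sequence number, the previous entry's tag and its content, and the key is held by the log-management team rather than by the production administrators whose actions are being recorded. A production administrator who edits, deletes or reorders an entry on the producing host cannot recompute valid tags. The key and the privileged-access records are constructed for the demo.

```python
import hashlib
import hmac
import json

# Added example, not Microsoft's code: a hash-chained, HMAC'd append-only log
# verified by a team that holds a key the producing administrators do not.
GENESIS = "0" * 64   # chain anchor for the first entry


def _canonical(record):
    # Stable serialisation so the same record always authenticates the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def append_entry(log, key, record):
    """Append record to log, binding it to its position and its predecessor."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    msg = f"{seq}|{prev_tag}|{_canonical(record)}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    entry = {"seq": seq, "prev": prev_tag, "record": record, "tag": tag}
    log.append(entry)
    return entry


def verify_chain(log, key):
    """Return (ok, index): index is the first bad entry, or len(log) if all good.
    Detects edited, deleted, reordered or forged entries. Removing only the
    tail is not detectable from the chain alone; that needs an out-of-band
    anchor such as periodically publishing the latest tag elsewhere."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev_tag:
            return False, i
        msg = f"{i}|{prev_tag}|{_canonical(entry['record'])}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, len(log)


def build_demo_log(key):
    """Constructed sample privileged-access events (not real Azure log lines)."""
    log = []
    for rec in [
        {"ts": "2014-11-03T02:14:07Z", "op": "jit_elevate", "user": "eng01",
         "scope": "storage-frontend"},
        {"ts": "2014-11-03T02:15:30Z", "op": "exec", "user": "eng01",
         "cmd": "restart-service frontend"},
        {"ts": "2014-11-03T02:40:11Z", "op": "jit_revoke", "user": "eng01",
         "scope": "storage-frontend"},
    ]:
        append_entry(log, key, rec)
    return log


if __name__ == "__main__":
    key = b"held-by-the-log-management-team"   # constructed demo key
    log = build_demo_log(key)
    print("intact:", verify_chain(log, key))
    log[1]["record"]["user"] = "eng02"         # an administrator rewrites history
    print("after edit:", verify_chain(log, key))
```

The separation of duties in the text (a different team administers the log system) is what gives the key its value: the chain only proves anything to a reviewer who trusts that the producers never had it.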

32. Is access to sensitive files, commands and services

restricted and protected from manipulation? Provide details

of controls implemented.

Yes.

System-level data such as configuration data/files and commands are managed as part of the configuration management system. Any change, update or deletion affecting those data/files/commands is automatically detected by the configuration management system as an anomaly.


33. Are file integrity checks in place to detect unauthorized

changes to databases, files, programs and system

configuration? Provide details of checks implemented.

Yes.

System-level data such as configuration data/files and commands are managed as part of the configuration management system. Any change, update or deletion affecting those data/files/commands is automatically detected by the configuration management system as an anomaly.
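An added example of the baseline-and-compare check that questions 32 and 33 describe (not Microsoft's configuration management system): a Python script that hashes a configuration tree, records each file's permission bits, rehashes later and reports modified, added, deleted and permission-changed files. The configuration files, their contents and the simulated unauthorized changes are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Added example, not Microsoft's configuration management system: hash a
# configuration tree into a baseline, rehash later, and classify differences.
# The files and the "tampering" below are constructed for the demo.


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file path (relative to root, '/'-separated) to (sha256, mode)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (_digest(full), os.stat(full).st_mode & 0o777)
    return baseline


def compare(baseline, current):
    """Sorted lists of modified, permission-changed, added and deleted paths."""
    common = set(baseline) & set(current)
    modified = sorted(p for p in common if baseline[p][0] != current[p][0])
    mode_changed = sorted(p for p in common
                          if baseline[p][0] == current[p][0]
                          and baseline[p][1] != current[p][1])
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    return {"modified": modified, "mode_changed": mode_changed,
            "added": added, "deleted": deleted}


def _write(path, text, mode=None):
    with open(path, "w") as f:
        f.write(text)
    if mode is not None:
        os.chmod(path, mode)


def demo():
    """Build a constructed config tree, baseline it, tamper with it, report."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "conf.d"))
    _write(os.path.join(root, "app.conf"), "listen=443\ntls_min_version=1.2\n", 0o640)
    _write(os.path.join(root, "conf.d", "auth.conf"), "mfa_required=true\n")
    _write(os.path.join(root, "legacy.conf"), "deprecated=true\n")
    baseline = build_baseline(root)

    # Simulated unauthorized changes: a weakened setting, a dropped-in file,
    # a removed file, and loosened permissions on an otherwise unchanged file.
    _write(os.path.join(root, "conf.d", "auth.conf"), "mfa_required=false\n")
    _write(os.path.join(root, "conf.d", "backdoor.conf"), "debug_shell=true\n")
    os.remove(os.path.join(root, "legacy.conf"))
    os.chmod(os.path.join(root, "app.conf"), 0o666)

    return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two points a reviewer should check in any such system: the baseline itself must be stored where the administrators being checked cannot rewrite it (the same separation the log answer at question 31 relies on), and permission changes are reported separately because a file whose content is unchanged but is now world-writable is still a finding.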

34. Are password controls for critical applications/systems

reviewed for compliance on a regular basis?

Yes.

All access to production and customer data requires multi-factor authentication. Strong passwords are mandatory and must be changed on a regular basis.

35. Are remote access activities tracked and reviewed? Provide

details of controls implemented.

Yes.

Administrators who have access to applications have no physical access to production, so they must reach it through a controlled, monitored remote access facility. All operations through this remote access facility are logged.

36. Does the service provider have a disaster recovery or

business continuity plan? If yes, provide documentation or

details.

Yes.

Microsoft offers contractually-guaranteed uptime, globally available data centers for primary and backup storage, physical redundancy at disk, NIC, power supply and server levels, constant content replication, robust backup, restoration and failover capabilities, real-time issue detection and automated response such that workloads can be moved off any failing infrastructure components with no perceptible impact on the service, and 24/7 on-call engineering teams. See also the response to question 40 below.

37. What are the recovery time objectives (RTO) of systems or

applications outsourced to the service provider?

30 min or less for Virtual Machines and Storage, 1 hour or less for Virtual Network.

38. What are the recovery point objectives (RPO) of systems or

applications outsourced to the service provider?

1 minute or less for Storage.

39. What are the data backup and recovery arrangements for

your organization’s data that resided with the service

provider?

Microsoft’s arrangements are as follows:

Redundancy

Physical redundancy at server, data center, and service levels

Data redundancy with robust failover capabilities

Functional redundancy with offline functionality

Resiliency

Active load balancing

Automated failover with human backup

Recovery testing across failure domains

Distributed Services

Distributed component services limit scope and impact of any failures in a component.

Directory data replicated across component services insulates one service

from another in any failure events.

Simplified operations and deployment.

Monitoring

Internal monitoring built to drive automatic recovery

Outside-in monitoring raises alerts about incidents

Extensive diagnostics provide logging, auditing, and granular tracing

Simplification

Standardized hardware reduces issue isolation complexities

Fully automated deployment models.

Standard built-in management mechanism

Human backup

Automated recovery actions with 24/7 on-call support

Team with diverse skills on the call provides rapid response and resolution


Continuous improvement by learning from the on-call teams

Continuous learning

If an incident occurs, Microsoft does a thorough post-incident review every time

Microsoft’s post-incident review consists of analysis of what happened,

Microsoft’s response, and Microsoft’s plan to prevent it in the future

40. How frequently does the service provider conduct disaster

recovery tests?

At least once per year.

41. Have you jointly tailored and tested your disaster recovery or

business continuity plan with the service provider? If yes,

please provide a report on the test results.

You are welcome to raise this with your Microsoft contact if you have any questions

about how your disaster recovery/business continuity plan would interface with that of

Microsoft.

In general, it would be Microsoft that would need to take action to recover the Azure

service in a disaster/business continuity situation. Any internal actions can be carried

out by our organization without coordinating with Microsoft.

42. In the event of contract termination with the service provider,

either on expiry or prematurely, are you able to have all IT

information and assets promptly removed or destroyed?

Yes.

Microsoft uses best practice procedures and a wiping solution that is NIST SP 800-88 compliant. Hard drives that cannot be wiped go through a physical destruction process (disintegrating, shredding, pulverizing or incinerating) that renders recovery of the information impossible. The appropriate means of disposal is determined by the asset type. Records of the destruction are retained.


All Microsoft Online Services utilize approved media storage and disposal management

services. Paper documents are destroyed by approved means at the pre-determined

end-of-life cycle.

“Secure disposal or re-use of equipment and disposal of media” is covered under the

ISO/IEC 27001 standards against which Microsoft is certified.


APPENDIX ONE

MANDATORY CONTRACTUAL REQUIREMENTS

The Privacy Commissioner has created a document called ‘Cloud Computing: A guide to making the right choices’, February 2013 which contains some

useful items to check are included in the contract. Whilst these are not mandatory, Microsoft has included these in the table below and mapped them against

where in the Microsoft documentation these are covered for ease of reference.

Key:

Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.

In blue text, Microsoft has provided you with a reference to where in the agreement the contractual requirement is covered for ease of reference.

Terms used below as follows:

OST = Online Services Terms

EA = Enterprise Agreement

Enrolment = Enterprise Enrolment

FSA = Financial Services Amendment

MBSA = Microsoft Business and Services Agreement

PUR = Product Use Rights

SLA = Online Services Service Level Agreement


Ref. | Requirement | Microsoft agreement reference

1. Check the contract. Make sure your key concerns are covered in the contract or in the standard terms and conditions. In particular check:

(i) whether the provider has to tell you if something goes wrong (for instance if there is a security breach);

(ii) how you would notify your customers if their data is lost or stolen;

(iii) how you're going to know whether the provider is living up to the terms of the agreement (for example, does it get regular independent audits done that you'll be able to check?);

(iv) who is liable and what the penalties are if something goes wrong;

(v) what country's laws apply if there is a legal dispute and who the appropriate regulator might be;

(vi) whether mediation or arbitration is available;

(vii) whether your provider is insured against privacy breaches;

(viii) what the provider's disaster recovery plans cover.

Privacy Commissioner, Cloud Computing: A guide to making the right choices, February 2013, p9.

Microsoft agreement reference. Taking each of the points in turn:

(i) Microsoft will notify us if it becomes aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident (see OST, page 9). In addition, as set out on page 13 of the OST, Microsoft maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, to whom the breach was reported, and the procedure for recovering data. Finally, see (iii) below on monitoring, which allows for real-time monitoring so that breaches would be apparent.

Furthermore, Microsoft commits to comply with (and is audited against) ISO/IEC 27018. Under paragraph A.9 of this international standard Microsoft is required to promptly notify customers of any unauthorized access to personal information, or unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of personal information.

(ii) This is more an internal matter for the FSI.

(iii) The OST specifies the monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA.

Clause 1f of the Financial Services Amendment gives the customer the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates the customer's ability to (a) assess the services' controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft's ability to provide the services, and (e) provide feedback on areas for improvement in the services.

Clauses 1e and 1f of the FSA detail the examination and influence rights that are granted to the customer and the regulator. Clause 1e sets out a process which can culminate in the regulator's examination of Microsoft's premises.

In addition, under paragraph 18 of ISO/IEC 27018 Microsoft is required, where individual customer audit rights are impractical or may increase risks to security, to make available, before and during our contract with Microsoft, independent evidence that information security is implemented and operated in accordance with Microsoft's policies and procedures.

(iv) The SLA contains Microsoft's service level commitment, as well as the remedies for the customer in the event that Microsoft does not meet the commitment, including service credits. MBSA section 6 deals with liability. MBSA section 5 sets out Microsoft's obligation to defend the regulated entity against third party infringement and breach of confidence claims. Microsoft's liability under section 5 is unlimited.

(v) MBSA section 11h sets out the choice of law provision. The contract is governed either by the laws of the State of Washington, if the contract is with a Microsoft affiliate located outside of Europe, or by the laws of Ireland, if the contract is with a European Microsoft affiliate. In addition, as mentioned above, Clause 1e of the FSA sets out a process which can culminate in the regulator's examination of Microsoft's premises.

(vi) MBSA section 11e sets out the jurisdictions in which the parties should bring their actions. Microsoft must bring actions against the customer in the country where the customer's contracting party is headquartered. The customer must bring actions: (a) in Ireland, if the action is against a Microsoft affiliate in Europe; (b) in the State of Washington, if the action is against a Microsoft affiliate outside of Europe; or (c) in the country where the Microsoft affiliate delivering the services has its headquarters, if the action is to enforce a Statement of Services.

(vii) MBSA section 10 deals with insurance. In practice, Microsoft maintains self-insurance arrangements for many of the areas where third party insurance is typically obtained. Microsoft has taken the commercial decision to take this approach, and does not believe that this detrimentally impacts upon its customers given that Microsoft is an extremely substantial entity.

(viii) As set out on page 13 of the OST, Microsoft maintains emergency and contingency plans for the facilities in which the Microsoft information systems that process Customer Data are located. Business Continuity Management ("BCM") forms part of the scope of the accreditations that Microsoft maintains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations (see OST page 13). BCM also forms part of the scope of Microsoft's annual third party compliance audit.
