Oracle Cloud Compliance

Oracle is committed to helping customers operate globally in a fast-changing business environment and address the challenges of an ever more complex regulatory environment.

Shared Management Model

Cloud computing is fundamentally different from traditional on-premises computing. In the traditional model, organizations are typically in full control of their technology infrastructure, which is located on-premises (e.g., physical control of the hardware and full control over the technology stack in production). In the cloud, organizations use resources and practices that are under the control of the cloud service provider, while still retaining some control over, and responsibility for, other components of their IT solution. As a result, managing security and privacy in the cloud is a shared responsibility between the cloud customer and the cloud service provider. The distribution of responsibilities between the cloud service provider and the customer also varies with the nature of the cloud service (IaaS, PaaS, SaaS).

Before deploying Oracle cloud services, Oracle strongly recommends that cloud customers formally analyze their cloud strategy to determine the suitability of using the applicable Oracle cloud services in light of their own legal and regulatory compliance obligations. Making this determination remains solely the responsibility of customers.

Attestations

Oracle provides information about frameworks for which an Oracle line of business has achieved a third-party attestation or certification for one or more of its services in the form of “attestations.” These attestations can assist in your compliance and reporting by providing an independent assessment of the security, privacy and compliance controls of the applicable Oracle cloud services. When reviewing these third-party attestations, it is important to consider that they are generally specific to a certain cloud service and may also be specific to a certain data center or geographic region. Clicking on a compliance framework retrieves the relevant detail. Please note that this information is subject to change and may be updated frequently, is provided “as-is” and without warranty, and is not incorporated into contracts.

Customers can obtain more information about available attestations by contacting their Oracle sales representative.

Global

Table columns: Attestation, Oracle Cloud Infrastructure, Oracle Applications, NetSuite, Oracle Industries, Oracle Advertising

CSA STAR: Cloud Security Alliance Security Trust Assurance and Risk

The Cloud Security Alliance (CSA) is an organization that promotes best practices for providing security assurance in cloud computing. The CSA Security Trust, Assurance and Risk (STAR) attestation provides for an assessment, performed by a reputable third party, that affirms implementation of the necessary security controls. This assessment is based on the CSA Cloud Controls Matrix (CCM) and on controls from SOC 2 and ISO/IEC 27001. For more information, see https://cloudsecurityalliance.org/star/

yes
yes
ISO 9001: Quality Management Systems

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) form the specialized system for worldwide standardization. The ISO 9001 standard family is based on a number of quality management principles including a strong customer focus. It is intended “to help organizations demonstrate its ability to consistently provide customers good quality products and services.” For more information, see https://www.iso.org/iso-9001-quality-management.html

yes
ISO/IEC 20000-1: Service Management Systems

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted the internationally recognized ISO/IEC 20000-1 service management system (SMS) standard. It is intended to help design, transition, deliver and improve services to fulfil agreed service requirements. For more information, see https://www.iso.org/standard/51986.html

yes
ISO/IEC 27001: Information Security Management Systems

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted the internationally recognized ISO/IEC 27001 Standard. It is intended to provide guidance for the establishment and continuous improvement of an information security management system (ISMS) within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. For more information, see https://www.iso.org/isoiec-27001-information-security.html

yes
yes
yes
yes
ISO/IEC 27017: Cloud Specific Controls

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted ISO/IEC 27017, a set of guidelines for information security controls applicable to the provision and use of cloud services. It is intended to provide additional implementation guidance for relevant controls specified in ISO/IEC 27002 and guidance that specifically relates to cloud services. For more information, see https://www.iso.org/standard/54533.html

yes
yes
ISO/IEC 27018: Personal Information Protection Controls

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted ISO/IEC 27018, to be used in conjunction with the information security objectives and controls in ISO/IEC 27002. It is intended to create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a Personally Identifiable Information (PII) processor. For more information, see https://www.iso.org/standard/76559.html

yes
yes
yes
ISO/IEC 27701: Privacy Information Management

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted ISO/IEC 27701. It is intended to provide guidance for the establishment and continuous improvement of a Privacy Information Management System (PIMS) which is processing Personally Identifiable Information (PII). This standard is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management. For more information, see https://www.iso.org/standard/71670.html

yes
PCI DSS: Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. It is intended to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security practices globally. The PCI DSS standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council (PCI SSC). For more information, see https://www.pcisecuritystandards.org/

yes
yes
yes
yes
SOC 1: System and Organization Controls 1

The System and Organization Controls (SOC) is a program from the American Institute of Certified Public Accountants (AICPA). It is intended to provide internal control reports on the services provided by a service organization. A SOC 1 report helps companies establish trust and confidence in their service delivery processes and controls. These reports focus on Internal Control over Financial Reporting (ICFR). For more information, see https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

yes
yes
yes
yes
SOC 2: System and Organization Controls 2

The System and Organization Controls (SOC) is a program from the American Institute of Certified Public Accountants (AICPA). It is intended to provide internal control reports on the services provided by a service organization. A SOC 2 report outlines information related to a service organization’s internal controls for security, availability, processing integrity, confidentiality or privacy Trust Criteria. The intent of this report is to provide detailed information and assurance about the controls relevant to security, availability, and processing integrity of the systems used to process users’ data and the confidentiality and privacy of the information processed by these systems. For more information, see https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

yes
yes
yes
yes
yes
SOC 3: System and Organization Controls 3

The System and Organization Controls (SOC) is a program from the American Institute of Certified Public Accountants (AICPA). It is intended to provide internal control reports on the services provided by a service organization. A SOC 3 report outlines information related to a service organization’s internal controls for security, availability, processing integrity, confidentiality or privacy. These reports are shorter than SOC 2 reports and contain less detail. For more information, see https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

yes
yes

Americas

Table columns: Attestation, Oracle Cloud Infrastructure, Oracle Applications, NetSuite, Oracle Industries, Oracle Advertising

DoD DISA SRG: Department of Defense, Defense Information Systems Agency, Cloud Computing Security Requirements Guide

The Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (CC SRG) outlines how the US Department of Defense (DoD) assesses the security posture of non-DoD cloud service providers (CSPs). It also explains how non-DoD CSPs can demonstrate that they meet the required security controls before handling any DoD data.

The CC SRG defines the following impact levels:

  • Impact Level 2: Data cleared for public release (note: Level 1 was combined with Level 2)
  • Impact Level 4: Controlled unclassified information (CUI) over the Non-Secure Internet Protocol Router Network (NIPRNet). CUI includes protected health information (PHI), privacy information (PII) and export-controlled data (note: Level 3 was combined with Level 4)
  • Impact Level 5: Higher-sensitivity CUI, mission-critical information, or National Security Systems (NSS) information over NIPRNet
  • Impact Level 6: Classified data over the Secret Internet Protocol Router Network (SIPRNet)

For more information, see https://dl.dod.cyber.mil/wp-content/uploads/cloud/pdf/Cloud_Computing_SRG_v1r3.pdf

yes
yes
FedRAMP: Federal Risk and Authorization Management Program

The Federal Risk and Authorization Management Program (FedRAMP) is a US government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. US federal agencies are directed by the Office of Management and Budget (OMB) to use FedRAMP to ensure that security is in place when they adopt cloud products and services.

FedRAMP is based on National Institute of Standards and Technology (NIST) Special Publication 800-53, which provides a catalog of security controls for US federal information systems. FedRAMP requires cloud service providers (CSPs) to undergo an independent security assessment by a third-party assessment organization (3PAO) so that authorizations comply with the Federal Information Security Management Act (FISMA).

For more information, see https://marketplace.fedramp.gov/#!/products?sort=productName&productNameSearch=oracle

yes
yes
FIPS 140: Federal Information Processing Standards Publication 140

The Federal Information Processing Standard Publication 140-2 (FIPS 140-2) is a US government security standard published by the National Institute of Standards and Technology (NIST) that specifies the security requirements for the design and implementation of cryptographic modules that protect sensitive data. For more information, see https://csrc.nist.gov/publications/detail/fips/140/2/final

Learn more about Oracle's FIPS certifications: https://www.oracle.com/corporate/security-practices/assurance/development/external-security-evaluations/fips/certifications.html

Not applicable Not applicable Not applicable Not applicable Not applicable
HITRUST CSF: Health Information Trust Alliance Common Security Framework

The Health Information Trust Alliance (HITRUST) is an organization representing the healthcare industry. HITRUST created and maintains the Common Security Framework (CSF), a framework against which cloud service providers (CSPs) and covered health entities can demonstrate compliance with US Health Insurance Portability and Accountability Act (HIPAA) requirements. For more information, see https://hitrustalliance.net/

yes
HIPAA: Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law. It requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. For more information, see https://www.hhs.gov/hipaa/

yes
yes
yes

Europe, Middle East, and Africa

Table columns: Attestation, Oracle Cloud Infrastructure, Oracle Applications, NetSuite, Oracle Industries, Oracle Advertising

AgID: The Agency for Digital Italy (Agenzia per l’Italia Digitale or AgID)

The Agency for Digital Italy (Agenzia per l’Italia Digitale or AgID) is the “technical agency of the Presidency of the Council of Ministers.” AgID supports Italy's digital agenda and manages a “Catalog of qualified Cloud services for the Public Administration (PA)”. AgID's cloud strategy is intended to provide “a qualification path for public and private entities to provide Cloud infrastructures and services to the Public Administration (PA) with high standards of security, efficiency and reliability, in line with the provisions of AgID circulars n.2 and n.3 of 9 April 2018.”

For more information, see https://www.agid.gov.it/en/infrastructures/pa-cloud

yes
C5: Cloud Computing Compliance Controls Catalog

The Cloud Computing Compliance Controls Catalog (C5) was created by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) in 2016. The intent of this standard is to establish a mandatory minimum baseline for cloud security and for the adoption of public cloud solutions by German government agencies and organizations that work with the government. For more information, see https://www.bsi.bund.de/EN/

yes
yes
Cyber Essentials

Cyber Essentials is a UK government scheme intended to help participating organizations protect themselves against a whole range of the most common cyber attacks. The scheme establishes more rigorous testing of an organization’s cyber security systems, in which cyber security experts carry out vulnerability tests to make sure the organization is protected against basic hacking and phishing attacks. For more information, see https://www.ncsc.gov.uk/cyberessentials/overview

yes
yes
ENS: Esquema Nacional de Seguridad (Law 11/2007)

Law 11/2007 in Spain establishes a legal framework to give citizens electronic access to government and public services. Aligned with the ISO/IEC 27001 Standard, the framework defines a set of security controls for availability, authenticity, integrity, confidentiality, and traceability. The certification establishes security standards that apply to all government agencies and public organizations in Spain, as well as related service providers. For more information, see https://administracionelectronica.gob.es/pae_Home/pae_Estrategias/pae_Seguridad_Inicio/pae_Esquema_Nacional_de_Seguridad.html?idioma=en#.YH9f2edlCUm

yes
yes
yes
HDS: Hébergeur de Données de Santé

Hébergeur de Données de Santé (HDS) is a formal certification required by French law for any commercial organization that controls, stores, processes, or transmits personally identifiable healthcare information in France. For more information, see https://esante.gouv.fr/labels-certifications/hebergement-des-donnees-de-sante

yes
yes
TISAX: Trusted Information Security Assessment Exchange

The Trusted Information Security Assessment Exchange (TISAX) is an assessment and exchange mechanism for the information security of enterprises that allows assessment results to be recognized among the participants. It is maintained by the ENX Association, an organization consisting of automobile manufacturers, suppliers and national automotive associations. For more information, see https://enx.com/en-US/TISAX/

yes
yes
UAE ADISS: United Arab Emirates (UAE) Abu Dhabi Information Security Standard (ADISS)

The Abu Dhabi Systems and Information Centre (ADSIC) issued the Abu Dhabi Information Security Standard (ADISS) to set out minimum cyber security requirements for the critical infrastructure sectors in the UAE. Designated entities are required to implement the ADISS framework and apply its relevant requirements to the creation, handling, storage, transmission, and destruction of information or data. ADSIC is now the Abu Dhabi Data Authority (ADDA). For more information, see https://www.adda.gov.ae/About-Us

yes
yes
UAE IAR: United Arab Emirates (UAE) Information Assurance Regulation (IAR) Information Security Requirements

The United Arab Emirates (UAE) Telecommunication Regulatory Authority (TRA) has issued the Information Assurance Regulation (IAR) to provide information security requirements for the critical infrastructure sectors in the UAE. TRA-designated entities are required to implement the IAR framework and apply its requirements to the use, processing, storage, and transmission of information or data. For more information, see https://www.tdra.gov.ae/en/about-tra/telecommunication-sector/regulations-and-ruling/details.aspx#documents

yes
yes

Asia Pacific

Table columns: Attestation, Oracle Cloud Infrastructure, Oracle Applications, NetSuite, Oracle Industries, Oracle Advertising

IRAP: Information Security Registered Assessors Program

The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative. IRAP is the assessors' program developed by the Australian Cyber Security Centre (ASD/ACSC) for assessing cloud services for government and non-government agency use. It is intended “to provide the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to Australian governments”. For more information, see https://www.cyber.gov.au/acsc/view-all-content/programs/irap

yes
yes
ISMS (formerly K-ISMS): Information Security Management System

The Korean Information Security Management System (formerly K-ISMS, now ISMS) is a country-specific ISMS framework. It defines a set of control requirements designed to help ensure that organizations in Korea consistently and securely protect their information assets. For more information, see https://www.oecd.org/korea/koreasinformationsecurityinitiatives.htm

yes
MeitY: Ministry of Electronics and Information Technology Policy

The Ministry of Electronics and Information Technology (MeitY) is an agency in India that provides policy guidelines to all government and state public sector organizations. MeitY certifies cloud services as compliant with a predefined set of standards and guidelines on security, interoperability, data portability, service level agreements, and contractual terms and conditions. For more information, see https://www.meity.gov.in/

yes

Advisories

Oracle provides general information and technical recommendations for the use of its cloud services in the form of “advisories.” These advisories are provided to help you determine the suitability of specific Oracle cloud services and to assist you in implementing specific technical controls that may help you meet your compliance obligations. Please note that these advisories are not legal advice and you remain solely responsible for determining whether a specific Oracle cloud service and/or configuration meets your legal and regulatory obligations.

Global

GxP: Good Practice Guidelines

The Good Practice (GxP) guidelines and regulations comprise a set of global guidelines for traceability, accountability and data integrity. They are intended to ensure that food, medical devices, drugs and other life science products are safe, while maintaining the quality of processes throughout every stage of manufacturing, control, storage, and distribution. Some of the primary regulators include the Food & Drug Administration (FDA) in the US, the Therapeutic Goods Administration (TGA) in Australia, and Health Canada | Santé Canada (HC-SC) in Canada. GxP includes varied regulation sets, but the most common are GCP, GLP, and GMP. For more information, see https://www.fda.gov/drugs/guidance-compliance-regulatory-information.

Americas

BACEN: Central Bank of Brazil (BACEN) Resolution 4658 Digital Service Requirements

The Central Bank of Brazil (BACEN) issued Resolution No. 4.893 of February 26th 2021, which describes several digital service requirements for regulated financial institutions, including cybersecurity policy and the contracting of data processing, storage, and cloud computing services. This Resolution is intended to guide financial institutions in evaluating cloud service providers and in establishing controls to manage that relationship. For more information, see https://www.dataguidance.com/news/brazil-bacen-issues-new-resolution-cybersecurity and https://www.bcb.gov.br/estabilidadefinanceira/exibenormativo?tipo=Resolu%C3%A7%C3%A3o%20CMN&numero=4893

CCPA: California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is a bill passed by the California State Legislature and signed into law on June 28, 2018, and amended on September 23, 2018. The CCPA provides for the following:

  • The right of Californians to know what personal information is being collected about them.
  • The right of Californians to know whether their personal information is sold or disclosed and to whom.
  • The right of Californians to say no to the sale of personal information.
  • The right of Californians to access their personal information.
  • The right of Californians to equal service and price, even if they exercise their privacy rights.

For more information, see https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375

CJIS: Criminal Justice Information Services Security Policy

The US Federal Bureau of Investigation (FBI) Criminal Justice Information Services Division (CJIS) sets standards for information security, guidelines, and agreements for protecting Criminal Justice Information (CJI). The CJIS Security Policy describes the controls that protect the sources, transmission, storage and access of CJI. For more information, see https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

FFIEC Cybersecurity Assessment Tool: Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment

The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that is responsible for the federal examination of financial institutions in the United States. The FFIEC has developed a Cybersecurity Assessment Tool (Assessment) to help financial institutions identify their risks and determine their cybersecurity maturity. The Assessment provides guidance for financial institutions on developing an Inherent Risk Profile and identifying their level of Cybersecurity Maturity. For more information, see https://www.ffiec.gov/cyberassessmenttool.htm

ICD 503: Intelligence Community (IC) Information Technology Systems Security Risk Management Directive 503

The U.S. Director of National Intelligence published Intelligence Community Directive (ICD) 503, Intelligence Community (IC) Information Technology Systems Security Risk Management, Certification, and Accreditation, in September 2008. ICD 503 sets IC policy for processes related to security risk management, certification, and accreditation. For more information, see https://www.dni.gov/index.php/what-we-do/ic-related-menus/ic-related-links/intelligence-community-directives

IRS 1075: Internal Revenue Service Publication 1075

The US Internal Revenue Service Publication 1075 (IRS 1075) applies to organizations that process or maintain US Federal Tax Information. Its intent is “to address any public request for sensitive information and prevent disclosure of data that would put Federal Tax Information (FTI) at risk.” For more information, see https://www.irs.gov/

ITAR: International Traffic in Arms Regulations

The International Traffic in Arms Regulations (ITAR) is a US regulation intended to restrict and control the export of defense and military related technologies in order to safeguard US national security and further US foreign policy objectives. For more information, see https://www.federalregister.gov/documents/2020/01/23/2020-00574/international-traffic-in-arms-regulations-us-munitions-list-categories-i-ii-and-iii

LGPD: Lei Geral de Proteção de Dados

Brazil’s Lei Geral de Proteção de Dados (LGPD) was passed in August 2018 with the intent to promote and protect privacy and to regulate how Brazilian companies handle personal information. The legislation covers all companies that offer services or have operations involving data handling in Brazil. For more information, see https://www.lgpdbrasil.com.br/

MARS-E: Minimum Acceptable Risk Standards for Exchanges

The U.S. Department of Health and Human Services established the Minimum Acceptable Risk Standards for Exchanges (MARS-E) under the Affordable Care Act (ACA) of 2010. It is intended to ensure secure handling of Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI) of US citizens. For more information, see https://www.hhs.gov/guidance/document/minimum-acceptable-risk-standards-exchanges-mars-e-20

NERC CIP: North American Electric Reliability Corporation Critical Infrastructure Protection

The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose aim is to ensure effective and efficient reduction of risks to the reliability and security of the bulk power grid. NERC develops and enforces reliability standards and is subject to oversight by the US Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. NERC Critical Infrastructure Protection (CIP) cybersecurity standards mandate a range of security programs for the power industry within the United States and Canada. For more information, see https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx

NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

The National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” provides security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). Federal agencies use the requirements in contracts or other agreements established between those agencies and nonfederal organizations. The requirements apply to all nonfederal information systems and organizations that process, store, or transmit CUI. For more information, see https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

PIPEDA: Personal Information Protection and Electronic Documents Act

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law relating to data privacy. It is intended “to govern how private sector organizations collect, use and disclose personal information in the course of commercial business.” For more information, see https://www.priv.gc.ca/en/

Protected B

Federal government contracts in Canada contain clauses with security requirements that specify levels of security for sensitive information, assets and work sites. The Canadian government has established levels for the protection of information and assets, and Level B applies to information or assets whose loss or damage could cause serious injury to an individual, organization or government. For more information, see https://cloud-broker.canada.ca/s/central-provider-page-v2

SEC Rule 17a-4(f), FINRA Rule 4511(c), CFTC Rule 1.31(c)-(d): Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and Commodity Futures Trading Commission (CFTC) Electronic Records Retention Requirements

Financial institutions trading in regulated securities in the US may be subject to special regulatory requirements for electronic records retention set by the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the Commodity Futures Trading Commission (CFTC). These requirements may include SEC Rule 17a-4(f), FINRA Rule 4511(c), and CFTC Regulation 1.31(c)-(d). For more information, see the following resources:

  • SEC 17a-4(f): https://www.sec.gov/rules/interp/34-47806.htm
  • FINRA Rule 4511(c): https://www.finra.org/rules-guidance/rulebooks/finra-rules/4511
  • CFTC Rule 1.31(c)-(d): https://www.cftc.gov/sites/default/files/opa/press99/opa4266-99-attch.htm

    Europe, Middle East, and Africa

    CITC CCRF

    Communications and Information Technology Commission Cloud Computing Regulatory Framework (CCRF)
    The Communications and Information Technology Commission (CITC) in Saudi Arabia published a Cloud Computing Regulatory Framework (CCRF) based on international best practices and analysis that outlines the rights and obligation of cloud service providers and cloud customers in Saudi Arabia. Cloud service providers must register with CITC to demonstrate alignment with this framework. For more information, see https://www.citc.gov.sa

    DSPT

    UK NHS Data Security and Protection Toolkit
    The Data Security and Protection Toolkit (DSPT) is a self-assessment tool that measures performance against the United Kingdom’s National Health Service (NHS) 10 data security standards. Any organizations that have access to NHS patient data and systems must use this toolkit to provide assurance that they practice good data security and that personal information is handled correctly. For more information, see https://www.dsptoolkit.nhs.uk/

    EBA

    European Banking Authority Guidelines on Outsourcing Arrangements
    The European Banking Authority (EBA), an EU financial supervisory authority, produces the EBA Guidelines on outsourcing arrangements to provide financial institutions guidance for outsourcing arrangements such as cloud services. For more information, see https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-outsourcing-arrangements

    ENISA Cloud Computing IAF

    European Union Agency for Cybersecurity Information Assurance Framework
    The European Union Agency for Cybersecurity (ENISA) is a European agency that contributes to European cybersecurity policy and supports member states and other stakeholders of the Union when large-scale cyber incidents occur. ENISA has created a set of assurance criteria called the Information Assurance Framework (IAF) that is designed to help consumers of cloud services to:

    • Assess the risk of adopting cloud services
    • Compare different cloud providers’ offerings
    • Obtain assurances from the selected cloud providers
    • Reduce the assurance burden on cloud providers
    For more information, see https://www.enisa.europa.eu/publications/cloud-computing-information-assurance-framework

    ESMA MiFID II & MiFIR 600/2014

    ESMA Markets in Financial Instruments Directive MiFID II & MiFIR 600/2014
    The European Securities and Markets Authority (ESMA) and the European Union have issued the Markets in Financial Instruments Directive II (MiFID II) and the associated Markets in Financial Instruments Regulation (MiFIR), Regulation (EU) No 600/2014, to promote fairer, safer and more efficient markets and to facilitate greater transparency for all participants. For more information, see https://www.esma.europa.eu/policy-rules/mifid-ii-and-mifir

    FINMA

    Financial Market Supervisory Authority Circular 2018/3
    The Swiss Financial Market Supervisory Authority (FINMA) is responsible for the supervision and regulation of Swiss banks, insurance companies, and securities dealers. FINMA’s Circular 2018/3 “Outsourcing – banks and insurers” sets a number of requirements for financial services organizations when they outsource any significant business activity. The Swiss Banking Association (SBA) has developed further guidance for the secure use of cloud services by banks and securities dealers. For more information, see https://www.finma.ch/

    G-Cloud

    UK Government G-Cloud Framework
    The UK Government G-Cloud is a procurement initiative that streamlines the purchase of cloud computing by public-sector bodies and UK government departments. The G-Cloud Framework enables public entities to purchase cloud services under government-approved contracts via an online Digital Marketplace. For more information, see https://www.gov.uk/digital-marketplace

    GDPR

    General Data Protection Regulation
    The General Data Protection Regulation 2016/679 (GDPR) is a regulation in European Union (EU) law on data protection and privacy. It applies to all entities processing data about EU residents, regardless of the company’s location and/or where the data is stored. For more information, see https://gdpr-info.eu/

    IT Grundschutz

    IT-Grundschutz: Information Security Management System assessment against BSI standards
    The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) created a framework for information security (IT-Grundschutz). IT-Grundschutz comprises:

    • BSI Standard 200-1: provides the general requirements for an ISMS
    • BSI Standard 200-2: explains how an ISMS can be built based on one of three different approaches
    • BSI Standard 200-3: contains all risk-related tasks
    • BSI Standard 100-4: covers Business Continuity Management (BCM)
    For more information, see https://www.bsi.bund.de

    ITHC

    National Cyber Security Centre IT Health Check (ITHC)
    The IT Health Check (ITHC) is an IT security assessment required, as part of an accreditation process, for many government computer systems in the UK. For more information, see https://www.gov.uk/government/publications/it-health-check-ithc-supporting-guidance

    NCA ECC

    National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC)
    The National Cybersecurity Authority (NCA) developed the Essential Cybersecurity Controls (ECC) to define the minimum set of cybersecurity requirements for national organizations in Saudi Arabia. The intent is to establish controls that set the minimum requirements for the information and technology assets of those organizations. For more information, see https://www.my.gov.sa/

    POPIA

    Protection of Personal Information Act (POPIA)
    The Protection of Personal Information Act (POPIA) is a South African law intended to "promote the protection of personal information processed by public and private bodies." POPIA sets general conditions for public and private entities to lawfully process South African data subjects’ personal information. For more information, see https://popia.co.za/act/.

    SAMA CSF

    Saudi Arabian Monetary Authority Cyber Security Framework
    The Cyber Security Framework was developed by the Saudi Arabian Monetary Authority (SAMA) to enable financial institutions to identify and address risks related to cybersecurity. For more information, see https://www.sama.gov.sa/en-US/

    UK NCSC Cloud Security Principles

    UK National Cyber Security Centre (NCSC) Cloud Security Principles
    The UK National Cyber Security Centre (NCSC) is chartered to improve the security of, and protect, the UK internet and critical services against cyberattacks. The NCSC’s 14 Cloud Security Principles outline the requirements that cloud services should meet, including considerations for data-in-transit protection, supply chain security, identity and authentication, and secure use of the service. For more information, see https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles


    Asia Pacific

    ABS Guide

    Association of Banks in Singapore (ABS) Cloud Computing Implementation Guide
    The Association of Banks in Singapore (ABS) is an industry association representing commercial and investment banking institutions in Singapore. The ABS Cloud Computing Implementation Guide 2.0 (ABS Guide) provides best-practice recommendations and considerations for the adoption of cloud technologies, including guidelines for due diligence, vendor management, and key controls. For more information, see https://abs.org.sg/industry-guidelines/outsourcing

    APRA CPS 231

    Australian Prudential Regulations for Outsourcing: CPS 231, SPS 231 and HPS 231
    The Australian Prudential Regulation Authority (APRA) is the regulator of financial services in Australia. APRA is responsible for issuing standards that regulate the operations of banks, credit unions, and insurance companies that do business in Australia. APRA’s Prudential Standard CPS 231 Outsourcing (CPS 231), Prudential Standard SPS 231 Outsourcing (SPS 231), and Prudential Standard HPS 231 Outsourcing (HPS 231) set forth requirements to ensure that risks associated with outsourcing arrangements are identified, assessed, managed and reported. APRA has also published an Information Paper on Outsourcing Involving Cloud Computing Services. For more information, see https://www.apra.gov.au/sites/default/files/information_paper_-_outsourcing_involving_cloud_computing_services.pdf

    FISC

    Financial Industry Information Systems Security Guidelines
    The Center for Financial Industry Information Systems (FISC), created by the Japanese Ministry of Finance, consists of financial institutions, insurance companies and securities firms, as well as computer manufacturers and telecommunication companies. The organization established the FISC Security Guidelines in 1985. These guidelines provide basic standards for the architecture and operation of information systems at banks and other related financial institutions. For more information, see https://www.fisc.or.jp

    IRDAI Regulation /5/142/2017, Outsourcing of Activities by Indian Insurers

    Insurance Regulatory and Development Authority of India (IRDAI) Regulation /5/142/2017, Outsourcing of Activities by Indian Insurers
    The Insurance Regulatory and Development Authority of India (IRDAI) issued the IRDAI Regulations, Outsourcing of Activities by Indian Insurers. These regulations cover outsourcing and provide risk management guidelines and requirements for the insurance industry across India. For more information, see https://www.irdai.gov.in/ADMINCMS/cms/Uploadedfiles/Regulations/Consolidated/IRDAI%20(Outsourcing%20of%20Activities%20by%20Indian%20Insurers)%C2%A0Regulations%202017.pdf

    My Number Act

    My Number Act (Japan)
    The My Number Act, issued by the Personal Information Protection Commission (PPC), was enacted by the government of Japan in 2016. The intent is to ensure that organizations properly handle and adequately protect personal data, including My Number data, as required by law. For more information, see https://www.ppc.go.jp/en/

    NISC

    National Center of Incident Readiness and Strategy for Cybersecurity
    The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was established in 2015. The governing body is responsible for monitoring government-related organizations that handle large volumes of personal information, both inside and outside the cloud sector. It is intended to design a wide range of security guidelines for government entities to follow, which promote efficient and effective cybersecurity measures and legal compliance. For more information, see https://www.nisc.go.jp/eng/

    RBI Guidelines on Information Security

    Reserve Bank of India (RBI) Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds
    The Reserve Bank of India (RBI) has issued Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds for financial institutions. These guidelines include requirements for governance of information security and information technology (IT) within banks. For more information, see https://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf

    Three Ministries Guidelines

    The Three Ministries Guidelines are issued by three Japanese government ministries with responsibilities in the healthcare sector. Each ministry has its own set of guidelines and requirements for cloud providers. The intent is to ensure that the cloud service provider conforms to the security guidelines identified by the three ministries. For more information, see:
    Ministry of Economy, Trade and Industry: https://www.meti.go.jp/english/
    Ministry of Internal Affairs and Communications: https://www.soumu.go.jp/english/
    Ministry of Health, Labour and Welfare: https://www.mhlw.go.jp/english/