
Oracle Cloud Compliance

Oracle is committed to helping customers operate globally in a fast-changing business environment and address the challenges of an ever more complex regulatory environment.

Shared Responsibility Model

Cloud computing is fundamentally different from traditionally on-premises computing. In the traditional model, organizations are typically in full control of their technology infrastructure located on-premises (e.g., physical control of the hardware, and full control over the technology stack in production). In the cloud, organizations leverage resources and practices that are under the control of the cloud service provider, while still retaining some control and responsibility over other components of their IT solution. As a result, managing security and privacy in the cloud is often a shared responsibility between the cloud customer and the cloud service provider. The distribution of responsibilities between the cloud service provider and customer also varies based on the nature of the cloud service (IaaS, PaaS, SaaS).

Before deploying Oracle cloud services, Oracle strongly recommends that cloud customers formally analyze their cloud strategy to determine the suitability of using the applicable Oracle cloud services in light of their own legal and regulatory compliance obligations. Making this determination remains solely the responsibility of customers.

Attestations

Oracle provides information about frameworks for which an Oracle line of business has achieved a third-party attestation or certification for one or more of its services in the form of “attestations.” These attestations can assist in your compliance and reporting, providing independent assessment of the security, privacy and compliance controls of the applicable Oracle cloud services. In reviewing these third-party attestations, it is important that you consider they are generally specific to a certain cloud service and may also be specific to a certain data center or geographic region. Clicking on a compliance framework retrieves the relevant detail. Please note that this information is subject to change and may be updated frequently, is provided “as-is” and without warranty and is not incorporated into contracts.

Customers can obtain more information about available attestations by contacting their Oracle sales representative.

Global

Table columns: Attestation | Oracle Cloud Infrastructure | Oracle Applications | NetSuite | Oracle Industries | Oracle Advertising

CSA STAR: Cloud Security Alliance Security Trust Assurance and Risk

The Cloud Security Alliance (CSA) is an organization that promotes best practices for providing security assurance in cloud computing. The CSA Security Trust, Assurance and Risk (STAR) attestation provides for an assessment to be performed by a reputable third party that affirms implementation of necessary security controls. This assessment is based on the CSA Cloud Controls Matrix (CCM) and controls from SOC 2 and ISO/IEC 27001. For more information, see https://cloudsecurityalliance.org/star/

Attestation status: yes for 2 of the 5 lines of business listed.
ISO 9001: Quality Management Systems

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) form the specialized system for worldwide standardization. The ISO 9001 standard family is based on a number of quality management principles including a strong customer focus. It is intended “to help organizations demonstrate its ability to consistently provide customers good quality products and services.” For more information, see https://www.iso.org/iso-9001-quality-management.html

Attestation status: yes for 1 of the 5 lines of business listed.
ISO/IEC 20000-1: Service Management Systems

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted the internationally recognized ISO/IEC 20000-1 service management system (SMS) standard. It is intended to help design, transition, deliver and improve services to fulfil agreed service requirements. For more information, see https://www.iso.org/standard/51986.html

Attestation status: yes for 1 of the 5 lines of business listed.
ISO/IEC 27001: Information Security Management Systems

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted the internationally recognized ISO/IEC 27001 Standard. It is intended to provide guidance for establishment and continuous improvement of an information security management system (ISMS) within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. For more information, see https://www.iso.org/isoiec-27001-information-security.html

Attestation status: yes for 4 of the 5 lines of business listed.
ISO/IEC 27017: Cloud Specific Controls

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted ISO/IEC 27017, a set of guidelines for information security controls applicable to the provision and use of cloud services. It is intended to provide additional implementation guidance for relevant controls specified in ISO/IEC 27002 and guidance that specifically relates to cloud services. For more information, see https://www.iso.org/standard/54533.html

Attestation status: yes for 2 of the 5 lines of business listed.
ISO/IEC 27018: Personal Information Protection Controls

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted ISO/IEC 27018, to be used in conjunction with the information security objectives and controls in ISO/IEC 27002. It is intended to create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a Personally Identifiable Information (PII) processor. For more information, see https://www.iso.org/standard/76559.html

Attestation status: yes for 3 of the 5 lines of business listed.
ISO/IEC 27701: Privacy Information Management

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted ISO/IEC 27701. It is intended to provide guidance for the establishment and continuous improvement of a Privacy Information Management System (PIMS) which is processing Personally Identifiable Information (PII). This standard is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management. For more information, see https://www.iso.org/standard/71670.html

Attestation status: yes for 1 of the 5 lines of business listed.
PCI DSS: Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. It is intended to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security practices globally. The PCI DSS standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council (PCI SSC). For more information, see https://www.pcisecuritystandards.org/

Attestation status: yes for 4 of the 5 lines of business listed.
SOC 1: System and Organization Controls 1

The System and Organization Controls (SOC) is a program from the American Institute of Certified Public Accountants (AICPA). It is intended to provide internal control reports on the services provided by a service organization. A SOC 1 report helps companies to establish trust and confidence in their service delivery processes and controls. The intent of these reports focuses on Internal Controls over Financial Reporting (ICFR). For more information, see https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

Attestation status: yes for 4 of the 5 lines of business listed.
SOC 2: System and Organization Controls 2

The System and Organization Controls (SOC) is a program from the American Institute of Certified Public Accountants (AICPA). It is intended to provide internal control reports on the services provided by a service organization. A SOC 2 report outlines information related to a service organization’s internal controls for the security, availability, processing integrity, confidentiality or privacy Trust Criteria. The intent of this report is to provide detailed information and assurance about the controls relevant to security, availability, and processing integrity of the systems used to process users’ data and the confidentiality and privacy of the information processed by these systems. For more information, see https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

Attestation status: yes for all 5 lines of business listed.
SOC 3: System and Organization Controls 3

The System and Organization Controls (SOC) is a program from the American Institute of Certified Public Accountants (AICPA). It is intended to provide internal control reports on the services provided by a service organization. A SOC 3 report outlines information related to a service organization’s internal controls for security, availability, processing integrity, confidentiality or privacy. These reports are shorter than SOC 2 reports and contain fewer details. For more information, see https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

Attestation status: yes for 1 of the 5 lines of business listed.

Americas

Table columns: Attestation | Oracle Cloud Infrastructure | Oracle Applications | NetSuite | Oracle Industries | Oracle Advertising

DoD DISA SRG: Department of Defense, Defense Information Systems Agency, Security Requirements Guide

The Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (CC SRG) outlines how the US Department of Defense (DoD) will assess the security posture of non-DoD cloud service providers (CSPs). Additionally, the CC SRG explains how non-DoD CSPs can show they meet the security controls and requirements before handling any DoD data.

The CC SRG provides for the following categorization:

  • Impact Level 2: Data cleared for public release (note: Level 1 was combined with Level 2)
  • Impact Level 4: Controlled unclassified information (CUI) over the Non-Secure Internet Protocol Router Network (NIPRNet). CUI includes protected health information (PHI), privacy information (PII) and export controlled data (note: Level 3 was combined with Level 4)
  • Impact Level 5: Higher sensitivity CUI, mission-critical information, or NSS over NIPRNet
  • Impact Level 6: Classified data over the Secret Internet Protocol Router Network (SIPRNet)

For more information, see https://dl.dod.cyber.mil/wp-content/uploads/cloud/pdf/Cloud_Computing_SRG_v1r3.pdf

Attestation status: yes for 1 of the 5 lines of business listed.
FedRAMP: Federal Risk and Authorization Management Program

The Federal Risk and Authorization Management Program (FedRAMP) is a US government program designed to provide a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services. US federal agencies are directed by the Office of Management and Budget (OMB) to leverage FedRAMP to ensure security is in place when accessing cloud products and services.

FedRAMP uses the National Institute of Standards and Technology (NIST) Special Publication 800-53, which provides a catalog of security controls for all US federal information systems. FedRAMP requires cloud service providers (CSPs) to receive an independent security review performed by a third-party assessment organization (3PAO) to ensure authorizations are compliant with the Federal Information Security Management Act (FISMA).

For more information, see https://marketplace.fedramp.gov/#!/products?sort=productName&productNameSearch=oracle

Attestation status: yes for 2 of the 5 lines of business listed.
FIPS 140: Federal Information Processing Standards Publication 140

The Federal Information Processing Standard Publication 140-2 (FIPS 140-2) is a US government security standard published by the National Institute of Standards and Technology (NIST) that specifies the security requirements related to the design and implementation of cryptographic modules protecting sensitive data. For more information, see https://csrc.nist.gov/publications/detail/fips/140/2/final

Learn more about Oracle's FIPS certifications: https://www.oracle.com/corporate/security-practices/assurance/development/external-security-evaluations/fips/certifications.html

Attestation status: not applicable for all 5 lines of business listed.
HITRUST CSF: Health Information Trust Alliance Common Security Framework

The Health Information Trust Alliance (HITRUST) is an organization representing the healthcare industry. HITRUST created and maintains the Common Security Framework (CSF), a framework against which cloud service providers (CSPs) and covered health entities can demonstrate compliance with US Health Insurance Portability and Accountability Act (HIPAA) requirements. For more information, see https://hitrustalliance.net/

Attestation status: yes for 1 of the 5 lines of business listed.
HIPAA: Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law. It requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. For more information, see https://www.hhs.gov/hipaa/

Attestation status: yes for 3 of the 5 lines of business listed.

Europe, Middle East, and Africa

Table columns: Attestation | Oracle Cloud Infrastructure | Oracle Applications | NetSuite | Oracle Industries | Oracle Advertising

C5: Cloud Computing Compliance Controls Catalog

The Cloud Computing Compliance Controls Catalog (C5) was created by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) in 2016. The intent of this standard is to establish a mandatory minimum baseline for cloud security and the adoption of public cloud solutions by German government agencies and organizations that work with the government. For more information, see https://www.bsi.bund.de/EN/

Attestation status: yes for 2 of the 5 lines of business listed.
Cyber Essentials Plus

Cyber Essentials is a UK government scheme intended to help participating organizations protect themselves against a whole range of the most common cyber-attacks. The scheme intends to establish more rigorous testing of the organization’s cyber security systems, where cyber security experts carry out vulnerability tests to make sure the organization is protected against basic hacking and phishing attacks. For more information, see https://www.ncsc.gov.uk/cyberessentials/overview

Attestation status: yes for 1 of the 5 lines of business listed.
ENS: Esquema Nacional de Seguridad (Law 11/2007)

Law 11/2007 in Spain establishes a legal framework to give citizens electronic access to government and public services. Aligned with the ISO/IEC 27001 Standard, the framework defines a set of security controls for availability, authenticity, integrity, confidentiality, and traceability. The certification establishes security standards that apply to all government agencies and public organizations in Spain, as well as related service providers. For more information, see https://administracionelectronica.gob.es/pae_Home/pae_Estrategias/pae_Seguridad_Inicio/pae_Esquema_Nacional_de_Seguridad.html?idioma=en#.YH9f2edlCUm

Attestation status: yes for 3 of the 5 lines of business listed.
HDS: Hébergeur de Données de Santé

Hébergeur de Données de Santé (HDS) is a formal certification required by French law. It is required for any commercial organization that controls, stores, processes, or transmits personally identifiable healthcare information in France. For more information, see https://esante.gouv.fr/labels-certifications/hebergement-des-donnees-de-sante

Attestation status: yes for 2 of the 5 lines of business listed.
TISAX: Trusted Information Security Assessment Exchange

The Trusted Information Security Assessment Exchange (TISAX) is an assessment and exchange mechanism for the information security of enterprises and allows recognition of assessment results among the participants. It is maintained by the ENX Association, an organization consisting of automobile manufacturers, suppliers and national automotive associations. For more information, see https://enx.com/en-US/TISAX/

Attestation status: yes for 2 of the 5 lines of business listed.
UAE IAR Information Security Requirements: United Arab Emirates (UAE) Information Assurance Regulation (IAR) Information Security Requirements

The United Arab Emirates (UAE) Telecommunication Regulatory Authority (TRA) has issued the Information Assurance Regulation (IAR) to provide information security requirements for the critical infrastructure sectors in the UAE. TRA-designated entities are required to implement the IAR framework and apply its requirements to the use, processing, storage, and transmission of information or data. For more information, see https://www.tdra.gov.ae/en/about-tra/telecommunication-sector/regulations-and-ruling/details.aspx#documents

Attestation status: yes for 2 of the 5 lines of business listed.

Asia Pacific

Table columns: Attestation | Oracle Cloud Infrastructure | Oracle Applications | NetSuite | Oracle Industries | Oracle Advertising

IRAP: Information Security Registered Assessors Program

The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative. IRAP is the assessors' program developed by the Australian Cyber Security Centre (ASD/ACSC) for assessing cloud services for government and non-government agency use. It is intended “to provide the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to Australian governments”. For more information, see https://www.cyber.gov.au/acsc/view-all-content/programs/irap

Attestation status: yes for 2 of the 5 lines of business listed.
ISMS (formerly K-ISMS): Information Security Management System

The Korean Information Security Management System (formerly K-ISMS, now ISMS) is a country-specific ISMS framework. It is intended to define a set of control requirements designed to help ensure that organizations in Korea consistently and securely protect their information assets. For more information, see https://www.oecd.org/korea/koreasinformationsecurityinitiatives.htm

Attestation status: yes for 1 of the 5 lines of business listed.
MeitY: Ministry of Electronics and Information Technology Policy

The Ministry of Electronics and Information Technology (MeitY) is an agency in India that provides policy guidelines to all government and state public sector organizations. It is intended to certify cloud services as compliant against a predefined set of standards and guidelines on security, interoperability, data portability, service level agreement, and contractual terms and conditions. For more information, see https://www.meity.gov.in/

Attestation status: yes for 1 of the 5 lines of business listed.

Advisories

Oracle provides general information and technical recommendations for the use of its cloud services in the form of “advisories.” These advisories are provided to help you in your determination of the suitability of using specific Oracle cloud services as well as to assist you in implementing specific technical controls that may help you meet your compliance obligations. Please note that these advisories are not legal advice and you remain solely responsible for determining if a specific Oracle cloud service and/or configuration meets your legal and regulatory obligations.

Global

GxP

GxP Good Practice Guidelines
The Good Practice (GxP) guidelines and regulations comprise a set of global guidelines for traceability, accountability and data integrity. They are intended to ensure that food, medical devices, drugs and other life science products are safe, while maintaining the quality of processes throughout every stage of manufacturing, control, storage, and distribution. Some of the primary regulators include Food & Drug Administration (FDA) in the US, Therapeutic Goods Administration (TGA) in Australia, and Health Canada | Santé Canada (HC-SC) in Canada. GxP includes varied regulation sets, but the most common are GCP, GLP, and GMP. For more information, see https://www.fda.gov/drugs/guidance-compliance-regulatory-information.


Americas

CCPA

California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) is a bill passed by the California State Legislature and signed into law on June 28, 2018, and amended on September 23, 2018. The CCPA provides for the following:

  • The right of Californians to know what personal information is being collected about them.
  • The right of Californians to know whether their personal information is sold or disclosed and to whom.
  • The right of Californians to say no to the sale of personal information.
  • The right of Californians to access their personal information.
  • The right of Californians to equal service and price, even if they exercise their privacy rights.

For more information, see https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375

CJIS

Criminal Justice Information Services Security Policy
The US Federal Bureau of Investigation (FBI) Criminal Justice Information Services Division (CJIS) sets standards for information security, guidelines, and agreements for protecting Criminal Justice Information (CJI). The CJIS Security Policy describes the controls to protect sources, transmission, storage and access to data. For more information, see https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

FFIEC Cybersecurity Assessment Tool

Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment
The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that is responsible for the federal examination of financial institutions in the United States. The FFIEC has developed a Cybersecurity Assessment Tool (Assessment) to help financial institutions identify their risks and determine their cybersecurity maturity. The Assessment provides guidance for financial institutions on developing an Inherent Risk Profile and identifying their level of Cybersecurity Maturity. For more information, see https://www.ffiec.gov/cyberassessmenttool.htm

ICD 503

Intelligence Community (IC) Information Technology Systems Security Risk Management Directive 503
The U.S. Director of National Intelligence published Intelligence Community Directive (ICD) 503 Intelligence Community (IC) Information Technology Systems Security Risk Management, Certification, and Accreditation in September 2008. ICD 503 sets IC policy for processes related to security risk management, certification, and accreditation. For more information, see https://www.dni.gov/index.php/what-we-do/ic-related-menus/ic-related-links/intelligence-community-directives

IRS 1075

Internal Revenue Service Publication 1075
The US Internal Revenue Service Publication 1075 (IRS 1075) applies to organizations that process or maintain US Federal Tax Information. The intent is “to address any public request for sensitive information and prevent disclosure of data that would put Federal Tax Information (FTI) at risk.” For more information, see https://www.irs.gov/

ITAR

International Traffic in Arms Regulations
The International Traffic in Arms Regulations (ITAR) is a US requirement. It is intended to restrict and control the export of defense and military related technologies to safeguard US national security and further US foreign policy objectives. For more information, see https://www.federalregister.gov/documents/2020/01/23/2020-00574/international-traffic-in-arms-regulations-us-munitions-list-categories-i-ii-and-iii

LGPD

Lei Geral de Proteção de Dados
Brazil’s Lei Geral de Proteção de Dados (LGPD) was passed in August 2018 with the intent to promote and protect privacy and to regulate how Brazilian companies handle personal information. The legislation covers all companies that offer services or have operations involving data handling in Brazil. For more information, see https://www.lgpdbrasil.com.br/

MARS-E

Minimum Acceptable Risk Standards for Exchanges
The U.S. Department of Health and Human Services established the Minimum Acceptable Risk Standards for Exchanges (MARS-E) under the Affordable Care Act (ACA) of 2010. It is intended to ensure secure handling of Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI) of US citizens. For more information, see https://www.hhs.gov/guidance/document/minimum-acceptable-risk-standards-exchanges-mars-e-20

NERC CIP

North American Electric Reliability Corporation Critical Infrastructure Protection
The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose aim is to ensure effective and efficient reduction of risks to the reliability and security of the bulk power grid. NERC develops and enforces reliability standards and is subject to oversight by the US Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. NERC Critical Infrastructure Protection (CIP) cybersecurity standards mandate a range of security programs for the power industry within the United States and Canada. For more information, see https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx

NIST SP 800-171

NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
The National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” provides security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). Federal agencies use the requirements in contractual vehicles or other agreements established between those agencies and nonfederal organizations. The requirements apply to all nonfederal information systems and organizations that process, store, or transmit CUI. For more information, see https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

PIPEDA

Personal Information Protection and Electronic Documents Act
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law relating to data privacy. It is intended “to govern how private sector organizations collect, use and disclose personal information in the course of commercial business.” For more information, see https://www.priv.gc.ca/en/

Protected B

Federal government contracts in Canada contain clauses with security requirements that specify levels of security for sensitive information, assets and work sites. The Canadian government has established levels for protection of information and assets, and Level B applies to information or assets whose loss or damage could cause serious injury to an individual, organization or government. For more information, see https://cloud-broker.canada.ca/s/central-provider-page-v2

SEC Rule 17a-4(f), FINRA Rule 4511(c), CFTC Rule 1.31(c)-(d) Electronic Records Retention Requirements

Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and Commodity Futures Trading Commission (CFTC) Electronic Records Retention Requirements
Financial institutions trading in regulated securities in the US may be subject to special regulatory requirements for electronic records retention by the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the Commodity Futures Trading Commission (CFTC). These requirements may include SEC Rule 17a-4(f), FINRA Rule 4511(c), and CFTC Regulation 1.31(c)-(d). For more information, see the following resources:

  • SEC Rule 17a-4(f): https://www.sec.gov/rules/interp/34-47806.htm
  • FINRA Rule 4511(c): https://www.finra.org/rules-guidance/rulebooks/finra-rules/4511
  • CFTC Rule 1.31(c)-(d): https://www.cftc.gov/sites/default/files/opa/press99/opa4266-99-attch.htm


Europe, Middle East, and Africa

CITC CCRF

Communications and Information Technology Commission Cloud Computing Regulatory Framework (CCRF)
The Communications and Information Technology Commission (CITC) in Saudi Arabia published a Cloud Computing Regulatory Framework (CCRF) based on international best practices and analysis that outlines the rights and obligation of cloud service providers and cloud customers in Saudi Arabia. Cloud service providers must register with CITC to demonstrate alignment with this framework. For more information, see https://www.citc.gov.sa

DSPT

UK NHS Data Security and Protection Toolkit
The Data Security and Protection Toolkit (DSPT) is a self-assessment tool that measures performance against the United Kingdom’s National Health Service (NHS) 10 data security standards. Any organizations that have access to NHS patient data and systems must use this toolkit to provide assurance that they practice good data security and that personal information is handled correctly. For more information, see https://www.dsptoolkit.nhs.uk/

EBA

European Banking Authority Guidelines on Outsourcing Arrangements
The European Banking Authority (EBA), an EU financial supervisory authority, produces the EBA Guidelines on outsourcing arrangements to provide financial institutions guidance for outsourcing arrangements such as cloud services. For more information, see https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-outsourcing-arrangements

ENISA Cloud Computing IAF

European Union Agency for Cybersecurity Information Assurance Framework
The European Union Agency for Cybersecurity (ENISA) is a European agency that contributes to European cybersecurity policy and supports member states and other stakeholders of the Union when large-scale cyber incidents occur. ENISA has created a set of assurance criteria called the Information Assurance Framework (IAF) that is designed to help consumers of cloud services to:

  • Assess the risk of adopting cloud services
  • Compare different cloud providers' offerings
  • Obtain assurances from the selected cloud providers
  • Reduce the assurance burden on cloud providers

For more information, see https://www.enisa.europa.eu/publications/cloud-computing-information-assurance-framework

ESMA MiFID II & MiFIR 600/2014

ESMA Markets in Financial Instruments Directive MiFID II & MiFIR 600/2014
The European Securities and Markets Authority (ESMA) and European Union have issued Markets in Financial Instruments Directive II (MiFID 2) and associated Markets in Financial Instruments (MiFIR) Regulation (EU) No 600/2014 to promote fairer, safer and more efficient markets and facilitate greater transparency for all participants. For more information, see https://www.esma.europa.eu/policy-rules/mifid-ii-and-mifir

FINMA

Financial Market Supervisory Authority Circular 2018/3
The Swiss Financial Market Supervisory Authority (FINMA) is responsible for the supervision and regulation of Swiss banks, insurance companies, and securities dealers. FINMA’s Circular 2018/3 Outsourcing—banks and insurers sets a number of requirements for financial services organizations when they outsource any significant business activity. The Swiss Banking Association (SBA) has developed further guidance for the secure use of cloud services by banks and securities dealers. For more information, see https://www.finma.ch/

G-Cloud

UK Government G-Cloud Framework
The UK Government G-Cloud is a procurement initiative for streamlining cloud-computing procurement by public-sector bodies in departments of the UK government. The G-Cloud Framework enables public entities to purchase cloud services on government-approved contracts via an online Digital Marketplace. For more information, see https://www.gov.uk/digital-marketplace

GDPR

General Data Protection Regulation
The General Data Protection Regulation 2016/679 (GDPR) is a regulation in European Union (EU) law on data protection and privacy. It applies to all entities processing data about EU residents, regardless of company location and /or locale of data storage. For more information, see https://gdpr-info.eu/

IT Grundschutz

IT Grundschutz: Security Information System assessment against BSI standards
The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) created a framework for information security (IT-Grundschutz). IT-Grundschutz comprises:
    •BSI Standard 200-1: provides the general requirements for an ISMS
    •BSI Standard 200-2: explains how an ISMS can be built based on one of three different approaches
    •BSI Standard 200-3: contains all risk-related tasks
    •BSI Standard 100-4: covers Business Continuity Management (BCM)
For more information, see https://www.bsi.bund.de

ITHC

National Cyber Security Centre IT Health Check (ITHC)
The IT Health Check (ITHC) is an IT security assessment required, as part of an accreditation process, for many government computer systems in the UK. For more information, see https://www.gov.uk/government/publications/it-health-check-ithc-supporting-guidance

NCA ECC

National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC)
The National Cybersecurity Authority (NCA) developed the Essential Cybersecurity Controls (ECC) to define the minimum set of cybersecurity requirements for national organizations in Saudi Arabia. The intent is to establish controls that set the minimum requirements for the information and technology assets of those organizations. For more information, see https://www.my.gov.sa/

SAMA CSF

Saudi Arabian Monetary Authority Cyber Security Framework
The Cyber Security Framework was developed by Saudi Arabian Monetary Authority (SAMA) to enable financial institutions to identify and address risks related to cyber security. For more information, see https://www.sama.gov.sa/en-US/

UK Cloud Security Principles

United Kingdom (UK) Cloud Security Principles
The UK National Cyber Security Centre (NCSC) developed a framework of 14 Cloud Security Principles designed to help public sector and enterprise organisations evaluate the security of cloud services. The NCSC's cloud security guidance provides details and context including their goals and technical implementation in the following information security control areas: data in transit, asset protection and resilience, separation between users, governance framework, operations, personnel, secure development, supply chain, secure user management, identity and authentication, external interface protection, service administration, audit information for users, and usage of the service. For more information, see https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles

UK NCSC Cloud Security Principles

UK National Cyber Security Centre (NCSC) Cloud Security Principles
The UK National Cyber Security Centre (NCSC) is chartered to improve the security of and protect the UK internet and critical services from cyberattacks. The NCSC’s 14 Cloud Security Principles outline the requirements that cloud services should meet including considerations for data in-transit protection, supply chain security, identity and authentication, and secure use of the service. For more information, see https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles


Asia Pacific

ABS Guide

Association of Banks in Singapore (ABS) Cloud Computing Implementation Guide
The Association of Banks in Singapore (ABS) is an industry association representing commercial and investment banking institutions in Singapore. The ABS Cloud Computing Implementation Guide 2.0 (ABS Guide) provides best-practice recommendations and considerations for the adoption of cloud technologies, including guidelines for due diligence, vendor management, and key controls. For more information, see https://abs.org.sg/industry-guidelines/outsourcing

APRA CPS 231

Australian Prudential Regulations for Outsourcing: CPS 231, SPS 231 and HPS 231
The Australian Prudential Regulation Authority (APRA) is the regulator of financial services in Australia. APRA is responsible for issuing standards that regulate the operations of banks, credit unions, and insurance companies that operate business in Australia. APRA’s Prudential Standard CPS 231 Outsourcing (CPS 231), Prudential Standard SPS 231 Outsourcing (SPS 231), and Prudential Standard HPS 231 Outsourcing (HPS 231) set forth requirements to ensure that risks associated with outsourcing arrangements are identified, assessed, managed and reported. APRA has also published an Information Paper on Outsourcing Involving Cloud Computing Services. For more information, see https://www.apra.gov.au/sites/default/files/information_paper_-_outsourcing_involving_cloud_computing_services.pdf

FISC

Financial Industry Information Systems Security Guidelines
The Center for Financial Industry Information Systems (FISC), created by the Japanese Ministry of Finance, consists of financial institutions, insurance companies and securities firms, as well as computer manufacturers and telecommunication companies. The organization established the FISC Security Guidelines in 1985. These guidelines provide basic standards for the architecture and operation of information systems for banking and other related financial institutions. For more information, see https://www.fisc.or.jp

IRDAI Regulation /5/142/2017, Outsourcing of Activities by Indian Insurers

Insurance Regulatory and Development Authority of India (IRDAI) Regulation /5/142/2017, Outsourcing of Activities by Indian Insurers
The Insurance Regulatory and Development Authority of India (IRDAI) issued IRDAI Regulations, Outsourcing of Activities by Indian Insurers. These regulations cover outsourcing and provide risk management guidelines and requirements for the insurance industry across India. For more information, see https://www.irdai.gov.in/ADMINCMS/cms/Uploadedfiles/Regulations/Consolidated/IRDAI%20 (Outsourcing%20of%20Activities%20by%20Indian%20Insurers)%C2%A0Regulations%202017.pdf

My Number Act

My Number Act (Japan)
The My Number Act, issued by the Personal Information Protection Commission (PPC), was enacted by the government of Japan in 2016. The intent is to ensure that organizations properly handle and adequately protect personal data, including My Number data, as required by law. For more information, see https://www.ppc.go.jp/en/

NISC

National Center of Incident Readiness and Strategy for Cybersecurity
The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was established in 2015. The governing body is responsible for monitoring government-related organizations that handle large volumes of personal information in and out of the cloud sector. It is intended to design a wide range of security guidelines for government entities to follow, which promote efficient and effective cybersecurity measures and legal compliance. For more information, see https://www.nisc.go.jp/eng/

RBI Guidelines on Information Security

Reserve Bank of India (RBI) Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds
The Reserve Bank of India (RBI) has issued Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds for financial institutions. These guidelines include requirements for governance of information security and information technology (IT) within banks. For more information, see https://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf

Three Ministries Guidelines

The Three Ministries Guidelines are issued by three Japanese government agencies with responsibilities in the healthcare sector. Each ministry has its own set of guidelines and requirements for cloud providers. The intent is to ensure that the cloud service provider conforms to the security guidelines identified by the three ministries. For more information, see:
Ministry of Economy, Trade and Industry: https://www.meti.go.jp/english/
Ministry of Internal Affairs and Communications: https://www.soumu.go.jp/english/
Ministry of Health, Labour and Welfare: https://www.mhlw.go.jp/english/