HKMAS Guidance
Explanatory note
The guidance below is intended solely to assist public-sector Cloud customers in the Asia-Pacific region, and enterprises recognised as "regulated entities" under the supervision of the Hong Kong Monetary Authority (HKMAS), who are considering outsourcing business functions to the Cloud and evaluating Atlassian Cloud products and related services.
This report contains only the information and recommendations that Atlassian provides to Cloud customers on how we support compliance with HKMA principles. In addition, we have produced a dedicated whitepaper, "Shared Responsibilities", which describes the obligations shared between a cloud service provider ("CSP") such as Atlassian and its customers when ensuring compliance with HKMA requirements. The shared responsibility model does not relieve customers using Atlassian Cloud products of their responsibility or risk, but it does make several aspects of security easier to address, including management of system components and physical protection of facilities. It also shifts part of the cost of security and regulatory compliance from customers to Atlassian.
For more on Atlassian's commitments to protecting customer data, see the Security Practices page.
Definitions
- AIs: authorised institutions
ID | HKMAS Guidance | Atlassian Response
---|---|---
Introduction | The Hong Kong Monetary Authority (HKMA) is the central banking institution in Hong Kong. It is responsible for supervising authorised institutions (AIs) with the aim of promoting the stability and integrity of the financial system. HKMA Outsourcing SA-2 outlines the HKMA's supervisory approach to outsourcing and the recommendations that AIs should address when outsourcing to third parties. Outsourcing SA-2 provides specific guidance on outsourcing agreements, customer data confidentiality, contingency planning, access to outsourced data, and concerns in relation to overseas outsourcing. | As per the requirements of HKMA's SA-2, AIs utilising Cloud service providers are expected to conduct due diligence, assess and address potential risks, and establish appropriate outsourcing agreements after conducting a comprehensive analysis. Although your agreement with Atlassian governs the terms of the engagement, we have provided guidance on how we assist AIs in complying with HKMA's requirements. If you would like to understand how these guidelines apply to your specific agreement, please contact our Enterprise Sales Team at https://www.atlassian.com/enterprise/contact?formType=product-features.
SA-2 Outsourcing Guidelines | |
Major Supervisory Concerns | |
Accountability | |
2.1.1 | In any outsourcing arrangement, the Board of Directors and management of AIs should retain ultimate accountability for the outsourced activity. Outsourcing can only allow them to transfer their day-to-day managerial responsibility, but not accountability, for an activity or a function to a service provider. AIs should therefore continue to retain ultimate control of the outsourced activity. | Atlassian's dedicated Shared Responsibilities whitepaper, available at https://www.atlassian.com/whitepapers/Cloud-security-shared-responsibilities, discusses the shared responsibilities that both a Cloud service provider, like Atlassian, and its customers need to keep in mind when ensuring compliance with HKMA requirements.
Risk Assessment | |
2.2.1 | The Board of Directors and management of AIs should ensure that the proposed outsourcing arrangement has been subject to a comprehensive risk assessment (in respect of operational, legal and reputation risk) and that all the risks identified have been adequately addressed before launch. Specifically, the risk assessment should cover inter alia the following: | Atlassian provides several resources to assist its customers in conducting the due diligence they require. For more information on Atlassian's security and operational practices, visit Atlassian's Trust Center at https://www.atlassian.com/trust, where you will find details of our security practices, compliance programs, and audit reports/security questionnaires.
2.2.1.1 | The importance and criticality of the services to be outsourced; | This is a customer consideration. Please also see row 9 (2.2.1), above.
2.2.1.2 | Reasons for the outsourcing (e.g. cost and benefit analysis); and | This is a customer consideration. Please also see row 9 (2.2.1), above.
2.2.1.3 | The impact on AIs' risk profile (in respect of operational, legal and reputation risks) of the outsourcing. | This is a customer consideration. Please also see row 9 (2.2.1), above.
2.2.2 | After AIs implement an outsourcing plan, they should regularly re-perform this assessment. | This is a customer consideration. Please also see row 9 (2.2.1), above.
Ability of Service Providers | |
2.3.1 | Before selecting a service provider AIs should perform appropriate due diligence. In assessing a provider, apart from the cost factor and quality of services AIs should take into account the provider's financial soundness, reputation, managerial skills, technical capabilities, operational capability and capacity, compatibility with the AIs' corporate culture and future development strategies, familiarity with the banking industry and capacity to keep pace with innovation in the market. | This is a customer consideration. Please also see row 9 (2.2.1), above.
2.3.2 | AIs should have controls in place (e.g. comparison with target service level) to monitor the performance of service providers on a continuous basis. | We publish service availability updates at https://status.atlassian.com and are committed to notifying customers of events that have a material impact on the availability of the Covered Cloud Products.
Outsourcing Agreement | |
2.4.1 | The type and level of services to be provided and the contractual liabilities and obligations of the service provider should be clearly set out in a service agreement between AIs and their service provider. | All engagements with customers are governed by a formal contract. See the standard customer terms.
2.4.2 | AIs should regularly (e.g. annually) review their outsourcing agreements. They should assess whether the agreements should be renegotiated and renewed to bring them in line with current market standards and to cope with changes in their business strategies. | This is a customer consideration.
2.4.3 | Where the service provider is a wholly-owned subsidiary of an AI or the head office or another branch of a foreign AI, a memorandum of understanding may be acceptable. | This is not applicable to Atlassian.
Customer Data Confidentiality | |
2.5.1 | AIs should ensure that the proposed outsourcing arrangement complies with relevant statutory requirements (e.g. the Personal Data (Privacy) Ordinance - PDPO) and common law customer confidentiality. This will generally involve seeking legal advice. | The default governing law of Atlassian's subscription agreements is California law. Please contact our Enterprise Sales Team (https://www.atlassian.com/enterprise/contact) for more details.
2.5.2 | AIs should have controls in place to ensure that the requirements of customer data confidentiality are observed and proper safeguards are established to protect the integrity and confidentiality of customer information. Typical safeguards include, among other things: | Atlassian maintains a robust information security program commensurate with the size and extent of the threats we face. We have made available several resources that provide details regarding the design, implementation, and operation of Atlassian's information security capability.
2.5.2.1 | Undertakings by the service provider that the company and its staff will abide by confidentiality rules, including taking account of the data protection principles set out in the PDPO; | See row 22 (2.5.1), above.
2.5.2.2 | AIs' contractual rights to take action against the service provider in the event of a breach of confidentiality; | See row 22 (2.5.1), above.
2.5.2.3 | Segregation or compartmentalisation of AIs' customer data from those of the service provider and its other clients; and | Atlassian Cloud is a multi-tenant SaaS platform. Multi-tenancy is a key feature of Atlassian Cloud that enables multiple customers to share one instance of the Jira or Confluence application layer while logically isolating each customer tenant's application data. Atlassian Cloud accomplishes this through the Tenant Context Service (TCS). Every user ID is associated with exactly one tenant, and that tenant context is used when accessing the Atlassian Cloud applications. For more information, see https://www.atlassian.com/trust/security/security-practices#tenant-isolation
2.5.2.4 | Access rights to AIs' data delegated to authorised employees of the service provider on a need basis. | Atlassian has an established workflow linking our HR management system and our access provisioning system. We use role-based access control based on pre-defined user profiles. All user accounts must be approved by management prior to being granted access to data, applications, infrastructure or network components.
2.5.3 | AIs should notify their customers in general terms of the possibility that their data may be outsourced. They should also give specific notice to customers of significant outsourcing initiatives, particularly where the outsourcing is to an overseas jurisdiction. | This is a customer consideration.
2.5.4 | In the event of a termination of the outsourcing agreement, for whatever reason, AIs should ensure that all customer data is either retrieved from the service provider or destroyed. | We provide customers with a broad right to terminate for convenience, which allows them to terminate in any circumstances.
Control Over Outsourced Activities | |
2.6.1 | In any outsourcing arrangement, AIs should ensure they have effective procedures for monitoring the performance of, and managing the relationship with, the service provider and the risks associated with the outsourced activity. | See row 16 (2.3.2) and row 23 (2.5.2), above.
2.6.2 | Such monitoring should cover, inter alia: |
2.6.2.1 | Contract performance; | See row 16 (2.3.2), above.
2.6.2.2 | Material problems encountered by the service provider; | We have a documented Security Incident Response Policy and Plan, the key principles of which include:
2.6.2.3 | Regular review of the service provider's financial condition and risk profile; and | See row 15 (2.3.1), above.
2.6.2.4 | The service provider's contingency plan, the results of testing thereof and the scope for improving it. | See row 41 (2.7.1), below.
2.6.3 | Responsibility for monitoring the service provider and the outsourced activity should be assigned to staff with appropriate expertise. | This is a customer consideration.
2.6.4 | AIs should establish reporting procedures which can promptly escalate problems relating to the outsourced activity to the attention of the management of the AI and their service providers. | This is a customer consideration. Please also see row 34 (2.6.2.2), above.
2.6.5 | The control procedures over the outsourcing arrangement should be subject to regular reviews by Internal Audit. | This is a customer consideration. Please also see row 46 (2.8.2), below.
Contingency Planning | |
2.7.1 | Contingency plans should be maintained and regularly tested by AIs and their service providers to ensure business continuity, e.g. in the event of a breakdown in the systems of the service provider or telecommunication problems with the host country. | We maintain business continuity plans and disaster recovery plans, as described on our Trust Center at https://www.atlassian.com/trust/security/security-practices#business-continuity-and-disaster-recovery-management. These plans are reviewed and tested at least annually.
2.7.2 | Contingency arrangements in respect of daily operational and systems problems would normally be covered in the service provider's own contingency plan. AIs should ensure that they have an adequate understanding of their service provider's contingency plan and consider the implications for their own contingency planning in the event that an outsourced service is interrupted due to failure of the service provider's system. | See row 41 (2.7.1), above.
2.7.3 | In establishing a viable contingency plan, AIs should consider, among other things, the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency, and the costs, time, and resources that would be involved. | This is a customer consideration. Please also see row 29 (2.5.4), above.
Access to Outsourced Data | |
2.8.1 | AIs should ensure that appropriate up-to-date records are maintained in their premises and kept available for inspection by the HKMA in accordance with §§55 and 56 of the Banking Ordinance and that data retrieved from the service providers are accurate and available in Hong Kong on a timely basis. | This is a customer consideration. Please also see row 29 (2.5.4), above.
2.8.2 | Access to data by the HKMA's examiners and the AI's internal and external auditors should not be impeded by the outsourcing. AIs should ensure that the outsourcing agreement with the service provider contains a clause which allows for supervisory inspection or review of the operations and controls of the service provider as they relate to the outsourced activity. | Atlassian grants certain audit, access and information rights to such regulated entities and their supervisory authorities in compliance with applicable laws. Our audit program is designed to allow qualifying customers and their supervisory authorities to audit the Covered Cloud Products effectively.
Additional Concerns in Relation to Overseas Outsourcing | |
2.9.1 | In addition to the issues mentioned in subsections 2.1 to 2.8 above, there are further concerns that need to be addressed in relation to overseas outsourcing: |
2.9.1.1 | Implications of the overseas outsourcing for AIs' risk profile - AIs should understand the risks arising from overseas outsourcing, taking into account relevant aspects of an overseas country (e.g. legal system, regulatory regime, sophistication of technology, infrastructure); | Certain Covered Cloud Products include in-product data residency functionality, as further described at https://support.atlassian.com/security-and-access-policies/docs/understand-data-residency/, which allows our customers' administrators to pin in-scope product data to a location of their choice. Our Cloud hosting infrastructure is described at https://www.atlassian.com/trust/reliability/Cloud-architecture-and-operational-practices#atlassian-Cloud-hosting-architecture.
2.9.1.2 | Right of access to customers' data by overseas authorities such as the police and tax authorities - AIs should generally obtain a legal opinion from an international or other reputable legal firm in the relevant jurisdiction on this matter. This will enable them to be informed of the extent and the authorities to which they are legally bound to provide information. Right of access by such parties may be unavoidable due to compulsion of law. AIs should therefore conduct a risk assessment to evaluate the extent and possibility of such access taking place. AIs should notify the HKMA if overseas authorities seek access to their customers' data. If such access seems unwarranted the HKMA reserves the right to require the AI to take steps to make alternative arrangements for the outsourced activity; | Atlassian only provides customer data to third parties in accordance with our Guidelines for Law Enforcement Requests. Details of these guidelines can be found at https://www.atlassian.com/trust/privacy/guidelines-for-law-enforcement.
2.9.1.3 | Notification to customers - AIs should generally notify their customers of the country in which the service provider is located (and of any subsequent changes) and the right of access, if any, available to the overseas authorities; | See row 49 (2.9.1.1) and row 50 (2.9.1.2), above.
2.9.1.4 | Right of access to customers' data for examination by the HKMA after outsourcing - AIs should not outsource to a jurisdiction which is inadequately regulated or which has secrecy laws that may hamper access to data by the HKMA or AIs' external auditors. They should ensure that the HKMA has right of access to data. Such right of access should be confirmed in writing by both AIs and their home or host authorities, as the case may be; | See row 46 (2.8.2), above.
2.9.1.5 | §33 of the PDPO in respect of transfer of personal data outside Hong Kong - although §33 has not yet come into operation, AIs are advised to take account of the provisions therein and the potential impact on their plans in respect of overseas outsourcing; and | See row 23 (2.5.2), above.
2.9.1.6 | Governing law of the outsourcing agreement - the agreement should preferably be governed by Hong Kong law. | See row 22 (2.5.1), above.
2.9.2 | In the case of a locally incorporated AI, a principal concern is the ability of the HKMA to exercise its legal powers under the Banking Ordinance effectively if there is limited cooperation by the service provider. Accordingly, where a local AI is planning to outsource, for example, a major part of its data processing function to outside Hong Kong, the HKMA will expect the AI to have a robust back-up system and contingency plan in an acceptable jurisdiction. The back-up system should be properly documented and regularly tested (see also subsection 2.7 above). It may be appropriate for an independent opinion on its effectiveness to be sought. | See row 46 (2.8.2), above.