Guide for Cloud Service Providers
in the Kingdom of Saudi Arabia
Issued by
Communications and Information Technology Commission
Contents
1. Introduction
2. Registration Obligation and Procedure
2.1. Who needs to register?
2.2. Procedure for registration
Appendix “A” Registration application form to provide Cloud Computing Services
Guide for Cloud Service Providers Page 1 of 7
1. Introduction
The Communications and Information Technology Commission (CITC or ‘the
Commission’) is the entity authorized to regulate the telecommunications and
information technology sector in the Kingdom of Saudi Arabia (the Kingdom) in
accordance with the “Telecommunication Act” (the Act) issued by Royal Decree No.
M/12 of 12/3/1422H (4/6/2001G). The Act provides the legislative foundation for
developing and regulating the sector, on the basis of which “the Bylaw” is issued. The
Commission issues regulatory frameworks, rules, guidelines, procedures and
licenses, based on developments in the market, technologies and services, in
accordance with its power to assist in improving the market and providing the
services to end-users.
This document (“Guide for Cloud Service Providers”) issued by the Commission
provides practical guidance on the implementation of the provisions of the
Regulatory Framework on Cloud Computing (the “Regulatory Framework”). This
document explains the registration process and requirements for Cloud Service
Providers (CSPs) operating in the Kingdom. This Guide is published by the
Commission for clarification and information purposes only. It does not constitute
legal advice and its contents may be periodically changed or be subject to changes
in the future, without notice. The terms defined in the Regulatory Framework, the
Act and its Bylaw have the same meanings in this Guide.
In addition to the Regulatory Framework for Cloud Computing and other relevant
regulations governing the provision of Cloud Computing Services, there are other
relevant regulations in the Kingdom such as the Anti-Cyber Crime Act (issued under
the Council of Ministers Decision No. 79, dated 7/3/1428 H, and approved by Royal
Decree No. M/17, dated 8/3/1428H), the Electronic Transactions Act (issued under
the Council of Ministers Decision No. 80 dated 7/3/1428 H and approved by Royal
Decree No. M/18 dated 8/3/1428H) and other rules and regulations governing
the provision of Cloud Computing Services in the Kingdom. Similarly, public and
private entities may have to comply with internal or sector-specific rules with
regard to information security requirements, the confidentiality and processing of
data, or other matters implicated in Cloud Computing. Accordingly, the legal
responsibility lies with CSPs registered with the Commission and other interested
parties to seek appropriate legal advice if they have any doubts regarding relevant
regulations in the Kingdom to offer or take advantage of Cloud Computing Services.
2. Registration Obligation and Procedure
2.1. Who needs to register?
The registration obligation under “the Regulatory Framework” applies to any
Company or Corporation engaged, in whole or in part, in the provision of Cloud
Services in the Kingdom of Saudi Arabia, which exercises direct or effective control
over:
- Datacentres or other critical Cloud System infrastructure hosted in the
  Kingdom and used in whole or in part for the provision of Cloud Services,
  and/or,
- the processing and/or storing of Customer Content classified as ‘Level
  Three’ Customer Content based on the classification system described in
  Article 3.3 of the Regulatory Framework.
Datacentres are legally defined in the Regulatory Framework as facilities “consisting
of computing infrastructure and supporting components, which are housed in the
same location and used, at least in part, for the storage and/or processing of
Customer Content and Customer Data.”
A CSP that meets one or more of the conditions listed above must register with
the Commission, so that the registry provides additional safeguards for the CSP
and the customers regarding quality and reliability. Additionally, CSPs not meeting
the above conditions may register on a voluntary basis for commercial purposes to
attract customers.
In such cases, the Commission will have the right to reject such a request, at its
discretion and without an obligation to provide a justification. In principle, the
Commission may choose to do so if it has any reasons to believe that the CSP in
question does not sufficiently demonstrate that it meets the required minimum
technical qualifications, proven experience, quality standards, financial resources or
other conditions.
2.2. Procedure for registration
1. Fill out the registration application form, signed by the legal representative and
authenticated by the Chamber of Commerce, as shown in Appendix A.
2. Attach a copy of the valid Commercial Registration, compatible with the registration
period.
3. Provide a clear copy of the legal representative’s identity documents (National
Identity Document or proof of residence).
4. Provide information that describes the type of Cloud Computing Service(s) that
are planned to be provided or are already provided through datacentres and/or
other facilities in the KSA to: (a) Cloud Customers with a Residence or
Customer Address in the KSA and (b) Cloud Customers outside the KSA.
5. Provide the following information regarding the Cloud Systems you use:
a. A brief description of the Cloud System(s) you use or intend to use for
the provision of Cloud Services to Cloud Customers in the KSA including,
in particular:
i. Any Datacentres located in the territory of the KSA, with their full
address, contact details (tel/fax/email) and website.
ii. The relationship that best describes your access to this
Datacentre's capacity and infrastructure (e.g., owner, operator,
co-owner, lessor or lessee of capacity, reseller, etc.).
b. A brief description of any network or other key equipment associated
with the above Datacentres and the relationship that best describes your
access to, and use of, such key equipment.
c. A description of any relevant international standards you meet regarding
the quality of your services and your overall qualification as a Cloud
Service provider.
d. Attach to this application proof of any relevant certificates or credentials
that you or your main shareholders or partners in the present Cloud
Computing venture have in the KSA or elsewhere.
e. You may also attach any available technical brochures, website printouts
or other technical and commercial information related to the Cloud
System(s) you use or intend to use for the purposes of this registration.
f. Submit any documents certifying compliance with the technical
standards listed below or, exceptionally, any other technical standards
that are demonstrably equivalent or superior to those standards, subject
to the Commission's satisfaction.
i. ISO/IEC 27001 - Information security management
ii. ISO/IEC 27017 - Code of practice for information security controls
based on ISO/IEC 27002 for cloud services
iii. ISO/IEC 27018 - Code of practice for protection of personally
identifiable information (PII) in public clouds acting as PII
processors
iv. Certificate rating the level of maturity of the active infrastructure
for the datacentre in the Kingdom. Such classification certificate
must be from a recognized international standard such as:
(ANSI / TIA-942 / TIA-942A) or Uptime Institute or similar
classification certificate, and must be for the active constructed
facility (not only for the design documents).
6. Provide a brief description of the operations, in the KSA and elsewhere, of your
company, its structure and the ownership details. Also provide any other
statements covering the group to which the Applicant belongs (if available).
7. Provide a list of any licenses held to date in the KSA, granted by the
Commission to (i) the Applicant, (ii) any Affiliate of the Applicant or (iii) any
joint venture in which the Applicant or an affiliate of the Applicant participates.
8. Documents should be provided in Arabic, with the option of attaching other
supporting documents in English.
9. Supporting documentation, agreements or links to websites on the Internet may
be attached to the application.
The application can be delivered by hand or sent by mail to one of the following
addresses:
Riyadh:
Communications & Information Technology Commission (CITC)
P.O. Box 75606, Riyadh 11588
Phone: 011 4618000
CITC Branch in Makkah Region:
Jeddah, Al Salamah District, Prince Sultan St. Opposite of Sultan Mall
ZAHRAN Business Center
The Northern tower, 12th floor, Office No 1205
P.O. Box 17313, Jeddah 21484
Phone: 012-2638000
CITC Branch in Eastern Region:
2nd floor, Al Dosary Tower, Alashre'aa Road, Al shati District, Dammam
P.O. Box 2218 Dammam 31451
Phone: 0138441818
Not later than 15 working days from the submission of the registration
application form (or any subsequent submission of the registration application form
if it has previously been deemed incomplete by the Commission), the Commission
will inform the applicant of the result of the examination of the submission:
(a) that its application for registration is complete and the CSP is
validly registered as a CSP by the Commission for a period of 1
year. The registration can be renewed after submitting the
registration requirements referred to in this guide;
(b) that its registration application form is incomplete or otherwise
deficient, with a reference to the information that is required to
complete it; or
(c) that its registration application form cannot be accepted because
the Applicant does not meet the relevant legal requirements for a
registration.
The Commission will publish a list of the registered CSPs on its website and in its
Annual Reports.
Appendix “A”
Registration application form to provide Cloud Computing Services
Name of Company or Corporation (in Arabic)
Name of Company or Corporation (in English)
Company Registration Number
Address of registration
Registration date
Registration and expiry date
Name of representative
Position
ID Number
Location and date of issue
P.O. Box:
  P.O. Box
  City
  ZIP Code
  Street
  District
Or postal address:
  Building number
  Street Name
  Quarter Name
  City
  ZIP Code
  Additional Number
Landline
Fax
Mobile
Website
e-mail
I, the undersigned, as the legal representative of the company or corporation
declare the following:
- The company or corporation complies with the Commission statutes and its
decisions related to the service to be provided and published on its webpage
(www.citc.gov.sa).
- The company or corporation complies with the provisions of the Cloud
Computing Regulatory Framework, any guidelines and regulations issued by
the Commission and all regulations of the Kingdom, as well as any future
amendments.
- The company or corporation shall extend, not later than one month from the
effective date of this Declaration, its terms and conditions to its existing
Cloud Customers (if any) with a residence or Customer Address in the
Kingdom.
- The Applicant accepts that the Commission may publish any of the
information provided by the Applicant in this Application, with the exception
of any such information reasonably qualifying as a confidential business
secret.
- The company or corporation will periodically visit the website to be updated
on new regulations and conditions for service provision that may be
applicable.
- The Applicant shall inform the Commission immediately of any changes to
the information provided.
- The information provided in this Application and its attachments is true and
correct.
- The Applicant will update information provided to the Commission in the
event of any change.
- The Applicant shall maintain the ID and password used on the Commission website
once created by the Commission, and bear the consequences and responsibility of
any information or any action entered by this ID.
Seal:
_____________________
Name / Title
____________________
Signature
____________________
Date
Checklist for Registration to Provide Cloud Computing Services 1/3
Checklist for Registration to Provide Cloud Computing Services
Name of Company: ………………………..…………………………..
# | Requirement | Matching (Yes/No) | Reference page number
1. Fill out the registration application form, signed by the legal representative and authenticated by the Chamber
of Commerce, as shown in the Appendix A.
2. Attach a copy of the valid Commercial Registration, compatible with the registration period.
3. Provide a clear copy of the legal representative’s identity documents (National Identity Document or proof of
residence).
4. Provide information that describes the type of Cloud Computing Service(s) that are planned to be provided or
are already provided through datacentres and/or other facilities in the KSA to: (a) Cloud Customers with a
Residence or Customer Address in the KSA and (b): Cloud Customers outside the KSA.
5. A brief description of the Cloud System(s) you use or intend to use for the provision of Cloud Services to Cloud
Customers in the KSA including, in particular:
i. Any Datacentres located in the territory of the KSA, with their full address, contact details
(tel/fax/email) and website.
ii. The relationship that best describes your access to this Datacentre's capacity and infrastructure
(e.g., owner, operator, co-owner, lessor or lessee of capacity, reseller, etc.).
6. A brief description of any network or other key equipment associated with the above Datacentres and the
relationship that best describes your access to, and use of, such key equipment.
7. A description of any relevant international standards you meet regarding the quality of your services and your
overall qualification as a Cloud Service provider.
8. Attach to this application proof of any relevant certificates or credentials that you or your main shareholders or
partners in the present Cloud Computing venture have in the KSA or elsewhere.
9. You may also attach any available technical brochures, website printouts or other technical and commercial
information related to the Cloud System(s) you use or intend to use for the purposes of this registration.
10. Submit any documents certifying compliance with the technical standards listed below or, exceptionally, any
other technical standards that are demonstrably equivalent or superior to those standards, subject to the
Commission's satisfaction.
i. ISO/IEC 27001 - Information security management
ii. ISO/IEC 27017 - Code of practice for information security controls based on ISO/IEC 27002
for cloud services
iii. ISO/IEC 27018 - Code of practice for protection of personally identifiable information (PII) in
public clouds acting as PII processors
iv. Certificate rating the level of maturity of the active infrastructure for the datacentre in the
Kingdom. Such classification certificate must be from a recognized international standard
such as:
(ANSI / TIA-942 / TIA-942A) or Uptime Institute or similar classification certificate, and must
be for the active constructed facility (not only for the design documents).
11. Provide a brief description of the operations, in the KSA and elsewhere, of your company, its
structure and the ownership details. Also provide any other statements covering the group to
which the Applicant belongs (if available).
12. Provide a list of any licenses held to date in the KSA, granted by the Commission to (i) the Applicant, (ii) any
Affiliate of the Applicant or (iii) any joint venture in which the Applicant or an affiliate of the Applicant
participates.
13. Documents should be provided in Arabic, with the option of attaching other supporting documents in English.
14. Supporting documentation, agreements or links to websites on the Internet may be attached to the
application.
Notes