
HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines in Malaysia

Issue 01

Date 2020-09-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: https://www.huawei.com

Email: [email protected]

Issue 01 (2020-09-30) Copyright © Huawei Technologies Co., Ltd. i


Contents

1 Overview .......... 1
1.1 Background and Purpose of Publication .......... 1
1.2 Introduction of Applicable Financial Regulatory Requirements in Malaysia .......... 1
1.3 Definitions .......... 3

2 HUAWEI CLOUD Security and Privacy Compliance .......... 4

3 HUAWEI CLOUD Security Responsibility Sharing Model .......... 9

4 HUAWEI CLOUD Global Infrastructure .......... 11

5 How HUAWEI CLOUD Meets and Assists Customers to Meet the Requirements of BNM Risk Management in Technology .......... 12
5.1 Technology Operations Management .......... 13
5.2 Cyber Security Management .......... 37
5.3 Technology Audit .......... 49
5.4 Internal Awareness and Training .......... 50

6 How HUAWEI CLOUD Meets and Assists Customers to Meet the Requirements of BNM Outsourcing .......... 52
6.1 Outsourcing Process and Management of Risks .......... 53
6.2 Outsourcing Outside Malaysia .......... 64
6.3 Outsourcing Involving Cloud Services .......... 66

7 How HUAWEI CLOUD Meets and Assists Customers to Meet the Requirements of BNM Management of Customer Information and Permitted Disclosures .......... 68
7.1 Control Environment .......... 69
7.2 Customer Information Breaches .......... 82
7.3 Outsourced Service Provider .......... 85

8 How HUAWEI CLOUD Meets and Assists Customers to Meet the Requirements of BNM Guidelines on Data Management and MIS Framework for Development Financial Institutions .......... 88

9 How HUAWEI CLOUD Meets and Assists Customers to Meet the Requirements of BNM Guidelines on Business Continuity Management .......... 92

10 How HUAWEI CLOUD Meets and Assists Customers to Meet the Requirements of SC Guidelines on Management of Cyber Risk .......... 96

HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines in Malaysia    Contents


11 How HUAWEI CLOUD Meets and Assists Customers to Meet the Requirements of SC Guiding Principles on Business Continuity .......... 103

12 Conclusion .......... 109

13 Version History .......... 110


1 Overview

1.1 Background and Purpose of Publication

With the more prevalent use of technology in the provision of financial services, there is a need for financial institutions (FIs) to strengthen their technology resilience against operational disruptions to maintain confidence in the financial system. The growing sophistication of cyber threats also calls for increased vigilance and capability of FIs to respond to emerging threats. Critically, this should ensure the continuous availability of essential financial services to customers and adequate protection of customer data. To regulate the application of Information Technology (IT) in the financial industry, Bank Negara Malaysia (BNM) and Securities Commission Malaysia (SC) published a series of regulatory requirements and guidelines, covering technology risk management, IT outsourcing management, customer information protection and business continuity management for FIs operating in Malaysia.

HUAWEI CLOUD, as a cloud service provider, is committed not only to helping FIs meet local regulatory requirements, but also to continuously providing them with cloud services and business operating environments that meet FIs' standards. This whitepaper sets out details regarding how HUAWEI CLOUD assists FIs operating in Malaysia to meet regulatory requirements when providing cloud services.

1.2 Introduction of Applicable Financial Regulatory Requirements in Malaysia

Bank Negara Malaysia (BNM)

● Risk Management in Technology (RMiT): This policy document sets out Bank Negara Malaysia's requirements with regard to FIs' management of technology risk. In complying with these requirements, a FI shall have regard to the size and complexity of its operations. Accordingly, larger and more complex FIs are expected to demonstrate risk management practices and controls that are commensurate with the increased technology risk exposure of the institution. In addition, all FIs shall observe minimum prescribed standards in this document to prevent the exploitation of weak links in interconnected networks and systems that may cause detriment to other FIs and the wider financial system.

● Outsourcing: This policy document sets out the scope of arrangements relevant to the outsourcing policy, and Bank Negara Malaysia's requirements and expectations on FIs to maintain appropriate internal governance and outsourcing risk frameworks, including those relevant to the protection of data confidentiality. The requirements also serve to ensure the FIs' continued ability to carry out effective supervisory oversight over FIs in relation to their outsourced activities.

● Management of Customer Information and Permitted Disclosures: This policy document sets out Bank Negara Malaysia's requirements and expectations with regard to financial service providers' (FSP) measures and controls in handling customer information throughout the information lifecycle, covering collection, storage, use, transmission, sharing, disclosure and disposal of customer information.

● Guidelines on Data Management and Management Information System Framework for Development Financial Institutions: This policy document sets out high-level guiding principles on sound data management and management information system (MIS) practices that FIs should observe when developing internal data management capabilities. FIs should structure and implement data and management information systems in a manner that is consistent with the principles set out in this document and appropriate to each FI's specific business needs.

● Guidelines on Business Continuity Management: This policy document sets out minimum Business Continuity Management (BCM) requirements on FIs so as to ensure the continuity of critical business functions and essential services within a specified timeframe in the event of a major disruption. Minimum disruption to essential business services would in turn enhance public confidence in FIs and the financial system, and mitigate reputational risk to FIs.

Securities Commission Malaysia (SC)

● Guidelines on Management of Cyber Risk: This policy document sets out Securities Commission Malaysia's requirements with regard to FIs' management of cyber risk. These requirements will help FIs improve their cyber risk management capabilities and ensure their cyber security.

● Guiding Principles on Business Continuity: The objective of this document is to guide FIs on minimum standards that entities are encouraged to adopt based on the nature, size and complexity of their business operations. The overall intended outcomes of the principles are to ensure timely continuation of critical services and the fulfilment of business obligations in the event of disruptions, with the ultimate objective of mitigating or managing any possible wider systemic risk implications for the Malaysian capital market.

*Remarks: The above regulatory requirements issued by BNM are applicable to FIs such as banks and insurance companies. The above regulatory requirements issued by SC are applicable to FIs such as Bursa Malaysia, Capital Markets Services License (CMSL) holders, registered persons and self-regulatory organizations under securities laws. For the specific entities to which each requirement applies, please refer to the original regulatory requirements.


1.3 Definitions

● HUAWEI CLOUD
HUAWEI CLOUD is the cloud service brand of the HUAWEI marquee, committed to providing stable, secure, reliable, and sustainable cloud services.

● Service provider
An entity, including an affiliate, providing services to a FI under an outsourcing arrangement.

● Cyber Resilience
The ability of people, processes, IT systems, applications, platforms or infrastructures to withstand adverse cyber events.

● Central bank of Malaysia (The Bank)
Bank Negara Malaysia (BNM).


2 HUAWEI CLOUD Security and Privacy Compliance

HUAWEI CLOUD inherits Huawei's comprehensive management system and leverages its experience in IT system construction and operation, actively managing and continuously improving the development, operation and maintenance of cloud services. To date, HUAWEI CLOUD has received a number of international and industry security compliance certifications, ensuring the security and compliance of businesses deployed by cloud service customers.

HUAWEI CLOUD has attained the following certifications:

Global standard certification

Certification | Description

ISO 20000-1:2011 | ISO 20000 is an internationally recognized information technology service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS, so that cloud service providers (CSPs) can provide effective IT services that meet the requirements of customers and businesses.

ISO 27001:2013 | ISO 27001 is a widely used international standard that specifies requirements for information security management systems. This standard provides a method of periodic risk evaluation for assessing systems that manage company and customer information.

ISO 27017:2015 | ISO 27017 is an international certification for cloud computing information security. The adoption of ISO 27017 indicates that HUAWEI CLOUD has achieved internationally recognized best practices in information security management.


ISO 22301:2012 | ISO 22301 is an internationally recognized business continuity management system standard. It helps organizations avoid potential incidents by identifying, analyzing, and alerting on risks, and develop a comprehensive Business Continuity Plan (BCP) to respond effectively to disruptions so that entities can recover rapidly, keep core business running, and minimize loss and recovery costs.

SOC audit | The SOC audit report is an independent audit report issued by a third-party auditor based on the relevant guidelines developed by the American Institute of Certified Public Accountants (AICPA) for the system and internal control of outsourced service providers. At present, HUAWEI CLOUD has passed the audit of SOC2 Type 1 Privacy Principle in terms of privacy, which proves that HUAWEI CLOUD has reasonable control measures in terms of cloud management and technology.

PCI DSS Certification | Payment Card Industry Data Security Standard (PCI DSS) is the global card industry security standard, jointly established by five major international payment brands: JCB, American Express, Discover, MasterCard and Visa. It is the most authoritative and strict FI certification in the world.

CSA STAR Gold Certification | CSA STAR certification was developed by the Cloud Security Alliance (CSA) and the British Standards Institution (BSI), an authoritative standard development and preparation body as well as a worldwide certification service provider. This certification aims to increase trust and transparency in the cloud computing industry and enables cloud computing service providers to demonstrate their service maturity.

International Common Criteria EAL 3+ Certification | Common Criteria certification is a highly recognized international standard for information technology products and system security. HUAWEI CLOUD FusionSphere passed Common Criteria EAL 3+ certification, indicating that the HUAWEI CLOUD software platform is highly recognized worldwide.

ISO 27018:2014 | ISO 27018 is the first international code of conduct that focuses on personal data protection in the cloud. This certification indicates that HUAWEI CLOUD has a complete personal data protection management system and is in the global leading position in data security management.


ISO 29151:2017 | ISO 29151 is an international practical guide to the protection of personally identifiable information. The adoption of ISO 29151 confirms HUAWEI CLOUD's implementation of internationally recognized management measures for the entire lifecycle of personal data processing.

ISO 27701:2019 | ISO 27701 specifies requirements for the establishment, implementation, maintenance and continuous improvement of a privacy-specific management system. The adoption of ISO 27701 demonstrates that HUAWEI CLOUD operates a sound system for personal data protection.

BS 10012:2017 | BS 10012 is the personal information data management system standard issued by BSI. The BS 10012 certification indicates that HUAWEI CLOUD offers a complete personal data protection system to ensure personal data security.

M&O certification | Uptime Institute is a globally recognized data center standardization organization and an authoritative professional certification organization. HUAWEI CLOUD data centers have obtained the M&O certification issued by Uptime Institute. The M&O certification symbolizes that HUAWEI CLOUD data center O&M management is world-leading.

NIST CSF (Cybersecurity Framework) | NIST CSF consists of three parts: standards, guidelines, and best practices for managing cyber security risks. The core content of the framework can be summarized as the classic IPDRR capability model, comprising five capabilities: Identify, Protect, Detect, Response, and Recovery.

PCI 3DS | The PCI 3DS standard is designed to protect the 3DS environment that performs specific 3DS functions or stores 3DS data, and supports 3DS implementation. PCI 3DS evaluates the 3D protocol execution environment, including the access control server, directory server, or 3DS server function, and the system components, such as firewalls, virtual servers, network devices, and applications, that are required in and connected to the 3D execution environment. In addition, the processes and personnel management of the 3D protocol execution environment are evaluated.

Regional standard certification


Certification | Description

Classified Cybersecurity Protection of China's Ministry of Public Security | Classified Cybersecurity Protection issued by China's Ministry of Public Security is used to guide organizations in China through cybersecurity development. Today, it has become the general security standard widely adopted by various industries throughout China. HUAWEI CLOUD has passed the registration and assessment of Classified Cybersecurity Protection Class 3. In addition, key HUAWEI CLOUD regions and nodes have passed the registration and assessment of Classified Cybersecurity Protection Class 4.

Singapore MTCS Level 3 Certification | The Multi-Tier Cloud Security (MTCS) specification is a standard developed by the Singapore Information Technology Standards Committee. This standard requires cloud service providers (CSPs) to adopt sound risk management and security practices in cloud computing. HUAWEI CLOUD Singapore has obtained the highest level of MTCS security rating (Level 3).

Gold O&M (TRUCS) | The Gold O&M certification is designed to assess the O&M capability of cloud service providers who have passed TRUCS certification. This certification confirms that HUAWEI CLOUD services operate a sound O&M management system that satisfies the cloud service O&M assurance requirements specified in Chinese certification standards.

Certification for the Capability of Protecting Cloud Service User Data (TRUCS) | This certification evaluates a CSP's ability to protect cloud data. Evaluation covers pre-event prevention, in-event protection, and post-event tracking.

ITSS Cloud Computing Service Capability Evaluation by the Ministry of Industry and Information Technology (MIIT) | ITSS cloud computing service capability evaluation is based on Chinese standards such as the General Requirements for Cloud Computing and Cloud Service Operations. It is the first hierarchical evaluation mechanism in China's cloud service/cloud computing domain. Huawei private and public clouds have obtained cloud computing service capability level-1 (top level) compliance certificates.

TRUCS | Trusted Cloud Service (TRUCS) is one of the most authoritative public domain assessments in China. This assessment confirms that HUAWEI CLOUD complies with the most detailed standard for cloud service data and service assurance in China.


Cloud Service Security Certification - Cyberspace Administration of China (CAC) | This certification is a third-party security review conducted by the Cyberspace Administration of China according to the Security Capability Requirements of Cloud Computing Service. HUAWEI CLOUD e-Government Cloud Service Platform has passed the security review (enhanced level), indicating that the Huawei e-Government cloud platform was recognized for its security and controllability by China's top cybersecurity management organization.

For more information on HUAWEI CLOUD security compliance, and to download the relevant compliance certificates, please refer to the official website of HUAWEI CLOUD, "Trust Center - Security Compliance".


3 HUAWEI CLOUD Security Responsibility Sharing Model

Due to the complex cloud service business model, cloud security is not the sole responsibility of one single party, but requires the joint efforts of both the customer and HUAWEI CLOUD. As a result, HUAWEI CLOUD proposes a responsibility sharing model to help customers understand the security responsibility scope for both parties and ensure the coverage of all areas of cloud security. Below is an overview of the responsibility sharing model between the customer and HUAWEI CLOUD:

Figure 3-1 Responsibility Sharing Model

As shown in the above model, the privacy protection responsibilities are distributed between HUAWEI CLOUD and customers as below:

HUAWEI CLOUD: The primary responsibilities of HUAWEI CLOUD are developing and operating the physical infrastructure of HUAWEI CLOUD data centers; the IaaS, PaaS, and SaaS services provided by HUAWEI CLOUD; and the built-in security functions of a variety of services. Furthermore, HUAWEI CLOUD is also responsible for the secure design, implementation, and O&M of the multi-layered defense-in-depth, which spans the physical, infrastructure, platform, application, and data layers, in addition to the identity and access management (IAM) cross-layer function.

Customer: The primary responsibilities of the customers are customizing the configuration and operating the virtual network, platform, application, data, management, security, and other cloud services to which a customer subscribes on HUAWEI CLOUD, including its customization of HUAWEI CLOUD services according to its needs as well as the O&M of any platform, application, and IAM services that the customer deploys on HUAWEI CLOUD. At the same time, the customer is also responsible for the customization of the security settings at the virtual network layer, the platform layer, the application layer, the data layer, and the cross-layer IAM function, as well as the customer's own in-cloud O&M security and the effective management of its users and identities.

For details on the security responsibilities of both customers and HUAWEI CLOUD, please refer to the HUAWEI CLOUD Security White Paper released by HUAWEI CLOUD.


4 HUAWEI CLOUD Global Infrastructure

HUAWEI CLOUD operates services in many countries and regions around the world. The HUAWEI CLOUD infrastructure is built around Regions and Availability Zones (AZs). Compute instances and data stored in HUAWEI CLOUD can be flexibly exchanged among multiple regions or multiple AZs within the same region. Each AZ is an independent, physically isolated fault maintenance domain. Users can and should take full advantage of all these regions and AZs in their planning for application deployment and operations in HUAWEI CLOUD. Distributed deployment of an application across a number of AZs provides a high degree of assurance for normal application operations and business continuity in most outage scenarios (including natural disasters and system failures). For current information on HUAWEI CLOUD Regions and Availability Zones, please refer to the official website of HUAWEI CLOUD, "Worldwide Infrastructure".


5 How HUAWEI CLOUD Meets and Assists Customers to Meet the Requirements of BNM Risk Management in Technology

BNM released Risk Management in Technology on July 18, 2019. This policy sets out FIs' technology risk management requirements from the perspectives of governance, technology risk management, technology operations management, cyber security management, technology audit, internal awareness and training, and notification for technology. Among them, the domain of technology operations management includes requirements for system development and acquisition, cryptography, data center resilience, network resilience, third party service provider management, cloud services, access control, etc. The domain of cyber security management includes requirements for cyber security operations, data loss prevention, cyber response and recovery, etc.

When FIs are seeking to comply with the requirements provided in Risk Management in Technology, HUAWEI CLOUD, as a cloud service provider, may be involved in some activities that are prescribed under such requirements. The following contents summarize the compliance requirements related to cloud service providers in Risk Management in Technology, and explain how HUAWEI CLOUD, as a cloud service provider, can help FIs to meet these requirements.


5.1 Technology Operations Management

No.: 10.5, 10.6, 10.7, 10.8, 10.10, 10.12, 10.13, and 10.14
Control Domain: System Development and Acquisition

Specific Control Requirements:

10.5 A FI must establish clear risk management policies and practices for the key phases of the system development life cycle (SDLC) encompassing system design, development, testing, deployment, change management, maintenance and decommissioning. Such policies and practices must also embed security and relevant enterprise architecture considerations into the SDLC to ensure confidentiality, integrity and availability of data.

10.6 A FI is encouraged to deploy automated tools for software development, testing, software deployment, change management, code scanning and software version control to support more secure systems development.

10.7 A FI shall consider the need for diversity in technology to enhance resilience by ensuring critical systems infrastructure are not excessively exposed to similar technology risks.

10.8 A FI must establish a sound methodology for rigorous system testing prior to deployment. The testing shall ensure that the system meets user requirements and performs robustly. Where sensitive test data is used, the FI must ensure proper authorization procedures and adequate measures to prevent their unauthorized disclosure are in place.

10.10 A FI must ensure any changes to the source code of critical systems are subject to adequate source code reviews to ensure code is secure and was developed in line with recognized coding practices prior to introducing any system changes.

10.12 A FI shall physically segregate the production environment from the development and testing environment for critical systems. Where a FI is relying on a cloud environment, the FI shall ensure that these environments are not running on the same virtual host.

10.13 A FI must establish appropriate procedures to independently review and approve system changes. The FI must also establish and test contingency plans in the event of unsuccessful implementation of material changes to minimize any business disruption.

10.14 Where a FI's IT systems are managed by third party service providers, the FI shall ensure, including through contractual obligations, that the third party service providers provide sufficient notice to the FI before any changes are undertaken that may impact the IT systems.

HUAWEI CLOUD Response:

Customers should establish a secure development management mechanism with clear risk management policies and measures covering the SDLC: system design, development, testing, deployment, and change management. Such a mechanism should include, but is not limited to, the use of automated tools, secure coding standards, code review, isolation of the test environment from the production environment, and the management of changes through formal procedures. Customers remain responsible for segregating their own development, test, and production environments on the cloud (for example, in separate VPCs) and for confirming with their cloud service provider that production and non-production workloads for critical systems do not share a virtual host, as 10.12 requires. As a cloud service provider:

(1) Huawei's development and testing processes follow unified system (software) security development management specifications, and access to the various environments is strictly controlled. To meet customer compliance requirements, HUAWEI CLOUD manages the end-to-end software and hardware life cycle through complete systems and processes as well as automated platforms and tools. The life cycle covers security requirements analysis, security design, secure coding and testing, security acceptance and release, and vulnerability management. HUAWEI CLOUD and the related cloud services comply with security and privacy design principles and norms and with applicable laws and regulations. During the security requirements analysis and design phase, threats are analyzed according to business scenarios, data flow diagrams, and networking models. When a threat is identified, the design engineer formulates mitigation measures from the threat mitigation library and the security design library and completes the corresponding security design. All threat mitigation measures are ultimately converted into security requirements and security functions and, together with the company's test case library, are used to design the security test cases that verify the security of products and services.

(2) HUAWEI CLOUD strictly complies with the secure coding specifications that Huawei issues for the various programming languages. Static code analysis tools are used for routine checks, and the resulting data is entered into the cloud service tool chain to evaluate coding quality. Before any cloud service is released, all static code analysis alarms must be cleared, which effectively reduces coding-related security issues once the service is online.

(3) HUAWEI CLOUD takes the security requirements identified in the security design stage, penetration test cases written from the attacker's perspective, and industry standards, develops corresponding security testing tools, and conducts multiple rounds of security testing before a cloud service is released to confirm that it meets its security requirements. Testing is conducted in a test environment isolated from the production environment, and the use of production data for testing is avoided. If production data must be used for testing, it is desensitized first, and the data is cleaned up after use.

(4) To meet customer compliance requirements, HUAWEI CLOUD has formulated a standardized change management process; any change to the environment takes place only through this orderly process. After a change request is generated, the change manager team assigns it a change classification and submits it to the HUAWEI CLOUD Change Committee. Only after the committee has reviewed and approved the request can the planned change be implemented on the production network. Before a change request is submitted, the change must pass a testing process that includes production-like environment testing, pilot release, and/or blue/green deployment, so that the change committee clearly understands the change activities involved, the duration, the failure rollback procedure, and all potential impacts. In addition, HUAWEI CLOUD has formulated more fine-grained change operation standards to guide the implementation, tracking, and verification of each change so that it achieves its intended purpose. HUAWEI CLOUD has also developed a standardized emergency change management process. If an emergency change affects users, they are notified in advance by announcement, mail, telephone, conference, or other means within the prescribed time limit. If an emergency change cannot meet the prescribed notice period, the change is escalated to HUAWEI CLOUD senior leadership, and users are notified promptly after the change is implemented. Emergency changes are recorded. The old version of the program and its data are retained before the change is executed. Changes are carried out under two-person operation to minimize the impact on the production environment, and after implementation a designated person verifies that the change has achieved its intended purpose.
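Item (3) above says production data used for testing must be desensitized first. As an added example that is not part of this guide and not Huawei's tooling, the Go program below shows one way to do that for a relational extract: sensitive identifiers are replaced by keyed, deterministic pseudonyms (HMAC-SHA256 under a key generated for the refresh), so the same account number still joins across tables in the test environment while the original value cannot be recovered once the key is discarded. The Record type, the field names, and the sample rows are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is a constructed stand-in for a row exported from production; the
// field names are not taken from any real schema.
type Record struct {
	AccountNo string // sensitive identifier; must not reach test unchanged
	Name      string // sensitive free text; replaced with an opaque tag
	Balance   int    // not sensitive by itself; kept so tests stay realistic
}

// Pseudonymizer derives tokens with HMAC-SHA256 over the original value.
// Within one refresh the same input always gives the same token, so joins
// between exported tables still line up in test; without the key the token
// cannot be reversed.
type Pseudonymizer struct{ key []byte }

// NewPseudonymizer draws a fresh key for this refresh. Discarding it after
// the refresh is what makes the mapping irreversible later.
func NewPseudonymizer() (*Pseudonymizer, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Pseudonymizer{key: k}, nil
}

// NewPseudonymizerWithKey is for repeatable runs and for tests.
func NewPseudonymizerWithKey(key []byte) *Pseudonymizer {
	return &Pseudonymizer{key: key}
}

// mac domain-separates by field name so the same literal in two columns
// does not produce the same token.
func (p *Pseudonymizer) mac(field, value string) []byte {
	m := hmac.New(sha256.New, p.key)
	m.Write([]byte(field))
	m.Write([]byte{0})
	m.Write([]byte(value))
	return m.Sum(nil)
}

// DigitsToken returns a digits-only token with the same length as value, so
// format checks in the application under test still pass. The 32 MAC bytes
// give at most 32 independent digits: ample for identifiers of typical
// length, but not a cryptographic uniqueness guarantee for very long ones.
func (p *Pseudonymizer) DigitsToken(field, value string) string {
	digest := p.mac(field, value)
	var b strings.Builder
	for i := 0; i < len(value); i++ {
		b.WriteByte('0' + digest[i%len(digest)]%10)
	}
	return b.String()
}

// Tag returns an opaque label for free-text fields that carry no
// referential value.
func (p *Pseudonymizer) Tag(field, value string) string {
	return field + "-" + hex.EncodeToString(p.mac(field, value)[:6])
}

// Desensitize returns a copy of r with the sensitive fields replaced.
func (p *Pseudonymizer) Desensitize(r Record) Record {
	r.AccountNo = p.DigitsToken("account_no", r.AccountNo)
	r.Name = p.Tag("name", r.Name)
	return r
}

func main() {
	p, err := NewPseudonymizer()
	if err != nil {
		panic(err)
	}
	// Constructed production rows: two transactions on the same account.
	rows := []Record{
		{AccountNo: "112233445566", Name: "Aminah binti Yusof", Balance: 1500},
		{AccountNo: "112233445566", Name: "Aminah binti Yusof", Balance: 1275},
		{AccountNo: "998877665544", Name: "Tan Wei Ling", Balance: 40},
	}
	for _, r := range rows {
		fmt.Printf("%+v -> %+v\n", r, p.Desensitize(r))
	}
	// p goes out of scope here; in a real refresh the key is wiped, not saved.
}
```

Deterministic pseudonyms are the right tool for identifiers that must stay consistent across tables; fields with no referential value (names, addresses) are better replaced by an opaque tag, as Tag does, or by synthetic data. The refresh key should be generated per refresh and never stored alongside the test copy, otherwise the test environment becomes a way back to the production values.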


No.: 10.16, 10.19, and 10.20
Control Domain: Cryptography

Specific Control Requirements:

10.16 A FI must establish a robust and resilient cryptography policy to promote the adoption of strong cryptographic controls for protection of important data and information.

10.19 A FI must ensure cryptographic controls are based on the effective implementation of suitable cryptographic protocols. The protocols shall include secret and public cryptographic key protocols, both of which shall reflect a high degree of protection to the applicable secret or private cryptographic keys. The selection of such protocols must be based on recognized international standards and tested accordingly. Commensurate with the level of risk, secret cryptographic key and private-cryptographic key storage and encryption/decryption computation must be undertaken in a protected environment, supported by a hardware security module (HSM) or trusted execution environment (TEE).

10.20 A FI shall store public cryptographic keys in a certificate issued by a certificate authority as appropriate to the level of risk. Such certificates associated with customers shall be issued by recognized certificate authorities. The FI must ensure that the implementation of authentication and signature protocols using such certificates are subject to strong protection to ensure that the use of private cryptographic keys corresponding to the user certificates are legally binding and irrefutable.

HUAWEI CLOUD Response:

Customers should establish a cryptography management policy. When customers use encryption to protect data, they should use industry-recognized encryption algorithms and key management mechanisms, store public keys in certificates issued by recognized certificate authorities, and protect keys both in storage and in transit. To cooperate with customers in meeting these regulatory requirements:

(1) The server-side encryption function integrates the Key Management Service (KMS) of HUAWEI CLOUD Data Encryption Workshop (DEW), which provides full-lifecycle key management. Without authorization, no one else can obtain the keys needed to decrypt the data, which underpins data security on the cloud. DEW adopts a layered key management mechanism: a hardware security module (HSM) that is FIPS 140-2 (Level 2 and Level 3) certified creates and manages keys for customers, helping them meet data security compliance requirements. Even Huawei O&M personnel cannot obtain the root key. DEW also allows customers to import their own keys as master keys for unified management, facilitating seamless integration with customers' services; as with any bring-your-own-key arrangement, the customer should keep a secure copy of imported key material outside the cloud, because that copy is what allows the key to be re-imported if the material is ever deleted. At the same time, HUAWEI CLOUD stores user master keys redundantly online and keeps multiple physical offline backups of root keys with regular backups to ensure key durability. See section 6.8.2 Data Encryption Workshop (DEW) of the HUAWEI CLOUD Security White Paper for more information.

(2) Currently, services including Elastic Volume Service (EVS), Object Storage Service (OBS), Image Management Service (IMS), and Relational Database Service (RDS) provide data encryption or server-side encryption functions and encrypt data using high-strength algorithms.

(3) For data in transit, when customers provide web site services over the Internet, they can use the certificate management service that HUAWEI CLOUD provides jointly with globally well-known certificate authorities. By applying for and configuring certificates for their web sites, customers obtain trusted identity authentication of the web sites and secure transmission based on encryption protocols (TLS).
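Item (1) describes a layered (envelope) key hierarchy: data is encrypted under a per-object data encryption key, and that key is itself encrypted under a master key that only the key management service can use. As an added example, not Huawei's code and not the DEW/KMS API, the Go program below implements that scheme with AES-256-GCM from the standard library. MasterKeyService is a hypothetical stand-in for an HSM-backed master key (it exposes only wrap and unwrap and never hands out key bytes); the key ID, object name, and sample message are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets stored beside the object: the per-object data
// encryption key (DEK) wrapped under the master key, and the object encrypted
// under the DEK. Each blob is nonce || ciphertext || GCM tag.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// MasterKeyService is a hypothetical stand-in for a KMS master key held in an
// HSM: callers may ask it to wrap or unwrap a DEK but can never read the key,
// which is the property that keeps O&M staff and other tenants out.
type MasterKeyService struct {
	key []byte // AES-256 master key; in a real KMS this never leaves the HSM
}

func NewMasterKeyService() (*MasterKeyService, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &MasterKeyService{key: k}, nil
}

// aesGCMSeal encrypts plaintext under key with a fresh random nonce and binds
// aad (authenticated but not encrypted context) to the result.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aesGCMOpen reverses aesGCMSeal and fails closed on any tampering.
func aesGCMOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Wrap and Unwrap are the only operations the key service exposes. keyID is
// authenticated, so a wrapped DEK cannot be replayed under another key's name.
func (m *MasterKeyService) Wrap(dek []byte, keyID string) ([]byte, error) {
	return aesGCMSeal(m.key, dek, []byte(keyID))
}

func (m *MasterKeyService) Unwrap(wrapped []byte, keyID string) ([]byte, error) {
	return aesGCMOpen(m.key, wrapped, []byte(keyID))
}

// Encrypt: fresh DEK per object, object sealed under the DEK with its name as
// AAD (so a ciphertext cannot be silently moved to another object), DEK sealed
// under the master key, plaintext DEK zeroed before returning.
func Encrypt(kms *MasterKeyService, keyID, objectName string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	defer func() {
		for i := range dek {
			dek[i] = 0
		}
	}()
	ct, err := aesGCMSeal(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.Wrap(dek, keyID)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt must unwrap the DEK through the key service first; without that
// authorization the stored envelope is useless.
func Decrypt(kms *MasterKeyService, keyID, objectName string, env *Envelope) ([]byte, error) {
	dek, err := kms.Unwrap(env.WrappedDEK, keyID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aesGCMOpen(dek, env.Ciphertext, []byte(objectName))
}

// SelfCheck exercises the properties the text claims: round trip works, a
// modified ciphertext is rejected, a renamed object is rejected, and a
// different master key (another tenant or an unauthorized caller) cannot
// recover the DEK.
func SelfCheck() error {
	kms, err := NewMasterKeyService()
	if err != nil {
		return err
	}
	msg := []byte("constructed sample: account ledger 2020-09-30")
	env, err := Encrypt(kms, "cmk-demo", "ledger.csv", msg)
	if err != nil {
		return err
	}
	got, err := Decrypt(kms, "cmk-demo", "ledger.csv", env)
	if err != nil || !bytes.Equal(got, msg) {
		return errors.New("round trip failed")
	}
	tampered := &Envelope{WrappedDEK: env.WrappedDEK, Ciphertext: append([]byte(nil), env.Ciphertext...)}
	tampered.Ciphertext[len(tampered.Ciphertext)-1] ^= 0x01
	if _, err := Decrypt(kms, "cmk-demo", "ledger.csv", tampered); err == nil {
		return errors.New("tampered ciphertext was accepted")
	}
	if _, err := Decrypt(kms, "cmk-demo", "other.csv", env); err == nil {
		return errors.New("ciphertext accepted under a different object name")
	}
	other, err := NewMasterKeyService()
	if err != nil {
		return err
	}
	if _, err := Decrypt(other, "cmk-demo", "ledger.csv", env); err == nil {
		return errors.New("foreign master key unwrapped the DEK")
	}
	return nil
}

func main() {
	if err := SelfCheck(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("envelope encryption checks passed")
}
```

With a real KMS, Wrap and Unwrap become API calls and the access policy on the master key is what enforces "without authorization"; the object-side logic (fresh DEK per object, AEAD, object name bound as associated data, DEK never persisted in the clear) is the customer's responsibility whenever they encrypt client-side rather than relying on the service's server-side encryption.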


No.: 10.21-10.24
Control Domain: Data Center Resilience - Data Center Infrastructure

Specific Control Requirements:

10.21 A FI must specify the resilience and availability objectives of its data centers which are aligned with its business needs. The network infrastructure must be designed to be resilient, secure and scalable. Potential data center failures or disruptions must not significantly degrade the delivery of its financial services or impede its internal operations.

10.22 A FI must ensure production data centers are concurrently maintainable. This includes ensuring that production data centers have redundant capacity components and distribution paths serving the computer equipment.

10.23 In addition to the requirement in paragraph 10.22 large FIs are also required to ensure recovery data centers are concurrently maintainable.

10.24 A FI shall host critical systems in a dedicated space intended for production data center usage. The dedicated space must be physically secured from unauthorized access and is not located in a disaster-prone area. A FI must also ensure there is no single point of failure (SPOF) in the design and connectivity for critical components of the production data centers, including hardware components, electrical utility, thermal management and data center infrastructure. A FI must also ensure adequate maintenance, and holistic and continuous monitoring of these critical components with timely alerts on faults and indicators of potential issues.

HUAWEI CLOUD Response:

Customers should establish resilient and highly available data centers aligned with their business needs. The security and scalability of the network infrastructure, dedicated space and physical security for key systems, redundancy of infrastructure and hardware equipment, and continuous monitoring of the environment and resources should all be considered, so that data center failures or disruptions do not seriously affect services or internal operations. As a cloud service provider, HUAWEI CLOUD cooperates with customers to meet these regulatory requirements from the following perspectives:

(1) HUAWEI CLOUD data centers comply with the Class A standard of GB 50174 Code for Design of Electronic Information System Room and the T3+ standard of TIA-942 Telecommunications Infrastructure Standard for Data Centers. HUAWEI CLOUD data centers are located on suitable physical sites selected on the basis of thorough site surveys. During the design, construction, and operation stages, the data centers apply proper physical zoning and well-organized placement of information systems and components, which helps prevent physical and environmental risk scenarios (for example, fire or electromagnetic leakage) as well as unauthorized access. Appropriate and sufficient data center space and adequate electrical, networking, and cooling capacity are reserved to meet not only today's infrastructure requirements but also the demands of rapid future expansion. The HUAWEI CLOUD O&M team enforces stringent access control, safety measures, regular monitoring and auditing, and emergency response measures to ensure the physical security and environmental safety of HUAWEI CLOUD data centers. See section 5.1 Physical and Environmental Security of the HUAWEI CLOUD Security White Paper for more information.

(2) Customers can rely on the Region and Availability Zone (AZ) architecture of the HUAWEI CLOUD data center clusters for disaster recovery and backup of their business systems. Data centers are deployed in multiple regions worldwide according to defined rules, so customers can set up mutual disaster recovery across two sites. If a failure occurs, the system automatically transfers customer applications and data away from the affected area, subject to the applicable compliance policies, to ensure business continuity. HUAWEI CLOUD has also deployed a Global Server Load Balance Center: customer applications can be deployed N+1 across data centers, so that even if one data center fails, traffic is balanced to the other centers. Which regions and AZs a workload actually spans, and therefore whether a second site exists for it, is a customer deployment decision that should be checked against the FI's stated resilience objectives.


No.: 10.26, 10.27, and 10.30
Control Domain: Data Center Resilience - Data Center Operations

Specific Control Requirements:

10.26 A FI must ensure its capacity needs are well-planned and managed with due regard to business growth plans. This includes ensuring adequate system storage, central processing unit (CPU) power, memory and network bandwidth.

10.27 A FI must establish real-time monitoring mechanisms to track capacity utilization and performance of key processes and services. These monitoring mechanisms shall be capable of providing timely and actionable alerts to administrators.

10.30 A FI must also maintain a sufficient number of backup copies of critical data, the updated version of the operating system software, production programs, system utilities, all master and transaction files and event logs for recovery purposes. Backup media must be stored in an environmentally secure and access-controlled backup site.

HUAWEI CLOUD Response:

Customers should establish performance monitoring and capacity planning mechanisms, plan and manage the capacity of their basic IT resources according to business development, and continuously monitor the performance of key systems. In addition, customers should establish a backup management mechanism to back up key business data, operating systems, and application software, and should periodically restore-test those backups. To cooperate with customers in meeting these regulatory requirements:

(1) Cloud Eye Service (CES) provides a robust monitoring platform for Elastic Cloud Server (ECS), bandwidth, and other resources. CES provides real-time monitoring alarms, notifications, and personalized report views so that customers can track the status of their business resources. Customers can define their own alarm rules and notification policies to see the running status and performance of the instance resources of each service at a glance.

(2) HUAWEI CLOUD has formulated a standard capacity management and resource forecasting procedure to manage HUAWEI CLOUD capacity as a whole and improve the availability of cloud resources. HUAWEI CLOUD resource utilization is monitored daily. Input from all parties feeds ongoing predictions of future resource requirements, and resource expansion plans are formulated to meet them. Business capacity and performance bottlenecks are analyzed and evaluated. When a resource reaches a preset threshold, a warning is issued and further measures are taken to avoid any impact on the performance of customers' cloud services.

(3) HUAWEI CLOUD provides multi-granularity data backup and archiving services to meet customers' requirements in specific scenarios. Customers can use the versioning function of Object Storage Service (OBS), Volume Backup Service (VBS), and Cloud Server Backup Service (CSBS) to back up in-cloud objects, disks, and servers. Benefiting from the on-demand use, scalability, and high reliability of cloud services, customers can also back up data through HUAWEI CLOUD's data backup and archiving service so that data is not lost in the event of a disaster. What is backed up, how often, and where the copies are kept remain the customer's choices; backup copies should not be deletable with the same credentials that administer the production data they protect.


No.: 10.33, 10.34, 10.35, 10.36, 10.38, and 10.39
Control Domain: Network Resilience

Specific Control Requirements:

10.33 A FI must design a reliable, scalable and secure enterprise network that is able to support its business activities, including future growth plans.

10.34 A FI must ensure the network services for its critical systems are reliable and have no SPOF in order to protect the critical systems against potential network faults and cyber threats.

10.35 A FI must establish real-time network bandwidth monitoring processes and corresponding network service resilience metrics to flag any over utilization of bandwidth and system disruptions due to bandwidth congestion and network faults. This includes traffic analysis to detect trends and anomalies.

10.36 A FI must ensure network services supporting critical systems are designed and implemented to ensure the confidentiality, integrity and availability of data.

10.38 A FI must ensure sufficient and relevant network device logs are retained for investigations and forensic purposes for at least three years.

10.39 A FI must implement appropriate safeguards to minimize the risk of a system compromise in one entity affecting other entities within the group. Safeguards implemented may include establishing logical network segmentation for the FI from other entities within the group.

HUAWEI CLOUD Response:

Customers should establish a reliable and scalable enterprise network, including redundant network lines, network performance monitoring, encryption of network channels, retention of network device logs, appropriate network isolation, and other measures. As a cloud service provider:

(1) HUAWEI CLOUD is responsible for the secure development, configuration, deployment, and operation of the underlying cloud technologies, and for the security of the operation and maintenance of the cloud services it provides. Accordingly, from the initial phase HUAWEI CLOUD strictly implements the corresponding control measures so that the platform is secure in its architecture design, equipment selection, host network (with multiple layers of physical and virtual network security isolation), access control, border protection technology, configuration, and other aspects.

(2) Customers can rely on the multi-region (Region) and multi-availability-zone (AZ) architecture of HUAWEI CLOUD's data center clusters to implement disaster tolerance and backup for their business systems. Data centers are deployed around the world, so customers can have mutual disaster recovery backup centers. In the event of a failure in one area, the system automatically transfers customer applications and data away from the affected area to a backup center, subject to the applicable compliance policies, to ensure business continuity for the affected customers. HUAWEI CLOUD also deploys a global load-balanced management center, where customer applications can be sized for N+1 deployment across data centers, balancing traffic to other centers even when one data center fails.

(3) HUAWEI CLOUD has deployed a network-wide alarm system that continuously monitors the resource utilization of all network equipment. When resource utilization reaches a preset threshold, the alarm system issues a warning and O&M personnel take prompt measures to keep customers' cloud services running to the greatest extent possible.

(4) For hybrid cloud deployments and globally distributed customer services, customers can use the Virtual Private Network (VPN), Direct Connect (DC), Cloud Connect (CC), and other services provided by HUAWEI CLOUD to interconnect their business and secure data transmission between different regions. The VPN service uses Huawei's professional equipment and builds a VPN over the Internet based on the IKE and IPsec protocols, constructing a secure and reliable encrypted transmission channel between a local data center and HUAWEI CLOUD VPCs in different areas. Direct Connect is based on carriers' various types of dedicated line networks and builds dedicated transmission channels between a local data center and a HUAWEI CLOUD VPC; physical isolation between customers' dedicated lines meets higher security and stability requirements. A dedicated line provides isolation rather than encryption by itself, so where the confidentiality of the traffic on it is required, customers should run an encrypted protocol such as IPsec or TLS over the line. Cloud Connect can quickly establish a private communication network between multiple local data centers and multiple cloud VPCs, supports the interconnection of cross-cloud VPCs, and greatly improves the security and speed of the global expansion of customer services.

(5) HUAWEI CLOUD's Cloud Trace Service (CTS) records operations on cloud service resources for customers to query, audit, and trace back. Three types of operations are recorded: operations performed through the management console after logging in to the cloud account, operations performed through the APIs supported by cloud services, and operations triggered within the HUAWEI CLOUD system. CTS can periodically merge records into event files and move them to an OBS bucket for storage, making logs highly available over a long period of time at a low cost. To meet the three-year retention in 10.38, customers should enable this transfer of event files to an OBS bucket and set the bucket's retention so that the files are kept, and protected from deletion, for at least three years; the same applies to logs from the customer's own network devices, which CTS does not capture. At the same time, HUAWEI CLOUD uses a centralized, comprehensive log system based on big data analytics. The system collects management behavior logs from all physical devices, networks, platforms, applications, databases, and security systems as well as threat detection logs from security products and components. The logs support cybersecurity event backtracking and compliance and include the following information: resource IDs (such as source IP addresses, host IDs, and user IDs), event types, date and time, IDs of the affected data/components/resources (such as destination IP addresses, host IDs, and service IDs), and success or failure information.

(6) Customers can use Virtual Private Cloud (VPC) and Elastic Load Balance (ELB) for network isolation and load balancing within their deployments. The VPC service that HUAWEI CLOUD provides lets customers create a private network environment with complete Layer 3 isolation between tenants. Customers have full control over the construction and configuration of their own virtual network and can configure network ACL and security group rules to strictly control the network traffic entering and leaving subnets and virtual machines, meeting the need for finer-grained network isolation. Separate VPCs (or separate cloud accounts) per group entity, with only the required routes and security group rules between them, is the natural way to implement the logical segmentation that 10.39 describes. ELB automatically distributes access traffic among multiple Elastic Cloud Servers, improving the service capacity of application systems and enhancing the fault tolerance of applications.
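Item (5) lists the fields the management-behavior logs carry (user and source IP, event type, time, affected resource, success or failure). As an added example, not Huawei's code and not the CTS event format, the Go program below parses constructed JSON-lines records with exactly those fields and runs the kind of checks such logs are retained for: a password-guessing burst from one source IP that ends in a successful login, a successful login from a user/IP pair never seen in the baseline, and the follow-on actions taken from the suspect address. The event types, addresses, and timestamps are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuditEvent carries the fields the text says the log system records.
// The JSON names are a constructed stand-in, not the real CTS schema.
type AuditEvent struct {
	Time       time.Time `json:"time"`
	UserID     string    `json:"user_id"`
	SourceIP   string    `json:"source_ip"`
	EventType  string    `json:"event_type"`
	ResourceID string    `json:"resource_id"`
	Result     string    `json:"result"` // "success" or "failure"
}

// Constructed baseline of normal activity for the two users.
const historyJSONL = `
{"time":"2020-09-01T09:00:00Z","user_id":"fi-admin","source_ip":"192.0.2.10","event_type":"ConsoleLogin","resource_id":"console","result":"success"}
{"time":"2020-09-01T09:05:00Z","user_id":"ops-1","source_ip":"198.51.100.4","event_type":"ConsoleLogin","resource_id":"console","result":"success"}
`

// Constructed next-day extract: five failed logins from 203.0.113.7 against
// fi-admin in 18 seconds, then a success and a key-disable action from the
// same address; ops-1 mistypes once from its usual address.
const recentJSONL = `
{"time":"2020-09-02T08:00:00Z","user_id":"fi-admin","source_ip":"203.0.113.7","event_type":"ConsoleLogin","resource_id":"console","result":"failure"}
{"time":"2020-09-02T08:00:04Z","user_id":"fi-admin","source_ip":"203.0.113.7","event_type":"ConsoleLogin","resource_id":"console","result":"failure"}
{"time":"2020-09-02T08:00:09Z","user_id":"fi-admin","source_ip":"203.0.113.7","event_type":"ConsoleLogin","resource_id":"console","result":"failure"}
{"time":"2020-09-02T08:00:13Z","user_id":"fi-admin","source_ip":"203.0.113.7","event_type":"ConsoleLogin","resource_id":"console","result":"failure"}
{"time":"2020-09-02T08:00:18Z","user_id":"fi-admin","source_ip":"203.0.113.7","event_type":"ConsoleLogin","resource_id":"console","result":"failure"}
{"time":"2020-09-02T08:00:30Z","user_id":"fi-admin","source_ip":"203.0.113.7","event_type":"ConsoleLogin","resource_id":"console","result":"success"}
{"time":"2020-09-02T08:00:45Z","user_id":"fi-admin","source_ip":"203.0.113.7","event_type":"DisableKey","resource_id":"key-0001","result":"success"}
{"time":"2020-09-02T08:10:00Z","user_id":"ops-1","source_ip":"198.51.100.4","event_type":"ConsoleLogin","resource_id":"console","result":"failure"}
{"time":"2020-09-02T08:10:07Z","user_id":"ops-1","source_ip":"198.51.100.4","event_type":"ConsoleLogin","resource_id":"console","result":"success"}
`

// ParseEvents reads JSON-lines and returns the events in time order.
func ParseEvents(jsonl string) ([]AuditEvent, error) {
	var out []AuditEvent
	for i, line := range strings.Split(jsonl, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e AuditEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		out = append(out, e)
	}
	sort.Slice(out, func(a, b int) bool { return out[a].Time.Before(out[b].Time) })
	return out, nil
}

// FindBruteForce returns source IPs that produced at least threshold failed
// logins within window and then logged in successfully.
func FindBruteForce(events []AuditEvent, threshold int, window time.Duration) []string {
	byIP := map[string][]AuditEvent{}
	for _, e := range events {
		if e.EventType == "ConsoleLogin" {
			byIP[e.SourceIP] = append(byIP[e.SourceIP], e)
		}
	}
	var hits []string
	for ip, logins := range byIP {
		var fails []time.Time // failure times inside the sliding window
		burst := false
		for _, e := range logins {
			if e.Result == "failure" {
				fails = append(fails, e.Time)
				for e.Time.Sub(fails[0]) > window {
					fails = fails[1:]
				}
				burst = burst || len(fails) >= threshold
			} else if e.Result == "success" && burst {
				hits = append(hits, ip)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

// NewSourceIPs returns "user@ip" for successful events in recent whose
// user/IP combination never appears in the baseline.
func NewSourceIPs(baseline, recent []AuditEvent) []string {
	seen := map[string]bool{}
	for _, e := range baseline {
		seen[e.UserID+"@"+e.SourceIP] = true
	}
	var out []string
	for _, e := range recent {
		key := e.UserID + "@" + e.SourceIP
		if e.Result == "success" && !seen[key] {
			out = append(out, key)
			seen[key] = true // report each new pair once
		}
	}
	sort.Strings(out)
	return out
}

// FollowOnActions lists the non-login actions taken from ip after its first
// successful login: the "what did they do next" question in an investigation.
func FollowOnActions(events []AuditEvent, ip string) []string {
	var actions []string
	loggedIn := false
	for _, e := range events {
		if e.SourceIP != ip {
			continue
		}
		if e.EventType == "ConsoleLogin" {
			loggedIn = loggedIn || e.Result == "success"
		} else if loggedIn {
			actions = append(actions, e.EventType+" on "+e.ResourceID)
		}
	}
	return actions
}

func main() {
	baseline, err := ParseEvents(historyJSONL)
	if err != nil {
		panic(err)
	}
	recent, err := ParseEvents(recentJSONL)
	if err != nil {
		panic(err)
	}
	for _, ip := range FindBruteForce(recent, 5, 2*time.Minute) {
		fmt.Printf("brute force from %s; follow-on actions: %v\n", ip, FollowOnActions(recent, ip))
	}
	fmt.Println("first-seen user/IP logins:", NewSourceIPs(baseline, recent))
}
```

The threshold and window are the tunable parts: a two-minute window with five failures catches the constructed burst, while a ten-second window does not, which is why the values should be derived from the FI's own login telemetry rather than copied. The baseline for NewSourceIPs is only as good as the retention period behind it, which is one practical reason 10.38 asks for long retention.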


No.: 10.42, 10.43, 10.46, 10.47, and 10.48
Control Domain: Third Party Service Provider Management

Specific Control Requirements:

10.42 A FI must conduct proper due diligence on the third party service provider's competency, system infrastructure and financial viability as relevant prior to engaging its services. In addition, an assessment shall be made of the third party service provider's capabilities in managing the following specific risks:

(a) data leakage such as unauthorized disclosure of customer and counterparty information;

(b) service disruption including capacity performance;

(c) processing errors;

(d) physical security breaches;

(e) cyber threats;

(f) over-reliance on key personnel;

(g) mishandling of confidential information pertaining to the FI or its customers in the course of transmission, processing or storage of such information;

(h) concentration risk.

10.43 A FI must establish service-level agreements (SLA) when engaging third party service providers. At a minimum, the SLA shall contain the following:

(a) access rights for the regulator and any party appointed by the FI to examine any activity or entity of the FI.

(b) requirements for the service provider to provide sufficient prior notice to FIs of any sub-contracting which is substantial;

(c) a written undertaking by the service provider on compliance with secrecy provisions under relevant legislation;

(d) arrangements for disaster recovery and backup capability, where applicable;

(e) critical system availability; and

(f) arrangements to secure business continuity in the event of exit or termination of the service provider.

10.46 A FI must ensure data residing

HUAWEI CLOUD Response:

Customers should conduct due diligence on service providers' competency, system infrastructure, financial viability, and risk management capabilities before selecting them.

Customers shall sign a legally binding agreement with the service provider that stipulates the terms of cooperation on auditing, confidentiality, business continuity arrangements, notifications, service termination, and so on, to protect the customer's rights and interests and meet regulatory requirements. To cooperate with customers in meeting these regulatory requirements:

(1) HUAWEI CLOUD will assign responsible personnel to actively cooperate with due diligence initiated by customers. HUAWEI CLOUD has obtained ISO 27001, ISO 27017, ISO 27018, SOC, CSA STAR, and other international security and privacy protection certifications, and is audited by third parties every year.

(2) HUAWEI CLOUD provides online versions of the HUAWEI CLOUD Customer Agreement and the HUAWEI CLOUD Service Level Agreement, which specify the content and level of the services provided as well as the responsibilities of HUAWEI CLOUD. HUAWEI CLOUD has also developed an offline contract template that can be customized to the needs of different customers. As the case may be, the audit and supervision rights of customers and regulatory authorities are stipulated in the agreement signed with the customer.

(3) HUAWEI CLOUD provides an after-sales service guarantee for customers. The HUAWEI CLOUD professional service engineer team provides 24/7 support, so customers can seek help through work orders, intelligent customer service, self-service, and telephone. In addition to basic support, customers with complex systems can choose from the tiered support plans to obtain exclusive support from personnel such as an IM enterprise group, a Technical Account Manager (TAM), and a service manager.

To meet the requirement for fast response, HUAWEI CLOUD has developed a complete event management process. Events are prioritized, and different processing time limits are defined according to the impact and scope of each event. HUAWEI CLOUD responds to and resolves each event within the time limit specified for its priority, to minimize the impact on cloud service customers.

(4) HUAWEI CLOUD will not use customer data for commercial monetization and explicitly states in the user agreement that it will not access or use the user's content except as necessary to provide the services to the user or to comply with applicable laws and regulations or binding orders of government institutions. HUAWEI CLOUD conforms to the data protection principles described in the Personal Data Protection Act (PDPA) of Malaysia. In addition, HUAWEI CLOUD service products and components have planned and implemented appropriate isolation mechanisms from the beginning of their design, preventing intentional or unintentional unauthorized access and tampering between customers and reducing the risk of data leakage. Taking data storage as an example, HUAWEI CLOUD services including block storage, object storage, and

HUAWEI CLOUD User Guide to Financial ServicesRegulations & Guidelines in Malaysia

5 How HUAWEI CLOUD Meets and AssistsCustomers to Meet the Requirements of BNM Risk

Management in Technology

Issue 01 (2020-09-30) Copyright © Huawei Technologies Co., Ltd. 27

Page 32: HUAWEI CLOUD User Guide to Financial Services Regulations & … · 2021. 1. 15. · Malaysia to meet regulatory requirements when providing cloud services. 1.2 Introduction of Applicable

No. ControlDomain

Specific ControlRequirements

HUAWEI CLOUD Response

in third partyservice providers arerecoverable in atimely manner. TheFI shall ensureclearly definedarrangements withthe third partyservice provider arein place to facilitatethe FI's immediatenotification andtimely updates tothe Bank and otherrelevant regulatorybodies in the eventof a cyber-incident.10.47 A FI mustensure the storageof its data is atleast logicallysegregated fromthe other clients ofthe third partyservice provider.There shall beproper controls overand periodic reviewof the accessprovided toauthorized users.10.48 A FI mustensure any criticalsystem hosted bythird party serviceproviders havestrong recovery andresumptioncapability andprovisions tofacilitate an orderlyexit in the event offailure orunsatisfactoryperformance by thethird party serviceprovider.

file storage all take customer dataisolation as an important feature.(5) HUAWEI CLOUD infrastructurehas high availability. HUAWEICLOUD has developed a soundinternal process to continuousmonitoring, regular maintenanceand regular testing of infrastructureoperation, to minimize the impact ofsystem failures on customers.Customers can rely on HUAWEICLOUD's data center cluster multi-region (Region) and multi-availablezones (AZ) architecture toimplement disaster tolerance andbackup of their business systems.Data centers are deployed aroundthe world so customers will havemutual disaster data backup centersin case of disasters. In the event ofone failure in an area, the systemautomatically transfers customerapplications and data away from theaffected area to a data backupcenter, while meeting compliancepolicies, to ensure businesscontinuity for affected customers.HUAWEI CLOUD also deploys aglobal load-balanced managementcenter, where the customers'applications enable N+1 deploymentsizing in the data center whilebalancing traffic load to othercenters, even in the event of a datacenter failure. HUAWEI CLOUD hasset up a multiple position backupmechanism for key positionssupporting cloud services. When theservice agreement terminates,customers can migrate content datafrom HUAWEI CLOUD throughObject Storage Migration Service(OMS) and Server MigrationService (SMS) provided by HUAWEICLOUD, such as migrating to localdata center.


No.: 10.51 and 10.53
Control Domain: Cloud Services

Specific Control Requirements:

10.51 A FI is required to consult the Bank prior to the use of public cloud for critical systems. The FI is expected to demonstrate that specific risks associated with the use of cloud services for critical systems have been adequately considered and addressed. The risk assessment shall address the risks outlined in the following areas:
(b) the availability of independent, internationally recognized certifications of the cloud service providers, at a minimum, in the following areas:
(i) information security management framework, including cryptographic modules such as used for encryption and decryption of user data; and
(ii) cloud-specific security controls for protection of customer and counterparty or proprietary information including payment transaction data in use, in storage and in transit.
10.53 A FI must implement appropriate safeguards on customer and counterparty information and proprietary data when using cloud services to protect against unauthorized disclosure and access. This shall include retaining ownership, control and management of all data pertaining to customer and counterparty information, proprietary data and services hosted on the cloud, including the relevant cryptographic keys management.

HUAWEI CLOUD Response:

Customers should consult the Bank prior to the use of public cloud for critical systems and evaluate the security qualifications of cloud service providers. In addition, customers should also develop data protection measures to prevent illegal access to data on cloud services. As a cloud service provider:

(1) HUAWEI CLOUD has received a number of international and industry security compliance certifications, including ISO 27001, ISO 27017, ISO 27018, PCI-DSS, CSA STAR, etc. HUAWEI CLOUD follows international standards to establish a sound information security management system, IT service management system and business continuity management system, and to meet the requirements applicable to the daily operation of these systems. HUAWEI CLOUD regularly carries out risk assessment, management review, and other activities every year to identify problems in the operation of the system and rectify them to continuously improve the management system.

(2) HUAWEI CLOUD will not use customer data for commercial monetization and explicitly states in the user agreement that it will not access or use the user's content, unless it provides the necessary services for the user or abides by the applicable laws and regulations or the binding orders of government institutions. HUAWEI CLOUD conforms to the data protection principles described in the Personal Data Protection Act (PDPA) of Malaysia. In addition, HUAWEI CLOUD service products and components have planned and implemented appropriate isolation mechanisms from the beginning of design, avoiding intentional or unintentional unauthorized access and tampering between customers, and reducing the risk of data leakage. Using data storage as an example, HUAWEI CLOUD services including block storage, object storage, and file storage all take customer data isolation as an important feature.

(3) HUAWEI CLOUD services including Elastic Volume Service (EVS), Object Storage Service (OBS), Image Management Service (IMS) and Relational Database Service provide data encryption or server-side encryption functions and encrypt data using high-strength algorithms.

(4) The server-side encryption function integrates the Key Management Service (KMS) of HUAWEI CLOUD Data Encryption Workshop (DEW), which provides full-lifecycle key management. Without authorization, others cannot obtain keys to decrypt data, which supports data security on the cloud. DEW adopts a layered key management mechanism to facilitate the rotation of keys at all levels. A hardware security module (HSM) creates and manages keys for customers; it is FIPS 140-2 (Level 2 and Level 3) certified to help customers meet the requirements of data security compliance. Even Huawei O&M personnel cannot obtain the root key. DEW also allows customers to import their own keys as master keys for unified management, facilitating seamless integration with customers' services. At the same time, HUAWEI CLOUD adopts a mechanism of online redundant storage of user master keys, multiple physical offline backups of root keys and regular backups to ensure the durability of the keys.

See section 6.8.2 Data Encryption Workshop (DEW) of the HUAWEI CLOUD Security White Paper for more information.
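The layered key management described in (4) above (and referenced again in the data storage paragraph of the 11.15 response) can be illustrated as follows; this is an added example, not HUAWEI CLOUD's code or the DEW API: a root key that never leaves the "HSM" object, customer-imported master keys wrapped under it, data keys wrapped under a master-key version, and master-key rotation that keeps old versions so stored data is not re-encrypted. The HMAC-based cipher, the `KeyHierarchy` class, `seal`/`unseal` and the `cmk-` id format are constructed stand-ins for what a real KMS does with AES inside an HSM.

```python
# Constructed illustration of a layered key hierarchy (root key -> master key -> data key).
# The cipher is an HMAC-SHA256 stand-in so this runs on the standard library alone.
from __future__ import annotations

import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Block i of the keystream is HMAC-SHA256(key, nonce || i); a nonce is never reused per key.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Derive separate encryption and MAC keys from one 32-byte key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Authenticated encryption, encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time, then decrypt; ValueError on tampering or a wrong key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """True when unseal rejects the blob (flipped bit, truncated blob, or wrong key)."""
    try:
        unseal(key, blob)
    except ValueError:
        return True
    return False


class KeyHierarchy:
    """KMS side. The root key never leaves this object (the HSM's role); master keys are held
    only wrapped under the root key, one blob per version; data keys are returned wrapped
    under a master-key version and are not stored here."""

    def __init__(self) -> None:
        self._root = secrets.token_bytes(32)
        self._masters: dict[str, list[bytes]] = {}  # key id -> wrapped versions

    def import_master_key(self, material: bytes) -> str:
        # Bring-your-own-key: customer-supplied material becomes version 0 of a new master key.
        key_id = "cmk-" + secrets.token_hex(6)
        self._masters[key_id] = [seal(self._root, material)]
        return key_id

    def rotate_master_key(self, key_id: str) -> int:
        # Adds a fresh version for new wraps. Old versions stay, so data keys already wrapped
        # remain unwrappable and the data they protect is not re-encrypted.
        self._masters[key_id].append(seal(self._root, secrets.token_bytes(32)))
        return len(self._masters[key_id]) - 1

    def _master(self, key_id: str, version: int) -> bytes:
        return unseal(self._root, self._masters[key_id][version])

    def generate_data_key(self, key_id: str) -> tuple[bytes, bytes]:
        """Returns (plaintext data key, wrapped data key); wrapped = 4-byte version || sealed."""
        version = len(self._masters[key_id]) - 1
        data_key = secrets.token_bytes(32)
        return data_key, version.to_bytes(4, "big") + seal(self._master(key_id, version), data_key)

    def decrypt_data_key(self, key_id: str, wrapped: bytes) -> bytes:
        version = int.from_bytes(wrapped[:4], "big")
        return unseal(self._master(key_id, version), wrapped[4:])


def store_and_read_back(kms: KeyHierarchy, key_id: str, record: bytes) -> bytes:
    """Storage-service side: seal a record under a fresh data key, keep only the wrapped key
    beside the ciphertext, rotate the master key, and read the record back afterwards."""
    data_key, wrapped = kms.generate_data_key(key_id)
    ciphertext = seal(data_key, record)
    del data_key  # the plaintext data key is dropped as soon as the record is sealed
    kms.rotate_master_key(key_id)  # rotation does not invalidate the stored wrapped key
    return unseal(kms.decrypt_data_key(key_id, wrapped), ciphertext)
```

A customer-facing check that follows from the model: after rotation, `wrapped[:4]` on newly wrapped data keys advances to the new version, while previously stored wrapped keys still decrypt because the KMS retains the older versions.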


No.: 10.54, 10.56, 10.57, and 10.58
Control Domain: Access Control

Specific Control Requirements:

10.54 A FI must implement an appropriate access controls policy for the identification, authentication and authorization of users (internal and external users such as third party service providers). This must address both logical and physical technology access controls which are commensurate with the level of risk of unauthorized access to its technology systems.
10.56 A FI must employ robust authentication processes to ensure the authenticity of identities in use. Authentication mechanisms shall be commensurate with the criticality of the functions and adopt at least one or more of these three basic authentication factors, namely, something the user knows (e.g. password, PIN), something the user possesses (e.g. smart card, security device) and something the user is (e.g. biometric characteristics, such as a fingerprint or retinal pattern).
10.57 A FI shall periodically review and adapt its password practices to enhance resilience against evolving attacks. This includes the effective and secure generation of passwords. There must be appropriate controls in place to check the strength of the passwords created.
10.58 Authentication methods that depend on more than one factor typically are more difficult to compromise than a single factor system. In view of this, FIs are encouraged to properly design and implement (especially in high-risk or 'single sign-on' systems) multi-factor authentication (MFA) that are more reliable and provide stronger fraud deterrents.

HUAWEI CLOUD Response:

Customers should implement an appropriate access controls policy and adopt reliable authentication methods, such as multi-factor authentication. In addition, customers should review and update their password policies regularly to ensure the security of passwords. In order to cooperate with customers to meet regulatory requirements:

(1) Customers can manage the user accounts that use cloud resources through HUAWEI CLOUD Identity and Access Management (IAM). Each HUAWEI CLOUD customer has a unique user ID in HUAWEI CLOUD, and IAM provides a variety of user authentication mechanisms.

● IAM supports customers' security administrators in setting up different password policies and change cycles according to their needs, to prevent users from using simple passwords or keeping fixed passwords for a long time, which could result in account leakage. In addition, IAM also supports customers' security administrators in setting up login policies to prevent users' passwords from being brute-forced or account information from being leaked by visiting phishing pages.

● IAM also supports a multi-factor authentication mechanism. MFA is an optional security measure that enhances account security. If MFA is enabled, users who have completed password authentication will receive a one-time SMS authentication code that they must use for secondary authentication. MFA is used by default for changing important or sensitive account information such as passwords or mobile phone numbers.

● If the customer has a secure and reliable external authentication service provider, users federated through that provider can be mapped by IAM to temporary users of HUAWEI CLOUD and access the customer's HUAWEI CLOUD resources. IAM authorization can be hierarchical and fine-grained: administrators can plan the level of cloud resource access based on the user's responsibilities. They can also restrict malicious access from untrusted networks by setting security policies such as access control lists.

(2) HUAWEI CLOUD's Cloud Trace Service (CTS) provides collection, storage, and querying of operation records for a variety of cloud resources to support common scenarios such as security analysis, compliance auditing, resource tracking, and problem location.

(3) HUAWEI CLOUD has established a sound operation and maintenance account management mechanism. When HUAWEI CLOUD O&M personnel access the HUAWEI CLOUD Management Network for centralized management of the system, they must use only identifiable employee identity accounts. User accounts are subject to strong password security policies, and passwords are changed regularly to prevent brute-force cracking. In addition, two-factor authentication is used to authenticate cloud personnel, such as USB key, smart card and so on. All operations accounts are centrally managed, centrally monitored, and automatically audited by LDAP through a unified operational audit platform, to fully manage the processes from user creation, authorization, and authentication to rights revocation. RBAC permission management is also implemented according to different business dimensions and different responsibilities within the same business, to ensure that personnel with different responsibilities in different positions are limited to accessing the equipment under their role.


No.: 10.65
Control Domain: Patch Management

Specific Control Requirements:

A FI must establish a patch management framework which addresses among others the following requirements:
(a) identification and risk assessment of all technology assets for potential vulnerabilities arising from undeployed patches;
(b) conduct of compatibility testing for critical patches;
(c) specification of turnaround time for deploying patches according to the severity of the patches; and
(d) adherence to the workflow for end-to-end patch deployment processes including approval, monitoring and tracking of activities.

HUAWEI CLOUD Response:

Customers should establish an effective patch and vulnerability management mechanism to identify and conduct risk assessment of all technology assets, perform compatibility testing for critical patches, and formulate a patch update cycle and patch repair workflow. As a cloud service provider:

(1) HUAWEI CLOUD Image Management Service (IMS) provides simple and convenient self-service management functions for images. Customers can manage their images through the IMS API or the management console. HUAWEI CLOUD staff periodically update and maintain public images, including applying security patches to them as required. The staff also provide security-related information for users to refer to in deployment testing, troubleshooting, and other O&M activities.

(2) The Huawei Product Security Incident Response Team (PSIRT) has a reasonably mature vulnerability response program. Considering HUAWEI CLOUD's self-service model, the program ensures rapid patching of vulnerabilities found in in-house-developed and third party technologies for HUAWEI CLOUD infrastructures, platforms, applications and cloud services, and reduces the risk of impact on user business operations by continuously optimizing the security vulnerability management process and technical means. In addition, Huawei PSIRT and HUAWEI CLOUD's security O&M team have established a mature and comprehensive program and framework for vulnerability detection, identification, response, and disclosure. HUAWEI CLOUD relies on this program and framework to manage vulnerabilities in HUAWEI CLOUD infrastructure, cloud services and O&M tools; regardless of whether they are found in Huawei's or third party technologies, they are handled and resolved within SLAs. HUAWEI CLOUD strives to reduce and ultimately prevent vulnerability exploitation related service impacts to our customers. Canary deployment or blue-green deployment is used when vulnerabilities are fixed through a patch or version to minimize the impact on customers' services.


5.2 Cyber Security Management

No.: 11.7-11.9
Control Domain: Cybersecurity Operations

Specific Control Requirements:

11.7 A FI must deploy effective tools to support the continuous and proactive monitoring and timely detection of anomalous activities in its technology infrastructure. The scope of monitoring must cover all critical systems including the supporting infrastructure.
11.8 A FI must ensure that its cybersecurity operations continuously prevent and detect any potential compromise of its security controls or weakening of its security posture. For large FIs, this must include performing a quarterly vulnerability assessment of external and internal network components that support all critical systems.
11.9 A FI must conduct annual intelligence-led penetration tests on its internal and external network infrastructure as well as critical systems including web, mobile and all external-facing applications. The penetration testing shall reflect extreme but plausible cyber-attack scenarios based on emerging and evolving threat scenarios. A FI must engage suitably accredited penetration testers and service providers to perform this function.

HUAWEI CLOUD Response:

Customers should deploy effective tools to establish monitoring of the technical infrastructure, conduct quarterly vulnerability assessments of the network components of critical systems, and conduct annual penetration testing of the network infrastructure and critical systems. In order to cooperate with customers to meet regulatory requirements:

(1) HUAWEI CLOUD's Cloud Trace Service (CTS) provides operation records of cloud service resources for users to query, for auditing and backtracking. Three types of operations are recorded: operations performed through the cloud account's login to the management console, operations performed through APIs supported by cloud services, and operations triggered within Huawei's cloud system. CTS inspects the log data sent by the various services to ensure that the data itself does not contain sensitive information. In the transmission phase, it guarantees the accuracy and completeness of log transmission and preservation by means of identity authentication, format checking, whitelist checking and a one-way receiver system; in the storage phase, it adopts multiple backups according to Huawei's network security specifications and makes sure that the data is transmitted and preserved accurately and completely. The security of the database itself is strengthened to eliminate risks of counterfeiting, repudiation, tampering and information leakage. Finally, CTS supports encrypted data storage in OBS buckets. HUAWEI CLOUD uses a centralized and comprehensive log system based on big data analytics. The system collects management behavior logs of all physical devices, networks, platforms, applications, databases, and security systems as well as threat detection logs of security products and components. The logs support cybersecurity event backtracking and compliance.

(2) The Huawei Product Security Incident Response Team (PSIRT) has a reasonably mature vulnerability response program. Considering HUAWEI CLOUD's self-service model, the program ensures rapid patching of vulnerabilities found in in-house-developed and third party technologies for HUAWEI CLOUD infrastructures, platforms, applications and cloud services, and reduces the risk of impact on user business operations by continuously optimizing the security vulnerability management process and technical means. In addition, Huawei PSIRT and HUAWEI CLOUD's security O&M team have established a mature and comprehensive program and framework for vulnerability detection, identification, response, and disclosure. HUAWEI CLOUD relies on this program and framework to manage vulnerabilities in HUAWEI CLOUD infrastructure, cloud services and O&M tools; regardless of whether they are found in Huawei's or third party technologies, they are handled and resolved within SLAs. HUAWEI CLOUD strives to reduce and ultimately prevent vulnerability exploitation related service impacts to our customers. Canary deployment or blue-green deployment is used when vulnerabilities are fixed through a patch or version to minimize the impact on clients' services.

(3) HUAWEI CLOUD regularly conducts internal and third-party penetration testing and security assessment, with regular monitoring, checks, and removal of any security threats so as to guarantee the security of the cloud services. Together with partners, HUAWEI CLOUD has launched host intrusion detection, web application firewall, host vulnerability scanning, web page anti-tampering, and penetration test services, which enhance the security detection, correlation, and protection capabilities of HUAWEI CLOUD.


No.: 11.13
Control Domain: Distributed Denial of Service (DDoS)

Specific Control Requirements:

A FI must ensure its technology systems and infrastructure, including critical systems outsourced to or hosted by third party service providers, are adequately protected against all types of DDoS attacks (including volumetric, protocol and application layer attacks) through the following measures:
(a) subscribing to DDoS mitigation services, which include automatic 'clean pipe' services to filter and divert any potential malicious traffic away from the network bandwidth;
(b) regularly assessing the capability of the provider to expand network bandwidth on-demand including upstream provider capability, adequacy of the provider's incident response plan and its responsiveness to an attack; and
(c) implementing mechanisms to mitigate against Domain Name Server (DNS) based layer attacks.

HUAWEI CLOUD Response:

Customers should establish an anti-DDoS attack mechanism, purchase anti-DDoS attack services, regularly assess the capability of the provider to expand network bandwidth on-demand, and implement measures to prevent DNS layer attacks. In order to cooperate with customers to meet regulatory requirements:

HUAWEI CLOUD provides customers with two kinds of Anti-DDoS attack services: Anti-DDoS and Advanced Anti-DDoS (AAD).

(1) Anti-DDoS is a traffic scrubbing service that protects resources such as Elastic Cloud Server and Elastic Load Balance instances from network and application layer distributed denial-of-service (DDoS) attacks. It notifies users of detected attacks instantly, and ensures bandwidth availability as well as the stable and reliable running of services. AAD can be used to protect HUAWEI CLOUD and non-HUAWEI CLOUD hosts. Users can change the DNS record or external service IP address to a high-defense IP address, thereby diverting traffic to the high-defense IP address for scrubbing of malicious attack traffic. This mechanism ensures that important services are not interrupted.

(2) HUAWEI CLOUD Anti-DDoS attack services provide fine-grained DDoS mitigation capabilities to deal with the likes of Challenge Collapsar attacks and ping, SYN, UDP, HTTP, and DNS floods. Once a protection threshold is configured (based on the leased bandwidth and the business model), Anti-DDoS will notify the affected user and activate protection in the event of a DDoS attack.

(3) HUAWEI CLOUD Anti-DDoS attack services also leverage other HUAWEI CLOUD technologies to enhance their security capabilities: namely, the secure infrastructure and platform, secure network architecture, perimeter protection, virtual network isolation, API security, and log auditing.


No.: 11.15
Control Domain: Data Loss Prevention (DLP)

Specific Control Requirements:

A financial institution must design internal control procedures and implement appropriate technology in all applications and access points to enforce DLP policies and trigger any policy violations. The technology deployed must cover the following:
(a) data in-use – data being processed by IT resources;
(b) data in-motion – data being transmitted on the network; and
(c) data at-rest – data stored in storage mediums such as servers, backup media and databases.

HUAWEI CLOUD Response:

Customers should establish a data leakage prevention mechanism and use appropriate technical means to prevent data leakage. The deployed technology should cover the data life cycle of data usage, data transmission, and data storage. In order to ensure the safe processing of data on the cloud by customers, HUAWEI CLOUD provides layer-by-layer protection for all stages of the data life cycle:

(1) Data creation: HUAWEI CLOUD provides services on a regional basis, and the region is the storage location of customer content data. HUAWEI CLOUD will never transfer customer content data across regions without authorization. When customers use cloud services, they choose regions based on the principle of nearby access and the laws and regulations applicable in different regions, so that customer content data is stored in the target location. When customers use cloud hard drives, object storage, cloud databases, container engines and other services, HUAWEI CLOUD uses access control mechanisms of different granularity, such as volumes, buckets, database instances, and containers, to enable customers to access only their own data.

(2) Data storage: Currently, Elastic Volume Service (EVS), Object Storage Service (OBS), Image Management Service (IMS) and Relational Database Service provide data encryption or server-side encryption functions and encrypt data using high-strength algorithms. The server-side encryption function integrates the Key Management Service (KMS) of HUAWEI CLOUD Data Encryption Workshop (DEW), which provides full-lifecycle key management. Without authorization, others cannot obtain keys to decrypt data, which supports data security on the cloud.

(3) Data usage: HUAWEI CLOUD provides customers with services for data access control, security protection, and auditing to help them control data usage and transfer in a fine-grained manner. For more information, please refer to Section 4.5 of "Whitepaper for HUAWEI CLOUD Data Security".

(4) Data transmission: When customers provide web site services through the Internet, they can use the certificate management service provided by HUAWEI CLOUD in conjunction with world-renowned certificate service providers. By applying for and configuring a certificate for the web site, trusted identity authentication of the website and secure transmission based on the encryption protocol are realized. For customer business hybrid cloud deployment and global layout scenarios, the virtual private network (VPN), cloud dedicated line service, cloud connection and other services provided by HUAWEI CLOUD can be used to achieve business interconnection and data transmission security between different regions.

(5) Data archiving: HUAWEI CLOUD provides multi-granularity data backup and archiving services to meet customers' requirements in specific scenarios. Customers can use the versioning function of OBS, Volume Backup Service (VBS), and Cloud Server Backup Service (CSBS) to back up in-cloud documents, disks, and servers. By integrating with data encryption services, backup data can also be encrypted and stored conveniently and quickly, effectively ensuring the security of backup data.

HUAWEI CLOUD User Guide to Financial ServicesRegulations & Guidelines in Malaysia

5 How HUAWEI CLOUD Meets and AssistsCustomers to Meet the Requirements of BNM Risk

Management in Technology

Issue 01 (2020-09-30) Copyright © Huawei Technologies Co., Ltd. 43

Page 48: HUAWEI CLOUD User Guide to Financial Services Regulations & … · 2021. 1. 15. · Malaysia to meet regulatory requirements when providing cloud services. 1.2 Introduction of Applicable

No. ControlDomain

Specific ControlRequirements

HUAWEI CLOUD Response

(6) Data destroying: If customerswant to delete data or data needs tobe deleted due to the expiration of aservice, HUAWEI CLOUD strictlyfollows the data destructionstandard and agreement withcustomers to clear the stored data.


No.: 11.17
Control Domain: Security Operations Center (SOC)

Specific Control Requirements:
A FI must ensure its SOC, whether managed in-house or by third party service providers, has adequate capabilities for proactive monitoring of its technology security posture. This shall enable the FI to detect anomalous user or network activities, flag potential breaches and establish the appropriate response supported by skilled resources based on the level of complexity of the alerts. The outcome of the SOC activities shall also inform the FI's reviews of its cybersecurity posture and strategy.

HUAWEI CLOUD Response:
Customers should establish a SOC to detect user or network activities, identify breaches and establish the appropriate response. As a cloud provider:
(1) HUAWEI CLOUD uses a centralized and comprehensive log system based on big data analytics. The system collects management behavior logs of all physical devices, networks, platforms, applications, databases, and security systems, as well as threat detection logs of security products and components. The logs support cybersecurity event backtracking and compliance and include the following information: resource IDs (such as source IP addresses, host IDs, and user IDs), event types, date and time, IDs of the affected data/components/resources (such as destination IP addresses, host IDs, and service IDs), and success or failure information. This log analysis system supports massive data storage and powerful search and query features; it can store all logs for over 180 days and supports real-time queries within 90 days. HUAWEI CLOUD also has a dedicated internal audit department that performs periodic audits on O&M activities. The HUAWEI CLOUD log system based on big data analytics can quickly collect, process, and analyze mass logs in real time and can connect to third-party Security Information and Event Management (SIEM) systems, such as the SIEM systems provided by ArcSight and Splunk.
(2) HUAWEI CLOUD has built an appropriate, multi-layered, full-stack security framework with comprehensive perimeter defense. For example, layers of firewalls isolate networks by security zone, anti-DDoS quickly detects and protects against DDoS attacks, WAF detects and fends off web attacks close to real time, and IDS/IPS detects and blocks network attacks from the Internet in real time while also monitoring for behavioral anomalies on the host. See section 8.3 Security Logging & Event Management of the HUAWEI CLOUD Security White Paper for more information.
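As an added example (not code from this guide or from HUAWEI CLOUD), the check a FI's SOC team could run when onboarding cloud logs into its SIEM: it verifies that each record carries the minimum content the response above lists (source resource IDs, event type, date and time, affected resource IDs, success or failure) and that the retention configuration meets the stated 180-day storage and 90-day real-time query windows. The JSON key names, sample log lines and retention values are constructed for illustration, not taken from any real log format.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List

# Minimum content listed in the SOC response: who acted (source IDs), what
# happened (event type), when, what was affected (target IDs), and outcome.
# The JSON key names are an assumption made for this example.
REQUIRED_FIELDS = {
    "source": ("source_ip", "host_id", "user_id"),          # any one suffices
    "event_type": ("event_type",),
    "timestamp": ("timestamp",),
    "target": ("dest_ip", "target_host_id", "service_id"),  # any one suffices
    "outcome": ("result",),
}
VALID_OUTCOMES = {"success", "failure"}

# Retention windows stated on the page: all logs stored for over 180 days,
# real-time queries available within 90 days.
MIN_STORAGE_DAYS = 180
MIN_HOT_QUERY_DAYS = 90


@dataclass
class Finding:
    line_no: int
    problems: List[str] = field(default_factory=list)


def check_record(record: Dict) -> List[str]:
    """Return the list of problems with one parsed record; empty means SIEM-ready."""
    problems = []
    for group, keys in REQUIRED_FIELDS.items():
        if not any(k in record and record[k] not in (None, "") for k in keys):
            problems.append(f"missing {group} (one of {', '.join(keys)})")
    outcome = record.get("result")
    if outcome is not None and outcome not in VALID_OUTCOMES:
        problems.append(f"unrecognised result {outcome!r}")
    ts = record.get("timestamp", "")
    # Require an explicit timezone (Z or +hh:mm/-hh:mm after the date part) so
    # that events from different regions correlate unambiguously in the SIEM.
    if ts and not (ts.endswith("Z") or "+" in ts[10:] or "-" in ts[10:]):
        problems.append("timestamp has no timezone designator")
    return problems


def audit_log_lines(lines: List[str]) -> List[Finding]:
    """Parse newline-delimited JSON records and collect per-line findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            findings.append(Finding(n, [f"not valid JSON: {exc.msg}"]))
            continue
        problems = check_record(record)
        if problems:
            findings.append(Finding(n, problems))
    return findings


def retention_ok(storage_days: int, hot_query_days: int) -> bool:
    """True when the retention configuration meets the 180/90 day windows."""
    return storage_days >= MIN_STORAGE_DAYS and hot_query_days >= MIN_HOT_QUERY_DAYS


# Constructed sample log lines for this example (not real HUAWEI CLOUD output).
SAMPLE_LINES = [
    '{"timestamp":"2020-09-30T08:15:02Z","source_ip":"10.0.1.5","user_id":"u-1001",'
    '"event_type":"console.login","dest_ip":"10.0.0.2","service_id":"iam","result":"success"}',
    '{"timestamp":"2020-09-30T08:16:40","user_id":"u-1001","event_type":"obs.bucket.delete",'
    '"service_id":"obs","result":"denied"}',
    '{"timestamp":"2020-09-30T08:17:11+08:00","event_type":"evs.volume.attach","result":"success"}',
    'not json at all',
]

if __name__ == "__main__":
    for f in audit_log_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: " + "; ".join(f.problems))
    print("retention ok:", retention_ok(storage_days=365, hot_query_days=90))
```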


No.: 11.22-11.25
Control Domain: Cyber Response and Recovery

Specific Control Requirements:
11.22 A FI must establish comprehensive cyber crisis management policies and procedures that incorporate cyber-attack scenarios and responses in the organization's overall crisis management plan, escalation processes, business continuity and disaster recovery planning. This includes developing a clear communication plan for engaging shareholders, regulatory authorities, customers and employees in the event of a cyber-incident.
11.23 A FI must establish and implement a comprehensive Cyber Incident Response Plan (CIRP).
11.24 A FI must ensure that relevant Cyber Emergency Response Team (CERT) members are conversant with the incident response plan and handling procedures, and remain contactable at all times.
11.25 A FI must conduct an annual cyber drill exercise to test the effectiveness of its CIRP, based on various current and emerging threat scenarios (e.g. social engineering), with the involvement of key stakeholders including members of the board, senior management and relevant third party service providers.

HUAWEI CLOUD Response:
Customers should establish cyber crisis management policies and procedures, establish and implement a comprehensive Cyber Incident Response Plan (CIRP), and ensure that relevant CERT members are conversant with it. In addition, customers should conduct an annual cyber drill exercise to test the effectiveness of the CIRP. As a cloud service provider:
(1) HUAWEI CLOUD has developed a complete mechanism for internal security incident management and continues to optimize it. The roles and responsibilities are clearly defined for each activity during the incident response process. The HUAWEI CLOUD log system based on big data analytics can quickly collect, process, and analyze mass logs in real time and can connect to third-party Security Information and Event Management (SIEM) systems, such as the SIEM systems provided by ArcSight and Splunk. HUAWEI CLOUD collects management behavior logs of all physical devices, networks, platforms, applications, databases and security systems, and threat detection and warning logs of security products and components, through a centralized big data log analysis system. In addition, given the professionalism and urgency required to handle security incidents, HUAWEI CLOUD has a professional security incident response team available 24/7 and a corresponding pool of security expert resources for response. HUAWEI CLOUD formulates the classification and escalation principles of information security incidents, ranking them according to their degree of impact on the customer's business, and initiates a process to notify customers of the incident. When serious events occur on the underlying infrastructure platform and have or may have a serious impact on multiple customers, HUAWEI CLOUD can promptly notify customers of the events with an announcement. The contents of the notification include but are not limited to a description of the event, the cause, the impact, the measures taken by HUAWEI CLOUD and the measures recommended for customers. After the incident is resolved, an incident report will be provided to the customer according to the specific situation.
(2) HUAWEI CLOUD has formulated various specific contingency plans to deal with complex security risks in the cloud environment. Each year, HUAWEI CLOUD conducts contingency plan drills for major security risk scenarios to quickly reduce potential security risks and ensure cyber resilience when such security incidents occur. HUAWEI CLOUD regularly audits and updates all system documents every year according to the requirements of the internal business continuity management system and information security system. HUAWEI CLOUD maintains a list of contacts that should be contacted in case of an emergency and updates it promptly when notified of personnel changes.


5.3 Technology Audit

No.: 12.5
Control Domain: Technology Audit

Specific Control Requirements:
A FI must establish a technology audit plan that provides appropriate coverage of critical technology services, third party service providers, material external system interfaces, delayed or prematurely terminated critical technology projects and post-implementation review of new or material enhancements of technology services.

HUAWEI CLOUD Response:
Customers should establish a technology audit plan and review critical technology services, third party service providers, material external system interfaces, etc. As a cloud service provider, if a FI initiates an audit request for HUAWEI CLOUD, HUAWEI CLOUD will arrange a responsible person to actively cooperate with the audit. The customer's audit and supervision rights in HUAWEI CLOUD will be committed in the agreement signed with the customer according to the situation. HUAWEI CLOUD has obtained ISO 27001, ISO 27017, ISO 27018, SOC, CSA STAR and other international security and privacy protection certifications, and is audited by a third party every year.


5.4 Internal Awareness and Training

No.: 13.1-13.4
Control Domain: Internal Awareness and Training

Specific Control Requirements:
13.1 A FI must provide adequate and regular technology and cybersecurity awareness education for all staff in undertaking their respective roles, and measure the effectiveness of its education and awareness programs. This cybersecurity awareness education must be conducted at least annually by the FI and must reflect the current cyber threat landscape.
13.2 A FI must provide adequate and continuous training for staff involved in technology operations, cybersecurity and risk management in order to ensure that the staff are competent to effectively perform their roles and responsibilities.
13.3 In fulfilling the requirements under paragraph 13.2, a large FI shall ensure the staff working on day-to-day IT operations such as IT security, project management and cloud operations are also suitably certified.
13.4 A FI must provide its board members with regular training and information on technology developments to enable the board to effectively discharge its oversight role.

HUAWEI CLOUD Response:
Customers should establish a cybersecurity training mechanism, provide adequate and regular security awareness training for all employees, and provide security risk management and technical training for professionals to ensure that the staff are competent to effectively perform their roles and responsibilities. As a cloud service provider, to raise cybersecurity awareness company-wide, avoid non-compliance risks, and ensure normal business operations, Huawei provides employees with security awareness training in three ways: company-wide awareness training, awareness promotion events, and the signing of Business Conduct Guidelines (BCG) commitment agreements. By utilizing industry best practices, Huawei has established a comprehensive cybersecurity training program, which implements security competency training for new hires as well as existing and newly-promoted employees. This program boosts employees' security competencies and improves employees' capabilities to deliver to our customers secure products, services, and solutions that are compliant with all relevant laws and regulations. In order to streamline internal personnel management and to minimize any potential impact of personnel management on our business continuity and security, HUAWEI CLOUD implements a specialized personnel management program for key positions such as O&M engineers. This program includes: onboarding security review, on-the-job security training and enablement, onboarding qualifications management, and offboarding security review. See section 4.4 Human Resource Management of the HUAWEI CLOUD Security White Paper for more information.


6 How HUAWEI CLOUD Meets and Assists Customers to Meet the Requirements of BNM Outsourcing

BNM released Outsourcing on October 23, 2019. This policy sets FIs' outsourcing management requirements from the perspectives of responsibilities of the board and senior management, outsourcing process and management of risks, outsourcing outside Malaysia, outsourcing involving cloud services, approval for outsourcing arrangements, and submission of outsourcing plans. Among them, the domain of outsourcing process and management of risks includes requirements for assessment of service provider, outsourcing agreements, protection of data confidentiality, and business continuity planning.

When FIs are seeking to comply with the requirements provided in Outsourcing, HUAWEI CLOUD, as a cloud service provider, may be involved in some activities that are prescribed under such requirements. The following content summarizes the compliance requirements related to cloud service providers in Outsourcing, and explains how HUAWEI CLOUD, as a cloud service provider, can help FIs to meet these requirements.


6.1 Outsourcing Process and Management of Risks

No.: 9.3
Control Domain: Assessment of Service Provider

Specific Control Requirements:
A FI must conduct appropriate due diligence of a service provider at the point of considering all new arrangements, and renewing or renegotiating existing arrangements. The scope and depth of the due diligence process must be commensurate with the materiality of the outsourced activity. The due diligence process must cover, at a minimum:
(a) capacity, capability, financial strength and business reputation;
(b) risk management and internal control capabilities, including physical and IT security controls, and business continuity management;
(c) the location of the outsourced activity (e.g. city and country), including primary and back-up sites;
(d) access rights of the FI and the Bank to the service provider;
(e) measures and processes to ensure data protection and confidentiality;
(f) reliance on sub-contractors, if any, in particular where the sub-contracting adds further complexity to the operational chains of the outsourcing arrangement;
(i) ability of the service provider to comply with relevant laws, regulations and requirements in this policy document.

HUAWEI CLOUD Response:
Customers should conduct appropriate due diligence of a service provider at the point of considering all new arrangements, or renewing or renegotiating existing arrangements, including technical capabilities, financial resources, business reputation, risk management capabilities, location of outsourcing activities, data security, reliance on subcontractors, etc. As a cloud service provider, HUAWEI CLOUD's performance in the aforesaid aspects is as follows:
(1) Technical ability: HUAWEI CLOUD provides cloud services online, opening Huawei's technology accumulation and product solutions, based on more than 30 years of experience in ICT infrastructure, to customers. HUAWEI CLOUD has five core technological advantages: full-stack scenario AI, multidimensional framework, extreme performance, security and reliability, and open innovation. For example, in the field of artificial intelligence (AI), HUAWEI CLOUD AI has landed over 300 projects in 10 major industries, such as city, manufacturing, logistics, internet, medical treatment, and campus. In terms of multi-architecture, HUAWEI CLOUD has created a new multi-computing cloud service architecture based on "x86 + Kunpeng + Ascend", which enables various applications to run at the optimal computing power to maximize customer value.
(2) Financial strength: HUAWEI CLOUD is Huawei's service brand. Since its launch in 2017, HUAWEI CLOUD has been developing rapidly and its revenue has maintained a strong growth trend. According to the Market Share: IT Services, Worldwide 2019 study released by Gartner, HUAWEI CLOUD ranked sixth in the global IaaS market and is one of the top three within the China market, with the fastest growth rate in the world, up to 222.2%.
(3) Business reputation: As always, HUAWEI CLOUD adheres to the customer-centric principle, leading more and more customers to choose HUAWEI CLOUD. HUAWEI CLOUD has made breakthroughs in different Chinese industries such as the internet, live on demand, video surveillance, genetics, automobile manufacturing and other industries. Apart from the Chinese mainland, HUAWEI CLOUD has been launched in Hong Kong (China), Russia, Thailand, South Africa and Singapore in succession.
(4) Operational capability: HUAWEI CLOUD inherits Huawei's risk management ability and has established a complete risk management system. Through the continuous operation of the risk management system, HUAWEI CLOUD can effectively control risks in the complex internal and external environment with huge uncertainties in the market, strive for the optimal balance between performance growth and risk, continuously manage internal and external risks, and ensure the sustainable and healthy development of the company. HUAWEI CLOUD follows ISO 27001, ISO 20000, ISO 22301 and other international standards to establish a sound information security management system, IT service management system, business continuity management system, and the requirements applicable to the daily operation of these systems. HUAWEI CLOUD regularly carries out risk assessment, management review, and other activities every year to identify problems in the operation of the system and rectify them to continuously improve the management system.
(5) Data center location: Customers can use their own choice of data center when purchasing cloud services. HUAWEI CLOUD will follow the customer's choice. Without the customer's consent, HUAWEI CLOUD will not migrate customer content from the selected region, unless: (a) it must be migrated to comply with applicable laws and regulations or binding orders of government agencies; or (b) for technical services or for investigation of security incidents or investigating violations of contractual requirements.
(6) Access rights of the FIs and regulatory authority: Please refer to "Outsourcing Agreement" in section 6.1 "Outsourcing Process and Management of Risks" of this document.
(7) Data security: Please refer to "Data Confidentiality Protection" in section 6.1 "Outsourcing Process and Management of Risks" of this document.
(8) Subcontracting management: In order to cooperate with customers in exercising their supervision over service providers, the online HUAWEI CLOUD Customer Agreement divides the security responsibilities of cloud service customers and Huawei, while the HUAWEI CLOUD Service Level Agreement defines the level of services provided by HUAWEI CLOUD. In addition, HUAWEI CLOUD has also formulated an offline contract template. According to the specific requirements of the customer, it can stipulate that if HUAWEI CLOUD hires subcontractors, HUAWEI CLOUD shall notify the customer and be responsible for the subcontracted services. HUAWEI CLOUD has formulated a supplier management mechanism and has put forward security requirements for the supplier's products and the supplier's internal management. In addition, HUAWEI CLOUD conducts regular audits of suppliers, and network security agreements will be signed with suppliers involved in network security. During the service process, the quality of services will be continuously monitored and the performance of suppliers will be scored. Suppliers with poor security performance will have their cooperation level downgraded.
(9) Corporate culture and service policies suitable for FIs: HUAWEI CLOUD defines product safety and functional requirements according to customer business scenarios, applicable laws and regulations, and regulatory requirements in the product and service planning and design phases. Huawei implements these in the R&D and design phases to meet customer needs. HUAWEI CLOUD has released financial industry solutions to provide end-to-end cloud solutions for banks, insurance companies and other customers, by considering the needs of the industry and Huawei's comprehensive cloud services.


No.: 9.6 and 9.7
Control Domain: Outsourcing Agreement

Specific Control Requirements:
9.6 An outsourcing arrangement must be governed by a written agreement that is legally enforceable. The outsourcing agreement must, at a minimum, provide for the following: duration of the arrangement with date, responsibilities of the service provider, security control of service, data usage scope, service provider inspection, business continuity plan, notification obligation, breach clause, termination clause, etc.
9.7 The outsourcing agreement must also contain provisions which: (a) enable the Bank to have direct, timely and unrestricted access to the systems and any information or documents relating to the outsourced activity; (b) enable the Bank to conduct on-site supervision of the service provider where the Bank deems necessary; (c) enable the Bank to appoint an independent party to perform a review of the relevant systems, information or documents of the service provider relating to the outsourced activity, where the Bank deems necessary; and (d) allow the FI the right to modify or terminate the arrangement when the Bank issues a direction to the FI to that effect.

HUAWEI CLOUD Response:
Customers should sign a legally binding service agreement with the service provider and ensure the legality and suitability of the terms of the agreement. To cooperate with customers to meet regulatory requirements, HUAWEI CLOUD provides online versions of the HUAWEI CLOUD Customer Agreement and HUAWEI CLOUD Service Level Agreement, which specify the content and level of services provided, as well as the responsibilities of HUAWEI CLOUD. HUAWEI CLOUD has also developed an offline contract template, which can be customized according to the needs of different customers. Customers' and their regulators' audit and supervision rights in HUAWEI CLOUD will be committed in the agreement signed according to the actual situation.


No.: 9.8 and 9.9
Control Domain: Protection of Data Confidentiality

Specific Control Requirements:
9.8 It is imperative that the FI satisfies itself that the level of security controls, governance, policies, and procedures at the service provider are robust to protect the security and confidentiality of information shared under the outsourcing arrangement.
9.9 A FI must ensure that appropriate controls are in place and are effective in safeguarding the security, confidentiality and integrity of any information shared with the service provider. In meeting this requirement, the FI must ensure that:
(d) where the service provider is located, or performs the outsourced activity, outside Malaysia, the service provider is subject to data protection standards that are comparable to Malaysia;
(e) where the service provider provides services to multiple clients, the FI's information must be segregated from the information of other clients of the service provider;
(f) the service provider is bound by confidentiality provisions stipulated under the outsourcing agreement even after the arrangement has ceased; and
(g) information shared with the service provider is destroyed, rendered unusable, or returned to the FI in a timely and secure manner once the outsourcing arrangement ceases or is terminated.

HUAWEI CLOUD Response:
Customers should use agreement restrictions, reviews, and other means to ensure that the security controls, governance, policies, and procedures at the service provider are robust and secure, and can effectively protect the security and confidentiality of information. To meet regulatory requirements, HUAWEI CLOUD cooperates with customers as follows:
(1) The development of HUAWEI CLOUD business follows Huawei's strategy of "one policy for one country/region, one policy for one customer", on the basis of compliance with the safety regulations and industry supervision requirements of the country or region where the customer is located. HUAWEI CLOUD not only leverages and adopts best security practices from throughout the industry but also complies with all applicable country- and region-specific security policies and regulations as well as international cybersecurity and cloud security standards, which form our security baseline. Moreover, HUAWEI CLOUD continues to build and mature in areas such as our security-related organization, processes, and standards, as well as personnel management, technical capabilities, compliance, and ecosystem construction, in order to provide highly trustworthy and sustainable security infrastructure and services to our customers. We will also openly and transparently tackle cloud security challenges standing shoulder-to-shoulder with our customers and partners as well as relevant governments in order to support the security requirements of our cloud users. HUAWEI CLOUD has obtained many authoritative security and privacy protection certificates in the world. Third-party evaluation companies regularly conduct security, security adequacy and compliance audits, and issue expert reports on HUAWEI CLOUD.
(2) HUAWEI CLOUD will not use customer data for commercial monetization and explicitly states in the user agreement that it will not access or use the user's content, unless it is providing the necessary services for the user or abiding by applicable laws and regulations or the binding orders of government institutions. HUAWEI CLOUD conforms to the data protection principles described in the Personal Data Protection Act (PDPA) of Malaysia.
(3) HUAWEI CLOUD service products and components have planned and implemented appropriate isolation mechanisms from the beginning of design, avoiding intentional or unintentional unauthorized access and tampering between customers, and reducing the risk of data leakage. Using data storage as an example, HUAWEI CLOUD services including block storage, object storage, and file storage all regard customer data isolation as an important feature.
(4) When the service agreement terminates, customers can migrate content data from HUAWEI CLOUD through the Object Storage Migration Service (OMS) and Server Migration Service (SMS) provided by HUAWEI CLOUD, such as migrating to a local data center. Upon the customer's confirmation of the destruction of customer data, HUAWEI CLOUD clears the specified data and all the copies. Once customers agree to the deletion, HUAWEI CLOUD deletes the index

HUAWEI CLOUD User Guide to Financial ServicesRegulations & Guidelines in Malaysia

6 How HUAWEI CLOUD Meets and AssistsCustomers to Meet the Requirements of BNM

Outsourcing

Issue 01 (2020-09-30) Copyright © Huawei Technologies Co., Ltd. 60

Page 65: HUAWEI CLOUD User Guide to Financial Services Regulations & … · 2021. 1. 15. · Malaysia to meet regulatory requirements when providing cloud services. 1.2 Introduction of Applicable

No. ControlDomain

Specific ControlRequirements

HUAWEI CLOUD Response

relationship between customers anddata, and clears the storage space,such as memory and block storagebefore reallocation, so that relateddata and information cannot berestored. If a physical storagemedium is to be disposed, HUAWEICLOUD clears the data bydegaussing, bending, or breaking thestorage medium so that data on thestorage medium cannot be restored.


No.: 9.10, 9.13, and 9.14
Control Domain: Business Continuity Planning
Specific Control Requirements:
9.10 A FI is responsible for ensuring that its business continuity planning (BCP) considers any operational disruptions at, or failure of, the service provider.

9.13 A FI must, at all times, ensure that it has ready access to all its records and information at the service provider with respect to the outsourced activity which would be necessary for it to operate and meet its legal and regulatory obligations.

9.14 A FI must periodically test its own BCP and proactively seek assurance on the state of BCP preparedness of the service provider and, where relevant, alternative service providers. The intensity and regularity of the BCP testing and assessments of BCP preparedness must be commensurate with the materiality of the outsourcing arrangement. In assessing this preparedness, the FI must, at a minimum:
(a) ensure that the back-up arrangements are available and ready to be operated when necessary;
(b) ensure that the service provider periodically tests its BCP and provides any test reports, including any identified deficiencies, that may affect the provision of the outsourced service and measures to address such deficiencies as soon as practicable; and
(c) for material outsourcing arrangements, participate in joint testing with the service provider to enable an end-to-end BCP test for these arrangements by the FI.

HUAWEI CLOUD Response:
Customers should ensure that their BCP has considered any operational disruptions at, or failure of, the service provider and that they have ready access to all their records and information at the service provider with respect to the outsourced activity. In addition, customers should periodically test their own BCP, and ensure that service providers test their business continuity plans and make continuous improvements. To meet regulatory requirements, HUAWEI CLOUD cooperates with customers as follows:

(1) To provide continuous and stable cloud services to customers, HUAWEI CLOUD has obtained ISO 22301 certification and formulates business continuity management systems for the cloud to suit the customer's business needs. HUAWEI CLOUD carries out business continuity promotion and training within the organization every year, and conducts emergency drills and tests regularly to continuously optimize emergency response.

(2) HUAWEI CLOUD provides online versions of the HUAWEI CLOUD Customer Agreement and HUAWEI CLOUD Service Level Agreement, which specify the content and level of services provided, as well as the responsibilities of HUAWEI CLOUD. HUAWEI CLOUD has also developed an offline contract template, which can be customized according to the needs of different customers. Customers' and their regulators' audit and supervision rights in HUAWEI CLOUD will be committed in the agreement signed with the customer according to the situation.

(3) Customers can rely on the Region and Availability Zone (AZ) architecture of the HUAWEI CLOUD data center cluster for disaster recovery and backup of their business systems. Data centers are deployed around the world according to rules. Customers have disaster data backup centers in two places. If a failure occurs, the system automatically transfers customer applications and data from the affected areas to ensure business continuity on the premise of meeting compliance policies. HUAWEI CLOUD has also deployed a Global Server Load Balance Center. Customer applications can achieve N+1 deployment in the data center. Even if one data center fails, it can still balance traffic load to other centers.

(4) As a supplier to cloud service customers, HUAWEI CLOUD will actively cooperate with customer-initiated test requirements and help customers test the effectiveness of their BCPs. HUAWEI CLOUD tests the BCPs and disaster recovery plans annually according to the requirements of the internal business continuity management system. All emergency response personnel, including reserve personnel, need to participate. The tests include desktop exercises, functional exercises and full-scale exercises, in which high-risk scenarios are emphasized. During the testing process, HUAWEI CLOUD selects test scenarios, develops complete test plans and procedures, and records test results. After the completion of the test, relevant personnel write the test report and summarize any problems found during the test. If the test results show problems with the BCPs, recovery strategy or emergency plan, the documents will be updated.


6.2 Outsourcing Outside Malaysia

No. | Control Domain | Specific Control Requirements | HUAWEI CLOUD Response

No.: 10.1-10.3
Control Domain: Outsourcing Outside Malaysia
Specific Control Requirements:
10.1 Outsourcing arrangements where the service provider is located, or performs the outsourced activity, outside Malaysia expose a FI to additional risks (e.g. country risk). A FI should have in place appropriate controls and safeguards to manage these additional risks, having regard to social and political conditions, government policies, and legal and regulatory developments.

10.2 In conducting the due diligence process, a FI must ensure that such assessment addresses the added dimensions of risks associated with outsourcing outside Malaysia, and the ability of the FI or service provider to implement appropriate responses to emerging risk events in a timely manner.

10.3 A FI must ensure that outsourcing arrangements undertaken outside Malaysia are conducted in a manner which does not affect:
(a) the FI's ability to effectively monitor the service provider and execute the institution's BCP;
(b) the FI's prompt recovery of data in the event of the service provider's failure, having regard to the laws of the particular jurisdiction; and
(c) the Bank's ability to exercise its regulatory or supervisory powers, in particular the Bank's timely and unrestricted access to systems, information or documents relating to the outsourced activity.

HUAWEI CLOUD Response:
When choosing foreign outsourced service providers, customers should conduct due diligence in advance to ensure that the government policies, economic conditions, legal supervision and service capabilities of outsourced service providers meet the needs of customer business development and regulatory requirements. In order to cooperate with customers to meet regulatory requirements, HUAWEI CLOUD will arrange special personnel to actively cooperate with the customer during their due diligence. In addition, Huawei's cloud business follows Huawei's strategy of "one policy for one country/region, one policy for one customer", which complies with the safety regulations of the customer's country or region and the requirements of industry supervision. It also establishes and manages a highly trusted and sustainable security guarantee system covering organization, process, norms, technology, compliance, ecology and other aspects, adhering to the best practices of the industry. In an open and transparent manner, we will work with relevant governments, customers and industry partners to meet the challenges of cloud security and support the security needs of customers in an all-round way. For more information, please refer to the relevant content of "Business Continuity Plan" in section 6.1 "Outsourcing Process and Management of Risks" of this document.


6.3 Outsourcing Involving Cloud Services

No. | Control Domain | Specific Control Requirements | HUAWEI CLOUD Response

No.: 11.3 and 11.4
Control Domain: Outsourcing involving Cloud Services
Specific Control Requirements:
11.3 In relation to a FI's ability to conduct audits and inspections on the cloud service provider and sub-contractors pursuant to paragraph 9.6(f), the FI may rely on third party certification and reports made available by the cloud service provider for the audit, provided such reliance is supported by an adequate understanding and review of the scope of the audit and methods employed by the third party, and access to the third party and service provider to clarify matters relating to the audit.

11.4 In relation to the testing of a cloud service provider's BCP pursuant to paragraph 9.6(i), a FI must be able to access information on the state of robustness of the controls instituted by such cloud service providers arising from the BCP testing.

HUAWEI CLOUD Response:
Customers should regularly review cloud service providers, or obtain third-party certification and reports. In addition, customers should also obtain information about the business continuity management of the cloud service providers. In order to cooperate with customers to meet regulatory requirements, if an FI initiates an audit request for HUAWEI CLOUD, HUAWEI CLOUD will arrange responsible persons to actively cooperate regarding the audit. Customers' audit and supervision rights in HUAWEI CLOUD will be committed in the agreement signed with HUAWEI CLOUD according to the situation. HUAWEI CLOUD has obtained ISO 27001, ISO 27017, ISO 27018, SOC, CSA STAR and other international security and privacy protection certifications, and is audited by a third party every year.

For more information about HUAWEI CLOUD's business continuity management, please refer to the relevant content of "Business Continuity Plan" in section 6.1 "Outsourcing Process and Management of Risks" of this document.


7 How HUAWEI CLOUD Meets and Assists Customers to Meet the Requirements of BNM Management of Customer Information and Permitted Disclosures

BNM released Management of Customer Information and Permitted Disclosures on October 17, 2017. This policy sets FIs' customer information management requirements from the perspectives of board oversight, senior management, control environment, customer information breaches, outsourced service providers and other domains. Among them, the control environment domain includes requirements for risk assessment, policies and procedures, information and communication technology controls, access control, physical security, and independent review.

When FIs are seeking to comply with the requirements provided in Management of Customer Information and Permitted Disclosures, HUAWEI CLOUD, as a cloud service provider, may be involved in some activities that are prescribed under such requirements. The following content summarizes the compliance requirements related to cloud service providers in Management of Customer Information and Permitted Disclosures, and explains how HUAWEI CLOUD, as a cloud service provider, can help FIs to meet these requirements.


7.1 Control Environment

No. | Control Domain | Specific Control Requirements | HUAWEI CLOUD Response

No.: 10.1 and 10.2
Control Domain: Risk Assessment
Specific Control Requirements:
10.1 FSPs must identify potential threats and vulnerabilities that could result in theft, loss, misuse, or unauthorized access, modification or disclosure by whatever means.

10.2 FSPs must also assess the likelihood that such threat and vulnerability will materialize and the potential impact it will have on the FSP and its customers in the event a customer information breach occurs.

HUAWEI CLOUD Response:
Customers should identify potential security threats and vulnerabilities, and assess the likelihood that such threats and vulnerabilities materialize, as well as the potential impact caused by security incidents. As a cloud service provider, HUAWEI CLOUD has established comprehensive physical security and environmental safety protection measures, strategies, and procedures that comply with the Class A standard of GB 50174 Code for Design of Electronic Information System Room and the T3+ standard of TIA-942 Telecommunications Infrastructure Standard for Data Centers. The HUAWEI CLOUD O&M team regularly carries out risk assessment on global data centers to ensure that data centers strictly implement access control, security measures, routine monitoring and audit, emergency response and other measures. In addition, Huawei PSIRT and HUAWEI CLOUD's security O&M team have established a mature and comprehensive program and framework for vulnerability detection, identification, response, and disclosure. HUAWEI CLOUD relies on this program and framework to manage vulnerabilities, so that vulnerabilities in HUAWEI CLOUD infrastructure, cloud services, and O&M tools, regardless of whether they are found in Huawei's or third-party technologies, are handled and resolved within SLAs. HUAWEI CLOUD strives to reduce and ultimately prevent service impacts to our customers from vulnerability exploitation.


No.: 10.6 and 10.11
Control Domain: Policies and Procedures
Specific Control Requirements:
10.6 FSPs must establish and have in place written policies and procedures to safeguard customer information, which cover collection, storage, use, transmission, sharing, disclosure and disposal of customer information.

10.11 FSPs must continually review their policies and procedures to ensure that they remain adequate, relevant and operate effectively in response to changes in the operating environment.

HUAWEI CLOUD Response:
Customers should formulate and implement data security policies and procedures to protect the entire life cycle of customer information. In addition, customers should continually review their policies and procedures to ensure their adequacy and effectiveness. To ensure the safe processing of data on the cloud by customers, HUAWEI CLOUD implements layer-by-layer protection at all phases of the data life cycle. For details, please refer to the relevant content of "Data Loss Prevention" in section 5.2 "Cyber Security Management" in this document. HUAWEI CLOUD follows ISO 27001, ISO 20000, ISO 22301 and other international standards to establish a sound information security management system, IT service management system and business continuity management system, and to operate these systems day to day in line with the applicable requirements. HUAWEI CLOUD carries out risk assessment, management review, and other activities every year to identify problems in the operation of the systems and rectify them, so as to continuously improve the management system.


No.: 10.12, 10.13, 10.20, and 10.21
Control Domain: Control Measures - Information and Communication Technology (ICT) Controls
Specific Control Requirements:
10.12 FSPs must deploy preventive and detective ICT controls to prevent theft, loss, misuse or unauthorized access, modification or disclosure of customer information and to detect errors and irregularities when they occur.

10.13 FSPs must regularly monitor the effectiveness of these controls to ensure that they remain responsive to changing threats.

10.20 FSPs must have in place mechanisms that create a strong deterrent effect against unauthorized disclosure by whatever means of customer information by staff.

10.21 Unauthorized disclosure may occur in many ways and forms such as staff taking photographs of documents or screens that contain customer information. The mechanisms referred to in paragraph 10.20 may include raising staff awareness on the disciplinary actions for unauthorized disclosure by whatever means, installing CCTV at relevant areas, having an open office concept, encouraging whistleblowing in this respect, or restricting personal electronic devices at high risk areas like data centers, dealing rooms, call centers, etc.

HUAWEI CLOUD Response:
Customers should deploy preventive and detective ICT controls, regularly monitor the effectiveness of these controls, and establish an accountability mechanism for information disclosure. In order to cooperate with customers to meet regulatory requirements:

(1) HUAWEI CLOUD's Identity and Access Management (IAM) provides cloud resource access control for customers. With IAM, the customer administrator can manage user accounts and control the operation rights of these user accounts to the resources under the customer's name. Cloud Trace Service (CTS) can provide customers with operational records of cloud service resources for query, audit and retrospective use. There are three types of operations recorded: operations performed through the management console after logging in with the cloud account, operations performed through APIs supported by cloud services, and operations triggered within the HUAWEI CLOUD system. HUAWEI CLOUD will not use customer data for commercial monetization and explicitly states in the user agreement that it will not access or use the user's content unless it provides the necessary services for the user or abides by the applicable laws and regulations or the binding orders of government organs. When internal operation and maintenance personnel access the HUAWEI CLOUD management network for centralized management of the system, they need to use two-factor authentication for identity authentication, such as a USB key or smart card. The employee account is used to log on to the VPN and the fortress machine (bastion host) so that user logins are audited in depth.

(2) Huawei has established a rigorous security responsibility system and implemented accountability measures against security violations. On the one hand, HUAWEI CLOUD carries out its responsibilities in accordance with the shared responsibility model and takes full responsibility for any security violation caused by HUAWEI CLOUD in order to minimize user business impact. On the other hand, HUAWEI CLOUD mandates that every employee be responsible for his/her actions and results at work, not only for the technologies and services of concern, but also in terms of bearing legal responsibility. HUAWEI CLOUD employees are made well aware that if ever a security issue arises due to a security violation by an employee, it may have grave consequences for customers and the company as a whole. Therefore, HUAWEI CLOUD always holds employees accountable based on behavior and results, regardless of their intent. HUAWEI CLOUD will determine the nature of an employee's security violation and the level of his or her accountability based on the consequences and take disciplinary actions accordingly. Cases will be handed over to law enforcement if legal violations are involved. Direct and indirect management must also bear responsibility for their negligence, substandard management, and condonation of security violation(s) by their employee(s). In handling security violations, HUAWEI CLOUD also factors in the perpetrator's attitude and cooperation during the investigation and adjusts the punishment severity accordingly before meting it out.

(3) HUAWEI CLOUD data centers employ industry standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems. Security guards routinely patrol data centers and set up online electronic patrol systems such that unauthorized access and other physical security incidents promptly trigger sound and light alarms.
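The detective side of paragraph 10.12 rests on an audit trail like the one described above: records of console, API and system-triggered operations that the FI can query and review. The following added example, which is not HUAWEI CLOUD or CTS code, shows how such a trail is turned into a detective control. The record layout, the action names (iam:login, obs:deleteBucket, and so on), the trusted network ranges and the sample records are all constructed assumptions; real CTS field names are not assumed. The rules flag console logins without a second factor and high-risk actions (rights changes, data deletion) performed without MFA or from outside the institution's own networks, and a per-origin count supports the paragraph 10.13 check that all three kinds of operation are actually being captured.

```python
"""Detective control over an audit trail of cloud-resource operations.

Added example, not HUAWEI CLOUD's or CTS's code. The record layout,
action names, network ranges and sample records are constructed
assumptions for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Sequence, Tuple

# One constructed audit record:
# (timestamp, principal, source, action, resource, mfa_used, source_ip)
Record = Tuple[str, str, str, str, str, bool, str]

# Constructed sample trail covering the three operation origins named in the text.
SAMPLE_TRAIL: List[Record] = [
    ("2020-09-30T08:01:00Z", "alice", "console", "iam:login", "account", True, "203.0.113.10"),
    ("2020-09-30T08:05:12Z", "alice", "api", "obs:putObject", "bucket/statements", True, "203.0.113.10"),
    ("2020-09-30T09:10:00Z", "bob", "console", "iam:login", "account", False, "198.51.100.7"),
    ("2020-09-30T09:12:30Z", "bob", "api", "iam:attachPolicy", "user/bob", False, "198.51.100.7"),
    ("2020-09-30T10:00:00Z", "platform", "system", "ecs:autoScale", "group/web", True, "10.0.0.5"),
    ("2020-09-30T23:30:00Z", "carol", "api", "obs:deleteBucket", "bucket/kyc-archive", True, "192.0.2.44"),
]

# Assumed corporate egress ranges; anything else is treated as untrusted.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]

# Actions that alter access rights or destroy customer data (assumed names).
HIGH_RISK_ACTIONS = {"iam:attachPolicy", "iam:detachPolicy", "obs:deleteBucket", "obs:deleteObject"}


@dataclass(frozen=True)
class Alert:
    rule: str
    principal: str
    action: str
    resource: str


def from_trusted_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def detect(trail: Sequence[Record]) -> List[Alert]:
    """Apply the detective rules to each record and return the alerts raised."""
    alerts: List[Alert] = []
    for _ts, principal, source, action, resource, mfa_used, ip in trail:
        if source == "system":
            # Platform-triggered operations carry no interactive identity;
            # they are reconciled against change records, not these rules.
            continue
        if source == "console" and action == "iam:login" and not mfa_used:
            alerts.append(Alert("console-login-without-mfa", principal, action, resource))
        if action in HIGH_RISK_ACTIONS:
            if not mfa_used:
                alerts.append(Alert("high-risk-action-without-mfa", principal, action, resource))
            if not from_trusted_network(ip):
                alerts.append(Alert("high-risk-action-from-untrusted-network", principal, action, resource))
    return alerts


def count_by_source(trail: Sequence[Record]) -> Dict[str, int]:
    """Effectiveness check (10.13): confirm all three operation origins are being captured."""
    counts = {"console": 0, "api": 0, "system": 0}
    for record in trail:
        counts[record[2]] = counts.get(record[2], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect(SAMPLE_TRAIL):
        print(f"{alert.rule}: {alert.principal} {alert.action} {alert.resource}")
    print(count_by_source(SAMPLE_TRAIL))
```

A zero in any bucket of count_by_source is itself a finding: it usually means a logging source has been disabled or is not being forwarded, which is the kind of control degradation paragraph 10.13 asks the FI to monitor for.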


No.: 10.26 and 10.27
Control Domain: Access Controls
Specific Control Requirements:
10.26 FSPs must identify the location of customer information residing in different systems and ensure that adequate access controls are in place at different levels (i.e. application level, database level, operating system level and network level) to prevent unauthorized access, modification or disclosure by whatever means of customer information to external parties.

10.27 FSPs must regularly review the access rights of staff and immediately revoke the access rights of a staff leaving the FSP or changing to a new role or position that does not require access to customer information to prevent the theft of customer information.

HUAWEI CLOUD Response:
Customers should establish an access control mechanism for customer information to prevent unauthorized access to the system, regularly review the access rights of staff, immediately revoke the access rights of staff leaving the company, and update the rights of transferred staff. In order to cooperate with customers to meet regulatory requirements:

(1) Customers can manage the user accounts that use cloud resources through HUAWEI CLOUD Identity and Access Management (IAM). In addition to password authentication, IAM also supports multifactor authentication as an option, and the customer can choose whether to enable it. If the customer has a secure and reliable external authentication service provider, federated external users of the IAM service can be mapped to temporary users of HUAWEI CLOUD and access the customer's HUAWEI CLOUD resources. IAM authorization can be hierarchical and fine-grained, as administrators can plan the level of cloud resource access based on the user's responsibilities. They can also restrict malicious access from untrusted networks by setting security policies such as access control lists.

(2) HUAWEI CLOUD's Cloud Trace Service (CTS) provides collection, storage, and querying of operational records for a variety of cloud resources to support common scenarios such as security analysis, compliance auditing, resource tracking, and problem location.

(3) HUAWEI CLOUD has established a sound operation and maintenance account management mechanism such that when operational personnel try to access the HUAWEI CLOUD management network to centrally manage the system, an employee identity account and two-factor authentication are required. All operations accounts are centrally managed, centrally monitored, and automatically audited by LDAP through a unified operational audit platform, so that the processes from user creation, authorization, and authentication through to rights collection are fully managed. RBAC permission management is also implemented according to different business dimensions and different responsibilities within the same business, to ensure that personnel with different responsibilities in different positions are limited to accessing the equipment under their role.
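Paragraph 10.27 and the RBAC description above come down to one recurring check: every grant a person holds must be justified by their current role, and leavers must hold nothing. The following added example, which is not HUAWEI CLOUD or IAM code, shows what such a periodic access review looks like in practice. The roles, permission names, staff roster, current grants and the rule that customer-data permissions are only honoured on an MFA-verified session are all constructed assumptions. The review reports the excess grants per user (a transferred teller who still holds update rights, a leaver, an auditor with a read grant outside the role, and an account with no owner on the roster), a second function applies the revocations, and an application-level authorize() check then refuses what the review removed.

```python
"""Periodic access review with role-based revocation.

Added example, not HUAWEI CLOUD's or IAM's code. Roles, permissions,
staff records and the MFA requirement below are constructed assumptions
illustrating paragraphs 10.26 and 10.27.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed RBAC model: the permissions each role may legitimately hold.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "teller": {"customer:read"},
    "kyc_analyst": {"customer:read", "customer:update"},
    "dba": {"db:admin", "db:backup"},
    "auditor": {"trace:read"},
}

# Permissions that reach customer information; authorize() refuses them
# unless the session was authenticated with a second factor (assumption).
CUSTOMER_DATA_PERMISSIONS = {"customer:read", "customer:update", "db:admin", "db:backup"}


@dataclass(frozen=True)
class StaffRecord:
    user: str
    role: str
    active: bool  # False once the person has left the institution


# Constructed roster: bob moved from kyc_analyst to teller, carol has left.
ROSTER: List[StaffRecord] = [
    StaffRecord("alice", "kyc_analyst", True),
    StaffRecord("bob", "teller", True),
    StaffRecord("carol", "dba", False),
    StaffRecord("dave", "auditor", True),
]

# Constructed current grants as exported from the access management system.
CURRENT_GRANTS: Dict[str, Set[str]] = {
    "alice": {"customer:read", "customer:update"},
    "bob": {"customer:read", "customer:update"},
    "carol": {"db:admin", "db:backup"},
    "dave": {"trace:read", "customer:read"},
    "orphan-svc": {"db:backup"},  # account with no owner on the roster
}


def review_access(roster: List[StaffRecord], grants: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return, per user, the permissions that must be revoked.

    A leaver or an account absent from the roster loses everything; an
    active user loses any grant outside what the current role permits.
    """
    by_user = {r.user: r for r in roster}
    revocations: Dict[str, Set[str]] = {}
    for user, held in grants.items():
        record = by_user.get(user)
        if record is None or not record.active:
            excess = set(held)
        else:
            excess = set(held) - ROLE_PERMISSIONS.get(record.role, set())
        if excess:
            revocations[user] = excess
    return revocations


def apply_revocations(grants: Dict[str, Set[str]], revocations: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Produce the post-review grant table; users left with nothing are dropped."""
    updated: Dict[str, Set[str]] = {}
    for user, held in grants.items():
        remaining = set(held) - revocations.get(user, set())
        if remaining:
            updated[user] = remaining
    return updated


def authorize(grants: Dict[str, Set[str]], user: str, permission: str, mfa_verified: bool) -> bool:
    """Application-level check: the grant exists and, for customer data, MFA was used."""
    if permission not in grants.get(user, set()):
        return False
    if permission in CUSTOMER_DATA_PERMISSIONS and not mfa_verified:
        return False
    return True


if __name__ == "__main__":
    revocations = review_access(ROSTER, CURRENT_GRANTS)
    for user, perms in sorted(revocations.items()):
        print(f"revoke {sorted(perms)} from {user}")
    after = apply_revocations(CURRENT_GRANTS, revocations)
    print("bob may update customer records:", authorize(after, "bob", "customer:update", True))
```

Running the review a second time over the corrected grant table returns nothing, which is the property a recurring review should have; in production the roster would come from the HR system and the grant export from the identity provider, and the revocations would be fed back through the provisioning interface rather than applied to an in-memory table.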


No.: 10.28, 10.29, and 10.32

Control Domain: Physical Security

Specific Control Requirements:

10.28 FSPs must implement adequate physical security controls to ensure customer information stored either in paper or electronic forms are properly protected against theft, loss, misuse or unauthorized access, modification or disclosure by whatever means.

10.29 FSPs must restrict access and employ robust intruder deterrents to areas where large amounts of customer information is accessible and stored, for example, the server and filing rooms.

10.32 To effectively safeguard customer information throughout its lifecycle, FSPs must have proper procedures in place to identify customer information that is no longer required from the perspective of operation or requirements of any written law. FSPs shall deploy appropriate methods to securely dispose of such customer information which includes any paper and digital records of the customer information.

HUAWEI CLOUD Response:

Customers should establish physical security management mechanisms and restrict access to areas where large amounts of customer information is accessible and stored, to prevent customer information from being stolen, lost, or used without authorization. In addition, the customer should also identify customer information that is no longer needed and dispose of it in an appropriate way. As a cloud service provider:

(1) HUAWEI CLOUD has established comprehensive physical security and environmental safety protection measures, strategies, and procedures that comply with the Class A standard of GB 50174 Code for Design of Electronic Information System Room and the T3+ standard of TIA-942 Telecommunications Infrastructure Standard for Data Centers. HUAWEI CLOUD data centers are located on suitable physical sites, as determined from solid site surveys. During the design, construction, and operation stages, the data centers have proper physical zoning and well-organized placement of information systems and components, which helps prevent potential physical and environmental risk scenarios (for example, fire or electromagnetic leakage) as well as unauthorized access. Furthermore, sufficient and appropriate data center space and adequate electrical, networking, and cooling capacities are reserved in order to meet not only today's infrastructure requirements but also the demands of tomorrow's rapid infrastructure expansion. The HUAWEI CLOUD O&M team enforces stringent access control, safety measures, regular monitoring and auditing, and emergency response measures to ensure the physical security and environmental safety of HUAWEI CLOUD data centers.

(2) HUAWEI CLOUD enforces stringent data center access control for both personnel and equipment. Security guards, stationed 24/7 at every entrance to each HUAWEI CLOUD data center site as well as at the entrance of each building on site, are responsible for registering and monitoring visitors and staff, managing their access scope on an as-needed basis. Different security strategies are applied to the physical access control systems at different zones of the data center site for optimal physical security. Security guards strictly and regularly review users' access authorizations. Important physical components of a data center are stored in designated safes with crypto-based electronic access code protection in the data center storage warehouses. Only authorized personnel can access and operate the safes. Work orders must be filled out before any physical components within the data center can be carried out of the data center. Personnel removing any data center components must be registered in the warehouse management system. Designated personnel perform periodic inventories on all physical equipment and warehouse materials. Data center administrators not only perform routine safety checks but also audit data center visitor logs on an as-needed basis so that unauthorized personnel have no access to data centers.

(3) HUAWEI CLOUD attaches great importance to the security of users' data and information assets, and its security strategy and policy include a strong focus on data protection. HUAWEI CLOUD will continue to embrace industry-leading standards for data security lifecycle management and adopt best-of-breed security technologies, practices, and processes across a variety of aspects, including identity authentication, privilege management, access control, data isolation, transmission, storage, deletion, and physical destruction of storage media. In short, HUAWEI CLOUD will always strive toward the most effective data protection possible in order to support the privacy, ownership, and control of our users' data against data breaches and impacts on their business. When customers stop using HUAWEI CLOUD services and need to destroy content data, HUAWEI CLOUD clears the specified data and its copies. Once customers agree to the deletion, HUAWEI CLOUD deletes the index relationship between customers and data, and clears the storage space, such as memory and block storage, before reallocation so that the related data and information cannot be restored. If a physical storage medium is to be disposed of, HUAWEI CLOUD clears the data by degaussing, bending, or breaking the storage medium so that data on the storage medium cannot be restored.


No.: 10.39, 10.40, 10.42, 10.43, 10.44, 10.45, 10.49, and 10.50

Control Domain: Staff, Representatives, Agents and External Vendors' Personnel

Specific Control Requirements:

10.39 FSPs must ensure that employment contract contains a provision requiring all staff to sign a confidentiality undertaking that clearly specifies the obligation and requirement of any written law to safeguard customer information as well as the consequences for failure to comply with such obligation and requirement.

10.40 Where FSPs engage with external vendors to carry out duties or services within the FSPs' premises (e.g. security guards, cleaners and maintenance officer/engineer), FSPs must ensure that the external vendors carry out an appropriate level of vetting and monitoring on their personnel to reduce the risk of customer information theft.

10.42 FSPs must have in place robust monitoring to ensure that the relevant policies, procedures and controls established by the FSPs are being adhered to by staff.

10.43 FSPs must provide relevant training and regularly remind all staff on their obligations to properly handle customer information.

10.44 FSPs must include in their program for new staff a specific training to explain the relevant policies and procedures on protecting customer information.

10.45 New staff must also be alerted by the FSPs on the possible actions that may be taken for non-compliance with policies and procedures.

10.49 FSPs must conduct a thorough and timely investigation upon detecting theft, loss, misuse or unauthorized access, modification or disclosure by whatever means of customer information by staff and take appropriate actions against the staff concerned.

10.50 The actions taken pursuant to paragraph 10.49 must send a strong message to all staff and act as deterrent to prevent future recurrence of the customer information breach.

HUAWEI CLOUD Response:

Customers should require all staff to sign a confidentiality undertaking that clearly specifies the obligation and requirement to safeguard customer information. Customers should have in place robust monitoring to ensure that the security policies are being adhered to by staff, and should request that external vendors carry out an appropriate level of vetting and monitoring on their personnel. In addition, customers should conduct information security awareness training for employees, and investigate and appropriately handle employees who violate security policies. As a cloud service provider:

(1) HUAWEI CLOUD has established, and continues to improve, a complete information security and privacy protection management system in accordance with various regulatory requirements and international and industry standards. The management system has detailed policies and procedures in many security fields, such as physical security control, system security, and security awareness training. HUAWEI CLOUD continues to implement management system requirements to ensure customer business and data security.

(2) HUAWEI CLOUD has formulated a comprehensive security awareness training plan, which includes various forms of security awareness training at employee recruitment, on the job, on transfer, and on other such occasions. This ensures that employees' behavior complies with all applicable laws, policies, processes and requirements in Huawei's business code of conduct.

(3) HUAWEI CLOUD provides online versions of the HUAWEI CLOUD Customer Agreement and the HUAWEI CLOUD Service Level Agreement, which specify the content and level of services provided, as well as the responsibilities of HUAWEI CLOUD. HUAWEI CLOUD has also developed an offline contract template, which can be customized according to the needs of different customers. Customers' and their regulators' audit and supervision rights over HUAWEI CLOUD will be committed in the agreement signed with HUAWEI CLOUD according to the situation.

(4) Huawei has established a rigorous security responsibility system and implemented accountability measures against security violations. On the one hand, Huawei Cloud carries out its responsibilities in accordance with the shared responsibility model and takes full responsibility for any security violation caused by Huawei Cloud in order to minimize user business impact. On the other hand, Huawei Cloud mandates that every employee be responsible for his/her actions and results at work, not only for the technologies and services of concern, but also in terms of bearing legal responsibility. Huawei Cloud employees are made well aware that if ever a security issue arises due to a security violation by an employee, it may have grave consequences for customers and the company as a whole. Therefore, Huawei Cloud always holds employees accountable based on behavior and results, regardless of their intent. Huawei Cloud will determine the nature of an employee's security violation and the level of his or her accountability based on the consequences and take disciplinary actions accordingly. Cases will be handed over to law enforcement if legal violations are involved. Direct and indirect management must also bear responsibility for their negligence, substandard management, and condonation of security violation(s) by their employee(s). In handling security violations, Huawei Cloud also factors in the perpetrator's attitude and cooperation during the investigation and adjusts the punishment severity accordingly before meting it out.

No.: 10.53

Control Domain: Independent Review

Specific Control Requirements: FSPs must subject their policies, procedures and control measures for safeguarding customer information to an independent review at least once in every two years.

HUAWEI CLOUD Response: Customers should regularly subject their policies, procedures and control measures for safeguarding customer information to an independent review. As a cloud service provider, if an FI initiates an audit request for HUAWEI CLOUD, HUAWEI CLOUD will arrange a responsible person to actively cooperate with the audit. Customers' audit and supervision rights over HUAWEI CLOUD will be committed in the agreement signed with HUAWEI CLOUD according to the situation. HUAWEI CLOUD has obtained ISO 27001, ISO 27017, ISO 27018, SOC, CSA STAR and other international security and privacy protection certifications, and is audited by a third party every year.


7.2 Customer Information Breaches

No. / Control Domain / Specific Control Requirements / HUAWEI CLOUD Response

No.: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.12, and 11.13

Control Domain: Customer Information Breaches

Specific Control Requirements:

11.1 FSPs must have in place a customer information breach handling and response plan in the event of theft, loss, misuse or unauthorized access, modification or disclosure by whatever means of customer information.

11.2 The plan by FSPs under paragraph 11.1 must at a minimum, include escalation procedures and a clear line of responsibility to contain the customer information breach and take remedial actions.

11.3 FSPs must ensure that staff understands the escalation procedures and relevant staff are trained to take the appropriate remedial action to a customer information breach effectively to protect affected customers' interests.

11.4 FSPs must have in place a mechanism to identify customer information breaches including those which arise from customer complaints and investigate the complaints promptly and properly.

11.5 FSPs must take appropriate mitigating actions to contain a customer information breach immediately.

11.6 FSPs must assess the impact arising from the theft, loss, misuse or unauthorized access, modification or disclosure by whatever means of customer information.

11.12 In the event the customer information breach affects a large number of customers, FSPs must assess the potential impact and take appropriate actions to avoid or reduce any harm on the affected customers.

11.13 The actions referred to in paragraph 11.12 may include the following:

(a) making a public announcement to notify the customers promptly to regain customers' confidence;

(b) providing contact details for customers to obtain further information or raise any concern with regard to the breach; or

(c) providing advice to affected customers on protective measures against potential harm that could be caused by the breach.

HUAWEI CLOUD Response:

Customers should establish a customer information breach incident management mechanism, formulate a customer information breach handling and response plan, clarify the escalation procedures and personnel responsibilities, establish procedures to identify customer information breaches, and take appropriate mitigating actions. In addition, customers should also assess the impact and notify customers in time. As a cloud service provider:

(1) HUAWEI CLOUD has developed a complete mechanism for internal security incident management and continues to optimize it. The roles and responsibilities are clearly defined for each activity during the incident response process. The HUAWEI CLOUD log system, based on big data analytics, can quickly collect, process, and analyze mass logs in real time and can connect to third-party Security Information and Event Management (SIEM) systems such as those provided by ArcSight and Splunk. HUAWEI CLOUD collects the management behavior logs of all physical devices, networks, platforms, applications, databases and security systems, and the threat detection and warning logs of security products and components, through a centralized big data log analysis system. In addition, given the professionalism and urgency required to handle security incidents, HUAWEI CLOUD has a professional security incident response team available 24/7 and a corresponding pool of security expert resources for response. HUAWEI CLOUD also uses a big data security analysis system to gather alert logs from a variety of security devices for unified analysis.

(2) HUAWEI CLOUD formulates the classification and escalation principles of information security incidents, ranking them according to their degree of impact on the customer's business, and initiates a process to notify customers of the incident. When serious events occur on the underlying infrastructure platform and have or may have a serious impact on multiple customers, HUAWEI CLOUD can promptly notify customers of the events with an announcement. The contents of the notification include but are not limited to a description of the event, the cause, the impact, the measures taken by HUAWEI CLOUD and the measures recommended for customers. After the incident is resolved, an incident report will be provided to the customer according to the specific situation.

(3) HUAWEI CLOUD annually tests its information security incident management procedures. All information security incident response personnel, including reserve personnel, need to participate. The test scenarios are combined with the current common network security threats, and high-risk scenarios are tested during simulations. During the testing process, HUAWEI CLOUD selects test scenarios, develops complete test plans and procedures, and records test results. After completion, relevant personnel write a report and summarize any problems identified during the simulation. If the results indicate issues with the information security incident management process, the related documentation will be updated accordingly. HUAWEI CLOUD regularly reviews and updates all system documents every year according to the requirements of its internal business continuity management system and information security management system. HUAWEI CLOUD maintains a list of contacts to be reached in case of an emergency and updates it promptly when notified of personnel changes.


7.3 Outsourced Service Provider

No. / Control Domain / Specific Control Requirements / HUAWEI CLOUD Response

No.: 12.2, 12.3, 12.4, 12.6, and 12.7

Control Domain: Outsourced Service Provider (OSP)

Specific Control Requirements:

12.2 FSPs must perform adequate and relevant due diligence assessments when selecting an OSP which has access to customer information including for processing, storing, or disposing customer information.

12.3 FSPs must be satisfied that the OSP has in place policies, procedures and controls that are comparable to that of the FSPs, to ensure that customer information is properly safeguarded at all times.

12.4 In ensuring the obligation to safeguard customer information is adequately reflected in the Service Level Agreement (SLA) with an OSP, at a minimum, the SLA must require the OSP to:

(a) undertake to safeguard the customer information and prevent any theft, loss, misuse or unauthorized access, modification or disclosure by whatever means;

(b) ensure the adequacy and effectiveness of its policies and procedures to protect the FSP's customer information;

(c) conduct robust vetting on its personnel who handles customer information;

(d) only allow its personnel access to customer information strictly for the purpose of carrying out their functions;

(e) ensure that its personnel understands and undertakes to comply with the prohibition on disclosure by whatever means of customer information to any person for any purpose other than that which is specified in the SLA, permitted under the written law or approved by the Bank, as the case may be (including after the end of the contract term);

(f) investigate any customer information breach to determine when and how the breach occurred;

(g) report any customer information breach to the FSP within an agreed timeframe;

(h) destroy in accordance with paragraph 10.32 or return all customer information to the FSP upon the expiry or termination of the SLA;

(i) allow the FSP to audit or inspect how customer information is safeguarded.

12.6 FSPs must require the OSP to sign a binding non-disclosure undertaking with regard to the handling of customer information.

12.7 FSPs must ensure that the OSP conducts training to its staff, at regular intervals, on relevant policies and procedures relating to the proper handling of customer information as well as reviews the adequacy and effectiveness of the training program.

HUAWEI CLOUD Response:

Customers should establish a security management mechanism for outsourced service providers, perform due diligence assessments on the service provider, and ensure that the service provider has in place appropriate security policies, procedures and controls. Customers should also sign a service level agreement and a confidentiality agreement with the service provider to secure the obligation to safeguard customer information. In addition, customers should require service providers to conduct training for their staff, and to review the adequacy and effectiveness of the training plan. In order to cooperate with customers to meet regulatory requirements:

(1) HUAWEI CLOUD will assign a responsible person to actively cooperate with audits and due diligence initiated by customers. HUAWEI CLOUD places great importance on its users' data and information assets and regards data protection as the core of Huawei's cloud security policy. HUAWEI CLOUD will continue to follow industry-leading standards for data security lifecycle management, using excellent technologies, practices, and processes to support the privacy of users' data in terms of authentication and access control, rights management, data isolation, transmission security, storage security, data deletion, physical destruction, and data backup and recovery. Inviolable ownership and control are necessary to provide users with effective data protection. In addition, HUAWEI CLOUD has formulated an emergency response plan, which specifies the organization, procedures, and operating standards of emergency response in detail, and conducts regular tests to ensure continuous operation of cloud services and protect customers' business and data security.

(2) In accordance with ISO 27001, HUAWEI CLOUD has built a complete information security management system and formulated the overall information security strategy of HUAWEI CLOUD. It clarifies the structure and responsibilities of the information security management organization, the management methods for information security system documents, and the key directions and objectives of information security, including asset security, access control, cryptography, physical security, operational security, communication security, system development security, supplier management, information security incident management, and business continuity. HUAWEI CLOUD protects the inviolability, integrity, and availability of customer systems and data in one comprehensive effort.

(3) HUAWEI CLOUD provides online versions of the HUAWEI CLOUD Customer Agreement and the HUAWEI CLOUD Service Level Agreement, which specify the content and level of services provided, as well as the responsibilities of HUAWEI CLOUD. HUAWEI CLOUD has also developed an offline contract template, which can be customized according to the needs of different customers.

(4) HUAWEI CLOUD will not use customer data for commercial monetization and explicitly states in the user agreement that it will not access or use the user's content, unless it provides the necessary services for the user or abides by the applicable laws and regulations or the binding orders of government institutions. If a customer initiates a confidentiality requirement, HUAWEI CLOUD will arrange a specialist to actively cooperate. The measures by which HUAWEI CLOUD avoids unauthorized information disclosure, the expected actions to be taken on termination or on violation of the agreement, the audit and supervision rights of customers over HUAWEI CLOUD, and the responsibilities and actions of HUAWEI CLOUD will be contained in the signed agreement.

(5) HUAWEI CLOUD has formulated a comprehensive security awareness training plan, which includes various forms of security awareness training at employee recruitment, on the job, on transfer, and on other such occasions. This ensures that employee behavior complies with all applicable laws, policies, processes and requirements in Huawei's business code of conduct.


8 How HUAWEI CLOUD Meets and Assists Customers to Meet the Requirements of BNM Guidelines on Data Management and MIS Framework for Development Financial Institutions

BNM released the Guidelines on Data Management and MIS Framework for Development Financial Institutions on May 9, 2011. This policy sets out the guiding principles for FIs' customer data management and MIS framework from the perspectives of data governance, internal controls and reviews, data architecture and other domains.

When FIs are seeking to comply with the requirements provided in the Guidelines on Data Management and MIS Framework for Development Financial Institutions, HUAWEI CLOUD, as a cloud service provider, may be involved in some activities that are prescribed under such requirements. The following content summarizes the compliance requirements related to cloud service providers in the Guidelines on Data Management and MIS Framework for Development Financial Institutions, and explains how HUAWEI CLOUD, as a cloud service provider, can help FIs to meet these requirements.

No. / Control Domain / Specific Control Requirements / HUAWEI CLOUD Response


No.: 4.12

Control Domain: Principle 2 - Data Governance

Specific Control Requirements: Where data is managed by third party service providers under outsourcing arrangements, senior management must ensure that effective oversight, review and reporting arrangements are established to ensure that service level agreements regarding standards on data quality, integrity and accessibility are observed at all times.

HUAWEI CLOUD Response: Please refer to 5.3 Technology Audit of this document.

No.: 4.14 (VI)

Control Domain: Principle 3 - Data Architecture

Specific Control Requirements: The FI should establish appropriate data storage and back-up processes that optimize the functioning of data systems and enable efficient and timely access to data for the purpose of business continuity management.

HUAWEI CLOUD Response: Please refer to the control domain of "Data Center Resilience - Data Center Operations" under 5.1 Technology Operations Management of this document.


No.: 4.20, 4.23, 4.25, and 4.27

Control Domain: Principle 5 - Internal Controls and Reviews

Specific Control Requirements:

4.20 FIs must establish adequate preventive and detective controls to ensure that logical and physical access to systems and data is secure and only available to authorized personnel for specific purposes.

4.23 Access rights to systems and data should be clearly defined, documented and where appropriate, segregated to prevent critical data or systems from being compromised. Given the sensitivity of the bulk of data handled by FIs, access should generally be given on a "need to know" basis.

4.25 Access to critical data or systems by external parties (e.g. system vendors and service providers) must be properly authorized. FIs must ensure that such access by external parties is closely supervised, monitored and appropriately restricted in line with the purpose of the access given. Legal agreements for services contracted should clearly prohibit the unauthorized disclosure of confidential data by the external party and provide for adequate remedies to the FI.

4.27 Appropriate safeguards should be put in place to ensure that personal data is not misused or disclosed in a wrongful manner. Personal information (of customers, employees or any other parties that the FI may conduct business with) should be handled properly to ensure confidentiality of the information and compliance with relevant legislation.

HUAWEI CLOUD Response: Please refer to the control domain of "Access Control" under 5.1 Technology Operations Management and the control domain of "Control Measures - Information and Communication Technology (ICT) Controls" under 7.1 Control Environment of this document.


9 How HUAWEI CLOUD Meets and Assists Customers to Meet the Requirements of BNM Guidelines on Business Continuity Management

BNM released Guidelines on Business Continuity Management on January 1, 2008. This policy sets out FIs' business continuity management requirements from the perspectives of the principles and requirements of business continuity management (BCM), communication, internal audit, outsourcing and other domains.

When FIs are seeking to comply with the requirements provided in Guidelines on Business Continuity Management, HUAWEI CLOUD, as a cloud service provider, may be involved in some activities that are prescribed under such requirements. The following content summarizes the compliance requirements related to cloud service providers in Guidelines on Business Continuity Management, and explains how HUAWEI CLOUD, as a cloud service provider, can help FIs to meet these requirements.

No.: 71
Control Domain: BCM Principles and Requirements - Methodology - Alternate and Recovery Sites
Specific Control Requirements: The alternate and recovery sites could either be in-house arrangements, or available through agreement with a third-party recovery facility provider, or a combination of both options.
HUAWEI CLOUD Response: Please refer to the control domain of "Outsourcing Agreement" under 6.1 Outsourcing Process and Management of Risks of this document.


No.: 109-114
Control Domain: Outsourcing
Specific Control Requirements:
109. The FI should ensure that the outsourcing vendor is subjected to the BCM Guidelines, where appropriate.
110. The outsourcing contract should specify the requirements for ensuring the continuity of the outsourced business function in the event of a major disruption affecting the outsourcing vendor's services. Recovery time objectives (RTO) should be built into the outsourcing contract, with provisions for legal liability should the RTO not be achieved.
111. The FI should ensure that the outsourcing vendor has in place a fully documented and adequately resourced business continuity plan (BCP) and disaster recovery plan (DRP). The institution should ensure that periodic testing is conducted by the outsourcing vendor on its BCP and DRP at least annually and twice a year, respectively. The vendor should notify the FI of the test results and action to be undertaken to address any gap. The FI may also require its outsourcing vendor to declare their state of business continuity readiness to the institution, annually.
112. The FI should include a clause in the outsourcing agreement which allows the institution's internal auditor or other independent party appointed to review the BCM of the outsourcing vendor.
113. The FI should be notified in the event that the outsourcing vendor makes significant changes to its BCP and disaster recovery plan (DRP), or encounters other circumstances that might have a serious impact on its services.
114. The FI's own BCP should address reasonably foreseeable situations where the outsourcing vendor fails to provide the required services, causing disruptions to the FI's operations. In particular, the plan should ensure that the FI has in its possession, or can readily access, all records necessary for it to sustain business operations and meet obligations in the event the outsourcing vendor is unable to provide the contracted services.
HUAWEI CLOUD Response: Please refer to the control domains of "Outsourcing Agreement" and "Business Continuity Planning" under 6.1 Outsourcing Process and Management of Risks of this document.


10 How HUAWEI CLOUD Meets and Assists Customers to Meet the Requirements of SC Guidelines on Management of Cyber Risk

SC released Guidelines on Management of Cyber Risk on October 31, 2016. This policy sets out FIs' cyber risk management requirements from the perspectives of prevention, detection, recovery and other domains.

When FIs are seeking to comply with the requirements provided in Guidelines on Management of Cyber Risk, HUAWEI CLOUD, as a cloud service provider, may be involved in some activities that are prescribed under such requirements. The following content summarizes the compliance requirements related to cloud service providers in Guidelines on Management of Cyber Risk, and explains how HUAWEI CLOUD, as a cloud service provider, can help FIs to meet these requirements.


No.: 4.5-4.10
Control Domain: Cyber Risk - Prevention
Specific Control Requirements:
4.5 The FI must conduct regular assessments as part of the FI's compliance program to identify potential vulnerabilities and cyber threats in its operating environment which could undermine the security, confidentiality, availability and integrity of the information assets, systems and networks.
4.6 The assessment of the vulnerabilities of the FI's operating environment must be comprehensive, including making an assessment of potential vulnerabilities relating to the personnel, parties with whom the FI deals, systems and technologies adopted, business processes and outsourcing arrangements.
4.7 The FI must develop and implement preventive measures to minimize the FI's exposure to cyber risk.
4.8 Preventive measures referred to in Paragraph 4.7 above may include the following:
(a) Deployment of anti-virus software and malware program to detect and isolate malicious code;
(b) Layering systems and systems components;
(c) Build firewalls to reduce weak points through which an attacker can gain access to an entity's network;
(d) Rigorous testing at software development stage to limit the number of vulnerabilities;
(e) Penetration testing of existing systems and networks; and
(f) Use of an authority matrix to limit privileged internal or external access rights to systems and data.
4.9 The FI must ensure that the board, management, employees and agents undergo appropriate training on a regular basis to enhance their awareness and preparedness to deal with a wide range of cyber risks, incidents and scenarios.
4.10 The FI must evaluate improvement in the level of awareness and preparedness to deal with cyber risk to ensure the effectiveness of training programs implemented.
HUAWEI CLOUD Response:
Customers should regularly identify and assess potential vulnerabilities and network threats, and formulate preventive measures to minimize cyber risk, including deploying anti-virus software, building firewalls, conducting security tests at the software development stage, and conducting penetration testing of systems and networks. In addition, customers should conduct appropriate security awareness training for all employees on a regular basis, and regularly review the adequacy and effectiveness of the training plan. As a cloud service provider:
(1) The Huawei Product Security Incident Response Team (PSIRT) has a reasonably mature vulnerability response program. Considering HUAWEI CLOUD's self-service model, the program ensures rapid patching of vulnerabilities found in in-house-developed and third-party technologies for HUAWEI CLOUD infrastructures, platforms, applications and cloud services, and reduces the risk of impact on user business operations by continuously optimizing the security vulnerability management process and technical means. In addition, Huawei PSIRT and HUAWEI CLOUD's security O&M team have established a mature and comprehensive program and framework for vulnerability detection, identification, response, and disclosure. HUAWEI CLOUD relies on this program and framework to manage vulnerabilities and ensure that vulnerabilities in HUAWEI CLOUD infrastructure, cloud services, and O&M tools, regardless of whether they are found in Huawei's or third-party technologies, are handled and resolved within SLAs. HUAWEI CLOUD strives to reduce and ultimately prevent vulnerability exploitation related service impacts to our customers.
(2) To meet customer compliance requirements, HUAWEI CLOUD regularly conducts internal and third-party penetration testing and security assessment, with regular monitoring, checks, and removal of any security threats so as to guarantee the security of the cloud services.
(3) HUAWEI CLOUD is built upon an appropriate, multi-layered full stack security framework with comprehensive perimeter defense. For example, layers of firewalls isolate networks by security zone, anti-DDoS quickly detects and protects against DDoS attacks, WAF detects and fends off web attacks close to real time, and IDS/IPS detects and blocks network attacks from the Internet in real time while also monitoring for behavioral anomalies on the host. Given that a public cloud usually needs to process huge amounts of traffic while also being exposed to a wide variety of attacks, HUAWEI CLOUD employs its situation awareness analysis system, which correlates security alerts and logs from myriad security appliances and performs centralized analysis to ensure rapid and thorough detection of ongoing attacks and to forecast potential threats.
(4) Huawei development and testing processes follow unified system (software) security development management specifications, and access to the various environments is strictly controlled. To meet customer compliance requirements, HUAWEI CLOUD manages the end-to-end software and hardware life cycle through complete systems and processes, as well as automated platforms and tools. The life cycle includes security requirements analysis, security design, security coding and testing, security acceptance and release, and vulnerability management. HUAWEI CLOUD takes the security requirements identified in the security design stage, penetration test cases from the attacker's perspective, and industry standards, develops corresponding security testing tools, and conducts multi-round security testing before the release of cloud services so that the released cloud services can meet the security requirements. Testing is conducted in a test environment isolated from the production environment, and avoids the use of production data for testing. If production data is used for testing, it must be desensitized, and data cleaning is required after use.
(5) Customers can manage the user accounts that use cloud resources through HUAWEI CLOUD Identity and Access Management (IAM). IAM authorization can be applied by hierarchy and in detail, as administrators can plan the level of cloud resource access based on the user's responsibilities. They can also restrict malicious access from untrusted networks by setting security policies such as access control lists.
(6) HUAWEI CLOUD has formulated a comprehensive security awareness training plan, which includes various forms of security awareness training at employee recruitment, on-the-job, transfer and other such stages. This ensures that employee behavior complies with all applicable laws, policies, processes and requirements in Huawei's business code of conduct.


No.: 4.11-4.15
Control Domain: Cyber Risk - Detection
Specific Control Requirements:
4.11 In addition to implementing preventive measures, the FI must continuously monitor for any cyber incidents and breaches within its systems and network.
4.12 The FI must ensure timely detection of and response to cyber breaches within clearly defined escalation and decision-making processes to ensure that any adverse effect of a cyber-incident is properly managed and recovery action is initiated quickly.
4.13 To ensure sufficient preparedness in responding to cyber incidents detected, the FI must:
(a) identify scenarios of cyber risk that the FI is most likely to be exposed to;
(b) consider incidents in the capital market and the broader financial services industry;
(c) assess the likely impact of these incidents to the FIs; and
(d) identify appropriate response plan and communication strategies that should be undertaken.
4.14 The FIs must regularly test, review and update the identified cyber risk scenarios and response plan. This is to ensure that the scenarios and response plan remain relevant and effective, taking into account changes in the operating environment, systems or the emergence of new cyber threats.
4.15 The FIs must ensure that cyber breaches detected are escalated to an incident response team, management and the board, in accordance with the entity's business continuity plan and crisis management plan, and that an appropriate response is implemented promptly.
HUAWEI CLOUD Response:
Customers should continuously monitor for cyber incidents and breaches within their systems and network, establish security incident escalation and decision-making processes, and undertake appropriate response plans and communication strategies. In addition, customers should regularly conduct practical cyber security exercises to test the effectiveness of their response plans. Customers shall escalate to relevant personnel and implement appropriate responses when cyber breaches are detected. As a cloud service provider:
(1) HUAWEI CLOUD has developed a complete mechanism for internal security incident management and continues to optimize it. The roles and responsibilities are clearly defined for each activity during the incident response process. The HUAWEI CLOUD log system, based on big data analytics, can quickly collect, process, and analyze mass logs in real time and can connect to third-party Security Information and Event Management (SIEM) systems such as those provided by ArcSight and Splunk. HUAWEI CLOUD collects management behavior logs of all physical devices, networks, platforms, applications, databases and security systems, and the threat detection and warning logs of security products and components, through a centralized big data log analysis system. In addition, given the professionalism and urgency required to handle security incidents, HUAWEI CLOUD has a professional security incident response team available 24/7 and a corresponding pool of security expert resources for response. HUAWEI CLOUD also uses a big data security analysis system to perform unified analysis of alert logs from a variety of security devices.
(2) HUAWEI CLOUD formulates the classification and escalation principles of information security incidents, ranking them according to their degree of impact on the customer's business, and initiates a process to notify customers of the incident. When serious events occur on the underlying infrastructure platform and have or may have a serious impact on multiple customers, HUAWEI CLOUD can promptly notify customers of events with an announcement. The contents of the notification include but are not limited to a description of the event, the cause, impact, measures taken by HUAWEI CLOUD and the measures recommended for customers. After the incident is resolved, the incident report will be provided to the customer according to the specific situation.
(3) HUAWEI CLOUD has formulated various specific contingency plans to deal with complex security risks in the cloud environment. Each year, HUAWEI CLOUD conducts contingency plan drills for major security risk scenarios to quickly reduce potential security risks and ensure cyber resilience when such security incidents occur. HUAWEI CLOUD audits and updates all system documents every year according to the requirements of the internal business continuity management system and information security system. HUAWEI CLOUD maintains a list of contacts that should be contacted in case of an emergency and updates it promptly when notified of personnel changes.


No.: 4.17-4.19
Control Domain: Cyber Risk - Recovery
Specific Control Requirements:
4.17 The FIs must ensure that all critical systems are able to recover from a cyber breach within the FI's defined recovery time objective in order to provide important services or some level of minimum services for a temporary period of time.
4.18 The FIs must identify the critical systems and services within its operating environment that should be recovered on a priority basis in order to provide a certain minimum level of services during the downtime, and determine how much time the FIs will require to return to full service and operations.
4.19 The FIs must ensure its business continuity plan is comprehensive and includes a recovery plan for its systems, operations and services arising from a cyber breach.
HUAWEI CLOUD Response:
Customers should determine the recovery time objective of critical systems, and formulate a comprehensive recovery plan to ensure the timely recovery of services. As a cloud service provider:
(1) To provide continuous and stable cloud services to customers, HUAWEI CLOUD has obtained ISO 22301 certification and formulates business continuity management systems for the cloud to suit the customer's business needs. Under the requirements of this framework, HUAWEI CLOUD carries out regular business impact analysis, identifies key business, and determines the recovery target and minimum recovery level of key business. In the process of identifying key business, the impact of business interruption on cloud service customers is regarded as an important criterion to judge key business.
(2) In order to meet customer compliance requirements, HUAWEI CLOUD has formulated a sound recovery strategy for key businesses supporting the continuous operation of cloud services according to the requirements of its internal business continuity management system. The recovery strategy covers all aspects of spare sites, equipment, personnel, information systems, and third parties.


11 How HUAWEI CLOUD Meets and Assists Customers to Meet the Requirements of SC Guiding Principles on Business Continuity

SC released Guiding Principles on Business Continuity on May 14, 2019. This policy sets out FIs' business continuity management requirements from the perspectives of major operational disruptions, recovery objectives and strategies, testing and training, maintenance and review, communications and other domains.

When FIs are seeking to comply with the requirements provided in Guiding Principles on Business Continuity, HUAWEI CLOUD, as a cloud service provider, may be involved in some activities that are prescribed under such requirements. The following content summarizes the compliance requirements related to cloud service providers in Guiding Principles on Business Continuity, and explains how HUAWEI CLOUD, as a cloud service provider, can help FIs to meet these requirements.


No.: Business Continuity Guide Principle 2
Control Domain: Major Operational Disruptions
Specific Control Requirements: Major operational disruptions and risks arising from interdependency and concentration of critical business functions as well as outsourcing arrangements should be identified. Any adverse impacts and implications of risks from such disruptions are thoroughly assessed and analyzed.
HUAWEI CLOUD Response:
Customers should establish a business impact analysis and risk assessment mechanism. As a cloud service provider:
(1) To provide continuous and stable cloud services to customers, HUAWEI CLOUD has established a set of complete business continuity management systems in accordance with the ISO 22301 Business Continuity Management international standard. Under the requirements of this framework, HUAWEI CLOUD carries out regular business impact analysis, identifies key business, and determines the recovery target and minimum recovery level of key business. In the process of identifying key business, the impact of business interruption on cloud service customers is regarded as an important criterion to judge key business.
(2) HUAWEI CLOUD regularly conducts risk assessment according to the requirements of the internal business continuity management system, identifies and analyses the potential risks faced by key resources supporting the continuous operation of cloud services, further considers emergency scenarios and risks, and formulates crisis management procedures to deal with and minimize the impact of various emergencies. Crisis management procedures include early warning and reporting of emergencies, emergency escalation, the conditions for starting emergency plans, notification of event progress, and internal and external communication processes.


No.: Business Continuity Guide Principle 3
Control Domain: Recovery Objectives and Strategies
Specific Control Requirements: Recovery objectives and strategies are developed according to risk-based principles where prioritization of recovery is based on the degree or level of risk the entity's business units pose to the entire business operation.
HUAWEI CLOUD Response: Customers should consider developing recovery strategies based on the results of business impact analysis and risk assessment. As a cloud service provider, HUAWEI CLOUD has formulated a sound recovery strategy for key businesses supporting the continuous operation of cloud services according to the requirements of its internal business continuity management system. The restoration strategy takes site, equipment, personnel, information systems, third party and other aspects into consideration.


No.: Business Continuity Guide Principle 4
Control Domain: Communications
Specific Control Requirements: Comprehensive escalation procedures and communication plans during major operational disruptions for internal and external stakeholders are established and embedded in the business continuity framework. Such procedures should enable timely, transparent and coordinated dissemination of information that is adequate to address any reputational risks arising from major operational disruptions.
HUAWEI CLOUD Response:
Customers should establish communication mechanisms with internal and external stakeholders. As a cloud service provider:
(1) HUAWEI CLOUD will actively cooperate regarding communication initiated by the recognized authorities. The HUAWEI CLOUD professional service engineer team provides 24/7 service support; customers can contact the HUAWEI CLOUD support team through work orders, intelligent customer service, self-service, and hotline.
(2) HUAWEI CLOUD has also formulated crisis communication strategies according to the requirements of the internal business continuity management system, and defined the people to contact in the case of emergencies, the dialogue, and the method for communication.
(3) To meet the requirements for notification, HUAWEI CLOUD has developed a complete process for event management and notification. If an event occurs on the HUAWEI CLOUD Base Platform, relevant personnel will analyze the impact of the event according to the process. If the event has or will have an impact on the cloud service customers, HUAWEI CLOUD will start to notify customers of the event. The contents of the notice include but are not limited to a description of the event, the cause, impact, measures taken by HUAWEI CLOUD, and measures recommended for customers. The internal customer notification process ensures that HUAWEI CLOUD can promptly notify customers of events with an announcement when serious events occur on the underlying infrastructure platform and have or may have a serious impact on multiple customers.


No.: Business Continuity Guide Principle 5
Control Domain: Testing and Training
Specific Control Requirements: Testing and training are done at least annually by the FIs to ensure ongoing reliability and relevancy, incorporating evolving market practices, changes in key personnel and technology utilized in day-to-day business operations as well as regulatory policy updates.
HUAWEI CLOUD Response: Customers should establish a mechanism for testing and training on the business continuity plan. As a cloud service provider, HUAWEI CLOUD will actively cooperate regarding customer-initiated test requirements and help customers test the effectiveness of their business continuity plans. HUAWEI CLOUD tests the business continuity plans and disaster recovery plans annually according to the requirements of the internal business continuity management system. All emergency response personnel, including reserve personnel, need to participate. The tests include desktop exercises, functional exercises and full-scale exercises, in which high-risk scenarios are emphasized. During the testing process, HUAWEI CLOUD will select test scenarios, develop complete test plans and procedures, and record test results. After the completion of the test, relevant personnel write the test report and summarize any problems found during the test. If the test results show problems with the business continuity plan, recovery strategy or emergency plan, the documents will be updated.


No.: Business Continuity Guide Principle 6

Control Domain: Maintenance and Review

Specific Control Requirements: The approach or framework for business continuity are regularly maintained and reviewed by FIs. Any material updates or changes are acknowledged, approved and endorsed by the Board and senior management. Employees are encouraged to be made aware of such updates or changes.

HUAWEI CLOUD Response: Customers should consider regular maintenance and review of their business continuity plan. As a cloud service provider, HUAWEI CLOUD regularly reviews and updates all system documents every year according to the requirements of the internal business continuity management system. HUAWEI CLOUD maintains a list of contacts that should be contacted in case of an emergency and updates it promptly when notified of personnel changes. Multiple copies of documents such as the business continuity plan, emergency response plan and disaster recovery operation manual are stored both electronically and in paper form and are distributed to relevant management and other key personnel.


12 Conclusion

This Whitepaper describes how HUAWEI CLOUD provides cloud services that meet regulatory requirements of the financial industry in Malaysia and shows that HUAWEI CLOUD complies with key regulatory requirements issued by Bank Negara Malaysia (BNM) and Securities Commission Malaysia (SC). This aims to help customers learn more about HUAWEI CLOUD's compliance status with Malaysia's regulatory requirements related to the financial industry and to assure customers that they can store and process customers' content data securely. To some extent, this Whitepaper also guides customers on how to design, build and deploy a secure cloud environment on HUAWEI CLOUD that meets the regulatory requirements of Bank Negara Malaysia (BNM) and Securities Commission Malaysia (SC), and assists customers in better identifying their security responsibilities together with HUAWEI CLOUD.

This Whitepaper is for reference only and does not have any legal effect or constitute any legal advice. Customers should assess their own use of cloud services as appropriate and be responsible for ensuring compliance with relevant regulatory requirements from Bank Negara Malaysia (BNM) and Securities Commission Malaysia (SC) when using HUAWEI CLOUD.


13 Version History

Date Version Description

2020-09-30 1.0 First release
