BSP 808

Legal and Regulatory Compliance: Particular Laws + Granting BSP access to the cloud
Outsourcing Activities: Compliance with our Outsourcing Policy
Due Diligence on our end: Procurement, background checking, etc.
Performance Management: proper SLA, incident response, etc.
Clauses on Data Security / Privacy
Data Location
Business Continuity Planning of the Vendor

982 899 899 899 899 899 899 899

Implement multiple layers of control to prevent, detect, correct, monitor and analyze system and network anomalies arising from DDoS attacks. These may include deployment of on-premise and/or cloud-based solutions, close coordination with internet service providers (ISPs) and hosting companies, as well as having a robust and reliable back-up system.

Sound risk management and risk mitigation controls policy for cloud computing. Key elements shall include:
a. Vendor Management
b. Information Security
c. Audits
d. Legal & Regulatory Compliance
e. Business Continuity Planning

Adjustment of the FI’s audit policies and practices to provide acceptable IT audit coverage of outsourced cloud computing.

Mandatory notification by the service provider of all system changes that will affect the FI.

Transparent incident response process (including role of the CSP) and mechanism to share information with the FI during and after the incident (IT Outsourcing/Vendor Management)

CSP acquires no rights or licenses, through the agreements, to use the FI’s data for its own purposes

CSP does not acquire and may not claim any interest in the data due to security

Continuous monitoring of the security infrastructure of the FI to have a sufficient level of assurance that the CSP is maintaining effective controls.
Management processes for incident notification procedures; effective monitoring of security-related threats, incidents and events on both the FI’s and the CSP’s networks; comprehensive incident response methodologies; and maintenance of appropriate forensic strategies for investigation and evidence collection

This item's classification is Internal. It was created by and is the property of the Home Credit Group. Do not distribute outside of the organization.