The Association of Banks in Singapore (ABS) has developed this implementation guide for Financial
Institutions (FIs) to use when entering into Cloud outsourcing arrangements.
The recommendations that lie within have been discussed and agreed by members of the ABS
Standing Committee for Cyber Security (SCCS) with the intent to assist FIs in understanding
approaches to due diligence, vendor management and key controls that should be implemented in
Cloud outsourcing arrangements.
Additionally it can be used by Cloud Service Providers (CSPs) to better understand what is required to
achieve successful Cloud outsourcing arrangements with FIs.
The guiding principle that information security controls in the Cloud must be at least as strong as what
the FIs would have implemented had the operations been performed in-house should apply. In
addition, the security controls should also address the unique risks that are associated with
outsourcing to the Cloud.
These guidelines are set out in the three following sections:
Section 2 addresses Information Asset Classifications and how these should influence
decision making in Cloud outsourcing agreements.
Section 3 addresses a minimum set of activities recommended as part of due diligence before
entering into a Cloud outsourcing agreement.
Section 4 addresses key controls recommended when entering into a Cloud outsourcing