Oracle is committed to helping customers operate globally in a fast-changing business environment and address the challenges of an ever more complex regulatory environment.
Shared Management Model
Cloud computing is fundamentally different from traditional on-premises computing. In the traditional model, organizations are typically in full control of their technology infrastructure located on-premises (e.g., physical control of the hardware, and full control over the technology stack in production). In the cloud, organizations leverage resources and practices that are under the control of the cloud service provider, while still retaining some control and responsibility over other components of their IT solution. As a result, managing security and privacy in the cloud is a shared responsibility between the cloud customer and the cloud service provider. The distribution of responsibilities between the cloud service provider and customer also varies based on the nature of the cloud service (IaaS, PaaS, SaaS).
Before deploying Oracle cloud services, Oracle strongly recommends that cloud customers formally analyze their cloud strategy to determine the suitability of using the applicable Oracle cloud services in light of their own legal and regulatory compliance obligations. Making this determination remains solely the responsibility of customers.
Attestations
Oracle provides information about frameworks for which an Oracle line of business has achieved a third-party attestation or certification for one or more of its services in the form of “attestations.” These attestations can assist in your compliance and reporting, providing independent assessment of the security, privacy and compliance controls of the applicable Oracle cloud services. In reviewing these third-party attestations, it is important that you consider they are generally specific to a certain cloud service and may also be specific to a certain data center or geographic region. Clicking on a compliance framework retrieves the relevant detail. Please note that this information is subject to change and may be updated frequently, is provided “as-is” and without warranty and is not incorporated into contracts.
Customers can obtain more information about available attestations by contacting their Oracle sales representative.
Global
Americas
Europe, Middle East, and Africa
Asia Pacific
Advisories
Oracle provides general information and technical recommendations for the use of its cloud services in the form of “advisories.” These advisories are provided to help you in your determination of the suitability of using specific Oracle cloud services as well as to assist you in implementing specific technical controls that may help you meet your compliance obligations. Please note that these advisories are not legal advice and you remain solely responsible for determining if a specific Oracle cloud service and/or configuration meets your legal and regulatory obligations.
Global
GxP
GxP Good Practice Guidelines
The Good Practice (GxP) guidelines and regulations comprise a set of global guidelines for traceability, accountability and data integrity. They are intended to ensure that food, medical devices, drugs and other life science products are safe, while maintaining the quality of processes throughout every stage of manufacturing, control, storage, and distribution. Some of the primary regulators include the Food & Drug Administration (FDA) in the US, the Therapeutic Goods Administration (TGA) in Australia, and Health Canada | Santé Canada (HC-SC) in Canada. GxP includes varied regulation sets, but the most common are GCP, GLP, and GMP. For more information, see //www.fda.gov/drugs/guidance-compliance-regulatory-information.
- U.S. Food & Drug Administration Electronic Records; Electronic Signatures Rule:21 CFR 11 and General GxP Applicability for Oracle Fusion Cloud Supply Chain and Manufacturing (PDF)
Americas
BACEN
Central Bank of Brazil (BACEN) Resolution 4893 Digital Service Requirements
The Central Bank of Brazil (BACEN) issued Resolution No. 4,893 of February 26, 2021, which describes several digital service requirements for regulated financial institutions, including cybersecurity policy and the contracting of data processing, storage, and cloud computing services. This Resolution is intended to guide financial institutions in evaluating cloud service providers and establishing controls to manage this relationship. For more information, see //www.bcb.gov.br/estabilidadefinanceira/exibenormativo?tipo=Resolu%C3%A7%C3%A3o%20CMN&numero=4893
- Oracle Cloud Infrastructure and Central Bank of Brazil (BACEN) CMN Resolution No. 4,893 of February 26, 2021 (PDF)
- Oracle Contract Checklist for the Central Bank of Brazil (BACEN) Resolution CMN 4,893 of February 26, 2021 (PDF)
CCPA
California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) was passed by the California State Legislature and signed into law on June 28, 2018, and amended on September 23, 2018. The CCPA provides for the following:
- The right of Californians to know what personal information is being collected about them.
- The right of Californians to know whether their personal information is sold or disclosed and to whom.
- The right of Californians to say no to the sale of personal information.
- The right of Californians to access their personal information.
- The right of Californians to equal service and price, even if they exercise their privacy rights.
For more information, see //leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
- Oracle Cloud Infrastructure Privacy Features (PDF)
CJIS
Criminal Justice Information Services Security Policy
The US Federal Bureau of Investigation (FBI) Criminal Justice Information Services Division (CJIS) sets standards for information security, guidelines, and agreements for protecting Criminal Justice Information (CJI). The CJIS Security Policy describes the controls to protect sources, transmission, storage and access to data. For more information, see //www.fbi.gov/services/cjis/cjis-security-policy-resource-center
- Oracle Cloud Infrastructure and Criminal Justice Information Services (CJIS) (PDF)
DFARS 252.239-7010 and 252.204-7012
Defense Federal Acquisition Regulation Supplement (DFARS) Clauses 252.239-7010 and 252.204-7012
The Defense Federal Acquisition Regulation Supplement (DFARS) encompasses the Department of Defense (DoD) requirements that contractors and suppliers must follow when performing a covered contract. Clause 252.239-7010 (Cloud Computing Services) applies when cloud computing services are provided in the performance of a covered contract, and clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) requires contractors to safeguard covered defense information and report cyber incidents. For more information, see //www.acquisition.gov/dfars/part-252-solicitation-provisions-and-contract-clauses#DFARS-252.239-7010
FFIEC Cybersecurity Assessment Tool
Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment
The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that is responsible for the federal examination of financial institutions in the United States. The FFIEC has developed a Cybersecurity Assessment Tool (Assessment) to help financial institutions identify their risks and determine their cybersecurity maturity. The Assessment provides guidance for financial institutions on developing an Inherent Risk Profile and identifying their level of Cybersecurity Maturity. For more information, see //www.ffiec.gov/cyberassessmenttool.htm
ICD 503
Intelligence Community (IC) Information Technology Systems Security Risk Management Directive 503
The U.S. Director of National Intelligence published Intelligence Community Directive (ICD) 503, Intelligence Community (IC) Information Technology Systems Security Risk Management, Certification, and Accreditation, in September 2008. ICD 503 sets IC policy for processes related to security risk management, certification, and accreditation. For more information, see //www.dni.gov/index.php/what-we-do/ic-related-menus/ic-related-links/intelligence-community-directives
IRS 1075
Internal Revenue Service Publication 1075
The US Internal Revenue Service Publication 1075 (IRS 1075) applies to organizations that process or maintain US Federal Tax Information. The intent is “to address any public request for sensitive information and prevent disclosure of data that would put Federal Tax Information (FTI) at risk.” For more information, see //www.irs.gov/
- Oracle Cloud Infrastructure and Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (PDF)
ITAR
International Traffic in Arms Regulations
The International Traffic in Arms Regulations (ITAR) is a US export control regulation. It is intended to restrict and control the export of defense and military related technologies to safeguard US national security and further US foreign policy objectives. For more information, see //www.federalregister.gov/documents/2020/01/23/2020-00574/international-traffic-in-arms-regulations-us-munitions-list-categories-i-ii-and-iii
LGPD
Lei Geral de Proteção de Dados (LGPD) Federal Law 13,709/18
Brazil’s Lei Geral de Proteção de Dados (LGPD), Federal Law 13,709/18, was passed in August 2018 with the intent to promote and protect privacy and to regulate how Brazilian companies handle personal information. The legislation covers all companies that offer services or have operations involving data handling in Brazil. For more information, see //www.lgpdbrasil.com.br/o-que-muda-com-a-lei/
- Oracle Cloud Infrastructure Privacy Features (PDF)
LGPDPPSO
General Law for the Protection of Personal Data in the possession of Obliged Subjects
Mexico’s General Law for the Protection of Personal Data in Possession of Obliged Subjects (LGPDPPSO) applies to data processing by ‘Obliged Subjects’, i.e., governmental entities at the Mexican federal, state and municipal levels, including authorities, agencies or bodies of the Executive, Legislative or Judicial branches, as well as autonomous bodies, political parties, trusts and public funds. The stated purpose of the LGPDPPSO is to establish principles for guaranteeing the right to the protection of personal data, including the rights of access, rectification, deletion and opposition to the data processing. For more information, see //www.diputados.gob.mx/LeyesBiblio/pdf/LGPDPPSO.pdf
- Oracle Cloud Infrastructure Privacy Features (PDF)
MARS-E
Minimum Acceptable Risk Standards for Exchanges
The U.S. Department of Health and Human Services established the Minimum Acceptable Risk Standards for Exchanges (MARS-E) under the Affordable Care Act (ACA) of 2010. It is intended to ensure secure handling of Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI) of US citizens. For more information, see //www.hhs.gov/guidance/document/minimum-acceptable-risk-standards-exchanges-mars-e-20
NERC CIP
North American Electric Reliability Corporation Critical Infrastructure Protection
The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose aim is to ensure effective and efficient reduction of risks to the reliability and security of the bulk power grid. NERC develops and enforces reliability standards and is subject to oversight by the US Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. NERC Critical Infrastructure Protection (CIP) cybersecurity standards mandate a range of security programs for the power industry within the United States and Canada. For more information, see //www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
NIST SP 800-171
NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
The National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” provides security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). Federal agencies use the requirements in contractual vehicles or other agreements established between those agencies and nonfederal organizations. The requirements apply to all nonfederal information systems and organizations that process, store, or transmit CUI. For more information, see //csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
PIPEDA
Personal Information Protection and Electronic Documents Act
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law. It “governs how private sector organizations collect, use and disclose personal information in the course of commercial business.” For more information, see //www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
- Oracle Cloud Infrastructure Privacy Features (PDF)
Protected B
Canadian Security Requirements for Protected B information
Federal government contracts in Canada contain clauses with security requirements that specify levels of security for sensitive information, assets and work sites. The Canadian government has established levels for protection of information and assets, and Protected B applies to information or assets whose loss or damage could cause serious injury to an individual, organization or government. For more information, see //www.tpsgc-pwgsc.gc.ca/esc-src/protection-safeguarding/niveaux-levels-eng.html
SEC Rule 17a-4(f), FINRA Rule 4511(c), CFTC Rule 1.31(c)-(d) Electronic Records Retention Requirements
Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and Commodity Futures Trading Commission (CFTC) Electronic Records Retention Requirements
Financial institutions trading in regulated securities in the US may be subject to special regulatory requirements for electronic records retention issued by the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the Commodity Futures Trading Commission (CFTC). These requirements may include SEC Rule 17a-4(f), FINRA Rule 4511(c), and CFTC Regulation 1.31(c)-(d). For more information, see the following resources:
SEC 17a-4(f) - //www.sec.gov/rules/interp/34-47806.htm
FINRA Rule 4511(c) - //www.finra.org/rules-guidance/rulebooks/finra-rules/4511
CFTC Rule 1.31(c)-(d) - //www.cftc.gov/sites/default/files/opa/press99/opa4266-99-attch.htm
Europe, Middle East, and Africa
CITC CCRF
Communications and Information Technology Commission Cloud Computing Regulatory Framework (CCRF)
The Communications and Information Technology Commission (CITC) in Saudi Arabia published a Cloud Computing Regulatory Framework (CCRF), based on international best practices and analysis, that outlines the rights and obligations of cloud service providers and cloud customers in Saudi Arabia. Cloud service providers must register with CITC to demonstrate alignment with this framework. For more information, see //www.citc.gov.sa
Directive 3 of 2018 (D3/2018)
Prudential Authority Cloud Computing and Offshoring of Data Directive 3 of 2018
The Prudential Authority regulates commercial banks, mutual banks, co-operative banks, insurers, co-operative financial institutions, financial companies, and market infrastructures under the supervision of the South African Reserve Bank. The Prudential Authority issued a directive pertaining to cloud computing and offshoring of data in the financial services sector, referred to as Directive 3 of 2018 (D3/2018). For more information, see //www.resbank.co.za/en/home/publications/publication-detail-pages/prudential-authority/pa-deposit-takers/banks-directives/2018/8749.
- Oracle Contract Checklist for Select South African Financial Services Directives and Guidance (PDF)
Directive 159.A.i
Financial Services Board Outsourcing of Insurance Business Directive 159.A.i
The Financial Services Board of South Africa, now part of the Financial Sector Conduct Authority, implemented Directive 159.A.i, which specifies the rules applicable to outsourcing by insurers in South Africa. For more information, see //www.fsca.co.za/Enforcement-Matters/Directives/Forms/DispForm.aspx?ID=436.
- Oracle Contract Checklist for Select South African Financial Services Directives and Guidance (PDF)
DSPT
UK NHS Data Security and Protection Toolkit
The Data Security and Protection Toolkit (DSPT) is a self-assessment tool that measures performance against the United Kingdom’s National Health Service (NHS) 10 data security standards. Any organization that has access to NHS patient data and systems must use this toolkit to provide assurance that it practices good data security and that personal information is handled correctly. For more information, see //www.dsptoolkit.nhs.uk/
EBA
European Banking Authority Guidelines on Outsourcing Arrangements
The European Banking Authority (EBA), an EU financial supervisory authority, produces the EBA Guidelines on outsourcing arrangements to provide financial institutions with guidance for outsourcing arrangements such as cloud services. For more information, see //www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-outsourcing-arrangements
- Contract Checklist for EBA-EIOPA-ESMA Guidelines (PDF)
- Oracle Cloud Services and the European Outsourcing Guidelines (EBA, EIOPA, ESMA) (PDF)
ENISA Cloud Computing IAF
European Union Agency for Cybersecurity Information Assurance Framework
The European Union Agency for Cybersecurity (ENISA) is a European agency that contributes to European cybersecurity policy and supports member states and other stakeholders of the Union when large-scale cyber incidents occur. ENISA has created a set of assurance criteria called the Information Assurance Framework (IAF) that is designed to help consumers of cloud services to:
- Assess the risk of adopting cloud services
- Compare different cloud providers offerings
- Obtain assurances from the selected cloud providers
- Reduce the assurance burden on cloud providers
For more information, see //www.enisa.europa.eu/publications/cloud-computing-information-assurance-framework
ESMA MiFID II & MiFIR 600/2014
ESMA Markets in Financial Instruments Directive MiFID II & MiFIR 600/2014
The European Securities and Markets Authority (ESMA) and the European Union have issued the Markets in Financial Instruments Directive II (MiFID II) and the associated Markets in Financial Instruments Regulation (MiFIR), Regulation (EU) No 600/2014, to promote fairer, safer and more efficient markets and facilitate greater transparency for all participants. For more information, see //www.esma.europa.eu/policy-rules/mifid-ii-and-mifir
- Oracle Contract Checklist for Select UK Financial Services Regulations (PDF)
FINMA
Financial Market Supervisory Authority Circular 2018/3
The Swiss Financial Market Supervisory Authority (FINMA) is responsible for the supervision and regulation of Swiss banks, insurance companies, and securities dealers. FINMA’s Circular 2018/3 Outsourcing—banks and insurers sets a number of requirements for financial services organizations when they outsource any significant business activity.
The Swiss Banking Association (SBA) has developed further guidance for the secure use of cloud services by banks and securities dealers. For more information, see //www.finma.ch/
- Contract Checklist_FINMA_Guidelines (PDF)
- Oracle Cloud Service and the Swiss Financial Market Supervisory Authority (FINMA) (PDF)
FCA Handbook
Financial Conduct Authority’s Handbook of Rules and Guidance
The Financial Conduct Authority (FCA) is responsible for the authorization and conduct supervision of financial institutions in the UK. The FCA Handbook sets out the FCA’s legislative and other provisions made under powers given to it by the Financial Services and Markets Act 2000. The Senior Management Arrangements, Systems and Controls (SYSC) and Supervision (SUP) parts of the FCA Handbook contain rules and guidance relevant to outsourcing arrangements. For more information, see //www.handbook.fca.org.uk/
- Oracle Contract Checklist for Select UK Financial Services Regulations (PDF)
G-Cloud
UK Government G-Cloud Framework
The UK Government G-Cloud is a procurement initiative for streamlining cloud-computing procurement by public-sector bodies in departments of the UK government. The G-Cloud Framework enables public entities to purchase cloud services on government-approved contracts via an online Digital Marketplace. For more information, see //www.gov.uk/digital-marketplace
GDPR
General Data Protection Regulation
The General Data Protection Regulation 2016/679 (GDPR) is a regulation in European Union (EU) law on data protection and privacy. It applies to entities processing the personal data of individuals in the EU, regardless of where the entity is established or where the data is stored. For more information, see //ec.europa.eu/info/law/law-topic/data-protection_en
- Oracle Cloud Infrastructure Privacy Features (PDF)
- Oracle Cloud Infrastructure and the General Data Protection Regulation (GDPR) (PDF)
Guidance Note 5 of 2014 (G5/2014)
Office of the Registrar of Banks Outsourcing Functions within a Bank and Cyber Resilience Guidance Note 5 of 2014
The Office of the Registrar of Banks in South Africa issued guidance to banks in relation to the outsourcing of functions within a bank and cyber resilience in Guidance Note 5 of 2014 (G5/2014). For more information, see //www.resbank.co.za/en/home/publications/publication-detail-pages/prudential-authority/pa-deposit-takers/banks-guidance-notes/2014/6320.
- Oracle Contract Checklist for Select South African Financial Services Directives and Guidance (PDF)
Guidance Note 4 of 2017 (G4/2017)
Office of the Registrar of Banks Outsourcing Functions within a Bank and Cyber Resilience Guidance Note 4 of 2017
The Office of the Registrar of Banks in South Africa issued guidance to banks in relation to the outsourcing of functions within a bank and cyber resilience in Guidance Note 4 of 2017 (G4/2017). For more information, see //www.resbank.co.za/en/home/publications/publication-detail-pages/prudential-authority/pa-deposit-takers/banks-guidance-notes/2014/6115.
- Oracle Contract Checklist for Select South African Financial Services Directives and Guidance (PDF)
Guidance Note 5 of 2018 (G5/2018)
Prudential Authority Cloud Computing and Offshoring of Data Guidance Note 5 of 2018
The Prudential Authority regulates commercial banks, mutual banks, co-operative banks, insurers, co-operative financial institutions, financial companies, and market infrastructures under the supervision of the South African Reserve Bank. The Prudential Authority issued guidance pertaining to cloud computing and offshoring of data in the financial services sector, referred to as Guidance Note 5 of 2018 (G5/2018). For more information, see //www.resbank.co.za/en/home/publications/publication-detail-pages/prudential-authority/pa-deposit-takers/banks-guidance-notes/2018/8747.
- Oracle Contract Checklist for Select South African Financial Services Directives and Guidance (PDF)
IT Grundschutz
IT Grundschutz: Security Information System assessment against BSI standards
The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) created a framework for information security (IT-Grundschutz).
IT-Grundschutz comprises:
- BSI Standard 200-1: provides the general requirements for an ISMS
- BSI Standard 200-2: explains how an ISMS can be built based on one of three different approaches
- BSI Standard 200-3: contains all risk-related tasks (risk analysis based on IT-Grundschutz)
- BSI Standard 100-4: covers Business Continuity Management (BCM)
For more information, see //www.bsi.bund.de
ITHC
National Cyber Security Centre IT Health Check (ITHC)
The IT Health Check (ITHC) is an IT security assessment required, as part of an accreditation process, for many government computer systems in the UK. For more information, see //www.gov.uk/government/publications/it-health-check-ithc-supporting-guidance
MiFID Org Regulation
Commission Delegated Regulation (EU) 2017/565
The Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 (MiFID Org Regulation) sets out organisational requirements and operating conditions for investment firms. It contains requirements relating to the outsourcing of critical or important operational functions. The UK version of the MiFID Org Regulation became part of UK law by virtue of the European Union (Withdrawal) Act 2018 and related legislation. For more information, see //www.legislation.gov.uk/uksi/2018/1403
- Oracle Contract Checklist for Select UK Financial Services Regulations (PDF)
NCA ECC
National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC)
The National Cybersecurity Authority (NCA) developed the Essential Cybersecurity Controls (ECC) to define the minimum set of cybersecurity requirements for national organizations in Saudi Arabia. The intent is to establish controls that set the minimum requirements for protecting information and technology assets in those organizations. For more information, see //www.my.gov.sa/
POPIA
Protection of Personal Information Act (POPIA)
The Protection of Personal Information Act (POPIA) is a South African law intended to "promote the protection of personal information processed by public and private bodies." POPIA sets general conditions for public and private entities to lawfully process South African data subjects’ personal information. For more information, see //www.justice.gov.za/legislation/acts/2013-004.pdf
- Oracle Cloud Infrastructure and the South African Protection of Personal Information Act 2013 (PDF)
PRA SS2/21
Prudential Regulation Authority’s Supervisory Statement 2/21 on Outsourcing and Third-Party Risk Management
The Prudential Regulation Authority (PRA) is responsible for prudential supervision of banks, insurance companies, building societies, credit unions and major investment firms in the UK. The PRA’s remit includes supervising firms’ outsourcing and other third-party arrangements. The PRA’s Supervisory Statement 2/21 on outsourcing and third-party risk management, published on 29 March 2021 (SS2/21), sets out the PRA’s expectations of how PRA-regulated firms should comply with regulatory requirements relating to outsourcing and third-party risk management. For more information, see //www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss
- Oracle Contract Checklist for Select UK Financial Services Regulations (PDF)
SAMA CSF
Saudi Arabian Monetary Authority Cyber Security Framework
The Cyber Security Framework was developed by the Saudi Arabian Monetary Authority (SAMA) to enable financial institutions to identify and address risks related to cyber security. For more information, see //www.sama.gov.sa/en-US/RulesInstructions/CyberSecurity/Cyber%20Security%20Framework.pdf
SAMA Outsourcing Rules
Saudi Arabian Monetary Authority Rules on Outsourcing
The Saudi Arabian Monetary Authority (SAMA) is the central bank of the Kingdom of Saudi Arabia and the supervisory authority for banks, payment providers, insurance companies, finance companies and credit bureaus operating within the Kingdom. The SAMA Rules on Outsourcing apply to banks licensed under the Banking Control Law (Royal Decree No. M/5 dated 22/2/1386 H), and require these banks to appropriately manage risks arising from outsourcing, including ensuring their outsourcing arrangements are subject to appropriate due diligence, approval and ongoing monitoring. For more information, see //www.sama.gov.sa/en-US/RulesInstructions/BankingRules/Rules-on-Outsourcing.pdf.
- Oracle Contract Checklist for Saudi Arabian Monetary Authority Rules on Outsourcing (PDF)
Solvency II Delegated Regulation
Commission Delegated Regulation (EU) 2015/35
The Commission Delegated Regulation (EU) 2015/35 of 10 October 2014 (Solvency II Delegated Regulation) forms part of the framework for a solvency and supervisory regime for insurers and reinsurers. It sets out organizational requirements and procedures for various matters, including outsourcing arrangements. The UK version of the Solvency II Delegated Regulation became part of UK law by virtue of the European Union (Withdrawal) Act 2018 and related legislation. For more information, see //www.legislation.gov.uk/uksi/2019/407/contents/made
- Oracle Contract Checklist for Select UK Financial Services Regulations (PDF)
UAE Federal Law No. 2 of 2019
United Arab Emirates (UAE) Federal Law No. 2 of 2019
The United Arab Emirates issued Federal Law No. 2 of 2019 on 6 February 2019, Concerning the Use of Information and Communication Technology ("ICT") in Health Fields (“Health Data Law”). The Health Data Law applies to all ICT methods and usages in the health fields in the UAE, including free zones. The Law aims at the following: (1) ensuring the optimal use of ICT in health fields; (2) ensuring compatibility of the principles, standards, and practices applicable in the State with their internationally recognized counterparts; (3) enabling the Ministry of Health and Prevention to collect, analyze and keep health information at the UAE level; and (4) ensuring the safety and security of health data and information. For more information, see //mohap.gov.ae/app_content/legislations/php-law-en-77/mobile/index.html.
- Oracle Cloud Infrastructure and United Arab Emirates Health Data Law (PDF)
UK NCSC Cloud Security Principles
UK National Cyber Security Centre (NCSC) Cloud Security Principles
The UK National Cyber Security Centre (NCSC) is chartered to improve the security of the UK’s internet and critical services and to protect them from cyberattacks. The NCSC’s 14 Cloud Security Principles outline the requirements that cloud services should meet, including considerations for data in-transit protection, supply chain security, identity and authentication, and secure use of the service. For more information, see //www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles
Asia Pacific
ABS Guide
Association of Banks in Singapore (ABS) Cloud Computing Implementation Guide
The Association of Banks in Singapore (ABS) is an industry association representing commercial and investment banking institutions in Singapore. The ABS Cloud Computing Implementation Guide 2.0 (ABS Guide) provides best-practice recommendations and considerations for the adoption of cloud technologies, including guidelines for due diligence, vendor management, and key controls. For more information, see //abs.org.sg/industry-guidelines/outsourcing
- Oracle Cloud Infrastructure Contract Checklist for ABS Guidelines on Control Objectives and Procedures for Outsourced Services Providers (PDF)
APRA CPS 231
Australian Prudential Regulations for Outsourcing: CPS 231, SPS 231 and HPS 231
The Australian Prudential Regulation Authority (APRA) is the prudential regulator of financial services in Australia. APRA is responsible for issuing standards that regulate the operations of banks, credit unions, and insurance companies that operate business in Australia. APRA’s Prudential Standard CPS 231 Outsourcing (CPS 231), Prudential Standard SPS 231 Outsourcing (SPS 231), and Prudential Standard HPS 231 Outsourcing (HPS 231) set forth requirements to ensure that risks associated with outsourcing arrangements are identified, assessed, managed and reported. APRA has also published an Information Paper on Outsourcing Involving Cloud Computing Services. For more information, see //www.apra.gov.au/sites/default/files/information_paper_-_outsourcing_involving_cloud_computing_services.pdf
FISC
Financial Industry Information Systems Security Guidelines
The Center for Financial Industry Information Systems (FISC), created by the Japanese Ministry of Finance, consists of financial institutions, insurance companies and securities firms, as well as computer manufacturers and telecommunication companies. The organization established the FISC Security Guidelines in 1985. These guidelines provide basic standards for the architecture and operation of information systems for banking and other related financial institutions. For more information, see //www.fisc.or.jp
FSI Cloud Guidelines
Financial Security Initiative (FSI) Cloud Guidelines
The Financial Security Initiative (FSI) issued its Guidelines on the Use of Cloud Computing Services in the Financial Industry in 2019. The guidelines set out the procedures and security measures that financial companies in Korea are required to implement when using cloud services. For more information, see //www.fsec.or.kr/fseceng/index.do
IRDAI Regulation /5/142/2017, Outsourcing of Activities by Indian Insurers
Insurance Regulatory and Development Authority of India (IRDAI) Regulation /5/142/2017, Outsourcing of Activities by Indian Insurers
The Insurance Regulatory and Development Authority of India (IRDAI) issued the IRDAI Regulations, Outsourcing of Activities by Indian Insurers. These regulations cover outsourcing and provide risk management guidelines and requirements for the insurance industry across India. For more information, see //www.irdai.gov.in/ADMINCMS/cms/NormalData_Layout.aspx?page=PageNo4133&mid=4.2.1
- Oracle Contract Checklist for Select India Financial Services Regulations, Guidance and Circulars (PDF)
MAS TRM
Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines
The Monetary Authority of Singapore (MAS), created with the passing of the MAS Act in 1970, is Singapore’s central bank and integrated financial regulator. MAS has published guidelines applicable to financial institutions operating in Singapore with regard to risk management, cyber security, and IT outsourcing. For more information, see //www.mas.gov.sg/regulation/regulations-and-guidance?page=1&topics=Risk%20Management
- Oracle Cloud Infrastructure Practices in the Context of the Technology Risk Management Guidelines (PDF)
- Oracle Contract Checklist for Oracle Cloud Infrastructure and the Monetary Authority of Singapore (MAS) Guidelines on Outsourcing (PDF)
MAS 655
Monetary Authority of Singapore (MAS) Cyber Hygiene Requirements Notice 655
The Monetary Authority of Singapore (MAS), created with the passing of the MAS Act in 1970, is Singapore’s central bank and integrated financial regulator. MAS has published guidelines applicable to financial institutions operating in Singapore with regard to risk management, cyber security, and IT outsourcing. For more information, see //www.mas.gov.sg/regulation/regulations-and-guidance
- Oracle Cloud Applications and the Monetary Authority of Singapore Cyber Hygiene Requirements Notice 655 (PDF)
- Oracle Contract Checklist for Oracle Cloud Infrastructure and the Monetary Authority of Singapore (MAS) Guidelines on Outsourcing (PDF)
My Number Act
Financial Market Supervisory Authority Circular 2018/3
The My Number Act, administered by the Personal Information Protection Commission (PPC), was enacted by the government of Japan in 2016. Its intent is to ensure that organizations properly handle and adequately protect personal data, including My Number data, as required by law. For more information, see //www.ppc.go.jp/en/
- Oracle Cloud Infrastructure Privacy Features (PDF)
NISC
National Center of Incident Readiness and Strategy for Cybersecurity
The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was established in 2015. The governing body is responsible for monitoring government-related organizations that handle large volumes of personal information, both within and outside the cloud sector. It is intended to design a wide range of security guidelines for government entities to follow, promoting efficient and effective cyber security measures and legal compliance. For more information, see //www.nisc.go.jp/eng/
RBI BCSF for UCBs (2018)
Reserve Bank of India (RBI) Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs) (2018)
The Reserve Bank of India (RBI) issued a set of guidelines for Primary (Urban) Cooperative Banks (UCBs) to enhance security and resilience, protecting their assets against cyber security attacks on a continuous basis. The guidelines highlight the need to implement a robust cyber security/resilience framework and recommend specific security controls to support adequate cyber security preparedness. For more information, see //www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11397&Mode=0
- Oracle Contract Checklist for Select India Financial Services Regulations, Guidance and Circulars (PDF)
RBI CSF in Banks (2016)
Reserve Bank of India (RBI) Cyber Security Framework in Banks safeguarding use of Information Technology (2016)
The Reserve Bank of India has provided guidelines on a Cyber Security Framework via circular DBS.CO/CSITE/BC.11/33.01.001/2015-16 dated June 2, 2016. These guidelines are intended as a robust cyber security/resilience framework to ensure adequate cyber security preparedness among banks on a continuous basis. The RBI guidelines on the Cyber Security Framework enable banks to formalize and adopt a cyber security policy and a cyber crisis management plan. For more information, see //www.rbi.org.in/Scripts/NotificationUser.aspx?Id=10435&Mode=0
- Oracle Contract Checklist for Select India Financial Services Regulations, Guidance and Circulars (PDF)
RBI Guidelines on Information Security
Reserve Bank of India (RBI) Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds
The Reserve Bank of India (RBI) has issued Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds for financial institutions. These guidelines include requirements for governance of information security and information technology (IT) within banks. For more information, see //rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf
- Oracle Contract Checklist for Select India Financial Services Regulations, Guidance and Circulars (PDF)
RBI Guidelines on Outsourcing (2006)
Reserve Bank of India (RBI) Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks (2006)
The Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks are intended to set out the RBI’s expectations for how banks manage the risks of outsourcing to third parties. The RBI guidelines provide specific guidance on risk management practices for outsourced financial services and for outsourcing of financial services abroad. For more information, see //rbidocs.rbi.org.in/rdocs/notification/PDFs/73713.PDF
- Oracle Contract Checklist for Select India Financial Services Regulations, Guidance and Circulars (PDF)
SEBI Circular on Outsourcing (2015)
Securities and Exchange Board of India (SEBI) Circular on Outsourcing by Depositories (2015)
The guidelines are intended to ensure that depositories do not outsource their core and critical activities, that the implementation of risk assessment and mitigation measures is properly audited, and that depositories monitor and maintain checks and overall controls over the outsourced entity on a real-time basis. For more information, see //www.sebi.gov.in/legal/circulars/dec-2015/outsourcing-by-depositories_31219.html
- Oracle Contract Checklist for Select India Financial Services Regulations, Guidance and Circulars (PDF)
SEBI Circular on Outsourcing (2017)
Securities and Exchange Board of India (SEBI) Circular on Outsourcing of Activities by Stock Exchanges and Clearing Corporations (2017)
The Circular on Outsourcing of Activities by Stock Exchanges and Clearing Corporations provides specific guidance on due diligence, sub-contracting, contracts with service providers, monitoring of the service provider’s performance, business continuity, confidentiality, termination, access to information and other records, and audit. For more information, see //www.sebi.gov.in/legal/circulars/sep-2017/outsourcing-of-activities-by-stock-exchanges-and-clearing-corporations_35932.html
- Oracle Contract Checklist for Select India Financial Services Regulations, Guidance and Circulars (PDF)
SEBI Guidelines on Outsourcing (2011)
Securities and Exchange Board of India (SEBI) Guidelines on Outsourcing of Activities by Intermediaries (2011)
The Guidelines on Outsourcing of Activities by Intermediaries provide specific guidance on audit rights, confidentiality and data security, monitoring of outsourced services, subcontracting, and business continuity. For more information, see //www.sebi.gov.in/legal/circulars/dec-2011/guidelines-on-outsourcing-of-activities-by-intermediaries_21752.html
- Oracle Contract Checklist for Select India Financial Services Regulations, Guidance and Circulars (PDF)
Three Ministries
Guidelines by Three Ministries for Healthcare Data
Three Japanese ministries provide guidance for the healthcare sector. Each ministry has its own set of guidelines and requirements for cloud providers. The intent is to ensure that the cloud service provider conforms to the security guidelines identified by the three ministries. For more information, see:
- Ministry of Economy, Trade and Industry: //www.meti.go.jp/english/
- Ministry of Internal Affairs and Communications: //www.soumu.go.jp/english/
- Ministry of Health, Labour and Welfare: //www.mhlw.go.jp/english/
© 2022 Oracle