
HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines in Thailand

Issue 01

Date 2020-07-10

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: https://www.huawei.com

Email: [email protected]

Issue 01 (2020-07-10) Copyright © Huawei Technologies Co., Ltd. i


Contents

1 Overview
1.1 Background and Purpose of Publication
1.2 Introduction of Applicable Financial Regulatory Requirements in Thailand
1.3 Definitions

2 HUAWEI CLOUD Security and Privacy Compliance

3 HUAWEI CLOUD Security Responsibility Sharing Model

4 HUAWEI CLOUD Global Infrastructure

5 How HUAWEI CLOUD Meets the Requirements of BoT Regulations on Outsourcing of Financial Institutions
5.1 Selection of Service Providers
5.2 Consumer Protection
5.3 Business Continuity Management of Service Providers
5.4 Contracts and Agreements
5.5 Monitoring, Assessing, Auditing, and Controlling Risks from Outsourcing Activities

6 How HUAWEI CLOUD Meets the Requirements of BoT Information Technology Risk Regulations of Financial Institutions

7 How HUAWEI CLOUD Meets the Requirements of OSEC Rules in Detail on Establishment of Information Technology System and Guidelines for Establishment of Information Technology System
7.1 Information Security Policy
7.2 Organization of Information Security
7.3 Access Control
7.4 Cryptographic Control
7.5 Physical and Environmental Security
7.6 Operations Security
7.7 Communication Security
7.8 System Acquisition, Development and Maintenance
7.9 IT Outsourcing
7.10 Information Security Incident Management
7.11 Information Security Aspects of Business Continuity Management

8 How HUAWEI CLOUD Meets the Requirements of OSEC Cloud Computing Practice Guide
8.1 Assessment and selection of service providers
8.2 Service Agreement
8.3 Use of Cloud Computing
8.4 Service Monitoring and Evaluation
8.5 Cancellation or Termination of Service

9 Conclusion

10 Version History

1 Overview

1.1 Background and Purpose of Publication

Following the recent wave of technological development, more and more FIs (Financial Institutions) are planning to transform their business by leveraging high technology to reduce costs, improve operational efficiency and innovate. To regulate the application of Information Technology (IT) in the financial industry, the Bank of Thailand (BoT) and the Office of the Securities and Exchange Commission (OSEC) published a series of regulatory requirements and guidelines, covering technology risk management, IT outsourcing management, and cloud computing implementation for FIs operating in Thailand.

HUAWEI CLOUD, as a cloud service provider, is committed not only to helping FIs meet local regulatory requirements, but also to continuously providing them with cloud services and business operating environments that meet FIs' standards. This white paper sets out details regarding how HUAWEI CLOUD assists FIs operating in Thailand in meeting regulatory requirements as to the contracting of cloud services.

1.2 Introduction of Applicable Financial Regulatory Requirements in Thailand

The Bank of Thailand (BoT)

● No. FPG 8/2557 Regulations on Outsourcing of Financial Institutions: For FIs that use outsourcing services, the BoT proposes relevant requirements for outsourcing management that FIs are required to comply with, and also provides risk management guidelines related to those outsourcing activities.

● No. FPG 21/2562 Information Technology Risk Regulations of Financial Institutions: Setting out IT risk management principles and implementation guidelines to assist FIs in establishing a sound and robust technology risk management framework.

The Office of the Securities and Exchange Commission (OSEC)

● No. Sor Thor. 37/2559 Rules in Detail on Establishment of Information Technology System: Setting out IT governance and information security management requirements regarding establishing information technology systems for intermediaries engaged in securities services.

● No. Nor Por. 3/2559 Guidelines for Establishment of Information Technology System: An interpretation of the Rules in Detail on Establishment of Information Technology System, providing guidelines and best practices to meet the requirements related to the company's IT governance and information security management.

● Cloud Computing Practice Guide: Providing guidelines to help FIs understand the potential risks of cloud computing, and how to conduct risk management and implement security controls when using cloud computing services.

Note: Insurance companies are separately regulated in Thailand by the Ministry of Finance and the Office of Insurance Commission ("OIC"). The OIC has not issued specific requirements related to IT outsourcing, but does set out some general requirements; for example, insurance companies should have internal controls with regard to their IT service providers under the "Guidelines on the use of services from third parties (Outsourcing) of insurance companies". Considering that it is solely the responsibility of FIs to comply with the above requirements, this white paper will focus on the regulatory requirements issued by both the BoT and the OSEC.

1.3 Definitions

● HUAWEI CLOUD: HUAWEI CLOUD is the cloud service brand of the HUAWEI marquee, committed to providing stable, secure, reliable, and sustainable cloud services.

● Customer: Registered users having a business relationship with HUAWEI CLOUD.

● Outsourcing: Means contracting with a service provider to perform operations that are usually done partly or completely by FIs themselves.

● Service provider: Means another juristic person that enters into a contract to perform the functions which are normally done by financial institutions themselves, including any person who subcontracts from the original service provider or from any subcontractor.

● Cloud computing: Means a type of internet-based computing that provides shared computer processing resources and data on demand, according to the definition by the National Institute of Standards and Technology (NIST).


2 HUAWEI CLOUD Security and Privacy Compliance

HUAWEI CLOUD inherits Huawei's comprehensive management system and leverages its experience in IT system construction and operation, actively managing and continuously improving the development, operation and maintenance of cloud services. To date, HUAWEI CLOUD has received a number of international and industry security compliance certifications, ensuring the security and compliance of businesses deployed by cloud service customers.

HUAWEI CLOUD has attained the following certifications:

Global standard certification

ISO 20000-1:2011
    ISO 20000 is an internationally recognized information technology service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS to make sure cloud service providers (CSPs) can provide effective IT services to meet the requirements of customers and businesses.

ISO 27001:2013
    ISO 27001 is a widely used international standard that specifies requirements for information security management systems. This standard provides a method of periodic risk evaluation for assessing systems that manage company and customer information.

ISO 27017:2015
    ISO 27017 is an international certification for cloud computing information security. The adoption of ISO 27017 indicates that HUAWEI CLOUD has achieved internationally recognized best practices in information security management.

ISO 22301:2012
    ISO 22301 is an internationally recognized business continuity management system standard that helps organizations avoid potential incidents by identifying, analyzing, and alerting on risks, and develops a comprehensive Business Continuity Plan (BCP) to effectively respond to disruptions so that entities can recover rapidly, keep core business running, and minimize loss and recovery costs.

SOC audit
    The SOC audit report is an independent audit report issued by a third-party auditor based on the relevant guidelines developed by the American Institute of Certified Public Accountants (AICPA) for the system and internal control of outsourced service providers. At present, HUAWEI CLOUD has passed the audit of SOC 2 Type 1 Privacy Principle in terms of privacy, which proves that HUAWEI CLOUD has reasonable control measures in terms of cloud management and technology.

PCI DSS Certification
    Payment Card Industry Data Security Standard (PCI DSS) is the global card industry security standard, jointly established by five major international payment brands: JCB, American Express, Discover, MasterCard and Visa. It is the most authoritative and strict financial institution certification in the world.

CSA STAR Gold Certification
    CSA STAR certification was developed by the Cloud Security Alliance (CSA) and the British Standards Institution (BSI), an authoritative standard development and preparation body as well as a worldwide certification service provider. This certification aims to increase trust and transparency in the cloud computing industry and enables cloud computing service providers to demonstrate their service maturity.

International Common Criteria EAL 3+ Certification
    Common Criteria certification is a highly recognized international standard for information technology products and system security. HUAWEI CLOUD FusionSphere passed Common Criteria EAL 3+ certification, indicating that the HUAWEI CLOUD software platform is highly recognized worldwide.

ISO 27018:2014
    ISO 27018 is the first international code of conduct that focuses on personal data protection in the cloud. This certification indicates that HUAWEI CLOUD has a complete personal data protection management system and is in the global leading position in data security management.

ISO 29151:2017
    ISO 29151 is an international practical guide to the protection of personal identity information. The adoption of ISO 29151 confirms HUAWEI CLOUD's implementation of internationally recognized management measures for the entire lifecycle of personal data processing.

ISO 27701:2019
    ISO 27701 specifies requirements for the establishment, implementation, maintenance and continuous improvement of a privacy-specific management system. The adoption of ISO 27701 demonstrates that HUAWEI CLOUD operates a sound system for personal data protection.

BS 10012:2017
    BS 10012 is the personal information data management system standard issued by BSI. The BS 10012 certification indicates that HUAWEI CLOUD offers a complete personal data protection system to ensure personal data security.

Regional standard certification

Classified Cybersecurity Protection of China's Ministry of Public Security
    Classified Cybersecurity Protection issued by China's Ministry of Public Security is used to guide organizations in China through cybersecurity development. Today, it has become the general security standard widely adopted by various industries throughout China. HUAWEI CLOUD has passed the registration and assessment of Classified Cybersecurity Protection Class 3. In addition, key HUAWEI CLOUD regions and nodes have passed the registration and assessment of Classified Cybersecurity Protection Class 4.

Singapore MTCS Level 3 Certification
    The Multi-Tier Cloud Security (MTCS) specification is a standard developed by the Singapore Information Technology Standards Committee. This standard requires cloud service providers (CSPs) to adopt sound risk management and security practices in cloud computing. HUAWEI CLOUD Singapore has obtained the highest level of MTCS security rating (Level 3).

Gold O&M (TRUCS)
    The Gold O&M certification is designed to assess the O&M capability of cloud service providers who have passed TRUCS certification. This certification confirms that HUAWEI CLOUD services operate a sound O&M management system that satisfies the cloud service O&M assurance requirements specified in Chinese certification standards.

Certification for the Capability of Protecting Cloud Service User Data (TRUCS)
    This certification evaluates a CSP's ability to protect cloud data. Evaluation covers pre-event prevention, in-event protection, and post-event tracking.

ITSS Cloud Computing Service Capability Evaluation by the Ministry of Industry and Information Technology (MIIT)
    ITSS cloud computing service capability evaluation is based on Chinese standards such as the General Requirements for Cloud Computing and Cloud Service Operations. It is the first hierarchical evaluation mechanism in China's cloud service/cloud computing domain. Huawei private and public clouds have obtained cloud computing service capability level-1 (top level) compliance certificates.

TRUCS
    Trusted Cloud Service (TRUCS) is one of the most authoritative public domain assessments in China. This assessment confirms that HUAWEI CLOUD complies with the most detailed standard for cloud service data and service assurance in China.

Cloud Service Security Certification - Cyberspace Administration of China (CAC)
    This certification is a third-party security review conducted by the Cyberspace Administration of China according to the Security Capability Requirements of Cloud Computing Service. HUAWEI CLOUD e-Government Cloud Service Platform has passed the security review (enhanced level), indicating that the Huawei e-Government cloud platform was recognized for its security and controllability by China's top cybersecurity management organization.

For more information on HUAWEI CLOUD security compliance, and to download the relevant compliance certificates, please refer to the official HUAWEI CLOUD website, "Trust Center - Security Compliance".


3 HUAWEI CLOUD Security Responsibility Sharing Model

Due to the complex cloud service business model, cloud security is not the sole responsibility of one single party, but requires the joint efforts of both the customer and HUAWEI CLOUD. As a result, HUAWEI CLOUD proposes a responsibility sharing model to help customers understand the security responsibility scope for both parties and ensure the coverage of all areas of cloud security. Below is an overview of the responsibility sharing model between the customer and HUAWEI CLOUD:

Figure 3-1 Responsibility Sharing Model

As shown in the above model, the privacy protection responsibilities are distributed between HUAWEI CLOUD and customers as below:

HUAWEI CLOUD: The primary responsibilities of HUAWEI CLOUD are developing and operating the physical infrastructure of HUAWEI CLOUD data centers; the IaaS, PaaS, and SaaS services provided by HUAWEI CLOUD; and the built-in security functions of a variety of services. Furthermore, HUAWEI CLOUD is also responsible for the secure design, implementation, and O&M of the multi-layered defense-in-depth, which spans the physical, infrastructure, platform, application, and data layers, in addition to the identity and access management (IAM) cross-layer function.


Customer: The primary responsibilities of the customers are customizing the configuration and operating the virtual network, platform, application, data, management, security, and other cloud services to which a customer subscribes on HUAWEI CLOUD, including its customization of HUAWEI CLOUD services according to its needs as well as the O&M of any platform, application, and IAM services that the customer deploys on HUAWEI CLOUD. At the same time, the customer is also responsible for the customization of the security settings at the virtual network layer, the platform layer, the application layer, the data layer, and the cross-layer IAM function, as well as the tenant's own in-cloud O&M security and the effective management of its users and identities.

For details on the security responsibilities of both tenants and HUAWEI CLOUD, please refer to the HUAWEI CLOUD Security White Paper released by HUAWEI CLOUD.


4 HUAWEI CLOUD Global Infrastructure

HUAWEI CLOUD operates services in many countries and regions around the world. The HUAWEI CLOUD infrastructure is built around Regions and Availability Zones (AZs). Compute instances and data stored in HUAWEI CLOUD can be flexibly exchanged among multiple regions or multiple AZs within the same region. Each AZ is an independent, physically isolated fault maintenance domain. Users can and should take full advantage of all these regions and AZs in their planning for application deployment and operations in HUAWEI CLOUD. Distributed deployment of an application across a number of AZs provides a high degree of assurance for normal application operations and business continuity in most outage scenarios (including natural disasters and system failures). For current information on HUAWEI CLOUD Regions and Availability Zones, please refer to the official website of HUAWEI CLOUD "Worldwide Infrastructure".


5 How HUAWEI CLOUD Meets the Requirements of BoT Regulations on Outsourcing of Financial Institutions

Regulations on Outsourcing of Financial Institutions: the BoT classifies outsourcing services according to their set of operations, sets licensing conditions for different types of outsourcing, and provides guidelines and requirements for FIs related to the management of their outsourcing activities. Those requirements cover the responsibilities of the board of directors, selection of service providers, consumer protection, business continuity management, contracts and agreements, and other domains, which provide the guidelines for the management of outsourcing by FIs.

When FIs are seeking to comply with the requirements provided in the Regulations on Outsourcing of Financial Institutions, HUAWEI CLOUD, as a cloud service provider, may be involved in some activities that are prescribed under such requirements. The following content summarizes the compliance requirements related to cloud service providers in the Regulations on Outsourcing of Financial Institutions, and explains how HUAWEI CLOUD, as a cloud service provider, can help FIs to meet these requirements.

5.1 Selection of Service Providers

Clause 2 of Attachment 3 of the Regulations on Outsourcing of Financial Institutions specifies that FIs must have service provider selection criteria. The relevant control requirements and HUAWEI CLOUD's responses are as follows:


No.: Attachment 3, Clause 2

Control Domain: Selection of Service Providers

Specific Control Requirements:
FIs must have appropriate service provider selection criteria prior to entering into a new contract or renewed contract, covering the following key issues:
(1) Technical ability, expertise, and operating experience,
(2) Financial strength,
(3) Business reputation, records of complaints or litigation,
(4) Organizational culture and service policy that is appropriate for FIs,
(5) Ability to respond to new developments,
(6) Concentration risk, and
(7) Clear regulations on consideration of outsourcing to service providers related to the board and senior management.

HUAWEI CLOUD Response:
Customers should establish service provider selection criteria.

(1) Technical ability: HUAWEI CLOUD provides cloud services online, opening Huawei's technology accumulation and product solutions in ICT infrastructure of more than 30 years to customers. HUAWEI CLOUD has five core technological advantages: full stack scenario AI, multidimensional framework, extreme performance, security and reliability, and open innovation. For example, in the field of artificial intelligence (AI), HUAWEI CLOUD AI has landed over 300 projects in 10 major industries, such as city, manufacturing, logistics, internet, medical treatment, and campus. In terms of multi-architecture, HUAWEI CLOUD has created a new multi-computing cloud service architecture based on "x86 + Kunpeng + Ascend", which enables various applications to run at the optimal computing power to maximize customer value.

(2) Financial strength: HUAWEI CLOUD is Huawei's service brand. Since its launch in 2017, HUAWEI CLOUD has been developing rapidly and its revenue has maintained a strong growth trend. According to the Market Share: IT Services, Worldwide 2019 study released by Gartner, HUAWEI CLOUD ranked sixth in the global IaaS market and is one of the top three within the China market, with the fastest growth rate in the world, up to 222.2%.

(3) Business reputation: As always, HUAWEI CLOUD adheres to the customer-centric principle, making more and more customers choose HUAWEI CLOUD. HUAWEI CLOUD has made breakthroughs in different Chinese industries such as the internet, live on demand, video surveillance, genetics, automobile manufacturing and other industries. Apart from the Chinese mainland, HUAWEI CLOUD was launched in Hong Kong (China), Russia, Thailand, South Africa and Singapore in succession.

(4) Corporate culture and service policies suitable for FIs: HUAWEI CLOUD defines product safety and functional requirements according to customer business scenarios, laws and regulations, and regulatory requirements in the product and service planning and design phases. Huawei implements these in the R&D and design phases to meet customer needs. HUAWEI CLOUD has released financial industry solutions to provide end-to-end cloud solutions for banks, insurance companies and other customers, by considering the needs of the industry and Huawei's comprehensive cloud services.

(5) Ability to respond to new developments: Since its launch, HUAWEI CLOUD has insisted on technological innovation. It has released a series of leading new products and upgrades, covering many fields such as cloud security, DevOps, cloud container engine and microservice engine, service grid, computing, cloud storage, network, cloud disaster recovery, and so on.

(6) Risk management capability: HUAWEI CLOUD inherits Huawei's risk management ability and establishes a complete risk management system. Through the continuous operation of the risk management system, HUAWEI CLOUD can effectively control risks in the complex internal and external environment with the huge uncertainties in the market, strive for the optimal balance between performance growth and risk, continuously manage internal and external risks, and ensure the sustainable and healthy development of the company.

(7) Operational capability: HUAWEI CLOUD follows ISO 27001, ISO 20000, ISO 22301 and other international standards to establish a sound information security management system, IT service management system, business continuity management system, and the requirements applicable to the daily operation of those systems. HUAWEI CLOUD regularly carries out risk assessment, management review, and other activities every year to identify problems in the operation of the system and rectify them to continuously improve the management system.

5.2 Consumer Protection

Attachment 3 Clause 3 of Regulations on Outsourcing of Financial Institutions states that "Financial institutions must always be aware that outsourcing is only delegating services to the service providers. Financial institutions continue to be responsible to customers as if the financial institutions provide the services themselves. Therefore, financial institutions must ensure that the customers are treated properly." Being FIs' cloud service provider, HUAWEI CLOUD's responsibilities are subject to the protection of FIs themselves. Clause 3 of Attachment 3 of Regulations on Outsourcing of Financial Institutions requires FIs to establish a consumer protection mechanism. The relevant control requirements and HUAWEI CLOUD's responses are as follows:


No.: Attachment 3 Clause 3(1)
Control Domain: Customer Data Confidentiality
Specific Control Requirements: Must ensure that the service providers are able to arrange a good system to maintain security and confidentiality of customer information and the financial institution information.
HUAWEI CLOUD Response: HUAWEI CLOUD strictly adheres to "not accessing customer data without permission" and explicitly states in the user agreement that it will not access or use the user's content, unless it provides the necessary services for the user or abides by the laws and regulations or the binding orders of the government institutions. HUAWEI CLOUD conforms to the data protection principles described in the Personal Data Protection Act (PDPA). At the same time, it will clearly stipulate the responsibility of HUAWEI CLOUD to customers in the case of a breach of confidentiality clauses in contracts signed with customers in the financial industry. In addition, HUAWEI CLOUD service products and components have planned and implemented isolation mechanisms from the beginning of design, avoiding intentional or unintentional unauthorized access and tampering between customers, and reducing the risk of data leakage. Using data storage as an example, HUAWEI CLOUD services including block storage, object storage, and file storage all regard customer data isolation as an important feature.


No.: Attachment 3 Clause 3(2)
Control Domain: Problem and Incident Management
Specific Control Requirements: Must arrange to have an adequate system to handle customer complaints and problem solving by recording and monitoring customer complaints, including the problem of customer information leakage, where FIs must specify appropriate guidelines to solve such problems.
HUAWEI CLOUD Response: Customers should establish formal incident and problem management procedures.
HUAWEI CLOUD provides an after-sales service guarantee for customers. The HUAWEI CLOUD professional service engineer team provides 24/7 service support, so customers can seek help through methods such as work orders, intelligent customer service, self-service, and telephone. In addition to basic support, customers with complex systems can choose from the tiered support plans to obtain exclusive support from personnel such as the IM enterprise group, Technical Service Manager (TAM), and service manager.
To meet the requirement for fast response, HUAWEI CLOUD has developed a complete event management process. Events are prioritized and different processing time limits are defined according to the impact and scope of each event. HUAWEI CLOUD will respond to and resolve the event within a specified time limit according to the priority of the event, to minimize the impact of the event on cloud service customers.


No.: Attachment 3 Clause 3(3)
Control Domain: Performance Monitoring and Capacity Planning
Specific Control Requirements: Must ensure that the service quality for customers does not deteriorate or that the cost burden that normally incurs to FIs is put on customers.
HUAWEI CLOUD Response: Customers should establish performance monitoring and capacity planning mechanisms.
The HUAWEI CLOUD Service Level Agreement specifies the product/service level provided, including the commitment to service availability and compensation when failing to meet the agreed service level.
In order to meet customer compliance requirements, HUAWEI CLOUD has formulated a standard capacity management and resource forecasting procedure to manage Huawei's cloud capacity as a whole and improve the availability of Huawei's cloud resources. HUAWEI CLOUD resource utilization is monitored daily. Input from all parties provides ongoing predictions for future resource requirements, and resource expansion schemes are formulated to meet these requirements. Business capacity and performance bottlenecks are analyzed and evaluated. When resources reach a preset threshold, a warning is issued, and further solutions are adopted to avoid the impact on the system performance of the tenant cloud service.
Cloud Eye Service (CES) provides users with a robust monitoring platform for Elastic Cloud Server (ECS), bandwidth, and other resources. CES provides real-time monitoring alarms, notifications, and personalized report views to accurately grasp the status of business resources. Users can set independent alarm rules and notification strategies to quickly see the running status and performance of instance resources of each service.


No.: Attachment 3 Clause 3(5)
Control Domain: Customer Data Deletion
Specific Control Requirements: In case of contract termination or cancellation based on any reasons, FIs must ensure that customer's information is destroyed or is entirely removed from the service providers.
HUAWEI CLOUD Response: When the service agreement terminates, customers can migrate content data from HUAWEI CLOUD through Object Storage Migration Service (OMS) and Server Migration Service (SMS) provided by HUAWEI CLOUD, for example by migrating to a local data center. Upon confirmation of the destruction of customer data by the customers, HUAWEI CLOUD clears the specified data and all copies. Once customers agree to the deletion, HUAWEI CLOUD deletes the index relationship between customers and data, and clears the storage space, such as memory and block storage, before reallocation, to ensure that related data and information cannot be restored. If a physical storage medium is to be disposed of, HUAWEI CLOUD clears the data by degaussing, bending, or breaking the storage medium to ensure that data on the storage medium cannot be restored.

5.3 Business Continuity Management of Service Providers

Clause 4 of Attachment 3 of Regulations on Outsourcing of Financial Institutions requires FIs to implement business continuity management related to service providers. The relevant control requirements and HUAWEI CLOUD's responses are as follows:


No.: Attachment 3 Clause 4(1)
Control Domain: Business Impact Analysis and Risk Assessment
Specific Control Requirements: FIs must specify the significance level of the outsourced activity by assessing the risks and impacts that may incur if the services are disrupted.
HUAWEI CLOUD Response: To provide continuous and stable cloud services to customers, HUAWEI CLOUD has established a complete set of business continuity management systems in accordance with the ISO 22301 Business Continuity Management international standard. Under the requirements of this framework, HUAWEI CLOUD carries out regular business impact analysis, identifies key business, and determines the recovery target and minimum recovery level of key business. In the process of identifying key business, the impact of business interruption on cloud service customers is regarded as an important criterion to judge key business.


No.: Attachment 3 Clause 4(2)
Control Domain: Business Continuity Plan Development and Testing
Specific Control Requirements: FIs must require that the service providers have a business continuity plan, especially for the case of a significant activity or an activity with wide impact, as well as allocate adequate resources for such operation, applying the guidelines by the BoT on business continuity management (BCM) and business continuity plan (BCP) of FIs to the extent that is consistent with the FIs' own business continuity. FIs must conduct a regular test on the business continuity plan with the key service providers, and must record the test results in writing to be reviewed by the BoT.
HUAWEI CLOUD Response: HUAWEI CLOUD follows the ISO 22301 international standard for business continuity management and has established a complete set of business continuity management systems. Within this framework, business impact analysis and risk assessment are carried out regularly, and business continuity plans and disaster recovery plans are formulated.
As a supplier to cloud service customers, HUAWEI CLOUD will actively cooperate with customer-initiated test requirements and help customers test the effectiveness of their business continuity plans. HUAWEI CLOUD tests the business continuity plans and disaster recovery plans annually according to the requirements of the internal business continuity management system. All emergency response personnel, including reserve personnel, need to participate. The tests include desktop exercises, functional exercises and full-scale exercises, in which high-risk scenarios are emphasized. During the testing process, HUAWEI CLOUD will select test scenarios, develop complete test plans and procedures, and record test results. After the completion of the test, relevant personnel write the test report and summarize any problems found during the test. If the test results show problems with the business continuity plan, recovery strategy or emergency plan, the relevant documents will be updated.

5.4 Contracts and Agreements

Attachment 3 Clause 5 of Regulations on Outsourcing of Financial Institutions requires FIs to sign written contracts and agreements with service providers. The relevant control requirements and HUAWEI CLOUD's responses are as follows:


No.: Attachment 3 Clause 5
Control Domain: Contracts and Agreements
Specific Control Requirements: FIs must enter into a written contract or agreement with the service providers, taking into account, at the minimum, the following key issues:

(1) Detail of the service type, scope of responsibility, risk management, internal control process, security system for safeguarding information and assets of FIs;

(2) Service level agreement to specify minimum standard of operation that the service providers must perform both under normal and abnormal situations;

(3) Business continuity plan of the service providers to support the case where outsourced services are disrupted or unable to provide continuous services;

(4) Process to monitor, audit, and evaluate performance of the service providers;

(6) Term of contract, terms and contract termination conditions, including the right of FIs to revise or extend the contract;

(7) Scope of responsibility of the counterparties in case that a problem incurs such as service delay and mistake, as well as problem solving guidelines or compensation of loss;

(8) Information security, maintaining the confidentiality of customer information, FIs' information, and access right and information ownership, as well as data transmission, data maintenance, clear penalty in case of the breach of customer's and FIs' information. In this regard, the service providers should separate the database of FIs' customers from that of the service providers as well as the service providers' other customers;

(12) Compliance with the supervisory regulations;

(13) Assigning the right for the BoT, FIs, external auditors, or other government agencies to inspect operations, internal control process, as well as request relevant information from the service providers or subcontractors (if any).

HUAWEI CLOUD Response: HUAWEI CLOUD provides online versions of the HUAWEI CLOUD Customer Agreement and HUAWEI CLOUD Service Level Agreement, which specify the content and level of services provided, as well as the responsibilities of HUAWEI CLOUD. HUAWEI CLOUD has also developed an offline contract template, which can be customized according to the needs of different customers. Customers' and their regulators' audit and supervision rights in HUAWEI CLOUD will be committed in the agreement signed with the customer according to the situation.

5.5 Monitoring, Assessing, Auditing, and Controlling Risks from Outsourcing Activities

Clause 6 of Attachment 3 of Regulations on Outsourcing of Financial Institutions requires FIs to monitor, assess, audit, and control risks from outsourcing activities. The relevant control requirements and HUAWEI CLOUD's responses are as follows:


No.: Attachment 3 Clause 6(2)(4)(5)
Control Domain: Control of Outsourcing Activities
Specific Control Requirements:

(2) Arrange or have the service providers prepare an operating manual and relevant documents, as well as regularly updating them for the purpose of monitoring, evaluating, and risk management of FIs.

(4) Arrange to have written documents on problematic or risk issues, loss data, as well as received orders from relevant authorities in conjunction with outsourcing services for review by the BoT.

(5) Arrange to review the service provided regularly as deemed appropriate to the function group.

HUAWEI CLOUD Response: HUAWEI CLOUD's services and platforms have been certified by many international and industry security compliance certifications, covering information security, privacy protection, business continuity management, IT service management and other fields. HUAWEI CLOUD is committed to creating secure and credible cloud services for customers in all walks of life and providing empowerment and escorting services for customers.
In order to meet the compliance requirements of customers, HUAWEI CLOUD regularly audits and updates all system documents every year according to the requirements of the internal business continuity management system. In addition, HUAWEI CLOUD has a dedicated team to maintain the product descriptions and operating manuals regarding cloud services, and both of them are available in English and accessible on the international website.
HUAWEI CLOUD receives regular audits from professional third-party auditing institutions every year and provides professional assistance to actively respond to and cooperate with audit activities initiated by customers.
In addition, HUAWEI CLOUD provides an after-sales service guarantee for customers. The HUAWEI CLOUD professional service engineer team provides 24/7 service support, so customers can seek help through methods such as work orders, intelligent customer service, self-service, and telephone. In addition to basic support, customers with complex systems can choose from the tiered support plans to obtain exclusive support from personnel such as the IM enterprise group, Technical Service Manager (TAM), and service manager.


6 How HUAWEI CLOUD Meets the Requirements of BoT Information Technology Risk Regulations of Financial Institutions

In November 2019, the BoT released Information Technology Risk Regulations of Financial Institutions, providing principles of information technology risk management for FIs and implementation guidelines for information technology risk management and third party risk management.

When FIs are seeking to comply with the requirements of Information Technology Risk Regulations of Financial Institutions, HUAWEI CLOUD, as a cloud service provider, may participate in some activities involved in the requirements. The following materials summarize the compliance requirements related to cloud service providers in Information Technology Risk Regulations of Financial Institutions, and explain how HUAWEI CLOUD, as a cloud service provider, can help FIs to meet these requirements.

HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines in Thailand

6 How HUAWEI CLOUD Meets the Requirements of BoT Information Technology Risk Regulations of Financial Institutions

Issue 01 (2020-07-10) Copyright © Huawei Technologies Co., Ltd. 25


No.: 5.3.2(2)
Control Domain: Data Security
Specific Control Requirements: A FI must have information security controls for data transmitted through communication networks and data stored in IT systems and any storage media. And, to ensure data confidentiality, data must be appropriately classified, kept and disposed depending on its classification, and encrypted by a reliable and generally accepted encryption technique at international standard (cryptography).
HUAWEI CLOUD Response: Customers should consider protecting all media that store information, both paper and electronic. When customers use encryption to protect data, they should consider using industry-approved encryption algorithms and key management mechanisms.
HUAWEI CLOUD has developed a sound media management process for storage media that store customer content data in the financial industry, to ensure the security of the data stored in the media. When a customer initiates a data deletion operation, or if the data needs to be deleted due to the expiration of the service, HUAWEI CLOUD will strictly follow the data destruction standard signed in the agreement with the customer to erase the stored customer data. The specific practice is: once customers agree to the deletion, HUAWEI CLOUD deletes the index relationship between customers and data, and clears the storage space, such as memory and block storage, before reallocation, to ensure that related data and information cannot be restored. If a physical storage medium is to be disposed of, HUAWEI CLOUD clears the data by degaussing, bending, or breaking the storage medium to ensure that data on the storage medium cannot be restored.
Currently, services including Elastic Volume Service (EVS), Object Storage Service (OBS), Image Management Service (IMS) and Relational Database Service provide data encryption or server-side encryption functions and encrypt data using high-strength algorithms. The server-side encryption function integrates Key Management Service (KMS) of HUAWEI CLOUD Data Encryption Workshop (DEW), which provides full-lifecycle key management. Without authorization, others cannot obtain keys to decrypt data, which ensures data security on the cloud. DEW adopts a layered key management mechanism. A hardware security module (HSM) creates and manages keys for customers, and is FIPS 140-2 (Level 2 and Level 3) certified to meet users' data security compliance requirements. Even Huawei O&M personnel cannot obtain the root key. DEW also allows customers to import their own keys as master keys for unified management, facilitating seamless integration with customers' services. At the same time, HUAWEI CLOUD adopts a mechanism of online redundant storage of user master keys, multiple physical offline backups of root keys and regular backups to ensure the durability of the keys.
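The layered key scheme described in this row (a root key held in an HSM wraps customer master keys, which in turn wrap per-object data keys, with customer-imported master keys and authorization checks before any unwrap) is shown below as an added Go example; it is not HUAWEI CLOUD's or DEW's code. It simulates the hierarchy in one process, so the in-memory rootKey stands in for the HSM, and KMS, ImportMasterKey, Encrypt, Decrypt and the key IDs are assumed names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: nothing safe to do but stop
	}
	return b
}

// aead builds AES-256-GCM; every key reaching it is 32 bytes, so a failure is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal returns nonce||ciphertext; aad binds the key ID to a wrapped key.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails on a wrong key, wrong aad or any tampering.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KMS models the layered scheme: rootKey stands in for the HSM-held root key and
// is never returned; master keys are stored only wrapped under it, one owner each.
type KMS struct {
	rootKey []byte
	wrapped map[string][]byte
	owner   map[string]string
}

func NewKMS() *KMS {
	return &KMS{rootKey: randomBytes(32), wrapped: map[string][]byte{}, owner: map[string]string{}}
}

// ImportMasterKey wraps customer-supplied (BYOK) AES-256 material under the root key.
func (k *KMS) ImportMasterKey(keyID, owner string, material []byte) error {
	if len(material) != 32 {
		return errors.New("master key must be 32 bytes")
	}
	k.wrapped[keyID] = seal(k.rootKey, material, []byte(keyID))
	k.owner[keyID] = owner
	return nil
}

// master unwraps a master key only for its authorized principal, only for this call.
func (k *KMS) master(principal, keyID string) ([]byte, error) {
	if principal == "" || k.owner[keyID] != principal {
		return nil, errors.New("principal not authorized for this key")
	}
	return open(k.rootKey, k.wrapped[keyID], []byte(keyID))
}

// Encrypt uses a fresh data key per object and wraps it under the master key;
// only the wrapped data key and the ciphertext are persisted, never a plaintext key.
func (k *KMS) Encrypt(principal, keyID string, data []byte) ([]byte, []byte, error) {
	m, err := k.master(principal, keyID)
	if err != nil {
		return nil, nil, err
	}
	dk := randomBytes(32)
	return seal(m, dk, []byte(keyID)), seal(dk, data, nil), nil
}

// Decrypt unwraps the data key (authorization enforced in master) and decrypts.
func (k *KMS) Decrypt(principal, keyID string, wrappedDK, ct []byte) ([]byte, error) {
	m, err := k.master(principal, keyID)
	if err != nil {
		return nil, err
	}
	dk, err := open(m, wrappedDK, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return open(dk, ct, nil)
}
```

A principal other than the key's owner, a tampered ciphertext, or a wrapped data key presented under a different key ID all fail to decrypt, which is the property the row attributes to authorization and HSM-rooted key management.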


No.: 5.3.2(3)
Control Domain: Access Control
Specific Control Requirements: A FI must have the control of access and the right of audit to its operating systems and databases, as there must be the management of access rights and authentication. The access rights must be given depending on the need to access any particular system and risk level in order to prevent the access and revision to systems or data by unauthorized persons.
HUAWEI CLOUD Response: Customers should establish a mechanism for authentication and access control management of the information system, and restrict and supervise the behavior of those accessing the system.
Customers can manage user accounts using cloud resources through HUAWEI CLOUD Identity and Access Management (IAM). Besides password authentication, IAM also supports multi-factor authentication as an option, and the customer can choose whether to enable it or not. If the customer has a secure and reliable external authentication service provider, federated external users of the IAM service can be mapped to temporary users of HUAWEI CLOUD and access the customer's HUAWEI CLOUD resources. IAM can be authorized by hierarchy and in detail, as administrators can plan the level of cloud resource access based on the user's responsibilities. They can also restrict malicious access from untrusted networks by setting security policies such as access control lists.
In addition, HUAWEI CLOUD's Cloud Trace Service (CTS) provides collection, storage, and querying of operational records for a variety of cloud resources to support common scenarios such as security analysis, compliance auditing, resource tracking, and problem location.
To meet the compliance requirements of customers, HUAWEI CLOUD has established a sound operation and maintenance account management mechanism such that when operational personnel try to access Huawei's cloud management network to centrally manage the system, an employee identity account and two-factor authentication are required. All operations accounts are centrally managed, centrally monitored, and automatically audited by LDAP through a unified operational audit platform to ensure that the processes from user creation, authorization, and authentication to rights collection are fully managed. RBAC permission management is also implemented according to different business dimensions and different responsibilities within the same business to ensure that personnel with different responsibilities in different positions are limited to accessing the equipment under their role.


No.: 5.3.2(4)
Control Domain: Physical and Environmental Security
Specific Control Requirements: A FI must have security controls for its data centers, IT workplaces, as well as the areas of critical IT systems. There must also be a protection system and maintenance process for computer hardware and facility systems connected to IT systems in order to prevent possible attacks or damage from natural disasters and ensure that they can continuously support the business operations.
HUAWEI CLOUD Response: Customers should develop and implement physical and environmental security management processes.
HUAWEI CLOUD has established comprehensive physical security and environmental safety protection measures, strategies, and procedures that comply with the Class A standard of GB 50174 Code for Design of Electronic Information System Room and the T3+ standard of TIA-942 Telecommunications Infrastructure Standard for Data Centers. HUAWEI CLOUD data centers are located on suitable physical sites, as determined from solid site surveys. During the design, construction, and operation stages, the data centers have proper physical zoning and well-organized placement of information systems and components, which helps prevent potential physical and environmental risk scenarios (for example, fire or electromagnetic leakage) as well as unauthorized access. Furthermore, sufficient data center space and adequate electrical, networking, and cooling capacities are reserved in order to meet not only today's infrastructure requirements but also the demands of tomorrow's rapid infrastructure expansion. The HUAWEI CLOUD O&M team carries out risk assessment to enforce stringent access control, safety measures, regular monitoring and auditing, and emergency response measures to ensure the physical security and environmental safety of HUAWEI CLOUD data centers. See section 5.1 Physical and Environmental Security of the HUAWEI CLOUD Security White Paper for more information.


5.3.2(5) Communications Security

Specific Control Requirements:
A FI must have security controls for its communication systems so that the systems and the data transmitted through them are secure and protected from any possible attacks or threats.

HUAWEI CLOUD Response:
Customers should establish a network security management system to ensure that all information located and processed within their network is protected. HUAWEI CLOUD ensures that the development, configuration, deployment, and operation of its cloud technologies are secure: from the initial phase, HUAWEI CLOUD strictly implements the corresponding control measures so that it is secure in architecture design, equipment selection, host network (with multi-layer physical and virtual network isolation), access control, border protection technology, configuration, and other aspects. Customers can rely on the Region and Availability Zone (AZ) architecture of the HUAWEI CLOUD data center clusters for disaster recovery and backup of their business systems. Data centers are deployed around the world according to defined rules, and customers can set up disaster recovery and backup across two separate sites. HUAWEI CLOUD has also deployed a Global Server Load Balance Center, so that customer applications can be deployed N+1 across data centers: if one data center fails, traffic is balanced to the other centers. HUAWEI CLOUD has deployed a full-network alarm system that continuously monitors the resource utilization of all network equipment. When utilization reaches a preset threshold, the alarm system issues a warning and O&M personnel take prompt measures to keep customer cloud services running to the greatest extent possible.


5.3.2(6) Operations Security

Specific Control Requirements:
A FI must have security controls for its IT operations so that the IT operations are secure, which must cover, but not be limited to, the following:
(6.1) Capacity management for IT systems and facility systems, such as conducting an assessment of the future demand for IT resources so that the IT resources are properly managed, can sufficiently support the business operations, and the FIs can manage IT resources to deal with future needs;
(6.2) Security controls for the servers and user devices (endpoint devices), such as installing anti-virus or anti-malware software, in order to prevent data leakage, unauthorized access or cyber attack;
(6.3) Data backup: data must be backed up using an appropriate approach within an appropriate timeframe, such as on a daily basis, so that the backup data is ready to use whenever the original data is unavailable or damaged;
(6.4) Keeping logs of the servers and important networking hardware, such as keeping and reviewing access logs and activity logs in order to monitor and inspect the access to and use of the system or data;
(6.5) Security monitoring: there must be a process or tools for monitoring suspicious incidents or threats that may affect critical IT systems, such as installing a system for monitoring and analyzing cyber threats so that the FIs can promptly detect, prevent and handle suspicious incidents or threats;
(6.6) Management of system vulnerabilities according to risk level, so that vulnerabilities can be detected and the FIs can promptly take further action to prevent possible threats; a vulnerability assessment of critical IT systems must be conducted at least once a year or when there is any significant change of technical standard;
(6.7) Penetration testing, which may be conducted by an independent internal or external expert; the test must cover internet-facing systems and be conducted at least once a year or when there is any significant change, in order to detect vulnerabilities so that the FIs can promptly make improvements to prevent possible threats;
(6.8) Change management: there must be a secure and sufficient process for managing and controlling changes, such as system deployment, system configuration and patch installation, in order to ensure that the change takes place correctly, completely reaches the specified objectives, and unauthorized change is prevented;
(6.9) System configuration management: there must be a control process for the configuration of production systems, and the configuration must be regularly reviewed in order to prevent operational errors;
(6.10) Patch management: there must be a control process for the installation of patches on production systems in order to promptly install important security patches.

HUAWEI CLOUD Response:
1. Capacity management: Customers can use HUAWEI CLOUD's Cloud Eye Service (CES), which provides multi-dimensional monitoring of Elastic Cloud Servers, bandwidth, and other resources. CES monitors the resource usage data of infrastructure, platform, and application services; it does not monitor or access tenant data. These metrics allow users to set alarm rules and notification policies to keep abreast of the health and performance of the instance resources of each service. HUAWEI CLOUD has also developed a complete performance and capacity management process: through early identification of resource requirements and overall management of platform resource capacity and equipment inventory, HUAWEI CLOUD continuously optimizes resource utilization and availability levels, and ultimately ensures that cloud resources meet the business needs of users.

2. Host security management: Customers can use the HUAWEI CLOUD Host Security Service (HSS) to protect host security. HSS provides asset management, vulnerability management, baseline checks, and intrusion detection to help enterprises manage host security risks, detect and prevent intrusions in real time, and meet graded security protection compliance requirements.

3. Backup management: HUAWEI CLOUD provides multi-granularity data backup and archiving services to meet customers' requirements in specific scenarios. Customers can use the versioning function of OBS, Volume Backup Service (VBS), and Cloud Server Backup Service (CSBS) to back up in-cloud objects, disks, and servers. Benefiting from the on-demand use, scalability, and high reliability of cloud services, customers can also back up data through HUAWEI CLOUD's data backup and archiving services to ensure that data is not lost in the event of a disaster.

4. Log and monitoring management: HUAWEI CLOUD's Cloud Trace Service (CTS) provides operation records of cloud service resources for users to query, audit, and backtrack. Three types of operations are recorded: operations performed through the management console after a cloud account login, operations performed through APIs supported by cloud services, and operations triggered within HUAWEI CLOUD's own system. CTS checks the log data sent by the various services so that the data itself does not contain sensitive information, and protects the accuracy and completeness of log transmission and preservation as follows:
(a) In the transmission phase, by means of identity authentication, format checking, whitelist checking and a one-way receiver system;
(b) In the storage phase, by keeping multiple backups according to Huawei's network security specifications, so that the data is transmitted and preserved accurately and completely.
The security of the underlying database is hardened to eliminate the risks of forgery, repudiation, tampering and information leakage. Finally, CTS supports encrypted storage of trace data in OBS buckets.
HUAWEI CLOUD uses a centralized and comprehensive log system based on big data analytics. The system collects management behavior logs of all physical devices, networks, platforms, applications, databases, and security systems, as well as threat detection logs of security products and components. The logs support cybersecurity event backtracking and compliance.

5. Vulnerability and patch management: The Huawei Product Security Incident Response Team (PSIRT) became an official member of the Forum of Incident Response and Security Teams (FIRST) in 2010, through which Huawei PSIRT and the other 471 members share incident response best practices and other security information. Huawei PSIRT has a mature vulnerability response program. The self-service nature of HUAWEI CLOUD makes it necessary for PSIRT to continuously optimize its vulnerability management process and technical means, ensuring rapid patching of vulnerabilities found in in-house-developed and third-party technologies across HUAWEI CLOUD infrastructure and IaaS, PaaS and SaaS services, and mitigating risks to tenants' business operations. In addition, Huawei PSIRT and the HUAWEI CLOUD security O&M team have established a mature and comprehensive program and framework for vulnerability detection, identification, response, and disclosure. HUAWEI CLOUD relies on this program and framework to ensure that vulnerabilities in HUAWEI CLOUD infrastructure, cloud services, and O&M tools, whether found in Huawei's or third-party technologies, are handled and resolved within SLAs. HUAWEI CLOUD strives to reduce and ultimately prevent service impact on customers from vulnerability exploitation. Canary or blue-green deployment is used when vulnerabilities are fixed through a patch or new version, to minimize the impact on tenant services. In addition, the HUAWEI CLOUD Image Management Service (IMS) provides self-service image management: tenants can manage their images through the IMS API or the management console. HUAWEI CLOUD staff periodically update and maintain public images, including applying security patches as required, and provide security-related information for users to reference in deployment testing, troubleshooting, and other O&M activities.

6. Penetration testing: To meet customer compliance requirements, HUAWEI CLOUD regularly conducts internal and third-party penetration testing and security assessment, with regular monitoring, checks, and remediation of any security threats found, to guarantee the security of the cloud services.

7. Change management: To meet customer compliance requirements, HUAWEI CLOUD has formulated a standardized change management process, and any change to the environment takes place only through this process. Change requests are submitted to the HUAWEI CLOUD Change Committee by the change manager team with a change classification assigned. Once the committee has reviewed and approved a request, the planned change can be implemented on the production network. Before a change request is submitted, the change must undergo a testing process that includes production-like environment testing, pilot release, and/or blue/green deployment, so that the change committee clearly understands the change activities involved, their duration, the failure rollback procedure, and all potential impacts.

8. Configuration management: HUAWEI CLOUD, as CSP, is responsible for the configuration management of the infrastructure it provides and of its IaaS, PaaS, and SaaS cloud services. The HUAWEI CLOUD configuration manager covers all business units, including extraction of configuration models (configuration item types, configuration item attributes, relationships between configuration items, etc.) and recording of configuration information. The relationships between configuration items, their properties, and their use are managed through a professional configuration management database (CMDB) tool.
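As an added illustration (not code from this guide, from CTS, or from Huawei), the following Python sketch shows what the transmission and storage protections listed under point 4 amount to when implemented: a sender whitelist, identity authentication of each record, a format check, and a one-way receiver whose stored entries are hash-chained so that a forged, altered or deleted record is detectable afterwards. The sender names, shared keys and log records are constructed for the example; the services named in the text do not expose this code.

```python
"""Tamper-evident audit-log intake, mirroring the four protections named in the
text: sender whitelist, identity authentication, format checking and a one-way
(append-only) receiver whose entries are hash-chained for later verification."""
from __future__ import annotations

import hashlib
import hmac
import json

# Hypothetical per-sender shared secrets (assumption for the example; in a real
# deployment these would come from a key management service, not source code).
SENDER_KEYS = {
    "ecs-api": b"ecs-shared-secret",
    "iam-console": b"iam-shared-secret",
}
REQUIRED_FIELDS = {"ts", "sender", "actor", "action", "resource"}
GENESIS = "0" * 64


def canonical(record: dict) -> bytes:
    """Canonical JSON so sender and receiver MAC/hash exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign(record: dict, key: bytes) -> str:
    """Sender side: HMAC-SHA256 over the canonical record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


class LogReceiver:
    """One-way receiver: exposes ingest and read, never update or delete."""

    def __init__(self) -> None:
        self._chain: list[tuple[dict, str]] = []   # (record, entry hash)
        self.rejected: list[tuple[str, dict]] = []  # (reason, record)

    @staticmethod
    def _entry_hash(prev_hash: str, record: dict) -> str:
        # Each entry commits to the previous hash, so editing or removing an
        # earlier entry invalidates every later one.
        return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()

    def ingest(self, record: dict, mac: str) -> bool:
        # 1. Whitelist check: only registered senders may submit.
        key = SENDER_KEYS.get(record.get("sender"))
        if key is None:
            self.rejected.append(("unknown sender", record))
            return False
        # 2. Identity authentication: MAC must verify (constant-time compare).
        if not hmac.compare_digest(mac, sign(record, key)):
            self.rejected.append(("bad mac", record))
            return False
        # 3. Format check: exact field set and a numeric timestamp.
        if set(record) != REQUIRED_FIELDS or not isinstance(record["ts"], int):
            self.rejected.append(("bad format", record))
            return False
        # 4. Append-only storage, chained to the previous entry.
        prev = self._chain[-1][1] if self._chain else GENESIS
        self._chain.append((record, self._entry_hash(prev, record)))
        return True

    def entries(self) -> list[dict]:
        return [rec for rec, _ in self._chain]

    def verify(self) -> int:
        """Recompute the chain; return the index of the first broken entry, or -1."""
        prev = GENESIS
        for i, (rec, h) in enumerate(self._chain):
            if self._entry_hash(prev, rec) != h:
                return i
            prev = h
        return -1


def demo() -> tuple[list[bool], int, int]:
    """Constructed sample traffic: one valid record, one forged, one rogue sender."""
    rx = LogReceiver()
    good = {"ts": 1594339200, "sender": "ecs-api", "actor": "tenant-a/ops",
            "action": "ecs:stopServer", "resource": "ecs-0001"}
    forged = dict(good, ts=1594339201, action="ecs:deleteServer")
    rogue = dict(good, ts=1594339202, sender="unregistered-box")
    accepted = [
        rx.ingest(good, sign(good, SENDER_KEYS["ecs-api"])),
        rx.ingest(forged, sign(forged, b"attacker-guessed-key")),
        rx.ingest(rogue, sign(rogue, b"anything")),
    ]
    before = rx.verify()                            # intact chain -> -1
    rx.entries()[0]["action"] = "ecs:startServer"   # simulate tampering at rest
    return accepted, before, rx.verify()            # tampered entry index -> 0


if __name__ == "__main__":
    print(demo())
```

The receiver deliberately has no update or delete method; the hash chain is what turns "multiple backups" into a check that the copies agree, since any backup whose chain verifies end to end is known to be complete and unaltered. Removing an entry from the middle is caught at the next entry, because that entry's hash commits to the hash of the one that was removed.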


5.3.2(7) System Acquisition, Development and Maintenance

Specific Control Requirements:
(7.1) System acquisition: A FI must set out clear and appropriate criteria for the selection of systems and service providers, which should cover, for example, the credibility of the system or service provider, certification (according to international standards or generally accepted IT standards), system security, and system support and maintenance, to ensure that the system and service provider can respond to the business needs of the FIs. Other key concerns may include flexibility in the replacement of the service provider, technological changes, and future changes in the business strategies of the FIs.
(7.2) System development: A FI must carry out the design, development and testing of systems to ensure that the system is accurate, secure, reliable, ready to use, and flexible enough to accommodate any changes in the future.

HUAWEI CLOUD Response:
Huawei development and testing processes follow unified system (software) security development management specifications, and access to the various environments is strictly controlled. To meet customer compliance requirements, HUAWEI CLOUD manages the end-to-end software and hardware life cycle through complete systems and processes, as well as automated platforms and tools. The life cycle includes security requirements analysis, security design, secure coding and testing, security acceptance and release, and vulnerability management. HUAWEI CLOUD and its cloud services comply with security and privacy design principles and norms, laws and regulations. In the security requirements analysis and design phase, threats are analyzed according to business scenarios, data flow diagrams and networking models. When a threat is identified, the design engineer formulates mitigation measures according to the threat mitigation library and the security design library and completes the corresponding security design. All threat mitigation measures are eventually converted into security requirements and security functions and, using the company's test case library, into security test cases, to ensure that they are implemented and that products and services are secure. HUAWEI CLOUD strictly complies with the secure coding specifications issued by Huawei for the various programming languages. Static code analysis tools are used for routine checks, and the resulting data is entered into the cloud service tool chain to evaluate coding quality. Before any cloud service is released, static code analysis alarms must be cleared, which effectively reduces coding-related security issues once online. HUAWEI CLOUD takes the security requirements identified in the security design stage, penetration test cases from the attacker's perspective, and industry standards, develops corresponding security testing tools, and conducts multiple rounds of security testing before a cloud service is released, to ensure that released cloud services meet security requirements. Testing is conducted in a test environment isolated from the production environment, and the use of production data for testing is avoided. If production data is used for testing, it must be masked or anonymized, and must be cleaned up after use.


5.3.2(8) IT Incident and Problem Management

Specific Control Requirements:
A FI must properly and promptly manage IT incidents and problems; the incidents and problems must be recorded, analyzed, and reported, together with their resolutions, to the board of directors, designated committee or senior management in a timely manner. In addition, the FIs must identify the root causes of those problems in order to resolve the actual problems and prevent a recurrence of the incidents.

HUAWEI CLOUD Response:
HUAWEI CLOUD, as a CSP, is responsible for incident and problem management of its infrastructure and its cloud services (IaaS, PaaS, and SaaS). HUAWEI CLOUD has developed a complete incident management process and regularly reviews and updates it. HUAWEI CLOUD has a 24/7 professional security incident response team responsible for real-time monitoring and notification. The team follows standard criteria for response and resolution times, and can quickly detect, demarcate, isolate, and recover from major incidents. Incidents are escalated and communicated according to their real-time status. Moreover, HUAWEI CLOUD regularly conducts statistical and trend analysis of incidents, and the problem management team identifies the root causes of similar incidents and develops solutions to eliminate such incidents at the source.


5.3.2(9) IT Business Continuity Plan

Specific Control Requirements:
(9.1) A FI must set up a working group or appoint a particular unit to be responsible for preparing an IT business continuity plan, which must be in writing and in line with the specified policy.
(9.3) An IT business continuity plan must be practical, so that it can effectively be used to mitigate losses, and must be in accordance with the Policy Statement of the BoT Re: Business Continuity Management (BCM) and Business Continuity Planning (BCP) of FIs. The plan must specify the recovery time objective (RTO) and recovery point objective (RPO), which depend on the materiality of the system, as well as the maximum tolerable period of disruption (MTPD), to ensure the continuity of the business operations of the FIs and that the plan can deal with incidents that may lead to a disruption of or damage to the system, such as cyber threats or natural disasters. The plan will also ensure that the FIs can rapidly recover the system and return to normal operations.
(9.5) An IT business continuity plan must be reviewed and tested at least once a year or when there is any significant change.
(9.6) A FI must set up a disaster recovery site that is ready to operate whenever the primary site encounters a disruption. The disaster recovery site should be remote from the primary site to ensure that they do not share the same disruptions or are affected by the same causes at the same time, such as power outages or natural disasters.

HUAWEI CLOUD Response:
Customers should establish their own mechanisms for business continuity and define RTO and RPO metrics to ensure the continuity of their key businesses. If FIs need HUAWEI CLOUD's participation in their business continuity plans, HUAWEI CLOUD will actively cooperate. To provide continuous and stable cloud services to customers, HUAWEI CLOUD has obtained ISO 22301 certification and maintains a business continuity management system for the cloud that suits customers' business needs. HUAWEI CLOUD carries out business continuity promotion and training within the organization every year, and conducts emergency drills and tests regularly to continuously optimize its emergency response. Under this framework, HUAWEI CLOUD carries out regular business impact analysis, identifies key business, and determines the recovery targets and minimum recovery levels of key business. In identifying key business, the impact of business interruption on cloud service customers is regarded as an important criterion. To meet customer compliance requirements, HUAWEI CLOUD has formulated a sound recovery strategy for the key businesses supporting the continuous operation of cloud services, according to the requirements of its internal business continuity management system. As a supplier to cloud service customers, HUAWEI CLOUD will actively cooperate with customer-initiated test requests and help customers test the effectiveness of their business continuity plans.
HUAWEI CLOUD tests its business continuity plans and disaster recovery plans annually according to the requirements of its internal business continuity management system. All emergency response personnel, including reserve personnel, must participate. The tests include desktop exercises, functional exercises and full-scale exercises, with emphasis on high-risk scenarios. During testing, HUAWEI CLOUD selects test scenarios, develops complete test plans and procedures, and records test results. After a test, the relevant personnel write a test report and summarize any problems found. If the test results reveal problems with the business continuity plan, recovery strategy or emergency plan, the documents are updated. To meet customer compliance requirements, HUAWEI CLOUD audits and updates all system documents every year according to the requirements of its internal business continuity management system. HUAWEI CLOUD maintains a list of contacts to be reached in case of an emergency and updates it promptly when notified of personnel changes. Multiple copies of documents such as the business continuity plan, emergency response plan and disaster recovery operation manual are stored both electronically and on paper and are distributed to relevant management and other key personnel.
Customers can rely on the Region and Availability Zone (AZ) architecture of the HUAWEI CLOUD data center clusters for disaster recovery and backup of their business systems. Data centers are deployed around the world according to defined rules, and customers can set up disaster recovery and backup across two separate sites. If a failure occurs, the system automatically transfers customer applications and data away from the affected areas to ensure business continuity, subject to compliance policies. HUAWEI CLOUD has also deployed a Global Server Load Balance Center, so that customer applications can be deployed N+1 across data centers: if one data center fails, traffic is balanced to the other centers.


5.3.2(10) Third Party Management

Specific Control Requirements:
(10.1) Define clearly and in writing the roles and responsibilities between FIs and third parties, and stipulate the conditions under which the BoT has the right to inspect the operations of third parties;
(10.2) Monitor and manage risks arising from connecting with or obtaining information from third parties when using their services;
(10.3) Ensure that the information security of the third party conforms to the information technology security standards of the FIs and recognized international standards of network security;
(10.4) Respond in time to possible events, and to events that have a significant impact on FIs, to ensure that they can continue to conduct business.

HUAWEI CLOUD Response:
HUAWEI CLOUD provides online versions of the HUAWEI CLOUD Customer Agreement and the HUAWEI CLOUD Service Level Agreement, which specify the content and level of the services provided, as well as the responsibilities of HUAWEI CLOUD. HUAWEI CLOUD has also developed an offline contract template, which can be customized according to the needs of different customers. Where applicable, the audit and supervision rights of customers and regulatory authorities are stipulated in the agreement signed with the customer. If a FI initiates an audit request to HUAWEI CLOUD, HUAWEI CLOUD will assign responsible personnel to actively cooperate with the audit. HUAWEI CLOUD has obtained ISO 27001, ISO 27017, ISO 27018, SOC, CSA STAR and other international security and privacy protection certifications, and is audited by third parties every year. In addition, HUAWEI CLOUD has developed a complete emergency contingency plan, which details the organization, procedures and operating norms of emergency response, and conducts regular tests to ensure the continuous operation of cloud services and the security of customer business and data.


7 How HUAWEI CLOUD Meets the Requirements of OSEC Rules in Detail on Establishment of Information Technology System and Guidelines for Establishment of Information Technology System

The Rules in Detail on Establishment of Information Technology System set out the managerial requirements of the OSEC for intermediaries engaged in securities services on enterprise IT governance and information security when establishing an information technology system. The Guidelines for Establishment of Information Technology System are a further interpretation of the management requirements of the Rules in Detail on Establishment of Information Technology System, providing considerations and best practices for meeting those requirements.

When intermediaries comply with the above regulatory requirements, HUAWEI CLOUD, as a cloud service provider, may participate in some of the activities involved. The following content summarizes the compliance requirements in the Rules in Detail on Establishment of Information Technology System and the Guidelines for Establishment of Information Technology System that relate to cloud service providers, and explains how HUAWEI CLOUD, as a cloud service provider, can help intermediaries meet these requirements.

7.1 Information Security Policy
Clause 5 of the Rules in Detail on Establishment of Information Technology System requires intermediaries to formulate information security policies and measures. The relevant control requirements and HUAWEI CLOUD's responses are as follows:


5(3) Information Security Policy

Specific Control Requirements:
An intermediary shall establish a documented policy on the governance of information technology, covering at least: (3) establishment of policies and measures on information security under Clause 8 and Clause 9.

HUAWEI CLOUD Response:
Customers should establish and regularly review formal information security policies and processes. In accordance with ISO 27001, HUAWEI CLOUD has built a comprehensive information security management system and formulated an overall information security strategy. It defines the structure and responsibilities of the information security management organization, the management methods for information security system documents, and the key directions and objectives of information security, including asset security, access control, cryptography, physical security, operational security, communication security, system development security, supplier management, information security incident management, and business continuity. HUAWEI CLOUD protects the confidentiality, integrity, and availability of customer systems and data in one comprehensive effort. In addition, HUAWEI CLOUD focuses on developing security awareness among employees and outsourced personnel, and has developed an applicable security awareness training program.

7.2 Organization of Information Security

Clauses 9 and 10 of Rules in Detail on Establishment of Information Technology System require intermediaries to make arrangements regarding the organization of information security and to formulate information security policies related to the use of cloud computing services. The relevant control requirements and HUAWEI CLOUD's responses are as follows:


No.: 10(1)(2)
Control Domain: Internal Organization
Specific Control Requirements: An intermediary shall have in place the management arrangement for the organization of information security in accordance with the following criteria:
(1) define and record information security roles and responsibilities and establish operating guidelines for the personnel of the intermediary;
(2) establish a cross-check for operation of information security to prevent potential risks;
HUAWEI CLOUD Response: Customers should clarify the internal organization of information security, define information security roles and responsibilities, and establish a mechanism for segregation of duties or cross-checks for information security. Huawei prioritizes cybersecurity as one of the company's key strategies, and implements it top-to-bottom through its entire governance structure. From an organizational structure perspective, the GSPC (Global Security & Privacy Committee) functions as the highest cybersecurity management organizational unit, making decisions on and issuing approvals of the company's overall cybersecurity strategy. The GSPO (Global Security & Privacy Officer) and its office are responsible for formulating and executing Huawei's end-to-end cybersecurity framework. The GSPO reports directly to the company's CEO. HUAWEI CLOUD has established a responsibility separation mechanism to separate internal responsibilities and authorities. HUAWEI CLOUD implements role-based access control for internal personnel, which limits personnel permissions to only the operations required for their individual role. While minimizing permission allocation and implementing strict behavioral auditing, it ensures that employees cannot use network analysis and monitoring tools without authorization.


No.: 9(2)
Control Domain: Mobile Devices and Teleworking
Specific Control Requirements: An intermediary shall establish the information security policy which addresses at least the following matters:
(2) the measures on the use of cloud computing under the policy established in Clause 8(1), which covers:
(a) an agreement between the cloud provider and the intermediary which contains at least the following matters:
1. roles and responsibilities of the cloud provider and the liabilities to the intermediary in the case that the cloud provider fails to comply with the agreement;
2. the operating procedures that meet the internationally-accepted information security standards;
3. measures on IT security, access control, and information disclosure;
4. audit of the cloud provider's operation by an independent auditor;
5. conditions in the case that the cloud provider subcontracts to another cloud provider and the provision on liabilities that may arise due to the operation of such cloud provider;
(b) qualifications of the subcontracted cloud provider on information security which are comparable to those of the cloud provider or meet the international standards;
(c) monitoring, evaluation, and review of the service performance of the cloud provider;
(d) procedures for data migration to the new cloud provider in case of any replacement of the cloud provider.
HUAWEI CLOUD Response: Customers should establish an information security management system related to their cloud service provider and specify information security requirements when using cloud services. HUAWEI CLOUD provides online versions of the HUAWEI CLOUD Customer Agreement and the HUAWEI CLOUD Service Level Agreement, which specify the content and level of the services provided, as well as the responsibilities of HUAWEI CLOUD. HUAWEI CLOUD has also developed an offline contract template, which can be customized according to the needs of different customers, for example: auditing the cloud service provider's operation through an independent auditor; or the conditions and responsibilities applying to HUAWEI CLOUD when subcontracting services to other suppliers. HUAWEI CLOUD follows ISO 27001, ISO 20000, ISO 22301 and other international standards to establish a sound information security management system, IT service management system and business continuity management system, and to meet the requirements applicable to the daily operation of these systems. HUAWEI CLOUD carries out risk assessment, management review, and other activities every year to identify problems in the operation of these systems and rectify them, so as to continuously improve the management system. HUAWEI CLOUD receives regular audits from professional third-party auditing institutions every year and provides professional assistance to actively respond to and cooperate with audit activities initiated by customers. When the service agreement terminates, customers can migrate content data out of HUAWEI CLOUD through the Object Storage Migration Service (OMS) and Server Migration Service (SMS) provided by HUAWEI CLOUD, for example to a local data center.

7.3 Access Control

Clause 20 of Rules in Detail on Establishment of Information Technology System requires intermediaries to implement access control on data and information systems. The relevant control requirements and HUAWEI CLOUD's responses are as follows:


No.: 20(1)
Control Domain: Business User Access Management
Specific Control Requirements: An intermediary shall implement access control of information and information systems in accordance with the following criteria:
(1) there shall be user management in place to limit access to authorized users only, as follows:
(a) a formal user registration process to enable assignment of access rights;
(b) the allocation and use of privileged access rights should be restricted and controlled;
(c) the allocation of passwords should be controlled through a formal management process;
(d) monitor and review the users' access rights at a regular interval.
HUAWEI CLOUD Response: Customers should establish a user access management mechanism to restrict and supervise access to the system. Customers can manage the user accounts that use cloud resources through HUAWEI CLOUD Identity and Access Management (IAM). In addition to password authentication, IAM supports multi-factor authentication as an option, and the customer can choose whether to enable it. If the customer has a secure and reliable external authentication service provider, externally federated users authenticated through IAM can be mapped to temporary users of HUAWEI CLOUD and access the customer's HUAWEI CLOUD resources. IAM supports hierarchical and fine-grained authorization: administrators can plan the level of cloud resource access based on each user's responsibilities. They can also restrict malicious access from untrusted networks by setting security policies such as access control lists. In addition, HUAWEI CLOUD's Cloud Trace Service (CTS) provides collection, storage, and querying of operational records for a variety of cloud resources, to support common scenarios such as security analysis, compliance auditing, resource tracking, and fault location. To meet the compliance requirements of customers, HUAWEI CLOUD has established a sound operation and maintenance account management mechanism: when operational personnel try to access Huawei's cloud management network for centralized management of the system, an employee identity account and two-factor authentication are required. All operations accounts are centrally managed, centrally monitored, and automatically audited by LDAP through a unified operational audit platform, to ensure that the processes from user creation, authorization, and authentication through to permission revocation are fully managed. RBAC permission management is also implemented according to different business dimensions and the different responsibilities within the same business, to ensure that personnel with different responsibilities in different positions can access only the equipment covered by their role.


No.: 20(3)
Control Domain: System and Application Access Control
Specific Control Requirements: An intermediary shall implement access control of information and information systems in accordance with the following criteria:
(3) there shall be controls of unauthorized access to information systems and applications as follows:
(a) control access of users and system administrators to information and application system functions in accordance with the defined access rights;
(b) control access to information systems and applications by a secured log-on procedure;
(c) establish password management systems to ensure security of passwords;
HUAWEI CLOUD Response: Customers should establish access management controls to monitor their employees' access to systems and applications. HUAWEI CLOUD Identity and Access Management (IAM) provides cloud resource access control for customers. With IAM, the customer administrator can manage user accounts and control the operation permissions of these user accounts on the resources under the customer's name. When multiple users cooperatively operate resources in a customer enterprise, IAM avoids sharing account keys with other users, assigns users minimum privileges on demand, and ensures the security of user accounts by setting a login authentication policy, a password policy and an access control list. Through the above means, customers can effectively control privileges and emergency accounts. In addition, HUAWEI CLOUD provides operating records of cloud service resources for users to query, audit and trace back through Cloud Trace Service (CTS). At the same time, when HUAWEI CLOUD O&M personnel access the HUAWEI CLOUD Management Network for centralized management of the system, they must use uniquely identifiable employee identity accounts. User accounts are governed by strong password security policies, and passwords are changed regularly to prevent brute-force attacks. In addition, two-factor authentication, such as a USB key or smart card, is used to authenticate cloud personnel. Employee accounts are used to log on to the VPN and access gateway, enabling in-depth auditing of user logins.


7.4 Cryptographic Control

Clause 8(2) of Rules in Detail on Establishment of Information Technology System requires intermediaries to establish cryptographic controls and a key management system. The relevant control requirements and HUAWEI CLOUD's response are as follows:


No.: 8(2)
Control Domain: Cryptographic Control
Specific Control Requirements: An intermediary shall establish a documented information security policy which addresses at least the following matters: (2) policy on the use of cryptographic controls and key management for protection of sensitive and critical information.
HUAWEI CLOUD Response: When customers use encryption to protect data, they should consider using industry-approved encryption algorithms and key management mechanisms. Currently, services including Elastic Volume Service (EVS), Object Storage Service (OBS), Image Management Service (IMS) and Relational Database Service (RDS) provide data encryption or server-side encryption functions and encrypt data using high-strength algorithms. The server-side encryption function integrates the Key Management Service (KMS) of HUAWEI CLOUD Data Encryption Workshop (DEW), which provides full-lifecycle key management. Without authorization, others cannot obtain the keys needed to decrypt data, which ensures data security on the cloud. DEW adopts a layered key management mechanism: a hardware security module (HSM) creates and manages keys for customers, and is FIPS 140-2 (Level 2 and Level 3) certified to meet users' data security compliance requirements. Even Huawei O&M personnel cannot obtain the root key. DEW also allows customers to import their own keys as master keys for unified management, facilitating seamless integration with customers' services. At the same time, HUAWEI CLOUD adopts a mechanism of online redundant storage of user master keys, multiple physical offline backups of root keys and regular backups to ensure the durability of the keys. See section 6.8.2 Data Encryption Workshop (DEW) of the HUAWEI CLOUD Security White Paper for more information.
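The layered key management described above (master keys held inside an HSM-backed service, customer-imported master keys, and per-object data keys that only a holder of the master key can unwrap) is the envelope encryption pattern. The Go program below is an added example written for this guide, not HUAWEI CLOUD's or DEW's code: the in-memory KeyStore stands in for the HSM-backed service, the key IDs and sample record are constructed, and AES-256-GCM is assumed as the wrapping and data cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG; weak key material is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newGCM returns an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh nonce, binding aad; output is nonce||ciphertext||tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, the aad or any ciphertext byte differs.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short (%d bytes)", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KeyStore stands in for the HSM-backed master-key layer: master keys are created or
// imported here and never leave; callers hold only wrapped data keys and ciphertext.
type KeyStore struct{ masterKeys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{masterKeys: map[string][]byte{}} }

// CreateMasterKey generates a 256-bit master key inside the store.
func (ks *KeyStore) CreateMasterKey(id string) { ks.masterKeys[id] = randomBytes(32) }

// ImportMasterKey models bring-your-own-key: the customer supplies 32 bytes of key material.
func (ks *KeyStore) ImportMasterKey(id string, material []byte) {
	ks.masterKeys[id] = append([]byte(nil), material...) // private copy; caller may wipe its buffer
}

// Encrypt protects plaintext with a fresh per-object data key and returns that key wrapped under
// masterID plus the ciphertext; masterID is bound as AAD of the wrap so the key cannot be relabelled.
func (ks *KeyStore) Encrypt(masterID string, plaintext []byte) (wrappedKey, ciphertext []byte, err error) {
	mk, ok := ks.masterKeys[masterID]
	if !ok {
		return nil, nil, fmt.Errorf("unknown master key %q", masterID)
	}
	dk := randomBytes(32)
	if ciphertext, err = seal(dk, plaintext, nil); err != nil {
		return nil, nil, err
	}
	if wrappedKey, err = seal(mk, dk, []byte(masterID)); err != nil {
		return nil, nil, err
	}
	return wrappedKey, ciphertext, nil
}

// Decrypt unwraps the data key inside the store, then decrypts; without the master key it fails at step one.
func (ks *KeyStore) Decrypt(masterID string, wrappedKey, ciphertext []byte) ([]byte, error) {
	mk, ok := ks.masterKeys[masterID]
	if !ok {
		return nil, fmt.Errorf("unknown master key %q", masterID)
	}
	dk, err := open(mk, wrappedKey, []byte(masterID))
	if err != nil {
		return nil, err
	}
	return open(dk, ciphertext, nil)
}

func main() {
	ks := NewKeyStore()
	ks.CreateMasterKey("cmk-ledger") // hypothetical key ID
	wk, ct, _ := ks.Encrypt("cmk-ledger", []byte("constructed sample record"))
	pt, err := ks.Decrypt("cmk-ledger", wk, ct)
	fmt.Printf("%q %v\n", pt, err)
}
```

A store that lacks the master key, or holds different material under the same ID, fails at the unwrap step, and any modified or truncated ciphertext is rejected by the GCM tag rather than decrypted to garbage.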


7.5 Physical and Environmental Security

Clauses 18 and 19 of Rules in Detail on Establishment of Information Technology System require intermediaries to establish physical and environmental security controls to protect their IT assets. The relevant control requirements and HUAWEI CLOUD's responses are as follows:


No.: 18(1)(2) & 19
Control Domain: Physical and Environmental Security
Specific Control Requirements: An intermediary shall establish physical and environmental security measures to protect IT assets in accordance with the following criteria:
(1) assess the security requirements of IT assets based on the results of a risk assessment and their criticality;
(2) define the secure areas and the siting of the critical IT assets to ensure security and prevent unauthorized physical access.
In addition to the physical and environmental security measures under Clause 18, an intermediary shall prevent loss, damage, theft or compromising of equipment assets, and interruption by irrelevant personnel to the organization's operation.
HUAWEI CLOUD Response: Customers should develop and implement physical and environmental security management mechanisms. HUAWEI CLOUD has established comprehensive physical security and environmental safety protection measures, strategies, and procedures that comply with the Class A standard of GB 50174 Code for Design of Electronic Information System Room and the T3+ standard of TIA-942 Telecommunications Infrastructure Standard for Data Centers. HUAWEI CLOUD data centers are located on suitable physical sites, as determined from solid site surveys. During the design, construction, and operation stages, the data centers have proper physical zoning and well-organized placement of information systems and components, which helps prevent potential physical and environmental risk scenarios (for example, fire or electromagnetic leakage) as well as unauthorized access. Furthermore, sufficient data center space and adequate electrical, networking, and cooling capacities are reserved in order to meet not only today's infrastructure requirements but also the demands of tomorrow's rapid infrastructure expansion. The HUAWEI CLOUD O&M team enforces stringent access control, safety measures, regular monitoring and auditing, and emergency response measures to ensure the physical security and environmental safety of HUAWEI CLOUD data centers. See section 5.1 Physical and Environmental Security of the HUAWEI CLOUD Security White Paper for more information.


7.6 Operations Security

Clause 23 of Rules in Detail on Establishment of Information Technology System requires intermediaries to establish controls for operational security related to information systems. The relevant control requirements and HUAWEI CLOUD's responses are as follows:


No.: 23(1)
Control Domain: Operational Procedures and Responsibilities
Specific Control Requirements: An intermediary shall establish measures for operations security relating to information systems in accordance with the following criteria: (1) define operating procedures relating to the information systems to ensure correct and secure operations;
HUAWEI CLOUD Response: Customers should consider managing changes through formal procedures. Customers should establish formal capacity management procedures to monitor their cloud resources and ensure that they meet the needs of business growth. When deploying a development environment, a test environment, and a production environment, customers should ensure that the physical and logical aspects of these environments are isolated and that access to each environment is strictly managed.
Change management: To meet customer compliance requirements, HUAWEI CLOUD has formulated a standardized change management process. Any change to the environment takes place only through an orderly management process. After change requests are generated, they are submitted to the HUAWEI CLOUD Change Committee by the change manager team with a change classification assigned. After the committee has reviewed and approved the requests, the planned changes can be implemented on the production network. Before a change request is submitted, the change must undergo a testing process that includes production-like environment testing, pilot release, and/or blue/green deployment. This ensures that the change committee clearly understands the change activities involved, their duration, the failure rollback procedure, and all potential impacts.
Capacity management: Customers can use HUAWEI CLOUD's Cloud Eye Service (CES), which provides multi-dimensional monitoring of Elastic Cloud Server (ECS), bandwidth, and other resources. The monitoring object of CES is the resource usage data of infrastructure, platform, and application services; CES does not monitor or access tenant data. CES can currently monitor indicators of the following cloud services: Elastic Cloud Server (ECS), Elastic Volume Service (EVS), Virtual Private Cloud Service (VPC), Relational Database Service (RDS), Distributed Caching Service (DCS), Distributed Message Service (DMS), Elastic Load Balancing (ELB), Elastic Scaling Service (AS), Web Application Firewall (WAF), Host Vulnerability Detection Service (HVD), Cloud Desktop Service (Workspace), Machine Learning Service (MLS), Web Tamper Protection Service (WTP), Data Warehouse Service (DWS), Artificial Intelligence Service (AIS), and so on. These metrics allow users to set alert rules and notification policies to keep abreast of the health and performance of instance resources for each service. HUAWEI CLOUD has also developed a complete performance and capacity management process. Through early identification of resource requirements, and overall management of platform resource capacity and equipment inventory, HUAWEI CLOUD can continuously optimize resource utilization and resource availability levels, and ultimately ensure that cloud resources meet the business needs of users.
Separation of development, testing and operating environments: Huawei development and testing processes follow unified system (software) security development management specifications, and access to the various environments is strictly controlled.


No.: 23(2)
Control Domain: Protection against Malware
Specific Control Requirements: An intermediary shall establish measures for operations security relating to information systems in accordance with the following criteria: (2) establish measures for prevention against, and detection of, malware and measures for recovering information systems from malware attacks;
HUAWEI CLOUD Response: Customers should establish controls to prevent and detect malware. HUAWEI CLOUD ensures the secure introduction and use of open source and third-party software based on the principle of "strict entry, wide use". HUAWEI CLOUD has formulated clear security requirements and complete process control solutions for introduced open source and third-party software, and strictly controls selection analysis, security testing, code security, risk scanning, legal review, software application, and software exit. In addition, in order to ensure the safe and stable operation of Huawei's cloud platform and network, HUAWEI CLOUD has adopted a series of management measures, including: vulnerability analysis and handling, log monitoring, incident response, optimization of the default security configuration of cloud products, security patch deployment, antivirus software deployment, regular backup of system and device profiles, and testing of backup effectiveness. Huawei PSIRT and HUAWEI CLOUD's security O&M team have established a mature and comprehensive program and framework for vulnerability detection, identification, response, and disclosure. Additionally, HUAWEI CLOUD actively implements quality assurance of cloud product and platform security, and conducts internal and third-party penetration testing and security assessments each year to ensure the HUAWEI CLOUD environment is secure.


No.: 23(3)
Control Domain: Backup
Specific Control Requirements: An intermediary shall establish measures for operations security relating to information systems in accordance with the following criteria: (3) back up critical business information, computer operating systems, and application software, and test the backup ability at least once a year.
HUAWEI CLOUD Response: Customers should establish a backup management mechanism to back up key business data, operating systems and software applications. HUAWEI CLOUD provides multi-granularity data backup and archiving services to meet customers' requirements in specific scenarios. Customers can use the versioning function of OBS, Volume Backup Service (VBS), and Cloud Server Backup Service (CSBS) to back up in-cloud documents, disks, and servers. Benefiting from the on-demand use, scalability, and high reliability features of cloud services, customers can also back up data through HUAWEI CLOUD's data backup and archiving service to ensure that data will not be lost in the event of a disaster. Customers can rely on the Region and Availability Zone (AZ) architecture of the HUAWEI CLOUD data center cluster for disaster recovery and backup of their business systems. Data centers are deployed around the world according to defined rules, so customers can have disaster backup centers in two separate locations. If a failure occurs, the system automatically transfers customer applications and data away from the affected areas to ensure business continuity while meeting compliance policies. HUAWEI CLOUD has also deployed a Global Server Load Balance Center. Customer applications can achieve N+1 deployment across data centers; even if one data center fails, traffic load can be balanced to other centers.


No.: 23(4)

Control Domain: Logging and Monitoring

Specific Control Requirements: An intermediary shall establish measures for operations security relating to information systems in accordance with the following criteria: (4) completely and sufficiently store and record logs for inspection of conflicts of interest in the organization, use of information and information systems in compliance with assigned roles and responsibilities, unauthorized access, abnormal and/or illegal use of information systems. Logs recorded from the use of critical information systems should be required to monitor and analyze based on the risk assessment of the organization.

HUAWEI CLOUD Response: Customers should establish a log management process to record and store, as well as to monitor and analyze, the logs of key information systems completely and sufficiently. HUAWEI CLOUD's Cloud Trace Service (CTS) provides operating records of cloud service resources for users to query and for auditing. Three types of operations are recorded: operations performed through the management console after cloud account login, operations performed through the APIs supported by cloud services, and operations triggered within Huawei's cloud system. CTS inspects the log data sent by the various services to ensure that the data itself does not contain sensitive information, as follows:

● In the transmission phase, it ensures the accuracy and comprehensiveness of log information transmission and preservation by means of identity authentication, format checking, whitelist checking and a one-way receiver system;

● In the storage phase, it adopts multiple backups according to Huawei's network security specifications and makes sure that the data is transmitted and preserved accurately and comprehensively.

The security of the database itself is strengthened to eliminate the risks of counterfeiting, denial, tampering and information leakage. Finally, CTS supports encrypted data storage in OBS buckets.

HUAWEI CLOUD uses a centralized and comprehensive log system based on big data analytics. The system collects management behavior logs of all physical devices, networks, platforms, applications, databases, and security systems, as well as the threat detection logs of security products and components. The logs support cybersecurity event backtracking and compliance, and include the following information: resource IDs (such as source IP addresses, host IDs, and user IDs), event types, date and time, IDs of the affected data/components/resources (such as destination IP addresses, host IDs, and service IDs), and success or failure information. This log analysis system supports massive data storage and powerful search and query features: it can store all logs for over 180 days and supports real-time queries within 90 days. HUAWEI CLOUD also has a dedicated internal audit department that performs periodic audits of O&M activities.
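As an added illustration (not HUAWEI CLOUD's code, and not the real CTS export format), the following Python checks constructed audit records for the fields listed above, rejects records from outside the three CTS operation sources, and sorts the rest into the 90-day real-time query window and the 180-day retention window; the JSON shape and field names are assumptions.

```python
# Added example (not HUAWEI CLOUD's own code): completeness and retention
# checks over audit records shaped like the log fields the text lists.
# The JSON shape and field names are assumptions, not the real CTS format.
import json
from datetime import datetime, timedelta, timezone

# Every entry must carry these (names assumed): the acting resource ID
# (source IP / host ID / user ID), event type, date and time, the affected
# resource ID (destination IP / host ID / service ID), and success/failure.
# "source" records which of the three CTS operation types produced it.
REQUIRED_FIELDS = {"source_id", "event_type", "timestamp", "target_id",
                   "result", "source"}
VALID_SOURCES = {"console", "api", "system"}
VALID_RESULTS = {"success", "failure"}

HOT_QUERY_DAYS = 90       # real-time queries are supported within 90 days
MIN_RETENTION_DAYS = 180  # all logs are stored for over 180 days


def parse_timestamp(value):
    """Return an aware datetime, or None if the value is unusable."""
    try:
        ts = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    return ts if ts.tzinfo is not None else None


def validate_record(rec):
    """Return the list of completeness problems; empty means sufficient."""
    problems = [f"missing field {f}" for f in sorted(REQUIRED_FIELDS - set(rec))]
    if "source" in rec and rec["source"] not in VALID_SOURCES:
        problems.append(f"unknown source {rec['source']!r}")
    if "result" in rec and rec["result"] not in VALID_RESULTS:
        problems.append(f"unknown result {rec['result']!r}")
    if "timestamp" in rec and parse_timestamp(rec["timestamp"]) is None:
        problems.append("timestamp is not ISO 8601 with a timezone")
    return problems


def retention_tier(rec, now):
    """hot: real-time query window; archive: still retained; expired: beyond retention."""
    age = now - parse_timestamp(rec["timestamp"])
    if age <= timedelta(days=HOT_QUERY_DAYS):
        return "hot"
    if age <= timedelta(days=MIN_RETENTION_DAYS):
        return "archive"
    return "expired"


def audit_log_lines(lines, now):
    """Parse JSON lines into (records grouped by tier, rejected lines with reasons)."""
    tiers = {"hot": [], "archive": [], "expired": []}
    rejected = []
    for lineno, line in enumerate(lines, start=1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((lineno, ["not valid JSON"]))
            continue
        problems = validate_record(rec) if isinstance(rec, dict) else ["not a JSON object"]
        if problems:
            rejected.append((lineno, problems))
            continue
        tiers[retention_tier(rec, now)].append(rec)
    return tiers, rejected


# Constructed sample records (not real CTS output); "now" is this guide's issue date.
SAMPLE_NOW = datetime(2020, 7, 10, tzinfo=timezone.utc)
SAMPLE_LINES = [
    '{"source_id": "user:alice", "event_type": "console.login", "timestamp": "2020-07-09T10:15:00+00:00", "target_id": "svc:iam", "result": "success", "source": "console"}',
    '{"source_id": "ip:203.0.113.7", "event_type": "obs.putObject", "timestamp": "2020-06-01T02:00:00+00:00", "target_id": "bucket:ledger-backup", "result": "failure", "source": "api"}',
    '{"source_id": "host:mgmt-01", "event_type": "ecs.autoRecover", "timestamp": "2020-03-20T12:30:00+00:00", "target_id": "ecs:web-3", "result": "success", "source": "system"}',
    '{"source_id": "user:bob", "event_type": "vpc.updateSecurityGroup", "timestamp": "2020-01-01T00:00:00+00:00", "target_id": "sg:frontend", "result": "success", "source": "console"}',
    '{"source_id": "user:carol", "event_type": "rds.deleteInstance", "timestamp": "2020-07-08T09:00:00+00:00", "source": "api"}',
    '{"source_id": "user:dave", "event_type": "iam.createKey", "timestamp": "2020-07-08T09:00:00", "target_id": "key:1", "result": "success", "source": "cli"}',
    'this line is not JSON at all',
]


def demo():
    """Run the checks over the constructed sample and return the outcome."""
    return audit_log_lines(SAMPLE_LINES, SAMPLE_NOW)


if __name__ == "__main__":
    tiers, rejected = demo()
    for tier, recs in tiers.items():
        print(f"{tier}: {len(recs)} record(s)")
    for lineno, reasons in rejected:
        print(f"line {lineno} rejected: {'; '.join(reasons)}")
```

Records that fail the completeness check are the ones a log review under 23(4) would flag first, since an entry without an affected-resource ID or a success/failure result cannot support the unauthorized-access or abnormal-use inspections the clause requires.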


No.: 23(6)

Control Domain: Technical Vulnerability Management

Specific Control Requirements: An intermediary shall establish measures for operations security relating to information systems in accordance with the following criteria: (6) establish an effective management process for technical vulnerabilities as follows: (a) carry out penetration testing with critical information systems connected to untrusted networks by a person who is independent from units and responsible for information technology in accordance with the results of risk assessment; (b) carry out vulnerability assessments with all critical information systems at least once a year or upon any material change to such systems, and report the results to the compliance unit or the internal audit unit without delay;

HUAWEI CLOUD Response: Customers should establish an effective vulnerability management system and regularly conduct penetration testing on key information systems. To meet customer compliance requirements, HUAWEI CLOUD regularly conducts internal and third-party penetration testing and security assessments, with regular monitoring, checks, and removal of any security threats, so as to guarantee the security of the cloud services.

The Huawei Product Security Incident Response Team (PSIRT) became an official member of the Forum of Incident Response and Security Teams (FIRST) in 2010, through which Huawei PSIRT and the other 471 members can share incident response best practices and other security information. Huawei PSIRT has a reasonably mature vulnerability response program. The nature of HUAWEI CLOUD's self-service model makes it necessary for PSIRT to continuously optimize the security vulnerability management process and its technical means. This ensures rapid patching of vulnerabilities found in in-house-developed and third-party technologies across HUAWEI CLOUD infrastructure, IaaS, PaaS and SaaS services, mitigating risks to tenants' business operations.

In addition, Huawei PSIRT and HUAWEI CLOUD's security O&M team have established a mature and comprehensive program and framework for vulnerability detection, identification, response, and disclosure. HUAWEI CLOUD relies on this program and framework to manage vulnerabilities and ensure that vulnerabilities in HUAWEI CLOUD infrastructure, cloud services, and O&M tools, regardless of whether they are found in Huawei's or third-party technologies, are handled and resolved within SLAs. HUAWEI CLOUD strives to reduce, and ultimately prevent, service impacts on our customers arising from vulnerability exploitation. See section 8.2 Vulnerability Management of the HUAWEI CLOUD Security White Paper for more information.

7.7 Communication Security

Clause 22 of Rules in Detail on Establishment of Information Technology System requires intermediaries to establish controls for communication security. The relevant control requirements and HUAWEI CLOUD's responses are as follows:


No.: 22(2)(3)

Control Domain: Network Security Management

Specific Control Requirements: An intermediary shall establish measures for communications security in accordance with the following criteria: (2) arrange network services agreements (including service levels, management requirements, and security mechanisms of all network services) with service providers; (3) segregate network domains properly, define the perimeter of each domain clearly, and control the access to each domain in a secure way.

HUAWEI CLOUD Response: Customers should establish a network security management system to ensure that all information located and processed within their network is protected. HUAWEI CLOUD cooperates with customers to exercise supervision over technology outsourcing. The online version of the HUAWEI CLOUD Customer Agreement defines the security responsibilities of cloud service customers and Huawei, while the HUAWEI CLOUD Service Level Agreement stipulates the level of products/services provided, including the commitment to service availability and compensation when the agreed service level is not met.

HUAWEI CLOUD ensures that the development, configuration, deployment, and operation of its various cloud technologies are secure. Therefore, from the initial phase, HUAWEI CLOUD strictly implements the corresponding control measures to ensure HUAWEI CLOUD is secure in its architecture design, equipment selection, host network (with a variety of multi-layer physical and virtual network security isolation methods), access control, border protection technology, configuration, and other aspects.

Customers can use Virtual Private Cloud (VPC) and Elastic Load Balance (ELB) for network isolation and load balancing between different regions. The VPC service provided by HUAWEI CLOUD lets customers create a private network environment for tenants and realizes complete isolation of different tenants at the network layer (layer 3). Tenants have full control over the construction and configuration of their own virtual network, and can configure network ACL and security group rules to strictly control the network traffic entering and leaving subnets and virtual machines, meeting customers' needs for finer-grained network isolation. ELB automatically distributes access traffic among multiple Elastic Cloud Servers, improving the ability of application systems to provide service and enhancing the fault tolerance of application programs.

Customers can rely on the Region and Availability Zone (AZ) architecture of the HUAWEI CLOUD data center cluster for disaster recovery and backup of their business systems. Data centers are deployed around the world according to defined rules, so customers can keep disaster backup centers in two locations. If a failure occurs, the system automatically transfers customer applications and data away from the affected areas to ensure business continuity while meeting compliance policies. HUAWEI CLOUD has also deployed a Global Server Load Balance Center. Customer applications can achieve N+1 deployment across data centers: even if one data center fails, traffic load can be balanced to the other centers.

HUAWEI CLOUD has deployed a full-network alarm system that continuously monitors the resource utilization of all network equipment. When resource utilization reaches a preset threshold, the alarm system issues a warning, and O&M personnel take prompt measures to ensure the continuous operation of customer cloud services to the greatest extent.


No.: 22(4)(5)

Control Domain: Information Transfer

Specific Control Requirements: An intermediary shall establish measures for communications security in accordance with the following criteria: (4) put in place procedures to protect information transfer through computer network systems; (5) arrange for the personnel of the intermediary or an outsourcee (if any) to have in place confidentiality or a non-disclosure agreement.

HUAWEI CLOUD Response: Customers should establish a data management mechanism to ensure data confidentiality and integrity. Customers can use agreement constraints, reviews, and other means to ensure that the security policies, procedures, and controls of their service providers enable them to protect the confidentiality and security of their customer information.

Customers can encrypt data through HUAWEI CLOUD's data storage and encryption services. HUAWEI CLOUD encapsulates the complex data encryption, decryption, and key management logic, which makes encrypting customer data straightforward. Currently, services including Elastic Volume Service (EVS), Object Storage Service (OBS), Image Management Service (IMS) and Relational Database Service provide data encryption or server-side encryption functions and encrypt data using high-strength algorithms. The server-side encryption function integrates the key management function (DEW) of Huawei's cloud data encryption service. The HSM used by this function has passed strict international security certification and can prevent intrusion and tampering; even Huawei's operation and maintenance personnel cannot access a customer's root key. For data in transmission, when customers provide website services over the Internet, they can use the certificate management services that HUAWEI CLOUD provides together with globally well-known certificate service providers. By applying for and configuring certificates for their websites, customers obtain trusted identity authentication of the websites and secure transmission based on encryption protocols. For hybrid cloud deployments and globally distributed customer services, customers can use the Virtual Private Network (VPN), Direct Connect (DC), Cloud Connect (CC), and other services provided by HUAWEI CLOUD to realize business interconnection and secure data transmission between different regions.

Among these, the VPN service uses Huawei's professional equipment and builds a VPN over the Internet based on the IKE and IPsec protocols. It constructs a secure and reliable encrypted transmission channel between a local data center and HUAWEI CLOUD VPCs in different areas. Direct Connect is based on the various types of dedicated-line networks offered by carriers. It builds exclusive encrypted transmission channels between the local data center and HUAWEI CLOUD VPCs, and the physical isolation between customer dedicated lines meets higher security and stability requirements. Cloud Connect can quickly establish a private communication network between multiple local data centers and multiple cloud VPCs, support the interconnection of cross-cloud VPCs, and greatly improve the security and speed of the global expansion of customer services.

HUAWEI CLOUD strictly adheres to the principle of "not accessing customer data without permission" and explicitly states in the user agreement that it will not access or use the user's content unless this is necessary to provide the services to the user or to comply with laws and regulations or binding orders of government institutions. If an FI initiates a confidentiality requirement, HUAWEI CLOUD will arrange a specialist to actively cooperate. HUAWEI CLOUD will avoid unauthorized information disclosure, and the expected actions to be taken on termination or violation of the agreement, the audit and supervision rights of customers over HUAWEI CLOUD, and the responsibilities and actions of HUAWEI CLOUD will be contained in the signed agreement.

HUAWEI CLOUD has obtained ISO 27001, ISO 27017, ISO 27018, SOC, CSA STAR and other international security and privacy protection certifications, and is audited by third parties every year.

Additionally, HUAWEI CLOUD has developed a complete supplier management mechanism that regularly assesses the performance of suppliers (including outsourcing personnel). The results of the assessment are used as an important reference for the next procurement. HUAWEI CLOUD also has security compliance and confidentiality agreements with suppliers, including outsourced individuals.

7.8 System Acquisition, Development and Maintenance

Clause 24 of Rules in Detail on Establishment of Information Technology System requires intermediaries to establish security standards for development management. The relevant control requirements and HUAWEI CLOUD's responses are as follows:


No.: 24(3)(4)

Control Domain: Security in Development and Support Process

Specific Control Requirements: An intermediary shall ensure that system acquisition, development, and maintenance of the information systems meet the following criteria: (3) establish controls of development or changes to the existing information systems in compliance with the established change control procedures; (4) carry out testing of information systems developed or changed to ensure that such information systems are able to operate efficiently, process accurately, and meet the requirements of the users;

HUAWEI CLOUD Response: Customers should consider managing changes through formal procedures. To meet customer compliance requirements, HUAWEI CLOUD has formulated a standardized change management process. Any change to the environment takes place only through an orderly management process. After change requests are generated, they are submitted to the HUAWEI CLOUD Change Committee by the change manager team with a change classification assigned. After the committee has reviewed and approved the requests, the planned changes can be implemented on the production network. Before a change request is submitted, the change must undergo a testing process that includes production-like environment testing, pilot release, and/or blue/green deployment. This ensures that the change committee clearly understands the change activities involved, their duration, the failure rollback procedure, and all potential impacts.

HUAWEI CLOUD has also developed a standardized emergency change management process. If emergency changes affect users, HUAWEI CLOUD communicates with users in advance by announcement, mail, telephone, conference, or other means within the prescribed time limit. If the emergency changes cannot meet the prescribed notice time limit, the changes are escalated to HUAWEI CLOUD senior leadership, and users are notified promptly after the changes are implemented. Emergency changes are recorded. The old version and data of the program are retained before the changes are executed. Changes are carried out under two-person operation so that they proceed smoothly and the impact on the production environment is minimized. After implementation, a designated person verifies the change to ensure that it achieves its desired purpose.


No.: 24(6)(8)

Control Domain: Security in Development and Support Process

Specific Control Requirements: An intermediary shall ensure that system acquisition, development, and maintenance of the information systems meet the following criteria: (6) control people, processes, and technology associated with the development of information systems to ensure information security through the entire development lifecycle; (8) carry out testing of the developed information systems by users or independent testers.

HUAWEI CLOUD Response: Customers should establish a security development management mechanism. Huawei development and testing processes follow unified system (software) security development management specifications, and access to the various environments is strictly controlled. To meet customer compliance requirements, HUAWEI CLOUD manages the end-to-end software and hardware life cycle through complete systems and processes, as well as automated platforms and tools. The life cycle includes security requirements analysis, security design, secure coding and testing, security acceptance and release, and vulnerability management.

HUAWEI CLOUD and the related cloud services comply with security and privacy design principles and norms, laws and regulations. In the security requirements analysis and design phase, threats are analyzed according to business scenarios, data flow diagrams and networking models. When a threat is identified, the design engineer formulates mitigation measures according to the mitigation library and the security design library and completes the corresponding security design. All threat mitigation measures are eventually converted into security requirements and security functions and, according to the company's test case library, are used to design security test cases, to ensure successful implementation and ultimately the security of products and services.

HUAWEI CLOUD strictly complies with the secure coding specifications for the various programming languages issued by Huawei. Static code analysis tools are used for routine checks, and the resulting data is entered into the cloud service tool chain to evaluate coding quality. Before any cloud service is released, static code analysis alarms must be cleared, which effectively reduces coding-related security issues once the service is online. HUAWEI CLOUD takes the security requirements identified in the security design stage, penetration test cases from the attacker's perspective, and industry standards, develops corresponding security testing tools, and conducts multiple rounds of security testing before the release of cloud services to ensure that the released cloud services meet security requirements. Testing is conducted in a test environment isolated from the production environment, and the use of production data for testing is avoided. If production data is used for testing, it must be desensitized, and data cleaning is required after use.

7.9 IT Outsourcing

Clauses 8 and 25 of Rules in Detail on Establishment of Information Technology System require intermediaries to establish IT outsourcing security management controls. The relevant control requirements and HUAWEI CLOUD's responses are as follows:


No.: 8(5), 25(1)(6)(7)

Control Domain: Information Security of IT Outsourcing

Specific Control Requirements: An intermediary shall establish a documented information security policy which addresses at least the following matters: (5) policy on the use of IT outsourcing which covers selection and evaluation of the outsourcee, review of the outsourcee's qualifications, and provision associated with the use of services to ensure mitigation of risks from the outsourcee's access to the organization's IT assets;

In the case that an intermediary appoints an outsourcee to engage in its information systems function, the intermediary shall comply with the following criteria:

(1) stipulate conditions and controls relating to information security in the agreement signed by both parties;

(6) define the right of the intermediary to inspect the operation of the outsourcee to ensure compliance with the agreed conditions. With the exception where the outsourcee has a restriction to do so, the intermediary should establish another measure to ensure that the operation of the outsourcee remains in compliance with the agreed term;

(7) stipulate the term for the outsourcee to allow the OSEC to call and inspect the relevant documents or to enter and inspect the operation of the outsourcee.

HUAWEI CLOUD Response: Customers should establish the requirements and controls related to information security in the agreement signed with service providers. When outsourcing to service providers, customers should conduct due diligence, with emphasis given not only to the confidentiality of sensitive information, but also to the integrity and availability of information and information systems. Customers should regularly review service providers' financial conditions and the adequacy of their service capacity.

HUAWEI CLOUD provides online versions of the HUAWEI CLOUD Customer Agreement and the HUAWEI CLOUD Service Level Agreement, which specify the content and level of the services provided, as well as the responsibilities of HUAWEI CLOUD. HUAWEI CLOUD has also developed an offline contract template, which can be customized according to the needs of different customers. As the case may be, the auditing and supervision rights of customers and regulatory authorities will be stipulated in the agreement signed with the customer.

HUAWEI CLOUD will assign dedicated personnel to actively cooperate with such due diligence by FIs. HUAWEI CLOUD places great importance on its users' data and information assets and regards data protection as the core of Huawei's cloud security policy. HUAWEI CLOUD will continue to follow industry-leading standards for data security lifecycle management, using excellent technologies, practices, and processes to ensure the privacy of tenants' data in terms of authentication and access control, rights management, data isolation, transmission security, storage security, data deletion, physical destruction, and data backup and recovery. Inviolable ownership and control are necessary to provide users with the most effective data protection.

HUAWEI CLOUD is Huawei's cloud service brand. Since its launch in 2017, HUAWEI CLOUD has been developing rapidly and its revenue has maintained a strong growth trend. According to the Market Share: IT Services, Worldwide 2019 study released by Gartner, HUAWEI CLOUD ranked sixth in the global IaaS market and among the top three in the China market, with the fastest growth rate in the world, at 222.2%.

HUAWEI CLOUD provides cloud services online, opening to customers the access to the technology accumulation and product solutions in ICT infrastructure that Huawei has built over more than 30 years. HUAWEI CLOUD has five core technological advantages: full-stack scenario AI, a multi-dimensional framework, extreme performance, security and reliability, and open innovation. For example, in the field of artificial intelligence (AI), HUAWEI CLOUD AI has landed over 300 projects in 10 major industries, such as city, manufacturing, logistics, internet, medical treatment, and campus. In terms of multi-architecture, HUAWEI CLOUD has created a new multi-computing cloud service architecture based on "x86 + Kunpeng + Ascend", which enables various applications to run at the optimal computing power to maximize customer value.


No.: 25(2)(3)

Control Domain: Supplier Service Delivery Management

Specific Control Requirements: In the case that an intermediary appoints an outsourcee to engage in its information systems function, the intermediary shall comply with the following criteria: (2) monitor, evaluate, review, and audit service delivery of the outsourcee regularly; (3) re-assess and re-manage risks in case of changes to the processes, procedures and controls associated with information security, or changes of the outsourcee.

HUAWEI CLOUD Response: Customers should conduct an independent audit or expert assessment of their outsourced service providers on a regular basis and inform the service provider's senior management of identified issues.

If an FI initiates an audit request for HUAWEI CLOUD, HUAWEI CLOUD will arrange responsible personnel to actively cooperate with the audit. Customer audit and supervision rights over HUAWEI CLOUD will be committed to in the agreement signed with the customer, according to the situation. HUAWEI CLOUD has obtained ISO 27001, ISO 27017, ISO 27018, SOC, CSA STAR and other international security and privacy protection certifications, and is audited by third parties every year.

Additionally, HUAWEI CLOUD has developed a complete supplier management mechanism that regularly assesses the performance of suppliers (including outsourcing personnel). The results of the assessment are used as an important reference for the next procurement. HUAWEI CLOUD also has security compliance and confidentiality agreements with suppliers, including outsourced individuals.

7.10 Information Security Incident Management

Clause 11 of Rules in Detail on Establishment of Information Technology System requires intermediaries to establish information security incident management. The relevant control requirements and HUAWEI CLOUD's responses are as follows:

HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines in Thailand
7 How HUAWEI CLOUD Meets the Requirements of OSEC Rules in Detail on Establishment of Information Technology System and Guidelines for Establishment of Information Technology System
Issue 01 (2020-07-10) Copyright © Huawei Technologies Co., Ltd. 77


No.: 11(1)(2)(3)(4)(5)(7)
Control Domain: Information Security Incident Management
Specific Control Requirements: An intermediary shall establish information security incident management in accordance with the following criteria:
(1) establish procedures and processes to manage information security incidents;
(2) define the person responsible for managing information security incidents;
(3) report any information security events to the responsible person defined under (2) and to the OSEC without delay;
(4) carry out testing of the procedures and processes for the management of information security incidents defined under (1) at least once a year, and the testing shall at least cover the management of cyber security threats (cyber security drills);
(5) review the procedures and processes for the management of information security incidents, and carry out tests of the incidents which may influence information security at least once a year as regulated under (4);
(7) maintain all documents related to the management of information security incidents for at least two years from the date of issuance.
HUAWEI CLOUD Response: Customers should establish an information security incident management system.

HUAWEI CLOUD has developed a complete mechanism for internal security incident management and continues to optimize it. Roles and responsibilities are clearly defined for each activity in the incident response process. The HUAWEI CLOUD log system, based on big data analytics, can collect, process, and analyze mass logs in real time, and can connect to third-party Security Information and Event Management (SIEM) systems such as those provided by ArcSight and Splunk. HUAWEI CLOUD collects management behavior logs of all physical devices, networks, platforms, applications, databases and security systems, as well as the threat detection and warning logs of security products and components, through a centralized big data log analysis system. In addition, given the expertise and urgency required to handle security incidents, HUAWEI CLOUD has a professional security incident response team available 24/7 and a corresponding pool of security expert resources for response. HUAWEI CLOUD also uses a big data security analysis system to aggregate alert logs from a variety of security devices for unified analysis. HUAWEI CLOUD formulates classification and escalation principles for information security incidents, ranking them according to their degree of impact on the customer's business, and initiates a process to notify customers of the incident.

When serious events occur on the underlying infrastructure platform and have, or may have, a serious impact on multiple customers, HUAWEI CLOUD can promptly notify customers with an announcement. The notification includes, but is not limited to, a description of the event, its cause, its impact, the measures taken by HUAWEI CLOUD and the measures recommended for customers. After the incident is resolved, an incident report will be provided to the customer according to the specific situation.

HUAWEI CLOUD tests its information security incident management procedures annually. All information security incident response personnel, including reserve personnel, must participate. The test scenarios are drawn from current common network security threats, and high-risk scenarios are exercised in simulations. During testing, HUAWEI CLOUD selects the test scenarios, develops complete test plans and procedures, and records the test results. On completion, the relevant personnel write a report summarizing any problems identified during the simulation. If the results indicate issues with the information security incident management process, the related documentation is updated accordingly.

HUAWEI CLOUD audits and updates all system documents every year according to the requirements of its internal business continuity management system and information security management system. HUAWEI CLOUD maintains a list of contacts to be reached in an emergency and updates it promptly when notified of personnel changes.


7.11 Information Security Aspects of Business Continuity Management

Clause 12 of the Rules in Detail on Establishment of Information Technology System requires intermediaries to establish the information security aspects of their business continuity management mechanism. The relevant control requirements and HUAWEI CLOUD's responses are as follows:


No.: 12(1)(2)(3)(4)
Control Domain: Information Security Aspects of Business Continuity Management
Specific Control Requirements: An intermediary shall establish the information security aspects of business continuity management in accordance with the following criteria:
(1) determine requirements for information security and for the continuity of information security management in adverse situations;
(2) establish procedures, processes and controls to ensure the required level of continuity for information security;
(3) define the recovery time objective (RTO) for each information system and its recovery priority, based on its criticality and potential impact;
(4) consider redundant information systems, if needed, to ensure availability as required under (3).
HUAWEI CLOUD Response: Customers should establish their own mechanisms for business continuity and define RTO and RPO metrics to ensure the continuity of their key businesses. If FIs need HUAWEI CLOUD's participation in their business continuity plans, HUAWEI CLOUD will actively cooperate.

To provide continuous and stable cloud services to customers, HUAWEI CLOUD has obtained ISO 22301 certification and maintains business continuity management systems for the cloud that suit the customer's business needs. HUAWEI CLOUD carries out business continuity promotion and training within the organization every year, and conducts emergency drills and tests regularly to continuously optimize emergency response. Under the requirements of this framework, HUAWEI CLOUD carries out regular business impact analysis, identifies key businesses, and determines the recovery target and minimum recovery level of each key business. In identifying key businesses, the impact of a business interruption on cloud service customers is treated as an important criterion. To meet customer compliance requirements, HUAWEI CLOUD has formulated a sound recovery strategy for the key businesses that support the continuous operation of cloud services, according to the requirements of its internal business continuity management system.

Customers can rely on the Region and Availability Zone (AZ) architecture of the HUAWEI CLOUD data center cluster for disaster recovery and backup of their business systems. Data centers are deployed around the world according to defined rules, and customers can keep disaster recovery backups across two sites. If a failure occurs, the system automatically transfers customer applications and data away from the affected area to ensure business continuity, on the premise of meeting compliance policies. HUAWEI CLOUD has also deployed a Global Server Load Balancing center. Customer applications can be deployed N+1 across data centers, so that even if one data center fails, traffic is balanced to the other centers.


8 How HUAWEI CLOUD Meets the Requirements of OSEC Cloud Computing Practice Guide

In November 2019, the OSEC released the Cloud Computing Practice Guide, which provides FIs with practices to consider regarding the governance of cloud computing services and cloud service provider management. Cloud service provider management covers: assessment and selection of service providers, service agreement, use of cloud computing, service monitoring and evaluation, and cancellation and termination of service.

When FIs seek to comply with the requirements of the Cloud Computing Practice Guide, HUAWEI CLOUD, as a cloud service provider, may be involved in some of the activities stipulated under those requirements. The following content summarizes the compliance requirements in the Cloud Computing Practice Guide that relate to cloud service providers, and explains how HUAWEI CLOUD, as a cloud service provider, can help FIs meet them.


8.1 Assessment and Selection of Service Providers

No.: 2.2.1
Control Domain: Selection of Service Providers
Specific Control Requirements: FIs should clearly define processes and guidelines for selecting cloud service providers and for monitoring the availability and appropriateness of the service provider, to ensure that the service provider can provide the services. In addition, the key factors to consider include knowledge, experience, financial capabilities, etc.
HUAWEI CLOUD Response: Customers should establish service provider selection criteria.

(1) Technical ability: HUAWEI CLOUD provides cloud services online, opening up to customers Huawei's more than 30 years of technology accumulation and product solutions in ICT infrastructure. HUAWEI CLOUD has five core technological advantages: full-stack, all-scenario AI; multi-architecture; extreme performance; security and reliability; and open innovation. For example, in the field of artificial intelligence (AI), HUAWEI CLOUD AI has delivered over 300 projects in 10 major industries, such as city, manufacturing, logistics, internet, medical treatment, and campus. In terms of multi-architecture, HUAWEI CLOUD has created a new multi-computing cloud service architecture based on "x86 + Kunpeng + Ascend", which enables each application to run on the computing power best suited to it, maximizing customer value.

(2) Financial strength: HUAWEI CLOUD is Huawei's service brand. Since its launch in 2017, HUAWEI CLOUD has developed rapidly and its revenue has maintained strong growth. According to the Market Share: IT Services, Worldwide 2019 study released by Gartner, HUAWEI CLOUD ranked sixth in the global IaaS market and among the top three in the China market, with the fastest growth rate in the world, at 222.2%.

(3) Business reputation: HUAWEI CLOUD has always adhered to the customer-centric principle, and more and more customers choose HUAWEI CLOUD. HUAWEI CLOUD has made breakthroughs in Chinese industries such as the internet, live and on-demand video, video surveillance, genetics, automobile manufacturing and others. Apart from the Chinese mainland, HUAWEI CLOUD has been launched in Hong Kong (China), Russia, Thailand, South Africa and Singapore in succession.

(4) Corporate culture and service policies suitable for FIs: HUAWEI CLOUD defines product security and functional requirements according to customer business scenarios, laws and regulations, and regulatory requirements during the product and service planning and design phases, and Huawei implements these requirements in the R&D and design phases to meet customer needs. HUAWEI CLOUD has released financial industry solutions that provide end-to-end cloud solutions for banks, insurance companies and other customers, by combining the needs of the industry with Huawei's comprehensive cloud services.

No.: 2.2.1
Control Domain: Assess Information Technology Security Standards
Specific Control Requirements: Assess information technology security standards, including data confidentiality, information system integrity, and service availability; for example, the evaluation results of internationally recognized security standards such as ISO 27001, ISO 27017, PCI DSS, etc.
HUAWEI CLOUD Response: HUAWEI CLOUD has received a number of international and industry security compliance certifications, including ISO 27001, ISO 27017, ISO 27018, PCI DSS, CSA STAR, etc. HUAWEI CLOUD follows international standards to establish a sound information security management system, IT service management system, and business continuity management system, and to operate them daily according to the applicable requirements. HUAWEI CLOUD carries out risk assessment, management review, and other activities every year to identify problems in the operation of these systems and rectify them, so as to continuously improve the management systems.


No.: 2.2.1
Control Domain: Independent Audit
Specific Control Requirements: Independent auditors provide assessment and inspection reports, as well as reports on technical security standards, such as System and Organization Controls (SOC) reports, which should cover the key issues of the audit scope, the audit period, and the audit results.
HUAWEI CLOUD Response: If an FI initiates an audit request for HUAWEI CLOUD, HUAWEI CLOUD will assign responsible personnel to actively cooperate with the audit. Customers' audit and supervision rights over HUAWEI CLOUD are committed to in the agreement signed with the customer, according to the situation. HUAWEI CLOUD has obtained ISO 27001, ISO 27017, ISO 27018, SOC, CSA STAR and other international security and privacy protection certifications, and is audited by third parties every year.

No.: 2.2.1
Control Domain: Assess Continuous Service Capability
Specific Control Requirements: Assess the continuity practices of cloud service providers and the consistency of the business impact analysis of the systems that will run on cloud computing systems, including maximum tolerable downtime (MTD), acceptable recovery time objective (RTO), and recovery point objective (RPO).
HUAWEI CLOUD Response: To provide continuous and stable cloud services to customers, HUAWEI CLOUD has established a complete set of business continuity management systems in accordance with the ISO 22301 Business Continuity Management international standard. Under the requirements of this framework, HUAWEI CLOUD carries out regular business impact analysis, identifies key businesses, and determines the recovery target and minimum recovery level of each key business. In identifying key businesses, the impact of a business interruption on cloud service customers is treated as an important criterion.


8.2 Service Agreement

No.: 2.2.2
Control Domain: Service Agreement
Specific Control Requirements: FIs should consider the following important conditions in service agreements with service providers:
A. The agreement between the service provider and the service user shall cover at least the following details:
1. Responsibilities of service providers, and responsibilities to intermediaries in the event that service providers fail to comply with the agreement;
2. Operating procedures that comply with internationally recognized information security standards;
3. Information technology security measures, access control and information disclosure measures;
4. Audit of the cloud service provider's operation by an independent auditor;
5. Conditions for the cloud service provider to subcontract to other service providers, and the terms of liability for damages that may be caused by the operation of those other service providers;
B. The information security qualification of the subcontracted cloud service provider is comparable to that of the cloud service provider or meets international standards;
C. Monitor, evaluate and review the service performance of cloud service providers;
D. The process for data migration to a new cloud provider in case of any replacement of the cloud provider.
HUAWEI CLOUD Response: Customers should establish an information security management system covering their cloud service providers.

HUAWEI CLOUD provides online versions of the HUAWEI CLOUD Customer Agreement and the HUAWEI CLOUD Service Level Agreement, which specify the content and level of the services provided, as well as the responsibilities of HUAWEI CLOUD. HUAWEI CLOUD has also developed an offline contract template that can be customized according to the needs of different customers, for example to cover auditing of the cloud service provider's operation by an independent auditor, or the conditions and responsibilities that apply to HUAWEI CLOUD when subcontracting services to other suppliers.

HUAWEI CLOUD follows ISO 27001, ISO 20000, ISO 22301 and other international standards to establish a sound information security management system, IT service management system, and business continuity management system, and to operate them daily according to the applicable requirements. HUAWEI CLOUD carries out risk assessment, management review, and other activities every year to identify problems in the operation of these systems and rectify them, so as to continuously improve the management systems.

HUAWEI CLOUD receives regular audits from professional third-party auditing institutions every year and provides professional assistance to actively respond to and cooperate with audit activities initiated by customers.

When the service agreement terminates, customers can migrate content data out of HUAWEI CLOUD, for example to a local data center, using the Object Storage Migration Service (OMS) and Server Migration Service (SMS) provided by HUAWEI CLOUD.


8.3 Use of Cloud Computing

No.: 2.2.3
Control Domain: Organizational Structure (Internal Organization)
Specific Control Requirements: FIs should have multiple channels to contact service providers to deal with usage issues and information security incidents.
HUAWEI CLOUD Response: Customers should establish formal incident and issue management procedures.

HUAWEI CLOUD provides an after-sales service guarantee for customers. The HUAWEI CLOUD professional service engineer team provides 24/7 service support, so customers can seek help through channels such as work orders (tickets), intelligent customer service, self-service, and telephone. In addition to basic support, customers with complex systems can choose from tiered support plans to obtain dedicated support from personnel such as an IM enterprise group, a Technical Account Manager (TAM), and a service manager.


No.: 2.2.3
Control Domain: Access Control
Specific Control Requirements: FIs should:
(1) Formulate appropriate authentication methods, such as multi-factor authentication when accessing the administrator page;
(2) Control the distribution of passwords through a formal management process;
(3) Assign access rights based on responsibilities, and control user access to information and application system functions according to the defined access rights;
(4) Monitor and review user access rights.
HUAWEI CLOUD Response: Customers can manage the user accounts that use their cloud resources through HUAWEI CLOUD Identity and Access Management (IAM). In addition to password authentication, IAM supports multi-factor authentication as an option that the customer can choose whether to enable. If the customer has a secure and reliable external authentication service provider, external users authenticated through IAM identity federation can be mapped to temporary users of HUAWEI CLOUD and access the customer's HUAWEI CLOUD resources. IAM supports hierarchical and fine-grained authorization, so administrators can plan the level of cloud resource access according to each user's responsibilities. They can also block malicious access from untrusted networks by setting security policies such as access control lists. In addition, HUAWEI CLOUD's Cloud Trace Service (CTS) provides collection, storage, and querying of operation records for a variety of cloud resources, supporting common scenarios such as security analysis, compliance auditing, resource tracking, and problem locating.


No.: 2.2.3
Control Domain: Cryptography
Specific Control Requirements: When managing encryption provided by service providers, FIs should collect the following information:
▪ The type of encryption algorithm;
▪ Creation, editing, storage, access, revocation and destruction of keys.
Service providers should not be granted access to, storage of, or management of the keys.
HUAWEI CLOUD Response: Currently, services including Elastic Volume Service (EVS), Object Storage Service (OBS), Image Management Service (IMS) and Relational Database Service (RDS) provide data encryption or server-side encryption functions, and encrypt data using high-strength algorithms that can be chosen by the customer. The server-side encryption function integrates the Key Management Service (KMS) of HUAWEI CLOUD Data Encryption Workshop (DEW), which provides full-lifecycle key management. Without authorization, others cannot obtain the keys needed to decrypt the data, which ensures the security of data on the cloud. DEW adopts a layered key management mechanism: a hardware security module (HSM), certified to FIPS 140-2 (Level 2 and Level 3), creates and manages keys for customers to meet their data security compliance requirements and to prevent unauthorized access and tampering. Even Huawei O&M personnel cannot obtain the root key. DEW also allows customers to import their own keys as master keys for unified management, facilitating seamless integration with customers' services. At the same time, HUAWEI CLOUD keeps online redundant storage of user master keys, multiple physical offline backups of root keys, and regular backups, to ensure the durability of the keys.
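The layered key mechanism described in this row (a root key that never leaves the HSM, customer master keys held only in wrapped form, a fresh data key per object, BYOK import, and rotation) is easier to audit once it is written out. The following Python is an added illustration for this guide, not HUAWEI CLOUD DEW/KMS code or its API: the class names (Hsm, Kms), key IDs (cmk-ledger) and principals (fi-app, cloud-operator) are assumed for the example, and HMAC-SHA256 in counter mode with encrypt-then-MAC stands in for a real AEAD such as AES-GCM so that the example runs on the standard library alone. It shows the two properties an FI should verify: a principal without a grant cannot unwrap a data key even though it holds the ciphertext, and rotating the master key re-wraps the data keys without re-encrypting any object.

```python
"""Layered (envelope) key management with the Python standard library only.

root key   -> inside the simulated HSM; only wrap()/unwrap() are exposed
master key -> stored by the KMS only wrapped under the root key; generated or imported (BYOK)
data key   -> generated per object, persisted only wrapped under the master key
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; stand-in for a vetted AEAD (assumption of this example).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    # Derive independent encryption and MAC keys from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; ValueError on a wrong key or tampered data."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Hsm:
    """Simulated HSM: the root key is never returned, only wrap/unwrap operations."""

    def __init__(self):
        self._root = secrets.token_bytes(32)

    def wrap(self, key: bytes) -> bytes:
        return seal(self._root, key)

    def unwrap(self, wrapped: bytes) -> bytes:
        return open_sealed(self._root, wrapped)


class Kms:
    """Master keys are stored only wrapped by the HSM; every use is gated by a grant."""

    def __init__(self, hsm: Hsm):
        self._hsm = hsm
        self._wrapped_cmks = {}  # cmk_id -> master key wrapped under the root key
        self._grants = {}        # cmk_id -> principals allowed to use the key

    def create_cmk(self, cmk_id: str, owner: str, material: bytes = None) -> None:
        # material is None: the KMS generates the key; otherwise the customer imports it (BYOK).
        cmk = material if material is not None else secrets.token_bytes(32)
        self._wrapped_cmks[cmk_id] = self._hsm.wrap(cmk)
        self._grants[cmk_id] = {owner}

    def _cmk(self, cmk_id: str, principal: str) -> bytes:
        if principal not in self._grants.get(cmk_id, set()):
            raise PermissionError(f"{principal} is not authorized to use {cmk_id}")
        return self._hsm.unwrap(self._wrapped_cmks[cmk_id])

    def generate_data_key(self, cmk_id: str, principal: str):
        """Return (plaintext DEK, DEK wrapped under the CMK); callers persist only the wrapped copy."""
        dek = secrets.token_bytes(32)
        return dek, seal(self._cmk(cmk_id, principal), dek)

    def decrypt_data_key(self, cmk_id: str, principal: str, wrapped_dek: bytes) -> bytes:
        return open_sealed(self._cmk(cmk_id, principal), wrapped_dek)

    def rotate_cmk(self, cmk_id: str, principal: str, wrapped_deks):
        """Replace the CMK and re-wrap existing DEKs; object ciphertext is left untouched."""
        old, new = self._cmk(cmk_id, principal), secrets.token_bytes(32)
        self._wrapped_cmks[cmk_id] = self._hsm.wrap(new)
        return [seal(new, open_sealed(old, w)) for w in wrapped_deks]


def encrypt_object(kms: Kms, cmk_id: str, principal: str, data: bytes) -> dict:
    """Server-side encryption of one object: a fresh DEK per object, stored only wrapped."""
    dek, wrapped = kms.generate_data_key(cmk_id, principal)
    return {"wrapped_dek": wrapped, "ciphertext": seal(dek, data)}


def decrypt_object(kms: Kms, cmk_id: str, principal: str, obj: dict) -> bytes:
    dek = kms.decrypt_data_key(cmk_id, principal, obj["wrapped_dek"])
    return open_sealed(dek, obj["ciphertext"])


if __name__ == "__main__":
    kms = Kms(Hsm())
    kms.create_cmk("cmk-ledger", owner="fi-app")  # illustrative names
    obj = encrypt_object(kms, "cmk-ledger", "fi-app", b"account ledger 2020-07")
    try:
        decrypt_object(kms, "cmk-ledger", "cloud-operator", obj)  # no grant: refused
    except PermissionError as err:
        print("denied:", err)
    obj["wrapped_dek"] = kms.rotate_cmk("cmk-ledger", "fi-app", [obj["wrapped_dek"]])[0]
    print(decrypt_object(kms, "cmk-ledger", "fi-app", obj))
```

The point to carry into a review of any provider's KMS is the shape of the data at rest: the object store holds ciphertext plus a wrapped data key, the KMS holds a wrapped master key, and the only component that ever sees the root key is the HSM. An operator with database access to all three stores still has nothing usable, and a master-key rotation or revocation is a metadata operation rather than a bulk re-encryption.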


No.: 2.2.3
Control Domain: Physical and Environmental Security
Specific Control Requirements: FIs should review the destruction procedures applied before the service provider's equipment or information storage resources are reused.
HUAWEI CLOUD Response: HUAWEI CLOUD has developed a sound media management process for the storage media that hold financial industry customers' content data, to ensure the security of the data stored on those media. When a customer initiates a data deletion operation, or when data must be deleted because the service has expired, HUAWEI CLOUD strictly follows the data destruction standard agreed in the contract with the customer to erase the stored customer data. Specifically: once the customer agrees to the deletion, HUAWEI CLOUD deletes the index relationship between the customer and the data, and clears the storage space, such as memory and block storage, before reallocation, to ensure that the related data and information cannot be restored. If a physical storage medium is to be disposed of, HUAWEI CLOUD clears the data by degaussing, bending, or breaking the storage medium to ensure that the data on it cannot be restored.


No.: 2.2.3
Control Domain: Operations Security
Specific Control Requirements: If FIs and service providers agree that backup activities are the responsibility of the service provider, FIs shall review the service provider's implementation of the backup procedure in accordance with the agreement. FIs should determine the requirements for recording events related to cloud computing services, and monitor and store event logs. FIs should review and evaluate the service provider's vulnerability management guidelines and install the service provider's patches.
HUAWEI CLOUD Response: HUAWEI CLOUD provides multi-granularity data backup and archiving services to meet customers' requirements in specific scenarios. Customers can use the versioning function of OBS, Volume Backup Service (VBS), and Cloud Server Backup Service (CSBS) to back up in-cloud documents, disks, and servers. Benefiting from the on-demand use, scalability, and high reliability of cloud services, customers can also back up data through HUAWEI CLOUD's data backup and archiving service to ensure that data is not lost in the event of a disaster.

HUAWEI CLOUD's Cloud Trace Service (CTS) provides operation records of cloud service resources for users to query and audit. Three types of operations are recorded: operations performed through the management console after logging in with the cloud account, operations performed through the APIs supported by the cloud services, and operations triggered within Huawei's cloud system. CTS checks the log data sent by the various services to ensure that the data itself contains no sensitive information, and protects the records as follows:
1. In the transmission phase, it ensures the accuracy and completeness of log transmission and preservation by means of identity authentication, format checking, whitelist checking and a one-way receiver system;
2. In the storage phase, it keeps multiple backups according to Huawei's network security specifications and makes sure that the data is transmitted and preserved accurately and completely. The security of the database itself is hardened to eliminate the risks of counterfeiting, repudiation, tampering and information leakage. Finally, CTS supports encrypted storage of the data in OBS buckets.

Customers can scan for external vulnerabilities and operating system vulnerabilities. Through the HUAWEI CLOUD Vulnerability Scan Service (VSS), they can check asset content compliance, compare configurations against a baseline, detect weak passwords, and perform other such functions. VSS can automatically discover the security risks of websites or servers exposed on the network, and helps users secure their business on the cloud from multiple dimensions.

In addition, Huawei PSIRT and HUAWEI CLOUD's security O&M team have established a mature and comprehensive program and framework for vulnerability detection, identification, response, and disclosure. HUAWEI CLOUD relies on this program and framework to manage vulnerabilities and to ensure that vulnerabilities in HUAWEI CLOUD infrastructure, cloud services, and O&M tools (regardless of whether they are found in Huawei or third-party technologies) are handled and resolved within SLAs. HUAWEI CLOUD strives to reduce and ultimately prevent vulnerability exploitation and its impact on customers' services.

To protect end users and tenants, HUAWEI CLOUD upholds the principle of responsible disclosure. It ensures that no undue risk of exploitation or attack results from the disclosure of any vulnerability. HUAWEI CLOUD continues to proactively make recommendations on platform-layer and tenant-service-specific vulnerabilities, and offers end users and tenants vulnerability mitigation solutions, standing shoulder to shoulder with customers to tackle the security challenges caused by vulnerabilities.

2.2.3 Communications Security

Specific Control Requirements: FIs should assess and determine the need for network segmentation and tenant isolation in cloud environments, and check the behavior of service providers according to service agreements.

HUAWEI CLOUD Response: HUAWEI CLOUD cooperates with customers to exercise supervision over technology outsourcing. The online HUAWEI CLOUD Customer Agreement defines the security responsibilities of cloud service customers and Huawei, while the HUAWEI CLOUD Service Level Agreement stipulates the level of products/services provided, including the commitment to service availability and compensation when failing to meet the agreed service level. In the initial phase, HUAWEI CLOUD will strictly implement the corresponding control measures to ensure HUAWEI CLOUD is secure in its architecture design, equipment selection, host network (for a variety of multi-layer physical and virtual network security isolation methods), access control, border protection technology, configuration, and other aspects for consideration. The Virtual Private Cloud (VPC) service provided by HUAWEI CLOUD for customers can create a private network environment for tenants, and realize complete isolation of different tenants in a three-tier network. Tenants have full control over the construction and configuration of their own virtual network, and can configure network ACL and security group rules to strictly control the network traffic coming in and out of subnets and virtual machines, to meet the needs of customers for finer-grained network isolation.


2.2.3 System Acquisition, Development and Maintenance

Specific Control Requirements: FIs should conduct information security assessments of cloud computing applications and use them as part of due diligence activities to assess and check the capabilities of cloud service providers. In the case of using SaaS, FIs should evaluate and inspect service providers to establish secure development procedures.

HUAWEI CLOUD Response: Huawei development and testing processes follow unified system (software) security development management specifications, and access to the various environments is strictly controlled. To meet customer compliance requirements, HUAWEI CLOUD manages the end-to-end software and hardware life cycle through complete systems and processes, as well as automated platforms and tools. The life cycle includes security requirements analysis, security design, security coding and testing, security acceptance and release, and vulnerability management.


2.2.3 Information Security Incident Management

Specific Control Requirements: FIs should clarify the following in the incident management regulations:
▪ The types of events that will be reported to cloud computing users;
▪ Detailed information and incident response;
▪ Notification of users about the time frame and process of the event;
▪ Contact channel and contact details;
▪ The solution to the problem.

HUAWEI CLOUD Response: HUAWEI CLOUD has developed a complete mechanism for internal security incident management and continues to optimize it. The roles and responsibilities are clearly defined for each activity during the incident response process. The HUAWEI CLOUD log system, based on big data analytics, can quickly collect, process, and analyze mass logs in real time and can connect to third-party Security Information and Event Management (SIEM) systems, such as the SIEM systems provided by ArcSight and Splunk. HUAWEI CLOUD collects management behavior logs of all physical devices, networks, platforms, applications, databases and security systems, together with threat detection and warning logs of security products and components, through a centralized big data log analysis system. In addition, given the professionalism and urgency required to handle security incidents, HUAWEI CLOUD has a professional security incident response team available 24/7 and a corresponding pool of security expert resources for response. HUAWEI CLOUD also uses a big data security analysis system to gather the alert logs of a variety of security devices for unified analysis. Incidents are ranked based on the extent to which they affect the customer's business, and a customer notification process is initiated to notify customers of the incident. After the incident is resolved, an incident report will be provided to the customer. HUAWEI CLOUD formulates the classification and escalation principle of information security incidents, ranking them according to their degree of impact on the customer's business, and initiates a process to notify customers of the incident.

When serious events occur on the underlying infrastructure platform and have, or may have, a serious impact on multiple customers, HUAWEI CLOUD can promptly notify customers of the events with an announcement. The contents of the notification include, but are not limited to, a description of the event, the cause, the impact, the measures taken by HUAWEI CLOUD and the measures recommended for customers. After the incident is resolved, the incident report will be provided to the customer according to the specific situation.


8.4 Service Monitoring and Evaluation

No. | Control Domain | Specific Control Requirements | HUAWEI CLOUD Response

2.2.4 Service Monitoring and Evaluation

Specific Control Requirements: FIs should clearly define the roles and responsibilities for the follow-up, evaluation and review of services, to ensure service contract and service quality performance and to identify potential risks of using the services. FIs should monitor, evaluate, and review the services of service providers in accordance with the terms of their agreements ("cloud service agreement") with the service providers.

HUAWEI CLOUD Response: HUAWEI CLOUD's services and platforms have been certified under many international and industry security compliance certifications, covering information security, privacy protection, business continuity management, IT service management and other fields. HUAWEI CLOUD is committed to creating secure and credible cloud services for customers in all walks of life and providing empowerment and escorting services for customers. HUAWEI CLOUD receives regular audits from professional third-party auditing institutions every year and provides professional assistance to actively respond to and cooperate with audit activities initiated by customers. In addition, HUAWEI CLOUD provides an after-sales service guarantee for customers. The HUAWEI CLOUD professional service engineer team provides 24/7 service support, so customers can seek help through methods such as work orders, intelligent customer service, self-service, and telephone. In addition to basic support, customers with complex systems can choose from the tiered support plans to obtain exclusive support from personnel such as the IM enterprise group, Technical Service Manager (TAM), and service manager.


8.5 Cancellation or Termination of Service

No. | Control Domain | Specific Control Requirements | HUAWEI CLOUD Response

2.2.5 Cancellation or Termination of Service

Specific Control Requirements: When canceling and terminating the use of cloud services, FIs should fully formulate strategies and plans to properly opt out of the services, to prevent or eliminate the risk of possible adverse effects, for example the risk of service interruption, and information security and storage risk.

HUAWEI CLOUD Response: When the service agreement terminates, customers can migrate content data out of HUAWEI CLOUD through the Object Storage Migration Service (OMS) and Server Migration Service (SMS) provided by HUAWEI CLOUD, for example by migrating to a local data center. During the destruction of customer data, HUAWEI CLOUD clears the specified data and all its copies. Once customers agree to the deletion, HUAWEI CLOUD deletes the index relationship between customers and data, and clears the storage space, such as memory and block storage, before reallocation, to ensure that the related data and information cannot be restored. If a physical storage medium is to be disposed of, HUAWEI CLOUD clears the data by degaussing, bending, or breaking the storage medium to ensure that data on the storage medium cannot be restored.


9 Conclusion

This whitepaper describes how HUAWEI CLOUD provides cloud services that meet the regulatory requirements of the financial industry in Thailand and shows that HUAWEI CLOUD complies with key regulatory requirements issued by the Bank of Thailand (BoT) and the Office of the Securities and Exchange Commission (OSEC). This aims to help customers learn more about HUAWEI CLOUD's compliance status with Thailand's regulatory requirements related to the financial industry and to assure customers that they can store and process their customers' content data securely. To some extent, this whitepaper also guides customers on how to design, build and deploy a secure cloud environment on HUAWEI CLOUD that meets the regulatory requirements of the BoT and the OSEC, and assists customers in better identifying their security responsibilities together with HUAWEI CLOUD.

This whitepaper is for reference only and does not have legal effect or constitute any legal advice. Customers should assess their own use of cloud services as appropriate and ensure compliance with the relevant regulatory requirements from the BoT and the OSEC when using HUAWEI CLOUD.


10 Version History

Date Version Description

2020-07-10 1.0 First release
