India
The contract should:
i. Clearly define what activities are going to be outsourced, including appropriate service and performance standards.
ii. Provide for continuous monitoring and assessment by the regulated entity of the service provider, so that any necessary corrective measure can be taken immediately.
iii. Include a termination clause and minimum periods to execute a termination provision, if deemed necessary.
iv. Controls to ensure customer data confidentiality and service providers’ liability in case of breach of security and leakage of confidential customer related information.
v. Contingency plans to ensure business continuity.
- in IT outsourcing agreements
For some sectors, such as banking, NBFCs and insurance, the agreement must address the following points:
i. The contract should clearly define what activities are going to be outsourced, including appropriate service and performance standards.
ii. The regulated entity (banks, NBFCs, insurance companies, telecom companies) must ensure that it has the ability to access all books, records and information relevant to the outsourced activity available with the service provider.
iii. The contract should provide for continuous monitoring and assessment by the regulated entity of the service provider, so that any necessary corrective measure can be taken immediately.
iv. A termination clause and minimum periods to execute a termination provision, if deemed necessary, should be included.
v. Controls to ensure customer data confidentiality and service providers’ liability in case of breach of security and leakage of confidential customer related information.
vi. Contingency plans to ensure business continuity.
vii. The contract should provide for the prior approval/consent by the regulated entity of the use of sub-contractors by the service provider for all or part of an outsourced activity.
viii. Provide the regulated entity with the right to conduct audits on the service provider whether by its internal or external auditors, or by agents appointed to act on its behalf and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the bank.
ix. Outsourcing agreements should include clauses to allow the Reserve Bank of India or IRDAI or persons authorized by it to access the regulated entity’s documents, records of transactions, and other necessary information given to, stored or processed by the service provider, within a reasonable time.
x. The outsourcing agreement should also include a clause recognizing the right of the Reserve Bank to cause an inspection to be made of a service provider of a bank and its books and accounts by one or more of its officers or employees or other persons.
xi. The outsourcing agreement should also provide that the confidentiality of customer’s information should be maintained even after the contract expires or gets terminated.
xii. The outsourcing agreement should provide for the preservation of documents and data by the service provider in accordance with the legal/regulatory obligation of the regulated entity in this regard.
- in cloud agreements
The regulated entities should implement an appropriate access control mechanism with a reliable authentication mechanism to ensure that:
i. Data is not shared accidentally with other customers on the cloud;
ii. Controls over cloud service provider, application service provider and any third-party personnel are in place to provide a logical segregation of duties; and
iii. Logging and monitoring of privileged access is carried out.
The regulated entities are required to implement:
i. controls related to Operations Security for ensuring Secure Configuration, Application, OS, DB, Web Server, Back-up & Recovery, Change Management, Capacity & Demand Management, Protection against Malicious Code and Monitoring, Auditing & Logging security requirements on cloud.
ii. Data in transit to the cloud shall be in encrypted form, as appropriate to the information classification. Encryption techniques shall be implemented for cloud data hosting, covering both data in transit and data at rest. It is recommended to use an appropriate Data Loss Prevention (DLP) solution to identify, monitor and protect sensitive data and manage the data risk for the organization.
iii. Data retention and destruction schedules should be defined by the organization, and the service provider should be made responsible for destroying the data upon request, with special emphasis on destroying all data in all locations, including slack space in data structures and on the media. The company should audit this practice, wherever applicable. Data retention controls should also ensure that the multiple copies of the data stored in different locations are also destroyed after the retention period.
- in others?
If so, please describe the respective standards / obligations in connection to the respective type of agreement (see above).