OSPAR (Singapore)

OSPAR overview

The Association of Banks in Singapore (ABS) has issued the ABS Guidelines on Control Objectives and Procedures for Outsourced Service Providers (ABS Guidelines). The ABS Guidelines contain information security guidance for service providers who deliver services to financial institutions operating in Singapore. The guidelines specify the baseline organizational controls that service providers must implement in cloud outsourcing arrangements, particularly for workloads with material impact. The Outsourced Service Provider's Audit Report (OSPAR) is the framework that external auditors use to validate the service provider's controls against the criteria specified in the ABS Guidelines.

An independent third-party auditor approved by ABS performed a rigorous audit of the security capabilities of Azure and Dynamics 365, including more than 120 Azure services and 10 Dynamics 365 applications, to assess their compliance with the ABS Guidelines. The auditor attested that the Azure and Dynamics 365 security controls were suitably designed to meet the applicable ABS controls criteria and that these controls operated effectively during the year-long testing period.

Achieving the ABS OSPAR attestation demonstrates that the security controls for Microsoft in-scope services meet the ABS Guidelines, putting these services on the official list of OSPAR audited outsourced service providers that can be downloaded from the ABS outsourcing landing page. OSPAR attestation for Azure and Dynamics 365 provides assurance to financial services customers with facilities in Singapore that Microsoft meets the high ABS requirements for deploying compliant financial services solutions.

Applicability

  • Azure

Services in scope

Microsoft online services in scope are shown in the Azure and Dynamics 365 OSPAR report:

  • Azure (for detailed insight, see Microsoft Azure Compliance Offerings or Azure and Dynamics 365 OSPAR report)
  • Dynamics 365 (for detailed insight, see Azure and Dynamics 365 OSPAR report)
  • Microsoft 365 Defender (formerly Microsoft Threat Protection)
  • Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security, MCAS)
  • Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection)
  • Microsoft Graph
  • Microsoft Intune
  • Microsoft Managed Desktop
  • Microsoft Stream
  • Microsoft Threat Experts
  • Power Apps
  • Power Automate (formerly Microsoft Flow)
  • Power BI
  • Power Virtual Agents

Audit reports

You can access the Azure and Dynamics 365 OSPAR report via the Service Trust Portal (STP) Audit Reports - GRC Assessment Reports section. You must log in to access audit reports on the STP. For more information, see Get started with the Microsoft Service Trust Portal.

Frequently asked questions

What is a 'material' outsourcing arrangement and why is the definition important?
An outsourcing arrangement is 'material' if a service failure or breach:

  • has the potential to materially affect a financial firm's business operations or its ability to manage risk and comply with applicable laws and regulations; or
  • involves customer information, and any unauthorized access or disclosure, loss, or theft of that customer information has a material impact on the firm's customers. The definition of 'customer information' expressly excludes securely encrypted information.

This definition is important because certain provisions of the Monetary Authority of Singapore (MAS) Outsourcing Guidelines apply only to 'material outsourcing arrangements'. These provisions include an obligation to perform annual reviews, mandatory contractual clauses addressing audit rights, and ensuring that outsourcing outside of Singapore does not affect MAS supervisory efforts.

Where can I get the Azure OSPAR audit documentation?
For links to audit documentation, see Audit reports. You must have an existing Azure subscription or free Azure trial account to log in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.

Resources