CHILE Law and Practice Contributed by: Claudio Magliona, Bárbara Reyes and Diego Lisoni, Magliona Abogados
• Documentation – the operational, administrative and technological procedures of the contracted service must be documented, updated and available for review.
• Location – data, platforms and applications must be in specific processing sites and, in the case of processing abroad, in a defined and known jurisdiction. The city where the data centres operate must be known.

Critical ICT Services

Significant or strategic (critical) activities are considered to be those in which a failure in the provision of the service has a significant impact on regulatory compliance, business continuity, information security, or the quality of the entity’s services. Also considered critical are activities that involve the processing of data subject to secrecy or banking secrecy, activities with a significant impact on risk management, and those with high systemic interaction in the market.

Cloud Service Providers

Not all cloud service providers are automatically classified as critical. The classification depends on the criticality of the service being outsourced to the cloud.
• Non-critical services – can be outsourced in the public or private cloud without additional considerations to those already mentioned in the preceding titles.
• Critical services – in the event that a strategic or critical activity is outsourced to the cloud, enhanced due diligence of the provider and the service must be carried out, which includes:
(a) prestige and experience of the provider – the provider must be of recognised prestige and experience;
(b) certifications – the provider must have independent and internationally recognised certifications in information security management, business continuity and quality of services;
(c) direct contracts – contracts must be entered into directly between the institution and the provider;
(d) legal reports – the entity must have legal reports on the regulation of privacy and access to information in the jurisdictions where the service is provided;
(e) audits – the provider must make audit reports available to the contracting entity and the CMF;
(f) security – there must be physical and logical security mechanisms that isolate the entity’s infrastructure from that of other clients; and
(g) encryption – sensitive data must have strong encryption mechanisms.

3.3 Key Operational Resilience Obligations

According to Chapter 20-10, the implementation of an adequate risk management process should include as a minimum:
• a risk analysis process, which considers elements such as the assessment of the probability of occurrence of incidents and their consequence or impact on information assets, based on the degree of damage or costs caused by an information security and cybersecurity event, thus determining its level of risk;
• a risk assessment process;
• a risk treatment plan; and
• at least an annual review of the information security and cyber security risk management process.