
Policy on Outsourcing


Karnataka Bank Ltd. Your Family Bank, Across India.

Regd. & Head Office: P. B. No.599, Mahaveera Circle, Kankanady, Mangaluru – 575 002
Phone: 0824-2228332
E-Mail: hrir@ktkbank.com
Website: www.karnatakabank.com
CIN: L85110KA1924PLC001128

HR & IR DEPARTMENT
(ISO 9001:2015 CERTIFIED)
Circular/HO/HR&IR/GF(3)/13/2024-25 July 22, 2024

Outsourcing Policy
KBL/ISMS/POL/005
Ver 3.0 dated 19.06.2024

Confidential-Internal Outsourcing Policy Page 1


POLICY ON OUTSOURCING 2024-25

CONTENTS
A. OUTSOURCING OTHER THAN INFORMATION TECHNOLOGY SERVICES - CHAPTER – I
B. OUTSOURCING INFORMATION TECHNOLOGY SERVICES - CHAPTER – II

CHAPTER – I

TABLE OF CONTENTS Page


1 Objective 4
2 Scope 4
3 Strategy 4
4 Areas of Outsourcing 4
5 Parameters for Outsourcing 5
6 Authority 6
7 Responsibilities of Senior Management 8
8 ‘Material’ Outsourcing 8
9 Risk Evaluation and Measurement 8
10 Contract 9
11 Providing access to vendors/ outsourced entities 11
12 Confidentiality and Security 11
13 Risk Management in outsourcing arrangements 12
14 Service delivery 12
15 Reporting to the regulator 12
16 Multiple Service provider relationships 13
17 Managed Security Service Provider (MSSP) 13
18 Information security and Critical service providers/vendors 13
19 Sub-contracting 14
20 Dispute resolution 14
21 Applicable laws 14
22 Monitoring and Control of Outsourced Activities 15
23 Service Level Agreements and performance metrics 15
24 Control Environment offered by the Service Provider 18
25 Periodic Risk Assessment, Audit and Reviews 18
26 Business Continuity & Management of Disaster Recovery Plan 18

CHAPTER – II

TABLE OF CONTENTS Page


1 Background 19
2 Objective 19

3 Scope 20
4 Definitions 20
5 Governance Framework 21
6 Roles and responsibilities 23
6.1 Role of the Board 23
6.2 Role of the Senior Management 23
6.3 Role of IT Function 24
6.4 Outsourcing within a Group / Conglomerate 25
6.5 Cross Border Outsourcing 25
6.6 Contract (Legally binding agreement) 25
6.7 Service Level Agreement 27
6.8 Security and Operations 27
7 Due Diligence on Service Providers 28
8 Grievance Redressal Mechanism 30
9 Monitoring and Control of Outsourced Activities 30
9.1 Quarterly Review 30
9.2 Annual Review 30
9.3 Audit 31
10 Business Continuity Plan and Disaster Recovery Plan 31
11 Exit Strategy 32
12 Annexure A – Considerations for Agreement 32
13 Appendix – I – Usage of Cloud Computing Services 34
14 Disaster Recovery & Cyber Resilience 40
15 Redressal of Grievances Related to Outsourced Services 40
16 Revision 40
17 Reference ISO27001 40

CHAPTER – I
OUTSOURCING OTHER THAN INFORMATION TECHNOLOGY SERVICES

1. Objective
The objective of the Bank’s outsourcing policy is to maintain the security of the
organization’s information and information processing facilities that are accessed,
processed, communicated to, or managed by external parties. It is in alignment with
the Reserve Bank’s supervisory framework and our current priorities projected within
that framework.

2. Scope

This policy is applicable to permanent and contract employees, vendors, and agents
operating on behalf of the Bank. The policy is applicable to all outsourcing
arrangements entered or likely to be entered into by the Bank.

3. Strategy
The policy also covers issues relating to safeguarding the interest of the Bank,
balancing the interest of customers, employees, community and share-holders. The
policy aims at capturing efficiency, cost-effectiveness and risk reduction advantages
that outsourcing will provide. The Bank controls outsourcing activities to ensure
effective management of Strategic Risk, Reputation Risk, Compliance Risk, Legal Risk,
Exit Strategy Risk, Counter Party Risk, Contractual Risk, Access Risk, Concentration
and Systemic Risk.

4. Areas of Outsourcing

1) The Facility Management and allied services (Network Monitoring) at the
Customer Care Centre, IT Department.
2) ATM operation management and E-Funds management.
3) ATM Cash Management.
4) Debit Card processing.
5) Data Entry, Business Correspondent Services under Financial Inclusion, Point of
Sale etc.

6) Maintenance of HO/RO/Branch building premises, Cleaning, Sweeping etc.
7) Security services to ATMs and Branches.
8) Watch and ward Staff.
9) Any other IT related work which requires a high degree of expertise & cannot be
generated in house.
10) In any other areas of financial services.
❖ The areas mentioned above are only illustrative and not exhaustive.

However, the Bank would not outsource core management functions, including
Internal Audit, the Compliance function and decision-making functions such as determining
compliance with KYC norms for opening deposit accounts, according sanction for
loans and management of the investment portfolio, the information security
group/function itself, and information security governance related structures and
activities, which cannot be outsourced as per RBI guidelines.

5. Parameters for Outsourcing

1. For a one time activity, the bank shall consider the following factors:
a) Time and resource required to execute the work, if taken up internally.
b) Skills and expertise required.
c) Time and cost likely to be incurred in preparing the internal resources to
meet this requirement.
d) If the internal resource mobilization (having necessary skills and expertise)
is not expected to meet the requirement in terms of desired quantity/quality,
the bank may outsource such a one-time activity.

2. For an ongoing activity, the bank shall consider the following factors:
a) The dynamics involved.
b) Pace of change of technology.
c) Skills and expertise required if taken up internally.
d) The displacement cost.
e) Training requirements on an ongoing basis.

6. Authority

The Board and Senior Management oversee outsourcing operations and manage risks
inherent in such outsourcing relationships. The activities to be outsourced are referred
to the Outsourcing Committee.

Members of Outsourcing Committee:

The Managing Director will constitute the Outsourcing Committee, with appropriate
members.

Roles of the Committee:

1) The committee will evolve criteria for selection of outsourcing activities.
2) The committee may evolve its own procedure.
3) The Managing Director can reconstitute the above committee, whenever
necessary.

The above committee will conduct due diligence in relation to outsourcing, to consider
all relevant laws, regulations, guidelines and conditions of approval, licensing or
registration.

6.1 Due Diligence

The Bank may delegate its day-to-day operational duties to a service provider.
Responsibilities for effective due diligence, oversight and management of outsourcing
and accountability for all outsourcing decisions continue to rest with the Bank, Board
and senior management.

• While evaluating vendors, business partners and outsourced entities, the
security measures at their end shall be evaluated as part of the due diligence
taken up by the Bank. These parties shall have the ability to maintain
confidentiality, integrity and availability of the Bank related information.
• A reference check shall be carried out on the vendor. Selection of software
vendors shall be done after appropriate controls have been deployed for
ensuring that the software is not defective. These controls include: selection of
vendors with a good reputation and proven track record, implementation of a
quality assurance programme and documentation and testing of all software.
• In negotiating / renewing an Outsourcing arrangement, due diligence will be
performed to assess the capability of the technology service provider to comply
with obligations in the outsourcing agreement. Due diligence will involve an
evaluation of all information about the service provider including qualitative,
quantitative, financial, operational and reputational factors, as follows:
➢ Past experience and competence to implement and support proposed
activities over the contractual period.
➢ Financial soundness and ability to service commitments even under
adverse conditions.
➢ Business reputation and culture, compliance, complaints and outstanding
or potential litigations.
➢ Security and internal control, audit coverage reporting and monitoring
environment, business continuity management.
➢ External factors like political, economic, social and legal environment of
jurisdiction in which the service provider operates and other events that
may impact service performance.
➢ Business continuity arrangements in case of technology outsourcing.
➢ Due diligence for sub-service providers.
➢ Risk management, framework, alignment to applicable international
standards on quality / security / environment, etc., may be considered.
➢ Secure infrastructure facilities.
➢ Employee training, knowledge transfer.
➢ Reliance on and ability to deal with sub-contractors.

Extent of due diligence reviews may vary based on risk inherent in the outsourcing
arrangements. Due diligence undertaken during the selection process will be
documented and re-performed periodically as part of the monitoring and control
processes of outsourcing.

It will be ensured that information used for due diligence is current and not more
than 12 months old.

The convener of the said committee will place a review note to the Risk and Capital
Management Committee (RCMC) on a half-yearly basis with the grievances of
the customers, if any, and the action taken will be reported to the Board, preferably
within 2 months from the end of the half-year/financial year.

7. Responsibilities of Senior Management:

• Evaluating the risks and materiality of all prospective outsourcing based on the
framework developed by the Board.
• Developing sound outsourcing policies and procedures for implementation by
Line Managers.
• Periodically reviewing the effectiveness of policies and procedures.
• Communicating significant risks in outsourcing to the Board on a periodic basis.
• Ensuring an independent review and audit in accordance with approved policies
and procedures.
• Ensuring contingency plans have been developed and tested adequately.

8. ‘Material’ Outsourcing

Bank will assess the degree of ‘materiality’ inherent in the outsourced functions and
exercise due diligence accordingly.

9. Risk Evaluation and Measurement

Risk evaluation should be performed prior to entering into an outsourcing agreement
and reviewed periodically in the light of known and expected changes, as part of the
strategic planning or review processes.

10. Contract
Agreements with third parties involving accessing, processing, communicating or
managing the organization’s information or information processing facilities, or
adding products or services to information processing facilities shall cover all relevant
security requirements.

Outsourcing Agreement with a service provider will be vetted by the Bank’s panel
advocate and/or by the Legal Department, Head Office on its legal effect and
enforceability. The agreement will also define the nature of legal relationship between
the parties – i.e., whether agent, principal or otherwise as the outsourcing agreement
prefers. Contracts will clearly define the roles and responsibilities of the parties to the
contract and include suitable indemnification clauses. Any ‘limitation of liability’
consideration incorporated by the service provider will be assessed in consultation
with the legal department. It will also briefly cover the following key provisions.
a. The contract will clearly define what activities are going to be outsourced
including appropriate service and performance standards.

b. Key performance metrics will be defined for each activity to be outsourced, as
part of the overall Service Level Agreement.

c. The Bank must ensure access to all books, records and information, which
are relevant to the outsourced activity and available with the service provider.
For technology outsourcing, requisite audit trails and logs for administrative
activities will be retained and accessible to the Bank based on approved
requests.

d. The contract will provide for continuous monitoring and assessment of the
service provider by the Bank, so that any necessary corrective measures can be
taken immediately, if the need arises.

e. A termination clause and minimum period to execute termination provision, if
deemed necessary.

f. Contingency plans to ensure business continuity.

g. The contract will provide for the prior approval/consent by the bank for the
use of subcontractors by the service provider for all or part of an outsourced
activity. The Bank will retain the ability of similar control and oversight over
the sub service provider as the service provider.

h. Provide the bank with the right to conduct audits on the service provider either
by its internal or external auditors, or by agents appointed to act on its behalf
and to obtain copies of any audit or review reports and findings made on the
service provider in conjunction with the services performed for the Bank.

i. Clauses to allow the Reserve Bank of India or persons authorized by it to access
the Bank’s documents, records of transactions, and other necessary information
given to, stored or processed by the service provider within a reasonable time.

j. A clause to recognize the right of the Reserve Bank to cause an inspection to be
made of the service provider of the bank, and its books and account by one or
more of its officers or employees or other persons.

k. The outsourcing agreement will also provide for confidentiality of customer’s
information even after the expiry or termination of contract.

l. Contract will include conditions for default termination / early exit option for
contracts. This may include circumstances when the service provider
undergoes a change in ownership, becomes insolvent or goes under
liquidation, receives a judicial indictment (whether within India or any other
location), or when there has been a breach of confidentiality, security, or
demonstrable deterioration in quality of services rendered.

m. In all cases of termination (early or otherwise), an appropriate handover
process for data and process will be agreed with the service provider.

n. The outsourcing agreement will provide for the preservation of documents and
data by the service provider in accordance with the legal/regulatory obligation
of the bank in this regard.

o. Agreements will specify the resolution process, the event of default,
indemnities involved and the remedies and recourse of the respective parties
to the agreement.

p. Agreements shall provide for periodic renewal and re-negotiation to enable the
Bank to retain an appropriate level of control over the outsourcing and shall
include the right to intervene with appropriate measures to meet the Bank’s
legal and regulatory obligations.

11. Providing access to vendors/ outsourced entities

11.1 While establishing connectivity with vendors/ partners the security measures
at their end will be evaluated to ensure that the Bank is not exposed to security
threats due to the connectivity.

11.2 Access, both physical and logical, when provided to partners shall be
authorized and approved by relevant authorities and shall be on a business
need basis.

11.3 Access provided to partners and vendors shall be logged and monitored.

11.4 Access privileges provided to partners/ vendors shall be periodically
reviewed by relevant authorities.

12. Confidentiality and Security

• Access to customer information by staff of the service provider will be on a ‘need
to know’ basis, i.e., limited to those areas where the information is required in
order to perform the outsourced function.
• The Department of the Bank which is directly associated with the service
provider (outsourced party) will review and monitor the security practices and
control processes of the service providers on critical functions on quarterly basis
and non-critical functions on yearly basis and require the service provider to
disclose security breaches.
• Mandatory controls are in place to ensure customer data confidentiality and
service providers' liability in case of breach of security and leakage of
confidential customer related information.

• Requirements for confidentiality or non-disclosure agreements reflecting the
organization’s needs for the protection of information shall be identified and
regularly reviewed.

13. Risk Management in outsourcing arrangements

Risks inherent to process outsourcing include Strategic risk, Reputation risk,
Operational risk, Compliance risk, Legal risk, Counter party risk, Country risk,
Contractual risk, Access risk, Concentration and systemic risk, and Exit strategy risk.
Bank has a Risk Management Process in place to effectively deal with risks arising
from outsourcing arrangements.

Rating of the service provider/outsourcing agency including DSAs and BSAs shall be
done by all Offices/Departments as per the template provided by Risk Management
Department, Head Office.

The Final rating of Service provider/outsourcing agency including DSAs and BSAs
shall be done by the Risk Management Department.

14. Service delivery

It shall be ensured that the security controls, service definitions and delivery levels
included in the third party service delivery agreement are implemented, operated,
and maintained by the third party.

15. Reporting to the regulator

The Bank reports to the regulator where the scale and nature of functions outsourced
are significant, or extensive data sharing is involved across geographic locations as
part of technology / process outsourcing, and when data pertaining to Indian
operations are stored / processed abroad. Provided that, in the payment ecosystem, all
system providers shall ensure that the entire data relating to payment systems
operated by them are stored in a system only in India. This data should include the
full end-to-end transaction details / information collected / carried / processed as
part of the message / payment instruction. For the foreign leg of the transaction, if
any, the data can also be stored in the foreign country, if required.

16. Multiple Service provider relationships

The Bank monitors the control environment of all service providers that have access
to the Bank systems, records or resources in a multiple service provider relationships
scenario.

17. Managed Security Service Provider (MSSP)

If security event management is outsourced to an MSSP, the latter will provide
notification when an incident requires attention. The Bank obtains as much information
on the incident as possible from the MSSP and implements remediation steps as
recommended by the MSSP.

18. Information security and Critical service providers/vendors

Third-party service providers are used in a variety of different capacities. These
providers may often perform important functions for the Bank and usually may
require access to confidential information, applications and systems.
a. Third parties can become a key component in an enterprise’s controls and its
achievement of related control objectives. Management will evaluate the role that
the third party performs in relation to the IT environment, related controls and
control objectives.
b. Third-party providers can affect Bank (including its partners), its processes,
controls and control objectives on many different levels. This includes effects
arising from such things as economic viability of the third-party provider, third-
party provider access to information that is transmitted through their
communication systems and applications, systems and application availability,
processing integrity, application development and change management processes
and the protection of systems and information assets through backup recovery,
contingency planning and redundancy.

c. The Bank implements appropriate controls, as the lack of controls may lead to
consequences such as loss of information confidentiality and privacy, systems not
being available for use when needed, unauthorized access and changes to
systems, applications or data, changes to systems, applications or data occurring
that result in system or security failures, loss of data, loss of data integrity, loss of
data protection, or system unavailability, loss of system resources and/or
information assets, and increased costs incurred by the enterprise as a result of any
of the above.
d. The relationship between the Bank and a third-party provider will be
documented in the form of an executed contract.

19. Sub-contracting

Agreements may include covenants limiting further sub-contracting. Agreements
should provide for due prior approval/consent by the bank of the use of
subcontractors by the service provider for all or part of an outsourced activity. The
Bank shall retain the ability of similar control and oversight over the sub service
provider as the service provider.

20. Dispute resolution:

Agreements should specify the resolution process, the event of default, indemnities
involved and the remedies and recourse of the respective parties to the agreement.

21. Applicable laws

Agreements should include choice of law provisions, based on the regulations as
applicable to the bank. An agreement should be tailored to provide for specific risks
relating to cross border businesses and operations, data privacy and ownership
aspects, among others.

22. Monitoring and Control of Outsourced Activities

The services, reports and records provided by the third party shall be regularly
monitored and reviewed, and audits shall be carried out regularly. Half yearly review
of the services of the outsourced agencies will be placed before the Risk and Capital
Management Committee (RCMC) by Operations Department.

23. Service Level Agreements and performance metrics

Management includes SLAs in the outsourcing contracts to agree and establish
accountability for performance expectations. SLA shall clearly formalize the
performance criteria to measure the quality and quantity of service levels. The Bank
will develop the following towards establishing an effective oversight program:
• Formal policy that defines the SLA program
• SLA monitoring process
• Recourse in case of non-performance
• Escalation process
• Dispute resolution process
• Conditions in which the contract may be terminated by either party

23.1 Service Level Agreements (SLA)

If the vendor service level falls below acceptable levels, it may affect the Bank in
unforeseen ways. Hence it becomes critical for the Bank to define service levels
and ensure vendor adherence to the same.

23.1.1 Relevant Department shall frame appropriate Service Level Agreements
to be adhered to by the vendor which shall thereafter be communicated to the
vendor and their acceptance of the same shall be obtained in writing.

23.1.2 Appropriate controls are put in place to track and monitor Service Levels
maintained by the vendors.
23.1.3 Penalties for Service Level Agreement violations are clearly defined and
communicated to the vendor and their acceptance of the same shall be obtained
in writing.

23.2 Non-Disclosure Agreements (NDA)

23.2.1 The Bank insists on vendors and partners signing a Mutual Non-
Disclosure Agreement (NDA) wherever there is a potential exchange of
confidential/ sensitive information.

23.2.2 While the Bank signs an NDA provided by the partner/ vendor, relevant
department reviews the same. The NDA shall be signed by an authorized
signatory.

23.3 Agreement with the Service Provider:

The agreement with the service provider shall invariably incorporate the
following clauses (apart from the regular clauses as approved by the legal
department):
23.3.1 The Bank shall have access to all books, records and information
relevant to the outsourced activity available with the service provider.

23.3.2 The Bank shall exercise the right to audit the activities of the service
provider by engaging internal or external auditors and to obtain copies of audit
or review reports and findings made on the service provider in conjunction with
the services performed for the bank.

23.3.3 The service provider shall allow the Reserve Bank of India or persons
authorized by it to access the Bank’s documents, records of transactions, and
other necessary information given to, stored or processed by the service provider
within a reasonable time.

23.3.4 The service provider shall recognize the right of the Reserve Bank of
India to cause an inspection to be made of a service provider and its books and
account by one or more of its officers or employees or other persons.

23.4 Definition of Roles and Responsibilities

23.4.1 All responsibilities of outsourced vendors and partners are clearly
defined, allocated to relevant roles and communicated to them.

23.4.2 Controls are put in place to track adherence and carrying out of
responsibilities.

23.4.3 Penalties for violations and non-performance of responsibilities,
wherever applicable are clearly communicated to partners and vendors.

23.5 Transfer, deployment and induction of staff :

23.5.1 The Bank shall reserve the right to interview and reject staff being
deployed by vendors/ partners for carrying out the responsibilities associated
with the Bank.

23.5.2 The Bank shall reserve the right of enforcing its employee selection
criteria and procedures to employees of the vendor who are to be deployed for
carrying out responsibilities associated with the Bank.

23.5.3 Staff of the vendors and partners shall undergo an induction program
detailing the operational procedures of the Bank, which they would be expected
to follow. A written acceptance stating their willingness to adhere to these shall
be obtained.

23.5.4 Wherever there is an exchange of confidential information, the Bank
shall ensure:

1. An NDA between the Bank and the partner/ vendor.

2. An NDA between the partner/ vendor and their staff.

23.6 Intellectual property rights

23.6.1 Issues on Intellectual property rights on innovations/ developments,
which might come about during the course of the contract, shall be discussed
and documented before commencement of work.

Innovations or developments may come about during the course of any contract.
The rights to such innovations/ developments in terms of who can use/ patent/
market the same shall be discussed and documented before commencing work.

24. Control Environment offered by the Service Provider

The Bank will evaluate the adequacy of internal controls environment offered by the
service provider.

25. Periodic Risk Assessment, Audit and Reviews

The Bank shall conduct pre and post outsourcing implementation reviews. The Bank
shall also review its outsourcing arrangements periodically to ensure that its
outsourcing risk management policies and procedures, and the Guidelines, are
effectively complied with. The Bank shall at least on an annual basis, review the
financial and operational condition of the service provider to assess its ability to
continue to meet outsourcing obligations. Such due diligence reviews, which can be
based on all available information about the service provider including reports by the
service provider’s external auditors, should highlight any deterioration or breach in
performance standards, confidentiality and security, and in business continuity
preparedness.

The Bank shall also periodically commission independent audit and expert
assessments on the security and control environment of the service provider. Such
assessments and reports on the service provider may be performed and prepared by
the institution’s internal or external auditors, or by agents appointed by the
institution.

26. Business Continuity and Management of Disaster Recovery Plan

The Bank shall ensure that business continuity preparedness is not adversely
compromised on account of outsourcing. In order to mitigate the risk of unexpected
termination of outsourcing agreement or liquidation of service providers, the
Department which engages the service providers will retain an appropriate level of
control over the outsourcing and the right to intervene with appropriate measures to
continue the business operations including the possibility of bringing the outsourced
activity back-in house in an emergency, without any break in the operations of the
Bank and its services to the customers.

The Bank adopts sound business continuity management practices as issued by RBI
and seeks proactive assurance that the outsourced service provider maintains
readiness and preparedness for business continuity on an ongoing basis.
***************

B. OUTSOURCING INFORMATION TECHNOLOGY SERVICES - CHAPTER – II

1. Background

IT outsourcing policy is crucial, given the technological innovation and ideations that
have inched into the Indian Financial system in recent times. Banks rely heavily on
technology to deliver their products and services to customers. Technology has
become the core component of every activity and operation in the banking system
today. Technology not being the core expertise of the Banking system, it is sometimes
necessary for the Banks to rely on the expertise residing outside the banking system
to deliver value and growth to the Banking sector.

2. Objective
The Bank, at its current stage of growth, continues to outsource technology
services to support its strategic goals. On one hand, the Bank benefits from IT
outsourcing in terms of cost efficiency, time to market, efficiency in delivery,
optimisation of costs by leveraging the expertise, resources and specialised skills of
service providers and reducing the Bank’s operational costs, and enhanced quality of
service and performance; at the same time, it faces the risks associated with such
outsourcing. This necessitates that the Bank formulate and implement a strong governance
framework around IT outsourcing. The objective of this policy is to ensure that IT
outsourcing activities by the Bank are managed in a controlled and secure manner,
aligning with business objectives, minimising risks, and maximising the benefits
derived from outsourcing.

3. Scope
This policy applies to all departments and employees involved in the outsourcing of
IT functions and services for Bank. It encompasses all aspects of IT outsourcing,
including but not limited to software development, infrastructure management, cloud
services, help desk support, network administration, and data centre operations.
The following outsourcing activities shall adhere to this policy:
a) IT infrastructure management, maintenance, and support (hardware, software,
or firmware).
b) Network and security solutions, maintenance (hardware, software, or
firmware).
c) Application Development, Maintenance and Testing; Application Service
Providers (ASPs) including ATM Switch ASPs.
d) Services and operations related to Data Centres.
e) Cloud Computing Services and Cloud Service Providers (CSPs)
f) Managed Security Services; and
g) Management of IT infrastructure and technology services associated with
payment system ecosystem.

The above service providers of the Bank will hereafter be referred to as IT Outsourcing
service providers in this Policy. The scope of the policy also covers activities that
may be classified as material outsourcing by the regulatory bodies.

4. Definitions
For the purpose of this policy, material outsourcing of IT services means outsourcing
of IT services which:

a. if disrupted or compromised, has the potential to impact the Bank's business
operations significantly; or

b. may have a material impact on the Bank's customers in the event of any unauthorised
access, loss, or theft of customer information.

5. Governance Framework
The Governance framework of IT outsourcing shall be guided by the Risk
Management framework of the Bank.

Framework shall include the following:

1. Governance Structure: (Board Oversight, Outsourcing Committee and Senior
Management)
2. Risk Assessment & Due Diligence: (Comprehensive evaluation & due
diligence on the proposed outsourced IT Services)
3. Selection & Management: (Selection of Outsourced Service Provider,
contractual agreements, onboarding etc.)
4. Data Security & Privacy: (Data protection & related compliances)
5. Compliance & Regulatory Oversight: (Regulatory reporting & compliance)
6. Business Continuity & Disaster Recovery: (Contingency planning, Testing &
drills, etc.)
7. Exit Strategy: (Termination procedures and triggering events)
8. Performance Metrics: (KPIs, SLA breaches, etc.)
9. Review: (Regular Audit or Assessments)

The Bank shall evaluate the need for Outsourcing IT Services based on a
comprehensive assessment, including the potential benefits, risks, and controls to
manage those risks. The Bank shall, inter alia, consider the following:

a. Determining the need for outsourcing based on the criticality of the activity to be
outsourced.
b. Determining expectations and outcomes from outsourcing.
c. Determining success factors and cost-benefit analysis, and
d. Deciding the outsourcing model.

During the onboarding process of the proposed IT Outsourced service provider the
Proposal document shall detail, among others, the risk category of the IT Outsourced
service provider guided by the risk framework of the Bank into one of the following:

a. Material Outsourcing – Critical IT Outsourced service provider
b. Non-Material Outsourcing – Non-Critical IT Outsourced service provider

The Bank shall ensure that the outsourcing does not impede RBI in its supervisory
functions and objectives.
The Bank shall ensure that the service provider, if not a group company, shall not be
owned or controlled by any director, key managerial personnel, or approver of the
outsourcing arrangement of the Bank or their relatives. The Bank shall ensure that
there is no conflict of interest arising out of third-party engagements.
All data collected, stored and processed for the services provided to the Bank shall be
from systems in India.
Only Cloud Service Providers and data centres (for cloud) approved by MeitY (Ministry
of Electronics and Information Technology, Government of India) shall be used by the
Bank. Further, the cloud controls dealt with in the Cloud policy (Policy on IT, Chapter 6)
and the RBI guidelines on usage of cloud computing services and outsourcing of security
operations, as indicated in Appendix I and modified from time to time, shall be
adhered to.
The Bank shall create an inventory of the IT outsourcing service providers covering
all basic elements of contractual terms, key entities involved in their supply chains,
and Risk categorisation.
Bank shall consider all relevant laws, regulations, rules, guidelines and conditions of
approval, licensing, or registration when performing its due diligence in relation to
outsourcing of IT services.

6. Roles and responsibilities
6.1. Role of the Board

The Board of the Bank shall, inter alia, be responsible to:

a. Put in place a framework for approval of IT outsourcing activities depending on
risks and materiality.
b. Approve IT outsourcing policy and evaluate the risks and materiality of all existing
and prospective IT outsourcing arrangements; and
c. Approve the IT outsourcing implementation framework for the purpose of these
Directions.

6.2. Role of the Senior Management

The Senior Management of the Bank shall, inter alia, be responsible to:

a. Formulate IT outsourcing policies and procedures, evaluating the risks and
materiality of all existing and prospective IT outsourcing arrangements based on
the framework commensurate with the complexity, nature, and scope, in line with
the enterprise-wide risk management of the organisation approved by the Board
and its implementation.
b. Prior evaluation of prospective IT outsourcing arrangements and periodic
evaluation of the existing outsourcing arrangements covering the performance
review, criticality, and associated risks of all such arrangements based on the
policy approved by the Board.
c. Identify IT outsourcing risks as they arise, monitoring, mitigating, managing, and
reporting them to the Board / Board Committee in a timely manner.
d. Ensure that suitable business continuity plans based on realistic and probable
disruptive scenarios, including the exit of any third-party service provider, are in
place and tested periodically.
e. Ensure (i) effective oversight over Outsourced Service Providers for data
confidentiality and (ii) appropriate redressal of customer grievances in a timely
manner.
f. Ensure an independent review and audit on a periodic basis for compliance with
the legislations, regulations, Board-approved policy, and performance standards
and reporting the same to Board / Board Committee; and
g. Create essential capacity with required skillsets within the organisation for proper
oversight of outsourced activities.

6.3 Role of IT Function

The responsibilities of the IT Function of the Bank shall, inter alia, include:

a. Assist the Senior Management in identifying, measuring, monitoring, mitigating,
and managing the level of IT outsourcing risk in the organisation.
b. Ensure that a central database of all IT outsourcing arrangements is maintained
and is accessible for review by the Board, Senior Management, Auditors and
Supervisors.
c. Effectively monitor and supervise the outsourced activity to ensure that the service
providers meet the laid down performance standards and provide uninterrupted
services, report to the Senior Management; co-ordinate periodic due diligence and
highlight concerns, if any; and

Put in place the necessary documentation required for contractual agreements,
including service level management, monitoring of Outsourced Service Provider
operations, key risk indicators and classifying the Outsourced Service Providers as
per the determined risk.

d. Track all monitoring, review, and audit of outsourcing partners by respective
internal and external entities and ensure timely completion of such activities and
its resultant outcome/action.
e. Report to the respective internal committees/Board and external authorities as
per the defined frequency and on any ad hoc requirements arising out of outsourcing
activities.

6.4 Outsourcing within a Group / Conglomerate

Bank may outsource any IT activity / IT-enabled service within its business
group/conglomerate provided such an arrangement shall be backed by appropriate
service level arrangements/agreements with its group entities and shall maintain
arm's length relationship in dealings with group entities. Risk management practices
being adopted by the Bank while outsourcing to a group entity will be identical to
those specified for a non-related party.

6.5 Cross Border Outsourcing

In case the Bank engages a service provider outside the Jurisdiction of India, the
additional requirements for cross-border outsourcing, as enunciated by RBI and other
statutory authorities from time to time, will be complied with.

6.6 Contract (Legally binding agreement)

A formal, legally binding Contract shall be signed with the Outsourcing service
provider before the commencement of any service. The Contract can be Time based
(for a fixed period of time) or Project/Deliverable based.

The terms and conditions shall be vetted by the Legal Dept of the Bank. The formal
Contract for IT outsourcing shall cover the following mandatory clauses:

a. The Scope of Work, Roles and Responsibilities, Security Requirements,
adherence to the Bank's Information Security Policy, Escalation mechanism,
availability of services to be maintained in the event of a disaster etc.
b. Prescribed minimum considerations as per Annexure A.
c. Flexibility for benchmarking to align with current conditions, while ensuring
compliance to the guidelines issued periodically by the Regulator and/or
competent authorities.
d. Agreement to implement additional controls as prescribed by the Bank from
time to time.

Applicable regulatory/statutory requirements shall be complied with as applicable to
the location and nature of the services.

a. Bank shall have the right to audit the contractual responsibilities of the
Outsourcing Services provider at any given point of time during the period of
the Contract.
b. Any change to the supplier agreement shall follow the change management
process and shall be implemented only after approval from the competent
authority.
c. Sub-contract clause and required approval that is necessary to be obtained from
the Bank should be in place.
d. Bank shall reserve the right to any intellectual property arising from
collaborative work with the Outsourcing Services provider like development
of software etc.
e. Exit clause detailing safe removal/destruction of data, hardware, and other
records of the Bank. The service provider shall be legally obliged to the Bank’s
decision on alternate solution in the event of exiting the relationship and
cooperate fully with the Bank and the new service provider. Agreement shall
ensure that the service provider is prohibited from erasing, purging, revoking,
altering, or changing any data during the transition period, unless specifically
advised by the regulator or the Bank.
f. Access rights clause stating the service provider grants unrestricted and
effective access to a) data related to the outsourced activities; b) the relevant
business premises of the service provider; subject to appropriate security
protocols, for the purpose of effective oversight use by the Bank, their auditors,
regulators, and other relevant Competent Authorities, as authorised under law.

6.7 Service Level Agreement

Service Level Agreement (SLA) details shall be agreed upon with the Outsourcing
Services provider. Service Level agreement shall lay down the details of the activities
being outsourced, including appropriate service and performance standards for the
Outsourced service provider and sub-contractors, if any.

Service level agreement signed between the Bank and the service providers shall be
part of the legally binding Contract with the Outsourced Service Providers.

6.8 Security and Operations

Outsourcing Services provider shall sign the Non-Disclosure Agreement (NDA) and
shall adhere to IT Policies, Security Policies, and Compliance and Statutory
requirements of the Bank.

The access by the Outsourcing Services provider shall be on a need-to-know basis.
Access provided to the Outsourcing Services provider shall be tracked, monitored, and
audited on a periodic basis. The activities of Outsourcing Services providers having
access to the Bank's systems (either through their own systems or through their users)
shall be logged as per the logging and monitoring policy.

Adequate security requirements shall be identified for the Outsourcing Services
provider as per the Information security policy.

All documents and information that may be provided to the Outsourcing Services
provider shall be noted and reviewed by the concerned IT Function. The documents and
information must be returned to the Bank on contract expiry or termination. Also, any soft
copy document maintained on a mobile computing device of the Outsourcing Services
provider must be destroyed on contract expiry or termination. No part of the
documents or information provided may be copied without the prior explicit
permission of the respective Head of IT Function or the authorised competent
authority.

The Outsourced Service Provider shall notify any type of security violation or security
incident which may potentially affect the Bank's computing environment within the
mutually agreed duration. The Outsourced Service Provider shall have documented
recovery procedures for the services provided to the Bank as per the service level
agreement with the Bank.

During the period of the Contract, it shall be the responsibility of the Outsourcing
Services provider to protect any document or information provided to them against
loss, theft, or misuse. Any such incident shall be reported immediately to the CISO
Office, which in turn shall immediately report to senior management. The service
provider's personnel must be familiar with the requirements of the outsourced
activities and of the Bank, and shall adhere to the policies, standards, and procedures
as governed by the organisation. The Bank shall verify that Outsourced Service
Providers have an appropriate security programme to train their personnel on security
related issues and on their assigned roles.

Security Assessments shall be carried out periodically to review and assess the risks
to the Bank and security controls implemented by the Outsourced Service Provider.
The Bank shall also periodically commission independent audit and expert
assessments on the security & controls implemented by the service provider.

7. Due Diligence on Service Providers

The Bank may delegate its day-to-day operational duties to a service provider.
Responsibilities for effective due diligence, oversight and management of outsourcing
and accountability for all outsourcing decisions continue to rest with the Bank, Board,
and senior management.

While evaluating Outsourced Service Providers, business partners and outsourced
entities, the security measures at their end shall be evaluated as part of the due
diligence taken up by the Bank (as applicable). These parties shall have the ability to
maintain confidentiality, integrity, and availability of the Bank related information.

The Bank shall carefully evaluate the need for outsourcing critical processes and the
selection of the Outsourced Service Provider/partner based on a comprehensive risk
assessment. In negotiating / renewing an outsourcing arrangement, due diligence will
be performed to assess the capability of the technology service provider to comply with
obligations in the outsourcing agreement. Due diligence will involve an evaluation of
all information about the service provider, including qualitative, quantitative,
financial, operational, and reputational factors, as follows:

➢ Past experience and competence to implement and support proposed activities
over the contractual period.
➢ Financial soundness and ability to service commitments even under adverse
conditions.
➢ Business reputation and culture, compliance, complaints and outstanding or
potential litigations
➢ Security and internal control, audit coverage reporting and monitoring
environment, business continuity management.
➢ External factors like political, economic, social, and legal environment of
jurisdiction in which the service provider operates and other events that may
impact service performance.
➢ Business continuity arrangements in case of technology outsourcing.
➢ Due diligence for sub-service providers.
➢ Risk management, framework, alignment to applicable international standards on
quality / security / environment, etc., may be considered.
➢ Secure infrastructure facilities.
➢ Employee training, knowledge transfer.
➢ Reliance on and ability to deal with sub-contractors.

The Bank shall devise due diligence of varying depth based on the inherent risk in the
outsourcing arrangements. Due diligence undertaken during the selection process will be
documented and re-performed periodically as part of the monitoring and control
processes of outsourcing.

8. Grievance Redressal Mechanism

The Bank's customer grievance and redressal mechanism shall be communicated to
Outsourced Service Provider to be adhered to as per Bank's policy. The responsibility
for redressal of customers' grievances related to outsourced services shall be with the
Bank.
Outsourcing arrangements shall not in any way affect the rights of the customer
against the Bank.

9. Monitoring and Control of Outsourced Activities

9.1 Quarterly Review

The Head of IT Function shall, on a quarterly basis, review the Performance and SLA
Compliance. Outsourced Service Providers are monitored and reviewed for the
following:

➢ Performance in delivery of services
➢ Quality in delivery of services
➢ Minimal number of issues or problems
➢ Quality of support in resolving issues or problems
➢ Support during emergency requirements
➢ Adherence to all the contractual conditions.

Review meetings shall be conducted with the Outsourcing Services Provider to assess
the performance and SLA Compliance.

9.2 Review
All material (critical) outsourcing services shall be subject to half-yearly review by the
Outsourcing Committee. The objective of this review is to assure the management
that the financial and operational strength of the service provider in offering
uninterrupted services, as agreed per the agreement, is in order.

During the review, the Bank shall insist on, and obtain evidence that, the service
provider isolates the Bank's information, data, records of transactions, documents and
assets so that they are identifiable and can be deleted, destroyed or rendered unusable
in the event of termination. Review and maintenance of the inventory of Outsourced
service providers is part of the Annual review.

9.3 Audit
Audit and Assurance: The audit / periodic review / third-party certifications should
cover, as per applicability and cloud usage, inter alia, aspects such as roles and
responsibilities of both Bank and CSP in cloud governance, access and network
controls, configurations, monitoring mechanism, data encryption, log review, change
management, incident response, and resilience preparedness and testing, etc.

10. Business Continuity Plan and Disaster Recovery Plan

The Bank, in conjunction with its prevailing BCP and DR policy, shall put in place
practices to examine the BCP and DR readiness of the service provider wherever
applicable. This shall be assessed as part of the Bank's Annual Risk Review of the
service provider to ensure the framework covers the extent of regulatory instructions
issued from time to time.

The annual risk review shall cover the readiness of the Bank, detailing the alternatives
available to the Bank to switch to another service provider or bring the services in-house
in the eventuality of disruption at the current service provider's delivery. This shall be
detailed covering the cost, time, and other relevant resources needed to manage the BCP.

11. Exit Strategy
Bank shall assess and recommend exiting the relationship with the outsourcing
service provider under the following scenarios.

a. Change in the strategy or ownership of the outsourcing partner.
b. Financial instability that may lead to insolvency or liquidation of outsourcing
partner.
c. Any regulatory / judicial indictment of the outsourcing partner that may impact
their service to the Bank.
d. Any incidents of breach of confidentiality, security in the conduct of the
outsourcing partner.
e. Continuous deterioration in delivering the services against the contractual
obligations and SLA entered with the Bank.
f. Any other scenario that may impact the service in the long run and pose a threat
to the business continuity.

Annexure A – Considerations for Agreement

The below aspects should be considered in the agreement with the IT Service
Providers, as applicable (based on service):
• Details of the activity being outsourced, including appropriate service and
performance standards including for the sub-contractors.
• Access by the Bank to all data, books, records, information, logs, alerts, and
business premises relevant to the outsourced activity, available with the service
provider.
• Regular monitoring and assessment of the service provider for continuous
management of the risks holistically, so that any necessary corrective measure
can be taken immediately.
• Type of material adverse events (e.g., data breaches, denial of service, service
unavailability, etc.) and the incidents required to be reported to the Bank, to
ensure prompt risk mitigation measures and ensure compliance with statutory
requirements and guidelines.
• Compliance with the provisions of Information Technology Act, 2000, other
applicable legal requirements and standards to protect the customer data.
• The deliverables, including Service-Level Agreements (SLAs) formalising
performance criteria to measure the quality and quantity of service levels.
• Storage of data only in India as per extant regulatory requirements.
• Information and Cyber Security Control
• Clauses requiring the service provider to provide details of data captured,
processed, and stored.
• Controls for maintaining the confidentiality of data of Bank and its customers
and incorporating the service provider's liability to Bank in the event of security
breach and leakage of such information.
• Data sharing arrangements, Data lifecycle including disposal of data.
• Transfer of data back to the Bank in the event of termination or at the end of
the engagement with the Outsourced Service Provider
• Specifying the resolution process, events of default, indemnities, remedies, and
recourse available to the respective parties.
• Contingency plans to ensure BCP and testing requirements.
• Right to conduct audit of the service provider (including its sub-contractors) by
the Bank, whether by its internal or external auditors, or by agents appointed
to act on its behalf, and to obtain copies of any audit or review reports and
findings made about the service provider in conjunction with the services
performed for the Bank, Including audit by regulators and legal authorities.
• Including clauses making the service provider contractually liable for the
performance and risk management practices of its sub-contractors.
• Right to seek information from the service provider about the Outsourced
Service Provider (in the supply chain) engaged by the service provider.
• Obligation of the service provider to comply with directions issued by the RBI in
relation to the activities outsourced to the service provider, through specific
contractual terms and conditions specified by the Bank.
• Clauses requiring prior approval/ consent of the Bank for use of sub-
contractors by the service provider for all or part of an outsourced activity.
• Termination rights of the Bank, including the ability to orderly transfer the
proposed IT-outsourcing arrangement to another service provider, if necessary
or desirable.
• Obligation of the service provider to co-operate with the relevant authorities in
case of insolvency/ resolution of the Bank.
• Provision to consider skilled resources of service provider who provide core
services as "essential personnel" so that a limited number of staff with back-up
arrangements necessary to operate critical functions can work on-site during
exigencies (including pandemic situations).
• Clause requiring suitable back-to-back arrangements between service
providers and the OEMs.
• Clause requiring non-disclosure agreement with respect to information
retained by the service provider.

Appendix – I – Usage of Cloud Computing Services

There are several cloud deployment and service models that have emerged over time.
These are generally based on the extent of technology stack that is proposed to be
adopted by the consuming entity. Each of these models comes with corresponding
service, business benefit and risk profiles.

In addition to the Outsourcing of IT Services controls prescribed in the policy, Bank will
adopt the following requirements for storage, computing, and movement of data in
cloud environments:

1. While considering adoption of a cloud solution, it is imperative to analyse the
business strategy and goals adopted to the current IT applications footprint
and associated costs. Cloud adoption ranges from moving only non-business
critical workloads to the cloud to moving critical business applications such
as SaaS adoption and the several combinations in-between, which should be
based on a business technology risk assessment.

2. In engaging cloud services, Bank will ensure, inter alia, that the
Outsourcing of IT Services policy addresses the entire lifecycle of data, i.e.,
covering the entire span of time from generation of the data, its entry into
the cloud, till the data is permanently erased / deleted. The Bank will
ensure that the procedures specified are consistent with business needs and
legal and regulatory requirements.

3. In adoption of cloud services, Bank will consider the cloud service specific
factors, viz., multi-tenancy, multi-location storing / processing of data, etc.,
and attendant risks, while establishing appropriate risk management
framework. Cloud security is a shared responsibility between the Bank and
the Cloud Service Provider (CSP). Bank may refer to some of the cloud
security best practices, for implementing necessary controls, as per
applicability of the shared responsibility model in the adoption of cloud
services.

4. Cloud Governance: Bank has adopted and demonstrated a well-established
and documented cloud adoption policy (Chapter 6 of Policy on IT). Such a
policy should, inter alia, identify the activities that can be moved to the
cloud, enable and support protection of various stakeholder interests, ensure
compliance with regulatory requirements, including those on privacy,
security, data sovereignty, recoverability, and data storage requirements,
aligned with data classification. The policy should provide for appropriate
due diligence to manage and continually monitor the risks associated with
CSPs.

Cloud Service Providers (CSP)

Considerations for selection of CSP: Bank will ensure that the selection of the CSP
is based on a comprehensive risk assessment of the CSP. Bank will enter a contract
only with CSPs subject to jurisdictions that uphold enforceability of agreements and
the rights available thereunder to Bank, including those relating to aspects such as
data storage, data protection and confidentiality.

Cloud Services Management and Security Considerations

a) Service and Technology Architecture: Bank will ensure that the service
and technology architecture supporting cloud-based applications is built in
adherence to globally recognised architecture principles and standards.
Bank will prefer a technology architecture that provides for secure
container-based data management, where encryption keys and Hardware
Security Modules are under the control of the Bank. The architecture
should provide for a standard set of tools and processes to manage
containers, images, and releases. Multi-tenancy environments should be
protected against data integrity and confidentiality risks, and against co-
mingling of data. The architecture should be resilient and enable smooth
recovery in case of failure of any one or combination of components across
the cloud architecture with minimal impact on data / information security.

b) Identity and Access Management (IAM): IAM shall be agreed upon with
the CSP and ensured for providing role-based access to the cloud hosted
applications, in respect of user-access and privileged-access. Stringent
access controls, as applicable for an on-premises application, may be
established for identity and access management to cloud-based
applications. Segregation of duties and role conflict matrix should be
implemented for all kinds of user-access and privileged-access roles in the
cloud-hosted application irrespective of the cloud service model. Access
provisioning should be governed by principles of 'need to know' and 'least
privileges'. In addition, multi-factor authentication should be implemented
for access to cloud applications.
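The role conflict matrix, the MFA requirement for access to cloud applications and the least-privilege principle stated above can be checked mechanically against the entitlement data a CSP's IAM service exports. The following is an added illustration of such a review, not part of this policy or of any CSP's tooling; the role names, the conflict pairs, the set of privileged roles and the sample identities are constructed assumptions, and a real review would load them from the CSP's IAM export, the Bank's access logs and the Bank's approved conflict matrix.

```python
"""Added illustration: reviewing cloud IAM assignments against a
segregation-of-duties (SoD) matrix, an MFA rule for privileged roles,
and a least-privilege check on roles that were granted but never used.
All role names and identities below are constructed for the example."""
from dataclasses import dataclass, field
from itertools import combinations
from typing import List, Set, Tuple

# Assumed role-conflict matrix: each pair is two roles that one identity
# must never hold at the same time (segregation of duties).
ROLE_CONFLICTS: Set[frozenset] = {
    frozenset({"payment_initiator", "payment_approver"}),
    frozenset({"developer", "production_deployer"}),
    frozenset({"iam_admin", "audit_log_reader"}),
}

# Assumed set of privileged roles for which MFA enrolment is mandatory.
PRIVILEGED_ROLES: Set[str] = {"iam_admin", "production_deployer", "db_admin"}


@dataclass
class Identity:
    """One user or service identity as exported from the CSP's IAM."""
    name: str
    roles: Set[str]
    mfa_enrolled: bool
    # Roles actually exercised in the review window (from access logs);
    # anything granted but unused is a least-privilege candidate.
    used_roles: Set[str] = field(default_factory=set)


def sod_violations(identity: Identity) -> List[Tuple[str, str]]:
    """Return every conflicting role pair the identity holds, in sorted order."""
    return [
        pair
        for pair in combinations(sorted(identity.roles), 2)
        if frozenset(pair) in ROLE_CONFLICTS
    ]


def mfa_gap(identity: Identity) -> bool:
    """True when a privileged role is held without MFA enrolment."""
    return bool(identity.roles & PRIVILEGED_ROLES) and not identity.mfa_enrolled


def unused_roles(identity: Identity) -> List[str]:
    """Roles granted but not exercised during the review window."""
    return sorted(identity.roles - identity.used_roles)


def review(identities: List[Identity]) -> List[Tuple[str, str, str]]:
    """Produce (identity, finding type, detail) rows for the access review."""
    findings = []
    for ident in identities:
        for a, b in sod_violations(ident):
            findings.append((ident.name, "SOD_CONFLICT", f"{a}+{b}"))
        if mfa_gap(ident):
            privileged = sorted(ident.roles & PRIVILEGED_ROLES)
            findings.append((ident.name, "MFA_MISSING", ",".join(privileged)))
        for role in unused_roles(ident):
            findings.append((ident.name, "UNUSED_ROLE", role))
    return findings


# Constructed sample IAM export for one quarterly review.
SAMPLE_IDENTITIES = [
    Identity("alice", {"payment_initiator", "payment_approver"}, True,
             {"payment_initiator", "payment_approver"}),
    Identity("bob", {"iam_admin"}, False, {"iam_admin"}),
    Identity("carol", {"developer", "db_admin"}, True, {"developer"}),
    Identity("dave", {"audit_log_reader"}, True, {"audit_log_reader"}),
]

if __name__ == "__main__":
    for row in review(SAMPLE_IDENTITIES):
        print("\t".join(row))
```

Each row of the output is one finding to be actioned in the quarterly review: a segregation-of-duties conflict to be resolved by removing one of the two roles, a privileged identity without MFA to be remediated before it is used again, or a granted-but-unused role that should be withdrawn under least privilege.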

c) Security Controls: Bank will ensure that the implementation of security
controls in the cloud-based application achieves similar or higher degree of
control objectives than those achieved in / by an on-premises application.
This includes ensuring - secure connection through appropriate
deployment of network security resources and their configurations;
appropriate and secure configurations, monitoring of the cloud assets
utilised by the Bank; necessary procedures to authorise changes to cloud
applications and related resources.

d) Robust Monitoring and Surveillance: Bank will accurately define
minimum monitoring requirements in the cloud environment. Bank will
ensure to assess the information / cyber security capability of the cloud
service provider, such that:

• the CSP maintains an information security policy framework commensurate
with its exposures to vulnerabilities and threats;
• the CSP can maintain its information / cyber security capability with respect
to changes in vulnerabilities and threats, including those resulting from
changes to information assets or its business environment;
• the nature and frequency of testing of controls by the CSP in respect of the
outsourced services is commensurate with the materiality of the services
being outsourced by the Bank and the threat environment; and
• the CSP has mechanisms in place to assess the sub-contractors with regards
to confidentiality, integrity and availability of the data being shared with
the sub-contractors, where applicable.

Appropriate integration of logs and events from the CSP into the Bank's SOC,
wherever applicable, and / or retention of relevant logs in the cloud shall be
ensured for incident reporting and handling of incidents relating to services
deployed on the cloud.

The Bank's own efforts in securing its application shall be complemented by
the CSP's cyber resilience controls. The CSP / Bank will ensure continuous
and regular updates of security-related software including upgrades, fixes,
patches, and service packs for protecting the application from advanced
threats / malware.

Vulnerability Management: Bank will ensure that CSPs have a well-governed
and structured approach to manage threats and vulnerabilities supported by
requisite industry-specific threat intelligence capabilities.

Disaster Recovery & Cyber Resilience

The Bank's business continuity framework shall ensure that, in the event of a
disaster affecting its cloud services or failure of the CSP, the Bank can continue
its critical operations with minimal disruption of services while ensuring
integrity and security.

Bank will ensure that the CSP puts in place demonstrable capabilities for
preparedness and readiness for cyber resilience with regard to the cloud
services in use. This should be systematically ensured, inter alia, through
robust incident response and recovery practices, including the conduct of
Disaster Recovery (DR) drills at various levels of cloud services involving the
necessary stakeholders.

The following points may be evaluated while developing an exit strategy:

a) the exit strategy and service level stipulations in the SLA shall factor in,
inter alia,
i) agreed processes and turnaround times for returning the Bank's service
collaterals and data held by the CSP;
ii) data completeness and portability;
iii) secure purge of Bank's information from the CSP's environment;
iv) smooth transition of services; and
v) unambiguous definition of liabilities, damages, penalties, and
indemnities.

b) monitoring the ongoing design of applications and service delivery
technology stack that the exit plans should align with.

c) contractually agreed exit / termination plans should specify how the cloud-
hosted service(s) and data will be moved out from the cloud with minimal
impact on continuity of the Bank's business, while maintaining integrity and
security.

d) All records of transactions, customer and operational information, and
configuration data should be promptly taken over in a systematic manner
from the CSP and purged at the CSP-end, and independent assurance sought
before signing off from the CSP.

Audit and Assurance: The audit / periodic review / third-party certifications should
cover, as per applicability and cloud usage, inter alia, aspects such as roles and
responsibilities of both Bank and CSP in cloud governance, access and network controls,
configurations, monitoring mechanism, data encryption, log review, change
management, incident response, and resilience preparedness and testing.

*********

Redressal of Grievances Related to Outsourced Services

Bank has a robust grievance redressal mechanism.

Review of the Policy

This policy shall be reviewed at least annually or as and when required. The
Managing Director is empowered to permit modifications to this policy from time
to time to accommodate regulatory changes.



Reference ISO27001:2013
A 15.1.2 Addressing security within supplier agreements
A 15.2.1 Service delivery
A 15.2.1 Monitoring and review of supplier’s services
Document Title Outsourcing Policy
Document Classification Confidential-Internal
Document No. KBL/ISMS/POL/005
Version History
Version No. | Date | Changes/Comments | Changed By
1.0 | 03.12.2012 | Initial Document | N. A.
2.0 | 07.10.2014 | Transition to ISO27001:2013 Std. | CISO
2.1 | 27.05.2015 | Annual Review | HR&IR
2.2 | 07.06.2016 | Annual Review | HR&IR
2.3 | 30.05.2017 | Annual Review | HR&IR
2.4 | 29.05.2018 | Annual Review | HR&IR
2.5 | 23.05.2019 | Annual Review | HR&IR
2.6 | 24.04.2020 | Annual Review | HR&IR
2.7 | 23.03.2021 | Annual Review | HR & IR
2.8 | 14.03.2022 | Annual Review | HR & IR
2.9 | 26.05.2023 | Annual Review | HR & IR
3.0 | 19.06.2024 | Annual Review | HR & IR
Approved by

CISO-Signature
