Staying Ahead of New Regulations in APAC

Over the course of the COVID-19 pandemic, we’ve seen our customers across the globe increase their use of cloud services, in large part due to an increase in e-commerce activities, digitization efforts, and the move to remote work. This shift has put further emphasis on the importance of security and control in cloud computing. Cloud Service Providers (CSP) have a responsibility to provide transparency and assurance around how customer data is being stored, processed, and protected, which is why in 2021 we’ve increased our efforts to support security and compliance in the APAC region.   

At Google Cloud, we strongly believe in trust and transparency, and recently outlined criteria we believe defines what it means to be a trusted cloud service provider. Data protection is a baseline requirement across many industries and the need for a trusted, compliant cloud service provider becomes increasingly important as new regulations are published and organizations shift their IT operations and workloads to public cloud platforms. In the APAC region, there have been some key regulatory updates over the course of the last year, which include: 

• IRAP  (Information Security Registered Assessors Program) - A framework for assessing the implementation and effectiveness of an organization’s security controls against the Australian government’s security requirements. 
• ISMAP (Information System Security Management and Assessment Program) - A Japanese government system for assessing the security and operation of cloud service providers to participate in public sector tenders.
• ETDA (Electronic Transaction Development Agency) - An agency setting the security standard for meeting control systems.
• RBIA (Risk Based Internal Audit) - An internal audit methodology that provides assurance to a Board of Directors on the effectiveness of how risks are managed. 
• GR 95 (Presidential Regulation No. 95) - Responsible for providing guidance to government agencies and businesses to implement online governance tools used for public services.

We have posted updates to guidance and resources to help support regulatory and compliance requirements as part of our compliance offerings, which include compliance mappings geared toward assisting regulated entities with their regulatory notification and outsourcing requirements. You’ll also be able to see the results of the assessments and certifications that we’ve completed so far this year:

• Australia - IRAP
• India - RBI Outsourcing Guidelines
• India -  Ministry of Electronics and Information Technology (MeitY)
• Indonesia - Government Regulation (GR) 95
• Japan - ISMAP
• Korea - Regulation on Outsourcing of Information Processing Business of Financial Institutions
• Korea - K-ISMS (Korea Information Security Management System)
• Singapore - Multi-Tier Cloud Security (MTCS) Tier 3 
• Singapore - MAS Technology Risk Management Guidelines (MAS TRM)
• Thailand - ETDA

In the coming months we will continue providing updates and you can look forward to the following: 

• Australia SCEC Zone 3/ PSZ 3 - Enablement of SCEC Z3 for our Melbourne Region, allowing for regional replication.
• 2G3M Japan - Healthcare Security Guidelines for the Ministry of Health, Labor, and Welfare. 
• MAMPU (Malaysian Administrative Modernization and Management Planning Unit) - A government agency in Malaysia tasked with facilitating the modernization of the public administrative system and driving economic growth in Malaysia by helping public sector agencies adopt innovative technologies.

As this space continues to evolve, we are committed to doing our best to stay ahead of new and changing regulations. Look for updated compliance offerings and continued momentum in this space.