Resolution CMN 4,658 of April 26, 2018
Paragraph 1. In the assessment of the relevance of the service to be contracted, mentioned
in item I of the heading, the contracting institution must consider the criticality of the service and the
sensitivity of the data and information to be processed, stored and managed by the third-party provider,
taking into account the classification carried out in accordance with art. 3, item V, sub-item “c”.
Paragraph 2. The procedures mentioned in the heading must be documented, including the
information related to the verification mentioned in item II.
Paragraph 3. In the case of applications run through the internet, referred to in item III of
art. 13, the institution must ensure that the potential third-party provider adopts controls that mitigate
the effects of possible vulnerabilities in releasing new versions of the application.
Paragraph 4. The institution must have the necessary resources and competencies for the
adequate management of the services to be contracted, including the analysis of information and use of
resources provided under the terms of sub-item “f”, item II.
Art. 13. For the purposes of this Resolution, cloud computing services comprise the
availability to a contracting institution, on demand and in a virtual form, of at least one of the following
services:
I – data processing, data storage, network infrastructures and other computational
resources that enable the contracting institution to deploy or run software, which may include operating
systems and applications developed or acquired by the institution;
II – deployment or execution of applications developed or acquired by the contracting
institution using a third-party provider's computing resources; or
III – execution, through the internet, of applications deployed or developed by a third-party
provider using its own computational resources.
Art. 14. The institution contracting the services mentioned in art. 12 is responsible for the
reliability, integrity, availability, security and confidentiality of the services contracted, as well as for
compliance with the legislation and regulation in force.
Art. 15. The contracting of relevant services of data processing, data storage and cloud
computing must be previously communicated to the Central Bank of Brazil by the institutions mentioned
in art. 1º.
Paragraph 1. The communication mentioned in the heading must comprise the following
information:
I – the name of the third-party provider to be contracted;
II – the relevant services to be contracted; and
III – the designation of the countries and the regions in each country where the services
can be provided and the data can be stored, processed and managed, as defined in item III, art. 16, in the
case of contracting abroad.
Paragraph 2. The communication mentioned in the heading must be made at least sixty
days before the contracting of services.