The Securities and Exchange Board of India (SEBI), vide circular dated November 04, 2022, has issued a Consultation Paper on Cloud Framework. The summary of the framework is as follows:
- There are no limitations on using any cloud deployment model. The SEBI regulated entity (RE) may adopt cloud computing depending on its business and technology risk assessment.
- It is to be noted that although IT services/functionality can be outsourced (to a cloud-based solution), the RE is solely accountable for all aspects related to the cloud services, including but not limited to availability of cloud applications, confidentiality, integrity and security of its data and logs, and ensuring the RE's compliance with the laws, rules, regulations, circulars, etc. issued by SEBI/Union Government/respective state government. Accordingly, the RE shall be held accountable for any violation of the same.
- The cloud services should be taken only from the data centers of MeitY-empaneled cloud service providers (CSPs). The CSP's data center should hold a valid STQC (or any other equivalent agency appointed by the Government of India) audit status.
- In a multi-tenant cloud architecture, adequate controls shall be provisioned to ensure that data (in transit, at rest and in process) is isolated and inaccessible to any other tenant. The RE shall assess the multi-tenancy segregation controls put in place by the CSP and add security controls of its own if required.
- Data shall be encrypted at every lifecycle stage (at rest, in transit, in use), irrespective of source or location, to ensure confidentiality, privacy and integrity.
- The RE shall retain complete ownership of its data and all associated data, encryption keys, logs, etc. residing in the cloud.
- Compliance with legal and regulatory requirements has to be ensured by the RE.
- The cloud deployments of the RE shall be monitored through an in-house Security Operations Centre (SOC), a third-party SOC or a managed SOC.
- Necessary provisions for audit and inspection of the CSP and its sub-contractors, or for engaging a third-party auditor to conduct such audit and inspection, should be included.
- The agreement between the RE and the CSP shall cover security controls, legal and regulatory compliances, clear demarcation of roles and liabilities, appropriate service and performance standards, etc.
The proposed cloud framework will guide REs in adopting cloud computing to augment business prospects through scalability, reduced operational cost, digital transformation and reduced IT infrastructure complexity.