TMI Blog

Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)

..... nd regulatory compliances by the RE. The framework shall be seen as an addition to already existing SEBI circulars/ guidelines/ advisories.

2. Objective: The major purpose of this framework is to highlight the key risks, and the mandatory control measures, which REs need to put in place before adopting cloud computing. The document also sets out the regulatory and legal compliances by REs if they adopt such solutions.

3. Applicability: The framework shall be applicable to the following REs:
i. Stock Exchanges
ii. Clearing Corporations
iii. Depositories
iv. Stock Brokers through Exchanges
v. Depository Participants through Depositories
vi. Asset Management Companies (AMCs)/ Mutual Funds (MFs)
vii. Qualified Registrars to an Issue and Share Transfer Agents
viii. KYC Registration Agencies (KRAs)

4. Transition Period
i. The framework shall come into force with immediate effect for all new or proposed cloud onboarding assignments/ projects of the REs.
ii. REs which are currently availing cloud services (as on the date of issuance of this framework) shall ensure that, wherever applicable, all such arrangements are revised and they (RE) shall be in compliance with this fram .....

..... models after due consultations. The same may be specified by SEBI from time to time.

6. Approach: The cloud framework is a principle-based framework which covers Governance, Risk and Compliance (GRC), selection of Cloud Service Providers (CSPs), data ownership and data localization, due diligence by REs, security controls, legal and regulatory obligations, DR & BCP, and vendor lock-in risk. The principles are broadly stated guidelines that set the standards with which REs must comply while adopting cloud services. The principles are stated below:
i. Principle 1: Governance, Risk and Compliance Sub-Framework
ii. Principle 2: Selection of Cloud Service Providers
iii. Principle 3: Data Ownership and Data Localization
iv. Principle 4: Responsibility of the Regulated Entity
v. Principle 5: Due Diligence by the Regulated Entity
vi. Principle 6: Security Controls
vii. Principle 7: Contractual and Regulatory Obligations
viii. Principle 8: BCP, Disaster Recovery & Cyber Resilience
ix. Principle 9: Vendor Lock-in and Concentration Risk Management
The detailed framework is enclosed at Annexure-1 of this circular.

7. This circular is issued in exercise of powers conferre .....

..... the RE shall be responsible and accountable for any violation of the same.
iii. The cloud services shall be taken only from the Ministry of Electronics and Information Technology (MeitY) empaneled CSPs. The CSP's data center should hold a valid STQC (or any other equivalent agency appointed by Government of India) audit status. For selection of CSPs offering PaaS and SaaS services in India, RE shall choose only such CSPs which:
1. Utilize the underlying infrastructure of MeitY empaneled CSPs for providing services to the RE.
2. Host the application/ platform/ services provided to RE, as well as store/ process data of the RE, only within the data centers empaneled by MeitY and holding a valid STQC (or any other equivalent agency appointed by Government of India) audit status.
iv. In a multi-tenant cloud architecture, adequate controls shall be provisioned to ensure that data (in motion, at rest and in use) is isolated and inaccessible to any other tenant. RE shall assess and ensure that the multi-tenancy segregation controls are in place at the CSP, and shall place additional security controls if required.
v. Data shall be encrypted at all lifecycle stages (at rest, in moti .....
..... (abbreviations, continued)
16  P2P   Point-to-Point connection
17  PII   Personally Identifiable Information
18  RE    Regulated Entity
19  SI    System Integrator
20  SLA   Service Level Agreement
21  SOAR  Security Orchestration, Automation and Response
22  SOC   Security Operations Center
23  SSL   Secure Sockets Layer
24  STQC  Standardization Testing and Quality Certification
25  UAT   User Acceptance Testing
26  VAPT  Vulnerability Assessment & Penetration Testing
27  VM    Virtual Machine
28  VPN   Virtual Private Network
29  WAF   Web Application Firewall

Definitions

1. Cloud Model Description - The description of common cloud deployment models (as per NIST) [Ref: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-145.pdf] is given below:

Sr. No | Model | Description
1 | Private Cloud | The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
2 | Community Cloud | The cloud infrastructure is provisioned for exclusive use by a specific com .....

..... plications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. A few examples of SaaS are Gmail, Microsoft Office 365, etc.

B. Other service models such as Application as a Service, Security as a Service, etc. may be considered as a sub-part or variant of the above-mentioned models, as they contain components of IaaS, PaaS and SaaS. For example, Security as a Service is a form of SaaS which provides specialized information security services. Similarly, Application as a Service is a type of SaaS in which applications (for example Google Sheets, Google Docs, etc.) are delivered on demand to customers through the internet.

3. Regulated Entity (RE) - The term "Regulated Entity" refers to SEBI registered/ recognized intermediaries (for example brokers, mutual funds, KYC .....

..... risk management approach shall provide details regarding the various risks of cloud adoption such as technical, legal, business, regulatory etc., and the commensurate risk mitigation controls, which should be proportionate to the criticality and sensitivity of the data/ operations to be onboarded on the cloud.
3. As part of the risk management process, a thorough risk assessment shall also be done keeping in mind that the RE cannot outsource to the CSP the risks and decision making associated with deployment of cloud services. The risk assessment shall include (but not be limited to) steps like identifying threat sources and events, identifying vulnerabilities and pre-disposing conditions, control analysis, magnitude of impact, etc.
4. A clearly identified and named resource (typically the CISO) shall be appointed and shall be responsible for security of the deployments in cloud.
iii. Compliance and Legal Aspects: The RE shall have policies, processes, etc. in place to ensure compliance with the applicable legal and regulatory requirements (including but not limited to guidelines, circulars, advisories, etc.) for deployments in cloud, issued by SEBI/ Government of India/ respective s .....

..... s'/ members' grievances related to cloud onboarded services shall rest with the RE.
Adoption of cloud services shall not affect the rights of the investor/ member against the RE, including the ability of the investor/ member to obtain redressal of grievances as applicable under relevant laws.
vi. Monitoring and Control of Cloud Deployments:
1. RE shall have in place a management structure to monitor and control the activities and services deployed on cloud. This shall include, but not be limited to, monitoring the performance, uptime (of the systems/ resources) and service availability, adherence to SLA requirements, incident response mechanism, etc.
2. RE shall conduct regular audits/ VAPT of its cloud deployments. The frequency and scope of such audits/ VAPT shall be in line with SEBI cyber guidelines/ circulars/ framework issued from time to time.
3. Additionally, the RE shall also assess the performance of the CSP, adequacy of the risk management practices adopted by the CSP, compliance with laws/ regulations etc.
vii. Country Risk: The engagement with a CSP having its country of incorporation/ registration outside of India exposes the RE to country risk. To manage such risk, wh .....

..... rage/ processing/ transfer of its data should be done according to the requirements provided in this framework as well as any other regulations/ circulars/ guidelines issued by SEBI and any other Government authorities.

Principle 3: Data Ownership and Data Localization
3. Data Ownership and Localization:
i. Data Ownership: The RE shall retain the complete ownership of all its data and logs, encryption keys, etc. residing in cloud. The CSP shall be working only in a fiduciary capacity. Therefore, the RE, SEBI and any other Government authority authorized under law shall always have the right to access any or all of the data at any or all points of time.
ii. Visibility: Whenever required (by RE/ SEBI), the CSP shall provide visibility to RE as well as SEBI into CSP's infrastructure and processes, and its compliance to applicable policies and regulations issued by SEBI/ Government of India/ respective state government.
iii. Data Localization: In order to ensure that RE's and SEBI's right to access RE's data, as well as SEBI's rights of search and seizure, are not affected by adoption of cloud services, the storage/ processing of data (DC, DR, near DR etc.) including logs and any other .....

..... ng of responsibility for each sub-task/ line-item within the task. The aforementioned delineation of responsibilities shall be added explicitly in the agreement (as an annexure) signed between the RE and the CSP.
iii. In the event of a Managed Service Provider (MSP) or System Integrator (SI) being involved in procurement of cloud services, an explicit and unambiguous delineation/ demarcation of responsibilities shall also be done with respect to the MSP/ SI, and the same shall be included in the agreement (in line with the requirements given above).
iv. Similarly, there shall be an explicit and unambiguous delineation/ demarcation of responsibilities between the RE and CSP (and MSP/ SI wherever applicable) for ensuring compliance with respect to applicable circulars (for example the cybersecurity and cyber resilience circular, outsourcing circular, BCP-DR etc.) issued by SEBI from time to time. There shall be no "joint/ shared ownership" for ensuring compliance with respect to any clause. If compliance for any clause has to be jointly ensured by RE and CSP (and MSP/ SI wherever applicable), there should be a clear delineation and fixing of responsibility between the RE and the CSP (and MSP .....

..... se conditions.
2. CSP's capability to identify and segregate RE's data, whenever required.
3. Security risk assessment of the CSP.
4. Ensuring that appropriate controls, assurance requirements and possible contractual arrangements are in place to establish data ownership.
5. CSP's ability to effectively service all the RE's customers while maintaining confidentiality, especially where a CSP has exposure to multiple entities.
6. Ability to enforce agreements and the rights available thereunder, including those relating to aspects such as data storage, data protection and confidentiality, SLA, etc.
7. RE shall ensure that CSP performs proper screening and background checks of its personnel and vendors before onboarding, and provides adequate training and awareness programs to ensure that the customer (RE) services are not hampered due to misconfiguration/ inadvertent actions/ operational issues/ etc.
8. Capability of the CSP to deal with RE's compliance needs and operational aspects, and to ensure information security, data privacy, etc.
9. CSP's ability to ensure compliance with this framework as well as all applicable rules/ regulations/ circulars issued by SEBI from time to .....

..... . Monitoring: RE shall ensure that CSP has adequate security monitoring solutions in place. The monitoring solutions of CSP shall be responsible for the following:
1. Monitoring shall cover all components of the cloud. Additionally, the CSP shall continuously monitor the alerts generated and take appropriate actions as per the defined timelines.
2. The RE shall ensure that any event(s) which may have an impact (financial, reputational, operational, etc.) on the RE are intimated to RE by CSP in a timely manner. The reporting should be done in line with the guidelines/ regulations/ circulars issued by SEBI/ Government of India and (wherever applicable) as per the contractual agreement signed between the CSP and RE.
iii. Incident Management: The RE shall ensure that the CSP has incident management processes in place to detect, respond to and recover from any incident at the earliest. The processes should aim to minimize the impact to the RE.
iv. Wherever key management is being done by CSP for platform-level encryption (for example, full disk encryption or VM-level encryption), RE shall assess and ensure that the entire key lifecycle management is being done by CSP in a s .....

..... shall also be applicable in a multi-tenancy structure.
vii. The RE shall ensure that the agreement with the CSP contains clause(s) for safe deletion/ erasure of RE's information. The clause should cover various scenarios like business requirement of RE, exit strategy, etc.
viii. For further assurance, the RE may assess the availability of global compliance standards like SOC 2 reporting for the CSP. [SOC 2 is a voluntary compliance standard for information security developed by the American Institute of Certified Public Accountants (AICPA).]
ix. RE shall ensure that CSP has adequate controls (for example anti-virus, encryption of data, micro-segmentation, etc.) in place to safeguard cloud infrastructure as well as to ensure the privacy, confidentiality, availability, processing integrity and security of the RE's data, right from data creation/ transfer/ etc. in the cloud till final expunging of data.

6.2. Security in the Cloud: RE shall perform a risk-based assessment and place adequate controls depending on the criticality of the data/ services/ operations (placed in the cloud environment) under the purview of RE. Some of the common controls (including but not limited to) that RE shall pu .....

..... shall be adopted for granting access to any resources for normal and admin/ privileged accounts.
ii. The identity and access management solution should give a complete view of the access permissions applicable to all resources. The access permissions shall be reviewed regularly in order to remove any unwanted access.
iii. The access logs should be retained and reviewed frequently for any anomalous events.
iv. Time-bound access permissions shall be adopted wherever feasible.
v. Multi-factor authentication shall be adopted for admin accounts.

6.2.6. Security of Interfaces: Controls related to typical interfaces in a cloud deployment are given below:
6.2.6.1. Management interface:
i. This is the interface provided to the RE by CSP to manage the infrastructure on cloud. This interface is also used to manage the account of the RE assigned by CSP.
ii. To mitigate the risks, the interface shall have Two Factor Authentication (2FA)/ Multi Factor Authentication (MFA). For additional security, measures such as dedicated leased lines may be explored. The access logs and access list for the interface should be strictly monitored (by RE and CSP). The traffic to and from the int .....

..... yption algorithms. Data object encryption, file-level encryption or tokenization, in addition to the encryption provided at the platform level, shall be used.
2. Data-in-motion, including the data within the cloud, shall be encrypted. Session encryption or data object encryption, in addition to the encryption provided at the platform level (e.g., TLS encryption), shall be used wherever any sensitive data is in transit.
3. Data-in-use, i.e., wherever data is being used or processed in the cloud: confidential computing solutions shall be implemented.
ii. To ensure RE's control over encryption and key management, the following shall be followed:
1. Wherever applicable:
a. The "Bring Your Own Key" (BYOK) approach shall be adopted, which ensures that the RE retains the control and management of the cryptographic keys that are uploaded to the cloud to perform data encryption.
b. The "Bring Your Own Encryption" (BYOE) approach shall be followed by the RE.
2. In case the BYOK and BYOE approaches (as given above) are not implemented by RE, the RE shall conduct a detailed risk assessment and implement appropriate risk mitigation measures to achieve equivalent functionality/ security to BYO .....

..... ting shall be done as per the norms/ guidelines/ circulars issued by SEBI/ Government of India and (wherever applicable) as per the contractual agreement signed between the CSP and RE. The CSP shall provide all related forensic data, reports and event logs as required by RE/ SEBI/ CERT-In/ any other government agency. The incident shall be dealt with as per the Security Incident Management Policy of the RE along with the relevant guidelines/ directions issued by SEBI/ Government of India/ respective state government.

Principle 7: Contractual and Regulatory Obligations
7. Contractual and Regulatory Obligations [With respect to CSPs offering PaaS/ SaaS services, REs shall deploy the services of only those CSPs which have a back-to-back, clear and enforceable agreement with their vendor/ partner/ sub-contractor providing the underlying infrastructure/ platform, for fulfilling the requirements provided in this Principle.]:
i. A clear and enforceable cloud service provider engagement agreement should be in place to protect RE's interests, risk management needs, and ability to comply with supervisory expectations.
ii. The contractual/ agreement terms between RE and CSP shall include th .....

..... ration for closure of vulnerabilities, etc.) provided in various applicable circulars/ regulations issued by SEBI from time to time.
3. Implementation and configuration audit of the resources to be deployed by the RE in the cloud environment shall be conducted by the RE, and the same shall be certified by the RE after closing all non-compliances/ observations before go-live.
4. The RE may take into consideration the report/ certificate of the audit of the CSP conducted by STQC. However, wherever required, CSP has to conduct additional audits (from CERT-In empaneled auditors) to fulfil all the requirements provided in various applicable circulars/ regulations issued by SEBI, and the same shall be ensured by the RE.
5. The RE shall ensure that appropriate clauses/ terms (including SLA clauses) are added in the agreement (signed between RE and CSP) to enforce the above-mentioned audit/ VAPT requirements.
vi. The contract/ agreement should have adequate provisions regarding the termination of the contract with CSP, and appropriate exit strategies to ensure a smooth exit without hindering any legal, regulatory or technical obligations of the RE.
vii. As part of the exit strategy, a clear expunging .....

..... boundaries of India as per extant regulatory requirements.
8. Clauses requiring the CSP to provide details of data (captured, processed and stored) related to RE and RE's customers to SEBI/ any other government agency.
9. Controls for maintaining confidentiality of data of RE and its customers, and incorporating CSP's liability to the RE in the event of security breach and leakage of such information.
10. Types of data/ information that the CSP is permitted to share with the RE's customers and/or any other party.
11. Specifying the resolution process for events of default, insolvency, etc. and the indemnities, remedies, and recourse available to the respective parties.
12. Contingency plan(s) to ensure business continuity planning, RPO/ RTO, and recovery requirements.
13. Provisions to fulfill the search and seizure requirements (as provided above in this principle) and audit/ VAPT requirements (as provided above in this principle).
14. Right to seek information (by RE/ SEBI) from the CSP about the third parties (in the supply chain) engaged by the CSP.
15. Clauses making the CSP contractually liable for the performance and risk management practices of its sub-c .....

..... mpliance for any clause has to be jointly ensured by RE and CSP (and MSP/ SI wherever applicable), there should be a clear delineation and fixing of responsibility between the RE and the CSP (and MSP/ SI wherever applicable) for each sub-task/ line-item within the clause. This delineation shall also be added explicitly in the agreement (as an annexure) signed between the RE and the CSP.
xiv. Reporting Requirements:
1. It is reiterated that the RE is solely accountable for all aspects related to the cloud services adopted by it, including but not limited to availability of cloud applications, confidentiality, integrity and security of its data and logs, and ensuring RE's compliance with the applicable laws, rules, regulations, circulars, etc. issued by SEBI/ Government of India/ respective state government.
2. The RE shall explicitly and unambiguously specify, in its audit reports, the party (RE or CSP/ MSP/ SI) which is responsible for ensuring compliance with each clause of the applicable SEBI circulars (for example the cybersecurity circular, systems audit, etc.). There shall be no "joint/ shared ownership" for any of the clauses. In case the responsibility of ensuring complianc .....

..... d services.

Principle 9: Vendor Lock-In and Concentration Risk Management
9. Concentration Risk Management
i. RE shall assess its exposure to CSP lock-in and concentration risks. The risk evaluation shall be done before entering into a contract/ agreement with CSP, and the same should also be assessed on a periodic basis.
ii. In order to mitigate the CSP concentration risks, RE shall explore the option of cloud-ready and CSP-agnostic solutions (such as implementing multi-cloud-ready solutions) which can facilitate the RE in migrating the solutions as and when necessary, with minimal changes. Exit strategies shall be developed, which should consider the pertinent risk indicators, exit triggers, exit scenarios, possible migration options, etc.
iii. The RE shall also take measures to implement data portability and interoperability as part of the exit/ transfer strategy.
iv. In order to mitigate the risk arising due to failure/ shutdown of a particular CSP, and to limit the impact of any such failure/ shutdown on the securities market, SEBI may specify concentration limits on CSPs (thereby setting a limit on the number of REs that a CSP may provide its services to).

10. Recommendation .....

..... the requirements provided in this framework, including those in Principles 6 (Security Controls), 7 (Contractual and Regulatory Obligations) and 8 (BCP, Disaster Recovery & Cyber Resilience).
v. There should be an explicit and unambiguous delineation/ demarcation of responsibilities for all activities (technical, managerial, governance-related, etc.) of the cloud services between the RE and CSP (and MSP/ SI wherever applicable). There shall be no "joint/ shared ownership" for any function/ task/ activity between the RE and CSP. If any function/ task/ activity has to be performed jointly by the RE and CSP, there should be a clear delineation and fixing of responsibility between the RE and the CSP (and MSP/ SI wherever applicable) for each sub-task/ line-item within the task. The same should be a part of the agreement (as an annexure) between the RE and the CSP (and MSP/ SI wherever applicable).
vi.
Similarly, there should be an explicit and unambiguous delineation/ demarcation of responsibilities between the RE and CSP (and MSP/ SI wherever applicable) for ensuring compliance with respect to circulars (for example the cybersecurity and cyber resilience circular, outsourcing circ .....

..... orensic auditor to identify the root cause of any incident (cyber security or other incidents) related to RE.
4. Seek the audit reports of the audits conducted by CSP.
The RE shall ensure that adequate provisions are included in the agreement/ contract with CSP to enable the above functionalities. Additionally, RE shall also include provisions (in the contract/ agreement with CSP) mandating that CSP extends full cooperation to SEBI while conducting the above-mentioned activities.
x. The cloud framework should be read along with the circulars (including circulars on outsourcing, cybersecurity, BCP-DR, etc.), directions, advisories, etc. issued by SEBI from time to time.
xi. Transition Period:
1. For the REs which are not utilizing any cloud services currently, the framework shall be applicable/ come into force from the date of issuance.
2. For the REs which are currently utilizing cloud services, up to 12 months shall be given to ensure their compliance with the framework. Additionally, such REs shall provide regular milestone-based updates as follows:

SN. | Timeline | Milestone
1 | Within one (1) month of issuance of framework | REs shall provide details of the cloud servi .....
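Referring back to the encryption and key-management clauses under Principle 6 (data object encryption layered on top of the CSP's platform-level encryption, BYOK, and the RE keeping the key lifecycle in its own hands), the program below is an added example written for this page; it is not part of the SEBI circular and not any CSP's SDK. It shows the RE-side half of BYOE as envelope encryption: every object gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) the RE holds, and the CSP only ever receives ciphertext plus the wrapped DEK. The object path is bound into both layers as authenticated data, and rotating the KEK re-wraps the DEK without re-encrypting the bulk data. Assumptions: a single in-process AES-256 KEK stands in for a key held in the RE's own HSM/KMS, the object path kyc/records/0001.json is hypothetical, and the record content is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// KEK is the RE-held key-encryption key (the BYOK key). Generated in process
// only so the demo runs; in a deployment it never leaves the RE's HSM/KMS.
type KEK struct {
	ID  string
	Key []byte // 32 bytes, AES-256
}

// EnvelopedObject is the only material handed to the CSP. Nothing in it
// decrypts without the KEK, so platform encryption is an extra layer, not the last.
type EnvelopedObject struct {
	KEKID      string // which RE key wrapped the DEK (rotation bookkeeping)
	WrappedDEK []byte // per-object DEK sealed under the KEK, nonce prepended
	Ciphertext []byte // object sealed under the DEK, nonce prepended
}

func mustRand(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // no usable CSPRNG: nothing sensible to do but stop
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length is a programming error, not a runtime one
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// NewKEK returns a fresh random AES-256 key labelled id.
func NewKEK(id string) *KEK { return &KEK{ID: id, Key: mustRand(32)} }

// gcmSeal returns nonce || AES-GCM(key, nonce, plaintext, aad) || tag.
func gcmSeal(key, plaintext, aad []byte) []byte {
	aead := mustGCM(key)
	nonce := mustRand(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}

// gcmOpen reverses gcmSeal; any change to key, nonce, data, tag or aad fails.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	aead := mustGCM(key)
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("blob of %d bytes is shorter than the nonce", len(blob))
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Encrypt does envelope encryption on the RE side before upload: fresh DEK per
// object, DEK wrapped under the KEK, object sealed under the DEK. objectName is
// bound as AAD to both layers so a blob cannot be replayed under another path.
func Encrypt(kek *KEK, objectName string, plaintext []byte) *EnvelopedObject {
	dek, aad := mustRand(32), []byte(objectName)
	return &EnvelopedObject{
		KEKID:      kek.ID,
		WrappedDEK: gcmSeal(kek.Key, dek, aad),
		Ciphertext: gcmSeal(dek, plaintext, aad),
	}
}

// Decrypt unwraps the DEK with the RE's KEK, then opens the object.
func Decrypt(kek *KEK, objectName string, obj *EnvelopedObject) ([]byte, error) {
	aad := []byte(objectName)
	dek, err := gcmOpen(kek.Key, obj.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK with %s: %w", kek.ID, err)
	}
	return gcmOpen(dek, obj.Ciphertext, aad)
}

// RotateKEK re-wraps the DEK under a new KEK and leaves the bulk ciphertext
// untouched, which is what makes periodic key rotation cheap enough to do.
func RotateKEK(oldKEK, newKEK *KEK, objectName string, obj *EnvelopedObject) error {
	aad := []byte(objectName)
	dek, err := gcmOpen(oldKEK.Key, obj.WrappedDEK, aad)
	if err != nil {
		return err
	}
	obj.KEKID, obj.WrappedDEK = newKEK.ID, gcmSeal(newKEK.Key, dek, aad)
	return nil
}

func main() {
	kek := NewKEK("re-kek-01")
	// Hypothetical object path; the record content is constructed for the demo.
	obj := Encrypt(kek, "kyc/records/0001.json", []byte("constructed sample KYC record"))
	pt, err := Decrypt(kek, "kyc/records/0001.json", obj)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
}
```

What the CSP stores (EnvelopedObject) is inert without the KEK, which is the property the BYOK/BYOE clauses are after; the KEKID field is what an RE's key inventory uses to find objects still wrapped under a retired key after a rotation. In a real deployment the wrap and unwrap calls are the only ones that touch the KEK, so they are the calls that go to the RE's HSM/KMS; everything else runs on ordinary compute. The example deliberately leaves out the other two items the clause lists, tokenization and confidential computing for data-in-use, which need different building blocks.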