SEBI Cloud Services Framework

SEBI Cloud Services Framework for Regulated Entities (2023). Coming soon — currently folded into CSCRF.PR.14; will be split for clarity.

Composition

25 controls currently indexed; participates in 21 cross-framework synthesis clusters.

Participates in synthesis

Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.

• Board-approved policy framework anchoring derived operational controls (legacy "supplier-policy" cluster name)
• Board-approved security policy framework — IS policy, cyber security policy, and derived operational policies
• Business continuity and ICT recovery readiness
• Centralised logging with retention, tamper protection, and integrity
• Change management — IT systems, configuration, supplier services, risk
• Cloud Identity and Access Management — federation, vulnerability testing, monitoring
• Cloud Security Posture Management — continuous configuration assessment
• Cloud cryptographic key management — CMK/BYOK/HYOK
• Cloud network security — remote access, vulnerability scanning, monitoring
• Cloud shared responsibility — CSC/CSP RACI
• Cryptographic controls, key management, and post-quantum readiness
• Data Loss Prevention — multi-channel egress protection
• Data classification with protection controls — DLP, masking, retention, secure disposal
• Data-at-rest protection — encryption, access, processor controls
• Data-in-transit protection and physical media handling
• Mandatory assurance regime — periodic audit, VAPT, third-party assessment, risk review
• Network segmentation with zero-trust principles
• Ransomware-resilient backup architecture
• Secure configuration baselines and hardening discipline
• Secure disposal of equipment, media, and personal information
• Workforce security awareness, role-based training, and human-factor controls