Data Security Compliance with Outsourcing of Information Technology Services Directions in India
Thales helps Regulated Entities comply with Directions by addressing the requirement for Usage of Cloud Computing Services.
Indian Regulated Entities (REs) have been extensively leveraging Information Technology (IT) and IT enabled Services (ITeS) to support their business models, products and services offered to their customers. REs also outsource a substantial portion of their IT activities to third parties, which expose them to various risks.
To ensure effective management of the attendant risks, the Reserve Bank of India (RBI) finalized the Outsourcing of Information Technology Services Directions, 2023 on 10 April 2023; the Directions come into effect on October 1, 2023.
As one of the leaders in data security, Thales enables REs to comply with the control on the Usage of Cloud Computing Services of the Directions.
Regulation Overview
The RBI Outsourcing of Information Technology Services Directions prescribe nine control focus areas, with appendices on the Usage of Cloud Computing Services, Outsourcing of Security Operations Centre, and Services not considered under Outsourcing of IT Services.
Which organizations are subject to the Directions?
When will the Directions be enforced?
RBI has given REs up to twelve months from the date of issuance of the Directions to revisit their outsourcing arrangements and comply with the requirements under the Directions if the renewal of those arrangements is due before October 01, 2023, and thirty-six months from the date of issuance if their agreements are due for renewal after October 01, 2023.
Definitions
The remaining services which are not considered as Outsourcing of IT Services or are included in Appendix III shall be considered as outsourcing of financial services and shall not be covered under these IT Outsourcing Directions.
Thales helps REs comply with the Outsourcing of IT Services Directions 2023 by addressing two of the controls and the requirement for Usage of Cloud Computing Services.
| The Directions | Thales Solutions |
|---|---|
| Chapter VI: Risk Management, 17. Risk Management Framework | |
| (e) “…REs shall seek to ensure the preservation and protection of the security and confidentiality of customer information in the custody or possession of the service provider…” (f) “the RE remains responsible for understanding and monitoring the control environment of all service providers that have access to the RE’s data, systems, records or resources…” | CipherTrust Data Security Platform is an integrated suite of data-centric security products and solutions that unify data discovery, protection, and control in one platform. It provides multiple capabilities for protecting data at rest in files, volumes, and databases. Among them, Data Security Fabric provides a unified view of data across platforms, enabling auditing across relational, NoSQL, mainframe, big data, and data warehouse stores. |
| (i) “… review and monitor the control processes and security practices of the service provider to disclose security breaches…” | CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP) detects abnormal I/O activity, alerts on or blocks malicious activity, and prevents ransomware from gaining control of endpoints and servers. Imperva Data Security Fabric Threat Detection monitors data access and activity, providing the visibility to identify risky data access by all users, including privileged ones; it delivers real-time alerts, policy violation blocking, and cost-effective data retention for audits. |
| Chapter X: Exit Strategy | |
| b) “… safe removal/ destruction of data, hardware and all records (digital and physical), as applicable…” | CipherTrust Enterprise Key Management streamlines and strengthens key management in cloud and enterprise environments, enabling REs to effectively delete encrypted information managed by CSPs by destroying the keys that protect it. |
| Appendix I: Usage of Cloud Computing Services | |
| 3. “…Cloud security is a shared responsibility between the RE and the Cloud Service Provider (CSP). REs may refer to some of the cloud security best practices, for implementing necessary controls…” | REs can take control of their cloud security and improve visibility with Thales CipherTrust Cloud Key Management (CCKM). CCKM offers a single pane of glass for cloud-native users, ensuring protection of time and data. It supports Bring Your Own Key (BYOK) use cases across multiple cloud infrastructures and SaaS applications. Hold Your Own Key (HYOK) enhances REs' control over encryption keys, allowing a clear separation of duties and explicit delineation of responsibilities for cloud service activities with the CSP. |
| 6. Cloud Services Management and Security Considerations, a. Service and Technology Architecture | Thales offers integrated encryption and key management solutions to protect cloud-based applications for REs with BYOE and BYOK. Thales Luna Hardware Security Modules (HSMs) provide organizations with dedicated hardware for cryptographic key control, offering a tamper-resistant environment for secure cryptographic processing, key generation, and encryption. CipherTrust Transparent Encryption Container Security delivers in-container capabilities for encryption, access controls, and data access logging, so organizations can establish strong safeguards around data in dynamic container environments. CipherTrust Enterprise Key Management is a high-availability appliance that centralizes encryption key management for the Thales Data Security Portfolio and third-party encryption solutions; it manages key life-cycle tasks, certificates, and secrets, and offers multi-tenancy domains for added security. |
| b. Identity and Access Management (IAM) | Thales OneWelcome identity and access management solutions limit the access of internal and external users based on their roles and context. |