
Cloud Security Policy

Owner: CDO Office
Classification: Internal
Review Date: April 2027
Status: Active

Document Type: Policy
Document Reference: SP-CSP-006
Version: 1.0
Owner: CISO
Classification: Confidential
Review Cycle: Annual

Control Objectives

Simpaisa's Cloud Security Policy establishes the security requirements for the procurement, deployment, use, and termination of cloud services. The policy aims to:

  • Ensure cloud services are procured and used in a manner consistent with Simpaisa's security and compliance requirements

  • Protect Simpaisa's data and systems hosted in or accessed via cloud environments

  • Define clear responsibilities for cloud security across the organisation

  • Maintain compliance with applicable regulatory and contractual obligations

This policy applies to all cloud services used by Simpaisa, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Risk Assessment

Before procuring or deploying any cloud service, a formal risk assessment shall be conducted to evaluate:

  • The sensitivity of data that will be stored, processed, or transmitted via the cloud service

  • The security controls provided by the cloud service provider (CSP)

  • Residual risks and required compensating controls

  • Regulatory and data residency requirements

  • Business continuity and data recovery capabilities

Risk assessments shall be reviewed at least annually or when significant changes occur to the cloud service or the data processed within it.

Procurement and Contract Management

Cloud services shall only be procured through an approved process that includes security review and sign-off by the CISO.

All contracts with CSPs shall include:

  • Clear definitions of security responsibilities (shared responsibility model)

  • Data protection and privacy obligations

  • Incident notification requirements

  • Audit and inspection rights

  • Data portability and deletion requirements upon termination

  • Service level agreements (SLAs) including uptime, availability, and recovery commitments

  • Compliance with applicable standards (e.g., ISO 27001, SOC 2)

Access Control and Management

Access to cloud services and environments shall be managed in accordance with Simpaisa's Access Control Policy.

  • Multi-factor authentication (MFA) shall be enforced for all cloud service accounts

  • Privileged access to cloud management consoles shall be restricted to authorised IT personnel

  • Access rights shall be reviewed at least quarterly

  • Service accounts and API keys shall be managed securely, rotated regularly, and immediately revoked when no longer required

  • Cloud resource permissions shall follow the principle of least privilege

Data Encryption and Security Controls

Data stored and transmitted via cloud services shall be protected using appropriate encryption controls.

  • Data in transit shall be encrypted using TLS 1.2 or higher

  • Data at rest shall be encrypted using AES-256 or equivalent

  • Encryption keys shall be managed in accordance with Simpaisa's Cryptography Policy

  • Customer-managed keys shall be used for highly sensitive data where technically feasible

  • Security controls provided by the CSP (e.g., security groups, network ACLs, WAF) shall be configured and maintained in accordance with Simpaisa's security standards

Incident Reporting and Management

Security incidents involving cloud services shall be managed in accordance with Simpaisa's Incident Response Policy.

  • CSPs shall be contractually required to notify Simpaisa of security incidents affecting Simpaisa's data or services within defined timeframes

  • Simpaisa shall maintain incident response procedures specific to cloud environments

  • All cloud-related security incidents shall be logged, investigated, and reported in accordance with applicable regulatory requirements

Termination of Service

Upon termination of a cloud service:

  • All Simpaisa data shall be retrieved and confirmed as complete prior to termination

  • The CSP shall provide written confirmation of secure data deletion

  • All access credentials and permissions associated with the terminated service shall be revoked

  • The termination process shall be documented and retained as a record

Auditing and Monitoring

Cloud environments shall be subject to continuous monitoring and periodic audit.

  • Audit logging shall be enabled for all cloud management activities and data access events

  • Logs shall be retained for a minimum period in accordance with Simpaisa's retention requirements

  • Cloud security posture shall be monitored using appropriate tooling (e.g., CSPM tools)

  • Annual security assessments of cloud environments shall be conducted

Vendor Compliance and Management

CSPs shall be subject to ongoing compliance assessment.

  • CSPs shall provide evidence of compliance with recognised security standards (e.g., ISO 27001, SOC 2 Type II) at least annually

  • Material changes to CSP security posture, certifications, or sub-processors shall be communicated to Simpaisa

  • Non-compliant CSPs shall be subject to remediation action or replacement

Documentation and Control

All cloud deployments shall be documented, including:

  • Architecture and data flow diagrams

  • Asset inventory of cloud resources

  • Security configurations and control settings

  • Change history

Documentation shall be maintained, kept current, and reviewed at least annually.

Backup, Disaster Recovery, and Business Continuity

Cloud-hosted data and services shall be subject to backup and recovery requirements as defined in Simpaisa's Backup Policy.

  • Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) shall be defined for all cloud-hosted critical services

  • Backup and recovery capabilities shall be tested at least annually

  • Business continuity plans shall account for CSP service outages and provide for failover or alternative service arrangements

Continuous Compliance and Improvement

Simpaisa shall maintain an ongoing programme of cloud security improvement, including:

  • Regular review of cloud security policies and standards

  • Tracking of emerging threats and vulnerabilities relevant to cloud environments

  • Adoption of new security capabilities provided by CSPs where appropriate

  • Staff training and awareness on cloud security risks and responsibilities