
The Securities and Exchange Board of India (SEBI) has issued a consultation paper introducing the Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities. This framework aims to tackle cybersecurity challenges, enhance cyber resilience, and establish uniform guidelines for all entities under SEBI’s regulation. The paper provides an overview of the framework’s objectives and highlights its key components.

With the increasing use of information technology in the securities market, cybersecurity measures have become crucial for SEBI Regulated Entities (REs). Over the years, SEBI has issued various cybersecurity and cyber resilience frameworks to address these risks and promote best practices among REs. In order to enhance the scope and effectiveness of these measures, SEBI has drafted the master framework on cybersecurity and cyber resilience in consultation with its High Powered Steering Committee – Cyber Security (HPSC-CS).

The CSCRF follows a graded approach and is divided into three parts: applicable to all REs, applicable to specified REs, and applicable to Market Infrastructure Institutions (MIIs). The framework is based on the five functions of cybersecurity: Identify, Protect, Detect, Respond, and Recover, as defined by the National Institute of Standards and Technology (NIST). It references globally recognized standards such as NIST SP 800-53, COBIT 5, and CIS controls for implementing cybersecurity controls and achieving desired outcomes.

The framework emphasizes the identification and classification of critical assets, formulation of comprehensive cybersecurity policies, scenario-based testing, and accountability for third-party services. It also addresses aspects such as log retention, access control, encryption, software development environments, vulnerability assessment, API and endpoint security, SOC establishment, incident response management, and recovery planning.

SEBI mandates compliance reporting in standardized formats, including vulnerability assessment and penetration testing (VAPT) reporting and cyber audit reporting. The framework also introduces requirements specific to MIIs, such as ISO 27001 certification and quarterly self-assessment of cyber resilience using the Cyber Capability Index (CCI).

Conclusion: The consultation paper on the Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) demonstrates SEBI’s commitment to addressing cybersecurity risks and promoting cyber resilience among its regulated entities. The framework provides a structured approach to cybersecurity, incorporating globally recognized standards and best practices. SEBI invites feedback from stakeholders to ensure that the framework effectively meets the evolving cybersecurity needs of the securities market and all entities under its regulation.

Full text is as follows:

Securities and Exchange Board of India
Plot no. C4-A, G Block, Bandra Kurla Complex,
Bandra (East), Mumbai – 400051, India
Tel.: +91-22-26449000/40459000
Website: www.sebi.gov.in

Consultation Paper on Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities

Version: 1.0
Date: July 04, 2023

Executive Summary

Prevention of damage to, protection of, and restoration of computers, electronic communication systems, electronic communication services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. – NIST SP 800-53[1] cybersecurity definition.

The use of Information Technology has grown rapidly in the securities market and has become a critical component of SEBI Regulated Entities (REs). However, with these swift technological advancements, protection of IT infrastructure and data through cybersecurity measures has become a key concern for SEBI and its REs. Since 2015, SEBI has issued various cybersecurity and cyber resilience frameworks to address cybersecurity risks and enhance cyber resilience for the SEBI REs. Further, SEBI has also issued an advisory on cybersecurity best practices for all the REs.

In order to enhance the scope of the cybersecurity and cyber resilience framework, to address the need for uniformity of cybersecurity guidelines for all REs and to strengthen the mechanism to deal with cyber risks / threats / incidents, the master framework on cybersecurity and cyber resilience has been drafted after discussion with SEBI’s High Powered Steering Committee – Cyber Security (HPSC-CS).

The framework provides a common structure for multiple approaches to cybersecurity to prevent any cyber-risks / incidents. The framework follows a graded approach and divides the guidelines into three parts:

i. Applicable to all REs

ii. Applicable to specified REs[2]

iii. Applicable to Market Infrastructure Institutions (MIIs)[3].

The summary of the framework is as follows:

The framework is based on five concurrent and continuous functions of cybersecurity as defined by NIST – Identify, Protect, Detect, Respond, and Recover. It references globally recognized standards, e.g., NIST Special Publication 800-53 Revision 5, COBIT 5, and CIS controls for cybersecurity controls, outcomes, and guidance to achieve those outcomes.

Framework compliance reporting shall be done by REs to their respective authorities[4] in the standardized formats notified by SEBI. The format for VAPT reporting and Cyber audit reporting has been added.

i. IDENTIFY

a. REs shall identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management. The Board / Partner / Proprietor of the REs shall approve the list of critical systems.

b. REs shall formulate a comprehensive cybersecurity and cyber resilience policy and incorporate best practices from standards such as ISO 27001, COBIT 5, etc.

c. Comprehensive scenario-based testing shall be done for assessing risk related to cybersecurity in REs’ IT environment including both internal and external cyber-risks.

d. REs shall be solely accountable for all aspects related to third-party services taken including (but not limited to) confidentiality, integrity, availability, non-repudiation, and security of its data and logs, and ensuring compliance with laws, regulations, circulars, etc. issued by SEBI / Government of India. Accordingly, REs shall be responsible and accountable for any violation of the same.

ii. PROTECT

a. Strong log retention policy, password policy and access policy shall be documented and implemented.

b. REs shall implement network segmentation techniques to restrict access to the sensitive information, hosts, and services.

c. Layering of Full-disk Encryption (FDE) along with File-based Encryption (FE) shall be used for data protection.

d. For the development of all critical software / applications and further feature enhancements, there shall be separate Development, System Integration Testing, User Acceptance Testing and Quality Assurance environments.

e. Periodic audit shall be conducted by a CERT-In empanelled auditor to audit the implementation of, and compliance with, the standards mentioned in the consolidated CSCRF.

f. Vulnerability Assessment and Penetration Testing (VAPT) shall be done to detect open vulnerabilities in the IT environment for critical assets and infrastructure components as defined in the framework. A comprehensive VAPT scope has also been added.

g. Application Programming Interface (API) security and Endpoint security solution shall be implemented with rate limiting, throttling, and proper authentication and authorisation mechanisms.

h. Applicable to MIIs: ISO 27001 certification shall be mandatory for MIIs as it provides essential security standards with respect to Information Security Management System (ISMS).

i. Applicable to MIIs: MIIs shall conduct self-assessment of their cyber resilience using Cyber Capability Index (CCI) on a quarterly basis.

iii. DETECT

a. REs shall establish an appropriate security mechanism through a Security Operation Centre (SOC) [RE’s own SOC, third-party SOC, or a managed SOC] for continuous monitoring of security events and timely detection of anomalous activities.

b. Functional efficacy of the SOC shall be measured on a half-yearly basis. A quantifiable method and an indicative (but not limited to) list of parameters for measuring SOC efficacy have been formulated.

c. Applicable to MIIs: MIIs shall conduct red teaming exercise as part of their cybersecurity framework.

iv. RESPOND

a. All REs shall formulate an up-to-date Cyber Crisis Management Plan (CCMP).

b. Comprehensive Incident Response management plan and respective SOPs shall be established by REs.

c. Alerts generated from monitoring and detection systems shall be suitably investigated for Root Cause Analysis (RCA).

v. RECOVER

a. A comprehensive response and recovery plan shall be documented and shall be triggered for the timely restoration of systems affected by the cyber incident.

b. An indicative (but not limited to) recovery plan has been attached.

c. Actions taken during recovery process shall be informed to all related stakeholders.

The framework will continue to be updated and improved as technology and the securities market evolve and as different REs provide their feedback. This will ensure that the framework meets the cybersecurity needs of the securities market, MIIs and all other REs.

Abbreviations

Sr. No. | Abbreviation | Explanation/Expansion
1. | AIF | Alternative Investment Fund
2. | AMC | Asset Management Company
3. | API | Application Programming Interface
4. | BAS | Breach and Attack Simulation
5. | BYOD | Bring Your Own Device
6. | CART | Continuous Automated Red Teaming
7. | CEO | Chief Executive Officer
8. | CII | Critical Information Infrastructure
9. | CIS | Center for Internet Security
10. | CISO | Chief Information Security Officer
11. | CTI | Cyber Threat Intelligence
12. | DB | Database
13. | DEV | Development
14. | DLP | Data Loss Prevention
15. | DR | Disaster Recovery
16. | EDR | Endpoint Detection and Response
17. | EPP | Endpoint Protection Platforms
18. | FDE | Full-disk Encryption
19. | HPSC-CS | High Powered Steering Committee – Cyber Security
20. | GoI | Government of India
21. | IBT | Internet Based Trading
22. | IDS | Intrusion Detection System
23. | IOSCO | International Organization of Securities Commissions
24. | IS | Information Security
25. | ISMS | Information Security Management System
26. | ISO | International Organization for Standardization
27. | IT | Information Technology
28. | MD | Managing Director
29. | MFA | Multi-factor Authentication
30. | MII | Market Infrastructure Institution
31. | MTTC | Mean Time to Contain
32. | MTTD | Mean Time to Detect
33. | MTTR | Mean Time to Resolve
34. | NCIIPC | National Critical Information Infrastructure Protection Centre
35. | NDR | Near Disaster Recovery
36. | NIST | National Institute of Standards and Technology
37. | OS | Operating System
38. | OT | Operational Technology
39. | OWASP | Open Web Application Security Project
40. | PDC | Primary Data Centre
41. | PII | Personally Identifiable Information
42. | PIM | Privileged Identity Management
43. | QA | Quality Assurance
44. | RCA | Root Cause Analysis
45. | RE | Regulated Entity[5]
46. | RPO | Recovery Point Objective
47. | RTO | Recovery Time Objective
48. | SBOM | Software Bill of Materials
49. | SCOT | Standing Committee on Technology
50. | SOC | Security Operations Centre
51. | SOP | Standard Operating Procedure
52. | SIT | System Integration Test
53. | SSDLC | Secure Software Development Life Cycle
54. | TLP | Traffic Light Protocol
55. | UAT | User Acceptance Test
56. | VAPT | Vulnerability Assessment & Penetration Testing
57. | VBA | Visual Basic for Application
58. | VPN | Virtual Private Network
59. | WAF | Web Application Firewall

Definitions

1. Critical assets –

Entities shall identify and classify their critical IT systems. The following systems shall be included in critical systems (both on premise and cloud):

a. Any system that will have an adverse impact on any business operations if compromised.

b. Any system that stores/transmits any type of critical data (financial data, trading data, and PII).

c. Devices/Network through which any critical system is connected (either physically or virtually).

d. Internet facing applications / systems.

e. Systems directly/indirectly connected to any other critical system.

f. All the ancillary systems used for accessing/communicating with critical systems either for operation or for maintenance.
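The criteria above mix intrinsic properties (business impact, critical data, Internet exposure) with relational ones (connecting devices, directly or indirectly connected systems, ancillary access systems), and the relational ones only settle once the classification is propagated to a fixed point. The following is an added example of that propagation over an asset inventory; it is not SEBI's code, and the asset attributes, the sample inventory and the letter tags are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed example: classify an asset inventory against the six
# "critical asset" criteria in Definition 1 and record which criteria fired.
# Asset attributes and the sample inventory are assumptions, not from SEBI.


@dataclass
class Asset:
    name: str
    business_impact: bool = False      # (a) compromise harms business operations
    critical_data: bool = False        # (b) stores/transmits financial, trading or PII data
    internet_facing: bool = False      # (d) reachable from the Internet
    is_network_device: bool = False    # candidate for (c): carries a critical system's traffic
    ancillary_for: set = field(default_factory=set)  # (f) systems this one is used to access/maintain
    links: set = field(default_factory=set)          # physical or virtual connectivity (undirected)


def classify_critical(assets):
    """Return {asset name: set of criteria letters} for every critical asset.

    Criteria (a), (b) and (d) are intrinsic and seed the set. Criteria (c), (e)
    and (f) are relational, so they are propagated to a fixed point: each newly
    critical asset can pull in its neighbours and its ancillary systems.
    Every name referenced in links must itself be in the inventory.
    """
    by_name = {a.name: a for a in assets}
    adjacency = {a.name: set() for a in assets}
    for a in assets:                       # make connectivity symmetric
        for other in a.links:
            adjacency[a.name].add(other)
            adjacency[other].add(a.name)

    reasons = {}

    def mark(name, criterion):
        """Record a criterion; return True only the first time 'name' becomes critical."""
        first_time = name not in reasons
        reasons.setdefault(name, set()).add(criterion)
        return first_time

    queue = deque()
    for a in assets:
        for flag, letter in ((a.business_impact, "a"), (a.critical_data, "b"), (a.internet_facing, "d")):
            if flag and mark(a.name, letter):
                queue.append(a.name)

    while queue:
        current = queue.popleft()
        for neighbour in adjacency[current]:
            # (c) a device/network through which a critical system is connected;
            # (e) any other system connected directly (indirect links follow by propagation)
            letter = "c" if by_name[neighbour].is_network_device else "e"
            if mark(neighbour, letter):
                queue.append(neighbour)
        for a in assets:                   # (f) ancillary systems used to reach 'current'
            if current in a.ancillary_for and mark(a.name, "f"):
                queue.append(a.name)
    return reasons


def sample_inventory():
    """Constructed inventory for a small broker; not real data."""
    return [
        Asset("order-mgmt", business_impact=True, links={"core-switch"}),
        Asset("client-db", critical_data=True, links={"core-switch"}),
        Asset("web-portal", internet_facing=True, links={"core-switch"}),
        Asset("core-switch", is_network_device=True),
        Asset("hr-portal", links={"core-switch"}),          # critical only by (e)
        Asset("jump-host", ancillary_for={"order-mgmt"}),   # critical only by (f)
        Asset("test-lab", links={"dev-wiki"}),              # isolated segment: not critical
        Asset("dev-wiki"),
    ]


if __name__ == "__main__":
    for name, why in sorted(classify_critical(sample_inventory()).items()):
        print(f"{name:12s} critical by ({', '.join(sorted(why))})")
```

Running it shows the practical consequence of criterion (e): everything that shares a switch with a critical system becomes critical too, so the HR portal is pulled in through the core switch while the isolated test segment stays out. That is why the network segmentation the framework asks for later directly bounds the scope of critical systems, VAPT and audit.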

2. Cyber Capability Index (CCI) –

SEBI has developed a CCI based on the recommendations of HPSC-CS to rate the preparedness and resilience of the cybersecurity framework of the MIIs. CCI is calculated based on 24 parameters extracted from NIST publication ‘Performance Measurement Guide for Information Security’.

3. ISO 27001 certification –

ISO 27001 certification is a globally recognized standard for Information Security Management Systems (ISMS) published by the International Organization for Standardization (ISO). It helps organizations become risk-aware, promotes a holistic approach to information security, and helps them proactively identify and address weaknesses.

4. Market Infrastructure Institutions (MII) –

Stock Exchanges, Depositories and Clearing Corporations are collectively referred to as Market Infrastructure Institutions (MIIs).

5. Principle of Least Privilege (PoLP) –

Principle of Least Privilege (PoLP) is a security concept in which a user or entity shall have only the minimum level of access to the specific data, resources and applications needed to complete their required task.

6. Red team exercise –

An exercise, reflecting real-world conditions, that is conducted as a simulated adversarial attempt to compromise organizational missions or business processes and to provide a comprehensive assessment of the security capabilities of an organization and its systems. – Definition from NIST SP 800-53[6]

7. Regulated Entity (RE) –

The term ‘Regulated Entity’ refers to SEBI registered / recognised intermediaries (for example brokers, mutual funds, KYC Registration Agencies, QRTAs, etc.) and Market Infrastructure Institutions (Stock Exchanges, Depositories and Clearing Corporations) regulated by SEBI.

8. Risk –

As defined by NIST[7] and OWASP[8], Risk = Likelihood * Impact; where Likelihood = Threat * Vulnerabilities. Likelihood is a measure of how likely a vulnerability is to be discovered and exploited by an attacker. Impact is the magnitude of harm that can be expected as a result of the consequences of threat exploitation.

9. Risk-based Authentication (RBA) –

Risk-based authentication is a non-static authentication mechanism which takes into account the profile of the agent requesting access to the system to determine the risk profile associated with that transaction. It checks and applies varying levels of stringency to authentication processes based on the likelihood that access to a given system could result in its being compromised.
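The definition describes a scoring decision: the requester's profile yields a risk score, and the score selects how stringent authentication must be rather than a fixed yes/no. The following is an added example of such a decision function; it is not SEBI's code, and the signals, weights and thresholds are constructed assumptions, not values from the framework.

```python
from dataclasses import dataclass

# Constructed example of risk-based authentication: the login request's
# profile is scored and the score selects how stringent authentication must be.
# Signals, weights and thresholds are illustrative assumptions, not SEBI values.


@dataclass
class LoginRequest:
    user: str
    device_known: bool            # device fingerprint seen before for this user
    ip_country: str               # country of the source IP
    home_country: str             # country the user normally logs in from
    hour_utc: int                 # 0-23
    failed_attempts_last_hour: int
    sensitive_action: bool        # e.g. changing bank details or a large withdrawal


def risk_score(req: LoginRequest) -> int:
    """Additive score; each signal raises the likelihood that the session is hostile."""
    score = 0
    if not req.device_known:
        score += 30
    if req.ip_country != req.home_country:
        score += 25
    if req.hour_utc < 6 or req.hour_utc >= 22:      # outside the user's usual hours
        score += 10
    score += 8 * min(req.failed_attempts_last_hour, 5)  # capped so one signal cannot dominate
    if req.sensitive_action:
        score += 30
    return score


def required_stringency(score: int) -> str:
    """Map the score to an authentication level; higher score, stricter checks."""
    if score < 25:
        return "password"               # low risk: the static credential is enough
    if score < 60:
        return "password+mfa"           # medium: add a second factor
    if score < 90:
        return "password+mfa+step-up"   # high: second factor plus out-of-band confirmation
    return "deny"                       # very high: refuse the request and raise an alert


def decide(req: LoginRequest) -> tuple[int, str]:
    """Return (score, stringency) for one request; the same credentials get different treatment."""
    score = risk_score(req)
    return score, required_stringency(score)


# Constructed sample requests for the same user; not real data.
USUAL = LoginRequest("alice", True, "IN", "IN", 10, 0, False)
NEW_DEVICE_ABROAD = LoginRequest("alice", False, "SG", "IN", 10, 0, False)
NEW_DEVICE_ABROAD_NIGHT = LoginRequest("alice", False, "SG", "IN", 23, 0, False)
SENSITIVE_FROM_HOME = LoginRequest("alice", True, "IN", "IN", 11, 0, True)
HOSTILE_LOOKING = LoginRequest("alice", False, "SG", "IN", 23, 5, True)

if __name__ == "__main__":
    for name, req in [("usual", USUAL), ("new device abroad", NEW_DEVICE_ABROAD),
                      ("new device abroad at night", NEW_DEVICE_ABROAD_NIGHT),
                      ("sensitive from home", SENSITIVE_FROM_HOME),
                      ("hostile looking", HOSTILE_LOOKING)]:
        print(f"{name:28s} -> {decide(req)}")
```

The point worth noticing is that the policy never changes the user's credentials, only how much corroboration is demanded before they are accepted; the "deny" tier exists so that a request stacking every adverse signal is refused and surfaced to the SOC rather than merely challenged again.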

10. Root Cause Analysis (RCA) –

NIST[9] has defined RCA as a principle-based, systems approach for the identification of underlying causes associated with a particular set of risks.

11. Secure Software Development Life Cycle (SSDLC) –

Secure Software Development Life Cycle (SSDLC) involves integrating security testing at every stage of software development, from design, to development, to deployment and beyond.

12. Specified Regulated Entities (Specified REs) –

Specified REs are SEBI REs which are critical from the securities market point of view. They are identified on the basis of business volume, market share, business complexity, number of clients, etc. and thus require more stringent cybersecurity measures for the protection of their IT infrastructure than the rest of the REs.

The securities market institutions which fall under the criteria mentioned below will be referred to as Specified REs.

Criteria for Specified REs will be finalized after consultation with market intermediaries/participants, and practitioners.

Table 1: List of Specified REs and their criteria

S. No. | Regulated Entities (REs) | Criteria
1. | Stock Brokers / Depository Participants |
2. | Asset Management Companies (AMCs) / Mutual Funds |
3. | KYC Registration Agencies (KRAs) |
4. | Qualified Registrars to an Issue / Share Transfer Agents (QRTAs) |
5. | Portfolio Managers |
6. | Alternative Investment Funds (AIFs) |

A. Introduction

Technology has become an integral part of the securities market since the IT industry boomed in India. With these technological developments in the securities market, maintaining robust cybersecurity and cyber resilience to protect the organizations operating in the securities market from cyber-risks / incidents has become indispensable. SEBI has issued targeted cybersecurity and cyber resilience frameworks for various REs since 2015. To further strengthen cyber-risks / incidents prevention, preparedness, and response capacities, this consolidated cybersecurity and cyber resilience framework has been released.

The consolidated CSCRF will supersede the following SEBI circulars, which will be deprecated from <DD/MM/YYYY>:

Table 2: List of SEBI cybersecurity circulars to be superseded by CSCRF

S. No. | Regulated Entity | Circular Subject (Circular Number) | Date of issuance
1. | MIIs | Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporation and Depositories (CIR/MRD/DP/13/2015) | July 06, 2015
 | | Modification in Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporations and Depositories (SEBI/HO/MRD1/MRD1_DTCS/P/CIR/2022/68) | May 20, 2022
2. | Stock Brokers / Depository Participants | Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants (SEBI/HO/MIRSD/CIR/PB/2018/147) | December 03, 2018
 | | Modification in Cyber Security and Cyber resilience framework for Stock Brokers / Depository Participants (SEBI/HO/MIRSD/TPD/P/CIR/2022/80) | June 07, 2022
 | | Modification in Cyber Security and Cyber resilience framework for Stock Brokers / Depository Participants (SEBI/HO/MIRSD/TPD/P/CIR/2022/93) | June 30, 2022
3. | Mutual Funds / Asset Management Companies (AMCs) | Cyber Security and Cyber Resilience framework for Mutual Funds / Asset Management Companies (AMCs) (SEBI/HO/IMD/DF2/CIR/P/2019/12) | January 10, 2019
 | | Modification in Cyber Security and Cyber Resilience Framework of Mutual Funds / Asset Management Companies (AMCs) (SEBI/HO/IMD/IMD-I/DOF2/P/CIR/2022/81) | June 09, 2022
4. | KYC Registration Agencies (KRAs) | Cyber Security & Cyber Resilience framework for KYC Registration Agencies (SEBI/HO/MIRSD/DOP/CIR/P/2019/111) | October 15, 2019
 | | Modification in Cyber Security and Cyber resilience framework of KYC Registration Agencies (KRAs) (SEBI/HO/MIRSD/DoP/P/CIR/2022/74) | May 30, 2022
 | | Modification in Cyber Security and Cyber resilience framework of KYC Registration Agencies (KRAs) (SEBI/HO/MIRSD/TPD/P/CIR/2022/95) | July 05, 2022
5. | Qualified Registrars to an Issue / Share Transfer Agents (QRTAs) | Cyber Security and Cyber Resilience framework for Registrars to an Issue / Share Transfer Agents (hereinafter referred to as RTAs) (SEBI/HO/MIRSD/CIR/P/2017/100) | September 08, 2017
 | | Cyber Security & Cyber Resilience framework for Qualified Registrars to an Issue / Share Transfer Agents (SEBI/HO/MIRSD/DOP/CIR/P/2019/110) | October 15, 2019
 | | Modification in Cyber Security and Cyber resilience framework of Qualified Registrars to an Issue and Share Transfer Agents (“QRTAs”) (SEBI/HO/MIRSD/MIRSD_RTAMB/P/CIR/2022/73) | May 27, 2022
 | | Modification in Cyber Security and Cyber resilience framework of Qualified Registrars to an Issue and Share Transfer Agents (“QRTAs”) (SEBI/HO/MIRSD/TPD/P/CIR/2022/96) | July 06, 2022
6. | Portfolio Managers | Cyber Security and Cyber Resilience framework for Portfolio Managers (SEBI/HO/IMD/IMD-PoD-1/P/CIR/2023/046) | March 29, 2023

B. Framework Compliance, Audit, Report submission, and Timeline:

This section provides details regarding submission of compliance to this master framework, ISO audit, VAPT, Cyber audit, and timelines for these audits and compliance.

1. ISO Audit and Certification

1.1. Evidence of ISO certifications shall be submitted as follows:

Table 3: REs and their corresponding entity for ISO certification evidence submission

Sr. No. | Regulated Entity | ISO certification and report submission to
1. | Stock Brokers / Depository Participants | Stock exchanges / Depositories
2. | MIIs and rest of the REs | SEBI

2. VAPT[10]

The VAPT scope, periodicity and compliance are defined in clause D.3.1.3.a.ii.

2.1. The VAPT reporting format has been attached as Annexure-A. The VAPT activity report of SEBI REs, required declaration from MD/ CEO to certify compliance and the audit materiality metrics as given in Annexure-B shall be submitted as per below table:

Table 4: REs and their corresponding entity for VAPT report submission

Sr. No. | Regulated Entity | VAPT report submission to
1. | Stock Brokers / Depository Participants | Stock exchanges / Depositories
2. | MIIs and rest of the REs | SEBI

2.2. The periodicity of the VAPT activity for SEBI REs in a financial year shall be as follows:

Table 5: VAPT periodicity of REs

Sr. No. | Regulated Entity | Periodicity
1. | REs which have been identified as ‘Protected system’ and/or CII by NCIIPC | At least twice: in every half of the financial year, one VAPT activity shall get completed (includes report submission, closure, revalidation)
2. | Rest of the REs | At least once: VAPT activity shall get started in the first quarter of the financial year

2.3. The timeline for completion of VAPT activity for SEBI REs shall be as follows:

Table 6: Timeline of VAPT report submission and closure compliance for REs

Sr. No. | Activity | Timeline
1. | Final report submission to required authority | Within 1 month of completion of VAPT activity and taking approval from respective technology committees
2. | Compliance of closure of findings identified during VAPT activity | Within next 3 months. A graded approach (based on the criticality of observation in terms of impact) shall be followed for closure of the observations found during VAPT.
3. | Revalidation / Audit of VAPT | Within next 1 month

3. Cyber Audit

Cyber audit[11] here pertains to the audit for the compliance with this framework.

3.1. The periodicity of the cyber audit for SEBI REs in a financial year shall be as follows:

Table 7: Cyber audit periodicity of REs

Sr. No. | Regulated Entity | Periodicity
1. | MIIs and Specified REs | At least twice
2. | Rest of the REs | At least once

3.2. The timeline of the cyber audit for SEBI REs shall be as follows:

Table 8: Timeline of Cyber audit findings closure and compliance for REs

Sr. No. | Activity | Timeline
1. | Compliance of closure of findings identified during cyber audit | Within next 3 months. A graded approach (based on the criticality of observation in terms of impact) shall be followed for closure of the observations found during VAPT.

3.3. A submission for compliance to this consolidated CSCRF shall be done by all REs. The format for compliance submission to this consolidated CSCRF has been attached as Annexure-C. The cyber audit reports for compliance to this consolidated CSCRF, required declaration from MD/ CEO to certify compliance and the audit materiality metrics as given in Annexure-B shall be submitted as per below table:

Table 9: REs and their corresponding entity for cyber audit report submission

Sr. No. | Regulated Entity | Cyber audit and declaration report submission to
1. | Stock Brokers / Depository Participants | Stock exchanges / Depositories
2. | MIIs and rest of the REs | SEBI

4. Periodicity of other Standards/Guidelines

Periodicity of other standards/guidelines mentioned in this consolidated CSCRF shall be as follows:

Table 10: Periodicity of other standards mentioned in CSCRF

Sr. No. | Standard/Guidelines and Clause | Periodicity
1. | Self-assessment of REs’ cyber resilience using CCI (1.2.2.b) | Quarterly
2. | Submission of self-assessment evidence using CCI by RE (1.2.3.b.ii.1) | Within first 15 days of next quarter
3. | RE’s cybersecurity and cyber resilience policy review (1.2.2.c) | Annually
4. | Internal Technology Committee – For rest of the REs (1.2.3.a.ix) | Quarterly
5. | Standing Committee on Technology – For MIIs (1.2.3.b.i) | Quarterly
6. | Cybersecurity scenario-based drill exercise for risk management (1.3.2.b) | Quarterly
7. | REs’ risk assessment (1.3.2.c) | Half-yearly
8. | User access rights review (2.1.2.c) | Quarterly
9. | Review of ex-employee passwords not being used across multiple accounts (2.1.3.a.i.8) | Quarterly
10. | Review of privileged users’ activities (2.1.3.c.ii.3) | Quarterly
11. | Cybersecurity training program (2.2.2.c) | Annually
12. | Review of RE’s systems managed by 3rd-party service providers (2.4.3.a.iv.1) | Half-yearly
13. | Red Teaming exercise for MIIs and Specified REs (3.2.2.a) | Half-yearly
14. | Drills for testing adequacy and effectiveness of recovery plan (5.1.2.c) | Quarterly

C. Cybersecurity Framework

1. The framework is based on five concurrent and continuous functions of cybersecurity as defined by NIST[12] – Identify, Protect, Detect, Respond, and Recover.

a. IDENTIFY

The Identify function assists in developing an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

b. PROTECT

The Protect function outlines appropriate safeguards to ensure delivery of critical infrastructure services. The Protect function supports the ability to limit or contain the impact of a potential cybersecurity event.

c. DETECT

The Detect function defines the appropriate activities to identify the occurrence of a cybersecurity event. The Detect function enables timely discovery of cybersecurity events.

d. RESPOND

The Respond function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond function supports the ability to contain the impact of a potential cybersecurity incident.

e. RECOVER

The Recover function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover function supports timely recovery to normal operations and reduces the impact of a cybersecurity incident.

2. Each function covers different security controls. The controls are divided into three categories namely objectives, standards, and guidelines:

a. Part-1: Objective

The objective highlights the goals which a specific security control wants to achieve.

b. Part-2: Standard

The standard represents established principles for the cybersecurity framework compliance.

c. Part-3: Guidelines

The guidelines are divided into three parts:

i. Applicable to all REs: Baseline cybersecurity measures which will be mandatory and applicable to all REs.

ii. Applicable to Specified REs: Additional cybersecurity measures and guidelines, which are supplementary in nature and will be applicable to specified REs as defined.

iii. Applicable to MIIs: Additional cybersecurity guidelines applicable to MIIs.

D. Cybersecurity Framework Functions

1. IDENTIFY

1.1. ID.AM: Asset Management

The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.

1.1.1. ID.AM: Objective:

a. Physical devices and systems within the organization are inventoried.

b. Software platforms and applications within the organization are inventoried.

c. Organizational communication and data flows are mapped.

d. External information systems are catalogued.

e. Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.

f. Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, and partners) are established.

1.1.2. ID.AM: Standard:

a. An up-to-date inventory shall be maintained by the organization covering (including but not limited to) all hardware, software, cloud assets, API endpoints and information assets. Any changes in the asset inventory shall be reflected within 24 hours.

b. Vulnerabilities and cyber threats, along with their likelihood, shall be identified.

c. Board / Partner / Proprietor shall approve the list of critical systems.

d. Third-party service providers and outsourcing staff shall also be mandated to follow similar standards of information security.

1.1.3. ID.AM: Guidelines:

a. Applicable to all REs:

i. All REs shall identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management. The Board/Partners/Proprietors of the REs shall approve the list of critical systems.

ii. All REs shall maintain an up-to-date inventory of their (including but not limited to) hardware and systems, software, cloud assets, API endpoints and information assets (internal and external), details of their network resources, connections to their network and data flows.

iii. Any additions/deletions or changes in existing assets shall be reflected in the asset inventory within 24 hours.

iv. For conducting criticality assessment of assets, REs shall maintain comprehensive asset inventory, conduct threat modelling, vulnerability assessment, etc.

v. REs shall prepare and maintain an up-to-date network architecture diagram at the organisational level including wired/wireless networks.

vi. All REs shall also encourage its third-party service providers to have similar standards of Information Security.

b. Applicable to specified REs and MIIs

i. Specified REs and MIIs shall accordingly identify cyber risks[13] that they may face, along with the likelihood of such threats and impact on the business and thereby, deploy controls commensurate to the criticality.

1.2. ID.GV: Governance

The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood, and management is informed of cybersecurity risks.

1.2.1. ID.GV: Objective:

a. Organizational cybersecurity policy is established and communicated.

b. Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners.

c. Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.

d. Cybersecurity risks are addressed through governance and risk management processes.

1.2.2. ID.GV: Standard:

a. A comprehensive cybersecurity and cyber resilience policy shall be documented and implemented with approval from Board /Partners / Proprietors. The cybersecurity and cyber resilience policy may include guidelines mentioned in this consolidated CSCRF.

b. Clear definition of the ownership and custodian of every asset, and a proper approval chain-of-command process, shall be established and followed.

c. The cyber-security and cyber resilience policy shall be reviewed periodically[14].

d. MIIs shall self-assess their cyber resilience using CCI on a periodic[15] basis.

1.2.3. ID.GV: Guidelines:

a. Applicable to all REs

i. As part of the operational risk management framework to manage risk to systems, networks and databases from cyber-attacks and threats, REs shall formulate a comprehensive Cybersecurity and Cyber Resilience policy document encompassing the framework mentioned hereunder. In case of deviations from the suggested framework, reasons for such deviations, technical or otherwise, shall be provided in the policy document.

The policy document shall be approved by the Board / Partners / Proprietors of the REs. The policy document shall be reviewed by the aforementioned group periodically with the view to strengthen and improve its Cybersecurity and Cyber Resilience framework.

ii. The cybersecurity policy shall include (but not limited to) policy with respect to asset management, patch management, vulnerability management, audit policy, VAPT policy, monitoring of the network and endpoints, configuration management, change management, software development life cycle management, authentication policies, authorization policies and processes, network segmentation policies, commissioning internet facing assets, encryption policies, PII and privacy policies, cybersecurity control management policy, asset ownership documentation, and chain of command for any approval process in the organization with respect to cybersecurity. It shall also contain do’s and don’ts allowed in the organization with respect to usage of cyber assets including desktops, laptops, BYOD, network, internet, etc.

iii. The Cybersecurity Policy shall include the following process to identify, assess, and manage Cybersecurity risk associated with processes, information, networks and systems:

a. ‘Identify’ critical IT assets and risks associated with such assets.

b. ‘Protect’ assets by deploying suitable controls, tools and measures.

c. ‘Detect’ incidents, anomalies and attacks through appropriate monitoring tools/processes.

d. ‘Respond’ by taking immediate steps after identification of the incident, anomaly or attack.

e. ‘Recover’ from incident through incident management and other appropriate recovery mechanisms.

iv. REs shall designate a senior official or management personnel (henceforth, referred to as the “Designated Officer”) whose function would be to assess, identify, and reduce cybersecurity risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the cybersecurity Policy.

v. REs shall establish a reporting procedure to facilitate communication of unusual activities and events to the Designated Officer in a timely manner.

vi. REs shall define responsibilities of its employees, outsourced staff, and employees of third-party service providers, members or participants and other entities, who may have privileged access or use their systems / networks towards ensuring the goal of cybersecurity.

vii. REs shall follow Plan-Do-Check-Act concept while creating and using the documented information. For example, activities under the ‘Plan’ phase will be guided by Policies, the ‘Do’ phase will follow Procedures (SOPs), and the ‘Check’ and ‘Act’ phases will refer to the Policies and Procedures.

viii. As part of compliance management with respect to this consolidated CSCRF, REs shall apply the following key aspects (including but not limited to) for implementing compliance management:

1. Assess Compliance with applicable laws, regulations, circulars etc.

2. Develop compliance policies and procedures

3. Implement controls such as security measures

4. Train employees

5. Monitor and review compliance management process

6. Regular audits and reporting.

ix. The Board / Partners / Proprietor of the REs shall constitute an internal Technology Committee comprising experts proficient in Technology. This Technology Committee of REs shall meet on a periodic[16] basis to review the implementation of the cybersecurity and cyber resilience policy approved by their Board, and such review shall include goal setting for a target level of cyber resilience, and establish a plan to improve and strengthen cybersecurity and cyber resilience. The review shall be placed before the Board of REs for appropriate action.

b. Applicable to MIIs

i. The Oversight Standing Committee on Technology[17] of the stock exchanges and of the clearing corporations and the IT Strategy Committee[18] of the depositories shall on a periodic[19] basis review the implementation of the cybersecurity and resilience policy approved by their Boards, and such review shall include review of their current IT and cybersecurity and resilience capabilities, set goals for a target level of cyber resilience, and establish a plan to improve and strengthen cybersecurity and cyber resilience.

ii. Cyber Capability Index (CCI)

1. MIIs shall conduct self-assessment of their cyber resilience using CCI and submit corresponding evidence on a periodic[20] basis. A reference of CCI and its calculation methodology has been attached as Annexure-J.

2. The indicators used in CCI and their weightage will be reviewed on a half-yearly basis to keep them updated and relevant.

c. Applicable to specified REs and MIIs

i. The cybersecurity policy shall encompass the principles prescribed by National Critical Information Infrastructure Protection Centre (NCIIPC) of National Technical Research Organisation (NTRO), Government of India in the report titled ‘Guidelines for Protection of National Critical Information Infrastructure’ and subsequent revisions, if any, from time to time.

ii. Specified REs and MIIs shall appoint a senior cybersecurity expert as CISO who will work as a ‘Designated officer’.

iii. Specified REs and MIIs shall also incorporate best practices from standards such as ISO 27001, ISO 27002, COBIT 5, etc. or their subsequent revisions, if any, from time to time. ISO 27001 is recommended to be taken as the base standard for governance and management of information security policies.

iv. The aforementioned committee and the senior management of the REs and MIIs, including the CISO, shall periodically review instances of cyber-attacks, if any, domestically and globally, and take steps to strengthen their cybersecurity and cyber resilience framework.

1.3. ID.RARM: Risk Assessment and Risk Management Strategy

The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

1.3.1. ID.RARM: Objective:

a. Asset vulnerabilities are identified and documented.

b. Cyber threat intelligence is received from information forums and sources.

c. Threats, both internal and external, are identified and documented.

d. Potential business impacts and likelihoods are identified.

e. Threats, vulnerabilities, likelihoods, impacts are used to determine risk.

f. Risk responses are identified and prioritized.

g. Risk management processes are established, managed, and agreed to by organizational stakeholders.

h. Organizational risk tolerance is determined and clearly expressed.

i. The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis.

1.3.2. ID.RARM: Standard:

a. Risk factor shall be assessed and managed for all IT assets of the organization.

b. Different scenarios and their respective responses shall be documented and tested on a periodic[21] basis to check the risk management plan of the organization.

c. Risk assessment of organization’s IT environment shall be done on a periodic[22] basis.

1.3.3. ID.RARM: Guidelines:

a. Applicable to all REs

i. Risk assessment

1. All REs shall conduct a risk assessment of the IT environment of their organization on a half-yearly basis to acquire visibility and a reasonably accurate assessment of the overall cybersecurity risk posture. The risk assessment shall result in a quantified cybersecurity risk of the RE.

ii. Risk Management

1. REs shall consider using ISO/IEC 27005:2022 or its subsequent revision, from time to time, as the base document for obtaining guidance on information security risk management.

2. Risk management strategy of REs shall include (but not limited to) steps for risk assessment, risk analysis, risk mitigation, risk monitoring and review, compliance with relevant laws and regulations, communication of risk management policies to all stakeholders, effective mitigating measures with options for compensatory controls where feasible, reduced residual risk and ensuring that the cybersecurity risk tolerance is within acceptable limits.

3. REs shall use metrics like (including but not limited to) MTTD, MTTR, MTTC, number of security incidents detected and resolved within a specific period, number of false positives and false negatives generated by security monitoring tools and how these numbers are being reduced through continuous refinement of the monitoring process, level of employee security awareness, phishing test success rate, how many devices on the network are running end-of-life (EOL) software no longer receiving security updates, unidentified devices on the internal network, integration of third-party devices and services into the network and the process for managing their access and permissions, patching cadence, security rating, third-party security rating, number of known vulnerabilities, number of intrusion attempts detected and blocked by the IDS, number of successful cyber-attacks that occurred in the past year, etc. to assess the cybersecurity posture of their organization.

4. Adequate manpower in cybersecurity domain shall be hired to safeguard organization from any cyber risk / threat / incident.
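The time-based metrics named above (MTTD, MTTR, MTTC) and the per-period incident counts can be computed from an incident register. The following is an added example and not part of the SEBI CSCRF text or any SEBI tooling; the incident records are constructed, and the measurement conventions (MTTD from occurrence to detection, MTTC from detection to containment, MTTR from detection to resolution, averaged over incidents detected within the reporting period) are assumptions of this example rather than definitions the framework prescribes.

```python
"""Cybersecurity posture metrics (MTTD, MTTC, MTTR) from an incident register.

Added example, not from the SEBI CSCRF text.  Conventions assumed here:
MTTD = occurrence to detection, MTTC = detection to containment,
MTTR = detection to resolution, each averaged over incidents detected inside
the reporting period.  Incidents not yet contained or resolved are excluded
from those two means but still counted as open.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Incident:
    ident: str
    occurred: datetime
    detected: datetime
    contained: Optional[datetime] = None
    resolved: Optional[datetime] = None


def _mean_hours(deltas: List[timedelta]) -> Optional[float]:
    """Arithmetic mean in hours, or None when there is nothing to average."""
    if not deltas:
        return None
    return sum(d.total_seconds() for d in deltas) / len(deltas) / 3600.0


def posture_metrics(incidents: List[Incident], start: datetime, end: datetime) -> Dict[str, Optional[float]]:
    """Metrics for incidents detected in the half-open interval [start, end)."""
    in_period = [i for i in incidents if start <= i.detected < end]
    contained = [i for i in in_period if i.contained is not None]
    resolved = [i for i in in_period if i.resolved is not None]
    return {
        "incidents_detected": len(in_period),
        "incidents_resolved": len(resolved),
        "incidents_open": len(in_period) - len(resolved),
        "mttd_hours": _mean_hours([i.detected - i.occurred for i in in_period]),
        "mttc_hours": _mean_hours([i.contained - i.detected for i in contained]),
        "mttr_hours": _mean_hours([i.resolved - i.detected for i in resolved]),
    }


def improvement(previous: Dict, current: Dict, key: str) -> Optional[float]:
    """Fractional reduction of a metric between two periods (positive = better).
    None when either period has no value for that metric."""
    p, c = previous.get(key), current.get(key)
    if p is None or c is None or p == 0:
        return None
    return (p - c) / p


# Constructed incident register for the demonstration (not real events).
REGISTER = [
    Incident("INC-1", datetime(2024, 1, 2, 8), datetime(2024, 1, 2, 10),
             datetime(2024, 1, 2, 12), datetime(2024, 1, 3, 10)),
    Incident("INC-2", datetime(2024, 1, 10, 0), datetime(2024, 1, 10, 6),
             datetime(2024, 1, 10, 7)),                       # contained, still open
    Incident("INC-3", datetime(2024, 1, 20, 9), datetime(2024, 1, 20, 13),
             datetime(2024, 1, 20, 14, 30), datetime(2024, 1, 21, 1)),
    Incident("INC-4", datetime(2024, 2, 5, 3), datetime(2024, 2, 5, 4),
             datetime(2024, 2, 5, 5), datetime(2024, 2, 5, 9)),
]
JAN = (datetime(2024, 1, 1), datetime(2024, 2, 1))
FEB = (datetime(2024, 2, 1), datetime(2024, 3, 1))

if __name__ == "__main__":
    jan, feb = posture_metrics(REGISTER, *JAN), posture_metrics(REGISTER, *FEB)
    for name, m in (("January", jan), ("February", feb)):
        print(name, m)
    print("MTTD reduction Jan->Feb:", improvement(jan, feb, "mttd_hours"))
```

Reporting the open-incident count next to MTTR matters: a period with many unresolved incidents can show a flattering MTTR simply because the slow cases have not closed yet.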

iii. Risk-based authentication (RBA)

1. Risk assessment of authentication servers shall be done to gain insight into the context behind every login to servers.

2. When a user attempts to sign-in, risk-based authentication solution shall analyse factors such as device, location, network, sensitivity, etc.
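A risk-based authentication decision of the kind described in items 1 and 2 can be expressed as a score over the sign-in context. The block below is an added example, not code from the SEBI CSCRF text or from any SEBI-mandated product; the factor weights, the allow / MFA / block thresholds, the user baseline and the sample attempts are all constructed assumptions.

```python
"""Risk-based authentication (RBA) scoring over sign-in context.

Added example (not part of the SEBI CSCRF text): each sign-in attempt is
scored on the factors the guideline names (device, location, network and
sensitivity of the target system) plus recent failed attempts, and mapped
to allow / step-up MFA / block.  All weights, thresholds, profiles and
events are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed weights: higher means riskier.  An unrecognised network class
# is treated like "unknown" so a missing value never lowers the score.
NETWORK_RISK: Dict[str, int] = {"corporate": 0, "home": 10, "vpn": 20, "unknown": 30, "anonymiser": 60}
SENSITIVITY_RISK: Dict[str, int] = {"low": 0, "medium": 15, "critical": 30}

ALLOW_BELOW = 30   # score below this: first factor is enough
BLOCK_AT = 70      # score at or above this: refuse and raise an alert


@dataclass
class UserProfile:
    known_devices: Set[str]
    usual_countries: Set[str]


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    network: str              # one of NETWORK_RISK's keys
    target_sensitivity: str   # one of SENSITIVITY_RISK's keys
    recent_failures: int      # failed attempts in the last few minutes


def risk_score(attempt: LoginAttempt, profile: UserProfile) -> Tuple[int, List[str]]:
    """Return (score in 0..100, human-readable reasons) for one attempt."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 25
        reasons.append("unrecognised device")
    if attempt.country not in profile.usual_countries:
        score += 25
        reasons.append(f"unusual location {attempt.country}")
    net = NETWORK_RISK.get(attempt.network, NETWORK_RISK["unknown"])
    if net:
        score += net
        reasons.append(f"network class {attempt.network}")
    sens = SENSITIVITY_RISK.get(attempt.target_sensitivity, SENSITIVITY_RISK["critical"])
    if sens:
        score += sens
        reasons.append(f"{attempt.target_sensitivity} target")
    if attempt.recent_failures:
        score += 5 * min(attempt.recent_failures, 5)
        reasons.append(f"{attempt.recent_failures} recent failures")
    return min(score, 100), reasons


def decide(attempt: LoginAttempt, profile: UserProfile) -> str:
    """Map the score to an action.  A 'critical' target alone scores 30, so it
    never lands in the allow band; that mirrors the standard that MFA is
    mandatory for all users of critical systems."""
    score, _ = risk_score(attempt, profile)
    if score >= BLOCK_AT:
        return "block"
    if score >= ALLOW_BELOW:
        return "mfa"
    return "allow"


# Constructed baseline and sample attempts for a demonstration run.
PROFILE = UserProfile(known_devices={"laptop-01"}, usual_countries={"IN"})
SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", "laptop-01", "IN", "corporate", "low", 0),         # routine
    LoginAttempt("alice", "laptop-01", "IN", "home", "critical", 0),         # critical system from home
    LoginAttempt("alice", "phone-77", "IN", "vpn", "medium", 0),             # new device over VPN
    LoginAttempt("alice", "unknown-9f", "DE", "anonymiser", "critical", 4),  # everything wrong at once
]

if __name__ == "__main__":
    for a in SAMPLE_ATTEMPTS:
        score, reasons = risk_score(a, PROFILE)
        print(f"{a.device_id:>10} {a.country} {a.network:<10} score={score:3d} -> {decide(a, PROFILE):5} {reasons}")
```

The reasons list is returned alongside the score so that the decision can be logged and reviewed; a step-up or block that cannot be explained to the Designated Officer afterwards is of little use in an incident review.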

iv. Cyber Threat Intelligence (CTI)

1. REs shall harness CTI provided by CISO forum or CERT-In or any third-party vendor to transform security decision-making when addressing attacks by threat actors, making it more informed, quicker and data driven.

v. Cybersecurity scenario-based Testing

1. Comprehensive scenario-based testing shall be done for assessing risk related to cybersecurity in the organization’s IT assets.

2. Possible attack scenarios and possibilities have been attached as Annexure-D.

1.4. ID.SC: Supply Chain Risk Management

The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risks. The organization has established and implemented the processes to identify, assess and manage supply chain risks.

1.4.1. ID.SC: Objective:

a. Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.

b. Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber-supply chain risk assessment process.

c. Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and cyber-supply chain risk management plan.

d. Suppliers and third-party partners are routinely assessed using audits, test results, and/or other forms of evaluations to confirm that they are meeting their contractual obligations.

e. Response and recovery planning and testing are conducted along with suppliers and third-party providers.

1.4.2. ID.SC: Standard:

a. Concentration risk on outsourced agencies shall be assessed and reviewed.

b. Manpower adequacy in cybersecurity domain shall be estimated and monitored.

1.4.3. ID.SC: Guidelines:

a. Applicable to all REs

i. Concentration risk on third-party service providers /outsourced agencies

1. REs need to take into account concentration risk while outsourcing multiple critical services to the same third-party service provider.

2. It has also been observed that a single third-party service provider may provide services to multiple REs, which creates concentration risk. Although such third parties may be small non-financial organizations, a cyber-attack on them could have systemic implications because of the high concentration risk. SEBI circular on ‘Guidelines on Outsourcing of Activities by Intermediaries’[23] has been attached as Annexure-E and shall be complied with by all REs.

3. REs shall prescribe specific cybersecurity controls, including audit of their systems and protocols from independent auditors, to mitigate such concentration risk.

ii. Software Bill of Materials (SBOMs)

1. REs shall obtain SBOMs for any new products before they procure them. SBOMs containing all the open source and third-party components present in a codebase, the versions of the components used in the codebase, and their patch status allow security teams to quickly identify any associated security or license risks.

2. SBOM shall include license information, name of the supplier, all primary (top-level) components with all their transitive dependencies (including third-party dependencies, whether in-house or open-source components) and their relationships, cryptographic hash of the components, frequency of updates, known unknowns (where an SBOM does not include a full dependency graph), access control, and methods for accommodating occasional incidental errors.
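The checks in items 1 and 2 can be applied mechanically to a supplier's SBOM before procurement. The block below is an added example and not part of the SEBI CSCRF text or of any SEBI tooling. It assumes a CycloneDX-style JSON layout (components with bom-ref, supplier, licenses and hashes; a dependencies list of ref / dependsOn pairs) and treats a component with no dependencies entry at all as a "known unknown", which is an assumption of this example; the sample document and its digests are constructed placeholders.

```python
"""SBOM completeness review before procurement.

Added example, not from the SEBI CSCRF text.  Checks a CycloneDX-style SBOM
(layout assumed; sample document constructed, digests are placeholders) for
the fields the guideline asks for: supplier, licence and cryptographic hash
on every component, a dependency graph whose references all resolve, and an
explicit list of 'known unknowns', i.e. components that declare no
dependency information.
"""
import json
from typing import Dict, List, Set

PLACEHOLDER_A, PLACEHOLDER_B = "a" * 64, "b" * 64   # not real SHA-256 digests

SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "metadata": {"component": {"bom-ref": "app", "name": "backoffice-portal", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "lib-a", "name": "web-framework", "version": "5.1.0",
     "supplier": {"name": "Example Vendor Ltd"},
     "licenses": [{"license": {"id": "MIT"}}],
     "hashes": [{"alg": "SHA-256", "content": "%s"}]},
    {"bom-ref": "lib-b", "name": "json-parser", "version": "2.0.3",
     "supplier": {"name": "Example OSS Project"},
     "licenses": [{"license": {"id": "Apache-2.0"}}],
     "hashes": [{"alg": "SHA-256", "content": "%s"}]},
    {"bom-ref": "lib-c", "name": "crypto-utils", "version": "1.4.9",
     "licenses": [], "hashes": []}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["lib-a", "lib-c"]},
    {"ref": "lib-a", "dependsOn": ["lib-b", "lib-z"]}
  ]
}
""" % (PLACEHOLDER_A, PLACEHOLDER_B))


def component_index(sbom: dict) -> Dict[str, dict]:
    return {c["bom-ref"]: c for c in sbom.get("components", [])}


def dependency_graph(sbom: dict) -> Dict[str, List[str]]:
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def transitive_dependencies(sbom: dict, ref: str) -> Set[str]:
    """Every component reachable from `ref` through the dependency graph."""
    graph = dependency_graph(sbom)
    seen: Set[str] = set()
    stack = list(graph.get(ref, []))
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(graph.get(r, []))
    return seen


def review_sbom(sbom: dict) -> Dict[str, object]:
    """Findings against the guideline's minimum content; accept only when none."""
    comps = component_index(sbom)
    graph = dependency_graph(sbom)
    missing_fields = []
    for ref, c in comps.items():
        absent = [name for name, present in (
            ("supplier", bool(c.get("supplier", {}).get("name"))),
            ("license", bool(c.get("licenses"))),
            ("hash", bool(c.get("hashes"))),
        ) if not present]
        if absent:
            missing_fields.append((ref, absent))
    known_refs = set(comps) | {sbom["metadata"]["component"]["bom-ref"]}
    # dependsOn targets that are not described anywhere in the document
    dangling = sorted({dep for deps in graph.values() for dep in deps if dep not in known_refs})
    # components with no dependency declaration at all: their subtree is unknown
    known_unknowns = sorted(ref for ref in comps if ref not in graph)
    return {
        "missing_fields": missing_fields,
        "dangling_refs": dangling,
        "known_unknowns": known_unknowns,
        "accept": not (missing_fields or dangling or known_unknowns),
    }


if __name__ == "__main__":
    print("transitive deps of app:", sorted(transitive_dependencies(SAMPLE_SBOM, "app")))
    print(json.dumps(review_sbom(SAMPLE_SBOM), indent=2))
```

Running it against the constructed document rejects it for three independent reasons: crypto-utils carries no supplier, licence or hash; web-framework depends on a component (lib-z) the SBOM never describes; and two components have no dependency declaration, so their own subtrees are unknown.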

iii. Manpower deployment

1. Based on the risk assessment, hiring and deployment of professionals/experts in cybersecurity domain on full-time/part-time/contract basis shall be made to ensure cyber resiliency of the REs.

2. Adequate manpower in cybersecurity domain shall be hired to safeguard organization from any cyber risk / threat / incident.

2. PROTECT

2.1. PR.AC: Identity Management, Authentication, and Access Control

Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

2.1.1. PR.AC: Objective:

a. Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.

b. Physical access to assets is managed and protected.

c. Remote access is managed.

d. Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.

e. Network integrity is protected (e.g., network segregation, network segmentation).

f. Identities are proofed and bound to credentials and asserted in interactions.

g. Users, devices, and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).

2.1.2. PR.AC: Standard:

a. While giving access to both on premise and cloud resources of the organization, ‘Principle of Least Privilege’ and ‘Zero Trust Model’ shall be followed. PIM solutions shall be mandated for keeping track of privileged access.

b. Critical systems shall have MFA implemented for all users.

c. Access rights shall be reviewed on a periodic[24] basis.

d. User logs shall be uniquely identified and stored for at least 2 years.

e. A comprehensive password policy shall be documented and implemented.

f. Physical access to the critical systems shall be monitored and recorded on a daily basis.

g. Access for outsourced staff shall be restricted. If access must be granted in a special case, it shall be for a limited time period and shall be subject to stringent supervision and monitoring.

h. Strong authentication and authorization mechanisms shall be enforced for API security.

i. A comprehensive Data-disposal and data-retention policy shall be documented and implemented.

j. Proper SOPs shall be documented for handling storage media devices and their disposal.

2.1.3. PR.AC: Guidelines

a. Applicable to all REs

i. Access Controls, Password Policy / Authentication Mechanism

1. No person by virtue of rank or position shall have any intrinsic right to access confidential data, applications, system resources or facilities.

2. Any access to REs systems, applications, networks, database, etc., shall be for a defined purpose and for a defined period. Access grant to IT systems, applications, databases and networks shall be on a need-to-use basis and based on the principle of least privilege. Such access shall be for the period during which the access is required and shall be authorized using strong authentication mechanisms.

3. All critical systems accessible over the internet shall have two-factor security (such as VPNs, Firewall controls, etc.).

4. All REs shall ensure that records of user access to critical systems, wherever possible, are uniquely identified and logged for audit and review purposes. Such logs shall be maintained and stored in a secure location for a time period not less than two (2) years.

5. Account access lock policies after failure attempts shall be implemented for all accounts.

6. Existing user accounts and access rights shall be periodically reviewed by the owner of the system in order to detect dormant accounts and accounts with excessive privileges, unknown accounts or any type of discrepancy.

7. A proper ‘end of life’ mechanism shall be adopted for user management to deactivate access privileges of users who are leaving the organization or whose access privileges have been withdrawn. This includes named user IDs and generic user IDs.

8. A strong password policy shall be implemented. The policy shall include clauses for periodic[25] review of the accounts of ex-employees, that passwords shall not be reused across multiple accounts, and that lists of passwords shall not be stored on the system.

9. MFA shall be enabled for all users that connect using online/internet facility and also particularly for virtual private networks, webmail, and accounts that access critical systems.

ii. Log Management

1. An indicative (but not limited to) list of types of log data to be collected by REs are: System logs, Application logs, Network logs, Security logs, and PowerShell logs. REs are advised to ensure that all logs are being collected.

2. Strong log retention policy shall be implemented as per extant SEBI regulations and required by CERT-In and IT Act 2000. Monitoring of all logs of events and incidents to identify unusual patterns and behaviours shall be done.

iii. Physical Security

1. Physical access to the critical systems shall be restricted to minimum and only to authorized officials. Physical access provided to outsourced staff/visitors shall be properly supervised by ensuring at the minimum that outsourced staff/visitors are accompanied at all times by authorized employees.

2. Physical access to the critical systems shall be revoked immediately if the same is no longer required.

3. All REs shall ensure that the perimeter of the critical equipment room, if any, is physically secured and monitored by employing physical, human and procedural controls such as the use of security guards, CCTVs, card access systems, mantraps, bollards, etc. wherever appropriate.

iv. Remote Support Service Security

1. As many OEMs and their service partners as well as System Integrators provide remote support services to organisations, REs shall ensure that these services are well-governed, controlled, logged and an oversight maintained on all the activities done by remote support service providers. It shall be complemented by regular inspection and audit to validate the defined policies for privileged remote users and access.

v. Network Security Management

1. REs shall apply appropriate network segmentation techniques to restrict access to the sensitive information, hosts and services. Segment to segment access shall be based on strong access control policy and Principle of Least Privilege.

2. All REs shall install network security devices, such as WAF, proxy servers, IDS to protect their IT infrastructure which is exposed to the internet, from security exposures originating from internal and external sources.

3. Adequate controls shall be deployed to address virus / malware / ransomware attacks on servers and other computer systems. These controls may include host / network / application based IDS systems, customized kernels for Linux, anti-virus and anti-malware software, etc. Updating of anti-virus definition files and automatic anti-virus scanning shall be done on a regular basis.

4. All REs shall establish baseline standards to facilitate consistent application of security configurations to operating systems, databases, network devices and enterprise mobile devices within the IT environment. The LAN and wireless networks shall be secured within their premises with proper access controls. The REs shall conduct regular enforcement checks to ensure that baseline standards are applied uniformly.

vi. Disposal of data, systems, and storage devices

1. REs shall formulate a data-disposal and data-retention policy to identify the value and lifetime of various parcels of data.

2. REs shall frame suitable policy for disposal of storage media and systems. The critical data / information on such devices and systems shall be removed by using methods such as crypto shredding / wiping / cleaning / overwrite / degauss / physical destruction as applicable.

b. Applicable to Stock Brokers / Depository Participants

i. Network Security Management

1. For algorithmic trading facilities, adequate measures shall be taken to isolate and secure the perimeter and connectivity to the servers running algorithmic trading applications.

c. Applicable to specified REs and MIIs

i. Access Controls, Password Policy / Authentication Mechanism

1. Specified REs and MIIs shall implement an access policy which addresses strong password controls for users’ access to systems, applications, networks and databases. Illustrative examples for this are given in Annexure-F.

2. Specified REs and MIIs shall implement strong password controls for users’ access to systems, applications, networks and databases. Password controls shall include a change of password upon first log-in, minimum password length and history, password complexity as well as maximum validity period. The user credential data shall be stored using strong and latest hashing algorithms.

3. Specified REs and MIIs shall deploy controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users). Such controls and measures shall inter alia include restricting the number of privileged users, periodic[26] review of privileged users’ activities, disallowing privileged users from accessing the system logs in which their activities are being captured, strong controls over remote access by privileged users, etc.

4. Employees and outsourced staff such as employees of third-party service providers, who may be given authorized access to the critical systems, networks and other computer resources of specified REs and MIIs shall be subject to stringent supervision, monitoring and access restrictions.

5. Specified REs and MIIs shall formulate an Internet access policy to monitor and regulate the use of internet and internet based services such as social media sites, cloud-based internet storage sites, etc. within the critical IT infrastructure of specified REs and MIIs.
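The password controls in items 1 and 2 above (change on first login, minimum length, history, complexity, maximum validity, credentials stored only as strong hashes), together with the account-lockout and no-reuse rules in the guidelines for all REs, can be enforced in one small account store. The block below is an added example, not code from the SEBI CSCRF text or any SEBI-mandated product; the policy values are constructed assumptions rather than SEBI-prescribed figures, and scrypt from the Python standard library stands in for whatever memory-hard hash a real deployment selects.

```python
"""Password controls, account lockout and credential hashing.

Added example, not part of the SEBI CSCRF text or any SEBI tooling.  An
in-memory account store enforces minimum length and complexity, password
history, maximum validity period, forced change on first login, and lockout
after repeated failures, and stores credentials only as salted scrypt
digests.  Policy values below are constructed assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SALT_LEN = 16
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # memory-hard KDF; raise n for production


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password, salt), with a fresh random salt per password."""
    salt = salt or os.urandom(SALT_LEN)
    return salt + hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Policy:
    min_length: int = 12
    min_classes: int = 3              # of lower / upper / digit / symbol
    history: int = 5                  # last N passwords (current included) cannot be reused
    max_age_seconds: int = 90 * 86400
    lockout_threshold: int = 5
    lockout_seconds: int = 900


def complexity_violations(password: str, policy: Policy) -> List[str]:
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum([any(c.islower() for c in password), any(c.isupper() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])
    if classes < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    return problems


@dataclass
class Account:
    current: bytes
    previous: List[bytes] = field(default_factory=list)  # older digests, newest first
    changed_at: float = 0.0
    must_change: bool = False
    failures: int = 0
    locked_until: float = 0.0


class AccountStore:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.accounts: Dict[str, Account] = {}

    def set_password(self, user: str, new_password: str, now: float, initial: bool = False) -> List[str]:
        """Apply the policy and return the violations (empty list on success).
        initial=True marks an admin-issued password that must be changed on first login."""
        problems = complexity_violations(new_password, self.policy)
        acct = self.accounts.get(user)
        if acct is not None and any(verify_password(new_password, old) for old in [acct.current] + acct.previous):
            problems.append("password reused from history")
        if problems:
            return problems
        if acct is None:
            self.accounts[user] = Account(current=hash_password(new_password), changed_at=now, must_change=initial)
        else:
            acct.previous = ([acct.current] + acct.previous)[: self.policy.history - 1]
            acct.current = hash_password(new_password)
            acct.changed_at, acct.must_change, acct.failures = now, initial, 0
        return []

    def authenticate(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'must_change', 'expired', 'locked' or 'bad_credentials'."""
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password)          # spend the same time as a real check (no enumeration by timing)
            return "bad_credentials"
        if now < acct.locked_until:
            return "locked"
        if not verify_password(password, acct.current):
            acct.failures += 1
            if acct.failures >= self.policy.lockout_threshold:
                acct.locked_until, acct.failures = now + self.policy.lockout_seconds, 0
                return "locked"
            return "bad_credentials"
        acct.failures = 0
        if acct.must_change:
            return "must_change"
        if now - acct.changed_at > self.policy.max_age_seconds:
            return "expired"
        return "ok"
```

The clock is passed in as a parameter so that lockout expiry and password age can be exercised deterministically; the reuse check verifies the candidate against the stored digests rather than keeping any list of past passwords, which keeps the store consistent with the rule that password lists are never stored on the system.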

2.2. PR.AT: Awareness and Training

The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity related duties and responsibilities consistent with related policies, procedures, and agreements.

2.2.1. PR.AT: Objective:

a. All users are informed and trained.

b. Privileged users understand their roles and responsibilities.

c. Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.

d. Senior executives understand their roles and responsibilities.

e. Physical and cybersecurity personnel understand their roles and responsibilities.

2.2.2. PR.AT: Standard:

a. A program for building cybersecurity and system hygiene awareness of staff shall be established.

b. A program on cybersecurity and system hygiene shall be made for senior management.

c. A mandatory training program shall be conducted on a periodic[27] basis to enhance the knowledge and understanding of cybersecurity among the staff.

d. Training programs and programs for system hygiene shall be updated as per the state-of-the-art technologies and industry trends.

2.2.3. PR.AT: Guidelines:

a. Applicable to specified REs and MIIs

i. Specified REs and MIIs shall work on building cybersecurity and basic system hygiene awareness of staff (with a focus on staff from non-technical disciplines).

ii. Specified REs and MIIs shall conduct periodic training programs to enhance knowledge of IT / cybersecurity Policy and standards among the employees incorporating up-to-date cybersecurity threat alerts. Wherever possible, this shall be extended to outsourced staff, third-party service providers, etc.

iii. The training programs shall be reviewed and updated to ensure that the contents of the program remain current and relevant.

2.3. PR.DS: Data Security

Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

2.3.1. PR.DS: Objective:

a. Data-at-rest and Data-in-transit is protected.

b. Assets are formally managed throughout removal, transfers, and disposition.

c. Adequate capacity to ensure availability is maintained.

d. Protections against data leaks are implemented.

e. Integrity checking mechanisms are used to verify software, firmware, and information integrity.

f. The development and testing environment(s) are separate from the production environment.

g. Integrity checking mechanisms are used to verify hardware integrity.

2.3.2. PR.DS: Standard:

a. Strong data protection measures (both at-rest and in-transit) with industry standard encryption algorithms shall be put in place.

b. Backup and recovery plan of data shall be documented to ensure that there is no data loss.

c. Appropriate tools shall be put in place to prevent any data leakage.

d. Off-the-shelf products shall be certified with common criteria certification provided by GoI before deploying to production.

2.3.3. PR.DS: Guidelines:

a. Applicable to all REs

i. Data and Storage Devices security

1. Critical data shall be identified and encrypted in motion and at rest by using strong encryption methods. Layering of Full-disk Encryption (FDE) along with File-based Encryption (FBE) shall be used wherever possible. Use industry standard, strong encryption algorithms (eg: RSA, AES, etc.) wherever encryption is implemented. Illustrative measures in this regard are given in Annexure-G and Annexure-H.

2. Enforce effective data protection, backup, recovery measures.

3. Deploy Data Loss Prevention (DLP) solutions / processes.

4. REs shall block administrative rights on end-user workstations/PCs/laptops and provide access rights on a need-to-know basis and for specific duration for which it is required following an established process and approval.

5. REs shall implement measures to control use of VBA/macros in office documents, control permissible attachment types in email systems.

ii. Application Security in Customer Facing Applications

1. Application security for Customer facing applications offered over the Internet such as IBTs (Internet Based Trading applications), portals containing sensitive or private information and back office applications (repository of financial and personal information offered by specified REs and MIIs to Customers) are paramount as they carry significant attack surfaces by virtue of being available publicly over the Internet for mass use. An illustrative list of measures for ensuring security in such applications is provided in Annexure-F.

iii. Certification of off-the-shelf products

1. Stock Exchanges and Depositories shall ensure that vendors empanelled by them for supply of software/products to their respective regulated agencies (stock brokers and depository participants) mandatorily obtain Indian Common Criteria certification of Evaluation Assurance Level 4. Specified REs and MIIs shall ensure that off-the-shelf products used for core business functionality (such as back office applications) bear Indian Common Criteria Certification of Evaluation Assurance Level 4. Common Criteria certification in India is provided by Standardisation Testing and Quality Certification (STQC), Ministry of Electronics and Information Technology. In-house software and components need not obtain the certification, but have to undergo intensive regression testing, configuration testing, etc. The scope of tests shall include business logic and security controls.

b. Applicable to specified REs and MIIs

i. Data and Storage Devices security

1. Specified REs and MIIs shall implement measures to prevent unauthorized access or copying or transmission of data / information held in contractual or fiduciary capacity. It shall be ensured that confidentiality of information is not compromised during the process of exchanging and transferring information with external parties. Illustrative measures to ensure security during transportation of data over the internet are given in Annexure-H.

2. The information security policy shall also cover use of devices such as mobile phones, photocopiers, scanners, etc., within their critical IT infrastructure, that can be used for capturing and transmission of sensitive data. For instance, defining access policies for personnel, and network connectivity for such devices etc.

3. Specified REs and MIIs shall allow only authorized data storage devices within their IT infrastructure through appropriate validation processes.

c. Applicable to MIIs

i. Data and Storage Devices security

1. Along with encrypting data-at-rest and data-in-transit, Confidential Computing shall be used to protect sensitive personal data, sensitive financial data and PII even when it is being processed.

2.4. PR.IP: Information Protection Processes and Procedures

Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

2.4.1. PR.IP: Objective:

a. A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).

b. A System Development Life Cycle to manage systems is implemented.

c. Configuration change control processes are in place.

d. Backups of information are conducted, maintained, and tested.

e. Policy and regulations regarding the physical operating environment for organizational assets are met.

f. Data is destroyed according to policy.

g. Protection processes are continually improved.

h. Effectiveness of protection technologies is shared.

i. Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.

j. Response and recovery plans are tested.

k. IT, OT and IS infrastructure is ‘secure by design’, ‘secure by engineering / implementation’ and the infrastructure has appropriate elements to ensure ‘secure IT operations’.

l. Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).

m. A vulnerability management plan is developed and implemented.

2.4.2. PR.IP: Standard:

a. Proper scans of critical software/applications shall be done to ensure no malicious code is present.

b. All anomalies and alerts generated shall be properly investigated and monitored within stipulated time.

c. For all cloud instances of REs, SEBI circular ‘Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)’ shall be followed.

d. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) shall be followed with a recovery plan in place for the restoration of systems after cyber-incidents.

e. Only CERT-In empanelled auditors shall be onboarded for external audit of REs.

f. MIIs and Specified REs shall obtain ISO 27001 certification.

g. REs shall follow globally recognised standards like CIS Critical Security Controls to enhance the RE’s cyber resilience.

2.4.3. PR.IP: Guidelines:

a. Applicable to all REs

i. Secure Software Development Life Cycle (SSDLC)

1. For the development of all critical software / applications and further feature enhancements, there shall be separate DEV, SIT, UAT, and QA environments.

2. After development of any critical feature enhancement, SIT shall be done to ensure that the complete software / application is working as required.

3. For deployment purpose, rolling updates or Blue-green deployment strategies shall be followed.

4. During the development phase of any software/application to be used by the REs or customers of REs, it shall be ensured that vulnerabilities based on best practices baselines such as OWASP and top 25 software security vulnerabilities identified by CWE/SANS are addressed.

5. All REs shall ensure that regression testing is undertaken before new or modified system is implemented. The scope of test shall cover business logic, security control and system performance under various stress-load scenarios and recovery conditions.

6. For any production release, vulnerability assessment shall be undertaken. For all major releases, a limited-purpose VAPT shall be conducted by the REs to assess the risks and vulnerabilities arising from recent additions to applications / software.

7. For the critical software/applications, undertaking from the OEMs/application providers shall be taken such that application is free from embedded malicious/fraudulent code.

ii. Measures against Phishing attacks / websites

1. The REs need to proactively monitor cyberspace to identify phishing websites w.r.t. the REs' domains and report the same to CSIRT-Fin/CERT-In for appropriate action.

2. The majority of infections are introduced via phishing emails, malicious adverts on websites, and third-party apps and programs. Hence, thoughtfully designed security awareness campaigns that stress avoiding clicking on links and attachments in email shall be established as an essential pillar of defence. Additionally, the advisories issued by CERT-In/CSIRT-Fin may be referred to for assistance in conducting public awareness exercises.

iii. Security of Cloud Services

1. Check the public accessibility of all cloud instances in use. Make sure that no server / bucket is inadvertently leaking data due to inappropriate configurations.

2. Proper security of cloud access tokens [28] shall be ensured. The tokens shall not be exposed publicly in website source code, configuration files, etc. SEBI circular ‘Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)’ has been attached as Annexure-I and shall be complied with by all REs.
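One way to check for the exposure described in item 2 before website source or configuration files are published, as an added example that is not part of the framework or any RE's tooling; the token shapes, key-name heuristics, entropy cut-off and sample files are all the author's assumptions and constructed inputs:

```python
"""Scan source and configuration text for cloud access tokens left in it.
Added example for CSCRF guideline 2.4.3.a.iii.2; patterns and thresholds are
assumptions, and the sample files below are constructed, not from any RE."""
import math
import re
from dataclasses import dataclass

# Known token shapes (assumed, illustrative; add the providers actually in use).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-=]{20,}"),
}
# "key = value" / "key: value" lines whose key name suggests a credential.
ASSIGNMENT = re.compile(
    r"(?i)(?P<key>[A-Z0-9_.\-]*(?:secret|token|api[_-]?key|password)[A-Z0-9_.\-]*)"
    r"\s*[:=]\s*['\"]?(?P<value>[^\s'\"]{8,})"
)
# Values that are clearly placeholders or environment references, not live secrets.
PLACEHOLDERS = re.compile(
    r"(?i)^(?:\$\{.*\}|\$[A-Z_][A-Z0-9_]*|<.*>|\*{3,}|x{6,}|changeme|redacted)$")
ENTROPY_THRESHOLD = 3.5  # bits/char; assumed cut-off between random tokens and words


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    detail: str  # matched token for known shapes, key name for heuristic hits


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking tokens score well above prose."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))


def scan_text(path: str, text: str) -> list:
    """One Finding per line that looks like an exposed credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KNOWN_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append(Finding(path, line_no, kind, match.group(0)))
                break
        else:  # no known shape on this line: key-name plus entropy heuristic
            match = ASSIGNMENT.search(line)
            if (match and not PLACEHOLDERS.match(match.group("value"))
                    and shannon_entropy(match.group("value")) >= ENTROPY_THRESHOLD):
                findings.append(
                    Finding(path, line_no, "high_entropy_credential", match.group("key")))
    return findings


def scan_files(files: dict) -> list:
    """files maps a path to its text (read from disk in real use)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample files. The AWS-style key is the publicly documented example
# key, not a live credential; the yaml token is a made-up random string.
SAMPLE_FILES = {
    "static/app.js": (
        "const apiBase = 'https://api.example.test';\n"
        "// access key id pasted into client-side JavaScript (constructed sample)\n"
        "const AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE';\n"
    ),
    "config/settings.yaml": (
        "storage_bucket: re-reports\n"
        "storage_secret_key: ${STORAGE_SECRET_KEY}\n"
        "api_token: Zq8kL2mP9vXw4nR7tB1yH6cD3fG5jA0s\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.detail})")
```

The environment reference in the yaml file is skipped as a placeholder, while both the documented example key and the random-looking token are reported.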

iv. Systems managed by third-party service providers

1. REs have outsourced many of their critical activities to different agencies / vendors / third-party service providers. The responsibility, accountability and ownership of those outsourced activities lie primarily with the REs. Therefore, REs have to put in place an appropriate monitoring mechanism, through a clearly defined framework, to ensure that all the requirements specified in this framework are complied with. The periodic [29] report submitted to SEBI shall highlight the critical activities handled by the agencies and certify that the above requirement is complied with.

2. Where the systems (IBT, back office and other customer-facing applications, IT infrastructure, etc.) of an RE are managed by third-party service providers and the RE may not be able to implement some of the aforementioned guidelines directly, the RE shall instruct the third-party service provider to adhere to the applicable guidelines in the Cybersecurity and Cyber Resilience Framework and obtain the necessary cyber audit certifications from them to ensure compliance with the framework standards.

v. Systems managed by MIIs

1. Where applications are offered to customers over the internet by MIIs (Market Infrastructure Institutions), e.g. NSE’s NOW, BSE’s BEST, etc., the responsibility for ensuring cyber resilience of those applications resides with the MIIs and not with the RE that obtains them from the MIIs.

vi. Periodic Audit

1. REs shall engage only CERT-In empanelled auditors for their external audits and to audit the implementation of all standards mentioned in this framework.

2. An auditor empanelled by an RE shall be valid for a maximum period of three consecutive years. After the expiry of the audit contract, the RE shall wait for at least two years as a cooling-off period before re-empanelling that auditor.

3. The periodicity, timeline and report submission for cyber audit by respective authorities has been provided in the ‘Framework compliance, Audit, Report submission, Timeline’ section.

4. Along with the cyber audit reports, henceforth, all REs shall submit a declaration from the Managing Director (MD) / Chief Executive Officer (CEO) certifying that:

a. Comprehensive measures and processes including suitable incentive / disincentive structures, have been put in place for identification / detection and closure of vulnerabilities in the organization’s IT systems.

b. Adequate resources have been hired for staffing their Security Operations Centre (SOC).

c. There is compliance by the RE with all SEBI circulars and advisories related to cybersecurity.

5. To ensure that all the open vulnerabilities in the IT assets of REs have been fixed and closed, revalidation / audit of the VAPT shall also be done within 30 days of compliance with the closure VAPT report given by the auditor.

6. Audit Management process of the REs shall include (but not limited to) Audit Program / Audit Calendar, Audit Planning, Audit Preparation, Audit Delivery, Audit Evaluation, Audit Reporting, and Audit Follow-up steps. An indicative (but not limited to) list of audit metrics to help analyse materiality has been attached as Annexure-B.

7. Due diligence with respect to the audit process and the tools used for such audits shall be undertaken to ensure the competence and effectiveness of audits.

b. Applicable to MIIs

i. ISO Certification

1. ISO 27001 certification shall be mandatory for MIIs as it provides essential security standards with respect to ISMS. The scope of ISO 27001 certification shall include (but not be limited to) the PDC site, DR site, NDR site and SOC.

ii. CIS Critical Security Controls

1. MIIs shall follow the latest version of the CIS Controls, which are a prioritized set of safeguards and actions for cyber defence and provide specific and actionable ways to mitigate prevalent cyber-attacks.

2.5. PR.MA: Maintenance

Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.

2.5.1. PR.MA: Objective:

a. Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools.

b. Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.

2.5.2. PR.MA: Standard:

a. Patches shall be identified and categorized based on their severity, and critical patches shall be closed at the earliest.

2.5.3. PR.MA: Guidelines:

a. Applicable to all REs

i. Hardening of Hardware and Software

1. REs shall deploy only hardened and vetted hardware / software. During the hardening process, REs shall inter alia ensure that default usernames and passwords are replaced with non-standard usernames and strong passwords, and that all unnecessary services are removed or disabled in software / systems.

2. Hardening of OS shall be done to protect servers’/ endpoints’ OS and minimize attack surface and exposure to threats.

3. For running services, non-default ports shall be used. Open ports on networks and systems which are not in use or could potentially be used for exploitation of data shall be blocked. Other open ports shall be monitored and appropriate measures shall be taken to secure them.

4. The practice of whitelisting ports based on business usage at the firewall level shall be implemented rather than blacklisting certain ports. Traffic on all other ports which have not been whitelisted shall be blocked by default.

5. Restrict execution of “PowerShell” and “wscript” in the enterprise environment if not required. Ensure installation and use of the latest version of PowerShell, with enhanced logging enabled, including script block logging and transcription. Send the associated logs to a centralized log repository for monitoring and analysis.

6. REs shall utilize a host-based firewall to prevent Remote Procedure Call (RPC) and Server Message Block (SMB) communication among endpoints whenever possible, to limit lateral movement as well as other attack activities.
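Once the script block logs from item 5 reach the central repository, a large script block arrives as several Event ID 4104 records sharing one ScriptBlockId, so analysis has to join them first; the reassembly below is an added example, not code from the framework or any SIEM vendor, and the event records, IDs and script text are constructed samples in the shape a SIEM holds after parsing the EventData fields:

```python
"""Reassemble PowerShell script block logging fragments (Event ID 4104).
Added example for CSCRF guideline 2.5.3.a.i.5; the events below are constructed."""
from dataclasses import dataclass, field


@dataclass
class ScriptBlock:
    script_block_id: str
    path: str          # script file path; empty for interactive or in-memory code
    total: int         # MessageTotal: number of fragments PowerShell emitted
    fragments: dict = field(default_factory=dict)  # MessageNumber -> ScriptBlockText

    @property
    def complete(self) -> bool:
        return set(self.fragments) == set(range(1, self.total + 1))

    def text(self) -> str:
        """Full script block text, in fragment order."""
        if not self.complete:
            missing = sorted(set(range(1, self.total + 1)) - set(self.fragments))
            raise ValueError(f"{self.script_block_id}: missing fragments {missing}")
        return "".join(self.fragments[i] for i in range(1, self.total + 1))


def reassemble(events: list) -> dict:
    """Group 4104 fragments by ScriptBlockId; fragments may arrive in any order."""
    blocks = {}
    for ev in events:
        if ev.get("EventID") != 4104:
            continue  # e.g. 4103 module logging records are not script block fragments
        sbid = ev["ScriptBlockId"]
        block = blocks.setdefault(
            sbid, ScriptBlock(sbid, ev.get("Path", ""), int(ev["MessageTotal"])))
        number = int(ev["MessageNumber"])
        previous = block.fragments.get(number)
        if previous is not None and previous != ev["ScriptBlockText"]:
            raise ValueError(f"{sbid}: conflicting copies of fragment {number}")
        block.fragments[number] = ev["ScriptBlockText"]  # duplicates are harmless
    return blocks


def incomplete_ids(blocks: dict) -> list:
    """Script blocks with fragments still missing (dropped or delayed forwarding)."""
    return sorted(sbid for sbid, b in blocks.items() if not b.complete)


# Constructed sample events: made-up IDs, harmless admin snippet, out of order,
# with one unrelated module-logging record and one block missing a fragment.
BLOCK_A = "11111111-aaaa-4bbb-8ccc-000000000001"
BLOCK_B = "22222222-aaaa-4bbb-8ccc-000000000002"
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": BLOCK_A, "MessageNumber": 3, "MessageTotal": 3,
     "Path": r"C:\ops\Get-DiskReport.ps1",
     "ScriptBlockText": "    Select-Object Name, Used, Free\n}\n"},
    {"EventID": 4103, "Payload": "CommandInvocation(Get-PSDrive)"},
    {"EventID": 4104, "ScriptBlockId": BLOCK_A, "MessageNumber": 1, "MessageTotal": 3,
     "Path": r"C:\ops\Get-DiskReport.ps1",
     "ScriptBlockText": "function Get-DiskReport {\n"},
    {"EventID": 4104, "ScriptBlockId": BLOCK_B, "MessageNumber": 1, "MessageTotal": 2,
     "Path": "", "ScriptBlockText": "$drives = Get-PSDrive -PSProvider FileSystem\n"},
    {"EventID": 4104, "ScriptBlockId": BLOCK_A, "MessageNumber": 2, "MessageTotal": 3,
     "Path": r"C:\ops\Get-DiskReport.ps1",
     "ScriptBlockText": "  Get-PSDrive -PSProvider FileSystem |\n"},
]

if __name__ == "__main__":
    blocks = reassemble(SAMPLE_EVENTS)
    for sbid, block in blocks.items():
        status = "complete" if block.complete else "INCOMPLETE"
        print(f"{sbid} ({block.path or 'in-memory'}): {status}")
    print(blocks[BLOCK_A].text())
```

Blocks reported by incomplete_ids are the ones to chase in the forwarding pipeline, since a partial script block cannot be analysed reliably.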

ii. Patch Management

1. REs shall establish and ensure that the patch management procedures include the identification, categorization and prioritization of patches and updates. An implementation timeframe for each category of patches shall be established to apply them in a timely manner.

2. All operating systems and applications shall be updated with the latest patches on a regular basis. As an interim measure for zero-day vulnerabilities, and where patches are not available, virtual patching can be considered for protecting systems and networks. These measures hinder cybercriminals from gaining access to any system through vulnerabilities in end-of-support and end-of-life applications and software. Patches shall be sourced only from the authorized sites of the OEM.

3. REs shall perform rigorous testing of security patches and updates, wherever possible, before deployment into the production environment, so as to ensure that the application of patches does not impact other systems.

4. All patches shall be tested in a non-production environment which is identical to the production environment.

2.6. PR.PT: Protective Technology and Resilience

Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

2.6.1. PR.PT: Objective:

a. Endpoint devices, user authentication and removable media are protected and their use restricted according to policy.

b. Proper mechanisms are implemented to achieve resilience requirements in normal and adverse situations.

2.6.2. PR.PT: Standard:

a. Restrictions on the use of endpoint devices, network, user authentication, API security, removable media, BYOD, laptops / mobiles, etc. shall be defined and implemented.

b. API security with proper authentication and authorization mechanisms shall be defined and implemented.

2.6.3. PR.PT: Guidelines:

a. Applicable to all REs

i. API security

1. API security addresses vulnerabilities and misconfigurations in APIs and prevents their misuse. Thus, effective API security strategies shall be used while developing APIs.

2. Rate limiting and throttling shall be used to protect APIs from being overused or abused.

3. Proper access management, authentication and authorization shall be done to ensure that only desired entities have access to the APIs.

4. OWASP documentation for developing APIs shall be followed and OWASP top 10 API security risks shall be mitigated.

ii. Endpoint security

1. EPP and EDR solutions shall be implemented to provide active threat detection, detect attacks on endpoint devices, and to enable immediate response to incidents.

2. IPS shall be used to continuously monitor the organization’s network for malicious activity.

iii. Guidance on usage of Active Directory (AD) servers

1. All REs shall regularly review the Active Directory (AD) to locate and close existing backdoors such as compromised service accounts, which often have administrative privileges and are a potential target of attacks.

iv. Restricted use of removable media and electronic devices

1. Define and implement a policy for the restriction and secure use of removable media / BYOD including (but not limited to) laptops / mobile devices, servers, etc., and for secure erasure of data to ensure that no data is in recoverable form on such media after use.

b. Applicable to Specified REs and MIIs

ii. Guidelines for Application Security and Emerging Technologies

1. Specified REs and MIIs shall prepare SOPs for open source application security and emerging technologies like Generative AI security concerns.

3. DETECT

3.1. DA.CM: Security Continuous Monitoring

The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.

3.1.1. DA.CM: Objective:

a. The network and endpoints are monitored to detect potential cybersecurity events.

b. The physical environment is monitored to detect potential cybersecurity events.

c. Personnel activity is monitored to detect potential cybersecurity events.

d. Malicious code is detected.

e. Unauthorized mobile code is detected.

f. External service provider activity is monitored to detect potential cybersecurity events.

g. Monitoring for unauthorized personnel, connections, devices, and software is performed.

h. Vulnerability scans are performed.

3.1.2. DA.CM: Standard:

a. Security Operations Centre (SOC) shall be up and running 24*7*365 to monitor, prevent, detect, investigate, and respond to cyber threats round the clock.

b. Appropriate continuous security monitoring shall be established in SOC for the timely detection of anomalous or malicious activities.

c. Security audit, Vulnerability Assessment and Penetration Testing (VAPT) shall be conducted to detect open security vulnerabilities in IT environment.

d. Capacity utilization shall be monitored for all the critical assets in the organization.

3.1.3. DA.CM: Guidelines:

a. Applicable to all REs

i. Security Continuous Monitoring

1. REs shall establish appropriate security monitoring systems and processes to facilitate continuous monitoring of security events / alerts and timely detection of unauthorized or malicious activities, unauthorized changes, unauthorized access and unauthorized copying and transmission of data / information held in contractual or fiduciary capacity, by internal and external parties. The security logs of systems, applications and network devices exposed to the internet shall also be monitored for anomalies.

2. Suitable alerts shall be generated in the event of detection of unauthorized or abnormal system activities, transmission errors or unusual online transactions.

3. To enhance the security monitoring system, REs are mandated to employ SOC services for their systems. REs may choose any of the following models to use SOC services:

a. RE’s own SOC

b. Market SOC setup by MIIs

c. Any other 3rd party managed SOC

ii. Vulnerability Assessment and Penetration Testing (VAPT)

1. The periodicity, timeline for remedial actions, closure and report submission for VAPT activity by respective authorities has been provided in the ‘Framework compliance, Audit, Report submission, Timeline’ section.

2. REs shall regularly conduct security audits / Vulnerability Assessment and Penetration Tests (VAPT) in accordance with this consolidated CSCRF to detect security vulnerabilities in their IT environments. The assets for VAPT include (but are not limited to) all critical assets, infrastructure components (like networking systems, security devices, load balancers, servers, databases, applications, systems accessible through WAN, LAN as well as with public IPs, websites, etc.), and other IT systems pertaining to the activities done by REs, in order to detect security vulnerabilities in the IT environment and to provide an in-depth evaluation of the security posture of the system through simulations of actual attacks.

3. In addition, REs shall perform vulnerability scanning and conduct penetration testing prior to the commissioning of a new system which is a critical system or part of an existing critical system.

4. The REs which have been identified as CII by NCIIPC are mandated to send regular updates / closure status of the vulnerabilities found in their respective protected system to NCIIPC.

5. VAPT shall be comprehensive in nature and provide in-depth evaluation of the security posture of the REs. An indicative (but not exhaustive and limited to) VAPT scope has been attached as Annexure-K.

6. Revalidation of VAPT shall also be done to ensure that all the open vulnerabilities in the REs assets have been fixed and closed.

b. Applicable to specified REs and MIIs

i. Security Continuous Monitoring

1. To ensure high resilience, high availability and timely detection of attacks on systems and networks exposed to the internet, specified REs and MIIs shall implement suitable mechanisms to monitor capacity utilization of their critical systems and networks that are exposed to the internet.

c. Applicable to specified REs

i. Vulnerability Assessment and Penetration Testing (VAPT)

1. In case of vulnerabilities discovered in off-the-shelf products (used for core business) or applications provided by stock exchange empanelled vendors, specified REs shall report them to the vendors and the stock exchanges in a timely manner.

d. Applicable to MIIs

i. Security Continuous Monitoring

1. MIIs shall have a cybersecurity Operation Centre (C-SOC) that would be a 24*7*365 set-up manned by dedicated security analysts to identify, respond, recover and protect from cybersecurity incidents [30]. The C-SOC for MIIs shall function in accordance with SEBI circular CIR/MRD/CSC/148/2018 dated December 07, 2018, which has been attached as Annexure-L.

3.2. DA.DP: Detection Process

Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.

3.2.1. DA.DP: Objective:

a. Roles and responsibilities for detection are well defined to ensure accountability.

b. Detection activities comply with all applicable requirements.

c. Detection processes are tested.

d. Event detection information is communicated.

e. Detection processes are continuously improved.

3.2.2. DA.DP: Standard:

a. MIIs and Specified REs shall conduct goal-based adversarial simulation red teaming exercises on a periodic [31] basis to identify potential weaknesses in the organization’s cyber defence.

3.2.3. DA.DP: Guidelines:

a. Applicable to all REs

i. Functional efficacy of SOC

1. Functional efficacy of SOC of the REs shall be measured. Further, it is suggested to categorize SOC efficacy parameters into three categories (mandatory, desirable, good to have) for auditing SOC efficacy from governance perspective. A quantifiable method and an indicative (but not exhaustive and limited to) list of parameters for measuring SOC efficacy and parameters categorisation is attached as Annexure-M.

2. REs shall review the functional efficacy of SOC on a half-yearly basis.

b. Applicable to Specified REs and MIIs

i. MIIs and Specified REs shall deploy BAS, decoy and Vulnerability Management solutions to enhance their cybersecurity posture.

ii. Red Teaming exercise

1. MIIs and Specified REs shall conduct red teaming exercises as part of their cybersecurity framework on a half-yearly basis. To begin with, a coordinated red team exercise of MIIs can be conducted. A CART (continuous automated red teaming) solution shall be deployed for continuous and automated testing of the security of the system and to achieve greater visibility of attack surfaces.

4. RESPOND

4.1. RS.RP: Response Planning

Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.

4.1.1. RS.PL: Objective:

a. Response plan is executed during or after an incident.

b. Incidents are contained and mitigated. Further, newly identified vulnerabilities are mitigated or documented as accepted risks.

4.1.2. RS.PL: Standard:

a. A comprehensive response plan shall be documented with scenario-based Standard Operating Procedures (SOPs). Also, the response plan and execution of the specific SOP shall be triggered as soon as an incident occurs.

4.1.3. RS.PL: Guidelines

a. Applicable to all REs

i. Cyber Crisis Management Plan (CCMP)

1. All REs shall formulate an up-to-date Cyber Crisis Management Plan (CCMP).

2. The CCMP shall be approved by the Board of the respective RE.

ii. Incident Response Management

1. All REs shall put in place an Incident Response Management Plan.

2. For incidents, the following SOPs shall be put in place:

a. For self: Every RE shall have an SOP for cybersecurity incident response and recovery for itself.

b. REs under MII supervision: Every MII shall have an SOP for cybersecurity incident response and recovery for the REs under its supervision.

c. Cyber incident response to SEBI: The SOP to be followed for handling and classifying incidents in the securities market has been attached as Annexure-O.

iii. The response plan shall define responsibilities and actions to be performed by its employees and support / outsourced staff in the event of cyber-attacks or breach of cybersecurity mechanism.

4.2. RS.CO: Communication

Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies).

4.2.1. RS.CO: Objective:

a. Personnel know their roles and order of operations when a response is needed.

b. Incidents are reported consistent with established criteria.

c. Information is shared consistent with response plan.

d. Coordination with stakeholders occurs consistent with response plans.

e. Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.

4.2.2. RS.CO: Standard:

a. Incident reporting shall be done to SEBI and CERT-In as soon as an incident occurs. Further, all stakeholders shall coordinate in response to the cyber incident.

4.2.3. RS.CO: Guidelines:

a. Applicable to all REs

i. Cyber Threat Intelligence

1. REs shall share, in the SEBI CISO forum, threat intelligence data that is collected, processed, and analysed to gain insights into the motives of an attacker, the target, the attack pattern and the behaviour of the threat actor.

ii. All cyber-attacks, threats, cyber-incidents and breaches experienced by REs shall be reported to SEBI within 6 hours of noticing / detecting such incidents or being brought to notice about such incidents. This information shall be shared with SEBI through the Incident Report Portal of SEBI. Stock Brokers / Depository Participants shall also report the incidents to the Stock Exchanges / Depositories, along with SEBI, within 6 hours of notice of such incidents.

iii. The incident shall also be reported to the Indian Computer Emergency Response Team (CERT-In) in accordance with the guidelines / directions issued by CERT-In from time to time. Additionally, the REs whose systems have been identified as a “Protected system” by the National Critical Information Infrastructure Protection Centre (NCIIPC) shall also report the incident to NCIIPC. The quarterly reports containing information on cyber-attacks, threats, cyber-incidents and breaches experienced by REs and measures taken to mitigate vulnerabilities, threats and attacks, including information on bugs / vulnerabilities and threats that may be useful for other REs and SEBI, shall be submitted to SEBI within 15 days from the quarter ended June, September, December and March of every year.

iv. Such details as are felt useful for sharing with other REs and MIIs shall be shared in a masked manner using a mechanism to be specified by SEBI from time to time. While sharing sensitive information, TLP (Traffic Light Protocol) shall be followed with four levels of sensitivity: white, green, amber, or red.

v. REs shall provide regular reports on the progress of the incident analysis.

b. Applicable to specified REs and MIIs

i. The Oversight SCOT of the stock exchanges and of the clearing corporations, the IT Strategy Committee of the depositories, and the internal Technology Committee of rest of the REs shall hold a meeting to discuss response plans, coordination with stakeholders for consistency in response actions, and information sharing for better awareness.

ii. If the cyber-attack is of high impact and involved a broad breach, then the RE has to issue a press release giving a brief of the incident, the actions taken to recover, and the status of resumption of normal operations (once achieved).

iii. If the cyber-attack is of low impact and involved a narrow breach, then the RE has to inform all the affected customers / stakeholders.

4.3. RS.AN: Analysis

Analysis is conducted to ensure effective response and support recovery activities.

4.3.1. RS.AN: Objective:

a. Notifications from detection systems are investigated.

b. The impact of the incident is understood.

c. Forensics are performed.

d. Incidents are categorized consistent with response plans.

e. Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers).

4.3.2. RS.AN: Standard:

a. Detailed forensics and investigation of alerts and incidents shall be done to prevent any recurrence of such incidents.

b. RCA shall be done to determine the root cause of attacks / incidents and to further enhance the security posture to mitigate such attacks / incidents in future.

4.3.3. RS.AN: Guidelines:

a. Applicable to all REs

i. Alerts generated from monitoring and detection systems shall be suitably investigated in order to determine the activities to be performed to prevent the spread of such an incident of cyber-attack or breach, mitigate its effect and eradicate the incident.

ii. Data collection: REs shall collect and preserve data related to the incident, such as system logs, network traffic and forensic images of affected systems.

iii. Incident Analysis: Analyse the data to understand the scope, cause, and impact of the incident, including how the incident occurred, what systems and data were affected, and who was responsible.

iv. Evidence Preservation: Preserve evidence related to the incident, including digital artefacts, network captures, and memory dumps, in a secure and forensically sound manner.

v. Root Cause Analysis: Perform a root cause analysis (RCA) to identify the specific control that has failed, underlying cause of the incident and to identify potential areas of improvement.

vi. Forensic: Forensic analysis as per SEBI directions/SOP.

vii. Any incident of loss or destruction of data or systems shall be thoroughly analysed and lessons learned from such incidents shall be incorporated to strengthen the security mechanism and improve recovery planning and processes.

viii. Reporting: Create a detailed incident report that includes information on the scope, cause, and impact of the incident, as well as recommendations for improving incident response and recovery capabilities.

4.4. RS.IM: Improvements

Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

4.4.1. RS.IM: Objective:

a. Response plans are updated by incorporating lessons learned.

4.4.2. RS.IM: Standard:

a. Incorporate lessons learned from incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly.

b. Communicate response plan changes to organization designated key personnel.

4.4.3. RS.IM: Guidelines:

a. Applicable to all REs

i. REs shall review bi-annually and update their response plan to strengthen their capability in the event of a future incident / attack.

5. RECOVERY

5.1. RC.PL: Recovery Planning

Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents. Recovery planning and processes are improved by incorporating lessons learned into future activities.

5.1.1. RC.PL: Objective:

a. Recovery plan is executed during or after a cybersecurity incident.

b. Recovery plans incorporate lessons learned.

c. Recovery strategies are updated.

5.1.2. RC.PL: Standard:

a. The recovery plan of REs shall have scenario-based classifications.

b. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) shall be mandated as specified by SEBI while executing the recovery plan.

c. Drills for testing different recovery scenarios shall be conducted periodically [32].

5.1.3. RC.PL: Guidelines:

a. Applicable to all REs

i. The response and recovery plan of the REs shall have plans for the timely restoration of systems affected by incidents of cyber-attacks or breaches, for instance, offering alternate services or systems to Customers.

ii. In the event of disruption of any one or more of the ‘Critical Systems’, the RE shall, within 30 minutes of the incident, declare that incident as a ‘Disaster’. Accordingly, the RTO shall be two (2) hours as recommended by IOSCO [33]. The RPO shall be 15 minutes for all REs. The recovery plan shall be scenario-based and in line with the RTO and RPO specified. All REs shall comply with the mandated RTO and RPO for different scenarios attached as Annexure-D.

iii. An indicative (but not exhaustive and limited to) recovery plan to be followed by the REs has been attached as Annexure-P.

iv. All REs shall also conduct suitable periodic drills to test the adequacy and effectiveness of the aforementioned response and recovery plan.
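The drills in item iv produce a timeline per scenario that has to be scored against the figures in item ii (declaration within 30 minutes, RTO of 2 hours, RPO of 15 minutes); the evaluator below is an added example, not the framework's own tooling, and it assumes RTO is measured from the start of the disruption, RPO as the gap between the disruption and the newest consistent recoverable data point, and that scenario-specific limits from Annexure-D can be passed in place of the defaults. The drill records are constructed.

```python
"""Score recovery drill records against the CSCRF declaration deadline, RTO and RPO.
Added example for guidelines 5.1.3.a.ii and iv; measurement conventions are
assumptions and the drill log below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

DECLARE_WITHIN = timedelta(minutes=30)  # disaster must be declared within this time
RTO = timedelta(hours=2)                # Recovery Time Objective for all REs
RPO = timedelta(minutes=15)             # Recovery Point Objective for all REs


@dataclass(frozen=True)
class DrillRecord:
    scenario: str
    disrupted_at: datetime
    declared_at: Optional[datetime]      # None: disaster was never declared
    restored_at: Optional[datetime]      # None: service not restored during the drill
    last_consistent_data_at: datetime    # newest point the data can be recovered to


@dataclass(frozen=True)
class DrillResult:
    scenario: str
    passed: bool
    failures: Tuple[str, ...]


def _minutes(delta: timedelta) -> int:
    return int(delta.total_seconds() // 60)


def evaluate(rec: DrillRecord, declare_within: timedelta = DECLARE_WITHIN,
             rto: timedelta = RTO, rpo: timedelta = RPO) -> DrillResult:
    """Check one drill; limits default to the all-RE figures, override per scenario."""
    failures = []
    if rec.declared_at is None:
        failures.append("disaster never declared")
    elif rec.declared_at - rec.disrupted_at > declare_within:
        failures.append(f"disaster declared {_minutes(rec.declared_at - rec.disrupted_at)} min "
                        f"after disruption (limit {_minutes(declare_within)} min)")
    if rec.restored_at is None:
        failures.append("service not restored")
    elif rec.restored_at - rec.disrupted_at > rto:
        failures.append(f"restored {_minutes(rec.restored_at - rec.disrupted_at)} min "
                        f"after disruption (RTO {_minutes(rto)} min)")
    data_loss = rec.disrupted_at - rec.last_consistent_data_at  # assumed RPO measure
    if data_loss > rpo:
        failures.append(f"recoverable data point {_minutes(data_loss)} min behind disruption "
                        f"(RPO {_minutes(rpo)} min)")
    return DrillResult(rec.scenario, not failures, tuple(failures))


def evaluate_all(records) -> list:
    return [evaluate(r) for r in records]


def _t(hh_mm: str) -> datetime:
    # Constructed drill day; only the time of day matters for the checks.
    return datetime.fromisoformat(f"2024-07-15T{hh_mm}:00")


# Constructed drill log: one scenario within limits, one that misses all three
# figures, one restored in time but never declared a disaster.
SAMPLE_DRILLS = [
    DrillRecord("PDC power loss, failover to DR site",
                disrupted_at=_t("10:00"), declared_at=_t("10:12"),
                restored_at=_t("11:30"), last_consistent_data_at=_t("09:58")),
    DrillRecord("Ransomware on back-office database",
                disrupted_at=_t("14:00"), declared_at=_t("14:45"),
                restored_at=_t("17:10"), last_consistent_data_at=_t("13:20")),
    DrillRecord("Trading gateway outage, no declaration made",
                disrupted_at=_t("09:15"), declared_at=None,
                restored_at=_t("10:40"), last_consistent_data_at=_t("09:10")),
]

if __name__ == "__main__":
    for result in evaluate_all(SAMPLE_DRILLS):
        print(f"{'PASS' if result.passed else 'FAIL'}: {result.scenario}")
        for reason in result.failures:
            print(f"    - {reason}")
```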

5.2. RC.CO: Communications

Restoration activities are coordinated with internal and external parties (e.g. coordinating centres, Internet Service Providers, victims, other CSIRTs, and third-party service providers).

5.2.1. RC.CO: Objective:

a. Public relations are managed.

b. Reputation is repaired after an incident.

c. Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.

5.2.2. RC.CO: Standard:

a. Actions taken during recovery process shall be informed to all related stakeholders.

5.2.3. RC.CO: Guidelines:

a. Applicable to all REs

i. Recovery plans shall be discussed within Oversight SCOT of the stock exchanges and of the clearing corporations, the IT Strategy Committee of the depositories, and the internal Technology Committee of rest of the REs. This plan shall include stakeholders’ coordination in recovery process, and both internal and external communication.

Notes:-

1 Refer NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information System and Organizations https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

2 Refer Definitions section for the specified REs criteria.

3 Refer Definitions section for the MIIs definition.

4 Refer Framework Compliance section.

5 Refer Securities Contracts (Regulation) Act 1956, SEBI Act 1992, and Depository Act 1996.

6 Refer NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information System and Organizations https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

7 Refer NIST SP 800-30 Rev. 1: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

8 Refer Risk-rating methodology: https://owasp.org/www-community/OWASP_Risk_Rating_Methodology

9 Refer NIST SP 800-30 Rev. 1: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

10 Unless otherwise specified, all certifications / audits mentioned in consolidated CSCRF have to be conducted by CERT-In empanelled auditor.

11 Unless otherwise specified, all certifications / audits mentioned in consolidated CSCRF have to be conducted by CERT-In empanelled auditor.

12 Cybersecurity Framework’s five functions defined by NIST: https://www.nist.gov/cyberframework/online-learning/five-functions

13 Refer Definitions section for the Risk definition.

14 Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.

15 Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.

16 Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.

17 Refer SEBI Circulars SMD/POLICY/Cir-2/98 dated January 14, 1998 and CIR/MRD/DSA/33/2012 dated December 13, 2012.

18 Refer SEBI CIR/MRD/DMS/ 03 /2014 dated January 21, 2014.

19 Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.

20 Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.

21 Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.

22 Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.

23 Refer SEBI CIR/MIRSD/24/2011 dated December 15, 2011.

24 Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.

25 Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.

26 Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.

27 Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.

28 Refer SEBI/HO/ITD/ID_VAPT/P/CIR/2023/033 dated March 06, 2023.

29 Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.

30 Refer SEBI circular CIR/MRD/CSC/148/2018 dated December 07, 2018.

31 Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.

32 Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.

33 Refer https://www.bis.org/cpmi/publ/d146.pdf.
