Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)

....e Institutions (MIIs) in 2015. Subsequently, SEBI had issued other Cybersecurity and Cyber Resilience frameworks in line with the MIIs circular of 2015 for the following REs:
1.1. Stock Brokers and Depository Participants
1.2. Mutual Funds (MFs)/ Asset Management Companies (AMCs)
1.3. KYC Registration Agencies (KRAs)
1.4. Qualified Registrar to an Issue and Share Transfer Agents (QRTAs)
1.5. Portfolio Managers
2. Further, SEBI has also issued various advisories to REs, from time to time, on cybersecurity best practices.
3. In order to strengthen the cybersecurity measures in the Indian securities market, and to ensure adequate cyber resiliency against cybersecurity incidents/ attacks, the Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI REs has been formulated in consultation with the stakeholders. The CSCRF aims to provide standards and guidelines for strengthening cyber resilience and maintaining robust cybersecurity of SEBI REs. This framework shall supersede existing SEBI cybersecurity circulars/ guidelines/ advisories/ letters (the list of such superseded circulars/ guidelines/ advisories/ letters is given as part of the framework attached as Annexure-1).
Objective: ....

....OC) and measuring its efficacy, Software Bill of Materials (SBOM), etc.
10. CSCRF aims to ensure that even smaller REs are equipped with adequate cybersecurity measures and achieve resiliency against cybersecurity incidents/ attacks.
11. The Cyber Capability Index (CCI) for MIIs and Qualified REs shall help these REs to monitor and assess their progress and cyber resilience on a periodic basis.
12. CSCRF mandates that all REs are required to establish appropriate security monitoring mechanisms through a Security Operation Centre (SOC). The onboarding of the SOC can be done through the RE's own/ group SOC, the Market SOC or any other third-party managed SOC, for continuous monitoring of security events and timely detection of anomalous activities.
13. Compliance with the cybersecurity guidelines may be onerous for smaller REs due to the lack of knowledge and expertise in cybersecurity and the cost involved in setting up their own SOC. Therefore, CSCRF mandates NSE and BSE to set up a Market SOC (M-SOC) with the objective of providing cybersecurity solutions to such categories of REs.
14. CSCRF contains provisions with respect to various areas such as requirements of IT services, Software....

.... The circular is issued with the approval of the Competent Authority.
23. This circular is available on the SEBI website at www.sebi.gov.in under the category "Legal" and the drop-down "Circulars".
Yours Faithfully,
Shweta Banerjee
Deputy General Manager
Phone: 022-26449509
Email: [email protected]

Annexure-1
Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)
Version 1.0
Date: August 20, 2024
Securities and Exchange Board of India
Plot no. C4-A, G Block, Bandra Kurla Complex, Bandra (East), Mumbai – 400051, India
Tel.: +91-22-26449000/40459000
Website: www.sebi.gov.in

Executive Summary
The Information Technology Act, 2000 defines Cybersecurity as "Protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction". Technology has been a driving force in shaping the securities market, enabling greater efficiency, accessibility, and affordability. However, with swift technological advancements, prote....

....REs as applicable.
iii. Part III: Structured formats for compliance
iv. Part IV: Annexures and References
For ease of compliance, REs are required to comply with all applicable standards and mandatory guidelines as mentioned in CSCRF.

The Structure of CSCRF
The framework is broadly based on two approaches: cybersecurity and cyber resilience. The cybersecurity approach covers various aspects from governance measures to operational controls, and the cyber resilience goals include Anticipate, Withstand, Contain, Recover, and Evolve. The framework also specifies guidelines to ensure standards are implemented in a uniform manner. The summary of the CSCRF is as follows:
i. Cyber Resilience Goal: Anticipate | Cybersecurity function: Governance
a. REs shall establish, communicate and enforce cybersecurity risk management roles, responsibilities, and authorities to foster accountability and continuous improvement.
b. A comprehensive cybersecurity and cyber resilience policy shall be documented and implemented with the approval of the Board/ Partners/ Proprietor.
c. CSCRF mandates MIIs, Qualified REs, and mid-size REs to prepare a cyber risk management framework for identification and analysis,....

..... f. Vulnerability Assessment and Penetration Testing (VAPT) shall be done to detect vulnerabilities in the IT environment for all critical systems, infrastructure components and other IT systems as defined in the framework. To undertake this activity, a comprehensive VAPT scope has also been specified.
g. Application Programming Interface (API) security and endpoint security solutions shall be implemented with rate limiting, throttling, and proper authentication and authorisation mechanisms.
h. ISO 27001 certification: ISO 27001 certification shall be mandatory for MIIs and Qualified REs as it provides essential security standards with respect to the Information Security Management System (ISMS).
Footnote 2: Quantum computing is a rapidly emerging technology that exploits the laws of quantum mechanics to solve complex problems. Post-quantum cryptography solutions can avert post-quantum risks and provide protection against quantum attacks.
Footnote 3: With all relevant fields including verbosity and relevancy.
iv. Cyber Resilience Goal: Anticipate | Cybersecurity function: Detect
a. REs shall establish appropriate security mechanisms through a Security Operations Centre (SOC)....

....framework as per the stated periodicity. A glide-path has been given to REs to comply with the CSCRF standards and mandatory guidelines. Since new standards and controls have been added in CSCRF, a glide-path for adoption of CSCRF provisions has been provided as under:
a. For the six categories of REs where a cybersecurity and cyber resilience circular already exists - by January 01, 2025.
b. For other REs where CSCRF is being issued for the first time - by April 01, 2025.
Further, to ensure uniformity in auditing REs w.r.t. CSCRF, an auditors' checklist and guidelines have been included in this framework.

Future proofing of CSCRF
It is envisaged that quantum computing may be a reality in the near future and that it may be able to break the encryption schemes widely used today. Thus, quantum computing may evolve into one of the biggest cybersecurity threats and it may potentially expose financial systems to cyber-attacks. While it is still uncertain when quantum technology would be adopted on a large scale, its potential as a cyber threat to the securities market ecosystem is already a matter of concern. The CSCRF has provisions to address 'harvest now - decrypt later' attacks through co....

.... Compliance ...... 133
Annexure-A: VAPT Report Format ...... 133
Annexure-B: Cyber Audit Report Format ...... 142
Annexure-C: Recovery Plan Template (Reference Guide) ...... 150
Part IV: CSCRF Annexures and References ...... 152
Annexure-D: Audit Guidelines ...... 152
Annexure-E: Scenario-based Cyber Resilience Testing ...... 155
Annexure-F: Guidelines on Outsourcing of Activities ...... 158
Annexure-G: Application Authentication Security ...... 159
Annexure-H: Data Security on Customer Facing Applications ...... 160
Annexure-I: Data Transport Security ...... 161
Annexure-J: Framework for Adoption of Cloud Services ...... 162
Annexure-K: Cyber Capability Index (CCI) ...... 163
Annexure-L: VAPT Scope ...... 188
Annexure-M: Cyber-SOC Framework for MIIs ...... 189
Annexure-N: Functional Efficacy of SOC ...... 190
Annexure-O: Classification and Handling of Cybersecurity Incidents ...... 198
Annexure-P: Reporting Format for Self-certification REs ...... 205

Abbreviations
SN. Abbreviation - Explanation/Expansion
1. ACL - Access Control List
2. AIF - Alternative Investment Fund
3. AMC - Asset Management Company
4. API - Application Programming Interface
5. ASVS - Application Security Verification Standard
6. AUC - Asset Under Custody
7. AUM - Asset Unde....

....ity Verification Standard; Managing Director; Ministry of Electronic and Information Technology; Multi-Factor Authentication
71. MII - Market Infrastructure Institution
72. MTTC - Mean Time to Contain
73. MTTD - Mean Time to Detect
74. MTTR - Mean Time to Respond
75. NCIIPC - National Critical Information Infrastructure Protection Centre
76. NDR - Near Disaster Recovery
77. NEAT - National Exchange for Automated Trading
78. NIST - National Institute of Standards and Technology
79. NSE - National Stock Exchange
80. OS - Operating System
81. OT - Operational Technology
82. OTP - One Time Password
83. OWASP - Open Web Application Security Project
84. PaaS - Platform as a Service
85. PDC - Primary Data Centre
86. PII - Personal Identifiable Information
87. PIM - Privileged Identity Management
88. POLP - Principle of Least Privilege
89. PQC - Post Quantum Cryptography
90. QA - Quality Assurance
91. QKD - Quantum Key Distribution
92. QRTA - Qualified Registrar to an Issue and Share Transfer Agent
93. RAT - Remote Access Trojan
94. RBA - Risk Based Authentication
95. RBI - Reserve Bank of India
96. RCA - Root Cause Analysis
97. RDP - Remote Desktop Protocol
98. RE - Reg....
99. RPO - ....

.... calculated based on certain parameters as specified in this framework. The purpose of CCI is to ascertain the cyber resilience capabilities of MIIs and Qualified REs and their maturity in terms of implementation of cybersecurity measures.
4. Cyber Event - Any observable occurrence in an information system. Cyber events sometimes provide an indication that a cybersecurity incident is occurring. - FSB Cyber Lexicon
5. Cyber Resilience - The ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing, and rapidly recovering from cyber incidents. - FSB Cyber Lexicon
6. Cyber Threat - A circumstance with the potential to exploit one or more vulnerabilities that adversely affects cybersecurity. - FSB Cyber Lexicon [9]
7. Cybersecurity Incident (Incident) - Any real or suspected adverse event in relation to cybersecurity that violates an explicitly or implic....
Footnotes 6, 7, 8: https://www.fsb.org/wp-content/uploads/P130423-3.pdf

....ps organizations become risk-aware, proactively identify and address weaknesses, and promote a holistic approach to information security.
10. IT and Cybersecurity Data - IT and Cybersecurity Data includes the following data (but is not limited to):
a. Logs and metadata related to IT systems and their operations. However, such data should not contain the following:
i. Any Regulatory Data, and
ii. Sensitive data such as internal network architecture, vulnerability details, details of admin/ privileged users of REs, password hashes, system configuration, etc.
b. Further, it should not ordinarily be possible to generate Regulatory Data from IT and Cybersecurity Data.
11. Major Change/ Major Release - CSCRF has mandated VAPT after every major release. The following changes (including but not limited to) are broadly considered as major release(s) or major change(s):
a. Implementation of a new SEBI circular.
b. Changes in core versions of software (e.g., .NET, SQL, Oracle, Java, etc.).
c. Any changes in the policy of login and/ or password management.
d. Significant system modifications that alter how data is exchanged with stock exchanges (e.g., file format changes, message protocol changes, etc.).
e....

....y Data shall be stored in an easily accessible, legible and usable form, within the legal boundaries of India. However, for investors whose country of incorporation is outside India, the REs shall keep the data available and easily accessible, in legible and usable form, within the legal boundaries of India. Further, if the copy retained within India is not in a readable format, the REs must maintain an application/ system to read/ analyse the saved data.
17. Risk - As defined by OWASP [13], Risk = Likelihood × Impact; where Likelihood = Threat × Vulnerabilities. Likelihood is a measure of how likely a vulnerability is to be discovered and exploited by an attacker. Impact is the magnitude of harm that can be expected to result from the consequences of threat exploitation.
Footnote 12: Entities within SEBI's purview; refer to the Securities Contracts (Regulation) Act 1956, SEBI Act 1992, and Depositories Act 1996.
Footnote 13: Refer to the Risk-rating methodology: https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
18. Risk-based Authentication (RBA) - Risk-based authentication is a non-static authentication mechanism that takes into account the profile of t....
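The OWASP methodology cited in definition 17 is more than the one-line formula: likelihood is the average of eight threat-agent and vulnerability factors scored 0-9, impact is the average of four technical or business impact factors, each average is bucketed into LOW/MEDIUM/HIGH, and the two bands are combined through a severity matrix into the NOTE/LOW/MEDIUM/HIGH/CRITICAL rating that VAPT and cyber audit reports carry as C/H/M/L. The following is an added example, not code from the CSCRF or from OWASP; it implements that methodology as published at the URL in footnote 13, and the finding it scores (an internet-facing order API with no rate limiting) is constructed for illustration.

```python
"""OWASP Risk Rating Methodology worked through in code.

Added example, not part of the CSCRF or of OWASP's own material. Factor
names, 0-9 scales, LOW/MEDIUM/HIGH bands and the severity matrix follow
the OWASP Risk Rating Methodology; the sample finding is constructed.
"""
from statistics import mean

# Likelihood factors (OWASP): four threat-agent factors, four vulnerability
# factors. Each is scored 0-9; higher means exploitation is more likely.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                       # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
# Impact factors (OWASP): technical impact, or business impact when known.
TECHNICAL_IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)
BUSINESS_IMPACT_FACTORS = (
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# OWASP severity matrix, indexed by (likelihood band, impact band).
SEVERITY = {
    ("LOW", "LOW"): "NOTE",      ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",    ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM",   ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}


def band(score: float) -> str:
    """OWASP bands for an averaged 0-9 score: <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0-9 scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average_factors(scores: dict, names: tuple) -> float:
    """Average the named factors, refusing missing or out-of-range values."""
    missing = [n for n in names if n not in scores]
    if missing:
        raise KeyError(f"missing factor scores: {missing}")
    for n in names:
        if not 0 <= scores[n] <= 9:
            raise ValueError(f"factor {n}={scores[n]} is outside the 0-9 scale")
    return mean(scores[n] for n in names)


def rate(likelihood: dict, impact: dict, use_business_impact: bool = True) -> dict:
    """Return likelihood and impact scores, their bands and the overall severity.

    OWASP uses the business impact factors when that information is available
    and falls back to the technical impact factors otherwise.
    """
    names = BUSINESS_IMPACT_FACTORS if use_business_impact else TECHNICAL_IMPACT_FACTORS
    l_score = average_factors(likelihood, LIKELIHOOD_FACTORS)
    i_score = average_factors(impact, names)
    l_band, i_band = band(l_score), band(i_score)
    return {
        "likelihood": l_score, "likelihood_band": l_band,
        "impact": i_score, "impact_band": i_band,
        "severity": SEVERITY[(l_band, i_band)],
    }


# Constructed finding for illustration (not a real observation): an
# internet-facing order API with no rate limiting. Scores follow the OWASP
# option descriptions for each factor.
SAMPLE_LIKELIHOOD = {
    "skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9,
    "intrusion_detection": 8,   # "logged without review"
}
SAMPLE_IMPACT = {
    # technical
    "loss_of_confidentiality": 2, "loss_of_integrity": 5,
    "loss_of_availability": 7, "loss_of_accountability": 7,
    # business
    "financial_damage": 7, "reputation_damage": 5,
    "non_compliance": 7, "privacy_violation": 5,
}

if __name__ == "__main__":
    for business in (True, False):
        r = rate(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT, use_business_impact=business)
        print("business impact" if business else "technical impact", r)
```

Two things worth noticing when running it against the sample: the same likelihood (7.75, HIGH) lands as CRITICAL when scored on business impact but only HIGH on technical impact, which is why OWASP prefers the business figures whenever the RE can supply them, and why the rationale for the impact choice belongs in the VAPT report alongside the rating. The averaging also means a single 9 in one factor cannot by itself push a finding into a higher band; the auditor's severity comes from the whole profile, not from one alarming attribute.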

.... successful execution of an attack by an adversary.
CONTAIN - Localize containment of a crisis and isolate trusted systems from untrusted systems to continue essential business operations in the event of cyber-attacks.
RECOVER - Restore mission/ business functions to the maximum extent possible, subsequent to successful execution of an attack by an adversary.
EVOLVE - To change mission/ business functions and/or the supporting cyber capabilities, so as to minimize adverse impacts from actual or predicted adversary attacks.
The cyber resiliency goals have been mapped to cybersecurity functions in CSCRF. The framework is broadly based on two approaches: cybersecurity and cyber resilience. The cybersecurity approach covers various aspects from governance to operational controls (including Identify, Detect, Protect, Respond, and Recover) and the cyber resilience goals include Anticipate, Withstand, Contain, Recover, and Evolve.
[Figure: mapping of cyber resilience goals (Anticipate, Withstand & Contain, Recover, Evolve) to cybersecurity functions (Identify, Protect, Detect, Respond, Recover). The Anticipate row reads "Identify and analyze possible cybersecurity attacks and compromises"; the next row begins "Targeted actions, processes and procedures ...."]

....ing issued for the first time - by April 01, 2025. Accordingly, the following SEBI circulars/ guidelines/ letters/ advisories shall be deprecated as per the above-mentioned timelines.
Table 1: List of SEBI cybersecurity circulars to be superseded by CSCRF (S. No. | Regulated Entity | Circular Subject (Circular Number) | Date of issuance)
1. MIIs
- Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporation and Depositories (CIR/MRD/DP/13/2015) - July 06, 2015
- Modification in Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporations and Depositories (SEBI/HO/MRD1/MRD1_DTCS/P/CIR/2022/68) - May 20, 2022
- Modification in Cyber Security and Cyber Resilience framework for Stock Exchanges, Clearing Corporations and Depositories (SEBI/HO/MRD/TPD/P/CIR/2023/147)
- Guidelines for MIIs regarding Cyber Security and Cyber Resilience (SEBI/HO/MRD/TPD/P/CIR/2023/146)
2. Stock Brokers / Depository Participants
- Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants (SEBI/HO/MIRSD/CIR/PB/2018/147....
3. Asset Management Companies (AMCs)
4. ....

.... framework for Portfolio Managers (SEBI/HO/IMD/IMD-POD-1/P/CIR/2023/046)
- Advisory for SEBI Regulated Entities (REs) regarding Cybersecurity best practices (SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/032)
- Cyber Security Operations Center for SEBI registered intermediaries (CIR/MRD/CSC/151/2018)
Date of issuance column for this part of Table 1: May 30, 2022; July 05, 2022; September 08, 2017; October 15, 2019; May 27, 2022; July 06, 2022; March 29, 2023; February 22, 2023; December 14, 2018
.... Derivatives Exchanges and their Clearing Corporations)
Table 2: List of SEBI cybersecurity letters/ advisories to be superseded by CSCRF (S. No. | Entity to which letter is issued | Subject (Letter Number) | Date of issuance)
1. National Stock Exchange of India Ltd. - Submission of Cyber Audit Report (SEBI/HO/ITD/ITD_INSADT_D/P/OW/2022/0000063905/1) - December 26, 2022
2. Bombay Stock Exchange of India - Submission of Cyber Audit Report (SEBI/HO/ITD/ITD_INSADT_D/P/OW/2022/0000063956/1) - December 26, 2022
3. Central Depository Services Ltd. - Submission of Cyber Audit Report (SEBI/HO/ITD/ITD_INSADT_D/P/OW/2022/0000063....

....19/28528/1)
16. Bombay Stock Exchange of India - Implementation of Cyber Capability Index (SEBI/HO/MRD/CSC/OW/P/2019/28516/1) - October 30, 2019
17. Central Depository Services Ltd. - Implementation of Cyber Capability Index (SEBI/HO/MRD/CSC/OW/P/2019/28517/1) - October 30, 2019
18. Indian Clearing Corporation Ltd.
19. Metropolitan Stock Exchange of India Ltd.
20. Metropolitan Clearing Corporation of India Ltd.
21. NSE Clearing Limited
22. National Securities Depositories Ltd.
Rows 18 to 22: Implementation of Cyber Capability Index - October 30, 2019; letter numbers SEBI/HO/MRD/CSC/OW/P/2019/28523/1, .../28524/1, .../28525/1, .../28526/1 and .../28527/1

2. Thresholds for REs' categorization
The applicability of various standards and guidelines of CSCRF is based on different categories of REs. CSCRF follows a graded approach and class....

....and Lakh crores above but less than Rs. 10 Lakh crores | Rs. 10 Lakh crores and above
7. Debenture Trustee (DT): DTs which have not added any new issuer of listed debt security as a client in the last three financial years shall be excluded from submission of compliance with CSCRF. Remaining DTs shall be under the Self-certification REs category.
8. Depository Participants (DPs)
Table 6: Criteria and thresholds for DPs categorization
Sr. No. 1 - Criteria: Type of DP - Small-size REs: N.A. - Mid-size REs: Non-institutional DP - Qualified REs: Institutional DP
9. Designated Depository Participants (DDPs): To get approval as a DDP, an entity, inter alia, is required to have a valid SEBI registration as a Depository Participant (DP) as well as a Custodian. Therefore, the categorization of the highest category among DPs and Custodians sha....
Footnote 14: As per SEBI circular SEBI/HO/MIRSD/MIRSD-POD-1/P/CIR/2023/24 dated February 06, 2023, enhanced obligations and responsibilities have been cast upon Qualified Stock Brokers (QSBs), defined based on their size of operations, trading volumes, amount of client funds handled by them, etc. Hence, such QSBs shall be categorized as Qualified REs.

....ble above. Small-size REs
a. Wherever the MB is a listed entity, the compliance requirement shall also be intimated to Stock Exchanges.
16. Mutual Funds (MFs)/ Asset Management Companies (AMCs)
Table 10: Criteria and thresholds for MFs/ AMCs categorization
Sr. No. 1 - Criteria: AUM - Small-size REs: Less than Rs. 10,000 crores - Mid-size REs: Rs. 10,000 crores and above but less than Rs. 1 lakh crore - Qualified REs: Rs. 1 lakh crore and above
17. Portfolio Managers
Table 11: Criteria and thresholds for Portfolio Managers categorization
Sr. No. 1 - Criteria: AUM - Self-certification REs: Less than Rs. 1000 crores - Small-size REs: Rs. 1000 crores and above but less than Rs. 3000 crores - Mid-size REs: Rs. 3000 crores and above - Qualified REs: N.A.
18. Qualified Depository Participants (QDPs): QDPs shall be excluded from CSCRF compliance.
19. Real Estate Investment Trust (REIT)/ Infrastructure Investment Trust (InvIT): REITs/ InvITs shall be excluded from submission of compliance with CSCRF.
20. Registrar to an Issue and Share Transfer Agents (RTA)
Table 12: Criteria and thresholds for RTA categorization (Sr. No. | Criteria | Small-size REs | Mid-size REs | Qualified REs | MIIs)
1. S....

.... expert on cybersecurity. For common reference in CSCRF, all the above-mentioned committees (SCOT, Technology Committee, and IT Committee) shall be termed as 'IT Committee for REs'.
3.4. While it is not mandatory for Small-size REs and Self-certification REs to set up an IT Committee for REs, it is desirable to include an IT expert in decision-making given the ever-expanding role of IT in the securities market. In the absence of an IT Committee for REs at Small-size REs and Self-certification REs, compliance with CSCRF shall be reviewed and approved by the MD/ CEO/ Board member/ Partners/ Proprietor.
3.5. The brief Terms of Reference (ToRs) [15] of the IT Committee for REs with respect to CSCRF shall be as follows:
i. The committee shall undertake periodic reviews of the implementation of the cybersecurity and cyber resilience policy of the RE.
ii. The committee shall also perform periodic reviews of cybersecurity incidents (if any), their impact, RCA and plans to strengthen cyber resilience in order to mitigate re-occurrence of such incidents in future.
iii. The committee shall deliberate on the matters which may be referred by the Board/ Partners/ Proprietor of t....

....Cybersecurity training program (PR.AT.S1) - All REs: Annually
10. Review of RE's systems managed by third-party service providers (GV.SC.S4) - MIIs and Qualified REs: Half-yearly; Other REs: Annually
11. Functional Efficacy of SOC (DE.CM.S1 - Guideline 4) - MIIs and Qualified REs: Half-yearly; Other REs who are utilizing third-party managed SOC or Market SOC services: Annually
12. Red Teaming exercise (DE.DP.S4) - MIIs and Qualified REs: Half-yearly
13. Threat hunting (DE.DP.S5) - MIIs and Qualified REs: Quarterly
14. Cybersecurity scenario-based drill exercise for testing adequacy and effectiveness of recovery plan (RC.RP.S3) - MIIs and Qualified REs: Half-yearly; Other REs: Annually
15. Review periodically and update their contingency plan, continuity of operations plan (COOP) (RS.MA.S3) - MIIs and Qualified REs: Half-yearly; Mid-size and Small-size REs: Annually
16. Evaluation of cyber resilience posture (EV.ST.S5) - Mid-size and Small-size REs: Annually
Note: During cyber audit, auditors shall also validate the adherence to the above-mentioned periodicities.
4.2. ISO Audit and Certification
4.2.1. It is mandated (as per standard PR.IP.S16) that MIIs and Qualified REs shall obtain ISO 27001 (latest version....

....oval from the respective IT Committee for REs, within one (1) month of completion of the VAPT activity.
Closure of findings - Within 3 months of submission of the VAPT report. A graded approach (based on the criticality of observations) shall be followed for closure of the observations found during VAPT.
Revalidation of VAPT - Shall be completed within 5 months of completion of VAPT.
4.3.4. The closure of vulnerabilities shall be regularly tracked by the IT Committee for REs. Additionally, any vulnerabilities still open 3 months after the VAPT activity shall be approved by the IT Committee for REs and shall be closed before the start of the next VAPT exercise. REs are also expected to maintain a risk register which shall be reviewed by the IT Committee for REs.
4.3.5. The report of the revalidation of the VAPT exercise, and open observations, must be placed before the respective IT Committee for REs for their confirmation and appropriate directions.
Box Item 2: Categorisation of open observations w.r.t. VAPT and cyber audit
All open observations after the follow-on audit of the cyber audit and/ or VAPT shall be appropriately categorised (indicative categories are mentioned below). These open observations are to be placed before the IT Committee for REs and shall ....

....ws:
Table 21: Cyber audit periodicity for REs (Sr. No. | Regulated Entity | Periodicity [17])
1. MIIs, Qualified REs - ....
2. Mid-size REs and Small-size REs who are providing IBT or Algo trading facility - At least twice in a year
3. Rest of the REs - At least once in a year
Footnote 17: Unless otherwise specified, all certifications/ audits mentioned in CSCRF have to be conducted by a CERT-In empanelled IS auditing organization.
4.4.2. The timeline of the cyber audit for SEBI REs shall be as follows:
Table 22: Cyber audit report submission and observations closure timeline
1. Cyber audit report submission - The final cyber audit report shall be submitted after approval from the respective IT Committee for REs, within 1 month of completion of the cyber audit.
2. Closure of findings identified during cyber audit - Within 3 months of cyber audit report submission. A graded approach (based on the criticality of the observation) shall be followed for closure of the observations found during the cyber audit.
3. Follow-on audit - The follow-on audit shall be completed within 5 months of completion of the cyber audit.
4.4.3. Cyber audit report sha....

....onal Context (GV.OC):
[Figure 2: Overview of Governance function. Cyber Resilience Goal: ANTICIPATE / EVOLVE; Cybersecurity Function: GOVERNANCE - Establish and monitor the RE's cybersecurity risk management strategy, expectations, and policy with appropriate roles and responsibilities. Categories: Organizational Context; Roles, Responsibilities and Authorities; Policy; Oversight; Risk Management; Cybersecurity Supply Chain Risk Management.]
i. GV.OC: Objective
The essential concomitants surrounding the REs' cybersecurity risk management decisions are understood. This includes mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements.
ii. GV.OC: Standard
1. Critical objectives, capabilities, and services that external stakeholders depend on or expect from the REs shall be understood and communicated.
2. Legal and regulatory requirements regarding cybersecurity, including data protection and data privacy, shall be understood and managed.
3. REs shall understand and communicate the dependency of their outcomes, capabilities, and services on external resources such as third-party service providers.
1.2. GV.RR: Roles, Responsibiliti....

....tcomes are used to inform, improve, and adjust the risk management strategy.
ii. GV.OV: Standard
1. Cybersecurity risk management strategy outcomes shall be reviewed to inform and adjust strategy and directions.
2. The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks.
3. Organizational cybersecurity risk management performance is evaluated and reviewed for the adjustments needed.
4. Organizations are to assess their cyber resilience posture using CCI on a periodic basis.
Box Item 4: Cyber Capability Index
Under the guidance of SEBI's High Powered Steering Committee on Cybersecurity (HPSC-CS), SEBI has developed a Cyber Capability Index (CCI) for the securities market. The above-mentioned CCI is calculated on the basis of 23 parameters with different weightages. Based on the value of the index, the cybersecurity maturity level of the REs shall be determined as follows:
Table 24: Rating categories of REs based on CCI (SN. | Rating | Cybersecurity Maturity Index Score)
1. Exceptional Cybersecurity Maturity - 100-91
2. Optimal Cybersecurity Maturity - 90-81
3. Manageable Cybersecurity Maturity - 80-71
4. Developing Cybersecurity Maturity - 70-61
5. Bare....

....f Applications
// List the count of IPs audited - Internal and External
3. External Penetration Testing – Infrastructure and Applications
// List the count of IPs audited
4. Wi-Fi Testing
// List the number of Wi-Fi access points/ routers/ devices audited
5. API Security Testing
// List the APIs audited
6. Network Segmentation Testing
// List the network segmentation audited
7. VA and PT of Mobile Applications
// List the number of APK files and IPA files audited
8. OS and DB Assessment
// List the type and number of OS and DBs audited
9. VAPT of Cloud implementation and Deployments
// Name the cloud service provider and list the IPs audited
10. Configuration audit
// List the systems for which configuration audit has been conducted
4. Tools used:
4.1. Name of the Tool:
4.2. Type: Open source/ Commercial
4.3. Operations: manual/ automated/ both
5. Exclusions, if any:
// Please enclose attachments regarding exclusions as approved by 'IT Committee for REs' along with the MoM of the meeting where the exclusions were approved.
6. Summary of the VAPT Report:
6.3. Details of Vulnerability Assessment findings:
Vulnerability Assessment Findings Details Ann....


....ational loss. These observations need to be addressed within a reasonable timeframe.
Represents weaknesses in control, which in combination with other weakness can develop into an exposure.
Suggested improvements for situations not immediately/directly affecting controls.

Annexure-B: Cyber Audit Report Format
Cyber audit report format for compliance submission
NAME OF THE ORGANISATION:
ENTITY TYPE:
ENTITY CATEGORY:
RATIONALE FOR THE CATEGORY: <>
PERIOD OF AUDIT: <>
NAME OF THE AUDITING ORGANISATION:
Date on Which Cyber Audit Report presented to 'IT Committee for REs':
RE's Authorised signatory declaration:
I/We hereby confirm that the information provided herein is verified by me/ us and I/ we shall take the responsibility and ownership of this cyber audit report. Further, this is to certify that:
a. Comprehensive measures and processes including suitable incentive/ disincentive structures, have been put in place for identification/detection and closure of vulnerabilities in the organization's IT systems.
b. Adequate resources have been hired for staffing our Security Operations Centre (SOC).
c. There is compliance by us....


....asset locations/Third-party vendors name, applications, etc.) of the Infrastructure assessed
1. PDC
2. DR
3. Near-site
4. Co-location Facility (if applicable)
5. Cloud Infrastructure
6. Third-party service provider
7. Others
3.3. Any other specific item(s)
4. Methodology/Audit approach (audit subject identification, pre-audit planning, data gathering methodology, sampling methodology etc. followed by the Auditing Organization)
5. Summary of findings (including identification tests, tools used and results of tests performed)
S.No | Number of Non-conformity | Number of observations | Risk rating: Critical | High | Medium | Low | Any other comments
1 | | | | | | |
6. Control-wise Compliance status of SEBI CSCRF:
S.N | Standards prescribed by SEBI CSCRF (Clause number and text) | Description of the Finding(s)/ Observation(s) | Name of the system affected | Whether system belongs to RE or third-party vendor | Status/nature of findings | Risk rating (C/H/M/L) | C/I/A of the finding | Test case used | Root Cause Analysis | Impact analysis | Auditor recommendations/ Corrective actions | Deadline of corrective action(s) | Management response | Whether similar issue was reported in the last three a....


....s - A detailed analysis on the cause of the non-conformity.
ix. Impact Analysis - An analysis of the likely impact on the operations/ activity of the RE.
x. Auditor recommendations/ Corrective actions - The actions to be taken (by the RE) to correct the non-conformity.
xi. Deadline of corrective action(s) - The RE shall specify the deadline not only for the corrective action(s) to be taken on the system(s) where NC/ observation was found, but also specify the deadline for corrective action on systems with related functionalities/configurations where similar observations could have been found/are found.
xii. Management response - Management action plan/taken to address the observation and/ or implementation of auditor's recommendation
xiii. Whether similar issue was reported in the last three audits - Yes/No
xiv. List of documentary evidence including physical inspection/ sample size taken by the auditor
8. Format for exception reporting by the RE: These exceptions shall be approved by the IT Committee for REs
S. No | Standard of CSCRF | Description of non-compliance | Auditor observation | Auditor recommendation | Management comments | Com....


.... latest data backup (as per prescribed RPO) available?
e. Have the copies of the infected machines been preserved for digital forensics and incident response experts for analysis?
f. Has the threat been removed from the infected devices?
Resolving the cause of the incident:
a. Removing malware,
b. Patching vulnerabilities,
c. Taking other measures etc. Please specify resolution method.
v. Recovery checklist
a. Recover lost or corrupted data,
b. Restore normal operations by returning systems and networks to a known good state
c. Taking other measures etc.
Recovery plan template items (Sr. No. 2 to 14):
Cybersecurity incident recovery plan scenarios
Key assumptions and pre-requisites
Authorization
Details of the Incident Response Team (IRT) (Internal/External)
Details of other teams involved (Internal/External)
Cybersecurity incident recovery invocation
Categorization of incidents
Off site location address where 'golden' copy of server images and data are stored
Recover System(s) and Services
Recovery Actions
Lessons learned: Document lessons learned from the incident and incorporate them into incident response and recovery plans.
Post-incident: Measures t....


.... RE shall ensure that NDA is signed between the RE and auditor prior to initiation of the cyber audit.
b. All audit reports shall be submitted strictly as per the format provided in CSCRF.
c. The coverage of the audit shall be as follows:
i. REs which have been declared as CIIs by NCIIPC shall follow the guidelines/ circulars issued by NCIIPC for selecting sample size for critical/non-critical assets.
ii. Rest of the REs shall take the sample size as mentioned in 'CSCRF Compliance, Audit Report'.
iii. RE shall ensure that 100% of their critical systems should get covered under cyber audit. Further, RE shall ensure that for 25% of non-critical systems, sample size and sampling method should be mentioned explicitly in the audit report with the rationale of checking it on sample basis and the chosen sample size.
iv. As part of audit of the RE, the auditor shall verify, and certify, whether there is a clear delineation/ demarcation of roles and responsibilities between the RE and Hosted service provider (as given in definitions section). The auditor shall also verify, and certify, whether the above-mentioned demarcations of roles and ....


....Auditor Guidelines.pdf

Annexure-E: Scenario-based Cyber Resilience Testing
This is a sample template for Stock Exchange. REs are encouraged to make their scenarios in consultation with their IT Committee for REs.
Sample scenarios that are targeted to cover in Cyber Response plan as well as Cyber Resiliency Testing (Types of Attack × Potential Targeted Time intervals - On Core Systems):
Cyber Attack types (columns): DNS Based Attacks | DDoS | Malware/ Malicious Code Attack | Application Level Attacks (SaaS Model) | Brute Force/Authentication based attack (Internal & Internet) | AD attack
Time intervals (rows): Before BOD/early Morning (Before 9:00 hrs) | Pre-open Sessions (B/W 9:00 - 9:15 hrs) | Regular Trading Sessions (09:15 - 15:30 hrs) | Closing Session (15:30-16:00 hrs) | Post 16:00 hrs

Attack Scenario Category | Types of attacks | Impact | Response & Recovery
Malware Attacks | Ransomware, Spyware, Trojans, Worms, Bots | |
Application Level Attacks | Injection, Broken Authentication & Session Management, Cross-Site Scripting/request forgery | |
DDOS | DDOS | Service Unavailability | DDOS Protection services f....


....'Outsourcing by Depositories' dated Dec 09, 2015 (Refer: https://www.sebi.gov.in/legal/circulars/dec-2015/outsourcing-by-depositories_31219.html)
'Guidelines on Outsourcing of Activities by Intermediaries' dated Dec 15, 2011 (Refer: https://www.sebi.gov.in/legal/circulars/dec-2011/guidelines-on-outsourcing-of-activities-by-intermediaries_21752.html)

Annexure-G: Application Authentication Security
Illustrative Measures for Application Authentication Security are given below:
1. Any Application offered by REs to Customers containing sensitive, private, or critical data such as IBTS, SWSTS, Back office etc. (referred to as "Application" hereafter) over the Internet should be password protected. A reasonable minimum length (and no arbitrary maximum length cap or character class requirements) should be enforced. While it is difficult to quantify password "complexity", longer passphrases have more entropy and offer better security in general. REs should attempt to educate Customers of these best practices.
2. Passwords, security PINs etc. should never be stored in plain text and should be one-way hashed using strong cryptographic hash functions (e....
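The two Annexure-G points above (minimum length only, one-way hashed storage), as an added Python illustration that is not part of the CSCRF or any RE's code; hashlib.scrypt, MIN_LENGTH = 12 and the cost parameters are my assumptions, since the extract only asks for a strong hash function:

```python
"""Customer password/PIN storage for an RE-facing application: a minimum
length is enforced (no maximum cap, no character-class rules) and only a
salted, one-way hash is kept. Added illustration, not CSCRF or RE code;
the KDF (hashlib.scrypt), MIN_LENGTH and the cost parameters are assumed.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12                      # assumed "reasonable minimum length"
SALT_BYTES = 16
# scrypt cost: N=2**14, r=8 needs 16 MiB, inside hashlib's default maxmem.
N, R, P, DKLEN = 2 ** 14, 8, 1, 32


def check_password_policy(password: str) -> list[str]:
    """Return a list of violations; empty means acceptable.
    Only the minimum length is checked: long passphrases of plain words
    pass, and no upper-case/digit/symbol rules are imposed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


def hash_secret(secret: str) -> str:
    """One-way hash with a fresh random salt per secret, stored as
    'scrypt$N$r$p$salt_hex$hash_hex' so the cost can be raised later.
    Equal passwords or PINs therefore produce different records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                            n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, record: str) -> bool:
    """Recompute the hash from the stored salt/parameters and compare in
    constant time. Malformed records verify as False instead of raising."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
        expected = bytes.fromhex(hash_hex)
        if algo != "scrypt" or len(expected) < 16:
            return False             # refuse empty/short digests
        actual = hashlib.scrypt(secret.encode("utf-8"),
                                salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p),
                                dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


# Dummy record so that a login for an unknown user costs the same time as
# one for a real user (no account enumeration via response time).
_DUMMY_RECORD = hash_secret(os.urandom(16).hex())


def register(store: dict, user: str, password: str) -> None:
    """Store only the hash; reject passwords that fail the policy."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("; ".join(problems))
    store[user] = hash_secret(password)


def authenticate(store: dict, user: str, password: str) -> bool:
    """True only if the user exists and the password matches its record."""
    record = store.get(user)
    if record is None:
        verify_secret(password, _DUMMY_RECORD)   # burn the same time
        return False
    return verify_secret(password, record)
```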


....ensitive data. For instance, rather than displaying the full phone number or a bank account number, display only a portion of it, enough for the Customer to identify, but useless to an unscrupulous party who may covertly obtain it from the Customer's screen. For instance, if a bank account number is "123 456 789", consider displaying something akin to "XXX XXX 789" instead of the whole number. This also has the added benefit of not having to transmit the full piece of data over various networks.
3. Analyse data and databases holistically and draw out meaningful "silos" (physical or virtual) into which different kinds of data can be isolated and cordoned off. For instance, a database with personal financial information need not be a part of the system or network that houses the public facing websites of the REs. They should ideally be in discrete silos or DMZs.
4. Implement strict data access controls amongst personnel, irrespective of their responsibilities, technical or otherwise. It is infeasible for certain personnel such as System Administrators and developers to not have privileged access to production databases. For such cases, take strict m....


....romised with MITM attacks. Instead, adopt secure protocols such as FTP(S), SSH and VPN tunnels, etc.

Annexure-J: Framework for Adoption of Cloud Services
SEBI's 'Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)' circular dated March 06, 2023: (Refer: https://www.sebi.gov.in/legal/circulars/mar-2023/framework-for-adoption-of-cloud-services-by-sebi-regulated-entities-res-_68740.html)

Annexure-K: Cyber Capability Index (CCI)
REPORTING FORMAT FOR MIIS AND QUALIFIED RES TO SUBMIT THEIR CCI SCORE
NAME OF THE ORGANISATION:
ENTITY TYPE:
ENTITY CATEGORY:
RATIONALE FOR THE CATEGORY: <>
PERIOD: <>
NAME OF THE AUDITING ORGANISATION (applicable for MIIs):
RE's Authorised signatory declaration:
I/We hereby confirm that Cyber Capability Index (CCI) has been verified by me/ us and I/We shall take the responsibility and ownership of the CCI report.
Signature:
Name of the signatory:
Designation (choose whichever applicable):
Company stamp:
Annexures: 1. CCI report as per the format given in Table 27 and CCI score

Cyber Capability Index (CCI)
A. Backgroun....


....age score | Auditor comments w.r.t. cyber audit (for MIIs)
3. Security Training Measure [PR.AT.S1]
Goal/Objective: Ensure that information system security personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Measure: Percentage (%) of information system security personnel that have received security training within the past one year.
Measure Type: Implementation
Formula: (Number of information system security personnel that have completed security training within the past year / total number of information system security personnel) x 100
Target: 100%
Implementation Evidence: 1. Details of the training/ awareness sessions scheduled within the past 1 year. 2. Cyber audit observation against Standard mentioned in 'Protect: Awareness and Training' header in CSCRF Part-I and respective guidelines in Part-II. 3. Time taken to close identified vulnerabilities.
Weightage: 5%

S No | Measure ID | Goal/Objective | Measure | Measure Type | Formula | Target | Implementation Evidence | Weightage | Self-assessment score | Auditor comments w.r.t. cyber audit (for MIIs)
4. Remote Access Measure
Formula: (Number of remote users logging through
Target: 100%
Implementation Evidence: 1. Does the organization use automated tools
Weightage: 2%
Measure Type: Informati....


....ment score | Auditor comments w.r.t. cyber audit (for MIIs)
6. Configuration Changes Measure [DE.CM.S5]
Goal/Objective: Establish and maintain baseline configuration and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Measure: Percentage (%) of approved and implemented configuration changes identified in latest automated baseline configuration.
Measure Type: Implementation
Formula: (Number of approved and implemented configuration changes identified in the latest automated baseline configuration / total number of configuration changes identified through automated or manual scans) × 100
Target: 100%
Implementation Evidence: 1. Does the organization manage configuration changes to information systems using an organizationally approved process? 2. Does the organization use automated scanning to identify configuration changes that were implemented on its systems and networks? 3. If yes, how many configuration changes were identified through
Weightage: 2%

S No | Measure ID | Goal/Objective | Measure | Measure Type | Formula | Target | Implementation Evidence | Weightage | Self-assessment score | Auditor comme....


.... Formula | Target | Implementation Evidence | Weightage | Self-assessment score | Auditor comments w.r.t. cyber audit (for MIIs)
9. Incident Response Measure [RS.CO.S2]
Goal/Objective: Track, document, and report incidents to appropriate organizational officials and/or authorities.
Measure: Percentage (%) of incidents reported within required time frame.
Measure Type: Effectiveness
Formula: (number of incidents reported on time / total number of reported incidents) ×100
Target: 100%
Implementation Evidence: 1. How many incidents were reported during the period? 2. Of the incidents reported, how many were reported within the prescribed time frame?
Weightage: 2%

S No | Measure ID | Goal/Objective | Measure | Measure Type | Formula | Target | Implementation Evidence | Weightage | Self-assessment score | Auditor comments w.r.t. cyber audit (for MIIs)
10. Maintenance Measure [PR.MA.S1]
Goal/Objective: Perform periodic and timely maintenance on organizational information systems and provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct ....
Measure: Percentage (%) of system components that undergo maintenance according
Measure Type: Efficiency
Formula: (Number of system components that undergo maintenance
Target: 100%


.... mentioned in 'Protect: Identity Management, Authentication, and Access Control' header in CSCRF Part-I and respective guidelines in Part-II.

S No | Measure ID | Goal/Objective | Measure | Measure Type | Formula | Target | Implementation Evidence | Weightage | Self-assessment score | Auditor comments w.r.t. cyber audit (for MIIs)
13. Planning Measure [GV.RR.S5]
Goal/Objective: Develop, document, periodically update, and implement security measures for access to the information systems of the organisation.
Measure: Percentage (%) of users who are granted system access only after they sign an acknowledgement that they have read and understood confidentiality and integrity agreement.
Measure Type: Implementation
Formula: (Number of employees who get authorised access to information systems after signing confidentiality and integrity agreement / total number of users who are granted system access) ×100
Target: 100%
Implementation Evidence: 1. How many users accessed the system? 2. How many users signed confidentiality and integrity agreement acknowledgements? 3. How many users have been granted access to the information system only after signing confidentiality and integrity agreement acknowledge....
Weightage: 1%


....SCRF Part-I and respective guidelines in Part-II.
Implementation Evidence (continued): 1. How many active service acquisition contracts does the organization have? 2. How many active service acquisition contracts include security requirements and specifications? 3. How many contracts include integration of systems with SOC technologies? 4. Whether the acquisition contract includes SLA for timely vulnerabilities closure and implementation of patches? 5. Contracts for adoption of Cloud include implementation of 'security of the cloud', etc....
Weightage: 3%

S No | Measure ID | Goal/Objective | Measure | Measure Type | Formula | Target | Implementation Evidence | Weightage | Self-assessment score | Auditor comments w.r.t. cyber audit (for MIIs)
17. System and Communication Protection Measure [PR.DS.S4]
Goal/Objective: Allocate sufficient resources to adequately protect electronic information infrastructure.
Measure: Percentage (%) of mobile computers and devices that perform all cryptographic operations.
Measure Type: Implementation
Formula: (Number of mobile computers and devices that perform all cryptographic operations / total number of mobile computers and devices) ×100
Target: 100%


....asure
Formula: (Total number of CSK reported events closed in 15 days / Total number of CSK reported events to the organization)×100
Target: 100%
Implementation Evidence: 1. Summary report of the events reported by CSK.
Weightage: 4%

S No | Measure ID | Goal/Objective | Measure | Measure Type | Formula | Target | Implementation Evidence | Weightage | Self-assessment score | Auditor comments w.r.t. cyber audit (for MIIs)
21. Cybersecurity Policy Document [GV.PO.S1]
Goal/Objective: Develop, document, periodically update, and implement cybersecurity policies and procedures for organizational information systems that describe the security controls in place or planned for information systems.
Measure: Non quantifiable measure
Implementation Evidence: 1. Cybersecurity Policy document of the organization. 2. Frequency of the revision of the policy document. 3. Approval of the policy document. 4. Cyber audit observation against Standard mentioned in 'Governance: Policy' header in CSCRF Part-I and respective guidelines in Part-II.
Weightage: 4%

S No | Measure ID | Goal/Objective | Measure | Measure Type | Formula | Target | Implementation Evidence | Weightage | Self-assessment score | Auditor comments w.r.t. cyber audit (for M....


....ed in order to have holistic visibility over RE's IT environment. It shall help the RE in measuring the extent to which SOC technologies encompass the RE's entire asset base.

Table 29: IT Asset distribution of RE
Sr. No. | System Types* | System Type ID | Count
1 | Network Devices (Switches, Load Balancers, Routers, Firewalls, etc.) | S1 |
2 | Security Solutions (SOC and NOC technologies deployed) | S2 |
3 | End-Points | S3 |
4 | Applications (Internal or External) | S4 |
5 | Databases | S5 |
6 | All Servers (such as AD, DHCP, DNS, Patch mgmt., NTP, IPT, WiFi, Application server, Database servers, server-based security solutions, etc.) | S6 |
n | | Sn |
*The data in Table 29 shall be extracted from Asset Inventory. If there is some other category of systems in the asset inventory maintained by REs, the same may be added in this table with another category and based on applicability, it may be added to Table 30.

Table 30: Methodology to assess the level of asset integration with SOC Technologies (34)
34 For the purpose of calculation, zero score shall be given for a category/ sub-category if the denominator is zero.
Sr. | Systems ID | Count of Systems to be | Count of Systems | SOC | Weightage ....


....
Sr. No. | Metric | Value | Weightage (W) (%) | Weighted Score
| Use-cases/rules configured on SIEM for critical systems? | Yes=1, No=0 (U) | 2 | U×W
| Privilege access to critical systems verified on a weekly basis? | Yes=1, No=0 (V) | 2 | V×W
| Configuration and data back-ups being taken periodically? | Yes=1, No=0 (X) | 2 | X×W
Total | | | 75 | Y
*The above metric for SOC operations is not exhaustive; REs are required to add other metrics depending upon the maturity of their security infrastructure and availability of tools and technologies. 25% weightage is left to the REs.

c) Competency of deployed SOC personnel: To assess the skill level of security professionals deployed in SOC through a combination of appropriate industry level certifications and years of experience to ensure that SOC operations are carried out in smooth and effective manner.

Table 32: Methodology to assess the competency of deployed SOC personnel
Sr. No. | Category of engineer | Minimum Certification requirements | Years of Experience (YoE) | Weightage of category [C] (%) | Count of Engineers having minimum required certification | Weightage of sub-category [w] | Actual sub-category-wise Score | Weighted Score ....


....lytics
Sr. No. | Metric | Value (A) | Weightage (W) (%) | Weighted Score
1.1 | Using Native technology dashboard | Yes=1, No=0 | 5 | A×W
1.2 | Custom developed dashboard | Yes=1, No=0 | 5 | A×W
2 | Threat Hunting | | |
2.1 | Threat Hunting Exercise Carried out by: Specialized Threat Hunting service provider | Yes=1, No=0 | 5 | A×W
| Internal Team | Yes=1, No=0 | 3 | A×W
2.2 | Periodicity of the Exercise: Quarterly | Yes=1, No=0 | 5 | A×W
| Half-Yearly | Yes=1, No=0 | 3 | A×W
2.3 | Hypotheses: Total no. of hypotheses [T] | | |
| No. of hypotheses based on the open vulnerabilities [X] | | 5 | (X/T)×W
| No. of Hypotheses based on IoCs [Y] | | 5 | (Y/T)×W
| No. of Hypotheses based on IoAs [Z] | | 5 | (Z/T)×W
3 | Automation | | |
3.1 | Threat intel integration with SIEM | Yes=1, No=0 | 5 | A×W
3.2 | No. of SOAR actions triggered [T]; Total no. of different SOAR actions created [S] | | 5 | (T/S)×W
4 | Technologies implemented | | |
| Decoy | Yes=1, No=0 | 3 | A×W
| Sandboxing Solution | Yes=1, No=0 | 3 | A×W
| UEBA | Yes=1, No=0 | 3 | A×W
| Vulnerability Management Solution | Yes=1, No=0 | 3 | A×W
| Encrypted Traffic Management | Yes=1, No=0 | (illegible in extract) | A×W
| DNS Security | Yes=1, No=0 | 3 | A×W
| Intrusion prevention system | Yes=1, No=0 | 3 | A×W
| Data classification solution | Yes=1, No=0 | 3 | A×W
Total | | | 75 | E
*T....


....er Q 30 in CERT-In Cybersecurity directions: https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf

Annexure-O
Unauthorized access to servers and network devices; unauthorized or unexpected configuration changes on network devices detected; impersonation of SEBI officials in email communications; data exfiltration; unusually high count of phishing emails; instances of outbound phishing emails; some risk of negative financial or public relations impact, etc.
Critical: Successful penetration or Denial of Service attacks detected with significant impact on operations; ransomware attack; exfiltration of market sensitive data; widespread instances of data corruption causing impact on operations; significant risk of negative financial or public relations impact, etc.
4. Any cyber incident that results in disruption, stoppage or variance in the normal functions/operations of systems of the entity thereby impacting normal/ regular service delivery and functioning of the entity, must be classified as High or Critical incident.

B: Guidelines on Handling of Cybersecurity Incidents
1. A....


...._May2022.pdf
38 Cybersecurity incidents have to be reported by SEBI REs in accordance with the framework/circular/Standard Operating Procedure issued by SEBI.
c. Whether the RE has communicated to all relevant stakeholders about the incident.
d. Whether RE has taken sufficient measures to control, mitigate and remediate the incident.
e. Whether Root cause analysis (RCA) has been performed by RE.
f. Whether lessons learnt have been implemented by RE.
g. Whether the issues/loopholes identified in RCA stage have been addressed/plugged by the RE.
h. Whether RE has hired any independent agency to conduct IS Audit/ forensic audit related to the incident (as per applicability).
i. Whether RE has addressed/plugged vulnerabilities identified in the audit mentioned in point h above.
3.3. RE shall undertake the necessary activities and submit the relevant reports as per the following timelines:
Table 36: Timelines for post-cyber incident activity(ies) and report submission
Sr. No. | Name of the Report/ Activity | Timeline for Submission (from the date of reporting the incident or being brought to notice about the incident)
1 | Interim Report* | 3 Days....


....uracy, for submitting the accurate and complete report.
3.7. In the event of RE not submitting accurate and complete reports after being provided additional time, appropriate regulatory action may be taken by SEBI (over and above the action mentioned in clause 3.6 above).
3.8. Critical or High category of cybersecurity incidents experienced by MIIs, Qualified REs, and Mid-size REs shall be mandatorily put up for the review of HPSC-CS. Remaining incidents, i.e., low and medium for all REs, and high and critical severity incidents for small-size and self-certification REs, shall be processed by SEBI internally. The review by HPSC-CS and SEBI shall be as follows:
3.8.1. Review by HPSC-CS
i. For all the incidents placed before HPSC-CS, the committee may confirm the severity or may recommend a different severity on the basis of its analysis.
ii. The committee will examine the reports, review the severity of the incident and provide its recommendations on the same.
iii. Further, if the committee determines that the incident occurred on account of non-compliance of SEBI cybersecurity framework/ advisories, appropriate regulatory action may ....