Cyber Framework
Version: 1.0
Tel.: +91-22-26449000/40459000
Website: www.sebi.gov.in
Consolidated CSCRF version 1.0
Page 2 of 129
Executive Summary
"Prevention of damage to, protection of, and restoration of computers, electronic communication systems, electronic communication services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation." – NIST SP 800-53[1] cybersecurity definition.
The use of Information Technology has grown rapidly in the securities market and has become a critical component of SEBI Regulated Entities (REs). However, with these swift technological advancements, protection of IT infrastructure and data through cybersecurity measures has become a key concern for SEBI and its REs. Since 2015, SEBI has issued various cybersecurity and cyber resilience frameworks to address cybersecurity risks and enhance cyber resilience for the SEBI REs. Further, SEBI has also issued an advisory on cybersecurity best practices for all the REs.
[1] Refer NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations, https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
[2] Refer Definitions section for the specified REs criteria.
[3] Refer Definitions section for the MIIs definition.
i. IDENTIFY
a. REs shall identify and classify critical assets based on their sensitivity and
criticality for business operations, services and data management. The Board /
Partner / Proprietor of the REs shall approve the list of critical systems.
b. REs shall formulate a comprehensive cybersecurity and cyber resilience policy
and incorporate best practices from standards such as ISO 27001, COBIT 5,
etc.
c. Comprehensive scenario-based testing shall be done for assessing risk related
to cybersecurity in REs’ IT environment including both internal and external
cyber-risks.
d. REs shall be solely accountable for all aspects related to third-party services
taken including (but not limited to) confidentiality, integrity, availability, non-
repudiation, and security of its data and logs, and ensuring compliance with
laws, regulations, circulars, etc. issued by SEBI / Government of India.
Accordingly, REs shall be responsible and accountable for any violation of the
same.
ii. PROTECT
a. Strong log retention policy, password policy and access policy shall be
documented and implemented.
b. REs shall implement network segmentation techniques to restrict access to the
sensitive information, hosts, and services.
c. Layering of Full-disk Encryption (FDE) along with File-based Encryption (FBE)
shall be used for data protection.
d. For the development of all critical software / applications and further feature
enhancements, there shall be separate Development, System Integration
Testing, User Acceptance Testing and Quality Assurance environments.
e. Periodic audit shall be conducted by a CERT-In empanelled auditor to audit the
implementation and compliance to standards mentioned in the consolidated
CSCRF.
f. Vulnerability Assessment and Penetration Testing (VAPT) shall be done to
detect open vulnerabilities in the IT environment for critical assets and
infrastructure components as defined in the framework. A comprehensive
VAPT scope has also been added.
g. Application Programming Interface (API) security and Endpoint security
solution shall be implemented with rate limiting, throttling, and proper
authentication and authorisation mechanisms.
[4] Refer Framework Compliance section.
The framework will continue to be updated and improved as technology and the securities market evolve and as different REs provide their feedback. This will ensure that the framework meets the cybersecurity needs of the securities market, MIIs and all other REs.
Table of Contents
Executive Summary........................................................................................................................... 3
Abbreviations ...................................................................................................................................... 10
Definitions ............................................................................................................................................ 13
A. Introduction ............................................................................................................................... 16
B. Framework Compliance, Audit, Report submission, and Timeline: ........................... 19
1. ISO Audit and Certification ............................................................................................ 19
2. VAPT .................................................................................................................................... 19
3. Cyber Audit ........................................................................................................................ 21
4. Periodicity of other Standards/Guidelines ................................................................ 22
C. Cybersecurity Framework ...................................................................................................... 24
D. Cybersecurity Framework Functions.................................................................................. 26
1. IDENTIFY ............................................................................................................................ 26
1.1. ID.AM: Asset Management ................................................................................ 26
1.1.1. ID.AM: Objective:.............................................................................................. 26
1.1.2. ID.AM: Standard: .............................................................................................. 26
1.1.3. ID.AM: Guidelines: ........................................................................................... 26
1.2. ID.GV: Governance .............................................................................................. 27
1.2.1. ID.GV: Objective: .............................................................................................. 27
1.2.2. ID.GV: Standard: .............................................................................................. 27
1.2.3. ID.GV: Guidelines:............................................................................................ 28
1.3. ID.RARM: Risk Assessment and Risk Management Strategy .................. 31
1.3.1. ID.RARM: Objective: ........................................................................................ 31
1.3.2. ID.RARM: Standard: ........................................................................................ 31
1.3.3. ID.RARM: Guidelines:...................................................................................... 32
1.4. ID.SC: Supply Chain Risk Management ......................................................... 33
1.4.1. ID.SC: Objective: .............................................................................................. 33
1.4.2. ID.SC: Standard: .............................................................................................. 34
1.4.3. ID.SC: Guidelines: ............................................................................................ 34
2. PROTECT ........................................................................................................................... 35
2.1. PR.AC: Identity Management, Authentication, and Access Control ...... 35
2.1.1. PR.AC: Objective: ............................................................................................ 35
2.1.2. PR.AC: Standard: ............................................................................................. 36
Abbreviations
Sr. No. | Abbreviation | Explanation/Expansion
12. | DB | Database
[5] Refer Securities Contracts (Regulation) Act 1956, SEBI Act 1992, and Depository Act 1996.
Definitions
1. Critical assets –
Entities shall identify and classify their critical IT systems. The following systems shall be included in critical systems (both on-premise and cloud):
a. Any system that will have an adverse impact on any business operations if compromised.
b. Any system that stores/transmits any type of critical data (financial data, trading data, and PII).
c. Devices/networks through which any critical system is connected (either physically or virtually).
d. Internet-facing applications / systems.
e. Systems directly/indirectly connected to any other critical system.
f. All the ancillary systems used for accessing/communicating with critical systems, either for operation or for maintenance.
8. Risk –
As defined by NIST[7] and OWASP[8], Risk = Likelihood * Impact, where Likelihood = Threat * Vulnerabilities. Likelihood is a measure of how likely a vulnerability is to be discovered and exploited by an attacker. Impact is the magnitude of harm that can be expected to result from the consequences of threat exploitation.
[6] Refer NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations, https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
[7] Refer NIST SP 800-30 Rev. 1: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
[8] Refer Risk-rating methodology: https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
[9] Refer NIST SP 800-30 Rev. 1: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
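The Risk = Likelihood * Impact definition above can be worked through end to end with the OWASP Risk Rating Methodology the framework cites. The following is an added example, not part of the CSCRF text or of any SEBI tooling: it scores the threat-agent and vulnerability factors (the Threat and Vulnerabilities terms of Likelihood) and the technical impact factors on OWASP's 0-9 scale, buckets each average as LOW/MEDIUM/HIGH, and combines the two buckets through OWASP's severity matrix. The factor names, thresholds and matrix follow the published OWASP methodology; the sample scores are constructed for illustration and do not describe any real system.

```python
"""Worked risk rating in the form Risk = Likelihood * Impact.

Added example, not part of the CSCRF. Factor names, the 0-9 scale, the
LOW/MEDIUM/HIGH thresholds and the severity matrix follow the OWASP Risk
Rating Methodology; the SAMPLE scores are constructed, not a real assessment.
"""

# Threat-agent factors (the "Threat" term) and vulnerability factors
# (the "Vulnerabilities" term) together determine Likelihood.
THREAT_FACTORS = ("skill_level", "motive", "opportunity", "size")
VULN_FACTORS = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
# Technical impact factors determine Impact.
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability")

# OWASP severity matrix: outer key = impact bucket, inner key = likelihood bucket.
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}


def bucket(score: float) -> str:
    """OWASP thresholds: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range 0-9: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _average(scores: dict, names: tuple) -> float:
    """Average of the named factors; every factor must be present and within 0-9."""
    missing = [n for n in names if n not in scores]
    if missing:
        raise KeyError(f"missing factor(s): {missing}")
    for n in names:
        if not 0 <= scores[n] <= 9:
            raise ValueError(f"{n} must be within 0-9, got {scores[n]}")
    return sum(scores[n] for n in names) / len(names)


def likelihood(scores: dict) -> float:
    """Likelihood = average of the four threat-agent and four vulnerability factors."""
    return _average(scores, THREAT_FACTORS + VULN_FACTORS)


def impact(scores: dict) -> float:
    """Impact = average of the four technical impact factors."""
    return _average(scores, IMPACT_FACTORS)


def rate_risk(scores: dict) -> dict:
    """Return the numeric terms, their buckets and the resulting severity label."""
    lk, im = likelihood(scores), impact(scores)
    lb, ib = bucket(lk), bucket(im)
    return {"likelihood": lk, "impact": im,
            "likelihood_bucket": lb, "impact_bucket": ib,
            "severity": SEVERITY[ib][lb]}


# Constructed sample: an internet-facing service with an easily discovered
# authentication weakness (high likelihood) but limited data exposure (low impact).
SAMPLE = {
    "skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 3,
    "loss_of_confidentiality": 2, "loss_of_integrity": 3,
    "loss_of_availability": 5, "loss_of_accountability": 1,
}

if __name__ == "__main__":
    print(rate_risk(SAMPLE))
```

The point the matrix makes for a risk register: a finding with HIGH likelihood and LOW impact lands at "Medium", the same severity as a LOW likelihood / HIGH impact finding, so neither term should be reported on its own.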
Criteria for Specified REs will be finalized after consultation with market
intermediaries/participants, and practitioners.
A. Introduction
Technology has become an integral part of the securities market since the IT industry boomed in India. With these technological developments in the securities market, maintaining robust cybersecurity and cyber resilience to protect the organizations operating in the securities market from cyber-risks / incidents has become indispensable. SEBI has issued targeted cybersecurity and cyber resilience frameworks for various REs since 2015. To further strengthen cyber-risk / incident prevention, preparedness, and response capacities, this consolidated cybersecurity and cyber resilience framework has been released.
The consolidated CSCRF will supersede the following SEBI circulars, which will be deprecated from <DD/MM/YYYY>:
Table 3: REs and their corresponding entity for ISO certification evidence submission (columns: Sr. No. | Regulated Entity | ISO certification and report submission to)
2. VAPT[10]
The VAPT scope, periodicity and compliance are defined in clause D.3.1.3.a.ii.
2.1. The VAPT reporting format has been attached as Annexure-A. The VAPT activity report of SEBI REs, the required declaration from the MD/CEO to certify compliance, and the audit materiality metrics as given in Annexure-B shall be submitted as per the table below:
Table 4: REs and their corresponding entity for VAPT report submission (columns: Sr. No. | Regulated Entity | VAPT report submission to)
2.2. The periodicity of the VAPT activity for SEBI REs in a financial year shall be as follows:
[10] Unless otherwise specified, all certifications / audits mentioned in the consolidated CSCRF have to be conducted by a CERT-In empanelled auditor.
2.3. The timeline for completion of VAPT activity for SEBI REs shall be as follows:
Table 6: Timeline of VAPT report submission and closure compliance for REs (columns: Sr. No. | Activity | Timeline)
3. Cyber Audit
Cyber audit[11] here pertains to the audit for compliance with this framework.
3.1. The periodicity of the cyber audit for SEBI REs in a financial year shall be as
follows:
3.2. The timeline of the cyber audit for SEBI REs shall be as follows:
Table 8: Timeline of Cyber audit findings closure and compliance for REs (columns: Sr. No. | Activity | Timeline)
3.3. A submission for compliance with this consolidated CSCRF shall be made by all REs. The format for compliance submission to this consolidated CSCRF has been attached as Annexure-C. The cyber audit reports for compliance with this consolidated CSCRF, the required declaration from the MD/CEO to certify compliance, and the audit materiality metrics as given in Annexure-B shall be submitted as per the table below:
Table 9: REs and their corresponding entity for cyber audit report submission (columns: Sr. No. | Regulated Entity | Cyber audit and declaration report submission to)
[11] Unless otherwise specified, all certifications / audits mentioned in the consolidated CSCRF have to be conducted by a CERT-In empanelled auditor.
C. Cybersecurity Framework
1. The framework is based on five concurrent and continuous functions of cybersecurity as defined by NIST[12] – Identify, Protect, Detect, Respond, and Recover.
a. IDENTIFY
The Identify function assists in developing an organizational understanding
of managing cybersecurity risk to systems, people, assets, data, and
capabilities. Understanding the business context, the resources that
support critical functions, and the related cybersecurity risks enables an
organization to focus and prioritize its efforts, consistent with its risk
management strategy and business needs.
b. PROTECT
The Protect function outlines appropriate safeguards to ensure delivery of
critical infrastructure services. The Protect function supports the ability to
limit or contain the impact of a potential cybersecurity event.
c. DETECT
The Detect function defines the appropriate activities to identify the
occurrence of a cybersecurity event. The Detect function enables timely
discovery of cybersecurity events.
d. RESPOND
The Respond function includes appropriate activities to take action
regarding a detected cybersecurity incident. The Respond function
supports the ability to contain the impact of a potential cybersecurity
incident.
e. RECOVER
The Recover function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover function supports timely recovery to normal operations and reduces the impact of a cybersecurity incident.
2. Each function covers different security controls. The controls are divided into
three categories namely objectives, standards, and guidelines:
a. Part-1: Objective
The objective highlights the goals which a specific security control wants
to achieve.
b. Part-2: Standard
The standard represents established principles for the cybersecurity
framework compliance.
c. Part-3: Guidelines
[12] Cybersecurity Framework’s five functions defined by NIST: https://www.nist.gov/cyberframework/online-learning/five-functions
[13] Refer Definitions section for the Risk definition.
[14] Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.
[15] Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.
b. Applicable to MIIs
i. The Oversight Standing Committee on Technology[17] of the stock exchanges and of the clearing corporations and the IT Strategy Committee[18] of the depositories shall on a periodic[19] basis review the implementation of the cybersecurity and resilience policy approved by their Boards. Such review shall include a review of their current IT and cybersecurity and resilience capabilities, set goals for a target level of cyber resilience, and establish a plan to improve and strengthen cybersecurity and cyber resilience.
ii. Cyber Capability Index (CCI)
1. MIIs shall conduct self-assessment of their cyber resilience using CCI and submit corresponding evidence on a periodic[20] basis. A reference of CCI and its calculation methodology has been attached as Annexure-J.
2. The indicators used in CCI and their weightages will be reviewed on a half-yearly basis to keep them updated and relevant.
[16] Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.
[17] Refer SEBI Circulars SMD/POLICY/Cir-2/98 dated January 14, 1998 and CIR/MRD/DSA/33/2012 dated December 13, 2012.
[18] Refer SEBI CIR/MRD/DMS/ 03 /2014 dated January 21, 2014.
[19] Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.
[20] Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.
[21] Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.
[22] Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.
[23] Refer SEBI CIR/MIRSD/24/2011 dated December 15, 2011.
2. PROTECT
2.1. PR.AC: Identity Management, Authentication, and Access Control
Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
[24] Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.
[25] Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.
[26] Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.
[27] Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.
c. Applicable to MIIs
i. Data and Storage Devices security
1. Along with encrypting data-at-rest and data-in-transit,
Confidential Computing shall be used to protect
sensitive personal data, sensitive financial data and PII
even when it is being processed.
[28] Refer SEBI/HO/ITD/ID_VAPT/P/CIR/2023/033 dated March 06, 2023.
[29] Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.
b. Applicable to MIIs
i. ISO Certification
1. ISO 27001 certification shall be mandatory for MIIs, as it provides essential security standards with respect to ISMS. The scope for ISO 27001 certification shall include (but not be limited to) the PDC site, DR site, NDR site and SOC.
ii. CIS Critical Security Controls
1. MIIs shall follow the latest version of the CIS Controls, which are a prioritized set of safeguards and actions for cyber defence and provide specific and actionable ways to mitigate prevalent cyber-attacks.
3. DETECT
3.1. DA.CM: Security Continuous Monitoring
The information system and assets are monitored to identify cybersecurity
events and verify the effectiveness of protective measures.
d. Applicable to MIIs
i. Security Continuous Monitoring
1. MIIs shall have a Cybersecurity Operation Centre (C-SOC) that would be a 24*7*365 set-up manned by dedicated security analysts to identify, respond, recover and protect from cybersecurity incidents[30]. The C-SOC for MIIs shall function in accordance with SEBI circular CIR/MRD/CSC/148/2018 dated December 07, 2018, which has been attached as Annexure-L.
[30] Refer SEBI circular CIR/MRD/CSC/148/2018 dated December 07, 2018.
[31] Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.
4. RESPOND
4.1. RS.RP: Response Planning
Response processes and procedures are executed and maintained, to
ensure response to detected cybersecurity incidents.
REs under MIIs supervision: Every MII shall have a SOP plan for cybersecurity incident response and recovery for REs under their supervision.
5. RECOVERY
5.1. RC.PL: Recovery Planning
Recovery processes and procedures are executed and maintained to
ensure restoration of systems or assets affected by cybersecurity incidents.
Recovery planning and processes are improved by incorporating lessons
learned into future activities.
[32] Refer Table 10 in ‘Framework Compliance, Audit, Report submission, and Timeline’ section.
[33] Refer https://www.bis.org/cpmi/publ/d146.pdf.
Contact details:
ii. Comments, as per the aforementioned format, may be sent to SEBI by July
25, 2023 through any of the following modes:
1. By email to: [email protected]
2. By post to the following address:
ENTITY TYPE:
YEAR OF AUDIT:
CISO DETAILS:
I/We hereby confirm that the information provided herein is verified by me/us and I/we
shall take the responsibility and ownership of this VAPT report.
Signature:
Company seal:
Table of Contents
1 Executive Summary
3 Detailed Report
Executive Summary
Scope of Audit
Exclusions, if any:
Cert-in empanelled:
VA Start Date:
VA End Date:
Vulnerability Assessment
Critical Assets
VA of infrastructure -
Internal and External
VA of Applications -
Internal and External
WiFi Testing
Network Segmentation
VA of mobile applications
OS and DB Assessment
VA of cloud deployments
Exclusions, if any
Cert-in empanelled:
PT Start Date:
PT End Date:
Critical Assets
External Penetration
Testing - Infrastructure and
Application
Internal Penetration
Testing - Infrastructure and
Application
PT of mobile applications
PT of cloud deployments
Exclusions, if any
3. Detailed Report
A detailed report is to be submitted for all the items in the scope as per the format mentioned below (to be submitted when sought by SEBI):
Annexure-B: Audit Metrics
Audit Metrics
An indicative (but not exhaustive) list of metrics that would help to analyse materiality is given by ISACA IS Auditing Guideline G6[34]:
9. Cost of loss of critical and vital information in terms of money and time to
reproduce
12. Nature, timing and extent of reports prepared and files maintained
[34] Refer Para 3.1.10: https://cs.uns.edu.ar/~mc/ADS/downloads/Material%20Complementario/Material%20modulo%202/isaca%20guidelines/G6-Materiality-Concepts-6Mar08.pdf
15. Penalties for failure to comply with legal, regulatory and contractual
requirements
ENTITY TYPE:
YEAR OF AUDIT:
CISO DETAILS:
I/We hereby confirm that the information provided herein is verified by me/us and I/we
shall take the responsibility and ownership of this cyber audit report.
Signature:
Company seal:
1. Background
2. Details of Auditee
Auditor name
Auditor address
Contact information
Location of audit
4. Scope of audit/Terms of reference (as agreed between the auditee and auditor),
including the standard/specific scope for audit:-
a) Audit Period –
c) Engagement period-
e) List of all IT infrastructure (including IT systems of PDC, DR, Near site, Co-lo
facility) covered under audit
---
5. Methodology /Audit approach (audit subject identification, pre-audit planning, data gathering methodology, sampling methodology
etc. followed)
6. Executive Summary of findings (including identification tests, tools used and results of tests performed)
* Explicit reference to the key auditee organisational documents (by date or version) including policy and procedure documents
* Audit report should provide terms of reference of audit which shall indicate the scope/perimeter of the coverage of the systems audited in the cyber audit report regarding the compliances checked including areas but not limited to computer hardware, business
applications, software, cyber governance, linkage with vendor systems like RTAs, Fund Accountants, email systems etc.
* Audit report should include open observations from previous audits and comments of auditors for compliances checked for the same.
* The auditor shall mention in the audit report the methodology adopted to check compliance, and the reason for disagreement between auditor and management, if any, shall be recorded in the audit report.
a. Non-compliant (Major/Minor)
b. Work in progress
c. Observation
d) Risk Rating of finding - A rating has to be given for each of the observations
based on its impact and severity to reflect the risk exposure as well as the
suggested priority for action
Rating Description
10. Specific best practices implemented by the auditee in generalized manner without
infringing on Intellectual Property Rights (IPRs)
Scenarios which are targeted to be covered in the Cyber Response plan as well as Cyber Resiliency Testing (Types of Attack × Potential Targeted Time intervals - On Core Systems):

Types of Attack (columns): DDoS; Application Level Attacks (SaaS Model); DNS Based Attacks; Malware/Malicious Code Attack; AD Attacks (Internal & Internet); Brute Force/Authentication based attack.

Time Intervals (rows):
- Before BOD/early Morning: Before 9:00 hrs
- Pre-open Sessions: B/W 9:00 - 9:15 hrs
- Regular Trading Sessions: 09:15 - 15:30 hrs
- Closing Session: 15:30 - 16:00 hrs
- Post 16:00 hrs
Attack category | Attack type | Impact | Response actions (rows recovered from the table):
- (category not recovered) | Bots | Service Unavailability | (actions not recovered)
- Application Level Attacks | Broken Authentication & Session Management; Cross-Site Scripting/request forgery | Website Defacement | 2. Disable suspected user accounts and change access credentials. 3. Apply patches/changes for vulnerability.
- DNS Based Attacks | DNS Spoofing/Cache Poisoning; DNS Flood Attack | Service Unavailability | 1. Analyse the traffic requests. 2. Restore DNS entries.
- Social Engineering Attacks | Phishing | It is a method; it may lead to any of the other attacks | Spam filtering policy should be configured in available tools as a precaution.
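The DNS Flood Attack row's first response action, "Analyse the traffic requests", is where a SOC needs something concrete to run. The block below is an added example, not part of the CSCRF or of any SEBI tool: it reads resolver query logs in a constructed five-field format (timestamp, client address, query type, query name, response code), keeps a 60-second sliding window per client, and raises two defender-side indicators of a flood: a client exceeding a per-window query rate, and a client whose answers are mostly NXDOMAIN (the pattern left by floods of random subdomains). The log lines, hostnames, addresses and thresholds are constructed for illustration.

```python
"""Baseline triage for the 'analyse the traffic requests' step of the DNS flood scenario.

Added example, not part of the CSCRF. The log line format, hostnames,
addresses and thresholds are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

WINDOW_SECONDS = 60          # sliding window per client
RATE_THRESHOLD = 20          # queries per client per window before alerting
NXDOMAIN_RATIO = 0.5         # share of NXDOMAIN answers treated as suspicious
MIN_QUERIES_FOR_RATIO = 10   # avoid ratio alerts on tiny samples


def parse_line(line: str) -> dict:
    """Parse '<ISO-8601 UTC> <client> <qtype> <qname> <rcode>' (constructed format)."""
    ts, client, qtype, qname, rcode = line.split()
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": stamp, "client": client, "qtype": qtype, "qname": qname, "rcode": rcode}


def detect_dns_flood(lines) -> dict:
    """Return {client: [indicator, ...]} for clients that trip either indicator."""
    windows = defaultdict(deque)   # client -> timestamps inside the current window
    totals = defaultdict(int)      # client -> total queries seen
    nxdomain = defaultdict(int)    # client -> NXDOMAIN answers seen
    alerts = {}
    for rec in map(parse_line, lines):
        client = rec["client"]
        q = windows[client]
        q.append(rec["ts"])
        # Drop timestamps that fell out of the window (lines arrive in time order per client).
        while (rec["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        totals[client] += 1
        if rec["rcode"] == "NXDOMAIN":
            nxdomain[client] += 1
        if len(q) > RATE_THRESHOLD:
            alerts.setdefault(client, set()).add("query_rate")
    for client, n in totals.items():
        if n >= MIN_QUERIES_FOR_RATIO and nxdomain[client] / n >= NXDOMAIN_RATIO:
            alerts.setdefault(client, set()).add("nxdomain_ratio")
    return {c: sorted(v) for c, v in alerts.items()}


# Constructed sample log: five normal lookups from an internal host, then thirty
# random-subdomain lookups within 30 seconds from one external address.
SAMPLE_LOG = [
    f"2024-01-15T09:20:{i:02d}Z 10.0.5.21 A trade-api.example.in NOERROR"
    for i in range(0, 50, 10)
] + [
    f"2024-01-15T09:20:{i:02d}Z 198.51.100.7 A r{i}.trade-api.example.in NXDOMAIN"
    for i in range(30)
]

if __name__ == "__main__":
    print(detect_dns_flood(SAMPLE_LOG))
```

The two indicators are deliberately independent: a slow random-subdomain flood can stay under the rate threshold yet still show up through the NXDOMAIN ratio, and a burst of valid queries from a misconfigured host trips only the rate check, which helps the analyst separate the two before the "Restore DNS entries" step.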
https://www.sebi.gov.in/legal/circulars/dec-2011/guidelines-on-outsourcing-of-activities-by-intermediaries_21752.html
1. Analyse the different kinds of sensitive data shown to the Customer on the frontend application to ensure that only what is deemed absolutely necessary is transmitted and displayed.
2. Wherever possible, mask portions of sensitive data. For instance, rather than displaying the full phone number or a bank account number, display only a portion of it, enough for the Customer to identify, but useless to an unscrupulous party who may covertly obtain it from the Customer’s screen. For instance, if a bank account number is “123 456 789”, consider displaying something akin to “XXX XXX 789” instead of the whole number. This also has the added benefit of not having to transmit the full piece of data over various networks.
3. Analyse data and databases holistically and draw out meaningful “silos” (physical or virtual) into which different kinds of data can be isolated and cordoned off. For instance, a database with personal financial information need not be a part of the system or network that houses the public-facing websites of the REs. They should ideally be in discrete silos or DMZs.
4. Implement strict data access controls amongst personnel, irrespective of their responsibilities, technical or otherwise. It is infeasible for certain personnel such as System Administrators and developers not to have privileged access to databases. For such cases, take strict measures to limit the number of personnel with direct access, and monitor, log, and audit their activities. Take measures to ensure that the confidentiality of data is not compromised under any of these scenarios.
5. Use industry-standard, strong encryption algorithms (e.g. RSA, AES, etc.) wherever encryption is implemented. It is important to identify data that warrants encryption, as encrypting all data is infeasible and may open up additional attack vectors. In addition, it is critical to identify the right personnel to be in charge of, and the right methodologies for, storing the encryption keys, as any compromise to either will render the encryption useless.
6. Full-disk Encryption (FDE), which protects sensitive data-at-rest at the hardware level by encrypting all data on a disk drive, shall be used wherever possible. File-based Encryption (FBE) encrypts specific files or directories instead of the complete data on a disk. Therefore, both FDE and FBE with strong industry-standard algorithms shall be used together.
7. Ensure that all critical and sensitive data is adequately backed up, and that the backup locations are adequately secured, for instance on servers on isolated networks that have no public access endpoints, or on-premise servers or disk drives that are off-limits to unauthorized personnel. Without up-to-date backups, a meaningful recovery from a disaster or cyber-attack scenario becomes increasingly difficult.
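Items 1 and 2 above describe a display policy rather than code, so here is one way to apply both server-side before a response is serialised. This is an added example, not part of the CSCRF or of any RE's application: the masking function keeps only the trailing characters of an identifier while preserving the separators the customer recognises, fully masks values too short to reveal anything safely, and the view function drops every field that the display policy does not list, so the full value never leaves the backend. The field names, the policy and the sample record are constructed for illustration.

```python
"""Server-side display masking for sensitive identifiers (items 1 and 2 above).

Added example, not part of the CSCRF. Field names, the DISPLAY_POLICY and the
SAMPLE_RECORD are constructed for illustration.
"""


def mask_identifier(value: str, keep_last: int = 3, mask_char: str = "X") -> str:
    """Mask every letter/digit except the trailing `keep_last` ones.

    Separators (spaces, dashes, '+') are kept so the customer still recognises the
    layout, e.g. "123 456 789" -> "XXX XXX 789". A value with no more than
    `keep_last` alphanumeric characters is masked entirely, because revealing its
    tail would reveal all of it.
    """
    if keep_last < 0:
        raise ValueError("keep_last must be non-negative")
    alnum_count = sum(1 for c in value if c.isalnum())
    if alnum_count <= keep_last:
        keep_last = 0
    reveal_from = alnum_count - keep_last
    out, idx = [], 0
    for c in value:
        if c.isalnum():
            out.append(c if idx >= reveal_from else mask_char)
            idx += 1
        else:
            out.append(c)
    return "".join(out)


# Display policy: field -> number of trailing characters the frontend may show.
# None means the field is shown unmasked; fields absent from the policy are not sent at all.
DISPLAY_POLICY = {"customer_name": None, "account_number": 3, "phone": 4}


def render_customer_view(record: dict, policy: dict = DISPLAY_POLICY) -> dict:
    """Build the dictionary that is serialised to the frontend.

    Only fields named in the policy are copied, and each is masked according to
    its policy entry, so the full identifier is neither displayed nor transmitted.
    """
    view = {}
    for field, keep in policy.items():
        if field not in record:
            continue
        raw = str(record[field])
        view[field] = raw if keep is None else mask_identifier(raw, keep)
    return view


# Constructed sample record; date_of_birth is intentionally outside the policy.
SAMPLE_RECORD = {
    "customer_name": "A. Sample",
    "account_number": "123 456 789",
    "phone": "+91 98765 43210",
    "date_of_birth": "1990-01-01",
}

if __name__ == "__main__":
    print(render_customer_view(SAMPLE_RECORD))
```

Masking in the view layer on the server, rather than in the browser, is what delivers the "not having to transmit the full piece of data" benefit the guidance mentions; a frontend that receives the full value and hides it with CSS has transmitted it anyway.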
2. For applications carrying sensitive data that are served as web pages over the internet, a valid, properly configured TLS (SSL) certificate on the web server is mandatory, making the transport channel HTTPS.
3. Avoid the use of insecure protocols such as FTP (File Transfer Protocol) that can be easily compromised with MITM attacks. Instead, adopt secure protocols such as FTPS, SSH and VPN tunnels, RDP (with TLS), etc.
https://www.sebi.gov.in/legal/circulars/mar-2023/framework-for-adoption-of-cloud-services-by-sebi-regulated-entities-res-_68740.html
A. Background-
CCI is an index framework to rate the preparedness and resilience of the cybersecurity
framework of the Market Infrastructure Institutions (MIIs). MIIs are directed to conduct
self-assessment of their cyber resilience using the index, on a quarterly basis, starting
from the quarter ending September 2019.
2. The list of CCI parameters, their corresponding target and weightages in the index
is as follows:
35
Refer https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-55r1.pdf
3. Security Training Measure
Goal: Information Security Goal: Ensure that organization personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Measure: Percentage (%) of information system security personnel that have received security training.
Type: Implementation Measure
Formula: (Number of information system security personnel that have completed security training within the past year / total number of information system security personnel) * 100
Target: 100%
Implementation evidence: 1. Details of the training/awareness sessions scheduled within the past 1 year. 2. Cyber audit observation against clause 2.2 of the SEBI master framework.
Weightage: 5%
2. Of the incidents reported, how many were reported within the prescribed time frame for their category, according to the time frames established by
14. Planning Measure
Goal: Information Security Goal: Develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for information systems, and the rules of behaviour for individuals accessing these systems.
Measure: Percentage of employees who are authorized access to information systems only after they sign an acknowledgement that they have read and understood rules of behaviour.
Type: Implementation Measure
Formula: (Number of users who are granted system access after signing rules of behaviour / total number of users with system access) * 100
Target: 100%
Implementation evidence: 1. How many users access the system? 2. How many users signed rules of behaviour acknowledgements? 3. How many users have been granted access to the information system only after signing rules of behaviour acknowledgements?
Weightage: 1%
21. Cybersecurity principles (prescribed by NCIIPC) encompassed in policy (Based on clause-4 of SEBI circular)
Goal: Objective of this measure is to improve the quality of the cybersecurity policy document of the MIIs.
Measure: Percentage of the principles (prescribed by NCIIPC) incorporated in policy.
Type: Implementation Measure
Formula: (Principles incorporated in organization's policy from NCIIPC / Total cybersecurity principles prescribed by NCIIPC) * 100
Target: 100%
Implementation evidence: 1. Mappings between Principles prescribed by NCIIPC and cybersecurity Policy Document of MIIs. 2. Cyber Audit Observation against clause 1.2.3.c.i of SEBI master framework.
Weightage: 1%
22. CSK Events
Goal: Objective of this measure is to mitigate threats upon external IPs to the organization.
Measure: Number of events reported by CSK.
Type: Effectiveness Measure
Formula: Number of events reported by CSK
Target: 0
Implementation evidence: 1. Summary report of the events reported by CSK.
Weightage: 4%
3. Based on the value of the index, the cybersecurity maturity level of the MIIs shall
be determined as follows:
1. The scope of the IT environment taken for VAPT should be made transparent to
SEBI and should include all critical assets and infrastructure components, including
but not limited to networking systems, security devices, servers, databases,
applications, systems accessible through WAN or LAN as well as those with public IPs,
websites, etc.
5. WIFI Testing
6. Network Segmentation
8. OS & DB Assessment
https://www.sebi.gov.in/legal/circulars/dec-2018/cyber-security-and-cyber-resilience-framework-of-stock-exchanges-clearing-corporations-and-depositories_41244.html
2.1. Following are domains and their respective minimum weightage for measuring
functional efficacy of SOC:
2.2. For each of the domains listed above, following are the sub-domains and their
respective minimum weightage:
All REs are required to send responses to the parameters given above to measure
SOC efficacy from a governance perspective.
The baseline for these categories as well as inclusion of other parameters (for
auditing SOC efficacy) may be updated on the basis of feedback/ inputs received
during the auditing process.
Incident36: Any adverse event or the threat of such an event on a RE’s and/ or its
Third Party Service Provider’s (TPSP) information systems or networks that results in
or could result in misuse/ compromise/ damage/ destruction of (i) information assets
of the RE and/ or (ii) the physical infrastructure and/or environment hosting the
information assets of the RE; in terms of confidentiality, integrity and availability, shall
be considered as an incident.
36
Incident definition taken from RBI’s guidelines on Reporting of unusual cybersecurity incidents for unified
approach of incident response and management in banking sector and securities market.
37
Refer Cert-IN direction No. 20(3)/2022 dated April 28, 2022
1. As per the cybersecurity and cyber resilience frameworks issued by SEBI for
various market participants, cybersecurity incidents have to be reported by all MIIs
and REs to SEBI in a time bound manner. It may be noted that in case any
Intermediary does not report any cybersecurity incident to SEBI (when the
Intermediary is aware of the incident) in a manner as laid down in the applicable
cybersecurity framework, a financial disincentive/ regulatory action may be taken
by SEBI as deemed fit depending on the nature of the incident.
2.1. The incident shall be reported on the SEBI Incident Reporting portal by the
intermediary. The incident shall also be reported to Indian Computer
Emergency Response Team (CERT-In) in accordance with the
guidelines/regulations/circular issued by CERT-In from time to time.
Additionally, any entity whose systems have been identified as “Critical
Information Infrastructure (CII)/ protected system” by National Critical
Information Infrastructure Protection Centre (NCIIPC), should report the
incident to NCIIPC.
2.2. The Intermediary shall undertake the necessary activities and submit the
following reports as per the following timeline:
Table 1-
Sr. No. | Name of the Report / Activity | Timeline for Submission (from the date of reporting the incident or being made aware of the incident)
4 | Forensic Audit Report (on the incident) and its closure report | Refer Below
39
Cybersecurity incidents have to be reported by MIIs and SEBI registered intermediaries in accordance with
the framework/circular/Standard Operating Procedure issued by SEBI.
*The interim report must contain, inter alia, the following: Details of the incident
including time of occurrence, information regarding affected processes/ systems
/network /services, severity of the incident40, and the steps taken to initiate the
process of response and recovery.
**The RCA report should, inter alia, include the exact cause of the incident (including
the root cause from vendor(s), if applicable), the exact timeline and chronology of the
incident, details of impacted processes/ systems /network /services, details of
corrective/ preventive measures taken (or to be taken) by the entity along with
timelines, and any other aspect relevant to the incident. Additionally, it should also
include the time when operations/ functions/ services were restored and, in the event
of a disaster, the time when the disaster was declared.
# Additional time may be provided by SEBI for the submission of RCA on a case-
by-case basis on the prayers of the Intermediary taking into account the
complexity and nature of the incidents. The same should be an exception rather
than the rule.
2.3. The RCA, forensic audit, VAPT reports, and closure reports should be
reviewed by SCOT/ Technology Committee of the MII/Intermediary before the
reports are submitted to SEBI. A report on the review
conducted/recommendations provided by SCOT/ Technology Committee
should also be submitted to SEBI along with the above mentioned reports.
2.4. On the basis of the time of submission of the interim, mitigation measure and
RCA reports (along with comments/recommendations of SCOT/Internal
technology committee), the following are the possible scenarios-
a. Scenario 1: The Intermediary submits all the reports within the stipulated
timeline.
40
Guidelines to determine the severity of the incident are given in Annexure-N
2.6. In the event of the Intermediary not submitting accurate and complete reports
after being provided additional time, a further financial disincentive may be
levied on the intermediary (over and above the disincentive mentioned in
clause 5 above). The matter will then be reviewed by HPSC-CS/ SEBI
(whichever is applicable).
Scenario 1
i. On the basis of the reports submitted by the intermediary, the matter may be put
up for the review41 of HPSC-CS by SEBI.
Review by HPSC-CS
ii. The committee will examine the reports, review the severity of the incident42 and
provide its recommendations on the same.
iii. Further, if the committee determines that the incident occurred on account of
non-compliance of SEBI cybersecurity framework/advisories, a financial
disincentive may be levied by SEBI on the Intermediary notwithstanding any
disincentive levied above.
Review by SEBI
i. If the matter is not put up for the review of HPSC-CS, SEBI will examine the
same (on the basis of the documents submitted by the Intermediary).
41
Incidents classified as High or Critical will be mandatorily put up for the review for HPSC-CS
42
The committee may confirm the severity as decided by the Intermediary or may recommend a different severity
on the basis of its analysis.
iii. SEBI, after discussion with the intermediary, shall formulate a remediation and
mitigation plan. The timelines for implementation of the measures shall also be
decided based on the discussions (between SEBI and Intermediary). In case the
measures are not implemented by the Intermediary within the prescribed
timeline, Financial Disincentives/ Regulatory Action may be taken by SEBI.
Scenario 2
ii. After all the reports have been submitted by the Intermediary, the process
established in Scenario 1 (above) will be followed.
Scenario 3
3.2. For incidents classified as low or medium, forensic report should be submitted if
it is required to find out the root cause or if the SEBI/ HPSC-CS directs the same.
3.3. After the completion of forensic audit, the Intermediary shall submit a final closure
report, which must include the root cause of the incident, its impact and measures
to prevent recurrence. The timeline for submission of the reports (including
closure reports), shall be decided based on discussion with all stakeholders.
However, the maximum period for the submission of forensic audit report shall be
as follows:
In case the report is not submitted by the Intermediary within the prescribed
timeline, a financial disincentive/ regulatory action may be taken by SEBI.
3.4. For all the issues/ observations submitted in the forensic report, the intermediary
shall provide a timeline for fixing the same. This timeline should be submitted
along with the forensic investigation/ audit report. Once the issues are resolved,
the intermediary shall file a closure report for the same.
3.5. In case the issues are not fixed within the prescribed timeline, a financial
disincentive/ regulatory action may be taken by SEBI.
b. When it is discovered?
c. What is discovered?
3 Categorization of incidents
5 Authorization
9 Off site location address where ‘golden’ copy of server image and data is stored
11 Recovery Actions
14 Perform Hotwash