In a circular dated 20-Aug-2024, the Securities and Exchange Board of India (SEBI) issued a Cybersecurity and Cyber Resilience Framework (CSCRF) for Regulated Entities (REs). Since 2015, SEBI has periodically issued similar advisories to REs with the objective of strengthening cybersecurity measures in the Indian securities market and building adequate cyber resilience against emerging cyber threats.
The CSCRF framework covers the five goals of cyber resiliency adopted from the Cyber Crisis Management Plan (CCMP) of the Indian Computer Emergency Response Team (CERT-In) for countering cyber attacks and cyber terrorism. The five goals are Anticipate, Withstand, Contain, Recover and Evolve. These goals are linked with the following cybersecurity functions: Governance, Identify, Protect, Detect, Respond and Recover.
CSCRF requires that REs of all sizes be equipped with adequate cybersecurity measures and cyber resilience capabilities. CSCRF also contains provisions regarding the procurement of IT services, Software as a Service (SaaS) solutions and hosted services, and the audit of software solutions, applications and products.
Implementation Period
For the six categories of REs for which a cybersecurity and cyber resilience circular already exists: by January 01, 2025
For other REs for which CSCRF is being issued for the first time: by April 01, 2025
The CSCRF framework is broadly based on two approaches: cybersecurity and cyber resilience. The cybersecurity approach covers aspects from governance to operational controls (Identify, Protect, Detect, Respond and Recover), and the cyber resilience goals are Anticipate, Withstand, Contain, Recover and Evolve.
REs are required to comply with the standards and mandatory guidelines as mentioned in the CSCRF.
Guideline on Identity Management, Authentication, and Access Control
1.1 Objective: Access to physical and logical assets and associated facilities is limited to authorized users, processes and devices, and is managed commensurate with the assessed risk of unauthorized access.
1.2 Standard Guidelines
Each guideline is listed with its serial number, followed by how InstaSafe can help.

1. Guideline: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.
   How can InstaSafe help? InstaSafe can manage the complete identity and credential lifecycle, from creation and storage to deletion, with a complete audit trail of users and devices.

2. Guideline: Network integrity is protected (through measures such as network segregation, network segmentation, etc.).
   How can InstaSafe help? InstaSafe follows network segmentation, and the InstaSafe gateway securely protects and maintains the segregation.

3. Guideline: While granting access permissions and authorizations to resources (both on premise and cloud) of the organization, Principle of Least Privilege shall be followed along with segregation of duties.
   How can InstaSafe help? InstaSafe offers least-privilege access by default; subsequent access is granted based on role and subject to approval.

4. Guideline: REs shall follow Zero Trust Model to allow individuals, devices, and resources to access organization’s resources.
   How can InstaSafe help? InstaSafe offers a complete Zero Trust Access platform which combines user, device and application parameters to provide access on a need-to-know basis.

5. Guideline: Access rights shall be reviewed and documented on a periodic basis. Maker-Checker framework shall be implemented for granting, revoking, and modifying user rights in applications, databases, etc.
   How can InstaSafe help? InstaSafe offers complete audit log reports which can be used to implement a Maker-Checker framework.

6. Guideline: A comprehensive authentication policy shall be documented and implemented. Identities shall be proofed and bound to credentials and asserted in interactions. Users, devices, and other assets are authenticated (single-factor or multifactor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).
   How can InstaSafe help? InstaSafe has inbuilt MFA and device-binding capabilities which ensure that authentication takes both user and device credentials into consideration.

7. Guideline: All critical systems shall have MFA implemented for all users accessing from untrusted network to trusted network.
   How can InstaSafe help? InstaSafe has an inbuilt MFA (Authenticator App) which supports various authentication methods such as OTP, TOTP, biometrics and hardware tokens.

8. Guideline: A comprehensive log management policy shall be documented and implemented.
   How can InstaSafe help? InstaSafe offers a complete audit trail and log reports.

9. Guideline: User logs shall be uniquely identified and stored for a specified period.
   How can InstaSafe help? InstaSafe stores user logs for the time period specified by the organization.

10. Guideline: Privileged users’ activities shall be reviewed periodically. Access restriction shall be there for employees as well as third-party service providers. If it is required to grant access, it shall be for the limited time-period, on need-to-know basis and shall be subject to stringent supervision and monitoring.
    How can InstaSafe help? Privileged users can be monitored, and need-to-know access can be granted for a specific time period.

11. Guideline: Remote access to assets shall be strictly tracked and administered.
    How can InstaSafe help? Remote access to assets can be clearly monitored through the platform.

12. Guideline: A comprehensive data-disposal and data-retention policy shall be documented and implemented.
    How can InstaSafe help? InstaSafe has clear data-disposal and data-retention guidelines for customers.
InstaSafe, a proud Make in India brand, helps regulated entities by providing comprehensive identity management, authentication and access control solutions with enhanced security controls and better visibility of user and network activity.
Our distributors and partners provide a comprehensive cybersecurity solution to help your organization fully meet the CSCRF guidelines. You can email us at sales@instasafe.com or contact us through our website https://instasafe.com/contact-us/