SEBI Cyber Security & Cyber Resilience Framework

(CSCRF) Framework

SEBI Cyber Security & Cyber Resilience Framework

To align with SEBI’s Cyber Security and Cyber Resilience Framework, Mutual Funds and Asset Management Companies (AMCs) must adopt a holistic approach to cybersecurity. This involves integrating advanced tools and technologies across various domains to safeguard sensitive data, mitigate risks, and ensure compliance.

Below is a thoughtfully curated list of tools and solutions designed to meet these requirements while ensuring ease of use, adaptability, and seamless integration into daily operations.

CSCRF Roadmap

1.) Governance, Risk, and Compliance (GRC) Management

GRC Platform: A centralized tool for managing compliance, audits, and regulatory reporting. Think of it as your command center for staying on top of SEBI requirements.
Risk Assessment & Management Tool: Helps identify, assess, and mitigate cyber risks proactively, ensuring your organization stays ahead of potential threats.
Third-Party Risk Management (TPRM) Tool: Keeps a close eye on vendors and partners, ensuring they meet your security standards through continuous monitoring and assessments.

2.) IT Asset Management & Risk Assessment

IT Asset Management (ITAM) Tool: Tracks hardware, software, and data inventory, giving you a clear picture of your digital landscape.
Enterprise Risk Management (ERM) Tool: Helps assess cyber risks and plan effective treatment strategies.
Data Discovery & Classification Tool: Identifies sensitive data like PII and financial information, ensuring it’s encrypted and protected.

3.) Identity & Access Management (IAM)

Privileged Access Management (PAM) Solution: Controls access for administrators and privileged users, reducing the risk of insider threats.
Identity & Access Management (IAM) Solution: Ensures only authorized users can access sensitive systems through role-based controls.
Multi-Factor Authentication (MFA) Solution: Adds an extra layer of security by requiring two-factor authentication.
Single Sign-On (SSO) Solution: Simplifies user authentication while maintaining security.

4.) Network & Endpoint Security

Next-Generation Firewall (NGFW): Enforces network security policies to keep malicious traffic at bay.
Intrusion Detection & Prevention System (IDS/IPS): Monitors your network for suspicious activity and blocks potential threats.
Endpoint Detection & Response (EDR) Solution: Protects laptops, desktops, and servers from advanced threats.
Data Loss Prevention (DLP) Solution: Prevents sensitive data from being leaked or stolen.
Web Security Gateway: Controls internet access and blocks malicious websites.
USB Device Control Tool: Stops data theft via external storage devices.

5.) Encryption & Data Protection

Full Disk Encryption (FDE) Solution: Protects data stored on endpoints.
Email Encryption Solution: Keeps your email communications secure.
Cloud Access Security Broker (CASB): Monitors and controls access to cloud-based applications.

6.) Security Information & Event Management (SIEM) & Threat Monitoring

SIEM Solution: Collects and analyzes logs in real-time, helping detect threats and ensure compliance.
Security Operations Center (SOC) Monitoring: Provides 24/7 threat intelligence and incident response.
User & Entity Behavior Analytics (UEBA) Tool: Detects insider threats and unusual user activity.
Threat Intelligence Platform: Keeps you updated on emerging cyber threats.

7.) Application Security & Vulnerability Management

Web Application Firewall (WAF): Shields web applications from common threats like the OWASP Top 10.
Vulnerability Management & Patch Management Tool: Identifies and patches security gaps.
Vulnerability Assessment & Penetration Testing (VAPT) Tools: Tests your systems for weaknesses.
Source Code Analysis Tool: Analyzes code for security flaws during development.

8.) Incident Response & Forensics

Incident Response & Forensic Investigation Tool: Helps investigate and recover from cyber incidents.
Backup & Disaster Recovery (BCP/DR) Solution: Ensures business continuity in the face of disruptions.

9.) Security Awareness & Training

Security Awareness Training Platform: Educates employees and vendors on cybersecurity best practices.
Phishing Simulation Tool: Tests and trains employees to recognize and avoid phishing attacks.

10.) Regulatory Reporting & Audit Compliance

Regulatory Compliance Reporting Tool: Automates SEBI quarterly reports and internal audits.
Audit & Log Management Tool: Ensures compliance with audit trails and evidence collection.

CSCRF Framework Checklist

Cybersecurity Compliance Checklist

Provide Your Information

Name: Email Address: Phone: Organisation:

1. Governance & Policy Framework

Cyber Security & Resilience Policy approved by the Board of AMC and Trustees, reviewed annually. Policy covers Identify, Protect, Detect, Respond, and Recover framework. Policy aligns with NCIIPC Guidelines and international standards (ISO 27001, ISO 27002, COBIT 5). Appointment of a Chief Information Security Officer (CISO) with clear roles and responsibilities. Establishment of a Technology Committee to review cyber security implementation quarterly. Incident reporting structure for unusual cyber activities to senior management. Periodic review of global and domestic cyber-attacks trends for strengthening security measures. Define security responsibilities for employees, vendors, and third parties accessing AMC systems.

2. Identify – Critical IT Assets & Risk Management

Maintain an up-to-date IT asset inventory (hardware, software, databases, network resources). Classify critical IT assets based on their importance to operations and data sensitivity. Identify and document cyber risks, threats, and vulnerabilities with impact assessments. Ensure third-party service providers follow similar security standards.

3. Protect – Access & Data Security

Role-based access control (RBAC) implemented. Multi-factor authentication (MFA) for accessing critical systems. Strong password policies enforced. Audit logging of user access with logs encrypted and stored for at least 2 years. Privileged access management (PAM) with strict controls for administrators. Automatic account lockout after multiple failed login attempts. Proper deactivation of accounts for employees leaving the organization. Restrict physical access to critical IT infrastructure. CCTV surveillance, biometric access controls, and security guards for data centers. Baseline security standards for OS, databases, and network devices. Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) implemented. Antivirus and malware protection on all IT assets with regular updates. Encryption of data-in-motion and data-at-rest (AES-256, RSA, SHA-2). Secure disposal of data storage devices using methods like wiping, degaussing, or physical destruction. Secure coding practices and regression testing for new software releases. Regular security patching with defined timelines based on risk levels.

4. Detect – Continuous Monitoring & VAPT

Implement Security Information and Event Management (SIEM) for monitoring security events. Real-time detection of unauthorized access, system changes, and cyber threats. Vulnerability Assessment and Penetration Testing (VAPT) conducted at least once a year. Additional VAPT before commissioning any internet-facing system.

5. Respond & Recover – Incident Management & Business Continuity

Alerts and forensic analysis for security breaches and cyber incidents. Cyber Incident Response Plan (CIRP) aligned with Recovery Time Objective (RTO) & Recovery Point Objective (RPO). Periodic incident response drills to test readiness. Post-incident analysis to incorporate lessons learned and strengthen security.

6. Sharing of Cyber Incident Data with SEBI

Submit quarterly reports on cyber threats, incidents, and mitigation measures to SEBI. Share useful cyber threat intelligence with other AMCs/MFs via SEBI-specified mechanisms.

7. Employee & Vendor Security Awareness Training

Conduct regular cybersecurity training for employees, vendors, and outsourced staff. Special cyber awareness programs for non-technical staff. Annual updates to training content to keep up with emerging threats.

8. Annual Compliance Audit & SEBI Reporting

Conduct annual cybersecurity audits by CISA/CISM-certified or CERT-IN empaneled auditors. Submit audit report with AMC Board & Trustee comments to SEBI within 3 months after fiscal year-end.

9. Vendor & Third-Party Compliance

Clearly define cybersecurity requirements in contracts with vendors, RTAs, service providers. Establish monitoring frameworks to ensure vendor compliance. Include critical outsourced functions in SEBI’s periodic compliance reports.

Audit Checklist Summary

Section	Total Items	Compliance Score (%)
Governance & Policy Framework	8	0%
Identify – Critical IT Assets & Risk Management	4	0%
Protect – Access & Data Security	17	0%
Detect – Continuous Monitoring & VAPT	4	0%
Respond & Recover – Incident Management & Business Continuity	4	0%
Sharing of Cyber Incident Data with SEBI	2	0%
Employee & Vendor Security Awareness Training	3	0%
Annual Compliance Audit & SEBI Reporting	2	0%
Vendor & Third-Party Compliance	3	0%
Total	47	0%

SEBI Cyber Security & Cyber Resilience Framework

(CSCRF) Framework

SEBI Cyber Security & Cyber Resilience Framework

CSCRF Roadmap

1.) Governance, Risk, and Compliance (GRC) Management

2.) IT Asset Management & Risk Assessment

3.) Identity & Access Management (IAM)

4.) Network & Endpoint Security

5.) Encryption & Data Protection

6.) Security Information & Event Management (SIEM) & Threat Monitoring

7.) Application Security & Vulnerability Management

8.) Incident Response & Forensics

9.) Security Awareness & Training

10.) Regulatory Reporting & Audit Compliance

CSCRF Framework Checklist

Cybersecurity Compliance Checklist

Provide Your Information

1. Governance & Policy Framework

2. Identify – Critical IT Assets & Risk Management

3. Protect – Access & Data Security

4. Detect – Continuous Monitoring & VAPT

5. Respond & Recover – Incident Management & Business Continuity

6. Sharing of Cyber Incident Data with SEBI

7. Employee & Vendor Security Awareness Training

8. Annual Compliance Audit & SEBI Reporting

9. Vendor & Third-Party Compliance

Audit Checklist Summary

Assessment Service

Managed Service

Quick Links

Contact Info

Phone no.

E-mail

Submit Details to Get Full Case Study

Submit Details to Get Full Case Study

Submit Details to Get Full Case Study

SEBI Cyber Security & Cyber Resilience Framework

(CSCRF) Framework

SEBI Cyber Security & Cyber Resilience Framework

CSCRF Roadmap

1.) Governance, Risk, and Compliance (GRC) Management

2.) IT Asset Management & Risk Assessment

3.) Identity & Access Management (IAM)

4.) Network & Endpoint Security

5.) Encryption & Data Protection

6.) Security Information & Event Management (SIEM) & Threat Monitoring

7.) Application Security & Vulnerability Management

8.) Incident Response & Forensics

9.) Security Awareness & Training

10.) Regulatory Reporting & Audit Compliance

CSCRF Framework Checklist

Cybersecurity Compliance Checklist

Provide Your Information

1. Governance & Policy Framework

2. Identify – Critical IT Assets & Risk Management

3. Protect – Access & Data Security

4. Detect – Continuous Monitoring & VAPT

5. Respond & Recover – Incident Management & Business Continuity

6. Sharing of Cyber Incident Data with SEBI

7. Employee & Vendor Security Awareness Training

8. Annual Compliance Audit & SEBI Reporting

9. Vendor & Third-Party Compliance

Audit Checklist Summary

MAKE AN IMPRESSION WITH US