Cyber Security and Cyber Resilience framework for Registrars to an Issue / Share Transfer Agents (hereinafter referred to as RTAs)

[...] its obligation in the event of a cyber attack. Since RTAs perform important functions in providing services to holders of securities, it is desirable that RTAs have a robust cyber security and cyber resilience framework in order to provide essential facilities and perform systemically critical functions relating to the securities market.

In view of the above, SEBI's High Powered Steering Committee - Cyber Security engaged in detailed discussions and decided that the framework prescribed vide SEBI circular CIR/MRD/DP13/2015 dated July 06, 2015 on cyber security and cyber resilience framework be broadly made applicable to large RTAs. Accordingly, the provisions of this circular are applicable only to RTAs servicing more than 2 crore folios (hereinafter referred to as Qualified RTAs or QRTAs).

The framework placed at Annexure A would be required to be complied with by the QRTAs with regard to cyber security and cyber resilience.

QRTAs are directed to take necessary steps to put in place systems for implementation of this circular by December 01, 2017.

This circular is being issued in exercise of powers conferred under Section 11(1) of the Securities and Exchange Board of India Act [...]

[...] Protection Centre (NCIIPC) of the National Technical Research Organisation (NTRO), Government of India, in the report titled Guidelines for Protection of National Critical Information Infrastructure and subsequent revisions, if any, from time to time.

5. QRTAs should also incorporate best practices from standards such as ISO 27001, ISO 27002, COBIT 5, etc., or their subsequent revisions, if any, from time to time.

6. QRTAs should designate a senior official as Chief Information Security Officer (CISO) whose function would be to assess, identify and reduce cyber security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the cyber security and resilience policy approved by the Board of the QRTA.

7. The Board of the QRTA shall constitute a Technology Committee comprising experts proficient in technology. This Technology Committee should, on a quarterly basis, review the implementation of the cyber security and cyber resilience policy approved by the Board, and such review should include a review of the QRTA's current IT and cyber security and cyber resilience capabilities, set goals [...]

[...] password upon first log-on, minimum password length and history, password complexity as well as maximum validity period. The user credential data should be stored using strong and latest hashing algorithms.

17. QRTAs should ensure that records of user access are uniquely identified and logged for audit and review purposes. Such logs should be maintained and stored in encrypted form for a period of not less than two (2) years.

18. QRTAs should deploy additional controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users). Such controls and measures should inter alia include restricting the number of privileged users, periodic review of privileged users' activities, disallowing privileged users from accessing the system logs in which their activities are captured, strong controls over remote access by privileged users, etc.

19. Account lockout policies after failed log-on attempts should be implemented for all accounts.

20.
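The password-policy, credential-storage and lockout requirements of paragraphs 16 to 19 above, as an added example; this is not code from the circular or from any QRTA's system. It reads "strong and latest hashing algorithm" the way a practitioner should: a salted, memory-hard password hash (here scrypt from Python's standard library, with Argon2 or bcrypt as equivalent choices), never a bare general-purpose digest such as SHA-256. The numeric thresholds (12 characters, a 5-password history, 90-day validity, 5 failures, 15-minute lockout) are assumed values for illustration and are not figures from the circular.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed policy values for illustration; the circular does not fix numbers.
MIN_LENGTH = 12
HISTORY_DEPTH = 5               # "password history": no reuse of the last N
MAX_AGE_SECONDS = 90 * 86400    # "maximum validity period"
MAX_FAILURES = 5                # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60
SALT_LEN = 16
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32   # ~16 MiB of memory per hash


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted scrypt hash; returns salt || digest so it can be stored as one blob."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(candidate, digest)


def complexity_problems(password: str) -> List[str]:
    """Minimum length plus a character-class mix (three of four classes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(1 for c in classes if re.search(c, password)) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    return problems


@dataclass
class Account:
    username: str
    hashes: List[bytes] = field(default_factory=list)  # oldest first, newest last
    changed_at: float = 0.0
    must_change: bool = True    # set at provisioning: forced change on first log-on
    failures: int = 0
    locked_until: float = 0.0


def create_account(username: str, initial_password: str, now: float) -> Account:
    """Provision with a one-time password that must be changed at first log-on."""
    return Account(username, [hash_password(initial_password)], now, must_change=True)


def set_password(acct: Account, new_password: str, now: float) -> List[str]:
    """Return the list of policy violations; an empty list means the change was applied."""
    problems = complexity_problems(new_password)
    if any(verify_password(new_password, h) for h in acct.hashes):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    acct.hashes = (acct.hashes + [hash_password(new_password)])[-HISTORY_DEPTH:]
    acct.changed_at = now
    acct.must_change = False
    return []


def login(acct: Account, password: str, now: float) -> str:
    """One of: locked, denied, change_required, expired, ok."""
    if now < acct.locked_until:
        return "locked"                      # do not even evaluate the password
    if not verify_password(password, acct.hashes[-1]):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "denied"
    acct.failures = 0                        # success resets the failure counter
    if acct.must_change:
        return "change_required"
    if now - acct.changed_at > MAX_AGE_SECONDS:
        return "expired"
    return "ok"
```

Two design points worth noting: the lockout check comes before the hash is computed, so a locked account costs the attacker nothing but also costs the server nothing, and the history check has to verify the candidate against every stored hash because each one carries its own salt; that is the price of never storing or comparing plaintext.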
Employees and outsourced staff, such as employees of vendors or service providers, who may be given authorised access to the QRTA's critical systems, networks and other computer resources [...]

[...] It should be ensured that the confidentiality of information is not compromised during the process of exchanging and transferring information with external parties.

32. The information security policy should also cover the use of devices such as mobile phones, faxes, photocopiers, scanners, etc. that can be used for capturing and transmitting data.

33. QRTAs should allow only authorized data storage devices, through appropriate validation processes.

Hardening of Hardware and Software

34. Only hardened and vetted hardware / software should be deployed by the QRTAs. During the hardening process, QRTAs should inter alia ensure that default passwords are replaced with strong passwords and that all unnecessary services are removed or disabled in equipment / software.

35. All open ports which are not in use or which can potentially be used for exploitation of data should be blocked. Other open ports should be monitored and appropriate measures should be taken to secure them.

Application Security and Testing

36. QRTAs should ensure that regression testing is undertaken before a new or modified system is implemented. The scope of tests should cover business logic, security controls [...]

[...] and networks.

45. Suitable alerts should be generated in the event of detection of unauthorized or abnormal system activities, transmission errors or unusual online transactions.

Response and Recovery

46.
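A baseline check for paragraph 35, as an added example and not part of the circular: it compares what a Linux host is actually listening on against an approved list of (protocol, port) pairs, so that ports "not in use" are found rather than assumed. It parses the output of `ss -H -lntu` (iproute2; `-H` drops the header, `-l` listening sockets, `-n` numeric, `-t`/`-u` TCP and UDP). The sample output and the approved baseline below are constructed for illustration, not captured from a real host.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Local addresses that mean "every interface" or "loopback only" in ss output.
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Constructed sample of `ss -H -lntu` output (columns: Netid State Recv-Q
# Send-Q Local-Address:Port Peer-Address:Port); not captured from a real host.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      50            [::]:8009           [::]:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
"""

# Assumed baseline of (protocol, port) pairs this host is approved to expose.
APPROVED: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 443)}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


@dataclass(frozen=True)
class Finding:
    listener: Listener
    severity: str   # "block" (reachable, not approved) or "info" (loopback only)
    reason: str


def parse_ss(output: str) -> List[Listener]:
    """Parse `ss -H -lntu` lines; tolerates IPv6 brackets and extra columns (e.g. -p)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                      # blank or malformed row
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # split on the last colon only
        if not port.isdigit():
            continue                      # e.g. a '*' port in an unexpected row
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def audit_listeners(output: str, approved: Set[Tuple[str, int]]) -> List[Finding]:
    """Every listening socket that is not in the baseline becomes a finding."""
    findings = []
    for lst in parse_ss(output):
        if (lst.proto, lst.port) in approved:
            continue
        if lst.addr in LOOPBACK:
            findings.append(Finding(lst, "info",
                                    "loopback only; confirm the service is still needed"))
        else:
            scope = "all interfaces" if lst.addr in WILDCARD else lst.addr
            findings.append(Finding(lst, "block",
                                    f"not in baseline and reachable on {scope}"))
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS, APPROVED):
        print(f"{f.severity:5} {f.listener.proto}/{f.listener.port:<5} "
              f"{f.listener.addr:12} {f.reason}")
```

On a real host, pipe `ss -H -lntu` into `audit_listeners` with that host's own baseline. A "block" finding should be closed at the source (stop or remove the service, per paragraph 34) and, until then, dropped in the host firewall; "info" findings bound to loopback are still reported because an unnecessary service is a hardening gap even when it is not network-reachable.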
Alerts generated from monitoring and detection systems should be suitably investigated, including impact and forensic analysis of such alerts, in order to determine the activities to be performed to contain the incident of cyber attack or breach, mitigate its effect and eradicate the incident.

47. The response and recovery plan of the QRTAs should aim at timely restoration of systems affected by incidents of cyber attacks or breaches. QRTAs should have the same Recovery Time Objective (RTO) and Recovery Point Objective (RPO) as specified by SEBI for Market Infrastructure Institutions vide SEBI circular CIR/MRD/DMS/17/20 dated June 22, 2012, as amended from time to time.

48. The response plan should define the responsibilities and actions to be performed by the QRTA's employees and support / outsourced staff in the event of a cyber attack or breach of the cyber security mechanism.

49. Any incident of loss or destruction of data or systems should be thoroughly [...]