Cyber Security & Cyber Resilience framework for KYC Registration Agencies

[...]

[...]lment of its obligation in the event of cyber-attack.

3. Since KYC Registration Agencies (KRAs) perform the important function of maintaining KYC records of the clients in the securities market, it is desirable that KRAs have a robust Cyber Security and Cyber Resilience framework in order to provide essential facilities and perform systemically critical functions relating to the securities market.

4. In view of the above, SEBI's High Powered Steering Committee - Cyber Security decided that the framework on Cyber Security and Cyber Resilience be made applicable to KRAs. The framework placed at Annexure A would be required to be complied with by the KRAs with regard to Cyber Security and Cyber Resilience. KRAs are directed to take necessary steps to put in place systems for implementation of this circular by January 01, 2020.

5. This circular is being issued in exercise of powers conferred under Section 11(1) of the Securities and Exchange Board of India Act, 1992, to protect the interests of investors in securities and to promote the development of, and to regulate, the securities market.

Yours faithfully

[...]

[...] policy should encompass the principles prescribed by the National Critical Information Infrastructure Protection Centre (NCIIPC) of the National Technical Research Organisation (NTRO), Government of India, in the report titled "Guidelines for Protection of National Critical Information Infrastructure" and subsequent revisions, if any, from time to time.

5. KRAs should also incorporate best practices from standards such as ISO 27001, ISO 27002, COBIT 5, etc., or their subsequent revisions, if any, from time to time.

6.
KRAs should designate a senior official as Chief Information Security Officer (CISO), whose function would be to assess, identify and reduce cyber security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the cyber security and resilience policy approved by the Board of the KRAs.

7. The Board of the KRAs shall constitute a Technology Committee comprising experts proficient in technology. This Technology Committee should, on a quarterly basis, review the implementation of the Cyber Security and Cyber Resilience policy [...]

[...]

[...]ss should be for the period when the access is required and should be authorized using strong authentication mechanisms.

16. KRAs should implement strong password controls for users' access to systems, applications, networks and databases. Password controls should include a change of password upon first log-on, minimum password length and history, password complexity as well as a maximum validity period. The user credential data should be stored using strong and latest hashing algorithms.

17. KRAs should ensure that records of user access are uniquely identified and logged for audit and review purposes. Such logs should be maintained and stored in encrypted form for a time period of not less than two (2) years.

18. KRAs should deploy additional controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users). Such controls and measures should inter alia include restricting the number of privileged users, periodic review of privileged users' activities, disallowing privileged users from accessing system logs in which their activities are being captured, strong controls over r[...]

[...]

[...]. Anti-virus software should be installed on servers and other computer systems.
Updating of anti-virus definition files and automatic anti-virus scanning should be done on a regular basis.

Security of Data

30. Data in motion and data at rest should be in encrypted form, using strong encryption methods such as Advanced Encryption Standard (AES), RSA, SHA-2, etc.

31. KRAs should implement measures to prevent unauthorised access to, or copying or transmission of, data / information held in a contractual or fiduciary capacity. It should be ensured that the confidentiality of information is not compromised during the process of exchanging and transferring information with external parties.

32. The information security policy should also cover the use of devices such as mobile phones, faxes, photocopiers, scanners, etc. that can be used for capturing and transmission of data.

33. KRAs should allow only authorized data storage devices, through appropriate validation processes.

Hardening of Hardware and Software

34. Only hardened and vetted hardware / software should be dep[...]

[...]

[...] a new system which offers internet accessibility and open network interfaces.

Monitoring and Detection

43. KRAs should establish appropriate security monitoring systems and processes to facilitate continuous monitoring of security events and timely detection of unauthorised or malicious activities, unauthorised changes, unauthorised access and unauthorised copying or transmission of data / information held in a contractual or fiduciary capacity, by internal and external parties. The security logs of systems, applications and network devices should also be monitored for anomalies.

44. Further, to ensure high resilience, high availability and timely detection of attacks on systems and networks, KRAs should implement suitable mechanisms to monitor capacity utilization of their critical systems and networks.

45.
Suitable alerts should be generated in the event of detection of unauthorized or abnormal system activities, transmission errors or unusual online transactions.

Response and Recovery

46. Alerts generated from monitoring and detection systems should be suitably investigate[...]

[...]
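Points 43 to 45 require continuous monitoring of security logs with alerts on unauthorised or abnormal activity, point 17 requires every access record to be uniquely identified, and point 18 bars privileged users from reading the logs in which their own activity is captured. What that detection logic looks like over audit records is shown below as an added example; it is not part of the circular or of any KRA's system. The 'timestamp key=value ...' record format, the sample records, the role names, the object names and all thresholds are constructed for the example and would be tuned to a real environment.

```python
"""Detection over audit records for points 17, 18 and 43-45 of the circular.
Added example: log format, sample records, roles and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import List, Tuple

FAILED_LOGIN_LIMIT = 5        # failed log-ons per user within FAILED_LOGIN_WINDOW seconds
FAILED_LOGIN_WINDOW = 60
BULK_COPY_LIMIT = 1000        # KYC records exported per user within BULK_COPY_WINDOW seconds
BULK_COPY_WINDOW = 300
PRIVILEGED_ROLES = {"admin", "dba"}
LOG_STORES = {"audit_log", "syslog"}   # stores in which privileged activity is captured

# Constructed sample records in the assumed format; ids 9 and 9 repeat on purpose.
SAMPLE_LOG = """\
2019-12-02T09:00:01Z id=1 user=alice role=user event=login result=ok src=10.1.1.5
2019-12-02T09:05:10Z id=2 user=bob role=user event=login result=fail src=198.51.100.7
2019-12-02T09:05:12Z id=3 user=bob role=user event=login result=fail src=198.51.100.7
2019-12-02T09:05:14Z id=4 user=bob role=user event=login result=fail src=198.51.100.7
2019-12-02T09:05:16Z id=5 user=bob role=user event=login result=fail src=198.51.100.7
2019-12-02T09:05:18Z id=6 user=bob role=user event=login result=fail src=198.51.100.7
2019-12-02T09:10:00Z id=7 user=carol role=admin event=read obj=audit_log
2019-12-02T09:20:00Z id=8 user=alice role=user event=export obj=kyc_records records=600
2019-12-02T09:22:00Z id=9 user=alice role=user event=export obj=kyc_records records=600
2019-12-02T09:30:00Z id=9 user=dave role=user event=login result=ok src=10.1.1.9
"""

Alert = Tuple[str, str, str]   # (kind, user, detail)


def parse(line: str) -> dict:
    """'2019-12-02T09:15:01Z k=v k=v ...' -> dict, with 'ts' as UTC epoch seconds."""
    ts, _, rest = line.strip().partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    return rec


def detect(lines: List[str]) -> List[Alert]:
    alerts: List[Alert] = []
    seen_ids = set()
    failures = defaultdict(deque)   # user -> timestamps of recent failed log-ons
    exports = defaultdict(deque)    # user -> (timestamp, record count) of recent exports
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        ts, user, role, event = rec["ts"], rec.get("user", "?"), rec.get("role"), rec.get("event")
        rid = rec.get("id")
        # Point 17: each access record must be uniquely identified; a missing or repeated
        # id means the log can no longer be relied on for audit, which is itself an alert.
        if rid is None or rid in seen_ids:
            alerts.append(("log-integrity", user, "record id %r missing or repeated" % (rid,)))
        seen_ids.add(rid)
        # Point 18: privileged users must not read the logs that capture their own activity.
        if role in PRIVILEGED_ROLES and rec.get("obj") in LOG_STORES:
            alerts.append(("privileged-log-access", user, "%s read %s" % (role, rec["obj"])))
        # Points 43/45: a burst of failed log-ons is unauthorised-access activity.
        if event == "login" and rec.get("result") == "fail":
            window = failures[user]
            window.append(ts)
            while ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            if len(window) == FAILED_LOGIN_LIMIT:   # fire once, when the limit is reached
                alerts.append(("failed-login-burst", user,
                               "%d failures in %ds" % (len(window), FAILED_LOGIN_WINDOW)))
        # Point 43: unauthorised copying of KYC data shows up as export volume over a
        # window, not as any single event, so the count is summed per user.
        if event == "export" and rec.get("obj") == "kyc_records":
            count = int(rec.get("records", "0"))
            window = exports[user]
            window.append((ts, count))
            while ts - window[0][0] > BULK_COPY_WINDOW:
                window.popleft()
            total = sum(n for _, n in window)
            if total > BULK_COPY_LIMIT >= total - count:   # fire when this record crosses the limit
                alerts.append(("bulk-copy", user, "%d records in %ds" % (total, BULK_COPY_WINDOW)))
    return alerts


if __name__ == "__main__":
    for kind, who, detail in detect(SAMPLE_LOG.splitlines()):
        print("%-22s %-6s %s" % (kind, who, detail))
```

On the constructed records this raises four alerts: bob's fifth failed log-on within the window, carol (an admin) reading the audit log, alice's second export pushing her five-minute total past the limit, and the repeated record id on dave's line. The sliding windows are per user, so a distributed attempt spread across many accounts would need a second, per-source rule; the circular's point 44 on capacity monitoring would cover the volume side of that.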
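Point 16 above lists the password controls (change on first log-on, minimum length, history, complexity, maximum validity) and requires credentials to be stored with strong hashing. As an added example, not part of the circular, the following puts those controls together in one credential store. It uses salted PBKDF2-HMAC-SHA512 from the Python standard library; Argon2id or scrypt are preferable where a library providing them is available. The policy values (12 characters, last five passwords, 90 days, 210,000 iterations) are assumptions, since the circular fixes none. One caveat against point 30, which lists SHA-2 alongside AES and RSA: SHA-2 is a hash family, suited to this credential hashing and to integrity checks, but it provides no confidentiality; encrypting data at rest needs a cipher such as AES.

```python
"""Password controls of point 16 in one place: forced change at first log-on, minimum
length, complexity, history, maximum validity, and salted slow hashing of the stored
credential. Added example; policy values are assumptions, not the circular's."""
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_LENGTH = 12
HISTORY_DEPTH = 5                      # current password plus the previous four
MAX_VALIDITY_SECONDS = 90 * 24 * 3600  # maximum validity period
PBKDF2_ITERATIONS = 210_000            # OWASP (2023) floor for PBKDF2-HMAC-SHA512
COMPLEXITY = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]


class PolicyViolation(ValueError):
    """Raised when a requested password change breaks the policy."""


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA512 digest; a fresh 16-byte random salt is drawn if none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_hash(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so verification does not leak via timing."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


# Used for unknown users so a failed look-up costs the same time as a real check.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("unused")


def check_complexity(password: str) -> None:
    if len(password) < MIN_LENGTH:
        raise PolicyViolation("shorter than %d characters" % MIN_LENGTH)
    if not all(p.search(password) for p in COMPLEXITY):
        raise PolicyViolation("needs lower-case, upper-case, digit and symbol")


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    set_at: float
    must_change: bool = True                                   # True until the user sets their own
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest)

    def expired(self, now: float) -> bool:
        return now - self.set_at > MAX_VALIDITY_SECONDS


class CredentialStore:
    """In-memory store; only salted digests are kept, never the password itself."""

    def __init__(self) -> None:
        self._users: Dict[str, Credential] = {}

    def provision(self, user: str, initial_password: str, now: Optional[float] = None) -> None:
        """Administrator-issued initial password; it must be changed at first log-on."""
        salt, digest = hash_password(initial_password)
        self._users[user] = Credential(salt, digest, _now(now), must_change=True)

    def change_password(self, user: str, old: str, new: str, now: Optional[float] = None) -> None:
        cred = self._users[user]
        if not check_hash(old, cred.salt, cred.digest):
            raise PolicyViolation("current password incorrect")
        check_complexity(new)
        # Salted digests cannot be compared to each other, so history is enforced by
        # re-deriving the candidate under every retained salt.
        for salt, digest in [(cred.salt, cred.digest)] + cred.history:
            if check_hash(new, salt, digest):
                raise PolicyViolation("matches one of the last %d passwords" % HISTORY_DEPTH)
        cred.history = ([(cred.salt, cred.digest)] + cred.history)[: HISTORY_DEPTH - 1]
        cred.salt, cred.digest = hash_password(new)
        cred.set_at = _now(now)
        cred.must_change = False

    def try_change(self, user: str, old: str, new: str, now: Optional[float] = None) -> str:
        """Like change_password, but returns 'ok' or the policy reason instead of raising."""
        try:
            self.change_password(user, old, new, now)
            return "ok"
        except PolicyViolation as exc:
            return str(exc)

    def authenticate(self, user: str, password: str, now: Optional[float] = None) -> str:
        """Return 'denied', 'change-required' (first log-on or expired) or 'ok'."""
        cred = self._users.get(user)
        if cred is None:
            check_hash(password, _DUMMY_SALT, _DUMMY_DIGEST)   # burn the same time as a real check
            return "denied"
        if not check_hash(password, cred.salt, cred.digest):
            return "denied"
        if cred.must_change or cred.expired(_now(now)):
            return "change-required"
        return "ok"
```

Two design points are worth noting. History cannot be enforced by comparing stored digests, because each is salted differently; the candidate has to be re-derived under every retained salt, which is why `change_password` costs several hash computations. And `authenticate` hashes against a dummy credential for unknown users so that response time does not reveal which user names exist.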