TMI BlogGuidelines for MIIs regarding Cyber security and Cyber resilienceX X X X Extracts X X X X X X X X Extracts X X X X ..... MIIs) need to have robust cyber security framework to provide essential facilities and perform systemically critical functions relating to trading, clearing and settlement in securities market. It is also important that MIIs establish and continuously improve their Information Technology(IT) processes and controls to preserve confidentiality, integrity and availability of data and IT systems. 2. With the change in market dynamics in the Indian Securities markets, the interdependence among the MIIs has seen significant increase. Considering the interconnectedness and interdependency of the MIIs to carry out their functions, the cyber risk of any given MII is no longer limited to the MII s owned or controlled systems, networks and assets. ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... Corporations) Regulations, 2018 and Section 19 of the Depositories Act, 1996 read with Regulation 97 of Securities and Exchange Board of India (Depositories and Participants) Regulations, 2018 to protect the interests of investors in securities and to promote the development of, and to regulate the securities market. 9. The circular is issued with the approval of Competent Authority. 10. This circular is available on SEBI website at www.sebi.gov.in under the category Legal and dropdown Circulars . Yours faithfully, Ansuman Dev Pradhan Deputy General Manager +91-22-26449622 [email protected] Annexure-A MIIs are required to implement the following practices: - 1) MIIs shall maintain off ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... o deal with such attacks. 5) MIIs should conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface. 6) MIIs should patch and update software and OSs to the latest available versions and it must be reviewed on a quarterly basis to ensure the implementation of the same. 7) MIIs should implement a cybersecurity user awareness and training program that includes guidance on how to identify and report suspicious activity (e.g. phishing) or incidents. 8) MIIs should implement filters at the email gateway to filter out emails with known malicious indicators, such as known malicious subject lines, and block suspicious Internet Protocol (IP) add ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... should ensure that DCs are patched as and when patch is released and it must be reviewed on a quarterly basis to ensure the implementation of the same. b) MIIs should ensure that no unnecessary software is installed on DCs, as these can be leveraged to run arbitrary code on the system. c) MIIs should ensure that access to DCs should be restricted to the Administrators group- Users within this group should be limited and have separate accounts used for day-to-day operations with non-administrative permissions. d) MIIs should ensure that DC host firewalls are configured to prevent direct internet access. e) MIIs shall undertake the penetration testing activity (internal and external) for known Active Directory Domain Controller a ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... ons (DNS-Sec) for secure communication shall be used. 23) Management of the critical servers / applications / services / network elements should only be restricted through enterprise identified intranet systems. 24) MIIs should have system(s) in place to manage and incorporate IOCs /malware alert/vulnerability-alert (received from CERT-in or NCIIPC or any linked MII or any other government agency) in their systems. 25) MIIs shall devise standard operating procedure (SoP) to implement the advisories issued by CERT-In, NCIIPC or any other government agency in their IT environment within defined timeframe and the said SoP shall be shared with SEBI. 26) MII s response and recovery plan should be subjected to review and testing. Test ..... X X X X Extracts X X X X X X X X Extracts X X X X
|