Blog Home  »  Compliance Security   »   Decoding SEBI’s CSCRF: VAPT and Steps to Cyber Resilience?
Managed WAF

Decoding SEBI’s CSCRF: VAPT and Steps to Cyber Resilience?

Posted DateDecember 18, 2024
Author Bio
Posted Time 6   min Read

The Securities and Exchange Board of India (SEBI) has raised the bar on cybersecurity with its newly introduced Cybersecurity and Cyber Resilience Framework (CSCRF), effective August 20, 2024.

For regulated entities (REs)—including stockbrokers, depositories, asset managers, and alternative investment funds—the framework not only requires compliance but also lays out a clear path toward resilience.

These new guidelines require REs to implement VAPT and risk management, among other mandates. Let’s break down these requirements for clarity.

VAPT: A Core Component of CSCRF

Vulnerability Assessment and Penetration Testing (VAPT) isn’t just a box to check—it’s a recurring, deliberate practice to uncover and address weaknesses before attackers exploit them. For SEBI-regulated entities, this is now non-negotiable.

The framework’s guidelines (GV.PO.S1 and PR.IP.S14) mandate regular VAPT activities for all REs to ensure their systems are continuously safeguarded from emerging threats.

According to CSCRF Standard GV.PO.S1, all REs are required to conduct VAPT after every major release of applications or software.

PR.IP.S14: Entities must engage CERT-In empanelled IS Auditing Organizations for conducting VAPT, ensuring the use of certified, trusted experts for thorough vulnerability assessments. The VAPT process is expected to follow industry standards such as those outlined by OWASP and SANS to detect vulnerabilities effectively.

The guidelines PR.IP.S4 and PR.IP.S6, mandate regular testing of all systems before their deployment and after any major changes. This includes assessments of business logic, security controls, and system performance under stress scenarios.

Integrating security testing during development helps catch vulnerabilities early, saving time and costs on later fixes. With built-in DAST scanner, AppTrana WAAP ensures continuous vulnerability detection, including zero-day vulnerabilities. Further, its premium plan offers manual penetration testing, where security experts identify business logic and hidden vulnerabilities that automated scans may miss.

VAPT Report and Timeline

Under CSCRF, the timing and quality of VAPT reports are crucial:

  • GV.PO.S1: VAPT reports must be submitted within one month of the testing being completed. The report should be detailed, providing insights into the vulnerabilities found, their severity, and recommendations for fixes.
  • PR.IP.S15: Any identified vulnerabilities must be addressed and closed within three months of the VAPT report submission. This timeline ensures that risks are mitigated promptly.
  • Revalidation of VAPT: After vulnerabilities are closed, REs must carry out a revalidation of the system’s security to ensure all issues are fully addressed. This revalidation should occur within five months of the original VAPT testing.

Yet, these timelines can be a challenge for most organizations. Traditional “fix-in-code” approaches often involve lengthy testing, approval, and deployment cycles, leaving systems exposed in the meantime.

Virtual patching can provide immediate protection, blocking exploits while waiting for the official patch.

AppTrana offers a managed WAAP platform with SLA-backed virtual patching, ensuring zero false positives. It also includes SwyftComply, a service where the managed services team delivers a clean, zero-vulnerability report within 72 hours. This service ensures faster compliance and reduced security risks.

Check out the detailed blog on how SwyftComply works.

Further, as per SEBI’s requirements, all REs must implement security monitoring systems via SOCs (onboarding own/grouped SOC or third party manged SOC) to ensure constant surveillance and timely detection of security incidents.

SEBI relaxes guidelines for small-size and self-certification REs due to limited resources, but they must still engage with the Market SOC (NSE or BSE) for regular vulnerability testing. While annual VAPT is not mandatory, periodic assessments are required to ensure security.

Other Key Elements of CSCRF

The CSCRF provides comprehensive guidelines to manage and protect digital assets, ensuring both robust cybersecurity measures and strategic resilience. The structure of the CSCRF includes a focus on key objectives, standards, and governance measures that address various critical areas such as risk management, incident response, data protection, and identity management.

1. Cybersecurity Function: GOVERNANCE

Effective cybersecurity begins with a solid governance framework. The CSCRF underscores the importance of Cybersecurity Governance (GV), which includes identifying roles, responsibilities, and authorities (GV.RR), setting policies (GV.PO), and managing risks across the organization (GV.RM).

GV.RM fosters a culture of proactive risk management that doesn’t just react to current threats but anticipates and adapts to future challenges.

A critical part of this framework is Cybersecurity Supply Chain Risk Management (GV.SC), ensuring third-party vendors do not compromise security. The framework mandates adopting a Software Bill of Materials (SBOM) for all critical software, providing several advantages:

  1. Transparency: Clear breakdown of software components and dependencies.
  2. Vulnerability Tracking: Ongoing monitoring of each component’s security status.
  3. Risk Mitigation: Effective management of risks from third-party dependencies.
  4. Auditability: Ensures only authorized components are used, simplifying audits.

AppTrana’s client-side protection mitigates supply chain risks by ensuring that only authorized JavaScript executes across applications. It continuously monitors JavaScript behavior, alerts security teams to unauthorized changes, and keeps an updated inventory of all scripts, enhancing transparency and compliance.

2. Cybersecurity Function: IDENTIFY 

Another critical aspect of the CSCRF is Asset Management (ID.AM). Organizations must maintain accurate inventories of their IT assets, including physical devices, cloud infrastructure, data, and personnel.

Key standards include the maintenance of inventories for IT assets, ensuring that no shadow IT exists, and that critical systems are approved by the organization’s leadership. This is essential to keep track of assets throughout their lifecycle, ensuring compliance with risk strategies.

In parallel, Risk Assessment (ID.RA) helps organizations assess and document vulnerabilities in IT systems, while analysing cyber threats, their likelihood, and potential impacts. This ongoing process helps organizations prioritize risks and take necessary actions to mitigate them.

Organizations should define their risk appetite and employ risk-based vulnerability management tools, such as Indusface WAS, to prioritize and address vulnerabilities based on their risk scores. Depending on the severity of the vulnerabilities, they can choose to treat, transfer, tolerate, or terminate the risk.

Additionally, Indusface WAS offers asset discovery capabilities, enabling organizations to identify and catalog all assets in their environment, ensuring comprehensive visibility for effective risk management.

3. Cybersecurity Function: PROTECT

A key pillar of the CSCRF is PR.AA: Identity Management, Authentication, and Access Control. It focuses on strong access management to reduce the risk of unauthorized access and data breaches.

Breaking Down PR.AA Standards:

  1. Identity and Credential Management: Issuing, managing, verifying, and revoking credentials is essential. Identities must be tied to credentials, with authentication based on the risk level.
  2. Zero Trust Model: This approach ensures access is granted only after verifying users, devices, and resources.
  3. Multi-Factor Authentication (MFA): SEBI mandates MFA for critical systems, especially when accessed from untrusted networks, to prevent unauthorized access.
  4. Principle of Least Privilege: Access rights should be limited to what’s necessary, reducing exposure and ensuring proper segregation of duties.
  5. Periodic Reviews and Logging: Access rights, privileged activities, and user logs must be reviewed regularly and kept according to policies.

Awareness and Training (PR.AT): The CSCRF highlights that a strong cybersecurity posture starts with awareness and training. Ensuring all personnel, including privileged users and third parties, understand their cybersecurity roles is crucial. Regular training updates on new threats and technologies help keep staff prepared.

Data Security (PR.DS): Protecting both data-at-rest and data-in-transit using encryption is essential. By classifying data appropriately and restricting access within legal and operational boundaries, entities can prevent data leaks, ensure integrity, and achieve compliance. Implementing these measures aligns with CSCRF’s goal to establish resilient security controls that protect critical systems and data from evolving cyber threats.

To align with SEBI’s PR.AA standards, implementing a WAAP is an effective strategy. AppTrana WAAP acts as a shield for web applications and APIs, filtering malicious traffic, blocking unauthorized access, and protecting sensitive data. It supports the Zero Trust model by verifying every request and preventing suspicious activities. AppTrana also helps with compliance by ensuring periodic access reviews and tracking activities, while protecting against vulnerabilities like cross-site scripting, unauthorized access, and API risks.

4. Cybersecurity Function: RESPOND

The CSCRF outlines a clear RESPOND strategy to ensure organizations can effectively address and mitigate security incidents. Incident Management (RS.MA) protocols are put in place to ensure that security events are effectively managed.

Incident Response Reporting and Communication (RS.CO) ensure that relevant stakeholders are promptly informed, while Incident Analysis (RS.AN) allows organizations to understand the root causes and impacts of incidents. Continuous improvements (RS.IM) based on incident analysis ensure that the response system evolves to handle future incidents more effectively.

5. Cybersecurity Function: RECOVER

Post-incident recovery is integral to ensuring business continuity. The Incident Recovery Plan Execution (RC.RP) specifies the steps to restore affected systems and services. Communication during recovery (RC.CO) ensures stakeholders remain informed throughout the process. Regular testing of recovery plans and improvements (RC.IM) help prepare organizations to respond efficiently to any future incidents.

This structured approach of CSCRF ensures that all aspects of cybersecurity and resilience are comprehensively addressed, aligning with the organization’s strategic goals while maintaining a proactive stance against evolving cyber threats.

Stay tuned for more relevant and interesting security articles. Follow Indusface on FacebookTwitter, and LinkedIn.

AppTrana WAAP

 

Vinugayathri - Senior Content Writer
Vinugayathri Chinnasamy

Vinugayathri is a dynamic marketing professional specializing in tech content creation and strategy. Her expertise spans cybersecurity, IoT, and AI, where she simplifies complex technical concepts for diverse audiences. At Indusface, she collaborates with cross-functional teams to produce high-quality marketing materials, ensuring clarity and consistency in every piece.

Share Article:

Tags:

Join 51000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.