Register Daily Newsletters My Bookmarks My Queries (D. Forum) My Replies (D. Forum) My Articles My Inbox (PM) Feedback/ Suggestions
Tax Management India. Com
Law and Practice  :  Digital eBook
Research is most exciting & rewarding


Case Laws Acts Notifications Circulars Classification Forms Manuals Articles News D. Forum Highlights Notes
TMI - e-Newsletter     TaxTMI    CESTAT Chennai addressed the issue of including...     TaxTMI    The High Court examined the legality of a seizure...     TaxTMI    The Appellate Authority for Advance Ruling in...     TaxTMI    The Rajasthan High Court addressed the issue of...     TaxTMI    The Delhi High Court dismissed an appeal due to...     TaxTMI    The case concerns the classification of services...     TaxTMI    The Securities and Exchange Board of India (SEBI)...     TaxTMI    The case involved a refund claim for duty paid...     TaxTMI    The communication announces the migration of CBIC...     TaxTMI    The High Court considered the challenge to...     TaxTMI    The Advance Ruling Authority (AAR) addressed the...     TaxTMI    The High Court addressed a case involving the...     TaxTMI    The case involved denial of exemption u/s 11 due to...     TaxTMI    The High Court considered a case involving income...     TaxTMI    The petitioner sought direction for acceptance of...     TaxTMI    Latest Case-Laws     TaxTMI    Latest Notifications + Circulars     TaxTMI    GST Council Decisions     TaxTMI       Right Stop
  TMI - Tax Management India. Com
Follow us:
  Facebook   Twitter   Linkedin   Telegram

TMI Blog

Home

Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporation and Depositories

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... management should aim for timely recovery of operations and fulfilment of the FMI s obligations, including in the event of a wide-scale or major disruption. 3. Stock Exchanges, Depositories and Clearing Corporations (hereafter referred as Market Infrastructure Institutions or MIIs in this document) are systemically important market infrastructure institutions. As part of the operational risk management, these MIIs need to have robust cyber security framework to provide essential facilities and perform systemically critical functions relating to trading, clearing and settlement in securities market. 4. In view of the above, SEBI along with the Technical Advisory Committee (TAC) engaged in detailed discussions with MIIs to develop necessary guidance in the area of cyber security and cyber resilience. 5. Based on the consultations and recommendations of TAC, it has been decided to lay down the framework placed at Annexure A that MIIs would be required to comply with regard to cyber security and cyber resilience. 6. MIIs are directed to take necessary steps to put in place systems for implementation of the circular, including necessary amendments to the relevant bye-laws, .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... ident, anomaly or attack, e. Recover from incident through incident management, disaster recovery and business continuity framework. 4. The Cyber security policy should encompass the principles prescribed by National Critical Information Infrastructure Protection Centre (NCIIPC) of National Technical Research Organisation (NTRO), Government of India in the report titled Guidelines for Protection of National Critical Information Infrastructure and subsequent revisions, if any, from time to time. 5. MII should also incorporate best practices from standards such as ISO 27001, ISO 27002, COBIT 5, etc., or their subsequent revisions, if any, from time to time. 6. MII should designate a senior official as Chief Information Security Officer (CISO) whose function would be to assess, identify and reduce cyber security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the cyber security and resilience policy approved by the Board of the MII. 7. The Oversight Standing Committee on Technology Refer SEBI Circulars SMD/POLICY/Cir-2/98 dated January 14, 1998 and CIR/MRD/ .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... bases and networks on a need-to-use basis and based on the principle of least privilege. Such access should be for the period when the access is required and should be authorized using strong authentication mechanisms. 16. MII should implement strong password controls for users access to systems, applications, networks and databases. Password controls should include a change of password upon first log-on, minimum password length and history, password complexity as well as maximum validity period. The user credential data should be stored using strong and latest hashing algorithms. 17. MII should ensure that records of user access are uniquely identified and logged for audit and review purposes. Such logs should be maintained and stored in encrypted form for a time period not less than two (2) years. 18. MII should deploy additional controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users). Such controls and measures should inter-alia include restricting the number of privileged users, periodic review of privileged users activities, disallow privileged users from accessing systems logs in which their act .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... on a regular basis. Security of Data 30. Data-in motion and Data-at-rest should be in encrypted form by using strong encryption methods such as Advanced Encryption Standard (AES), RSA, SHA-2, etc. 31. MII should implement measures to prevent unauthorised access or copying or transmission of data / information held in contractual or fiduciary capacity. It should be ensured that confidentiality of information is not compromised during the process of exchanging and transferring information with external parties. 32. The information security policy should also cover use of devices such as mobile phone, faxes, photocopiers, scanners, etc. that can be used for capturing and transmission of data. 33. MII should allow only authorized data storage devices through appropriate validation processes. Hardening of Hardware and Software 34. Only a hardened and vetted hardware / software should be deployed by the MII. During the hardening process, MII should inter-alia ensure that default passwords are replaced with strong passwords and all unnecessary services are removed or disabled in equipments / software. 35. All open ports which are not in use or can potentially .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... al and external parties. The security logs of systems, applications and network devices should also be monitored for anomalies. 44. Further, to ensure high resilience, high availability and timely detection of attacks on systems and networks, MII should implement suitable mechanism to monitor capacity utilization of its critical systems and networks. 45. Suitable alerts should be generated in the event of detection of unauthorized or abnormal system activities, transmission errors or unusual online transactions. Response and Recovery 46. Alerts generated from monitoring and detection systems should be suitably investigated, including impact and forensic analysis of such alerts, in order to determine activities that are to be performed to prevent expansion of such incident of cyber attack or breach, mitigate its effect and eradicate the incident. 47. The response and recovery plan of the MII should aim at timely restoration of systems affected by incidents of cyber attacks or breaches. The recovery plan should be in line with the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) specified by SEBI. 48. The response plan should define responsibilitie .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

 

 

 

 

Quick Updates:Latest Updates

What's New:
    Latest Case Laws
What's New:
    Latest Notifications
What's New:
    Latest Circulars
F: Notice received Service tax on labour supply
H: Input Tax Credit restrictions u/s 16(2)(c) and 16(4). Legislation vali...
C: Customs duty on Display Assembly of a cellular mobile phone
F: Credit note issued but not amended in GSTR1 return accordingly
F: ITC Disallowed Under 16(4)
N: Enabling provisions for import of inputs that are subjected to mandato...
H: Amended rule allows SEZ Units in International Financial Services Cent...
H: Notification: Amends Income-Tax Act, 1961 u/s 120(1) & (2) for Income ...
N: Seeks to amend Notification No. 77/2014 dated 10th December, 2014 - Se...
H: Exemption from Income Tax: Central Govt. u/s 10(46) of IT Act 1961 not...
H: New exchange rates for foreign currencies to Indian Rupees are out! Ef...
H: New rule allows Advance Authorisation holders, EOU, and SEZ to import ...
H: New rules for uploading KYC info by intermediaries to CKYCRR for ease ...
C: Uploading of KYC information by KYC Registration Agencies (KRAs) to Ce...
N: Special Economic Zones (Third Amendment) Rules, 2024 - Rule 29A - Proc...
N: Rate of exchange of one unit of foreign currency equivalent to Indian ...
T: Navigating Section 43B: Supreme Court Decision on Unutilised MODVAT Cr...
T: Failure to deduct TDS and Disallowance of expenses: Supreme Court Clar...
N: U/s 10(46) of IT Act 1961 – Central Government notifies Real Estate Ap...
C: Enabling provisions for import of inputs that are subjected to mandato...
A: Income Tax Compliance Calendar: June 2024
A: Zeroing In: Understanding Amendments Limiting Zero-Rated Supply to SEZ...
A: RECENT DEVELOPMENTS IN GST
A: REPLACEMENT OF RESOLUTION PROFESSIONAL IN THE INSOLVENCY RESOLUTION PR...
H: Violation of natural justice found! No notice served before account lo...
H: Violation of natural justice - impugned order u/s 73 of CGST Act disre...
H: Challenge to order u/s 74 of CGST Act/WBGST Act - Extended period invo...
H: Violation of natural justice found in failure to provide personal hear...
H: Petitioner's request for GST reimbursement rejected, but High Court di...
H: Validity of garnishee order questioned due to mismatch in tax statemen...