Bridging Gaps and Prioritizing Mitigation with SEBI CSCRF

Understanding how organizations can align with SEBI's CSCRF to assess cyber risks and strengthen defences through strategic measures.
CSCRF aims to improve protection against ever-changing breaches and incidents. The framework is built on a process of identifying risks, designing controls to mitigate them, detecting risks through tools and intelligence, responding to them through an appropriate course of action, and recovering from cyber threats or cyber-attacks. This blog centres on the activities involved in conducting a cyber risk assessment, highlighting the gaps between the Cybersecurity and Cyber Resilience Framework (CSCRF) and the organization's policy. It emphasizes the prioritization of risks based on sensitivity and concludes with the identification of priority areas and the steps for remediation.
Cyber Risk Assessment and Identification
The CSCRF mandates that regulated entities (REs) actively evaluate cyber threats by instituting governance frameworks and processes for the identification of risks. Cyber risk management is critical because it allows an organization to recognize, rank, treat, and subsequently monitor risks to its IT and information systems and to the infrastructure supporting them. The guidelines and standards of the CSCRF establish risk assessment and identification practices for each category of RE.
Here is a comprehensive view of the guidelines and standards established by CSCRF:
- REs shall ensure an overall cyber risk management practice to identify, assess, treat, and monitor risks. Risk assessments, including the assessment of post-quantum threats, shall be carried out on a regular basis, supported by risk assessment and mitigation strategies to address identified threats. The periodicity for the assessment is semiannually for Market Infrastructure Institutions (MIIs) and annually for qualified and mid-size REs.
- Full scenario-based assessments shall be conducted to consider internal and external cybersecurity risks to the IT environment. This is done taking into consideration the technology stack currently in use, known vulnerabilities, and third-party services dependencies.
- Risk assessment is aimed at identifying vulnerabilities of assets, verifying those vulnerabilities, and recording them in a risk register. It is important to assess and respond to risk factors for all IT assets to mitigate risks.
- Cyber Threat Intelligence (CTI) from trusted sources is to be imported into and incorporated with the CERT-In intelligence platform so that the latest advisories can be issued. Advisories from CERT-In/CSIRT-Fin will have to be executed immediately.
- Red Teaming Exercises are applicable to MIIs and Qualified REs. They help identify potential weaknesses in cyber security defences by simulating real-time attack conditions.
- Risk evaluation of authentication mechanisms is also considered necessary.
REs should assess the cyber threats they could potentially face, taking into consideration the likelihood of different threats and their potential damage to business operations, and actively control threats according to their importance. It is the risk assessment and gap analysis that identifies and explains the options for managing potential threats successfully. Hence, organizations should be encouraged to implement strategic controls based on the framework to manage risks successfully.
Analysis and Assessment of Gaps
The CSCRF uses a standards-based methodology. It comprises guidelines that recommend actions for adhering to standards, which in turn specify compliance principles. Comparing current practices to these standards helps find inconsistencies. Cyber audits that detail an RE's current standing with respect to the necessary standards will be conducted to make sure it adheres to the CSCRF framework. Here are a few significant points mentioned in the CSCRF:
- To find vulnerabilities in the IT environment, vulnerability scanning will be conducted in scope of Vulnerability Assessment and Penetration Testing (VAPT). The findings of these evaluations will point out areas with insufficient or nonexistent controls (gaps).
- Within the cybersecurity framework of MIIs and Qualified REs, the Cyber Capability Index (CCI) serves as a metric for assessing readiness and cyber resilience.
- Incident analysis is used to determine the root causes of cybersecurity incidents. This involves Root Cause Analysis (RCA) and, when necessary, forensic analysis. RCA attempts to determine the technological, process, and human deficiencies responsible for the incident.
- Risk assessments based on Red Teaming Exercises provide scope for adopting a pragmatic approach to strengthening cybersecurity by simulating real-time attacks and identifying gaps.
Metrics such as Mean Time to Detect, Mean Time to Respond/Resolve, Mean Time to Contain, number of incidents, and false positives/negatives can be utilized by REs to measure their degree of cybersecurity maturity and to incorporate cyber risk quantification. These metrics can reveal performance deficiencies. Performing a cybersecurity gap analysis and assessment allows cyber and information security vulnerabilities to be determined and remediation efforts to be prioritized. The above procedures and measures are necessary to ensure a robust cybersecurity system and to facilitate the implementation of risk management and risk mitigation strategies.
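The paragraph above names the metrics but not how they are derived from incident records. The following is an added example, not code from the original post or from SEBI, showing how a SOC could compute Mean Time to Detect, Contain and Resolve, incident counts by triage verdict, and then compare the results against internal targets to surface the "performance deficiencies" the text refers to. The incident records, the field names and the target values are all constructed for illustration; the verdict labels and the rule that false positives are excluded from the timing metrics are assumptions, not CSCRF definitions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    incident_id: str
    verdict: str                      # "true_positive", "false_positive" or "false_negative" (assumed labels)
    occurred_at: datetime             # start of malicious activity, as established by Root Cause Analysis
    detected_at: datetime             # when the SOC first became aware (alert, or external report for a miss)
    contained_at: Optional[datetime]  # None when no containment was needed (false positive)
    resolved_at: Optional[datetime]   # ticket closed / service fully restored


# Constructed sample incidents; these are not real events.
T0 = datetime(2024, 1, 10, 9, 0)
H = timedelta(hours=1)
SAMPLE_INCIDENTS = [
    Incident("INC-001", "true_positive", T0, T0 + 2 * H, T0 + 3 * H, T0 + 10 * H),
    Incident("INC-002", "true_positive", T0 + 24 * H, T0 + 28 * H, T0 + 30 * H, T0 + 40 * H),
    Incident("INC-003", "false_positive", T0 + 48 * H, T0 + 48 * H, None, T0 + 49 * H),
    # Missed by monitoring and reported by a third party 30 hours after it began.
    Incident("INC-004", "false_negative", T0 + 72 * H, T0 + 102 * H, T0 + 104 * H, T0 + 126 * H),
]

# Assumed internal targets (hours); an RE would set these in its own policy.
TARGETS = {"mttd_hours": 8.0, "mttc_hours": 4.0, "mttr_hours": 24.0}


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def real_incidents(incidents):
    """False positives are not incidents, so they do not enter the timing metrics."""
    return [i for i in incidents if i.verdict != "false_positive"]


def mean_time_to_detect(incidents) -> float:
    # Detection time is measured from the start of the activity, so a false negative
    # (found late, by other means) legitimately drags this number up.
    deltas = [_hours(i.occurred_at, i.detected_at) for i in real_incidents(incidents)]
    return mean(deltas) if deltas else 0.0


def mean_time_to_contain(incidents) -> float:
    deltas = [_hours(i.detected_at, i.contained_at)
              for i in real_incidents(incidents) if i.contained_at is not None]
    return mean(deltas) if deltas else 0.0


def mean_time_to_resolve(incidents) -> float:
    deltas = [_hours(i.detected_at, i.resolved_at)
              for i in real_incidents(incidents) if i.resolved_at is not None]
    return mean(deltas) if deltas else 0.0


def incident_counts(incidents) -> dict:
    counts = {"total": len(incidents), "true_positive": 0, "false_positive": 0, "false_negative": 0}
    for i in incidents:
        counts[i.verdict] += 1
    return counts


def maturity_report(incidents) -> dict:
    """Collect the metrics named in the text into one report, rounded to two decimals."""
    return {
        "mttd_hours": round(mean_time_to_detect(incidents), 2),
        "mttc_hours": round(mean_time_to_contain(incidents), 2),
        "mttr_hours": round(mean_time_to_resolve(incidents), 2),
        "counts": incident_counts(incidents),
    }


def flag_deficiencies(report: dict, targets: dict) -> list:
    """Return the metric names whose measured value exceeds the target (gaps to remediate)."""
    return [name for name, limit in targets.items() if report[name] > limit]


if __name__ == "__main__":
    report = maturity_report(SAMPLE_INCIDENTS)
    print(report)
    print("deficiencies:", flag_deficiencies(report, TARGETS))
```

With the constructed data the detection target is missed (MTTD of 12 hours against a target of 8), driven by the one missed incident; that is exactly the kind of finding a gap analysis would turn into a remediation item for detection coverage.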
Risk Prioritization and Mitigation
During risk assessment, different considerations like threats, vulnerabilities, their probabilities, and impacts are analyzed to know inherent risks and prioritize responses to risk. All major risks that are identified during this assessment must be handled as a priority. Following are the highlights mentioned in CSCRF with respect to risk prioritization and mitigation practices:
- A cybersecurity risk management policy must be developed, communicated, and implemented, incorporating risk mitigation methods and techniques. Risk responses should be selected, prioritized, planned, monitored, and communicated.
- To mitigate cyber risks, there is a need to identify controls and measures that can lower risks, as well as risk management strategies for reducing residual risks. Strong mitigation controls, as well as compensatory measure alternatives, should be embedded in the risk management system.
- A plan for vulnerability management needs to be developed and implemented. Patching critical vulnerabilities as soon as possible is essential. Vulnerability Assessment and Penetration Testing (VAPT) and other audits play a key role in identifying vulnerabilities that need to be addressed.
- Incident response tactics should be enhanced through lessons learned, contributing to continuous risk mitigation efforts. Root Cause Analysis (RCA) contributes to the strengthening of the security position of the organization, thus decreasing the likelihood of future similar cybersecurity events.
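To make the prioritization concrete, here is an added example (not code from the original post or from SEBI) of a small risk register scored with the formula given in the FAQ on this page, Risk = Likelihood × Impact with Likelihood = Threat × Vulnerability, extended with a residual-risk figure that accounts for existing control effectiveness, as the point about residual risks above requires. The 1 to 5 rating scales, the grading bands, the response expectations per grade and the register entries themselves are assumptions constructed for illustration and would be replaced by the RE's own policy values.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 1 (lowest) .. 5 (highest) rating scale for threat, vulnerability, impact

# Assumed grading bands for the resulting 1..125 score; the formula comes from the page,
# the thresholds do not.
GRADES = [(60, "critical"), (30, "high"), (12, "medium"), (0, "low")]

# Assumed response expectation per grade (illustrative, not a CSCRF requirement).
RESPONSE = {
    "critical": "treat immediately and escalate to the IT Committee",
    "high": "treat within the current review cycle",
    "medium": "track in the register and schedule treatment",
    "low": "accept and monitor",
}


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    threat: int                   # threat rating, 1..5
    vulnerability: int            # weakness/exposure rating, 1..5
    impact: int                   # business impact rating, 1..5
    control_effectiveness: float  # share of inherent risk removed by existing controls, 0.0..1.0

    def __post_init__(self):
        # Reject out-of-scale ratings early; a mistyped 50 would otherwise dominate the ranking.
        for rating in (self.threat, self.vulnerability, self.impact):
            if rating not in SCALE:
                raise ValueError(f"{self.risk_id}: ratings must be between 1 and 5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.risk_id}: control effectiveness must be between 0 and 1")

    @property
    def likelihood(self) -> int:
        return self.threat * self.vulnerability           # Likelihood = Threat × Vulnerability

    @property
    def inherent_risk(self) -> int:
        return self.likelihood * self.impact              # Risk = Likelihood × Impact

    @property
    def residual_risk(self) -> float:
        return round(self.inherent_risk * (1.0 - self.control_effectiveness), 2)


def grade(score: float) -> str:
    for threshold, label in GRADES:
        if score >= threshold:
            return label
    return "low"


def prioritize(register):
    """Highest residual risk first; ties broken by impact so high-consequence items surface."""
    return sorted(register, key=lambda r: (r.residual_risk, r.impact), reverse=True)


def treatment_plan(register):
    """One row per risk: id, inherent score, residual score, grade and expected response."""
    rows = []
    for r in prioritize(register):
        g = grade(r.residual_risk)
        rows.append((r.risk_id, r.inherent_risk, r.residual_risk, g, RESPONSE[g]))
    return rows


# Constructed register entries; the systems and ratings are invented for the example.
SAMPLE_REGISTER = [
    RiskEntry("R1", "Unpatched internet-facing gateway", 5, 4, 5, 0.30),
    RiskEntry("R2", "Phishing against operations staff", 4, 3, 4, 0.25),
    RiskEntry("R3", "Third-party market data feed outage", 3, 2, 4, 0.25),
    RiskEntry("R4", "Weak MFA on administrative portal", 4, 4, 5, 0.00),
    RiskEntry("R5", "Shared workstation in test lab", 2, 3, 1, 0.50),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER):
        print(row)
```

Note that R1 has the highest inherent score but R4 ranks first once existing controls are taken into account: ranking on residual rather than inherent risk is what directs the limited remediation budget to the gaps that are actually open.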
Only after conducting a thorough risk analysis can organizations best prioritize and manage cyber risks, allowing them to target the most pressing threats and react quickly as part of the risk mitigation process. By focusing mitigation efforts according to the relative severity of the threats, companies can solidify their defences and minimize potential consequences.
Supply Chain Risk Management (Third-Party Risk Management)
CSCRF underlines the importance of governance and supply chain risk management. REs are fully responsible for all aspects related to third-party services, particularly regarding data security and compliance with SEBI/Government of India rules. The CSCRF outlines the following points related to supply chain risk management as a part of its compliance:
- An eligible cybersecurity supply chain risk management procedure must be identified, set out, assessed, supervised, and agreed upon by all parties involved.
- Third-party service providers and suppliers must be identified, ranked, and assessed through a cyber supply chain risk assessment process.
- Terms for agreements with third-party service providers and suppliers must contain provisions sufficient to address the objectives of the RE’s cybersecurity program and cybersecurity supply chain risk management strategy.
- Detailed due diligence shall be conducted on all third-party service providers with access to IT infrastructure. The concentration risk associated with outsourced parties shall be assessed.
- A Software Bill of Materials (SBOM) shall be compulsory for all new procurements of core and critical software used in operations. The SBOM gives REs assurance that only approved third-party components have been used.
Third-Party Risk Management and effective Supply Chain Risk Management play a crucial role in making an organization run efficiently and securely. To identify any weakness that may arise, it is important to audit these third parties regularly and hold them accountable. Through supply chain risk management practices, such as risk pooling, organizations are able to strengthen their resilience and better handle disruptions in their interdependent systems.
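The SBOM point above says an SBOM lets the RE confirm that only approved components were used, but not what that check looks like. The following is an added example, not code from the original post or from SEBI, that reads a CycloneDX JSON SBOM (including nested components, which the format permits), compares every component name and version against an approved-component register, and reports what is approved, what is an approved library at a version that has not been cleared, and what is entirely unknown. The SBOM document, the approved register and the component names and versions are constructed for the example and do not describe any real product.

```python
import json

# Constructed CycloneDX 1.5 document used as sample input; not a real vendor's SBOM.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.13",
     "purl": "pkg:generic/openssl@3.0.13",
     "components": [
       {"type": "library", "name": "zlib", "version": "1.3.1",
        "purl": "pkg:generic/zlib@1.3.1"}
     ]},
    {"type": "library", "name": "libxml2", "version": "2.9.4",
     "purl": "pkg:generic/libxml2@2.9.4"},
    {"type": "library", "name": "leftpad-clone", "version": "0.1.0",
     "purl": "pkg:npm/leftpad-clone@0.1.0"}
  ]
}
"""

# Hypothetical approved-component register maintained by the RE (component name -> cleared versions).
APPROVED = {
    "openssl": {"3.0.13"},
    "zlib": {"1.3.1"},
    "libxml2": {"2.12.6"},
}


def flatten_components(components):
    """Yield every component, descending into nested 'components' lists (bundled dependencies)."""
    for comp in components:
        yield comp
        yield from flatten_components(comp.get("components", []))


def load_sbom(text: str):
    """Parse the document and return the flat list of components; reject non-CycloneDX input."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return list(flatten_components(doc.get("components", [])))


def check_sbom(text: str, approved: dict) -> dict:
    """Classify each component as approved, known-but-uncleared version, or unapproved."""
    result = {"approved": [], "version_not_approved": [], "unapproved": []}
    for comp in load_sbom(text):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version", "")
        label = f"{name}@{version}"
        if name not in approved:
            result["unapproved"].append(label)          # never reviewed by procurement
        elif version not in approved[name]:
            result["version_not_approved"].append(label)  # known library, version drift
        else:
            result["approved"].append(label)
    return result


def procurement_passes(text: str, approved: dict) -> bool:
    """True only when every component, nested ones included, is on the approved register."""
    findings = check_sbom(text, approved)
    return not findings["unapproved"] and not findings["version_not_approved"]


if __name__ == "__main__":
    print(check_sbom(SAMPLE_SBOM, APPROVED))
    print("pass:", procurement_passes(SAMPLE_SBOM, APPROVED))
```

The nested zlib entry is the reason to walk the tree rather than only the top-level list: a bundled dependency the vendor ships inside another component is still a third-party component the RE is responsible for. Version drift is kept separate from unknown components because the two usually go to different owners, the patch process for the former and the procurement review for the latter.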
Conclusion
In summary, the Cybersecurity and Cyber Resilience Framework (CSCRF) of SEBI presents a holistic approach to enhancing the cyber maturity of regulated entities. Through its emphasis on continuous risk assessment, gap analysis, risk prioritization, and third-party risk management, the framework equips organizations with the ability to strengthen their cybersecurity posture.
Critical requirements necessitate the implementation of a system that handles all remediation actions related to findings. The findings of cyber audits need to be resolved after the submission of the report, following a graded method depending on their severity. Any open issues detected in cyber audits and VAPT revalidations are to be graded and brought before the IT Committee of the regulated entity for review and advice. This follow-up process forms part of Audit Management, and auditors are required to mention any open items from previous audits. Adopting these practices ensures not just regulatory compliance but also boosts overall resistance to the continually changing environment of cyber threats.
Why Choose InCorp Global?
We at InCorp provide services related to cybersecurity, information security, and data privacy. Our experienced team provides consultation and customized assessment tools to perform effective risk assessment and gap analysis with strategic insights to mitigate the gaps. To learn more about our services, you can write to us at info@incorpadvisory.in or reach out to us at (+91) 77380 66622.
Authored by:
CA Nakul Pranav | Cybersecurity
Frequently Asked Questions
A risk assessment pursuant to the CSCRF necessitates periodic identification of assets, vulnerabilities, threats, their likelihood, and consequences in order to understand inherent risks and allocate responses in a prioritized manner.
The risk level is calculated using the formula: Risk = Likelihood × Impact. Likelihood is measured by Threat × Vulnerabilities, and Impact is the degree of expected damage.
Market Infrastructure Institutions (MIIs), Qualified REs, and Mid-size REs are required to conduct cybersecurity risk assessments. Small-size REs and Self-certification REs are exempt if they are part of a Market SOC.
A gap analysis against ISO 27001 is a careful study of how the current information security processes in an organization compare to the expectations of ISO 27001. It is critical for identifying any lapses where the organization falls below compliance, ultimately leading to the creation of a strong Information Security Management System (ISMS) that meets all required standards.