Basics of IT Asset Inventory and Classification

IT asset inventory and classification is a crucial process to set up an organization’s digital asset map as defined in the Cybersecurity and Cyber Resilience Framework (CSCRF) by Securities and Exchange Board of India (SEBI). The standards and guidelines provide structures and procedures for regulated entities (REs) to establish an asset inventory which helps protect IT components against cybersecurity risks. IT asset classification and inventory is a systematic approach that categorizes hardware, software, and network assets based on business operations and data sensitivity. IT assets undergo a structured classification and identification process that follows risk assessment protocols while implementing access controls based on security requirements.   

REs need to classify IT assets based on criticality to execute risk management strategies and build stronger defenses against cybersecurity threats. The protection of crucial systems aligns with SEBI’s functions and objectives to ensure effective safeguarding measures.  

What are Critical Assets?

According to CSCRF, critical assets are defined as those which are significant to an RE’s operations and data security, requiring strong protection. Identifying these assets is necessary to focus on cybersecurity efforts where they are most needed. 

Critical systems are essential for business operations and can be defined as mentioned below:   

Rise of Cyber Resilience: SEBI’s CSCRF and its SOC Mandate

Related Read: Rise of Cyber Resilience: SEBI’s CSCRF and its SOC Mandate

  • Any failure of systems that could negatively impact the core operations.
  • Systems that handle or transmit data in accordance with regulatory requirements.  
  • Devices and networks connected to the critical systems through trusted channels, including internet and client-facing applications.
  • All supporting systems that facilitate access or communication with critical systems for operational or maintenance purposes. 

By identifying critical assets, REs can effectively prioritize cybersecurity controls and access reviews, ensuring vulnerabilities are promptly addressed. This action is vital for sustaining a robust security posture and averting cybersecurity incidents. 

Importance of Maintaining an Updated Inventory

REs require an updated IT asset inventory to counter cyber threats and meet regulatory compliance of CSCRF. The efficient identification and response to risks stems from this fundamental inventory system. 

  • To start effective vulnerability management, a precise inventory of every asset should be maintained. REs must have an awareness of each of the active assets for doing routine vulnerability assessments. REs must apply fixes prior to the CSCRF deadline, which is commonly three months after VAPT. Software risk management initiatives can gain strength using a Software Bill of Materials (SBOM). 
  • The organization must ensure its environment is without ‘shadow IT assets’ or forbidden IT assets. Resources that are indeed unauthorized create cybersecurity concerns and suggest that a company monitors its assets inadequately. 
  • For spotting anomalies in real time, the Security Operations Centers need this inventory. Effective cyberattack security results through REs being able to proactively address threats. This is done effectively via asset data integration for REs.
  • Maintaining a risk register allows for documenting risks and mitigation strategies, forming a foundation for the organization’s risk profile and ensuring alignment with broader business objectives. The board or the leadership offers oversight so as to ensure alignment with business objectives. Such alignment reinforces accountability.

The CSCRF recommends an advanced configuration management database for Market Infrastructure Institutions (MIIs) in order to map interdependencies, catalog IT assets, and determine their criticality. This detailed system supports dynamic risk assessment and decision-making in complex IT environments.   

Conversely, smaller REs with simpler setups can rely on manual inventories, as long as they remain compliant and periodically refreshed. Ultimately, the goal is to achieve a comprehensive and accurate overview of assets. This customized strategy allows for scalable solutions that effectively accommodate the diverse range of regulatory entities under SEBI’s oversight.  

Data Classification 

According to CSCRF, REs needs to organize their data into two separate groups named ‘Regulatory Data’ and ‘IT and Cybersecurity Data’. The classifications outlined by CSCRF are as follows:  

Related Read: Bridging Gaps and Prioritizing Mitigation with SEBI CSCRF

Regulatory Data

  • Relates to records of communications and interactions between investors, REs, any filings required by law, SEBI guidelines, or classified as confidential by the RE or the appropriate body. 
  • For foreign investors, the original data must be retained within India. Appropriate systems should be in place for processing and analyzing the data even when it is formatted beyond readable interpretations. 

IT and Cybersecurity Data 

  • This category includes IT system logs from an organization’s subsystems along with their metadata except for network architecture related information, vulnerability related data or password hashes.  
  • IT and cybersecurity data should not be employed to extract regulatory data.  
  • While global SOCs are permitted to access information without storing it in India; they must first obtain clearance from the IT Committee of Responsible Entity (RE), certifying review with prior yearly endorsement by board/partners/proprietor before disclosing. 

To ensure the security of both data at rest and data in transit, it is essential to employ robust encryption methods such as RSA and AES, along with Data Loss Prevention solutions. Interpreting the CSCRF, IT asset classification ties closely to data classification and access control processes.  Initially, data localization was mandatory for all the REs, however with consultations from the stakeholders, the requirement is kept in abeyance until further notification 

Access Control Principles

Related Read: Audit Trail Compliance: Key Verification and Testing for Auditors

The CSCRF defines access control as a primary defensive barrier which establishes limits for authorized users, processes, and devices to access physical and logical assets. This limitation is always proportionate to the assessed risk profile of unauthorized access, ensuring that your valuable data and systems remain secure. The implementation of Access Control depends on fundamental principles together with specific requirements that include: 

  • The Principle of Least Privilege (PoLP): It demands organizations to supply users only with the exact resources and applications while maintaining duty separation among roles.  
  • The Zero Trust Model: Access to critical systems is denied by default, regardless of the origin of the request. Access is only granted after stringent authentication and authorization.  
  • Authentication: Identities and credentials must be rigorously issued, managed, verified, revoked, and audited. A comprehensive authentication policy, including strong password controls, is crucial.  
  • Multi-Factor Authentication (MFA): MFA stands as a necessary security requirement for every critical system including VPNs and webmail access, especially when users connect from untrusted networks. 
  • Regular Reviews: The evaluation process for access rights with delegated access and unused tokens should take place at regular intervals. The maker-checker framework functions as an essential system to modify user permissions while privileged user operations require quarterly assessment.  
  • Remote Access: The management of remote asset access requires detailed tracking systems while remote support services need structured governance thorough monitoring and logging. 

The application of access control depends on the criticality level of assets to determine the correct access control principles. The implemented access control principles both restrict access to essential resources and perform request verification steps to lower unauthorized access risks. This integration highlights how asset inventory supports a broader security framework. 

Conclusion

One of the significant objectives of an updated inventory is to identify critical systems and infrastructure components as a process of strengthening cyber resilience. It paves the foundation for effective and efficient access control measures and a strong recovery plan. CSCRF takes a proactive approach by incorporating continuous monitoring, vulnerability management, and integration of threat intelligence. The framework emphasizes a collective focus on all elements with an updated inventory list of the organization, data classification, and strict access control protocols. These elements work synergistically to minimize risks, prevent unauthorized access, and uphold regulatory compliance. This strategic alignment empowers regulated entities to effectively address and mitigate emerging cybersecurity threats. 

Why Choose InCorp Global?

We at InCorp provide services related to cybersecurity, information security, and data privacy. Our experienced team provides insights on implementing an effective asset management system and meeting the regulatory compliances. To learn more about our services, you can write to us at info@incorpadvisory.in or reach out to us at (+91) 77380 66622.   

Authored by:
Nakul Pranav | Cybersecurity  

Frequently Asked Questions (FAQs):Â