Cyber Resilience Through IT Asset and Infrastructure Management for REs

Building Blocks of Cyber Resilience: Learn How IT Asset Inventory, Data Classification, and Access Controls Drive SEBI CSCRF Compliance and Resilience
Basics of IT Asset Inventory and Classification
IT asset inventory and classification is the process by which an organization builds its digital asset map, as defined in the Cybersecurity and Cyber Resilience Framework (CSCRF) issued by the Securities and Exchange Board of India (SEBI). The framework's standards and guidelines give regulated entities (REs) a structure and procedure for establishing an asset inventory that helps protect IT components against cybersecurity risk. In practice this is a systematic approach that catalogues hardware, software, and network assets and categorizes them by the business operations they support and the sensitivity of the data they handle. Each asset is identified and classified through a risk assessment, and access controls are then applied in line with the resulting security requirements.
REs need to classify IT assets by criticality in order to execute their risk management strategy and build stronger defenses against cyber threats. Protecting the crucial systems first aligns with SEBI's functions and objectives and ensures that safeguarding measures are effective where they matter most.
What are Critical Assets?
According to the CSCRF, critical assets are those that are significant to an RE's operations and data security and therefore require strong protection. Identifying them is necessary so that cybersecurity effort is focused where it is most needed.
Critical systems are those essential to business operations and can be defined as follows:
- Systems whose failure would negatively impact core operations.
- Systems that handle or transmit data that is subject to regulatory requirements.
- Devices and networks connected to critical systems through trusted channels, including internet-facing and client-facing applications.
- All supporting systems that provide access to, or communication with, critical systems for operational or maintenance purposes.
By identifying critical assets, REs can prioritize cybersecurity controls and access reviews and ensure that vulnerabilities on those assets are addressed promptly. This is vital for sustaining a robust security posture and averting cybersecurity incidents.
Importance of Maintaining an Updated Inventory
REs require an up-to-date IT asset inventory both to counter cyber threats and to meet the compliance requirements of the CSCRF. Efficient identification of, and response to, risk stems from this fundamental inventory.
- Effective vulnerability management starts with a precise inventory of every asset. An RE must know each active asset in order to carry out routine vulnerability assessments, and must apply fixes before the CSCRF deadline, which is commonly three months after the VAPT. Software risk management is strengthened further by maintaining a Software Bill of Materials (SBOM).
- The organization must ensure that its environment contains no 'shadow IT' or otherwise forbidden assets. Unauthorized resources are a cybersecurity concern in themselves and also indicate that the organization is monitoring its assets inadequately.
- The Security Operations Centre needs this inventory to spot anomalies in real time. Integrating asset data into SOC tooling is what allows an RE to address threats proactively rather than after the fact.
- Maintaining a risk register documents risks and their mitigation strategies, forms the foundation of the organization's risk profile, and keeps it aligned with broader business objectives. The board or leadership provides oversight of this alignment, which reinforces accountability.
The CSCRF recommends an advanced configuration management database (CMDB) for Market Infrastructure Institutions (MIIs) in order to catalogue IT assets, map their interdependencies, and determine their criticality. Such a system supports dynamic risk assessment and decision-making in complex IT environments.
Conversely, smaller REs with simpler setups can rely on manual inventories, as long as these remain compliant and are refreshed periodically. The goal in either case is a comprehensive and accurate overview of assets. This proportionate approach allows solutions to scale across the diverse range of regulated entities under SEBI's oversight.
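The checks described above, namely spotting shadow IT, finding inventory records that cannot be risk-ranked, and tracking VAPT findings against the remediation window, can be automated even for a manual (spreadsheet-style) inventory. The following is an added illustration written for this article; it is not code from SEBI, the CSCRF, or InCorp. The hostnames, IP addresses, finding IDs and dates are constructed sample data, and the 90-day remediation window is a parameter standing in for the "three months after VAPT" figure quoted above.

```python
"""Reconcile an IT asset inventory against a discovery scan and VAPT findings.

Added illustration (not from SEBI CSCRF or InCorp). All asset names, IPs,
dates and finding IDs are constructed sample data. REMEDIATION_WINDOW stands
in for the page's "commonly three months after VAPT" and is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    kind: str            # "hardware", "software" or "network"
    criticality: str     # "critical" or "non-critical"; "" if not yet classified
    owner: str           # accountable owner; "" if unassigned
    data_class: str      # "regulatory" or "it-cyber" (the two CSCRF data groups)


@dataclass(frozen=True)
class Finding:
    finding_id: str
    hostname: str
    severity: str
    vapt_date: date
    fixed_on: Optional[date] = None


REMEDIATION_WINDOW = timedelta(days=90)   # assumption: "three months after VAPT"

# Constructed authoritative inventory (what the RE believes it owns).
INVENTORY = [
    Asset("trade-gw-01", "10.10.1.5", "hardware", "critical", "ops-lead", "regulatory"),
    Asset("kyc-db-01", "10.10.2.7", "hardware", "critical", "dba-lead", "regulatory"),
    Asset("siem-01", "10.10.3.9", "software", "non-critical", "soc-lead", "it-cyber"),
    Asset("jump-01", "10.10.4.2", "hardware", "", "", "it-cyber"),   # incomplete record
]

# Constructed output of a network discovery scan: hostname -> observed IP.
DISCOVERED = {
    "trade-gw-01": "10.10.1.5",
    "kyc-db-01": "10.10.2.7",
    "siem-01": "10.10.3.9",
    "jump-01": "10.10.4.2",
    "dev-box-07": "10.10.9.41",   # not in the inventory: shadow IT candidate
}

# Constructed VAPT findings; one has already been fixed.
FINDINGS = [
    Finding("VAPT-0001", "trade-gw-01", "high", date(2025, 1, 10), fixed_on=date(2025, 2, 1)),
    Finding("VAPT-0002", "kyc-db-01", "critical", date(2025, 1, 10)),
    Finding("VAPT-0003", "siem-01", "medium", date(2025, 3, 20)),
]


def shadow_assets(inventory: List[Asset], discovered: Dict[str, str]) -> List[str]:
    """Hosts seen on the network that no inventory record accounts for."""
    known = {a.hostname for a in inventory}
    return sorted(h for h in discovered if h not in known)


def ip_mismatches(inventory: List[Asset], discovered: Dict[str, str]) -> List[str]:
    """Inventory records whose recorded IP differs from what the scan observed."""
    return sorted(a.hostname for a in inventory
                  if a.hostname in discovered and discovered[a.hostname] != a.ip)


def incomplete_records(inventory: List[Asset]) -> List[str]:
    """Assets that cannot be risk-ranked because owner or criticality is missing."""
    return sorted(a.hostname for a in inventory if not a.owner or not a.criticality)


def overdue_findings(findings: List[Finding], inventory: List[Asset], as_of: date) -> List[Finding]:
    """Open findings past the remediation window, findings on critical assets first."""
    is_critical = {a.hostname: a.criticality == "critical" for a in inventory}
    overdue = [f for f in findings
               if f.fixed_on is None and as_of > f.vapt_date + REMEDIATION_WINDOW]
    return sorted(overdue, key=lambda f: (not is_critical.get(f.hostname, False), f.finding_id))


def report(as_of_iso: str) -> Dict[str, List[str]]:
    """Run every check for a given review date (ISO format) and return the exceptions."""
    as_of = date.fromisoformat(as_of_iso)
    return {
        "shadow": shadow_assets(INVENTORY, DISCOVERED),
        "ip_mismatch": ip_mismatches(INVENTORY, DISCOVERED),
        "incomplete": incomplete_records(INVENTORY),
        "overdue": [f.finding_id for f in overdue_findings(FINDINGS, INVENTORY, as_of)],
    }


if __name__ == "__main__":
    for check, hits in report("2025-05-01").items():
        print(f"{check:12s} {hits}")
```

Each exception the report raises maps to a point in the text: a "shadow" hit is an unauthorized asset, an "incomplete" hit is a record that cannot be classified by criticality, and an "overdue" hit is a finding still open after the remediation window, ordered so that critical assets surface first. In production the three inputs would come from the CMDB, the discovery tool and the VAPT tracker rather than from literals.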
Data Classification
According to the CSCRF, REs need to organize their data into two separate groups, 'Regulatory Data' and 'IT and Cybersecurity Data'. The classifications outlined by the CSCRF are as follows:
Regulatory Data
- Records of communications and interactions between investors and REs, any filings required by law or SEBI guidelines, and any data classified as confidential by the RE or the appropriate body.
- For foreign investors, the original data must be retained within India. Appropriate systems should be in place to process and analyze this data even when it is stored in a format that is not directly readable.
IT and Cybersecurity Data
- This category covers IT system logs from an organization's subsystems along with their metadata, excluding network architecture information, vulnerability data and password hashes.
- IT and cybersecurity data must not be used to derive regulatory data.
- Global SOCs may access this information without storing it in India, but only after obtaining clearance from the RE's IT Committee, with that clearance endorsed annually in advance by the board, partners or proprietor before disclosure.
To secure data both at rest and in transit, REs should employ strong encryption (for example AES for bulk encryption and RSA for key exchange) alongside Data Loss Prevention solutions. Under the CSCRF, IT asset classification is closely tied to data classification and access control. Data localization was initially mandatory for all REs; following stakeholder consultation, that requirement has been kept in abeyance until further notification.
Access Control Principles
The CSCRF defines access control as a primary defensive barrier that limits which authorized users, processes, and devices may access physical and logical assets. The limitation must be proportionate to the assessed risk of unauthorized access, so that valuable data and systems remain secure. Implementation rests on a set of fundamental principles and specific requirements:
- The Principle of Least Privilege (PoLP): Users receive only the resources and applications their role requires, with separation of duties maintained between roles.
- The Zero Trust Model: Access to critical systems is denied by default, regardless of where the request originates; access is granted only after stringent authentication and authorization.
- Authentication: Identities and credentials must be rigorously issued, managed, verified, revoked, and audited, under a comprehensive authentication policy that includes strong password controls.
- Multi-Factor Authentication (MFA): MFA is mandatory for every critical system, including VPN and webmail access, and especially when users connect from untrusted networks.
- Regular Reviews: Access rights, delegated access and unused tokens must be reviewed at regular intervals. Changes to user permissions go through a maker-checker process, and privileged user operations are reviewed quarterly.
- Remote Access: Remote access to assets requires detailed tracking, and remote support services require structured governance with monitoring and logging.
Which access control principles apply to an asset depends on its criticality level. The principles both restrict access to essential resources and verify each request, lowering the risk of unauthorized access. This is how the asset inventory underpins the broader security framework.
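The review steps listed above (least privilege against a role baseline, quarterly review of privileged accounts, expiry of unused tokens, and maker-checker on permission changes) can be expressed as checks over an entitlement export. The following is an added illustration written for this article, not code from SEBI, the CSCRF or InCorp. The users, assets, roles, permissions and dates are constructed; the 90-day privileged review interval follows the quarterly requirement in the text, while the 60-day idle-token threshold and the role baseline are assumptions chosen for the example.

```python
"""Periodic access review over a constructed entitlement export.

Added illustration, not part of the CSCRF text or InCorp's tooling. The
quarterly (90-day) privileged review follows the article; the 60-day idle
threshold, the role baseline and every user, asset and date are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Entitlement:
    subject: str                  # user or service account
    asset: str
    role: str                     # role the RBAC model assigns to this subject
    permissions: FrozenSet[str]   # permissions actually granted on the asset
    privileged: bool
    last_used: Optional[date]
    last_reviewed: Optional[date]


@dataclass(frozen=True)
class ChangeRequest:
    subject: str
    role: str
    grant: FrozenSet[str]         # permissions the change would add
    maker: str
    checker: Optional[str]


# Assumed RBAC baseline: the permissions each role is entitled to.
ROLE_BASELINE: Dict[str, FrozenSet[str]] = {
    "trader": frozenset({"read_orders", "place_order"}),
    "ops": frozenset({"read_orders", "restart_service"}),
    "dba": frozenset({"read_db", "write_db", "backup_db"}),
}
PRIVILEGED_REVIEW = timedelta(days=90)   # quarterly, per the article
IDLE_TOKEN = timedelta(days=60)          # assumption for the example

# Constructed entitlement export.
ENTITLEMENTS = [
    Entitlement("alice", "trade-gw-01", "trader", frozenset({"read_orders", "place_order"}),
                False, date(2025, 4, 28), date(2025, 1, 15)),
    Entitlement("bob", "kyc-db-01", "dba", frozenset({"read_db", "write_db", "backup_db", "drop_db"}),
                True, date(2025, 4, 30), date(2025, 1, 5)),
    Entitlement("svc-report", "kyc-db-01", "dba", frozenset({"read_db"}),
                False, date(2025, 1, 2), date(2025, 2, 1)),
    Entitlement("carol", "jump-01", "ops", frozenset({"read_orders", "restart_service"}),
                True, date(2025, 4, 29), date(2025, 3, 1)),
]


def excess_permissions(e: Entitlement) -> FrozenSet[str]:
    """Least privilege: permissions granted beyond what the subject's role allows."""
    return e.permissions - ROLE_BASELINE.get(e.role, frozenset())


def privileged_review_due(entitlements: List[Entitlement], as_of: date) -> List[str]:
    """Privileged subjects whose last review is older than the quarterly interval."""
    return sorted(e.subject for e in entitlements if e.privileged
                  and (e.last_reviewed is None or as_of > e.last_reviewed + PRIVILEGED_REVIEW))


def idle_tokens(entitlements: List[Entitlement], as_of: date) -> List[str]:
    """Subjects whose access has not been exercised within the idle threshold."""
    return sorted(e.subject for e in entitlements
                  if e.last_used is None or as_of > e.last_used + IDLE_TOKEN)


def validate_change(req: ChangeRequest) -> List[str]:
    """Maker-checker and least privilege gate for a permission change; empty list = accept."""
    problems = []
    if req.checker is None or req.checker == req.maker:
        problems.append("maker-checker: approval must come from a second person")
    excess = req.grant - ROLE_BASELINE.get(req.role, frozenset())
    if excess:
        problems.append(f"least privilege: {sorted(excess)} not permitted for role '{req.role}'")
    return problems


def review(as_of_iso: str) -> Dict[str, List[str]]:
    """Run the periodic review for a given date and return the exceptions found."""
    as_of = date.fromisoformat(as_of_iso)
    return {
        "excess": sorted(e.subject for e in ENTITLEMENTS if excess_permissions(e)),
        "privileged_review_due": privileged_review_due(ENTITLEMENTS, as_of),
        "idle": idle_tokens(ENTITLEMENTS, as_of),
    }


if __name__ == "__main__":
    for check, hits in review("2025-05-01").items():
        print(f"{check:22s} {hits}")
    req = ChangeRequest("dave", "trader", frozenset({"place_order", "drop_db"}), "dave", "dave")
    print("change problems:", validate_change(req))
```

The "excess" list is where least privilege is enforced after the fact (a dba holding a permission the role does not include), "privileged_review_due" drives the quarterly review, and "idle" feeds token revocation. `validate_change` applies the same two rules at the point of change, rejecting a request that its own maker approves or that would grant permissions outside the role baseline.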
Conclusion
One of the main purposes of an up-to-date inventory is to identify critical systems and infrastructure components as part of strengthening cyber resilience. It lays the foundation for effective access control measures and a sound recovery plan. The CSCRF takes a proactive approach by incorporating continuous monitoring, vulnerability management, and integration of threat intelligence, and it places a collective focus on an up-to-date asset inventory, data classification, and strict access control. These elements work together to minimize risk, prevent unauthorized access, and uphold regulatory compliance, equipping regulated entities to address and mitigate emerging cybersecurity threats.
Why Choose InCorp Global?
We at InCorp provide services related to cybersecurity, information security, and data privacy. Our experienced team provides insights on implementing an effective asset management system and meeting the regulatory compliances. To learn more about our services, you can write to us at info@incorpadvisory.in or reach out to us at (+91) 77380 66622.
Authored by:
Nakul Pranav | Cybersecurity
Frequently Asked Questions (FAQs):
ISO/IEC 27001:2022 addresses asset management in Annex A: controls 5.9 to 5.12 cover the inventory of information and other associated assets, their acceptable use, their return, and their classification (in the 2013 edition these sat under the A.8 asset management domain). The standard requires organizations to create a comprehensive inventory, assign clear ownership, and categorize assets based on their value and sensitivity.
The CSCRF mandates that every RE classify its data into two types: Regulatory Data and IT and Cybersecurity Data. Regulatory Data encompasses information related to core and critical business operations, investor communications, legally mandated records and any data classified as sensitive by regulatory authorities, whereas IT and Cybersecurity Data includes logs and metadata from IT systems.
For small organizations, implementing effective access control is essential to safeguard sensitive data without overwhelming limited resources. Small organizations can adopt and practice principles like the Principle of Least Privilege (PoLP), Role-Based Access Control (RBAC) and Strong Authentication methods like multi-factor authentication to verify user identities and prevent unauthorized access.
A Software Bill of Materials (SBOM) is a formal record that details the components, and their supply chain relationships used in building software. REs are required to obtain SBOMs for all software or applications used for core and critical business operations. If SBOM cannot be obtained for legacy or proprietary systems, the RE's Board, Partners, or Proprietor must approve this with a documented rationale, limitations, and risk management approach.