Addressing The Requirements of Cybersecurity and Cyber Resilience Framework

How Thales solutions help with SEBI CSCRF compliance

Cybersecurity and Cyber Resilience Framework (CSCRF) by SEBI

On August 20th, 2024, the Securities and Exchange Board of India (SEBI) released the Cybersecurity and Cyber Resilience Framework (CSCRF) to SEBI-regulated entities (REs) to enhance the current cybersecurity measures in the Indian securities market and strengthen the mechanism for dealing with cyber risks or threats.

The CSCRF aims to provide standards and guidelines for strengthening cyber resilience and maintaining robust cybersecurity of SEBI REs. The CSCRF framework shall supersede existing SEBI cybersecurity circulars/ guidelines/ advisories/ letters.

Global

    The CSCRF is standards-based and broadly covers the five cyber resiliency goals adopted from the Cyber Crisis Management Plan (CCMP) of the Indian Computer Emergency Response Team (CERT-In): Anticipate, Withstand, Contain, Recover, and Evolve. These cyber resiliency goals have been linked with the following cybersecurity functions: Governance, Identify, Protect, Detect, Respond, and Recover.

    The CSCRF is structured into four parts:

    • Part I: Objectives and Standards
    • Part II: Guidelines
    • Part III: Structured formats for compliance
    • Part IV: Annexures and References

    The framework shall apply to the following REs and also further sub classifies the REs into different categories based on their operational scale, number of clients, trade volume, and assets under management, and provides for specific compliance requirements for each category.

    • For REs where cybersecurity and cyber resilience circular already exists – by January 01, 2025.
    • For other REs where CSCRF is being issued for the first time – by April 01, 2025.
    Compliance brief

    Cybersecurity and Cyber Resilience Framework (CSCRF)

    Explore solutions for CSCRF compliance by addressing cybersecurity function guidelines of Governance, Identity and Protect in the framework.

    Get the Compliance Brief

    How Thales Helps with CSCRF compliance

    Thales can help REs comply with CSCRF by addressing cybersecurity function guidelines of Governance, Identity and Protect in the framework.

    We provide solutions in three key areas of cybersecurity: Application Security, Data Security, and Identity & Access Management.

    CSCRF Compliance

    CSCRF Compliance Solutions

      Application Security

      Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market leading product suite includes Web Application Firewall (WAF), protection against Distributed Denial of Service (DDoS) and malicious BOT attacks, security for APIs, a secure Content Delivery Network (CDN), and Runtime Application Self-Protection (RASP).

      Data Security

      Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption tokenization and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment as well as identify anomalous behavior, and monitor activity to verify compliance, allowing organizations to prioritize where to spend their efforts.

      Identity & Access Management

      Provide seamless, secure and trusted access to applications and digital services for customers, employees and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and Multi-Factor Authentication that help ensure that the right user is granted access to the right resource at the right time.

      Address CSCRF Standard Code and Guidelines

        SafeNet Authentication Service Private Cloud Edition (PCE) is a cost-effective, easy-to-use on-premises authentication platform that offers over 200 pre-tested configurations, supports third-party solutions, and offers diverse token types.

        CipherTrust Data Discovery & Classification (DDC) identifies and classifies data across various data stores, enhancing data privacy and security by managing assets across on-premises, hybrid, cloud, and multi-cloud environments.

        Imperva Data Security Fabric Data Activity Monitoring (DAM) enables REs to identify risks related to critical data by continuously monitoring data store activity, providing detailed audit trails.

        Imperva Data Security Fabric Data Activity Monitoring (DAM) streamlines auditing across various platforms, including relational, NoSQL, mainframe, big data, and data warehouses, and supports Microsoft Azure and AWS, capturing detailed data activity automatically.

        Thales Luna HSMs and High-speed Encryptors provide a crypto-agile approach to ensure PQC readiness for REs.

        • Fortify your encryption keys with Quantum-safe Thales Luna HSM which is commercially available with NIST quantum-resistant finalist algorithms added.
          • Quantum-Resistant Algorithms (QRA) with PQC FM with Hash Based Signing (SP800-208)
          • Integrated/ Custom-made PQC: Implement your own Post- Quantum Crypto using Luna’s Functionality Module (FM) or with various Partner FMs/integrations
          • QRNG: Inject quantum entropy with QRNG and Luna HSM’s secure key storage
        • Thales High Speed Encryption (HSE) network encryption solutions offer secure data in transit, supporting Post-Quantum Cryptography (PQC) with a crypto-agile, FPGA-based architecture, providing long-term protection against quantum attacks and encrypting everywhere.

        PQC starter kit enables REs to safely test quantum-safe solutions in a trusted environment, partnering with Quantinuum to set up a Luna HSM for PQC-ready keys.

        Imperva Web Application Firewall (WAF) offers comprehensive security for web applications, detecting and preventing cyber threats. It blocks attacks in real-time and updates rules daily.

        Imperva Data Security Fabric Data Risk Analytics monitors data access and activity, providing visibility for all users. It uses deep domain security expertise and machine learning to identify suspicious behaviors.

        SafeNet Authentication Service Private Cloud Edition (PCE) allows organizations to limit access to confidential resources and supports third-party solutions via SAML, RADIUS, Agents, or APIs.

        Imperva Web Application Firewall (WAF) offers comprehensive web application security, detecting and preventing cyber threats like cross-site scripting and illegal resource access. It blocks attacks in real time, with daily updates from the threat research team.

        Imperva API Security provides full API visibility, automatically discovering endpoints and assessing risks. It classifies sensitive APIs using call data, enabling proactive security measures. Continuous monitoring promotes faster, secure software releases, available as an add-on or part of API Security Anywhere offering.

        CipherTrust Transparent Encryption offers continuous file-level encryption, centralized key management, and privileged user access control, ensuring unauthorized access in physical, virtual, and cloud environments, ensuring seamless implementation.

        CipherTrust Enterprise Key Management enhances key management in cloud and enterprise environments, providing high security and centralization for home-grown encryption and third-party applications using FIPS 140-2-compliant virtual or hardware appliances.

        SafeNet Authentication Service Private Cloud Edition (PCE) provides centralized, secure access to enterprise applications through various authentication methods like OTP, PKI credentials, Kerberos, and various form factors.

        Thales OneWelcome Identity and Access Management Solutions offer comprehensive security measures and reporting capabilities for organizations, utilizing multi-factor authentication devices for multiple applications.

        Thales OneWelcome Consent & Preference Management module allows financial institutions to gather consumer consent, manage data access, and manage B2B delegation based on user roles and responsibilities.

        CipherTrust Manager simplifies key lifecycle management, including activities such as generation, backup and restore, deactivation, and deletion. Its key destruction phases allow organizations to achieve digital shredding of data.

        Imperva API Security provides security teams with comprehensive API visibility, enabling faster, more secure software release cycles and preventing resource-intensive workflows, thereby ensuring they stay updated with new risks.

        Data-at-rest

        Thales offers multiple solutions for data at rest that can coexist with native encryption provided by Cloud Service Provider (CSP).

        • CipherTrust Transparent Encryption offers continuous file-level encryption to protect against unauthorized access in physical, virtual, and cloud environments. It uses strong, standard-based protocols like AES and ECC, and is FIPS 140-2 Level 1 validated.
        • CipherTrust Tokenization provides tokenization, dynamic data masking for data anonymization and deidentification in the cloud.
        • CipherTrust Application Data Protection provides format preserving or traditional encryption to applications using RESTful APIs. All of the above solutions can be used to provide protection for data at rest in the cloud.
        • CipherTrust Manager is the central management point for the CipherTrust Data Security Platform. It manages key lifecycle tasks including generation, rotation, destruction, import and export, provides role based access control to keys and policies, supports robust auditing and reporting, and offers developer-friendly REST API.

        Data-in-transit

        • Thales High Speed Network Encryption (HSE) solutions secure data in motion as it moves across the network between data centers and headquarters, branch and satellite offices, to backup and disaster recovery sites, on premises and in the cloud.

        CipherTrust Data Discovery and Classification (DDC) simplifies the process of identifying and classifying sensitive data across various data stores, thereby reducing security risks and enabling better decision-making for cloud transformation and remediation.

        Imperva API Security provides comprehensive API visibility for security teams by automatically detecting endpoints and determining risks around sensitive data. It enhances protection against OWASP API Security Top 10 Risks for REs, allowing developers to build microservices and APIs across different environments.

        CipherTrust Secrets Management (CSM) automates access to secrets across DevOps tools and cloud workloads, powered by Akeyless Vault, and integrates with third-party applications like GitHub and Kubernetes.

        Thales High Speed Encryptors (HSE) offer network-independent, data-in-motion encryption, protecting data, video, voice, and metadata from eavesdropping, surveillance, and interception. Available as physical and virtual appliances, they support a wide network speed range.

        Framework for Adoption of Cloud Services

        CipherTrust Data Security Platform provides secure cloud storage for REs, utilizing advanced encryption and centralized key management, ensuring data mobility across multiple cloud vendors. 

        CipherTrust Cloud Key Manager (CCKM) supports Bring Your Own Key (BYOK) use cases across multiple cloud infrastructures and SaaS applications. It provides robust safeguards for enterprise data, enabling compliance and control over encryption key life cycles. 

        CipherTrust Transparent Encryption provides transparent encryption and access control for data residing in Amazon S3, Azure Files and more.

        CipherTrust Tokenization tokenizes the data before it is migrated to the cloud in the obfuscated form to protect the data from any breach.

        Thales Luna Hardware Security Modules (HSM) provide organizations with dedicated hardware for crypto key control, offering a tamper-resistant environment for secure cryptographic processing, key generation, and encryption.

        Other key data protection and security regulations

        PCI HSM

        Global

        MANDATE | ACTIVE NOW

        The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM Compliance certification depends on meeting those standards.

        DORA

        Global

        REGULATION | ACTIVE NOW

        DORA aims to strengthen the IT security of financial entities to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.

        Data Breach Notification Laws

        Global

        REGULATION | ACTIVE NOW

        Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.

        GLBA

        Americas

        REGULATION | ACTIVE NOW

        The Gramm-Leach-Bliley Act (GLBA)--also known as the Financial Services Modernization Act of 1999--requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.

        Contact a Compliance Specialist

        Contact Us