Under the modified framework, MIIs should identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management.
The critical assets should include business-critical systems, internet-facing applications/systems, systems that contain sensitive data, sensitive personal data, sensitive financial data and personally identifiable information, among others.
All ancillary systems used for accessing or communicating with critical systems, whether for operations or maintenance, should also be classified as critical systems. Further, the board of the MII will be required to approve the list of critical systems.
“To this end, MII should maintain up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows,” Sebi said.
According to Sebi, MIIs should carry out periodic vulnerability assessment and penetration testing (VAPT) covering all critical assets and infrastructure components, such as servers, networking systems, security devices and other IT systems. The aim is to detect security vulnerabilities in the IT environment and to evaluate the system's security posture in depth through simulations of actual attacks on its systems and networks.
It further said MIIs should conduct VAPT at least once in a financial year.
However, for MIIs whose systems have been identified as a “protected system” by the National Critical Information Infrastructure Protection Centre (NCIIPC), Sebi said the VAPT needs to be conducted at least twice in a fiscal year.
Further, all MIIs are required to engage only CERT-In empanelled organisations for conducting VAPT.
The final report on the VAPT should be submitted to Sebi, after approval from the Standing Committee on Technology of the respective MII, within one month of completion of the VAPT activity.
“Any gaps/vulnerabilities detected have to be remedied on immediate basis and compliance of closure of findings identified during VAPT shall be submitted to Sebi within 3 months post the submission of final VAPT report to Sebi,” the regulator said.
In addition, MIIs should also perform vulnerability scanning and conduct penetration testing before commissioning any new system that is itself a critical system or part of an existing critical system.
The new framework will come into force with immediate effect, Sebi said, adding that all MIIs need to communicate the status of the implementation of the circular to the regulator within 10 days.