Transcript for:
Cyber Security Resilience Framework Overview

Welcome to the YouTube channel of Hi everyone, very good morning, and we are back with the next session on the SEBI CSCRF, which is the Cyber Security Resilience and Framework. Today we're going to talk about how we're going to automate the SEBI CSCRF and more specifically the CCI, which is the Cyber Capability Index. As mentioned on page 55 of the circular, every organization needs to put in their efforts to automate the capabilities to calculate the Cyber Capability Index, which is the CCI Index. But before that, what we're going to do is we're going to get a brief on the different kinds of questions that we have been seeing from different kinds of customers, different kinds of regulated entities in the industry who had been asking a few of the questions. And also, why is this needed? Who are the people, or who are the organizations, or which are the entities which have a compulsion of doing it? Right, so feel free to shoot your questions in the comment boxes and we will take that up as well, and we'll also give you a brief of this SEBI CSCRF. Right, so I'll be sharing my screen and we're going to have an interactive session, in terms of you can ask us questions, we'll be giving you glimpses of the presentation and also the tool that is helping a lot of organizations automate the CCI, and a lot of explorations that we will come to know today as well. All right. So just allow me a moment to share my screen.
So, understanding the SEBI cybersecurity and cyber resilience framework. Right. So what is the cybersecurity and cyber resilience framework? Well, as we get more interconnected with different kinds of things, as we go more digital, risks with respect to cyber increase a lot. And in the world of cybersecurity, we know that if someone comes and tells you that we cannot be hacked or we never have been hacked, well, it's just a matter of time. Because every organization, either they are hacked or will be hacked.
And that's the reason cyber resilience is very much important, because you might get attacked, but how you recover from that is very important. And that's what makes an organization stand out from other organizations, on how they come back from an incident. And that's the reason the CSCRF has been brought into the account.
Now, you might be thinking, OK, we understand about the cybersecurity and cyber resilience, but why SEBI came up with this and why it has asked so many organizations, so many entities to follow it. So let's understand that piece as well. Well, the CSCRF was developed to address the growing sophistication of the cyber threats. We have seen in the recent past as well how many organizations, institutional organizations, have faced cyber attacks. Now, there are many people who think that: I'm a smaller organization, I won't be targeted, what would the hacker get out of it? But just to tell you, we get to see the news when big hacks come up, right? But there are a lot of smaller organizations who are a piece of this chain. So it's designed to protect investors and financial market infrastructures from cyber risks, strengthen the cyber resilience of entities under SEBI's purview, and ensure uniform cyber security standards that are implemented across financial entities.
Well, we come across this very often now, that the next decade is going to be India's decade and digital is the way forward. Now, when we say that, when a lot of things are happening globally, a lot of attacks are going to come to this particular region. And we should be prepared to
tackle that, else the economy can be at risk. How does that happen? We'll cover it in a bit. But before that, who does it apply to? All investment funds, all alternative investment funds, all bankers to an issue, self-certified syndicate banks, all clearing corporations, all collective investment schemes, all credit rating agencies, all custodians, all debenture trustees, all depositories, all designated depository participants, all depository participants through depositories, all investment advisors, research analysts, all KYC registration agencies, all merchant bankers, all mutual funds and asset management companies, all portfolio managers, all registrars to an issue and share transfer agents, all stock brokers through exchanges, all stock exchanges, and all VC funds as well. This extensive list of entities have to comply, have to align with this SEBI CSCRF.
But the reason that is required is, take for example, this is the entire Indian financial market. These entities have immense assets associated with them. And a cyber attack in one of the REs can have a domino effect and bring a downfall to the Indian financial markets. It might not seem that, what can a hack do? But when one hack happens, it has a cascading effect on the entire value chain, on all the related parties. Take for example, you are using a UPI service right now. When a UPI service goes down or there's a cyber attack, it's just not the UPI service that's getting attacked, it's even the kirana shop who is not being able to do a transaction, and the business goes down. I'm just giving one example, but there can be multiple like this, and that kind of creates a ripple effect in the entire space.
So there are five pillars in the CSCRF, and it has a close connection with the NIST framework as well. So this is anticipate, so your ability to understand what are the threats that are going to come. Next is withstand. So now we're moving to the resilience part.
So if an attack is happening or a threat is there, how capable is the organization in withstanding that, containing that, and if something has happened, how you recover from that. Now these four pillars are governed by the evolve one, right, which means you keep on evolving your cyber risk posture, you keep on evolving your cyber risk maturity, which would, in that, essentially enhance your cyber capability index.
So the CCI, the cyber capability index, is divided into six different categories. From 91 to 100 it's exceptional, from 81 to 90 it's optimal, from 71 to 80 it's manageable, from 61 to 70 it's developing, from 51 to 60 it's bare minimum, less than 50 you will have a failed cyber capability index, which is not a good sign for your organization in terms of your business operations or running your business as well. So as far as our understanding and as far as the communications that we have had, the conversations that we have had, we see there are many of the organizations who are falling in the failing part. There are a couple of them who are in the bare minimum to developing, and there are very, very, very few, like almost like one to two percent, who are in the optimal to exceptional level. So there's a lot that needs to be done. The time is short and organizations are having a time crunch on implementing this as well, because they have other things to do, and that's one of the challenges that they are facing.
So we said, okay, since we already have the capabilities, let's put our ZCF, which is the Zeron Control Framework, right, and put that to play. So we have the ZCF, which particularly takes into consideration all the different factors that are required for the SEBI CCI automation. And we pull out that data, make the reports for you. You can download it. You can get it audited by an auditor from the platform itself and submit it to SEBI as well. So just to make a mention here.
The CCI is one step towards cyber risk quantification, by the way. It's the starting of the measurement of the maturity indexes, so that you know, by knowing the CCI of an organization, where they stand in terms of cybersecurity. So there are two deadlines: 1st January for entities where cybersecurity and cyber resilience already exists, and 1st April, which is all the other entities where CSCRF is made applicable for the first time. So the time is very short, but don't worry, we are there to help you. Right. So, thank you, that's the presentation that I had.
I'll cover a few of the queries that we have seen while talking to particular customers, right? So one question is: what is applicable for us in the entire circular? We fall under that regulated entity, but what is applicable for us? Just to answer that, everything mentioned in the circular is applicable to every other entity that is there. All the 19 categories that have been shown, the entire circular is applicable for them. We have also seen many organizations asking for representations to talk with SEBI with respect to extending the deadlines and all, but the news is that SEBI is not willing to take back on that. And there's a specific reason to it, because the kind of state that we are at, it actually poses a risk to the financial markets, to the entire economy of the country. And this is a very important time to build in this kind of an infrastructure and level up the security standards of the country.
So if we have any questions from the audience, we'd love to take that. Else, we would just move on to showcase you the platform demo. And we'll keep this particular interaction very short.
You can reach out to us later on as well, if you need any help in terms of how to automate it, in terms of understanding the circular as well, and all of it. So I don't see any questions as of right now in the comment section. What I'll do is I'll move on to the demo section.
So as we can see in the CCI management, when someone comes in, you would be able to see where you stand, right, the maturity level of the particular compliance that is there. Now you go to the CCI parameters, and we talk about automation: we have achieved an amazing feat of automating around 80 percent of the controls that are there. The 20% which are there are manual controls which cannot be automated. So if you talk in terms of how much automation has been done on the platform, the answer is 100% of it has been automated.
So we go in any one of them, and let's go to the one which talks about the SOC efficacy. So we can integrate with 400 plus different solutions, cyber security solutions. And when you see this, you get to see the data being automatically filled in here, from where you would be able to get all the results here, and it would automatically get filled. If there is a technology which hasn't been integrated, it would be manual. Now, there can be sections as well where automated data is there, but you feel that there are a couple of things which are not integrated. For example, you have vulnerability measure, right? Now, in the vulnerability measure, you see that this much has been identified and this has been mitigated. Now you might not have a solution in your organization through which you can track how much has been mitigated, and you maintain it on Excel sheets.
So as per auto it would become zero, but you can select on this, switch mode to manual, and you can put this as an entry, where you would see this much has been mitigated, which would give you the self assessment score automatically calculated to the particular level it's required for. Now once that is done, all of this has been done, you can go to the overview section and you can configure an assessment, complete the entire thing and create a report out of that as well. I'll also show you how the report generation happens. Just allow me a moment. Thank you.
Yeah, sorry for the technical glitch on the system. So you go here, you can configure this, right? You can submit it for audit. So what happens here is: configure an assessment, click on submit for report, you can put the auditor mail ID and submit for reports. So let's, we'll do that. You can set the expiry date for the auditor to access the particular report. When you do this particular thing, just click on submit for audit, your auditor would automatically get the link to access this. Now, once that submission is done, you would be able to figure out what are the comments that have been given by the auditor and take actions on that. Isn't that interesting? Now, once the auditor is done, you would be able to download the particular report and send it to SEBI.
So, okay, so we see a question here. I'll take that up because we have got like seven more minutes left. Question is, how are organizations acting on it? I mean, how seriously are organizations taking this? Well, there are organizations who are taking it very seriously. They want to implement it at the earliest because they want to be on top of it. There are organizations who are waiting for the longer deadlines, which is in April, because they think that they have a lot of time. So there are two kinds of scenarios that we have come across till now. Right. And that's exactly how people are acting to it. Do we have any other questions?
Is there a template for this particular framework? Does Zeron support that too? Well yes, Zeron supports that particular template as well. Right, just a second, let me see if I can find out the template and show it to you. Okay, I have just been informed that I cannot show that on this particular session, right, because this is something which is confidential to organizations. But yes, we do have the report as mentioned by the different annexures in SEBI's document, and organizations can download it automatically from there and send it to SEBI.
Okay, I have a couple of questions coming on the personal chat as well. I'll take that up. So a question from Ashok. Okay, so Ashok is asking: what happens if we do not take this up? Well, nothing happens. The only thing that happens is SEBI would ask you, or SEBI would send you a notice of not following this, and we have seen that with many organizations previously, right? Do we have any other questions?
Okay, then we've got three more minutes left. I'll just like to show you how we have been automating the entire thing and what are the different advantages you can get. So I would be just playing a short video as well.
So as you saw in the video, we have automated the entire SEBI CSCRF. You can just visit our website, download the guide as well, and along with that you can also book a demo for your organization, and we'll be more than happy to help you with that. Along with the CCI tool as well, we help you with the gap assessment and also with different kinds of policies that are required for your CSCRF and CCI. And this is the particular reason why Zeron wanted to take this up as an industry leader in this particular implementation and the automation of SEBI CSCRF, because this aligns very much with what we want to achieve through Zeron, right, and that aligns with the vision that we have in having a standardized way of looking at organizations in terms of cyber security, which can help them make informed decisions. It becomes a single
point of truth for making the cyber security decisions in the organization, and it's a step towards it. Well, I'm pretty sure there would be more that would be coming in towards the advancements of the CCI as well, and you have Zeron for that, which would be always there to help organizations in terms of how they would be automating it and make their lives easier. Also, a special mention: on page 55 of the circular you will find that you just cannot submit the report by doing Excel sheets for this SEBI CCI. You will have to automate that and have an automated way of collecting that before calculating the CCI calculations.
With that, I'll take a bye for today, but would be again joining in some other sessions, and till then stay secured, stay cyber resilient, and because security matters. And for any issues with respect to your cybersecurity or cyber resilience, feel free to reach out to Zeron because it is the single point of truth for cybersecurity and making informed decisions. Thank you, everyone.