Capital markets regulator Sebi has recently tweaked the cyber security and cyber resilience framework for asset management companies (AMCs). According to Sebi, AMCs must conduct regular Vulnerability Assessments and Penetration Tests (VAPT) covering critical assets and infrastructure components, in order to detect security vulnerabilities in the IT environment and to evaluate in depth the security posture of the system through simulations of real attacks on their systems and networks. Importantly, the new framework comes into force from July 15. Previously, the regulator had introduced a modified cybersecurity and cyber resiliency framework for AMCs.
Considering the increasing number of cyber-attacks, such a regulatory mandate may become applicable across all industries sooner or later.
What should organizations do to remain compliant?
As per Sebi’s guidelines, data in motion and data at rest should be encrypted using strong encryption methods. Sebi also mentions that no person, by virtue of rank or position, should have any intrinsic right to access confidential data, applications, system resources or facilities. Further, AMCs should identify the cyber risks (threats and vulnerabilities) they may face, along with the likelihood of such threats and their impact on the business, and deploy controls commensurate with the criticality.
Keeping the above-mentioned requirements in mind, here are 10 key solutions that organizations should opt for in order to remain compliant:
- Transparent Data Encryption – TDE enables you to encrypt sensitive data that you store in tables and tablespaces. After the data is encrypted, this data is transparently decrypted for authorized users or applications when they access this data.
- Database Activity Monitoring (DAM) – DAM is a database security technology for monitoring and analyzing database activity. DAM may combine data from network-based monitoring and native audit information to provide a comprehensive picture of database activity. The data gathered by DAM is used to analyze and report on database activity, support breach investigations, and alert on anomalies.
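As an added illustration of what a DAM tool does with the audit data it collects (this is example code written for this page, not a product's code), the script below runs a handful of constructed audit records through four monitoring rules: access to a confidential object by a principal not entitled to it, schema or privilege changes by anyone outside the DBA group, bulk reads of confidential data, and confidential-data access outside business hours. The entitlement policy, object names, user names and thresholds are all hypothetical. Note that the rule set is entitlement-based, not rank-based: a senior officer reading a confidential table they are not entitled to is alerted on exactly like anyone else, which is the point Sebi makes about rank conferring no intrinsic access right.

```python
from datetime import datetime, time

# Constructed sample records, modelled on what a DAM tool collects from a
# database's native audit trail. Users, objects and timestamps are made up.
SAMPLE_AUDIT_LOG = [
    {"ts": "2023-07-17 10:12:01", "user": "app_svc",   "action": "SELECT", "object": "investors.kyc",           "rows": 1},
    {"ts": "2023-07-17 10:13:44", "user": "app_svc",   "action": "UPDATE", "object": "investors.kyc",           "rows": 1},
    {"ts": "2023-07-17 23:41:09", "user": "rpt_user",  "action": "SELECT", "object": "investors.kyc",           "rows": 250000},
    {"ts": "2023-07-18 09:05:30", "user": "dba_anita", "action": "ALTER",  "object": "investors.kyc",           "rows": 0},
    {"ts": "2023-07-18 14:20:15", "user": "cfo_raj",   "action": "SELECT", "object": "investors.bank_accounts", "rows": 3},
    {"ts": "2023-07-18 11:00:00", "user": "app_svc",   "action": "SELECT", "object": "public.fund_nav",         "rows": 500},
]

# Hypothetical policy: entitlement is granted per object to assigned roles, never by rank.
CONFIDENTIAL_OBJECTS = {"investors.kyc", "investors.bank_accounts"}
ENTITLED = {
    "investors.kyc": {"app_svc", "dba_anita"},
    "investors.bank_accounts": {"app_svc"},
}
DBA_USERS = {"dba_anita"}
DDL_ACTIONS = {"CREATE", "ALTER", "DROP", "GRANT"}
BULK_ROW_THRESHOLD = 10_000
BUSINESS_HOURS = (time(8, 0), time(20, 0))  # inclusive start, exclusive end


def check_record(rec):
    """Apply each monitoring rule to one audit record; return a list of (rule, detail) alerts."""
    alerts = []
    ts = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    user, action, obj, rows = rec["user"], rec["action"], rec["object"], rec["rows"]
    confidential = obj in CONFIDENTIAL_OBJECTS

    # Rule 1: a confidential object touched by someone not entitled to it.
    if confidential and user not in ENTITLED.get(obj, set()):
        alerts.append(("unentitled_access", f"{user} ran {action} on {obj}"))
    # Rule 2: schema or privilege changes by anyone outside the DBA group.
    if action in DDL_ACTIONS and user not in DBA_USERS:
        alerts.append(("ddl_by_non_dba", f"{user} ran {action} on {obj}"))
    # Rule 3: bulk extraction of confidential data (possible exfiltration or misuse).
    if confidential and rows >= BULK_ROW_THRESHOLD:
        alerts.append(("bulk_extract", f"{user} read {rows} rows from {obj}"))
    # Rule 4: confidential data accessed outside business hours.
    if confidential and not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
        alerts.append(("off_hours", f"{user} accessed {obj} at {ts:%H:%M}"))
    return alerts


def detect_anomalies(records):
    """Run every record through the rules; return a flat list of alerts ready to forward to a SIEM."""
    return [
        {"ts": rec["ts"], "user": rec["user"], "rule": rule, "detail": detail}
        for rec in records
        for rule, detail in check_record(rec)
    ]


if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_AUDIT_LOG):
        print(f'{a["ts"]}  {a["rule"]:<18} {a["detail"]}')
```

On the sample data the reporting user's late-night 250,000-row read of the KYC table trips three rules at once, and the CFO's read of the bank-accounts table trips the entitlement rule; the DBA's daytime ALTER and the application account's routine queries raise nothing. Real DAM products add network-captured SQL and baseline-based anomaly scoring on top of rules like these, but the alert structure is the same.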
- Access Control – The access control solutions listed below help safeguard data and systems by managing who has access and what they are allowed to see and do.
  - Identity and Access Management (IAM)
  - Privileged Identity Management (PIM)
  - Privileged Access Management (PAM)
- Network Security – It is the practice of managing firewalls and network policies to control and monitor access across the network.
- Endpoint Security – It refers to securing endpoints, or end-user devices like desktops, laptops, and mobile devices. These endpoints serve as points of access to the corporate network and sensitive data. Today more than ever, endpoint security plays a critical role because of remote and hybrid workforces.
- Data Loss Prevention (DLP) – DLP is a set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. DLP software classifies regulated, confidential and business-critical data and identifies violations of policies defined by the organization or within a predefined policy pack, typically driven by regulatory compliance such as HIPAA, PCI-DSS, or GDPR. The following DLP technologies ensure that PII data is not leaked outside the organization:
  - Network DLP
  - Endpoint DLP
  - Cloud DLP
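To make the classification and policy-violation step concrete, here is an added example (written for this page, not taken from any DLP product) of the content-inspection core that network, endpoint and cloud DLP all share. It detects three kinds of sensitive data in a message: payment card numbers (validated with the Luhn checksum so that arbitrary 16-digit references are not flagged), Indian PAN identifiers, and e-mail addresses; assigns the message a classification label; and returns a policy decision for an outbound channel, redacting the findings when the message may leave. The label names, severity ordering, the policy rules and the sample messages are all constructed for the example; the card number used is the well-known Luhn-valid test value, not a real account.

```python
import re

# Pattern for 13 to 19 digits with optional space/dash separators; candidates are
# confirmed with the Luhn checksum below, so a bare regex hit is not enough.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Indian Permanent Account Number: five letters, four digits, one letter.
PAN_RE = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Constructed sample messages (not real data).
SAMPLE_MESSAGES = {
    "card": "Please charge card 4111 1111 1111 1111 for the SIP.",   # Luhn-valid test number
    "pan": "Investor PAN is ABCDE1234F, contact ravi.k@example.com",
    "bad_card": "Ref 4111 1111 1111 1112 is a ticket number",        # fails Luhn: not a card
    "public": "NAV for the fund was published today.",
}

SEVERITY = {"card_number": 3, "india_pan": 2, "email": 1}
LABELS = {3: "restricted", 2: "confidential", 1: "pii", 0: "public"}


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a card-number candidate (separators ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str):
    """Return a list of (kind, matched_text) findings for the text."""
    findings = [("card_number", m.group()) for m in CARD_RE.finditer(text) if luhn_ok(m.group())]
    findings += [("india_pan", m.group()) for m in PAN_RE.finditer(text)]
    findings += [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    return findings


def classify(text: str):
    """Label the text by its most severe finding; returns (label, findings)."""
    findings = find_sensitive(text)
    level = max((SEVERITY[kind] for kind, _ in findings), default=0)
    return LABELS[level], findings


def redact(text: str) -> str:
    """Mask each finding so only a non-identifying fragment survives."""
    def mask_card(m):
        s = m.group()
        if not luhn_ok(s):
            return s            # not a card number, leave it alone
        last4 = "".join(c for c in s if c.isdigit())[-4:]
        return "****-" + last4
    text = CARD_RE.sub(mask_card, text)
    text = PAN_RE.sub(lambda m: m.group()[:2] + "*******" + m.group()[-1], text)
    text = EMAIL_RE.sub(lambda m: m.group()[0] + "***@" + m.group().split("@", 1)[1], text)
    return text


def policy_decision(text: str, outbound: bool) -> str:
    """Hypothetical policy: card data never leaves; other PII leaves only redacted."""
    label, _ = classify(text)
    if not outbound or label == "public":
        return "allow"
    if label == "restricted":
        return "block"
    return "allow_redacted"


if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(f"{name:<9} {classify(msg)[0]:<13} {policy_decision(msg, outbound=True):<15} {redact(msg)}")
```

The Luhn check matters in practice: without it, every 16-digit ticket or transaction reference becomes a false positive and analysts start ignoring the alerts. A production deployment would add further identifier types relevant to the regulations in scope and run the same inspection at each of the three enforcement points listed above.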
- Vulnerability Assessment and Penetration Testing (VAPT) – The goal of a VAPT audit is to identify the vulnerabilities present in the software that attackers could exploit. VAPT is carried out through a systematic process involving various tools, techniques, and methodologies.
- Security Information and Event Management (SIEM) – SIEM offers real-time monitoring and analysis of events as well as tracking and logging of security data for compliance or auditing purposes.
- Application Security – This involves performing application security testing on critical applications, using methodologies such as DAST (Dynamic Application Security Testing) and SAST (Static Application Security Testing), and remediating the vulnerabilities found.
- Patch Management – It consists of scanning computers, mobile devices or other machines on a network for missing software updates, known as ‘patches’, and fixing the problem by deploying those patches as soon as they become available.
The above-mentioned list can enable you to remain compliant and avoid hefty penalties by regulatory authorities.
Get a free consultation with our database and cybersecurity experts today. Write to us at firstname.lastname@example.org and our team of database and cybersecurity experts will be glad to assist you.