This document provides a framework for corporate cybersecurity in securities markets. It outlines key aspects of cyber risk and threats posed by different cyber attackers. The framework is based on standards from SEBI, NIST, and other organizations. It details steps for companies to identify critical assets, protect systems and data, detect security events, respond to incidents, and recover from attacks. The framework emphasizes governance, policies, employee training, and continual improvement of cybersecurity practices to mitigate risks to systems and information in securities markets.
Corporate cyber security in securities market dissertation_g sudhakar reddy
Corporate CyberSecurity in Securities Market
G Sudhakar Reddy
Institute of Directors
Corporate Directorship Certification
30-11-2017
2. CORPORATE CYBER SECURITY 2
G Sudhakar Reddy
Table of Contents
EXECUTIVE SUMMARY (p. 3)
INTRODUCTION (p. 3)
  CYBER RISK (p. 4)
  CYBER-ATTACK ACTORS (p. 5)
PROJECT SCOPE (p. 8)
CYBER SECURITY FRAMEWORK (p. 9)
  GOVERNANCE (p. 11)
  IDENTIFY (p. 12)
  PROTECTION (p. 14)
    Access Control (p. 14)
    Physical Security (p. 16)
    Network Security Management (p. 16)
    Securing Data (p. 17)
    Software and Hardware Hardening (p. 18)
    Patch Management (p. 19)
    System and Storage Equipment Disposal (p. 20)
  VULNERABILITY TESTING (p. 20)
  MONITORING AND DETECTION (p. 21)
  RESPONSE AND RECOVERY (p. 21)
  INFORMATION SHARING (p. 22)
  EMPLOYEE TRAINING (p. 22)
CYBER SECURITY PLAN (p. 22)
  DELIVERABLES (p. 24)
  RESOURCES (p. 24)
  TIMELINES (p. 25)
CONCLUSION (p. 27)
REFERENCES (p. 29)
APPENDIX (p. 32)
Table of Figures
FIGURE 1: CRITICAL ASSET IDENTIFICATION MODEL (p. 14)
FIGURE 2: STEPS INVOLVED TO ACCESS A CRITICAL IT ASSET (p. 15)
FIGURE 3: FIREWALL AND ID/PS USED TO PROVIDE NETWORK SECURITY (p. 17)
FIGURE 4: SECURING DATA THROUGH ENCRYPTION (p. 18)
FIGURE 5: PATCH MANAGEMENT PROCESS (p. 19)
FIGURE 6: SECURITY POSTURE IMPROVEMENT (ABDEL-AZIZ, 2011) (p. 20)
Executive Summary
Today, technology is used increasingly across industries and markets, and firms and
regulators should put checks in place to protect critical information. IT services are crucial for the
smooth and efficient functioning of the securities market. Lately, there has been a rapid increase
in the adoption of high-frequency trading activities that depend on robust information systems. The
increased development and deployment of technology in securities markets have created the need
to build and maintain a sound cybersecurity framework that preserves data integrity and
confidentiality and mitigates information loss. In financial services and trading, particular
regulations and procedures set the levels of cybersecurity, such as encryption, required of the
various stakeholders. There is a need to put in place an efficient and sophisticated
cybersecurity framework for capital markets. This document presents corporate cybersecurity
details for a firm from the perspective of the Companies Act, 2013 and the Security Exchange Board
Act, 2013. It highlights the credible sources of security risks and outlines the systems,
procedures, and policies that can be used to mitigate the threats.
Introduction
The comprehensive application of technology in the modern Indian economy brings
both rewards and risks. The benefits are widely known to many users. For instance,
technology enables the delivery of products and services at lower cost and with attributes that
are attractive to customers, such as convenience, speed, and reliability (Iberahim et al., 2015).
The nature of securities markets requires them to develop and deploy technology solutions for
service delivery. For example, in this field, securities are traded primarily on electronic
systems and at speeds that far exceed those of traditional human interaction (International
Organization for Securities Commissions, 2017).
Nevertheless, the same technology that offers such benefits is also associated with adverse risks.
For instance, failure of a central electronic system in a securities market can generate ripple
effects that negatively affect traders and other stakeholders. Moreover, such a
failure can affect the stability of the entire financial system and economy. Fortunately, such
threats have been identified and analysed, and a set of safeguards has been designed to
mitigate them or to minimise their impact if such incidents occur. Besides, regulatory
frameworks have also been developed to improve the safety of securities markets'
information systems (IOSCO, 2017). Notably, these security measures have mainly focused on
ensuring system resilience by preventing technology malfunctions. Unfortunately, this approach
has in the past neglected system failure caused by malicious intent. Cyber-attacks, and the risks
associated with them, therefore form the subject of this dissertation.
The impetus for this study is the explicit recognition by the Securities and Exchange Board of India
(SEBI) that cybersecurity poses a critical and significant threat to the efficiency and reliability
of financial markets in India. Today, cyber risk constitutes a growing and significant threat to the
integrity, safety, and availability of commercial markets globally. This threat affects different
components of the securities markets in different ways. In effect, coordination and guidance of
firms on cybersecurity issues has consequently been taken up at board level. SEBI
investigates a set of approaches that can be applied to support member firms and market players
in enhancing cybersecurity in financial markets. Outstandingly, cyber risk is a complex and
rapidly evolving phenomenon. In effect, a standard, static risk management
strategy may not be sufficient.
This report covers the regulatory issues and challenges related to cybersecurity for the various
segments of the securities markets. The document incorporates recommendations from SEBI and
other stakeholders that address different elements of cybersecurity in financial markets.
Moreover, this dissertation draws on additional case studies and projects, including but not
limited to those related to the Securities Exchange Board. They include surveys and other relevant
work on the research and development of robust and secure electronic trading
systems and on business continuity.
Cyber Risk
There is still some ambiguity concerning the different words and phrases that refer to
cyber risk. However, the terms have been defined in various sectors. According to
Biener, Eling, and Wirfs (2015), cyber threat is the potential adverse outcome
caused by cyber-attacks. On the other hand, cyber-attacks refer to attempts to
compromise the availability, privacy, and integrity of computer systems and crucial information
(Cichonski et al., 2012).
This definition of cyber-attacks features terminology that is crucial to any information system.
Firstly, confidentiality is vital in any system. An attack on confidentiality mostly involves
unauthorised access to essential information, such as client credit card numbers, corporate
information assets, and financial market accounts (Reurink, 2016). Malicious actors then use
this information to commit identity theft and other fraud, such as placing illegal buy and
sell orders for financial gain without the authorisation of the account owner. Attacks on
information and system confidentiality do not only entail theft of personal information; they
also cover other intellectual property assets, such as proprietary algorithms, negotiation deals,
and other crucial details used by a trading company.
On the other hand, an attack on integrity modifies the original data or status of a system. It
affects the consistency of information and solutions used in trading financial assets and personal
information that is collected, processed, and stored in digital format (European Data Protection
Supervisor, 2015). For instance, an attacker can illegally access information and change the
ownership or destroy parts or all of it.
Availability is another crucial feature of electronic systems and data. An attack on availability
disrupts and delays access to essential information (Pawar & Anuradha, 2015). In
effect, the risk adversely interferes with the operation and availability of the systems that
facilitate the execution of transactions. Notably, this affects the performance of the capital
market, which mostly runs on a real-time basis.
The National Institute of Standards and Technology (NIST) gives a comprehensive definition
of cyber-attack in its Glossary of Key Information Security Terms that integrates the crucial
features of systems and data discussed above. NIST defines a cyber-attack as an attack that
takes place via cyberspace and targets an enterprise's use of cyberspace.
Further, the body notes that these attacks aim at accessing, disrupting, destroying, or
illegally controlling a computing environment, destroying the integrity of the system or data,
or stealing private information. Similarly, Kumar (2015) notes that cyber-attacks and
vulnerabilities compromise the confidentiality, integrity, and availability (CIA) of networks, data
centres, and systems.
Cyber-Attack Actors
Essentially, various actors can perform cyber-attacks based on a set of motivations and
capabilities. Threat actors include criminals, insiders, hacktivists, nation states, and terrorist
groups (Mueller, 2012). Firstly, criminal actors are mostly motivated by financial gains
generated by stealing valuable information that can be traded on the dark web. The group has
different capabilities and a large number of members in various geographical locations. In some
cases, cybercriminals deploy sophisticated techniques and tools to access some of the most
secure capital markets.
Secondly, insider actors include both current and former workers and other parties that collude
with them and misuse genuine, authorised access privileges (Ali, 2014). In most cases, employers
trust workers and give them access to critical data and information systems. However, disgruntled
employees may engage in various malicious activities fuelled by financial and other gains, such
as the intention to damage the reputation of an employer because of differences and unresolved
conflicts. In other cases, employees may pose a threat unknowingly because they lack
proper training on using the system and handling confidential data.
The third group of actors is the hacktivists. Members of this group focus on promoting
ideological views through cyber-attacks that can cause financial loss and reputational damage
to the targeted firms and entities (Abomhara & Koien, 2014). In most cases, hacktivists
are motivated by the need to push for a social agenda and change. Notably, these actors are limited
in skill set and techniques.
Finally, nation states and terrorist groups may aim to steal crucial information from their targets
to gain a competitive and economic advantage (Samuel & Osman, 2014). Further, governments target
other nations to destroy their cyber capabilities. Notably, there are few actors in this group, but
they have sophisticated skill sets and the resources, modern tools, and techniques to gain
access to other countries' cyberspace.
Project Scope
This project is targeted at SEBI members and market participants in Indian securities markets.
The report offers an overview of some of the regulatory procedures and recommendations related
to cybersecurity that the Securities Exchange Board Act (2013) has already developed and
implemented. Notably, various regulators are still in the infant stages of developing security
measures and policy responses in the field of cybersecurity. As such, the review of the available
tools for regulators can offer a valuable point of reference to SEBI members as they consider
developing their internal security policies. For the market participants, this document provides a
set of plans and measures that companies have employed to improve cybersecurity in the
organisation. It features some solutions adopted by stakeholders and recommends the most
reliable ones.
This report is crucial in the field of security markets since cyber risk is a growing threat. In most
cases, organisations fail to disclose cyber incidents for fear that their reputation will be
destroyed. Moreover, other organisations are unaware that an attack occurred and crucial data
was transferred to an actor’s premises (Conteh & Schmick, 2016). In effect, available statistics
may undermine efforts and focus needed to create safety measures. Nevertheless, available
evidence demonstrates that cyber-attacks are becoming frequent and costly to the victim.
Statistics reported by PwC’s Global State of Information Security Survey (2016) that involve
data collected from 127 countries and thousands of company executives indicate that cyber
incidents increased by 38% in 2015. Moreover, other reports suggest that costs incurred due to
cyber-attacks are also growing. The Ponemon Institute’s 2015 Cost of Data Breach Study
indicates that the average price of a data breach to an organisation is $3.79 million, which is a
23% increase within two years. Therefore, this document has identified cybersecurity as crucial
for securities markets.
Implementing the recommendations given in this document will help protect the
company's IT assets, which is the primary goal of implementing security mechanisms on computer
systems and networks. The strategy preserves crucial information and methods that are valuable
and essential to the functioning of a firm. Secondly, implementing this policy will help a
business comply with industry and regulatory requirements and meet critical ethical
responsibilities. Undoubtedly, protecting significant IT assets shields a company from the
penalties and costs that arise when it fails to meet its obligations.
Cyber Security Framework
SEBI has adopted the Principles for Financial Market Infrastructures (PFMIs) laid down by CPMI-
IOSCO (Kumar, 2015). The body has issued a framework for the implementation of security
measures in the securities market. This solution focuses on identifying credible sources of
internal and external risk and applying a set of standards, policies, and controls to mitigate
their impact. Overall, organisations should design systems in a way that ensures a high degree of
security and reliability. Moreover, they should have scalable and adequate capacity. Another
critical feature of this framework is the development and deployment of a business continuity
plan that ensures timely recovery of essential information and systems after an event that causes
disruption.
Notably, market infrastructure institutions, such as stock exchanges and depositories, are crucial,
yet highly targeted by cybercriminals (Kumar, 2015). As such, this document recommends that
such organisations should develop and employ robust cybersecurity strategies to offer essential
services and reliably perform various roles, such as settlements and trading in the capital market.
This section highlights corporate cybersecurity from the perspective of Security Exchange Board
Act. It offers information on various cybersecurity issues and security control as recommended
by SEBI along with the Technical Advisory Committee that collaborates with firms in this sector
to develop practical guidance in the field of cyber resilience and security. Companies will be
required to comply with this framework to ensure information and system safety and integrity.
The recommendations are issued under the section of the Securities and Exchange Board of India
Act that focuses on protecting investors' interests in securities.
This framework features a set of tools, measures, and procedures that have been developed to
prevent cyber incidents and improve resilience (Kumar, 2015). According to Kumar (2015),
cyber resilience is the ability to plan, prepare, and react to cyber issues and to continue offering
services and to recover from a cyber-attack.
Governance
The framework also covers the management of threats to systems and information. Companies
should develop and deploy robust security policies that are reviewed and regularly
updated so that they help prevent new and evolving risks (Kumar, 2015). The policy
should include a process that identifies, assesses, and manages the risks associated with critical
information. The goals of the framework are as follows:
i) To identify essential assets of information in an organisation
ii) To establish risks associated with the IT assets classified in (i) above
iii) To deploy suitable measures and safeguards to protect critical information assets
iv) To implement appropriate tools to detect and predict anomalies, incidents, and attacks
before they occur
v) To employ immediate steps to respond to defects identified in (iv) above
vi) To develop and implement a business continuity strategy to recover from attacks and
manage incidents
Notably, the cybersecurity policy proposed in this dissertation encompasses the principles
prescribed by the National Critical Information Protection Center (NCIIPC), Government of
India. Other references for this framework include best practices from common standards
such as COBIT 5, ISO 27001 and ISO 27002, as well as their revisions. Significantly, a senior
employee of the organisation, such as the Chief Information Security Officer (CISO), is given the
responsibility to examine, determine, and establish adequate controls and to manage and lead the
implementation of procedures and actions as the policy instructs. Moreover, the Oversight
Standing Committee on the technology of the securities markets and other companies should
meet regularly to review the implementation of the policy, to set goals for improving security
and resilience, and to establish a plan to improve cybersecurity (Kumar, 2015). Organisations
should also set a reporting strategy so that anomalies and events are communicated to the CISO
and other security personnel in a timely and convenient manner.
The committee and management should continuously review instances of cyber-attacks, both local
and international, and recommend steps to improve the cybersecurity framework. The
company should also define the roles and responsibilities of employees and of outsourced
workers, vendors, and other contractors who have access to company systems and
information.
Identify
Companies should develop techniques and control measures to identify critical IT assets
based on their importance to the business and their sensitivity. During this step, a firm should
create and maintain an inventory of all software programs, hardware, information assets, network
resources, and data flows. Correspondingly, an organisation should identify the cyber risks and
threats that the IT assets face, together with the likelihood of incidents and their impact on the
operations of the business. Accordingly, management should deploy measures and controls
based on the risk rating. The firm should also encourage third-party service providers,
stockbrokers, and other market participants to implement a similar cybersecurity framework.
Figure 1: Critical asset identification model
The cyber security program team should examine the company to identify critical assets
and to prioritize them for protection.
Protection
Access Control
Protection involves access controls, physical security, network security management, data
security, hardware and software hardening, security testing, and patch management (Kumar,
2015). Firstly, no employee should have intrinsic access to private applications and data. Access to
information and systems in an organisation should have a defined timeline and purpose. In other
words, companies should operate their systems and networks on a need-to-use basis and under the
policy of least privilege. Access should be limited to the minimum time required and should be
authorised using the latest reliable authentication mechanisms. Access control at the company can be
improved by using strong password controls for access authorisation. The password
requirements should include changing default and system-generated credentials at the first
log-on. Moreover, the policy should specify the length of passwords, the characters allowed, and
the period of validity. Additionally, user credentials should be stored using strong encryption and
hashing algorithms. User access should be tracked and logged for audit and future review, and the
logs should be kept in encrypted form for a suitable period. Staff with high-level privileges and
elevated system access, such as administrators, should be continuously monitored. Organisations
should keep the number of privileged users small, and their activities should be reviewed to ensure
that they cannot access critical data such as other people's usernames and activity logs. In other
words, strong controls should be exercised over the access of privileged users to information and
systems. Additionally, companies should lock access after users fail to enter the correct
credentials three times.
Figure 2: Steps involved to access a critical IT asset
As noted earlier, apart from direct employees, an organisation also gives access to its
systems and information assets to outsourced workers and other third-party service providers. In
such cases, the CISO and the management team should apply stringent monitoring, access
restrictions, and supervision to protect data confidentiality and integrity. Securities market
systems also allow users to access databases and platforms via the Internet; Kumar (2015)
recommends two-factor authentication for users of online portals. Finally, under access
control, an organisation should implement a proper phase-out mechanism that revokes the access
privileges of employees after they leave the company, pass away, or have their rights withdrawn.
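The password, lockout, logging, and phase-out rules in this section can be expressed as a small account-management service. The Python below is an added example written for this page, not code from the dissertation or from SEBI. The class and function names, the 12-character minimum length, the 90-day validity period, PBKDF2-HMAC-SHA256 as the storage hash, and the sample accounts and clock are all assumptions; the three-attempt lockout is the rule the text states.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Policy parameters: the page states the three-attempt lockout; the rest are assumed values.
MAX_FAILED_ATTEMPTS = 3
MIN_LENGTH = 12
PASSWORD_VALIDITY = timedelta(days=90)
ALLOWED_CHARS = re.compile(r"^[A-Za-z0-9!@#$%^&*()_\-+=\[\]{};:,.?/]+$")
PBKDF2_ROUNDS = 200_000
BASE_TIME = datetime(2017, 11, 30, 9, 0)  # constructed clock for the demo

def later(days):
    return BASE_TIME + timedelta(days=days)

def password_meets_policy(pw):
    """Minimum length, allowed characters, and one of each character class."""
    if len(pw) < MIN_LENGTH or not ALLOWED_CHARS.match(pw):
        return False
    return all(re.search(c, pw) for c in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))

def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only the salt and digest are ever stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

class Account:
    def __init__(self, username, initial_password, privileged, now):
        self.username, self.privileged = username, privileged
        self.salt, self.digest = hash_password(initial_password)
        self.must_change = True  # system-generated credential: change at first log-on
        self.changed_at, self.failed = now, 0
        self.locked, self.active = False, True

class AccessControl:
    def __init__(self):
        self.accounts = {}
        self.audit = []  # (timestamp, user, event) records kept for audit review

    def _log(self, user, event, now):
        self.audit.append((now.isoformat(), user, event))

    def provision(self, username, initial_password, now, privileged=False):
        self.accounts[username] = Account(username, initial_password, privileged, now)
        self._log(username, "provisioned", now)

    def login(self, username, password, now):
        """Returns 'ok', 'change_required', 'expired', 'locked' or 'denied'."""
        acct = self.accounts.get(username)
        if acct is None or not acct.active:
            self._log(username, "denied_unknown_or_deactivated", now)
            return "denied"
        if acct.locked:
            self._log(username, "denied_locked", now)
            return "locked"
        if not hmac.compare_digest(hash_password(password, acct.salt)[1], acct.digest):
            acct.failed += 1
            if acct.failed >= MAX_FAILED_ATTEMPTS:  # lock on the third failure
                acct.locked = True
                self._log(username, "locked_after_failures", now)
                return "locked"
            self._log(username, "failed_password", now)
            return "denied"
        acct.failed = 0
        if acct.must_change:
            self._log(username, "login_change_required", now)
            return "change_required"
        if now - acct.changed_at > PASSWORD_VALIDITY:
            self._log(username, "login_password_expired", now)
            return "expired"
        self._log(username, "privileged_login" if acct.privileged else "login", now)
        return "ok"

    def change_password(self, username, old, new, now):
        acct = self.accounts.get(username)
        if acct is None or not acct.active or acct.locked:
            return False
        if (not hmac.compare_digest(hash_password(old, acct.salt)[1], acct.digest)
                or new == old or not password_meets_policy(new)):
            self._log(username, "password_change_rejected", now)
            return False
        acct.salt, acct.digest = hash_password(new)
        acct.must_change, acct.changed_at = False, now
        self._log(username, "password_changed", now)
        return True

    def deprovision(self, username, now):
        """Phase-out: revoke access when a person leaves or rights are withdrawn."""
        if username in self.accounts:
            self.accounts[username].active = False
            self._log(username, "deprovisioned", now)

    def privileged_activity(self):
        """Audit events of privileged accounts, for the periodic review."""
        priv = {u for u, a in self.accounts.items() if a.privileged}
        return [e for e in self.audit if e[1] in priv]
```

The audit list is kept in clear text here for brevity; the policy above asks for it to be stored encrypted, and in a real deployment it would also be shipped off-host so that a privileged user cannot edit their own trail.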
Physical Security
Physical security measures are also crucial in a cybersecurity policy. Firstly, physical access to
critical systems should be kept to a minimum and supervised to ensure that there is no unauthorised
access. Moreover, a perimeter wall should be constructed around essential servers and IT
equipment. Such assets should also be protected through physical, procedural, and human
interventions, such as mantraps, biometric and card access, and CCTV monitoring.
Network Security Management
Organisations should implement baseline standards for the consistent deployment of
security mechanisms and configurations to databases, operating systems, mobile devices
(for companies with BYOD policies), and network components. The firm should deploy enforcement
checks to apply the baseline standards. Other network safeguards, such as firewalls and intrusion
detection and prevention systems (ID/PS), should be installed to secure the network infrastructure
from security threats posed by internal and external actors, such as insiders and criminals (Sharifi
et al., 2014).
Figure 3: Firewall and ID/PS used to provide network security
Another crucial tool is an up-to-date anti-virus product installed on end-user workstations and
company servers. The antivirus should be updated as soon as the vendor releases updates and
security patches, and it should be configured to scan computers automatically.
Securing Data
Both stored data and data in transit should be encrypted using secure encryption mechanisms. In
this case, this report recommends the use of AES, SHA-2, and RSA. Measures should be
implemented to monitor and control the transfer and copying of data, so that availability and
confidentiality are not affected when data moves from the company to a
service provider, such as clients and cloud models.
Figure 4: Securing data through encryption
In most cases, companies allow users to bring their own devices to access critical data and
systems. In such cases, it is advisable to implement an information security framework that
covers the use of devices such as mobile phones under a BYOD programme, since such devices can
quickly access and transfer company data. Storage on these devices should also be validated.
Software and Hardware Hardening
Organisations should only use hardened IT assets. Access requirements for hardened software and
hardware should ensure that the manufacturer's default passwords are changed and new, strong
passwords are used to access the assets. Moreover, unnecessary features and services should be
disabled on new hardware and software. Notably, such unused services and open ports can be
exploited by cybercriminals to access critical information and data. In effect, it is essential to
ensure that they are blocked and monitored using effective mechanisms.
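The "enforcement checks" called for under Network Security Management and the hardening rules here (default passwords changed, unused services and ports closed) are the same control seen from two sides: a per-role baseline and a check that compares each host against it. The Python below is an added example for this page, not code from the dissertation or any product; the role baselines, the two host snapshots, and the severities are constructed assumptions. The listener lines follow the shape of `ss -ltnp` output on Linux, so the parser could be fed real output from that command.

```python
import re

# Per-role baselines (assumed values constructed for the example).
BASELINES = {
    "trading-db": {
        "allowed_listeners": {22: "sshd", 5432: "postgres"},
        "forbidden_services": {"telnet", "vsftpd", "snmpd", "cups"},
        "required_settings": {"ssh_password_auth": "no", "firewall": "enabled",
                              "antivirus_autoscan": "on"},
    },
    "workstation": {
        "allowed_listeners": {},
        "forbidden_services": {"telnet", "vsftpd", "sshd"},
        "required_settings": {"firewall": "enabled", "antivirus_autoscan": "on",
                              "disk_encryption": "on"},
    },
}

# One `ss -ltnp` line: state, queues, local addr:port, peer, then users:(("proc",pid=..,fd=..))
LISTENER_RE = re.compile(r'^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?')

def parse_listeners(ss_output):
    """Map each listening TCP port to the process behind it."""
    listeners = {}
    for line in ss_output.splitlines():
        m = LISTENER_RE.match(line.strip())
        if m:
            listeners[int(m.group(2))] = m.group(3) or "unknown"
    return listeners

def check_host(snapshot, baselines=BASELINES):
    """Return (severity, finding) pairs where the host deviates from its role baseline."""
    base = baselines[snapshot["role"]]
    findings = []
    for port, proc in sorted(parse_listeners(snapshot["ss_output"]).items()):
        want = base["allowed_listeners"].get(port)
        if want is None:
            findings.append(("high", f"unexpected listening port {port} ({proc})"))
        elif want != proc:
            findings.append(("high", f"port {port} served by {proc}, baseline expects {want}"))
    for svc in sorted(set(snapshot["services_enabled"]) & base["forbidden_services"]):
        findings.append(("medium", f"forbidden service enabled: {svc}"))
    for key, want in base["required_settings"].items():
        have = snapshot["settings"].get(key)
        if have != want:
            findings.append(("medium", f"{key}={have!r}, baseline requires {want!r}"))
    for acct in snapshot["accounts"]:
        if acct["default_password"]:
            findings.append(("critical", f"account {acct['name']} still has the default password"))
    return findings

def compliance_report(snapshots):
    """hostname -> (compliant?, worst severity, findings)."""
    order = {"critical": 3, "high": 2, "medium": 1}
    report = {}
    for snap in snapshots:
        findings = check_host(snap)
        worst = max((f[0] for f in findings), key=order.get, default="none")
        report[snap["hostname"]] = (not findings, worst, findings)
    return report

# Constructed host snapshots (sample input, not real hosts).
SAMPLE_HOSTS = [
    {
        "hostname": "db-01", "role": "trading-db",
        "ss_output": (
            'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))\n'
            'LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=1203,fd=6))\n'
            'LISTEN 0 5 0.0.0.0:23 0.0.0.0:* users:(("in.telnetd",pid=77,fd=4))\n'
        ),
        "services_enabled": ["sshd", "postgres", "telnet", "snmpd"],
        "settings": {"ssh_password_auth": "yes", "firewall": "enabled", "antivirus_autoscan": "on"},
        "accounts": [{"name": "postgres", "default_password": False},
                     {"name": "admin", "default_password": True}],
    },
    {
        "hostname": "ws-17", "role": "workstation",
        "ss_output": "",
        "services_enabled": ["cups"],
        "settings": {"firewall": "enabled", "antivirus_autoscan": "on", "disk_encryption": "on"},
        "accounts": [{"name": "analyst2", "default_password": False}],
    },
]
```

Run against the two snapshots, the workstation is compliant and the database host yields five findings, the worst being the unchanged default password; a firm would feed the report into the patch and change process rather than fixing hosts by hand.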
Security Testing on Applications
Security testing should take place before fully deploying new and modified systems. The testing
process should feature a scope that should cover broad areas, such as the business logic, security
measures, system performance, and recover and stress-load capabilities.
Patch Management
Companies should establish a patch management policy that includes the identification and ranking
of security updates. An implementation timeframe should be defined for security patches.
Security patches should undergo rigorous testing before being deployed to the production platform,
to ensure that the updates do not adversely affect the operation of the rest of the system.
Figure 5: Patch Management process
System and Storage Equipment Disposal
Companies should develop and deploy suitable frameworks outlining the procedures for disposing
of storage media. In most cases, phased-out network and storage devices still contain crucial data,
and criminals and others can recover it without any hacking skills. Therefore,
organisations should destroy this information through physical destruction and with wiping and
cleaning tools.
Vulnerability Testing
Companies should regularly conduct vulnerability testing to discover and assess weaknesses in the production environment, which relies on a set of IT services and equipment. This activity should take place alongside regular penetration testing, in which the security posture of a system is tested by hiring an expert to simulate a real attack on the networks and information. Nevertheless, the process should be monitored to prevent denial of service to clients. After identifying the vulnerabilities, firms should employ remedial solutions to address the gaps identified during the assessment.
Figure 6: Security posture improvement (Abdel-Aziz, 2011)
Monitoring and Detection
Organizations should deploy appropriate monitoring tools and procedures to ensure continuous and automated scanning and timely detection of anomalies and malicious traffic. Moreover, applying this policy allows the CISO and management to detect unauthorised modification, access, and copying of critical data. In this stage, the company should deploy a security information and event management (SIEM) system that collects, analyses, preserves, and reports activities taking place in the systems and company network (Kostrecova & Binova, 2015). The policy also recommends the development of measures that enhance the resilience and availability of systems and networks. A SIEM can generate high-severity alerts when an anomaly is detected.
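The three detections the paragraph names (unauthorised access, modification, and copying of critical data, plus anomalous traffic such as a burst of failed logins) can be expressed as correlation rules over collected events. The following is an added example written for this page, not a SIEM product's rule language and not code from the dissertation: the log format, the list of critical assets, the authorised accounts, the thresholds and the sample log lines are all constructed.

```python
"""Minimal SIEM-style correlation over audit log lines.

Added example: the log lines, asset list, access policy and thresholds
below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical critical data assets and the accounts authorised to touch them.
AUTHORISED = {
    "/data/client_positions.db": {"svc_trading", "dba1"},
    "/data/kyc_records.csv": {"kyc_officer"},
}
FAILED_LOGIN_THRESHOLD = 5                  # failures from one source ...
FAILED_LOGIN_WINDOW = timedelta(minutes=2)  # ... within this window
BULK_COPY_THRESHOLD = 3                     # copies of critical files by one user ...
BULK_COPY_WINDOW = timedelta(minutes=10)    # ... within this window


def parse_event(line):
    """'2017-11-30T09:00:01 key=value ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def _in_window(queue, ts, window, threshold):
    """Record ts, drop entries older than the window, report whether threshold is reached."""
    queue.append(ts)
    while ts - queue[0] > window:
        queue.popleft()
    return len(queue) >= threshold


def correlate(lines):
    """Run the detection rules over the lines; return alerts in the order raised."""
    alerts, fired = [], set()
    failed_logins = defaultdict(deque)    # source ip -> timestamps of failed logins
    critical_copies = defaultdict(deque)  # user -> timestamps of copies of critical data
    for ev in map(parse_event, lines):
        action = ev.get("action")
        # Rule 1: burst of failed logins from one source (alert once per source).
        if action == "login" and ev.get("result") == "fail":
            src = ev["src"]
            hit = _in_window(failed_logins[src], ev["ts"], FAILED_LOGIN_WINDOW, FAILED_LOGIN_THRESHOLD)
            if hit and ("bruteforce", src) not in fired:
                fired.add(("bruteforce", src))
                alerts.append({"rule": "bruteforce", "severity": "medium", "subject": src,
                               "detail": f"{FAILED_LOGIN_THRESHOLD}+ failed logins within {FAILED_LOGIN_WINDOW}"})
        resource = ev.get("resource")
        if resource in AUTHORISED and action in {"read", "copy", "modify"}:
            user = ev["user"]
            # Rule 2: access to critical data by an account not on the authorised list;
            # modification is rated higher than read or copy.
            if user not in AUTHORISED[resource]:
                alerts.append({"rule": "unauthorised_access",
                               "severity": "critical" if action == "modify" else "high",
                               "subject": user, "detail": f"{action} {resource}"})
            # Rule 3: bulk copying of critical data, even by an authorised account.
            if action == "copy":
                hit = _in_window(critical_copies[user], ev["ts"], BULK_COPY_WINDOW, BULK_COPY_THRESHOLD)
                if hit and ("bulk_copy", user) not in fired:
                    fired.add(("bulk_copy", user))
                    alerts.append({"rule": "bulk_copy", "severity": "high", "subject": user,
                                   "detail": f"{BULK_COPY_THRESHOLD}+ copies of critical data within {BULK_COPY_WINDOW}"})
    return alerts


# Constructed sample log (not captured from a real system).
SAMPLE_LOG = [
    "2017-11-30T09:00:01 host=web1 user=alice action=login result=fail src=203.0.113.7",
    "2017-11-30T09:00:09 host=web1 user=alice action=login result=fail src=203.0.113.7",
    "2017-11-30T09:00:15 host=web1 user=admin action=login result=fail src=203.0.113.7",
    "2017-11-30T09:00:22 host=web1 user=bob action=login result=fail src=203.0.113.7",
    "2017-11-30T09:00:30 host=web1 user=root action=login result=fail src=203.0.113.7",
    "2017-11-30T09:05:00 host=db1 user=dba1 action=read resource=/data/client_positions.db",
    "2017-11-30T09:06:10 host=db1 user=intern3 action=read resource=/data/kyc_records.csv",
    "2017-11-30T09:07:00 host=fs1 user=kyc_officer action=copy resource=/data/kyc_records.csv",
    "2017-11-30T09:08:00 host=fs1 user=kyc_officer action=copy resource=/data/kyc_records.csv",
    "2017-11-30T09:09:00 host=fs1 user=kyc_officer action=copy resource=/data/kyc_records.csv",
    "2017-11-30T09:12:00 host=db1 user=intern3 action=modify resource=/data/client_positions.db",
]


def sample_alerts():
    return correlate(SAMPLE_LOG)


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"{a['severity']:8} {a['rule']:20} {a['subject']:14} {a['detail']}")
```

The bulk-copy rule fires for the authorised `kyc_officer` account as well, which is the point of monitoring copying separately from access: the SIEM's role is to surface the anomaly and preserve the events so the response step can decide whether it was legitimate.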
Response and Recovery
As mentioned above, a SIEM tool generates alerts based on the monitoring and detection process. The outcomes of the detection step should therefore be investigated to determine the actions to be taken to contain the spread of malicious code or a data breach and to eradicate the attack. In this step, the firm is required to create a response and recovery plan focused on the rapid recovery of information systems after a cyber-attack takes place. SEBI specifies the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) that should guide the development of a recovery and response strategy (Kumar, 2015). The response policy should also define the activities to be performed by, and the responsibilities of, employees and contracted security experts. Loss of data should be analysed, and the process should be documented to improve future recovery processes. Firms should also test the response strategy regularly to determine its effectiveness.
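The regular test of the response strategy that the section asks for can be scored against the two objectives it names. The following is an added example, not code from the dissertation or from the SEBI circular: it checks a recovery drill against an RPO and an RTO, derives the worst-case data loss of a backup schedule, and handles the case where no usable backup precedes the incident. The backup times, incident time, objectives and the snapshot-at-start assumption are constructed.

```python
"""Check a recovery drill against the Recovery Point and Recovery Time Objectives.

Added example; the backup times, incident and objectives are constructed
values, not figures from the SEBI circular.
"""
from datetime import datetime, timedelta


def data_loss_window(backup_completions, incident_at):
    """Age of the newest backup completed before the incident, or None if there is none."""
    usable = [b for b in backup_completions if b <= incident_at]
    if not usable:
        return None
    return incident_at - max(usable)


def assess_recovery(backup_completions, incident_at, restored_at, rpo, rto):
    """Return whether a drill (or real incident) met the RPO and the RTO.

    RPO: how much data (measured in time) may be lost; compared with the age
    of the last usable backup. RTO: how long the service may be down;
    compared with the time from incident to restoration.
    """
    loss = data_loss_window(backup_completions, incident_at)
    downtime = restored_at - incident_at
    return {
        "data_loss": loss,
        "rpo_met": loss is not None and loss <= rpo,   # no usable backup -> RPO missed
        "downtime": downtime,
        "rto_met": downtime <= rto,
    }


def worst_case_data_loss(backup_interval, backup_duration):
    """Largest possible data loss for a periodic backup schedule.

    Assumption: a backup captures the state at its start but is only usable
    once it completes, so an incident just before a completion can lose one
    full interval plus the duration of the running backup.
    """
    return backup_interval + backup_duration


def max_backup_interval_for_rpo(rpo, backup_duration):
    """Longest interval between backup starts that still satisfies the RPO."""
    if backup_duration >= rpo:
        raise ValueError("backup takes longer than the RPO; no schedule can meet it")
    return rpo - backup_duration


# Constructed drill data.
BACKUPS = [datetime(2017, 11, 29, 22, 0), datetime(2017, 11, 30, 4, 0), datetime(2017, 11, 30, 10, 0)]
INCIDENT = datetime(2017, 11, 30, 11, 30)
RESTORED = datetime(2017, 11, 30, 14, 0)
RPO = timedelta(hours=4)
RTO = timedelta(hours=2)


def sample_assessment():
    return assess_recovery(BACKUPS, INCIDENT, RESTORED, RPO, RTO)


if __name__ == "__main__":
    result = sample_assessment()
    print(f"data loss {result['data_loss']} (RPO {RPO}) met={result['rpo_met']}")
    print(f"downtime  {result['downtime']} (RTO {RTO}) met={result['rto_met']}")
    print("max backup interval for RPO with 30 min backups:",
          max_backup_interval_for_rpo(RPO, timedelta(minutes=30)))
```

In the constructed drill the RPO is met but the RTO is missed, which is exactly the kind of finding the documentation step should record: the recovery procedure, not the backup schedule, is where the improvement is needed.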
Information Sharing
Organizations should develop a culture that promotes sharing detected attacks and threats, as well as mitigation strategies, with SEBI, other regulators, and industry security experts. This information is essential for improving existing standards, enhancing system, network, and information security, and mitigating future attacks.
Employee Training
Companies should undertake regular training sessions to improve system users' understanding and awareness of the cybersecurity framework. The training should be offered to both technical and non-technical staff. The programmes should be reviewed periodically and updated with new information about the latest attacks and security measures.
Cyber Security Plan
This section outlines the deliverables, timeframes, and resource estimates required for the execution of the cybersecurity policy highlighted above. The final date by which the various security controls will be implemented is provided in the proposed implementation schedule. Priority implementation of the critical elements of this cybersecurity policy will be accomplished by establishing the following:
• Training of staff
• Implementation of the technical, operational, management, and physical cyber security controls that address attacks arising from the use of IT assets
• Commencement of ongoing assessment and monitoring activities
Notably, full implementation of this cyber security program requires the following supporting tasks.
• Cyber security milestones
  o Initiate
    Developing a project charter
      • Security impact assessment (Deliverable)
  o Planning
    Developing a project management plan
      • Project management plan (Deliverable)
    Requirements collection
      • Security requirements (Deliverable)
  o Executing
    Developing a project team
    Acquiring tools and relevant technologies
      • Security training
      • Tool installation
    Project handoff
      • Transfer of responsibility
  o Closing
    • Documentation and lessons learned
Deliverables
Security requirements will be collected in line with the company policy and regulatory framework. These requirements will affect the costs of the project. A systematic approach will be used to elicit requirements; the methods used in this stage include interviews, policy reviews, observations, checklists, and system investigation. Apart from the security requirements, another deliverable is change control. The main activities involved include procedure development, critical IT asset examination, and the identification, scheduling, and implementation of IT asset security control measures.
Resources
A cybersecurity team will also be established for the execution of the project requirements. The team is required to have extensive experience and skills in cybersecurity control tools and technology. Moreover, a comprehensive training session will be conducted to ensure that competent experts are in place during program implementation and execution.
The table below shows the resources required for the execution.

Critical Control/Process/Tool                 | Applicability                                 | Resources
----------------------------------------------|-----------------------------------------------|---------------------------------------------------
Inventory of IT assets (devices and software) | Requirements gathering                        | People, documentation, and time
Vulnerability assessment                      |                                               | Project team
Application security                          | Gather requirements                           | Firewalls, patches, antivirus, penetration testers
Data recovery                                 | Backup plan                                   | Servers
Training and security skills assessment       | Training, staff expertise, recruiting experts | Trainer, time and money
Network equipment security                    |                                               | Firewalls, SIEM, and IDS/IPS
User privileges                               | Requirements gathering                        | User levels, least privilege policy
Timelines
The following cyber security program implementation schedule and milestones will apply. Each entry gives the implementation milestone, its duration, and the description and deliverables.

Team training (2 weeks)
The cyber security assessment team will need specialized knowledge of the cyber security space and control measures. The team will require additional training in the area to equip them with the information they need to meet the program requirements and objectives.
After two weeks, the following will be achieved:
• Development and availability of cyber security assessment procedures
• Development of team qualifications
• Completion of team training

Identification of critical IT assets to be protected (4 weeks)
Identification of critical assets will be performed.
After 4 weeks, the following will be achieved:
• Critical information assets will be established
• Critical systems will be identified

Develop cyber security defensive model (5 weeks)
The defensive strategy requires the analysis of the existing site, and includes policies, revisions, communication to stakeholders, and comparison to requirements.
At the end of 5 weeks, the following will be achieved:
• Detailed documentation of the defense strategy
• Revisions to existing security policies
• Planning the implementation of the new security program

Implement cyber security program (40 weeks)
The implementation of control measures protects critical IT assets from cyber-attacks. The threat vectors associated with electronic data access will be recognized. This includes the installation of hardware-based security measures and the development of software revisions to support the defense model.
By the end of 40 weeks, the following will be achieved:
• Installation of hardware to implement a defensive layer
• Implementation of operational, physical, and technical cyber security control measures that address attacks and threats on IT assets

Establish cyber security program policy (60 weeks)
The cyber security program will require policy development and upgrades in the organization. The proposed security controls will require the development of new technical processes for implementing the proposed measures. It also needs the development of approaches for automatic monitoring and review.
By the end of 60 weeks, the following will be performed:
• Procedures and policies will be created and modified to establish the cyber security framework
• Common controls will be developed, documented, and implemented
• Staff will be trained

Perform and document cyber security assessment (40 weeks)
Assessment performance will require document review, system configuration assessment, physical walkdowns, and electronic verification of communication.
By the end of 40 weeks, the following will be achieved:
• Cyber security assessment will be conducted and documented
Conclusion
This project is aimed at identifying and addressing cybersecurity issues in line with the SEBI Act 2013. In an ever-changing securities market, players and other participants must continuously adapt and respond to new threats. According to the above analysis, it is clear that cybersecurity is the most crucial challenge facing companies today. This report provides an overview of the issue with respect to SEBI requirements. It outlines a set of measures that participants should develop and deploy to enhance the security of their systems and information. The controls proposed in this project help organisations identify, detect, protect against, respond to, and recover from cyber-attacks.
As cyber-attacks evolve, this cybersecurity program will help an organisation maintain its operations and brand image and save money and other resources. As the above analysis shows, many companies today are experiencing data breach incidents that have led to the loss of crucial and valuable personal information. This document has recommended that a cybersecurity policy be developed, documented, reviewed, and updated on a regular basis. Significantly, the regulations and standards issued by governments, regulators, and the industry have formed a crucial starting point for the development of this cybersecurity framework. Companies should make sure that the plan helps them operate within the legal requirements. Moreover, the policy outlines the systems that should be put in place to protect critical applications, devices, networks, and information from cyber incidents. The policy communicates best practices for employers and employees to help mitigate attacks and recover in case of an event.
The dissertation has described the solutions and tools that companies should adopt to ensure that information remains secure and confidential. Similarly, the document serves as a reference for other regulators to improve existing industry standards and frameworks. Based on the above analysis, it is evident that securities market participants have a wide range of vulnerabilities to discover and mitigate. Fortunately, such organisations can deploy some of the existing security controls and tools to enhance information and system safety. Significantly, this cybersecurity policy should be integrated into the overall risk management program. Apart from adopting the security measures, information sharing is considered crucial since it helps the industry, firms, and regulators to change their security practices as threats evolve.
Nevertheless, documenting this cybersecurity framework is just an initial step towards protecting critical IT assets in the business. Once it has been created, firms must develop the strategy needed to deploy, manage, and maintain it, train users, and create accountability. Additionally, the document will be updated periodically.
References
2015 Cost of data breach: Global. (2015). Ponemon Institute. Retrieved from https://www.ponemon.org/blog/2015-cost-of-data-breach-global
Abdel-Aziz, A. (2012). Scoping security assessments – A project management approach. SANS Institute InfoSec Reading Room. Retrieved from https://www.sans.org/reading-room/whitepapers/auditing/scoping-security-assessments-project-management-approach-33673
Abomhara, M., & Koien, G. M. (2015). Cyber security and the Internet of Things: Vulnerabilities, threats, intruders, and attacks. Journal of Cyber Security, 4, 65-88.
Ali, H. (2014). Enemy within: The danger of insider hacking. CNBC. Retrieved from https://www.cnbc.com/2014/09/12/n-the-danger-of-insider-hacking.html
Biener, C., Eling, M., & Wirfs, J. H. (2017). Insurability of cyber risk: An empirical analysis. Working Papers on Risk Management and Insurance, 151.
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide. NIST Special Publication 800-61 Revision 2. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Conteh, N. Y., & Schmick, P. J. (2016). Cybersecurity: Risks, vulnerabilities, and countermeasures to prevent social engineering attacks. International Journal of Advanced Computer Research, 6(23).
Iberahim, H., et al. (2016). Customer satisfaction on reliability and responsiveness of self-service technology for retail banking services. Procedia Economics and Finance, 37, 13-20.
European Data Protection Supervisor. (2015). Meeting the challenges of big data. Retrieved from https://edps.europa.eu/sites/edp/files/publication/15-11-19_big_data_en.pdf
IOSCO. (2017). IOSCO research report on financial technologies (Fintech). Retrieved from https://www.iosco.org/library/pubdocs/pdf/IOSCOPD554.pdf
Kostrecova, E., & Binova, H. (2015). Security information and event management. Indian Journal of Research, 4(2).
Kumar, M. (2015). Circular: Cyber security and cyber resilience framework of stock exchanges, clearing corporation, and depositories. Securities and Exchange Board of India. Retrieved from http://www.sebi.gov.in/legal/circulars/jul-2015/cyber-security-and-cyber-resilience-framework-of-stock-exchanges-clearing-corporation-and-depositories_30221.html
Mueller, R. S. (2012). RSA Cybersecurity Conference. The FBI. Retrieved from https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies
Pawar, M. V., & Anuradha, J. (2015). Network security and types of attacks in network. Procedia Computer Science, 48, 503-506.
PwC. (2016). Global State of Information Security Survey 2016 report. Retrieved from http://www.cyberriskinsuranceforum.com/content/pwc-global-state-information-security-survey-2016-report
Reurink, A. (2016). Financial fraud: A literature review. Max Planck Institute for the Study of Societies. Retrieved from http://pubman.mpdl.mpg.de/pubman/item/escidoc:2281585:4/component/escidoc:2281583/mpifg_dp16_5.pdf
Samuel, K. O., & Osman, W. R. S. (2014). Cyber terrorism attack of the contemporary information technology age: Issues, consequences, and panacea. International Journal of Computer Science and Mobile Computing, 3(5), 1082-1090.
Sharifi, A. A., et al. (2014). Intrusion detection and prevention systems (IDPS) and security issues. International Journal of Computer Science and Network Security, 14(11).
APPENDIX
Overview of documents and regulations crucial to corporate cybersecurity
This section outlines the important documents and regulations that are crucial to the successful implementation of cyber security frameworks.
I) NIST – Framework for enhancing security of critical data and information systems
II) IOSCO AMCC – The Affiliate Members Consultative Committee (AMCC) is the cyber resilience task force that offers preliminary findings