SEBI's CSCRF: Identity, Authentication & Access Control

Introduction

Identity management, authentication, and access control form a critical component of cybersecurity, ensuring that only authorized users, devices, and processes can access sensitive systems and data. As per the SEBI Cybersecurity and Cyber Resilience Framework (CSCRF), Regulated Entities (REs) are required to implement strict access control policies to minimize the risk of unauthorized access, data breaches, and insider threats. This article explores how REs can effectively approach access control (PR.AA) in compliance with the CSCRF guidelines.

Understanding PR.AA (Identity Management, Authentication, and Access Control)

PR.AA focuses on enforcing identity verification, access restrictions, and privileged access management to protect organizational data, networks, and systems.

Key Objectives:

  1. Restrict Access to Authorized Users – Ensure that only approved personnel, third-party vendors, and applications access critical IT resources.
  2. Implement Strong Authentication Mechanisms – Utilize Multi-Factor Authentication (MFA) and robust password policies.
  3. Monitor and Review Access Rights Periodically – Conduct regular audits of user permissions and privileges.
  4. Prevent Unauthorized Network Access – Enforce Zero Trust security models to limit internal and external risks.
  5. Secure Privileged Accounts – Deploy Privileged Identity Management (PIM) solutions to restrict administrative access.

Approach to PR.AA Implementation in Line with SEBI CSCRF

1. Establish a Comprehensive Access Control Policy

  • Develop a documented access control policy that defines who can access what based on role-based access control (RBAC) and principle of least privilege (PoLP).
  • Ensure MFA implementation for all users accessing critical systems, especially from external or untrusted environments.
  • Integrate automated identity lifecycle management solutions to onboard, modify, and revoke access dynamically.

CSCRF Compliance Reference: “Access granted to IT systems, applications, databases, and networks shall be on a need-to-use basis and based on the principle of least privilege.”


2. Strengthen Authentication Mechanisms

  • Require strong password policies that include:
    ◦ Minimum password length and complexity
    ◦ Frequent password changes with history tracking
    ◦ Restrictions on default and shared passwords
  • Enforce Multi-Factor Authentication (MFA) for:
    ◦ All critical systems accessible over the internet
    ◦ VPN, remote access, and privileged accounts
  • Implement biometric authentication for high-risk transactions and privileged access.

CSCRF Compliance Reference: “All critical systems accessible over the internet shall have multi-factor authentication (MFA).”

3. Implement Zero Trust Security Model

  • Ensure that no device or user is trusted by default, even if they are inside the organization’s network.
  • Use identity and context-based access policies to limit exposure.
  • Segment network access to restrict east-west traffic, preventing lateral movement in case of compromise.

CSCRF Compliance Reference: “REs shall follow Zero Trust Model to allow individuals, devices, and resources to access organization's resources.”

4. Secure Privileged Access with Privileged Identity Management (PIM)

  • Implement a Privileged Access Management (PAM) solution to manage admin accounts.
  • Monitor privileged account activities using session recording and real-time alerts.
  • Use time-bound and approval-based access for critical changes.

CSCRF Compliance Reference: “Privileged users' activities shall be reviewed periodically. Access restriction shall be there for employees as well as third-party service providers.”

5. Continuous Monitoring and Audit of Access Control

  • Conduct quarterly access reviews to detect inactive, excessive, or unauthorized permissions.
  • Maintain detailed access logs of all activities and retain them for at least two years.
  • Deploy Security Information and Event Management (SIEM) tools to monitor anomalous access patterns.

CSCRF Compliance Reference: “User logs shall be uniquely identified and stored for a specified period.”
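The periodic access review in section 5 can be expressed as a script run over an entitlement export, checking the controls from sections 1, 2 and 4 at the same time: least privilege against an RBAC matrix, dormant accounts, MFA on internet-facing access, and lapsed time-bound privileged access. This is an added example, not the article's or SEBI's own code; the RBAC matrix, the 90-day inactivity threshold, the review date and the account records are all constructed assumptions.

```python
from datetime import date, timedelta

# Assumed review parameters (not prescribed by the CSCRF text quoted above).
REVIEW_DATE = date(2025, 3, 31)
INACTIVITY_DAYS = 90

# Assumed RBAC matrix: the entitlements each job function legitimately needs.
ROLE_ENTITLEMENTS = {
    "trader": {"oms_user", "market_data"},
    "dba": {"db_admin", "backup_operator"},
    "vendor_support": {"ticketing"},
}

def d(days_ago):
    """A date `days_ago` days before the review date."""
    return REVIEW_DATE - timedelta(days=days_ago)

# Constructed sample entitlement export (not real accounts).
ACCOUNTS = [
    {"user": "asha", "role": "trader", "entitlements": {"oms_user", "market_data"},
     "last_login": d(3), "mfa": True, "internet_facing": True, "privileged_until": None},
    {"user": "ravi", "role": "trader", "entitlements": {"oms_user", "db_admin"},
     "last_login": d(120), "mfa": True, "internet_facing": False, "privileged_until": None},
    {"user": "svc-vendor1", "role": "vendor_support", "entitlements": {"ticketing"},
     "last_login": d(1), "mfa": False, "internet_facing": True, "privileged_until": None},
    {"user": "meera", "role": "dba", "entitlements": {"db_admin", "backup_operator"},
     "last_login": d(2), "mfa": True, "internet_facing": False, "privileged_until": d(10)},
]

def review_access(accounts, review_date=REVIEW_DATE):
    """Return (user, finding, detail) tuples for the reviewer to action."""
    findings = []
    for a in accounts:
        # Least privilege: anything beyond the role's entitlements is excessive.
        excessive = a["entitlements"] - ROLE_ENTITLEMENTS.get(a["role"], set())
        if excessive:
            findings.append((a["user"], "excessive_entitlement", sorted(excessive)))
        # Dormant accounts are candidates for revocation.
        idle = (review_date - a["last_login"]).days
        if idle > INACTIVITY_DAYS:
            findings.append((a["user"], "inactive", f"{idle} days"))
        # Internet-facing access to critical systems must have MFA.
        if a["internet_facing"] and not a["mfa"]:
            findings.append((a["user"], "mfa_missing", None))
        # Time-bound privileged access that has lapsed must be removed.
        exp = a["privileged_until"]
        if exp is not None and exp < review_date:
            findings.append((a["user"], "privilege_expired", exp.isoformat()))
    return findings

if __name__ == "__main__":
    for user, kind, detail in review_access(ACCOUNTS):
        print(f"{user:12} {kind:22} {detail}")
```

Each finding maps back to a quoted CSCRF requirement, so the output doubles as evidence for the quarterly review record.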

Challenges and Solutions

Conclusion

Access control under SEBI’s CSCRF is not just about restricting access but ensuring a secure, monitored, and risk-aware environment. By implementing strong authentication mechanisms, Zero Trust models, privileged access management, and continuous monitoring, REs can meet compliance requirements and enhance their cybersecurity resilience.

By proactively securing access to sensitive IT resources, REs can significantly reduce risks associated with insider threats, cyber-attacks, and unauthorized data breaches.
