Tag Archive for: Framework
Key Principles That Should Guide a Software Security Framework
These days, software development frameworks used to create applications are better than ever. It is now relatively easy to build an app and make it available to the public. Unfortunately, this advancement in technology is matched by an improvement in the tactics hackers use for cyberattacks.
There are also hacking groups that can coordinate large-scale botnet attacks. In some cases, hackers are backed by powerful nations and are encouraged to launch attacks against their enemies.
The internet is now widely used, and software connects many people across the globe. People in different locations transfer sensitive files to one another, which cybercriminals can intercept. This means security should play an important role when developing software. The security systems must be able to withstand numerous hours of runtime and cyberattacks.
Sadly, no application software is 100% secure, and there will always be bugs and hackers that can slip through the cracks. Fortunately, it is possible to create software with a rigorously secure application design, which would limit the damage. Software developers have to follow some essential principles when designing applications, such as the following
- Principle of Least Privilege
This means that people on a network should only be granted as much as they need to get tasks done. For example, a company that keeps its customers’ personal information should make that information only available to people critical to the business. Junior-level employees should be restricted from that sensitive data and information from other departments. These restrictions would limit the information hackers can access if they ever gain access to an employee’s account.
- Principle of Defense in Depth
This principle guides software developers to design their programs such that intruders will not have access to it in the first place. It is done by programming the system to inform cybersecurity personnel once it has been breached. This alert will make the personnel take actions that will ward away the hacker before they can cause any harm to the system.
- Principle of Failing Securely
Application defense systems should be designed to lock down the entire system when it…
Sebi tweaks cyber security, cyber resilience framework for AMCs
Capital markets regulator Sebi on Thursday tweaked the cyber security and cyber resilience framework for asset management companies (AMCs) and mandated them to conduct a comprehensive cyber audit at least twice in a financial year. Along with the cyber audit reports, AMCs have been asked to submit to stock exchanges and depositories a declaration from the MD and CEO, certifying compliance by them with all Sebi guidelines and advisories related to cyber security issued from time to time, according to a circular.
The new framework will come into force from July 15.
Under the modified framework, the asset management firms need to identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management.
Further, business-critical systems, internet-facing applications/systems, systems containing sensitive data, sensitive personal data, sensitive financial data, and personally identifiable information data, among others, should all be considered critical assets.
All auxiliary systems that connect to or communicate with critical systems, whether for operations or maintenance, must be designated as critical systems as well.
The board of AMC is required to approve the list of critical systems.
“To this end, Mutual funds/ AMCs shall maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows,” Sebi said.
According to Sebi, they must conduct regular Vulnerability Assessments and Penetration Tests (VAPT) that include critical assets and infrastructure components in order to detect security vulnerabilities in the IT environment and an in-depth evaluation of the security posture of the system through simulations of real attacks on their systems and networks.
AMCs are required to conduct VAPT at least once in a financial year. However, for the mutual funds/ AMCs, whose systems have been identified as “protected system” by National Critical Information Infrastructure Protection Centre (NCIIPC) need to conduct VAPT at least twice in a financial year.
Further, they are required to engage only CERT-In…