Security Incident and Event Management Procedure

Governance

Regulatory Mandate

The cyber security and cyber resilience policy (“Policy”) has been formulated in accordance with the regulatory requirements of various RBI circulars.

RBI circulars make it mandatory for all NBFC entities operating in India to adopt a comprehensive policy on Security Incident and Event Management Procedure.

Purpose

The main purpose of Security Incident and Event Management Procedure is to:

  • Ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

Scope and Applicability

This Policy informs, protects and is applicable to all informational assets and operational systems accessed and utilised by Zerodha Capital’s employees, partners, service providers, vendors, third party contractors and customers.

The policy statements written in this document are applicable to all of Zerodha Capital’s resources at all levels of sensitivity; including:

  • All full-time, part-time and temporary staff employed by, or working for or on behalf of Zerodha Capital.
  • Contractors and consultants working for or on behalf of Zerodha Capital.
  • All other individuals and groups who have been granted access to Zerodha Capital’s Information and Communication systems and information.

This policy covers all information assets defined in the Risk Assessment Scope Document and will be used as a foundation for information security management.

Periodic Review

This policy shall be reviewed once every year by the IT Committee unless the owner considers an earlier review necessary to ensure that the policy remains current. Changes of this policy shall be exclusively performed by the Designated Officer and approved by Management. A change log shall be kept current and be updated as soon as any change has been made.

Enforcement / Compliance

Compliance with this policy is mandatory and is to be reviewed periodically by the Designated Officer. Zerodha Capital’s tech departments shall ensure continuous compliance monitoring against this policy. Persons who ignore or infringe the information security directives will be held responsible, which may result in disciplinary or corrective action (e.g., dismissal) and legal investigation. Correct and fair treatment of employees who are under suspicion of violating security directives (e.g., during disciplinary action) has to be ensured. Management and the Human Resources Department shall be informed of policy violations and shall handle their treatment.

Waiver

The IT security team shall consider exceptions on an individual basis. For an exception to be approved, a business case outlining the rationale for the request shall accompany it. Exceptions to the policy compliance requirement shall be authorized and approved by the Designated Officer. Each waiver request shall include the justification and the benefits attributed to the waiver. A policy waiver is valid for a maximum period of 4 months and shall be reassessed and re-approved, if necessary, for a maximum of three consecutive terms. No waiver shall be granted for more than three consecutive terms.

Roles and Responsibilities (RACI Matrix)

Table 1 shows the RACI matrix that identifies who is responsible, accountable, consulted or informed for every task that needs to be performed. The roles involved in this policy are: Management, Information Security Officer/Designated Officer (ISO), IT Committee (ITC), Legal Department and User (Employee and Contractor).

Responsibilities (columns in order: Management, ITC, ISO, Legal, User)
Establishing security incident management framework. I R,C R,A I
Developing and reviewing the processes, framework, policy and procedures for incident management. I R,C R,A I
Developing and reviewing the guidelines for incident handling and classification. I R,C R,A I
Identifying, documenting and maintaining rules for collection, retention and presentation of information security incident evidence. I R,C R,A I
Coordinating a response to actual or suspected breaches in the confidentiality, integrity or availability of critical Zerodha Capital’s business information. I R,C R,A
Investigating breaches of security controls, and implementing additional compensating controls when necessary. I R,C R,A
Managing the response to an incident and ensuring that all procedures are correctly followed. I R,C R,A
Reviewing incidents to determine what lessons can be learnt and what process improvement may be required. I R,C R,A
Reviewing and recommending technologies to manage and respond to any possible incidents. I R,C R,A
Reporting to Management any serious incidents that may require a critical decision. I R,C R,A
Providing the expert legal advice that is necessary for other departments to provide services in a manner that is fully compliant with existing laws and regulations. C C R,A I
Adhering to information security policies, guidelines and procedures pertaining to the protection of information. C C R,A,I
Reporting actual or suspected security incidents to the IT Committee. I C C R,A,I

R - Responsible, A - Accountable (or Approver), C - Consulted, I - Informed

Relevant Documents

The following are the policies and procedures relevant to this policy:

  • Information Security Policy
  • Physical and Environmental Security Policy
  • Asset Management Policy
  • Access Control Policy
  • Information Security Aspects of Business Continuity Policy
  • Compliance Policy
  • Risk Management Procedure
  • Incident Response Procedure

SOP Statements

The following subsections present the policy statements in two main aspects:

  • Reporting Information Security Events.
  • Documenting applicable SIEM use cases.

Reporting Information Security Events

  1. The Designated Officer, in cooperation with the Internal Technology Committee, shall develop an “Information Security Incident Management Form” for reporting all security violations/incidents, which establishes a quick response mechanism for information security incidents.
  2. All of Zerodha Capital’s employees shall understand, and be able to identify, any unexpected or unusual behaviour on the assets which could indicate a software malfunction or a security event. Security events may include, but are not limited to:
    • Uncontrolled system changes.
    • Access violations (e.g., password sharing).
    • Breaches of physical security.
    • Systems being hacked or manipulated.
    • Loss of information confidentiality (e.g., data theft).
    • Compromise of information integrity (i.e., damage to data or unauthorized modification).
    • Misuse of information, assets and/or services.
    • Infection of systems by unauthorized or harmful programs and/or software.
    • Unauthorized access attempt.
    • Unauthorized changes to hardware, software or infrastructure configuration.
    • Unusual system behavior.
  3. If a security event is detected, users shall perform the following:
    • Note the symptoms and any error messages on screen.
    • Disconnect the workstation from the network if an infection is suspected (with assistance from the IT Committee).
    • Not use any removable media (e.g., USB memory sticks) that may also have been infected.
  4. All of Zerodha Capital’s employees shall immediately report all suspected security related events to the IT Committee. The information supplied shall include, but not be limited to:
    • Contact name and number of person reporting the incident.
    • The type of information or equipment involved.
    • Whether the loss of the information puts any person or other data at risk.
    • Location of the incident.
    • Inventory numbers of any equipment affected.
    • Date and time the security incident occurred.
    • Location of data or equipment affected.
    • Type and circumstances of the incident.
  5. The IT Committee shall generate reports on incidents on a monthly basis and consolidate them into the ITC Service Report every quarter.
  6. Any incident stated under the CERT-In Cybersecurity directions and meeting the below criteria shall be mandatorily reported within 6 hours of noticing/detecting such incidents or being brought to notice about such incidents:
    • Cyber incidents of severe nature (such as Denial of Service, Distributed Denial of Service, intrusion, spread of computer contaminant, including Ransomware) on any part of the public information infrastructure, including backbone network infrastructure.
    • Data breaches or data leaks.
    • Large-scale or most frequent incidents such as intrusion into computer resources, websites etc.
    • Cyber incidents impacting the safety of human beings.
  7. Zerodha Capital shall report the Cyber Security incident to the Indian Computer Emergency Response Team (CERT-In). If the Cyber Security incident is not reported to CERT-In, members shall submit the reasons for the same to the RBI. Zerodha Capital shall communicate with CERT-In/Ministry of Home Affairs (MHA)/Cyber Security Cell of Police for further assistance on the reported Cyber Security incident.
  8. The details of the reported Cyber Security incident and the submissions to the various agencies by Zerodha Capital shall also be submitted to the Division Chiefs (in charge of divisions at the time of submission) of RBI.
  9. The Designated Officer of Zerodha Capital shall continue to report any unusual activities and events within 6 hours of receipt of such information, as well as submit the quarterly report on cyber-attacks and threats within 15 days after the end of the respective quarter, in the manner specified in NSE circular NSE/INSP/44826 dated June 30, 2020.
  10. For cybersecurity incidents categorized as Critical or High (incidents with high impact and broad reach), Zerodha Capital shall issue a press release within one working day from the intimation of normalcy of operation to the Exchange. The press release shall include, but not be limited to, a brief of the incident, actions taken to recover, normal operation resumption status (once achieved), etc., and shall inform all the affected customers/stakeholders.

REF: [ISO/IEC 27001: A.6.8]

Procedure to be followed for reporting incidents to authorities

SOP in case of instant reporting

  1. As soon as an incident occurs, the IT security team shall seek a report of the incident from Cloudflare and/or AWS.
  2. The IT Security team shall use the incident reporting form as per Annexure A and prepare a report within 6 hours of the occurrence of the event.
  3. The report along with the necessary annexures will be mailed to the Compliance officer.
  4. The compliance officer shall email/ upload the report to the following entities within 6 hours from the occurrence of the incident:
  5. A root cause analysis (RCA) report shall be sought from the service provider (Cloudflare and/or AWS) within 1 week of the occurrence of the incident.
  6. A learning statement will be prepared by the technology team and the same shall be passed onto the IT Security team.

SOP in case of quarterly reporting

  1. The IT security team shall seek reports of the incidents from Cloudflare and/or AWS as and when the events have occurred.
  2. The IT Security team shall use the incident reporting form as per Annexure A and prepare a quarterly report within 7 days from the end of the quarter.
  3. The report along with the necessary annexures will be mailed to the Compliance officer.
  4. The compliance officer shall email/ upload the report to the following entities within 15 days from the end of the quarter:
  5. A consolidated learning statement of the quarter will be prepared by the IT Security team and the same shall be passed onto the technology team.

SOP for AWS (Cloud) Security Events

Log Collection and Configuration:
  • Configure AWS CloudTrail to capture and store logs for API activity across AWS services.
  • Enable AWS Config to capture configuration changes and track compliance.
  • Integrate AWS CloudWatch Logs with the SIEM solution (Grafana, Wazuh) to collect and analyze logs from EC2 instances, Lambda functions, and other AWS resources.
  • Configure VPC Flow Logs to capture network traffic and detect potential security incidents.
  • Implement AWS Security Token Service (STS) to provide temporary credentials for log collection.
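The five collection controls above are only useful if they are actually in place in every account. As an added example (not part of this procedure and not Zerodha Capital's own tooling), the Python below checks an account snapshot against them: an active, multi-region, integrity-validated CloudTrail trail; an AWS Config recorder that records all resource types including global ones such as IAM; and an active VPC Flow Log for ALL traffic on every VPC. The snapshot is constructed and only mirrors the field names returned by `aws cloudtrail describe-trails` / `get-trail-status`, `aws configservice describe-configuration-recorders` / `describe-configuration-recorder-status` and `aws ec2 describe-flow-logs`; populating it from live calls (for example with boto3) is assumed and not shown. The STS bullet (temporary credentials for the collector) is not checked here.

```python
"""Log-collection posture check for the controls listed in this SOP.

Added example, not part of the original procedure and not Zerodha Capital's
tooling. Evaluates a snapshot dict shaped like the AWS CLI output of
cloudtrail describe-trails / get-trail-status, configservice
describe-configuration-recorders (merged with -status) and ec2
describe-flow-logs. The snapshot below is constructed; names and IDs are
placeholders, and no AWS API is called.
"""

# Constructed account snapshot (placeholder names and IDs, not real resources).
CONSTRUCTED_SNAPSHOT = {
    "trails": [
        {   # fields from describe-trails, plus IsLogging from get-trail-status
            "Name": "example-org-trail",
            "IsMultiRegionTrail": True,
            "LogFileValidationEnabled": True,
            "S3BucketName": "example-cloudtrail-bucket",
            "IsLogging": True,
        },
    ],
    "config_recorders": [
        {   # recordingGroup from describe-configuration-recorders,
            # recording from describe-configuration-recorder-status
            "name": "default",
            "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False},
            "recording": True,
        },
    ],
    "vpc_ids": ["vpc-0example0001", "vpc-0example0002"],
    "flow_logs": [
        {"ResourceId": "vpc-0example0001", "TrafficType": "ALL", "FlowLogStatus": "ACTIVE"},
    ],
}


def check_cloudtrail(trails):
    """API activity must be captured by an active, multi-region trail whose
    log files are integrity-validated (tamper evidence for the audit trail)."""
    findings = []
    active = [t for t in trails if t.get("IsLogging")]
    if not active:
        return [("critical", "cloudtrail", "no trail is currently logging")]
    if not any(t.get("IsMultiRegionTrail") for t in active):
        findings.append(("high", "cloudtrail", "no active trail covers all regions"))
    for t in active:
        if not t.get("LogFileValidationEnabled"):
            findings.append(("medium", "cloudtrail",
                             f"trail {t['Name']} lacks log file validation"))
    return findings


def check_config(recorders):
    """AWS Config must record configuration changes for all resource types,
    including global ones (IAM), otherwise change tracking has blind spots."""
    findings = []
    recording = [r for r in recorders if r.get("recording")]
    if not recording:
        return [("high", "aws-config", "no configuration recorder is recording")]
    for r in recording:
        group = r.get("recordingGroup", {})
        if not group.get("allSupported"):
            findings.append(("medium", "aws-config",
                             f"recorder {r['name']} does not record all supported resource types"))
        if not group.get("includeGlobalResourceTypes"):
            findings.append(("medium", "aws-config",
                             f"recorder {r['name']} excludes global resource types (e.g. IAM)"))
    return findings


def check_flow_logs(vpc_ids, flow_logs):
    """Every VPC needs an ACTIVE flow log for ALL traffic; a VPC without one
    is invisible to the SIEM's network-level detections."""
    covered = {f["ResourceId"] for f in flow_logs
               if f.get("FlowLogStatus") == "ACTIVE" and f.get("TrafficType") == "ALL"}
    return [("high", "vpc-flow-logs", f"{vpc} has no active flow log for ALL traffic")
            for vpc in vpc_ids if vpc not in covered]


def assess(snapshot):
    """Run all checks; an empty list means the logging controls are in place."""
    return (check_cloudtrail(snapshot["trails"])
            + check_config(snapshot["config_recorders"])
            + check_flow_logs(snapshot["vpc_ids"], snapshot["flow_logs"]))


if __name__ == "__main__":
    for severity, control, message in assess(CONSTRUCTED_SNAPSHOT):
        print(f"[{severity.upper()}] {control}: {message}")
```

On the constructed snapshot the trail passes, while the Config recorder is flagged for excluding global resource types and the second VPC for having no flow log; a scheduled run of such a check is a simple way to evidence, for the quarterly report, that the collection controls stayed in place.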
Incident Response Phases and Responsibilities (by phase):
Discovery
  • Monitor SIEM alerts, log analysis, and threat intelligence feeds to identify potential security incidents. Recommended SIEM solutions for AWS services: AWS Security Hub, Grafana, Wazuh.
  • Update Incident Management Tracker.
Investigation
  • Conduct a thorough analysis of the incident, including log correlation, network traffic analysis, and system forensics.
  • Tools:
    1. Grafana: Utilize Grafana as a visualization and monitoring tool to create custom dashboards and visualize SIEM data. Configure Grafana to connect with the SIEM solution and display real-time metrics, alerts and visualizations for incident investigation.
    2. Wazuh: Integrate Wazuh, an open-source host-based intrusion detection system, with the SIEM solution. Leverage Wazuh's log analysis capabilities and rulesets to detect and investigate security incidents on AWS instances and containers.
Communication
  • Establish communication channels with relevant stakeholders, including the incident response team, Cloud Steering Committee, Senior management and the Board/KMP, depending on the severity of the incident. Internal forums, email, instant messaging, phone calls, etc. are to be used.
Containment
  • Identify compromised systems or affected resources.
  • Isolate or quarantine the compromised systems from the network to prevent further spread of the incident.
  • Disable or revoke compromised user accounts or credentials.
  • Implement network segmentation or access controls to limit lateral movement.
  • Utilize network security tools, such as firewalls and intrusion prevention systems, to block malicious traffic.
  • Use host-based security tools to enforce restrictions and prevent unauthorized access.
  • Implement temporary compensating controls to ensure critical business functions continue while containing the incident.
Eradication
  • Identify the root cause of the incident and the initial attack vector.
  • Remove or patch vulnerabilities that were exploited during the incident.
  • Conduct a comprehensive system-wide scan for malware or malicious files using tools like ClamAV or Sophos.
  • Utilize open-source malware analysis tools like Cuckoo Sandbox to analyze and understand the behavior of identified malware.
  • Remove or disable any malicious or unauthorized software, user accounts, or backdoors.
  • Update security configurations and policies to mitigate similar incidents in the future.
  • Conduct a thorough review of system logs, including system and application logs, to identify any residual traces of the incident.
Recovery
  • Restore affected systems and services from known good backups.
  • Validate the integrity and security of backups before restoring them.
  • Apply necessary patches and updates to ensure systems are up to date.
  • Conduct post-recovery testing to validate the functionality and security of restored systems.
  • Monitor the restored systems for any signs of re-infection or further compromise.
  • Reinstate access controls and permissions based on the principle of least privilege.
  • Communicate with stakeholders and users about the recovery process and any necessary actions they need to take.
Post-incident Analysis
  • Conduct a thorough review of incident response procedures and identify areas for improvement.
  • Perform a root cause analysis to understand the underlying factors that contributed to the incident.
  • Utilize log analysis tools to analyze and correlate logs from various sources.
  • Share findings and lessons learned with relevant teams and stakeholders to enhance incident response capabilities.
  • Update incident response plans and procedures based on the lessons learned.
  • Engage in threat intelligence sharing communities or forums to stay informed about emerging threats and prevention measures.
Crisis Communication Procedures:

Follow the crisis communication plan as per the predefined communication channels and loop in the designated personnel.

Call Trees for necessary POCs (in calling order):
  1. Incident Response Team: Esha S Marakini ([email protected])
  2. Board/KMP: Meetal T Jain ([email protected])
Reporting Requirements:
  • Draft the incident report with incident details, including the nature of the incident, impact assessment, containment measures, and root cause analysis.
  • Submit the report to management, regulatory bodies, and stakeholders to demonstrate compliance and the effectiveness of the SIEM solution.

SOP to be followed post incident-reporting

As outlined in the aforementioned exchange circular, the following timelines apply to post-incident reports and submissions:

Report / Activity: Timeline for Submission
  1. Submission of Cyber Incident reporting (Immediate Submission): within 6 hours
  2. Immediate Mitigation Measure Report: on the same day
  3. Interim Report: T + 3 days
  4. Mitigation Measure Report: T + 7 days
  5. Root Cause Analysis (RCA) report along with recommendations from the Technology Committee of the RE: T + 30 days
  6. Forensic Audit Report (on the incident) and its closure report*: refer to the Forensic Investigation/Audit section given below*
  7. Vulnerability Assessment and Penetration Testing (VAPT) for the cyber incident and its closure reports: T + 45 days
  8. Any other report advised by RBI: as per the timelines advised by RBI

*Forensic Investigation/Audit

  • For all incidents classified as High or Critical, a forensic audit/investigation report shall be submitted.
  • For incidents classified as low or medium, a forensic report shall be submitted if the RCA is inconclusive or if the RBI directs the same.
  • After the completion of the forensic audit, a final closure report is to be submitted, which shall include the root cause of the incident, its impact and measures to prevent recurrence. The maximum period for the submission of a forensic audit report shall be 75 days from the date of reporting of the incident.
  • For all issues/observations submitted in the forensic report, a timeline for fixing them shall be submitted along with the forensic investigation/audit report. Once the issues are resolved, a closure report, after review of the report by the IT Committee (ITC), shall be filed with the appropriate regulatory bodies (RBI).

Documenting SIEM Use Cases

Security information and event management (SIEM) systems aggregate security data from across the organization (Zerodha Capital); help security teams detect and respond to security incidents; and create compliance and regulatory reports about security-related events. Because SIEM is a core security infrastructure with access to data across Zerodha Capital, there is a large variety of SIEM use cases.

As such, the IT Security team shall consider the use cases presented in the Policy document to detect any compromising incidents, identify the users and entities affected, investigate the impact of such incidents on the organization, and prevent further damage.
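The Discovery phase of the AWS SOP and this subsection both rely on SIEM use cases that turn the collected logs into alerts. As an added example (not part of this procedure and not Zerodha Capital's own ruleset), the Python below runs four such use cases over constructed CloudTrail-style records: repeated console login failures from one source, any root account activity, tampering with the trail itself (StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors), and a security group ingress opened to the whole internet. The records only mimic the CloudTrail record layout (eventTime, eventName, userIdentity, sourceIPAddress, responseElements, requestParameters); the account ID, user names and IP addresses are placeholders. A Wazuh or Grafana rule expressing the same logic would be the production form of each use case.

```python
"""SIEM detection use cases over constructed CloudTrail-style events.

Added example; not part of the original procedure and not Zerodha Capital's
own ruleset. The records are constructed and only mimic the CloudTrail record
layout. Account ID, user names and IP addresses are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT = "123456789012"  # placeholder account ID


def make_event(time, name, user=None, root=False, src="198.51.100.23", **extra):
    """Build one constructed CloudTrail-like record for an IAM user or the root account."""
    identity = ({"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"} if root
                else {"type": "IAMUser", "userName": user,
                      "arn": f"arn:aws:iam::{ACCOUNT}:user/{user}"})
    return {"eventTime": time, "eventName": name, "userIdentity": identity,
            "sourceIPAddress": src, **extra}


def ingress_params(cidr, port):
    """requestParameters of an AuthorizeSecurityGroupIngress call opening one TCP port to one CIDR."""
    return {"requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": port, "toPort": port,
         "ipRanges": {"items": [{"cidrIp": cidr}]}}]}}}


FAILED = {"responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"}

# Constructed sample events, deliberately out of order to show time-ordered processing.
SAMPLE_EVENTS = [
    make_event("2024-05-01T09:30:00Z", "AuthorizeSecurityGroupIngress", "ops-analyst", **ingress_params("0.0.0.0/0", 22)),
    make_event("2024-05-01T09:00:00Z", "ConsoleLogin", "ops-analyst", **FAILED),
    make_event("2024-05-01T09:02:00Z", "ConsoleLogin", "ops-analyst", **FAILED),
    make_event("2024-05-01T09:04:00Z", "ConsoleLogin", "ops-analyst", **FAILED),
    make_event("2024-05-01T09:15:00Z", "ConsoleLogin", root=True, src="203.0.113.7",
               responseElements={"ConsoleLogin": "Success"}),
    make_event("2024-05-01T09:20:00Z", "StopLogging", "ops-analyst", requestParameters={"name": "example-org-trail"}),
    make_event("2024-05-01T09:31:00Z", "AuthorizeSecurityGroupIngress", "ops-analyst", **ingress_params("10.0.0.0/8", 443)),
    make_event("2024-05-01T09:40:00Z", "DescribeInstances", "ops-analyst"),
]

LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def world_open_ports(event):
    """(protocol, fromPort, toPort) entries that an ingress call opened to 0.0.0.0/0 or ::/0."""
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    opened = []
    for perm in perms:
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        if any(r.get("cidrIp") in WORLD_CIDRS or r.get("cidrIpv6") in WORLD_CIDRS for r in ranges):
            opened.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")))
    return opened


def run_detections(events, failure_threshold=3, window=timedelta(minutes=10)):
    """Apply the four use cases in event-time order; returns (rule, actor, detail) alerts."""
    alerts = []
    failures = defaultdict(list)  # (actor, source IP) -> failure timestamps inside the window
    for ev in sorted(events, key=_ts):
        name, actor = ev["eventName"], _actor(ev)
        # Use case 1: root account activity is always reviewed.
        if ev.get("userIdentity", {}).get("type") == "Root":
            alerts.append(("root_account_activity", actor, name))
        # Use case 2: changes that weaken or stop the audit trail.
        if name in LOGGING_TAMPER:
            alerts.append(("cloudtrail_tampering", actor, name))
        # Use case 3: N console login failures from one source within the window (alerts once, at the Nth).
        if name == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            key, now = (actor, ev.get("sourceIPAddress")), _ts(ev)
            failures[key] = [t for t in failures[key] if now - t <= window] + [now]
            if len(failures[key]) == failure_threshold:
                alerts.append(("console_login_failures", actor, f"{failure_threshold} failures from {key[1]}"))
        # Use case 4: security group ingress opened to the whole internet.
        if name == "AuthorizeSecurityGroupIngress":
            for proto, lo, hi in world_open_ports(ev):
                alerts.append(("world_open_ingress", actor, f"{proto} {lo}-{hi}"))
    return alerts


if __name__ == "__main__":
    for rule, actor, detail in run_detections(SAMPLE_EVENTS):
        print(f"{rule:<24} {actor:<40} {detail}")
```

Each alert carries the actor and a detail string so it can be pasted straight into the Incident Management Tracker the Discovery phase requires; the StopLogging alert in particular should be treated as high severity, since it removes the evidence every later phase depends on.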

Post-mortem of the Information Security Incident

Should there be any Information Security Incident within the organization, it is crucial to learn from the incident, understand its nature, identify its root cause, and implement proactive measures to prevent any recurrence of any incident of a similar nature.

Therefore, a post-mortem report of the incident must be furnished to all relevant stakeholders using any or all of the organization’s internal communication mediums. The report may comprise the following attributes:

  1. Incident Overview
    • Date and Time: Specify when the incident occurred.
    • Incident Type: Define the nature of the incident (e.g., data breach, DDoS attack, unauthorized access).
    • Impact: Describe the impact on systems, data, operations, and stakeholders.
  2. Timeline of Events
    • Incident Discovery: When and how was the incident first detected?
    • Incident Response: Outline the actions taken during the incident response process.
    • Containment: Detail how the incident was contained to prevent further damage.
  3. Root Cause Analysis
    • Immediate Cause: Identify the trigger that led to the incident.
    • Contributing Factors: List any factors that contributed to the incident (e.g., misconfigurations, lack of employee training).
    • Underlying Issues: Identify systemic issues that allowed the incident to occur.
  4. Impact Assessment
    • Data Affected: Specify the type and volume of data compromised.
    • Financial Impact: Assess the financial losses incurred as a result of the incident.
    • Reputational Impact: Evaluate the impact on the organization's reputation and trustworthiness.
  5. Mitigation and Corrective Actions
    • Immediate Remediation: Detail the steps taken to mitigate the immediate impact of the incident.
    • Long-Term Remediation: Outline the measures implemented to address root causes and prevent future incidents.
    • Monitoring and Testing: Specify how the effectiveness of mitigation measures will be monitored and tested.
  6. Communication and Reporting
    • Internal Communication: Communicate findings and recommendations to relevant stakeholders within the organization.
    • External Communication: If required, inform regulators, customers, or partners about the incident and steps taken to address it, in accordance with the SOP for Communication and Disclosure of the organization.
    • Documentation: Ensure that the incident, analysis, and actions taken are well-documented for future reference.
  7. Lessons Learned
    • Strengths: Identify what worked well during the incident response.
    • Weaknesses: Highlight areas for improvement in incident response procedures.
    • Recommendations: Provide actionable recommendations to prevent similar incidents in the future.
  8. Follow-Up and Review
    • Follow-Up Plan: Define a timeline for reviewing the effectiveness of implemented measures.
    • Incident Response Training: Provide additional training to staff based on lessons learned from the incident.
    • Continuous Improvement: Establish a process for continuous improvement of incident response capabilities.

Annexure A

Incident Reporting Form
1. Letter / Report Subject -
Name of the Member / Depository Participant -
Name of the Stock Exchange / Depository -
Member ID / DP ID -
2. Reporting Periodicity Year -
3. Designated Officer (Reporting Officer details) -
Name: Organization: Title: Compliance Officer
Phone / Fax No: 080-47181888 Mobile: Email:
Address: 192A 4th Floor, Kalyani Vista, 3rd Main Road JP Nagar, JP Nagar 4th Phase, Bengaluru, Karnataka 560076
Cyber-attack / breach observed in Quarter:
(If yes, please fill Annexure I)
Yes
Date & Time: / Brief information on the Cyber-attack / breach observed:

Annexure I
1. Physical location of affected computer / network and name of ISP -
2. Date and time incident occurred -
3. Information of affected system -
IP Address: Computer / Host Name: Operating System (incl. Ver. / release No.): Last Patched/ Updated: Hardware Vendor/ Model:
4. Type of incident
  • Phishing
  • Network scanning / Probing
  • Break-in / Root Compromise
  • Virus/ Malicious Code
  • Website Defacement
  • System Misuse
  • Spam
  • Bot/Botnet
  • Email Spoofing
  • Denial of Service (DoS)
  • Distributed Denial of Service (DDoS)
  • User Account Compromise
  • Website Intrusion
  • Social Engineering
  • Technical Vulnerability
  • IP Spoofing
  • Ransomware
  • Other
5. Description of incident -
6. Unusual behavior/symptoms-
  • System crashes
  • New user accounts/ Accounting discrepancies
  • Failed or successful social engineering attempts
  • Unexplained, poor system performance
  • Unaccounted for changes in the DNS tables, router rules, or firewall rules
  • Unexplained elevation or use of privileges
  • Operation of a program or sniffer device to capture network traffic
  • An indicated last time of usage of a user account that does not correspond to the actual last time of usage for that user
  • A system alarm or similar indication from an intrusion detection tool
  • Altered home pages, which are usually the intentional target for visibility, or other pages on the Web server
  • Anomalies
  • Suspicious probes
  • Suspicious browsing
  • New files
  • Changes in file lengths or dates
  • Attempts to write to system
  • Data modification or deletion
  • Denial of service
  • Door knob rattling
  • Unusual time of usage
  • Unusual usage patterns
  • Unusual log file entries
  • Presence of new setuid or setgid files
  • Changes in system directories and files
  • Presence of cracking utilities
  • Activity during non-working hours or holidays
  • Other (Please specify)
7. Details of unusual behavior/symptoms -
8. Has this problem been experienced earlier? If yes, details -
9. Agencies notified -
Law Enforcement / Private Agency / Affected Product Vendor / Other
10. IP Address of apparent or suspected source -
Source IP address: Other information available:
11. How many host(s) are affected -
1 to 10 / 10 to 100 / More than 100
12. Details of actions taken for mitigation and any preventive measure applied -