- What is workforce password management?
- Enhancing business security with Zoho Vault workforce password management
- Introduction to the Securities and Exchange Board of India (SEBI)
- What are the objectives of SEBI?
- Understanding SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF)
- How can workforce password management help securities markets address these recommendations?
- Strengthening securities market cybersecurity with workforce password management
- What is a regulated entity (RE) in the context of SEBI?
- Timelines for CSCRF
- How Zoho Vault’s workforce password manager aligns with SEBI’s CSCRF requirements
- Resources
- Disclaimer
- FAQs
What is workforce password management?
Workforce password management (WPM) is software that securely stores and manages sensitive business information, including usernames, passwords, payment details, confidential notes, and URLs, in a centralized, encrypted vault. Stored data is protected with industry-standard encryption such as AES-256.
With increasing digital touchpoints and remote workforces, businesses must maintain secure access to a large number of apps, services, and systems. WPM solutions streamline this by offering centralized control over password generation, storage, access control, activity monitoring, and compliance reporting, which improves both security posture and operational efficiency.
Enhancing business security with Zoho Vault workforce password management
Workforce password managers reduce human error, often the weakest link in cybersecurity. By automating password hygiene and providing centralized visibility and control, WPM solutions help prevent credential-driven breaches, simplify compliance, and support zero-trust security models. Adopting Zoho Vault for workforce password management strengthens an organization's security posture by providing:
- Centralized encrypted vault for passwords, passkeys, bank details, payment cards, documents, and secrets.
- Password and passphrase generation.
- Built-in password policies.
- Secure role-based sharing.
- Security dashboard and dark-web monitoring.
- Multifactor authentication.
- Single sign-on (SSO) for 100+ cloud apps.
- IP and geolocation restrictions.
- Tamper-proof audit trails and security reports.
- Integration with security information and event management (SIEM) tools.
- Tighter integrations with the Zoho ecosystem and third-party applications.
Introduction to the Securities and Exchange Board of India (SEBI)
The Securities and Exchange Board of India (SEBI) is the regulatory authority for India's securities markets and received its statutory powers under the SEBI Act, 1992. Operating under the Ministry of Finance, SEBI oversees stock exchange operations and ensures that financial transactions are conducted fairly and transparently, with a primary focus on protecting investor interests.
What are the objectives of SEBI?
Regulation: SEBI's main objective is to regulate the stock market, creating an environment where companies can confidently and easily raise capital through securities.
Protection: SEBI protects investors by educating them and providing essential investment guidelines. It ensures that investors receive accurate and reliable information about companies, empowering them to make informed investment decisions.
Prevention: A core reason for SEBI's establishment was to prevent malpractices in securities trading, such as insider trading, rule violations, and non-compliance with the Companies Act. These unethical practices erode investor confidence. SEBI combats them by balancing self-regulation within businesses with statutory legal oversight.
Code of conduct: Through its regulatory framework, SEBI establishes a code of conduct to ensure fair trading practices among intermediaries like brokers, merchant bankers, and underwriters. It oversees their activities, fostering a professional and competitive market environment.
Understanding SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF)
Organizations regulated by SEBI are experiencing an ever-increasing volume of data, a trend only expected to accelerate. This makes secure access to critical business information paramount and a key concern for SEBI. To address this, SEBI has developed the Cybersecurity and Cyber Resilience Framework (CSCRF). The CSCRF is designed to bolster organizations' preparedness and resilience against cyber threats. It operates on the principle of anticipating attacks and proactively implementing strategies to enhance their security posture. The framework's key goals are Anticipate, Withstand, Contain, Recover, and Evolve.
| Cyber resilience goal: Evolve (spans all functions below) | | | | | | |
|---|---|---|---|---|---|---|
| Cyber resilience goal | Anticipate | | | Withstand and Contain | | Recover |
| Cybersecurity function | Governance | Identify | Protect | Detect | Respond | Recover |
How can workforce password management help securities markets address these recommendations?
Effective WPM is no longer optional for securities markets facing an escalating volume of cyber threats. A single compromised credential can cause extensive damage and expose sensitive data, so strong credential controls are essential. A comprehensive WPM strategy provides proactive defense by safeguarding confidential information, monitoring access, and identifying weak or exposed credentials at their source.
Strengthening securities market cybersecurity with workforce password management
The capital markets, inherently reliant on trust and data integrity, are prime targets for cyberattacks. Adopting a cutting-edge WPM solution directly addresses evolving SEBI cybersecurity recommendations, empowering financial institutions to significantly enhance their security posture and mitigate risks. Here’s how:
- Assessing cybersecurity maturity and tailoring protection: the security dashboard and dark-web monitoring of a WPM solution show which workforce credentials are weak or have been exposed in breaches, giving organizations a concrete measure of their current credential hygiene. That measure is the basis for deciding how much protection each set of credentials needs, particularly those governing high-level access to sensitive and critical data.
- Granular access control and role-based privileges: a core tenet of effective security is defining and enforcing appropriate access. WPM lets financial institutions define roles and privileges precisely, so that each member has access only to the resources needed to perform their duties. This prevents unauthorized access and limits potential exposure.
- Streamlined and secure access provisioning: WPM streamlines access-control workflows for highly confidential data, so that access is provisioned according to predefined policies and approvals, minimizing the risk of insider threats and unauthorized access.
- Eliminating excessive privileges and containing adversaries: excessive access privileges are a prime target for attackers. By enforcing the principle of least privilege, WPM removes standing privileges that are not needed, shrinking the attack surface and limiting how far an adversary who compromises one account can move.
- Comprehensive audit trails for proactive security: a robust WPM solution logs every activity related to credential usage and reports the who, what, when, and where of each access. A tamper-proof audit trail lets organizations detect anomalous access quickly, respond to it, and reconstruct events after an incident, which builds resilience against sophisticated attacks.
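The access-control points above (least-privilege roles, time-bound provisioning, offboarding, and an audit trail) come together in the periodic access review that CSCRF's access-control standards call for. The following is an added example, not Zoho Vault's own code and not a description of its internals: a Python review over a constructed export of vault accounts and an HR roster that flags the discrepancies the framework names (dormant accounts, excessive privileges, unknown accounts, accounts of leavers that are still active, and expired time-bound access). The record layout, the 90-day dormancy threshold, and the role baselines are assumptions.

```python
"""Periodic access review over an exported account list and an HR roster.

Added example, not Zoho Vault's own code. The record layout, the role
baselines and the dormancy threshold are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

DORMANT_AFTER = timedelta(days=90)   # assumed review threshold

# Entitlements each role is expected to hold (assumed policy baseline).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "user": {"vault:read"},
    "admin": {"vault:read", "vault:share", "policy:edit"},
    "superadmin": {"vault:read", "vault:share", "policy:edit", "users:manage"},
}


@dataclass
class Account:
    user_id: str
    role: str
    entitlements: Set[str]
    status: str                     # "active" or "disabled"
    last_login: Optional[date]      # None means the account never signed in
    expires: Optional[date] = None  # end of time-bound access (contractors)


@dataclass
class Finding:
    user_id: str
    kind: str
    detail: str


def review(accounts: List[Account], hr_roster: Dict[str, str], today: date) -> List[Finding]:
    """hr_roster maps user_id to 'employed' or 'terminated'. Disabled accounts are skipped."""
    findings: List[Finding] = []
    for a in accounts:
        if a.status != "active":
            continue
        hr_status = hr_roster.get(a.user_id)
        if hr_status is None:
            findings.append(Finding(a.user_id, "unknown_account", "no matching HR record"))
        elif hr_status == "terminated":
            findings.append(Finding(a.user_id, "end_of_life", "HR shows terminated but account is active"))
        if a.last_login is None or today - a.last_login > DORMANT_AFTER:
            findings.append(Finding(a.user_id, "dormant", f"last login: {a.last_login}"))
        # Anything beyond the role's baseline is a standing privilege to question.
        extra = a.entitlements - ROLE_BASELINE.get(a.role, set())
        if extra:
            findings.append(Finding(a.user_id, "excessive_privilege",
                                    f"beyond {a.role} baseline: {sorted(extra)}"))
        if a.expires is not None and a.expires < today:
            findings.append(Finding(a.user_id, "expired_access", f"time-bound access ended {a.expires}"))
    return findings


def sample_review() -> List[Finding]:
    """Runs the review over constructed sample data (not real accounts)."""
    today = date(2025, 4, 1)
    accounts = [
        Account("alice", "user", {"vault:read"}, "active", date(2025, 3, 28)),
        Account("bob", "user", {"vault:read", "users:manage"}, "active", date(2025, 3, 20)),
        Account("carol", "admin", {"vault:read", "vault:share", "policy:edit"}, "active", date(2024, 11, 1)),
        Account("dave", "user", {"vault:read"}, "active", date(2025, 3, 30)),
        Account("svc-legacy", "user", {"vault:read"}, "active", None),
        Account("erin", "user", {"vault:read"}, "active", date(2025, 3, 31), expires=date(2025, 3, 15)),
        Account("frank", "superadmin", {"users:manage"}, "disabled", date(2024, 1, 1)),
    ]
    hr_roster = {"alice": "employed", "bob": "employed", "carol": "employed",
                 "dave": "terminated", "erin": "employed", "frank": "terminated"}
    return review(accounts, hr_roster, today)


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f.user_id:<12} {f.kind:<20} {f.detail}")
```

Each finding maps to an action the reviewer records: disable or justify a dormant account, trim entitlements to the role baseline, trace an unknown account to an owner or remove it, and close the offboarding gap for leavers. Keeping the review output itself is part of the evidence an auditor asks for.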
What is a regulated entity (RE) in the context of SEBI?
The term regulated entity (RE) refers to entities recognized by SEBI such as:
- Alternative investment funds (AIFs)
- Bankers to an issue (BTI) and self-certified syndicate banks (SCSBs)
- Clearing corporations
- Collective investment schemes (CIS)
- Credit rating agencies (CRAs)
- Custodians
- Debenture trustees (DTs)
- Depositories
- Designated depository participants (DDPs)
- Depository participants, through depositories
- Investment advisors (IAs) and research analysts (RAs)
- KYC registration agencies (KRAs)
- Merchant bankers (MBs)
- Mutual funds (MFs) and asset management companies (AMCs)
- Portfolio managers
- Registrars to an issue and share transfer agents (RTAs)
- Stock brokers, through exchanges
- Stock exchanges
- Venture capital funds (VCFs)
Timelines for CSCRF
Report submission
- The circular defines reporting timelines for each RE based on the category the RE falls under.
- Evidence of compliance with the CSCRF, including ISO audit reports, VAPT assessments, cyber audits, etc., shall be submitted per those timelines.
- Reporting periods depend on the RE category and are quarterly, half-yearly, or annual.
Implementation
- For entities where the cybersecurity and cyber resilience circular already exists: January 1, 2025.
- All other entities where CSCRF is made applicable for the first time: April 01, 2025.
How Zoho Vault’s workforce password manager aligns with SEBI’s CSCRF requirements
| SEBI standard | CSCRF requirement | Applicability | How Zoho Vault aligns |
|---|---|---|---|
| Cyber resilience goal: ANTICIPATE; cybersecurity function: GOVERNANCE | | | |
| GV.OC.S2, GV.OC.S3 | Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners. REs shall define the responsibilities of their own employees, third-party service providers' employees, and other entities who may have privileged access to, or use, their systems and/or networks. | All REs except small-size, self-certification REs | Zoho Vault restricts configuration, customization, and monitoring of sensitive information to administrative accounts. There are two default admin roles: Super Admin and Admin. Super Admins have complete control, including user management; Admins assist with high-level tasks but cannot manage users. Ordinary users cannot perform any admin operation. For emergencies, break-glass permissions temporarily grant a trusted user full access to all resources; this is intended only for urgent administrative intervention, should be assigned only when necessary, and each use should be reviewed afterwards in the audit trail. Role customization and time-limited access let administrators grant third-party users only the access the task requires, so confidential resources remain protected. |
| Cyber resilience goal: ANTICIPATE; cybersecurity function: PROTECT | | | |
| PR.AA.S1, PR.AA.S2, PR.AA.S3, PR.AA.S7, PR.AA.S9, PR.MA.S2 | Any access to REs' systems, applications, networks, databases, etc., shall be for a defined purpose and for a defined period. Access granted to IT systems, applications, databases, and networks shall be on a need-to-use basis and based on the principle of least privilege. Such access shall be given for a specific duration and using effective authentication mechanisms. REs shall ensure that records of user access to critical systems, wherever possible, are uniquely identified and logged for audit and review purposes. Existing user accounts and access rights shall be periodically reviewed by the owner of the system to detect dormant accounts, accounts with excessive privileges, unknown accounts, or any other discrepancy. Proper "end of life" mechanisms shall be adopted for user management to deactivate the access privileges of users who are leaving the organization or whose access privileges have been withdrawn. This includes named user IDs, default user IDs, and generic email IDs. All critical systems accessible over the internet shall have multifactor security (such as VPNs, firewall controls, etc.) and MFA. MFA shall be enabled for all users and systems that connect using online/internet facilities, and particularly for VPNs, webmail, and accounts that access critical systems from non-trusted environments to trusted environments. | All REs (mandatory) | Zoho Vault enforces least privilege by granting users access to sensitive information strictly according to their roles and operational needs; when sharing credentials, administrators assign granular access levels. Access can be revoked as soon as it is no longer required, and every attempt to access stored data is monitored, audited, and documented. Beyond role-based access control, access requests are routed through an administrator for approval, which fixes accountability and reduces the likelihood of unauthorized access, including by third parties. Periodic review of accounts and access rights is simplified by centralized management and reports that show each user's activities and privileges, so system owners can identify excessive or unauthorized access. Integrations with identity providers such as Zoho Directory, Google Workspace, Microsoft 365, Active Directory, Microsoft Entra ID, and Okta keep access aligned with user roles and organizational policies. For offboarding, administrators can revoke all shared credentials, folder access, and user-specific permissions at once, leaving no residual access. Passwords can also be shared temporarily with third parties such as contractors or freelancers who have no Zoho Vault account; access is granted for a specified period and revoked automatically when it ends. For MFA, Zoho Vault supports SMS-based one-time passwords (OTP), third-party authenticator apps such as Google Authenticator and Microsoft Authenticator, security keys, passkeys, and Zoho OneAuth; requiring a second factor beyond the password reduces the risk of unauthorized access. |
| PR.AA.S4, PR.AA.S5 | REs shall follow zero-trust security models such that access (from within or outside the RE's network) to their critical systems is denied by default and allowed only after proper authentication and authorization. | MIIs and Qualified REs (mandatory) | Zoho Vault supports a zero-trust approach by denying access by default and allowing it only after authentication and authorization. With role-based permissions, MFA, and detailed audit logs, Zoho Vault ensures that only verified users can reach confidential data. |
| PR.AA.S6 | REs shall implement strong password controls for users' access to systems, applications, networks, databases, etc. Password controls shall include (but are not limited to) a change of password upon first login, minimum password length and history, password complexity, and a maximum validity period. User credential data shall be stored using strong hashing algorithms. | All REs except small-size, self-certification REs (mandatory) | Zoho Vault's password policies define the required strength of user passwords and how often they must be renewed. Restrictions on allowed IP addresses and geolocations block sign-in attempts from unauthorized locations. By default, Zoho Vault encrypts stored passwords with AES-256 and serves as a centralized, tamper-proof store for shared sensitive information such as passwords, passkeys, documents, bank account details, payment card details, and digital certificates. Note the distinction in the requirement: the credentials a system uses to authenticate its own users are what should be stored as salted hashes, whereas secrets kept in a vault must remain recoverable and are therefore encrypted rather than hashed. |
| PR.DS.S4 | REs shall enforce effective data protection, backup, and recovery measures. | All REs (mandatory) | Zoho Vault supports data protection and recovery by periodically sending encrypted backups of stored confidential information to your preferred email or cloud account, so that critical data remains secure and can be restored quickly during a cybersecurity incident. |
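PR.AA.S6 lists concrete password controls: a forced change on first login, minimum length, history, complexity, a maximum validity period, and hashed storage of credential data. The following added example is not Zoho Vault's code and does not describe how Zoho Vault implements these controls; it shows one way an RE can enforce all six in an application's own user store, using salted scrypt from Python's standard library. The policy values (12 characters, a history of 5, 90-day validity) and the scrypt parameters are assumptions.

```python
"""Password controls of the kind PR.AA.S6 lists, with salted scrypt storage.

Added example, not Zoho Vault's code. Policy values and scrypt parameters
are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 12        # assumed minimum password length
HISTORY_DEPTH = 5      # a new password may not match any of the last 5
MAX_AGE_DAYS = 90      # assumed maximum validity period
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash; the password itself is never stored."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def complexity_violations(password: str) -> list:
    """Length and character-class checks; returns a list of problems (empty if OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
               "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}
    present = [name for name, pat in classes.items() if re.search(pat, password)]
    if len(present) < 3:
        problems.append("needs at least three of lowercase, uppercase, digit, symbol")
    return problems


class Credential:
    """One user's stored authentication state."""

    def __init__(self, username: str, initial_password: str, issued: date):
        self.username = username
        self.history = []            # (salt, digest) pairs, oldest first; last is current
        self.must_change = True      # a provisioned password must be changed at first login
        self.changed_on = issued
        self._store(initial_password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        del self.history[:-HISTORY_DEPTH]   # keep only the last HISTORY_DEPTH entries

    def matches_history(self, password: str) -> bool:
        # Every entry has its own salt, so the candidate is re-hashed per entry.
        return any(hmac.compare_digest(hash_password(password, s), d) for s, d in self.history)

    def verify(self, password: str) -> bool:
        salt, digest = self.history[-1]
        return hmac.compare_digest(hash_password(password, salt), digest)

    def change_password(self, current: str, new: str, today: date) -> list:
        """Returns [] on success; otherwise the violations, with state left unchanged."""
        if not self.verify(current):
            return ["current password incorrect"]
        problems = complexity_violations(new)
        if self.matches_history(new):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        self._store(new)
        self.must_change = False
        self.changed_on = today
        return []

    def login(self, password: str, today: date) -> str:
        """'denied', 'change_required', 'expired' or 'ok'."""
        if not self.verify(password):
            return "denied"
        if self.must_change:
            return "change_required"      # first login, or a reset issued by an admin
        if today - self.changed_on > timedelta(days=MAX_AGE_DAYS):
            return "expired"
        return "ok"


if __name__ == "__main__":
    cred = Credential("alice", "Welcome-2025-temp", date(2025, 1, 6))
    print(cred.login("Welcome-2025-temp", date(2025, 1, 6)))             # change_required
    print(cred.change_password("Welcome-2025-temp", "short", date(2025, 1, 6)))
    print(cred.change_password("Welcome-2025-temp", "Correct-Horse-Battery-9", date(2025, 1, 6)))
    print(cred.login("Correct-Horse-Battery-9", date(2025, 5, 1)))       # expired
```

Two design points matter for the hashing requirement: the comparison uses `hmac.compare_digest` rather than `==` so that verification time does not leak how many bytes matched, and the history check must re-hash the candidate under each stored salt, because per-entry salts mean identical passwords never produce identical digests. Rejecting a failed change without touching state keeps the current hash valid until a compliant replacement is accepted.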
Disclaimer
The information in this document is intended for general guidance only. Zoho Vault does not guarantee SEBI CSCRF compliance for organizations using its services. However, it can support efforts to meet specific requirements for handling sensitive financial information. Full compliance requires the integration of appropriate solutions, processes, controls, and policies. This content is not legal advice, and Zoho Vault makes no warranties—express, implied, or statutory—regarding its accuracy or applicability. We recommend consulting a legal advisor to understand your obligations under the SEBI CSCRF framework.
FAQs
Zoho Vault is a cloud-based workforce password manager that securely stores and manages passwords, credit cards, certificates, secrets, and other sensitive data. It offers advanced security features like passwordless single sign-on (SSO), multifactor authentication, and passkeys management for secure access to business applications. Zoho Vault integrates with directory services for centralized access control and simplified user management. It also supports API and CLI access for easy integration with existing IT systems and automated security workflows.
Zoho Vault WPM tools play a critical role in strengthening organizational security. They offer encrypted vaults to safely store credentials and include password generators to create strong, unique logins. These tools also come with built-in policy engines to enforce password complexity and expiration rules, ensuring regulatory compliance. To stay ahead of threats, features like dark-web monitoring alert organizations if their credentials are found in data breaches. Additionally, role-based password sharing enables secure collaboration.
Yes, Zoho Vault offers a free plan with unlimited storage, security dashboard, built-in password and passphrase generator, and more. Learn more about our plans and features on our pricing page.
For technical assistance, contact us at support@zohovault.com. Our support team is here to help!