SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF), effective August 2024, makes logging a central compliance obligation. The framework mandates centralized log collection, continuous monitoring, defined retention and audit-ready evidence trails. This blog breaks down what SEBI CSCRF requires for a logging solution, how to architect one for your entity tier and what your auditors will check when they arrive.
What SEBI CSCRF mandates for logging
The CSCRF does not give you a single “logging requirements” section to work from. The mandate is woven across its SOC, detection, incident response and audit provisions. Together, they form a clear picture of what a compliant logging solution must deliver.
1. Centralized log collection from critical systems
CSCRF requires all critical systems to generate logs that are aggregated, correlated and available for threat detection and audit evidence. Critical systems include trading platforms, order management systems, client-facing applications, network devices, endpoints and privileged identity management tools.
Third-party vendor access must also be logged. Every vendor connection to your environment must be traceable – who accessed what, when and from where.
2. Log retention, integrity and tamper protection
CSCRF lists a documented log retention and access-authentication policy as a mandatory standard under its Protect function. The framework requires logs to be retained with all relevant fields, including verbosity and relevancy, and stored in a tamper-proof format such as write-once or append-only storage so that entries cannot be altered after the fact.
Most regulated entities align retention duration with the IT Act 2000, which points to a minimum of two years. The absence of a formally approved, board-documented retention policy is itself a non-compliance finding.
Time synchronization across all log sources using Network Time Protocol (NTP) is equally important. Without consistent timestamps, log correlation fails and your audit evidence becomes unreliable in front of a CERT-In auditor.
What a compliant logging solution looks like
A CSCRF-aligned logging solution is an end-to-end pipeline, from log generation to analyst-ready dashboards. A compliant logging architecture requires five capabilities working together:
- Log ingestion: Agents or API-based collectors on all critical systems, forwarding logs in real time to a central platform
- Normalization: Parsing and standardizing logs from different vendors into a consistent, searchable format
- Centralized storage: A scalable, tamper-proof repository with clearly defined retention policies
- Correlation and detection: Rule-based and behavioural analysis to surface security events from raw log data
- Audit-ready reporting: Dashboards, search capability and exportable evidence trails for auditors and compliance teams
Security Information and Event Management (SIEM) platforms are built to deliver all five. They unify log ingestion, normalization, correlation and reporting in a single platform that maps directly to CSCRF’s monitoring and evidence requirements.
If your organization is already running a Full Stack Observability platform, you have a head start: the log ingestion infrastructure, agents and centralized storage are already in place. Extending that foundation to cover CSCRF's security event and audit trail requirements is a much shorter journey than building from scratch.
How requirements differ by RE tier
SEBI CSCRF grades logging obligations based on your entity category. Here is what each tier must deliver:
1. MIIs and Qualified REs
Full log ingestion across critical systems, active correlation, detection use cases and in-house or third-party SOC with half-yearly audit compliance. The CSCRF FAQ (Q.30) additionally requires MIIs and Qualified REs to build an automated compliance dashboard preferably integrated with their log aggregator, making the logging platform central to regulatory reporting.
2. Mid-size REs
SIEM deployment with continuous monitoring. Market SOC, also referred to as M-SOC, is an option, but log quality, retention and correlation standards still apply.
3. Small-size REs using M-SOC
Critical system logs must be correctly configured and forwarded to the exchange-operated SIEM via the prescribed connector profile. Self-certification REs have lighter obligations, but basic log generation and retention are still expected.
Connecting your logs to SOC and M-SOC
A logging solution in isolation does not satisfy CSCRF. Logs must feed active security monitoring, either your own SOC or the Market SOC (M-SOC) operated by NSE or BSE.
For Qualified REs, your SIEM must have live detection use cases aligned to indicators of compromise, user behaviour anomalies and network threats. Alerts must route to a defined incident response workflow within CSCRF’s prescribed timelines.
For Small-size REs onboarding M-SOC, your responsibility is ensuring log sources are correctly configured and forwarding in the right format. The quality of your log input determines the quality of detection output at the exchange end. Incomplete or improperly formatted log feeds are a common onboarding failure point.
What auditors check in your logging setup
During a CSCRF cyber audit, a CERT-In empanelled auditor will verify specific evidence points in your logging environment. Here is what they look for:
- Complete asset inventory mapped to active, confirmed log sources
- Evidence that all critical systems are generating and forwarding logs
- NTP synchronization across all log-generating devices and applications
- Tamper-proof log storage with a documented, board-approved retention policy
- Detection use cases configured in SIEM with documented alert logic and thresholds
- Incident records showing detection-to-response timelines within CSCRF requirements
- Log coverage for privileged user activity and all third-party vendor access
The most common failure point is incomplete log source coverage: systems appear in the asset register with no active log collection behind them.
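Two of the checks above (asset register versus active log sources, and NTP consistency) can be run before the auditor arrives. The following is an added example, not code from the original post or from any SIEM product; the asset register, the per-source timestamps and the thresholds (one hour of silence, 30 seconds of clock skew) are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample inputs (not from the page): an asset register export and,
# for each log source, the event timestamp and ingest timestamp of the most
# recent record the central log platform holds.
ASSET_REGISTER = [
    {"host": "oms-prod-01", "critical": True},
    {"host": "trade-gw-02", "critical": True},
    {"host": "vendor-jump-01", "critical": True},
    {"host": "pam-vault-01", "critical": True},
    {"host": "intranet-wiki", "critical": False},
]
LAST_EVENT = {  # host -> (event timestamp, ingest timestamp), ISO 8601 UTC
    "oms-prod-01": ("2024-09-01T10:00:05+00:00", "2024-09-01T10:00:07+00:00"),
    "trade-gw-02": ("2024-09-01T09:58:00+00:00", "2024-09-01T10:00:06+00:00"),
    "vendor-jump-01": ("2024-08-20T08:00:00+00:00", "2024-08-20T08:00:01+00:00"),
}


def _ts(s):
    return datetime.fromisoformat(s)


def coverage_gaps(register, last_event, now, max_silence=timedelta(hours=1)):
    """Critical assets with no log source at all ('missing') or whose source has
    sent nothing within max_silence ('stale'); non-critical assets are ignored."""
    missing, stale = [], []
    for asset in register:
        if not asset["critical"]:
            continue
        host = asset["host"]
        if host not in last_event:
            missing.append(host)
        elif _ts(last_event[host][1]) < now - max_silence:
            stale.append(host)
    return {"missing": missing, "stale": stale}


def clock_skew(last_event, tolerance=timedelta(seconds=30)):
    """Sources whose event timestamp disagrees with the ingest clock by more than
    tolerance: a sign the source is not NTP-synchronized. Returns host -> skew (s)."""
    skewed = {}
    for host, (event_ts, ingest_ts) in last_event.items():
        delta = abs((_ts(ingest_ts) - _ts(event_ts)).total_seconds())
        if delta > tolerance.total_seconds():
            skewed[host] = delta
    return skewed
```

In the sample data, `pam-vault-01` is in the register with no source behind it, `vendor-jump-01` has gone silent, and `trade-gw-02` stamps events about two minutes behind the ingest clock; each would be an audit finding under the checklist above.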
Conclusion
Getting your logging solution right under SEBI CSCRF means you have to build the visibility infrastructure that makes security operations possible. Without complete log coverage, reliable retention and active correlation, your SOC is operating blind and your auditors will find that quickly.
Three things every regulated entity must get in place: full log source coverage across all critical systems, tamper-proof retention backed by documented policy and a SIEM that delivers detection, correlation and audit-ready dashboards in one place.
At CyberNX, we help regulated entities design and deploy SEBI CSCRF-compliant logging solutions. As a CERT-In empanelled cybersecurity firm with SEBI CSCRF compliance expertise, we offer full stack observability solutions that align your logging architecture to your RE tier and audit obligations. Connect with our team to build a logging setup that holds up under scrutiny.
Logging solution as per SEBI CSCRF FAQs
What is the log retention period under SEBI CSCRF?
CSCRF mandates a documented log retention policy but does not specify a single universal duration in the main circular. In practice, most regulated entities align with the IT Act 2000, which points to a minimum of two years. Your CISO must define and formally approve the retention period in writing – the absence of a documented policy is itself a non-compliance finding during cyber audit.
Is a SIEM mandatory under SEBI CSCRF?
Yes, in effect. Centralized collection, correlation, threat detection and audit-ready reporting for Qualified and Mid-size REs with SOC obligations are only achievable through a SIEM. Small-size REs using M-SOC must integrate logs with the exchange-operated SIEM.
Can cloud logs be used for SEBI CSCRF compliance?
Yes, with care. Logs from AWS, Azure or GCP can be ingested into your SIEM. But SEBI's data localization requirements mean security log storage must comply with data residency obligations: logs from India-based systems must remain within Indian borders, or be held under a SEBI-approved cloud arrangement.