TRINETRA SOC — Severity & SLA Reference Card

v1.0 · For SOC operator use
Aligned to: SEBI CSCRF Annexure-O, MII SOP Jan 2025, RBI CSF + CIMS, IRDAI Info & Cyber 2023, CERT-In 2022
Severity Classification (SEBI Annexure-O — verbatim)
Critical
Trinetra SOC P1 · Wazuh L12+
What qualifies: Successful penetration / DoS with significant operational impact; ransomware execution; exfiltration of market-sensitive data or large-scale PII; widespread data corruption impacting operations; significant negative financial / PR risk.
Auto-action: Connectivity disabled (COLO/POP/SFTP/API). PR within 1 working day (QRE/QSB).

High
Trinetra SOC P2 · Wazuh L9–11
What qualifies: Penetration/DoS with limited impact; widespread new malware not handled by AV; unauthorised server/network access; unexpected config changes; SEBI/MII official impersonation; data exfiltration; outbound phishing.
Auto-action: Connectivity disabled. Forensic audit mandatory.

Medium
Trinetra SOC P3 · Wazuh L6–8
What qualifies: Target recon/scans; attempted penetration/DoS no impact; widespread known malware handled; isolated new malware not handled; phishing email clicked; data corruption/modification/deletion reported.
Auto-action: Forensic if RCA inconclusive or SEBI directs.

Low
Trinetra SOC P4 · Wazuh L1–5
What qualifies: System probes/scans on external systems; threat intelligence with no asset match; credential-compromise intel; isolated known malware easily handled by AV.
Auto-action: Log + watchlist. No regulator action unless escalated.
SEBI mandatory upgrade rule
Any incident that results in disruption, stoppage or variance in normal service delivery MUST be classified at least HIGH — regardless of technical root cause.
Trinetra SOC Internal SLA (Platinum tier · multiply ×2 for Silver; BD = business day)

Priority  Acknowledge  Investigate  Contain   Resolve   Client notify
P1        2.5 min      7.5 min      30 min    4 hours   Immediate (phone)
P2        7.5 min      30 min       2 hours   8 hours   Within 30 min
P3        30 min       2 hours      1 BD      3 BDs     Within 2 hours
P4        2 hours      1 BD         5 BDs     10 BDs    Daily digest

SEBI / MII timeline (CSCRF)

  • T+0: Detection / notification — clock starts
  • T+6h: Immediate report to Exchange + SEBI (mkt_incidents@sebi.gov.in) + CERT-In
  • T+same day: Immediate Mitigation Measure Report
  • T+24h: SEBI Incident Reporting Portal submission
  • T+3d: Interim Report
  • T+7d: Mitigation Measure Report
  • T+30d: RCA + IT Committee recommendations
  • T+45d: VAPT + closure report
  • T+75d: Forensic audit (max) — mandatory for HIGH/CRITICAL
  • T+1 WD: Press release (QRE/QSB only) after normalcy

RBI timeline (CSITE / CIMS)

  • 2–6h: Initial cyber-incident notification via CIMS portal
  • 6h: CERT-In notification (parallel) — incident.cert-in.org.in
  • Promptly: Updates as material new info emerges
  • 21d: Detailed RCA submission
  • 30d post-RCA: Closure / lessons-learned report
  • Quarterly: UCB/NBFC cyber-posture return
  • RTO 2h: Digital payment systems (CR-DPS MD Jul 2024)
  • RPO 15 min: Digital payment systems
  • 24h: DPDP breach to Data Protection Board (when activated)
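The classification rules, the internal SLA table and the SEBI timeline above are easy to mis-apply by hand at 02:00, especially the SEBI upgrade rule and the business-day targets. The following Python is an added worked example, not part of this card or of any Trinetra SOC tooling: it maps a Wazuh rule level to a priority, applies the "any disruption is at least HIGH" rule, doubles targets for the Silver tier, and produces absolute SLA and SEBI deadlines from the detection timestamp. Assumptions that are not on the card: business days are Mon–Fri with no exchange-holiday calendar, and the "same day" Immediate Mitigation Measure Report is modelled as 23:59 on the detection date.

```python
from datetime import datetime, timedelta

SEVERITY_NAME = {1: "Critical", 2: "High", 3: "Medium", 4: "Low"}


def priority_from_wazuh_level(level: int) -> int:
    """Wazuh rule level -> Trinetra priority (L12+ P1, L9-11 P2, L6-8 P3, L1-5 P4)."""
    if level >= 12:
        return 1
    if level >= 9:
        return 2
    if level >= 6:
        return 3
    return 4


def classify(level: int, service_disrupted: bool = False) -> int:
    """Priority after the SEBI upgrade rule: any service disruption is at least HIGH (P2)."""
    priority = priority_from_wazuh_level(level)
    if service_disrupted and priority > 2:
        priority = 2
    return priority


# Platinum-tier SLA from the card as (unit, amount); Silver tier doubles every amount.
PLATINUM_SLA = {
    1: {"acknowledge": ("min", 2.5), "investigate": ("min", 7.5), "contain": ("min", 30), "resolve": ("h", 4)},
    2: {"acknowledge": ("min", 7.5), "investigate": ("min", 30), "contain": ("h", 2), "resolve": ("h", 8)},
    3: {"acknowledge": ("min", 30), "investigate": ("h", 2), "contain": ("bd", 1), "resolve": ("bd", 3)},
    4: {"acknowledge": ("h", 2), "investigate": ("bd", 1), "contain": ("bd", 5), "resolve": ("bd", 10)},
}


def add_business_days(start: datetime, n: int) -> datetime:
    """Advance n Mon-Fri business days, keeping time of day.
    Assumption: no exchange-holiday calendar is applied."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def sla_deadlines(detected: datetime, priority: int, tier: str = "platinum") -> dict:
    """Absolute internal SLA deadline per stage for the given tier."""
    multiplier = 2 if tier.lower() == "silver" else 1
    deadlines = {}
    for stage, (unit, amount) in PLATINUM_SLA[priority].items():
        amount *= multiplier
        if unit == "min":
            deadlines[stage] = detected + timedelta(minutes=amount)
        elif unit == "h":
            deadlines[stage] = detected + timedelta(hours=amount)
        else:
            deadlines[stage] = add_business_days(detected, int(amount))
    return deadlines


# SEBI CSCRF milestones as offsets from detection (T+0).
SEBI_MILESTONES = [
    ("immediate_report", timedelta(hours=6)),       # Exchange + SEBI + CERT-In
    ("portal_submission", timedelta(hours=24)),
    ("interim_report", timedelta(days=3)),
    ("mitigation_measure_report", timedelta(days=7)),
    ("rca_it_committee", timedelta(days=30)),
    ("vapt_closure", timedelta(days=45)),
    ("forensic_audit_max", timedelta(days=75)),     # mandatory only for HIGH/CRITICAL
]


def sebi_deadlines(detected: datetime, priority: int) -> dict:
    """Milestone -> (deadline, mandatory). Forensic audit is conditional below HIGH."""
    out = {}
    # Assumption: "same day" modelled as 23:59 on the detection date.
    out["immediate_mitigation_report"] = (detected.replace(hour=23, minute=59, second=0, microsecond=0), True)
    for name, delta in SEBI_MILESTONES:
        mandatory = not (name == "forensic_audit_max" and priority > 2)
        out[name] = (detected + delta, mandatory)
    return out


def deadline_report(detected_iso: str, level: int, service_disrupted: bool = False, tier: str = "platinum") -> dict:
    """One-call view for the operator: priority plus ISO-formatted SLA and SEBI deadlines."""
    detected = datetime.fromisoformat(detected_iso)
    p = classify(level, service_disrupted)
    return {
        "priority": p,
        "severity": SEVERITY_NAME[p],
        "sla": {k: v.isoformat() for k, v in sla_deadlines(detected, p, tier).items()},
        "sebi": {k: (v.isoformat(), m) for k, (v, m) in sebi_deadlines(detected, p).items()},
    }


if __name__ == "__main__":
    # Constructed case: level-7 alert that halted order routing, detected Friday 2025-01-10 15:00 IST.
    report = deadline_report("2025-01-10T15:00:00", 7, service_disrupted=True)
    print(f"P{report['priority']} ({report['severity']})")
    for stage, when in report["sla"].items():
        print(f"  SLA  {stage:<26} {when}")
    for name, (when, mandatory) in report["sebi"].items():
        print(f"  SEBI {name:<26} {when}  {'mandatory' if mandatory else 'conditional'}")
```

The constructed case is deliberately a Medium-level alert that caused a service stoppage: `classify` promotes it to P2, which also makes the T+75d forensic audit mandatory. Swap a real holiday calendar into `add_business_days` before relying on the P3/P4 business-day targets.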
Visual SEBI timeline (T = detection)

T+6h Immediate report ×3 channels → Same day Mitigation Measure Report → T+24h SEBI portal → T+3d Interim Report → T+7d Mitigation Measure → T+30d RCA + IT Committee → T+45d VAPT + closure → T+75d Forensic max
Penalty Schedule (MII SOP Annexure B — Jan 2025)
Late initial 6-hour report: Rs 20,000/day; max Rs 2 lakh/incident (Members), Rs 10 lakh/incident (QRE/QSB)
Late Mitigation/RCA/VAPT/Forensic — days 1–7: Rs 1,500/day (Member), Rs 3,000/day (QRE/QSB)
Days 8–21: Rs 2,500/day (Member), Rs 5,000/day (QRE/QSB)
Beyond 21 days: New-client onboarding prohibited; 7-day disablement notice issued
Beyond 28 days: Disabled across all segments until submission

IRDAI penalties (Info & Cyber 2023):
Failure to report within 24h: up to Rs 1 crore per incident (Section 102 of Insurance Act)
Non-compliance with CISO/SOC mandate: regulatory action including license review
DPDP overlap: up to Rs 250 crore for PII breach (DPDP Act 2023 max penalty)
Connectivity disablement — critical operational risk
For CRITICAL or HIGH severity at SEBI brokers / DPs, COLO/POP/SFTP/API connectivity to Exchanges & Depositories is automatically disabled. It is restored only after the RE (regulated entity) submits an Immediate Mitigation Measure Report certified by a CERT-In empanelled auditor confirming that the risk is fully mitigated and there is no lateral-movement potential. → Trinetra SOC engages the CERT-In auditor in parallel with containment, not after.