System structure & roles and responsibilities defined for

System Audit Report for the period from January 2017 to December 2017
Date: 20-01-2018

Annexure A

Areas of Audit / Auditor's Remarks (Supporting Observations, Findings, References & Substantiation)
Column headings: Description / Yes / No

Organization Policies & Procedures
- Are policies related to Information Technology and Information Security available, approved by management and complied with? : Yes
- Is the organization structure, with roles and responsibilities for IT, defined? : Yes
- Are assets (such as applications, databases, servers, networks, etc.) identified, with ownership assigned by management for the complete lifecycle of these assets? : No
- Are operators certified for operating the trading systems? : Yes
- Do incident response procedures exist?
- Are incidents reported, resolved / closed and analysed for root cause?
- Is escalation of incidents done to management and government organizations as applicable, based on criticality, impact and type of incident? : No
- Do plans related to business continuity and disaster recovery exist? : No
- Are plans related to business continuity and disaster recovery tested, and are records of the tests available? : Yes

Perimeter & Environmental Security
- Are equipment and resources (people, systems, database, network and application) sited in a manner that protects against environmental threats and hazards and prevents opportunities for unauthorized access? : Yes
- Is physical access to the area controlled by reliable controls, so that only authorized users have access to these areas and misuse of the facility by unauthorized persons is prevented? : Yes
- Are logs of access to these areas maintained and reviewed? : Yes
- Is storage of backups secured commensurate with the risks involved, and are backups stored at a geographically separate location from the primary site? : Yes
- Does a contact list for emergency / crisis exist, and is it kept updated? : v

Access Control
Representation used in this section:
  AC_Pro: Access Control Procedure / Process
  AC_Auth: Access Control Authentication
  AC_Pwd: Access Control Password
Each of the above has specific attributes, identified by number.
- AC_Pro1 Is approval and authorization a required process for creating users and providing access (physical, system, database, application)? : Yes
- AC_Pro2 Are users created by authorized personnel? : Yes
- AC_Pro3 Is there a record of user ids created, disabled, enabled, deleted and unlocked, with a log of all such events maintained? : Yes
- AC_Pro4 Are passwords (of systems / database / application) changed in the event of employee / vendor staff leaving the company or being transferred? : Yes
- AC_Pro5 In the case of new users / password resets, is the password communicated to the user securely? : Yes
- AC_Pro6 Does a process exist to block / suspend the user (id) on request from the user (in case of loss of device / malicious activity)? : Yes
- AC_Auth1 Does the system (Application / System / Database) challenge (prompt) all users for authentication? : Yes
- AC_Auth2 Is the mechanism for authentication strong enough to control the threats that may be applicable? : Yes
- AC_Auth3 Are users uniquely identifiable with a unique user id? : Yes
- AC_Auth4 Are there generic ids existing for access? : Yes
- AC_Auth5 Is two factor authentication for the login session implemented for all orders emanating over internet protocol? : Yes
- AC_Auth6 Is a Public Key Infrastructure (PKI) based implementation using digital signatures deployed for authentication, supported by one of the agencies certified by the Government of India? : Yes
- AC_Auth7 Are the two factors in the two factor authentication framework different? : Yes
- AC_Pwd1 Does the system require a change of password when the user logs in for the first time? : Yes
- AC_Pwd2 Are users automatically disabled (locked) on entering an erroneous password on three consecutive occasions? : Yes
- AC_Pwd3 Does the system disable (block / lock) the user automatically on expiry of the password? : Yes

Network and Network Security
- Are networks adequately managed, controlled and monitored? : Yes
- Does the network provide security to the data, systems and applications in the network? : Yes
- Are the network security protocols and interface standards deployed as per prevalent industry standards? : Yes
- Do all users adhere to access controls as described in Section 3 of Annexure A? : Yes
- Is information travelling over the network (wired and / or wireless) adequately protected with mechanisms such as VPN, TLS / SSL, WPA2? : Yes
- Is a backup network link available in case of failure of the primary link to the BSE? : Yes
- Is a backup network link available in case of failure of the primary link connecting the customers? : Yes
- Does an alternate communications path between employees and the firm exist? : Yes
- Does an alternate communications path with critical business constituents, banks and regulators exist? : Yes
  - Verify location(s) of nodes in the network : Yes
  - Verify number of nodes in diagram against actual
  - Date of submission to BSE
- Are parameters identified and logged to enable traceability and non-repudiation of orders / actions performed, with relevant details like IP address, MAC address, time and other data?
- Are network device clocks synchronized to an atomic clock? : Yes
- Are network segments used to segregate critical, non-critical and user systems? : Yes
- Are network devices appropriately patched / upgraded with the latest firmware? : Yes
- Are log events identified, monitored, reviewed and escalated? : Yes
- Is appropriate validation of all risk parameters done to ensure that trading limits / exposure limits / position limits are set for all DMA clients?

Details of the IML IDs used by the trading members:
1. Whether the required details of all the ids created in the IML server of the trading member, for any purpose (viz. administration, branch administration, surveillance, risk management, trading, testing, etc.), and any changes therein, have been uploaded to the Exchange? If no, please give details. : YES
2. Whether all the IML user ids created in the IML server of the trading member have been mapped to 16 digit LOCATION IDs on a one-to-one basis, and a record of the same is maintained? : YES

Annexure B (Optional)

Areas of Audit / Auditor's Remarks (Supporting Observations, Findings, References & Substantiation)
Column headings: Description / Yes / No

Policies, Procedures and Documents Availability
- Information Security Policy : Yes
- Password Policy : Yes
- User Management and Access Control Policy : Yes
- Network Security Policy : Yes
- Application Software Policy : Yes
- Backup Policy : Yes
- Change Management Policy : Yes
- BCP and Response Management Policy : Yes
- Audit Trail Policy : Yes
- Other policies followed, if any, and their reference : Yes

Approvals, undertakings, agreements, policies
Segments: 1 – Internet Trading; 2 – SOR; 3 – Wireless (Mobile Trading); 4 – DMA
For the above segments, are the following documents available:
- Copy of application to exchange
- Approval / copy of approval from exchange
- Undertaking(s) provided as per relevant circulars as required by exchange / SEBI : Yes
- Undertaking provided regarding the IML system as per relevant circulars : Yes
- Whether the insurance policy of the Member covers the additional risk of usage of IML and / or Internet Trading : Yes

Change Management
- Changes to the system supporting trading are made in a planned manner : Yes
- Changes are made by duly authorized personnel : Yes
- Risk involved in the implementation of the changes is duly factored in : Yes
- The implemented change is duly approved and the process documented : Yes
- The change request process is documented : Yes
- The change implementation process is supervised to ensure system integrity and continuity : Yes
- User acceptance of the change is documented : Yes
- Unplanned changes are duly authorized and the manner of change documented later : Yes
- SDLC documentation and procedures exist if the installed IML system is developed in-house : Yes

User Management
- No. of user ids created : Yes
- All users are uniquely identified through issue of unique IML ids : Yes
- No. of users deleted, with logs maintained : Yes
- No. of users disabled, with logs maintained : Yes
- No. of users reissued, with logs maintained : Yes
- No. of users whose accounts are locked, with logs : Yes
- The users in the system are created by authorized personnel at server level : Yes

Redundancy & Backup in case of System Failure
- Backups for the critical system components : Yes
  - Gateway / Database Server : Yes
  - Audit Trails : Yes
  - IML router : Yes
  - Network Switch : Yes
  - Communication lines : Yes
- Infrastructure breakdown backup : Yes
  - Electricity : Yes
  - Water : Yes
  - Air Conditioning : Yes
- Has an alternate physical location for employees been arranged in case of non-availability of the primary site? : Yes
- Provisions for books and records backup and recovery (hard copy and electronic) : Yes
- Have mission-critical systems been identified, and has provision for backup of such systems been made? : Yes
- Are backup and recovery procedures defined, approved and documented? : Yes
- Are backup and restoration records and logs maintained? : Yes
- Are backup media stored safely in line with the risks? : Yes

Daily Operational Activities
- Provision for Begin of Day activity : Yes
  - Audit Trails : Yes
  - Access Logs : Yes
  - Transaction Logs : Yes
  - Backup Logs : Yes
  - Alert Logs : Yes
  - Activity Logs : Yes
  - Misc (please specify) : Yes
- Provision for End of Day activity : Yes
- System for log monitoring, escalation and corrective measures taken, if any : Yes
- The IML solution should not in any manner suggest to the user by default the name of the Exchange, scrip, segment etc.; it is the user who should have the option to select these : Yes

Response Procedures (Description)
- Access Control failure
- Beginning of Day failure
- End of Day failure
- Other system processes failure

Other information (Description)
Gateway Parameters
  Trader ID
  Cash Segment: IML ID; IP Address (BSE Network); VSAT ID; Leased Line ID
  F&O Segment: DIML ID; IP Address (BSE Network); VSAT ID; Leased Line ID

Auditor comments towards data and information related to trade and orders
  Confidentiality:
  Integrity:
  Availability:
  Non-Repudiation:

Annexure C (Mandatory)

INFORMATION SYSTEM AUDIT OF Medicine Company

Column headings: Sr No / Area of Audit / Classification of Controls in Annexure A (S / A / I) / Classification of Controls in Annexure B (S / A / I)
1. Organization structure exists and supports governance through policies, procedures, processes and guidelines. : NA
2. Systems and processes related to perimeter and environmental security controls exist. : NA
3. Access, authentication and authorization to systems (systems, database, OS, networks etc.) is commensurate with the importance of the systems. : NA
4. Systems follow policies and procedures to protect from threats that might exploit the system. : NA
5. Network and network security follow policies and procedures to protect from threats that might exploit the system. : NA
6. Database systems follow policies and procedures to protect from threats that might exploit the system. : NA
7. Processes and procedures for encryption deployed for the protection of data are established. : NA
8. Audit logging and monitoring are established to identify and determine accountability for actions performed. : NA
9. Processes and procedures followed for capacity management are established. : NA
10. Pre-trade risk controls (value limit per order etc.) are implemented and adhere to all applicable circulars from SEBI and BSE Limited. : NA
11. Online risk management tool and order entry are supported. : NA
12. Features of the system are established and implemented. : NA
13. IML / IBT systems are controlled and adhere to all applicable circulars from SEBI and BSE Limited. : NA
14. Securities Trading using Wireless Technology (Mobile Trading) systems are controlled and adhere to all applicable circulars from SEBI and BSE Limited. : NA
15. Smart Order Routing systems are controlled and adhere to all applicable circulars from SEBI and BSE Limited. : NA
16. Direct Market Access systems are controlled and adhere to all applicable circulars from SEBI and BSE Limited. : NA
17. Are policies available, implemented and reviewed for implementation? : NA
18. Are communication documents, viz. application, approval and undertaking, available, valid and secured? : NA
19. Is change management an established process, and are procedures for change implemented in a controlled manner? : NA
20. Is user management done according to the defined policy, do procedures adhere to the policy, and are records of implementation and adherence available? : NA
21. Are redundancy and backup available and tested in case of system failure? : NA
22. Are daily operational activities controlled and logged to demonstrate control? : NA
23. Are response procedures available, and do records of their use indicate an established procedure? : NA
24. Is information related to parameters available and updated periodically? : NA
25. Any other comment by the auditor towards data and information related to trade and orders. : NA

Declaration: Member Summary
Column headings: Sr # / Trading Facilities / Trading Facility Offered? (Yes / No) / Trading Facility Audited? (Yes / No)
1. IML – IBT Trading (Internet Based Trading) : Offered Yes / Audited Yes
2. STWT (Securities Trading Using Wireless Technology) : Offered Yes / Audited Yes
3. SOR (Smart Order Routing) : Offered Yes / Audited Yes
4. DMA (Direct Market Access) : Offered Yes / Audited Yes

All the branches where the IML-IBT / STWT / DMA facility is provided have been audited and a consolidated report has been submitted. I, the undersigned, assure that circulars issued by SEBI and BSE Limited have been referenced for checking the compliances and that the contents of the report are as per the audit performed by me, and declare that there is no conflict of interest with respect to the member being audited. Audit recommendations (if any) in relation to the System Audit report for the year ended December that have been duly implemented / not implemented are mentioned separately as an annexure (as a part of the System Audit report). In case you have been rated as "Medium/Weak" in any areas by the System auditor between December 2017 (prior to granting approval for Internet based Trading / Direct Market Access / SOR / Wireless securities trading, except for Algorithmic Trading), please submit an "Action Taken Report" duly certified by your system auditor detailing the actions taken by you on the various individual "Medium / Weak" areas.

Nida Perveen
Date: 20-01-2018
Place:

Note: Criteria for Evaluation of Controls are indicated below; based on these, the "Areas of Audit" mentioned in Annexure A & B are to be rated.

Evaluation of Controls
Strong: Controls are said to be Strong if objectives are fully complied with and no material weaknesses are found.
Adequate: Controls are said to be Adequate if objectives are substantially complied with and no material weakness results in substantial risk exposure due to non-compliance, or compensatory controls exist which reduce the risk exposure to make it immaterial vis-à-vis the non-compliance with the criteria.
Inadequate: Controls are said to be Inadequate if objectives are not complied with and compensatory controls fail to reduce the risk so as to make it immaterial vis-à-vis the non-compliance with the compliance criteria.
