System Audit Report for the period from January 2017 to December 2017
Date: 20-01-2018

Annexure A
Columns: Areas of Audit; Auditors Remarks (Supporting Observations, Findings, References & Substantiation)

Organization Policies & Procedures (Description; Yes / No)
- Are policies related to Information Technology and Information Security available, approved by management and complied with? Yes
- Is the organization structure, with roles and responsibilities, defined for IT? Yes
- Are assets (such as applications, databases, servers, networks) identified, and is ownership assigned by management for the complete lifecycle of these assets? No
- Are operators certified for operating the trading systems? Yes
- Do incident response procedures exist?
- Are incidents reported, resolved / closed and analyzed for root cause?
- Is escalation of incidents to management and government organizations done, as applicable, based on criticality, impact and type of incident? No
- Do plans for business continuity and disaster recovery exist? No
- Are the business continuity and disaster recovery plans tested, and are records of the tests available? Yes

Perimeter & Environmental Security (Description; Yes / No)
- Are equipment and resources (people, systems, databases, network and applications) sited so as to protect against and prevent risks from environmental threats and hazards, and opportunities for unauthorized access? Yes
- Is physical access to the area controlled by reliable controls, with only authorized users having access to these areas, so as to prevent misuse of the facility by unauthorized persons? Yes
- Are logs of access to these areas maintained and reviewed? Yes
- Is storage of backups secured commensurate with the risks involved, and are backups stored at a location geographically separate from the primary site? Yes
- Does a contact list for emergencies / crises exist, and is it kept updated?

Access Control
Representation:
AC_Pro: Access Control Procedure / Process
AC_Auth: Access Control Authentication
AC_Pwd: Access Control Password
Each of the above has specific attributes, identified by number.

(Description; Yes / No)
- AC_Pro1: Is approval and authorization a required process for creating users and providing access (physical, system, database, application)? Yes
- AC_Pro2: Are users created by authorized personnel? Yes
- AC_Pro3: Is there a record of user ids created, disabled, enabled, deleted and unlocked, with a log of all such events maintained? Yes
- AC_Pro4: Are passwords (of systems / databases / applications) changed when employees or vendor staff leave the company or are transferred? Yes
- AC_Pro5: For new users / password resets, is the password communicated to the user securely? Yes
- AC_Pro6: Does a process exist to block / suspend a user id on request from the user (in case of loss of device / malicious activity)? Yes
- AC_Auth1: Does the system (application / system / database) challenge (prompt) all users for authentication? Yes
- AC_Auth2: Is the authentication mechanism strong enough to control the threats that may be applicable? Yes
- AC_Auth3: Are users uniquely identifiable with a unique user id? Yes
- AC_Auth4: Do generic ids exist for access? Yes
- AC_Auth5: Is two factor authentication for the login session implemented for all orders emanating over internet protocol? Yes
- AC_Auth6: Is a Public Key Infrastructure (PKI) based implementation using digital signatures deployed for authentication, supported by one of the agencies certified by the Government of India? Yes
- AC_Auth7: Are the two factors in the two factor authentication framework different? Yes
- AC_Pwd1: Does the system require a change of password when the user logs in for the first time? Yes
- AC_Pwd2: Are users automatically disabled (locked) on entering an erroneous password on three consecutive occasions? Yes
- AC_Pwd3: Does the system disable (block / lock) the user automatically on expiry of the password? Yes

Network and Network Security (Description; Yes / No)
- Are networks adequately managed, controlled and monitored? Yes
- Does the network provide security to the data, systems and applications on the network? Yes
- Are the network security protocols and interface standards deployed in line with prevalent industry standards? Yes
- Do all users adhere to access controls as described in Section 3 of Annexure A? Yes
- Is information travelling over the network (wired and / or wireless) adequately protected with mechanisms such as VPN, TLS / SSL, WPA2? Yes
- Is a backup network link available in case of failure of the primary link to the BSE? Yes
- Is a backup network link available in case of failure of the primary link connecting the customers? Yes
- Does an alternate communications path between employees and the firm exist? Yes
- Does an alternate communications path with critical business constituents, banks and regulators exist? Yes
- Verify location(s) of nodes in the network: Yes
- Verify number of nodes in diagram against actual:
- Date of submission to BSE:
- Are parameters identified and logged to enable traceability and non-repudiation of orders / actions performed, with relevant details such as IP address, MAC address, time and other data?
- Are network device clocks synchronized to an atomic clock? Yes
- Are network segments used to segregate critical, non-critical and user systems? Yes
- Are network devices appropriately patched / upgraded with the latest firmware? Yes
- Are log events identified, monitored, reviewed and escalated? Yes
- Is appropriate validation of all risk parameters done to ensure that trading limits / exposure limits / position limits are set for all DMA clients?

Details of the IML IDs used by the trading member:
1. Whether the required details of all the ids created in the IML server of the trading member, for any purpose (viz. administration, branch administration, surveillance, risk management, trading, testing, etc.), and any changes therein, have been uploaded to the Exchange? If no, please give details. YES
2. Whether all the IML user ids created in the IML server of the trading member have been mapped to a 16 digit LOCATION ID on a one-to-one basis, and a record of the same is maintained? YES

Annexure B (Optional)
Columns: Areas of Audit; Auditors Remarks (Supporting Observations, Findings, References & Substantiation)

Policies, Procedures and Documents Availability (Description; Yes / No)
- Information Security Policy: Yes
- Password Policy: Yes
- User Management and Access Control Policy: Yes
- Network Security Policy: Yes
- Application Software Policy: Yes
- Backup Policy: Yes
- Change Management Policy: Yes
- BCP and Response Management Policy: Yes
- Audit Trail Policy: Yes
- Other policies followed, if any, and their reference: Yes

Approvals, undertakings, agreements, policies (Description; Yes / No)
Segments: 1 Internet Trading; 2 SOR; 3 Wireless (Mobile Trading); 4 DMA
For the above segments, are the following documents available:
- Copy of application to exchange
- Approval / copy of approval from exchange
- Undertaking(s) provided as per relevant circulars as required by exchange / SEBI: Yes
- Undertaking provided regarding the IML system as per relevant circulars: Yes
- Whether the insurance policy of the Member covers the additional risk of usage of IML and / or Internet Trading: Yes

Change Management (Description; Yes / No)
- Changes to the system supporting trading are made in a planned manner: Yes
- Changes are made by duly authorized personnel: Yes
- Risk involved in the implementation of the changes is duly factored in: Yes
- The implemented change is duly approved and the process documented: Yes
- The change request process is documented: Yes
- The change implementation process is supervised to ensure system integrity and continuity: Yes
- User acceptance of the change is documented: Yes
- Unplanned changes are duly authorized and the manner of change documented later: Yes
- SDLC documentation and procedures, if the installed IML system is developed in-house: Yes

User Management (Description; Yes / No)
- No. of user ids created: Yes
- All users are uniquely identified through issue of unique IML ids: Yes
- No. of users deleted, with logs maintained: Yes
- No. of users disabled, with logs maintained: Yes
- No. of users reissued, with logs maintained: Yes
- No. of users whose accounts are locked, with logs: Yes
- Users in the system are created by authorized personnel at server level: Yes

Redundancy & Backup in case of System Failure (Description; Yes / No)
Backups for the critical system components: Yes
- Gateway / Database Server: Yes
- Audit Trails: Yes
- IML router: Yes
- Network Switch: Yes
- Communication lines: Yes
Infrastructure breakdown backup: Yes
- Electricity: Yes
- Water: Yes
- Air Conditioning: Yes
Other provisions:
- Alternate physical location for employees arranged in case of non-availability of the primary site: Yes
- Provisions for books and records backup and recovery (hard copy and electronic): Yes
- Mission-critical systems identified and provision for backup of such systems made: Yes
- Are backup and recovery procedures defined, approved and documented? Yes
- Are backup and restoration records and logs maintained? Yes
- Are backup media stored safely in line with risks? Yes

Daily Operational Activities (Description; Yes / No)
- Provision for begin of day activity: Yes
- Audit Trails: Yes
- Access Logs: Yes
- Transaction Logs: Yes
- Backup Logs: Yes
- Alert Logs: Yes
- Activity Logs: Yes
- Misc (please specify): Yes
- Provision for end of day activity: Yes
- System for log monitoring, escalation and corrective measures taken, if any: Yes
- The IML solution should not in any manner suggest to the user by default the name of Exchange, scrip, segment etc.; it is the user who should have the option to select these: Yes

Response Procedures (Description)
- Access Control failure
- Beginning of Day failure
- End of Day failure
- Other system processes failure

Other information (Description): Gateway Parameters
Cash Segment:
- Trader ID:
- IML ID:
- IP Address (BSE Network):
- VSAT ID:
- Leased Line ID:
F&O Segment:
- DIML ID:
- IP Address (BSE Network):
- VSAT ID:
- Leased Line ID:

Auditor comments towards data and information related to trade and orders
Confidentiality:
Integrity:
Availability:
Non-Repudiation:

Annexure C (Mandatory)
INFORMATION SYSTEM AUDIT OF Medicine Company
Columns: Sr No; Area of Audit; Classification of Controls in Annexure A (S / A / I); Classification of Controls in Annexure B (S / A / I)
1. Organization structure exists and supports governance through policies, procedures, processes and guidelines. NA
2. Systems and processes related to perimeter and environmental security controls exist. NA
3. Access, authentication and authorization to systems (systems, database, OS, networks etc.) is commensurate with the importance of the systems. NA
4. Systems follow policies and procedures to protect from threats that might exploit the system. NA
5. Network and network security follow policies and procedures to protect from threats that might exploit the system. NA
6. Database systems follow policies and procedures to protect from threats that might exploit the system. NA
7. Processes and procedures for encryption deployed for protection of data are established. NA
8. Audit logging and monitoring are established to identify and determine accountability of actions performed. NA
9. Processes and procedures followed for capacity management are established. NA
10. Pre-trade risk controls (value limit per order etc.) are implemented and adhere to all applicable circulars from SEBI and BSE Limited. NA
11. Online risk management tool and order entry are supported. NA
12. Features of the system are established and implemented. NA
13. IML / IBT systems are controlled and adhere to all applicable circulars from SEBI and BSE Limited. NA
14. Securities Trading using Wireless Technology (Mobile Trading) systems are controlled and adhere to all applicable circulars from SEBI and BSE Limited. NA
15. Smart Order Routing systems are controlled and adhere to all applicable circulars from SEBI and BSE Limited. NA
16. Direct Market Access systems are controlled and adhere to all applicable circulars from SEBI and BSE Limited. NA
17. Are policies available, implemented and reviewed for implementation? NA
18. Are communication documents, viz. application, approval and undertaking, available, valid and secured? NA
19. Is change management an established process, and are procedures for change implemented in a controlled manner? NA
20. Is user management done according to the defined policy, do procedures adhere to the policy, and are records of implementation and adherence available? NA
21. Is redundancy and backup available and tested in case of system failure? NA
22. Are daily operational activities controlled and logged to demonstrate control? NA
23. Are response procedures available, and do records of use indicate an established procedure? NA
24. Is information related to parameters available and updated periodically? NA
25. Any other comment by auditor towards data and information related to trade and orders. NA

Declaration: Member Summary
Columns: Sr #; Trading Facilities; Trading Facility Offered? (Yes / No); Trading Facility Audited? (Yes / No)
1. IML - IBT Trading (Internet Based Trading): Offered Yes; Audited Yes
2. STWT (Securities Trading Using Wireless Technology): Offered Yes; Audited Yes
3. SOR (Smart Order Routing): Offered Yes; Audited Yes
4. DMA (Direct Market Access): Offered Yes; Audited Yes

All the branches where the IML-IBT / STWT / DMA facility is provided have been audited and a consolidated report has been submitted. I, the undersigned, assure that circulars issued by SEBI and BSE Limited have been referenced for checking the compliances, and that the contents of the report are as per the audit performed by me, and declare that there is no conflict of interest with respect to the member being audited.

Audit recommendations (if any) in relation to the System Audit report for the year ended December that have been duly implemented / not implemented are mentioned separately as an annexure (as a part of the System Audit report).

In case you have been rated as "Medium/Weak" in any areas by the System auditor between December 2017 (prior to granting approval for Internet based Trading / Direct Market Access / SOR / Wireless securities trading, except for Algorithmic Trading), please submit an "Action Taken Report" duly certified by your system auditor detailing the actions taken by you on the various individual "Medium / Weak" areas.

Nida Perveen
Date: 20-01-2018
Place:

Note: Criteria for the evaluation of controls are indicated below; based on these, the "Areas of Audit" mentioned in Annexures A and B are to be rated.

Evaluation of Controls (Description)
- Strong: Controls are said to be Strong if objectives are fully complied with and no material weaknesses are found.
- Adequate: Controls are said to be Adequate if objectives are substantially complied with and no material weakness results in substantial risk exposure due to non-compliance; compensatory controls exist which reduce the risk exposure so as to make it immaterial vis-a-vis the non-compliance with the criteria.
- Inadequate: Controls are said to be Inadequate if objectives are not complied with; compensatory controls fail to reduce the risk so as to make it immaterial vis-a-vis the non-compliance with the compliance criteria.