System Audit Report

System Audit Report for the period from January 2017 to December 2017


Date: 20-01-2018

Annexure A

Areas of Audit
Auditor's Remarks (Supporting Observations, Findings, References & Substantiation)

Organization Policies & Procedures

Description                          Yes / No

Are policies related to Information Technology & Information Security available, approved by management and complied with?

 Yes

Are the organization structure and the roles and responsibilities for IT defined?

 Yes

Are assets (applications, databases, servers, networks etc.) identified, with ownership assigned by management for the complete lifecycle of these assets?

 No

Are operators certified for operating the trading systems?

 Yes

Do incident response procedures exist? Are incidents reported, resolved / closed and analyzed for root cause? Are incidents escalated to management and to government organizations as applicable, based on criticality, impact and type of incident?

 No

Do plans related to business continuity and disaster recovery exist?

 No

Are plans related to business continuity and disaster recovery tested, and are records of the tests available?

 Yes

Perimeter & Environmental Security

Description                          Yes / No

Are equipment and resources (people, systems, databases, network and applications) sited so as to protect against environmental threats and hazards and against opportunities for unauthorized access?

 Yes

Is physical access to the area controlled by reliable controls, so that only authorized users have access to these areas and misuse of the facility by unauthorized persons is prevented?

 Yes

Are logs of access to these areas maintained and reviewed?

 Yes

Is storage of backups secured commensurate with the risks involved, and are backups stored at a geographically separate location from the primary?

 Yes

Does a contact list for emergency / crisis exist, and is it kept updated?

 v

Access Control

Representation:

AC_Pro: Access Control Procedure / Process
AC_Auth: Access Control Authentication
AC_Pwd: Access Control Password

Each of the above has its specific attributes numbered (e.g. AC_Pro1).

Description                          Yes / No

AC_Pro1 Is approval and authorization a required step for creating a user and granting access (physical, system, database, application)?

 Yes

AC_Pro2 Are users created by authorized personnel?

 Yes

AC_Pro3 Is there a record of user IDs created, disabled, enabled, deleted and unlocked, with a log of all such events maintained?

 Yes

AC_Pro4 Are passwords (of systems / databases / applications) changed when employees or vendor staff leave the company or are transferred?

 Yes

AC_Pro5 For new users and password resets, is the password communicated to the user securely?

 Yes

AC_Pro6 Does a process exist to block / suspend a user ID on request from the user (e.g. loss of device, malicious activity)?

 Yes

AC_Auth1 Does the system (application / system / database) challenge (prompt) every user for authentication?

 Yes

AC_Auth2 Is the authentication mechanism strong enough to control the threats that may apply?

 Yes

AC_Auth3 Are users uniquely identifiable by a unique user ID?

 Yes

AC_Auth4 Do generic IDs exist for access?

 Yes

AC_Auth5 Is two-factor authentication implemented for the login session for all orders originating over Internet Protocol?

Yes

AC_Auth6 Is a Public Key Infrastructure (PKI) based implementation using digital signatures deployed for authentication, supported by one of the agencies certified by the Government of India?

Yes

AC_Auth7 Are the two factors in the two-factor authentication framework different from each other (i.e. of different kinds)?

Yes

AC_Pwd1 Does the system require the password to be changed when the user logs in for the first time?

 Yes

AC_Pwd2 Are users automatically disabled (locked) on entering an erroneous password on three consecutive occasions?

 Yes

AC_Pwd3 Does the system disable (block / lock) the user automatically on expiry of the password?

 Yes
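
The password and user-ID controls in AC_Pwd1 to AC_Pwd3, together with the event log of AC_Pro3, the secure reset of AC_Pro5 and the suspend-on-request process of AC_Pro6, describe expected system behaviour rather than how it is built. The following is an added Python illustration of that behaviour, written for this page and not taken from the audited trading system or from any BSE / SEBI specification. The 90-day expiry, the salted scrypt hashing and the event-record layout are assumptions, since the report states none of them.

```python
"""Reference behaviour for the password and user-ID controls in AC_Pro3, AC_Pro5,
AC_Pro6 and AC_Pwd1 to AC_Pwd3. Added illustration for this page; it is not the
audited trading system. Assumptions (the report states none of these): passwords
are stored as salted scrypt hashes, a password expires after 90 days, and every
lifecycle event is logged as (time, user id, event, actor)."""
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_FAILED_ATTEMPTS = 3                 # AC_Pwd2: three consecutive bad passwords
PASSWORD_MAX_AGE = timedelta(days=90)   # AC_Pwd3: assumed expiry period


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: datetime
    must_change: bool = True        # AC_Pwd1: first login must change the password
    failed_attempts: int = 0
    locked: bool = False
    events: list = field(default_factory=list)   # AC_Pro3: created/locked/unlocked/... log

    def log(self, event: str, at: datetime, actor: str) -> None:
        self.events.append((at.isoformat(), self.user_id, event, actor))


def create_account(user_id: str, initial_pw: str, now: datetime, created_by: str) -> Account:
    """AC_Pro2: creation is done by a named, authorised actor and logged."""
    salt = os.urandom(16)
    acct = Account(user_id, salt, _hash(initial_pw, salt), now)
    acct.log("created", now, created_by)
    return acct


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'change_required', 'bad_password' or 'locked'."""
    if acct.locked:
        return "locked"
    if now - acct.pw_set_at > PASSWORD_MAX_AGE:          # AC_Pwd3: expiry locks the ID
        acct.locked = True
        acct.log("locked:password_expired", now, "system")
        return "locked"
    if _hash(password, acct.salt) != acct.pw_hash:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:   # AC_Pwd2
            acct.locked = True
            acct.log("locked:failed_attempts", now, "system")
            return "locked"
        return "bad_password"
    acct.failed_attempts = 0       # only a correct password resets the counter
    return "change_required" if acct.must_change else "ok"   # AC_Pwd1


def change_password(acct: Account, old_pw: str, new_pw: str, now: datetime) -> bool:
    """User-driven change; refuses a locked account, a wrong old password or a reused one."""
    if acct.locked or new_pw == old_pw or _hash(old_pw, acct.salt) != acct.pw_hash:
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_pw, acct.salt)
    acct.pw_set_at = now
    acct.must_change = False
    acct.log("password_changed", now, acct.user_id)
    return True


def suspend(acct: Account, now: datetime, requested_by: str) -> None:
    """AC_Pro6: block the ID on the user's request (lost device, suspected misuse)."""
    acct.locked = True
    acct.log("suspended", now, requested_by)


def reset_password(acct: Account, temp_pw: str, now: datetime, admin: str) -> None:
    """AC_Pro5 / AC_Pwd1: the only way out of a lock is an admin-issued temporary
    password, which must itself be changed at the next login."""
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(temp_pw, acct.salt)
    acct.pw_set_at = now
    acct.must_change = True
    acct.failed_attempts = 0
    acct.locked = False
    acct.log("unlocked:password_reset", now, admin)


if __name__ == "__main__":
    t0 = datetime(2017, 6, 1, 9, 0, tzinfo=timezone.utc)
    acct = create_account("TRD001", "Init-Pass-1", t0, "admin")
    print(authenticate(acct, "Init-Pass-1", t0))       # change_required
    for _ in range(3):
        print(authenticate(acct, "guess", t0))         # bad_password, bad_password, locked
    for event in acct.events:
        print(event)
```

The points an auditor checks are visible in the state transitions: the consecutive-failure counter resets only on a correct password, so three bad attempts spread over separate sessions still lock the ID; an expired password locks on the next attempt regardless of what was typed; and the only way out of either lock is an administrator-set temporary password that itself forces a change at first use, with every transition written to the event log.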

 

 

 

Network and Network Security

Description                          Yes / No

Are networks adequately managed, controlled and monitored?

 Yes

Does the network provide security to the data, systems and applications on it?

 Yes

Are the deployed network security protocols and interface standards as per prevalent industry standards?

 Yes

Do all users adhere to access controls as described in Section 3 of Annexure A?

 Yes

Is information travelling over the network (wired and/or wireless) adequately protected with mechanisms such as VPN, TLS/SSL and WPA2?

 Yes

Is a backup network link available in case of failure of the primary link to BSE?

 Yes

Is a backup network link available in case of failure of the primary link connecting the customers?

 Yes

Does an alternate communications path between employees and the firm exist?

 Yes

Does an alternate communications path with critical business constituents, banks and regulators exist?

 Yes

- Verify location(s) of nodes in the network

 Yes

- Verify number of nodes in diagram against actual

- Date of submission to BSE

Are parameters identified and logged to enable traceability and non-repudiation of orders / actions performed, with relevant details such as IP address, MAC address, time and other data?

Are network device clocks synchronized to an atomic (reference) clock?

 Yes

Are network segments used to segregate critical, non-critical and user systems?

 Yes

Are network devices appropriately patched / upgraded with the latest firmware?

 Yes

Are log events identified, monitored, reviewed and escalated?

 Yes

Appropriate validation of all risk parameters is
done to ensure that trading limits/ exposure limits/ position limits are set
for all DMA clients
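
The traceability / non-repudiation item above lists the parameters an order record must carry (IP address, MAC address, time) and the clock-synchronisation item requires that the time be trustworthy. The following added Python checker, written for this page and not part of the audited IML system, runs those two requirements over a few constructed log lines. The key=value log format, the field names, the gateway-side receive timestamp gw_ts used as the reference clock, and the one-second skew tolerance are all assumptions; the report specifies none of them.

```python
"""Checker for the traceability / non-repudiation parameters of order records.
Added illustration for this page, not the audited IML system. Assumed (the report
does not specify them): a key=value log line format, the field names below, a
gateway-side receive timestamp gw_ts that serves as the synchronised reference
clock, and a one-second skew tolerance."""
import ipaddress
import re
from datetime import datetime, timedelta

REQUIRED_FIELDS = ("ts", "gw_ts", "user", "order", "ip", "mac", "action")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
CLOCK_TOLERANCE = timedelta(seconds=1)


def parse_record(line: str) -> dict:
    """Parse 'key=value key=value ...'; raise ValueError on a token without '='."""
    rec = {}
    for token in line.split():
        if "=" not in token:
            raise ValueError(f"malformed token {token!r}")
        key, value = token.split("=", 1)
        rec[key] = value
    return rec


def _parse_ts(value: str):
    """Return (aware datetime, None) or (None, finding)."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None, "bad_ts"
    if dt.tzinfo is None:          # a naive time cannot be compared with the reference
        return None, "ts_no_timezone"
    return dt, None


def check_record(rec: dict) -> list:
    """Return findings for one record; an empty list means it is fully traceable."""
    findings = [f"missing:{f}" for f in REQUIRED_FIELDS if not rec.get(f)]
    if rec.get("ip"):
        try:
            ipaddress.ip_address(rec["ip"])
        except ValueError:
            findings.append("bad_ip")
    if rec.get("mac") and not MAC_RE.match(rec["mac"]):
        findings.append("bad_mac")
    ts = gw = None
    if rec.get("ts"):
        ts, problem = _parse_ts(rec["ts"])
        if problem:
            findings.append(problem)
    if rec.get("gw_ts"):
        gw, problem = _parse_ts(rec["gw_ts"])
        if problem:
            findings.append("gw_" + problem)
    if ts and gw and abs(ts - gw) > CLOCK_TOLERANCE:   # device clock vs reference clock
        findings.append("clock_skew")
    return findings


def audit_log(lines) -> dict:
    """Map 1-based line number to findings; only problem lines appear in the result."""
    report = {}
    for number, line in enumerate(lines, 1):
        try:
            rec = parse_record(line)
        except ValueError as exc:
            report[number] = [f"unparseable:{exc}"]
            continue
        findings = check_record(rec)
        if findings:
            report[number] = findings
    return report


# Constructed sample lines, not taken from any real system.
SAMPLE_LOG = [
    "ts=2017-11-02T09:15:00.120Z gw_ts=2017-11-02T09:15:00.131Z user=TRD001 order=O1001 ip=10.20.30.41 mac=00:1A:2B:3C:4D:5E action=NEW",
    "ts=2017-11-02T09:15:00.300Z gw_ts=2017-11-02T09:15:00.310Z user=TRD001 order=O1002 ip=10.20.30.41 action=NEW",
    "ts=2017-11-02T09:15:00.400Z gw_ts=2017-11-02T09:15:00.412Z user=TRD002 order=O1003 ip=10.20.30.999 mac=00:1A:2B:3C:4D:5F action=CANCEL",
    "ts=2017-11-02T09:14:30.000Z gw_ts=2017-11-02T09:15:00.500Z user=TRD003 order=O1004 ip=10.20.30.43 mac=00:1A:2B:3C:4D:60 action=NEW",
    "ts=2017-11-02T09:15:00 gw_ts=2017-11-02T09:15:00.600Z user=TRD004 order=O1005 ip=10.20.30.44 mac=00:1A:2B:3C:4D:61 action=MODIFY",
    "gw_ts=2017-11-02T09:15:00.700Z user=TRD005 order=O1006 ip=10.20.30.45 mac=00-1A-2B-3C-4D-62 action=NEW",
    "client TRD006 placed O1007",
]

if __name__ == "__main__":
    for number, findings in audit_log(SAMPLE_LOG).items():
        print(number, findings)
```

Only the first sample line passes. The others show the failure modes the audit item is meant to catch: a record with no MAC address, an unroutable IP, a device clock thirty seconds behind the gateway, a timestamp without a time zone (which cannot be compared with anything), a record missing its own timestamp, and a line that is not a structured record at all. A record that fails any of these cannot be used to attribute an order to a person and a device afterwards.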

 

 

 

Details of the IML IDs used by the trading members:

1. Whether the required details of all the IDs created in the IML server of the trading member, for any purpose (viz. administration, branch administration, surveillance, risk management, trading, testing, etc.), and any changes therein, have been uploaded to the Exchange? If no, please give details.

YES

2. Whether all the IML user IDs created in the IML server of the trading member have been mapped to 16-digit LOCATION IDs on a one-to-one basis, and a record of the same is maintained?

YES

Annexure B (Optional)

Areas of Audit
Auditor's Remarks (Supporting Observations, Findings, References & Substantiation)

Policies, Procedures and Documents Availability

Description                          Yes / No

Information Security Policy

Yes

Password Policy

Yes

User Management and Access Control Policy

Yes

Network Security Policy

Yes

Application Software Policy

Yes

Backup Policy

Yes

Change Management Policy

Yes

BCP and Response Management Policy

Yes

Audit Trail Policy

Yes

Other policies followed, if any, and their reference

Yes

 

Approvals, undertakings, agreements, policies:

Description                          Yes / No

1 – Internet Trading
2 – SOR
3 – Wireless (Mobile Trading)
4 – DMA

For the above segments, are the following documents available:
- Copy of application to exchange
- Approval / copy of approval from exchange
- Undertaking(s) provided as per relevant circulars as required by exchange / SEBI

Yes

Undertaking provided regarding the IML system as per relevant circulars

Yes

Whether the insurance policy of the Member covers the additional risk of usage of IML and/or Internet Trading

Yes

 

Change Management

Description                          Yes / No

Changes to the systems supporting trading are made in a planned manner

Yes

Changes are made by duly authorized personnel

Yes

Risk involved in the implementation of the changes is duly factored in

Yes

The implemented change is duly approved and the process documented

Yes

The change request process is documented

Yes

Change implementation is supervised to ensure system integrity and continuity

Yes

User acceptance of the change is documented

Yes

Unplanned changes are duly authorized and the manner of change documented afterwards

Yes

SDLC documentation and procedures exist if the installed IML system is developed in-house

Yes

 

 

User Management

Description                          Yes / No

No. of user IDs created

Yes

All users are uniquely identified through issue of unique IML IDs

Yes

No. of users deleted, with logs maintained

Yes

No. of users disabled, with logs maintained

Yes

No. of users reissued, with logs maintained

Yes

No. of users whose accounts are locked, with logs

Yes

Users in the system are created by authorized personnel at server level

Yes

 

Redundancy & Backup in case of System Failure

Description                          Yes / No

Backups for the critical system components

Yes

Gateway / Database Server

Yes

Audit Trails

Yes

IML router

Yes

Network Switch

Yes

Communication lines

Yes

Infrastructure breakdown backup

Yes

Electricity

Yes

Water

Yes

Air Conditioning

Yes

Alternate physical location for employees has been arranged in case of non-availability of the primary site

Yes

Provisions for books and records backup and recovery (hard copy and electronic)

Yes

Mission-critical systems have been identified and provision for backup of such systems made

Yes

Are backup and recovery procedures defined, approved and documented?

Yes

Are backup and restoration records and logs maintained?

Yes

Are backup media stored safely in line with the risks?

Yes

 

 

Daily Operational Activities

Description                          Yes / No

Provision for Begin of Day activity

Yes

Audit Trails

Yes

Access Logs

Yes

Transaction Logs

Yes

Backup Logs

Yes

Alert Logs

Yes

Activity Logs

Yes

Misc (please specify):

Yes

Provision for End of Day activity

Yes

System for log monitoring, escalation & corrective measures taken, if any

Yes

The IML solution should not in any manner suggest to the user by default the name of Exchange, scrip, segment etc. It is the user who should have the option to select these.

Yes

 

Response Procedures

Description

Access Control failure

Beginning of Day failure

End of Day failure

Other system processes failure

Other information

Description

Gateway Parameters
- Trader ID

Cash Segment
- IML ID
- IP Address (BSE Network)
- VSAT ID
- Leased Line ID

F&O Segment
- DIML ID
- IP Address (BSE Network)
- VSAT ID
- Leased Line ID

 

 

Auditor comments towards data and information related to trade and orders

Confidentiality:

Integrity:

Availability:

Non-Repudiation:

Annexure C (Mandatory)

 

INFORMATION SYSTEM AUDIT OF Medicine Company

Sr No | Area of Audit | Classification of Controls in Annexure A (S / A / I) | Classification of Controls in Annexure B (S / A / I)

1 | Organization structure exists and supports governance through policies, procedures, processes and guidelines. | | NA
2 | Systems & processes related to perimeter and environmental security controls exist | | NA
3 | Access, authentication and authorization to systems (systems, database, OS, networks etc.) is commensurate with the importance of the systems | | NA
4 | Systems follow policies & procedures to protect from threats that might exploit the system. | | NA
5 | Network & network security follow policies & procedures to protect from threats that might exploit the system. | | NA
6 | Database systems follow policies & procedures to protect from threats that might exploit the system. | | NA
7 | Processes and procedures for encryption deployed for protection of data are established | | NA
8 | Audit logging and monitoring are established to identify and determine accountability of actions performed. | | NA
9 | Processes and procedures followed for capacity management are established. | | NA
10 | Pre-trade risk control: value limit per order etc. are implemented and adhere to all applicable circulars from SEBI & BSE Limited | | NA
11 | Online risk management tool and order entry are supported. | | NA
12 | Features of system are established and implemented | | NA
13 | IML / IBT systems are controlled and adhere to all applicable circulars from SEBI & BSE Limited | | NA
14 | Securities Trading using Wireless Technology (Mobile Trading) systems are controlled and adhere to all applicable circulars from SEBI & BSE Limited | | NA
15 | Smart Order Routing systems are controlled and adhere to all applicable circulars from SEBI & BSE Limited | | NA
16 | Direct Market Access systems are controlled and adhere to all applicable circulars from SEBI & BSE Limited | | NA
17 | Are policies available, implemented and reviewed for implementation? | NA |
18 | Are communication documents viz. application, approval & undertaking available, valid and secured? | NA |
19 | Is change management an established process, and are procedures for change implemented in a controlled manner? | NA |
20 | Is user management done according to the defined policy, do procedures adhere to the policy, and are records of implementation and adherence available? | NA |
21 | Is redundancy and backup available and tested in case of system failure? | NA |
22 | Are daily operational activities controlled and logged to demonstrate control? | NA |
23 | Are response procedures available, and do records of use indicate an established procedure? | NA |
24 | Is information related to parameters available and updated periodically? | NA |
25 | Any other comment by auditor towards data and information related to trade and orders | NA |

Declaration:

Member Summary

Sr # | Trading Facilities | Trading Facility Offered? (Yes / No) | Trading Facility Audited? (Yes / No)
1 | IML – IBT Trading (Internet Based Trading) | Yes | Yes
2 | STWT (Securities Trading Using Wireless Technology) | Yes | Yes
3 | SOR (Smart Order Routing) | Yes | Yes
4 | DMA (Direct Market Access) | Yes | Yes

 

All the branches where the IML-IBT / STWT / DMA facility is provided have been audited, and a consolidated report has been submitted.

I, the undersigned, assure that circulars issued by SEBI and BSE Limited have been referenced for checking the compliances and that the contents of the report are as per the audit performed by me, and declare that there is no conflict of interest with respect to the member being audited.

Audit recommendations (if any) in relation to the System Audit report for the year ended December 2017 that have been duly implemented / not implemented are mentioned separately as an annexure (as part of the System Audit report).

In case you have been rated as “Medium/Weak” in any area by the System auditor for the period ended December 2017 (prior to granting approval for Internet based Trading / Direct Market Access / SOR / Wireless securities trading, except for Algorithmic Trading), please submit an “Action Taken Report”, duly certified by your system auditor, detailing the actions taken by you on the individual “Medium/Weak” areas.

 

Nida Perveen

Date:20-01-2018

Place:

 

Note: Criteria for evaluation of controls are indicated below; the “Areas of Audit” mentioned in Annexure A & B are to be rated against these.

Evaluation of Controls

Description

Strong

Controls are said to be Strong if objectives are fully complied with and no material weaknesses are found.

Adequate

Controls are said to be Adequate if objectives are substantially complied with and no material weakness results in substantial risk exposure due to non-compliance; compensatory controls exist which reduce the risk exposure so as to make it immaterial vis-à-vis the non-compliance with the criteria.

Inadequate

Controls are said to be Inadequate if objectives are not complied with, and compensatory controls fail to reduce the risk so as to make it immaterial vis-à-vis the non-compliance with the compliance criteria.