avinash-kumar
8/17/2019 Tech Sys Audit 1
Annual System Audit Report Format
(To be on the letterhead of the system auditor)
NSE Trading Member Name:
NSE Trading Member Code:
System Audit Report for NNF facility
(For the period from July 01, 2012 to March 31, 2013)
Part A
Controls / Processes | Test Case | Results | Observations | # Control Risk | Auditor's Risk
The installed NNF systems (viz. CTCL / IBT / DMA / SOR / STWT) system features are as prescribed by the NSE.
The installed NNF system parameters are as per NSE norms
Location Confirmation for CTCL / IBT / DMA / SOR / STWT
Risk Management Tools
• Should allow for risk management of the orders placed and online risk monitoring of the orders being placed
CTCL / IBT / DMA / SOR / STWT Version (as applicable)
• Order Gateway Version
• Risk Administration / Manager Version
• Front End / Order Placement Version
Whether order routing server for CTCL / IBT / DMA / SOR / STWT is located in India
Provide address of the CTCL / IBT / DMA / SOR / STWT server location (as applicable)
Results Opinions
Trading Process
The installed NNF systems allow for placing of trades only for authorized clients
Risk Management
The installed NNF systems are capable of assessing the risk of the client as soon as the order comes in and informs the client of acceptance/rejection of the order within a reasonable period.
Market Data Feed for SOR system
The market data feed integrated to the SOR system are received directly from the recognized Stock Exchanges
Client ID Verification
Only duly authorized client's orders are allowed to be placed
Proprietary order entry mechanism
Order entry for Pro types of orders is executed through specific NNF user ids
Order Parameters
There is online risk assessment of all orders placed through the CTCL / IBT / DMA / SOR / STWT system
The market prices are received directly from recognized stock Exchanges and are time stamped
The market prices of all the recognized stock exchanges to which the SOR facility routes orders are consolidated for applying the Best Execution Policy for routing orders
Results Opinions
Regd. Office: Exchange Plaza, Bandra Kurla Complex, Bandra (E), Mumbai – 400 051
Order / Trade Limit Controls
The installed NNF systems (including CTCL / IBT / STWT / DMA / SOR) provide a system based control facility on the trading limits of the clients and exposures taken by the clients including set pre-defined limits on the exposure and turnover of each client.
Order Reconfirmation Facility
The installed NNF system provides for reconfirmation of orders which are larger than that as specified by the member's risk management system.
Execution of Orders / Order Logic
The installed NNF system provides a system based control facility over the order input process
• Quantity limit for each order
• Value limit for each order
• User value limit for each user ID
• Branch value limit for each branch ID
• Security wise limit for each user ID
• Spread order Quantity and Value Limit
• Cumulative Open order value check (Unexecuted Orders)
Only orders that are within the parameters specified by the risk management systems are allowed to be placed
The system has a manual override facility for allowing orders that do not fit the system based risk control parameters
Order Numbering Methodology
The system has an internal unique order numbering system
Order Matching
The SOR system adheres to the Best Execution Policy while routing the orders to the exchange
The SOR system routes orders to the recognized stock exchanges in a neutral manner
The system provides functionality for the client who has availed of the SOR facility to specify for individual orders for which they do not want to route the order using SOR facility
The SOR system does not release orders to venues other than the recognized stock Exchange (Specify the list of recognized Stock Exchange(s) and the market segments to which SOR release orders)
The CTCL / IBT / DMA / STWT / SOR system does not have any order matching function and all orders are passed on to the exchange trading system for matching
Whether Broker is using similar logic / priorities as used by Exchange to treat CTCL / IBT / DMA / SOR / STWT client orders
Whether CTCL / IBT / DMA / SOR / STWT orders are having unique flag / tag as specified by the Exchange and systems identify the orders emanating from CTCL / IBT / DMA / SOR / STWT by populating the 15-digit NNF field in the order structure for every order
Application Access Control
The installed NNF system provides a system based access control over the server as well as the risk management and front end dealing applications while providing for security
Session Security
The installed NNF system provides for session security for all sessions established with the server by the front end application.
Database Security
The installed NNF system has sufficient controls over the access to and integrity of the database
Access controls
• The system allows access to only authorized NNF users
• The system has a password mechanism which restricts access to authenticate NNF users
• The system has appropriate authority levels to ensure that the limits can be setup only by persons authorized by the risk / compliance manager
Session Security
• The system uses session identification and authentication measures to restrict sessions to authorized NNF user only
• The system uses session security measures like encryption to ensure confidentiality of sessions initiated
• Session login details should not be stored on the devices used for STWT
• In case of no activity by the client, the system provides for automatic trading session logout for IBT / STWT systems
Database Security
• The access to the database is allowed only to authorized NNF users / applications
• The database is hosted on a secured platform
• The database stores the user names / passwords securely
• Storage of passwords is encrypted with appropriate encryption algorithm
Results Opinions
Encryption
The installed NNF system uses confidentiality protection measures to ensure session confidentiality.
Session Encryption
• The systems use SSL or similar session confidentiality protection mechanisms
• The systems use a secure storage mechanism for storing of usernames and passwords
• The systems adequately protect the confidentiality of the users' trade data
The installed NNF systems provides a system based event logging and system monitoring facility which monitors and logs all activities / events arising from actions taken on the gateway / database server, authorized user terminal and transactions processed for clients or otherwise and the same is not susceptible to manipulation.
The installed CTCL / IBT / DMA / SOR / STWT systems has a provision for On-line surveillance and risk management as per the requirements of NSE and includes
• Number of Users Logged in / hooked onto the network incl. privileges of each
The installed CTCL / IBT / DMA / SOR / STWT systems has a provision for off line monitoring and risk management as per the requirements of NSE and includes reports / logs on
• Number of Authorized Users
• Activity logs
• Systems logs
• Number of active clients
Results Opinions
The installed NNF system has User Management system as per the requirements of the NSE.
Approved Users
• Only users approved by the NSE are allowed to access the system and documentation regarding the same is maintained in the form of User Approval Application
Copy of User Qualifications
User Creation
New User IDs are created as per the guidelines
User ID
All users are uniquely identified through issue of unique user ids
User Disablement
Users not compliant with the Exchange requirements are disabled and event logs are maintained
User Deletion
Users are deleted as per the NSE guidelines
Results Opinions
Reissue of User Ids
User Ids are reissued as per the NSE guidelines
Locked User Accounts
Users whose accounts are locked are unlocked only after documented unlocking requests are made
The installed NNF system authentication mechanism is as per the guidelines of the NSE
The installed CTCL / IBT / DMA / SOR / STWT systems use passwords for authentication
The password policy / standard is documented
The system requests for identification and new password before login into the system
The installed system's Password features include
• The Password is masked at the time of entry
• System mandated changing of password when the user logs in for the first time
• Automatic disablement of the user on entering erroneous password on three consecutive occasions
• Automatic expiry of password on expiry of 14 calendar days for CTCL/DMA/SOR systems
• Automatic expiry of password on expiry of reasonable period of time as determined by member for IBT/STWT systems
• System controls to ensure that the password is alphanumeric (preferably with one special character), instead of just being alphabets or just numerical
• System controls to ensure that the changed password cannot be the same as of the last password
• System controls to ensure that the Login id of the user and password should not be the same
• System controls to ensure that the Password should be of minimum six characters and not more than twelve characters
• System controls to ensure that the Password is encrypted at members end so that employees of the member cannot view the same at any point of time
Results Opinions
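The password features listed above, written as checks an auditor could run against a test account. This is an added example, not part of the NSE format; the Account record, the function names, the PBKDF2 verifier, the case-insensitive login-id comparison and reading "expiry of 14 calendar days" as 14 elapsed days are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

MIN_LEN, MAX_LEN = 6, 12      # minimum six, not more than twelve characters
MAX_FAILURES = 3              # disable after three consecutive erroneous passwords
FIXED_EXPIRY_DAYS = {"CTCL": 14, "DMA": 14, "SOR": 14}  # IBT / STWT: member decides


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 verifier, so the stored value cannot be read back as a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:                # hypothetical record for one NNF user id
    login_id: str
    system: str               # CTCL, DMA, SOR, IBT or STWT
    salt: bytes
    verifier: bytes           # derive(current password, salt)
    changed_on: date
    consecutive_failures: int = 0
    first_login_pending: bool = False


def password_findings(acct: Account, candidate: str) -> list[str]:
    """Checklist items that a proposed new password violates."""
    findings = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        findings.append("length outside 6-12 characters")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        findings.append("not alphanumeric")
    if candidate.lower() == acct.login_id.lower():
        findings.append("same as login id")
    # Compare verifiers, never plaintext, so the old password is not stored.
    if hmac.compare_digest(derive(candidate, acct.salt), acct.verifier):
        findings.append("same as last password")
    return findings


def account_findings(acct: Account, today: date, member_expiry_days: int) -> list[str]:
    """Account states the system is expected to enforce at login time."""
    findings = []
    if acct.consecutive_failures >= MAX_FAILURES:
        findings.append("user disabled")
    limit = FIXED_EXPIRY_DAYS.get(acct.system, member_expiry_days)
    if (today - acct.changed_on).days >= limit:
        findings.append("password expired")
    if acct.first_login_pending:
        findings.append("password change required at first login")
    return findings


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample data
    acct = Account("dealer01", "CTCL", salt, derive("Trade#2013", salt), date(2013, 3, 1))
    print(password_findings(acct, "dealer01"))
    print(account_findings(acct, date(2013, 3, 15), member_expiry_days=30))
```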
Are backup procedures documented?
Are backup logs maintained?
Have the backups been verified and tested?
Are the backup media stored safely in line with the risk involved?
Results Opinions
Are there any recovery procedures and have the same been tested?
Does the Organization have a suitable documented Business Continuity or Disaster Recovery or Incident Response process commensurate with the organization size and risk profile to ensure a high degree of availability of the installed NNF system?
How will the organization assure customers prompt access to their funds and securities in the event the organization determines it is unable to continue its business in the primary location
IBT / STWT Compliance
Is there any documentation on Business Continuity / Disaster Recovery / Incident Response?
Does a BCP / DR plan exist?
If a BCP/DR plan exists, has it been tested?
Are there any documented incident response procedures?
Are there any documented risk assessments?
Does the installation have a Call List for emergencies maintained?
Network / Communication Link Backup
• Is the backup network link adequate in case of failure of the primary link to the NSE?
• Is the backup network link adequate in case of failure of the primary link connecting the users?
• Is there an alternate communications path between customers and the firm?
• Is there an alternate communications path between the firm and its employees?
• Is there an alternate communications path with critical business constituents, banks and regulators?
Does the broker's IBT / STWT system complies with the following provisions:
• The system captures the IP (Internet Protocol) address (from where the orders are originating), for all IBT/ STWT orders
• The system has built-in high system availability to address any single point failure
• The system has secure end-to-end encryption for all data transmission between the client and the broker system through a Secure Standardized Protocol. A procedure of mutual authentication between the client and the broker server is implemented
• The system has adequate safety features to ensure it is not susceptible to internal/ external attacks
• In case of failure of IBT/ STWT, the alternate channel of communication has adequate capabilities for client identification and authentication
• Two-factor authentication for login session has been implemented for all orders emanating using Internet Protocol
• In case of no activity by the client, the system provides for automatic trading session logout
• The back-up and restore systems implemented by the broker is adequate to deliver sustained performance and high availability. The broker system has on-site as well as remote site back-up capabilities
Results Opinions
Part B
Controls / Processes | Test Case Results | Observations | # control Risk | Auditor Opinion
The installed system (viz. CTCL / IBT / DMA / SOR / STWT) system features are as prescribed by the NSE.
The installed system (viz. CTCL / IBT / DMA / SOR / STWT) system parameters are as per NSE norms
Main Features
Price Broadcast
The system has a feature for receipt of price broadcast data
Order Processing: The system has a feature:
• Which allows order entry and confirmation of orders
• which allows for modification or cancellation of orders placed
Trade Confirmation
• The system has a feature which enables confirmation of trades
• The system has a feature which provides history of trades for the day to the user
Gateway Parameters
• Trader ID
Market Segment - CM
• CTCL ID
• IP Address
• (NSE Network)
• VSAT ID
• Leased Line ID
Market Segment – F&O
• CTCL ID
• IP Address
• (NSE Network)
• VSAT ID
• Leased Line ID
Market Segment – CDS
• CTCL ID
• IP Address
• (NSE Network)
• VSAT ID
• Leased Line ID
Results Opinions
Execution of Orders / Order Logic
The installed system provides a system based control facility over the order input process
Order Entry
The system has order placement controls that allow only orders matching the system parameters to be placed
Order Modification
The system allows for modification of orders placed
Order Cancellation
The system allows for cancellation of orders placed
Order Outstanding Check
The system has a feature for checking the outstanding orders i.e. the orders that have not yet traded or partially traded
Results Opinions
Trades Information
The installed NNF system provides a system based control facility over the trade confirmation process
Settlement of Trades
The installed NNF system provides a system based reports on contracts, margin requirements, payment and delivery obligations
Trade Confirmation and Reporting Feature
• Should allow confirmation and reporting of the orders that have resulted in trade
• The system has a feature which provides history of trades for the day to the user
Margin Reports feature
Should allow for the reporting of client wise / user wise margin requirements as well as payment and delivery obligations
Additional Access Control Security
The installed NNF system provides a dual factor authentication system for access to the various NNF components.
Extra Authentication Security
• The systems uses additional authentication measures like smart cards, biometric authentication or tokens etc.
• The system has a second level of password control for critical features
Results Opinions
To ensure information security for the Organization in general and the installed system in particular, policy and procedures as per the NSE requirements must be established, implemented and maintained.
Does the organization's documented policy and procedures include the following policies and if so are they in line with the NSE requirements and whether they have been implemented by the organization?
• Information Security Policy
• Password Policy
• User Management and Access Control Policy
• Network Security Policy
• Application Software Policy
• Change Management Policy
• Backup Policy
• BCP and Response Management Policy
• Audit Trail Policy
• Capacity Management Plan
Does the organization follow any other policy or procedures or documented practices that are relevant?
Results Opinions
The system has been installed after complying with the various NSE circulars
Insurance
Copy of Undertaking provided regarding the CTCL system as per relevant circulars
Copy of application for approval of Internet Trading, if any
Copy of application for approval of Securities trading using Wireless Technology, if any
Copy of application for approval of Direct Market Access, if any
Copy of application / undertaking provided for approval of Smart Order Routing, if any
The insurance policy of the Member covers the additional risk of usage of CTCL, Internet Trading, STWT, SOR, and / or DMA as applicable
Results Opinions
To ensure system integrity and stability all changes to the installed system are planned, evaluated for risk, tested, approved and documented.
Planned Changes
Are changes to the installed system made in a planned manner?
Are they made by duly authorized personnel?
Risk Evaluation Process
Is the risk involved in the implementation of the changes duly factored in?
Change Approval
Is the implemented change duly approved and process documented?
Pre-implementation process
Is the change request process documented?
Change implementation process
Is the change implementation process supervised to ensure system integrity and continuity
Post implementation process
Is user acceptance of the change documented?
Unplanned Changes
In case of unplanned changes, are the same duly authorized and the manner of change documented later?
In case of members self-developed system
SDLC documentation and procedures if the installed system is developed in-house
Results Opinions
How will the organization assure customers prompt access to their funds and securities in the event the organization determines it is unable to continue its business in the primary location
System Failure Backup
Are there suitable backups for failure of any of the critical system components like
• Gateway / Database Server
• router
• Network Switch
Infrastructure breakdown backup
Are there suitable arrangements made for the breakdown in any infrastructure components like
• Electricity
• Water
• Air Conditioning
Primary Site Unavailability
Have any provision for alternate physical location of employees been made in case of non-availability of the primary site
Disaster Recovery
Are there suitable provisions for Books and records backup and recovery (hard copy and electronic)
Have all mission-critical systems been identified and provision for backup for such systems been made?
Results Opinions
Are documented practices available for various system processes
Is a log of success / failure of the process maintained
In case of failure is there an escalation procedure implemented?
Day Begin
Day End
Other system processes
• Audit Trails
• Access Logs
• Transaction Logs
• Backup Logs
• Alert Logs
• Activity Logs
• Retention Period
• Misc.
Day Begin
Day End
Other system processes
Details of the various response procedures incl. for
Access Control failure
Day Begin failure
Day End failure
Other system Processes failure
Results Opinions
Access Control
Firewall
Anti-virus
As given in Area (e)
Is a firewall implemented?
Are the rules defined in the firewall adequate to prevent unauthorized access to IBT/DMA/STWT systems
Is a malicious code protection system implemented?
If Yes, then
• Are the definition files up-to-date?
• Any instances of infection?
• Last date of virus check of entire system
Results Opinions
PART C
Sr. No. | Area of Audit | Compliance Part C | Remarks (if No)
1 Whether the required details of all the NNF user ids created in the server of the trading member, for any purpose (viz. administration, branch administration, mini-administration, surveillance, risk management, trading, view only, testing, etc) and any changes therein, have been uploaded as per the requirement of the Exchange?
If no, please give details
YES / NO
2 Whether all the NNF user ids created in the server of the trading member have been mapped to 12 digit codes on a one-to-one basis and a record of the same is maintained?
If no, please give details
YES / NO
3 All the audit recommendations given in relation to the system audit certificate for the year ended June 30, 2012 have been duly implemented. IF NOT, please give details
YES / NO
4 All orders routed through CTCL / IBT / STWT / DMA / SOR are routed through electronic / automated Risk Management System of the broker to carry out appropriate validations of all risk parameters before the orders are released to the Exchange
YES / NO
5 The system and system records with respect to Risk Controls are maintained as prescribed by the Exchange which are as follows:
• The limits are setup after assessing the risks of the corresponding user ID and branch ID
• The limits are setup after taking into account the member's capital adequacy requirements
• All the limits are reviewed regularly and the limits in the system are up to date
• All the branch or user have got limits defined and that No user or branch in the system is having unlimited limits on the above stated parameters
• Daily record of these limits is preserved and shall be produced before the Exchange as and when the information is called for
• Compliance officer of the member has certified the above in the quarterly compliance certificate submitted to the Exchange
YES / NO
SUMMARY OF SPECIAL OBSER
SUMMARY SHEET
(The detailed findings are grouped under the broad categories as below and classified as 'Strong', 'Medium' or 'Weak' and overall audit rating has been given)
NAME OF THE AUDIT FIRM:
Sr. No. | Area of Audit | Compliance Part A S / M / W | Compliance Part B S / M / W | Report Reference
1 Are existing features and NNF system parameters implemented in the system in place at the member's premises
2 Are all the Risk Management checks as specified by the Exchange in place and the system and system records with respect to Risk Controls are maintained as prescribed by the Exchange
NA
2 Are input, processing and output controls in respect of NNF operations adequate
3 Is the application security commensurate to the size and nature of application
4 Is Event logging and system monitoring observed
5 Are User management norms defined and observed
NA
6 Are Password policy/standards defined and observed
NA
7 Are working processes in adherence with the policies and procedures defined
NA
8 Is the Network managed adequately in relation to size and nature of operations and are necessary controls present
NA
9 Are Change management and version controls documented and practiced?
NA
10 Are Backup systems present, of adequate size and are procedures for backup prescribed
NA
11 Is there a Business continuity and disaster recovery plan in place and made known to all employees
NA
12 Is documentation for system processes maintained
NA
13 Are Security features such as access control, network, firewalls and virus protection present and updated regularly
NA
14 Is there any other area/aspect which in the auditors opinion is not complied with and which is significant and material in relation to the size and the nature of the operations
NA
Overall rating: Strong / Medium / Weak
Note: Process Area Controls Evaluation Criteria
Control Evaluation Criteria | Description
Strong | The controls are defined as Strong if the following criteria are met: Implemented controls fully comply with the stated objectives and no material weaknesses are found.
Medium | The controls are defined as Medium if the following criteria are met: Implemented controls substantially comply with the stated objectives and no material weakness result in substantial risk exposure due to the non-compliance with the criteria. Compensatory controls exist which reduce the risk exposure to make it immaterial vis-à-vis the non-compliance with the criteria.
Weak | The controls are defined as Weak if the following criteria are met: Implemented controls materially fail to comply with the stated control objectives. Compensating controls fail to reduce the risk so as to make it immaterial vis-à-vis the non-compliance with the compliance criteria.
(To be on the letter head of the AUDITOR)
To,
CTCL Department
National Stock Exchange of India Limited
Exchange Plaza, Bandra-Kurla Complex, Bandra (E), Mumbai –