Tech Sys Audit 1

  • 8/17/2019 Tech Sys Audit 1

    Annual System Audit Report Format

    (To be on the letterhead of the system auditor)

    NSE Trading Member Name:

    NSE Trading Member Code:

    System Audit Report for NNF facility

    (For the period from July 01, 2012 to March 31, 2013)

    Part A

    Controls / Processes | Test Case | Results | Observations & Control Risk | Auditor's Risk

    The installed NNF systems (viz. CTCL / IBT / DMA / SOR / STWT) system features are as prescribed by the NSE.

    The installed NNF system parameters are as per NSE norms

    Location Confirmation for CTCL / IBT / DMA / SOR / STWT

    Risk Management Tools

    • Should allow for risk management of the orders placed and online risk monitoring of the orders being placed

    CTCL / IBT / DMA / SOR / STWT Version (as applicable)

    • Order Gateway Version
    • Risk Administration / Manager Version
    • Front End / Order Placement Version

    Whether order routing server for CTCL / IBT / DMA / SOR / STWT is located in India

    Provide address of the CTCL / IBT / DMA / SOR / STWT server location (as applicable)

    Results Opinions

    Trading Process

    The installed NNF systems allow for placing of trades only for authorized clients

    Risk Management

    The installed NNF systems are capable of assessing the risk of the client as soon as the order comes in and informs the client of acceptance/rejection of the order within a reasonable period.

    Market Data Feed for SOR system

    The market data feed integrated to the SOR system are received directly from the recognized Stock Exchanges

    Client ID Verification

    Only duly authorized client's orders are allowed to be placed

    Proprietary order entry mechanism

    Order entry for Pro types of orders is executed through specific NNF user ids

    Order Parameters

    There is online risk assessment of all orders placed through the CTCL / IBT / DMA / SOR / STWT system

    The market prices are received directly from recognized stock Exchanges and are time stamped

    The market prices of all the recognized stock exchanges to which the SOR facility routes orders are consolidated for applying the Best Execution Policy for routing orders

    Results Opinions

    Regd. Office: Exchange Plaza, Bandra Kurla Complex, Bandra (E), Mumbai - 400 051

    Order / Trade Limit Controls

    The installed NNF systems (including CTCL / IBT / STWT / DMA / SOR) provide a system based control facility on the trading limits of the clients and exposures taken by the clients including set pre-defined limits on the exposure and turnover of each client.

    Order Reconfirmation Facility

    The installed NNF system provides for reconfirmation of orders which are larger than that as specified by the member's risk management system.

    Execution of Orders / Order Logic

    The installed NNF system provides a system based control facility over the order input process

    • Quantity limit for each order
    • Value limit for each order
    • User value limit for each user ID
    • Branch value limit for each branch ID
    • Security wise limit for each user ID
    • Spread order Quantity and Value Limit
    • Cumulative Open order value check (Unexecuted Orders)

    Only orders that are within the parameters specified by the risk management systems are allowed to be placed

    The system has a manual override facility for allowing orders that do not fit the system based risk control parameters

    Order Numbering Methodology

    The system has an internal unique order numbering system

    Order Matching

    The SOR system adheres to the Best Execution Policy while routing the orders to the exchange

    The SOR system routes orders to the recognized stock exchanges in a neutral manner

    The system provides functionality for the client who has availed of the SOR facility to specify for individual orders for which they do not want to route the order using SOR facility

    The SOR system does not release orders to venues other than the recognized stock Exchange (Specify the list of recognized Stock Exchange(s) and the market segments to which SOR release orders)

    The CTCL / IBT / DMA / STWT / SOR system does not have any order matching function and all orders are passed on to the exchange trading system for matching

    Whether Broker is using similar logic / priorities as used by Exchange to treat CTCL / IBT / DMA / SOR / STWT client orders

    Whether CTCL / IBT / DMA / SOR / STWT orders are having unique flag / tag as specified by the Exchange and systems identify the orders emanating from CTCL / IBT / DMA / SOR / STWT by populating the 15-digit NNF field in the order structure for every order

    Application Access Control

    The installed NNF system provides a system based access control over the server as well as the risk management and front end dealing applications while providing for security

    Session Security

    The installed NNF system provides for session security for all sessions established with the server by the front end application.

    Database Security

    The installed NNF system has sufficient controls over the access to and integrity of the database

    Access controls

    • The system allows access to only authorized NNF users
    • The system has a password mechanism which restricts access to authenticate NNF users
    • The system has appropriate authority levels to ensure that the limits can be setup only by persons authorized by the risk / compliance manager

    Session Security

    • The system uses session identification and authentication measures to restrict sessions to authorized NNF user only
    • The system uses session security measures like encryption to ensure confidentiality of sessions initiated
    • Session login details should not be stored on the devices used for STWT
    • In case of no activity by the client, the system provides for automatic trading session logout for IBT / STWT systems

    Database Security

    • The access to the database is allowed only to authorized NNF users / applications
    • The database is hosted on a secured platform
    • The database stores the user names / passwords securely
    • Storage of passwords is encrypted with appropriate encryption algorithm

    Results Opinions

    Encryption

    The installed NNF system uses confidentiality protection measures to ensure session confidentiality.

    Session Encryption

    • The systems use SSL or similar session confidentiality protection mechanisms
    • The systems use a secure storage mechanism for storing of usernames and passwords
    • The systems adequately protect the confidentiality of the users' trade data

    The installed NNF systems provides a system based event logging and system monitoring facility which monitors and logs all activities / events arising from actions taken on the gateway / database server, authorized user terminal and transactions processed for clients or otherwise and the same is not susceptible to manipulation.

    The installed CTCL / IBT / DMA / SOR / STWT systems has a provision for On-line surveillance and risk management as per the requirements of NSE and includes

    • Number of Users Logged in / hooked onto the network incl privileges of each

    The installed CTCL / IBT / DMA / SOR / STWT systems has a provision for off line monitoring and risk management as per the requirements of NSE and includes reports / logs on

    • Number of Authorized Users
    • Activity logs
    • Systems logs
    • Number of active clients

    Results Opinions

    The installed NNF system has User Management system as per the requirements of the NSE.

    Approved Users

    • Only users approved by the NSE are allowed to access the system and documentation regarding the same is maintained in the form of

    User Approval Application

    Copy of User Qualifications

    User Creation

    New User IDs are created as per the guidelines

    User ID

    All users are uniquely identified through issue of unique user ids

    User Disablement

    Users not compliant with the Exchange requirements are disabled and event logs are maintained

    User Deletion

    Users are deleted as per the NSE guidelines

    Results Opinions

    Reissue of User Ids

    User Ids are reissued as per the NSE guidelines

    Locked User Accounts

    Users whose accounts are locked are unlocked only after documented unlocking requests are made

    The installed NNF system authentication mechanism is as per the guidelines of the NSE

    The installed CTCL / IBT / DMA / SOR / STWT systems use passwords for authentication

    The password policy / standard is documented

    The system requests for identification and new password before login into the system

    The installed system's Password features include

    • The Password is masked at the time of entry
    • System mandated changing of password when the user logs in for the first time
    • Automatic disablement of the user on entering erroneous password on three consecutive occasions
    • Automatic expiry of password on expiry of 14 calendar days for CTCL/DMA/SOR systems
    • Automatic expiry of password on expiry of reasonable period of time as determined by member for IBT/STWT systems
    • System controls to ensure that the password is alphanumeric (preferably with one special character), instead of just being alphabets or just numerical
    • System controls to ensure that the changed password cannot be the same as of the last password
    • System controls to ensure that the Login id of the user and password should not be the same
    • System controls to ensure that the Password should be of minimum six characters and not more than twelve characters
    • System controls to ensure that the Password is encrypted at members end so that employees of the member cannot view the same at any point of time
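
The password features listed above translate directly into checks an auditor can run against a test account. The following is an added example, not part of the NSE format or of any member's system: the `Account` class, its method names and the salted PBKDF2 hash standing in for the "encrypted at member's end" storage control are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LEN, MAX_LEN = 6, 12      # minimum six, not more than twelve characters
MAX_FAILURES = 3              # disable after three consecutive bad passwords
EXPIRY = timedelta(days=14)   # CTCL / DMA / SOR; the IBT / STWT period is set by the member


def _digest(password, salt):
    # Assumption: a salted one-way hash is used so that staff cannot view the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, login_id, initial_password, now):
        self.login_id = login_id
        self.salt = os.urandom(16)
        self.digest = _digest(initial_password, self.salt)
        self.changed_at = now
        self.failures = 0
        self.disabled = False
        self.must_change = True   # system-mandated change at first login

    def violations(self, candidate):
        """Return the password-feature rules that a proposed password breaks."""
        found = []
        if not MIN_LEN <= len(candidate) <= MAX_LEN:
            found.append("length")
        has_alpha = any(c.isalpha() for c in candidate)
        has_digit = any(c.isdigit() for c in candidate)
        if not (has_alpha and has_digit):
            found.append("not-alphanumeric")
        # Case-insensitive comparison is a stricter reading chosen for this example.
        if candidate.lower() == self.login_id.lower():
            found.append("same-as-login-id")
        if hmac.compare_digest(_digest(candidate, self.salt), self.digest):
            found.append("same-as-last")
        return found

    def change_password(self, candidate, now):
        """Apply the change only when no rule is broken; return the broken rules."""
        found = self.violations(candidate)
        if not found:
            self.salt = os.urandom(16)
            self.digest = _digest(candidate, self.salt)
            self.changed_at, self.must_change = now, False
        return found

    def login(self, password, now):
        """Return 'ok', 'denied', 'disabled', 'change-required' or 'expired'."""
        if self.disabled:
            return "disabled"
        if not hmac.compare_digest(_digest(password, self.salt), self.digest):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.disabled = True
                return "disabled"
            return "denied"
        self.failures = 0          # only consecutive failures count
        if self.must_change:
            return "change-required"
        if now - self.changed_at >= EXPIRY:
            return "expired"
        return "ok"
```

Each return value maps to one line of the checklist, so an auditor's test log can record the input used and the state observed for every control.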

    Results Opinions

    Are backup procedures documented?

    Are backup logs maintained?

    Have the backups been verified and tested?

    Are the backup media stored safely in line with the risk involved?

    Results Opinions

    Are there any recovery procedures and have the same been tested?

    Does the Organization have a suitable documented Business Continuity or Disaster Recovery or Incident Response process commensurate with the organization size and risk profile to ensure a high degree of availability of the installed NNF system?

    How will the organization assure customers prompt access to their funds and securities in the event the organization determines it is unable to continue its business in the primary location

    IBT / STWT Compliance

    Is there any documentation on Business Continuity / Disaster Recovery / Incident Response?

    Does a BCP / DR plan exist?

    If a BCP/DR plan exists, has it been tested?

    Are there any documented incident response procedures?

    Are there any documented risk assessments?

    Does the installation have a Call List for emergencies maintained?

    Network / Communication Link Backup

    • Is the backup network link adequate in case of failure of the primary link to the NSE?
    • Is the backup network link adequate in case of failure of the primary link connecting the users?
    • Is there an alternate communications path between customers and the firm?
    • Is there an alternate communications path between the firm and its employees?
    • Is there an alternate communications path with critical business constituents, banks and regulators?

    Does the broker's IBT / STWT system complies with the following provisions:

    • The system captures the IP (Internet Protocol) address (from where the orders are originating), for all IBT/STWT orders
    • The system has built-in high system availability to address any single point failure
    • The system has secure end-to-end encryption for all data transmission between the client and the broker system through a Secure Standardized Protocol
    • A procedure of mutual authentication between the client and the broker server is implemented
    • The system has adequate safety features to ensure it is not susceptible to internal/external attacks

    Results Opinions

    • In case of failure of IBT/STWT, the alternate channel of communication has adequate capabilities for client identification and authentication
    • Two-factor authentication for login session has been implemented for all orders emanating using Internet Protocol
    • In case of no activity by the client, the system provides for automatic trading session logout
    • The back-up and restore systems implemented by the broker is adequate to deliver sustained performance and high availability. The broker system has on-site as well as remote site back-up capabilities

    Part B

    Controls / Processes | Test Case | Results | Observations & control Risk | Audito Opini

    The installed system (viz. CTCL / IBT / DMA / SOR / STWT) system features are as prescribed by the NSE.

    The installed system (viz. CTCL / IBT / DMA / SOR / STWT) system parameters are as per NSE norms

    Main Features

    Price Broadcast

    The system has a feature for receipt of price broadcast data

    Order Processing: The system has a feature:

    • Which allows order entry and confirmation of orders
    • which allows for modification or cancellation of orders placed

    Trade Confirmation

    • The system has a feature which enables confirmation of trades
    • The system has a feature which provides history of trades for the day to the user

    Gateway Parameters

    • Trader ID

    Market Segment - CM

    • CTCL ID
    • IP Address
    • (NSE Network)
    • VSAT ID
    • Leased Line ID

    Market Segment - F&O

    • CTCL ID
    • IP Address
    • (NSE Network)
    • VSAT ID
    • Leased Line ID

    Market Segment - CDS

    • CTCL ID
    • IP Address
    • (NSE Network)
    • VSAT ID
    • Leased Line ID

    Results Opinions

    Execution of Orders / Order Logic

    The installed system provides a system based control facility over the order input process

    Order Entry

    The system has order placement controls that allow only orders matching the system parameters to be placed

    Results Opinions

    Trades Information

    The installed NNF system provides a system based control facility over the trade confirmation process

    Settlement of Trades

    The installed NNF system provides a system based reports on contracts, margin requirements, payment and delivery obligations

    Order Modification

    The system allows for modification of orders placed

    Order Cancellation

    The system allows for cancellation of orders placed

    Order Outstanding Check

    The system has a feature for checking the outstanding orders i.e. the orders that have not yet traded or partially traded

    Trade Confirmation and Reporting Feature

    • Should allow confirmation and reporting of the orders that have resulted in trade
    • The system has a feature which provides history of trades for the day to the user

    Margin Reports feature

    Should allow for the reporting of client wise / user wise margin requirements as well as payment and delivery obligations

    Additional Access Control Security

    The installed NNF system provides a dual factor authentication system for access to the various NNF components.

    Extra Authentication Security

    • The systems uses additional authentication measures like smart cards, biometric authentication or tokens etc
    • The system has a second level of password control for critical features

    Results Opinions

    To ensure information security for the Organization in general and the installed system in particular, policy and procedures as per the NSE requirements must be established, implemented and maintained.

    Does the organization's documented policy and procedures include the following policies and if so are they in line with the NSE requirements and whether they have been implemented by the organization?

    • Information Security Policy
    • Password Policy
    • User Management and Access Control Policy
    • Network Security Policy
    • Application Software Policy
    • Change Management Policy
    • Backup Policy
    • BCP and Response Management Policy
    • Audit Trail Policy
    • Capacity Management Plan

    Does the organization follow any other policy or procedures or documented practices that are relevant?

    Results Opinions

    The system has been installed after complying with the various NSE circulars

    Insurance

    Copy of Undertaking provided regarding the CTCL system as per relevant circulars

    Copy of application for approval of Internet Trading, if any

    Copy of application for approval of Securities trading using Wireless Technology, if any

    Copy of application for approval of Direct Market Access, if any

    Copy of application / undertaking provided for approval of Smart Order Routing, if any

    The insurance policy of the Member covers the additional risk of usage of CTCL, Internet Trading, STWT, SOR, and / or DMA as applicable

    Results Opinions

    To ensure system integrity and stability all changes to the installed system are planned, evaluated for risk, tested, approved and documented.

    Planned Changes

    Are changes to the installed system made in a planned manner?

    Are they made by duly authorized personnel?

    Risk Evaluation Process

    Is the risk involved in the implementation of the changes duly factored in?

    Change Approval

    Is the implemented change duly approved and process documented?

    Pre-implementation process

    Is the change request process documented?

    Change implementation process

    Is the change implementation process supervised to ensure system integrity and continuity

    Post implementation process

    Is user acceptance of the change documented?

    Unplanned Changes

    In case of unplanned changes, are the same duly authorized and the manner of change documented later?

    In case of members self-developed system

    SDLC documentation and procedures if the installed system is developed in-house

    Results Opinions

    How will the organization assure customers prompt access to their funds and securities in the event the organization determines it is unable to continue its business in the primary location

    System Failure Backup

    Are there suitable backups for failure of any of the critical system components like

    • Gateway / Database Server
    • router
    • Network Switch

    Infrastructure breakdown backup

    Are there suitable arrangements made for the breakdown in any infrastructure components like

    • Electricity
    • Water
    • Air Conditioning

    Primary Site Unavailability

    Have any provision for alternate physical location of employees been made in case of non-availability of the primary site

    Disaster Recovery

    Are there suitable provisions for Books and records backup and recovery (hard copy and electronic)

    Have all mission-critical systems been identified and provision for backup for such systems been made?

    Results Opinions

    Are documented practices available for various system processes

    Is a log of success / failure of the process maintained

    In case of failure is there an escalation procedure implemented?

    Day Begin

    Day End

    Other system processes

    • Audit Trails
    • Access Logs
    • Transaction Logs
    • Backup Logs
    • Alert Logs
    • Activity Logs
    • Retention Period
    • Misc

    Day Begin

    Day End

    Other system processes

    Details of the various response procedures incl for

    Access Control failure

    Day Begin failure

    Day End failure

    Other system Processes failure

    Results Opinions

    Access Control

    Firewall

    Anti-virus

    As given in Area (e)

    Is a firewall implemented?

    Are the rules defined in the firewall adequate to prevent unauthorized access to IBT/DMA/STWT systems

    Is a malicious code protection system implemented?

    If Yes, then

    • Are the definition files up-to-date?
    • Any instances of infection?
    • Last date of virus check of entire system

    Results Opinions

    PART C

    Sr. No. | Area of Audit | Compliance Part C | Remarks (if No)

    1 Whether the required details of all the NNF user ids created in the server of the trading member, for any purpose (viz. administration, branch administration, mini-administration, surveillance, risk management, trading, view only, testing, etc) and any changes therein, have been uploaded as per the requirement of the Exchange?

    If no, please give details

    YES / NO

    2 Whether all the NNF user ids created in the server of the trading member have been mapped to 12 digit codes on a one-to-one basis and a record of the same is maintained?

    If no, please give details

    YES / NO

    3 All the audit recommendations given in relation to the system audit certificate for the year ended June 30, 2012 have been duly implemented. IF NOT, please give details

    YES / NO

    4 All orders routed through CTCL / IBT / STWT / DMA / SOR are routed through electronic / automated Risk Management System of the broker to carry out appropriate validations of all risk parameters before the orders are released to the Exchange

    YES / NO

    5 The system and system records with respect to Risk Controls are maintained as prescribed by the Exchange which are as follows:

    • The limits are setup after assessing the risks of the corresponding user ID and branch ID
    • The limits are setup after taking into account the member's capital adequacy requirements
    • All the limits are reviewed regularly and the limits in the system are up to date
    • All the branch or user have got limits defined and that No user or branch in the system is having unlimited limits on the above stated parameters
    • Daily record of these limits is preserved and shall be produced before the Exchange as and when the information is called for
    • Compliance officer of the member has certified the above in the quarterly compliance certificate submitted to the Exchange

    YES / NO

    SUMMARY OF SPECIAL OBSER

    SUMMARY SHEET

    (The detailed findings are grouped under the broad categories as below and classified as 'Strong', 'Medium' or 'Weak' and overall audit rating has been given)

    NAME OF THE AUDIT FIRM:

    Sr. No. | Area of Audit | Compliance Part A (S / M / W) | Compliance Part B (S / M / W) | Report Reference

    1 Are existing features and NNF system parameters implemented in the system in place at the member's premises

    2 Are all the Risk Management checks as specified by the Exchange in place and the system and system records with respect to Risk Controls are maintained as prescribed by the Exchange

    NA

    2 Are input, processing and output controls in respect of NNF operations adequate

    3 Is the application security commensurate to the size and nature of application

    4 Is Event logging and system monitoring observed

    5 Are User management norms defined and observed

    NA

    6 Are Password policy/standards defined and observed

    NA

    7 Are working processes in adherence with the policies and procedures defined

    NA

    8 Is the Network managed adequately in relation to size and nature of operations and are necessary controls present

    NA

    9 Are Change management and version controls documented and practiced?

    NA

    10 Are Backup systems present, of adequate size and are procedures for backup prescribed

    NA

    11 Is there a Business continuity and disaster recovery plan in place and made known to all employees

    NA

    12 Is documentation for system processes maintained

    NA

    13 Are Security features such as access control, network, firewalls and virus protection present and updated regularly

    NA

    14 Is there any other area/aspect which in the auditors opinion is not complied with and which is significant and material in relation to the size and the nature of the operations

    NA

    Overall rating: Strong / Medium / Weak

    Note: Process Area Controls Evaluation Criteria

    Control Evaluation Criteria | Description

    Strong: The controls are defined as Strong if the following criteria are met

    • Implemented controls fully comply with the stated objectives and no material weaknesses are found

    Medium: The controls are defined as Medium if the following criteria are met

    • Implemented controls substantially comply with the stated objectives and no material weakness result in substantial risk exposure due to the non-compliance with the criteria
    • Compensatory controls exist which reduce the risk exposure to make it immaterial vis-à-vis the non-compliance with the criteria

    Weak: The controls are defined as Weak if the following criteria are met

    • Implemented controls materially fail to comply with the stated control objectives
    • Compensating controls fail to reduce the risk so as to make it immaterial vis-à-vis the non-compliance with the compliance criteria

    (To be on the letter head of the AUDITOR)

    To,

    CTCL Department

    National Stock Exchange of India Limited

    Exchange Plaza, Bandra-Kurla Complex, Bandra (E), Mumbai -