IS Audit of Stock Brokers
CA Pranay Kochar
B.Com, A.C.A., P.G.D.I.T., C.I.S.A., D.I.S.A. (ICAI), ISO LA, Dip. Cyber Law
Partner, Kochar & Associates, Chartered Accountants

Types of IS Audits for Stock Brokers

Exchanges covered: Bombay Stock Exchange (BSE); National Stock Exchange (NSE); MCX Stock Exchange (MCX-SX); Commodity Exchanges - MCX & NCDEX.

1. Smart Order Routing (SOR) System Audit
2. Direct Market Access (DMA) System Audit
3. Internet Trading Order Routing System (ITORS) Audit
4. Securities Trading using Wireless Technology (STWT) Audit
5. Intermediate Message Layer (IML) System Audit - BSE
6. Computer to Computer Link (CTCL) System Audit - NSE, MCX-SX, MCX, NCDEX
Types of IS Audits for Stock Brokers - who conducts them

To be conducted by an Exchange empanelled / appointed System Auditor:
- Smart Order Routing (SOR) System Audit - BSE, NSE & MCX-SX
- Direct Market Access (DMA) System Audit - BSE, NSE & MCX-SX
- Internet Trading Order Routing System (ITORS) Audit - BSE, NSE & MCX-SX
- Securities Trading using Wireless Technology (STWT) Audit - BSE, NSE & MCX-SX

Direct approval, no audit is required:
- Direct Market Access (DMA) System Audit - MCX & NCDEX
- Internet Trading Order Routing System (ITORS) Audit - MCX & NCDEX
- Securities Trading using Wireless Technology (STWT) - MCX & NCDEX

To be conducted by a Broker appointed System Auditor (CISA / DISA / CISSP qualified):
- Intermediate Message Layer (IML) System Audit - BSE
- Computer to Computer Link (CTCL) System Audit - NSE & MCX-SX

To be conducted by a Broker appointed System Auditor, but no report is to be submitted to the exchange:
- Computer to Computer Link (CTCL) System Audit - MCX & NCDEX

CTCL / IML Audit Areas
CTCL / IML Audit Dates

CTCL Audit for NSE is to be conducted as on June 30 of each year and the report submitted by July 31.
IML Audit for BSE is to be conducted as on March 31 of each year and the report submitted by July 31.
CTCL Audit for MCX-SX is to be conducted as on March 31 of each year and the report submitted by July 31.
Non-submission of the System Audit Report by July 31 attracts late submission charges of Rs 100/- per day until the date of submission.
Non-submission of the SSL (Secure Sockets Layer) certificate by July 31 attracts late submission charges of Rs 100/- per day until the date of submission.

Auditor Requirements

The System Audit should be carried out by a CISA / DISA / CISSP certified Systems Auditor, whose name and registration number, along with stamp, seal, place and date, should appear at the end of the report.
Every page of the report should be initialled by the System Auditor.
The System Auditor should be independent of the empanelled vendors of the Exchange and of the partners / directors of the Trading Member.
One consolidated report should be submitted for all branches and for all segments (Equities, Derivatives & Currency Derivatives).
Trading Network Architecture

Features and system parameters implemented in the system:
1. The systems used for trading and supporting purposes should be hosted (located) in India.
2. The installed system parameters are as per Exchange norms:
   a. IML / CTCL version
   b. Order Gateway version
   c. Risk Administration / Manager version
   d. Front End / Order Placement version
3. The system has a feature for receipt of price broadcast data.
4. If the system is enabled for internet / mobile trading, it has an internal unique order numbering system.
5. The system does not have any order matching function; all orders are passed on to the exchange trading system.
Adequacy of input, processing and output controls

The system has a feature for:
1. Allowing only orders matching the system parameters to be placed.
2. Modification of orders placed.
3. Cancellation of orders placed.
4. Checking the outstanding orders, i.e. the orders that have not yet traded or have only partially traded.
5. Reporting of client-wise / user-wise margin requirements as well as payment and delivery obligations.

Online risk management relating to orders is observed and adequate. The system has a feature for:
1. Placing of trades only for authorized clients.
2. Assessing the risk of the client as soon as the order comes in and informing the client of acceptance / rejection of the order within a reasonable period.
3. System-based control over the trading limits of the clients and the exposures taken by the clients, including pre-defined limits on the exposure and turnover of each client.
4. Reconfirmation of orders larger than the size specified by the member's risk management system.
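The four online risk checks above, as an added example written for this page; it is not code from the deck, from any exchange or from a CTCL / IML vendor. The names RiskGate, ClientLimits and Order, and every client code, symbol, limit and price, are constructed for illustration. The toy books an accepted order's full value against both exposure and turnover at the moment of acceptance; a real gateway would count turnover on fills and release exposure on cancellation or execution.

```python
"""Pre-trade risk gate for a CTCL / IML order path (added example, not from the deck).

Each incoming order is checked, before it is forwarded to the exchange,
against the client's authorisation, exposure limit, turnover limit and the
member's reconfirmation threshold. Client codes, limits and prices are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class ClientLimits:
    max_exposure: float     # gross value of working orders allowed at any time
    max_turnover: float     # cumulative order value allowed for the trading day
    reconfirm_above: float  # single-order value above which the user must reconfirm


@dataclass
class ClientState:
    exposure: float = 0.0
    turnover: float = 0.0


@dataclass
class Order:
    client: str
    symbol: str
    side: str               # "BUY" or "SELL"
    qty: int
    price: float
    reconfirmed: bool = False

    @property
    def value(self) -> float:
        return self.qty * self.price


class RiskGate:
    def __init__(self, limits: Dict[str, ClientLimits]) -> None:
        self.limits = limits                                   # authorised clients only
        self.state = {code: ClientState() for code in limits}
        self._next_order_no = 1                                # internal unique order numbering

    def check(self, order: Order) -> Tuple[str, str]:
        """Decide ACCEPT / REJECT / RECONFIRM for an order without changing any state."""
        lim = self.limits.get(order.client)
        if lim is None:
            return "REJECT", "client not authorised"
        if order.side not in ("BUY", "SELL") or order.qty <= 0 or order.price <= 0:
            return "REJECT", "invalid side, quantity or price"
        st = self.state[order.client]
        if st.exposure + order.value > lim.max_exposure:
            return "REJECT", "exposure limit exceeded"
        if st.turnover + order.value > lim.max_turnover:
            return "REJECT", "turnover limit exceeded"
        if order.value > lim.reconfirm_above and not order.reconfirmed:
            return "RECONFIRM", "order value above reconfirmation threshold"
        return "ACCEPT", "within limits"

    def submit(self, order: Order) -> Tuple[str, str, Optional[int]]:
        """Run the checks; on ACCEPT, book the order's value and assign an internal order number."""
        decision, reason = self.check(order)
        if decision != "ACCEPT":
            return decision, reason, None
        st = self.state[order.client]
        st.exposure += order.value   # toy model: full order value stays booked until cancelled
        st.turnover += order.value   # toy model: counted at acceptance; real systems count fills
        order_no, self._next_order_no = self._next_order_no, self._next_order_no + 1
        return decision, reason, order_no


if __name__ == "__main__":
    # constructed walkthrough: one authorised client, one unknown client
    gate = RiskGate({"C001": ClientLimits(1_000_000, 5_000_000, 400_000)})
    for o in (Order("C999", "RELIANCE", "BUY", 10, 2500.0),
              Order("C001", "RELIANCE", "BUY", 100, 2500.0),
              Order("C001", "RELIANCE", "BUY", 200, 2500.0),
              Order("C001", "RELIANCE", "BUY", 200, 2500.0, reconfirmed=True),
              Order("C001", "TCS", "BUY", 100, 3000.0)):
        print(o.client, o.symbol, o.qty, "@", o.price, "->", gate.submit(o))
```

The reconfirmation path is the one auditors tend to probe: a RECONFIRM decision must not book anything, and the resubmitted order must still pass every limit check, which is why check() is side-effect free and submit() only books on ACCEPT.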
IT Systems and System Security

All volumes of the server hosting the database and/or application use a file system that offers enhanced security, for example NTFS for Windows, VxFS for HP-UX, ext3 for Linux.
Default file and directory shares, and simple file sharing if offered by the operating system, are disabled. Any sharing that remains is authorized.
Patches, hotfixes and service packs are applied after appropriate testing.
Auditing is enabled for events such as account logon events, account management, object access, policy change, privilege use and system events.
Password policies and access control rules for system access apply.

Database and Database Security
1. Database server located behind a firewall with default rules to deny all traffic.
2. Database software owner account granted the minimum set of operating system rights necessary for database operation.
3. The database software version is currently supported.
4. Unneeded default accounts removed, or passwords changed from defaults.
5. Database software is patched to include all current security patches.
6. Log events are identified, audit trails enabled, reviewed and monitored.
7. Password policies and access control rules for database access apply.
Network and Network Security
1. Does the network provide security to the systems, applications and data that move through it?
2. Verify the network diagram.
3. Are network devices appropriately patched / upgraded with the latest firmware?
4. Log events are identified, monitored, reviewed and escalated.
5. Password policies and access control rules for network device access apply.

Adequacy of measures to protect the confidentiality of sessions
1. Information in motion (moving over the network) is adequately secured using a mechanism such as VPN (Virtual Private Network), TLS / SSL (Transport Layer Security / Secure Sockets Layer) or similar.
2. The system uses a secure storage mechanism for storing usernames and passwords.
3. The system adequately protects the confidentiality of the users' trade data.
4. The installed system provides session security for all sessions established with the application server by the front end application.
5. The system restricts sessions to authorized users only.
Adequacy of measures to protect the confidentiality of sessions (continued)

In case of a web based application using SSL:
- Is the certificate issued to the member / broker organization?
- Is the certificate used on the server handling confidential information such as trade data?
- Are the login page and all subsequent authenticated pages exclusively accessed over SSL?

In case of a client-server application model (thick client):
- Does the application architecture ensure security of information sent over the internal / external network?
- Is the information transmitted in encrypted form?
- A supporting letter from the vendor on the vendor's letterhead is to be provided.

Event logging and system monitoring activities
1. The system provides a system-based event logging and monitoring facility which monitors and logs all activities / events arising from actions taken on the gateway / database server and authorized user terminals, and transactions processed for clients, and the log is not susceptible to manipulation.
2. The following reports / logs should be generated:
   - Number of users logged in / hooked on to the network, including the privileges of each
   - Number of authorized users
   - Activity logs
   - System logs
   - Number of active clients
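One way to make an event log "not susceptible to manipulation", as an added example written for this page rather than code from the deck or from any gateway product: every record carries an HMAC over its own content and the previous record's MAC, so editing, reordering, deleting or replaying an earlier record breaks the chain. The class name AuditLog, the key and the three gateway events are constructed; the design assumes the HMAC key is held away from the log store (on a separate logging host, or with the auditor), since anyone holding the key can re-chain the log.

```python
"""Tamper-evident event log for a CTCL / IML gateway (added example, not from the deck).

Each record carries an HMAC over its own content plus the previous record's
MAC, so editing, reordering or deleting an earlier record breaks the chain.
The MAC key must live outside the log store (for example on a separate
logging host or with the auditor); the key and events below are constructed.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS_MAC = "0" * 64          # chain anchor for the first record


def _canonical(body: Dict[str, Any]) -> bytes:
    # Stable serialisation so the same record always MACs to the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self.records: List[Dict[str, Any]] = []

    def _mac(self, body: Dict[str, Any]) -> str:
        return hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()

    def append(self, event: Dict[str, Any]) -> Dict[str, Any]:
        prev_mac = self.records[-1]["mac"] if self.records else GENESIS_MAC
        body = {"seq": len(self.records), "prev_mac": prev_mac, "event": event}
        record = dict(body, mac=self._mac(body))
        self.records.append(record)
        return record

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, index of the first bad record)."""
        prev_mac = GENESIS_MAC
        for index, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "mac"}
            expected = self._mac(body)
            stored = str(rec.get("mac", ""))
            if (rec.get("seq") != index
                    or rec.get("prev_mac") != prev_mac
                    or not hmac.compare_digest(stored.encode(), expected.encode())):
                return False, index
            prev_mac = stored
        return True, None


def sample_log(key: bytes = b"constructed-demo-key-keep-off-the-log-host") -> AuditLog:
    """Build a log with three constructed gateway events (admin login, order, user disable)."""
    log = AuditLog(key)
    log.append({"ts": "2015-06-30T09:15:01", "user": "CTCL-ADMIN-01", "action": "login", "terminal": "T01"})
    log.append({"ts": "2015-06-30T09:16:10", "user": "TRD-0042", "action": "order",
                "client": "C001", "symbol": "RELIANCE", "qty": 100, "price": 2500.0})
    log.append({"ts": "2015-06-30T09:17:00", "user": "CTCL-ADMIN-01", "action": "user_disable", "target": "TRD-0017"})
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", log.verify())
    log.records[1]["event"]["qty"] = 100_000      # an operator "corrects" an order after the fact
    print("after edit:", log.verify())
```

The chain alone does not detect truncation of the most recent records, because a shortened log still ends on a valid MAC. The usual fix is to anchor the last MAC and the record count somewhere the log host cannot rewrite, for instance in the daily report handed to the auditor, and to have verify() compared against that anchor.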
User management norms defined and observed
1. The system has a User Management procedure as per the requirements of the exchange.
2. Only users approved by the exchanges are allowed to access the system, and documentation of this is maintained in the form of the User Approval Application and a copy of the user's qualifications.
3. New user IDs are created as per the exchange guidelines.
4. All users are uniquely identified through issue of unique CTCL / IML IDs.
5. Users not compliant with the Exchange requirements are disabled and event logs maintained.
6. Users whose accounts are locked are unlocked only after documented unlocking requests are made.

Access controls / password policy and standards defined and observed
1. Is a record kept of user IDs created, disabled, enabled, deleted and unlocked, and is a log maintained?
2. The systems use passwords for authentication.
3. The password policy / standard is documented.
4. In case of a new user / password reset, is the password communicated to the user securely?
5. A process exists to block / suspend the user ID on request from the user (in case of loss of device / malicious activity).
6. Extra authentication security measures such as smart cards, biometric authentication or tokens; a second level of password control for critical features.
Password Features
1. The password is masked at the time of entry.
2. The system mandates a change of password when the user logs in for the first time.
3. Automatic disablement of the user on entering an erroneous password on three consecutive occasions.
4. Automatic expiry of the password after 14 days.
5. System controls to ensure that the password is alphanumeric.
6. System controls to ensure that the changed password cannot be the same as the last password.
7. System controls to ensure that the login ID of the user and the password are not the same.
8. System controls to ensure that the password is of minimum six characters and not more than twelve characters.

Working processes to adhere to policies and procedures

The organization's documented policies and procedures should include the following, in line with the exchange requirements. All policies should be documented and approved.
1. Information Security Policy
2. Password Policy
3. User Management and Access Control Policy
4. Network Security Policy
5. Application Software Policy
6. Change Management Policy
7. Backup Policy
8. BCP and Response Management Policy
9. Audit Trail Policy
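Password features 2 to 8, together with the secure credential storage and documented unlocking requirement from the preceding slides, implemented over a salted PBKDF2 store as an added example written for this page (not code from the deck, from an exchange or from a CTCL vendor). Feature 1, masking at entry, belongs to the client user interface and is not shown. UserStore, User, the demo timestamps and the sample login IDs and passwords are constructed; the 14-day, three-attempt and 6-12 character figures are the ones the slide lists, and the demo rounds count is kept modest so the example runs quickly.

```python
"""Password features 2 to 8 over a salted PBKDF2 store (added example, not from the deck).

UserStore, User and the sample login IDs / passwords are constructed for
illustration; the rules and the 14-day / 3-attempt / 6-12 character
figures are the ones listed on the slide above.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

PASSWORD_MIN, PASSWORD_MAX = 6, 12       # feature 8
MAX_FAILED_ATTEMPTS = 3                  # feature 3
PASSWORD_LIFETIME = timedelta(days=14)   # feature 4
PBKDF2_ROUNDS = 100_000                  # kept modest for the demo; raise in production
SALT_BYTES = 16
T0 = datetime(2015, 6, 30, 9, 15)        # constructed clock for the walkthrough
DAY = timedelta(days=1)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    login_id: str
    salt: bytes
    pw_hash: bytes
    set_at: datetime
    must_change: bool = True     # feature 2: forced change on first login
    failed_attempts: int = 0
    disabled: bool = False


def policy_violations(login_id: str, candidate: str, current: Optional[User]) -> List[str]:
    """Return the rules the candidate password breaks (empty list means acceptable)."""
    problems = []
    if not PASSWORD_MIN <= len(candidate) <= PASSWORD_MAX:
        problems.append("length must be 6-12 characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must contain both letters and digits")          # feature 5
    if candidate.lower() == login_id.lower():
        problems.append("must differ from login id")                     # feature 7
    if current is not None and secrets.compare_digest(_hash(candidate, current.salt), current.pw_hash):
        problems.append("must differ from the last password")            # feature 6
    return problems


class UserStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}   # only salted hashes are kept, never the password

    def create_user(self, login_id: str, initial_password: str, now: datetime) -> None:
        problems = policy_violations(login_id, initial_password, None)
        if problems:
            raise ValueError("; ".join(problems))
        salt = secrets.token_bytes(SALT_BYTES)
        self.users[login_id] = User(login_id, salt, _hash(initial_password, salt), now)

    def login(self, login_id: str, password: str, now: datetime) -> str:
        user = self.users.get(login_id)
        if user is None:
            _hash(password, bytes(SALT_BYTES))   # burn a hash so unknown ids cost the same
            return "bad_credentials"
        if user.disabled:
            return "disabled"
        if not secrets.compare_digest(_hash(password, user.salt), user.pw_hash):
            user.failed_attempts += 1
            if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
                user.disabled = True                 # feature 3
                return "disabled"
            return "bad_credentials"
        user.failed_attempts = 0
        if user.must_change or now - user.set_at >= PASSWORD_LIFETIME:
            return "password_change_required"        # features 2 and 4
        return "ok"

    def change_password(self, login_id: str, old_password: str, new_password: str, now: datetime) -> List[str]:
        """Return [] on success, otherwise the reasons the change was refused."""
        user = self.users[login_id]
        if not secrets.compare_digest(_hash(old_password, user.salt), user.pw_hash):
            return ["current password incorrect"]
        problems = policy_violations(login_id, new_password, user)
        if problems:
            return problems
        user.salt = secrets.token_bytes(SALT_BYTES)
        user.pw_hash = _hash(new_password, user.salt)
        user.set_at, user.must_change = now, False
        return []

    def unlock(self, login_id: str, request_ref: str) -> str:
        """Re-enable a disabled user; request_ref identifies the documented unlocking request."""
        user = self.users[login_id]
        user.disabled, user.failed_attempts = False, 0
        return request_ref
```

Two details matter for an audit: the "same as last password" check (feature 6) is done against the stored hash, so the old password never needs to be kept in clear, and the disabled check runs before the password check, so a correct password on a locked account still reports "disabled" until a documented unlocking request is recorded.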
Change management and version controls documented and practiced

To ensure system integrity and stability, all changes to the system are planned, evaluated for risk, tested, approved and documented.
1. Whether changes are made in a planned manner
2. Whether changes are made by duly authorized personnel
3. Is the risk involved in implementing the changes duly factored in?
4. Is the implemented change duly approved and the process documented?
5. Is the change request process documented?
6. Is the change implementation process supervised to ensure system integrity and continuity?
7. Is user acceptance of the change documented?

Procedure for backup documented and practiced

Backups of the following system generated files should be maintained:
At the server / gateway level: Database, Audit Trails, Reports
At the user level: Market Watch, Logs, History, Reports, Audit Trails
Procedure for backup documented and practiced (continued)

Verification of backup procedures includes:
1. Are backup procedures documented?
2. Are backup logs maintained?
3. Have the backups been verified and tested?
4. Are the backup media stored safely in line with the risk involved?
5. Are there recovery procedures, and have they been tested?

Business continuity and disaster recovery planning

The organization should have a suitable documented Business Continuity, Disaster Recovery or Incident Response process commensurate with the organization's size and risk profile.
Verification of BCP / DRP includes:
1. Is there any documentation on Business Continuity / Disaster Recovery / Incident Response?
2. Does a BCP / DRP plan exist?
3. If a BCP / DRP plan exists, has it been tested?
4. Are there documented incident response procedures?
5. Are there documented risk assessments?
6. Does the installation maintain a call list for emergencies?
Business continuity and disaster recovery planning (continued)

Verification of BCP / DRP includes:
7. How will the organization assure customers prompt access to their funds and securities in the event of a disaster?
8. Are there suitable backups for failure of any of the critical system components, such as:
   a. Gateway / Database / Application Server
   b. Router, Network Switch
   c. Electricity, Air Conditioning
9. Has provision for an alternate physical location of employees been made?
10. Are there suitable provisions for books and records backup and recovery (hard copy and electronic)?

Additional Security Features
- Adequate provisions for physical security of the hardware / systems at the hosting location, and controls on admission of personnel into the location.
- The people, systems, database, network and application are sited in a manner that protects them from hazards and risks.
- Implementation of a firewall.
- Is a malicious code protection system (anti-virus) implemented, and are the definition files up to date? Last date of virus check of the entire system.
- The insurance policy of the Member covers the additional risk of usage of CTCL / IML and/or Internet Trading.
Backup link for network / communication failure
1. Is the backup network link adequate in case of failure of the primary link to the Exchanges?
2. Is the backup network link adequate in case of failure of the primary link connecting the IML / CTCL users?
3. Is the backup network link adequate in case of failure of the primary internet connectivity?
4. Is there an alternate communications path between:
   a. customers and the firm
   b. the firm and its employees
   c. critical business constituents, banks and regulators

Clock Synchronization
1. System clocks synchronized to an atomic clock
2. Network device clocks synchronized to an atomic clock
3. Clock of the system hosting the database synchronized to an atomic clock
CTCL ID Details
1. Whether the required details of all the CTCL IDs created in the CTCL server of the trading member, for any purpose (viz. administration, branch administration, mini-administration, surveillance, risk management, trading, view only, testing, etc.), and any changes therein, have been uploaded as per the requirement of the Exchange.
2. Whether all the CTCL / IML user IDs created in the server of the trading member have been mapped to 12 digit codes (NSE) / 16 digit codes (BSE & MCX-SX) on a one-to-one basis, and a record of the same is maintained.

Auditor's Declaration
1. All the branches where the CTCL / IML facility is provided have been audited and ONE consolidated report has been submitted.
2. All the audit recommendations given in relation to the system audit certificate for the previous year have been duly implemented. If not, the same have been reported hereunder.
3. There is no conflict of interest with respect to the member being audited. If any such instance arises, it shall be brought to the notice of the Exchange immediately before undertaking the audit.
Documentation Requirements
1. Members who have been rated overall as "Medium" by the Exchange empanelled System Auditor prior to the granting of approval for ITORS - IBT / SOR / DMA / STWT are required to submit an Action Taken Report, duly certified by their System Auditor, detailing the actions taken by the member on each individual Medium / Weak area, along with the System Audit Report.
2. Only Trading Members who provide an internet trading facility are requested to submit the SSL certificate. The certificate must carry details such as the name of the website and the validity period.

No IML Audit for BSE if
A Trading Member is not required to submit the System Audit Report and SSL certificate provided the Trading Member has taken the IML facility but uses it only for viewing purposes, or no trading has been done using the IML facility during the year ended March
SEBI Circular on IBT / STWT

SEBI Circular CIR/MRD/DP/8/2011 dated June 30, 2011 makes it mandatory for the broker to comply before March :
1. The broker shall capture the IP (Internet Protocol) address (from where the orders are originating) for all IBT / STWT orders.
2. The broker's system should have built-in high system availability to address any single point of failure.
3. There should be secure end-to-end encryption for all data transmission between the client and the broker through a secure standardized protocol.
4. The broker's system should have adequate safety features to ensure it is not susceptible to internal / external attacks.
5. In case of failure of IBT / STWT, the alternate channel of communication shall have adequate capabilities for client identification and authentication.
6. Two-factor authentication for the login session may be implemented for all orders emanating using Internet Protocol. Public Key Infrastructure (PKI) based implementation using digital signatures
7. In case of no activity by the client, the system should provide for automatic trading session logout.
Thank you

Pranay Kochar
Kochar & Associates, Chartered Accountants
Tel :
E: pranay@kocharassociates.com
More informationAfilias DNSSEC Practice Statement (DPS) Version
Afilias DNSSEC Practice Statement (DPS) Version 1.07 2018-02-26 Page 1 of 8 1. INTRODUCTION 1.1. Overview This document was created using the template provided under the current practicing documentation.
More informationNEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE
COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:
More informationRequest for Proposal (RFP)
Request for Proposal (RFP) BOK PENETRATION TESTING Date of Issue Closing Date Place Enquiries Table of Contents 1. Project Introduction... 3 1.1 About The Bank of Khyber... 3 1.2 Critical Success Factors...
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationNetwork Security Policy
Network Security Policy Date: January 2016 Policy Title Network Security Policy Policy Number: POL 030 Version 3.0 Policy Sponsor Policy Owner Committee Director of Business Support Head of ICU / ICT Business
More informationVMware vcloud Air SOC 1 Control Matrix
VMware vcloud Air SOC 1 Control Objectives/Activities Matrix VMware vcloud Air goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a
More informationApril Appendix 3. IA System Security. Sida 1 (8)
IA System Security Sida 1 (8) Table of Contents 1 Introduction... 3 2 Regulatory documents... 3 3 Organisation... 3 4 Personnel security... 3 5 Asset management... 4 6 Access control... 4 6.1 Within AFA
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationSupport for the HIPAA Security Rule
white paper Support for the HIPAA Security Rule PowerScribe 360 Reporting v1.1 healthcare 2 Summary This white paper is intended to assist Nuance customers who are evaluating the security aspects of PowerScribe
More informationGLOBAL PAYMENTS AND CASH MANAGEMENT. Security
GLOBAL PAYMENTS AND CASH MANAGEMENT Security The Bank aims to provide you with a robust, reliable and secure online environment in which to do business. We seek to achieve this through the adoption of
More informationHIPAA Compliance Checklist
HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.
More informationRFP FOR INFORMATION SYSTEM AUDIT
RFP FOR INFORMATION SYSTEM AUDIT 2018-19 I. Introduction II. The Kerala State Cooperative Bank Ltd. is the apex bank of the Cooperative Banking structure in Kerala that is approved by the Registrar of
More information"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary
Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationOn line Thermal Performance Monitoring System. Annexure B1. IEC IT Compliance & Cyber Security Requirements
POWER & ENERGY GROUP GENERATION DEVISION MONITOR & DIAGNOSTICS CENTER On line Thermal Performance Monitoring System Annexure B1 IT Compliance & Cyber Security Requirements Approved by: Name / Signature
More informationStripe Terminal Implementation Guide
Stripe Terminal Implementation Guide 12/27/2018 This document details how to install the Stripe Terminal application in compliance with PCI 1 PA-DSS Version 3.2. This guide applies to the Stripe Terminal
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationInformation Security for Mail Processing/Mail Handling Equipment
Information Security for Mail Processing/Mail Handling Equipment Handbook AS-805-G March 2004 Transmittal Letter Explanation Increasing security across all forms of technology is an integral part of the
More informationCyber Security Guidelines for Securing Home and Small Office Routers
Cyber Security Guidelines for Securing Home and Small Office Routers Author: CS Risk Management Section Document Published Date: March 2018 Document History: Version Description Date 1.0 Published V1.0
More informationTARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS
Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS
More informationAnnex 2 to the Agreement on Cooperation in the Area of Trade Finance & Cash Management Terms and Conditions for Remote Data Transmission
Annex 2 to the Agreement on Cooperation in the Area of Trade Finance & Cash Management Terms and Conditions for Remote Data Transmission 1. Scope of services (1) The Bank is available to its Customer (account
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers
All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision
More informationEXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security
More informationMessage Networking 5.2 Administration print guide
Page 1 of 421 Administration print guide This print guide is a collection of system topics provided in an easy-to-print format for your convenience. Please note that the links shown in this document do
More informationSyllabus: The syllabus is broadly structured as follows:
Syllabus: The syllabus is broadly structured as follows: SR. NO. TOPICS SUBTOPICS 1 Foundations of Network Security Principles of Network Security Network Security Terminologies Network Security and Data
More informationAUTHORITY FOR ELECTRICITY REGULATION
SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...
More informationISC2. Exam Questions CISSP. Certified Information Systems Security Professional (CISSP) Version:Demo
ISC2 Exam Questions CISSP Certified Information Systems Security Professional (CISSP) Version:Demo 1. How can a forensic specialist exclude from examination a large percentage of operating system files
More informationING Public Key Infrastructure Technical Certificate Policy
ING Public Key Infrastructure Technical Certificate Policy Version 5.4 - November 2015 Commissioned by ING PKI Policy Approval Authority (PAA) Additional copies Document version General Of this document
More informationAuthAnvil for Retail IT. Exploring how AuthAnvil helps to reach compliance objectives
AuthAnvil for Retail IT Exploring how AuthAnvil helps to reach compliance objectives AuthAnvil for Retail IT Exploring how AuthAnvil helps to reach compliance objectives As companies extend their online
More informationStandard CIP Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-4 3. Purpose: Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for securing
More informationISSUE N 1 MAJOR MODIFICATIONS. Version Changes Related Release No. PREVIOUS VERSIONS HISTORY. Version Date History Related Release No.
ISSUE N 1 MAJOR MODIFICATIONS Version Changes Related Release No. 01 First issue. 2.8.0 PREVIOUS VERSIONS HISTORY Version Date History Related Release No. N/A N/A N/A N/A APPROVAL TABLE Signatures below
More informationFTD MERCURY X2 IMPLEMENTATION GUIDE FOR PA-DSS
FTD MERCURY X2 IMPLEMENTATION GUIDE FOR PA-DSS FTD Mercury X2 Implementation Guide for PA-DSS 2010 Florists Transworld Delivery, Inc. All Rights Reserved. Last Updated: March 1, 2010 Last Reviewed: February
More informationNo IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP
No IT Audit Staff? How to Hack an IT Audit Presenters Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP Learning Objectives After this session, participants will be able to: Devise
More informationStandard CIP 007 4a Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-4a 3. Purpose: Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for
More informationPoint ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core
PCI PA - DSS Point ipos Implementation Guide Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core Version 1.02 POINT TRANSACTION SYSTEMS AB Box 92031,
More informationExhibit A Questionnaire
Exhibit A Questionnaire Thank you for your interest in NYSE data. This questionnaire is intended to simplify user application requirements while furnishing customers and data providers with the information
More informationDevelopment Authority of the North Country Governance Policies
Development Authority of the North Country Governance Policies Subject: Electronic Signature Policy Adopted: March 28, 2018 (Annual Meeting) Resolution: 2018-03-35 Table of Contents SECTION 1.0 INTRODUCTION...
More informationANNEX. Organizational and technical measures
ANNEX Organizational and technical measures The Data Processor has implemented the measures as described in this exhibit insofar as the respective measure contributes or is capable of contributing directly
More informationAppPulse Point of Presence (POP)
AppPulse Point of Presence Micro Focus AppPulse POP service is a remotely delivered solution that provides a managed environment of Application Performance Management. AppPulse POP service supplies real-time
More informationInformation Services IT Security Policies L. Network Management
Information Services IT Security Policies L. Network Management Version 1.1 Last updated: 11th August 2010 Approved by Directorate: 2nd July 2009 Review date: 1st August 2011 Primary owner of security
More information