IS Audit of Stock Brokers

Transcription

1 IS Audit of Stock Brokers CA Pranay Kochar B.Com, A.C.A, P.G.D.I.T., C.I.S.A., D.I.S.A (ICAI), ISO LA, Dip. Cyber Law Partner Kochar & Associates Chartered Accountants Types of IS Audits for Stock Brokers Bombay Stock Exchange (BSE): National Stock Exchange (NSE): MCX Stock Exchange (MCX-SX): Commodity Exchanges- MCX & NCDEX: 1. Smart Order Routing (SOR) System Audit 2. Direct Market Access (DMA) System Audit 3. Internet Trading Order Routing System (ITORS) Audit 4. Securities Trading using Wireless Technology (STWT) Audit 5. Intermediate Message Layer (IML) System Audit BSE 6. Computer to Computer Link (CTCL) System Audit NSE, MCX-SX, MCX, NCDEX. 1

2 Types of IS Audits for Stock Brokers Smart Order Routing (SOR) System Audit - BSE, NSE & MCX-SX Direct Market Access (DMA) System Audit BSE, NSE & MCX-SX Internet Trading Order Routing System (ITORS) Audit BSE, NSE & MCX-SX Securities Trading using Wireless Technology (STWT) BSE, NSE & MCX-SX - To be conducted by Exchange empanelled / appointed System Auditor Types of IS Audits for Stock Brokers Direct Market Access (DMA) System Audit MCX & NCDEX Internet Trading Order Routing System (ITORS) Audit MCX & NCDEX Securities Trading using Wireless Technology (STWT) MCX & NCDEX - Direct Approval. No audit is required 2

3 Types of IS Audits for Stock Brokers Intermediate Message Layer (IML) System Audit BSE Computer to Computer Link (CTCL) System Audit NSE & MCX-SX - To be conducted by Broker appointed System Auditor (CISA / DISA / CISSP Qualified) Computer to Computer Link (CTCL) System Audit MCX & NCDEX - To be conducted by Broker appointed System Auditor but no report to be submitted to the exchange. CTCL / IML Audit Areas 3

4 CTCL / IML Audits Dates CTCL Audit for NSE to be conducted as on June 30 of each year and report to be submitted by July 31. IML Audit for BSE to be conducted as on March 31 of each year and report to be submitted by July 31. CTCL Audit for MCX-SX to be conducted as on March 31 of each year and report to be submitted by July 31. Non-submission of System Audit Report by July 31, would attract late submission charges of Rs 100/- per day till the date of submission Non-submission of the SSL (Secured Socket Layer) certificate by July 31 would attract late submission charges of Rs 100/- per day till the date of submission Auditor Requirements The System Audit should be carried out by CISA / DISA / CISSP Certified Systems Auditor and their Name, Registration Number, along with the Stamp, Seal, place and date should be mentioned at the end of the report. Every page of the report should be initialed by System Auditor. The System Auditor should be independent of the Empanelled vendors of the Exchange and / or partners / Directors of the Trading members One consolidated report should be submitted for all the branches and for all the segments (Equities, Derivatives & Currency Derivatives). 4

5 Trading Network Architecture Features and system parameters implemented in the system 1. The systems used for trading and supporting purposes should be hosted (Located) in India. 2. The installed system parameters are as per Exchange norms: 1. IML / CTCL Version 2. Order Gateway Version 3. Risk Administration / Manager Version 4. Front End / Order Placement Version 2. The system has a feature for receipt of price broadcast data 3. If the system is enabled for internet / Mobile Trading the system has an internal unique order numbering system 4. The system does not have any order matching function and all orders are passed on to the exchange trading system 5

6 Adequacy of input, processing and output controls The system has a feature for: 1. Allowing only orders matching the system parameters to be placed. 2. Modification of orders placed. 3. Cancellation of orders placed 4. Checking the outstanding orders i.e. the orders that have not yet traded or partially traded. 5. Reporting of client wise / user wise margin requirements as well as payment and delivery obligations. Online Risk Management relating to orders are observed and adequate. The system has a feature for: 1. Placing of trades only for authorized clients 2. Assessing the risk of the client as soon as the order comes in and informs the client of acceptance/rejection of the order within a reasonable period 3. System based control facility on the trading limits of the clients and exposures taken by the clients including set pre-defined limits on the exposure and turnover of each client. 4. Reconfirmation of orders which are larger than that as specified by the member s risk management system. 6

7 IT Systems and System Security All volumes of the server hosting the database and / application has file system that offers enhanced security For Ex: NTFS for windows, Vxfs- for HP Unix, ext3 for Linux etc. Default file &directory shares and simple file sharing if offered by the operating system are disabled. Sharing if any is authorized. Patches, hot fixes and service packs are updated after appropriate testing. Auditing is enabled for events like Account logon events, Account Management, Object access, Policy change, privilege use, system events. Password policies and access control rules for system access to apply. Database and Database Security 1. Database server located behind a firewall with default rules to deny all traffic. 2. Database software owner account granted the minimum set of operating system rights necessary for database operation. 3. The database software version is currently supported 4. Unneeded default accounts removed, or passwords changed from defaults. 5. Database software is patched to include all current security patches. 6. Log events are identified audit trails enabled, reviewed and monitored 7. Password policies and access control rules for database access to apply. 7

8 Network and Network Security 1. Does network provide security to the systems, applications and data that moves through network? 2. Verify network diagram 3. Are network devices appropriately patched / upgraded with latest firmware 4. Log events are identified, monitored, reviewed and escalated 5. Password policies and access control rules for network device access to apply. Adequacy of measures to protect the confidentiality of sessions 1. Information in motion (moving over network) adequately secured using mechanism such as VPN (Virtual Private Network), TLS / SSL (Transport Layer Security / Secure Session Layer) or similar mechanism. 2. The system uses a secure storage mechanism for storing of usernames and passwords. 3. The system adequately protects the confidentiality of the users trade data 4. The installed system provides for session security for all sessions established with the application server by the front end application. 5. The system restricts sessions to authorized user only. 8

9 Adequacy of measures to protect the confidentiality of sessions In case of web based application using SSL Is certificate issued to the member / broker organization Is the certificate used on the server facilitating confidential information like trade data Is the login page and all subsequent authenticated pages exclusively accessed over SSL In case of Client Server application model (Thick Client) Does the application architecture ensure security of information sent over internal / external network Is the information transmitted in encrypted form Supporting letter from vendor on his letterhead to be provided. Event logging and system monitoring activities. 1. The system provides a system based event logging and system monitoring facility which monitors and logs all activities / events arising from actions taken on the gateway / database server, authorized user terminal and transactions processed for clients and the same is not susceptible to manipulation 2. The following reports / logs should be generated: Number of Users Logged In / hooked on to the network incl. privileges of each Number of Authorized Users Activity logs Systems logs Number of active clients 9

10 User management norms defined and observed 1. The system has an User Management procedure as per the requirements of the exchange. 2. Only users approved by the exchanges are allowed to access the system and documentation regarding the same is maintained in the form of User Approval Application & Copy of User Qualifications 3. New User IDs are created as per the exchange guidelines. 4. All users are uniquely identified through issue of unique CTCL / IML ids. 5. Users not compliant with the Exchange Requirements are disabled and event logs maintained 6. Users whose accounts are locked are unlocked only after documented unlocking requests are made. Access Controls / Password policy & standards defined and observed 1. Is there track of user id s created, disabled, enabled, deleted, unlocked & log maintained 2. The systems use passwords for authentication. 3. The password policy / standard is documented. 4. In case of new user / password resets; is password communicated to user securely 5. A process exists to block / suspend the user (id) on request from user (case of loss of device / malicious activity) 6. Extra Authentication Security measures like Smart cards, biometric authentication or tokens etc Second level of password control for critical features 10

11 Password Features 1. The Password is masked at the time of entry. 2. System mandated changing of password when the user logs in for the first time. 3. Automatic disablement of the user on entering erroneous password on three consecutive occasions. 4. Automatic expiry of password on expiry of 14 days. 5. System controls to ensure that the password is alphanumeric 6. System controls to ensure that the changed password cannot be the same as of the last password 7. System controls to ensure that the Login id of the user and password should not be the same. 8. System controls to ensure that the Password should be of minimum six characters and not more than twelve characters. Working processes to adhere to policies and procedures The organization s documented policy and procedures should include the following policies which should be in in line with the exchange requirements. All policies should be documented & approved. 1.Information Security Policy 2.Password Policy 3.User Management and Access Control Policy 4.Network Security Policy 5.Application Software Policy 6.Change Management Policy 7.Backup Policy 8.BCP and Response Management Policy 9.Audit Trail Policy 11

12 Change management and version controls documented and practiced To ensure system integrity and stability all changes to the system are planned, evaluated for risk, tested, approved and documented. 1. Whether changes are made in a planned manner 2. Whether made by duly authorized personnel 3. Is the risk involved in the implementation of the changes duly factored in 4. Is the implemented change duly approved and process documented 5. Is the change request process documented 6. Is the change implementation process supervised to ensure system integrity and continuity 7. Is user acceptance of the change documented Procedure for Backup documented, and practiced Backups of the following system generated files should be maintained: At the server / gateway level Database Audit Trails Reports At the user level Market Watch Logs History Reports Audit Trails 12

13 Procedure for Backup documented, and practiced Verification of Backup procedures include: 1. Are backup procedures documented? 2. Are backup logs maintained? 3. Have the backups been verified and tested? 4. Are the backup media stored safely in line with the risk involved? 5. Are there any recovery procedures and have the same been tested? Business continuity and disaster recovery planning The Organization should have a suitable documented Business Continuity or Disaster Recovery or Incident Response process commensurate with the organization size and risk profile Verification of BCP / DRP includes: 1. Is there any documentation on Business Continuity / Disaster Recovery / Incident Response? 2. Does a BCP / DRP plan exist? 3. If a BCP/DRP plan exists, has it been tested? 4. Are there any documented incident response procedures? 5. Are there any documented risk assessments? 6. Does the installation have a Call List for emergencies maintained? 13

14 Business continuity and disaster recovery planning Verification of BCP / DRP includes: 7. How will the organization assure customers prompt access to their funds and securities in the event of disaster. 8. Are there suitable backups for failure of any of the critical system components like 1. Gateway / Database Application Server 2. Router, Network Switch 3. Electricity, Air Conditioning 9. Have any provision for alternate physical location of employees been made 10. Are there suitable provisions for Books and records backup and recovery (hard copy and electronic). Additional Security Features Adequate provisions for physical security of the hardware / systems at the hosting location and controls on admission of personnel into the location The people, systems, database, network and application are sited in a manner to protect and prevent from hazards and risks Implementation of Firewall Is a malicious code protection system (Anti Virus) implemented and the definition files up-to-date Last date of virus check of entire system The insurance policy of the Member covers the additional risk of usage of CTCL / IML and or Internet Trading 14

15 Backup link for Network / Communication failure 1. Is the backup network link adequate in case of failure of the primary link to the Exchanges 2. Is the backup network link adequate in case of failure of the primary link connecting the IML / CTCL users 3. Is the backup network link adequate in case of failure of the primary internet connectivity 4. Is there an alternate communications path between 1. customers and the firm. 2. firm and its employees. 3. critical business constituents, banks and regulators Clock Synchronization 1. System clocks synchronized to atomic clock 2. Network device clocks synchronized to atomic clock 3. Clock of the system hosting the database is synchronized with atomic clock 15

16 CTCL ID Details 1. Whether the required details of all the CTCL ids created in the CTCL server of the trading member, for any purpose (viz. administration, branch administration, mini-administration, surveillance, risk management, trading, view only, testing, etc) and any changes therein, have been uploaded as per the requirement of the Exchange 2. Whether all the CTCL / IML user ids created in the server of the trading member have been mapped to 12 digit codes / 16 digit codes for NSE BSE & MCX-SX respectively on a one-to-one basis and a record of the same is maintained Auditors Declaration 1. All the branches where CTCL / IML facility is provided have been audited and ONE consolidated report has been submitted. 2. All the audit recommendations given in relation to the system audit certificate for the previous year have been duly implemented. If not, the same have been reported hereunder. 3. There is no conflict of interest with respect to the member being audited. If any such instance arises, it shall be brought to the notice of the Exchange immediately before undertaking the audit. 16

17 Documentation Requirements 1. Members who have been rated overall as Medium by Exchange empanelled System Auditor prior to granting approval for ITORS - IBT/ SOR / DMA / STWT ) are required to submit Action taken Report duly certified by their System auditors detailing the actions taken by the member on various individual Medium / Weak area along with the System audit report. 2. Only the Trading Members who are providing Internet trading facility are requested to submit the SSL certificate.the certificate must have details like name of website, validity period etc. No IML Audit for BSE if A Trading Member is not required to submit the System Audit Report, & SSL certificate provided the Trading Member has taken the IML facility but is used only for viewing purpose. or no trading has been done using the IML facility during the year ended March

18 SEBI Circular on IBT / STWT SEBI Curcular CIR/MRD/DP/ 8 /2011 Dated June 30, 2011 makes it mandatory for the broker to comply before March : 1. The broker shall capture the IP (Internet Protocol) address (from where the orders are originating), for all IBT/ STWT orders. 2. The brokers system should have built-in high system availability to address any single point failure. 3. There should be secure end-to-end encryption for all data transmission between the client and the broker through a Secure Standardized Protocol. SEBI Circular on IBT / STWT 4. The broker system should have adequate safety features to ensure it is not susceptible to internal/ external attacks. 5. In case of failure of IBT/ STWT, the alternate channel of communication shall have adequate capabilities for client identification and authentication. 6. Two-factor authentication for login session may be implemented for all orders emanating using Internet Protocol. Public Key Infrastructure (PKI) based implementation using digital signatures, 7. In case of no activity by the client, the system should provide for automatic trading session logout. 18

19 Thank you Pranay Kochar Kochar & Associates Chartered Accountants Tel : E: pranay@kocharassociates.com 19