General Information

Are you Stock Broker / Auditor: Auditor
Clearing No: 6750
Member Name: VAIBHAV STOCK AND DERIVATIVES BROKING PRIVATE LIMITED
Audit period Start Date: 01-04-2023
Audit period End Date: 30-09-2023
Audit Date: 18-11-2023
Audited by: CERT-IN
Audit firm registration no.: U80904HR2019PTC081680
Audit firm name: Cybertryzub Infosec Pvt Ltd
Auditor name: Jyoti Singh
Auditor Registration no.: 20168704
Email id of auditor: jyoti.singh@cybertryzub.com
Contact no. of auditor: 9873784553
Address of audit firm: Plot No 76d Udyog Vihar 4 Sector 18, Gurgaon – 122001 Haryana, India
Designation of auditor: Director
PAN no. of auditor: CLWPS4097Q
Audit Mode: Half yearly
Filing for (CSAR/CAR/FOR): CSAR

CSAR

Audit Clause | Details | Audit Date | Audited by | Observation no | Description of finding / observation | Department | Status / Nature of Findings
The remaining columns of the form (Deviations, Risk Rating, Root Cause Analysis, Impact Analysis, Suggested Corrective Action, Deadline for corrective action, Verified by, Closing date, Corrective action report to be submitted, Follow up Audit required, Whether Auditor comments accepted, Trading member management comments) are blank for every row and are not repeated below.
1 Governance
1a(i) | Whether the Stockbroker has formulated a comprehensive Cyber Security and Cyber Resilience policy document encompassing the framework mentioned in the circular? | 18-11-2023 | JYOTI SINGH | 1 | Yes, the Stock Broker has framed Cyber Security & Cyber Resilience Policy as per the requirements of the Circular and policy is approved. | Compliance and IT | Compliant
1a(ii) | In case of deviations from the suggested framework, whether reasons for such deviations, technical or otherwise, are provided in the policy document? | 18-11-2023 | JYOTI SINGH | 2 | There were no deviations in the policy from the suggested framework. | Compliance and IT | Compliant
1a(iii) | Is the policy document approved by the Board / Partners / Proprietor of the organization? | 18-11-2023 | JYOTI SINGH | 3 | Yes, the Stock Broker has framed Cyber Security & Cyber Resilience Policy as per the requirements of the Circular and policy is approved. | Compliance and IT | Compliant
1a(iv) | Whether the policy document is reviewed by the aforementioned group at least annually with the view to strengthen and improve its Cyber Security and Cyber Resilience framework. | 18-11-2023 | JYOTI SINGH | 4 | The policy document is reviewed once in a year. Last reviewed | Compliance and IT | Compliant
1a(v) | Policy Approval Date | 18-11-2023 | JYOTI SINGH | 5 | Policy Approval Date is Jul 30, 2023 | Compliance and IT | Compliant
1a(vi) | Policy Version | 18-11-2023 | JYOTI SINGH | 6 | Policy Version is 1.3 | Compliance and IT | Compliant
1a(vii) | Policy Approval By | 18-11-2023 | JYOTI SINGH | 7 | Policy approval by board of Directors | Compliance and IT | Compliant
1b(i) | Whether the Cyber Security Policy includes the following process to identify, assess, and manage Cyber Security risk associated with processes, information, networks, and systems: | 18-11-2023 | JYOTI SINGH | 8 | The Cyber Security Policy includes the following process to identify, assess, and manage Cyber Security risk associated with processes, information, networks, and systems: | Compliance and IT | Compliant
1b(ii) | a. ‘Identify’ critical IT assets and risks associated with such assets. | 18-11-2023 | JYOTI SINGH | 9 | a. Identify. | Compliance and IT | Compliant
1b(iii) | b. ‘Protect’ assets by deploying suitable controls, tools, and measures. | 18-11-2023 | JYOTI SINGH | 10 | b. Protect. | Compliance and IT | Compliant
1b(iv) | c. ‘Detect’ incidents, anomalies, and attacks through appropriate monitoring tools/processes. | 18-11-2023 | JYOTI SINGH | 11 | c. Detect. | Compliance and IT | Compliant
1b(v) | d. ‘Respond’ by taking immediate steps after identification of the incident, anomaly, or attack. | 18-11-2023 | JYOTI SINGH | 12 | d. Respond. | Compliance and IT | Compliant
1b(vi) | e. ‘Recover’ from incident through incident management and other appropriate recovery mechanisms. | 18-11-2023 | JYOTI SINGH | 13 | e. Recover. | Compliance and IT | Compliant
1c | Whether policy / Procedure document refers to best practices from international standards like ISO 27001, COBIT 5, etc., or their subsequent revisions, if any, from time to time. | 18-11-2023 | JYOTI SINGH | 14 | Policy document is referring to best practices from international standards like ISO 27001 | Compliance and IT | Compliant
1d | Whether policy document have considered the principles prescribed by National Critical Information Infrastructure Protection Centre (NCIIPC) of National Technical Research Organization (NTRO), Government of India (titled ‘Guidelines for Protection of National Critical Information Infrastructure’) and subsequent revisions, if any, from time to time. | 18-11-2023 | JYOTI SINGH | 15 | Yes | Compliance and IT | Compliant
1e | Stockbrokers / Depository Participants should designate a senior official or management personnel (henceforth, referred to as the “Designated Officer”) whose function would be to assess, identify, and reduce security and Cyber Security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the Cyber Security Policy. | 18-11-2023 | JYOTI SINGH | 16 | Designated Officer was appointed. | Compliance and IT | Compliant
1f(i) | Whether the Member has constituted an Technology Committee comprising experts. | 18-11-2023 | JYOTI SINGH | 17 | Internal Technology Committee was formed. | Compliance and IT | Compliant
1f(ii) | This Technology Committee has reviewed on a half yearly basis the implementation of the Cyber Security and Cyber Resilience policy, which includes: | 18-11-2023 | JYOTI SINGH | 18 | Internal Technology Committee meeting was conducted as on Sep 15, 2022 and Mar 03, 2023. | Compliance and IT | Compliant
1f(iii) | - review of their current IT and Cyber Security and Cyber Resilience capabilities, | 18-11-2023 | JYOTI SINGH | 19 | Yes. | Compliance and IT | Compliant
1f(iv) | - if committee has set goals for a target level of Cyber Resilience and establish plans to improve and strengthen Cyber Security and Cyber Resilience. | 18-11-2023 | JYOTI SINGH | 20 | Yes. | Compliance and IT | Compliant
1f(v) | - And the review report is placed before the Board / Partners / Proprietor of the Stockbrokers / Depository Participants for appropriate action. | 18-11-2023 | JYOTI SINGH | 21 | Yes. | Compliance and IT | Compliant
1g | Whether the Designated officer and the technology committee periodically reviewed instances of cyber-attacks, if any, domestically and globally, and taken steps to strengthen Cyber Security and cyber resilience framework. | 18-11-2023 | JYOTI SINGH | 22 | Designated officer and the technology committee had periodically reviewed instances of cyber-attacks, if any, domestically and globally, and taken steps to strengthen Cyber Security and cyber resilience framework. | Compliance and IT | Compliant
1h | Whether Brokers / Depository Participants has policy or reporting procedure to facilitate communication of unusual activities and events to the Designated Officer in a timely manner. | 18-11-2023 | JYOTI SINGH | 23 | Reporting procedure to facilitate communication of unusual activities and events to the Designated Officer in a timely manner are established. | Compliance and IT | Compliant
1i | Has Stockbroker/Depository Participant defined and documented roles and responsibilities of its employees, outsourced staff, and employees of vendors, members or participants and other entities, who may have privileged access or use systems / networks of the Stockbroker/Depository Participants towards ensuring the goal of Cyber Security? | 18-11-2023 | JYOTI SINGH | 24 | Roles and responsibilities were defined for employees, outsourced staff, employee of vendors, participants and other entities of privileged access to the system/network for ensuring goal of Cyber Security. | Compliance and IT | Compliant
1j | Stockbrokers / Depository Participants should prepare detailed incident response plan and define roles and responsibilities of Chief Information Security Officer (CISO) and other senior personnel. Reporting and compliance requirements shall be clearly specified in the security policy. In addition, share the details of CISO with CERT-In through Email (info AT cert-in.org.in) | 18-11-2023 | JYOTI SINGH | 25 | Member has prepared incident response plan and defined roles and responsibilities of CISO and other senior personnel. | Compliance and IT | Compliant
2 Identification
2a | Has the Stock Broker / Depository Participant identified and classified critical assets based on their sensitivity and criticality for business operations, services and data management. The critical assets shall include business critical systems, internet facing applications /systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, Personally Identifiable Information (PII) data, etc. All the ancillary systems used for accessing/communicating with critical systems either for operations or maintenance shall also be classified as critical system. The Board/Partners/Proprietor of the Stock Brokers / Depository Participants shall approve the list of critical systems. To this end, Stock Brokers / Depository Participants should maintain up-to-date inventory of its hardware and systems and the personnel to whom these have been issued, software and information assets (internal and external), details of its network resources, connections to its network and data flows. | 18-11-2023 | JYOTI SINGH | 26 | Yes, the Stock Broker has maintained the register of Hardware, Software & Network infrastructure and is managed by the IT Team. | IT Department | Compliant
2b | Has the Stockbrokers / Depository Participants identified / has process to identify cyber risks (threats and vulnerabilities) that it may face, along with the likelihood of such threats and impact on the business and thereby, deploy controls commensurate to the criticality. | 18-11-2023 | JYOTI SINGH | 27 | Yes | IT Department | Compliant
3 Protection
3a | Access control. No person by virtue of rank or position should have any intrinsic right to access Confidential data, applications, system resources or facilities. | 18-11-2023 | JYOTI SINGH | 28 | IT Asset Register was available. Critical Assets were marked. | Compliance and IT | Compliant
3b | Access control. Any and all access to Stockbrokers / Depository Participants systems, applications, networks, databases etc., have defined purpose and for a defined period. Stockbrokers / Depository Participants should grant access to IT systems, applications, databases, and networks on a need-to-use basis and based on the principle of least privilege to provide security for both on- and off-premises resources (i.e. zero-trust models). This security model requires strict identity verification for each and every resource and device attempting to get access to any information on a private network, regardless of where they are situated, within or outside of a network perimeter. Such access should be for the period when the access is required and should be authorized using multi factor authentication (MFA). Maker and Checker framework should be implemented in strict manner and Enable multi factor authentication (MFA) for all users that connect using online/internet facility and also particularly for virtual private networks, webmail and user accounts that access critical systems and applications. | 18-11-2023 | JYOTI SINGH | 29 | IT Risk Assessment was done. | Compliance and IT | Compliant
3c | Have Stockbrokers / Depository Participants implemented an access policy which addresses strong password controls for users’ access to systems, applications, networks, and databases. The policy should include a clause of: 1. Periodic review of accounts of ex-employees. 2. Passwords should not be reused across multiple accounts. 3. List of passwords should not be stored on the system. Illustrative examples for strong password controls are given in Annexure C of SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 | 18-11-2023 | JYOTI SINGH | 30 | Stock broker has implemented Firewall. | IT Department | Compliant
3d | All critical systems of the Stockbroker / Depository Participant accessible over the internet should have two-factor security (such as VPNs, Firewall controls etc.) | 18-11-2023 | JYOTI SINGH | 31 | Yes, Access policy is documented and the same has been implemented. | IT Department | Compliant
3e | Stockbrokers / Depository Participants should ensure that records of user access to critical systems, wherever possible, are uniquely identified and logged for audit and review purposes. Such logs should be maintained and stored in a secure location for a time period not less than two (2) years. Stockbrokers / Depository Participants should implement strong log retention policy as per extant SEBI regulations and required by CERT-In and IT Act 2000. Stockbrokers / Depository Participants are advised to audit all logs that are being collected. Stockbrokers / Depository Participants should monitor incidents to identify unusual patterns and behaviours. | 18-11-2023 | JYOTI SINGH | 32 | Yes | IT Department | Compliant
3f | Stockbrokers / Depository Participants should deploy controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users) to Stockbroker / Depository Participant’s critical systems. Such controls and measures should inter-alia include restricting the number of privileged users, periodic review of privileged users’ activities, disallowing privileged users from accessing system logs in which their activities are being captured, strong controls over remote access by privileged users, and a Maker-Checker framework for modifying users’ rights in internal applications, etc. | 18-11-2023 | JYOTI SINGH | 33 | Yes, logs are stored properly and have been maintained. | IT Department | Compliant
3g | Employees and outsourced staff such as employees of vendors or service providers, who may be given authorized access to the Stockbrokers / Depository Participants critical systems, networks, and other computer resources, should be subject to stringent supervision, monitoring, and access restrictions. | 18-11-2023 | JYOTI SINGH | 34 | Yes process is in place | IT Department | Compliant
3h | Stockbrokers / Depository Participants should formulate an Internet access policy to monitor and regulate the use of internet and internet-based services such as social media sites, cloud-based internet storage sites, etc. within the Stockbroker / Depository Participant’s critical IT infrastructure. | 18-11-2023 | JYOTI SINGH | 35 | Yes | IT Department | Compliant
3i | User Management must address deactivation of access privileges of users who are leaving the organization or whose access privileges have been withdrawn. | 18-11-2023 | JYOTI SINGH | 36 | The Stock Broker is managing IT systems on its own. If any access is required to be given to any third party vendor then strict restrictions & monitoring is placed. | IT Department | Compliant
4 Physical Security
4a | Physical access to the critical systems should be restricted to minimum and only to authorized officials. Physical access of outsourced staff/visitors should be properly supervised by ensuring at the minimum that outsourced staff/visitors are always accompanied by authorized employees. | 18-11-2023 | JYOTI SINGH | 37 | Yes | IT Department | Compliant
4b | Physical access to the critical systems should be revoked immediately if the same is no longer required. | 18-11-2023 | JYOTI SINGH | 38 | Yes. | IT Department | Compliant
4c | Stockbrokers/ Depository Participants has ensured that the perimeter of the critical equipment’s room, if any, are physically secured and monitored by employing physical, human, and procedural controls such as the use of security guards, CCTVs, card access systems, mantraps, bollards, etc. where appropriate | 18-11-2023 | JYOTI SINGH | 39 | The server room has biometric access control and CCTV cameras are also placed in strategic places; server room had CCTV monitoring screen. Security maintain their separate register of their accesses. | IT Department | Compliant
5 Network Security Management
5a | Stockbrokers / Depository Participants has established baseline standards to facilitate consistent application of security configurations to operating systems, databases, network devices and enterprise mobile devices within their IT environment. | 18-11-2023 | JYOTI SINGH | 40 | Yes | IT Department | Compliant
5b | The LAN and wireless networks should be secured within the Stockbrokers /Depository Participants’ premises with proper access controls. | 18-11-2023 | JYOTI SINGH | 41 | Yes | IT Department | Compliant
5c | For algorithmic trading facilities, adequate measures should be taken to isolate and secure the perimeter and connectivity to the servers running algorithmic trading applications. | 18-11-2023 | JYOTI SINGH | 42 | Yes | IT Department | Compliant
5d | Stockbrokers / Depository Participants should install network security devices, such as firewalls, proxy servers, intrusion detection and prevention systems (IDS) to protect their IT infrastructure which is exposed to the internet, from security exposures originating from internal and external sources. | 18-11-2023 | JYOTI SINGH | 43 | Firewall (XG210 SPOS 19.5.3) with IDS IPS was installed | IT Department | Compliant
5e | Adequate controls must be deployed to address virus / malware / ransomware attacks. These controls may include host / network / application-based IDS systems, customized kernels for Linux, anti-virus, and anti-malware software etc. | 18-11-2023 | JYOTI SINGH | 44 | Anti-virus software (SQURITE End Point Security Version 18.0) were updated on regular basis. Signatures were updated regularly. Regular scans were performed. | IT Department | Compliant
5f | Stockbrokers / Depository Participants should deploy web and email filters on the network. Stockbrokers / Depository Participants should configure these devices to scan for known bad domains, sources, and addresses, block these before receiving and downloading messages. Stockbrokers / Depository Participants should scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution. | 18-11-2023 | JYOTI SINGH | 45 | Yes | IT Department | Compliant
5g | Stockbrokers / Depository Participants should block the malicious domains/IPs after diligently verifying them without impacting the operations. CSIRT-Fin/CERT-In advisories which are published periodically should be referred for latest malicious domains/IPs, C&C DNS and links. | 18-11-2023 | JYOTI SINGH | 46 | Yes, Done on Firewall | IT Department | Compliant
5h | Stockbrokers / Depository Participants should restrict execution of “powershell” and “wscript” in enterprise environment, if not required. Stockbrokers / Depository Participants should ensure installation and use of the latest version of PowerShell, with enhanced logging enabled, script block logging and transcription enabled. Stockbrokers / Depository Participants should send the associated logs to a centralized log repository for monitoring and analysis. | 18-11-2023 | JYOTI SINGH | 47 | Not Used | IT Department | Compliant
5i | Stockbrokers / Depository Participants should utilize host based firewall to prevent Remote Procedure Call (RPC) and Server Message Block (SMB) communication among endpoints whenever possible. This limits lateral movement as well as other attack activities. | 18-11-2023 | JYOTI SINGH | 48 | Yes | IT Department | Compliant
5j | Stockbrokers / Depository Participants should implement practice of whitelisting of ports based on business usage at Firewall level rather than blacklisting of certain ports. Traffic on all other ports which have not been whitelisted should be blocked by default. | 18-11-2023 | JYOTI SINGH | 49 | Yes | IT Department | Compliant
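Items 5h and 5i prescribe endpoint controls that the report records only as "Not Used" and "Yes". The script below is an added example of how an auditor or the IT department could verify those two items on a Windows endpoint; it is not part of the audit report or the auditee's tooling. It is read-only, assumes the standard Group Policy registry locations for PowerShell logging, and treats inbound TCP 445 (SMB) and TCP 135 (RPC endpoint mapper) as the ports a host firewall should block between endpoints. Run it as Administrator; it prints one finding line for each control that is not in place.

```powershell
# Added example (not from the audit report): read-only check for items 5h and 5i.
# Assumptions: standard Group Policy registry paths for PowerShell logging; inbound
# TCP 445/135 are the endpoint-to-endpoint ports the host firewall should block.
$findings = [System.Collections.Generic.List[string]]::new()

function Test-PolicyValue {
    param([string]$Path, [string]$Name)
    # True only if the policy value exists and is set to 1 (enabled).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq 1)
}

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 5h: script block logging, transcription and module logging must all be on.
if (-not (Test-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging')) {
    $findings.Add('5h: Script block logging is not enabled (Event ID 4104 will not be recorded).')
}
if (-not (Test-PolicyValue "$base\Transcription" 'EnableTranscripting')) {
    $findings.Add('5h: PowerShell transcription is not enabled.')
}
if (-not (Test-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging')) {
    $findings.Add('5h: Module logging is not enabled.')
}

# 5h: the legacy PowerShell 2.0 engine has no script block logging, so its presence
# undermines the controls above; flag it if the optional feature is still enabled.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
if ($v2 -and $v2.State -eq 'Enabled') {
    $findings.Add('5h: Windows PowerShell 2.0 engine is still installed; it does not support script block logging.')
}

# 5i: every firewall profile must be enabled, and an enabled inbound Block rule
# must cover TCP 445 (SMB) and TCP 135 (RPC endpoint mapper).
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings.Add("5i: Firewall profile '$($p.Name)' is disabled.") }
}

function Test-InboundBlock {
    param([int]$Port)
    # True if any enabled inbound Block rule applies to the given TCP port.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -eq 'Any' -or $pf.LocalPort -contains "$Port")) {
            return $true
        }
    }
    return $false
}
foreach ($port in 445, 135) {
    if (-not (Test-InboundBlock $port)) {
        $findings.Add("5i: No enabled inbound firewall rule blocks TCP $port on this endpoint.")
    }
}

if ($findings.Count -eq 0) { 'Compliant: all checked controls are in place.' }
else { $findings | ForEach-Object { "Finding: $_" } }
```

The checks only inspect local policy and firewall state; they do not confirm that the resulting logs reach the centralized repository that item 5h also requires, which has to be verified on the collector side.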
6 Data Security
6a | Critical/sensitive and Personally Identifiable Information (PII) data must be identified, classified and encrypted in motion and at rest by using strong encryption methods. Illustrative measures in this regard are given in Annexure A and B of SEBI circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 | 18-11-2023 | JYOTI SINGH | 50 | Yes process is in place | IT Department | Compliant
6b | Stockbrokers / Depository Participants should implement measures to prevent unauthorized access or copying or transmission of data / information held in contractual or fiduciary capacity. It should be ensured that confidentiality of information is not compromised during the process of exchanging and transferring information with external parties. Illustrative measures to ensure security during transportation of data over the internet are given in Annexure B of SEBI circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 | 18-11-2023 | JYOTI SINGH | 51 | Yes | IT Department | Compliant
6c | The information security policy should also cover use of devices such as mobile phones, faxes, photocopiers, scanners, etc., within their critical IT infrastructure, that can be used for capturing and transmission of sensitive data. For instance, defining access policies for personnel, and network connectivity for such devices etc. | 18-11-2023 | JYOTI SINGH | 52 | Information Security Policy covers controls on mobile phones, faxes, photocopiers, scanners, etc. | IT Department | Compliant
6d | Stockbrokers / Depository Participants should allow only authorized data storage devices within their IT infrastructure through appropriate validation processes. | 18-11-2023 | JYOTI SINGH | 53 | Yes Policy in place | IT Department | Compliant
6e | Stockbrokers / Depository Participants should Enforce BYOD (Bring your own device) security policies, like requiring all devices to use a business-grade VPN service and antivirus protection | | | | | |
6f | Stockbrokers/ Depository Participants shall deploy detection and alerting tools. Members shall create data leakage prevention (DLP) solutions / processes inclusive of detection, alerting, prevention, containment & response to a data breach/ data leak. | 18-11-2023 | JYOTI SINGH | 55 | Yes | IT Department | Compliant
6g | Stockbrokers/ Depository Participants shall enforce effective data protection, backup, and recovery measures. | 18-11-2023 | JYOTI SINGH | 56 | Yes | IT Department | Compliant
7 Hardening of Hardware and Software
7a | Whether Member only deploys hardened hardware / software, including replacing default passwords with strong passwords and disabling or removing services identified as unnecessary for the functioning of the system. | 18-11-2023 | JYOTI SINGH | 57 | Yes, Hardening Policy in place | IT Department | Compliant
7b | Whether Open ports on networks and systems which are not in use or that can be potentially used for exploitation of data should be blocked and measures taken to secure them. | 18-11-2023 | JYOTI SINGH | 58 | Yes, Only approved ports are opened on Firewall | IT Department | Compliant
8 Application Security in Customer Facing Applications
8a | Whether over the Internet application like IBTs (Internet Based Trading applications) portal and back-office application, containing sensitive or private information are secured by using security measures. (Illustrative list of measures for ensuring security in such applications is provided in Annexure C of SEBI circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018) | 18-11-2023 | JYOTI SINGH | 59 | Internet facing applications had security as per required guideline. | Compliance and IT | Compliant
9 Certification of off-the-shelf products
9a | Stockbrokers / Depository Participants should ensure that off the shelf products being used for core business functionality (such as Back-office applications) should 1. bear Indian Common criteria certification of Evaluation Assurance Level 4. The Common criteria certification in India is being provided by (STQC) Standardisation Testing and Quality Certification (Ministry of Electronics and Information Technology). or 2. Certified independently on criteria similar to Indian Common Criteria Certificate of Evaluation Assurance Level. Custom developed / in-house software and components need not obtain the certification, but must undergo intensive regression testing, configuration testing etc. The scope of tests should include business logic and security controls. | 18-11-2023 | JYOTI SINGH | 60 | "STQC Certificate for Off-the-shelf products were requested by auditee to its vendors. However STQC certificates were not available. Trading Applications: 1) ODIN. Back Office Software: 1) Comtek. Custom developed / in-house software and components have undergone intensive regression testing, configuration testing etc." | Compliance and IT | Compliant
10 Patch management
10a | Stockbrokers / Depository Participants should include All operating systems and applications for updating latest patches on a regular basis. Stockbrokers / Depository Participants should establish and ensure that the patch management procedures including the identification, categorization and prioritization of patches and updates. An implementation timeframe for each category of patches should be established to apply them in a timely manner. As an interim measure for zero-day vulnerabilities and where patches are not available, Stockbrokers / Depository Participants can consider virtual patching for protecting systems and networks. This measure hinders cybercriminals from gaining access to any system through vulnerabilities in end-of-support and end-of-life applications and software. Patches should be sourced only from the authorized sites of the OEM. | 18-11-2023 | JYOTI SINGH | 61 | Patch management process was in place. | IT Department | Compliant
10b | Stockbrokers / Depository Participants should perform rigorous testing of security patches and updates, where possible, before deployment into the production environment to ensure that the application of patches do not impact other systems. | 18-11-2023 | JYOTI SINGH | 62 | Testing of security patches and updates were available. CM for patch deployment into the production environment was available. | IT Department | Compliant
11 Disposal of data, systems, and storage devices
11a | Stockbrokers / Depository Participants should frame suitable policy for disposal of storage media and systems. The critical data / Information on such devices and systems should be removed by using methods such as crypto shredding / degauss / Physical destruction as applicable. | 18-11-2023 | JYOTI SINGH | 63 | Policy is documented for disposal of storage media and systems. The critical unusable data is removed by the system safely. | IT Department | Compliant
11b | Stockbrokers / Depository Participants should formulate a data-disposal and data-retention policy to identify the value and lifetime of various parcels of data. | 18-11-2023 | JYOTI SINGH | 64 | Yes, Data retention was as per different regulator and tax authorities requirements. | IT Department | Compliant
12 Vulnerability Assessment and Penetration Testing (VAPT)
12a Stock Brokers / Depository Participants shall carry out periodic Vulnerability Assessment and Penetration Tests (VAPT) which inter-alia include critical assets and infrastructure components like Servers, Networking systems, Security devices, load balancers, other IT systems pertaining to the activities done as Stock Brokers / Depository Participants etc., in order to detect security vulnerabilities in the IT environment and in-depth evaluation of the security posture of the system.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 65 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: VAPT was performed by CERT-In empaneled organization - SECURIUM SOLUTIONS PRIVATE LIMITED.

12b Stock Brokers / Depository Participants shall conduct VAPT at least once in a financial year. All Stock Brokers / Depository Participants are required to engage only CERT-In empaneled organizations for conducting VAPT. The final report on said VAPT shall be submitted to the Stock Exchanges / Depositories after approval from Technology Committee of respective Stock Brokers / Depository Participants, within 1 month of completion of VAPT activity.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 66 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Yes, VAPT done by CERT-In empaneled vendor on 20-Nov-2023.

12c In addition, Stock Brokers / Depository Participants shall perform vulnerability scanning and conduct penetration testing prior to the commissioning of a new system which is a critical system or part of an existing critical system.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 67 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: No new system which is a critical system or part of an existing critical system was commissioned during the audit period.

12d In case of vulnerabilities discovered in off-the-shelf products (used for core business) or applications provided by exchange empanelled vendors, Stockbrokers / Depository Participants should report them to the vendors and the exchanges in a timely manner.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 68 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: No such vulnerabilities were reported during the test.

12e Any gaps/vulnerabilities detected shall be remedied on immediate basis and compliance of closure of findings identified during VAPT shall be submitted to the Stock Exchanges / Depositories within 3 months post submission of final VAPT report.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 69 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Corrective action was taken for the points reported in the VAPT.

13 Monitoring and Detection
13a Stockbrokers / Depository Participants should establish appropriate security monitoring systems and processes to facilitate continuous monitoring of security events / alerts and timely detection of unauthorised or malicious activities, unauthorised changes, unauthorised access and unauthorised copying or transmission of data / information held in contractual or fiduciary capacity, by internal and external parties. The security logs of systems, applications and network devices exposed to the internet should also be monitored for anomalies to identify unusual patterns and behaviours.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 70 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Firewall monitoring tools used.

13b Further, to ensure high resilience, high availability, and timely detection of attacks on systems and networks exposed to the internet, Stockbrokers / Depository Participants should implement suitable mechanisms to monitor capacity utilization of its critical systems and networks that are exposed to the internet, for example, controls such as firewalls to monitor bandwidth usage.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 71 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Capacity utilization monitoring was done for: Bandwidth; Storage of servers.

13c Stockbrokers / Depository Participants should proactively monitor the cyberspace to identify phishing websites w.r.t. REs/Member domain and report the same to CSIRT-Fin/CERT-In for taking appropriate action.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 72 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Yes.

14 Response and Recovery
14a Alerts generated from monitoring and detection systems should be suitably investigated to determine activities that are to be performed to prevent expansion of such incident of cyber-attack or breach, mitigate its effect, and eradicate the incident.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 73 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Yes.

14b The response and recovery plan of the Stockbrokers / Depository Participants should have plans for the timely restoration of systems affected by incidents of cyber-attacks or breaches, for instance, offering alternate services or systems to Customers. Stockbrokers / Depository Participants should have the same Recovery Time Objective (RTO) and Recovery Point Objective (RPO) as specified by SEBI for Market Infrastructure Institutions vide SEBI circular CIR/MRD/DMS/17/20 dated June 22, 2012 as amended from time to time.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 74 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: BCP policy in place.

14c The response plan should define responsibilities and actions to be performed by its employees and support / outsourced staff in the event of cyber-attacks or breach of Cyber Security mechanism.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 75 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Yes.

14d Any incident of loss or destruction of data or systems should be thoroughly analysed.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 76 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: No such incident of loss or destruction found during the audit period.

14e And lessons learned from such incidents should be incorporated to strengthen the security mechanism and improve recovery planning and processes.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 77 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Yes.

14f Stockbrokers / Depository Participants should also conduct suitable periodic drills to test the adequacy and effectiveness of the response and recovery plan. Whether the stockbroker has conducted Periodic DR drills in accordance with Exchange Circular Exchange Notice 20221216-52 dated December 16, 2022.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 78 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Yes.

15 Sharing of Information
15a All Cyber-attacks, threats, cyber-incidents and breaches experienced by Stock Brokers / Depository Participants shall be reported to Stock Exchanges / Depositories / CERT-IN & SEBI within 6 hours of noticing / detecting such incidents or being brought to notice about such incidents. This information shall be shared with SEBI through the dedicated e-mail id: incident@cert-in.org.in & sbdp-cyberincidents@sebi.gov.in.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 79 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Member has confirmed that there were no cyber attack / incident reported during the audit period.

15b The incident shall also be reported to Indian Computer Emergency Response Team (CERT-In) in accordance with the guidelines / directions issued by CERT-In from time to time. Additionally, the Stock Brokers / Depository Participants, whose systems have been identified as "Protected system" by National Critical Information Infrastructure Protection Centre (NCIIPC) shall also report the incident to NCIIPC.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 80 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: No such case observed during the audit period.

15c The quarterly reports containing information on cyber-attacks, threats, cyber-incidents and breaches experienced by Stock Brokers / Depository Participants and measures taken to mitigate vulnerabilities, threats and attacks including information on bugs / vulnerabilities, threats that may be useful for other Stock Brokers / Depository Participants / Exchanges / Depositories and SEBI, shall be submitted to Stock Exchanges / Depositories within 15 days from the quarter ended June, September, December and March of every year.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 81 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Quarterly reports for Incident Reporting are submitted to Exchange regularly.

16 Training and Education
16a Stockbrokers / Depository Participants should work on building Cyber Security and basic system hygiene awareness of staff (with a focus on staff from non-technical disciplines).
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 82 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Awareness programs are carried out for security awareness. 12-Sept-2023 done.

16b Stockbrokers / Depository Participants should conduct periodic training programs to enhance knowledge of IT / Cyber Security Policy and standards among the employees incorporating up-to-date Cyber Security threat alerts and advisories issued by CERT-In / CSIRT-Fin that may be referred for assistance in conducting exercises for public awareness. Where possible, this should be extended to outsourced staff, vendors etc. The training programs should be reviewed and updated to ensure that the contents of the program remain current and relevant.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 83 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Training is conducted after identifying skill requirement.

16c Stockbrokers / Depository Participants should provide training to the employees to avoid clicking on a link in a spear-phishing email, reusing their personal password on a work account, mixing personal with work email and/or work documents, or allowing someone they should not to use their corporate device, especially in Work from Home environments.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 84 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Yes.

17 Systems managed by vendors
17a Where the systems (IBT, Back office and other Customer facing applications, IT infrastructure, etc.) of Stock Brokers / Depository Participants are managed by vendors and the Stock Brokers / Depository Participants may not be able to implement some of the aforementioned guidelines directly, the Stock Brokers / Depository Participants should instruct the vendors to adhere to the applicable guidelines in the Cyber Security and Cyber Resilience policy and obtain the necessary self-certifications from them to ensure compliance with the policy guidelines.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 85 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Self certification from vendors are asked / taken.

18 SEBI and Exchange Compliances
18a Auditor to list all applicable implementation of Circulars, Notices, Guidelines, and advisories published by CERT-In / CSIRT-Fin Advisories, SEBI and Exchanges.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 86 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Yes.

18b 1- Adherence to all such Circulars, Notices, Guidelines, and advisories published.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 87 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Yes, the member adheres to all such circulars, notices, guidelines and advisories.

18c 2- Reporting adherences based on prescribed periodicity in point 1 above.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 88 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Yes.

19 Advisory for Financial Sector Organizations:
19a Whether compliance of the SEBI circular no. SEBI/HO/MIRSD2/DOR/CIR/P/2020/221 dated November 03, 2020 for Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions has been made.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 89 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Not Used.

20 Cyber Security Advisory - Standard Operating Procedure (SOP)
20a Cyber Security Advisory – Standard Operating Procedure (SOP) for handling cyber security incidents of intermediaries, as per SEBI directives. The aspects which shall form part of the SOP and whether the stock-broker has complied.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 90 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: The member has maintained Standard Operating Procedure (SOP) for handling cyber security incidents.

20b Members shall have a well-documented Cyber Security incident handling process document (Standard Operating Procedure - SOP) in place. Such policy shall be approved by Board of the Member (in case of corporate trading member), Partners (in case of partnership firms) or Proprietor (in case of sole proprietorship firm) as the case may be and shall be reviewed annually by the "Internal Technology Committee" as constituted under SEBI circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 for review of Security and Cyber Resilience policy.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 91 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Member has a well-documented Cyber Security incident handling process document (Standard Operating Procedure - SOP) in place.

20c Members shall examine the Cyber Security incident and classify the Cyber Security incidents into High / Medium / Low as per their Cyber Security incident handling process document. The Cyber Security incident handling process document shall define decision on Action / Response for the Cyber Security incident based on severity.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 92 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Incident report and Cyber Security incident handling process document (Standard Operating Procedure - SOP) were available. However, there is no such incident reported during the audit period.

20d Members shall report the Cyber Security incident to Indian Computer Emergency Response Team (CERT-In).
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 93 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Member has confirmed that there was no cyber incident during the audit period.

20e Members shall provide the reference details of the reported Cyber Security incident with CERT-In to the Exchange and SEBI. Members shall also provide details regarding whether the CERT-In team is in touch with the Member for any assistance on the reported Cyber Security incident. If the Cyber Security incident is not reported to CERT-In, members shall submit the reasons for the same to the Exchange and SEBI. Members shall communicate with CERT-In / Ministry of Home Affairs (MHA) / Cyber Security Cell of Police for further assistance on the reported Cyber Security incident.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 94 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Member has confirmed that there was no cyber incident during the audit period.

20f Members shall submit details whether the Cyber Security incident has been registered as a complaint with law enforcement agencies such as Police or its Cyber Security cell. If yes, details need to be provided to Exchange and SEBI. If no, then the reason for not registering the complaint shall also be provided to Exchange and SEBI.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 95 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Member has confirmed that there was no cyber incident during the audit period.

20g The details of the reported Cyber Security incident and submission to various agencies by the Members shall also be submitted to Division Chiefs (in-charge of divisions at the time of submission) of DOS-MIRSD and CISO of SEBI.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 96 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Member has confirmed that there was no cyber incident during the audit period.

20h The Designated Officer of the Member (appointed in terms of para 6 of the aforementioned SEBI Circular dated December 03, 2018) shall continue to report any unusual activities and events within 6 hours of receipt of such Information as well as submit quarterly report on the cyber-attacks & threats within 15 days after the end of the respective quarter in the manner as specified in Exchange circular.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 97 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Quarterly reports for Incident Reporting have been submitted to the exchange.

21 TECHNICAL GLITCH
21a Member has reported all instances of technical glitches within the prescribed timelines during the audit period in accordance with regulatory guidelines. Member has correctly reported the issues faced and duration of the downtime. Member has implemented all the measures as mentioned in RCAs and has taken necessary steps to prevent the recurrence of such technical glitch.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 98 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Security Policy and Procedure in place for technical glitch. However, the member informed us that there were no instances of technical glitch requiring reporting to the Exchange. The member has complied with the Circular requirements to the extent applicable.

21b Does the organisation have an internal policy to handle technical glitches in accordance with the framework defined in Exchange Notice 20221216-52 dated December 16, 2022?
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 99 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Security Policy and Procedure in place for technical glitch.

21c Does the policy cover the following?
1. Outline the key systems/departments handling the normal function/operation of the Member and assign responsibilities at business owner and technology owner level.
2. Lay down the processes/steps to be adopted in case of technical glitches along with the timelines and communication with concerned stakeholders including clients.
3. Define the Escalation matrix including reporting of such incident to the Exchange.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 100 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Member is providing internet and wireless technology based trading facility and a brief internal policy exists to handle technical glitch.

21d Whether the stock broker has reported all instances of technical glitches, issues faced due to glitches and duration of the downtime during the audit period in accordance with BSE Notice 20221216-52 dated December 16, 2022.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 101 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Yes.

21e Whether the stock broker has implemented the measures such as Change Management and Patch Management and the recommended measures as per RCA and taken steps to prevent its recurrence. The System Auditor should review the implemented measures.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 102 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Yes.

21f Whether the stock broker has maintained adequate Capacity Planning and its review in accordance with Exchange Notice 20221216-52 dated December 16, 2022 for specified members (List of Specified Members is provided in Exchange Notice 20230310-67 dated March 10, 2023) and for QSBs in accordance with 20230601-54 dated June 01, 2023 (List of QSB members is provided in Exchange Notice 20230303-66 dated March 03, 2023).
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 103 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Yes.

21g Whether the 'Specified Members' have set up 'automated environments' in accordance with Exchange Notice 20221216-52 dated December 16, 2022.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 104 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Yes.

21h Whether the stock broker has obtained the required ISO certifications as recommended by Exchange Notice 20221216-52 dated December 16, 2022.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 105 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Yes.

22 Security of Cloud Services:
22a Stockbrokers / Depository Participants should check public accessibility of all cloud instances in use. Make sure that no server/bucket is inadvertently leaking data due to inappropriate configurations.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 106 | Department: IT Department | Status/Nature of Findings: Not Applicable
Description of finding/observation: NA.

22b Stockbrokers / Depository Participants should ensure proper security of cloud access tokens. The tokens should not be exposed publicly in website source code, any configuration files etc.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 107 | Department: IT Department | Status/Nature of Findings: Not Applicable
Description of finding/observation: NA.

22c Stockbrokers / Depository Participants should implement appropriate security measures for testing, staging and backup environments hosted on cloud. Ensure that the production environment is kept properly segregated from these. Disable/remove older or testing environments if their usage is no longer required.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 108 | Department: IT Department | Status/Nature of Findings: Not Applicable
Description of finding/observation: NA.

22d Stockbrokers / Depository Participants should consider employing hybrid data security tools that focus on operating in a shared responsibility model for cloud-based environments.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 109 | Department: IT Department | Status/Nature of Findings: Not Applicable
Description of finding/observation: NA.

23 Concentration Risk on Outsourced Agencies:
23a Stockbrokers / Depository Participants should take into account concentration risk (Single third party vendors are providing services to multiple Stockbrokers / Depository Participants) while outsourcing multiple critical services to the same vendor.
Audit Date: 18-11-2023 | Audited by: JYOTI SINGH | Observation no: 110 | Department: IT Department | Status/Nature of Findings: Compliant
Description of finding/observation: Yes.

I further confirm that all the branches where IML facility is provided, have been audited and consolidated report has been submitted for all segments. Yes
I further confirm that all the branches where Algo facility is provided, have been audited and consolidated report has been submitted for all segments. Yes
Undertaking : I undertake that I have adhered to and complied with the cyber security audit framework / prerequisites / guidelines of SEBI circular no. SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 and SEBI/HO/MIRSD/DOP/CIR/P/2019/109 dated October 15, 2019 on Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants and further notices / clarifications / guidelines issued by SEBI / Exchange. I further confirm that I do not have any conflict of interest in conducting fair, objective and independent audit of the Stock Broker. Further, the directors / partners of my Audit firm are not related to the stock broker including its directors or promoters either directly or indirectly. Yes