6750 Csar Sep2023

Audit period Start Date: 01-04-2023
Audit period End Date: 30-09-2023
Audit Date: 18-11-2023
Audited by: CERT-IN
Audit firm registration no.: U80904HR2019PTC081680
Audit firm name: Cybertryzub Infosec Pvt Ltd
Auditor name: Jyoti Singh
Auditor Registration no.: 20168704
Email id of auditor: jyoti.singh@cybertryzub.com
Contact no. of auditor: 9873784553
Address of audit firm: Plot No 76d Udyog Vihar 4 Sector 18, Gurgaon – 122001 Haryana, India
Designation of auditor: Director
PAN no. of auditor: CLWPS4097Q
Audit Mode: Half yearly
Filing for (CSAR/CAR/FOR): CSAR

CSAR
Audit Clause | Details | Audit Date | Audited by | Observation no | Description of finding/observation | Department | Status/Nature of Findings

The remaining columns of the report form (Deviations, Risk Rating of Findings, Root Cause Analysis, Impact Analysis, Suggested Corrective Action, Deadline for corrective Action, Verified by Auditor, Closing date, Corrective action report to be submitted, Follow up Audit required, Whether member management accepted comments, Trading member comments) are blank for every observation and are not repeated in the rows below.

1 Governance

1a(i) | Whether the Stockbroker has formulated a comprehensive Cyber Security and Cyber Resilience policy document encompassing the framework mentioned in the circular? | 18-11-2023 | JYOTI SINGH | 1 | Yes, the Stock Broker has framed Cyber Security & Cyber Resilience Policy as per the requirements of the Circular and policy is approved. | Compliance and IT | Compliant
1a(ii) | In case of deviations from the suggested framework, whether reasons for such deviations, technical or otherwise, are provided in the policy document? | 18-11-2023 | JYOTI SINGH | 2 | There were no deviations in the policy from the suggested framework. | Compliance and IT | Compliant
1a(iii) | Is the policy document approved by the Board / Partners / Proprietor of the organization? | 18-11-2023 | JYOTI SINGH | 3 | Yes, the Stock Broker has framed Cyber Security & Cyber Resilience Policy as per the requirements of the Circular and policy is approved. | Compliance and IT | Compliant
1a(iv) | Whether the policy document is reviewed by the aforementioned group at least annually with the view to strengthen and improve its Cyber | 18-11-2023 | JYOTI SINGH | 4 | The policy document is reviewed once in a | Compliance and IT | Compliant
Date is Jul 30, 2023
1a( | Policy Version | 18-11-2023 | JYOTI SINGH | 6 | Policy | Compliance and IT | Compliant
Directors
1b(i) | Whether the Cyber Security Policy includes the following process to identify, assess, and manage Cyber Security risk associated with | 18-11-2023 | JYOTI SINGH | 8 | The Cyber Security Policy includes the | Compliance and IT | Compliant
identify, assess, and manage Cyber Security risk associated with processes, information, networks, and systems:
1b(ii) | a. ‘Identify’ critical IT assets and risks associated with such assets. | 18-11-2023 | JYOTI SINGH | 9 | a. Identify. | Compliance and IT | Compliant
1b(iii) | b. ‘Protect’ assets by deploying suitable controls, tools, and measures. | 18-11-2023 | JYOTI SINGH | 10 | b. Protect. | Compliance and IT | Compliant
1b(iv) | c. ‘Detect’ incidents, anomalies, and attacks through appropriate monitoring tools/processes. | 18-11-2023 | JYOTI SINGH | 11 | c. Detect. | Compliance and IT | Compliant
1b(v) | d. ‘Respond’ by taking immediate steps after identification of the incident, anomaly, or attack. | 18-11-2023 | JYOTI SINGH | 12 | d. Respond. | Compliance and IT | Compliant
1b(vi) | e. ‘Recover’ from incident through incident management and other appropriate recovery mechanisms. | 18-11-2023 | JYOTI SINGH | 13 | e. Recover. | Compliance and IT | Compliant
1c | Whether policy / Procedure document refers to best practices from international standards like ISO 27001, COBIT 5, etc., or their subsequent revisions, if any, from time to time. | 18-11-2023 | JYOTI SINGH | 14 | Policy document is referring to best practices from international standards like ISO 27001 | Compliance and IT | Compliant
1d | Whether policy document have considered the principles prescribed by National Critical Information Infrastructure Protection Centre (NCIIPC) of National Technical Research Organization (NTRO), Government of India (titled ‘Guidelines for Protection of National Critical Information Infrastructure’) and subsequent revisions, if any, from time to time. | 18-11-2023 | JYOTI SINGH | 15 | Yes | Compliance and IT | Compliant
1e | Stockbrokers / Depository Participants should designate a senior official or management personnel (henceforth, | 18-11-2023 | JYOTI SINGH | 16 | Designated Officer was appointed. | Compliance and IT | Compliant
was formed.
1f(ii) | This Technology Committee has reviewed on a half yearly basis the implementation of the Cyber Security and Cyber Resilience policy, which includes: | 18-11-2023 | JYOTI SINGH | 18 | Internal Technology Committee meeting was conducted as on Sep | Compliance and IT | Compliant
1f(iii) | - review of their current IT and Cyber Security and Cyber Resilience capabilities, | 18-11-2023 | JYOTI SINGH | 19 | Yes. | Compliance and IT | Compliant
1f(iv) | - if committee has set goals for a target level of Cyber Resilience and establish plans to improve and strengthen Cyber Security and Cyber Resilience. | 18-11-2023 | JYOTI SINGH | 20 | Yes. | Compliance and IT | Compliant
1f(v) | - And the review report is placed before the Board / Partners / Proprietor of the Stockbrokers / Depository Participants for appropriate action. | 18-11-2023 | JYOTI SINGH | 21 | Yes. | Compliance and IT | Compliant
1g | Whether the Designated officer and the technology committee periodically reviewed instances of cyber-attacks, if any, domestically and globally, and taken steps to strengthen Cyber Security and cyber resilience framework. | 18-11-2023 | JYOTI SINGH | 22 | Designated officer and the technology committee had periodically reviewed instances of cyber-attacks, if any, domestically and globally, and taken steps to strengthen Cyber Security and cyber resilience framework. | Compliance and IT | Compliant
1h | Whether Brokers / Depository Participants has policy or reporting procedure to facilitate communication of unusual activities and events to the Designated Officer in a timely manner. | 18-11-2023 | JYOTI SINGH | 23 | Reporting procedure to facilitate communication of unusual activities and events to the Designated Officer in a timely manner are established. | Compliance and IT | Compliant
the system/network for ensuring goal of Cyber Security.
3b | Access control. Any and all access to Stockbrokers / Depository Participants systems, applications, networks, databases etc., have defined purpose and for a defined period. Stockbrokers / Depository Participants should grant access to IT systems, applications, databases, and networks on a need-to-use basis and based on the principle of least privilege to provide security for both on- and off-premises resources (i.e. zero-trust models). This security model requires strict identity verification for each and every resource and device attempting to get access to any information on a private network, regardless of where they are situated, within or outside of a network perimeter. Such access should be for the period when the access is required and should be authorized using multi factor authentication (MFA). Maker and Checker framework should be implemented in strict manner and Enable multi factor authentication (MFA) for all users that connect using online/internet facility and also particularly for virtual private networks, webmail and user accounts that access critical systems and applications. | 18-11-2023 | JYOTI SINGH | 29 | IT Risk Assessment was done. | Compliance and IT | Compliant
3c | Have Stockbrokers / Depository Participants implemented an access policy which addresses strong password controls for users’ access to systems, applications, networks, and databases. The policy should include a clause of: 1. Periodic review of accounts of ex-employees. | 18-11-2023 | JYOTI SINGH | 30 | Stock broker has implemented Firewall. | IT Department | Compliant
SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018
3d | All critical systems of the Stockbroker | 18-11-2023 | JYOTI SINGH | 31 | Yes, Access | IT Department | Compliant
systems, mantraps, bollards, etc. where appropriate in strategic places;
also placed server room had CCTV monitoring screen. Security maintain their separate register of their accesses.
5 Network Security Management

5a | Stockbrokers / Depository Participants has established baseline standards to facilitate consistent application of security configurations to operating systems, databases, network devices and enterprise mobile devices within their IT environment. | 18-11-2023 | JYOTI SINGH | 40 | Yes | IT Department | Compliant
5b | The LAN and wireless networks should be secured within the Stockbrokers /Depository Participants’ premises with proper access controls. | 18-11-2023 | JYOTI SINGH | 41 | Yes | IT Department | Compliant
5c | For algorithmic trading facilities, adequate measures should be taken to isolate and secure the perimeter and connectivity to the servers running algorithmic trading applications. | 18-11-2023 | JYOTI SINGH | 42 | Yes | IT Department | Compliant
5d | Stockbrokers / Depository Participants should install network security devices, such as firewalls, proxy servers, intrusion detection and prevention systems (IDS) to protect their IT infrastructure which is exposed to the internet, from security exposures originating from internal and external sources. | 18-11-2023 | JYOTI SINGH | 43 | Firewall (XG210 SPOS 19.5.3) with IDS IPS was installed | IT Department | Compliant
5e | Adequate controls must be deployed to address virus / malware / ransomware attacks. These controls may include host / network / application-based IDS systems, customized kernels for Linux, anti-virus, and anti-malware software etc. | 18-11-2023 | JYOTI SINGH | 44 | Anti-virus software (SQURITE End Point Security Version 18.0) were updated on regular basis. Signatures were updated regularly. Regular scans were performed. | IT Department | Compliant
5f | Stockbrokers / Depository Participants should deploy web and email filters on the network. Stockbrokers / Depository Participants should | 18-11-2023 | JYOTI SINGH | 45 | Yes | IT Department | Compliant
analysis.
5i | Stockbrokers / Depository Participants should utilize host based firewall to prevent Remote Procedure Call (RPC) | 18-11-2023 | JYOTI SINGH | 48 | Yes | IT Department | Compliant
6 Data Security

6a | Critical/sensitive and Personally Identifiable Information (PII) data must be identified, classified and encrypted in motion and at rest by using strong encryption methods. Illustrative measures in this regard are given in Annexure A and B of SEBI circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 | 18-11-2023 | JYOTI SINGH | 50 | Yes process is in place | IT Department | Compliant
6b | Stockbrokers / Depository Participants should implement measures to prevent unauthorized access or copying or transmission of data / information held in contractual or fiduciary capacity. It should be ensured that confidentiality of information is not compromised during the process of exchanging and transferring information with external parties. Illustrative measures to ensure security during transportation of data over the internet are given in Annexure B of SEBI circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 | 18-11-2023 | JYOTI SINGH | 51 | Yes | IT Department | Compliant
6c | The information security policy should also cover use of devices such as mobile phones, faxes, photocopiers, scanners, etc., within their critical IT infrastructure, that can be used for capturing and transmission of sensitive data. For instance, defining access policies for personnel, and network connectivity for such devices etc. | 18-11-2023 | JYOTI SINGH | 52 | Information Security Policy covers controls on mobile phones, faxes, photocopiers, scanners, etc. | IT Department | Compliant
6d | Stockbrokers / Depository Participants should allow only authorized data storage devices within their IT | 18-11-2023 | JYOTI SINGH | 53 | Yes Policy in place | IT Department | Compliant
system.
7b | Whether Open ports on networks and systems which are not in use or that can be potentially used for | 18-11-2023 | JYOTI SINGH | 58 | Yes, Only approved ports are | IT Department | Compliant
8 Application Security in Customer Facing Applications

8a | Whether over the Internet application like IBTs (Internet Based Trading applications) portal and back-office application, containing sensitive or private information are secured by using security measures. (Illustrative list of measures for ensuring security in such applications is provided in Annexure C of SEBI circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 | 18-11-2023 | JYOTI SINGH | 59 | Internet facing applications had security as per required guideline. | Compliance and IT | Compliant

9 Certification of off-the-shelf products

9a | Stockbrokers / Depository Participants should ensure that off the shelf products being used for core business functionality (such as Back-office applications) should 1. bear Indian Common criteria certification of Evaluation Assurance Level 4. The Common criteria certification in India is being provided by (STQC) Standardisation Testing and Quality Certification (Ministry of Electronics and Information Technology). or 2. Certified independently on criteria similar to Indian Common Criteria Certificate of Evaluation Assurance Level. Custom developed / in-house software and components need not obtain the certification, but must undergo intensive regression testing, configuration testing etc. The scope of tests should include business logic and security controls. | 18-11-2023 | JYOTI SINGH | 60 | STQC Certificate for Off-the-shelf products were requested by auditee to its vendors. However STQC certificates were not available. Trading Applications: 1) ODIN. Back Office Software: 1) Comtek. Custom developed / in-house software and components have undergone intensive regression testing, configuration testing etc. | Compliance and IT | Compliant

10 Patch management

10a | Stockbrokers / Depository Participants should include All operating systems and applications for updating latest patches on a regular basis. | 18-11-2023 | JYOTI SINGH | 61 | Patch management process was in place. | IT Department | Compliant
production environment was available.

11 Disposal of data, systems, and storage devices

11a | Stockbrokers / Depository Participants should frame suitable policy for disposal of storage media and systems. The critical data / Information on such devices and systems should be removed by using methods such as crypto shredding / degauss / Physical destruction as applicable. | 18-11-2023 | JYOTI SINGH | 63 | Policy is documented for disposal of storage media and systems. The critical unusable data is removed by the system safely. | IT Department | Compliant
11b | Stockbrokers / Depository Participants should formulate a data-disposal and data-retention policy to identify the value and lifetime of various parcels of data. | 18-11-2023 | JYOTI SINGH | 64 | Yes, Data retention was as per different regulator and tax authorities requirements. | IT Department | Compliant

12 Vulnerability Assessment and Penetration Testing (VAPT)
12a | Stock Brokers / Depository Participants shall carry out periodic Vulnerability Assessment and Penetration Tests (VAPT) which inter-alia include critical assets and infrastructure components like - Servers, Networking systems, Security devices, load balancers, other IT systems pertaining to the activities done as Stock Brokers / Depository Participants etc., in order to detect security vulnerabilities in the IT environment and in-depth evaluation of the security posture of the system. | 18-11-2023 | JYOTI SINGH | 65 | VAPT was performed by CERT-In empaneled organization SECURIUM SOLUTIONS PRIVATE LIMITED. | IT Department | Compliant
12b | Stock Brokers / Depository Participants shall conduct VAPT at least once in a financial year. All Stock Brokers / Depository Participants are required to engage only CERT-In empaneled organizations for conducting VAPT. The final report on said VAPT shall be submitted to the Stock Exchanges / Depositories after approval from Technology Committee of respective Stock Brokers / Depository Participants, within 1 month of completion of VAPT activity. | 18-11-2023 | JYOTI SINGH | 66 | Yes, VAPT done by Cert-IN empanelled vendor on 20-Nov-2023 | IT Department | Compliant
12c | In addition, Stock Brokers / Depository Participants shall perform vulnerability scanning and conduct penetration testing prior to the commissioning of a new system which is a critical system or part of an existing critical system. | 18-11-2023 | JYOTI SINGH | 67 | No new system which is a critical system or part of an existing critical system was commissioned during the audit period. | IT Department | Compliant
12d | In case of vulnerabilities discovered in off-the-shelf products (used for core business) or applications provided by exchange empanelled vendors, Stockbrokers / Depository Participants | 18-11-2023 | JYOTI SINGH | 68 | No such vulnerabilities were reported during the | IT Department | Compliant
14b | The response and recovery plan of the Stockbrokers / Depository Participants should have plans for the timely restoration of systems affected by incidents of cyber-attacks or breaches, for instance, offering alternate services or systems to Customers. Stockbrokers / Depository Participants should have the same Recovery Time Objective (RTO) and Recovery Point Objective (RPO) as specified by SEBI for Market Infrastructure Institutions vide SEBI circular CIR/MRD/DMS/17/20 dated June 22, 2012 as amended from time to time | 18-11-2023 | JYOTI SINGH | 74 | BCP policy in place | IT Department | Compliant
14c | The response plan should define responsibilities and actions to be performed by its employees and support / outsourced staff in the event of cyber-attacks or breach of Cyber Security mechanism. | 18-11-2023 | JYOTI SINGH | 75 | Yes | IT Department | Compliant
14d | Any incident of loss or destruction of data or systems should be thoroughly analysed | 18-11-2023 | JYOTI SINGH | 76 | No such incident of loss or destruction found during the audit period. | IT Department | Compliant
14e | And lessons learned from such incidents should be incorporated to strengthen the security mechanism and improve recovery planning and processes. | 18-11-2023 | JYOTI SINGH | 77 | Yes | IT Department | Compliant
14f | Stockbrokers / Depository Participants should also conduct suitable periodic drills to test the adequacy and effectiveness of the response and recovery plan. Whether the stockbroker has conducted Periodic | 18-11-2023 | JYOTI SINGH | 78 | Yes | IT Department | Compliant
15a | All Cyber-attacks, threats, cyber-incidents and breaches experienced by Stock Brokers / Depositories | 18-11-2023 | JYOTI SINGH | 79 | Member has confirmed that there | IT Department | Compliant
every year.

16 Training and Education
18 SEBI and Exchange Compliances

18a | Auditor to list all applicable implementation of Circulars, Notices, Guidelines, and advisories published by CERT-In/ CSIRT-Fin Advisories, SEBI and Exchanges. | 18-11-2023 | JYOTI SINGH | 86 | Yes | IT Department | Compliant
18b | 1- Adherence to all such Circulars, Notices, Guidelines, and advisories published | 18-11-2023 | JYOTI SINGH | 87 | Yes, the member adheres to all such circulars, notices, guidelines and advisories. | IT Department | Compliant
18c | 2- Reporting adherences based on prescribed periodicity in point 1 above | 18-11-2023 | JYOTI SINGH | 88 | Yes | IT Department | Compliant

19 Advisory for Financial Sector Organizations:

19a | Whether compliance of the SEBI circular no. SEBI/HO/MIRSD2/DOR/CIR/P/2020/221 dated November 03, 2020 for Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions has been made. | 18-11-2023 | JYOTI SINGH | 89 | Not Used | IT Department | Compliant

20 Cyber Security Advisory - Standard Operating Procedure (SOP)

20a | Cyber Security Advisory – Standard Operating Procedure (SOP) for handling cyber security incidents of intermediaries-as per SEBI directives. The aspects which shall form part of the SOP and whether stock-broker has complied. | 18-11-2023 | JYOTI SINGH | 90 | The member has maintained Standard Operating Procedure (SOP) for handling cyber security incidents. | IT Department | Compliant
20b | Members shall have a well- | 18-11-2023 | JYOTI SINGH | 91 | Member has | IT Department | Compliant
20c | Members shall examine the Cyber Security incident and classify the Cyber Security incidents into High/ | 18-11-2023 | JYOTI SINGH | 92 | Incident report and Cyber | IT Department | Compliant
Procedure - SOP) were available. However, there is no such incident reported during the audit period.
20d | Members shall report the Cyber | 18-11-2023 | JYOTI SINGH | 93 | Member has | IT Department | Compliant
period.
20e | Members shall provide the reference details of the reported Cyber Security incident with CERT-In to the Exchange and SEBI. Members shall also provide details, regarding whether CERT-In team is in touch with the Member for any assistance on the reported Cyber Security incident. If the Cyber Security incident is not reported to CERT-In, members shall submit the reasons for the same to the Exchange and SEBI. Members shall communicate with CERT-In/ Ministry of Home Affairs (MHA)/ Cyber Security Cell of Police for further assistance on the reported Cyber Security incident. | 18-11-2023 | JYOTI SINGH | 94 | Member has confirmed that no cyber incident during audit period. | IT Department | Compliant
20f | Members shall submit details whether Cyber Security incident has been registered as a complaint with law enforcement agencies such as Police or its Cyber Security cell. If yes, details need to be provided to Exchange and SEBI. If no, then the reason for not registering complaint shall also be provided to Exchange and SEBI. | 18-11-2023 | JYOTI SINGH | 95 | Member has confirmed that no cyber incident during audit period. | IT Department | Compliant
20g | The details of the reported Cyber Security incident and submission to various agencies by the Members shall also be submitted to Division Chiefs (in-charge of divisions at the time of submission) of DOS-MIRSD and CISO of SEBI | 18-11-2023 | JYOTI SINGH | 96 | Member has confirmed that no cyber incident during audit period. | IT Department | Compliant
20h | The Designated Officer of the Member (appointed in terms of para 6 of the aforementioned SEBI Circular dated December 03, 2018) shall continue to report any unusual activities and events within 6 hours of receipt of such Information as well as submit quarterly report on the cyber-attacks & | 18-11-2023 | JYOTI SINGH | 97 | Quarterly reports for Incident Reporting has been submitted to the exchange. | IT Department | Compliant
glitch requiring reporting to the Exchange. The member has complied with the Circular requirements to the extent applicable.
21b | Does the organisation have internal policy to handle technical glitches in accordance with the framework defined in Exchange Notice 20221216- | 18-11-2023 | JYOTI SINGH | 99 | Security Policy and Procedure in place for | IT Department | Compliant
level. 2. Lay down the processes/steps to be adopted in case of technical glitches
trading facility and brief internal
21g | Whether the 'Specified Members' have setup ‘automated environments’ in accordance with Exchange Notice 20221216-52 dated December 16, 2022. | 18-11-2023 | JYOTI SINGH | 104 | Yes | IT Department | Compliant
21h | Whether the stock broker has obtained the required ISO certifications as recommended by Exchange Notice 20221216-52 dated December 16, 2022 | 18-11-2023 | JYOTI SINGH | 105 | Yes | IT Department | Compliant

22 Security of Cloud Services:

22a | Stockbrokers / Depository Participants should check public accessibility of all cloud instances in use. Make sure that no server/bucket is inadvertently leaking data due to inappropriate configurations. | 18-11-2023 | JYOTI SINGH | 106 | NA | IT Department | Not Applicable
22b | Stockbrokers / Depository Participants should ensure proper security of cloud access tokens. The tokens should not be exposed publicly in website source code, any configuration files etc. | 18-11-2023 | JYOTI SINGH | 107 | NA | IT Department | Not Applicable
22c | Stockbrokers / Depository Participants should implement appropriate security measures for testing, staging and backup environments hosted on cloud. Ensure that production environment is kept properly segregated from these. Disable/remove older or testing environments if their usage is no longer required. | 18-11-2023 | JYOTI SINGH | 108 | NA | IT Department | Not Applicable
22d | Stockbrokers / Depository Participants should consider employing hybrid data security tools that focus on operating in a shared responsibility model for cloud-based environments. | 18-11-2023 | JYOTI SINGH | 109 | NA | IT Department | Not Applicable

23 Concentration Risk on Outsourced Agencies:
vendor.

I further confirm that all the branches where IML facility is provided, have been audited and consolidated report has been submitted for all segments. | Yes
I further confirm that all the branches where Algo facility is provided, have been audited and consolidated report has been submitted for all segments. | Yes
Undertaking: I undertake that I have adhered to and complied with the cyber security audit framework / prerequisites / guidelines of SEBI circular no. SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 and SEBI/HO/MIRSD/DOP/CIR/P/2019/109 dated October 15, 2019 on Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants and further notices / clarifications / guidelines issued by SEBI / Exchange. I further confirm that I do not have any conflict of interest in conducting fair, objective and independent audit of the Stock Broker. Further, the directors / partners of my Audit firm are not related to the stock broker including its directors or promoters either directly or indirectly. | Yes