
Executive Summary Report

Cyber Security Audit Report for the period APRIL 01, 2023 TO SEPTEMBER 30, 2023

I/We, M/s. auditor Jyoti Singh, on behalf of the audit firm Cybertryzub Infosec Pvt Ltd, having CISA qualification bearing Auditor membership no. 20168704, have conducted the
Cyber Security audit of the trading system facility/ies for trading member FORTUNE CAPITAL SERVICES having TM code 13000 of National Stock Exchange of India Limited
in accordance with the provisions and scope laid down by the Exchange. The detailed audit report has been submitted to the trading member. The summary of findings is
grouped under the broad categories below and classified as 'High Risk', 'Medium Risk' or 'Low Risk'.

Declaration

1. I/We do not have any cases pending against our previously audited companies/firms, which fall under SEBI's jurisdiction, which point to our incompetence and/or
unsuitability to perform the audit task.
2. Resources employed from CERT-In empanelled organisation for the purpose of system audit have relevant industry recognized certifications.
3. With regard to the areas mentioned in the Terms of Reference (ToR), compliance / non-compliance status has been specified. Observations on minor / major
deviations as well as qualitative comments for scope for improvement also have been specified in the report.
4. I/We confirm that we have not conducted more than 3 successive audits of the aforementioned stock broker/ trading member.
5. All the branches/locations where trading software facility is provided have been audited and one consolidated report has been submitted for all trading software for
all market segments.
6. I/We have minimum 3 years of experience in IT audit of securities market participants e.g. stock exchanges, clearing corporations, depositories, stock brokers,
depository participants etc. The audit experience covers all the major areas mentioned under Terms of Reference (ToR) of the system audit specified by SEBI /
stock exchange.
7. I/We do not have any conflict of interest in conducting fair, objective and independent audit of the Stock Broker. Further, the directors / partners of Auditor firm shall
not be related to any stock broker including its directors or promoters either directly or indirectly.
8. I/We have experience of IT audit/governance frameworks and processes conforming to industry leading practices like COBIT.

Signer: JYOTI SINGH


Date: Thursday, November 30, 2023 7:03 PM
AUDITOR REPORT

Columns of the report table: Audit TOR Clause | Audit Details | Audit Date | Audited By | Observation No | Description of finding/observation | Department | Status/Nature of Finding | Risk Rating | Root Cause Analysis | Impact Analysis | Suggested Corrective Action | Deadline for corrective Action | Follow up required | Verified by | Closing date | ATR to be Submitted

Each row below is reproduced as the clause text followed by the remaining columns as labelled fields.
1 Governance
1(a)(i) Whether the Stockbroker has formulated a comprehensive Cyber Security and Cyber Resilience policy document encompassing the framework mentioned in the circular?
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 1 | Department: Compliance and IT
    Finding: The Stockbroker has formulated a comprehensive Cyber Security and Cyber Resilience policy document encompassing the framework mentioned in the circular.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(a)(ii) In case of deviations from the suggested framework, whether reasons for such deviations, technical or otherwise, are provided in the policy document?
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 2 | Department: Compliance and IT
    Finding: There were no deviations from the framework.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(a)(iii) Is the policy document approved by the Board / Partners / Proprietor of the organization?
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 3 | Department: Compliance and IT
    Finding: The policy document is approved by the Board.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(a)(iv) Whether the policy document is reviewed by the aforementioned group at least annually with the view to strengthen and improve its Cyber Security and Cyber Resilience framework.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 4 | Department: Compliance and IT
    Finding: The policy document is reviewed once in a year.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(a)(v) Policy Approval Date
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 5 | Department: Compliance and IT
    Finding: Policy Approval Date is 15 April 2023.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(a)(vi) Policy Version
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 6 | Department: Compliance and IT
    Finding: Policy Version is 1.0.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(a)(vii) Policy Approval By
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 7 | Department: Compliance and IT
    Finding: Policy Approval By: Board of Directors.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(b)(i) Whether the Cyber Security Policy includes the following process to identify, assess, and manage Cyber Security risk associated with processes, information, networks, and systems:
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 8 | Department: Compliance and IT
    Finding: The Cyber Security Policy includes the following process to identify, assess, and manage Cyber Security risk associated with processes, information, networks, and systems:
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(b)(ii) a. 'Identify' critical IT assets and risks associated with such assets.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 9 | Department: Compliance and IT
    Finding: a. Identify.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(b)(iii) b. 'Protect' assets by deploying suitable controls, tools, and measures.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 10 | Department: Compliance and IT
    Finding: b. Protect.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(b)(iv) c. 'Detect' incidents, anomalies, and attacks through appropriate monitoring tools/processes.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 11 | Department: Compliance and IT
    Finding: c. Detect.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(b)(v) d. 'Respond' by taking immediate steps after identification of the incident, anomaly, or attack.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 12 | Department: Compliance and IT
    Finding: d. Respond.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No


1(b)(vi) e. 'Recover' from incident through incident management and other appropriate recovery mechanisms.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 13 | Department: Compliance and IT
    Finding: e. Recover.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(c) Whether policy / Procedure document refers to best practices from international standards like ISO 27001, COBIT 5, etc., or their subsequent revisions, if any, from time to time.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 14 | Department: Compliance and IT
    Finding: Policy document is referring to best practices from international standards like ISO 27001, COBIT 5.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(d) Whether the policy document has considered the principles prescribed by National Critical Information Infrastructure Protection Centre (NCIIPC) of National Technical Research Organization (NTRO), Government of India (titled 'Guidelines for Protection of National Critical Information Infrastructure') and subsequent revisions, if any, from time to time.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 15 | Department: Compliance and IT
    Finding: Principles prescribed by National Critical Information Infrastructure Protection Centre (NCIIPC) of National Technical Research Organization (NTRO), Government of India (titled 'Guidelines for Protection of National Critical Information Infrastructure') are considered in the Cyber Security Policy.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No


1(e) Stockbrokers/ Depository Participants should designate a senior official or management personnel (henceforth, referred to as the "Designated Officer") whose function would be to assess, identify, and reduce security and Cyber Security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the Cyber Security Policy.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 16 | Department: Compliance and IT
    Finding: Designated Officer was appointed.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(f)(i) Whether the Member has constituted a Technology Committee comprising experts.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 17 | Department: Compliance and IT
    Finding: Internal Technology Committee was formed.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(f)(ii) This Technology Committee has reviewed on a half yearly basis the implementation of the Cyber Security and Cyber Resilience policy, which includes:
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 18 | Department: Compliance and IT
    Finding: Internal Technology Committee was formed.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(f)(iii) - review of their current IT and Cyber Security and Cyber Resilience capabilities,
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 19 | Department: Compliance and IT
    Finding: Yes.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(f)(iv) - if the committee has set goals for a target level of Cyber Resilience and established plans to improve and strengthen Cyber Security and Cyber Resilience.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 20 | Department: Compliance and IT
    Finding: Yes.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(f)(v) - and the review report is placed before the Board / Partners / Proprietor of the Stockbrokers/ Depository Participants for appropriate action.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 21 | Department: Compliance and IT
    Finding: Yes.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(g) Whether the Designated officer and the technology committee periodically reviewed instances of cyber-attacks, if any, domestically and globally, and taken steps to strengthen the Cyber Security and cyber resilience framework.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 22 | Department: Compliance and IT
    Finding: Designated officer and the technology committee had periodically reviewed instances of cyber-attacks, if any, domestically and globally, and taken steps to strengthen the Cyber Security and cyber resilience framework.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No


1(h) Whether Brokers / Depository Participants have a policy or reporting procedure to facilitate communication of unusual activities and events to the Designated Officer in a timely manner.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 23 | Department: Compliance and IT
    Finding: Reporting procedure to facilitate communication of unusual activities and events to the Designated Officer in a timely manner is established.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

1(i) Has the Stockbroker/ Depository Participant defined and documented roles and responsibilities of its employees, outsourced staff, and employees of vendors, members or participants and other entities, who may have privileged access or use systems / networks of the Stockbroker/ Depository Participants towards ensuring the goal of Cyber Security?
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 24 | Department: Compliance and IT
    Finding: Roles and responsibilities were defined for employees, outsourced staff, employees of vendors, participants and other entities with privileged access to the system/network, for ensuring the goal of Cyber Security.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No


1(j) Stockbrokers/ Depository Participants should prepare a detailed incident response plan and define roles and responsibilities of the Chief Information Security Officer (CISO) and other senior personnel. Reporting and compliance requirements shall be clearly specified in the security policy. In addition, share the details of the CISO with CERT-In through Email (info AT cert-in.org.in).
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 25 | Department: Compliance and IT
    Finding: Yes.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

2 Identification

2(a) Has the Stock Broker / Depository Participant identified and classified critical assets based on their sensitivity and criticality for business operations, services and data management. The critical assets shall include business critical systems, internet facing applications/systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, Personally Identifiable Information (PII) data, etc. All the ancillary systems used for accessing/communicating with critical systems either for operations or maintenance shall also be classified as critical systems. The Board/Partners/Proprietor of the Stock Brokers / Depository Participants shall approve the list of critical systems. To this end, Stock Brokers / Depository Participants should maintain an up-to-date inventory of its hardware and systems and the personnel to whom these have been issued, software and information assets (internal and external), details of its network resources, connections to its network and data flows.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 26 | Department: Compliance and IT
    Finding: IT Asset Register was available. Critical Assets were marked.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

2(b) Has the Stockbroker/ Depository Participant identified / has a process to identify cyber risks (threats and vulnerabilities) that it may face, along with the likelihood of such threats and impact on the business and thereby, deploy controls commensurate to the criticality.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 27 | Department: Compliance and IT
    Finding: IT Risk Assessment was done.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

3 Protection
3(a) Access control. No person by virtue of rank or position should have any intrinsic right to access Confidential data, applications, system resources or facilities.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 28 | Department: Compliance and IT
    Finding: Yes, Access controls are in place. IT Team has control on granting access rights to each user and machine.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

3(b) Access control. Any and all access to Stockbrokers/ Depository Participants systems, applications, networks, databases etc., should have a defined purpose and be for a defined period. Stockbrokers/ Depository Participants should grant access to IT systems, applications, databases, and networks on a need-to-use basis and based on the principle of least privilege to provide security for both on- and off-premises resources (i.e. zero-trust models). This security model requires strict identity verification for each and every resource and device attempting to get access to any information on a private network, regardless of where they are situated, within or outside of a network perimeter. Such access should be for the period when the access is required and should be authorized using multi factor authentication (MFA). A Maker and Checker framework should be implemented in a strict manner, and multi factor authentication (MFA) should be enabled for all users that connect using online/internet facility and also particularly for virtual private networks, webmail and user accounts that access critical systems and applications.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 29 | Department: Compliance and IT
    Finding: Yes.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No


3(c) Have Stockbrokers/ Depository Participants implemented an access policy which addresses strong password controls for users' access to systems, applications, networks, and databases. The policy should include a clause of: 1. Periodic review of accounts of ex-employees. 2. Passwords should not be reused across multiple accounts. 3. List of passwords should not be stored on the system. Illustrative examples for strong password controls are given in Annexure C of SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 30 | Department: Compliance and IT
    Finding: Yes, Access control is defined.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

3(d) All critical systems of the Stockbroker / Depository Participant accessible over the internet should have two-factor security (such as VPNs, Firewall controls etc.).
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 31 | Department: Compliance and IT
    Finding: Yes.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

3(e) Stockbrokers/ Depository Participants should ensure that records of user access to critical systems, wherever possible, are uniquely identified and logged for audit and review purposes. Such logs should be maintained and stored in a secure location for a time period not less than two (2) years. Stockbrokers/ Depository Participants should implement a strong log retention policy as per extant SEBI regulations and as required by CERT-In and the IT Act 2000. Stockbrokers/ Depository Participants are advised to audit all logs that are being collected. Stockbrokers/ Depository Participants should monitor incidents to identify unusual patterns and behaviours.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 32 | Department: Compliance and IT
    Finding: Yes.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No


3(f) Stockbrokers/ Depository Participants should deploy controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users) to the Stockbroker / Depository Participant's critical systems. Such controls and measures should inter alia include restricting the number of privileged users, periodic review of privileged users' activities, disallowing privileged users from accessing system logs in which their activities are being captured, strong controls over remote access by privileged users, and a Maker-Checker framework for modifying users' rights in internal applications, etc.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 33 | Department: Compliance and IT
    Finding: Yes, Control and process is in place.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No


3(g) Employees and outsourced staff such as employees of vendors or service providers, who may be given authorized access to the Stockbrokers/ Depository Participants critical systems, networks, and other computer resources, should be subject to stringent supervision, monitoring, and access restrictions.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 34 | Department: Compliance and IT
    Finding: Yes, process is in place.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

3(h) Stockbrokers/ Depository Participants should formulate an Internet access policy to monitor and regulate the use of internet and internet-based services such as social media sites, cloud-based internet storage sites, etc. within the Stockbroker / Depository Participant's critical IT infrastructure.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 35 | Department: Compliance and IT
    Finding: Yes, Internet access policy is formulated.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No


3(i) User Management must address deactivation of access privileges of users who are leaving the organization or whose access privileges have been withdrawn.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 36 | Department: Compliance and IT
    Finding: Yes.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

4 Physical Security
4(a) Physical access to the critical systems should be restricted to a minimum and only to authorized officials. Physical access of outsourced staff/visitors should be properly supervised by ensuring at the minimum that outsourced staff/visitors are always accompanied by authorized employees.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 37 | Department: Compliance and IT
    Finding: Responsible staff were required to be present when outsourced staff / visitors / housekeeping staff / maintenance staff were present.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

4(b) Physical access to the critical systems should be revoked immediately if the same is no longer required.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 38 | Department: Compliance and IT
    Finding: Yes. Physical access was given for the required period.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No


4(c) Stockbrokers/ Depository Participants have ensured that the perimeter of the critical equipment room, if any, is physically secured and monitored by employing physical, human, and procedural controls such as the use of security guards, CCTVs, card access systems, mantraps, bollards, etc. where appropriate.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 39 | Department: Compliance and IT
    Finding: The server room has biometric access control and CCTV cameras are also placed in strategic places; the server room had a CCTV monitoring screen. Security maintains a separate register of their accesses.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

5 Network Security Management
5(a) Stockbrokers/ Depository Participants have established baseline standards to facilitate consistent application of security configurations to operating systems, databases, network devices and enterprise mobile devices within their IT environment.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 40 | Department: Compliance and IT
    Finding: Hardening was done for a) operating systems, b) Database, c) Network Devices.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No


5(b) The LAN and wireless networks should be secured within the Stockbrokers / Depository Participants' premises with proper access controls.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 41 | Department: Compliance and IT
    Finding: Hardening was done for Network Devices.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

5(c) For algorithmic trading facilities, adequate measures should be taken to isolate and secure the perimeter and connectivity to the servers running algorithmic trading applications.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 42 | Department: Compliance and IT
    Finding: Separate VLANs were created for different purposes.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

5(d) Stockbrokers/ Depository Participants should install network security devices, such as firewalls, proxy servers, intrusion detection and prevention systems (IDS/IPS) to protect their IT infrastructure which is exposed to the internet, from security exposures originating from internal and external sources.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 43 | Department: Compliance and IT
    Finding: Firewall with IDS/IPS was installed.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No


5(e) Adequate controls must be deployed to address virus / malware / ransomware attacks. These controls may include host / network / application-based IDS systems, customized kernels for Linux, anti-virus, and anti-malware software etc.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 44 | Department: Compliance and IT
    Finding: Anti-virus software was updated on a regular basis. Signatures were updated regularly. Regular scans were performed.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

5(f) Stockbrokers/ Depository Participants should deploy web and email filters on the network. Stockbrokers/ Depository Participants should configure these devices to scan for known bad domains, sources, and addresses, and block these before receiving and downloading messages. Stockbrokers/ Depository Participants should scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 45 | Department: Compliance and IT
    Finding: Yes.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No


5(g) Stockbrokers/ Depository Participants should block malicious domains/IPs after diligently verifying them, without impacting the operations. CSIRT-Fin/CERT-In advisories, which are published periodically, should be referred to for the latest malicious domains/IPs, C&C DNS and links.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 46 | Department: Compliance and IT
    Finding: Yes, Done on Firewall.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No


5(h) Stockbrokers/ Depository Participants should restrict execution of "powershell" and "wscript" in the enterprise environment, if not required. Stockbrokers/ Depository Participants should ensure installation and use of the latest version of PowerShell, with enhanced logging enabled, script block logging and transcription enabled. Stockbrokers/ Depository Participants should send the associated logs to a centralized log repository for monitoring and analysis.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 47 | Department: Compliance and IT
    Finding: Not Used.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

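The logging controls that clause 5(h) names (script block logging, module logging and transcription) are registry-backed policy settings that an auditor can read back and an administrator can enforce from an elevated PowerShell session. The script below is an added example written for this page; it is not code from the audit report, the auditor or the audited member. It checks each required value, sets any that are missing, and pulls the resulting 4104 script-block events that should be shipped to the central log repository. The transcript directory `C:\PSTranscripts` and the function names are assumptions for illustration; in production the transcript path should be a write-only network share the endpoint cannot read back.

```powershell
# Added example, not code from the audit report or the audited firm.
# Audits and enforces the PowerShell logging controls named in clause 5(h)
# (script block logging, module logging, transcription) on a Windows endpoint,
# then reads back the 4104 script-block events that should be forwarded to the
# central log repository. Run in an elevated session.

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # ASSUMPTION: replace with your secured, write-only transcript share

# Registry values written by the "Turn on PowerShell Script Block Logging",
# "Turn on Module Logging" and "Turn on PowerShell Transcription" policies.
$Desired = @{
    "$PolicyRoot\ScriptBlockLogging" = @{ EnableScriptBlockLogging = 1 }
    "$PolicyRoot\ModuleLogging"      = @{ EnableModuleLogging = 1 }
    "$PolicyRoot\Transcription"      = @{
        EnableTranscripting    = 1
        EnableInvocationHeader = 1
        OutputDirectory        = $TranscriptDir
    }
}

function Test-PSLoggingPolicy {
    # One result object per required value; Compliant is $false when missing or wrong.
    foreach ($key in $Desired.Keys) {
        foreach ($name in $Desired[$key].Keys) {
            $actual = $null
            if (Test-Path $key) {
                $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Key       = $key
                Value     = $name
                Expected  = $Desired[$key][$name]
                Actual    = $actual
                Compliant = ($actual -eq $Desired[$key][$name])
            }
        }
    }
}

function Set-PSLoggingPolicy {
    # Idempotent: creates missing keys and sets every value to its expected state.
    foreach ($key in $Desired.Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Desired[$key].Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $Desired[$key][$name]
        }
    }
    # Module logging additionally needs ModuleNames\* = * so every module is covered.
    $moduleNames = "$PolicyRoot\ModuleLogging\ModuleNames"
    if (-not (Test-Path $moduleNames)) { New-Item -Path $moduleNames -Force | Out-Null }
    New-ItemProperty -Path $moduleNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null
    if (-not (Test-Path $TranscriptDir)) { New-Item -ItemType Directory -Path $TranscriptDir | Out-Null }
}

function Get-RecentScriptBlocks {
    # Event 4104 in Microsoft-Windows-PowerShell/Operational carries the logged
    # script text in Properties[2]; this is what the collector/SIEM should receive.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

# Usage: report, remediate if anything is off, re-check, then sample the events.
"PowerShell version: $($PSVersionTable.PSVersion)"   # the clause also asks for the latest version
$state = Test-PSLoggingPolicy
$state | Format-Table -AutoSize
if ($state.Compliant -contains $false) {
    Set-PSLoggingPolicy
    Test-PSLoggingPolicy | Format-Table -AutoSize
}
Get-RecentScriptBlocks -Hours 24 | Select-Object -First 5 | Format-List
```

The first table is the evidence an auditor wants for this clause: the three policy keys, the expected and actual values, and a per-value compliant flag. In a domain these values would normally be pushed by Group Policy rather than set per host; the registry locations are the same either way, so the check function still applies. Restricting "wscript" and unneeded PowerShell execution, the other half of the clause, is an application-control decision (AppLocker or equivalent) and is not covered here.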
5(i) Stockbrokers/ Depository Participants should utilize host based firewalls to prevent Remote Procedure Call (RPC) and Server Message Block (SMB) communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 48 | Department: Compliance and IT
    Finding: Yes.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

5(j) Stockbrokers/ Depository Participants should implement the practice of whitelisting ports based on business usage at the Firewall level rather than blacklisting certain ports. Traffic on all other ports which have not been whitelisted should be blocked by default.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 49 | Department: Compliance and IT
    Finding: Yes.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

6 Data security
6(a) Critical/sensitive and Personally Identifiable Information (PII) data must be identified, classified and encrypted in motion and at rest by using strong encryption methods. Illustrative measures in this regard are given in Annexure A and B of SEBI circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 50 | Department: Compliance and IT
    Finding: Yes, process is in place.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No


6(b) Stockbrokers/ Depository Participants should implement measures to prevent unauthorized access or copying or transmission of data / information held in contractual or fiduciary capacity. It should be ensured that confidentiality of information is not compromised during the process of exchanging and transferring information with external parties. Illustrative measures to ensure security during transportation of data over the internet are given in Annexure B of SEBI circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 51 | Department: Compliance and IT
    Finding: Yes.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No


6(c) The information security policy should also cover use of devices such as mobile phones, faxes, photocopiers, scanners, etc., within their critical IT infrastructure, that can be used for capturing and transmission of sensitive data. For instance, defining access policies for personnel, and network connectivity for such devices etc.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 52 | Department: Compliance and IT
    Finding: Information Security Policy covers controls on mobile phones, faxes, photocopiers, scanners, etc.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

6(d) Stockbrokers/ Depository Participants should allow only authorized data storage devices within their IT infrastructure through appropriate validation processes.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 53 | Department: Compliance and IT
    Finding: Yes, Policy in place.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

6(e) Stockbrokers/ Depository Participants should enforce BYOD (Bring Your Own Device) security policies, like requiring all devices to use a business-grade VPN service and antivirus protection.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 54 | Department: Compliance and IT
    Finding: BYOD not allowed.
    Status: Not Applicable | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

6(f) Stockbrokers/ Depository Participants shall deploy detection and alerting tools. Members shall create data leakage prevention (DLP) solutions / processes inclusive of detection, alerting, prevention, containment & response to a data breach / data leak.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 55 | Department: Compliance and IT
    Finding: Yes.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

6(g) Stockbrokers/ Depository Participants shall enforce effective data protection, backup, and recovery measures.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 56 | Department: Compliance and IT
    Finding: Yes.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

7 Hardening of Hardware and Software
7(a) Whether the Member only deploys hardened hardware / software, including replacing default passwords with strong passwords and disabling or removing services identified as unnecessary for the functioning of the system.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 57 | Department: Compliance and IT
    Finding: Yes, Hardening Policy in place.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No


7(b) Whether open ports on networks and systems which are not in use, or that can potentially be used for exploitation of data, are blocked and measures taken to secure them.
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 58 | Department: Compliance and IT
    Finding: Yes, Only approved ports are opened on Firewall.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

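A firewall allow-list answers only half of clause 7(b); the other half is whether the system itself still has unnecessary services listening, which 7(a) asks to be disabled or removed rather than merely screened. The script below is an added example written for this page, not code from the audit report, the auditor or the audited member. It inventories every TCP listener and UDP endpoint on a Windows host, flags the ones not on an approved port list, and maps each back to its process and Windows service so the owner can decide whether to disable it. The approved list (RDP and WinRM only) and the function names are assumptions for illustration.

```powershell
# Added example, not code from the audit report or the audited firm.
# Evidence check for clause 7(b): list every TCP/UDP port the system is listening
# on, flag any not on the approved list, and map each to the owning process and
# Windows service so the unnecessary service can be disabled (clause 7(a))
# rather than only firewalled.

$ApprovedListeningPorts = @(3389, 5985)   # ASSUMPTION: RDP and WinRM only on this host class
$LoopbackAddresses      = @('127.0.0.1', '::1')

function Get-ListenerInventory {
    # Normalises TCP listeners and UDP endpoints into one shape.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Protocol = 'TCP'; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort; OwningProcess = $_.OwningProcess }
    }
    Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Protocol = 'UDP'; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort; OwningProcess = $_.OwningProcess }
    }
}

function Get-UnapprovedListeners {
    param([int[]]$Approved = $ApprovedListeningPorts)
    Get-ListenerInventory |
        Where-Object { $_.LocalPort -notin $Approved } |
        ForEach-Object {
            $procId  = $_.OwningProcess
            $proc    = Get-Process -Id $procId -ErrorAction SilentlyContinue
            # svchost hosts several services in one PID, so this can return more than one.
            $service = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $procId" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol     = $_.Protocol
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                # Reachable from the network, as opposed to bound to loopback only.
                Exposed      = ($_.LocalAddress -notin $LoopbackAddresses)
                ProcessId    = $procId
                Process      = $proc.ProcessName
                Path         = $proc.Path
                Service      = ($service.Name -join ',')   # empty when the listener is not a service
            }
        }
}

# Usage: every row needs a business justification, a scoped firewall rule, or
# (preferably) the service stopped and disabled. Network-exposed rows first.
Get-UnapprovedListeners |
    Sort-Object @{ Expression = 'Exposed'; Descending = $true }, Protocol, LocalPort |
    Format-Table -AutoSize
```

The Service column is what turns a port number into an action: a row whose service is known and not needed is closed with `Stop-Service` and `Set-Service -StartupType Disabled`, while a row with no service and an unexpected executable path is an incident-response question, not a hardening one. Loopback-only listeners are reported but ranked last, since they are unreachable from the network and matter only for local privilege escalation.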
8 Application Security in Customer Facing Applications
8(a) Whether over-the-Internet applications like IBTs (Internet Based Trading applications) portal and back-office application, containing sensitive or private information, are secured by using security measures. (Illustrative list of measures for ensuring security in such applications is provided in Annexure C of SEBI circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018.)
    Audit Date: 18-Nov-2023 | Audited By: JYOTI SINGH | Observation No: 59 | Department: Compliance and IT
    Finding: No IBT.
    Status: Compliant | Risk Rating: Low Risk | Root Cause Analysis: Not Applicable | Impact Analysis: Not Applicable | Suggested Corrective Action: Not Applicable | Deadline for Corrective Action: 18-Nov-2023 | Follow up required: No | Verified by: JYOTI SINGH | Closing date: 18-Nov-2023 | ATR to be Submitted: No

9 Certification of off-the-shelf products
9(a) | Stockbrokers/ Depository Participants should ensure that off the shelf products being used for core business functionality (such as Back-office applications) should 1. bear Indian Common Criteria certification of Evaluation Assurance Level 4. The Common Criteria certification in India is being provided by (STQC) Standardisation Testing and Quality Certification (Ministry of Electronics and Information Technology). or 2. Certified independently on criteria similar to Indian Common Criteria Certificate of Evaluation Assurance Level. Custom developed / in-house software and components need not obtain the certification, but must undergo intensive regression testing, configuration testing etc. The scope of tests should include business logic and security controls. | 18-Nov-2023 | JYOTI SINGH | 60 | Yes, Backoffice Shilpi used offline, not on internet | Compliance and IT | Compliant | Medium Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
10 Patch management
10(a) | Stockbrokers/ Depository Participants should include all operating systems and applications for updating latest patches on a regular basis. Stockbrokers/ Depository Participants should establish and ensure that the patch management procedures including the identification, categorization and prioritization of patches and updates. An implementation timeframe for each category of patches should be established to apply them in a timely manner. As an interim measure for zero-day vulnerabilities and where patches are not available, Stockbrokers/ Depository Participants can consider virtual patching for protecting systems and networks. This measure hinders cybercriminals from gaining access to any system through vulnerabilities in end-of-support and end-of-life applications and software. Patches should be sourced only from the authorized sites of the OEM. | 18-Nov-2023 | JYOTI SINGH | 61 | Patch management process was in place. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
10(b) | Stockbrokers/ Depository Participants should perform rigorous testing of security patches and updates, where possible, before deployment into the production environment to ensure that the application of patches do not impact other systems. | 18-Nov-2023 | JYOTI SINGH | 62 | Yes | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
11 Disposal of data, systems, and storage devices
11(a) | Stockbrokers/ Depository Participants should frame suitable policy for disposal of storage media and systems. The critical data / information on such devices and systems should be removed by using methods such as crypto shredding / degauss / physical destruction as applicable. | 18-Nov-2023 | JYOTI SINGH | 63 | Data Disposal policy and procedures were in place. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
11(b) | Stockbrokers/ Depository Participants should formulate a data-disposal and data-retention policy to identify the value and lifetime of various parcels of data. | 18-Nov-2023 | JYOTI SINGH | 64 | Data retention was as per different regulator and tax authorities requirements. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
12 Vulnerability Assessment and Penetration Testing (VAPT)
12(a) | Stock Brokers / Depository Participants shall carry out periodic Vulnerability Assessment and Penetration Tests (VAPT) which inter-alia include critical assets and infrastructure components like Servers, Networking systems, Security devices, load balancers, other IT systems pertaining to the activities done as Stock Brokers / Depository Participants etc., in order to detect security vulnerabilities in the IT environment and in-depth evaluation of the security posture of the system. | 18-Nov-2023 | JYOTI SINGH | 65 | VAPT was performed on periodic basis for application servers, firewall and switch. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
12(b) | Stock Brokers / Depository Participants shall conduct VAPT at least once in a financial year. All Stock Brokers / Depository Participants are required to engage only CERT-In empaneled organizations for conducting VAPT. The final report on said VAPT shall be submitted to the Stock Exchanges / Depositories after approval from Technology Committee of respective Stock Brokers / Depository Participants, within 1 month of completion of VAPT activity. | 18-Nov-2023 | JYOTI SINGH | 66 | Yes | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
12(c) | In addition, Stock Brokers / Depository Participants shall perform vulnerability scanning and conduct penetration testing prior to the commissioning of a new system which is a critical system or part of an existing critical system. | 18-Nov-2023 | JYOTI SINGH | 67 | No new system which is a critical system or part of an existing critical system was commissioned during audit period. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
12(d) | In case of vulnerabilities discovered in off-the-shelf products (used for core business) or applications provided by exchange empanelled vendors, Stockbrokers/ Depository Participants should report them to the vendors and the exchanges in a timely manner. | 18-Nov-2023 | JYOTI SINGH | 68 | No such incident occurred. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
12(e) | Any gaps/vulnerabilities detected shall be remedied on immediate basis and compliance of closure of findings identified during VAPT shall be submitted to the Stock Exchanges / Depositories within 3 months post the submission of final VAPT report. | 18-Nov-2023 | JYOTI SINGH | 69 | Corrective action was taken for the points reported in VAPT. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
13 Monitoring and Detection
13(a) | Stockbrokers/ Depository Participants should establish appropriate security monitoring systems and processes to facilitate continuous monitoring of security events / alerts and timely detection of unauthorised or malicious activities, unauthorised changes, unauthorised access and unauthorised copying or transmission of data / information held in contractual or fiduciary capacity, by internal and external parties. The security logs of systems, applications and network devices exposed to the internet should also be monitored for anomalies to identify unusual patterns and behaviours. | 18-Nov-2023 | JYOTI SINGH | 70 | Continuous monitoring of security events was performed. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
13(b) | Further, to ensure high resilience, high availability, and timely detection of attacks on systems and networks exposed to the internet, Stockbrokers/ Depository Participants should implement suitable mechanisms to monitor capacity utilization of its critical systems and networks that are exposed to the internet, for example, controls such as firewalls to monitor bandwidth usage. | 18-Nov-2023 | JYOTI SINGH | 71 | Capacity utilization monitoring was done for bandwidth and storage of servers. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
13(c) | Stockbrokers/ Depository Participants should proactively monitor the cyberspace to identify phishing websites w.r.t. REs/Member domain and report the same to CSIRT-Fin/CERT-In for taking appropriate action. | 18-Nov-2023 | JYOTI SINGH | 72 | Yes | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
14 Response and Recovery
14(a) | Alerts generated from monitoring and detection systems should be suitably investigated to determine activities that are to be performed to prevent expansion of such incident of cyber-attack or breach, mitigate its effect, and eradicate the incident. | 18-Nov-2023 | JYOTI SINGH | 73 | Yes | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
14(b) | The response and recovery plan of the Stockbrokers/ Depository Participants should have plans for the timely restoration of systems affected by incidents of cyber-attacks or breaches, for instance, offering alternate services or systems to Customers. Stockbrokers/ Depository Participants should have the same Recovery Time Objective (RTO) and Recovery Point Objective (RPO) as specified by SEBI for Market Infrastructure Institutions vide SEBI circular CIR/MRD/DMS/17/20 dated June 22, 2012 as amended from time to time. | 18-Nov-2023 | JYOTI SINGH | 74 | BCP policy in place | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
14(c) | The response plan should define responsibilities and actions to be performed by its employees and support / outsourced staff in the event of cyber-attacks or breach of Cyber Security mechanism. | 18-Nov-2023 | JYOTI SINGH | 75 | Yes | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
14(d) | Any incident of loss or destruction of data or systems should be thoroughly analysed. | 18-Nov-2023 | JYOTI SINGH | 76 | Yes | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
14(e) | And lessons learned from such incidents should be incorporated to strengthen the security mechanism and improve recovery planning and processes. | 18-Nov-2023 | JYOTI SINGH | 77 | Yes | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
14(f) | Stockbrokers/ Depository Participants should also conduct suitable periodic drills to test the adequacy and effectiveness of the response and recovery plan. Whether the stock broker has conducted periodic DR drills in accordance with Exchange Circular NSE/COMP/54876 dated December 16, 2022. | 18-Nov-2023 | JYOTI SINGH | 78 | Yes | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
15 Sharing of Information
15(a) | All Cyber-attacks, threats, cyber-incidents and breaches experienced by Stock Brokers / Depositories Participants shall be reported to Stock Exchanges / Depositories / CERT-IN & SEBI within 6 hours of noticing / detecting such incidents or being brought to notice about such incidents. This information shall be shared to SEBI through the dedicated e-mail id: incident@cert-in.org.in & sbdp-cyberincidents@sebi.gov.in. | 18-Nov-2023 | JYOTI SINGH | 79 | Member has confirmed that no cyber incident occurred during audit period. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
15(b) | The incident shall also be reported to Indian Computer Emergency Response Team (CERT-In) in accordance with the guidelines / directions issued by CERT-In from time to time. Additionally, the Stock Brokers / Depository Participants, whose systems have been identified as “Protected system” by National Critical Information Infrastructure Protection Centre (NCIIPC) shall also report the incident to NCIIPC. | 18-Nov-2023 | JYOTI SINGH | 80 | Member has confirmed that no cyber incident occurred during audit period. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
15(c) | The quarterly reports containing information on cyber-attacks, threats, cyber-incidents and breaches experienced by Stock Brokers / Depository Participants and measures taken to mitigate vulnerabilities, threats and attacks including information on bugs / vulnerabilities, threats that may be useful for other Stock Brokers / Depository Participants / Exchanges / Depositories and SEBI, shall be submitted to Stock Exchanges / Depositories within 15 days from the quarter ended June, September, December and March of every year. | 18-Nov-2023 | JYOTI SINGH | 81 | Quarterly reports for Incident Reporting are submitted to Exchange regularly. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
16 Training and Education
16(a) | Stockbrokers/ Depository Participants should work on building Cyber Security and basic system hygiene awareness of staff (with a focus on staff from non-technical disciplines). | 18-Nov-2023 | JYOTI SINGH | 82 | Awareness programs are carried out for security awareness (done on 05-Aug-2023). | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
16(b) | Stockbrokers/ Depository Participants should conduct periodic training programs to enhance knowledge of IT / Cyber Security Policy and standards among the employees incorporating up-to-date Cyber Security threat alerts and advisories issued by CERT-In/ CSIRT-Fin that may be referred for assistance in conducting exercises for public awareness. Where possible, this should be extended to outsourced staff, vendors etc. The training programs should be reviewed and updated to ensure that the contents of the program remain current and relevant. | 18-Nov-2023 | JYOTI SINGH | 83 | Training is conducted after identifying skill requirement. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
16(c) | Stockbrokers/ Depository Participants should provide training to the employees to avoid clicking on a link in a spear-phishing email, reusing their personal password on a work account, mixing personal with work email and/or work documents, or allowing someone they should not to use their corporate device, especially in Work from Home environments. | 18-Nov-2023 | JYOTI SINGH | 84 | Security Awareness Emails were sent to staff on periodic basis. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
17 Systems managed by vendors
17(a) | Where the systems (IBT, Back office and other Customer facing applications, IT infrastructure, etc.) of a Stock Brokers / Depository Participants are managed by vendors and the Stock Brokers / Depository Participants may not be able to implement some of the aforementioned guidelines directly, the Stock Brokers / Depository Participants should instruct the vendors to adhere to the applicable guidelines in the Cyber Security and Cyber Resilience policy and obtain the necessary self-certifications from them to ensure compliance with the policy guidelines. | 18-Nov-2023 | JYOTI SINGH | 85 | Not Used | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
18 SEBI and Exchange Compliances
18(a) | Auditor to list all applicable implementation of Circulars, Notices, Guidelines, and advisories published by CERT-In/ CSIRT-Fin Advisories, SEBI and Exchanges. | 18-Nov-2023 | JYOTI SINGH | 86 | Auditee was compliant for points listed above where compliant status is given as compliant. For any control being non-compliant, status is given as non-compliant. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
18(b) | 1- Adherence to all such Circulars, Notices, Guidelines, and advisories published | 18-Nov-2023 | JYOTI SINGH | 87 | Auditee was compliant for points listed above where compliant status is given as compliant. For any control being non-compliant, status is given as non-compliant. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
18(c) | 2- Reporting adherences based on prescribed periodicity in point 1 above | 18-Nov-2023 | JYOTI SINGH | 88 | Auditee was compliant for points listed above where compliant status is given as compliant. For any control being non-compliant, status is given as non-compliant. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
19 Advisory for Financial Sector Organizations:
19(a) | Whether compliance of the SEBI circular no. SEBI/HO/MIRSD2/DOR/CIR/P/2020/221 dated November 03, 2020 for Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions has been made. | 18-Nov-2023 | JYOTI SINGH | 89 | Not Used | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
20 Cyber Security Advisory - Standard Operating Procedure (SOP)
20(a) | Cyber Security Advisory – Standard Operating Procedure (SOP) for handling cyber security incidents of intermediaries, as per SEBI directives. The aspects which shall form part of the SOP and whether stock-broker has complied. | 18-Nov-2023 | JYOTI SINGH | 90 | Standard Operating Procedure (SOP) for handling cyber security incidents existed. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
20(b) | Members shall have a well-documented Cyber Security incident handling process document (Standard Operating Procedure - SOP) in place. Such policy shall be approved by Board of the Member (in case of corporate trading member), Partners (in case of partnership firms) or Proprietor (in case of sole proprietorship firm) as the case may be and shall be reviewed annually by the “Internal Technology Committee” as constituted under SEBI circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 for review of Security and Cyber Resilience policy. | 18-Nov-2023 | JYOTI SINGH | 91 | Member has a well-documented Cyber Security incident handling process document (Standard Operating Procedure - SOP) in place. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
20(c) | Members shall examine the Cyber Security incident and classify the Cyber Security incidents into High/ Medium/ Low as per their Cyber Security incident handling process document. The Cyber Security incident handling process document shall define decision on Action/ Response for the Cyber Security incident based on severity. | 18-Nov-2023 | JYOTI SINGH | 92 | Incident report and Cyber Security incident handling process document (Standard Operating Procedure - SOP) were available. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
20(d) | Members shall report the Cyber Security incident to Indian Computer Emergency Response Team (CERT-In). | 18-Nov-2023 | JYOTI SINGH | 93 | Member has confirmed that no cyber incident occurred during audit period. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
20(e) | Members shall provide the reference details of the reported Cyber Security incident with CERT-In to the Exchange and SEBI. Members shall also provide details regarding whether CERT-In team is in touch with the Member for any assistance on the reported Cyber Security incident. If the Cyber Security incident is not reported to CERT-In, members shall submit the reasons for the same to the Exchange and SEBI. Members shall communicate with CERT-In/ Ministry of Home Affairs (MHA)/ Cyber Security Cell of Police for further assistance on the reported Cyber Security incident. | 18-Nov-2023 | JYOTI SINGH | 94 | Member has confirmed that no cyber incident occurred during audit period. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
20(f) | Members shall submit details whether Cyber Security incident has been registered as a complaint with law enforcement agencies such as Police or its Cyber Security cell. If yes, details need to be provided to Exchange and SEBI. If no, then the reason for not registering complaint shall also be provided to Exchange and SEBI. | 18-Nov-2023 | JYOTI SINGH | 95 | Member has confirmed that no cyber incident occurred during audit period. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
20(g) | The details of the reported Cyber Security incident and submission to various agencies by the Members shall also be submitted to Division Chiefs (in-charge of divisions at the time of submission) of DOS-MIRSD and CISO of SEBI. | 18-Nov-2023 | JYOTI SINGH | 96 | Member has confirmed that no cyber incident occurred during audit period. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
20(h) | The Designated Officer of the Member (appointed in terms of para 6 of the aforementioned SEBI Circular dated December 03, 2018) shall continue to report any unusual activities and events within 6 hours of receipt of such information as well as submit the quarterly report on the cyber-attacks & threats within 15 days after the end of the respective quarter in the manner as specified in Exchange circular. | 18-Nov-2023 | JYOTI SINGH | 97 | Quarterly reports for Incident Reporting are submitted to exchange regularly. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
21 TECHNICAL GLITCH
21(a) | Member has reported all instances of technical glitches within the prescribed timelines during the audit period in accordance with regulatory guidelines. Member has correctly reported the issues faced and duration of the downtime. Member has implemented all the measures as mentioned in RCAs and has taken necessary steps to prevent the recurrence of such technical glitch. | 18-Nov-2023 | JYOTI SINGH | 98 | Security Policy and Procedure in place for technical glitch. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
21(b) | Does the organisation have internal policy to handle technical glitches in accordance with the framework defined in Exchange circular NSE/COMP/54876 dated December 16, 2022? | 18-Nov-2023 | JYOTI SINGH | 99 | Security Policy and Procedure in place for technical glitch. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
21(c) | Does the policy cover the following? 1. Outline the key systems/departments handling the normal function/operation of the Member and assign responsibilities at business owner and technology owner level. 2. Lay down the processes/steps to be adopted in case of technical glitches along with the timelines and communication with concerned stakeholders including clients. 3. Define the Escalation matrix including reporting of such incident to the Exchange. | 18-Nov-2023 | JYOTI SINGH | 100 | Member is not providing internet and wireless technology based trading facility, and a brief internal policy exists to handle technical glitch. | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
21(d) | Whether the stock broker has reported all instances of technical glitches, issues faced due to glitches and duration of the downtime during the audit period in accordance with NSE circular NSE/COMP/54876 dated December 16, 2022. | 18-Nov-2023 | JYOTI SINGH | 101 | Yes | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
21(e) | Whether the stock broker has implemented the measures such as Change Management and Patch Management and the recommended measures as per RCA and taken steps to prevent its recurrence. The System Auditor should review the implemented measures. | 18-Nov-2023 | JYOTI SINGH | 102 | Yes | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
21(f) | Whether the stock broker has maintained adequate Capacity Planning and its review in accordance with Exchange Circular NSE/COMP/54876 dated December 16, 2022 for specified members (list of Specified members is provided in Exchange circular NSE/COMP/57720 dated July 26, 2023) and for QSBs in accordance with NSE/INSP/56927 dated June 01, 2023 (list of QSB members is provided in Exchange Circular NSE/INSP/55875 dated March 03, 2023). | 18-Nov-2023 | JYOTI SINGH | 103 | Yes | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
21(g) | Whether the 'Specified Members' have set up ‘automated environments’ in accordance with Exchange Circular NSE/COMP/54876 dated December 16, 2022. | 18-Nov-2023 | JYOTI SINGH | 104 | Yes | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
21(h) | Whether the stock broker has obtained the required ISO certifications as recommended by Exchange Circular NSE/COMP/54876 dated December 16, 2022. | 18-Nov-2023 | JYOTI SINGH | 105 | Yes | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
22 Security of Cloud Services:
22(a) | Stockbrokers/ Depository Participants should check public accessibility of all cloud instances in use. Make sure that no server/bucket is inadvertently leaking data due to inappropriate configurations. | 18-Nov-2023 | JYOTI SINGH | 106 | NA | Compliance and IT | Not Applicable | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
22(b) | Stockbrokers/ Depository Participants should ensure proper security of cloud access tokens. The tokens should not be exposed publicly in website source code, any configuration files etc. | 18-Nov-2023 | JYOTI SINGH | 107 | NA | Compliance and IT | Not Applicable | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
22(c) | Stockbrokers/ Depository Participants should implement appropriate security measures for testing, staging and backup environments hosted on cloud. Ensure that production environment is kept properly segregated from these. Disable/remove older or testing environments if their usage is no longer required. | 18-Nov-2023 | JYOTI SINGH | 108 | NA | Compliance and IT | Not Applicable | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
22(d) | Stockbrokers/ Depository Participants should consider employing hybrid data security tools that focus on operating in a shared responsibility model for cloud-based environments. | 18-Nov-2023 | JYOTI SINGH | 109 | NA | Compliance and IT | Not Applicable | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
23 Concentration Risk on Outsourced Agencies:
23(a) | Stockbrokers/ Depository Participants should consider employing hybrid data security tools that focus on operating in a shared responsibility model for cloud-based environments. | 18-Nov-2023 | JYOTI SINGH | 110 | Yes | Compliance and IT | Compliant | Low Risk | Not Applicable | Not Applicable | Not Applicable | 18-Nov-2023 | No | JYOTI SINGH | 18-Nov-2023 | No
