
United Stock Exchange Limited Systems Audit Report March, 2013

DRAFT REPORT
This is a draft for discussion only. It represents work in progress and may contain preliminary information which is subject to change. This draft is subject to our Quality Assurance Review

TABLE OF CONTENTS

1. EXECUTIVE SUMMARY ... 2
   1.1. BACKGROUND ... 2
   1.2. SCOPE ... 2
   1.3. Issue Log ... 4
2. DETAILED APPROACH FOR THE ASSESSMENT ... 6
   2.1. APPROACH ... 6
        Phase I: Project kick off and Audit Plan ... 6
        Phase II: Information Gathering, Current State Assessment ... 6
        Phase III: Gap Analysis & Draft Report Generation ... 6
   2.2. DEFINITION OF PRIORITY ... 7
3. LIMITATION ... 9
4. SUMMARY OF FINDINGS ... 10
5. DISCLAIMER ... 13
6. FINDINGS & RECOMMENDATION ... 14
   6.1. GENERAL CONTROL FOR DATA CENTER FACILITIES ... 14
   ANNEXURE 1: VULNERABILITY ASSESSMENT ... 43
        1. HP Data Protector Remote Command Execution (V01) ... 43
7. Glossary

Preliminary & Tentative for discussion purposes only

System Audit United Stock Exchange Ltd.

1. EXECUTIVE SUMMARY

1.1. BACKGROUND

United Stock Exchange Ltd (USE) engaged Deloitte Touche Tohmatsu India Private Limited (DTTIPL or Deloitte) to carry out an assessment of system and process controls at USE in terms of the scope of work mentioned below. The work has been performed in accordance with and subject to the terms and conditions set forth in the engagement letter dated XXXX.

1.2. SCOPE

The scope of work covers policies & procedures, physical security and vulnerability assessment and penetration testing (VAPT), as required of USE by SEBI circulars CIR/MRD/DMS/13/2011 of November 29, 2011 and CIR/MRD/DMS/12/2012 of April 13, 2012, read with circular CIR/MRD/DMS/17/2012 dated June 22, 2012. The domain areas under the scope of work are as follows:

1. General Controls
2. Software change control
3. Data Communication/Network Controls
4. Security Controls - General Office Infrastructure
5. Access policy and controls
6. Electronic Document controls
7. General access controls
8. Performance audit
9. Business Continuity/Disaster Recovery Facilities
10. IT support and IT Asset Management
11. Entity Specific software
12. Electronic waste disposal
13. Review of last year's System Audit Report and action taken

Applications under scope:

Sr. No. | Name | Description
1 | CDX | Trading platform and matching engine
2 | FOW | Front end application for trading
3 | MOPS | Terminal for administrative activities

For application specific controls, the following sampled applications were tested: CDX, MOPS and FOW.

Management representation for no changes or incidents with FOW has not been shared with Deloitte.


1.3. Issue Log

As per the audit report guidelines issued by the regulator, an executive summary has been formulated for each of the domains. Each line item of the issue log carries the following fields:

Line Item | Description | Responsibility
Description of the Observation | Describe the findings in sufficient detail, referencing any accompanying evidence | Auditor
Reference | Reference to the section in the detailed report where full background information on the finding is available | Auditor
Process/ Unit | Process or unit where the audit is conducted | Auditor
Category of Findings | Major/Minor Nonconformity, Observation, Suggestion, etc. | Auditor
Audited By | Which auditor covered the finding | Auditor
Root Cause Analysis | A detailed analysis of the cause of the nonconformity | Auditee
Remediation | The action (to be) taken to correct the nonconformity | Auditee
Target completion Date for Remedial Action | The date by which remedial action must be/ will be completed | Auditor/Auditee
Status | Status of the finding on the reporting date (open/close) | Auditor/Auditee
Verified By | Auditing personnel (upon verification that the finding can be closed) | Auditor
Closing date | Date when the finding is verified and can be closed | Auditor


Major Area: General Controls

Description | Reference | Process/ Unit | Category of Findings | Audited By | Root Cause Analysis | Remediation | Target completion Date for Remedial Action | Status | Verified By | Closing date

Major Area: Software Change Control

Description | Reference | Process/ Unit | Category of Findings | Audited By | Root Cause Analysis | Remediation | Target completion Date for Remedial Action | Status | Verified By | Closing date


2. DETAILED APPROACH FOR THE ASSESSMENT

2.1. APPROACH

A high level explanation of our assessment approach and the phases followed to meet USE's requirement is given below.

Phase I: Project kick off and Audit Plan

The objectives of this phase were to establish a project plan with the following:
- Finalized engagement scope & objectives
- Defined rules of engagement
- Identified & allocated resources for the project
- Arrangement for the necessary technical logistics
- Conduct of the project kick-off meeting
- Identification of key stakeholders for the areas scoped in
- Scheduling of assessment interview sessions with key personnel
- Identification of the information and documentation on key business drivers, operating environments, security policies, standards, etc. that needed to be collected

Phase II: Information Gathering, Current State Assessment

The Deloitte team studied the existing IT infrastructure and conducted a current state assessment of it. During this phase Deloitte gained an understanding of the IT processes in scope through study of the existing process documentation, including policies and procedures, and by conducting interviews for the scoped-in areas.

Phase III: Gap Analysis & Draft Report Generation

The primary objective of the gap analysis phase of the AS-IS current state was to identify key inherent risks in the existing processes and infrastructure and to identify control mechanisms to mitigate these risks. Deloitte also performed user profiling, evaluated the critical duties performed by personnel, and evaluated whether there exist any incompatible duties which need to be segregated.


2.2. DEFINITION OF PRIORITY

The observations made during our IS audit have been classified as set out below. The gap type used to assess the category of gaps noted during the gap assessment is based on a qualitative criterion defined as follows:

Gap Type Definitions

Major Non conformity: A deficiency in the auditee's practices resulting in noncompliance to a mandatory requirement specified for the auditee at the time of audit. In this category the deficiency would indicate additional reputational risk, business interruption or financial loss to stakeholders.

Minor Nonconformity: A deficiency in the auditee's practices resulting in noncompliance to a mandatory requirement specified for the auditee at the time of audit.

Observation: A deficiency in the auditee's practices resulting in non compliance to the auditee's approved policies and procedures/ standards.

Suggestion: An opportunity to improve the auditee's practices based on the practices adopted by similar organizations or industry best practices.

Priority Definition

The priority used to assess the level of risk of gaps noted during the gap assessment is based on a qualitative criterion defined as follows:

High: A High priority rating indicates that the gaps noted may lead to a relatively significant financial, legal/ regulatory or business operation impact and require the immediate attention of USE to remediate the issue.

Medium: A Medium risk rating indicates that the gaps noted may lead to a relatively moderate business operation impact and should be remediated by USE within a short period of time.

Low: A Low risk rating indicates that the gaps noted may lead to a relatively minimal business operation impact and should be remediated by USE within a span of at least one year of the report.

Throughout the report, prioritization of gaps has been done based on our subjective analysis of the parameters for such classification, in discussion with the management of USE.

3. LIMITATION

The work was performed based on samples of selected data and controls. Given the nature of the assignment, the findings should not be considered an exhaustive list of all security and controls related issues that may be prevalent in the infrastructure and systems of USE and associated systems. The engagement did not cover: comprehensive functionality review; code review; penetration tests on any component of USE's application or network environment; revision of policies and procedures for various business processes; and running any tools on USE systems to collect data for performance metrics.

While DTTIPL has provided advice and recommendations based on the results and observations, all decisions in connection with the implementation of such advice and recommendations shall be the responsibility of, and made by, USE. The work is significantly based on the approved policy and procedure documents in use by USE as provided to us. DTTIPL's advice is solely based on the level of security observed during the review period.

4. SUMMARY OF FINDINGS

Columns of the summary table: Sr. | Reference | Assessment Domain | Total Number of Observations (High/ Medium/ Low/ Total) | Complied (High/ Medium/ Low/ Total) | Under Progress (High/ Medium/ Low/ Total) | Suggestions/ No Actions Required (High/ Medium/ Low/ Total)

Sr. | Reference | Assessment Domain
1 | 6.1 | General control for data center facilities
2 | 6.2 | Software change control
3 | 6.3 | Data Communication/ network control
4 | 6.4 | Security Control - general office infrastructure
5 | 6.5 | Access Policy & Controls
6 | - | Electronic Document Controls (No findings)
7 | 6.6 | General Access Control
8 | - | Performance (No findings)
9 | - | Business Continuity/Disaster Recovery Facilities (No findings)
10 | 6.7 | IT support and IT asset Management
11 | 6.8 | Entity Specific Software
12 | 6.9 | Electronic Waste Disposal
13 | Annexure 1 | Vulnerability Assessment/ Database review

Observation counts as printed in the draft (column positions are not recoverable from the extracted text): rows 1-4: "1 -", "1 3 4 3", "2 -", "3 3 5 3"; row 5: "1 1 -"; rows 10-13: "1 1 1", "1 2 6", "3 4", "2 3 3 11". Overall totals printed: 22 and 37.


5. DISCLAIMER

The work was performed based on samples of selected data and controls. Given the nature of the assignment, the findings should not be considered an exhaustive list of all security and controls related issues that may be prevalent in the infrastructure and systems of USE and associated systems. While DTTIPL has provided advice and recommendations based on the results and observations, all decisions in connection with the implementation of such advice and recommendations shall be the responsibility of, and made by, USE. The work is significantly based on the approved policy and procedure documents in use by USE as provided to us. DTTIPL's advice is solely based on the level of security observed during the review period.


6. FINDINGS & RECOMMENDATION

6.1. GENERAL CONTROL FOR DATA CENTER FACILITIES

Sr. 1
Finding: The generic administrator ID sysadmin.h is shared amongst 6 administrators: Sanjyot Kharul, Vasant Sakpal, Sagar Desai, Mahendra Parab, Manish Vengurlekar and Ravi Kumar Chennuri, all employees of Market Place Technologies. It was noted that this ID is not required for beginning of day (BOD) and end of day (EOD) activities. Since the ID is shared amongst the administrators, accountability cannot be established.
Nature of Deficiency: Operating Deficiency
Risk: Accountability for data modification cannot be established if common or group IDs are used.
Priority: High
Recommendation: Unique IDs must be created for each of the 6 administrators, so that accountability can be established for the administrative activities conducted by each administrator.
Responsibility: Windows Operations Team / FOW application

Finding: The MSSQL administrators have super admin privileges, i.e. 'bsesa', in the development and production environments. It was noted that for daily activities they have BSERTRMS\rtrmsdbsaadmin (service owner, used for restart), BSERTRMS\rtrms.ops (used for daily operations) and BSERTRMS\rtrmsdbaadmin to conduct their daily operational activities, and that super admin privileges are not required for these. Currently the logs of administrative activities on the MSSQL database are not being monitored. This was also highlighted in the ENY Report for SEBI IS Audit dated April 2012.
Nature of Deficiency: Operating Deficiency
Risk: Accountability for data modification cannot be established if group IDs are used.
Priority: High
Recommendation: Super admin privileged IDs should be kept in the custody of authorized BSE personnel and shared only for deployment of a change in the production environment. A password change management process must be followed whenever the password is shared.
Responsibility: MSSQL Database/ Fasttrade application

Sr. 5
Finding: The two Sybase database administrators have SA privileges. Through corroborative enquiry with the database administrators it was noted that super admin privileges are not required for their daily operational activities; they are required only for occasional changes that need to be deployed, and are not required for EOD and BOD operations. There is no log monitoring procedure defined for the Sybase database administrators; this was also highlighted in the ENY Report for SEBI IS Audit dated April 2012. Both administrators have access to the audit logs. However, 'Log and Security Monitoring Procedures ver 3.3', sec 25.7 'Monitoring of system use', requires that monitoring procedures be identified, documented and followed by systems, database, application and network administrators, and that any exception be escalated with appropriate details. Hence this is noncompliance to the defined organizational policies and procedures.
Nature of Deficiency: Design and Implement
Risk: Accountability for data modification cannot be established if IDs are shared.
Priority: High
Recommendation: Access to the super admin privileged IDs should be restricted on a need to know basis. After each use of a super admin ID its password should be changed and the change recorded through the password change management process. Activities conducted with such IDs should be logged and reviewed on a periodic basis by authorized BSE personnel. Access to the audit logs should be restricted to authorized BSE personnel only.
Responsibility: Sybase Database/ CDX, MOPS application

Finding: The DR data center, located on the ground floor of PJ Towers, has a single entry and exit point. Currently there is no provision of a fire exit from the data center.
Nature of Deficiency: Design
Risk: Lack of a separate fire exit may result in operational risk in the event of a disaster.
Priority: High
Recommendation: Provision should be made for a fire exit. Alternatively, a management approved exception must be taken for the single entry and exit point.
Responsibility: Physical Security Team, USE

Finding: Access enabled access cards are currently not stored securely in a drawer.
Nature of Deficiency: Operational Deficiency
Risk: Usage of these cards by unauthorized personnel may result in unauthorized access to a sensitive area.
Priority: Medium
Recommendation: Access enabled access cards must be maintained securely in a drawer. Access to the drawer and to the access cards should be restricted to authorized personnel only.
Responsibility: Physical Security Team, USE

Finding: A formal process is not defined and implemented for review of access to the DR data center by users as well as vendors. This was also reported in the ENY SEBI IS Audit Report dated April 2012.
Nature of Deficiency: Design
Risk: Absence of a review process for the physical access logs may result in unauthorized access not being detected.
Priority: High
Recommendation: Physical access logs should be reviewed on a periodic basis. A formal process must be defined and implemented for periodic review of access to the data center by users as well as vendors. Unsuccessful attempts must be tracked and a root cause analysis for them must be recorded.
Responsibility: Physical Security Team, USE
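Worked example of the periodic physical access log review recommended in the last finding above. This is an added illustration; it is not part of the audit report and not a USE or BSE procedure. It assumes a badge-controller export with one comma-separated event per line (timestamp, card ID, holder, holder type, door, result); the log lines, the business-hours window and the threshold of three denials per card are constructed for the example.

```python
"""Periodic review of DR data-centre badge logs (added example, not from the report).

Assumed export format (not from the report): one event per line,
  timestamp,card_id,holder,holder_type,door,result
where result is ACCESS_GRANTED or ACCESS_DENIED and holder_type is
EMPLOYEE, VENDOR or UNKNOWN (card not enrolled).
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export; these events are not taken from the audit.
SAMPLE_LOG = """\
2013-03-04 09:02:11,C1001,A. Employee,EMPLOYEE,DR-DC-MAIN,ACCESS_GRANTED
2013-03-04 09:05:40,C2044,Vendor One,VENDOR,DR-DC-MAIN,ACCESS_GRANTED
2013-03-04 22:17:03,C2044,Vendor One,VENDOR,DR-DC-MAIN,ACCESS_GRANTED
2013-03-05 03:41:55,C3999,,UNKNOWN,DR-DC-MAIN,ACCESS_DENIED
2013-03-05 03:42:10,C3999,,UNKNOWN,DR-DC-MAIN,ACCESS_DENIED
2013-03-05 03:42:31,C3999,,UNKNOWN,DR-DC-MAIN,ACCESS_DENIED
2013-03-05 10:15:00,C1002,B. Employee,EMPLOYEE,DR-DC-MAIN,ACCESS_DENIED
2013-03-05 10:15:20,C1002,B. Employee,EMPLOYEE,DR-DC-MAIN,ACCESS_GRANTED
"""

BUSINESS_START, BUSINESS_END = time(8, 0), time(20, 0)  # assumed review window
DENIED_THRESHOLD = 3  # repeated denials on one card that warrant an RCA entry (assumed)


def parse_events(text):
    """Parse the export into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, holder, htype, door, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "card": card, "holder": holder, "type": htype,
            "door": door, "result": result,
        })
    return events


def review(events):
    """Return what a reviewer signs off on: total denied attempts, cards whose
    repeated denials need an RCA, after-hours entries, and all vendor entries."""
    denied_by_card = defaultdict(list)
    after_hours = []
    vendor_entries = []
    for e in events:
        if e["result"] == "ACCESS_DENIED":
            denied_by_card[e["card"]].append(e)
            continue
        # Successful entries: flag those outside business hours and all vendor use.
        if not (BUSINESS_START <= e["ts"].time() < BUSINESS_END):
            after_hours.append(e)
        if e["type"] == "VENDOR":
            vendor_entries.append(e)
    rca_required = {card: evs for card, evs in denied_by_card.items()
                    if len(evs) >= DENIED_THRESHOLD}
    return {
        "denied_total": sum(len(v) for v in denied_by_card.values()),
        "rca_required": rca_required,
        "after_hours": after_hours,
        "vendor_entries": vendor_entries,
    }


if __name__ == "__main__":
    r = review(parse_events(SAMPLE_LOG))
    print("denied attempts:", r["denied_total"])
    for card, evs in r["rca_required"].items():
        print(f"RCA required for card {card}: {len(evs)} denials, first at {evs[0]['ts']}")
    for e in r["after_hours"]:
        print("after-hours entry:", e["ts"], e["holder"] or e["card"], e["type"])
    for e in r["vendor_entries"]:
        print("vendor entry:", e["ts"], e["holder"])
```

The output of `review` is the evidence the recommendation asks for: a count of unsuccessful attempts, the cards whose repeated denials need a recorded root cause, and the vendor and after-hours entries a reviewer must confirm against approved visits.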

6.2. SOFTWARE CHANGE CONTROL

Sr. 1
Finding: Currently there is no policy and procedure in place for software change control defined for USE.
Nature of Deficiency: Design
Risk: Lack of documented policies and procedures may result in inconsistencies.
Priority: High

Finding: Change request management is not standardized across the applications: some change requests are tracked on Redmine whereas others are simply made and tracked via email communication. There is no consolidated list of changes maintained by the application team to track the changes made to the application. Moreover, only changes that are deemed critical are analyzed and go through the change management process, yet there is no defined guideline for categorizing a change request as critical.
Nature of Deficiency: Design and implement
Risk: Lack of a standardized and documented process may result in inconsistencies in the process.
Priority: Medium
Recommendation: A standardized process should be implemented and followed for managing all change requests. A consolidated list of change requests should be maintained in a central repository to track all changes implemented on the application. A clear guideline must be defined for the categorization of change requests; this will support a consistent process for identifying and categorizing them.
Responsibility: CDX and MOPS Application Team

Sr. 2
Finding: A standard process has not been defined for managing change requests in the CDX and MOPS applications. There is no SOP in place for change management for these applications. The authorization matrix for approval of changes is currently not documented.
Nature of Deficiency: Design and Implement
Risk: Lack of a standardized and documented process may result in inconsistencies in the process.
Priority: Medium
Recommendation: A standardized process should be implemented and followed for managing all change requests. An approval matrix must be defined, documented and approved, specifying the roles for approving changes made to the CDX and MOPS applications. The change management process for the CDX and MOPS applications must include the following:
- Categorization of changes (Major, Minor or emergency) must be defined
- Prioritization of changes must be done
- A roll back plan must be documented
- A release note for deployment into the production environment must be documented
- A post implementation review of the change deployed in the production environment must be done
- Evidence of testing (i.e. logs or screenshots) must be captured/documented
Responsibility: CDX and MOPS Application

Finding: Discrepancies were noted in the change request forms for the CDX and MOPS applications. A clear guideline for defining the criticality of a CR is not documented. For the sample CR No. CR-CDX-1213-21: no physical copy of the acceptance document was present and acceptance was communicated verbally; the change record had not been reviewed to validate the completeness of the CR details; for migration into production there was no documented review and signoff from the end user. For CR-CDX-1213-20: the corresponding RA document mentioned an incorrect CR No. (CR-CDX-1213-18); the release note was not attached and was not stored in VSS; the acceptance testing email for this CR was not signed by Sanjeev Kapoor, Operations head. Moreover, for the following change requests for changes made in the MOPS application, CDX-CR-CDX-1213-23, CR-CDX-1213-22 and CR-CDX-1213-21, the CR Nos. have been defined for the CDX environment.
Nature of Deficiency: Design and implement
Risk: Lack of a standardized and documented process may result in inconsistencies in the process.
Priority: Medium
Recommendation: A standardized process should be implemented and followed for managing all change requests. An approval matrix must be defined, documented and approved, specifying the roles for approving changes made to the CDX and MOPS applications.
Responsibility: CDX and MOPS Application

Sr. 5
Finding: Defect and bug tracking is currently not standardized across the applications: the SOP for defect/bug tracking is not documented, and there is no clear guideline defined for the management of defects or bugs and their categorization. Discrepancies were noted for IRF_USE_001_2012/12: the resolution time was not present. For IRF_USE_001_2012/13 the following details were obtained: the critical incident report time was 9:45 AM on 24/12/12 and the problem was resolved at 11:15 AM; incident detail recorded: around 9:45 AM some members reported a problem in login and could not trade; action taken: no action was taken on CMC's side, reported at 11 AM; immediate action taken: the problem was resolved at 11:15 AM; RCA was recorded as N.A. at 3:30 PM. Hence the detail of the appropriate action taken has not been recorded and the root cause analysis has not been documented, yet the IRF has been deemed closed. No appropriate signoffs have been taken for the IRFs from authorized USE personnel.
Nature of Deficiency: Design and Implement
Risk: Lack of a standardized and documented process may result in inconsistencies in the process.
Priority: Medium
Recommendation: A standardized process should be documented and implemented for the resolution of all identified bugs/problems/issues. A clear guideline should be documented on the categorization of identified bugs/ problems/ issues.
Responsibility: CDX and MOPS Application team


6.3. DATA COMMUNICATION/NETWORK CONTROLS

Sr. 1
Finding: For the following users the privileges assigned on TACACS are read/write during business hours; however, on reviewing the user access creation forms for these users it was noted that they are provided with read and write privileges only:
- Avinash Jaipure - user created on May 14, 2012. User has read and write privilege after business hours.
- Gauri Chaudhari - user created on June 26, 2012. User has read and write privilege after business hours.
- Sandip Shete - assigned RO privileges for Network Devices and RW for the rest of the groups. User created on May 21, 2012. User has read and write privilege after business hours.
- Mahesh Sindhur - user created on June 14, 2012. User has read and write privilege after business hours.
- Manoj Gawde - user created on June 13, 2012. User has read and write privilege after business hours.
Nature of Deficiency: Operating Deficiency
Risk: Inconsistencies in the user access management process (i.e. registration and deregistration) may result in unauthorized access being granted to users. This may result in unauthorized data modification/deletion through privileged access.
Priority: High
Recommendation: Every user registration and deregistration on devices should follow the formal user access management process.
Responsibility: Network Administration Team

Sr. 2
Finding: Currently there is no provision to track temporary rule sets in the firewall, and evidence of the management of temporary firewall rule sets could not be demonstrated. Post implementation review results/confirmation are currently not attached as supporting documentation to the change requests in Tivoli.
Nature of Deficiency: Design and Implement
Priority: High
Responsibility: Network Administration Team

Sr. 3
Finding: The following were noted in the password policy settings for TACACS:
- Minimum password length = 6
- Account lockout = 5 attempts
- Complexity not enabled, i.e. alphanumeric, lower case and upper case requirements not enforced
- Account inactivity: account disabled after 365 days
- Password history = 1
- Password lifetime: password age is not set
This is not in line with the organization's password policy.
Nature of Deficiency: Implementation
Risk: Non-compliance to the Password Management policy. Weak passwords may result in easy access being provided to unauthorized users.
Priority: Medium
Recommendation: Password parameters should be defined in line with the organization's password policy.
Responsibility: Network Administration Team

Sr. 4
Finding: Through corroborative enquiry it was noted that all network administrative monitoring activities have been outsourced to the vendor team lead. However, there is no formal process defined for monitoring the network administrative activities.
Nature of Deficiency: Design and Implement
Risk: Absence of a process for log monitoring may result in unauthorized activities going undetected. This may result in operational risk and data loss.
Priority: High
Recommendation: Define a formal process for review and monitoring of the administrative logs by the vendor team lead. A report must be shared with authorized BSE personnel for review of the monitoring reports on a periodic basis.
Responsibility: Network Administration Team
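Worked example for findings 1 and 3 of this section. It is added here and is not from the report; it does not reflect USE's actual TACACS configuration, user list or policy values. It reconciles the privileges approved on the user access creation forms against the privileges effective on the TACACS server (finding 1), and checks observed password settings against an organisational baseline (finding 3). The user names, the baseline policy values and the shape of the exported data are assumptions; the observed TACACS settings are the ones listed in finding 3.

```python
"""Reconcile approved versus effective TACACS+ privileges and check password
settings against policy. Added example, not from the report; inputs are constructed."""

# Approved privileges as recorded on the access creation forms (constructed data;
# the names are placeholders, not the users named in the report).
APPROVED = {
    "user.a": {"network_devices": "RW", "after_hours": False},
    "user.b": {"network_devices": "RO", "after_hours": False},
    "user.c": {"network_devices": "RW", "after_hours": True},
}

# Effective privileges as exported from the TACACS+ server (constructed data).
EFFECTIVE = {
    "user.a": {"network_devices": "RW", "after_hours": True},   # after-hours RW not approved
    "user.b": {"network_devices": "RW", "after_hours": False},  # RW granted, RO approved
    "user.c": {"network_devices": "RW", "after_hours": True},   # matches the form
    "user.d": {"network_devices": "RO", "after_hours": False},  # no access form at all
}


def reconcile(approved, effective):
    """Return (user, issue) pairs: privilege above approval, unapproved after-hours
    access, accounts with no approval record, and approvals never provisioned."""
    rank = {"NONE": 0, "RO": 1, "RW": 2}
    issues = []
    for user, eff in sorted(effective.items()):
        form = approved.get(user)
        if form is None:
            issues.append((user, "no access creation form on record"))
            continue
        if rank[eff["network_devices"]] > rank[form["network_devices"]]:
            issues.append((user, f"{eff['network_devices']} granted, {form['network_devices']} approved"))
        if eff["after_hours"] and not form["after_hours"]:
            issues.append((user, "after-hours access not approved"))
    for user in sorted(set(approved) - set(effective)):
        issues.append((user, "approved but not provisioned (deregistration check)"))
    return issues


# Organisational baseline: assumed values, substitute the real policy figures.
PASSWORD_POLICY = {"min_length": 8, "lockout_attempts": 5, "complexity": True,
                   "max_age_days": 90, "history": 5, "inactivity_disable_days": 90}


def check_password_settings(observed, policy=PASSWORD_POLICY):
    """Return the settings weaker than policy. Shorter length, shorter history and
    missing complexity are weaker; a longer or unset maximum age, a longer inactivity
    window, or more lockout attempts than policy are weaker."""
    weak = {}
    if observed.get("min_length", 0) < policy["min_length"]:
        weak["min_length"] = observed.get("min_length")
    if observed.get("lockout_attempts") is None or observed["lockout_attempts"] > policy["lockout_attempts"]:
        weak["lockout_attempts"] = observed.get("lockout_attempts")
    if policy["complexity"] and not observed.get("complexity", False):
        weak["complexity"] = observed.get("complexity", False)
    if observed.get("max_age_days") is None or observed["max_age_days"] > policy["max_age_days"]:
        weak["max_age_days"] = observed.get("max_age_days")
    if observed.get("history", 0) < policy["history"]:
        weak["history"] = observed.get("history")
    if observed.get("inactivity_disable_days") is None or observed["inactivity_disable_days"] > policy["inactivity_disable_days"]:
        weak["inactivity_disable_days"] = observed.get("inactivity_disable_days")
    return weak


# The settings observed on TACACS, as listed in finding 3 (None = not set).
OBSERVED_TACACS = {"min_length": 6, "lockout_attempts": 5, "complexity": False,
                   "max_age_days": None, "history": 1, "inactivity_disable_days": 365}

if __name__ == "__main__":
    for user, issue in reconcile(APPROVED, EFFECTIVE):
        print(f"{user}: {issue}")
    for setting, value in check_password_settings(OBSERVED_TACACS).items():
        print(f"{setting}: observed {value}, policy {PASSWORD_POLICY[setting]}")
```

Run against the constructed data, `reconcile` reports the three mismatches annotated in EFFECTIVE, and `check_password_settings` flags every observed TACACS setting except the lockout threshold against the assumed baseline.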


6.4. SECURITY CONTROLS - GENERAL OFFICE INFRASTRUCTURE

Sr. 1
Finding: The systems located in the auditor room were periodically running and connected to the network with outdated virus definition files. On March 8, 2013 it was observed that system 0981 (in the auditor room) was running with a virus definition file dated March 3, 2013, whereas the latest DAT file on the EPO was dated March 7, 2013. The procedure document '20 Virus Protection Procedures ver 3.3', section 20.4.4 "Updating of 'DAT files' on stand-alone workstations", states that the vendor/anti-virus helpdesk must ensure that all stand-alone workstations are regularly updated with the DAT files. Hence there is a potential risk of these systems being connected to the network with outdated virus definition files and being vulnerable to virus outbreaks.
Nature of Deficiency: Operating Deficiency
Risk: New threats may go undetected by antivirus with old definitions.
Priority: Medium
Recommendation: Antivirus should be updated with the latest virus definitions to detect & quarantine new viruses and threats.
Responsibility: IT Helpdesk Team
Management Response: accepted and fixed

Finding: On the EPO console it was observed that 11 systems had 7000.00 as the virus definition file, 12 systems 7005.00, 17 systems 7003.00 and 46 systems 7006.00, while the current definition file was 7007.00. A tracking mechanism is not in place to ensure and record the corrective action taken for the identified systems with outdated DAT files. Also, root cause analysis is currently not being recorded for the work arounds/ corrective actions implemented on systems with recurring issues.
Nature of Deficiency: Design and Implement
Risk: Vulnerable systems may go undetected.
Priority: Medium
Recommendation: A process for tracking and updating outdated desktops should be defined and implemented by the IT Helpdesk team to ensure all systems are running with updated DAT definitions. Also, for issues relating to antivirus management, an RCA must be conducted, recorded and documented by the anti-virus helpdesk team and maintained in a central repository for future reference.
Responsibility: IT Helpdesk Team

Finding: A patch management procedure document has not been defined for the Sybase database, and patch management for the Sybase database is currently not being conducted. Through corroborative enquiry with the Sybase database administrator it was noted that the last EBF (emergency bug fix) was applied over 2 years back. However, '17 operating system security procedure ver 3.3.pdf', section '17.4.6 Technical review of operating system changes' of the 'Minimum Baseline Security Standard', requires that the system administrators, along with an IT representative, carry out and document a review of the patches/hot fixes that need to be applied to a system; once identified, the patches/hot fixes must first be deployed on a test system, and only after confirming that they do not cause instability to the system may they be deployed onto the production systems. Hence the absence of a management risk acceptance for this exception is noncompliance to the organization's policy and procedures.
Nature of Deficiency: Design and Implement
Risk: Lack of a documented process and control mechanism for tracking, testing and deployment of patches may result in inconsistencies in the deployment of patches on systems, rendering the systems susceptible to exploits by unauthorized users or intruders.
Priority: Medium
Recommendation: Standard Operating Procedures for Sybase patch management should be defined. A management risk acceptance must be approved and documented for patches not being applied to the Sybase database.
Responsibility: Sybase Database/ CDX and MOPS Application

Sr. 5
Finding: Through corroborative enquiry with the email administrator it was noted that email archival logs are currently reviewed; however, there is no formal process defined for email archival log monitoring. For failed email archival logs there is no evidence of an RCA being conducted. The detailed procedure for the following processes is currently not illustrated in the Standard Operating Procedure document:
- Restoration process
- Service request management for archival and restoration
Nature of Deficiency: Design
Risk: Lack of documentation may result in inconsistencies in the process.
Priority: Medium
Recommendation: A formal process for reviewing failed archival logs must be defined, documented, approved and implemented. A detailed root cause analysis must be done for the failed archival logs. The Standard Operating Procedure for Email Archival and Management must include the following:
- Detailed steps for the restoration process
- Service request management, with supporting screenshots, for processing requests for archival and restoration

Finding: Windows OS is patched on a periodic basis through WSUS. However, there is no formal process defined through which UAT signoff is taken prior to deployment in the production environment on servers. Currently there is no control to track the patches deployed on the servers, and no documentation is maintained for the RCA in case a patch deployment fails on a production server.
Nature of Deficiency: Design
Risk: Lack of a documented process and control mechanism for tracking, testing and deployment of patches may result in inconsistencies in the deployment of patches on systems, rendering the systems susceptible to exploits by unauthorized users or intruders.
Priority: Medium
Recommendation: User acceptance must be recorded prior to deployment of a patch in the production environment.

6.5. ACCESS POLICY AND CONTROLS

Finding
Currently USE is adhering to the BSE IT policies and procedures; however there are no documented policies and procedures specifically for USE.

Nature of Deficiency
Design

Risk
Lack of documented policies and procedures may result in inconsistencies.

Priority
High

Recommendation
Define and implement IT policies and procedures for USE.

Responsibility
USE

Management Response

Sr.
1

Finding
Noted that the Group Password policy defined on the Windows systems is as follows:
- Max Password Age: 30 days
- Min Password Length: 7
- Password must meet complexity requirements: Enabled
- Min Password Age: 1
- Password History: 24
However, while reviewing '23 Password Security and control Procedures ver 3.4.pdf', sec 23.4.1 Password Standards, it was noted that the required password length is a minimum of eight characters. Hence, non-compliance with the procedure document was noted.

Nature of Deficiency
Operating Deficiency

Risk
Password policy non-compliance

Priority
Medium

Recommendation
Password length must be set to a minimum of eight characters to ensure compliance with the organization's password policy.

Responsibility
Windows Operations Team

Sr.
2

Finding
Noted that the password configuration for the FOW application has been defined as follows:
- Enforce password history: 8 passwords remembered
- Maximum password age: 30 days
- Minimum password age: 0
- Minimum password length: 8 characters
- Password must meet complexity requirements: Enabled
Observation: the minimum password age should be 1, not 0, as per the password policy.

Responsibility
FOW application team
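The two password configurations above were compared with the baseline by hand. The following is an added example (not part of the audit report, and not code from USE, BSE or Deloitte) that does the same check programmatically: it parses settings written in the "Label: value" form the report quotes and reports every parameter that misses the baseline. The minimum length of eight characters and the minimum age of one day are the values the report cites; the key names, the maximum-age and complexity rules, and the two settings texts are constructed for the example.

```python
"""Password policy compliance check (added example; baseline values for
minimum length and minimum age are those cited in the audit report, the
remaining rules and the sample settings text are constructed)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Map the label variants seen in the report (Windows GPO and FOW wording) onto one key.
LABELS = {
    "max password age": "max_age_days",
    "maximum password age": "max_age_days",
    "min password length": "min_length",
    "minimum password length": "min_length",
    "min password age": "min_age_days",
    "minimum password age": "min_age_days",
    "password history": "history",
    "enforce password history": "history",
    "password must meet complexity requirements": "complexity",
}


def parse_settings(text: str) -> Dict[str, object]:
    """Turn 'Label: value' lines into a dict; numbers become ints, Enabled/Disabled bools."""
    settings: Dict[str, object] = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = LABELS.get(label.strip().lower())
        if not sep or key is None:
            continue  # not a recognised setting line
        value = value.strip().lower()
        if key == "complexity":
            settings[key] = value.startswith("enabled")
        else:
            number = re.search(r"\d+", value)   # "30 days", "8 passwords remembered"
            if number:
                settings[key] = int(number.group())
    return settings


@dataclass(frozen=True)
class Rule:
    key: str
    required: object
    ok: Callable[[object, object], bool]  # (observed, required) -> compliant?
    why: str


BASELINE: List[Rule] = [
    # From the procedure document cited in the report (sec 23.4.1 Password Standards).
    Rule("min_length", 8, lambda o, r: o >= r, "minimum eight characters"),
    # From the auditor's observation on the FOW configuration.
    Rule("min_age_days", 1, lambda o, r: o >= r,
         "a minimum age of 0 lets a user cycle straight back to an old password"),
    # Assumed for the example; both systems were observed with these values.
    Rule("max_age_days", 30, lambda o, r: o <= r, "rotation at least every 30 days (assumed)"),
    Rule("complexity", True, lambda o, r: o is True, "complexity requirements enabled (assumed)"),
]


def evaluate(observed: Dict[str, object], baseline: List[Rule] = BASELINE) -> List[str]:
    """One line per missing or non-compliant parameter; an empty list means compliant."""
    findings = []
    for rule in baseline:
        if rule.key not in observed:
            findings.append(f"{rule.key}: not set (required {rule.required!r})")
        elif not rule.ok(observed[rule.key], rule.required):
            findings.append(f"{rule.key}: observed {observed[rule.key]!r}, "
                            f"required {rule.required!r}: {rule.why}")
    return findings


# Settings in the form the report quotes them (constructed text).
WINDOWS_GPO = """Max Password Age : 30 days
Min Password Length: 7
Password must meet complexity requirements: Enabled
Min Password Age: 1
Password History: 24"""

FOW_APP = """Enforce password history: 8 passwords remembered
Maximum password age: 30days
Minimum password age: 0
Minimum password length: 8 characters
Password must meet complexity requirements: Enabled"""

if __name__ == "__main__":
    for name, text in (("Windows GPO", WINDOWS_GPO), ("FOW application", FOW_APP)):
        for finding in evaluate(parse_settings(text)) or ["compliant"]:
            print(f"{name}: {finding}")
```

Run against the two texts, the check reproduces the report's two observations: the Windows policy fails only on minimum length (7 against 8) and the FOW configuration fails only on minimum age (0 against 1). A parameter that is absent from the export is reported as "not set" rather than silently passing, which is the failure mode to guard against when the export comes from a tool that omits defaults.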

6.6. ELECTRONIC DOCUMENT CONTROLS

Finding
The agreement between United Stock Exchange India Ltd. and Bombay Stock Exchange India Ltd. dated 22nd September 2011 was shared with the Deloitte team; however, this agreement was effective from April 1st 2011 till March 31st 2012 and, as of date, is invalid. Moreover, there are no specific agreements between USE and each of its vendors and service providers.

Nature of Deficiency

Risk

Priority

Recommendation

Responsibility

Management Response

Sr.
1

Finding
Versions of procedure documents have not been updated post August 2011; however, as per the organization's Documents and Records Control Procedures, all documents must be reviewed annually. Documents for which the version control has not been updated are listed as follows:
- Data Classification Procedure ver 3.3 - last updated Dec 2010
- Network Security Procedure ver 3.3 - last updated Dec 2010
- Internet and Intranet Security Procedure ver 3.3 - last updated August 2011
- Password Security and Control Procedure ver 3.4 - last updated August 2011
- Log and Security Monitoring Procedure ver 3.3 - last updated Dec 2010
- IT Management ver 3.4 - last updated August 2011
- Corrective and Preventive Action Procedure ver 2.0 - last updated Feb 2011
- Management of Hardware and Software and License Procedure ver 3.3 - last update date not recorded in the version history of the document
- Helpdesk Management Procedure ver 3.2 - version control not documented for this procedure document
- Program Change Management Procedure ver 3.2 - version control not documented for this procedure document
- Version Control Procedure ver 3.3 - last updated August 2011
- Outsourcing Procedure ver 3.3 - version control not documented for this procedure document
- Disaster Recovery Procedure ver 3.3 - last updated August 2011
- Business Continuity Procedure ver 3.3 - last updated August 2011
- Management Review Procedure ver 3.3 - version control not documented for this procedure document
- Document and Record Procedure ver 3.3 - last updated August 2011
- Physical and Environmental Security Procedures ver 3.2 - version control not documented for this procedure document
- Application Security Procedures ver 3.2 - version control not documented for this procedure document

Nature of Deficiency
Operating Deficiency

Risk
Absence of a review and update process for the policy and procedure documents may result in operational risk.

Priority
Low

Recommendation
All documents, including forms and checklists, should have version control. Policies and procedures must be reviewed on an annual basis, and the version control for all documents should be updated on a periodic basis.

Responsibility
Information Security SPOC

Sr.
2

Finding
A standard operating procedure, 'Email system administrators manual v1.3', is maintained for all the administrative activities conducted for email management. However, the approval details, i.e. date and signature of the approvers, are not captured for the SOP.

Nature of Deficiency
Operating Deficiency

Risk
Absence of an approved document may result in operational inconsistencies.

Priority
Low

Recommendation
Approval details such as name, date and signature of the approvers must be documented in the standard operating procedure.

Responsibility
Email Archival Team

6.7. PERFORMANCE AUDIT

Sr.
1

Finding
Currently USE is adhering to the BSE IT policies and procedures for performance monitoring; however there are no documented policies and procedures specifically for USE. The BSE IT Procedure ver. 1.4 and BSE IS Policy ver. 1.3 do not cover requirements for performance audit review; hence we are unable to ascertain whether the performance reviews conducted are in line with the management mandate.

Nature of Deficiency
Design

Risk
Absence of a formal performance management procedure and policy results in practices that are followed on an informal basis and may not be consistently applied throughout the organization as intended by management.

Priority
Medium

Recommendation
Define the performance management process and maintain a formally updated and approved document.

Responsibility

Management Response

6.8. BUSINESS CONTINUITY/DISASTER RECOVERY FACILITIES

Finding
There is no business continuity management policy and procedure defined for USE. The drill report is documented as part of a change request; moreover, it does not record the time taken for each activity, the team members involved, the learnings, or whether the activities were a success. No BIA or risk assessment has been conducted, and there is no representation from the USE stakeholders in business continuity management.

Nature of Deficiency

Risk

Priority

Recommendation

Responsibility

Management Response

Sr.
1

Finding
A call tree for the critical BCM team members has not been documented; contact details of the BCMT personnel are present only on the personnel's mobiles. However, an escalation matrix has been defined.

Nature of Deficiency
Design

Risk
Incomplete documentation of details in the BCP manual may hamper business operations for a longer period of time. This may result in operational risk, which may lead to data and reputational loss.

Priority
High

Recommendation
Contact details of the core BCMT personnel should be updated in the document.

Sr.
2

Finding
Business-related risks are currently identified, evaluated and documented. However, non-availability of vendors in the event of a disaster has not been documented as part of the RA or BIA document.

Nature of Deficiency
Design

Risk
Incomplete risk assessment and business impact analysis may result in operational risk.

Priority
Medium

Recommendation
The risk of non-availability of vendor employees should be documented in the risk assessment.

Sr.
3

Finding
Fire marshals have been identified for each of the floors. However, they are not provided with fluorescent jackets/bands to identify themselves as part of the BCM team in the event of a disaster.

Nature of Deficiency
Operating Deficiency

Sr.
4

Finding
Critical technology personnel and their backup personnel are currently not documented in the revised BCM manual or the roles and responsibilities document. However, an escalation matrix for incident management has been defined within the Service Continuity and Recovery Procedure ver 3.2.1.

Nature of Deficiency
Design

Risk
Incomplete documentation of details in the BCP manual may hamper business operations for a longer period of time. This may result in operational risk, which may lead to data and reputational loss.

Priority
High

Recommendation
Alternate team members for the business resumption team should be updated in the document.

Sr.
5

Finding
RTO and RPO are currently defined per application, and there is no single RTO and RPO defined for the organization. The following were noted for the in-scope applications while reviewing the Revised Business Continuity Manual ver 3.2:
- BOLT: RTO 40 mins, RPO 10 mins
- BOSSi: RTO 30 mins, RPO 10 mins
- RTRMS: not defined
- Lieps: not defined
- Esettle and ECOLL: not defined
- IDB: RTO 20 mins, RPO 60 mins
- FOW: not defined

Nature of Deficiency
Design

Risk
Incomplete documentation of details in the BCP manual may hamper business operations for a longer period of time. This may result in operational risk, which may lead to data and reputational loss.

Priority
High

Recommendation
The RTO and RPO for the organization should be defined. Also, for each of the in-scope applications, the RTO and RPO should be defined and should meet the organization's recovery time and recovery point objectives.

Sr.
6

Finding
The BCP drill reports do not include the response time of the emergency services, such as the fire brigade, ambulance and medical teams from hospitals.

Sr.
7

Finding
For certain floors, the emergency exits are currently secured using a lock and key. Through corroborative inquiry with the Physical Security Head it was determined that in the event of a disaster the locks would be broken. However, there are two entry and exit points.

Sr.
8

Finding
The DR facility for BSE is located at DAKC, i.e. New Mumbai, and is susceptible to the same common threats as the primary site.

Nature of Deficiency
Design

Risk
There is a possibility of the secondary site being exposed to the same threats if both sites are in the same seismic region.

Priority
High

Recommendation
Management should plan the DR setup in a different seismic zone to avoid exposure to the same threats.

6.9. IT SUPPORT AND ASSET MANAGEMENT

Sr.
1

Finding
Certain IT assets are being managed by USE through a manual process. The nomenclature used for labelling the assets is of the form USEIL/11-09/PC/1; however, this nomenclature has not been defined in the asset management policy and procedures. The insurance for the IT assets of USE has been taken from Reliance. A risk confirmation letter dated 11-02-2013 was shared; however, the final policy has not been shared with the Deloitte team. Moreover, the location details of each of the offices under coverage of the insurance have not been mentioned explicitly in this letter.

Nature of Deficiency

Risk

Priority

Recommendation

Responsibility

Management Response

Sr.
2

Finding
For the Antivirus server, CPU and memory are currently monitored through Tivoli during trading hours for spikes or sudden increases in the system parameters, with thresholds defined at 90% on the Tivoli system. However, there is no documented procedure for the capacity management process. Moreover, reports are not being generated through Tivoli on a periodic basis (weekly, fortnightly or monthly) to analyse the trend in capacity utilization of the system resources; hence, proactive capacity planning cannot be conducted.

Nature of Deficiency
Design and Implement

Risk
Lack of a documented capacity monitoring process and periodic trend analysis may result in increasing system capacity utilization going undetected, resulting in performance issues for production systems.

Priority
Medium

Recommendation
Document the capacity management process for effective management of the system resources of the Antivirus server. A proactive capacity management trend analysis process should be developed and implemented by generating reports through Tivoli and reviewing them on a periodic basis.

Responsibility
Windows operations team

Sr.
3

Finding
Thresholds are defined for the performance monitoring parameters of the SQL database, and during market hours the threshold is monitored through Tivoli. However, the utilization of the system parameters is not being recorded and tracked. Tivoli provides for generating reports on a periodic basis, but no reports are being generated for capacity monitoring; hence, no trend analysis is currently being conducted for proactive identification and root cause analysis of potential issues.

Nature of Deficiency
Design

Risk
Lack of a documented capacity monitoring process and periodic trend analysis may result in increasing system capacity utilization going undetected, resulting in performance issues for production systems.

Priority
Medium

Recommendation
Capacity monitoring must be tracked and recorded during market hours. This will help in identifying underlying issues through review of the trend analysis and proactive capacity monitoring.

Responsibility
MSSQL Database

Sr.
4

Finding
While reviewing the HP-UX System Administrator's Manual sec 6.2, 'Monitoring Procedures and Parameters', it was noted that the threshold defined for CPU utilization was 30% (for BOD). Discrepancies were noted in the capacity monitoring process: for the following dates there were no health checklists available for review: March 8th, 9th, 10th, 13th, 14th, 16th and 17th. On March 19th the 30% threshold was exceeded, with utilization going up to 36%; however, no alert was generated and no RCA was conducted.

Nature of Deficiency
Operating Deficiency

Risk
Lack of periodic trend analysis may result in increasing system capacity utilization going undetected, resulting in performance issues for production systems.

Priority
Medium

Recommendation
Proactive capacity monitoring of system parameters will help in identifying underlying issues.

Responsibility
HP-UX Operating System

Sr.
5

Finding
The IT asset inventory is maintained online through Tivoli. The details of disposed assets are not being maintained through the Tivoli application; however, one of the disposed monitors, 3912A274, showed the IT asset status as Decommissioned.

Nature of Deficiency
Operating Deficiency

Risk
Lack of a defined process may result in process inconsistencies.

Recommendation
A consistent process must be adopted for the management of details of disposed assets.

Responsibility
IT Helpdesk

Sr.
6

Finding
Currently, there are no standard operating procedures defined for Software License Management through Tivoli. The license details are maintained through Tivoli; however, for the identified samples (EMC_10) and (Compaq_1) it was noted that the issue date was recorded as a date in the year 1899, which the auditee agreed was incorrect. Currently, there is no alert mechanism or process for tracking the renewal of the software licenses.

Nature of Deficiency
Design and Implement

Risk
Lack of documentation may result in inconsistencies in the process. Lack of an alert mechanism for tracking renewal of licenses may result in usage of unlicensed software, resulting in operational risk.

Priority
Medium

Recommendation
Standard operating procedures should be defined for Software License Management through Tivoli. The correct issue and expiry dates in the license details should be updated in the Tivoli application. Also, renewal of the licenses must be tracked through the Tivoli application.

Responsibility
IT Helpdesk
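The capacity monitoring findings above (the Antivirus server, the SQL database and the HP-UX host) all come down to the same three checks: is a health checklist recorded for every trading day, did every threshold breach produce an alert and an RCA, and is utilization trending towards the threshold. The following is an added example (not part of the audit report, and not code from Tivoli, USE or BSE) that runs those checks over a set of daily CPU readings. The 30% BOD threshold and the 36% reading on March 19th 2013 are from the report; every other reading, the Reading record, the alert/RCA flags and the weekday-only trading calendar are constructed for the example, and exchange holidays are not modelled. One caveat the calendar surfaces: four of the seven dates the report lists without checklists (March 9th, 10th, 16th and 17th 2013) fall on a Saturday or Sunday, so under a weekday-only calendar only March 8th, 13th and 14th are reported as gaps.

```python
"""Capacity monitoring checks over daily CPU readings (added example; the 30%
threshold and the 36% reading on 2013-03-19 are from the audit report, all
other readings and the trading calendar are constructed)."""
import math
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterator, List, Optional


@dataclass(frozen=True)
class Reading:
    day: date
    cpu_pct: Optional[float]      # None when no health checklist exists for that day
    alert_raised: bool = False
    rca_done: bool = False


def trading_days(start: date, end: date) -> Iterator[date]:
    """Assumption: Monday to Friday are trading days; exchange holidays are not modelled."""
    day = start
    while day <= end:
        if day.weekday() < 5:
            yield day
        day += timedelta(days=1)


def missing_checklists(readings: List[Reading], start: date, end: date) -> List[date]:
    """Trading days in [start, end] with no recorded reading, i.e. no health checklist."""
    covered = {r.day for r in readings if r.cpu_pct is not None}
    return [d for d in trading_days(start, end) if d not in covered]


def unhandled_breaches(readings: List[Reading], threshold: float) -> List[Reading]:
    """Readings above the threshold that did not get both an alert and an RCA."""
    return [
        r for r in readings
        if r.cpu_pct is not None and r.cpu_pct > threshold
        and not (r.alert_raised and r.rca_done)
    ]


def utilisation_slope(readings: List[Reading]) -> float:
    """Least-squares slope of CPU% against calendar day, in percentage points per day."""
    points = [(r.day.toordinal(), r.cpu_pct) for r in readings if r.cpu_pct is not None]
    n = len(points)
    if n < 2:
        return 0.0
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    return sxy / sxx if sxx else 0.0


def days_until(readings: List[Reading], level: float) -> Optional[int]:
    """Days after the latest reading until the trend reaches `level`; None if not rising."""
    latest = max((r for r in readings if r.cpu_pct is not None), key=lambda r: r.day)
    if latest.cpu_pct >= level:
        return 0
    slope = utilisation_slope(readings)
    if slope <= 0:
        return None
    return math.ceil((level - latest.cpu_pct) / slope)


CPU_THRESHOLD = 30.0   # BOD CPU threshold quoted from the HP-UX administrator's manual

# Constructed sample for 4-20 March 2013. Only the 36% on 19 March is from the
# report; the weekday gaps on 8, 13 and 14 March mirror the dates it lists.
SAMPLE = [
    Reading(date(2013, 3, 4), 22), Reading(date(2013, 3, 5), 23),
    Reading(date(2013, 3, 6), 21), Reading(date(2013, 3, 7), 25),
    Reading(date(2013, 3, 11), 27), Reading(date(2013, 3, 12), 26),
    Reading(date(2013, 3, 15), 30),
    Reading(date(2013, 3, 18), 33, alert_raised=True, rca_done=True),
    Reading(date(2013, 3, 19), 36),                     # breach, no alert, no RCA
    Reading(date(2013, 3, 20), 34, alert_raised=True),  # alerted but no RCA recorded
]

if __name__ == "__main__":
    gaps = missing_checklists(SAMPLE, date(2013, 3, 4), date(2013, 3, 20))
    print("no checklist:", [d.isoformat() for d in gaps])
    print("unhandled breaches:", [r.day.isoformat() for r in unhandled_breaches(SAMPLE, CPU_THRESHOLD)])
    print(f"trend: {utilisation_slope(SAMPLE):.2f} pct-points/day; "
          f"about {days_until(SAMPLE, 90)} days to 90%")
```

On the sample, the checks report the three weekday gaps, flag March 19th (no alert) and March 20th (alert but no RCA) while accepting March 18th, and project from the rising trend roughly how many days remain before a higher level such as the 90% Tivoli threshold would be reached. A breach is only treated as handled when both the alert and the RCA are recorded, which is the evidence the report asks for; a reading exactly at the threshold is not a breach, so the comparison is strict.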

ANNEXURE 1 VULNERABILITY ASSESSMENT

1. HP Data Protector Remote Command Execution (V01)

Vulnerable Systems

Details of Vulnerability

Observation

Risk

Priority

Recommendation

Responsibility

Management response

ANNEXURE 2 SUPPORTING DOCUMENTS REFERRED