Circular No. MCX-SX/CTCL/363/2010 | May 31, 2010

System Audit requirement for CTCL / IBT / DMA / ATF trading facility for the period April 1, 2009 to March 31, 2010
In terms of the provisions of Rules, Bye-Laws and Regulations of MCX Stock Exchange Limited (hereinafter referred to as ‘the Exchange’) and in continuation to the Exchange’s circulars MCX-SX/CTCL/8/2008 dated October 4, 2008, MCX-SX/CTCL/9/2008 dated October 4, 2008, MCX-SX/IT/47/2008 dated January 5, 2009, MCX-SX/CTCL/305/2010 dated March 9, 2010 and MCX-SX/CTCL/306/2010 dated March 9, 2010, Members of the Exchange are notified as under:
Members using the CTCL / IBT / DMA / ATF facility (hereinafter referred to as ‘CTCL facility’) are advised to introduce a requirement of regular audit of their systems. The systems audit shall cover, besides the requirements specified in respect of systems audit under CISA or any other professional code of conduct, compliance of systems with the Rules, Regulations and Bylaws of the Exchange and with the circulars / instructions / undertakings pertaining to CTCL / IBT / DMA / ATF systems issued by SEBI and the Exchange from time to time. The audit shall be conducted for the purpose of and with the objective of identifying system inadequacies / deficiencies, if any, based on compliance requirements, and the implications of such inadequacies. The audit shall be conducted by a CISA/CISSP/ISA certified auditor who shall be independent of the empanelled vendors of the Exchange and/or Partners/Directors of the Trading Members.
The audit shall broadly cover the following areas/aspects:

- Existing features and system parameters implemented in the trading system.
- Identify the adequacy of input, processing and output controls.
- Identify the adequacy of the application security so that it is commensurate to the size and nature of the application.
- Event logging and system monitoring.
- User management.
- Password policy/standards.
- Test of adherence to policies.
- Network management and controls.
- Change management and version controls.
- Backup systems and procedures.
- Business continuity and disaster recovery plan.
- Documentation for system processes.
- Security features such as access control, network firewalls and virus protection measures.
- Any other area/aspect which may be material for inclusion in the audit certificate and/or which may be specified by the Exchange from time to time.
Members are required to submit the System Audit Report for the year ended March 31, 2010 on or before July 31, 2010 to the Membership Department of the Exchange.
Members may please note the following points:

- The format of the system audit report is made available in Annexure 1. Members should ensure that the audit report submitted by them is strictly in accordance with the format specified. Any deviation in the format of the report would lead to rejection of the submission.
- The System Audit Report should be on the letterhead of the System Auditor. Annexure 1 of the System Audit Report should specify the name of the trading member and specifically state that “System Audit Report is for the period from April 1, 2009 to March 31, 2010.”
- The system audit report certificate shall contain the Name and Registration No. of the CISA/CISSP/ISA certified system auditor along with the Stamp / Seal, place and date at the end of the report. Additionally, all the pages of the system audit report should be stamped and signed by the auditor.
- It is mandatory for the auditors to provide their ratings / remarks / recommendations on all the points of Part A. Further, auditors are required to provide their recommendations on all points of Part C, wherever not complied. Additionally, auditors are required to give ratings ‘Strong’, ‘Medium’ and ‘Weak’ on all points of the Summary Sheet of Annexure 2 except where indicated as Not Applicable.
- Members may also note that in case of multiple branches audited, the audit report should clearly state that all the branches where CTCL facility is provided have been audited and ONE consolidated report has been submitted for all segments.
- The System Auditor should be independent of the Empanelled vendors of the Exchange and/or partners/Directors of the Trading Members. The system auditor should categorically certify in the report that – “There is no conflict of interest with respect to the member being audited. If any such instance arises, it shall be brought to the notice of the Exchange immediately before undertaking the audit”.
- The Network Diagram should be duly certified by the empanelled CTCL vendors of the Exchange from whom the Trading Member has taken the CTCL facility. A Network Diagram certified by the Member himself or by anyone other than Exchange empanelled CTCL vendors would be treated as non-submission and penalty would be levied accordingly.
- In case it is difficult to represent the location of nodes in diagram form due to the large number of nodes connected to the server, the details of nodes along with the Network Diagram can be submitted in the following format:

  | Sr. No. | Server Location | Particulars of Node Connected to Server | Location of node |
  |---|---|---|---|

  The details of nodes as per the above format should be certified by the empanelled CTCL vendors of the Exchange. Accordingly, the above-mentioned details of nodes certified by the Member himself or by anyone other than Exchange empanelled CTCL vendors would be treated as non-submission and penalty would be levied accordingly.
- Trading Members who are providing Internet trading facility are required to submit a valid SSL certificate for the website registered with the Exchange for IBT.
- If the Trading Member has taken the CTCL facility but no trading has been done using the CTCL facility during the year ended March 31, 2010, the Trading Member is not required to submit the System Audit Report, Network Diagram and SSL certificate. In this case, the Trading Member has to submit an undertaking stating that no trade has taken place during the year ended March 31, 2010. The undertaking should be on the letterhead of the member and be affixed with the common seal of the company. In case of a wrong undertaking submitted by the Trading Member, suitable disciplinary action may be initiated against such Trading Member.
- Late submission charges of Rs. 100/- per day w.e.f. August 01, 2010 will be levied on members failing to submit the system audit report on or before July 31, 2010. Further, w.e.f. September 01, 2010, members shall render themselves liable for withdrawal of trading facility through CTCL for non-submission of the system audit report.
Non-compliant members shall render themselves liable for action, besides that enumerated above, as may be deemed fit by the Exchange.

The Trading Members are once again advised to submit the System Audit Report, Network Diagram & SSL certificate for the year ended March 31, 2010 latest by July 31, 2010 at the following address:

Membership Department
MCX Stock Exchange Limited
2nd Floor, Exchange Square
Suren Road, Chakala, Andheri (East)
Mumbai – 400 093.

For any clarifications kindly contact Customer Service on 022 - 67319010 or send an email to customerservice@mcx-sx.com.

For and on behalf of
MCX Stock Exchange Ltd.

Mukesh Desai
Manager, Market Operations-CTCL
Annexure 1
System Audit Report - Format
(ON THE LETTERHEAD OF THE SYSTEM AUDITOR)

DATE:
NAME OF TRADING MEMBER:

SYSTEM AUDIT REPORT FOR THE PERIOD FROM April 1, 2009 TO March 31, 2010
Part A

| Controls / Processes | Test Case | Results, Observations & Control Risk | Auditor’s Risk |
|---|---|---|---|
| The installed CTCL system features are as prescribed by the MCX-SX. | Risk Management Tools | Results | Opinions |
| The installed CTCL system parameters are as per MCX-SX norms | CTCL Version | Results | Opinions |
| Trading Process: The installed CTCL system allows for placing of trades only for authorized clients | Client ID Verification: Only duly authorized clients’ orders are allowed to be placed. | Results | Opinions |
| | Proprietary order entry mechanism: Order entry for Pro types of orders is executed through specific user ids. | Results | Opinions |
| Risk Management: The installed CTCL system is capable of assessing the risk of the client as soon as the order comes in and informs the client of acceptance/rejection of the order within a reasonable period. | Order Parameters: There is online risk assessment of all orders placed through the CTCL system. | Results | Opinions |
| Order / Trade Limit Controls: The installed CTCL system provides a system based control facility on the trading limits of the clients and exposures taken by the clients, including set pre-defined limits on the exposure and turnover of each client. | Only orders that are within the parameters specified by the risk management systems are allowed to be placed | Results | Opinions |
| Order Reconfirmation Facility: The installed CTCL system provides for reconfirmation of orders which are larger than that specified by the member’s risk management system. | The system has a manual override facility for allowing orders that do not fit the system based risk control parameters | Results | Opinions |
| Execution of Orders / Order Logic: The installed CTCL system provides a system based control facility over the order input process | Order Numbering Methodology: If the system is enabled for internet trading, the system has an internal unique order numbering system | Results | Opinions |
| | Order Matching: The system does not have any order matching function and all orders are passed on to the exchange trading system for matching | Results | Opinions |
| Application Access Control: The installed CTCL system provides a system based access control over the CTCL server as well as the risk management and front end dealing applications while providing for security | Access controls | Results | Opinions |
| Session Security: The installed CTCL system provides for session security for all sessions established with the CTCL server by the front end application. | Session Security: (a) The system uses session identification and authentication measures to restrict sessions to authorized users only. (b) The system uses session security measures like encryption to ensure confidentiality of sessions initiated. | Results | Opinions |
| Database Security: The installed CTCL system has sufficient controls over the access to and integrity of the database | Database Security: (a) Access to the CTCL database is allowed only to authorized users / applications. (b) The CTCL database is hosted on a secure platform. (c) The CTCL database stores the user names / passwords securely. | Results | Opinions |
| Encryption: The installed CTCL system uses confidentiality protection measures to ensure session confidentiality. | Session Encryption: (a) The system uses SSL or similar session confidentiality protection mechanisms. (b) The system uses a secure storage mechanism for storing usernames and passwords. (c) The system adequately protects the confidentiality of the user’s trade data. | Results | Opinions |
| The installed CTCL system provides a system based event logging and system monitoring facility which monitors and logs all activities / events arising from actions taken on the gateway / database server, authorized user terminal and transactions processed for clients or otherwise, and the same is not susceptible to manipulation. | The installed CTCL system has a provision for on-line surveillance and risk management as per the requirements of MCX-SX and includes | Results | Opinions |
| | The installed CTCL system has a provision for off-line monitoring and risk management as per the requirements of MCX-SX and includes reports / logs on | Results | Opinions |
| The installed CTCL system has a User Management system as per the requirements of the MCX-SX. | Approved Users: Only users approved by the MCX-SX are allowed to access the CTCL system, and documentation regarding the same is maintained in the form of (a) User Approval Application, (b) Copy of User Qualifications | Results | Opinions |
| | User Creation: New CTCL User IDs are created as per the CTCL guidelines. | Results | Opinions |
| | User ID: All users are uniquely identified through issue of unique CTCL ids. | Results | Opinions |
| | User Disablement: Users not compliant with the Exchange Requirements are disabled and event logs maintained | Results | Opinions |
| | User Deletion: Users are deleted as per the MCX-SX guidelines | Results | Opinions |
| | Reissue of User Ids: User Ids are reissued as per the MCX-SX guidelines. | Results | Opinions |
| | Locked User Accounts: Users whose accounts are locked are unlocked only after documented unlocking requests are made. | Results | Opinions |
| The installed CTCL system Authentication mechanism is as per the guidelines of the MCX-SX | The installed CTCL system uses passwords for authentication. | Results | Opinions |
| | The password policy / standard is documented. | Results | Opinions |
| | The system requests for identification and new password before login into the system. | Results | Opinions |
| | The Password is masked at the time of entry. | Results | Opinions |
| | System mandated changing of password when the user logs in for the first time. | Results | Opinions |
| | Automatic disablement of the user on entering an erroneous password on three consecutive occasions. | Results | Opinions |
| | Automatic expiry of password on expiry of 14 calendar days. | Results | Opinions |
| | System controls to ensure that the password is alphanumeric (preferably with one special character), instead of just being alphabets or just numerical. | Results | Opinions |
| | System controls to ensure that the changed password cannot be the same as the last password | Results | Opinions |
| | System controls to ensure that the Login id of the user and the password are not the same. | Results | Opinions |
| | System controls to ensure that the Password is of minimum six characters and not more than twelve characters. | Results | Opinions |
| | System controls to ensure that the Password is encrypted at the member’s end so that employees of the member cannot view the same at any point of time. | Results | Opinions |
| Vendor Certified Network diagram | Date of submission of network diagram to MCX-SX (Only in case of change in network setup, the member needs to submit a revised scanned copy of the network diagram along with this report) | Results | Opinions |
| | Verify number of nodes in diagram with actual | Results | Opinions |
| | Verify location(s) of nodes in the network | Results | Opinions |
| Physical Security | Are adequate provisions in place in respect of physical security of the hardware / systems at the hosting location and controls on admission of personnel into the location (audit trail of all entries-exits at location etc.)? | Results | Opinions |
| The installed CTCL system’s backup capability is adequate as per the requirements of the MCX-SX for overcoming loss of product integrity. | Are backups of the following system generated files maintained as per the MCX-SX guidelines? | Results | Opinions |
| | At the CTCL user level: Market Watch; Logs; History; Reports; Audit Trails | Results | Opinions |
| | Are backup procedures documented and backup logs maintained? | Results | Opinions |
| | Have the backups been verified and tested? | Results | Opinions |
| | Are the backup media stored safely in line with the risk involved? | Results | Opinions |
| | Are there any recovery procedures and have the same been tested? | Results | Opinions |
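The authentication rows of Part A above prescribe concrete password controls: a mandatory change at first login, disablement after three consecutive wrong passwords, expiry after 14 calendar days, six to twelve alphanumeric characters, no reuse of the last password, a login id distinct from the password, and storage that member staff cannot read. The following Python is an added example of how an auditor might model those controls to test a system against them; it is not code from the circular, the Exchange or any CTCL vendor, and the function names, the `Account` class and the sample user id and dates are this example's own assumptions.

```python
# Password controls from Part A of the circular, modelled as a small policy engine. The
# constants encode the limits as the circular states them; the function, class and sample
# names are this example's own assumptions, not anything from the Exchange or a CTCL vendor.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LEN, MAX_LEN = 6, 12   # "minimum six characters and not more than twelve characters"
EXPIRY_DAYS = 14           # "automatic expiry of password on expiry of 14 calendar days"
MAX_FAILURES = 3           # "erroneous password on three consecutive occasions"

def stored_form(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest kept in place of the password, so that employees at the
    member's end cannot view it (the 'encrypted at members end' control)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def policy_violations(login_id: str, password: str, salt: bytes,
                      previous: Optional[bytes] = None) -> List[str]:
    """Return the password-standard rules that `password` breaks; empty means compliant.
    The circular's 'preferably with one special character' is advisory and not enforced."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be 6 to 12 characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("password must be alphanumeric, not only letters or only digits")
    if password.lower() == login_id.lower():
        problems.append("login id and password must not be the same")
    if previous is not None and hmac.compare_digest(stored_form(password, salt), previous):
        problems.append("changed password cannot be the same as the last password")
    return problems

@dataclass
class Account:
    """One CTCL user id with the state the Part A authentication controls need."""
    login_id: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: Optional[bytes] = None
    changed_at: Optional[datetime] = None
    must_change: bool = True   # a freshly issued password must be changed at first login
    failures: int = 0          # consecutive wrong passwords since the last good one
    disabled: bool = False

    def set_password(self, new_password: str, now: datetime, *, issued_by_admin: bool = False) -> None:
        """Apply the policy and store the new password; raises ValueError listing every violation."""
        problems = policy_violations(self.login_id, new_password, self.salt, self.pw_hash)
        if problems:
            raise ValueError("; ".join(problems))
        self.pw_hash = stored_form(new_password, self.salt)
        self.changed_at = now
        self.must_change = issued_by_admin   # an admin-issued password is provisional

    def login(self, password: str, now: datetime) -> str:
        """Outcome of one attempt: 'ok', 'change-required', 'expired', 'bad-password' or 'disabled'."""
        if self.disabled:
            return "disabled"
        if self.pw_hash is None or not hmac.compare_digest(stored_form(password, self.salt), self.pw_hash):
            self.failures += 1
            if self.failures >= MAX_FAILURES:   # third consecutive failure: automatic disablement
                self.disabled = True
                return "disabled"
            return "bad-password"
        self.failures = 0                       # a correct password resets the consecutive count
        if now - self.changed_at >= timedelta(days=EXPIRY_DAYS):
            return "expired"                    # password has lapsed; a new one must be set
        if self.must_change:
            return "change-required"            # first login after issue: change before trading
        return "ok"

def walkthrough() -> List[str]:
    """Run one constructed user id through the controls and return the login outcomes."""
    t0 = datetime(2010, 4, 1)                   # constructed dates inside the audit period
    acct = Account("DEALER01")                  # constructed sample user id
    acct.set_password("Start2010", t0, issued_by_admin=True)
    out = [acct.login("Start2010", t0)]         # change-required
    acct.set_password("Apr#2010a", t0)
    out.append(acct.login("Apr#2010a", t0 + timedelta(days=13)))   # ok
    out.append(acct.login("Apr#2010a", t0 + timedelta(days=14)))   # expired
    out += [acct.login("wrong01", t0) for _ in range(MAX_FAILURES)]  # bad, bad, disabled
    out.append(acct.login("Apr#2010a", t0))     # stays disabled even with the right password
    return out
```

`walkthrough()` returns the sequence of outcomes an auditor would expect to observe on a system that implements these rows; each deviation points at the specific control that failed.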
Part B

| Controls / Processes | Test Case | Results, Observations & Control Risk | Auditor’s Opinion |
|---|---|---|---|
| The installed CTCL system features are as prescribed by the MCX-SX. | Main Features. Price Broadcast: The system has a feature for receipt of price broadcast data | Results | Opinions |
| | Order Processing: The system has a feature: | Results | Opinions |
| | Trade Confirmation: The system has a feature which enables confirmation of trades | Results | Opinions |
| The installed CTCL system parameters are as per MCX-SX norms | Gateway Parameters, Market Segment – CDS: CTCL ID; IP Address (MCX-SX Network); VSAT ID; Leased Line ID | Results | Opinions |
| Execution of Orders / Order Logic: The installed CTCL system provides a system based control facility over the order input process | Order Entry: The system has order placement controls that allow only orders matching the system parameters to be placed. | Results | Opinions |
| | Order Modification: The system allows for modification of orders placed. | Results | Opinions |
| | Order Cancellation: The system allows for cancellation of orders placed | Results | Opinions |
| | Order Outstanding Check: The system has a feature for checking the outstanding orders, i.e. the orders that have not yet traded or have partially traded. | Results | Opinions |
| Trades Information: The installed CTCL system provides a system based control facility over the trade confirmation process | Trade Confirmation and Reporting Feature: Should allow confirmation and reporting of the orders that have resulted in trade | Results | Opinions |
| Settlement of Trades: The installed CTCL system provides system based reports on contracts, margin requirements, payment and delivery obligations | Margin Reports feature: Should allow for the reporting of client wise / user wise margin requirements as well as payment and delivery obligations. | Results | Opinions |
| Additional Access Control Security: The installed CTCL system provides a dual factor authentication system for access to the various CTCL components. | Extra Authentication Security: (a) The system uses additional authentication measures like smart cards, biometric authentication or tokens etc. (b) The system has a second level of password control for critical features | Results | Opinions |
| To ensure information security for the Organisation in general and the installed CTCL system in particular, policy and procedures as per the MCX-SX requirements must be established, implemented and maintained. | Do the organization’s documented policy and procedures include the following policies and, if so, are they in line with the MCX-SX requirements? Information Security Policy; Password Policy; User Management and Access Control Policy; Network Security Policy; Application Software Policy; Change Management Policy; Backup Policy; BCP and Response Management Policy; Audit Trail Policy | Results | Opinions |
| | Does the organization follow any other policy or procedures or documented practices that are relevant? | Results | Opinions |
| Does the Organisation have a suitable documented Business Continuity or Disaster Recovery or Incident Response process commensurate with the organization size and risk profile to ensure a high degree of availability of the installed CTCL system | Is there any documentation on Business Continuity / Disaster Recovery / Incident Response? | Results | Opinions |
| | Does a BCP / DRP plan exist? If a BCP/DRP plan exists, has it been tested? | Results | Opinions |
| | Are there any documented incident response procedures? | Results | Opinions |
| | Are there any documented risk assessments? | Results | Opinions |
| | Does the installation have a Call List for emergencies maintained? | Results | Opinions |
| How will the organization assure customers prompt access to their funds and securities in the event the organization determines it is unable to continue its business in the primary location | Network / Communication Link Backup: Is the backup network link adequate in case of failure of the primary link to the MCX-SX? | Results | Opinions |
| | Is the backup network link adequate in case of failure of the primary link connecting the CTCL users? | Results | Opinions |
| | Is there an alternate communications path between customers and the firm? | Results | Opinions |
| | Is there an alternate communications path between the firm and its employees? | Results | Opinions |
| | Is there an alternate communications path with critical business constituents, banks and regulators? | Results | Opinions |
| The CTCL system has been installed after complying with the various MCX-SX circulars | Copy of Undertaking provided regarding the CTCL system as per relevant circulars | Results | Opinions |
| | Copy of application of approval for Internet Trading, if any | Results | Opinions |
| Insurance | The insurance policy of the Member covers the additional risk of usage of CTCL and/or Internet Trading | Results | Opinions |
| To ensure system integrity and stability, all changes to the installed CTCL system are planned, evaluated for risk, tested, approved and documented. | Planned Changes: Are changes to the installed CTCL system made in a planned manner? Are they made by duly authorized personnel? | Results | Opinions |
| | Risk Evaluation Process: Is the risk involved in the implementation of the changes duly factored in? | Results | Opinions |
| | Change Approval: Is the implemented change duly approved and the process documented? | Results | Opinions |
| | Pre-implementation process: Is the change request process documented? | Results | Opinions |
| | Change implementation process: Is the change implementation process supervised to ensure system integrity and continuity? | Results | Opinions |
| | Post implementation process: Is user acceptance of the change documented? | Results | Opinions |
| | Unplanned Changes: In case of unplanned changes, are the same duly authorized and the manner of change documented later? | Results | Opinions |
| | In case of member’s self developed CTCL system: SDLC documentation and procedures if the installed CTCL system is developed in-house. | Results | Opinions |
| How will the organization assure customers prompt access to their funds and securities in the event the organization determines it is unable to continue its business in the primary location | System Failure Backup: Are there suitable backups for failure of any of the critical system components like | Results | Opinions |
| | Infrastructure breakdown backup: Are there suitable arrangements made for the breakdown in any infrastructure components like Electricity; Water; Air Conditioning | Results | Opinions |
| | Primary Site Unavailability: Has any provision for alternate physical location of employees been made in case of non-availability of the primary site? | Results | Opinions |
| | Disaster Recovery: Are there suitable provisions for Books and records backup and recovery (hard copy and electronic)? | Results | Opinions |
| | Have all mission-critical systems been identified and provision for backup for such systems been made? | Results | Opinions |
| Are documented practices available for various system processes | Day Begin; Day End; Other system processes: Audit Trails; Access Logs; Transaction Logs; Backup Logs; Alert Logs; Activity Logs; Retention Period; Misc | Results | Opinions |
| Is a log of success / failure of the process maintained? In case of failure, is there an escalation procedure implemented? | Day Begin; Day End; Other system processes. Details of the various response procedures including for: Access Control failure; Day Begin failure; Day End failure; Other system Processes failure | Results | Opinions |
| Firewall | Is a firewall implemented? | Results | Opinions |
| Anti virus | Is a malicious code protection system implemented? If Yes, then: Are the definition files up-to-date? Any instances of infection? Last date of virus check of entire system | Results | Opinions |
PART - C

| Sr. No. | Area of Audit | Compliance Part C | Remarks (if “No”) |
|---|---|---|---|
| 1 | Whether the required details of all the CTCL ids created in the CTCL server of the trading member, for any purpose (viz. administration, branch administration, mini-administration, surveillance, risk management, trading, view only, testing, etc.) and any changes therein, have been uploaded as per the requirement of the Exchange? If no, please give details | YES / NO | |
| 2 | Whether all the CTCL user ids created in the CTCL server of the trading member have been mapped to 12 digit codes on a one-to-one basis and a record of the same is maintained? If no, please give details | YES / NO | |
DECLARATION:

I) All the branches where CTCL facility is provided have been audited and ONE consolidated report has been submitted for all segments.

II) There is no conflict of interest with respect to the member being audited. If any such instance arises, it shall be brought to the notice of the Exchange immediately before undertaking the audit.

_______________________________
Signature
(Name of the Auditor & Auditing firm)
CISA/CISSP/ISA Reg. No. :
Date:
Place:
Stamp/Seal:
Annexure - 2
SUMMARY SHEET

NAME OF THE AUDIT FIRM: __________________________________________________

| Sr. No. | Area of Audit | Compliance Part A (S / M / W) | Compliance Part B (S / M / W) | Report Reference |
|---|---|---|---|---|
| 1 | Are existing features and system parameters implemented in the CTCL system in place at the member’s premises | | | |
| 2 | Are input, processing and output controls in respect of CTCL operations adequate | | | |
| 3 | Is the application security commensurate to the size and nature of application | | | |
| 4 | Is Event logging and system monitoring observed | | | |
| 5 | Are User management norms defined and observed | | NA | |
| 6 | Are Password policy/standards defined and observed | | NA | |
| 7 | Are working processes in adherence with the policies and procedures defined | | NA | |
| 8 | Is the Network managed adequately in relation to size and nature of operations and are necessary controls present | | NA | |
| 9 | Are Change management and version controls documented and practiced | NA | | |
| 10 | Are Backup systems present, of adequate size and are procedures for backup prescribed | | NA | |
| 11 | Is there a Business continuity and disaster recovery plan in place and made known to all employees | NA | | |
| 12 | Is documentation for system processes maintained | NA | | |
| 13 | Are Security features such as access control, network, firewalls and virus protection present and updated regularly | NA | | |
| 14 | Is there any other area/aspect which in the auditor’s opinion is not complied with and which is significant and material in relation to the size and the nature of the operations | NA | | |
Note: Process Area Controls Evaluation Criteria

| Control Evaluation Criteria | Description |
|---|---|
| Strong | The controls are defined as Strong if the following criteria are met: implemented controls fully comply with the stated objectives and no material weaknesses are found. |
| Medium | The controls are defined as Medium if the following criteria are met: implemented controls substantially comply with the stated objectives and no material weakness results in substantial risk exposure due to the non-compliance with the criteria; compensatory controls exist which reduce the risk exposure to make it immaterial vis-à-vis the non-compliance with the criteria. |
| Weak | The controls are defined as Weak if the following criteria are met: implemented controls materially fail to comply with the stated control objectives; compensating controls fail to reduce the risk so as to make it immaterial vis-à-vis the non-compliance with the compliance criteria. |
Registered & Corporate office: MCX Stock Exchange Limited, 2nd Floor, Exchange Square, Suren Road, Chakala, Andheri (East), Mumbai – 400 093. Tel.: 022 – 67319010, Fax: 022 – 6731 9103. www.mcx-sx.com, email: customerservice@mcx-sx.com