MSEI - System Audit Report - 2014

Metropolitan Stock Exchange of India Ltd.
(MSEI)
(formerly known as MCX Stock Exchange Ltd.)
Follow Up Audit Report on

Information Systems Audit 2014
September 18, 2015
Contents
Slide 2
1.
Context setting & background
2.
Scope of work
3.
Approach & methodology
4.
Executive summary
5.
Detailed observations
6.
Disclaimer
(Privileged and Confidential)
BUSINESS CONTEXT
TIMELINES
Audit Coverage
1 January 2014 to 31 December 2014
Audit conducted during the period
25 February 2015 to 6 April 2015
Draft Report issued on
29 April 2015
Final Report issued on
12 June 2015
Draft Follow Up Audit Report issued on
18 September 2015
Final Follow Up Audit Report issued on
Scope Exclusion & Limitations

Testing of transactions is based on the prevailing systems and procedures as on date of audit, and the exceptions noted are
included in the report. Our Information Systems Audit is not designed to address the risk of frauds. The recommendations for
improvement are suggestive and it is the prerogative of the management for implementation.
Slide 4
CONTEXT SETTING AND BACKGROUND

Metropolitan Stock Exchange Of India Ltd. (MSEI) is recognised by Securities and Exchange Board of
India (SEBI). It offers an electronic, transparent and hi-tech platform for trading in Capital Market,
Futures & Options, Currency Derivatives and Debt Market segments. The clearing and settlement of
trades done on the Exchange are conducted through a separate clearing corporation MCX-SX Clearing
Corporation Ltd.
MSEIs ability to use and apply technology efficiently is a key factor in the development of its
business. The exchanges technology framework is designed to provide high availability for all critical
components, which guarantees continuous availability of trading facilities. The robust technology
infrastructure of the exchange, along with its with rapid customisation and deployment capabilities
enables it to operate efficiently with fast order routing, immediate trade execution, trade reporting,
real-time risk management, market surveillance and market data dissemination. MSEI is certified with
ISO 27001: 2005 Information Security Standard along with ISO 9001:2008 for Quality Management
System and ISO 14001:2004 Environment Management System.
Keeping in view the rapid technological developments in the Securities Markets, MSEI wanted to
engage an independent audit firm to carry out comprehensive systems audit.
Towards this end, we , Haribhakti & Co. LLP, Chartered Accountants were awarded the above
mentioned contract and had submitted the detailed report on 12 June 2015. We carried out the follow
up audit in the month of September 2015 and are privileged to present the report to the Management.
Slide 5
SCOPE OF WORK
SCOPE FOR INFORMATION SYSTEMS AUDIT

We have covered the following systems related to MSEIs market operations.
The following applications are covered for IT related review:
Trading
Monitoring and Surveillance
Membership
Listing
General Controls
Information Security Policy review and Quality of Implementation
Application Security Controls
- Segregation of duties
- Audit Logging
- Database controls
- Application access controls
- User Management etc.
Physical and Environmental Controls related to Data Centre
Maintenance of IT Facility and Infrastructure
Fault resolution mechanism
Folder sharing & back up controls- safeguard critical information on local desk top
Review of Incident Management Process and Records
Slide 7

Change Management Controls
Management of changes related to software / hardware
Development/Test/ production environment - Segregation
user awareness
Processing of new change request
Fault reporting/tracking mechanism & process of resolution.
Testing of new releases / bug fixes - testing process
Version control -History, change management process etc.
New release in Production-Promotion, Release note approvals.
Production issues/ disruptions reported during last year & corrective actions taken.
Data Communication / Network Controls including

Network Administration
Redundancy, Monitoring, Breakdown resolution etc.
WAN Management- Connectivity provision for business continuity.
Encryption - Router based as well as during transmission
Connection permission - Restriction on need to have basis.
Fall back mechanism - Dial up connections controls etc.
Hardware based signing process
Incidents of access violations in last year & corrective actions taken.
Slide 8

Security Controls General office Infrastructure
Access Policy and Controls
Vulnerability Assessment and Penetration Testing of Critical Infrastructure
LAN security control & monitoring.
OS & database security controls & monitoring
Internet connections controls - Firewall protection, Intrusion Detection system, access
rights & privileges.
Virus protection - Controls to mitigate the virus attack/outbreaks
Secured (digitally signed) communication (electronic) with others entities like SEBI,
others partner.
Controls over Email Archival Process and Management.
Incidents of security violations in last year & corrective action taken.
Electronics Document Management
General access Controls
Slide 9

Performance Audit
Comparison of changes in transaction volumes since previous audit
Review of systems (hardware, software, network) performance over a period.
Review of the current volumes against the last performance test performed.
Review of Business Continuity / Disaster Recovery Plan and Process

BCP and DR Plan including Business impact Analysis
Risk assessment & DR process.
Implementation of policies
Back-up procedures & recovery mechanism using backups.
Storage of Back up (Remote site, DRS etc.)
Redundancy- Equipment, network, Site, etc.
DRS installations and Drills - management statement on targeted resumption capability
(in terms of time required & extent of loss of data)
Evidence of achieving the set targets during DRS drills in event of various disasters
scenarios.
Review of any actual event when the DR/BCP was invoked during the year.
Slide 10

IT Asset Management and IT Support
Utilization monitoring
Capacity Planning - including projections of business volumes
IT(S/W, H/W & N/W) assets, licenses & maintenance contracts
Insurance
Disposal- Equipment, media, etc.
IT Service Desk Support
Electronic Waste Disposal
Asset identification and classification and labelling
Asset ownership and accountability
Asset inventorization
DMZ and Network Architecture Design Review
Audit the existing network architecture.
Audit the configurations of critical network components such as firewall, IDS, routers,
switches etc.
Audit the updations / upgrades.
Check the Log review process, check whether network scanning /monitoring is done on
regular basis for the denial of service attack as well as other intrusion and spyware.
Slide 11

VPN Configuration Review
User management
Authentication / authorization over VPN connections
Log monitoring and review
Security Controls implemented on VPN device
IT Vendor Selection and Management
Identification of eligible vendors

Dissemination process of RFPs
Definition of criteria of evaluation
Process of competitive analysis
Approach for selection
E-Mail system
Existence of policy for the acceptable use of electronic mail
Regulations governing file transfer and exchange of messages with external parties
Rules based on which e-mail addresses are assigned
Security measures implemented and procedures for changes in filtering parameters
Storage, backup and retrieval
Slide 12

Human Resource Security.
Skill requirement in the operations and management

Pre and Post Recruitment, Governance
NDAs and confidentiality agreement
Background Checks.
Training for managing systems and applications.
Review of Last Year Audit report and actions taken

Any other point as mentioned (TOR) in the SEBI circular, CIR/MRD/DMS/13/2011 dated
November 29, 2011.
Any other additional areas subsequently asked by SEBI or other regulatory bodies.
Slide 13
APPROACH & METHODOLOGY
SPECIFIC APPROACH & METHODOLOGY

Area
1
Area as per the scope
Approach & Methodology
General Controls
Policy and Procedures
User Management
Physical and
Environmental Controls
Slide 15
Incident Management
Change Management
Controls
Review the policies and procedures for the areas of information security for
coverage, approvals, communication, implementation and benchmark against the
leading security standards.
Walkthrough of the user management process for users of applications, servers,
network and network security devices, third party vendors as applicable.
Review the users from application/Servers/Firewalls/ Database against the
corresponding data received from the HR department and check the alignment of
the process with respect to documented policy and procedure.
Review the Password policy
Review the exceptions, Segregation of Duties and allocation of Sensitive Access
Review of user access against the documented authorization matrix
Take a walkthrough of the premises and sensitive areas like server room, data
centers to inspect the controls for maintaining the recommended environmental
conditions like temperature, humidity, Controls implemented for detecting fire
Review the physical and environmental controls implemented for Access Controls.
Walkthrough of the incident management process

Review the sample recorded incidents and check its compliance with the laid
down procedures.
Walkthrough of the change management process for applications/infrastructure.
Review the sample recorded change requests for the given period and
applications/supporting infrastructure under scope and check its compliance with
the laid down procedures.

Area
3, 5,
9, 10
Data Communication /
Network Controls , DMZ
and Network
Architecture Design
Review, VPN
Configuration Review,
Performance Audit
Security Controls
General office
Infrastructure
(Vulnerability Assessment
Penetration Testing)
Slide 16
Study the Network Diagram for appropriate segregation of networks, access

controls, segmentation and NATing, redundancy, adequacy etc.
Compare the network diagram against the actual set up in the DC.
Review the Hardening documents for Operating system, Database, firewall,
router, switch and compare it with the actual configuration.
Walkthrough of patch management process for Operating system, Database,
firmware
Review the set threshold limits configured
Review the process of log management
Profiling : In this stage, profiling of the target infrastructure is performed using
passive reconnaissance or non-invasive techniques such as browsing client
websites, domain-based discovery, network information from web, newsgroups
and more.
Discovery :This stage involves use of several scanning tools to identify live hosts
and active services that includes Network mapping, banner grabbing, operating
systems fingerprinting, service identification, protocol discovery and supported
versions.
Assessment : Assessment stage involves automated scanning of vulnerabilities in
network services, information systems and perimeter security controls by
enterprise class tools with most updated feeds. In addition, manual assessments
helps verify the automated scan results to eliminate the false positives.
Exploitation : This stage uses the information gathered on active ports and
services with the related vulnerabilities to safely exploit the services exposed.
Attack scenarios for production environment will use a combination of exploit
payloads in strict accordance with agreed rules of engagement.

Area
VAPT Contd
Reporting : All exploitable security vulnerabilities in the target system are

reported to the client. The identified security vulnerability is thoroughly assessed
and reported along with appropriate recommendation or mitigation measures.
Review of Business
Continuity / Disaster
Recovery Plan and
Process
IT Asset Management and
IT Support
Review the Business Continuity and Disaster Recovery Plan for Business impact
Analysis, Risk assessment & DR process
Review DRS installations and Drills
11
IT Vendor Selection and

Management
12
E-Mail system
Slide 17
Review the process of Capacity Planning and utilization monitoring

Review the process of Licenses & maintenance contracts
Review the sample of record of disposal ( Equipment, media, etc) against laid
down procedures
Review the process of Asset identification, classification and labeling and
ownership and accountability
Enquire about the process of raising the request for proposal (RFP)/ tenders
Review its alignment with the plan/ budget/ strategy
Review the compliance with the laid down procedures for the selected sample
RFP
Review the email ID nomenclature process for uniformity
Review the security measures implemented for spam mails, quota, content
filtering parameters, storage, backup and retrieval
EXECUTIVE SUMMARY
OBSERVATION AND RISK RATING CRITERIA
Risk rating
Observation rating
The observation rating criteria and risk rating criteria are as per our pre-defined
parameters, as follows:
Slide 19
Process
deficiency
PD
Observations related to absence of defined process or weakness in existing

processes. Example : Absence of periodic review of access rights
Operational
inefficiencies
OI
Observations related to non-adherence to defined process. Example : Non

adherence to change management process
System
limitation
SL
Observations related to a specific desired functionality /feature that is not

available in the current version of the system. Example : Password History
parameter is not available in the application.
Major
Nonconformity
Significant / major control gap which may result into severe financial impact
or major violation of laws and regulations.
Minor
Nonconformity
Deviations from controls, which may impact adversely or some weakness in

existing controls or non compliance with processes/ regulations
Observation
All other observations not falling under above categories
SUMMARY OF COMPLIANCE
#
Area Under Scope
Risk Rating
Total
Major
NC
Current Status
Minor
NC
Observa
tion
Closed
Open
General Controls
--
--
--
--
--
--
Change Management Controls
--
--
--
--
--
--
Data Communication / Network Controls
--
--
--
--
--
--
Security
Controls
Infrastructure
16
--
15
16
--
Performance Audit
--
--
--
--
--
--
Review of Business Continuity / Disaster

Recovery Plan and Process
--
--
--
IT Asset Management and IT Support
--
--
--
--
--
--
Slide 20
General
office
SUMMARY OF COMPLIANCE
#
Area Under Scope
Risk Rating
Total
Major
NC
Current Status
Minor
NC
Observa
tion
Closed
Open
DMZ and Network Architecture Design Review
--
--
--
--
--
--
VPN Configuration Review
--
--
--
--
--
--
--
--
--
--
--
--
10
IT Vendor Selection and Management
11
E-Mail system
--
--
--
--
--
--
12
Human Resource Security.
--
--
--
Total
18
--
16
18
--
Previous Audit Observations
--
Slide 21
SUMMARY OF FINDINGS CURRENT ASSESSMENT

The graph
remain
the same
as it is
the
presenta
tion only
18
16
14
12
10
8
15
Observation
Minor Noncompliance
Major Noncompliance
4
2
0
Slide 22
1
0
0
1
COMPLIANCE STATUS OF THE PREVIOUS AUDIT

OBSERVATIONS
STATUS OF COMPLIANCE OF THE PREVIOUS AUDIT

#
Implementation
Status
Observation
Software license & Maintenance agreement dated 25Aug-2008 established between MCX-SX and outsourced
vendor was not updated as per the present service
delivery mode
Critical elements such as periodic reports to monitor the

services outsourced , SLA measurement, penalty clause
were not defined in the "Software license & Maintenance
agreement" dated 25- Aug-2008 established between
MCX-SX and outsourced vendor.
Closed
Change management procedure "MCX-SX Exchange IT

procedure v1.5" defined and adopted by the exchange is
not comprehensive and does not include certain
elements.
Closed
Slide 24
Software escrow agreement was not established for the

core application DOME and CnS software.
Closed
In Process
Auditors Remarks
The points mentioned in the
observation are mutually
agreed between MSEI and the
outsourced vendor viz.
Financial Technologies (FT)
and a consensus is provided
by them via letter dated
12/12/2014 from FT to Sushil
Limbulkar VP IT Signed by
Mehmood Vaid Head
Exchange Technology)
confirmed on behalf of MSEI
by the director, Mr. Suniel
Vichare.
MSEI has given the draft
agreement covering these
points to FT for finalization.
The organization is in a
process of negotiating with
the identified vendor for
escrow arrangements at the
time of follow up audit.
PREVIOUS AUDIT FINDING
Report Issued By Deloitte Touche Tohmatsu (I) Pvt. Ltd on 10/09/2014

2.1.2
System Audit Finding
Recommendation
Software license & Maintenance agreement dated 25Aug-2008 established between MCX-SX and outsourced
vendor was not updated as per the present service
delivery model.
It is recommended to update the agreement to reflect

the actual services that are being outsourced.
Detailed Finding
As informed by MCX-SX and review of Software license &
Maintenance agreement dated 25-Aug-2008 established
between MCX- SX and outsourced vendor, out of 73
activities listed in Schedule III only 24 activities were
being performed by the outsourced vendor.
These changes to procured services were not updated in
the agreement.
Further during our review, it was noted that Hardware
asset management was performed by the outsourced
vendor, but the same was not listed as a part of the
outsourced service in the "Software license &
Maintenance agreement" dated 25-Aug-2008.
Closed. We have reviewed the letter dated 12/12/2014

from FT to MSEI addressed to Sushil Limbulkar VP IT
Signed by Mehmood Vaid, Head-Exchange Technology and
countersigned by the Director, Mr. Suniel Vichare, which
mentions that the points in the observation related to
updated services are mutually agreed between MSEI and
FT. MSEI has also provided us with a Management
response stating that they have given the draft
agreement covering these points to FT for finalization
and that FT has started providing the services in the
manner mentioned in the above letter to adequately
cover the risk mentioned in the previous audit report.
We will verify the final agreement during our follow-up
audit. (Please refer to page 36 of this report for details)
Risk
Follow Up Audit 16 September 2015
If the contract is not updated as per the present service

delivery model then it may lead to unstructured delivery
of service leading to accountability issues.
Mentioned risk is adequately covered through FTIL letter

dt. 12/12/2014. We have been informed by MSEI
management that, amendment in agreement is under
discussion.
Slide 25
Status As Verified By H&Co. in June 2015

2.1.3
Recommendation
Critical elements such as periodic reports to monitor the

services outsourced , SLA measurement, penalty clause
were not defined in the "Software license & Maintenance
agreement" dated 25- Aug-2008 established between
MCX-SX and outsourced vendor.
Detailed Finding
Through the review of 'Software license & Maintenance
agreement' between MCX-SX and outsourced vendor
dated 25- Aug-2008 it was noted that the outsourced
vendor has agreed to provide upgradation and
maintenance of DOME and C&S software and related
services with respect to all segments as per Schedule I
and in subsequent schedules.
Related services mentioned in Schedule III included
administration of Exchange application, data backup
management, System administration and management,
database management, network management, security
and technical help desk.
Slide 26
The legal agreement should include the following :

Clause to obtain the periodic reports from the
outsourced vendor. These reports should be reviewed
and maintained.
Database management
Health check monitoring report should include
information on but not limited to:
Optimization of resources within and the database
and operating system;
Sufficiency of existing hardware resources ; and
Status of database schema normalization or denormalization.
License upgrade monitoring report should include
information on but not limited to:
Number of database license procured versus installed;
Validity of licenses;
Details of database servers on which licenses have
been installed or procured for; and
Ownership of licenses.

2.1.3
Detailed Finding (Contd)
Recommendation (Contd)
The said agreement did not cover the following critical

points:
1) Obtaining periodic (monthly or quarterly) monitoring
reports from the outsourced vendor for below listed
services:
Network management
Maintenance report of Data center should include but
not limited to
Physical and logical access controls; and
Environmental controls.
Periodic inspection report of structured network
cabling;
Periodic report of maintenance services conducted for
MDF for LL termination;
Re-conciliation of member request to actual
configuration performed on member router for leased
connectivity;
Periodic report s from NMS tool including details on
usage of WAN and internet links with uptime; and
Periodic reports on analysis conducted for on internet
traffic to various servers at Datacenter & VSNL IDC.
This should mention if any suspicious activities were
noticed and the same shall be reported.
a)Database management
i)Health check - DBCC commands execution;
ii)License upgrades.
b)Network management
i)Services for maintenance of Data center;
ii)Services for maintenance of structured network
cabling;
iii)Services for maintenance of MDF for LL termination;
iv)Configuration of member router for leased
connectivity;
v)Monitoring of WAN and internet links with the help of
NMS tool to generate uptime and utilization reports; and
vi)Analysis of the internet traffic to various servers at
Datacenter & VSNL IDC.
Slide 27
Security
Firewall and IDS monitoring and log analysis report
should include but not be limited to:

2.1.3

c)Security
i)Monitoring the firewall;
Ii) Log analysis of firewall;
iii)Firewall and IDS policy management; and
iv)Managing firewall & IDS updates and upgrades.
2)SLA Measurement activities by MCX-SX for the below
outsourced activities:
a)System Administration and Management
i)Patch management for all Exchange resources.
List of rules configured;

List of rules changed;
Maintenance and review of firewall access logs;
Reporting and action taken on anomalies detected;
and
Updates implemented on firewall and IDS.
3)Penalty clause to be executed in case of delay in

agreed delivery of outsourced services;
4)Change Management with respect to revisions to SLA;
5)Contact details of MCX-SX representative for receiving

legal notices;
Slide 28
Detailed service level agreement should be defined,

periodically measured and documented for outsourced
activities. Service level agreement should include but
not be limited to :
List of application related changes raised versus
implemented ; and
Measurement of efficient delivery of changes as per
the category of requested change.
Penalty clause to be executed in case of delay in
agreed delivery of outsourced services should be
included in the legal agreement;
Change Management with respect to revisions of SLA
should be maintained and documented ;
Contact details of MCX-SX representative for receiving
legal notices should be included in the agreement;
Clause for conducting an audit by MCX-SX on
outsourced service provider;

2.1.3
6)Clause for conducting an

outsourced service provider
audit
by MCX-SX
on
7)Adherence to MCX-SX policies and procedures; and

8)Signing the Non-Disclosure Agreement (NDA) before the
service commencement.
Risk
Absence of critical components in the agreement may
result in unstructured service delivery and accountability
issues. This will further result in disruption of services
and may result in revenue loss.
Adherence to MCX-SX policies and procedures; and

Signing the Non-Disclosure Agreement (NDA) before
the service commencement.

Closed. We have reviewed the letter dated 12/12/2014 from
FT to MSEI addressed to Sushil Limbulkar VP IT Signed by
Mehmood Vaid, Head-Exchange Technology and countersigned
by the Director, Mr. Suniel Vichare, which mentions that the
points in the observation related to updated services are
mutually agreed between MCX-SX and FT. MSEI has also
provided us with a Management response stating that they
have given the draft agreement covering these points to FT
for finalization and that FT has started providing the
services in the manner mentioned in the above letter to
adequately cover the risk mentioned in the previous audit
report. We will verify the final agreement during our followup audit. (Please refer to page 36 of this report for details)

discussion.
Slide 29

2.2.2
Recommendation
Change management procedure "MCX-SX Exchange IT

procedure v1.5" defined and adopted by the exchange is
not comprehensive and does not include certain
elements.
It is recommended to implement the following:

Include the definition of the guidelines for the change
categories i.e. Major and Minor change categories in the
approved change management procedure and implement
the same;
Detailed Finding
Through review of approved Change Management
Procedure defined in MCXSX Exchange IT procedure v1.5
the following discrepancies were noted:
The existing change management forms were
categorized as ' Major' or 'Minor' changes. However, the
guidelines for these change categories were not defined
and documented in the approved procedure document;
Guideline for change priority was not defined,
documented and implemented;
The service level agreements for the existing change
categories i.e. Major, Minor and Emergency changes were
not defined and documented in the approved change
management procedure. Also, the existing legal contract
i.e. 'Software License and Maintenance' agreement dated
August 25, 2008 did not include suitable clauses for
mandating the service level agreements for change
management process; and
Slide 30
Include the definition of the guidelines for the change

priorities in the approved change management procedure
and implement the same;
Define and document the service level agreements for
all the existing change categories i.e. Major, Minor and
Emergency change requests in the approved change
management procedure and implement the same.
Moreover, the existing legal contract i.e. 'Software
License and Maintenance' agreement dated August 25,
2008 must include suitable clauses for mandating the
service level agreements for change management
process;

2.2.2
The escalation matrix for the existing change

categories (Major, Minor and emergency changes) was
not defined in the approved Change Management
Procedure document in MCX-SX Exchange IT procedure
v1.5. Also, the existing legal contract i.e. 'Software
2008 did not include suitable clauses for mandating the
escalation matrix for change management process.
Further, through review of all the sampled change
management forms it was noted that change priority
were not captured.
Define and document the escalation matrix for the

existing change categories (Major, Minor and emergency
changes) in the approved Change Management Procedure
document in MCX-SX Exchange IT Procedure v1.5.
Moreover, the existing legal contract i.e. 'Software
2008 must incorporate suitable clauses for mandating the
escalation matrix for change management process; and
Slide 31
All the change management forms should capture change

priority.

2.2.2
Recommendation

---
(Contd)
Partially closed
Software license & Maintenance agreement dated 25Aug-2008 not yet amended.
Deloitte team has not been informed of a target date of
completion for this point.
We observed that change Management procedure has
been amended by defining following points
The change categories were defined as Critical, Major
and Minor;
Priority for implementing a change were defined as
Emergency, High, Medium and Low;
Escalation matrix for application related changes was
defined as below:
o Level 1- MCX-SX Systems team - contact numbers and
mail ids provided;
o Level 2-PMG (Mr. Kundan Zamvar)-contact details and
email ids;
o Level 3-Mr. Sushil Limbulkar and Mr. Mehul Chandecontact details and emails ids;
Slide 32

2.2.2
Risk
Absence of details such as guidelines for defining the

change category or priority, service level agreements,
escalation matrix, etc. may result in an inconsistent
change management process being implemented and
ineffective services being rendered by the service
provider. This will result in implementation delays of
critical changes that may affect the business operations
adversely.
Closed. We have reviewed the letter dated 12/12/2014 from

mutually agreed between MSEI and FT.
MSEI has also
provided us with a Management response stating that they
have given the draft agreement covering these points to FT
for finalization and that FT has started providing the
services in the manner mentioned in the above letter to
adequately cover the risk mentioned in the previous audit
report. We will verify the final agreement during our followup audit. (Please refer to page 36 of this report for details)
Follow Up Audit Status Deloitte (10 Sep 14)

Escalation matrix for network related changes was defined
as below:
o Level 1- MCX-SX Systems team - contact numbers and mail
ids provided;
o Level 2-PMG (Mr. Kundan Zamvar)-contact details and email
ids; and
o Level 3-Mr. Sushil Limbulkar and Mr. Mehul Chande-contact
details and emails ids.
MCX-SX Amended IT Procedures document (covering above
changes) has been appended as Annexure B to the MCX-SX
Exchange IT procedure v1.5 document.
Slide 33

discussion.

2.2.1
Recommendation
Software escrow agreement was not established for the

core application DOME and CnS software.
Detailed Finding
It is recommended to define, document and implement a

software escrow agreement on an immediate basis with
trusted third party and outsourced service provider for
the core "DOME and CnS software".
As informed by MCX-SX Information Security team it was

noted that the existing contract agreement established
between the outsourced vendor and MCXSX namely
"Software license & Maintenance agreement " dated 25th
August 2008 does not include a suitable clause for
enforcing an escrow agreement for the core application
"DOME and CnS software".
It was also noted that MCX-SX and the outsourced vendor
currently does not have a software escrow agreement
with a trusted third party for the source code of
Exchange Suite which includes all their below
business applications:
DOME matching and trading engine;
Risk Management Engine;
Exchange Administrator;
Trader Work Station;
Member Administrator; and
Clearing & Settlement System.
Slide 34

2.2.1
Escrow agreement is a method of protecting against

software vendor failure wherein a copy of source code
for the procured core application is kept within the
custody of a trusted third party to ensure that MCX-SX
will have access to the same in the event that the
outsourced vendor is unable to support the software.
Open. We have reviewed the letter dated 12/12/2014 from

mutually agreed between MSEI and FT.
MSEI has also
provided us with a Management response stating that the
Exchange & FTIL have also identified the vendor for Escrow
arrangement for source code & finalizing the same is in
process.
We will verify the final agreement during our follow-up audit.
(Please refer to page 36 of this report for details)
Risk
In the event of a legal dispute, absence of an escrow
agreement may lead to termination of the services
rendered by the service provider or failure of software
vendor to provide requisite support and services in
future resulting to revenue loss, reputational loss and
huge capital outflow to the exchange.
Recommendation
It is recommended to define, document and implement a
software escrow agreement on an immediate basis with
trusted third party and outsourced service provider for
the core "DOME and CnS software".
Slide 35

It was informed that one vendor has been shortlisted for
the escrow arrangements of DOME and CnS software and
draft agreement has also being shared with the vendor
however,
till the time of follow up audit, final
agreement with the vendor for the escrow arrangement
was not established.
Management Response on previous year open

audit observations
As current year auditors remark against the status of the previous year open audit observation, the
Exchange has shared the revised draft agreement covering the changes pertaining to audit observations
has been shared with FTIL on 9th March, 2015. FTIL & the Exchange management also had joint
discussion on the same & we are expecting to finalize the revised agreement or amendment to the
existing agreement within three months.
Meanwhile, as mentioned by the current auditor in their remark, through official letter dated 12th Dec,
2014, FTIL has given the consensus of incorporating the audit observations in the revised agreement.
The Exchange & FTIL have also identified the vendor for Escrow arrangement for source code &
finalizing the same is in process.
However, FTIL has started providing us with the services as mentioned in this letter and hence the risk
that is mentioned in the audit report (2013) that lack of agreement between FTIL and MSEI may lead to
unstructured service delivery and accountability issues is now adequately being covered.
Slide 36
DETAILED OBSERVATIONS
CURRENT AUDIT
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Risk Rating
SL
Control Description
Recommendation
The infrastructure components should be secured from

known vulnerabilities.
It is suggested that the use of SSL as a transport layer is

enforced for this service if supported. Alternatively ,
select the "Allow connections only from computers
running Remote Desktop with Network Level
Authentication" setting if it is available
Detailed Finding
The RDP server stores a hard-coded RSA private key in
the mstlsapi.dll library. Any local user with access to this
file (on any Windows system) can retrieve the key and
use it for this attack.
Risk
Remediated
The remote version of the Remote Desktop Protocol

Server (Terminal Service) is vulnerable to a man-in-themiddle (MiTM) attack. The RDP client makes no effort to
validate the identity of the server when setting up
encryption. An attacker with the ability to intercept
traffic from the RDP server can establish encryption with
the client and server without being detected. A MiTM
attack of this nature would allow the attacker to obtain
any sensitive information transmitted, including
authentication credentials.
Slide 38
Management Response
The remote desktop has been disabled

Implementation Date : 18-03-2015
Responsibility & Timeline

Responsibility : -Timeline : --
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Risk Rating
SL
Control Description
Recommendation

It is suggested that Network Level Authentication (NLA)

is enabled on the remote RDP server. This is generally
done on the 'Remote' tab of the 'System' settings on
Windows
Detailed Finding
NLA uses the Credential Security Support Provider
(CredSSP)
protocol
to
perform
strong
server
authentication either through TLS/SSL or Kerberos
mechanisms, which protect against man-in-the-middle
attacks. In addition to improving authentication, NLA
also helps protect the remote computer from malicious
users and software by completing user authentication
before a full RDP connection is established.
It was observed that the Remote Terminal Services
doesn't use Network Level Authentication (NLA) for the
RDP Host.
Management Response
Remediated
The remote desktop has been disabled

Risk
As remote terminal service is not configured to us NLA,
the host may remain vulnerable to the man in the
middle attack.
Slide 39
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Risk Rating
SL
Control Description
Recommendation

It is suggested that the user access reviews are carried

out to ensure that the principles of 'least privileges'
based on business need and segregation of incompatible
roles and functions are implemented. Such reviews will
should also verify and validate that user access to
systems and applications is appropriate given users' roles
and responsibilities within the organization.
Detailed Finding
It was observed that the user access review have not
been carried out for the following users of the server
ECMDB1.
ECMTRADE_OLD
RO
Risk
Remediated
User Review has been carried out at ECMDB1
Organization may not able to actively monitor and verify

the appropriateness of a users' access to systems and
applications based on an understanding of the minimum
necessary for users to perform or support business
activities or functions.
Slide 40
Management Response

SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
SL
Recommendation
The access to the system should be controlled

implementing strong password policy rules.
by
Detailed Finding
It was observed that the weak/default password is used
for the following Routers:
BKC-CANMS-RTR#XXX.XXX.XXX.XX
MCXSX-CCIL-RTR1#XXX.XXX.XXX.XX
MCXSX-VSAT-DC-R1#XXX.XX.X.XX
MCXSX_CTCL_ACTIVE#XXX.XXX.XXX.XX
NOS-PRI-RTR-PRI#XXX.XXX.XXX.XXX
NOS-PRI-RTR-SEC#XXX.XXX.XXX.XXX
Terminal_Server_DC#XXX.XXX.XXX.XXX
NOS-SW-PRI#XXX.XXX.XXX.XXX
NOS-SW-SEC#XXX.XXX.XXX.XXX
SX-DMZ-2960#XXX.XXX.XXX.XXX
Risk
It is recommended that the password identified be

immediately changed to something that is more difficult
to guess. We recommends that passwords be made up of
at least eight characters in length and contain either
uppercase or lowercase characters and numbers.
Management Response
Remediated
Password has been removed since centralized

authentication server is being used (i.e. TACACS)

Weak passwords may compromise the system security

and allow the attacker to gain access to the system.
Slide 41
Risk Rating
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
5
PD
OI
Control Description
implementing vendor specific hardening guidelines.
Risk Rating
SL
Recommendation
by
It is recommended that a timeout period as per the

hardening policy to be configured for connections to the
device.
Detailed Finding
It was observed that the connections were not
configured with secure connection timeout periods for
the following routers/devices.
Equity_Feed_Inside_SW1#XXX.XXX.XXX.XXX
Extranet_PRI#XXX.XXX.XXX.XX
MCXSXEQ_Monitoring_NOS#XXX.XXX.XXX.XXX
NOS-SW-PRI#XXX.XXX.XXX.XXX
NOS-SW-SEC#XXX.XXX.XXX.XXX
OPS-MGMT-SW-2#XXX.XXX.XXX.XX
VIBGYOR_PRI_SW1#XXX.XXX.XXX.XXX
OPS-MGMT-SW-1#1XXX.XXX.XXX.XXX
Management Response
Remediated
Session time out has been configured as per requirement

Risk
An attacker who is able to gain access to a connection
that had not expired, would be able to continue using
that connection. A connection could be a console port
on the device that was not correctly terminated or a
remote administrative connection.
Slide 42
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
Risk Rating
SL
Recommendation

by
Detailed Finding
It is recommended the organization evaluates the need

for the auxiliary port exec any disable it if not required.
If the auxiliary port is required for remote
administration, the callback feature can be configured to
dial a specific preconfigured telephone number.
It was observed that the Auxiliary Port is enabled on the

following routers:
Management Response
Remediated
Risk
Auxiliary ports has been disabled
An attacker may discover the modem number for the

device during a war-dial. If an attacker were able to
connect to the device remotely, then they may be able
to brute-force the login to gain access to the device.

Slide 43
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
Risk Rating
SL
Recommendation

by
It is recommended that the IP source routing should be

disabled.
Detailed Finding
It was observed that the IP source routing was enabled
on following routers :
IDC-Equity-Feed-R2#XXX.XXX.XXX.X
MCXSX-ETCC-10Mb#XXX.XXX.XXX.XX
Management Response
Remediated
IP source routing has been disabled
Risk
IP source routing can allow an attacker to specify a route

for a network packet to follow, possibly to bypass a
Firewall device or an Intruder Detection System (IDS). An
attacker could also use source routing to capture
network traffic by routing it through a system controlled
by the attacker.
Slide 44

SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
Risk Rating
SL
Recommendation

by
It is recommended that the ICMP redirect should be

disabled.
Detailed Finding
It was observed that the ICMP redirect were not disabled
on following routers:
IDC-Equity-Feed-R1#1XXX.XXX.XXX.X
IDC-OPS-ROUTER-PRI#XXX.XXX.XXX.XXX
IDC-OPS-ROUTER-SEC#XXX.XXX.XXX.XXX
Terminal_Server_DC#1XXX.XXX.XXX.XXX
VIB-DC-PRI#XXX.XXX.XXX.XX
VIB-DC-SEC#XXX.XXX.XXX.XX
Management Response
Remediated
ICMP redirect has bee disabled.
Risk
An attacker could use ICMP redirect messages to route
network traffic through their own router, possibly
allowing them to monitor network traffic.
Slide 45
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
Risk Rating
SL
Recommendation

by
It is recommended that the proxy ARP should be

disabled.
Detailed Finding
It was observed that the ARP request proxying was not
disabled for following routers:
IDC-Equity-Feed-R1#XXX.XXX.XXX.X
VIB-DC-PRI#XXX.XXX.XXX.XXX
Risk
A router that acts as a proxy for ARP requests will extend
layer two access across multiple network segments,
breaking perimeter security.
Slide 46
Management Response
Remediated
Proxy ARP has been disabled.

SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
10
Risk Rating
SL
Recommendation

by
It is recommended that IP unreachable should be

disabled on network interfaces. However, whilst
disabling IP unreachable will not stop scans, it does
make it more difficult for an attacker.
Detailed Finding
It was observed that the IP unreachable have not been
disabled for following routers:
IDC-Equity-Feed-R1#1XXX.XXX.XXX.X
MCXSX_CTCL_ACTIVE#1XXX.XXX.XXX.XX
VIB-DC-PRI#XXX.XXX.XXX.XXX
Management Response
Remediated
IP unreachables has been disabled.

Risk
An attacker who was performing network scans to
determine what services were available would be able to
scan a device more quickly.
Slide 47
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
11
SL
Recommendation

by
It is recommended that the Syslog and Buffered logging

should be enabled.
Management Response
Detailed Finding
It was observed that the Insufficient logging was
configured for following routers:
MCXSX-CCIL-RTR1#XXX.XXX.XXX.XXX
MCXSX-VSAT-DC-R2#XXX.XX.X.XXX
COLO-SW2#XXX.XX.XXX.X
COLO_SW1#XXX.XX.XXX.X
Remediated
Syslogging have been configured on the mentioned
devices/Servers
Risk
An attacker could attempt to map and bypass any
configured ACL or to gain access to the Cisco Router
without network administrators being alerted to the
attempts. Furthermore, after an unauthorised intrusion
into the network had been detected, it would be more
difficult for an investigation to identify the source of the
attack or the entry point without access to logs.
Slide 48
Risk Rating
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
12
Risk Rating
SL
Recommendation

by
It is recommended that the

synchronized with time server.
device
Detailed Finding
It was observed that the NTP server is not been
configured for following router:
MCXSX-VSAT-DC-R2#1XXX.XX.X.XX
Risk
Management Response
Remediated
NTP has been configured
In such case the device time will not synchronized, this

will lead correct logs will not be provided by device with
correct timestamp to identify unauthorized activity in
certain time.

Slide 49
should
be
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
Control Description
13
by
Detailed Finding
It was observed that the switch was running the out of
date software Internet Operating System (IOS) version.
Equity_Feed_Inside_SW1#XXX.XXX.XXX.XXX
Equity_Feed_Outside_SW1#XXX.XXX.XXX.XXX
Extranet_BKP#XXX.XXX.XXX.XX
Extranet_PRI#XXX.XXX.XXX.XX
MCXSXEQ_Monitoring_NOS#XXX.XXX.XXX.XX
NOS-SW-PRI#XXX.XXX.XXX.XX
NOS-SW-SEC#XXX.XXX.XXX.XX
SERVERFARM-A#XXX.XXX.XXX.XX
SERVERFARM-P#XXX.XXX.XXX.XX
SX-DMZ-2960#XXX.XXX.XXX.XXX,
VIBGYOR_PRI_SW1#XXX.XXX.XXX.XXX
OPS-MGMT-SW-1#XXX.XXX.XXX.XXX
Risk
Slide 50
exploit
OI
SL
Recommendation

An attacker could
vulnerabilities.
PD
Risk Rating
known
It is recommended that the switch should be configured

with latest IOS.
Furthermore, additional security features and other
functionality are normally added or extended with each
software revision.
Management Response
Switches will be configured with latest IOS.

Responsibility : Network Team
Timeline : by 31st Aug, 2015
Follow Up Audit Remark 16 September 15

Closed
The IOS is now upgraded to the latest version on the
switches mentioned in the detailed finding section of the
observation. The switches ,Extranet_PRI and Extranet _BKP
were replaced with the new switches with the latest IOS.
software
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
14
SL
Recommendation

by
It is recommended to disable HTTP service.
Management Response
Detailed Finding
It was observed that the clear-text remote web-based
administration was enabled using HTTP for following
devices.
MCX-SX-Cash-L3-A#XXX.XXX.XXX.XXX
MCX-SX-Cash-L3-P#XXX.XXX.XXX.XXX
MCXSX_CASH_DMZ_A#XXX.XXX.XXX.XXX
MCXSX_CASH_DMZ_P#XXX.XXX.XXX.XX
MCXSX_CASH_SF_A#XXX.XXX.XXX.XXX
MCXSX_CASH_SF_P#XXX.XXX.XXX.XXX
Server_Farm_FNO_Active#XXX.XXX.XXX.XX
Server_Farm_FNO_Passive#XXX.XXX.XXX.XX
Remediated
HTTP service has been disabled
Risk
The HTTP server allows remote management of switch.
It uses simple HTTP authentication which sends
passwords in the clear. This could allow unauthorized
access if the password is sniff.
Slide 51
Risk Rating
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
15
Risk Rating
SL
Recommendation

by
It is recommended that configure the device to accept

only SSH connection for remote administration.
Detailed Finding
Management Response
It was observed that the Telnet was enabled without ssh

on following device.
Remediated
Telnet disabled and SSH access has been configured.
Risk
Telnet protocol transmits all information, including login
credentials in clear text. To prevent password stealing,
SSH should be used for remote administration, as SSH
encrypts all the traffic between the device and the SSH
client.
Slide 52

SECURITY CONTROLS
Category
Root Cause
Observation
PD
OI
Control Description
16
Risk Rating
SL
Recommendation

by
It is recommended that a banner should be configured

that warns against unauthorised access.
Management Response
Detailed Finding
It was observed that the Login banner has not been
configured on following router:
Remediated
Login Banners have been configured as suggested.
Risk
Attackers who have gained access to a device could
avoid legal action if no banner is configured to warn
against unauthorised access.

Slide 53
BUSINESS CONTINUITY &

DISASTER RECOVERY
Category
Root Cause
Observation
PD
OI
Risk Rating
SL
Control Description
Recommendation
Document requirement at the Disaster Recovery (DR) site

should be identified during Business Impact Analysis (BIA)
stage and these documents should be available at the
DR site
It is recommended that the availability of updated plans

and checklists in physical form is ensured at the DR site.
17
Detailed Finding
It is a practice to maintain the updated version of the
BCP related documents on a local machine accessible
from DR location. However, it was observed that the
current version of Business continuity Plan (Version 4
dated 09 , 2015) , Disaster Recovery Plan ( Version 2.0
Feb 9 2015) were not available in a physical form at the
DR site.
Risk
Management Response
Remediated
Updated BCP /DRP plans were kept at central
repository. Updated physical copies have been kept in DR
Box at DR Site.
If the updated plans and checklists are not available

readily at the DR site, the recovery operations may not
be as efficient as expected by the Organization.

Responsibility :Timeline :-
Slide 54
HUMAN RESOURCES
Category
Root Cause
Minor Noncompliance
PD
OI
Risk Rating
SL
Control Description
Recommendation
The employees are made aware of their duties during the

disaster /disaster like situations through induction
trainings and information security awareness trainings ,
BCP workshops , fire drills etc.
It is recommended that the HR conducts the induction

trainings in a timely manner and include the business
continuity aspects in it. The record of the same shall be
maintained for the future reference.
Detailed Finding
Management Response
18
It was observed that the induction training has not been

carried out for 7 new joinee.
Remediated.
Induction training is conducted for the new joinee on
June 10, 2015.
Risk
If the regular trainings and workshops are not conducted,
the preparedness of the employees to carry out their
duties during the disaster/disaster like situations may
not be ensured.
Slide 55
GOOD TO HAVE PRACTICES

1
Inventory of Digital Signature

It is suggested that the inventory of all digital signatures used in the organization should be centrally maintained by
IT.
Register of sealed passwords

It is suggested that the periodic replacement of envelops containing sensitive passwords at the DR site is recorded in
a register.
Tabletop Exercise
A periodic tabletop exercise for BCP is suggested for the staff members of the BCP team at the DR location to ensure
that they are prepared to handle the challenging situation in an efficient and effective manner.
It is suggested that tabletop testing should be carried out on half yearly basis for HR and Admin Fire & Emergency
Evacuation and Power Outage
The BMT members should also carry out the tabletop test for declaration of the disaster
Slide 56
DISCLAIMER
DISCLAIMER
1.As it is practically not possible to study all aspects of a process in its entirety thoroughly during the limited time period of an review, based on
our methodology for conducting self assessment of a system , we conducted a review of the system and held discussions with the
process/application owners and other key people in the process during the planning stage of audit which helped us in identifying specific areas
where control weaknesses & process gaps may exist or opportunities for improvement may exist. Our subsequent test work, study of issues in
detail and developing action plans are directed towards the issues identified. Consequently this report may not necessarily comment on all the
function / process related matters perceived as important by the management.
2.The issues identified in this report are based on our discussions with the people engaged in the process, review of relevant documents/records
and our physical observation of the activities in the process/application. We made specific efforts to verify the accuracy and authenticity of the
information gathered only in those cases where it was felt necessary. The work carried out and the analysis thereof is based on the interviews
with the personnel and the records provided by them.
3.The identification of the issues in the report is mainly based on the review of process/application and records, sample verification of
documents / transactions and physical observation of the events. As the basis of sample selection is purely judgmental in view of the time
available, the outcome of the analysis may not be exhaustive and representing all possibilities, though we have taken reasonable care to cover
the major eventualities.
4.This report does not comment upon any change/development taken place in the process/ application and functioning of processes after the
last date of our field work i.e.6 April 2015.
5. Configurations of Network Devices, Network Security Devices and Operating System were checked as per assessment dates.
6.This report is meant for the management of
without our prior written consent.
MSEI, the Board and the regulatory authorities only and should not be quoted or referred to
Limitation of Liability
In no event shall Haribhakti & Co. LLP & its Directors and its employees be liable for consequential, special, incidental or positive loss, damage or
expenses (including limitation, lost profits, opportunity cost, indemnification etc.) even if we have been advised of their possible existence.
Circulation of Report
The above report is solely for the benefit of the management and the audit committee, related regulatory bodies and associations as mentioned
in the distribution list. Any circulation beyond the intended audience requires prior written permission from Haribhakti & Co. LLP
Slide 58
THANK YOU
Slide 59

MSEI - System Audit Report - 2014

Diunggah oleh

Informasi Dokumen

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

MSEI - System Audit Report - 2014

Diunggah oleh

Hak Cipta:

Format Tersedia

Metropolitan Stock Exchange of India Ltd.

Follow Up Audit Report on

Context setting & background

Approach & methodology

(Privileged and Confidential)

1 January 2014 to 31 December 2014

Audit conducted during the period

25 February 2015 to 6 April 2015

Draft Report issued on

Final Report issued on

Draft Follow Up Audit Report issued on

Final Follow Up Audit Report issued on

Scope Exclusion & Limitations

(Privileged and Confidential)

CONTEXT SETTING AND BACKGROUND

(Privileged and Confidential)

SCOPE FOR INFORMATION SYSTEMS AUDIT

(Privileged and Confidential)

SCOPE FOR INFORMATION SYSTEMS AUDIT

Data Communication / Network Controls including

(Privileged and Confidential)

SCOPE FOR INFORMATION SYSTEMS AUDIT

(Privileged and Confidential)

SCOPE FOR INFORMATION SYSTEMS AUDIT

Review of Business Continuity / Disaster Recovery Plan and Process

(Privileged and Confidential)

SCOPE FOR INFORMATION SYSTEMS AUDIT

(Privileged and Confidential)

SCOPE FOR INFORMATION SYSTEMS AUDIT

Identification of eligible vendors

(Privileged and Confidential)

SCOPE FOR INFORMATION SYSTEMS AUDIT

Skill requirement in the operations and management

Review of Last Year Audit report and actions taken

(Privileged and Confidential)

APPROACH & METHODOLOGY

SPECIFIC APPROACH & METHODOLOGY

Area as per the scope

Approach & Methodology

Walkthrough of the incident management process

(Privileged and Confidential)

SPECIFIC APPROACH & METHODOLOGY

Area as per the scope

Approach & Methodology

Study the Network Diagram for appropriate segregation of networks, access

(Privileged and Confidential)

SPECIFIC APPROACH & METHODOLOGY

Area as per the scope

Approach & Methodology

Reporting : All exploitable security vulnerabilities in the target system are

IT Vendor Selection and

Review the process of Capacity Planning and utilization monitoring

(Privileged and Confidential)

OBSERVATION AND RISK RATING CRITERIA

Observations related to absence of defined process or weakness in existing

Observations related to non-adherence to defined process. Example : Non

Observations related to a specific desired functionality /feature that is not

Deviations from controls, which may impact adversely or some weakness in

All other observations not falling under above categories

(Privileged and Confidential)

Area Under Scope

Change Management Controls

Data Communication / Network Controls

Review of Business Continuity / Disaster