Application of IISF-309 for Share Broking firms
Naavi
In our earlier article, we highlighted the 21-point IS framework for ITA 2008 compliance suggested by the undersigned. To demonstrate how the framework is translated into an IS implementation specification, a typical share broking firm is taken as the target organization, and we present here the standard suggested under this framework by Ujvala Consultants Pvt Ltd.
The business of the firm is described roughly as follows:
1. Members are enrolled for share transactions.
2. Members place orders for buying and selling securities.
3. Orders are executed.
4. Contract information is sent to the members.
5. The financial account subsystem manages receipt of money in advance, on execution of orders, etc.
Disputes often arise when there are mismatches between the orders placed and the orders executed, as well as on payment issues, and these need to be settled.
Frauds happen both because of employees of the firm and through identity theft at the member's end.
Security breaches also occur due to viruses, Trojans, DDoS attacks, etc.
The firm collects and maintains sensitive financial information about its customers, which is subject to data theft threats. "Reasonable Security Practices" under Section 43A become relevant under these circumstances.
Frauds may also occur at the stock exchange level or at the listed company level, and information at the broker's end may be required by law enforcement agencies. The data retention norms under Section 67(C) may become relevant under these circumstances.
Under certain circumstances, such as the broker providing investment-sensitive information which turns out to be wrong or fraudulent or otherwise contravenes ITA 2008, "Due Diligence" under Section 79 also becomes relevant.
The Techno Legal Information Security standard should therefore address the above threats, in addition to any other threats identified.
The specification may therefore include:
1. An account opening form with relevant disclosures, identity verification, etc. A copy of the terms and conditions should always be provided to the customer, along with a copy of the firm's PSPS (Privacy and Security Policy Statement).
2. All employees should be "Certified Cyber Law Aware" through an appropriate training mechanism.
3. Information should be classified as "Third party news", "Customer information", "Trading instructions", "Security sensitive internal information", "Administrative", "Financial", "Marketing", "Legal", "Customer relations", etc. Users are to be grouped into different domains and given access only to the areas relevant to them. Certain types of information may be further classified as "Confidential" and retained only in encrypted form while on the systems. Different data retention norms are tagged to the different types of information as relevant.
4. Whenever a security breach incident is reported, the information relevant to the breach should be copied into an archive under the "Legal" domain and retained indefinitely.
5. All communication with customers should be digitally signed. Customers' inward communication should also be suitably archived with a third party for future reference.
6. All other normal technical security policies, such as the use of firewalls, IDS, adequate access control measures, hardware/software purchase policies, employee hiring, transfer and termination policies, vendor policies, etc., should be determined and implemented.
The specifications may ideally be developed by the user and declared on their websites. A model policy document can be developed by the respective trade associations for the guidance of members.
CERT-IN may develop a mechanism to review the security policy documents from time to time, or on specific request, and point out inadequacies, if any.
Specialized audit agencies may also endeavour to point out the deficiencies in the policies so that corrective measures can be initiated. The audit certificates should also be disclosed through annual statements and on the web.
The foregoing is an approach which can be further refined.
(Comments are welcome)
Naavi
March 22, 2009