
Application of IISF-309 for Share Broking firms

Naavi


In our earlier article, we highlighted the 21-point IS framework for ITA 2008 compliance suggested by the undersigned. To demonstrate how the framework is translated into an IS implementation specification, a typical share broking firm is taken as the target organization, and we present here the standard suggested under this framework by Ujvala Consultants Pvt Ltd.

The business of the firm is described roughly as follows:

1. Members are enrolled for share transactions.

2. Members place orders for buying and selling securities.

3. Orders are executed.

4. Contract information is sent to the members.

5. A financial account subsystem manages receipt of money in advance, on execution of orders, etc.

Disputes arise often when there are mismatches between the orders placed and the orders executed, as well as over payment issues, and these need to be settled.

Frauds happen both through employees of the firm and through identity theft at the member's end.

Security breaches also occur due to viruses, Trojans, DDoS attacks, etc.

The firm collects and maintains sensitive financial information about its customers, which is subject to data theft threats. "Reasonable Security Practices" under Section 43A become relevant under these circumstances.

Frauds may also occur at the Stock Exchange level or at listed company level and information at the broker's end may be required by law enforcement agencies. The data retention norms under Section 67(C) may become relevant under these circumstances.

Under certain circumstances, such as the broker providing investment-sensitive information which may turn out to be wrong or fraudulent or otherwise contravene ITA 2008, "Due Diligence" under Section 79 also becomes relevant.

The Techno Legal Information Security standard should therefore address the above threats in addition to any other threats identified.

The specification therefore may include:

1. Account opening form with relevant disclosures, identity verification, etc. A copy of the terms and conditions should always be provided to the customer along with a copy of the PSPS (Privacy and Security Policy Statement) of the firm.

2. All employees should be "Certified Cyber Law Aware" through an appropriate training mechanism.

3. Information should be classified as "Third party news", "Customer information", "Trading instructions", "Security sensitive internal information", "Administrative", "Financial", "Marketing", "Legal", "Customer relations", etc. Users are to be grouped into different domains and given access only to the areas relevant to them. Certain types of information may be further classified as "Confidential" and retained only in encrypted form while on the systems. Different data retention norms are tagged to the different types of information as relevant.

4. Whenever a security breach incident is reported, the information relevant to the breach should be copied onto an archive under the "Legal" domain and retained indefinitely.

5. All communication with customers should be digitally signed. Customers' inward communication should also be suitably archived with a third party for future reference.

6. All other normal technical security policies, such as the use of firewalls, IDS, adequate access control measures, hardware/software purchase policies, employee hiring, transfer and termination policies, vendor policies, etc., should be determined and implemented.

Ideally, the specifications should be developed by the firm itself and declared on its website. A model policy document can be developed by the respective trade associations for the guidance of their members.

CERT-IN may develop a mechanism to review the security policy documents from time to time, or on specific request, and point out any inadequacies.

Specialized audit agencies may also endeavour to point out deficiencies in the policies so that corrective measures can be initiated. The audit certificates should also be disclosed in annual statements and on the web.

The foregoing is an approach that can be further refined.

(Comments are welcome)

Naavi

March 22, 2009
