Visit us at : 1 NSDL THREAT PERCEPTIONS & SECURITY MEASURES

Visit us at : 2 AGENDA Introduction to Depository NSDL System Overview Threat Perception Security Measures IT Audit Practices

Visit us at : 3 NSDL - Bank -- An Analogy BANKBANKNSDLNSDL

Visit us at : 4Legislation/Regulations Service only through Participants Depository to maintain client level data Daily Reconciliation Continuos Connectivity with Encryption Backup facility at an alternate site

Visit us at : 5 NSDL System Overview CLEARING CORP. REGISTRAR /ISSUERS DEPOSITORY PARTICIPANTS STAR NETWORK SWIFT MESSAGING CONVENTION ANOTHER DEPOSITORY CC - 2 CC - 3 DP - 3DP - 4DP - 5 DEPOSITORY NSDL SR-1 SR-2 SR-3 DP - 1DP - 2 CC -1

Visit us at : 6 NSDL Today Beneficiary Accounts : lac Positions : > 2 crore Custody : Rs. 9 lac crore Settlement thru Demat : 99.99% No. of Comp. / Securities : / Settlement value : > Rs cr. Bookings : 6-12 lacs SWIFT Messages : lacs

Visit us at : 7 Threat Perception Authenticity of Debit instruction Privacy of account holder’s information Disruption of Service Reconciliation Software Integrity

Visit us at : 8 Participants System Depository Network Depository Central System NSDL Internal Office Infrastructure Internet based Services Security Measures Scope

Visit us at : 9 Participants System Maker / Checker Implementation Audit Trails Inspection / Audit System Mandated Reconciliation Remote site backup + Log shipping Dial-up - Readiness Checks

Visit us at : 10 Depository Network Set-up Closed User Group (CUG) Network Hardware based Authentication Encryption - Dynamic Key change IP Filtering + Access List on Gateway Port Restriction Telnet / Direct Login / File Transfer prohibited Accepts only Message with valid format

Visit us at : 11 Depository System System Enforced Password Policy Failed Login Alerts Discretionary Access Control (DAC) Audit Trail De-activation of user-id with Direct Access rights MAC Address authentication for Access LAN Switch Port mapped to MAC address

Visit us at : 12 Depository Internal Office Infrastructure Office Systems –Switch based LAN / VLANs –Roving Port disabled on all LAN Switches –Local PC Data Protection Policy –Media Disposal Policy –Licensed Software Usage only

Visit us at : 13 Depository Internal Office Infrastructure - Cont. Internet Access –Governed by Internet Usage Policy –Access only through Proy Server –Firewall / IDS / URL Categorisation – send / receive to server hosted outside –Only HTTP / HTTPs ports allowed –ICMP blocked, No access from outside

Visit us at : 14 Depository Internal Office Infrastructure - Cont. Virus Protection Mechanism –Gateway Scanner – s / Attachments scanned on Mail Server –Desktop Anti Virus Protection Physical Access –Proximity Card –Video Surveillance –Asset Movement Monitoring

Visit us at : 15 Internet based Services SPEED-e SSL Authentication –Password –PKI / SMART Card 3 Tier architecture Clustering Firewall / IDS

Visit us at : 16 Internet based Services - Cont.

Visit us at : 17 Software Change Management SRC (Software Review Committee) SDLC approach with documentation Separate environments (Dev./ Test / Prod) Source management system (VSS / SCLM) Acceptance Testing Managed DPM software distribution Formal Software Release Reviews

Visit us at : 18 Business Continuity Planning Facilities Dual UPS with Battery Back-up Standby Diesel generator Fire/Smoke detector & FM 200 Sprinklers Standby Air Conditioners Periodic Drill

Visit us at : 19 Business Continuity Planning System and Data Processor/Disk Sparring Standby controller/Router Dual Logging Log file replication at another site Fire proof back-up storage Safe copy of software & critical documents Periodic Operations from DRS Facility

Visit us at : Business Continuity Planning Network NSE DRS HUB NSDL DRS NSE Primary HUB, Mumbai, Leased Line NSDLNET ISDN / PSTN NSDL NET Business Partners NSDL Primary Production Site Mumbai NSDL TC Fall Back X. 25 VSAT Cloud NSENET

Visit us at : 21 IT Audit Practices Security Committee Vulnerability Assessment Group Risk Analysis Group Security Audit and Penetration Testing Surprise audit by Security Officer Reporting to MD