SharePro: Cyber Security and Certification Requirement
SEBI, vide its circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018, has provided guidelines to Brokers/DPs pertaining to Cyber Security in their systems, to guard against breaches of privacy and to maintain data integrity. Though most of the proposed measures have to be initiated by the broker and not by backoffice vendors, there are some important guidelines that impact us too. The actions (some of them at least) to be taken to ensure this compliance are listed below, along with our feedback on the status of the items that have a bearing on the backoffice:
- A comprehensive Cyber Security and Cyber Resilience policy document has to be formulated by you. The policy should encompass the guidelines provided in the circular.
- Limit access to the systems on the principle of least privilege. Note that SharePro provides comprehensive user and access management built in. If you have not yet limited each person's access to no more than their job requires, it is time to use this feature. You can create user groups, assign privileges to groups, and assign users to groups, as shown below:
This way you can limit each user's access to only the jobs that concern them. You can even switch off menu items for specific groups. The interesting thing is that you may exclude users from a part of an activity. For instance, a user could be allowed to add a client but not modify it, or may be allowed no access to the bank and DP details of clients. SharePro allows access control at a deeply granular level.
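The following is an added illustration of the group-based, least-privilege model described above (groups carrying privileges, users assigned to groups, action-level limits such as add-but-not-modify, and field-level hiding of bank/DP details). It is a hypothetical model written for this note, not SharePro's own code; the group names, users and the sample client record are constructed.

```python
# Hypothetical group-based access control model (added illustration, not
# SharePro's implementation). Privileges are (resource, action) pairs; "*"
# stands for any action on that resource. Everything not granted is denied.
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    privileges: set = field(default_factory=set)     # {(resource, action)}
    hidden_fields: set = field(default_factory=set)  # {(resource, field_name)}


@dataclass
class User:
    name: str
    groups: list


class AccessControl:
    def __init__(self):
        self.groups = {}
        self.users = {}

    def add_group(self, name, privileges=(), hidden_fields=()):
        self.groups[name] = Group(name, set(privileges), set(hidden_fields))

    def add_user(self, name, groups):
        for g in groups:
            if g not in self.groups:
                raise KeyError(f"unknown group: {g}")
        self.users[name] = User(name, list(groups))

    def is_allowed(self, user, resource, action):
        """True if any of the user's groups grants the action (deny by default)."""
        for g in self.users[user].groups:
            privs = self.groups[g].privileges
            if (resource, action) in privs or (resource, "*") in privs:
                return True
        return False

    def visible_fields(self, user, resource, record):
        """Strip fields hidden from any of the user's groups.

        The most restrictive group wins: a field hidden for one of the user's
        groups stays hidden even if another group does not hide it.
        """
        hidden = set()
        for g in self.users[user].groups:
            hidden |= {f for r, f in self.groups[g].hidden_fields if r == resource}
        return {k: v for k, v in record.items() if k not in hidden}


def build_demo():
    """Constructed setup: a data-entry group that may add but not modify
    clients and never sees bank/DP details, and an admin group with full access."""
    ac = AccessControl()
    ac.add_group(
        "client_entry",
        privileges={("client", "view"), ("client", "add")},
        hidden_fields={("client", "bank_account"), ("client", "dp_id")},
    )
    ac.add_group("client_admin", privileges={("client", "*")})
    ac.add_user("asha", ["client_entry"])   # constructed user
    ac.add_user("ravi", ["client_admin"])   # constructed user
    return ac


# Constructed sample client record (not real data).
CLIENT = {"code": "C001", "name": "Example Client",
          "bank_account": "0000-SAMPLE", "dp_id": "IN-SAMPLE"}


if __name__ == "__main__":
    ac = build_demo()
    print("asha add client:", ac.is_allowed("asha", "client", "add"))
    print("asha modify client:", ac.is_allowed("asha", "client", "modify"))
    print("asha sees:", ac.visible_fields("asha", "client", CLIENT))
```

The two checks belong together: `is_allowed` decides whether an action runs at all, and `visible_fields` decides what a permitted view may contain, so a user who is allowed to view a client still never receives the hidden bank and DP columns.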
- Strong password control for users. The ADMIN component of SharePro allows you to enforce strong passwords on your users. See the snapshot below:
- Your systems need to be behind firewalls and VPN structures, if possible. Consult your IT team to implement this.
- Access by the vendors' staff needs to be supervised. You need to ensure that, in the course of our servicing to you, access is given to our executives in a secured manner, meaning that tools like AnyDesk and RAdmin must be password protected and switched off when not in use. Not just that, the activity of our staff should be monitored on-screen.
- Your database passwords should definitely be strong. Consult your IT team to ensure that this is implemented asap.
- Your webserver that publishes SharePro to the world should be behind a protected firewall and preferably, with multiple network adapters – one facing the web, and one facing the internal database.
- In an ideal world, when SharePro is upgraded at your end, it should first be deployed on UAT servers, tested for new features as much as possible, and then deployed on Production servers. StanSoft does provide a facility for you to maintain UAT servers, where regular database restores can be effected and SharePro deployed, at 25% of the licensing cost. These servers can be used for rigorous testing before deployment.
- VAPT tests – Vulnerability Assessment and Penetration Tests – should be conducted, preferably with third-party consultants on your exposed systems, including the backoffice. The reports of the tests, especially any vulnerabilities detected, should immediately be notified to us for emergency action. Remember that hacking and attacks are a reality and a regular check can be a saviour.
- Backups are not just a responsibility, they are a life-saving necessity. Please please please, review your backup policy, again and again, and maintain logs of backups with signatures for accountability. Please consider moving your backups off the premises every day, even to the cloud. StanSoft has repeatedly insisted on regular backups and has even suggested products like Iperius Backup that take backups and post them to FTP. Please consider procuring them. Read Annexure A, point 6, carefully regarding backups. Remember that backups are not the responsibility of your vendor.
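As an added example of the "maintain logs of backups" point above, the script below records each backup file in an append-only log with a timestamp, the operator who signed it off, and a SHA-256 hash, and later checks whether the stored copy still matches the logged hash. It is hypothetical tooling written for this note, not StanSoft's or any backup product's code; the file names and contents are constructed.

```python
# Hypothetical backup log with integrity hashes (added example, not StanSoft's
# tooling). Each backup gets one JSON line: when, which file, who signed off,
# and its SHA-256, so a later restore can confirm the copy is unaltered.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large database dumps do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_backup(backup_path, log_path, operator):
    """Append one entry for backup_path to the log and return the entry."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "file": os.path.basename(backup_path),
        "size": os.path.getsize(backup_path),
        "sha256": sha256_of(backup_path),
        "operator": operator,  # the person accountable for this backup run
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def read_log(log_path):
    """Return all logged entries, oldest first."""
    with open(log_path, encoding="utf-8") as log:
        return [json.loads(line) for line in log if line.strip()]


def verify_backup(backup_path, entry):
    """True only if the file still exists and hashes to the logged value."""
    if not os.path.exists(backup_path):
        return False
    return sha256_of(backup_path) == entry["sha256"]


def demo():
    """Constructed run: log a fake dump, verify it, corrupt it, verify again."""
    workdir = tempfile.mkdtemp()
    dump = os.path.join(workdir, "db_dump_sample.bak")   # constructed file name
    log = os.path.join(workdir, "backup_log.jsonl")
    with open(dump, "wb") as f:
        f.write(b"constructed backup contents\n")
    entry = record_backup(dump, log, operator="ops-user")  # constructed operator
    ok_before = verify_backup(dump, entry)
    with open(dump, "ab") as f:       # simulate silent corruption of the copy
        f.write(b"x")
    ok_after = verify_backup(dump, entry)
    return ok_before, ok_after, len(read_log(log))


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

Keeping the log on a different machine (or with the off-site copy) is what gives it value: a hash stored next to the file it describes can be altered together with the file, whereas a log kept elsewhere lets you detect a damaged or substituted backup before you depend on it for a restore.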
- For systems not managed by you, your vendors need to comply with the guidelines and should self-certify their readiness. This does not apply to SharePro as all its components are installed in your systems and under your control.
- SEBI has asked brokers/DPs that systems that form the core functionality of business should bear the Indian Common Criteria certification of Evaluation Assurance Level 4. See the snapshot below:
SharePro does not currently hold the Indian Common Criteria certification at Evaluation Assurance Level 4.
However, the big question is: is SharePro an off-the-shelf product as implied by SEBI in their circular? In our assessment this is questionable as, by its very nature, the system has a new release multiple times every week due to the frequency of changes in regulations. Can a system with this level and frequency of upgrades be under the purview of a stringent process like STQC? In our understanding, only products like RDBMS systems, zipping tools, operating systems, anti-virus, or office products may truly be called off-the-shelf. However, in its wording, the SEBI circular has specifically given backoffice applications as an example. So, an immediate clarification needs to be sought by broker associations.
Therefore, as it stands, SharePro does not have STQC certification and is unlikely to get it in the near future. We also strongly recommend that you urge your respective associations to seek urgent clarification on our stand.
Standard Software Pvt. Ltd.
699F, Block P, New Alipore, Kolkata 700053, India
☏ 98303-26277, ✉ firstname.lastname@example.org