
NSDL

THREAT PERCEPTIONS
&
SECURITY MEASURES

Visit us at : www.nsdl.co.in 1
AGENDA
• Introduction to Depository
• NSDL System Overview
• Threat Perception
• Security Measures
• IT Audit Practices

NSDL - Bank -- An Analogy

BANK
➨ Holds funds in accounts
➨ Transfers funds between accounts
➨ Transfers without handling cash
➨ Safekeeping of money

NSDL
➨ Holds securities in accounts
➨ Transfers securities between accounts
➨ Transfers without handling physical securities
➨ Safekeeping of securities

Legislation/Regulations

• Service only through Participants

• Depository to maintain client level data

• Daily Reconciliation

• Continuous Connectivity with Encryption

• Backup facility at an alternate site

NSDL System Overview
[Diagram. Labels: NSDL; ANOTHER DEPOSITORY; DEPOSITORY CLEARING CORP. (CC-1, CC-2, CC-3); REGISTRAR / ISSUERS (SR-1, SR-2, SR-3); DEPOSITORY PARTICIPANTS (DP-1, DP-2, DP-3, DP-4, DP-5); STAR NETWORK; SWIFT MESSAGING CONVENTION.]

NSDL Today

• Beneficiary Accounts : 48.85 lac


• Positions : > 2 crore
• Custody : Rs. 9 lac crore
• Settlement thru Demat : 99.99%
• No. of Comp. / Securities : 5000 + / 14000+
• Settlement value : > Rs. 2000 cr.
• Bookings : 6-12 lacs
• SWIFT Messages : 60-100 lacs
Threat Perception

• Authenticity of Debit instruction


• Privacy of account holder’s information
• Disruption of Service
• Reconciliation
• Software Integrity

Security Measures Scope

• Participants System
• Depository Network
• Depository Central System
• NSDL Internal Office Infrastructure
• Internet based Services

Participants System
• Maker / Checker Implementation
• Audit Trails
• Inspection / Audit
• System Mandated Reconciliation
• Remote site backup + Log shipping
• Dial-up - Readiness Checks

Depository Network Set-up

• Closed User Group (CUG) Network


• Hardware based Authentication
• Encryption - Dynamic Key change
• IP Filtering + Access List on Gateway
• Port Restriction
• Telnet / Direct Login / File Transfer prohibited
• Accepts only Message with valid format
Depository System
• System Enforced Password Policy
• Failed Login Alerts
• Discretionary Access Control (DAC)
• Audit Trail
• De-activation of user-id with Direct Access rights
• MAC Address authentication for Access
• LAN Switch Port mapped to MAC address
Depository Internal Office Infrastructure
• Office Systems
– Switch based LAN / VLANs
– Roving Port disabled on all LAN Switches
– Local PC Data Protection Policy
– Media Disposal Policy
– Licensed Software Usage only
Depository Internal Office Infrastructure - Cont.
• Internet Access
– Governed by Internet Usage Policy
– Access only through Proxy Server
– Firewall / IDS / URL Categorisation
– E-Mail send / receive to server hosted outside
– Only HTTP / HTTPS ports allowed
– ICMP blocked, No access from outside
Depository Internal Office Infrastructure - Cont.
• Virus Protection Mechanism
– Gateway Scanner
– Emails / Attachments scanned on Mail Server
– Desktop Anti Virus Protection
• Physical Access
– Proximity Card
– Video Surveillance
– Asset Movement Monitoring
Internet based Services
• SPEED-e
• SSL
• Authentication
– Password
– PKI / SMART Card
• 3 Tier architecture
• Clustering
• Firewall / IDS
Internet based Services - Cont.
[Network diagram. Labelled components: Internet Cloud; Router at TISP; L3 Switch at TISP; CISCO PIX Firewall 1 and CISCO PIX Firewall 2, NSDL Setup (at TISP); Local Director 1 and Local Director 2; VLANs; Intrusion Detection System; WEB Servers; Application Server; Application / Database Server; Database Server; Storage; NMS; Security Gateways; 64 Kbps Leased line; SPEEDe ONLINE-1; SPEEDe ONLINE-2; NSDL Setup.]
Software Change Management

• SRC (Software Review Committee)


• SDLC approach with documentation
• Separate environments (Dev./ Test / Prod)
• Source management system (VSS / SCLM)
• Acceptance Testing
• Managed DPM software distribution
• Formal Software Release Reviews
Business Continuity Planning
Facilities

• Dual UPS with Battery Back-up


• Standby Diesel generator
• Fire/Smoke detector & FM 200 Sprinklers
• Standby Air Conditioners
• Periodic Drill

Business Continuity Planning
System and Data
• Processor/Disk Sparing
• Standby controller/Router
• Dual Logging
• Log file replication at another site
• Fire proof back-up storage
• Safe copy of software & critical documents
• Periodic Operations from DRS Facility
Business Continuity Planning
Network
[Network diagram. Labels: NSE Primary HUB, Mumbai; NSE DRS HUB; X.25; VSAT Cloud; NSENET; NSDL Primary Production Site, Mumbai; ISDN / PSTN Fall Back; NSDL NET; NSDL TC; NSDL DRS; Leased Line; NSDLNET; Business Partners.]
IT Audit Practices
• Security Committee
• Vulnerability Assessment Group
• Risk Analysis Group
• Security Audit and Penetration Testing
• Surprise audit by Security Officer reporting to MD

