
Information security

About the Industry and Company:

The IT industry is one of the fastest-growing industries in India; it contributes around 7.7% of India's GDP.

The IT sector comprises companies that produce software or hardware and companies that provide Internet and related services.

Different software companies build products and services for different domains; the company considered here is ABC Company, which develops software for stock brokers.

ABC Pvt. Ltd is a vibrant and agile set-up located in Mumbai, the commercial capital of India. The company is an established player in enabling businesses in the financial services sector and a leading provider of IT solutions focused on the equity, derivatives, commodities, mutual fund and depository services markets in India.

The company was founded and is managed by a team of professionals who were instrumental in setting up and operating India's largest stock exchange. The team is also considered a pioneer in introducing exchange-traded financial derivatives to the Indian marketplace.

The company has a team of over 70 development and support professionals who are well versed in capital markets, derivatives, commodities and broking operations.

Its software products include products, solutions and services for the capital markets, addressing stocks and commodities.

Business model, Business function, Business Volume and some statistics:

ABC Company follows a B2B model: it provides solutions and services to stock brokers who deal in dematerialisation (DEMAT) of stocks, trading and clearing of stocks, maintaining ledgers and holding balances, and other services.

The business function of ABC Company is to provide solutions and implement the business logic for stock brokers, as different brokers have different logic that must be implemented to ensure smooth processing.

To implement the regulatory changes initiated by the exchange and SEBI.

To fulfil audit and compliance requirements.

The core logic of the product lives in the backend, i.e. the database. Any unauthorised change to data in the backend would have a huge impact on daily processing, reporting, audit, compliance and the client-specific logic, so information security plays an important role in securing client data.

The company has many clients, ranging from small brokers to corporate brokers, and business volume is healthy in the current market scenario.
Management perspective of the information security for the organization

Management's perspective plays an important role in implementing information security for the organisation: management is clear about the business objectives and the stakeholders, so it can link them to information protection attributes. Organisations have to be trusted to achieve customer acquisition and retention, which directly affects their revenue.

This trust is a key success factor that is directly related to:

1. Business integrity: preventing manipulation of data is the key information security component related to customer trust.
2. Customer asset protection: data is the main asset of their customers, as data is the new wealth; any unauthorised change to customer data leads to reputational as well as financial loss.
3. Customer privacy: customers provide basic information such as PAN numbers, corporate office addresses, email addresses, invoices, purchase orders and bank details, all of which need to be protected.
4. Internal and external stakeholders: internal stakeholders are the employees, whose personal, educational and salary information needs to be protected. External stakeholders are the clients; they do not work for the company, but they also suffer if the company is damaged.
5. Business impact analysis: the business must answer certain questions, such as
a. How much would an incident cost the business?
b. What would the indirect cost be, e.g. reputational loss or information lost, if any?
c. What would the legal implications be?
6. Risk analysis: are there technical controls to safeguard client data, and do procedures exist to complement the technical security controls?
7. ISMS implementation: after the controls have been selected, they should be correlated under a common information security management system (ISMS). This correlation requires a deep understanding of the operation of the organisation; consideration of human, cultural, technical, business and external factors; and continuous improvement.
8. Risk management: the result of the risk analysis is a prioritisation of risks in relation to the impact level (the result of the business impact analysis) and the identification of possible security measures for addressing each risk. The risk management process, i.e. the selection of appropriate security measures for addressing, transferring or accepting the risk, is determined by the management of the organisation.

Applicable compliance and regulatory framework:

1. Improved security: it provides baseline requirements, which keeps data security levels relatively consistent.
2. Minimised losses: improved security helps prevent breaches; if breaches occur, the company ends up paying a huge cost.
3. Increased control: this goes hand in hand with the above; it helps prevent or minimise employee mistakes.
4. Maintained trust: customer trust is the company's main asset. It needs to honour that trust by providing secure systems.

Regulatory framework: internal auditors evaluate the company's controls, and potential customers evaluate their potential risk.
Schematic representation of data flow

[Flow diagram of the online trading platform; the image itself is not reproduced in this extract.]

In each block there is a transmission of data from one block to the next, and there is a chance of data leakage at each point.

Special controls need to be established to safeguard the confidentiality and integrity of client data passing over wireless networks, to protect both the data and the applications.

Systems on the network need to be authenticated.

Systems connected to the network need to be restricted from unwanted access.

This depends upon the ability of the network service provider to manage the agreed services in a secure way.

To manage the security of large networks, groups of systems need to be segregated into separate network domains.

Those networks should be treated with special care, as they may be affected by poorly chosen network parameters.
Explain interrelation between business functions and Information security

Since the company develops software for stock brokers, and its business function is to define domain logic for clients and carry out trading and depository processes, the core logic of the software is the database.

The company implements regulatory changes and formats initiated by the exchange and SEBI, so data plays an important role.

The main objectives of information security are to preserve the 'confidentiality' of sensitive data, ensure the 'availability' of the data, ensure the 'integrity' of the data and ensure 'conformity' with applicable laws, regulations and standards.

Confidentiality covers the protection of customer data, bank accounts, PAN numbers and other details important to the company.

Availability means that all important data must be accessible to the authorised users when required.

Integrity means providing correct and complete data.

Conformity means implementing the regulatory changes initiated by the board.

Policies, Procedures and monitoring mechanism

Information security, HR and access control policies and procedures have been implemented in the organisation.

The information security policy consists of eight elements, which they have implemented:

1. Purpose
2. Audience
3. Objectives
4. Authority and access
5. Data classification
6. Data support and operations
7. Security awareness and behavior
8. Responsibilities, rights and duties

HR policy

1. Prior to employment
2. During employment
3. Termination or change of employment

Access control policy

1. Authorization
2. Authentication
3. Accessing
4. Managing
5. Auditing

Monitoring: system monitoring should consider the following aspects

1. Compliance with regulatory and statutory obligations
2. Effective maintenance of IT systems
3. Compliance with organisational policies and procedures
4. Review of usage and staffing

Controls, effective working and review mechanism:

The company has implemented security controls to minimise the security risk to data centres and other assets.

- Before the event, preventive controls are intended to prevent an incident from occurring, e.g. by locking out unauthorised intruders;
- During the event, detective controls are intended to identify and characterise an incident in progress, e.g. by sounding the intruder alarm and alerting the security guards or police;
- After the event, corrective controls are intended to limit the extent of any damage caused by the incident, e.g. by returning the organisation to normal working status as efficiently as possible.

They can also be classified according to their nature, for example:

- Physical controls, e.g. fences, doors, locks and fire extinguishers;
- Procedural controls, e.g. incident response processes, management oversight, security awareness and training;
- Technical controls, e.g. user authentication (login) and logical access controls, antivirus software, firewalls;
- Legal, regulatory or compliance controls, e.g. privacy laws, policies and contract clauses.

To measure the effectiveness of the controls, the company applies the following criteria to its security metrics:

a. A metric must be universal, i.e. applicable regardless of the architecture, code, interface or system conditions.
b. It must yield significant results with respect to the issue it seeks to measure.
c. It must be accurate and represent what information security officers really want and need to know.

The review mechanism includes:

Network security: the company has implemented network security to manage and control the systems and applications through which data is transferred.

Segregation in networks: large networks are divided into separate network domains, using physically separate networks. The company has given special treatment to wireless networks; for sensitive databases, wireless networks are treated as external connections.

Information security in the business continuity plan and its implementation


The company has implemented a business continuity plan in order to respond to disruption, activate recovery teams and recover critical assets and processes.

The company has followed these steps for BCP implementation:


1. Project initiation: they developed a contingency policy statement, conducted a business impact analysis, identified preventive controls, developed recovery strategies and developed a maintenance plan.
2. Scope: initiation of the plan and final approval.
3. Business impact analysis: they identified critical assets, conducted a risk assessment, and determined the maximum tolerable downtime and the failure and recovery metrics.
4. Identified preventive controls.
5. Recovery strategy: data recovery and application recovery on a daily basis.
6. Plan approval: the plan is approved by management. Senior managers understand the plan, own the plan and have ensured they have taken the steps to make the plan a success.
7. BCP maintenance: once the plan is approved, it is tested and implemented, and kept up to date. If any change management or version change is initiated, the plan must be reviewed and tested again.

Audits and periodic review

It includes:

1. Backup and standby failover of systems, tested within the quarter or after any system or policy update.
2. User ID changes, if any, such as password changes, the number of IDs activated and deactivated, and any change in admin accounts.
3. Backup and archival: compliance with changes, a log of any data restored, backup status logs and any audit trail.
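The quarterly review items above (user ID activations and deactivations, password changes, admin changes, backup status and data restores) can be produced from an audit log rather than compiled by hand. The script below is an added example, not code from the original document or from ABC Company; the log line format, event names, field names and the review rules (an admin grant needs a change ticket, a failed backup and every restore are flagged) are assumptions chosen for illustration, and the sample log lines are constructed.

```python
"""Quarterly audit review over constructed user-ID and backup audit log lines.

Added example, not part of the original document. The log format
"<YYYY-MM-DD> <actor> <EVENT> key=value ..." and the review rules are assumptions.
"""
from collections import Counter
from datetime import date
import re

# Assumed line layout: ISO date, acting account, event name, optional key=value fields.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+) ?(.*)$")

# Constructed sample log: eight lines in Q1 2024 and one line from Q2 (must be ignored).
SAMPLE_LOG = """\
2024-01-03 admin01 USER_ACTIVATED uid=broker_ops_07
2024-01-04 broker_ops_07 PASSWORD_CHANGED uid=broker_ops_07
2024-01-15 admin01 USER_DEACTIVATED uid=temp_qa_02
2024-02-01 admin02 ADMIN_GRANTED uid=dev_lead_03 ticket=CHG-1042
2024-02-10 backup BACKUP_STATUS job=ledger_db result=SUCCESS
2024-02-11 backup BACKUP_STATUS job=ledger_db result=FAILED
2024-02-12 dba01 DATA_RESTORED job=ledger_db source=2024-02-10
2024-03-20 admin02 ADMIN_GRANTED uid=contractor_09
2024-04-02 admin01 USER_ACTIVATED uid=broker_ops_08
"""


def parse_line(line):
    """Parse one audit line into a record, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    day, actor, event, rest = m.groups()
    details = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"date": date.fromisoformat(day), "actor": actor,
            "event": event, "details": details}


def quarterly_review(log_text, start_iso, end_iso):
    """Count the audit items for the period [start, end] and list the findings
    a reviewer must follow up: admin grants without a change ticket,
    backup jobs that did not succeed, and every data restore."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    counts = Counter()
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not (start <= rec["date"] <= end):
            continue  # malformed line or outside the review period
        ev, d, who, when = rec["event"], rec["details"], rec["actor"], rec["date"]
        counts[ev] += 1
        if ev == "ADMIN_GRANTED" and "ticket" not in d:
            findings.append(f"{when}: admin granted to {d.get('uid')} by {who} "
                            "without a change ticket")
        elif ev == "BACKUP_STATUS" and d.get("result") != "SUCCESS":
            findings.append(f"{when}: backup job {d.get('job')} reported {d.get('result')}")
        elif ev == "DATA_RESTORED":
            findings.append(f"{when}: {d.get('job')} restored from {d.get('source')} "
                            f"by {who} (verify authorisation)")
    return {"counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    report = quarterly_review(SAMPLE_LOG, "2024-01-01", "2024-03-31")
    for event, n in sorted(report["counts"].items()):
        print(f"{event:16s} {n}")
    print("Findings:")
    for f in report["findings"]:
        print("  -", f)
```

Running it on the constructed log gives one activation, one deactivation, one password change, two admin grants, two backup status entries and one restore for Q1 2024, with three findings: the failed backup, the restore (to be matched against an authorisation), and the admin grant on 2024-03-20 that carries no change ticket. The line dated 2024-04-02 is excluded because it falls outside the quarter.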

Conclusion

In conclusion, information security is important to the development of any organisation that holds data or information about its customers or itself. The development of modern organisations depends on the availability, confidentiality and integrity of their information. The extensive use of information technology has improved the efficiency of business, but it exposes the organisation to additional risks and challenges such as a poor understanding of information security, a mobile workforce and wireless computing, a shortage of information security staff, and information security attacks. Implementing information security is a process that is by far more complex than implementing other management systems, because of the large number of factors that may affect its effectiveness. To ensure information security, the company should understand that information security is not solely a technological issue; it should also consider the non-technical aspects while developing its information security programme. Finally, it should be noted that well-implemented information security reduces the risk of a crisis in the company.
