Inviting comments on the basic draft of the "Relevance of Information Systems Audit in Insurance Sector" (Comments to be received by 30th April 2014) by email at cobip@icai.in Inviting comments on the basic draft of the "Relevance of Information Systems Audit in Insurance Sector" (Comments to be received by 30th April 2014) by email at cobip@icai.in Chartered Accountant CA ICAI Chartered Accountants CA ICAI CAinINDIA ICAI Announcements Accounting Standards CA News ICAI Students ICAI Members Case Laws CPT IPCC Final ICAI Course CA Course ICAI Forum CA Question Papers ICAI Study Material

« Professional Updates »

Open DEMAT Account in 24 hrs
Expert Panel for addressing queries related to Statutory Audit pertaining to auditing aspects
Invitation for contribution to Question Bank in respect of Self-paced Online Module Examinations (Set-C & Set-D)
India to be Accounting and Finance Hub : Invitation for Comments/Suggestions: Consultation Paper on Draft IFSCA (Book-keeping, Accounting, Taxation and Financial Crime Compliance Services) Regulations 2024
Auditing and Assurance Standards Board - Online Panel of Experts for addressing Bank Branch Audit related queries
Board of Internal Audit and Management Accounting of ICAI is organizing Webinar on "Identifying Red Flags and Report Writing by Internal Auditors" - March 27,
Revised Applicability of Peer Review Mandate (Phase II & III)
Important Announcement - Reschedulement of Chartered Accountant Examinations, May 2024
IMPORTANT ANNOUNCEMENT
Extension of Last Date for Online Empanelment of Members to act as Observers for May/June 2024 Examinations up to 15th March 2024
Empanelment of Members to act as Observers at the Examination Centres for the Chartered Accountants Examinations May/June 2024
Guidance Note on Audit of Banks (2024 Edition)


« Inviting comments on the basic draft of the A Practical...	Report on National Convention for CA Students held on 1st... »
Inviting comments on the basic draft of the "Relevance of Information Systems Audit in Insurance Sector" (Comments to be received by 30th April 2014) by email at cobip@icai.in

April, 16th 2014
Inviting comments on the Basic draft on Relevance of Information Systems Audit in Insurance Sector (Last date for comments: April 30th April 2014) Comments should be submitted in writing to the Secretary, Committee on Banking, Insurance and Pension, The Institute of Chartered Accountants of India, ICAI Bhawan, Indraprastha Marg, New Delhi -110002, so as to be received not later than April 30th, 2014. Comments can also be sent by email to cobip@icai.in i Contents I Introduction IT Governance ..........................................................................................................1 a. Insurance ...............................................................................................................................1 b. IT Governance .......................................................................................................................5 II State of Information Systems in Insurance Industry........................................................................7 III Regulatory framework for Information Systems in Insurance.......................................................11 a. The Insurance Act 1938.......................................................................................................11 b. Regulations issued by IRDA (Insurance Regulatory and Development Authority) .............11 c. The Information Technology Act 2000....................................................................................13 d. Prevention of Money Laundering Act .................................................................................14 IV Information Systems Audit in Insurance Sector.............................................................................15 a. IT Governance .....................................................................................................................15 1. Strategic Alignment.....................................................................................................................16 2. Value Delivery .............................................................................................................................17 3. Resource management ...............................................................................................................17 4. Risk management........................................................................................................................17 5. Performance measures ...............................................................................................................18 b. Risk Management................................................................................................................18 1. Security Policy and Implementation ...........................................................................................18 2. Asset Management .....................................................................................................................19 3. Information Systems Acquisition, Development & Maintenance...............................................20 4. Physical & Environmental Security..............................................................................................20 5. Access Controls ...........................................................................................................................21 6. System Parameters .....................................................................................................................21 7. IT Controls review OS, Database, Networking devices ............................................................22 8. Capacity Management ................................................................................................................23 9. Disaster Recovery, Backup & Contingency planning...................................................................24 10. Customer Services...................................................................................................................24 ii Appendix A About COBIT..........................................................................................................................25 Appendix B About COSO ..........................................................................................................................27 Appendix C Guidelines on Outsourcing of Activities by Insurance Companies .......................................29 Appendix D Clarifications on Guidelines on Outsourcing of Activities by Insurance Companies ............42 Appendix E IRDA (Web Aggregators) Regulation, 2013 ...........................................................................44 Appendix F IRDA Circular on Investment Risk Management Systems and Process Audit .......................82 Appendix G Extracts from ICAI Technical Guide.......................................................................................83 iii I Introduction IT Governance a. Insurance Insurance is an assurance of compensation for specific potential future losses in exchange for a periodic payment called `Premium'. Insurance is designed to safeguard the financial well- being of an individual, company or any other entity in the case of an unexpected loss. Some forms of insurance are mandated by law, while others are optional. A contract is enforced between the insured (The Policy Holder) and the insurer (The Insurance Company) on mutual agreement to the terms of an insurance policy. The insured makes a payment towards the policy periodically as premium for which the insurer agrees to pay the policy holder a sum of money upon the occurrence of a specific event. The policy holder bears a part of the loss called the uninsured amount while making a claim and the insurer pays the rest as compensation. Examples of insurance include car insurance, health insurance, disability insurance, life insurance, and business insurance. There are 24 life insurance companies and 27 general insurance companies operating in India as per the details published on IRDA website (www.irda.gov.in) as on 30th June 2013. Some of the key functions in the insurance lifecycle are: New Business Proposal or lead generation, Enrolment, Scanning/ Digitization are some of the key processes in expanding the customer base. Underwriting This is the process of evaluating the risk, acceptability and premium of an entity to be insured. This is typically a complicated process and involves significant time and effort and contributes towards increasing the time taken to finally issue the policy to the customer. Technology has been aggressively deployed to aid the underwriting process; analytics and predictive modelling has advanced considerably to keep pace with the business requirement for speedy issuance of policies in consistent manner throughout the enterprise while appropriately assessing risk. Policy Administration 1 Some of the key processes that fall under this function include Policy holder correspondence Collateral verification Payment processing Policy issuance, printing and dispatch Record changes Issuance of insurance policies is a fairly complicated process though the base model is the same. Every insured has the option to choose from a variety of clauses which must be accurately captured in the insurance document. In addition, personal information of the client including medical, family and other data need to be part of the insurance document. Document management systems are used to manage policies issued and also to meet regulatory requirements regarding the storage of policies issued. Claims Processing One of the key challenges that face insurance companies is the need to provide a seamless and integrated claims processing function across the organization and partners landscape. They need to implement information processing systems that enable the smooth flow of information from claims processing to underwriting to marketing. A smooth flow will enable insurance companies to assess risk more accurately and thereby provide solutions that are tailor made to customer requirements. The progressive adaptation of integrated systems to handle entire ecosystem of processes provides management with a holistic view of the business, thus improving the business offering to customers. 2 New Business Key Claims Processing Business Underwriting Functions Policy Administration Some of the key enabling functions in the insurance lifecycle are represented below: Channel Management HR, Audit, Marketing & Key Investment Other Enabling Management supporting functions Functions Accounts & Finance 3 The above functions are also applicable to Reinsurance and as such would be subject to the same requirements of IT Governance and Risk Management initiatives. Micro-Insurance Micro-insurance is insuring the low-income population. This sector can insure a variety of risks including health, property, crop, livestock/cattle, theft, fire, disability etc. IRDA has issued microinsurance draft norms (as of this writing) which are soon expected to be translated into a final set of regulations. For distribution of these products, IRDA has said regional rural banks, micro finance institutions, district cooperative banks, non-governmental organisations, self- help groups, urban cooperative banks, banking correspondents and individual owners of kirana stores, public call offices, fuel stations and fair price shops in rural areas will be allowed to sell these. Selecting the right technology will be a key to the success of any microinsurance endeavour. The most important question that need to be answered before taking a final call is "what is the technology expected to deliver?" Is it ease of use, mobile capabilities, reduce cost, reduce transaction turnaround time etc. Clarity in this aspect will be a pre-requisite for choosing the most appropriate technology. Smart cards may be issued to customers. These could contain policy details like name, photo ID, biometric fingerprint, insurance history, etc. When the smart card is swiped on a hand held device, this information is made available to the agent. Handheld devices are expected to play a critical role in microinsurance. These devices can have various integrated components including smart card readers, biometric authentication devices, printers etc. Internet connectivity may be through GPRS or Wi-Fi. GPRS has been used to connect hand held devices to central servers. The availability of GPRS connectivity in locations where the hand held devices are expected to operate (typically rural 4 settings) should be examined - trial runs should be made to avoid surprises. In the absence of a robust GPRS connectivity, microinsurance companies have taken the approach of storing the data locally in the device until such time that a connectivity is available. Once the device detects a connection to the internet, the data is sent to the central servers. The transaction is completed seamlessly though there is an invisible time buffer during which the data resides on the device itself. The use of SMS as a technology platform has been used by a microinsurance provider in Brazil. The Brazilian government issues a social security number to each citizen. This number is sent as the primary information during enrollment. The server which receives this number then connects to another central repository of citizen information. This approach vastly reduces the need for elaborate data entry and eliminates multiple entries of the same data. Data entry errors are also eliminated. It is possible that a similar technology may be adopted by Indian insurance companies if the Indian government's Aadhar initiative becomes a success. b. IT Governance IT governance in simple terms refers to the process of how the organizations align the IT strategy with the Business strategy and ensure that the companies stay on track in achieving their strategies and goals and implement good ways to measure its performance. An IT governance framework addresses the functioning of the IT department, the key metrics required by the management and the returns achieved by the business from the investment made in IT. Organizations today are subject to many regulations governing data retention, confidentiality of information, financial accountability and recovery from disasters. One of the goals of IT governance is that, the internal controls of an organization should meet the core guidelines of many of these regulations, as well as adherence to various international standards such as COBIT (refer Appendix A) and COSO (refer Appendix B). India has a high potential for development in insurance as most of its household are still untapped by the insurance companies. With the increase in competition among the insurers, providing service to the customer has become a key issue. Moreover, customers are getting increasingly sophisticated and tech-savvy. This highlights the importance of technology in 5 designing and developing products to suit the personalized need of the customer. As technology is embraced and becomes a core component of the insurance industry, the inbuilt security threats also increase exponentially. This commentary makes an attempt to explore tactics to defeat such threats faced by the insurers. 6 II State of Information Systems in Insurance Industry The insurance sector is now open to private enterprises and this has resulted in the emergence of Insurance Regulatory and Development Authority (IRDA) as the regulator of insurance in India. Insurance companies were forced to introduce a variety of products and to venture into wider diversified areas. This intense competition renders insurance companies more aggressive, slashing premiums and increasing the exposure of the companies. The Insurance sector has a dual role to play. It has to protect and secure its own information and infrastructure to achieve its business objectives apart from promoting the information security through positive reinforcement. The insurance company may do this by distributing rewards and providing insurance cover with lower premium for cyber risks of entities that have information security systems in place. This will drive the importance of securing information technology in organizations. In addition, the integral component of the insurance sector lies in obtaining accurate information as promptly and efficiently as possible. Insurers normally base their rates on actuarial models which determine the likely occurrence of the risks to experience a loss. Insurance companies use technology to analyze the claims of prior years and to scrutinize the data of the policy holder. Technology is also used to explore the correlation between risk characteristics and claims. Actuaries have the opportunity to use technology in analyzing the risk at a much more precise level of granularity. Outsourcing IRDA, in its notification to the CEOs of insurance firms, said that "it is not desirable to outsource the core and important activities which will affect corporate governance, protection of policy holders, solvency and revenue flows of insurer." Core Activities are: - Underwriting - Product design and actuarial functions; enterprise wide risk management - Investment and related functions 7 - Fund accounting and NAV calculations - Admitting or repudiation of claims - Bank Reconciliation - Policyholder grievances redressal - Approving advertisements - Market conduct issues - Appointment of surveyors and loss assessors - Compliance with AML, KYC - Policy servicing Refer Appendix C Guidelines on outsourcing of activities by Insurance Companies Refer Appendix D Clarifications on Guidelines on outsourcing of activities by Insurance Companies The above issues pose a challenge to the insurance industry in India today and also worldwide and need to be addressed on a war footing. A few typical challenges and risks faced by the insurance companies are: a. Storage and processing of data b. Accessing and retrieval of data c. Security of information d. Embracing technology developments e. Safeguarding of information against natural disasters f. Business continuity planning Web Aggregators The term "Web Aggregator" pertains to any online website or portal which provides information and comparison of insurance products by different insurers and provides leads to insurers. Some of the guidelines relating to display of product comparisons on the website are: a. Web aggregators shall not display ratings, rankings, endorsements or bestsellers of insurance products on their website. The content of the websites of the web 8 aggregators shall be unbiased and factual in nature; they shall desist from commenting on insurers or their products in their editorials or at any other location in their websites. b. The default/home page of the websites of the web aggregators shall clearly and prominently provide links to the product comparison charts and tables for each category of products covered by them. The visitor to the website should be given clear product options to choose from and once a particular option is chosen, a product comparison chart relevant to his choice shall be displayed. The product comparison chart shall have, interalia, columns to display a) the premium quoted by each insurer relevant to the age, health and other personal details of the client for the product category, policy/premium term, quantum of cover etc chosen b) the default underwriting requirements such as medical examination, diagnostics or other documents c) exclusions, limits or other conditions, if any c) key features of the product chosen. c. Web aggregators shall disclose prominently on the home page that the client/visitor's particulars could be shared with insurers/insurance brokers. d. Web aggregators shall not carry any advertisements or sponsored content on their websites. e. Product comparisons that are displayed shall be upto date and reflect a true picture of the products. f. Web aggregators shall display product information purely on the basis of the information furnished to them by insurers. Refer Appendix E for the IRDA (Web Aggregators) Regulation, 2013 With the growing use of technology in the insurance industry, some of the potential Game Changers from the Technology Arena are: Hand held devices / Mobile / Tablet based data collection and dissemination Cloud computing enabling users to access data from wherever they are Marketing through social media Digitisation of documents Higher degree of segmentation, customer data analytics and predictive modeling 9 Smart cards that can be swiped on hand held devices in Microinsurance Document management systems to manage policies and customer data Biometric data of customers stored in smart cards GPRS for hand held devices SMS in microinsurance Centralized database of vehicles insured for access by transport and police authorities Use of telematics for vehicle tracking and determining insurance premiums 10 III Regulatory framework for Information Systems in Insurance a. The Insurance Act 1938 In 1938, with a view to protecting the interest of the Insurance public, all the earlier legislation was consolidated and amended by the Insurance Act, 1938 with comprehensive provisions for effective control over the activities of insurers. This Act addresses over 31 provisions applicable to insurers. It also addresses the investigative powers of the authority, appointment of staff, control over management, amalgamation and transfer of insurance business, assignment or transfer of policies and nominations, commission and rebates and licensing of agents, special provisions of law, management by administration and acquisition of the undertakings of insurers in certain cases. b. Regulations issued by IRDA (Insurance Regulatory and Development Authority) The Insurance Regulatory and Development Authority (IRDA) was constituted as an autonomous body to develop the insurance industry based on the recommendations of the `Malhotra Committee report', in 1999. The IRDA was incorporated as a statutory body in April, 2000 to monitor Insurance sector in India. The key objectives of the IRDA are Promotion of competition among insurance companies to enhance customer satisfaction through increased consumer choice and lower premiums. Safeguarding the financial security of the insurance market and to eradicate the shortcomings of the industry. Application for registrations in the market was invited by the IRDA in August 2000. Foreign companies were allowed to own a share up to 26%. IRDA has the power to frame regulations under Section 114A of the Insurance Act, 1938 subsequent to which various regulations ranging from registration of companies for carrying on insurance business to protection of policyholders' interests were framed 11 The Insurance Regulatory and Development Authority (IRDA) is a public authority as defined in the Right to Information Act, 2005. As such, the Insurance Regulatory and Development Authority is obliged to provide information to members of public in accordance with the provisions of the said Act. The subsidiaries of the General Insurance Corporation of India were restructured into independent companies in December, 2000, when GIC was converted into a national re-insurer. The bill to de-link the four subsidiaries from GIC was passed by The Parliament in July, 2002. The Insurance Regulatory and Development Authority was established by the Indian Government, for two significant reasons-to safeguard the interest of the policy holders and for the up gradation of the entire insurance sector right from the approach adopted by the existing insurance companies towards their shareholders to the eradication of the shortcomings of the industry. Scope of Insurance Regulatory and Development Authority The Insurance Regulatory and Development Authority has been authorized to register new insurance companies in India. The list of new insurance companies also includes the collaborations of the renowned insurance companies overseas with the existing Indian companies. The insurance companies in India are required to approach the Insurance Regulatory and Development Authority for the purpose of renewal of the insurance registration. The Insurance Regulatory and Development Authority are allowed to withdraw registration of the companies and even cancel the registration of a company if required. It is also authorized to modify the registration procedure for a company. Functions of Insurance Regulatory and Development Authority The emergence of Insurance Regulatory and Development Authority was to safeguard the interests of the policyholders. The Insurance Regulatory and Development Authority ensures it through various ways such as Nomination by Policyholders Settlement of insurance claim Practical training for Insurance agents and other intermediaries 12 Insurable Interest Surrender value of Policyholders Code of conduct of Insurance intermediaries Assistance in gaining correct information about policies Creation of management information system Promotion of Self regulation within the insurance sector The IRDA has come out with various guidelines/ regulations relating to information technology including but not limited to the following: Guidelines on web aggregators Electronic Transactions Administration and Settlement Systems Audit of investment risk management systems and process, internal, concurrent Anti money laundering guidelines c. The Information Technology Act 2000 The Information Technology Act was passed by the Indian parliament in 2000. It was subsequently amended in 2008. The Act provides legal recognition for electronic transactions and electronic records. It also provides legal recognition for E-Filing of documents with government agencies. Section 43 prescribes penalties for hacking of computing resources. Section 43A prescribes penalties for Corporates who fail to protect sensitive personal data that are available in their computing systems. This Act emerged to curb `Cyber Crime' which is an unlawful act where computer is used as a tool or target or both. Insurance companies are posed with the duty to safeguard the data of the client under the Information Technology Act, specifically section 43A. Insurance companies need to store data securely and share it only with authorized partners for permitted purposes as prescribed in this Act. 13 d. Prevention of Money Laundering Act The Prevention of Money Laundering Act, 2002 (PMLA) forms the core of the legal framework put in place by India to combat money laundering. PMLA and the Rules notified there under came into force with effect from July 1, 2005. The PMLA and rules notified thereunder impose obligation on banking companies, financial institutions and intermediaries to verify identity of clients, maintain records and furnish information to Financial Intelligence Unit -India. PMLA defines money laundering offence and provides for the freezing, seizure and confiscation of the proceeds of crime. The insurance companies are required to comply with the regulations of anti money laundering legislation. The insurers may mandate the norms of "KYC" know your customer" mechanisms to minimize, prevent and detect money laundering abuse. 14 IV Information Systems Audit in Insurance Sector Information System Audit has a significant role to play in the emerging Insurance Sector. Information System Audit aims at providing assurance in respect of Confidentiality, Availability and Integrity for Information systems. It focuses at their efficiency, effectiveness, responsiveness and compliance with laws and regulations. Information systems are the lifeblood of any large business. As in years past, computer systems do not merely record business transactions, but actually drive the key business processes of the enterprise. In the context of the growing dependence of Insurance Sector on Information Systems for record keeping, transacting business, reporting, as well as regulatory compliance and providing information and results to stakeholders, Information System Audit has assumed a very significant role. Effective IS Audit systems in place would tantamount to corporate governance; compliance and effective regulation of the insurance sector. IRDA has already issued guidelines for Risk Management System Audit of Investments by Insurance Companies (Refer Appendix F). The Institute of Chartered Accountants of India has also issued a Technical Guide on Review and Certification of Investment Risk Management Systems and Processes of Insurance Companies (Refer Appendix G). ICAI has also issued a Technical Guide on Internal & Concurrent Audit of Investment Functions of Insurance Companies. a. IT Governance Every organization either large or small, either public or private has to ensure that the IT function sustains the organization's strategies and objectives. The level of sophistication that is applied to IT governance however, may vary accordingly to the size, industry or applicable regulations. The larger and more regulated the organization; it becomes essential to have the more detailed IT governance structure. 15 IT governance in simple terms refers to the process of how the organizations align IT strategy with business strategy and ensure that companies stay on track in achieving their strategies and goals also by implementing good ways to measure its performance. IT governance framework focuses on (I) the overall functioning of the IT department, (II) providing the management with the key metrics that it needs, and (III) the returns earned from the investments in IT. According to the IT Governance Institute (formed by ISACA), there are five areas of focus: 1. Strategic Alignment Strategic alignment refers to the process of linking the business strategy and IT strategy in achieving the predetermined goals. Typically, the lightning rod is the planning process, and true alignment can occur only when the corporate side of the business communicates effectively with line-of-business leaders and IT leaders about costs, reporting and impacts. Key business challenges that the Insurance Industry faces include: Growing the business Improving customer experience Providing better products and services using Information Analytics Improving operations like claims processing Complying with various regulatory requirements Improving Risk Management Reducing enterprise cost Technology can be used facilitate many of these issues. 16 For e.g. Data Analytics programs can help insurance companies design products that are customer centric and not based on the experiences and understandings of the underwriters and/or legal department. Such products can vastly enhance the ability of an insurance company to retain customers. Target customers belonging to the 20 30 age group may be very comfortable researching, buying and renewing policies online and increasingly from mobile phones and tablets. Insurance companies need to think of social media marketing, quote aggregators and search engine optimization to improve their brand recall value. Additionally, customers may be willing to change their insurance company based on convenience provided using a particular channel. 2. Value Delivery Value delivery means the benefits reaped from the investments made by the IT department. The optimal approach would be to develop a process to ensure that certain functions are accelerated when the value proposition is growing and by eliminating functions when the value decreases. Adoption of Cloud computing is expected to bring down costs in the insurance sector. 3. Resource management Resource management involves the process of managing resources more effectively in organizing the staff more efficiently based on the skills instead of the line of business. This will allow organizations to deploy employees to various lines of business on a demand basis. Attracting and retaining talent in IT will be a key challenge for insurance companies given that they often operate a mish-mash of legacy and contemporary systems. 4. Risk management Risk management institutes a formal risk framework which imposes rigidity in accepting, measuring and managing risk by the IT and reporting on how IT is managing in terms of risk. 17 5. Performance measures A performance measure is about measuring the business performance. One popular method involves instituting an IT Balanced Scorecard, which examines the contribution made by IT in terms of achieving business goals, by the utilization of resources effectively and by developing people. The qualitative and quantitative measures are used to ascertain these performances. b. Risk Management Risk management of Information Systems is crucial to insurance companies as they handle a huge amount of data relating to customers. A layered approach to security should be adopted to ensure that the information resources within the domain are adequately protected. Insurance companies have adopted technology in a big way and in order to cater to the new- age needs of customers, they have brought in new distribution channels like web and mobile. Also, agents and distributors expect to interact with the insurance company through various channels. Protecting all such data is a critical requirement for insurance companies. Additionally, Section 43A of the Information Technology Act provides for penalties to be imposed on companies that fail to protect sensitive private data. Insurance companies need to adopt the following measures to ensure that an information systems management system is in place. 1. Security Policy and Implementation A well thought out security policy is needed because security is not a technology issue but a business issue. The goal of corporate security policies is to define the procedures, guidelines and practices for configuring and managing security within the operational environment. The goal of implementing security policies, procedures and guidelines is to ensure that a common baseline security framework is defined for the entire enterprise. This framework should ensure that various entities in the computing environment are adequately protected and the confidentiality, availability and integrity of computing resources and data are ensured. Insurance companies have vast computing resources to cater to their clients and business partners and other third party service providers. The insurance sector is faced with challenges relating to retention of customers and providing a better customer experience. The solutions to these challenges include innovative ways to reach out to customers. For e.g. cloud computing, mobile, social media, data aggregators and other new technology needs to be embraced by insurance companies to ensure that they stay in the race. 18 Introduction of any new technology in large enterprises like insurance companies is a long drawn process typically involving analysis of the technology and various solutions and products available from different vendors, procurement, installation, roll-out. Training of staff in optimum use of the technology solution is sometimes followed by training of staff including sales force, agents and distributors when such entities need to interact with the solution. If the solution directly involves the customer like a new smartphone application then some amount of customer engagement will also have to be on the agenda. Maintenance of the technology and continuous training of new staff is also envisaged. All the above mentioned activities need to done within the security framework of the organization. It is therefore imperative that a well thought out set of policies, procedures and guidelines be adopted by all insurance companies. This will only aid them in smooth operations and ensuring that they maintain a secure computing environment. 2. Asset Management Data is the most critical asset of insurance companies. Typically, insurance companies sit on a data mine collected over the years. The data they have includes customer's basic information, premium paying pattern chronic late payers, chronic bad check customers, preferred channels of payment, how this is changing over the years, performance patterns of products, customer preferences with respect to product type, payment modes, claims history, demographic changes. All this data can be used by Analytics Engines to provide insights into customer behavior patterns which insurance companies can use to tailor their products and services accordingly. They also sit on financial investment data. They can find out how their investments have performed over the years, which sectors have given better return on investments etc. Innovative ways of capturing customer data may emerge in the near future. Telematics based insurance, where premiums will be based on how well a person drive, may become available in India once the technology is available. In telematics based insurance, a small black box (or data box) will be fitted in a car. This will collect data like the distance the car travels, the period of time the car is used, the location of the car at all times, types of roads the driver is travelling on, speed and direction of travel prior to and after a collision/ accident, the driver's speed, the driver's braking behavior, force of impact in an accident/ collision. Insurance companies also invest in application software for their various functions like billing, claims processing etc. Software assets also including operating systems and other operational software like Office, Adobe Reader, etc. 19 Assets need to be identified and classified based on criticality. Asset handling methodologies need to be defined for each class of asset. Asset disposal methodology for hardware and software also needs to be defined. Regular monitoring of assets also needs to be done. 3. Information Systems Acquisition, Development & Maintenance Customers and potential customers have come to expect newer ways of interacting with insurance companies. This leads to adoption of new solutions/ products / technology. Insurance companies may either opt to acquire said products/ solutions or develop the same in- house. Since information is a core component of the insurance industry, software acquisition, development and maintenance should be done with information security in mind. Care should be taken to ensure that Before application development begins, security controls should be defined and agreed upon these should include input, processing and output related controls Sufficient access controls should be built into the systems Encryption should be considered for both data at rest and data in transit Application code, configuration files, documentation and other system related files should have proper access control mechanisms protecting them Maintain separate test and production environments avoid leakage of production data through test systems Conduct vulnerability assessments on applications before deploying them Ensure that systems are capable of adhering to the organisation's information security policies and procedures Ensure that no new threats are introduced into the computing infrastructure as a result of implementing the new systems 4. Physical & Environmental Security Confidentiality of data that insurance companies hold needs to be maintained. Physical access to servers can mean access to the data stored on the device. So, preventing unauthorized physical access to servers is very important. Availability of data is also key to the smooth functioning of insurance companies considering that premiums are being paid online, engagement with customers, agents happens using the internet and other similar activities that require that the servers be available at all times. Making sure that proper environmental controls are implemented in data centers is one way to ensure availability of data. Additionally, improper environmental controls can cause damage to services, hardware and lives. Power, heating, ventilation, air-conditioning and air quality controls can be complex and contain many variables. These need to be operating properly and be monitored regularly. 20 Issues that need to be looked into: prevent unauthorized physical access, damage, and interference to premises and information ensure sensitive information and critical information technology are housed in secure areas prevent loss, damage, theft, or compromise of assets prevent interruption of activities protect assets from physical and environmental threats ensure appropriate equipment location, removal, and disposal ensure appropriate supporting facilities (e.g., electrical supply, data and voice cabling infrastructure) 5. Access Controls Insurance companies have critical and sensitive data and information resources. The access to these resources should be authorized and measures should be put in place to prevent unauthorized access to valuable resources. Controls may be technical, physical or administrative in nature. Access to networks, servers and other end user systems, applications and data should be controlled and restricted. Of particular importance is administrative access. Administrative access bestows great power on individuals who have this role. Therefore, administrative access should be granted on a need basis. A regular review of administrative access to resources should be undertaken. This is especially true of insurance companies who may have a plethora of systems, applications, networks and databases being accessed by a vast workforce and also by third party service providers. So, it is critical that a matrix of administrative access to various key resources be maintained up-to-date. Additionally, a regular audit of access control systems including administrative access to resources may be undertaken to ensure that IT management has a dashboard view of accesses granted. 6. System Parameters System Parameters are very critical for insurance companies as these control various important touch points in the application. Applications could have system parameters for commission rates, premium load values for different demographics etc. Therefore system parameters, if not carefully calibrated and regularly monitored/ audited, could lead to revenue leaks. 21 7. IT Controls review OS, Database, Networking devices Insurance companies have information systems that are increasingly being brought online. Cloud computing is being seen as a way to reduce costs. Customer interaction is through websites, social media and mobile applications. As the avenues and modes of interaction with customers' increases, so do the possible attack surfaces. As insurance companies hold critical data that they must protect, they need to adopt a layered approach to security. One layer of this approach would be to securely configure the core elements of their information infrastructure the operating systems, databases and networking devices. Whenever bugs are discovered in operating systems, bug fixes or patches are released. If the bug is not fixed, it may lead to a compromise of confidentiality, integrity and/or availability of the server in question. Insurance companies should make sure they have a defined process to address the issue of patching. Securing the operating system should include the following Enable only those services that are required Enable only secure services do not use telnet, FTP etc. Enforce strong password policies, delete unused accounts Routinely review system logs Databases are the repositories of data which is the most critical asset of any organization, especially insurance companies. It is possible that the data of insurance companies is spread across a variety of databases maybe due to the presence of legacy applications, acquisitions and the new ways and channels through which data is collected. Securing databases is of paramount importance to insurance companies. As stated earlier, all database assets should be identified and categorized. Some of the key measures to be taken to secure databases include: Make sure that applications do not run with privileged database accounts. This will ensure that even if an application account is compromised, the compromise is contained and cannot contaminate other applications/ databases. Even application administrators should not be able to view database metadata. Password policies should be set according to organization information security policy 22 Initialization parameters should be set as per best practices User access should be restricted and should be as per best practices. For e.g. users should not have access to the SYS.USER$ table in oracle as this table stores sensitive authentication information. System privileges should be restricted and given only as per best practices Access to sensitive packages should be restricted Networking devices like routers and switches direct and control much of the data flowing across computer networks. These networking devices need to be configured to control access, resist attacks, shield other network components, and protect the integrity and confidentiality of network traffic. In general, well-configured secure routers can greatly improve the overall security posture of a network. Security policy enforced at a router is difficult for negligent or malicious end-users to circumvent, thus avoiding a very serious potential source of security problems. Some of the key measures to be taken to secure networking devices include: Physically protect the networking device Keep software up-to-date by applying the latest patches A login banner should be set up with a `no trespassing' warning Virtual terminal login should be disabled if remote administration is not needed Secure password protection should be used (e.g. in Cisco devices, the Type 7 password is known to be weak and should not be used) AAA mechanisms may be used Do not use common/ generic user names for administrators who log into the devices If remote administration is required, use SSH or IPSec The auxiliary port on routers should be disabled Run only those services that are required as per best practice recommendation 8. Capacity Management 23 Assess the existing capacity and planned capacity for growth and adequacy of the current capacity to handle existing and future business. The volume of computing resources at the disposal of insurance companies is fairly large and complex in nature. Companies also expect growth of business and this involves increase of computing resources to cater to the needs of a growing footprint. Companies should be able to smoothly handled increased capacity by understanding current processing power, memory etc. If there are increased loads at a particular time of the day, then companies should investigate the root cause of the surge and try to come up with possible solutions like moving non-critical processing to a low-demand time period etc. 9. Disaster Recovery, Backup & Contingency planning This should include review of the existing disaster recovery, backup and contingency plans and policies of the insurance companies and verify and assess the compliance to current policies. Insurance companies require mature capabilities in this domain. Insurance companies are concerned with the protection of a citizen's life and/ or properties as well as national wealth. So, the data that they store is critical and it is imperative that their ability to serve the public continues even in case of a disaster affecting their data centre. Sufficient backups should exist as should an alternative processing facility. Periodically, live processing should be carried out from the disaster recovery site to ensure that the insurance company has the capabilities to handle a disaster in the data centre. Disaster recovery testing should also focus on sufficient human resources backup and training for backup personnel. 10. Customer Services Review the procedures and channels through which services are provided to customers and other partners. In view of the new channels of providing services to customers, the procedures adopted should be audited to ensure that information being disbursed through various channels is accurate and reflect the corporate position. It should also be ensured that these channels do not lead to information leakage. For e.g. If insurance companies have tied up with aggregator websites, ensure that accurate information is being displayed on the said websites and that it is in accordance with the guidelines on web aggregators issued by IRDA. Ensure that customer engagement forums are not avenues for information leakage. 24 Appendix A About COBIT COBIT 5 is the latest edition of ISACA's (www.isaca.org) globally accepted framework, providing an end-to-end business view of the governance of enterprise IT that reflects the central role of information and technology in creating value for enterprises. COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT. The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector. COBIT 5 is based on five key principles for governance and management of enterprise IT: Principle 1: Meeting Stakeholder Needs Principle 2: Covering the Enterprise End-to- End Principle 3: Applying a Single, Integrated Framework Principle 4: Enabling a Holistic Approach Principle 5: Separating Governance From Management The COBIT 5 framework describes seven categories of enablers: 1) Principles, policies and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management. 2) Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals. 3) Organizational structures are the key decision-making entities in an enterprise. 4) Culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities. 5) Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself. 25 6) Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services. 7) People, skills and competencies are required for successful completion of all activities, and for making correct decisions and taking corrective actions. 26 Appendix B About COSO The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of the following five private sector organizations: American Accounting Association (www.aaahq.org) American Institute of CPAs (www.aicpa.org) Financial Executives International (www.financialexecutives.org) The Association of Accountants and Financial Professionals in Business (www.imanet.org) The Institute of Internal Auditors (www.theiaa.org) COSO is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. COSO through its "Internal Control Integrated Framework" provides principles-based guidance for designing and implementing effective internal controls. The Framework will enable organizations to effectively and efficiently develop and maintain systems of internal control that can enhance the likelihood of achieving the entity's objectives and adapt to changes in the business and operating environments. The updated COSO Framework (2013) lists 5 components of internal control with 17 principles under them. The 5 components of internal control are: 1) Control Environment 2) Risk Assessment 3) Control Activities 4) Information & Communication 5) Monitoring Activities 27 The COSO framework has always presumed that, for internal control to be effective, all components must be present and functioning. If a principle is not attained, then a component is not present and functioning; hence, internal control is deficient. 28 Appendix C Guidelines on Outsourcing of Activities by Insurance Companies IRDA/Life/CIR/GLD/013/02/2011 01st February, 2011 Guidelines on Outsourcing of Activities by Insurance Companies Reference: 1. INV/CIR/031/2004-05 dated 27th July, 2004 2. INV/CIR/058/2004-05 dated 28th December, 2004 3. RBI/2006/167 DBOD.NO.BO.40/21.04.158/2006-07 4. Regulation 7(c) of IRDA (Registration of Companies) Regulations, 2000 1. INTRODUCTION 1.1 Insurers in India are increasingly using outsourcing, as a means of both reducing cost and accessing expertise, not available internally and achieving strategic aims. 'Outsourcing' may be defined as "Insurer's use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the Insurer itself, now or in the future". These outsourcing arrangements are becoming increasingly complex. 1.2 Joint Forum set up by Basel Committee on Banking Supervision, International Organization of Securities Commissions and International Association of Insurance Supervisors has devised high-level principles on outsourcing in financial firms which gives guidance to firms, and to regulators, in effectively managing risks involved in outsourcing without hindering the efficiency and effectiveness of firms. Reserve Bank of India also brought out Guidelines on Managing Risk and Code of Conduct in outsourcing of financial services vide reference 3 cited above. This circular is issued based on best practices adopted internationally as outlined in above document. These instructions are intended to provide direction and guidance to insurers to adopt sound and responsible risk management practices for effective oversight. 1.3 Regulation 7 (c) of IRDA (Registration of Companies) Regulations, 2000, clearly sates "The applicant will carry on "all functions" in respect of insurance business including "management of Investment" within its own organization". It has been observed that certain insurers are outsourcing even core activities such as Investment, Underwriting and Policy servicing. It is not desirable to outsource the core and important activities which will affect corporate governance, protection of policy holders, solvency and revenue flows of insurer. 29 1.4 In order to ensure proper corporate and regulatory oversight over the outsourcing of activities of insurers, the Authority has decided to issue following instructions under Section 14(2) of Insurance Regulatory and Development Authority Act, 1999. These guidelines apply in addition to the instructions given vide reference 2 cited above. 1.5 However this circular supercedes the provisions of para 3 of reference 2 cited above. 1.6 The insurer shall ensure that outsourcing arrangements neither diminish its ability to fulfill its obligations to Policyholders nor impede effective supervision by IRDA. Insurers therefore have to take steps to ensure that the service provider employs the same standards in performing the services as would be employed by them if the activities were conducted in house. Accordingly, insurers should not engage in outsourcing that would result in their internal control, business conduct or reputation being compromised or weakened. 1.7 Activities of insurers are broadly classified into two categories namely `Core' and `Non- Core', in accordance with Regulation 7(c) of IRDA (Registration of companies) Regulation, 2000. 2. CORE ACTIVITIES 2.1 All activities relating to:- Underwriting, Product design and all Actuarial functions and Enterprise wide Risk Management Investment and related functions Fund Accounting including NAV calculations Admitting or Repudiation of all Claims Bank Reconciliation Policyholder Grievances Redressal Approving Advertisements Market Conduct issues Appointment of Surveyors and Loss Assessors Compliance with AML, KYC etc. All integral components of the above activities shall be treated as Core Activities 2.2 Policy Servicing and related activities 2.3 Insurers shall not outsource any of the core activities listed in para 2.1. 30 3. NON CORE ACTIVITIES: Facility management i.e. Housekeeping, Security, Catering, etc. PF Trust Internal audit, Internal / branch /concurrent audit etc. (Note: However, the Board of Directors shall appoint the internal /branch / concurrent auditor based on the recommendation of the Audit Committee / Investment Committee respectively as mandated by the Authority in Corporate Governance Guidelines. The report of internal auditor / concurrent auditor shall be placed before the Audit Committee / Investment Committee / Board Meeting for their information and necessary action) Website Development and Management / Software and other IT Support Pay Roll Management HR Services Service Tax Consultancy and Support TDS filing Compliance with labour laws Data entry Including Scanning, Indexing Services Printing and posting of reminders and other documents Pre employment medical checkups Reminders for Premium Payment Call Centre and outbound calling for registering complaints or answering enquiries Claim Processing for Overseas Medical Insurance Contracts Tele-marketing Consultancy Services pertaining to Service Tax, Income Tax and any other taxes payable by insurer Other Employee Benefits Deployment of personnel within the premises / offices of the Insurer on a contract basis 4. ACTIVITIES SUPPORTING CORE ACTIVITIES: 31 4.1 Certain activities which support the core activities as listed in column 3 of Annexure I may be outsourced as per risk management principles outlined in these guidelines subject to reporting requirements. 4.2 Activities in column 4 of Annexure I, which insurers normally assign to outside professionals, regulated either under different laws or provide outside expertise and economies, may be outsourced to such entity as otherwise legally permitted to carry out those activities. 5. PREMIUM COLLECTION & CHEQUE PICK-UP ACTIVITIES: 5.1 The insurer shall ensure that the entities, other than those referred at Sl No. 3 Column No. 4 of Annexure 1 shall be only a Company registered under Indian Companies Act, 1956. Such entities engaged for cheque pick-up shall have a net worth of at least Rs.10 Crores. However, these conditions are not applicable to Scheduled Commercial Banks and Post Office. 5.2 In respect of outsourcing of premium collection, insurers shall strictly ensure that the same is outsourced only to entities listed at Sl.No.2 of Column 4. 5.3 Notwithstanding what is stated at Sl No. 2 of Column 4 of Annexure 1 Insurers are also permitted to outsource cheque pick up and premium collection to their respective Individual Agents and Corporate Agents in respect of those policies that are not sourced by such intermediaries. Such collection and pick up by agents who have not procured such business is regarded as outsourcing. However, Insurers shall carry out the due diligence on individual agents and corporate agents while outsourcing the same. However, the activity of premium collection / cheque pick up referred in this paragraph shall be subject to the following conditions. 5.4 The total amount entrusted to be collected and picked up by Agents and Corporate Agents for a given financial year shall not exceed three times the renewal commission that the said agent earned in the preceding financial year. Thus it is a prerequisite for carrying out activity that such agents are in existence at least for a period of 2 years. 5.5 The insurer shall assign this activity to agents and corporate agents by allocating only a specified list of the policies, where the services of the agents that procured the business are no longer available to the insurer. 5.6 The above referred conditions are not applicable in respect of Scheduled Commercial Banks, Post Office when these activities are carried out in their capacity as a collecting bank. 5.7 Where an insurer permits its agent to collect premiums on its behalf, it shall be noted that in such instances the agent is acting on behalf of insurers. Insurer shall remain accountable to the receipts issued by the authorised agents / intermediaries. 5.8 Insurers shall notify Policyholders about all the options available for payment of premiums. 6. Bank Reconciliation: With reference to 2.1 (vi) the Insurer is solely responsible for reconciling various Bank Accounts, cash and other instruments; and accountable to any liabilities created through these accounts. However, Insurers are allowed to outsource clerical activities like sorting and organizing the instruments to Scheduled Commercial Banks. The 32 activity of tallying that what is stated in the account and actual availability of instrument shall not be outsourced. The Scheduled Commercial Banks shall be required to submit the certified copies of compilation of various assets inclusive of Cash / Fixed Deposits etc. 7.Policy Servicing and Related Activities: With regard to the activities referred in para 2.2, the following components of the activities, referred at point no. 7.1, are allowed to be outsourced to any service provider at the discretion of the Insurers and as per these guidelines. However, it is reiterated that execution of these services shall remain to be Core Activity to be carried out by the Insurers: 7.1 Receiving requests in physical/electronic/telephonic forms and transmitting to the insurer without accessing the original data base of Insurers for the following areas of Policy Servicing; Issuance of Policy Document / Certificates of Insurance Change of Name / Address Fund Switching/ Premium Redirection Surrender, Maturity, Withdrawals Free look Cancellations Payouts Loan Against Policy Change of Policy Terms and Conditions / Details Change Registration of Assignment / Nomination Revival / Cancellation of Policy Transfer of Policy Substitution of Vehicle Communications, Reports, Printouts to Policyholders / Claimants Laid up Vehicles Withdrawal of No Claim Bonus Declarations Update Extension of Cover Duplicate Policy Document Collection and Investigation for complying with AML and KYC norms 8. General Principles: Outsourcing of activities allowed in these guidelines are subject to following general principles. 33 8.1 To avoid a potential conflict of interest no insurer shall outsource the internal audit to their respective statutory auditors. 8.2. The third party service providers engaged by insurers are subject to the various provisions of Insurance Act, 1938, IRDA Act, 1999, Rules, Regulations or any other orders issued there under. The third party service provider shall comply with provisions of Regulations, Guidelines and any other law under force and the insurer shall be responsible for all acts of omission and commission of its third party service providers in this regard. 8.3. The regulated activities of the Agents, Corporate Agents, Brokers, TPA's, Surveyors and other regulated entities, as provided in the Insurance Act,1938, IRDA Act,1999 and Regulations, guidelines made there under, are not covered by these guidelines. 8.5. Subject to these Guidelines, Agents, Corporate Agents, Brokers, TPA's and Surveyors and other regulated entities shall not be contracted to perform any outsourced activity other than those permitted by the respective regulations/instructions governing their licensing and functioning. 9. Risk Management Principles: While outsourcing activities every insurer shall abide by criteria laid down in the following principles: 9.1 An insurer intending to outsource any of its activities shall put in place a comprehensive outsourcing policy, approved by its Board, which incorporates, inter alia, criteria for selection of such activities as well as service providers, delegation of authority depending on risks and materiality and systems to monitor and review the operations of these activities. 9.2 In case any of the third party service provider becomes a group entity as defined vide IRDA (Investment) Regulations, 2000, the insurer shall report the fact to the Authority within 30 days of such an event. 9.3 The Board of Directors of insurer shall review the performance of all third party service providers every year with respect to compliance with provisions of Insurance Act 1938, Regulations, Rules or any other order issued there under. 9.4 In case of termination of contract between insurer and third party service provider, the compensation or penalty or any payment in lieu of foreclosure shall be reasonable and shall not be excessive. 9.5 Insurer shall establish a comprehensive outsourcing risk management programme to address the outsourced activities and the relationship with the service provider. 34 9.6 Some factors that could help in considering materiality in a risk management programme include the following: The financial, reputational and operational impact on the insurance company of the failure of a service provider to adequately perform the activity Cost Benefit Analysis; Potential losses to policyholders and their counterparts in the event of a service provider failure; Consequences of outsourcing the activity on the ability and capacity of the insurer to conform with regulatory requirements and changes in requirements, Interrelationship of the outsourced activity with other activities within the Insurance Company. Affiliation or other relationship between the insurer and the service provider; Regulatory status of the service provider; Degree of difficulty and time required to select an alternative service provider or to bring the business activity in-house, if necessary; and Complexity of the outsourcing arrangement. For example, the ability to control the risks where more than one service provider collaborates to deliver an end-to-end outsourcing solution. 9.7 Data protection, security and other risks may be adversely affected by the geographical location of an outsourcing service provider. To this end, specific risk management expertise in assessing country risk related, for example, to political or legal conditions, could be required when entering into and managing outsourcing arrangements that are taken outside of the home country. 9.8 Insurer shall ensure that outsourcing arrangements neither diminish its ability to fulfill its obligations to policyholders and regulators, nor impede effective supervision by regulators. 9.9 Outsourcing relationships shall be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities, expectations of all parties. The outsourcing contracts may carry the following components:- The contract shall clearly define what activities are going to be outsourced, including appropriate service and performance levels. The service provider's ability to meet performance requirements in both quantitative and qualitative terms should be assessable in advance; The contract shall neither prevent nor impede Insurer from meeting its respective regulatory obligations, nor the regulator from exercising its regulatory powers of conducting inspection, investigation, obtaining information from either the insurer or the third party service provider. 35 Insurer must ensure it has the right to access all books, records and information relevant to the outsourced activity in the third party service provider; The contract shall provide for the continuous monitoring and assessment by Insurer of the service provider so that any necessary corrective measures can be taken immediately; A termination clause and minimum periods to execute a termination provision, if deemed necessary, shall be included. The latter should allow the outsourced services to be transferred to another third-party service provider or to the Insurance Company. Such a clause shall include provisions relating to insolvency or other material changes in the corporate form, and clear delineation of ownership of intellectual property following termination, including transfers of information back to the Insurer and other duties that continue to have an effect after the termination of the contract; Material issues unique to the outsourcing arrangement shall be meaningfully addressed. For example, where the third party service provider is located abroad, the contract shall include choice-of-law provisions and agreement covenants and jurisdictional covenants that provide for adjudication of disputes between the parties under the laws of a specific jurisdiction; 9.10 Insurer and its third party service providers shall establish and maintain contingency plans, including a plan for disaster recovery and periodic testing of backup facilities. 9.11 The Insurer shall take appropriate steps to require that third party service providers protect confidential information of both the Insurer and its clients from intentional or inadvertent disclosure to unauthorized persons. 9.12 The Insurer shall ensure that the third party service provider does not have any conflict of interest. The third party service provider or any of their group entities shall not be able to derive any benefit by causing loss to the insurer or policyholder. For instance the third party service provider shall not have the responsibility of repairing the damaged vehicle, supply of spare parts and marketing of the policy. In case of existence of conflict of interest among group entities, the insurer shall avoid outsourcing to such entities. 9.13 No employee of Insurer shall be directly or indirectly involved in (i) creation of or (ii) any outsourced activity of the outsourced entity. 9.14 The Insurer shall ensure that there is no risk of loss of control over outsourced activity and potential impersonal treatment of policy holder / agents, before outsourcing any activity. 9.15 Where the third party service provider is either a group entity as defined in provisions of Regulation (2) (ca) of IRDA (Investment) Regulations, 2000 and having a common director with the insurer, the insurer shall ensure that the transfer pricing is done according to the sound principles and or all such transactions shall be disclosed to the Authority as soon as the agreement is completed and before payment is made to the third party service provider. 36 However nothing contained herein shall be applicable for outsourcing of activities to a scheduled commercial bank 10. Evaluating the Capability of the Service Provider: In considering or renewing an outsourcing arrangement, appropriate due diligence should be performed to assess the capability of the service provider to comply with obligations in the outsourcing agreement. Due diligence should take into consideration qualitative and quantitative, financial, operational and reputational factors. Insurers should consider whether the service providers' systems are compatible with their own and also whether their standards of performance including in the area of policyholder service are acceptable to it. Where possible, the insurer should obtain independent reviews and market feedback on the service provider to supplement its own findings. 10.1 Due diligence should involve an evaluation of all available information about the service provider, including but not limited to:- Past experience and competence to implement and support the proposed activity over the contracted period; Financial soundness and ability to service commitments even under adverse conditions; Business reputation and culture, compliance, complaints and outstanding or potential litigation; Security and internal control, audit coverage, reporting and monitoring environment, Business continuity management; External factors like political, economic, social and legal environment of the jurisdiction in which the service provider operates and other events that may impact service performance. Ensuring due diligence by service provider of its employees. 11. Reporting Requirements: 11.1 The activities outsourced vide point no.4.1 of these guidelines shall be reported to IRDA within 45 days from the date of entering into outsourcing agreement. 11.2 With respect to each of the other outsourced activities all insurers shall file a report in Form A (attached as Annexure-II) within 45 days from the end of every half year. 12. Electronic Issuance of Policies and Data Storage: Where insurers issue policies in electronic form in accordance to the guidelines issued in this regard or where Insurers prefer to outsource the Data Storage, the outsourcing of data storage in electronic form shall be mandatorily with the repository service providers authorised by IRDA. The guidelines for issuance of electronic policies and authorization of repositories will be issued separately. 37 12.1 In respect of policies issued in electronic form, the terms and conditions of the policies shall be drafted in simple and plain language. Insurers shall take prior approval of IRDA for the text format of such policy documents. 12.2 Insurers are also permitted to allow the execution of the activities referred at point no. 7.1 to the authorised repository service providers at their discretion with respect to all category of policies, both electronic policies and otherwise. 13. Classification of any of the activities, that are not explicitly referred herein, as core or noncore shall be done after due diligence. Mere listing of an activity as a non core shall not be taken as freedom to outsource without proper risk assessment/due diligence. Further, Insurers are advised to refer to IRDA for further clarification in case of any ambiguity regarding the classification of the activities as core or noncore which are not specified in these guidelines. 14. Redressal of Grievances related to Outsourced services: Every Insurer shall direct in house Grievance Redressal Machinery to deal with grievances relating to services provided by the outsourced agencies. Wide publicity has to be given through print and electronic media about this. The Grievance Redressal Machinery shall deal with every grievance in a fair, objective and just manner and issue reasoned speaking reply for every grievance rejected. It shall also analyze grievances received to help identification of the problem areas in which modifications of policies and procedures could be undertaken with a view to making the delivery of services easier and more expeditious. The TAT's for redressal of grievances shall be as notified by the Authority from time to time 15. Centralized list of Outsourced Agents: If a service provider services are terminated by an Insurer on grounds of mischief, fraud and non compliance with terms and conditions of outsourcing agreement, they shall inform the Authority with reasons for such termination. The Authority would be maintaining a caution list of such service providers for the entire insurance industry for sharing among insurers. 16. These guidelines shall not be construed to be authorizing, any activity which otherwise is prohibited by any law under force and/or Regulation and Guidelines of the Authority. 17. These guidelines would be reviewed by IRDA periodically. 18. These guidelines come into force with immediate effect. 19. The insurers shall terminate all existing outsourcing contracts entered into in contravention of these guidelines before 31st June, 2011. Beyond the time period specified herein, the Authority may relax time limit by 3 more months, on a case to case basis, in respect of existing contracts that are in contravention of this circular. (A.Giridhar) Executive Director 38 Annexure I Sl. Activity Specified activities that Activities external to Insurers may be can be outsourced with Outsourced No. (2) due reporting (4)** (1) (3)* 1. Underwriting Data collection of Data analysis prospect/insured details, Medical examination Submission of proposals Risk management service at policyholders' / Data Entry insured premises Reinsurance 2. Premium Printing of receipt Collection by RBI approved banks, institutions, Collection business correspondents of banks Dispatch Government, private partnerships like AP Data entry of details Online, e-mitra, e-seva, MP Online etc. Issuance of receipt Government offices like Post office Payment aggregators eg VISA, Mastercard, Bill desk, payments through RBI approved gateway RBI Cleared Payment Collectors, e.g ECS Licensed Insurance Intermediaries, which includes agent / micro insurance agent/ corporate agent/Broker who are authorized and who himself procured the policies related to the premium being collected. 3. Cheque pick up Cash management services of banks and Banking Picking up arrangement with couriers, Post Picking up from office, policyholder premises Drop box Drop box Picking up from 39 acceptance points 4. Data Storage Scanning Physical storage of documents Indexing 5. Admitting and Legal / expert / professional opinion repudiation of Claims Investigation Forensic analysis Salvage / sue and labour Average adjustors Recovery agents Third party claims negotiators Claims document aggregator Accident / road assistance International travel and medical assistance services Global repricing * Refer 4.1 of the Circular ** Refer 4.2 of the Circular 40 Annexure II Form A Sl. Particulars For the Up to For the corresponding Up to the Half Year No. Half the Half Half Year of the preceding of the preceding (2) Year year year year (1) (3) (4) (5) (6) 1. Activity out sourced (detailed description) 2. Name of the Vendor 3. Total Amount Agreed 4. Amount Paid so far 5. Whether vendor belongs to insurer group 6. %of outsourcing payments to Operating Expense Date : Signature of CEO 41 Appendix D Clarifications on Guidelines on Outsourcing of Activities by Insurance Companies Clarification 1 Ref: IRDA/Life/Cir/Misc/ 103 /05/2011 Date: 18-05-2011 Title: Clarification on Guidelines on Outsourcing of Activities by Insurance Companies Reference is invited to point no. 5.1 of Guidelines on Outsourcing of Activities by Insurance Companies (Circular No: IRDA/Life/CIR/GLD/013/02/2011 dated st 01 February, 2011) wherein it is prescribed that entities engaged for the activities referred at Column (4) of Sl. No. 3 of Annexure - 1 (Cheque pick and Banking) shall be only a Company registered under Indian Companies Act, 1956 with a net worth of atleast Rs 10 Cores. It is now clarified that these conditions are not applicable to the entities that are permitted by RBI to facilitate collections using technology platform. Entities permitted by RBI for collection are allowed to carry out the activity of `Cheque pick and Banking' in accordance to the provisions of the within referred outsourcing guidelines and also in compliance with those prescribed by RBI. The insurers shall put in place procedures for issuance of simultaneous receipts to the policyholders through such entities. It is further clarified that insurers shall remain responsible for the receipts issued and date and time of such receipt shall be taken into account for considering the underlying benefits of an insurance contract. This issues with the approval of the Competent Authority. (A Giridhar) Executive Director 42 Clarification 2 Ref: IRDA/Life/CIR/GLD/219 /09/2011 Date: 21-09-2011 Title: Clarifications on Guidelines on Outsourcing of Activities by Insurance Companies With reference to the captioned guidelines the following clarifications are issued for compliance by all insurers. 1. Reference is invited to the Authorities Circular No. IRDA/Life/CIR/GLD/013/02/2011 dated 01st February, 2011 wherein it was prescribed vide proviso 9.15 that the insurer shall report to the Authority before making payment to the third party service providers which is either a group entity as defined in provisions of Regulation (2) (ca) of IRDA (Investment) Regulations, 2000 and having a common director with the insurer. a. In clarification of the above provision it is now clarified that where the terms and quantum of payments agreed are explicitly mentioned in the terms and conditions of the agreement /MOU entered with above referred third party, the disclosure of the same shall be reported as soon as the agreement is made. And all subsequent transactions shall form part of Form A and be reported in accordance to Clause 11.2 of the within referred guidelines. 2. Reference is also invited to proviso 5.2 read in conjunction with Sl No. 2 Column 4 of Annexure 1 of the within referred guidelines. With regard to the Registration Fee collected under RSBY in addition to the entities referred therein, it is clarified that the TPAs which are engaged as Intermediaries for discharging various pre determined functions may also collect the registration fee. The above clarifications will come into effect immediately. Sd/- A.Giridhar Executive Director 43 Appendix E IRDA (Web Aggregators) Regulation, 2013 Since the file size of the Appendix E is too heavy to upload, hence it can be downloaded from the http://www.irda.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo2168&flag=1&mid=Ins urance%20Laws%20etc.%20%3E%3E%20Regulations 44 Appendix F IRDA Circular on Investment Risk Management Systems and Process Audit 82 Appendix G Extracts from ICAI Technical Guide on Review and Certification of Investment Risk Management Systems and Processes of Insurance Companies (2013) THE SCOPE 3.22. With a view to addressing the concerns of the Regulator and other stakeholders, the review of investment risk and management system should include within its scope the following minimum areas of information system security and audit: i. Risk Management: Ensure that the features and system parameters implemented in the system are in accordance with the policies and procedures covered in IRDA Investment Regulations and applicable Guidelines / Circulars. ii. Application Review: Review and ensure that the software used by the insurance companies is in accordance with the security standards and policies and guidelines as prescribed by IRDA. iii. Security Policy and Implementation: Review the security policy and implementation procedures with special reference to the Hardware Platform, Network, Operating System, Physical Perimeter, Backups and databases. iv. Capacity Management: Assess the existing and planned capacity for growth and adequacy of the current capacity to handle the existing and future business. v. Disaster Recovery, Back-up and Contingency Planning: Review the existing disaster recovery, back-up and contingency plans and policies of the insurance companies and verify and assess the compliance to current policies. vi. Customer Services: Review the procedures for providing services and communicating with clients / investors. vii. Internal Vulnerability Assessment: Ascertain the data integrity, availability and security of the key information present in the network and the efficiency, effectiveness, responsiveness and compliance of the IS processing facilities. THE APPROACH 3.23. The checklist-based review should address and cover the following key activities of an Insurance Company: i. Understanding the Information Technology Infrastructure of the insurance company as it exists at the location. 83 ii. Understanding the business process, related to the Investment function and risk management system. iii. Understanding the transaction mechanism and data flow with respect to investment management function. iv. Inspection and review of the documented policies and procedures, infrastructure and network diagram. v. Collection of evidence in the form of documents, test results, screenshots, confirmations, logs, third party evidence. vi. Conducting a risk analysis in the environment to evaluate and test the existing risk management processes and available controls, both system- based and manual. vii. Vulnerability analysis and audit of host servers. viii. Discussing critical observations / findings with the Insurance Company and generating a report to be submitted to IRDA. Annexure C - Review of Information Technology (IT) Systems and Processes supporting Investment Operations 84 Annexure C REVIEW OF INFOR M ATION TECHNOLOGY (IT) SYSTEMS AND PROCESSES SUPPORTING INVESTMENT OPERATIONS 85 Technical Guide Review of Information Technology (IT) Systems and Processes supporting Investment Operations S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A Planning the IT Function IT Plan and Strategy Very Serious A.1. Does the Organization have an IT strategy / IT plan approved by Management A.2. Is there a process of minimum of annual review of the IT strategy / Plan A.3. Is there a periodic review (minimum annual) of IT performance - covering key parameters in IT strategy such as Data Sizing, Network Performance? Information Architecture Policy and Procedure Review INFORMATION SECURITY Very POLICY DOCUMENT Serious A.4. Is there an Information security policy, approved by the management and adopted by the Board? A.5. Does it state the management commitment and set out the organisational approach in managing information security? Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.6. Does the Information Security Policy cover the following key areas of IT Security · Detailed IT Security Policy and Procedures · Organisa0tion and security · Asset Classification and Control · Personnel Security · Physical and Environmental Security · Communications and Operations Manag em ent · Access Control · Systems Development and Maintenance · Information Security Incident Manag em ent · Business Continuity Management · Compliance requirements to Policies and Procedures IT Risk Management Process? A.7. Has the Security Policy been published and communicated as appropriate to all employees and vendors? A.8. Are new members of staff and vendors made aware of Information Security Policy? A.9. Are continuous awareness programmes conducted for security awareness? Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.10. Has the role of Information Security Officer with responsibilities for implementation of the Security Policy been assigned? A.11. Whether detailed procedures for each policy statement developed? A.12. Is the Information Security Officer made responsible for: · Reporting non- compliance with the approved policy · Incidents of security breaches to the Top Management, · Initiating and effecting corrective action? INCIDENT MANAGEMENT PROCEDURES A.13. Whether an Incident Management procedure exists to handle security incidents. A.14. Whether there are clearly defined procedures and rules covering the different types of security incidents. A.15. Whether the procedure addresses the incident management responsibilities, orderly and quick response to security incidents. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.16. Whether the procedure addresses different types of incidents ranging from denial of service to breach of confidentiality etc., and ways to handle them. INVENTORY OF ASSETS A.17. Whether an inventory or register is maintained with the important assets associated with each information system. A.18. Whether each asset identified has an owner, the security classification defined and agreed and the location identified. A.19. Is there an up-to-date network diagram? A.20. Is the inventory schedule and networking plan reviewed at regular intervals to ensure that they are complete and up- dated? A.21. Are all the system configurations properly documented? A.22. Is the configuration document regularly updated as per a fixed schedule? INFORMATION LABELING AND HANDLING Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.23. Whether an appropriate set of procedures are defined for information labeling and handling in accordance with the classification scheme adopted by the organization. CORRECT DISPOSAL OF RESOURCES REQUIRING PROTECTION A.24. Is there a policy of identifying resources and media based on their level of sensitivity A.25. Is there a disposal process commensurate with each level of sensitivity A.26. Are the specified disposal provisions complied with A.27. Is the disposal procedure reliable ACCESS CONTROL POLICY A.28. Whether the business requirements for access control have been defined and documented. A.29. Whether the Access control policy does address the rules and rights for each user or a group of user. A.30. Whether the users and service providers were given a clear statement of the business requirement to be met by access controls. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments CLASSIFICATION GUIDELINES A.31. Whether there is an Information classification scheme or guideline in place; which will assist in determining how the information is to be handled and protected. MANAGEMENT OF REMOVABLE COMPUTER MEDIA A.32. Whether there exists a procedure for management of removable computer media such as tapes, disks, cassettes, memory cards and reports. OTHER FORMS OF Serious INFORMATION EXCHANGE A.33. Whether there are any policies, procedures or controls in place to protect the exchange of information through the use of voice, facsimile and video communication facilities. A.34. Whether staffs are reminded to maintain the confidentiality of sensitive information while using such forms of information exchange facility. INFORMATION AND Serious SOFTWARE EXCHANGE AGREEMENT Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.35. Whether there exists any formal or informal agreement between the organisations for exchange of information and software. A.36. Whether the agreement does address the security issues based on the sensitivity of the business information involved. Determine technological direction. INDEPENDENT REVIEW OF Very INFORMATION SECURITY Serious A.37. Whether the implementation of security policy is reviewed independently on regular basis. This is to provide assurance that organisational practices properly reflect the policy, and that it is feasible and effective. TESTING, MAINTAINING AND Very RE-ASSESSING BUSINESS Serious CONTINUITY PLAN A.38. Whether Business continuity plans are tested regularly to ensure that they are up to date and effective. A.39. Whether Business continuity plans were maintained by regular reviews and updates to ensure their continuing effectiveness. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.40. Whether procedures were included within the organisations change management programme to ensure that Business continuity matters are appropriately addressed. MOBILE COMPUTING Serious A.41. Whether a formal policy is adopted that takes into account the risks of working with computing facilities such as notebooks, palmtops etc., especially in unprotected environments. WORKING FROM OFFSITE Very Serious A.42. · Whether policy, operational plan and procedures are developed and implemented for working from offsite. This should cover both employees and partners. · Whether such activity is authorized and controlled by management and does it ensure that suitable arrangements are in place for this way of working. Define the IT Processes, Organization and Relationships AUTHORISATION PROCESS Very FOR INFORMATION Serious PROCESSING FACILITIES Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.43. · Whether there is a management authorisation process in place for any new facilities such as · Hardware · Software incl. applications · information processing facility like data centers, offices etc · changes to configurations in existing Assets. A.44. Are log-books kept of system changes A.45. Are there any guidelines for implementing changes to IT components, software or configuration data? A.46. Are all changes documented? INFORMATION SECURITY Procedural COORDINATION A.47. Whether there is a cross- functional forum of management representatives from relevant parts of the organization to coordinate the implementation of information security controls. ALLOCATION OF Very INFORMATION SECURITY Serious RESPONSIBILITIES A.48. Has an IT Security Officer been appointed? Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.49. Whether responsibilities for the protection of individual assets and for carrying out specific security processes are clearly defined. A.50. Is there an establishment of a suitable organisational structure for IT security CONFIDENTIALITY Very AGREEMENTS Serious A.51. Whether employees are asked to sign confidentiality or non- disclosure agreement as a part of their initial terms and conditions of the employment. A.52. Whether this agreement covers the security of the information processing facility and organisation assets. INCLUDING SECURITY IN JOB Procedural RESPONSIBILITIES A.53. Whether security roles and responsibilities as laid down in Organization's information security policy documented were appropriate. A.54. Does it include general responsibilities for: implementing or maintaining security policy, specific responsibilities for protection of particular assets, extension of particular security processes or activities. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments PERSONNEL SCREENING Very AND POLICY Serious A.55. Whether verification checks on permanent staff were carried out at the time of job applications. This should include: · character reference, · confirmation of claimed academic · professional qualifications · independent identity checks. TERMS AND CONDITIONS OF Procedural EMPLOYMENT A.56. Whether terms and conditions of the employment covers the employee's responsibility for information security. Where appropriate: · At the joining date · At time of internal transfers · On termination/end of the em ploym e nt. INFORMATION SECURITY Procedural EDUCATION AND TRAINING A.57. Whether all employees of the organization and third party users (where relevant) receive appropriate Information Security training and regular updates in organisational policies and procedures. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.58. Is the IT Security Management Team involved in the planning and delivery of IT training? DATA PROTECTION AND Serious PRIVACY OF PERSONAL INFORMATION A.59. Whether there is a management structure and control in place to protect data and privacy of personal information. IDENTIFICATION OF Serious APPLICABLE LEGISLATION A.60. Whether all relevant statutory, regulatory and contractual requirements were explicitly defined and documented for each information system. INTELLECTUAL PROPERTY Very RIGHTS Serious A.61. Whether there exist any procedures to ensure compliance with legal restrictions on use of material in respect of which there may be intellectual property (IPR) rights such as copyright, design rights, trade marks. A.62. Whether the procedures are well implemented. A.63. Whether proprietary software products are supplied under a licence agreement that limits the use of the products to specified machines. The only exception might be for making own back- up copies of the software. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments SAFEGUARDING OF Very ORGANISATIONAL RECORDS Serious A.64. Whether important records of the organisation are protected from loss destruction and falsification. SECURING OF EQUIPMENT Very OFF-PREMISES Serious A.65. Whether any equipment usage outside an organisation's premises for information processing has to be authorized by the management.. A.66. Whether the security provided for these equipments while outside the premises is at par with or more than the security provided inside the premises. SEGREGATION OF DUTIES Very Serious A.67. Whether duties and areas of responsibility are separated in order to reduce opportunities for unauthorized modification or misuse of information or services. This should include. Distinction between IT and Business Development and Production. SEPARATION OF Very DEVELOPMENT AND Serious OPERATIONAL FACILITIES Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.68. Whether the development and testing facilities are isolated from operational facilities. For example, development software should run on a computer different from the computer with production software. Where necessary development and production network should be separated from each other. NETWORK CONTROLS Very Serious A.69. Whether effective operational controls such as separate network and system administration facilities were established where necessary. A.70. Whether responsibilities and procedures for management of remote equipment, including equipment in user areas are established. A.71. Whether there exist any special controls to safeguard confidentiality and integrity of data processing over the public network and to protect the connected systems. A.72. Whether access attempts via telnet, ftp are logged and reviewed. IDENTIFICATION OF RISKS Very FROM THIRD PARTY Serious A.73. Whether risks from third party access are identified and appropriate security controls implemented. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.74. Whether security risks with third party contractors working onsite are identified and appropriate controls are implemented. SECURITY REQUIREMENTS Very IN THIRD PARTY CONTRACTS Serious A.75. Whether there is a formal contract containing, or referring to, all the security requirements to ensure compliance with the organization's security policies and standards. WORKING IN SECURE AREAS Very Serious A.76. Whether there exists any security control for third parties or for personnel working in secure area. PREVENTION OF MISUSE OF Very INFORMATION PROCESSING Serious A.77. Whether use of information processing facilities for any non- business or unauthorised purpose, without management approval is treated as improper use of the facility. A.78. Whether at the log-on a warning message is presented on the computer screen indicating that the system facility being entered is private and that unauthorised access is not permitted. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments REGULATION OF Procedural CRYPTOGRAPHIC CONTROLS A.79. Whether the cryptographic controls are used in compliance with all relevant agreements, laws, and regulations. ACCEPTABLE USE OF Very ASSETS Serious A.80. Whether regulations for acceptable use of information and assets associated with an information processing facility were identified, documented and implemented. The auditor is required to understand the policies with respect to use of Information Assets and controls available to prevent their misuse. MANAGEMENT Procedural RESPONSIBILITIES A.81. Whether the management requires employees, contractors and third party users to apply security in accordance with the established policies and procedures of the organization. Manage the IT investment REVIEW AND EVALUATION Procedural Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.82. Whether the IT Security process ensures that a review takes place in response to any changes affecting the basis of the original assessment, for example: significant security incidents, new vulnerabilities or changes to organisational or technical infrastructure. LEARNING FROM INCIDENTS Procedural A.83. Whether there are mechanisms in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored. REPORTING SECURITY Procedural INCIDENTS A.84. Are steps taken to ensure that anything unusual in the log files gets reported? A.85. Are the users regularly advised of the requirement to inform the administrator at once in case of irregularities? Communicate management aims and direction PUBLICLY AVAILABLE Procedural SYSTEMS A.86. Whether there is any formal authorisation process in place for the information to be made publicly available. Such as approval from Change Control which includes Business, Application owner etc., Auditor may also evaluate the control to disclose NAV on the website. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.87. Whether there are any controls in place to protect the integrity of such information publicly available from any unauthorised access. The auditor may obtain VA and PT reports of the website and other web applications where investment related data is hosted. SECURITY REQUIREMENTS Serious IN OUTSOURCING CONTRACTS A.88. · Whether security requirements are addressed in the contract with the third party, when the organization has outsourced the management and control of all or some of its information systems, networks and/ or desktop environments. · The contract should address how the legal requirements are to be met, how the security of the organization's assets are maintained and tested, and the right of audit, physical security issues and how the availability of the services is to be maintained in the event of disaster. INFORMATION ACCESS Serious RESTRICTION Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.89. Whether access to application by various groups/ personnel within the organisation has been defined in the access control policy as per the individual business application requirement and whether it is consistent with the organisation's Information access policy. PASSWORD USE Very Serious A.90. Whether there are any guidelines in place to guide users in selecting and maintaining secure passwords. UNATTENDED USER Procedural EQUIPMENT A.91. Whether the users and contractors are made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibility to implement such protection. CLEAR DESK AND CLEAR Procedural SCREEN POLICY A.92. Whether automatic computer screen locking facility is enabled. This would lock the screen when the computer is left unattended for a period. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.93. Whether employees are advised not to leave any confidential material in the form of paper documents, media, etc., in a locked place while unattended. RETURN OF ASSETS Very Serious A.94. Whether there is a process in place that ensures all employees, contractors and third party users surrender all of the organization's assets in their possession upon termination of their employment, contract or agreement. MANAGEMENT COMMITMENT Serious TO INFORMATION SECURITY A.95. Whether management demonstrates active support for security measures within the organization. This can be done via clear direction, demonstrated commitment, explicit assignment and acknowledgement of information security responsibilities. ROLES AND Procedural RESPONSIBILITIES A.96. · Whether employee security roles and responsibilities, contractors and third party users were defined and documented in accordance with the organization's information security policy. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments · Were the roles and responsibilities defined and clearly communicated to job candidates during the pre- employment process Manage IT human resources USER DELETION Very Serious A.97. Is there a well defined process for revoking user rights on termination of employment? A.98. Is the IS Team promptly informed of the termination of service by a staff member? A.99. Are there any former staff members who still hold previously issued passes or user ID? A.100. Is it ensured that all entry and access rights of a staff member whose services have been terminated are revoked and deleted, and is the process adequate? A.101. When the contractual relationship with outside staff is terminated, are all access authorisations revoked or deleted? TERMINATION Very RESPONSIBILITIES Serious A.102. Whether responsibilities for performing employment termination, or change of employment, are clearly defined and assigned. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments Manage quality EXTERNAL FACILITIES Serious MANAGEMENT A.103. Whether any of the Information processing facility is managed by external company or contractor (third party). A.104. Whether the risks associated with such management were identified in advance, discussed with the third party, and appropriate controls were incorporated into the contract. OUTSOURCED SOFTWARE Serious DEVELOPMENT A.105. · Whether the outsourced software development is supervised and monitored by the organization. · Whether points such as: Licensing arrangements, escrow arrangements, contractual requirement for quality assurance, testing before installation to detect Trojan code etc., are considered. Manage Projects EMERGENCY PROCEDURES Serious A.106. Is there an authorized person to determine the existence of an emergency? A.107. Is there an Emergency Procedure Manual? Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.108. Is a description of the emergency organisation available? A.109. Is consideration given to all possible emergencies? A.110. Are all persons and organisational units stated in the Manual aware of the emergency organization? A.111. Has configuration back-up been produced for every employed computer type and/or every employed operating system and easily accessible in case of emergency? A.112. Is a startup disk available for each configuration PC which can be used to boot the system in the event of a boot failure? NETWORK PERFORMANCE Procedural MEASUREMENT A.113. Are performance measurements and traffic-flow analyses conducted regularly? Is it within the SLA agreed to with the vendor? A.114. Has a security analysis of the network environment been conducted? SENSITIVE SYSTEM Procedural ISOLATION Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.115. Whether sensitive systems are provided with isolated computing environment such as running on a dedicated computer, sharing resources only with trusted application systems, etc. ALTERNATE PROCESSING Procedural A.116. Is there a specification of internal and external alternatives? A.117. Are these available and effective? A.118. Are the configuration, capacity and compatibility of internal and external alternatives being adapted to the current status of procedures? A.119. Are the integrity and confidentiality of IT application and data moved to external resources ensured in the case of recourse to external alternatives? A.120. Are there any contingency plans for failure of individual assets? A.121. Are there contingency plans in case of breakdown of data transmission? A.122. Has the data transmission capacity required for the use of alternative resources been adequately assessed? A.123. Are there any alternative solutions for important communication links? Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments A.124. Is there a provision of redundant communication lines? A.125. Is there a sufficient redundant arrangement for network components? A.126. Is there any point of failure in the current infrastructure? B Implement IT Plan Acquire and maintain application software OPERATIONAL CHANGE Very CONTROL Serious B.1 Whether all programs running on production systems are subject to strict change control i.e., whether any change to be made to those production programs needs to go through the change control authorisation. B.2 Whether audit logs are maintained for any change made to the production programs. AUDIT LOGGING Procedural B.3 · Whether audit logs recording user activities, exceptions, and information security events are produced and kept for an agreed period to assist in future investigations and access control monitoring. · Whether appropriate Privacy protection measures are considered in Audit log maintenance Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments FAULT LOGGING Procedural B.4 · Whether faults are logged analysed and appropriate action taken. · Whether level of logging required for individual system are determined by a risk assessment, taking performance degradation into account. APPLICATION ACCEPTANCE Procedural CRITERIA AND TESTS B.5 INPUT DATA VALIDATION · Whether data input to application system is validated to ensure that it is correct and appropriate. · Whether the controls such as: Different types of inputs to check for error messages, Procedures for responding to validation errors, defining responsibilities of all personnel involved in data input process etc., are considered. B.6 CONTROL OF INTERNAL PROCESSING · Whether validation checks are incorporated into applications to detect any corruption of information through processing errors or deliberate acts. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments · Whether the design and implementation of applications ensure that the risks of processing failures leading to a loss of integrity are minimized. · Auditor needs to review the tests performed on the application at the time of acquisition and during any change B.7 MESSAGE INTEGRITY · Whether requirements for ensuring and protecting message integrity in applications are identified, and appropriate controls identified and implemented. · Whether a security risk assessment was carried out to determine if message integrity is required, and to identify the most appropriate method of implementation. B.8 OUTPUT DATA VALIDATION Whether the data output of application system is validated to ensure that the processing of stored information is correct and appropriate to circumstances. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments B.9 ACCESS CONTROL TO PROGRAM SOURCE CODE Whether strict controls are in place to restrict access to program source libraries. (This is to avoid the potential for unauthorized, unintentional changes.) B.10 RESTRICTION ON CHANGES TO SOFTWARE PACKAGES Whether modifications to software package is discouraged and/ or limited to necessary changes. Whether all changes are strictly controlled Acquire and maintain technology infrastructure EQUIPMENT MAINTENANCE Procedural B.11 Whether the equipment is maintained as per the supplier's recommended service intervals and specifications. B.12 Whether the maintenance is carried out only by authorized personnel. B.13 Whether appropriate controls are implemented while sending equipment off premises. B.14 If the equipment is covered by insurance, whether the insurance requirements are satisfied. LAPTOPS Procedural Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments B.15 Are laptop users instructed as regards safe keeping of their computers during mobile use? B.16 Is there use of an encryption product for laptop PCs? AUTOMATIC TERMINAL Procedural IDENTIFICATION B.17 Whether automatic terminal identification mechanism is used to authenticate connections. PLANNING OF A WINDOWS `OS' NETWORK B.18 Is there any documentation indicating which directories on which computers have been shared for network access? CONFIGURATION OF `OS' Procedural SERVERS B.19 Is there a document detailing the settings of various parameters in the OS Server? B.20 Are these settings adhered to? B.21 Is protection of the registry under Windows in place? B.22 Have the default passwords for local access been replaced by secure ones? PROTECTION OF SYSTEM Procedural TEST Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments B.23 Whether system test data is protected and controlled. Whether use of personal information or any sensitive information for testing operational database is shunned. Enable operation and use DOCUMENTED OPERATING Very PROCEDURES Serious B.24 Whether the Security Policy has identified any Operating procedures such as Back-up, Equipment maintenance etc. B.25 Whether such procedures are documented and used. SECURITY OF SYSTEM Very DOCUMENTATION Serious B.26 Whether the system documentation is protected from unauthorised access. B. 27 Whether the access list for the system documentation is kept to the minimum and authorized by the application owner (for use by a limited number of users.) Manage Changes USE OF SYSTEM UTILITIES Very Serious B.28 Whether system utilities that come with computer installations, but may override system and application control are tightly controlled. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments CHANGE MANAGEMENT Very Serious B.29 Whether all changes to information processing facilities and systems are controlled. B.30 Is there a written SOP covering the change control program that has been approved? TECHNICAL REVIEW OF Very APPLICATIONS AFTER Serious OPERATING SYSTEM CHANGES B.31 Whether there is process or procedure in place to review and test business critical applications for adverse impact on organizational operations or security after the change to Operating Systems. Periodically it is necessary to upgrade operating system i.e., to install service packs, patches, hot fixes etc. C Management of IT Service delivery Procedural C.1 Whether measures are taken to ensure that the security controls, service definitions and delivery levels, included in the third party service delivery agreement, are implemented, operated and maintained by a third party. Manage third party services Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments MONITORING AND REVIEW Serious OF THIRD PARTY SERVICES C.2 · Whether the services, reports and records provided by third party are regularly monitored and reviewed. · Whether audits are conducted on the above third party services, reports and records, on regular interval. MANAGING CHANGES TO Serious THIRD PARTY SERVICES C.3 · Whether changes to provision of services, including maintaining and improving existing information security policies, procedures and controls, are managed. · Does this take into account criticality of business systems, processes involved and re-assessment of risks? Manage Performance and capacity PATCH MANAGEMENT Serious C.4 Are steps taken to ensure that information about the latest patches is always available? How is the patch level status of systems verified? CAPACITY PLANNING Serious Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.5 Whether the capacity demands are monitored and projections of future capacity requirements are made. This is to ensure that adequate processing power and storage are available. Example: Monitoring Hard disk space, RAM, CPU on critical servers. Ensure continuous service BUSINESS CONTINUITY Very PLANNING FRAMEWORK Serious C.6 Whether there is a single framework of Business continuity plan. C.7 Whether this framework is maintained to ensure that all plans are consistent and identify priorities for testing and maintenance. C.8 Whether this identifies conditions for activation and individuals responsible for executing each component of the plan. WRITING AND Very IMPLEMENTING CONTINUITY Serious PLAN C.9 Whether plans were developed to restore business operations within the required time frame following an interruption in or failure of business process. C.10 Whether the plan is regularly tested and updated. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.11 Review the written BCP / DRP (s) and verify whether the BCP / DRP(s): · Address(es) the recovery of each business unit/department/ function, · According to its priority ranking in the Risk Assessment; and · Considering interdependencies among systems. C.12 Whether it take(s) into account: · Personnel; · Facilities; · Technology (hardware, software, operational equipment); · Telecommunications/networks; · Vendors; · Utilities; · Documentation (data and records); · Law enforcement; · Security; · Media; and · Shareholders C.13 Whether it include(s) emergency preparedness and crisis management aspects: · Has an accurate employee/ manager contact tree; Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments · Clearly defines responsibilities and decision- making authorities for designated teams and/or staff members, including those who have authority to declare a disaster; · Explains actions to be taken in specific emergency situations; · Defines the conditions under which the back-up site would be used; · Has procedures in place for notifying the back-up site; · Designates a public relations spokesperson; and · Identifies sources of needed office space and equipment and list of key vendors (hardware/ software/ communications, etc.) C.14 Whether the BCP / DRP establishes processing priorities to be followed in the event not all applications can be processed. C.15 Whether adequate procedures are in place to ensure the BCP / DRP (s) is (are) maintained in a current fashion and updated regularly. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.16 Whether a senior manager has been assigned responsibility to oversee the development, implementation, testing, and maintenance of the BCP / DRP. C.17 Whether the board reviews and approves the written BCP / DRP(s) and testing results at least annually and documents these reviews in the board minutes. C.18 Whether senior management periodically reviews and prioritizes each business unit, business process, department, and subsidiary for its critical importance and recovery prioritization. If so, determine how often reviews are conducted. C.19 If applicable, determine whether the senior management has evaluated the adequacy of the BCP/DRPs for its service providers, and ensured the organization's BCP/DRP is compatible with those service provider plans, commensurate with adequate recovery priorities. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments BUSINESS IMPACT ANALYSIS Very Serious C.20 Are all functions and departments included in the BIA? C.21 Review the BIA to determine whether the identification and prioritization of business functions are adequate. C.22 Does the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, and the cost and recovery time objectives associated with downtime? C.23 Review the risk assessment and determine if it includes scenarios and probability of occurrence of disruptions of information services, technology, personnel, facilities, and service providers from internal and external sources, including: · Natural events such as fires, floods, and severe weather; · Technical events such as communication failure, power outages, and equipment and software failure; and · Malicious activity including network security attacks, fraud, and terrorism. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.24 Whether the risk assessment and BIA have been reviewed and approved by senior management and the board. C.25 Are reputation, operational, compliance, and other risks considered in plan(s). RISK MITIGATION Procedur STRATEGIES al C.26 Whether adequate risk mitigation strategies have been considered for: · Alternate locations and capacity for: · Data centers and computer operations; · Back-room operations; · Work locations for business functions; and · Telecommunications. C.27 Is there a policy for Back-up of: · Data; · Operating systems; · Applications; · Utility programs; and · Telecommunications? Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.28 Is there a policy for Off-site storage of: · Back-up media; · Supplies; and · Documentation, e.g., BCP(s), DRP, operating and other procedures, inventory listings, etc? C.29 Is there a provision for Alternate power supplies such as Uninterruptible power supplies (UPS); and Back-up generators. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.30 Whether there are procedures for, · Duplicates of the operating systems are available both on- and off-site. · Duplicates of the production programs are available both on- and off-site, including both source (if applicable) and object versions. · All programming and system software changes are included in the back up. · Back-up media is stored off- site in a place from which it can be retrieved quickly at any time. · Frequency and number of back-up generations is adequate in view of the volume of transactions being processed and the frequency of system updates. · Duplicates of transaction files are maintained on- and off-site. · Data file back-ups are taken off-site in a timely manner and not brought back until a more current back-up is off- site. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.31 Review the written IT continuity plan(s) and determine whether the plan(s) addresses the back- up of the systems and programming function (if applicable), including, Back-up of programming tools and software; and Off-site copies of program and system documentation. C.32 Does the plan deal with how backlogged transactions and other activity will be brought current. C.33 Whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered to storage, stored, retrieved and loaded, and destroyed. C.34 Do appropriate policies, standards, and processes address business continuity planning issues including: · Systems Development Life Cycle, including project management; · The change control process; · Data synchronization, back up, and recovery; Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments · Employee training and communication planning; · Insurance; and · Government and community coordination? C.35 Whether personnel are adequately trained as to their specific responsibilities under the plan(s) and whether emergency procedures are posted in prominent locations throughout the facility. C.36 Does the continuity strategy include alternatives for interdependent components and stakeholders, including: · Utilities; · Telecommunications; · Third-party technology providers; · Key suppliers/business partners; and · Customers/members? C.37 · Are there adequate processes in place to ensure the plan(s) are maintained to remain accurate and current? · Designated personnel are responsible for maintaining changes in processes, personnel, and environment(s)? Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments · The board of directors reviews and approves the plan(s) annually and after significant changes and updates? · Process includes notification and distribution of revised plans to personnel and recovery locations? DISASTER RECOVERY SITE / Very ALTERNATE PROCESSING Serious SITE C.38 Does the Insurer have a clear Off-site Back-up of Data in a City falling under a different Seismic Zone, either on its own or through a Service Provider? C.39 Does the Insurer have, in addition to above, the necessary infrastructure for Mission Critical Systems to address at least the following: · Calculation of daily NAV (Fund wise) Redemption processing? C.40 · Whether satisfactory consideration has been given to geographic diversity for: · Alternate processing locations; Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments · Alternate locations for business processes and functions; and · Off-site storage. C.41 Are there arrangements for alternative processing capability in the event any specific hardware, the data center, or any portion of the network becomes disabled or inaccessible, and determine if those arrangements are in writing? C.42 If the organization is relying on in-house systems at separate physical locations for recovery, whether the equipment is capable of independently processing all critical applications. C.43 · If the organization is relying on outside facilities for recovery, whether the recovery site, · Has the ability to process the required volume; · Provides sufficient processing time for the anticipated workload based on emergency priorities; and, Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments · Allows the organization to use the facility until it achieves a full recovery from the disaster and resumes activity at the organization's own facilities. C.44 Review the contract between applicable parties, such as recovery vendors if any. Determine if the terms and conditions of the contract relate to the BCP/DRP C.45 Whether the organization ensures that when any changes (e.g. hardware or software upgrades or modifications) in the production environment occur that a process is in place to make or verify a similar change in each alternate recovery location. C.46 Whether the organization is kept informed of any changes at the recovery site that might require adjustments to the organization's software or its recovery plan(s). C.47 Whether there are plans in place that address the return to normal operations and original business locations once the situation has been resolved and permanent facilities are again available. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.48 Whether adequate documentation is housed at the alternate recovery location including: · Copies of each BCP / DRP; · Copies of necessary system documentation C.49 Whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility. C.50 · Whether the methods by which personnel are granted temporary access (physical and logical) during continuity planning implementation periods are reasonable. · Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to the levels of systems, operational, data, and facilities access. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments · Review the assignment of authentication and authorization credentials to determine if they are based upon primary job responsibilities and if they also include business continuity planning responsibilities. C.51 Whether the intrusion detection and incident response plan considers resource availability, and facility and systems changes that may exist when alternate facilities are placed in use. TESTING Very Serious C.52 Whether the BCP / DRP(s) is tested periodically C.53 Whether all critical business units/departments/functions are included in the testing. C. 54 Whether the tests include: · Setting goals and objectives in advance; · Realistic conditions and activity volumes; · Use of actual back-up system and data files while maintaining off-site back-up copies for use in case of an event concurrent with the testing; Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments · Participation and review by internal audit; · A post-test analysis report and review process that includes a comparison of test results to the original goals; · Development of a corrective action plan(s) for all problems encountered; and · Board of Directors' review. C.55 Whether interdependent departments, vendors, and key market providers have been involved in testing at the same time to uncover potential conflicts and/or inconsistencies. C.56 Whether the level of testing is adequate for the size and complexity of the organization. Determine if the testing includes: · Testing the operating systems and utilities (infrastructure); · Testing of all critical applications (application level); · Data transfer between applications (integrated testing); and · Testing the complete environment and workload (stress test). Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.57 Whether testing at an alternative location includes: · Network connectivity; · Items processing and backroom operations connectivity and information; and · Other critical data feed connections/interfaces. C.58 Whether testing of the information technology infrastructure includes: · Rotation of personnel involved; and · Business unit personnel involvement. C.59 Whether management considered testing with: · Critical service providers; · Customers; · Affiliates; · Correspondent institutions; and · Payment systems and major financial market participants. C.60 When testing with the critical service providers, determine whether management considered testing, · From the institution's primary location to the TSPs' alternative location; Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments · From the institution's alternative location to the TSPs' primary location; and · From the institution's alternative location to the TSPs' alternative location. INFORMATION BACK-UP Very Serious C.61 Whether Back-up of essential business information such as production server, critical network components, configuration backup etc., were taken regularly. C.62 Whether the backup media along with the procedure to restore the backup are stored securely and well away from the actual site. C.63 Can data restoration be performed with the help of the documentation even by a person other than the one who backed up the data? C.64 Are the persons responsible for data backup and restoration sufficiently trained? C.65 Are data restoration exercises carried out periodically? C.66 Whether the backup media are regularly tested to ensure that they could be restored within the time frame allotted in the operational procedure for recovery. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments Ensure systems security MANAGEMENT INFORMATION Very SECURITY FORUM Serious C.67 Whether there is a management forum to ensure there is a clear direction and visible management support for security initiatives within the organisation. IT SECURITY GUIDELINES AND Very PROCEDURES Serious C.68 Does the organization have a detailed IT Security Guidelines and procedures manual? C.69 Is there a process of reviewing and updating these manuals at periodic intervals? ENDPOINT USAGE Very GUIDELINES Serious C.70 Have Endpoint Use Guidelines been established? C.71 How is compliance with the Endpoint Use Guidelines monitored? C.72 Does every user have a copy of these Endpoint Use Guidelines? SECURITY OF ELECTRONIC Very OFFICE SYSTEMS Serious C.73 Whether there is an acceptable use policy to address the use of Electronic office systems. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.74 Whether there are any guidelines in place to effectively control the business and security risks associated with the electronic office systems. DISABLING REMOVABLE Very DRIVES Serious C.75 Has it been ensured that floppy disk / USB drives will generally be locked and can be accessed only through authorized use? POWER SUPPLIES / UPS Very Serious C.76 Is the equipment protected from power failures by multiple feeds, through uninterruptible power supply (UPS), backup generator etc.? C.77 Are the required intervals for UPS maintenance being observed? C.78 Is the effectiveness of the UPS system being tested on a regular basis? C.79 If any failures due to the location occurred in the past, had remedial action been taken for the same? C.80 Are generators available to protect against prolonged power loss and are they in working condition? Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments GRANTING OF Very (SYSTEM/NETWORK) ACCESS Serious RIGHTS C.81 Are the issue and the retrieval of access authorizations and access-granting means documented? C.82 Is separation of functions being observed in the granting of access rights? C.83 Are users being trained in the correct handling of access- granting means? C.84 If use of access-granting means is logged, are such logs also analysed? USER PASSWORD Very MANAGEMENT Serious C.85 Is the allocation and reallocation of passwords controlled through a formal management process? C.86 Are the users asked to sign a statement to keep the password confidential? C.87 Have users been informed on how to handle passwords correctly? C.88 Is the password quality controlled? C.89 Are password changes mandatory? Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.90 Has every user been provided with a password? C.91 Are there any fixed procedures relating to the escrow of passwords? C.92 If Yes, are the escrowed passwords complete and up-to- date? C.93 Have provisions been made to ensure proper handling of escrowed passwords? C.94 Is the system of password changes controlled on the basis of updating entries for escrowed passwords? PASSWORD USE Very Serious C.95 Are there any guidelines in place to guide users in selecting and maintaining secure passwords? POLICY ON USE OF NETWORK Very SERVICES Serious C.96 Does a policy exist that does address concerns relating to networks and network services such as: Parts of network to be accessed, Authorisation services to determine who is allowed to do what, Procedures to protect the access to network connections and network services? Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.97 Are users provided with standard configuration of work stations? If not, are deviations authorized and documented? TERMINAL LOGON Very PROCEDURES Serious C.98 Has it been ensured that access to information system is attainable only via a secure log- on process? C.99 Are machines configured to boot from hard drives? C.100 Is there a BIOS password set for PC to disable users from booting through CD drives? C.101 Is the number of unsuccessful log-in attempts restricted? C.102 Whether After each unsuccessful log-in attempt, the waiting time until the next log-in prompt increases. C.103 Are unsuccessful log-in attempts reported to the user? C.104 Is access to the console protected by passwords or other means? USER IDENTIFICATION AND Very AUTHORISATION Serious Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.105 Whether unique identifier is provided to every user such as operators, system administrators and all other staff including technical. C.106 Whether the generic user accounts are supplied under exceptional circumstances only where there is a clear business benefit. Additional controls may be necessary to maintain accountability. C.107 Whether the authentication method used does substantiate the claimed identity of the user. Commonly used method: Password that only the user knows. PASSWORD MANAGEMENT Very SYSTEM Serious C.108 Whether there exists a password management system that enforces various password controls such as individual password for accountability, enforcing password changes, storing passwords in encrypted form, not displaying passwords on screen etc. TERMINAL TIMEOUT Very Serious Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.109 Whether Inactive terminal in public areas are configured to clear the screen or shut down automatically after a defined period of inactivity. LIMITATION OF CONNECTION Very TIME Serious C.110 Whether there exists any restriction on connection time for high-risk applications. This type of set up should be considered for sensitive applications for which the terminals are installed in high-risk locations. USER REGISTRATION Very Serious C.111 Whether there is any formal user registration and deregistration procedure for granting access to multi-user information systems and services. The creation of a user account must be approved by the business owner of the application in question or their nominee. C.112 Are there standard rights profiles for different functions or tasks? PRIVILEGE MANAGEMENT Very Serious Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.113 Whether the allocation and use of any privileges in multi-user information system environment is restricted and controlled i.e., privileges are allocated on need- to-use basis; privileges are allocated only after formal authorisation process. C.114 Are there any organisational procedures governing the designation of users or user groups? C.115 Is there any program for the configuration of users or user groups? C.116 Are there records of the authorized users and groups and their authorisation profiles? REVIEW OF USER ACCESS Very RIGHTS Serious C.117 Whether there exists a process to review user access rights at regular intervals. Example: Special privilege review every 3 months, normal privileges every 6 months. INFORMATION ACCESS Very RESTRICTION Serious Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.118 Whether access to application by various groups/ personnel within the organisation has been defined in the access control policy as per the individual business application requirement and whether it is consistent with the organisation's Information access policy. MONITORING SYSTEM USE Very Serious C.119 Whether procedures are set up for monitoring the use of information processing facility. The procedure should ensure that the users are performing only the activities that are explicitly authorized. C.120 Whether the results of the monitoring activities are reviewed regularly. UNAUTHORISED SOFTWARE Very Serious C.121 Has a procedure for the authorisation and registration of software been laid down? C.122 Has the ban on use of non- approved software been put in writing? C.123 Have all staff members been informed of the ban? Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.124 What possibilities happen to be there for installation or use of unauthorised software? C.125 Are checks carried out periodically on the software inventory? ADMINISTRATOR FUNCTIONS Very Serious C.126 To which persons is the supervisor password known? C.127 Have administrator roles been divided up? C.128 Are the authorisations assigned by the administrator randomly checked? C.129 How frequently are logins and logouts using administrator ID checked? EVENT LOGGING Very Serious C.130 Whether audit logs recording exceptions and other security relevant events are produced and kept for an agreed period to assist in future investigations and access control monitoring. REPORTING SECURITY Very WEAKNESSES Serious C.131 Whether a formal reporting procedure or guideline exists for users, to report security weakness in, or threats to, systems or services. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.132 Are staff members informed in a suitable form of IT security incidents which have occurred either within the organisation or which have become public knowledge, and are they told how to avoid them? DISCIPLINARY PROCESS Very Serious C.133 Whether there is a formal disciplinary process in place for employees who have violated organisational security policies and procedures. Such a process can act as a deterrent to employees who might otherwise be inclined to disregard security procedures. EQUIPMENT SITING Very PROTECTION Serious C.134 Whether critical equipment is located in appropriate place to minimize unnecessary access into work areas. C.135 Whether the items requiring special protection were isolated to reduce the general level of protection required. C.136 Whether controls were adopted to minimize risk from potential threats such as theft, fire, explosives, smoke, water, dust, vibration, chemical effects, electrical supply interfaces, electromagnetic radiation, flood. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.137 Whether there is a policy towards eating, drinking and smoking in proximity to information processing services. C.138 Whether environmental conditions, which would adversely affect the information processing facilities, are monitored. C.139 Verify that heating, ventilation and air-conditioning systems maintain constant temperatures within the data center. C.140 Verify that ground earthing exists to protect the computer systems. Ensure that power is conditioned to prevent data loss. C.141 Is the Server Room designed as a closed secure area? CABLING SECURITY Procedural C.142 Whether the power and telecommunications cable carrying data or supporting information services are protected from interception or damage. C.143 Whether there are any additional security controls in place for sensitive or critical information. SECURITY OF NETWORK Very SERVICES Serious Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.144 Whether the organisation, using public or private network service does ensure that a clear description of security attributes of all services used is provided. C.145 Are all Internet connections routed through a Firewall? Does a dedicated team manage the Firewall? Are the ports opened only on a "need to have" basis? C.146 Is there an Intruder Detection System (IDS) implemented? C.147 Are the application and database servers kept separated from the web server in the de-militarized zone? C.148 Is the de-militarized zone separated from the Internet cloud by means of a Firewall? C.149 If the de-militarized zone is connected to the Intranet, is it separated by a Firewall? C.150 Is the Firewall rule base treated as a sensitive information and is knowledge of the same restricted to only authorized officials in the IT / Computer operations department? Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.151 Is the decision to open specific firewall ports/rule base approved in accordance with IT Security Policy (IT Security Policy should list out such ports) e.g. firewalls should block unwanted ports running services such as ftp, telnet, SMTP, etc. into the de- militarized zone? CLOCK SYNCHRONISATION Procedural C.152 Whether the computer or communication device has the capability of operating a real time clock. If yes, has it been set to an agreed standard such as Universal Coordinated Time or local standard time? The correct setting of the computer clock is important to ensure the accuracy of the audit logs. UNATTENDED USER Procedural EQUIPMENT C.153 Whether the users and contractors are made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibility to implement such protection. SENSITIVE SYSTEM Procedural ISOLATION Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.154 Whether sensitive systems are provided with isolated computing environment such as running on a dedicated computer, sharing resources only with trusted application systems, etc. SECURITY OF ELECTRONIC Procedural EMAIL C.155 Whether there is a policy in place for the acceptable use of electronic mail or does security policy address the issues with regards to use of electronic mail. C.156 Whether there are adequate procedures, which require that all the incoming e-mail messages be scanned for virus to prevent virus infection to the network C.157 Have regulations governing file transfer and exchange of messages with external parties been established? C.158 Are there formal rules based on which e-mail addresses are assigned? C.159 Are security measures such as filtering and text search in emails implemented? C.160 Is the criterion for e-mail filtering adequate? What are the procedures for changes in filtering parameters? Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.161 Have controls such as anti-virus checking, isolating potentially unsafe attachments, spam control, anti relaying etc., been put in place to reduce the risks created by electronic mail? CONTROL AGAINST Serious MALICIOUS SOFTWARE C.162 Whether there exists any control against malicious software usage. C.163 Whether the security policy does address software licensing issues such as prohibiting usage of unauthorized software. C.164 Whether there exists any Procedure to verify that all warning bulletins are accurate and informative with regards to the malicious software usage. C.165 Whether Antivirus software is installed on the computers to check and isolate or remove any viruses from computer and media. C.166 Whether this software signature is updated on a regular basis to check any latest viruses. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.167 Whether all the traffic originating from un-trusted network into the organisation is checked for viruses. Example: Checking for viruses on email, email attachments and on the web, FTP traffic. C.168 Are periodic runs of a virus detection program configured? C.169 Are there occasional checks as to whether updates have been performed? Have the results been documented? C.170 Use of a virus scanning program when exchanging of data media and data transmission Is Anti Virus auto enabled to check CDs and floppies? C.171 Are received files and data media checked for virus infection before being imported? REMOTE DIAGNOSTIC PORT Procedural PROTECTION C.172 Whether accesses to diagnostic ports are securely controlled i.e., protected by a security mechanism. SEGREGATION IN NETWORKS Very Serious Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.173 Whether the network (where business partner's and/ or third parties need access to information system) is segregated using perimeter security mechanisms such as firewalls. NETWORK CONNECTION Very PROTOCOLS Serious C.174 Whether there exists any network connection control for shared networks that extend beyond the organisational boundaries. Example: electronic mail, web access, file transfers, etc., NETWORK ROUTING Procedural CONTROL C.175 Are changes to network configuration documented? C.176 Is the system administrator the only person who is able to change the configuration C.177 Is the system administrator the only person who is able to read the network log files SECURITY OF MEDIA IN Procedural TRANSIT C.178 Whether security of media while in transit has been taken into account. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.179 Whether the media is well protected from unauthorised access, misuse or corruption. ELECTRONIC COMMERCE Procedural SECURITY C.180 Whether Electronic commerce is well protected and controls implemented to protect against fraudulent activity, contract dispute and disclosure or modification of information. C.181 Whether Security controls such as Authentication, Authorisation are considered in the E- Commerce environment. C.182 Whether electronic commerce arrangements between trading partners include a documented agreement, which commits both parties to the agreed terms of trading, including details of security issues. USER AUTHENTICATION FOR Procedural EXTERNAL CONNECTIONS C.183 Whether there exists any authentication mechanism for challenging external connections. Examples: Cryptography based technique, hardware tokens, software tokens, challenge/ response protocol etc., Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments FIRE DETECTION AND Serious PREVENTION CONTROLS C.184 Are Fire detection measures adequate such as fire alarms available? C.185 Has staff been informed of the location of hand-held fire extinguishers? C.186 Can the hand-held fire extinguishers actually be accessed in case of a fire? C.187 Is training provided for the use of hand-held fire extinguishers? C.188 Are hand-held fire extinguishers regularly inspected and maintained? C.189 Is the fire alarm system checked periodically to ensure that it is working properly? C.190 Has all the staff been informed of the steps to be taken in the event that an alarm goes off? C.191 Is there an adequate number of fire extinguishers (generally one for every 50 sqft of area)? C.192 · Is a fire suppression system in place consisting of Fire extinguishers and Sprinklers? · Are they in working order and being monitored? Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments Manage the configuration CONTROL OF TECHNICAL VULNERABILITIES C.193 · Whether timely information about technical vulnerabilities of information systems being used is obtained. · Whether the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to mitigate the associated risk. SAFEGUARDING OF Very ORGANISATIONAL RECORDS Serious C.194 Whether important records of the organisation are protected from loss destruction and falsification. DISPOSAL OF MEDIA Very Serious C.195 Whether the media that are no longer required are disposed off securely and safely. C.196 Whether disposal of sensitive items is logged where necessary in order to maintain an audit trail. SECURE DISPOSAL OR RE- Very USE OF EQUIPMENT Serious Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.197 Whether storage device containing sensitive information is physically destroyed or securely over- written. INFORMATION HANDLING Procedural PROCEDURES C.198 Whether there exists a procedure for handling the storage of information. Does this procedure address issues such as information protection from unauthorised disclosure or misuse? DATA MANAGEMENT Procedural C.199 Are the persons responsible for the exchange of data media familiar with the process of physical erasure? MANAGEMENT OF Procedural REMOVABLE MEDIA C.200 · Whether procedures exist for management of removable media, such as tapes, disks, cassettes, memory cards, and reports. · Whether all procedures and authorization levels are clearly defined and documented. BUSINESS INFORMATION Procedural SYSTEMS Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.201 Whether policies and procedures have been developed and enforced to protect information associated with the interconnection of business information systems. Manage the physical environment PHYSICAL SECURITY Serious PERIMETER C.202 · Are physical border security facilities implemented adequate to protect the Information processing service? Some examples of such security facilities are: card control for entry gate, walls, manned reception etc.? · Are visitors required to record their entry inside the premises in a separate register? · Are details of their possessions recorded and verified at the time of their exit from the premises · Are cameras disallowed inside the premises? Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.203 · Does Data Center exterior Lighting, building orientation provide a secure environment? · Data Centers should be anonymous. Ensure that there is no signage or listings in directories? SECURING OFFICES, ROOMS Serious AND FACILITIES C.204 Whether the rooms, which have the Information processing service, are: · locked · have lockable cabinets · safes. C.205 Whether the Information processing service is protected from natural and man-made disaster such as raised floors, good exterior walls /or other suitable acceptable infrastructure C.206 Whether there is any potential threat from neighboring premises. C.207 Ensure that water alarm system is configured to detect water in high risk areas of the data center C.208 Ensure that burglar alarm is protecting the data center from physical intrusion. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments C.209 Are there adequate controls over modems and other dial up devices for employees and visitors (data cards, etc)? C.210 Ensure that surveillance systems (CCTV) are designed and operating properly? PHYSICAL ENTRY CONTROLS Serious C.211 Are entry controls in place to allow only authorised personnel into various areas within organisation? C.212 Is there a practice of Supervising or escorting outside staff/visitors? REMOVAL OF PROPERTY Serious C.213 Whether equipment, information or software can be taken off-site without appropriate authorisation. PROTECTING AGAINST Serious EXTERNAL AND ENVIRONMENTAL THREATS C.214 Whether physical protection against damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster has been designed and applied. D Maintain IT Monitoring and Compliance Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments COMPLIANCE WITH SECURITY Serious POLICIES AND STANDARDS D.1 · Whether managers ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards. · Do managers regularly review the compliance of information processing facility within their area of responsibility for compliance with appropriate security policy and procedure? ADMINISTRATOR AND Serious OPERATOR LOGS D.2 · Whether system administrator and system operator activities are logged. · Whether the logged activities are reviewed on regular basis. TECHNICAL COMPLIANCE Serious CHECKING Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments D.3 · Whether information systems are regularly checked for compliance with security implementation standards. · Whether the technical compliance check is carried out by, or under the supervision of, competent, authorized personnel. INFORMATION SYSTEMS Serious AUDIT CONTROLS D.4 · Whether audit requirements and activities involving checks on operational systems have been carefully planned and agreed to minimise the risk of disruptions to business process. · Whether the audit requirements, scope are agreed with appropriate management. Application and logical access Very controls Serious Name of the application used for investment operations: Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments D.5 Obtain a list of valid user IDs at the location and, · Reconcile Active users to those present in the location as per attendance roles · Validate User Work Class with the designation of the users at the location · Verify if concurrent auditors have been provided with only view access · Check for user with maximum inactive time greater than 10 minutes · Check for user with password expiry date greater than 40 days from the current day. · For user ID disabled, check whether these have been done immediately after their names have been removed from the attendance register. In case any delays are noticed from the time of removal from attendance register to the actual date of disabling the user Id report the same. Are there any discrepancies in the above? Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments D.6 Are Access privileges defined for each user as per the designation? D.7 Whether the User Ids of employees who have been transferred, or have retired/ resigned are deleted from application. D.8 · Whether the application logs out the user after 5 minutes of inactivity. · Whether the system forces the user to change the initial password given by system manager. · Users acknowledge receipt of the password on the register maintained for the purpose D.9 Whether the user log-off the application whenever they leave the work place for break. D.10 · Check that all user accounts are identifiable to a user and generic user- ids, which cannot be attributed to any individual, are not allowed. · Check that all default vendor accounts shipped with the application have been disabled. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments D.11 Is the user ID temporarily suspended when the staff members are out on training/outstation assignment and the user ID will remain inactive for certain days? D.12 Whether an undertaking for maintaining secrecy and confidentiality of password has been obtained from every user and preserved. D.13 Whether super user passwords are changed immediately after those are used by support persons for rectification of problems and this usage is documented. D.14 Whether every user has only one identifiable user ID and not more than one user id has been given to any user. D.15 Whether Super user passwords (for applications hosted at the location) are confined to systems manager only and the same are kept with the location in charge in a sealed cover. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments D.16 Password Security:- · Whether the users change their password periodically. · Does the application force the user to set an alpha numeric password/ · Is the minimum length of the password set to 8 characters? · Whether password entry is disabled after three unsuccessful log-on attempts? · Whether the system forces the users to change their password after 40 days from the date of last creation / modification. · Whether password history is maintained by the application. From Transaction records, day end reports or audit trails, perform a sample check to verify if user ID has been used on any day when the user is on leave. ENFORCED PATH Procedural D.17 Whether there is any control that restricts the route between the user terminal and the designated computer services the user is authorised to access, for example, enforced path to reduce the risk. Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments NODE AUTHENTICATION Procedural D.18 Whether connections to remote computer systems that are outside organisations security management are authenticated. Node authentication can serve as an alternate means of authenticating groups of remote users where they are connected to a secure, shared computer facility. NETWORK TESTS Serious D.19 Is it ensured that products/services that use the Internet for connectivity or communications have undergone a successful penetration test prior to production implementation? D.20 Is there a penetration test process that ensures that modifications to the product/service that uses the Internet for connectivity or communication have been reviewed to determine whether a subsequent penetration test is warranted? D.21 Is there an intrusion detection system in place for all the external IP connections? ON-LINE TRANSACTIONS Serious Technical Guide S. No Audit Objective A ud itor's R isk O bserv ation C ateg o ry Y N Comments D.22 Whether information involved in online transactions is protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. Annexure D APPLICATION CONTROLS CHECKLIST Technical Guide IRDA Regulations S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation 1 Functional The Investment Overall System should have separate modules for Front, Mid and Back Office with separate login 2 Segregation (1) In the case of a of Life Insurer, (SFIN In Shareholders the case of ULIP) each & individual fund, both Policyholders falling under ' funds Shareholder / Policyholders', under any class of business, has `scrip' level investments (except in the case of General Insurance Companies) to comply with the provisions of Section 11(1B) of Insurance Act, 1938 (2) Furthermore the Shareholders funds beyond Solvency Margin, to which the pattern of Investment will not apply, shall have a separate custody account with Please check the parameterisation and configuration of the application related to these. Screen shots may be taken as evidence. Any non compliance is treated as "Very Serious". Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation identified scrip for both Life and General Insurance Companies. 3 To ensure Business continuity, the Insurer should have a clear Off-site Backup of Data in a City falling under a different Seismic Zone, either on his own or through a Service Provider. Further, the Insurer / service provider (if outsourced) is required to have the necessary infrastructure for Mission. Critical Systems to address at least the following: 1. Calculation of daily NAV (Fund wise) 2. Redemption processing 4 System based checks should be in place for investments in an Investee Company, Group, Promoter Group and Industry Sector. The system should signal when the Internal / Regulatory Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation limits are nearly reached PRIOR to taking such exposure and making actual investment. 5 Functional Transfer of data from Overall Front Office to Back Office should be electronic without Manual intervention (Real time basis) i.e., without re-entering data at Back Office. 6 Functional All Investment Overall Systems to be seamlessly integrated without manual intervention. 7 The Insurer may have multiple Data Entry Systems, but all such Systems should be seamlessly integrated without manual intervention. 8 Functional - Audit trail to be Overall available for all data entry points including at the Checker / Authorizer level 9 Functional - Maker Checker Overall process to be enforced 10 Functional - System based checks Overall to be in place for Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation investments as per Internal / Regulatory limits PRIOR to taking such exposure and making actual investment. 11 Inter-Fund transfer capability 12 Inter-Fund transfer capability - Non Switching between Traditional and Unit Linked Funds 13 Functional - The system to be Overall capable of computing various portfolio returns 14 The System should handle Inter Fund transfer as per Circular IRDA-FA-02-10-2003- 04. The Investment Committee may fix the Cut Off time as per Market practice, for such transfer within the fund. (The inter fund transfer should be like any other Market deal and the same needs to be carried out with in the Market hours only) Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation 15 Functional - System to perform Overall regular limits monitoring and Exception Reporting. Also reporting on movement of prices. 16 Functional - Cash Management Overall System should provide the funds available for Investment considering the settlement obligations and subscription and redemption of units 17 Functional - The System to be Overall validated not to accept any commitment beyond availability of funds. 18 Functional - The System to be Overall validated to restrict Short Sales at the time of placing the order 19 Functional - The Investment Overall System to capture Instrument Ratings to enable it to automatically generate FORM 2 (Statement of Downgraded Investments) through the System. 20 Functional - The Investment Overall System to capture Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation Instrument Ratings to enable it to automatically generate FORM 2 (Statement of Downgraded Investments) through the System. 21 Functional - The System to have Overall the ability to track changes in ratings over a period & generate appropriate alerts, along with ability to classify investment between Approved and Other Investments 22 Functional - Track of movement of Overall Securities between Approved and Other Investments Status, as a part of Audit trail, at individual security level 23 Functional - The System should Overall have key limits preset for ensuring compliance with all Regulatory requirements and should be supported by workflow through the System, (Real time basis) for such approval, if Regulatory Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation limit is close to be breached 24 Functional - The System to have Overall capability of generating Exception reports for Audit by Internal / Concurrent Auditor The System should have capability of generating Exception reports for Audit by Internal / Concurrent Auditor 25 Functional - System to Overall automatically track and report all internal limits breaches. All such breaches should be audited by Internal / Concurrent Auditor. 26 Functional - The system to be Overall validated in such a way, that the Deal can only be rejected by the Back Office & NOT edited 27 The System to be capable of computing NAV 28 The System should be capable of computing NAV and compare it with the NAV computed by the Service provider, if Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation outsourced. 29 The Insurer should maintain NAV history (Fund wise) in his Public Domain from the Start of the Fund to Current Date. 30 Functional - Method of computing Overall NAV should be in line with IRDA regulations 31 Methodology Every Purchase, Sale of Operating of Investment, Income Segregated on Investment Fund' (including Corporate Action) shall be identified with reference to the particular `Segregated Fund' and accounted for. 32 Methodology Every `Deal Slip' shall of Operating be identified with Segregated reference to the Fund' `segregated fund' along with `Segregated Fund Identification Number "SFIN" for such Segregated Fund and the respective `sub-code' of Custody and the respective Bank Account. 33 Units Unit Report shall be Creation / reconciled with the Investment Accounting Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation Redemption System's Creation / Redemption Report, after booking of unit capital entries 34 Units Units created on a Creation / `day-to-day' basis Redemption (including switches), shall be backed by `segregated fund wise' Investment assets. In other words, the value / amount for which Units are created for the particular day (at the prevailing NAV, at the opening of the day, of the respective fund), should be equivalent to the premium receipt (net of switches) less applicable charges and other outflows such as benefits paid, surrenders and foreclosures in excluding applicable charges of the `respective segregated fund'. 35 Security 1. Equity Investments Master Based on the inputs Creation from treasury: the investment back-office shall create Security Masters in the system (linked via NSE/BSE Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation codes) and the same shall be validated by the Mid-Office. The procedure includes documentation of supporting and supervisory sign off. 36 Security 2. Debt Investments: Master Security masters for Creation debt Instruments are prepared on the basis of Information memorandum in case of primary and secondary market deals by the Back Office. The procedure includes documentation of supporting and supervisory sign off. 37 Primary 1. Booking of Primary Market Deals Market Deals:Debt / IPO Primary Market Deals shall be booked on the date of application, and on the date of allotment the Securities will be reflected in the Investment Accounts 38 Primary 2. Booking of Equity Market Deals IPO: / IPO Equity Investments shall be accounted on Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation the date of application for IPO Issue as `Application Money' and on the date of allotment the allotted Shares shall be reflected in the Investment accounts. 39 Secondary 1. Debt DealsAll Debt Market Debt / securities as Equity Deal categorised in Authorization IRDA/GLN/001/2003- 04 Categories of Investments, as amended from time to time, shall be executed with counterparties and reported on NSE / BSE / FIMMDA reporting platform and the same shall be confirmed with counterparties. The deals shall be authorised in the investment system and the trade files / information shall be sent to custodian / other online settlement systems as recognised by any financial regulator for settlement. 40 Secondary 2. Equity Deals - STP Market Debt / (Straight Through Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation Equity Deal Process) Authorization Reconciliation: All Secondary Market equity deals shall be put through the STP module in the investment system. The dealer shall put though the deal in the investment system after concluding the transaction. The deal would then flow to the back office which would be compared with the input details and the STP file received from broker. If all details match, the transaction would be authorised in the system for settlement. 41 Secondary 2. Equity Deals - STP Market Debt / (Straight Through Equity Deal Process) Authorization Reconciliation Custodian /Broker settlement: After STP reconciliation the equity trade files ISO files shall be sent to custodian and broker houses through STP. 42 Secondary All deals shall be Market Debt / recorded on trade date Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation Equity Deal accounting basis. Authorization 43 Settlement 1. Equity (Sale) - (as Process per Exchange Compliance Norms, Currently T+2): Bank settlement (trade receivables) entries shall be passed for trades settling on current day. 44 Settlement 2. Equity (Purchase) - Process (as per Exchange Compliance Norms, Currently T+1): Bank settlement (trade payables) entries shall be passed for trades settling on current day. It may also be settled on T+2 basis, if the company had deposited margin money with the exchanges as required for equity settlement. 45 Settlement 3. Debt (purchase/ Process Sale) - (as per Exchange Compliance Norms, Currently T+1): Bank settlement (trade payables/receivables) entries shall be passed for trades settling on current day. Corporate Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation Debt deals dealt on T+0 basis shall be settled on T+0 basis. 46 Settlement 4. Money market Process transactions & Non- SLR - (as per Exchange Compliance Norms, Currently T+1): Bank settlement (trade payables/receivables) entries shall be passed for trades settling on current day. Money market transactions excluding treasury bills could also be dealt and settled on T+O basis. 47 Settlement 5. Reverse Repo Process withdrawal: Reverse Repo maturities shall be posted in bank accounts 48 Settlement 6. Brokerage Process Payments: Brokerage Payment shall be settled in Bank 49 Corporate 2. Debt: The insurer Action shall configure their Investment System for details of interest receivable and Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation redemption dates. Further, details of interest receivable and redemption can also be obtained from the custodian / other online settlement systems as recognised by any financial regulator. 50 Valuation Valuation of securities Process shall be in line with the INV/CIR/020/2008-09 Point. G Statement of Investment Reconciliation - Annexure 2. 51 Valuation The Insurer shall close Process the Investment Front Office system for transactions at 5.30 PM. The Concurrent Auditor shall confirm the compliance of this requirement in their quarterly report to the Board of Directors . 52 Charges - Fund Management Fund Charges (FMC) Management including service tax Charges shall be `accounted' for on a day-to-day basis in the investment accounting system. The actual transfer of Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation accumulated FMC shall be done at the end of the month. 53 Charges - Dealing costs including Dealing brokerage, securities costs transaction tax and service tax shall be adjusted in the cost of investments. 54 NAV The NAV of the Computation Segregated FUND shall be computed as Market Value of investment held by the fund + Value of Current Assets Value of Current Liabilities & Provisions, if any DIVIDED BY Number of Units existing on Valuation Date 55 NAV Number of units Computation derived from the investment accounting system shall be reconciled on a day to day basis with the policy admin system 56 `NAV' error All expenses and Computation incomes accrued up to & the Valuation date Compensation shall be considered for computation of NAV. For this purpose, while major expenses like Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation management fees and other periodic expenses should be accrued on a day to day basis, other minor expenses and income can be accrued on a weekly basis, provided the non-accrual does not affect the NAV calculations by more than 1%. 57 Functional - System to have Overall capability to upload Corporate Actions such as Stock Splits, Dividend, Rights Issue, Buy Back, Bonus issues etc., for computation of NAV / Portfolio valuation 58 Functional - Ability to have Overall Segregation of Shareholders & Policyholders' funds 59 Ability to maintain Fund wise 60 Functional - The Systems to have Overall the capability of providing alerts on transaction to transaction basis, its "current" level of exposure BEFORE taking further Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation exposure. 61 Functional - Investment valuation Overall methodology as per IRDA circular for different asset categories 62 Functional - Investment Category Overall Handling for different categories 63 Functional - NAV Error handling Overall 64 Functional - IRDA forms to be Overall directly generated from the system 65 Functional - Capability to compute Overall Yield on investment for quarter / yearly basis 66 Functional - NPA computation and Overall classification 67 Security Access to information Issues - system should be only Application via a secure log-on security process. controls 68 ULIP `Deal Slip' to be Business identified with reference to the `segregated fund' along with `Segregated Fund Identification Number "SFIN" for such Segregated Fund(s) and the respective `sub-code' Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation of Custodian and the respective Bank Account 69 ULIP Every Purchase, Sale Business of Investment, Income on Investment (including Corporate Action) shall be identified with reference to the particular `Segregated Fund' 70 ULIP Daily Report of Business `Subscription & Redemptions' received from the Policy Admin System (PAS) to be uploaded [without manual intervention through process integration] in the Investment Accounting System 71 ULIP Units created on a Business 'day-to-day' basis (including switches), shall be backed by 'segregated fund wise' Investment assets. In other words, the value / amount for which Units are created for the particular day (at the prevailing NAV, applicable for the day, Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation of the respective fund), should be equivalent to the premium receipt (net of switches) less applicable charges and other outflows such as benefits paid, surrenders and foreclosures in excluding applicable charges of the 'respective segregated fund'. 72 ULIP All Debt securities as Business categorized shall be executed with counterparties and reported on NSE / BSE / FIMMDA reporting platform and the same shall be confirmed with counterparties. The deals to be authorized in the investment system and the trade files / information shall be sent to custodian / other online settlement systems as recognized by any financial regulator for settlement 73 ULIP All Secondary Market Business equity deals shall be put through the STP Technical Guide S. Area or Sub IRDA R equirem ent Auditor's O bserv ation No. A rea (Extracted from its Y es- No Comments Circulars) (refer C o m plies columns 2 and 3) with the regu lation module in the investment system. 74 All Equity deals should be through STP gateway for all broker transactions. 75 ULIP The insurer to Business configure their Investment System for details of interest receivable and redemption dates. 76 ULIP Accounting of coupon Business payments, redemption/maturities for debt investments shall be automatically triggered by the system, based on the interest payment dates and maturity dates defined in the security masters created for 'each' security. 77 ULIP Investment Front Business Office system should close for transactions at 6.00 PM. 78 ULIP The Investment Trial Business Balance, in respect of each `Segregated Fund' with clear link to SFI + is generated through the system.