Being a Stock Exchange, the NSE views data protection and security as one of the most crucial and sensitive factors for the entire Indian securities industry. Data security is provided for both online and offline data. Online data pertains to trading, clearing and settlement, and surveillance. In a decade of operations, no order keyed in by trading members on the trading system has been lost because of the integrated transaction protection mechanism deployed. Data security is achieved throughout the trade life cycle, from the time the trading member punches in an order on his terminal until the time the trade is processed by fault-tolerant servers and stored in our off-site facilities. The data is classified into three major categories: business critical, system critical and operations critical. Trading, clearing and settlement, and surveillance data are 'Business critical'. Different security levels are used depending upon this classification.
For offline data, established procedures are in place to transfer older data into newer media so as to mitigate the risks due to deterioration of quality of older media over a period of time. With a Business Continuity Plan (BCP) in place, replication of data is carried out at more than one geographical location to ensure availability and to safeguard against any damage.
Challenges and solutions
The NSE faces not one but four challenges in maintaining data security, namely:
- Ever increasing volume of data (millions of transactions on a daily basis).
- Making the data easily available in the form and manner required by business users.
- Data retention and manageability for longer durations.
- Exponential increase in data requires upgrading the infrastructure, facilities and the media from time to time.
After trading and clearing activities, there is a short time window for data processing, which requires efficient techniques to back up the data. This is done at the central facility on automated tape libraries that use robotic arms. To ensure data availability, the NSE has been keeping pace with technology and constantly upgrading the systems and respective processes. The techniques deployed provide for better compression, security and data transfer rates. The policies put in place ensure that the data at both the primary and BCP sites are secured. Customised applications using workflow have been developed in-house for managing both the data and the media by respective teams. Data audits and validation are carried out by a separate team on a periodic basis.
Internal security and tackling breaches
Employees are governed by a 'Code of Ethics'. NSE's electronic policy covers the threats from employees. Access to servers is restricted, tracked and enabled based on need, followed by a change management procedure. Audit trails are possible for changes done on the systems. Physical level access security allows only authorised personnel to access the data center facilities. A breach of security is considered most severe. The action taken varies from immediate termination of services (of the employee) to prosecution and initiating legal action against him. Organisational electronic policy covers security and integrity breaches.
Technology and regulation
The last half-decade has completely revolutionised the industry. Regulation may be expected in future for enforcement of data security techniques. In the next five years, the use of biometric devices may be necessary for most organisations to ensure a higher level of security. Multifactor authentication techniques may also be necessary.