Description
NSE revises Terms of Reference for system audit and mandates VAPT report submission for Co-Location as a Service (CaaS) vendors to strengthen security and compliance requirements.
Summary
NSE has revised the Terms of Reference (TOR) for system audit reports and introduced mandatory Vulnerability Assessment and Penetration Testing (VAPT) report submission requirements for vendors providing Co-Location as a Service (CaaS) facility. The circular outlines comprehensive system details, security requirements, change management protocols, and traffic monitoring obligations that CaaS vendors must comply with to ensure system integrity, data confidentiality, and protection of trading member information.
Key Points
- Mandatory system audit requirements covering hardware/software reconciliation, architecture documentation, and version control
- System redundancy, fault tolerance, load balancing, and database redundancy (hot/cold standby) provisions required
- Comprehensive security requirements including physical access controls, authentication technology, and audit trails
- Change management: All hardware/software changes must be tested during mock/simulation market in coordination with NSE COLO support
- Changes during market hours restricted to emergency situations only
- Traffic monitoring: CaaS vendors must monitor traffic from their infrastructure and prevent spurious/unwanted traffic to Exchange
- Trading member data must be maintained confidentially without third-party access, separately for each member
- 24x7 call center/help desk facilities mandatory for clients
- Alternate communication channels with OTP authentication required for disaster scenarios
Regulatory Changes
- Updated Terms of Reference (TOR) for system audit as per Annexure A
- Introduction of mandatory VAPT report submission requirement for CaaS vendors
- Reference to previous NSE circulars NSE/MSD/59764 dated December 14, 2023 and NSE/MSD/60456 dated January 30, 2024, against which change management and traffic monitoring compliance is to be verified
- Enhanced security requirements as per Annexure 1 of circular NSE/MSD/37707
- Stricter change management protocols requiring NSE coordination and testing during mock/simulation markets
Compliance Requirements
For CaaS Vendors:
- Conduct periodic reconciliation audits for all hardware and software assets
- Maintain detailed System Architecture, Application Architecture, and Network diagrams with periodic review and version control
- Implement system redundancy, fault tolerance, load balancing, and database redundancy
- Provide system capacity monitoring and scalability provisions
- Establish backup systems and data storage provisions
- Document contingency planning for technical failures and capacity planning
- Ensure trading member data confidentiality with separate, independent maintenance for each member
- Provide alternate communication channels with OTP authentication capability
- Operate 24x7 call center/help desk facilities
- Test all new hardware/software additions/changes during mock or simulation market in coordination with NSE COLO support
- Inform NSE before conducting any tests
- Monitor traffic originating from IT infrastructure and implement controls to prevent spurious/unwanted traffic
- Restrict physical access to critical systems to authorized officials only
- Supervise outsourced staff/visitor access with accompaniment by authorized employees
- Implement access control monitoring and audit trails for all staff access
- Provide second user reconfirmation for critical functions
For System Auditors:
- Verify test results including NSE communication, testing scenarios, system performance parameters, and testing results
- Verify compliance with NSE circulars NSE/MSD/59764 and NSE/MSD/60456
- Verify traffic monitoring controls and compliance
- Audit security requirements as per Annexure 1 of circular NSE/MSD/37707
Important Dates
No specific deadlines are mentioned in the provided content. Implementation appears to be immediate upon circular issuance on November 4, 2025.
Impact Assessment
High Impact on CaaS Vendors:
- Significant compliance burden with comprehensive system audit and VAPT reporting requirements
- Operational impact requiring coordination with NSE for all system changes and testing
- Investment required in infrastructure for redundancy, monitoring, security controls, and 24x7 support facilities
- Restriction on changes during market hours may affect operational flexibility
- Enhanced security and access control measures require process and technology upgrades
Positive Impact on Trading Members:
- Improved data security and confidentiality protections
- Enhanced system reliability through redundancy and fault tolerance requirements
- Better disaster recovery capabilities with alternate communication channels
- 24x7 support availability
Market Integrity Impact:
- Strengthened infrastructure security reduces systemic risks
- Traffic monitoring controls prevent potential market disruptions from spurious traffic
- Change management protocols ensure tested, stable systems during trading hours
- Overall enhancement of co-location facility reliability and security posture
Impact Justification
Critical security and compliance requirements for CaaS vendors operating co-location facilities at NSE, affecting system integrity and the protection of trading member data.