System Audit Report for Data Localization (SAR)

Overview

CERT-In Empanelled SAR for Data Localization & Storage of Payment System Data is a compliance mandate driven by RBI to ensure appropriate security measures and data localization controls for storage of payment related data.

Key Criteria for System Audit Report for Data Localization (SAR)

Based on the RBI & NPCI Guidelines, the following key criteria need to be covered as part of this audit.

  • Payment Data Elements
  • Transaction / Data Flow
  • Application Architecture
  • Network Diagram / Architecture
  • Data Storage
  • Transaction Processing
  • Activities subsequent to Payment Processing
  • Cross Border Transactions
  • Database Storage and Maintenance
  • Data Backup & Restoration
  • Data Security
  • Access Management

The audit must be conducted by CERT-In empanelled auditors certifying completion of the activity.


Approach for System Audit Report for Data Localization (SAR)

Based on our extensive experience with delivering SAR for Data Localization & Storage of Payment System Data, we have developed the following approach:

Phase 1 – Information Gathering & Documentation Review

A detailed questionnaire is shared with your teams, and documentation and evidence are collected on the architecture, implementation and controls in place. These documents are thoroughly reviewed by our experts to understand the implementation and flag any concerns. The questionnaire is designed with the RBI FAQs in mind.

Phase 2 – Assessment, Validation & In-Depth Control Review

As part of this phase, an in-depth analysis is carried out to validate all the documentation and cross-examine the artefacts provided. Along with this, the technical controls are assessed in line with best practices, and the data flow is analysed to identify potential risks or gaps.

Phase 3 – Remediation & Re-Validation

A comprehensive report is provided covering any areas of concern, risks or violations. Appropriate recommendations are provided along with proof-of-concept details to help your teams understand the concerns raised.

Our team works with you to carry out re-validation to ensure that you are able to close all the gaps and achieve successful compliance.

Phase 4 – CERT-In Empanelled Certification

As a CERT-In Empanelled Auditor, we document the entire activity along with relevant documentation, artefacts, findings, recommendations etc. A CERT-In Certification is issued for the System Audit Report (SAR) for Data Localization & Storage of Payment System Data.

 
