System Audit Report for Data Localization (SAR Audit)

Overview

CERT-In Empanelled System Audit Report (SAR Audit) for Data Localization & Storage of Payment System Data is a compliance mandate driven by RBI, NPCI among others.
Get CERT-In Certified!

The System Audit Report for Data Localization (SAR Audit) & Storage of Payment System Data is a compliance mandate driven by RBI & NPCI to ensure appropriate security measures and data localization controls for storage of payment related data.

At its core, it’s about storing and processing data within the geographical borders of a particular country, a requirement that’s gaining momentum across various regulatory and compliance mandates.

Key Criteria for System Audit Report for Data Localization (SAR Audit)

Based on the RBI Cyber Security Compliance & NPCI Cyber Security Guidelines, the following key criteria need to be covered as part of this audit.

  • Payment Data Elements
  • Transaction / Data Flow
  • Application Architecture
  • Network Diagram / Architecture
  • Data Storage
  • Transaction Processing
  • Activities subsequent to Payment Processing
  • Cross Border Transactions
  • Database Storage and Maintenance
  • Data Backup & Restoration
  • Data Security
  • Access Management

The audit should must be conducted by CERT-IN empanelled security auditors certifying completion of activity

Sample Checklists & Data Trackers

SAR Data Localization Payment Data Elements

SAR Data Localization Payment Data Elements

SAR Data Localization Payment Data Elements

SAR Data Localization Checklist

SAR Data Localization Checklist

SAR Data Localization Checklist

Speak To Our Experts


First Name*

Last Name*

Work Email*

Company*

Mobile*

Client Speak

Indus Valley Partners
Nishith Desai Associates
Perficient
Netmagic
L & T Realty
WorkApps
FBB
Au Small Finance Bank
ICICI Bank
Juby P - Botree Software
{In an age where cyber threats constantly evolve, having a trusted ally like Security Brigade is essential. The Security Brigade team consistently delivered well-structured reports that spotlighted critical vulnerabilities and potential security weaknesses. These reports were accompanied by actionable recommendations, allowing our teams to prioritize and rectify issues efficiently. Professionalism, responsive, and depth of expertise well appreciated, and we are happy to have engaged Security Brigade as our VAPT provider.
Juby Pappachan
Senior Manager - InfoSec, Botree Software
Gobinda Chandra Patra - ISIT Consultants
{We started working with Security Brigade as a cost effective solution for doing VAPT for applications and networks for our customers. But we have developed a great partnership with Security Brigade over the last 6+ years. They treat our customers as their own customers and provide solutions and do the activities as per agreed terms and sometimes even they don’t mind going beyond and deliver to customer. We will be happy to continue working with them and refer others as well.
Gobinda Chandra Patra
CEO and Co-Founder, ISIT Consultants
Peter Theobald Author Of Cybersecurity Demystified
{I have been using Security Brigade services for the past fourteen years. In my role as leading the cybersecurity Initiative at multiple national system integrators in India, I have worked with them to provide VA/PT, External Attack Surface Management, and Red Teaming services to large corporate customers. In each case they have met or exceeded expectations resulting in repeat business. I have no hesitation recommending their services for quality conscious customers wanting to enhance their security posture.
Peter Theobald, A.C.A
Cybersecurity Industry Veteran, Author of Cybersecurity Demystified

Approach for System Audit Report for Data Localization (SAR)

Based on our extensive experience with delivering SAR for Data Localization & Storage of Payment System Data, we have developed the following approach:

Phase 1 – Information Gathering & Documentation Review

A detailed questionnaire is shared with your teams and various documentation and evidences are collected on the architecture, implementation and controls in place. These documents are thoroughly reviewed by our experts to understand the implementation and flag any concerns. This questionnaire is designed keeping in mind the RBI FAQs.

Phase 2 – Assessment, Validation & In-Depth Control Review

As part of this phase, an in-depth analysis of is carried out to validate all the documentation and cross-examine artefacts provided. Along with this the technical controls are assessed in-line with best-practices and data flow is analysed to identify potential risks or gaps.

Phase 3 – Remediation & Re-Validation

A comprehensive report is provided with any areas of concern, risks or violations. Appropriate recommendations are provided along with detailed proof of concept details to help your teams understand the concerns raised.

Our team works with you to carry out re-validation to ensure that you are able to close all the gaps and achieve successful compliance.

Phase 4 – CERT-In Empanelled Certification

As a CERT-In Empanelled Security Auditor, we document the entire activity along with relevant documentation, artefacts, findings, recommendations etc. A CERT-In Certification is issued for the System Audit Report (SAR) for Data Localization & Storage of Payment System Data.

System Audit Report Data Localization - Approach & Methodology

Data Localization for RBI & NPCI Cyber Security Compliance

The Reserve Bank of India (RBI) and the National Payments Corporation of India (NPCI) are key players in shaping data localization policies in India. Their guidelines ensure that financial data of Indian citizens is stored within the country, providing a framework that balances operational flexibility with security needs.

RBI’s Data Localization Mandate

RBI mandates financial firms to store all transactional data about Indian customers within the country. This includes everything from payment transactions to customer information.

NPCI’s Data Localization Mandate

NPCI focuses on payment systems and mandates localization of payment data. This ensures quicker access to data for regulatory purposes and aids in resolving customer grievances efficiently.

 

Deliverables of Compliance Audit & Certification

  • Executive Presentation: provide high level executive summaries of the complete engagement, root cause analysis of the identified issues & best practice recommendations for the long-term to help leaders better understand their risk and incorporate our recommendations into their roadmap.
  • Detailed Audit Reports: The audit report will typically be a detailed document that is divided into several sections, including:
    • Introduction: This section will provide an overview of the audit, including the scope, objectives, and methodology.
    • Findings: This section will identify the areas of compliance and non-compliance.
    • Recommendations: This section will make recommendations for improvement.
    • Appendices: This section may include supporting documentation, such as interview transcripts, policies and procedures, and risk assessments.
  • Certificate of Compliance: The certificate of compliance is a formal document that is issued by the auditor to the organization. This document states that the organization has been found to be in compliance with the guidelines.
  • List of Recommendations for Improvement: The list of recommendations for improvement will identify areas where the organization can strengthen its technology risk management framework. These recommendations can be used by the organization to improve its security posture and reduce its risk of a data breach or other security incident.
  • Plan for Remediation: The plan for remediation will outline the steps that the organization will take to address any non-compliance findings. This plan should be specific and measurable, and it should include a timeline for completion.
Download Sample Reports

No Results Found

The page you requested could not be found. Try refining your search, or use the navigation above to locate the post.