Karachi: Responding to recent news reports, the management of Karachi Stock Exchange (KSE) emphatically stated Friday that no information security breach exists in the Exchange.
A KSE release Friday said that in the second half of calendar 2013, the Board of KSE hired independent external consultants to provide a strategic review of the IT function and how it was placed with regard to current and future business prospects. As the consultants were working on this project, the management received information in August 2013 alleging that in 2008 there was misappropriation in the purchase of some IT hardware and some IT personnel had access to KSE’s IT system during that period. Immediately upon receipt of this information, management informed the Board, and the Board appointed outside forensic specialists to investigate these allegations. The relevant regulators were also informed of these developments.
A forensic report was submitted to the Board by the outside consultants in December 2013. The said report did not find any evidence of leakage of trading data. Based on the findings of the report and recommendations of the consultants, certain vulnerabilities identified in the KSE network related to e-mail servers were immediately rectified, along with additional security measures put in place to protect the Exchange’s IT data & network infrastructure as recommended by the consultants.
The management also removed from service several IT staff as they were deemed to have acted inappropriately with respect to not following operational procedures. At the same time, the Board requested the main Strategic Review of the IT department to be completed quickly, with a focus on IT infrastructure security and specific recommendations for improvement based on international best practices. This report is expected to be received by the end of February 2014 and its recommendations should be implemented forthwith.
The Board also constituted a group consisting of outside forensic specialists and senior management personnel of the Exchange to further investigate and ascertain if there was any actual leakage of proprietary and/or confidential information due to past vulnerabilities identified by the consultants, which have already been rectified. This internal enquiry is ongoing and its findings will be reported to the Board in due course.
The Exchange has already initiated the process of hiring a senior-level IT security executive who will oversee all aspects of Information and Communications Security at KSE, acting outside the IT department and reporting directly to the Audit Committee and the MD.
The release said that KSE is extremely cognizant of the sensitive nature of data within the Exchange’s IT and operational systems and has in place an information access matrix requiring several levels of authorizations to access data relevant to the normal functioning of specific departments.
It said no one, including the managing director, has access to live data, and even the Surveillance department can access data after due authorization on a minimum T+1 basis, while the SECP itself receives data feeds at the end of the day only since 2011. The security aspects, as with other operating procedures, have continued to be improved over time and, after the above-noted forensic analysis, tightened even further.