Nepal Stock Exchange (NEPSE)

Nepal Stock Exchange Limited (NEPSE) commissioned a security audit to ensure that NEPSE has a stable and secure computing environment. Through the audit, NEPSE would learn whether its systems are exposed to risk, possible vulnerabilities, and unauthorized network connections, and receive solutions to those risks together with recommendations for the smooth operation of the trading system.

In addition, NEPSE set up the audit to verify that it has proper controls over information and information processing facilities from the information security perspective, covering the Confidentiality, Integrity, and Availability (CIA) triad.

The purpose of the project was to:

  • communicate gaps in the existing control measures and provide recommendations to comply with the requirements of international best practices.
  • provide proper solutions for the identified risks, with recommendations for the smooth operation of the trading system.
  • share knowledge of whether the system is exposed to risk, possible vulnerabilities, and unauthorized network connections.
  • manage and reduce risks related to NEPSE’s information systems and the trading data of end-users.
  • portray the current state of the existing controls and recommend solutions for maintaining the confidentiality, availability, and integrity of information and information systems.

This project is intended to guide NEPSE in implementing security measures within the organization. It was also intended to give all concerned stakeholders of NEPSE an understanding of NEPSE's overall security posture and its areas for improvement.

The potential effect of any weakness includes the compromise of sensitive information; therefore, it is important to remediate the absence or inadequacy of effective controls, which can otherwise result in significant risks to information systems. The tasks carried out by greentick included assurance for:

  • IT Governance & Risk Management Practices
  • Information Technology / Information Systems Infrastructure Management, Administration and Security
  • Information Security Education / Competency
  • IT Operations security
  • Human Resource / Personnel Security
  • Asset Management and its security
  • Data Security / Privacy
  • Access Control Handling and Management
  • Physical and Environmental Security
  • Third-Party Vendor Management
  • Incident Handling and Management
  • Business Continuity & Disaster Management
  • Threat and Vulnerability Management
  • Performance Management of Trading System

Security Assessment

Apart from the policy review, greentick was involved in the identification and resolution of vulnerabilities. Penetration testing was carried out by the greentick team to:

  • Discover vulnerabilities in the Nepal Stock Exchange (NEPSE) application infrastructure and indicate the risk level associated with each vulnerability.
  • Investigate whether or not an attacker could penetrate the application network being evaluated.
  • Determine the likelihood that an attacker could compromise the “specific system under evaluation” with limited knowledge and restricted access.
  • Provide evidence that verifies whether the vulnerabilities found are exploitable, as well as the scope of those vulnerabilities.
  • Determine the strengths and weaknesses of the security measures implemented within the network and systems.

Additionally, an Application Security assessment was performed, which included but was not limited to the following:

  • Port Scanning
  • Fingerprinting
  • Enumeration
  • Running Services
  • Service Vulnerabilities
  • Vulnerability Exploits

The growing reliance of the public sector on online services puts public information at risk. greentick, as a public sector advisory, plays a vital role in enhancing public data privacy and security.