System Audit Report for Data Localization (SAR)
The System Audit Report for Data Localization and Storage of Payment System Data (SAR) is a compliance requirement mandated by the RBI (Reserve Bank of India) to ensure that suitable security measures and data localization procedures are in place for the storage of payment-related data.
What we do
Financial technology companies that handle payment system data require data localization services, and the audit must be completed by CERT-In empanelled auditors who certify completion of the activity.
Key Criteria for System Audit Report for Data Localization (SAR)
Based on the RBI & NPCI Guidelines, the following key criteria need to be covered as part of this audit.
- Payment Data Elements
- Transaction / Data Flow
- Application Architecture
- Network Diagram / Architecture
- Data Storage
- Transaction Processing
- Activities subsequent to Payment Processing
- Cross Border Transactions
- Database Storage and Maintenance
- Data Backup & Restoration
- Data Security
- Access Management
SANS25 Secure Coding Guidelines
A well-known compilation of the most frequent security weaknesses found in all types of systems, with the goal of building security awareness into every developer's daily practice.
- Out-of-Bounds Read and Write
- Improper Authentication
- Unrestricted Upload of File with Dangerous Type
- Null Pointer Dereference
- Improper Control of Generation of Code
- Improper Certificate Validation
Approach for System Audit Report for Data Localization (SAR)
Based on our extensive experience with delivering SAR for Data Localization & Storage of Payment System Data, we have developed the following approach:
RNR’s Methodology for Creating a System Audit Report for Data Localization (SAR)
Phase 1 – Information Gathering & Documentation Review
A comprehensive survey is distributed to your teams, collecting various documentation and evidence related to the architecture, implementation, and existing controls. Our experts thoroughly examine these documents to gain insight into the implementation process and address any concerns. The questionnaire is specifically designed with the RBI FAQs in mind.
Phase 2 – Assessment, Validation & In-Depth Control Review
In this phase, we thoroughly analyze the documentation and review the provided artifacts to ensure their validity. Additionally, we assess the technical controls according to industry best practices and examine the data flow to identify any potential risks or gaps.
Phase 3 – Remediation & Re-Validation
A detailed report will be provided that highlights any areas of concern, risks, or violations. In addition, we will offer appropriate recommendations and provide detailed proof of concept information to help your teams fully understand the raised concerns. Our team will work closely with you to facilitate re-validation, ensuring that all gaps are addressed and successful compliance is achieved.
Phase 4 – CERT-In Empanelled Certification
As a CERT-In empanelled auditor, we thoroughly document all activities, including the relevant paperwork, evidence, findings, and recommendations. We then issue the CERT-In certified System Audit Report (SAR) covering the data localization and storage of payment system data.
RNR is a CERT-In empanelled company; with us, your SAR for Data Localization is in place.