System Audit Report for Data Localization (SAR)

System Audit ReportData Localization (SAR)

The System Audit Report for Data Localization and Storage of Payment System Data (SAR) is a compliance mandate mandated by the RBI to guarantee suitable security measures and data localization procedures for payment-related data storage.

What we do

All financial technology companies require data localization services, and the audit must be completed by CERT-IN accredited auditors who certify activity completion.

Key Criteria for System Audit Report for Data Localization (SAR)

Based on the RBI & NPCI Guidelines, the following key criteria need to be covered as part of this audit.

Payment Data Elements
Transaction / Data Flow
Application Architecture
Network Diagram / Architecture
Data Storage
Transaction Processing
Activities subsequent to Payment Processing
Cross Border Transactions
Database Storage and Maintenance
Data Backup & Restoration
Data Security
Access Management

The audit should must be conducted by CERT-IN empanelled auditors certifying completion of activity.

SANS25 Secure Coding Guidelines

A well-known compilation of the most frequent security vulnerabilities found in all types of systems, with the goal of installing security into every developer’s head.

Out-of- Bounds read and Write
Improper Authentication
Unrestricted Upload of File with Dangerous Type
Null Pointer Dereference
Improper Control of Generation of Code
Improper Certificate Validation

Approach for System Audit Report for Data Localization (SAR)

Based on our extensive experience with delivering SAR for Data Localization & Storage of Payment System Data, we have developed the following approach:

RNR’s Methodology for Creating a System Audit Report for Data Localization (SAR)

Phase 1 – Information Gathering & Documentation Review

A comprehensive survey is distributed to your teams, collecting various documentation and evidence related to the architecture, implementation, and existing controls. Our experts thoroughly examine these documents to gain insight into the implementation process and address any concerns. The questionnaire is specifically designed with the RBI FAQs in mind.

Phase 2 –Assessment, Validation & In-Depth Control Review

In this phase, we thoroughly analyze the documentation and review the provided artifacts to ensure their validity. Additionally, we assess the technical controls according to industry best practices and examine the data flow to identify any potential risks or gaps.

Phase 3–Remediation & Re-Validation

A detailed report will be provided that highlights any areas of concern, risks, or violations. In addition, we will offer appropriate recommendations and provide detailed proof of concept information to help your teams fully understand the raised concerns. Our team will work closely with you to facilitate re-validation, ensuring that all gaps are addressed and successful compliance is achieved.

Phase 4–CERT-In Empanelled Certification

As an auditor certified by CERT-IN, we thoroughly document all activities, including relevant paperwork, evidence, findings, and recommendations. We issue a CERT-IN certification for the System Audit Report (SAR) which focuses on data localization and storage of payment system data.

Pursuant to the RBI and NPCI guidelines, the following essential criteria must be considered as part of this audit

Payment Data Elements
Transaction / Data Flow
Application Architecture
Network Diagram / Architecture
Data Storage
Transaction Processing
Activities after Payment Processing
Cross Border Transactions
Database Storage and Maintenance
Data Backup & Restoration
Data Security
Access Management

All financial technology companies require data localization services, and the audit must be completed by CERT-IN accredited auditors who certify activity completion. RNR is CERT-In Empaneled Company, with us your SAR Data Localization is in place.