RBI Data Localization


The Reserve Bank of India issued a directive vide circular DPSS.CO.OD.No 2785/06.08.005/2017-18 dated April 8, 2018, making it mandatory for all transaction data to be stored exclusively within India.

SAR Audit:

A System Audit Report (SAR) is a document that organizations, particularly those involved in handling payment data, are required to submit to the Reserve Bank of India (RBI) in compliance with the data localization mandate. The SAR serves as an official record certifying that the organization has fulfilled the requirement of storing end-to-end transaction data within India.


Key Criteria for System Audit Report for Data Localization (SAR)

Based on the RBI & NPCI Guidelines, the following key criteria need to be covered as part of this audit.

  • Payment Data Elements
  • Transaction / Data Flow
  • Application Architecture
  • Network Diagram / Architecture
  • Data Storage
  • Transaction Processing
  • Activities subsequent to Payment Processing
  • Cross Border Transactions
  • Database Storage and Maintenance
  • Data Backup & Restoration
  • Data Security

Approach for System Audit Report for Data Localization (SAR)

Based on our extensive experience with delivering SAR for Data Localization & Storage of Payment System Data, we have developed the following approach:

Phase 1 – Information Gathering & Documentation Review

A detailed questionnaire is shared with your teams, and documentation and evidence are collected on the architecture, implementation and controls in place. These documents are thoroughly reviewed by our experts to understand the implementation and flag any concerns.

Phase 2 – Assessment, Validation & In-Depth Control Review

In this phase, we thoroughly analyse the documentation and review the provided artifacts to ensure their validity. Additionally, we assess the technical controls according to industry best practices and examine the data flow to identify any potential risks or gaps.

Phase 3 – Remediation & Re-Validation

A detailed report will be provided that highlights any areas of concern, risks, or violations. In addition, we will offer appropriate recommendations and will work closely with you to facilitate re-validation, ensuring that all gaps are addressed and successful compliance is achieved.

Phase 4 – CERT-In Empanelled Certification

As an auditor certified by CERT-In, we thoroughly document all activities, including relevant paperwork, evidence, findings, and recommendations. We issue a CERT-In certification for the System Audit Report (SAR), which focuses on data localization and storage of payment system data.

Why do organizations need it?

  • SAR data localisation shields native citizens’ financial and personal information in moments of geopolitical crisis.
  • Shielding against anti-money laundering threats.
  • Holistic implementation of regulations to secure payment gateways.
  • Enhance IT Governance for payment service providers.

Advantages

  • Secures citizens’ data and provides data privacy and data sovereignty from foreign surveillance.
  • Unfettered supervisory access to data will help Indian law enforcement ensure better monitoring.
  • Minimises conflict of jurisdiction due to cross-border data sharing and delay in justice delivery in case of data breach.
  • It will give local governments and regulators the jurisdiction to call for the data when required.

FAQ:

  1. How much does the RBI Data Localization Audit cost?
    The cost of an RBI Data Localization Audit depends on several factors, including the size of your organization, the complexity of your IT systems and infrastructure, and the scope of the audit.

  2. How long does the RBI Data Localization Audit take?
    The duration of an RBI Data Localization Audit can vary depending on the size of your organization, the complexity of your IT systems and infrastructure, and the scope of the audit.

  3. What types of reports are included in the RBI Data Localization Audit?
    The RBI Data Localization Audit includes a System Audit Report for Data Localization (SAR). This report provides a comprehensive analysis of your IT systems and infrastructure, identifying potential risks and vulnerabilities that could impact the security of your data. The SAR report also includes recommendations for improving your security posture and complying with RBI regulations.

  4. What are the key criteria for the SAR report?
    The SAR report follows the guidelines provided by the RBI and includes a comprehensive analysis of your IT systems and infrastructure. The report covers several areas, including access control, network security, data protection, and incident management. The SAR report also includes recommendations for improving your security posture and complying with RBI regulations.

  5. How often do I need to conduct an RBI Data Localization Audit?
    The RBI guidelines recommend conducting an RBI Data Localization Audit at least once a year. However, the frequency of the audit can vary depending on the size of your organization, the complexity of your IT systems and infrastructure, and the scope of the audit.
