IT audit firm linked to ex-Mumbai CP didn’t red-flag NSE server breach: CBI

When the firm iSec Services Pvt Ltd was incorporated in March 2001, Pandey was not in service. He quit the directorship in May 2006, with his mother Santosh and son Armaan becoming directors in the company. Based out of Oshiwara in Andheri, it was one of the IT companies tasked with conducting security audits at NSE during 2010 to 2015 when the co-location scam is believed to have taken place. The CBI has recorded the statement of one of the company employees, a source said.

The CBI’s investigation over the course of the last four years long had led to the arrest of former NSE managing director Chitra Ramkrishna and its former group operating officer Anand Subramanian.

“The security audit company should have been able to detect the breaches in the NSE system during the period when the scam took place. We are looking into the processes followed by the company to test the security of the systems,” a source added, speaking of iSec Services Pvt Ltd.

However, sources close to the company said that iSec was merely responsible for conducting audits of the devices used by the brokers who were using the co-location facility provided by the NSE, to check if they had proper Internet connection, firewall facility, among other technical aspects. A source said, “iSec did not have any access to the NSE servers, so there was no way they could detect that the system had been compromised and a co-location scam was underway.”

An expert told The Sunday Express that an IT auditor is responsible for analysing and assessing an organisation’s technological infrastructure to find problems with efficiency, risk management and compliance. An IT auditor also identifies any IT issues that fall under the audit, specifically those related to security and risk management. The audit process can extend to networks, software, programmes, communication systems, security systems and any other services that rely on the company’s technological infrastructure.

IT audits are important for evaluating internal control and processes in an effort to keep the organisation and its data secure from external or internal threats.

“Audits are meant to examine controls on client-connected servers and networks. An audit examines current technology in the organisation and future technologies that will need to be adopted. Any step against regulation and compliance must be red flagged by IT auditors as they are the watchdogs of internal and external information flows,” the expert said.

Some BJP leaders had accused Pandey of going after its leaders at the behest of the then MVA government, a charge denied by the officer. BJP leader Mohit Kamboj against whom an FIR was registered in connection with a bank fraud had hinted that Pandey could face action after his retirement on June 30. Soon after recording his statement with police last month, Kamboj had said: “While the 1st (June 1) belongs to the person who registered this case against me, the 30th (June 30) will belong to us.”

As per iSec’s financial records, the company was incorporated by Pandey and one Pankaj Chandra, with 5,000 shares each. Pandey quit the directorship in May 2006, with his mother Santosh and son Armaan becoming directors in the company.

Currently Santosh is the whole-time director while one Anand Narayan is the other director. As per the shareholding pattern provided by the company as on March 31, 2021, Santosh and Armaan each hold 50% each in the company and Sanjay Pandey is not a shareholder.

iSec Private Security Ltd’s website says it was established in 2001 and is an ISO certified company. “We are engaged in ensuring security of information through a variety of security services, helping detect and prevent theft of information. iSec has been providing information security management services to various clients both in India as well as abroad. iSec’s efforts are supported by professional information security consultants….”