The Central Securities Depository (CSD) system is a web-based application which runs on https. It uses Oracle Certificate for point to point data encryption. The Depository also manages an automated Treasury Auction system for the Bank of Ghana and Government of Ghana for online submission and processing of bid at each of the auctions of Government and Bank of Ghana securities.
Key to CSD’s Information Technology infrastructure is a private wide area network known as the PWAN. This network infrastructure is made up of a combination of fibre and radio connectivity. Participants connect to the CSD systems via a browser over this wide area network. The Depository has deployed other technologies to enhance its operations. One of such is a secured File Transfer Protocol (sFTP) infrastructure for the exchange of bulk files between itself and its members. The depository system has been interfaced with the RTGS of the Bank of Ghana for straight-through funds settlement via SWIFT messaging infrastructure.
The CDS computer system includes advanced industry-standard security and auditing features. Password control and password ageing functions are implemented for system access control. The system is located at the company's site and the environment includes UPS, backup generator, fire protection, and physical access control to the computer room.
The CSD’s Information Security Management System (ISMS) is ISO27001 certified. The scope of the certification includes all the activities and operations of the depository including IT services and Business Continuity.
A comprehensive Business Continuity Plan (BCP) is in place to cater for various scenarios. The BCP which meets the ISO27001 standard is also aligned to ISO22301 standards. The ISO22301 standard is the international standard for Business Continuity Management. The BCP covers both preventive and corrective measures that will enable CSD to deal with various types of disaster that can disrupt normal systems and business operation. The BCP is tested periodically, at least once every year.
Tape Backups – Prevention of loss of data in the event of media failures is achieved through the implementation of redundant and cyclical backup tapes that are stored both on-site and off-site. The Depository follows the Grandfather-Father-Son concept for Daily, Weekly and Monthly backups for this implementation. Tape backups are tested periodically to ascertain if they are in good and usable conditions. Reusable tapes under this backup regime are also replaced periodically within their useful lifespan.
Mirrored Backup Site – The Depository has a remote hot backup site which is an exact replica of the production site in term of equipment. Transactions that affect the Production Servers are automatically shipped and updated to the Backup Servers at the Disaster Recovery Site (DR). The CSD uses Oracle Data Guard technology to implement real time online replication between its Production and DR site. Failover or Role Switching process takes less than five (5) minutes to complete.
Network Redundancy – The CSD has put in place some redundancies within its network infrastructure to ensure Business Continuity. There is first the PWAN which acts as our primary connectivity to all Participants. CSD has also implemented Internet Virtual Private Network (VPN) which is our secondary connectivity and is used in a scenario where a Participant loses access to the CSD system via the PWAN and also when the PWAN goes down. The CSD monitors all it networks to ensure that they are always active. As the PWAN and the Internet VPN are active all the time, Participants can switch automatically to which ever at any time.
Bureau Services – The Depository always has workstation setup at its premises for use by any of its members in the event where the member loses access to its premises of some other scenario where they cannot access the CSD systems from their premises.
IT Audit – As part of periodic audit, external auditors perform security audits of the IT systems of the CSD on a regular basis. Internal audit of the ISMS is performed by Bank of Ghana’s internal ISMS audit unit. There are external auditors who also audit the ISMS and also perform assessments and testing of the IT systems. Lloyd’s Register Quality Assurance Limited (LRQA) is the certification body for CSD’s ISO27001 certification. They perform certification, surveillance, upgrade and recertification audits. Any issues that are raised at any of the audits are discussed at the Board level and their rectification followed through.
Monitoring – The depository has several monitoring systems in place to assist in prevention of business disruption.
There is a monitoring system that monitors system logs to ensure that data replication to the DR site goes on as expected. Production site system logs are also monitored in real time.
There is also monitoring of logs from security systems including antivirus and firewall systems.
An environmental monitoring system including a 24 hour closed circuit television (CCTV) surveillance is also available to monitor and report in real time any changes in the environment of the main IT systems. Some of the environmental variables being monitored include temperature and flooding.
There is a state of the art fire suppression system in place to monitor any fire alarm situations. Also in place is an alert system which alerts key staff in case of fire, intrusion, power failure or a change in any of the monitored environmental variables.
The CSD systems were developed by Millennium IT of Sri Lanka, a member of the London Stock Exchange. The systems have been customized to suit requirements of the Ghanaian market as well as to meet the G30 Recommendations as well as other international standards. Similar systems have been implemented at the Mauritius Stock Exchange, Nairobi Stock Exchange, Dar es Salaam Stock Exchange, Zambian Stock Exchange and the Botswana Stock Exchange by Millennium IT Ltd and CDS.