
Analysis Sheet of ISNP

Name of the Insurer/ Insurance Intermediary:____________

1. Does the applicant employ persons with necessary qualifications, experience, record of
conduct and performance of the persons in management of the applicant’s Insurance
Self-Network Platform? (Yes/ No). If yes, please attach Names, designation,
qualifications, experience, record of conduct and performance of the persons in
management of the applicant’s Insurance Self-Network Platform.

S.No. | Name | Qualification | Experience | Conduct | Performance | Relation to ISNP | Comment

2. Does the applicant have in place the manner of protection against unauthorised access,
alteration, destruction, disclosure or dissemination of records and data of the applicant’s
Insurance Self-Network Platform? (Yes/ No). If yes, please furnish details thereof.
(Reference Clause : 14 a ii)

List out controls at each layer

# | Layer | Controls
1 | Application |
2 | Database |
3 | Data |
4 | Operating System |
5 | Network |
6 | Physical Access |
7 | General Security Controls |
8 | Identity Management |
9 | Password Management |
10 | Event Management |
11 | Asset Management |
12 | Security Awareness and Governance |
13 | Monitoring and Metrics |
14 | Assessment and Remedial methodology |
15 | Audit and accountability |

Company may be asked to submit a certificate by CERT-IN/ CISA/ DISA that it has
adequate protection against above items.

3. Does the applicant have means of establishing network through which electronic means
of communications are established amongst the market participants which is secure
against unauthorized entry or access? (Yes/ No). If yes, please submit details thereof
(Reference Clause : 14 a iii)

• Acceptable use policy
• E-mail and communications activities
• Antivirus policy
• Identity Management policy
• Password policy
• Encryption policy
• Remote access policy
• Content Security
• Intrusion Prevention Methodology
• Compliance Validation methodology
• Details of Infosec Infrastructure (Security Appliances)
• Secure Development Process
• Monitoring Standards (NOC/SNOC/Detection and Prevention controls)

Company may be asked to submit a certificate by CERT-IN/ CISA/ DISA that it has
established safe and secure electronic communication between itself and market
participants and is secure against unauthorized entry or access.

4. Does the applicant employ standard transmission and encryption formats amongst the
market participants on Platform in order to protect the information from any disruption,
hacking, etc.? (Yes/ No). If yes, please furnish details thereof.
(Reference Clause : 14 a iv)

List out controls at each layer

# | Layer | Controls
1 | Application |
2 | Database |
3 | Data |
4 | Operating System |
5 | Network |
6 | Physical Access |
7 | General Security Controls |
8 | Identity Management |
9 | Password Management |
10 | Event Management |
11 | Asset Management |
12 | Security Awareness and Governance |
13 | Monitoring and Metrics |
14 | Assessment and Remedial methodology |
15 | Audit and accountability |

Company may be asked to submit a certificate by CERT-IN/ CISA/ DISA that
transmission and encryption are standard that will protect the information from
any disruption and hacking, etc.

5. Does the applicant have Details of procedures and facilities to ensure that the Insurance
Self-Network Platform is protected against loss or destruction and arrangements have
been made for disaster recovery at a location different from the existing place? (Yes/
No). If yes, please submit details thereof.
(Reference Clause : 14 a v)

Company’s protection against loss or destruction methods including but not
limited to
i) Procedures -
ii) Facilities -

• Risk Assessment and Risk Treatment
• Contingency Planning and Monitoring
• Incident Response Management
• Location of Primary / Near / Far Data Centres
• RTO and RPO
• Testing and Validation Methodology
• Media Protection

Company’s arrangements for disaster recovery

Company may be asked to submit a certificate by CERT-IN/ CISA/ DISA that the
procedures and facilities against loss or destruction and arrangements for
disaster recovery are adequate.

6. Does the applicant have mechanism put in place to ensure that the interests of the
persons buying insurance policies including their privacy on the Insurance Self-Network
Platform are adequately protected? (Yes/ No). If yes, please submit details thereof.
(Reference Clause : 14 a vi)

Company’s mechanism for ensuring customers’ interests and privacy are
protected

List out controls at each layer

# | Layer | Controls
1 | Application |
2 | Database |
3 | Data |
4 | Operating System |
5 | Network |
6 | Physical Access |
7 | General Security Controls |
8 | Identity Management |
9 | Password Management |
10 | Event Management |
11 | Asset Management |
12 | Security Awareness and Governance |
13 | Monitoring and Metrics |
14 | Assessment and Remedial methodology |
15 | Audit and accountability |

Company may be asked to submit a certificate by CERT-IN/ CISA/ DISA that the
mechanism for ensuring customers’ interests and privacy are protected

7. Does the applicant have procedures and processes that enables seamless integration of
filling up the proposal form, acceptance of the proposal, compliance of KYC norms,
payment of premiums, issuance of insurance policies and endorsements, acceptance of
policy servicing requests, settlement of claims, payment of benefits and any other
activity that is part of servicing of the insurance policy? (Yes/ No). If yes, please submit
details thereof.

Company’s procedures and processes enable seamless integration of
i) Filling up of proposal form -
ii) Issuance of insurance policies and endorsements -
iii) Compliance of KYC norms -
iv) Acceptance of policyholder servicing requests -
v) Settlement of claims -
vi) Payment of benefits -
vii) Any other activity -

Company may be asked to submit a certificate by CERT-IN/ CISA/ DISA that
the procedures and processes that enable seamless integration of the
above activities are in place.

8. Does the applicant have Management Information System supporting Internet insurance
business operations in order to realize a real-time connection with Insurance core
systems and of ensuring effective isolation between other application systems of the
insurers, avoiding the external transmission and spread of information security risks in
insurers/ intermediaries? (Yes/ No). If yes, please submit details thereof.

Company’s MIS allows for
i) Real-time connection with insurance core systems
ii) Ensures effective isolation between other application systems
iii) Avoids external transmission and spread of information security risks

List out controls at each layer

# | Layer | Controls
1 | Application |
2 | Database |
3 | Data |
4 | Operating System |
5 | Network |
6 | Physical Access |
7 | General Security Controls |
8 | Identity Management |
9 | Password Management |
10 | Event Management |
11 | Asset Management |
12 | Security Awareness and Governance |
13 | Monitoring and Metrics |
14 | Assessment and Remedial methodology |
15 | Audit and accountability |

Company may be asked to submit a certificate by CERT-IN/ CISA/ DISA that the
company’s MIS system allows for the above safeguards

9. Does the applicant have firewall, intrusion detection, data encryption, disaster recovery
and other Internet information security management systems? (Yes/ No). If yes, please
submit details thereof.

Details of Company’s ISNP
i) Firewall -
ii) Intrusion detection -
iii) Data detection -
iv) Disaster recovery -
v) Internet Information security Management System -

List out controls at each layer

# | Layer | Controls
1 | Application |
2 | Database |
3 | Data |
4 | Operating System |
5 | Network |
6 | Physical Access |
7 | General Security Controls |
8 | Identity Management |
9 | Password Management |
10 | Event Management |
11 | Asset Management |
12 | Security Awareness and Governance |
13 | Monitoring and Metrics |
14 | Assessment and Remedial methodology |
15 | Audit and accountability |

Company may be asked to submit a certificate by CERT-IN/ CISA/ DISA that
the Company has adequate and standard above mentioned safety features
given their size and complexity of their operations.

10. Is the domain name of website registered and is the location of the servers hosting it in
India? (Yes/ No). If yes, please submit details thereof.

• Domain name of company’s registered website
• Location of servers in India
• SSL /TLS Details

Company may be asked to submit a certificate by CERT-IN/ CISA/ DISA giving the
domain name of company’s registered website & location of servers in India.

11. Does the applicant have means available to ensure that the information displayed on the
website, the processes, procedures and any other mechanism by whatever name
called, displayed and implemented on the platform are available at all times for verification
and scrutiny? (Yes/ No). If yes, please submit details thereof.

Details of means available for verification and scrutiny of:


i) Information displayed on the website at all times -
ii) Audit trail of Process and procedures -

Company may be asked to submit a certificate by CERT-IN/ CISA/ DISA that there
are means available and audit trails available for verification and scrutiny of
information displayed in website at all times

12. Any other information considered relevant by the applicant.
