BHARAT HEAVY ELECTRICALS LIMITED POWER SECTOR – SOUTHERN REGION
ISMS-01/PS/001 Version 3.1 Date: 29th September 2015
Information Security Management System (ISMS) Manual
DOCUMENT CHANGE CONTROL
Document No: ISMS-01 / PS / 001
Document Title: ISMS Manual
Version No: 3
Issue Date: 31/10/2014
Manual Change History (columns: Revision No., Date of Issue, Details of Changes)
D S Jagannathan Bandyopadhyay (ISSO) CEO / PSSR AGM / MSX, IT & Comml AK Mukhopadhyay S Jagannathan CEP / PSSR (ISSO) AGM / MSX, IT & Comml
Manual Revised as per ISO/IEC 27001:2013 standard
E Bhamini SM / IT
A.18.1.5 - Regulation of cryptographic controls made applicable
Scope mentioned in Sl. No. 1 is revised
Scope determination changed to include external and internal issues
E Bhamini SM / IT
[For Internal Use] Page 1 of 47 This document to be considered obsolete if available in printed form. For the latest copy please visit the intranet page of BHEL PSSR
TABLE OF CONTENTS
0. Introduction
1. Scope
2. Normative References
3. Terms and Definitions
4. Context of the organization
   4.1 Understanding the organization and its context
   4.2 Understanding the needs and expectations of interested parties
   4.3 Determining the scope of the ISMS
   4.4 Information security management system
5. Leadership
   5.1 Leadership and commitment
   5.2 Policy
   5.3 Organizational roles, responsibilities and authorities
6. Planning
   6.1 Actions to address risks and opportunities
   6.2 Information security objectives and planning to achieve them
7. Support
   7.1 Resources
   7.2 Competence
   7.3 Awareness
   7.4 Communication
   7.5 Documented information
8. Operation
   8.1 Operational planning and control
   8.2 Information security risk assessment
   8.3 Information security risk treatment
9. Performance evaluation
   9.1 Monitoring, measurement, analysis and evaluation
   9.2 Internal audit
   9.3 Management review
10. Improvement
   10.1 Nonconformity and corrective action
   10.2 Continual improvement
11. ISMS Controls
A.5 Information security policies
   A.5.1 Management direction for information security
A.6 Organization of information security
   A.6.1 Internal organization
   A.6.2 Mobile devices and teleworking
A.7 Human resource security
   A.7.1 Prior to employment
   A.7.2 During employment
   A.7.3 Termination and change of employment
A.8 Asset management
   A.8.1 Responsibility for assets
   A.8.2 Information classification
   A.8.3 Media handling
A.9 Access control
   A.9.1 Business requirements of access control
   A.9.2 User access management
   A.9.3 User responsibilities
   A.9.4 System and application access control
A.10 Cryptography
   A.10.1 Cryptographic controls
A.11 Physical and environmental security
   A.11.1 Secure areas
   A.11.2 Equipment
A.12 Operations security
   A.12.1 Operational procedures and responsibilities
   A.12.2 Protection from malware
   A.12.3 Backup
   A.12.4 Logging and monitoring
   A.12.5 Control of operational software
   A.12.6 Technical vulnerability management
   A.12.7 Information systems audit considerations
A.13 Communications security
   A.13.1 Network security management
   A.13.2 Information transfer
A.14 System acquisition, development and maintenance
   A.14.1 Security requirements of information systems
   A.14.2 Security in development and support processes
   A.14.3 Test data
A.15 Supplier relationships
   A.15.1 Information security in supplier relationships
   A.15.2 Supplier service delivery management
A.16 Information security incident management
   A.16.1 Management of information security incidents and improvements
A.17 Information security aspects of business continuity management
   A.17.1 Information security continuity
   A.17.2 Redundancies
A.18 Compliance
   A.18.1 Compliance with legal and contractual requirements
   A.18.2 Information security reviews
ISMS – Information Security Management System
CISSO – Chief Information System Security Officer
ISSO – Information System Security Officer
IT – Information Technology Department
HR – Human Resources Department
DB – Database
OEM – Original Equipment Manufacturer
ED – Executive Director
SOA – Statement of Applicability
CIA – Confidentiality, Integrity and Availability
RA – Risk Assessment
RTP – Risk Treatment Plan
BCP – Business Continuity Plan
DR – Disaster Recovery
NDA – Non Disclosure Agreement
NC – Non Conformity
HRDD – Human Resource Development Department
HOD – Head of Department
IPR – Intellectual Property Rights
0. Introduction
0.1 General
This ISMS manual specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System within the context of BHEL PSSR’s overall business requirements. It specifies the implementation of security controls customized to the objectives and needs of the organization.
0.2 Compatibility with other management system standards
The high-level structure and sub-clause titles of this ISMS Manual are in accordance with Annex SL to Part 1 of the ISO/IEC Directives, which helps the organization to align or integrate other related management systems that have adopted Annex SL.
1. Scope
The Scope of the ISMS Manual specifies the requirements for establishing, implementing, maintaining and continually improving the Information Security Management System in PSSR within the context of PSSR’s business operations.
2. Normative References
The following documents were referred to in the creation of this document:
ISO/IEC 27002:2013, Information technology – Security techniques – Code of practice for information security controls
ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements
ISO 31000:2009 – Risk Management – Principles and Guidelines
ISO 9001:2000, Quality Management Systems – Requirements
BHEL PSSR Quality Management System (QMS) Manual
BHEL Personnel Manual
BHEL Conduct, Discipline and Appeal (CDA) rules
Corporate Information System Security Policy (ISMS-00-AA-001)
3. Terms and Definitions
Availability – Ensuring that authorized users have access to information and associated assets when required.
Business Continuity Plan (BCP) – A plan to build in proper redundancies and avoid contingencies to ensure continuity of business.
Computer Media – Includes all devices that can electronically store information. This includes, but is not limited to, diskettes, CDs, tapes, cartridges and portable hard disks.
Confidentiality – Ensuring that information is accessible only to those authorized to have access.
Continual Improvement – Continual Improvement refers to stage improvement programs that facilitate rapid improvement phases with intermediate stabilized phases.
Control – A mechanism or procedure implemented to satisfy a control objective.
Control Objective – A statement of intent with respect to a domain over some aspects of an organization’s resources or processes. In terms of a management system, control objectives provide a framework for developing a strategy for fulfilling a set of security requirements.
Disaster Recovery (DR) - A plan for the early recovery of Business operations in the event of an incident that prevents normal operation.
Fallback – Provisions to provide service in the event of failure of computing or communications facilities.
Information Security – Preservation of Confidentiality, Integrity and Availability of Information.
Information Security Management System (ISMS) – The part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
Integrity – Safeguarding the accuracy and completeness of information and processing methods.
Organization – Refers to BHEL, unless specified otherwise.
Risk – The combination of the probability of an event and its consequence.
Risk Acceptance – Decision to accept risk.
Risk Analysis – Systematic use of information to identify sources and to estimate the risk.
Risk Assessment – Overall process of risk analysis and risk evaluation.
Risk Evaluation – Process of comparing the estimated risk against given risk criteria to determine the significance of the risk.
Risk Management – Coordinated activities to direct and control an organization with regard to risk.
Risk Treatment – Process of selection and implementation of measures to modify risk.
Statement of Applicability – Document describing the control objectives and controls that are relevant and applicable to the organization’s ISMS, based on the results and conclusions of the Risk Assessment and Risk Treatment Processes. It should clearly indicate exclusions with appropriate reasons.
4. Context of the organization
4.1 Understanding the organization and its context
BHEL is an integrated power plant equipment manufacturer and one of the largest engineering and manufacturing companies in India in terms of turnover. BHEL was established in 1964, ushering in the indigenous Heavy Electrical Equipment industry in India - a dream that has been more than realized with a well-recognized track record of performance. The company has been earning profits continuously since 1971-72 and paying dividends since 1976-77. BHEL is engaged in the design, engineering, manufacture, construction, testing, commissioning and servicing of a wide range of products and services for the core sectors of the economy, viz. Power, Transmission, Industry, Transportation (Railway), Renewable Energy, Oil & Gas and Defence. It has 15 manufacturing divisions, two repair units, four regional offices, eight service centres and 15 regional centres, and currently operates at more than 150 project sites across India and abroad.
The Power Sector Southern Region, Chennai caters to the needs of various Electricity Boards, Public Sector Undertakings and other industries in installation and servicing of industrial and power plant equipment, including EPC and turnkey projects. It undertakes Life Extension Programmes and Renovation and Modernization of old power stations in the states of Tamil Nadu, Andhra Pradesh, Karnataka, Kerala, MP, Orissa & Pondicherry and other places including abroad as and when notified by the corporate office. BHEL PSSR has acquired certifications to Quality Management Systems (ISO 9001), Environmental Management Systems (ISO 14001) and Occupational Health & Safety Management Systems (OHSAS 18001) and is also well on its journey towards Total Quality Management.
4.1.1 Organization Setup
Bharat Heavy Electricals Limited is a public sector undertaking engaged in the design, manufacture, installation and servicing of equipment for the Power, Industrial, Transportation and Oil sectors. The Corporate office is located at New Delhi, India, with manufacturing, installation and servicing units / divisions located at various places. BHEL’s operations are organized around business sectors to provide a strong market orientation. Major business sectors are Power, Industry and International operations. Power Sector deals with Thermal, Industrial, Nuclear, Gas and Hydro business. Power Sector Head Quarters is located at New Delhi, India with four Regional Centers at Noida, Kolkata, Nagpur and Chennai for providing closer contact and speedy services to customers. Power Sector Southern Region, with its Headquarters at Chennai, Tamil Nadu, is engaged in installation and servicing of industrial and power plant equipment. Installation and Servicing offered by this Region broadly include : ies
, systems and structures.
conditions. CEO-PSSR (Unit Head) reports to Director (Power), Corporate Office. Top Management of the Unit consists of Unit Head, General Managers and Directly Reporting officers (DROs) of the Unit Head. The various functions are as given below:
HR and Administration
Subcontracts, Purchase & Stores
The detailed Organization Chart of each department is maintained by the respective department. The IT Department of BHEL PSSR caters to the IT requirements of all functions listed above and at all site locations of PSSR. The IT Department also takes the lead role in maintaining the ISMS across PSSR and ensures that security requirements are addressed in all operations, including internal operations, third party contracts, business partners and all stakeholders.
External Context of the Organization
Bharat Heavy Electricals Limited, Siri Fort, New Delhi 110049 (India) is a Public Sector Enterprise. Establishment of BHEL in 1964 was a breakthrough for upsurge in India's Heavy Electrical Equipment industry. Consistent performance in a highly competitive environment enabled BHEL to attain the coveted 'Maharatna' status in 2013. The total installed capacity base of BHEL-supplied equipment, 138 GW in India, speaks volumes about the contribution made by BHEL to the Indian power sector. BHEL's 57% share in India's total installed capacity and 65% share in the country's total generation from thermal utility sets (coal based) as of March 31, 2014 stand testimony to this. The company has been earning profits continuously since 1971-72 and paying dividends since 1976-77, which is a reflection of the company's commendable performance throughout. BHEL also has a widespread overseas footprint in 76 countries, with cumulative overseas installed capacity of BHEL manufactured power plants nearing 10,000 MW, including Malaysia, Oman, Libya, Iraq, the UAE, Bhutan, Egypt and New Zealand. In order to be transparent to investors, the financial results, including the latest unaudited quarterly reports, are published in the official BHEL corporate portal.
BHEL's contributions towards Corporate Social Responsibility till date include adoption of villages, organising free medical camps / supporting charitable dispensaries, schools for underprivileged and handicapped children, providing aid during disasters / natural calamities, providing employment to handicapped persons and ex-servicemen, rainwater harvesting, plantation of millions of trees, energy saving and conservation of natural resources through environmental management. Globally, the business scenario has been undergoing an unprecedented change leading to the evolution of innovative strategies.
Organisations are increasingly realising that their operations have a large impact on not only stakeholders like employees, shareholders, suppliers, customers but also on members of public sphere, communities and environment. It is considered to be the moral responsibility for an organisation to take care of the surroundings and people whose lives are being impacted by its operations.
4.2 Understanding the needs and expectations of interested parties
BHEL PSSR shall develop, implement, maintain and continually improve a documented ISMS within the context of its overall Business activities and risks and the requirements of the interested parties. The needs and expectations of the interested parties, namely the customers, vendors, contractors and other stakeholders, are documented as per ‘Security requirements of Interested Parties’ - ISMS-03/PS/030 and the list of Interested Parties is maintained as ‘List of Interested Parties’ - ISMS-04/PS/072.
4.3 Determining the scope of the information security management system
The boundaries of the ISMS in BHEL PSSR are defined in the following terms:
Physical Boundary: The physical boundary is defined as the PSSR HQ Office location at Chennai, the SAS Office at Secunderabad and the Site Offices situated at current project locations of PSSR which are connected to the BHEL MPLS cloud. The master list of project locations covered under the physical boundary of the ISMS is maintained as per ‘List of Active Sites’ - ISMS-04/PS/058.
Network Boundary: The network boundary is defined as the LAN network at PSSR HQ, SAS and Site Offices (as per ‘List of Active Sites’ - ISMS-04/PS/058), with interfaces being the Internet Gateway at PSSR HQ and the MPLS Gateway at each of the locations.
External and Internal Issues: The external and internal issues considered in the organizational context have been used to determine the scope.
Scope Statement: The scope of ISMS in BHEL PSSR includes all Information and Information Processing facilities, processes, resources and support services managed by BHEL PSSR IT to provide Information & Communication services to BHEL PSSR and to ensure confidentiality, integrity and availability in the information services extended to all interested parties.
4.4 Information Security Management System
BHEL PSSR shall develop, implement, maintain and continually improve a documented ISMS within the context of its overall Business activities and risks. The ISMS of BHEL PSSR is based on PDCA model as given below.
5. Leadership
This chapter presents the organizational initiative and commitment to effective implementation and operation of ISMS. In addition, this chapter highlights the roles and responsibilities associated with ISMS operation.
5.1 Leadership and Commitment
BHEL PSSR is committed to Information security. The management has constituted BHEL PSSR Information System Security Forum, which is responsible for defining and improving the ISMS. Management provides evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS as defined in ISMS documentation, by
a) Ensuring implementation of information security policy;
b) Ensuring that information security objectives and plans are established;
c) Establishing roles and responsibilities for information security and ensuring that adequate resources are available for establishing and maintaining ISMS;
d) Communicating to the organization the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement;
e) Ensuring that the desired outcomes are met after implementing ISMS;
f) Directing and supporting persons to contribute to the effectiveness of ISMS;
g) Promoting continual improvement of the ISMS;
h) Supporting other relevant roles as required.
5.2 Policy
The Corporate Information System Security Policy (ISMS-00/AA/001) approved by the Chairman and Managing Director of BHEL is the top level Policy Document for all units / regions / divisions of BHEL. It has been published in the Corporate Intranet portal and is available at all prominent locations in BHEL offices where ISMS is implemented. The unit level document ‘BHEL PSSR ISMS Manual’ - ISMS-01/PS/001 has been published and communicated to all employees of BHEL PSSR through the Intranet and mails, posters, training and induction programs.
5.3 Organizational Roles, Responsibilities and Authorities
5.3.1 HEAD – BHEL PSSR
To approve Information Security Management System as Chairman of BHEL PSSR Information System Security Forum
To appoint ISSO, Information System Security Forum and Security Organization structure
To review and approve objectives and targets
To provide finance and resources to meet objectives and targets
5.3.2 INFORMATION SYSTEM SECURITY OFFICER (ISSO)
Define specific roles and responsibilities of information security across BHEL PSSR
Co-ordinate with BHEL PSSR Information System Security Forum and BHEL PSSR Information System Security Coordination Team on all activities identified as a part of group responsibility
Organize security reviews and audits, with internal and external resources
Ensure implementation and tracking of ISMS plan
Coordinate with different security coordinators within the organization
Organize management reviews of ISMS
Promote awareness amongst employees on ISMS
Review and prioritize significant information assets and security threats
Apprise the Information System Security Forum of incidents
Coordinate with Corporate Information System Security Officer (CISSO)
Carry out RA and prepare RTP
Report to Head of PSSR with respect to ISMS implementation
Review and approve ISMS guidelines & procedures
Assess training requirements on information security
5.3.3 BHEL PSSR INFORMATION SYSTEM SECURITY FORUM
Review and approve the ISMS Manual and SoA
Monitor the implementation of ISMS policies and procedures
Review and approve the risk assessment and risk treatment plan, and accept residual risk
Design and deliver awareness program
Evaluate, implement and ensure utilization of up-to-date security technology and techniques
Review and monitor information security incidents
Ensure ISMS is in line with new legal, administrative and business requirements
Ensure that security is part of the information planning process
Decide specific methodologies and processes for information security, e.g. risk assessment, security classification system etc.
Drive organization-wide information security initiative
Assess new systems and services for security before absorbing them into the system, and identify and implement appropriate security controls
The Information System Security Forum will meet at least once in a year to support and supervise the activities of the ISSO, taking informed decisions. Together with the ISSO, it will jointly be held responsible for achieving measurable progress. Progress measurement metrics will be monitored to achieve continuous improvement.
5.3.4 BHEL PSSR INFORMATION SYSTEM SECURITY CORE TEAM
Conduct RA for all assets within their domains
Prepare and implement risk treatment plan
Implement ISMS policies and procedures within their domains
Provide necessary help in training and awareness of employees
To review implementation status at defined intervals
To ensure corrective and preventive actions for non-conformities / observations
To provide technical support and assistance to Information System Coordination team for implementation of ISMS policies and procedures
To assist ISSO in preparation and review of ISMS Manual, procedures, policies, guidelines and templates
5.3.5 BHEL PSSR INFORMATION SYSTEM SECURITY COORDINATION TEAM
Implement ISMS policies and procedures within their functional area
To identify and arrange for provision of training requirement to employees, suppliers and contractors
To ensure corrective and preventive actions for non-conformities / observations
Responsible for the web content published within their functional area
The Information System Security Coordination Team will meet at least once in a year to maintain and monitor the status of implementation of ISMS in their respective domains. In addition, the group helps reduce the risk of disruption of business operation by providing advice on all aspects of security including:
Security Awareness
Data Confidentiality and Privacy
Logical Access
Data Communications
Systems and Data Integrity
Physical Security
Contingency and Disaster Recovery Planning
Personal and Procedural Controls
5.3.6 BHEL PSSR SITE IT COORDINATORS
Implement ISMS policies and procedures for their respective site location
To identify and arrange for provision of training requirement to site employees
To ensure corrective and preventive actions for non-conformities / observations for their respective domain
All Employees
All employees are expected to follow the security policy, processes and procedures documented in ISMS. The management is to ensure that the required awareness on ISMS is imparted.
Other Key Personnel
The roles, responsibilities and authorities of System Administrator, Network Administrator, Application Developers, System users etc. are detailed in ‘Roles and Responsibilities’ - ISMS-03/PS/007. The roles and responsibilities of the BCP team are detailed in Annexure II of ‘Business Continuity Plan’ - ISMS-02-PS-BCP.
6. Planning
6.1 Actions to address risks and opportunities
6.1.1 General
The ISMS has been designed taking into consideration the context of the organization with reference to the external and internal issues and to meet the needs and expectations of interested parties. An organizational set of policies to support the top-level policy has been put in place. The organization selects and implements a set of controls to support the ISMS policies. The selection of these is based on the following (but not limited to) parameters:
Legal and Contractual requirements – IPR, Data Protection, IT Act, Safeguarding organizational records and Contractual Requirements.
Business requirements – Compliance with standards and security policy. Outsourcing and use of third party contractors.
Risk Assessment requirements – Security breaches, incidents, legislations, unauthorized access and environmental threats.
BHEL PSSR Information System Security Forum provides guidelines to Information System Security Officer (ISSO) on the Business Requirements for the level of assurance required for security of IT assets. Based on these guidelines the ISSO coordinates the Risk Assessment activity in the organization.
6.1.2 Information security risk assessment
The details of the Risk Assessment (RA) process are given in ‘Risk Assessment Procedures’ - ISMS-03/PS/001. The outputs of the RA process include:
Risk Assessment Report
Risk Treatment Plan (RTP)
Statement of Applicability (With rationale for inclusion/exclusion)
6.1.3 Information security risk treatment
Based on the RA report, the ISSO prepares the RTP and SOA, which includes selection of controls. The ISSO then obtains approval of Information System Security Forum for RTP implementation and acceptance of residual risk.
6.2 Information security objectives and planning to achieve them
BHEL PSSR has established the information security objectives at relevant functions and levels. Refer ‘Information security objectives’ – ISMS-03/PS/029.
7. Support
7.1 Resources
The management provides resources for the implementation, maintenance and review of the ISMS. The resources include funds, tools, human resources and any other resources that may be required for the efficient performance of the ISMS. The ISSO evaluates resource requirements for improvements in security infrastructure based on RA and review / audit records. Based on resource requirements, the Management approves / allocates the required resources.
7.2 Competence
Personnel who have experience and expertise in the application domain and in information security concepts are assigned to manage ISMS. The competency is built through regular training courses in ISMS implementation and internal auditor certification programmes.
7.3 Awareness
When the required levels of skill and expertise are not available, trainings are provided to ensure skill / knowledge enhancement as per the organization training process. The ISMS training is an integral part of training curriculum of HRDD. Refer ‘Training procedure’ - ISMS-03/PS/008.
Identifying what training is needed, and how frequently, for specific positions.
Identifying qualified individuals / agency to conduct the training program.
Organizing the training program.
Maintaining attendance records, course outlines and course feedback of all trainings conducted.
BHEL PSSR maintains records of all training programs organized by it as mentioned in the ‘Training procedure’ - ISMS-03/PS/008.
7.4 Communication
For changes to be made in the existing ISMS, the ISSO consolidates the inputs, reviews the ISMS for applicable improvements, prepares an action plan and communicates the results to all interested / affected parties with a level of detail appropriate to the circumstances. All improvements should be directed towards predefined organizational Business objectives.
BHEL PSSR Information System Security Forum reviews the ISMS at least once in a year, or on an event-driven basis, for its effectiveness and possible improvements. This review includes assessing opportunities for improvement and the need for changes to the ISMS, including the Security Policy and Information Security objectives. Management review of ISMS is conducted in accordance with the procedure ‘ISMS Review Procedure’ - ISMS-03/PS/004.
The input to the management review of the ISMS includes, but is not limited to, the following:
Action items from previous ISMS reviews
ISMS review / audit reports (Internal and External)
Results from effectiveness measurements
Feedback from the members of the organization. The feedback could be in the form of incidents reported, or change requests. A feedback form is published on the intranet for collecting feedback from the members of the organization.
Techniques, products, or procedures, which could be used in the organization to improve the ISMS performance and effectiveness
Vulnerabilities and threats not adequately addressed or not identified in the previous risk assessment
Changes (e.g. environmental) that could affect the ISMS
Recommendations for ISMS
Organizational or business change
The output of the management review includes any decisions or actions taken in the review meeting. The decisions or actions could be in the form of:
Improvement of effectiveness of the ISMS
Modifications of existing procedures to respond to internal or external events that may impact the ISMS. The external or internal events may be in the form of:
  o Change of business requirements
  o Change of security requirements
  o Improvements
  o Changes in regulatory or legal requirements
  o Changes in level of acceptability of risks
  o Customer specific requirements
The results of the reviews are clearly documented. The ISSO communicates output of the review and the action plan to the Head - BHEL PSSR, the Information System Security Forum and the Co-ordination Team members through Email.
7.5 Documented Information 7.5.1 General The documentation structure is as detailed below:
Corporate Information System Security Policy (ISMS-00) ISMS Manual (ISMS-01) Policies & Guidelines (ISMS-02) Procedures and Processes (ISMS-03) Templates and Forms (ISMS-04)
The components of ISMS Documentation are:
Level - 0 Corporate Information System Security Policy (ISMS-00): It is the top-level security policy of BHEL.
Level - 1 ISMS Manual (ISMS-01) - This document includes requirements of the ISO 27001 standard, and describes how the defined ISMS meets the requirements. The document details the organization approach towards management and implementation of ISMS.
Level - 2 Policies & Guidelines (ISMS-02) – A complete set of supporting technical policies and guidelines as identified and defined by the organization, and within the scope of ISMS.
Level - 3 Procedures and Processes (ISMS-03) – Contains processes and procedures required to implement and support the defined policies & guidelines.
Level - 4 Templates and Forms (ISMS-04) – Organizational standard templates/forms used in the processes / procedures. These are used to streamline the operation of ISMS and form a basis for records.
7.5.2 Creating and Updating The procedure for creation and update of documented information related to ISMS is per ‘Document Control Process’- ISMS-03/PS/005.
7.5.3 Control of Documented Information All documents related to ISMS requirements are controlled as per ‘Document Control Process’ - ISMS-03/PS/005. This includes:
- Review and approval of documents prior to issue / use
- Update, review and approval of necessary changes in controlled documents
- Availability of current revisions of necessary documents
- Withdrawal of obsolete documents from all points of issue or use to ensure guarding against unintended use.
All security documents are available on the Intranet for reference and use based on need-to-know requirements. This excludes all documents related to Business Continuity Management Process.
Control of Records Records are identified within each procedure in the ISMS to provide evidence of conformance to requirements and effective functioning of the Information System Security Forum. The detailed list of records with record name, record location, owner and retention period is controlled at ‘List of Records’ – ISMS-04/PS/027.
Organization ensures proper housekeeping of all the relevant records as per ‘Record Control Process’ - ISMS-03/PS/006.
8. Operation 8.1 Operation Planning and Control BHEL PSSR ensures effective implementation of actions determined on the basis of Risk Analysis. The controls and control objectives are derived from ISO 27001:2013 standard. Only controls applicable to achieving the security objectives of BHEL PSSR have been selected in the SOA and the same have been addressed in the subsequent chapters of this manual.
8.2 Information Security Risk Assessment The details of the Risk Assessment process can be referred from ‘Risk Assessment Procedures’ - ISMS-03/PS/001.
8.3 Information Security Risk Treatment Based on the outcome of the Risk Assessment the Risk Treatment plan is derived and ISSO ensures implementation of the same. The results of the Risk Treatment Plan are also documented as per ‘Risk Assessment Procedures’ - ISMS-03/PS/001.
9. Performance Evaluation 9.1 Monitoring, measurement, analysis and evaluation BHEL PSSR ensures that the security requirements have been met by measurement of the effectiveness of the selected controls. Refer ‘Procedure for Measurement of Effectiveness of Controls’ - ISMS-03/PS/024.
9.2 Internal Audit Internal ISMS audits are conducted once in a year to verify the adherence to ISMS. The audits are conducted to ensure that ISMS:
- Conforms to the requirements of the ISO 27001 standard
- Ensures compliance with relevant legal, statutory and contractual requirements
- Is effectively implemented and maintained
- Performs as expected
Security Audits are conducted in accordance with the procedure ‘Internal Audit Procedure’ - ISMS-03/PS/003. Trained personnel, not having direct responsibility of the activity being audited, shall conduct audits. ISSO with the help of HODs will ensure that any non-conformance found is closed. The ISSO is responsible for planning, scheduling, organizing and maintaining records of these audits.
9.3 Management Review BHEL PSSR Information System Security Forum reviews the ISMS at least once in a year, or on an event-driven basis, for its effectiveness and possible improvements. This review includes assessing opportunities for improvement and the need for changes to the ISMS, including the Security Policy and Information Security objectives. Management review of ISMS is conducted in accordance with the procedure ‘ISMS Review Procedure’- ISMS-03/PS/004 The results of the reviews are clearly documented and records maintained as specified in Section 7.4 in this document. The ISSO prepares an annual review plan and communicates the same to the BHEL PSSR Information System Security Forum.
10. Improvement This chapter presents the organization approach to the continual improvement of the ISMS.
10.1 Nonconformity and Corrective Action The ISSO compiles all inputs identified for improvements and prepares an Improvement Plan with the help of the BHEL PSSR Information System Security Forum. This plan is presented to the management for approval and resource allocation. The plan is created, implemented, and tracked. Refer Procedure on ‘Corrective and Preventive Actions’ - ISMS-03/PS/009.
10.2 Continual Improvement The ISSO is responsible for continual improvement of the ISMS for suitability and effectiveness. Inputs to continual improvement can be:
- Change in security policies and objectives
- Audit / Review Reports
- Incident Reports
- Analysis of monitored events
- Corrective and Preventive Actions
- Business Changes
- Environmental Change (New threats and vulnerabilities)
- Best practices of industry
11. ISMS Controls This chapter describes the selection and implementation of controls by the organization. In addition, the selection of controls presents the applicability of the standard suggested controls to the organization. The control objectives and controls listed in this chapter are directly derived from the ISO/IEC 27001:2013 standard, based on the guidelines in Section 6.1.3 of this document. Only controls applicable to BHEL PSSR have been mentioned and addressed in this chapter. Controls that are applicable to BHEL PSSR and exclusions have been explained in detail in the Statement of Applicability. Refer ‘BHEL PSSR SOA’ - ISMS-01/PS/003.
A.5 Information Security Policies A.5.1 Management direction for Information Security Control Objective: To provide management direction and support for information security.
A.5.1.1 Information Security Policy Document A Corporate Information System Security Policy (ISMS-00/AA/001) document has been created and approved by the management. The ‘BHEL PSSR ISMS Manual’ - ISMS-01/PS/001 has been published and communicated to all employees of BHEL PSSR, through the Intranet and mails, posters, training and induction programs.
A.5.1.2 Review of the information security policy ISSO is responsible for the creation, maintenance and update of the BHEL PSSR ISMS Manual. The BHEL PSSR Information System Security Forum approves the manual prior to release. The review and evaluation of ISMS Manual is conducted at least once in a year. The review guidelines state that the policy is to be reviewed for its effectiveness, compliance to business process, and compliance to technology changes.
A.6 Organization of Information Security A.6.1 Internal Organization Control Objective: To manage information security within BHEL PSSR
A.6.1.1 –Information Security Roles and Responsibilities The BHEL PSSR Information System Security Forum is responsible for developing, updating and communicating ISMS policies and procedures to all employees. This forum is headed by the Head of BHEL PSSR and includes Senior Executives from different domains. The details of organizational security structure and responsibilities of the Information System Security Forum are mentioned in Section 5.3.3. However, the responsibility for implementing the ISMS and controls is assigned to Core Team members and Information System Security Coordination Team members. All employees are expected to follow the security policy, processes, procedures documented in ISMS. The management is to ensure that the required awareness on ISMS is imparted.
A.6.1.2 – Segregation of duties In the organization, duties have been segregated in order to reduce the risk of accidental or deliberate system misuse. Different individuals are responsible for their respective areas, and proper controls exist that take care of possibility of fraud in areas of single responsibility without being detected. Different areas and associated responsibilities are defined as per ‘Roles and Responsibilities’ - ISMS-03/PS/007.
A.6.1.3 – Contact with authorities IT department shall maintain appropriate contact with the following authorities:
- Internet Service Provider (ISP)
- Hardware vendor
- Telecom services department
- Antivirus and software vendors
HR shall maintain the contacts with the following agencies:
- Electricity services department
- Local Agencies like Police, Fire, Hospitals
- Regulatory
This is necessary to ensure that appropriate actions can be promptly taken, and advice obtained in the event of any security incident. The contact list is available with all concerned staff. Refer Format “Contact List of External Agencies” – ISMS-04/PS/042
A.6.1.4 Contact with special interest groups
Information security advice is obtained from OEM vendors, legal advisors and technical experts on security matters to maximize the effectiveness of the organization’s ISMS. Besides the above, ISSO, in close coordination with the BHEL PSSR Information System Security Forum, is the main source of advice for all security issues. All security incidents and breaches are reported to ISSO for necessary corrective and preventive actions.
A.6.1.5 Information security in Project Management BHEL PSSR ensures that security controls are implemented in all projects. For system development projects refer ‘Policy on System Development & Maintenance’ - ISMS-02/PS/015 and for changes to existing operations refer ‘Change Management Procedure’ - ISMS-03/PS/016
A.6.2 Mobile devices and teleworking Control Objective: To ensure the security of teleworking and use of mobile devices. A.6.2.1 – Mobile device policy BHEL PSSR has well defined policy and guidelines on the use of laptops. Refer ‘Procedure on Laptop Handling ’ - ISMS-03/PS/018. A.6.2.2 – Teleworking BHEL PSSR has identified security requirements that have to be addressed before giving access to the employees / customers for the organization’s information or assets. All teleworkers are given restricted access as per the requirement and the physical security at teleworking site is ensured by implementing suitable controls.
A.7 Human Resource Security A.7.1 Prior to employment Control Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities A.7.1.1 – Screening Background verification checks are carried out on all candidates prior to employment in accordance with the HR Policy of BHEL, and there is a documented Personnel Manual. A.7.1.2 – Terms and conditions of employment
All employees of BHEL, at the time of joining, are required to agree to Terms and Conditions of employment as detailed in the Personnel Manual. A.7.2 During employment Control Objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error. A.7.2.1 Management Responsibilities The management of BHEL PSSR ensures that employees, contractors and third party users apply security measures in accordance with the established policies and procedures of the organization. A.7.2.2 Information Security awareness, education and training BHEL PSSR must ensure that all the employees and the relevant external parties are made aware of their security responsibilities. This will be ensured through awareness training and job roles and responsibilities. BHEL PSSR in association with HRDD ensures that all BHEL PSSR personnel are imparted ISMS related training. A training module on Information security policies is an integral part of HRDD training programs. Refer ‘Training procedure’ - ISMS-03/PS/008.
A.7.2.3 Disciplinary process Any violation of the signed documents is considered as a disciplinary offence and as such act as a deterrent to employees who might otherwise be inclined to disregard security procedures. The procedure shall ensure correct, fair treatment for employees who are suspected of committing serious or persistent breaches of security. The ‘Conduct, Disciplinary and Appeal (CDA) rules’ of BHEL addresses the disciplinary process to be followed for violation of the policies of the organization. A.7.3 Termination and change of employment Control objective: To ensure that employees, contractors and third party users exit BHEL PSSR in an orderly manner A.7.3.1 Termination responsibilities The HR Department is responsible for defining and communicating the termination responsibilities, taking into consideration the information security and legal aspects. Refer ‘Personnel Manual’.
A.8 Asset Management A.8.1 Responsibility for assets Control Objective: To maintain appropriate protection of organizational assets. A.8.1.1 – Inventory of assets Organizational assets have been categorized as:
Physical – Includes computer equipment (CPU, Peripherals etc), communication equipment (routers, switches, etc).
Software – Includes various applications programs, Operating System, system software, development tools and utilities.
Information –Databases, data files, archived information, system documentation.
Services – Include communication services, general utilities like power, AC etc.
An inventory of all assets is maintained by the IT department in the form of ‘Asset Register’ - ISMS-04/PS/002. BHEL maintains appropriate protection of the organizational assets. It aims at implementing appropriate controls for ensuring the confidentiality, integrity and availability of assets. A.8.1.2 Ownership of assets All IT assets in BHEL PSSR have a single owner, who manages the asset. The asset owner may delegate his responsibility to the user of the asset. The ultimate responsibility of the security of the asset rests with the owner, who monitors the use of the asset by users, and ensures that no security breaches occur. A.8.1.3 Acceptable use of assets All employees, contractors and third party users should follow rules for the acceptable use of information and assets associated with information processing facilities, including: a) Rules for electronic mail and Internet usages - Refer ‘Email Policy’ – ISMS-02/PS/006 and ‘Internet Policy’ - ISMS-02/PS/011 b) Guidelines for the use of mobile devices, especially for the use outside the premises of the Organization. Refer ‘Guidelines on use Of Desktop/Laptop Systems’ - ISMS-02/PS/003 A.8.1.4 Return of assets All employees leaving the services of BHEL PSSR are required to surrender the assets issued to them and obtain a “No Dues” certificate. The IT department ensures that all employees, contractors and third party users shall return all the IT assets upon termination of the employment or change of employment. Refer ‘Procedure for Return of IT Assets’ – ISMS-03/PS/027
A.8.2 Information Classification Control Objective: To ensure that information assets receive an appropriate level of protection A.8.2.1 – Classification of information: BHEL PSSR adopts four levels of classification of Information. The classification of information is documented as per the ‘Information Classification, Labelling and Handling Guidelines’ – ISMS-02/PS/001. A.8.2.2 – Labelling of information The guidelines for labelling and handling of Information are documented and available under the ‘Information Classification, Labelling and Handling Guidelines’ – ISMS-02/PS/001. A.8.2.3 Handling of assets The handling of assets is documented as per the ‘Information Classification, Labelling and Handling Guidelines’ – ISMS-02/PS/001.
A.8.3 Media Handling Control Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets and interruptions to business activities Use of portable media makes business information and information assets highly vulnerable to theft, loss, and mishandling. In order to protect information and related assets from these threats, the BHEL PSSR has implemented appropriate controls A.8.3.1 – Management of removable media All media should be stored in a safe, secure environment, in accordance with manufacturers’ specifications. The organization has defined procedure for the management of computer media containing sensitive data. Refer ’Procedure on Media handling and security’ – ISMS-03/PS/014. A.8.3.2 – Disposal of media BHEL PSSR has defined procedure for the disposal of computer media. The handling of Tapes, CDs and Hard Disks have been covered in ‘Procedure on Media handling and security’ – ISMS-03/PS/014. A.8.3.3 Physical media transfer Backup media being transported from one location to the other is protected from unauthorized access, misuse and corruption by sending them through trusted BHEL employee with proper authorization and adequate protection. Media like CDs , floppies are sent only through authorized couriers.
A.9 Access Control A.9.1 Business requirements of access control Control Objective: To limit access to information and information processing facilities. A.9.1.1 – Access control policy BHEL PSSR has implemented access control to information based on the business requirements on ‘need-to-know’ basis. Well-documented access control policy and procedures are in place. Refer ‘Business requirement for access control’ - ISMS-02/PS/009. A.9.1.2 – Access to networks and network services The access to internal and external network of the BHEL PSSR is controlled. This includes any direct access to services that are business critical to users within the domain, and direct access to network from users in high-risk location like users through Internet. Users shall only have direct access to the services that they have been specifically authorized to use. A defined and documented policy for use of network services exists. Refer ‘Network Management Policy’ - ISMS-02/PS/005. A.9.2 User Access Management Control Objective: To ensure that access rights to information systems are appropriately authorized, allocated and maintained. Access to network resources has to be managed properly at all levels. A.9.2.1 – User registration and de-registration BHEL PSSR has well defined policy and procedure for managing user access to all information systems and services. Refer ‘Policy on User Management’ - ISMS-02/PS/010. A.9.2.2 – User access provisioning The allocation and revocation of user access rights is restricted and controlled and is covered under ‘Policy on User Management’ - ISMS-02/PS/010. A.9.2.3 – Management of privileged access rights The allocation and use of privileges is restricted and controlled. Any privilege given onto any system in the organization is covered under ‘Policy on User Management’ - ISMS-02/PS/010. A.9.2.4 – Management of secret authentication information of users BHEL PSSR has a well-defined password policy and guidelines.
Refer ‘Policy on User Management’ - ISMS-02/PS/010.
A.9.2.5 – Review of user access rights The access rights of general users are reviewed every six months. It is the responsibility of the System Administrator to review the access rights and the review reports will be ratified by the concerned HOD. Records will be maintained as per format “Review of User Rights” – ISMS-04/PS/046. The concerned department coordinator will send the transfers / additions information to IT Department for review. A.9.2.6 – Removal or adjustment of access rights The access rights of all employees, contractors and third party users to information processing facilities should be removed upon the termination of employment or change of employment. All user accounts pertaining to the individual should be removed. If the individual has known passwords for accounts that need to remain active, the password has to be changed.
A.9.3 User Responsibilities Control Objective: To make users accountable for safeguarding their authentication information A.9.3.1 – Use of secret authentication information BHEL PSSR has instructed its employees to follow good security practices in selection and use of passwords. For detailed guidelines on the password selection and handling refer “User Guidelines” – ISMS-02/PS/018
A.9.4 System and Application Access Control Control Objective: To prevent unauthorized access to systems and applications A.9.4.1 – Information access restriction All applications developed in-house which contain information, have incorporated a uniform access control mechanism, which provides users with the required level of access. Additional privileges are given based on proper authorization from the information owner. Refer ‘Business requirement for access control’ - ISMS-02/PS/009. A.9.4.2 – Secure log-on procedures All user machines are accessible through a user name and password. These are assigned to each authorized user and are unique in nature. Unauthorized access is not permitted. Refer ‘Operating System Access Controls Procedure’ 02/PS/012.
A.9.4.3 – Password management system BHEL PSSR has a well-defined password policy and access management process. Refer ‘Policy on User Management’ - ISMS-02/PS/010. A.9.4.4 – Use of privileged utility programs All system utility programs, which impact the operations of the systems, are installed with controlled access to administrative accounts. Use of system utilities is controlled. A.9.4.5 – Access control to program source code Only the project team has access to the program source code in the project. Refer ‘Policy on System Development & maintenance’ - ISMS-02/PS/015.
A.10 Cryptography Not applicable as per SoA- Refer: BHEL PSSR – SoA - ISMS-01/PS/003
A.11 Physical and Environmental Security A.11.1 Secure Areas Control Objective: To prevent unauthorized physical access, damage, and interference to business premises and information.
A.11.1.1 – Physical security perimeter BHEL PSSR has a well-defined policy on physical security and procedure on physical access control. BHEL PSSR has implemented different security barriers to check the access to each of the following zones.
Zone 1: Zone 1 comprises of secured areas like Server room, Cabins of top management. Access to specific / secure areas of concern viz server rooms is monitored through proper authorization process.
Zone 2: Zone 2 comprises of office desk area. Access to these areas is restricted by the visitor pass for visitors and identity card for employees.
Zone 3: Zone 3 comprises of reception desk and open / public area in office premises. Access to these areas in the company premises is monitored by security personnel.
The Organization layout and the security zones are documented as per ‘Procedure on Physical and Environmental Security’ - ISMS-03/PS/013.
A.11.1.2 – Physical entry controls Secured areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access. The procedure for visitors and employees identification for access into the area of BHEL PSSR’s Information processing facilities is defined in ‘Procedure on Physical and Environmental Security’ - ISMS-03/PS/013.
A.11.1.3 – Securing offices, rooms, and facilities BHEL PSSR has taken the following security measures:
- Appropriate number of security personnel deployed
- All visitors and contract staff are supposed to report for security check-in and check-out formalities
- Entry is restricted to authorized personnel as per the ‘Procedure on Physical and Environmental Security’ - ISMS-03/PS/013.
- Each workstation, cubicle and cabin is provided with storage space, with lock and key arrangement to keep official documents/company classified information belonging to the employee of the workspace.
- Employees working before / after office hours and holidays shall inform the Vigilance & Security Department and relevant records are maintained.
- Access to the server room is restricted to authorized IT personnel only. Other third party personnel who want to work in the server room will be escorted by authorized personnel, and the presence of authorized personnel is a must for any work to be carried out.
A.11.1.4 Protecting against external and environmental threats BHEL PSSR has installed fire-fighting equipments in all areas within the premises and performs regular maintenance checks of these equipments. Refer ‘Procedure on Physical and Environment security’ - ISMS-03/PS/013
A.11.1.5 – Working in secure areas
Unsupervised work by external parties within server room will be strictly prohibited for safety reasons.
Personnel shall only be aware of the existence of, or activities within, a secure area on a need to know basis.
Eating and consuming other food products will be strictly prohibited in secure areas.
Photographic, video, audio or other recording equipment should not be allowed, unless authorized.
A.11.1.6 – Delivery and loading areas Access to public areas within the organization premises is strictly monitored by security personnel. The delivery and handling of materials is strictly under the authorization control with material gate pass. Without proper gate pass, no material is allowed to enter or leave the premises.
A.11.2 Equipment Security Control Objective: To prevent loss, damage, theft or compromise of assets and interruptions to business activities.
A.11.2.1 – Equipment siting and protection All equipments are physically protected from security threats and environmental hazards, by positioning them at secure areas. Only authorized personnel can enter secured areas. The controls are adopted to minimize the risk of potential security threats. The following practices are being followed in the organization:
- Business critical equipment is fully secured under lock and key
- Fire and smoke alarms are deployed appropriately.
- The information processing and storage facilities are fully secured
- Users are not allowed to have drink, eatables & smoke in the server room.
- Temperature and humidity levels are continuously monitored and maintained.
- Power equipment is periodically serviced and checked.
- Backup data cartridges are kept offsite.
The procedure for maintaining proper temperature and humidity is provided as per ‘Procedure on Physical and Environmental Security’ - ISMS-03/PS/013.
A.11.2.2 – Supporting utilities In BHEL PSSR, all electrical equipments are protected from power failure and other electrical anomalies. Arrangements are made to provide uninterrupted power supply (UPS) to all critical information processing facilities. UPS are maintained as per the OEM’s instructions and covered under AMC contract. The overall load on UPS is maintained at less than 60% of its capacity. The backup time of UPS when on battery is monitored and systems will be shut down when the backup time falls below 30 minutes. Lightning protection is provided to the building. DG sets are turned on in case of failure or routine power cuts. Emergency lights are also available all over the premises, to provide visibility in case of any emergency or power failure.
A.11.2.3 – Cabling security The data cables are well protected and isolated in order to protect from interception and damage. All the cables (data, telecommunication, and electrical) are laid using proper conduits, in order to protect them from external damage. Power cables and network cables are well separated to prevent any interference. The cable layout diagram is available with the administrator. The following guidelines should be taken care while laying the cable. Refer - ‘Network Management Policy’ - ISMS-02/PS/005.
A.11.2.4 – Equipment maintenance All equipments in BHEL PSSR are being correctly maintained to ensure their continued availability and integrity. Adhering to the following steps ensures this:
- All equipments are maintained in accordance with the OEM’s recommendations for service intervals and specifications.
- All critical equipments are covered under AMC.
- All UPS are under the regular preventive maintenance.
A.11.2.5 – Removal of assets All the equipments that are taken out of the company premises follow a proper authorization process. A proper gate pass is to be signed by the authorized person before taking any equipment out of the premises. The equipment/media/baggage required by visitors to be taken outside the premises will be checked by the security staff. There will be random checking of bags of employees / visitors while entering or leaving the premises.
A.11.2.6 – Security of equipment and assets off-premises The person carrying the equipment outside the premises is responsible for the security of the equipment. BHEL PSSR has a documented ‘Guidelines on use of Desktop and Laptop Systems’ - ISMS-02/PS/003. a) Equipment and media taken off the premises shall be authorized and shall not be left unattended in public places. Portable computers shall be carried as hand luggage and disguised where possible, when traveling. b) Manufacturers’ instructions for protecting equipment shall be observed at all times. c) Adequate insurance cover should be in place to protect equipment off site. d) IT department will authorize any material which are going out of premises and will maintain the records.
A.11.2.7 – Secure disposal or re-use of equipment Information held on equipment is removed or erased before the equipment is disposed of. All defective computer media to be disposed of is destroyed completely and all relevant information is made irrecoverable as per ‘Procedure on Media handling and security’ - ISMS-03/PS/014 and ‘Procedure on Disposal of Computer Equipments’ - ISMS-03-PS-026.
A.11.2.8 – Unattended user equipment Users shall do the following when away from their desk:
- Terminate active sessions when finished.
- Log off servers when the session is finished.
- Secure PCs or terminals from unauthorized access by a key lock or an equivalent control, e.g. password access, when not in use.
- Laptop users should close the laptop screen before leaving the desk.
A.11.2.9 – Clear Desk and Clear screen policy Personal computers will not be left logged on when not in use and will be protected by Passwords. The idle time after which the machine gets locked automatically is set to 15 minutes by the use of Domain Controller. Clear desk implies that sensitive or classified information at Level 3 and Level 4 (as per ‘Information Classification, Labelling and Handling Guidelines’ – ISMS-02/PS/001) should be stored in suitable locked cabinets when not in use or while not at desk. When printed, documents should be cleared from printers immediately.
A.12 Operations Security A.10.1 Operational procedures and responsibilities Control Objective: To ensure the correct and secure operation of information processing facilities.
A.12.1.1 – Documented operating procedures BHEL PSSR has a set of defined procedures for information processing facilities. Documented operating procedures for management and operation (including housekeeping activities) of information processing facilities are established. All documented operating procedures are approved by IT Head. Refer ‘Server Room Procedures’ - ISMS-03/PS/015. A Master list of documents is maintained. Refer ISMS-04/PS/026.
A.12.1.2 – Change management Any change in IT infrastructure and software is controlled through a well-defined procedure by the ISSO. Before any operational change is made to the IT infrastructure of the organization, a risk assessment and impact analysis will be conducted as per the procedure. Refer ‘Change Management Procedure’ - ISMS-03/PS/016.
A.12.1.3 – Capacity Management
The IT head of BHEL PSSR is responsible for advance planning and preparation in order to ensure availability of adequate capacity and resources. This helps reduce the risk of system overload. It is the responsibility of the individual administrators to look for capacity demands in their domain in advance. This ensures that the required capacity can be arranged in time to minimize the risk of failure due to lack of capacity. It also ensures the continuous availability of operational systems. Utilization of existing resources is monitored regularly. For details, refer “Authorization Procedure for Procurement & Deployment” - ISMS-03/PS/010. A capacity plan is to be developed and the same is to be approved/ revised at least once in a year by BHEL PSSR Information System Security Forum.
A.12.1.4 – Separation of development, testing and operational facilities The development and operational activities are separated. There are separate servers for development and operational systems. The software development procedure involves various steps in which different teams are involved at various stages including the migration of software from development to operational environment.
A.12.2 Protection from malware Control Objective: To ensure that information and information processing facilities are protected against malware
A.12.2.1 – Controls against malware Precautions are required to detect and prevent the introduction of malware. Software and information processing facilities are vulnerable to the introduction of malware such as computer viruses, network worms, Trojan horses and logic bombs. BHEL PSSR has implemented several controls to address the threat:
- BHEL PSSR has a policy for prevention against malicious software. Refer ‘Protection against malicious software’ - ISMS-02/PS/002.
- BHEL PSSR has a policy for the use of networks or any other medium as a preventive measure against virus attacks. Refer ‘Network Management Policy’ - ISMS-02/PS/005.
- Virus attacks and software malfunctions due to malicious software are treated as security incidents and handled as per the ‘Incident Management Procedure’ - ISMS-03/PS/002.
- To prevent loss of data due to malicious software, backups of critical data are taken regularly as per the ‘Housekeeping Policy’ - ISMS-02/PS/004.
A.12.3 Backup
Control Objective: To protect against loss of data
A.12.3.1 – Information backup Backups of essential business information are taken regularly. BHEL PSSR has a well-defined policy and procedures for information backup and restoration. Refer ‘Housekeeping Policy’ - ISMS-02/PS/004.
A.12.4 Logging and Monitoring
Control Objective: To record events and generate evidence
A.12.4.1 – Event logging BHEL PSSR has a defined policy for recording event logs of user activities, exceptions, faults and information security events. All systems are monitored to detect deviation from the access control policy. This audit trail serves as evidence in case of a security breach, and is the basis for any action. Audit logs are maintained on servers and provide audit information related to User Id, date and time of log-on and log-off, failed login attempts, and terminal location. Refer ‘Policy on Monitoring System Access and Use’ - ISMS-02/PS/013.
A.12.4.2 – Protection of log information BHEL PSSR ensures that logging facilities and log information are protected against tampering and unauthorized access.
A.12.4.3 – Administrator and operator logs Administrator activity and system-generated messages are logged and periodically analyzed to identify tasks that need to be performed proactively to improve the performance of the system or to avoid failure. Operational staff maintain a log register of their operational and maintenance activities. System startup, shutdown, reboot, errors and corrective actions taken are logged. The System Administrator regularly analyzes operator logs for preventive action.
A.12.4.4 – Clock synchronization The correct setting of critical computer clocks is important and is carried out to ensure the accuracy of audit logs, which may be required for investigation or as evidence in legal or disciplinary cases. Refer ‘Server Room Procedures’ - ISMS-03/PS/015.
A.12.5 Control of Operational Software
Control Objective: To ensure the integrity of operational systems
A.12.5.1 – Installation of software on operational software Software installation activities are conducted in a secure manner by controlling user access to the software / application. Refer ‘Procedure on Control of Operational Software’ - ISMS-03/PS/028.
A.12.6 Technical Vulnerability Management
Control Objective: To reduce risks resulting from exploitation of published technical vulnerabilities
A.12.6.1 – Management of technical vulnerabilities All PCs in the BHEL PSSR network are checked for technical vulnerabilities by an automatic patch deployment system. The system has been designed to automatically deploy vulnerability patches after approval by the administrator. All servers are regularly checked for compliance with security implementation standards. Technical compliance checking involves the examination of the OS, to ensure that hardware and software have been correctly implemented. No unapproved software will be used for checking technical compliance. The IT head will take the help of internal or external specialists for technical compliance checks by means of Vulnerability Assessment (VA) and Penetration Testing (PT). Refer ‘Technical Compliance Procedure’ - ISMS-03/PS/019.
A.12.6.2 – Restrictions on software installation Users are not permitted to install software on their desktops. The requirement of software is communicated to IT Department with due approval and IT Department takes appropriate action.
A.12.7 Information systems Audit Considerations
Control Objective: To maximize the effectiveness of and to minimize interference to/from the system audit process.
A.12.7.1 Information systems audit control BHEL PSSR has a defined procedure for conducting security reviews and audits. Refer ‘Technical Compliance Procedure’ - ISMS-03/PS/019.
A.13 Communications Security
A.13.1 Network Security Management
Control Objective: To ensure the protection of information in networks and its supporting information processing facilities.
A.13.1.1 – Network controls Access to the internal and external networks of BHEL PSSR is controlled. This includes any direct access to services that are business critical to users within the domain, and direct access to the network from users in high-risk locations, such as users connecting through the Internet. Users shall only have direct access to the services that they have been specifically authorized to use. A defined and documented policy for use of network services exists. Refer ‘Network Management Policy’ - ISMS-02/PS/005.
A.13.1.2 – Security of Network services BHEL PSSR ensures that the security features, service levels and management requirements of all network services are identified and included in the network service level agreement.
A.13.1.3 – Segregation in networks The network is segregated as per the policy defined in ‘Network Management Policy’ - ISMS-02/PS/005.
A.13.2 Information Transfer
Control Objective: To prevent loss, modification or misuse of information exchanged within an organization and with any external agency.
A.13.2.1 – Information transfer policies and procedures Information exchange is through several modes of communication such as Email, File transfer, Fax, Voice etc. Refer ‘Email Policy’ – ISMS-02/PS/006 and ‘Internet Policy’ – ISMS-02/PS/011 for policies on protection of sensitive information exchanged through Email and Internet. Refer ‘User Guidelines’ - ISMS-02/PS/018 for guidelines outlining the acceptable use of electronic communication facilities and best practices to be adopted for secure information exchange.
A.13.2.2 – Agreements on Information Transfer For outsourced application development, formal agreements are in place for exchange of information and software. Third party agencies are required to sign the NDA as per the terms of contract.
A.13.2.3 – Electronic messaging The electronic mail systems are properly secured from unauthorized access by using firewalls, and from viruses by deploying anti-virus software. BHEL PSSR has a well-defined policy and guidelines on the use of electronic mail. Refer ‘Email Policy’ - ISMS-02/PS/006.
A.13.3.4 – Confidentiality or Non-disclosure agreements Requirements for confidentiality or non-disclosure agreements reflecting the needs of BHEL PSSR for the protection of information shall be identified and reviewed by the Information System Security Forum. All contractors and external parties are also required to sign an NDA as covered by the respective contract guidelines. The format is as defined in ‘Non Disclosure Agreement (NDA)’ - ISMS-04/PS/001.
A.14 Systems Acquisition, Development and Maintenance
A.14.1 Security Requirements of Information Systems
Control Objective: To ensure that security is built into information systems
A.14.1.1 – Security requirements analysis and specification BHEL PSSR shall document all the security requirements along with functional requirements during the development of a new information system / enhancement of an existing system. The security controls to be incorporated into the system should take into consideration the business risks and value of information. Refer ‘Policy on System Development and Maintenance’ - ISMS-02/PS/015.
A.14.1.2 – Securing application services on public networks BHEL PSSR ensures that information involved in application services passing over public networks is protected from fraudulent activity, contract dispute and unauthorized disclosure by implementing security controls. Refer ‘Policy on System Development and Maintenance’ - ISMS-02/PS/015.
A.14.1.3 – Protecting application services transactions Application services transactions are protected against mis-routing, alteration, unauthorized disclosure and traffic sniffing by deploying suitable network controls. Refer ‘Network Management Policy’ - ISMS-02/PS/005.
A.14.2 Security in development and support processes
Control Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
A.14.2.1 Secure development policy The organization has a documented process for software development, which clearly asks for the security requirements of the project. Refer ‘Policy on System Development & Maintenance’ - ISMS-02/PS/015.
A.14.2.2 – System Change control procedures BHEL PSSR has a defined procedure to manage and control changes in the software developed and in support systems during the development life cycle. Refer ‘Policy on System Development & maintenance’ - ISMS-02/PS/015 and ‘Change Management Procedure’ - ISMS-03/PS/016.
A.14.2.3 – Technical review of applications after operating platform changes The application systems are reviewed to ensure that there is no adverse impact on operation and security due to changes in the operating system. Refer ‘Change Management Procedure’ - ISMS-03/PS/016.
A.14.2.4 – Restrictions on changes to software packages Modification of a software package is not permitted without the consent of the vendor. IPR and copyrights of software packages are followed.
A.14.2.5 Secure system engineering principles BHEL PSSR has established secure practices for system implementation. Refer ‘Policy on System Development & maintenance’ - ISMS-02/PS/015.
A.14.2.6 Secure development environment System development activities are carried out on a secure platform. Refer ‘Policy on System Development & maintenance’ - ISMS-02/PS/015.
A.14.2.7 – Outsourced development Where software development is outsourced, the following points shall be considered:
a) Licensing arrangements, code ownership and intellectual property rights
b) Certification of the quality and accuracy of the work carried out
c) Rights of access for audit of the quality and accuracy of work done
d) To ensure that the quality of code meets the requirements as mentioned in SRS.
Refer ‘Policy on System Development & maintenance’ - ISMS-02/PS/015 and ‘Change Management Procedure’ - ISMS-03/PS/016.
A.14.2.8 System security testing The security requirements of software testing are addressed in ‘Policy on System Development & maintenance’ - ISMS-02/PS/015.
A.14.2.9 – System acceptance testing New information systems, upgrades, and new versions are put through system acceptance testing for their acceptability and interoperability. Appropriate tests are carried out to confirm that all acceptance criteria are fully satisfied. The test results are documented, and operational, maintenance and usage procedures are established. Training is provided for use and operation of the new system. Refer ‘Policy on System Development & maintenance’ - ISMS-02/PS/015 and ‘Change Management Procedure’ - ISMS-03/PS/016.
A.14.3 Test data Control Objective: To ensure the protection of data used for testing.
A.14.3.1 Protection of test data The operational data are not used for testing purposes. Only authorized persons have access to test data, based on their roles and responsibilities.
A.15 Supplier Relationships
A.15.1 Information security in supplier relationships
Control Objective: To ensure protection of the organization’s assets that are accessible by suppliers.
A.15.1.1 – Information security policy for supplier relationships The organization identifies risks from suppliers’ access mainly in two categories, physical and network. Risk areas are identified and appropriate measures are taken to mitigate them through controls as mentioned in ‘Procedure on Security requirements in third party and outsourcing contracts’ - ISMS-03/PS/011. As a part of baseline control, all contract personnel are given restricted access as per the requirement of the service they are providing and as per the contractual obligations. All external parties working at the premises are required to sign a Non-Disclosure Agreement (NDA) at the time of contracts. Refer ‘Non Disclosure Agreement (NDA)’ - ISMS-04/PS/001.
A.15.1.2 – Addressing Security in third-party agreement The security requirements and controls for accessing information of BHEL PSSR by third-party vendors are addressed as per the security requirements detailed in ‘Procedure on Security requirements in third party and outsourcing contracts’ - ISMS-03/PS/011.
A.15.1.3 Information and communication technology supply chain The contracts with suppliers explicitly deal with the confidentiality of information that the supplier comes in contact with. Refer ‘Procedure on Security requirements in third party and outsourcing contracts’ - ISMS-03/PS/011.
A.15.2 Supplier service delivery management
Control Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements. BHEL PSSR maintains a Service Level Agreement with all Third Party Vendors at the time of contract.
A.15.2.1 Monitoring and review of supplier services BHEL PSSR ensures that the services, reports and records provided by the third party are regularly monitored and reviewed. Refer ‘Procedure on Security requirements in third party and outsourcing contracts’ - ISMS-03/PS/011.
A.15.2.2 Managing changes to supplier services Depending on the criticality of business systems and processes, BHEL PSSR will ensure that changes in the existing information security policies, procedures and controls of third party services are carried out. Refer ‘Procedure on Security requirements in third party and outsourcing contracts’ - ISMS-03/PS/011.
A.16 Information Security Incident Management A.16.1 Management improvements
Control Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken
A.16.1.1 – Responsibilities and procedures The overall responsibility for processing information security incidents rests with the ISSO and, based on the impact of the incident, the ISSO decides the resolution procedure. The escalation procedure to be followed for reporting different categories of incidents is detailed in ‘Incident Management Procedure’ - ISMS-03/PS/002.
A.16.1.2 Reporting information security events Security incidents are defined as events that could cause unauthorized disclosure, modification, or destruction of organizational information assets, or loss or destruction of the physical equipment associated with the computer systems, its peripherals or network infrastructure components. Security incidents also include other aspects of security, such as carrying firearms or other lethal weapons on the organization’s property, areas that are typically secured being left unlocked or unattended, fire or hazardous material spills, or witnessing someone performing an unsafe act or committing a violation of security policies or procedures. All users in BHEL PSSR are responsible for reporting any observed or suspected security incidents. Security incidents are reported and managed as per the documented procedure, ‘Incident Management Procedure’ - ISMS-03/PS/002.
A.16.1.3 – Reporting information security weaknesses Security weaknesses are defined as loopholes, weak points or vulnerabilities in a software application. These vulnerabilities or loopholes may be exploited to gain unauthorized access to data or systems. All users in BHEL PSSR are responsible for noting and reporting any such observed or suspected security weakness. They shall report these incidents as per ‘Incident Management Procedure’ - ISMS-03/PS/002.
A.16.1.4 – Assessment of and decision on information security events All information security events reported in BHEL PSSR are assessed to decide whether they can be categorized as security incidents, based on the number of users affected and the impact of the event.
A.16.1.5 – Response to information security incidents Incidents shall be attended to by the personnel assigned to each incident as per ‘Incident Management Procedure’ - ISMS-03/PS/002.
A.16.1.6 – Learning from information security incidents All information security incidents reported in BHEL PSSR are documented and stored in the Corrective and Preventive Actions database. The ISSO consolidates the incident reports for root cause analysis and considers these as an input for appropriate actions and necessary controls to avoid recurrence of the incidents. As a part of improvement, the relevant stakeholders are informed.
A.16.1.7 – Collection of evidence BHEL PSSR has identified all applicable laws and regulations. Where a follow-up action against a person or organization after an incident involves legal action, the records and documents that may be accepted as evidence are collected and maintained. It is ensured that all evidence collected in the process is:
- Admissible as evidence – Acceptable to court and legal authorities
- Complete – Present a complete trail of the incident
- Meet quality requirements – Are readable, legible etc.
A.17 Information Security Continuity Management
A.17.1 Information security continuity
Control Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
A.17.1.1 – Planning information security continuity A single framework of business continuity plans is maintained to ensure that all plans are consistent, and to identify priorities for testing and maintenance. Each business continuity plan specifies clearly the conditions for its activation, as well as the individuals responsible for executing each component of the plan. Business continuity begins by identifying events that can cause interruptions to business processes, e.g. equipment failure, flood and fire. This is followed by a risk assessment to determine the impact of those interruptions (both in terms of damage scale and recovery period). This assessment considers all business processes and is not limited to the information processing facilities. Depending on the results of the risk assessment, a strategy plan is developed to determine the overall approach to business continuity. The BCP is detailed in ‘Business Continuity Plan’ - ISMS-02/PS/BCP.
A.17.1.2 – Implementing information security continuity Business Continuity Plans are developed to maintain or restore business operations in the required time scales following interruption to, or failure of, critical business processes. The business continuity planning process is detailed in ‘Business Continuity Plan’ - ISMS-02/PS/BCP.
A.17.1.3 – Verify, review and evaluate information security continuity Business continuity plans shall be tested regularly to ensure that they are up to date and effective. Such tests should also ensure that all members of the recovery team and other relevant staff are aware of the plans. The test schedule for business continuity plan(s) is detailed in the ‘Business Continuity Plan’ - ISMS-02/PS/BCP.
A.17.2 Redundancies
Control Objective: To ensure availability of information processing facilities.
A.17.2.1 Availability of information processing facilities Information processing facilities like networks, servers etc. are provided with redundancies to ensure that there is no single point of failure. A Disaster Recovery site has been established for mission critical applications. Refer ‘Business Continuity Plan’ - ISMS-02/PS/BCP.
A.18 Compliance
A.18.1 Compliance with Legal and Contractual Requirements
Control Objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements
A.18.1.1 – Identification of applicable legislation and contractual requirements All relevant statutory, regulatory, and contractual obligations pertaining to information systems are explicitly defined and documented. BHEL PSSR adheres to all the applicable laws and acts. It is the responsibility of the HR (legal) department to review compliance and identify new or unidentified legal obligations. All agreements entered into by the company are duly vetted and approved by HR for this purpose. Refer List of applicable legislations ISMS-04/PS/023.
A.18.1.2 – Intellectual property rights (IPR) BHEL PSSR ensures that all license agreements are respected and limits the use of the products to specified machines, and for specific purposes.
a) The copyright of hardware, software and documentation belonging to BHEL PSSR will not be disclosed to any outside party unless otherwise cleared by ISSO.
b) The copyright of programs and associated material supplied by outside organizations / collaborators will be used by BHEL PSSR for only those purposes for which they are licensed.
c) No unauthorized copies will be made for use within or outside BHEL PSSR.
A.18.1.3 – Protection of records The important records are protected from loss, destruction and falsification. The following organizational records are safeguarded:
- List of records under the scope of ISMS
- Database records
- Transaction logs
- All contracts and agreements
All records are retained for a defined period as specified by the owner of the information. Storage and handling of all these records is in accordance with a defined procedure. Refer ‘Record Control Process’ - ISMS-03/PS/006.
A.18.1.4 – Privacy and Protection of personally identifiable information The IT Act 2000 India provides provisions to ensure data protection and privacy of computer systems. However, all personal records are maintained as hard copies and classified as ‘Confidential’. Only HR department has access to those files. Online personal information is maintained which is password protected, and the access is limited to the HR.
A.18.1.5 – Regulation of cryptographic controls Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.
A.18.2 Information Security Reviews
Control Objective: To ensure compliance of systems with organizational security policies and standards
A.18.2.1 – Independent review of information security BHEL PSSR Information System Security Forum is responsible for reviewing and auditing the ISMS for its compliance. All areas covered in the ISMS policy are considered for regular reviews and audits. ISSO prepares and publishes the annual audit/ review plan. The methodology in detail is mentioned in Section 9.3 of this document. Third party certification audit shall also be conducted as a part of independent review of ISMS.
A.18.2.2 – Compliance with security policies and standards The ISSO with the help of the Information System Security Forum and other Coordination team members conducts periodic/event-driven review to evaluate the effectiveness of the ISMS, and initiate corrective and preventive action for continual improvement. Refer ‘Internal Audit Procedure’ - ISMS-03/PS/003.
A.18.2.3 – Technical compliance checking Information systems are regularly checked for compliance with security implementation standards. Technical compliance checking involves the examination of the OS, to ensure that hardware and software have been correctly implemented. No unapproved software will be used for checking technical compliance. The IT head will take the help of internal or external specialists for technical compliance checks by means of Vulnerability Assessment (VA) and Penetration Testing (PT). Refer ‘Technical Compliance Procedure’ - ISMS-03/PS/019.