Information Security Management System (ISMS) Manual Documents/Policy... · (OIL-IS-ISMS-ISM- ISMS...


(OIL-IS-ISMS-ISM- ISMS Manual)

Internal

Information Security Management System (ISMS) Manual

Document Number: OIL-IS-ISMS-ISM


Document Details

Title: ISMS Manual
Description: Document details the Information Security Management System for Oil India Limited
Version: 2.0
Author: Information Security Manager
Classification: Internal
Review Date: 08/01/2016
Reviewer & Custodian: CISO
Approved By: Information Security Council (ISC)
Release Date: 18/01/2015
Owner: CISO

Distribution List

Name: Internal Distribution Only

Version History

Version Number    Version Date
1.0               04/03/2015
2.0               08/01/2016


Contents

Contents ........ 3
Document Information ........ 5
Purpose of Document ........ 5
4. Context of Organization ........ 5
4.1. Understanding the Organization and its Context ........ 5
4.2. Understanding the Needs and Expectations of Interested Parties ........ 6
4.3. Determining the Scope of the Information Security Management System ........ 6
4.4. Information Security Management System ........ 7
5. Leadership ........ 9
5.1. Leadership and Commitment ........ 9
5.2. Policy ........ 14
5.3. Organization Roles, Responsibilities and Authorities ........ 17
6. Planning ........ 18
6.1. Actions to Address Risk and Opportunities ........ 18
6.2. Information Security Objectives and Planning to Achieve Them ........ 20
7. Support ........ 21
7.1. Resources ........ 21
7.2. Competence ........ 21
7.3. Awareness ........ 21
7.4. Communication ........ 21
7.5. Documented Information ........ 22
8. Operation ........ 23
8.1. Operational Planning and Control ........ 23
8.2. Information Security Risk Assessment ........ 23
8.3. Information Security Risk Treatment ........ 23
9. Performance Evaluation ........ 24
9.1. Monitoring, Measurement, Analysis and Evaluation ........ 24
9.2. Internal Audit ........ 24
9.3. Management Review ........ 24
10. Improvement ........ 25


10.1. Nonconformity and Corrective Action ........ 25
10.2. Continual Improvement ........ 25


Document Information

Purpose of Document

This manual provides the framework which Oil India Limited has adopted for implementing an information security management system that complies with ISO/IEC 27001:2013.

The document details the Information Security Management System for Oil India Limited which includes employees/third parties/contractors working in the department, and all information assets owned by and in custody of Oil India Limited.

The following paragraphs detail how the requirements specified in Clauses 4 to 10 of the ISO 27001:2013 Standard have been addressed by Oil India Limited.

4. Context of Organization

4.1. Understanding the organization and its context

OIL is a premier Indian National Oil Company engaged in the business of exploration, development and production of crude oil and natural gas, transportation of crude oil and production of LPG.

OIL has implemented SAP applications. The SAP applications and their supporting IT infrastructure and systems are located at OIL’s Data Centre at Duliajan, Assam and at the Disaster Recovery Data Centre at Noida, Uttar Pradesh.

OIL has identified the following external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome of its information security management system:

Internal:

o OIL Senior management
o ERP services
o Technological Environment
o Fraud/ Espionage/ Segregation of Duties/ Information leakage etc.
o Risk Management reviews and outcomes
o Employees
o Information Security Incidents
o IT team providing support to applications hosting E&P services

External:

o Employees’ Union
o Executives’ Union
o Technological Environment
o Riots/Terrorist attacks/Governmental and Statutory directives/Political scenario etc.
o External stakeholders/consultants/vendors
o Legal and regulatory environment
o Earthquake
o Flood


4.2. Understanding the needs and expectations of interested parties

OIL has identified the following parties which would be considered relevant to information security along with their requirements:

o OIL ISMS Management: A well-established Information Security Management System would help OIL’s management gain comfort and assurance over the department’s operations.

o Internal Employees: A certified ISMS will help OIL’s internal employees work in a secure environment and assist in the implementation of, and adherence to, the controls identified as part of the ISMS.

o End Users: The IT department of OIL provides services through its Data Centres to end users who share sensitive information. Having an established and certified ISMS shall help OIL address any confidentiality concerns of its end users.

o Suppliers/Vendors/Third Parties: At times, suppliers may share proprietary information with OIL and, in doing so, expect OIL to implement security controls to protect that proprietary information. With a certified ISMS, suppliers will be more willing to associate with OIL, as it enables them to partner with an organization complying with global standards. Further, a structured ISMS shall assist OIL in protecting the sensitive information exposed to third parties and other vendors.

o Legal and Regulatory Bodies: The applicability of various legislations, such as the IT Act, and regulations affects OIL’s operation of information security, thereby making these bodies OIL’s interested parties. The legal issues associated with the various legislations enacted, and the regulatory compliance policies towards information systems, are better addressed using a structured ISMS.

o Employees’ Union: A well-established and certified ISMS would assure the Union that sensitive data regarding its members is well taken care of, and that the relevant information is available to its members in a secure manner at the right time.

o Executives’ Association: The Executives’ Association would also expect the interests of its members to be protected by a framework such as the ISMS, so that sensitive information of its members is handled in a secure manner without compromising availability. The necessary procedures and controls should be put in place to ensure a secure environment.

4.3. Determining the scope of the information security management system

On the basis of the organizational context and requirements of interested parties captured in 4.1 and 4.2, OIL has established the scope of the ISMS as per OIL-IS-ISMS-SD-1.1 (ISMS Scope Document):

“Information Security Management System covering two data centers located at Duliajan and SAP Data remote backup site located at Noida”.


4.4. Information Security Management System

People, process, and technology are critical to the Company for the conduct of its business. By establishing, documenting, implementing, monitoring, reviewing and maintaining an ISMS based on the ISO 27001 standard, the Company gains greater confidence in its personnel and its information security framework, and offers better assurance to its business partners and customers. OIL has adopted the Plan-Do-Check-Act (PDCA) approach for this, as shown below:

Figure 1: PDCA model (diagram: Plan; Do: Implement & Operate ISMS; Check; Act: Maintain & Improve ISMS. Input: Information Security Requirements & Expectations; output: Managed Information Security; cycle stages: Development, Maintenance, Improvement)

Application of the PDCA model to the ISMS process is briefly explained below:

4.4.1. Plan (Establishes the ISMS)

OIL has adopted a structured phased approach to information security risk management. The approach adopted will broadly consist of the following activities:

o Understanding information security requirements

o Preparation of ISMS documentation

o Risk Assessment of Information & underlying assets

o Framing of the ISMS policies and objectives.

4.4.2. Do (Implements and Operates the ISMS)

o Identification and evaluation of risk scores derived after risk assessment of assets listed in the asset inventory

o Selection of control objectives and identification of various controls for the treatment and management of the risk.


o The Risk Treatment Plan is implemented to address the control objectives identified in the Statement of Applicability.

o Implementation of all processes and procedures laid down in the Information Security Policy Document and various other operating procedures.

o Security Metrics are developed to measure the effectiveness of the implemented controls and provide benchmarks for control effectiveness.

o Creating awareness among users about Information security and their responsibilities towards Information security: training, poster campaigns and other alternative methods will be employed to create awareness among users.

4.4.3. Check (Monitors and Reviews the ISMS)

o Awareness: The ISMS will include security awareness and training programs to ensure that all personnel understand how information security relates to their functions, and will foster compliance with information security regulations.

o Monitoring procedures will be implemented.

o Roles and duties will be defined in the Information security organization to ensure regular review of the ISMS.

o Compliance with the Information Security Policy is also a core component of the ISMS.

o Periodic audits will be performed to review the performance of the various controls and measures defined in the ISMS.

o Management will conduct a review of the whole ISMS on an annual basis. This review will be based on various reports, including incident reports, internal audit reports and quarterly review reports.

4.4.4. Act (maintains and improves the ISMS)

o Oil India will implement the improvements to the ISMS identified by the audit committee/management, and these will be communicated to all concerned parties.

o Follow up after the management review of the ISMS.

o Improvement of the ISMS will also take into account changing business environments as well as the identification of new threats and their implications for the business.


5. Leadership

5.1. Leadership and Commitment

OIL ISMS management recognizes that the successful implementation of a structured Information Security Management System (ISMS) requires commitment from the Chief Executive Officer (GM (IIS)).

The responsibilities of the Chief Executive Officer are:

The GM (IIS) shall provide evidence of his commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by:

o Establishing an information security policy which is compatible with the strategic direction of the company.

o Ensuring that the organization’s processes integrate the information security management system requirements through a set of policies and procedures.

o Establishing roles and responsibilities for information security and communicating them to the organization, along with the need to comply with the information security policy and legal/regulatory requirements.

o Supporting the ISC in communicating to Oil India the importance of meeting information security objectives and the need for continual improvement.

o Providing sufficient resources to develop, implement, operate and maintain the ISMS.

o Additionally, ensuring that the direction and support required by the personnel supporting the ISMS is available for the effective implementation of the ISMS.

o Carrying out reviews when necessary, and reacting appropriately to the results of these reviews.

o Promoting continual improvement as a philosophy and objective.

OIL has established an Information Security Council (ISC) to ensure the success and sustainability of the information security deployment. The ISC will be chaired by the GM (IIS).

Information Security Council (ISC)

o The ISC will serve as a body providing strategic direction for securing the information/data of Oil India as per the ISMS scope, and will report to the GM (IIS).


Information Security Organization Structure

The ISC will undertake the following responsibilities:

o Decide and approve the scope of the Information Security Management System (ISMS).

o Appoint the Chief Information Security Officer (CISO) and provide adequate resources to support and coordinate the implementation of security.

o Provide information security directives.

o Formulate, monitor, review and approve the organization’s Information Security Policies and overall responsibilities.

o Provide direction and support for the implementation of the ISMS and constantly strive to improve the ISMS.

o Obtain a clear understanding of, and monitor, significant changes in the exposure of information assets to the various threats faced by the organization, and support new initiatives to improve the ISMS.


o Review and monitor major incident reports provided by the CISO, together with the results of any investigation carried out.

o Promote information security education, training and awareness throughout Oil India Ltd.

o Ensure that all users are aware of their security roles and responsibilities.

o Review all the policies at least on an annual basis or as deemed necessary. The CISO takes responsibility for ensuring that the policy is regularly reviewed and that any recommendations on it are promptly presented to the ISC.

o Review the internal audit report on the ISMS and follow up on the status of corrective actions taken.

o Review the Executive Summary of audit reports annually.

o Identify and address the legal and regulatory requirements and contractual security obligations of the organization.

o Identify, classify and periodically review the criticality and confidentiality requirements of all types of information resources.

The Information Security Council will meet at least once a year to assess the security requirements of Oil India Limited or as required by any significant change in the business operating environment. Members of ISC may depute their representative for mandatory review meetings.

Chief Information Security Officer (CISO)

The Chief Information Security Officer (CISO) will be a part of the Information Security Working Group (ISWG) with reporting to Information Security Council (ISC) that is the governing body for the Information Security Organization. She/he will have the following responsibilities:

o Manage the overall Information Security program at Oil India Limited.

o Ensure that the Information Systems Security Policies, procedures and recommended practices for use throughout Oil India Limited are updated in a timely manner to reflect all current modifications.

o Ensure that the information security policy is reviewed at least once a year for any changes in the IT or business environment.

o Identify emerging trends in the industry vertical within which the organization currently operates, in relation to safety and security measures.

o Act as the point of contact for the business managers and the IT Unit on information security implementation and non-compliances, and ensure that an effective process for implementing and maintaining the security controls is in place.

o Serve as the supervisor for all the security specialists and enforce information security policies and recommended practices.

o Ensure that the security requirements for new information processing facilities have been identified and approved, and that the requisite policies and standards are developed.

o Ensure that an appropriate technical architecture is defined for the security of the IT infrastructure, and monitor compliance with it.


o Allocate roles and responsibilities for information security to individuals within the IT team and ensure that they discharge those responsibilities.

o Arrange the required resources and skills for conducting periodic information security reviews.

o Encourage the participation of the managers, auditors and staff members from various disciplines who can contribute to compliance with information security practices.

o Define and communicate to the management the key threats to the information assets at various points in time.

o Ensure that appropriate security controls are defined for all applications in consultation with the application owner (Note: certain client security requirements may supersede some of Oil India Limited’s information security requirements).

o Maintain and review all critical incidents that have occurred and the corresponding resolution timeframes, and apprise the ISC of the same.

o Involve in-house security specialists or external specialists where required for addressing specific information security requirements.

o Plan and organize internal audits of information security at periodic intervals, either by internal auditors or by external agencies.

o Coordinate any Incident Response procedures undertaken in response to potential security breaches.

o Coordinate or assist in the investigation of security threats or other attacks on the information assets.

o Report security incidents and violations to the ISC.

o Ensure that adequate security training is provided to the various end users and that security awareness programs are conducted regularly.

o Review and approve the prioritization plan for implementation of patches and fixes for vulnerabilities that are identified from time to time.

Information Security Working Group:

The Information Security Working Group (ISWG) is entrusted with the responsibility of managing security-related operations on a day-to-day basis and coordinating with the IT team for the implementation/maintenance of the ISMS. The ISWG will meet on a quarterly basis for the same. It will have the following responsibilities:

o Develop and maintain the Information Systems Security Policies, procedures and Standards for use throughout Oil India.

o Ensure that all critical operations are carried out in accordance with the security guidelines.

o Work with the CISO to ensure that an effective process for implementing and maintaining the security controls is in place.

o Remain current/up-to-date on the threats against the information assets (attending information security meetings, reading trade publications and participating in work groups are some of the ways to stay current/up-to-date with developments in the field of information systems security).

o Understand the current information processing technologies and information security practices by receiving internal education, attending information security seminars and through on-the-job training.

o Understand the business processes of the organization, so as to provide appropriate security protection.

o Review, audit and examine reports dealing with information security issues and ensure that they are presented to the CISO at pre-determined intervals.

o The ISWG should be involved in the formulation of the management’s response to audit findings and follow up to ensure that the security controls and procedures, as required, are implemented within the stipulated time frame.

o Define and communicate to the CISO the key threats to the information assets.

o Assume responsibility for, or assist in, the preparation and distribution of an appropriate warning system for potentially serious and imminent threats to Oil India’s information assets, e.g. outbreak of a computer virus.

o Assist in responding to security issues raised by customers, including letters of assurance and suitable replies to questions on information systems security, as and when raised by the customers.

o Ensure that the systems and network are secure and that any breach is quickly identified, analyzed and fixed.

o Coordinate any Incident Response procedures undertaken in response to (current/potential) security breaches.

o Coordinate or assist in the investigation of security threats or other attacks on the information assets.

o Assist in the recovery of information and information assets from such attacks.

o Prepare, maintain and test contingency plans or disaster recovery plans.

o Conduct network and system reviews from time to time to check for policy compliance and loopholes (if any) in the infrastructure. This could be done using approved automated tools to save time and provide user-friendly reporting.

o Report security incidents and violations to the CISO.

o Ensure that adequate security training is provided to the various end users and that security awareness programmes are conducted regularly.

o Ensure that basic security training is provided to the IT team from time to time. This responsibility also covers ensuring that any new IT staff members are given a security briefing at the time of joining.

o Prepare the prioritization plan for implementation of patches and fixes for vulnerabilities that are identified from time to time.

o Provide a monthly update to the CISO regarding the status of information security initiatives. It should include:


o Any observed non-compliances/major incidents reported/managed.

o Corrective and Preventive Actions required.

Information Security Audit Team (ISA)

The Internal Audit team (IA) is entrusted with the responsibility of ensuring compliance with the ISMS framework in all aspects. The IA team will meet on a biannual basis for the same. It will have the following responsibilities:

o Conduct internal audits to assess conformance to the standard and the organization’s policies, and the effectiveness of implementation and maintenance.

o Define and document procedures, including responsibilities and requirements, for planning and conducting audits, and for reporting results and maintaining records.

o Evaluate the organization’s compliance with the ISMS framework in all aspects.

o Detect any shortcomings in the implementation of the ISMS framework within the organization.

o Ensure deployment of a robust information security framework.

o Recommend the necessary corrective and preventive actions.

o Ensure continuous improvement of information security controls.

5.2. Policy

Information Security Policies cover all of the management decisions, intentions, definitions, and rules relating to information security in place, at a particular time, and thus define OIL’s Information Security Management System.

Information Security Policy describes the minimum baseline security stance to be achieved by OIL. These policies determine the minimum level of security to be achieved and establish the criteria against which results are measured and have been supplemented with adequate procedures and guidelines for implementation of the information security framework at the OIL Data Centres.

The policy document has been divided in Sections describing the policies, procedures and guidelines for the domains of ISO 27001. While the policies are mandatory and are required to be adhered to at all times, the guidelines are advisory in nature and may be followed for enhancing the baseline information security.

Information Security Policy Statement

“OIL is committed to protect the confidentiality, integrity and availability of its Information Assets and provide the same commitment to the information assets entrusted to it by its customers and business partners.”

OIL team shall strive to secure information by:

o Maintaining an effective Information Security Management System.

o Deploying the most appropriate technology and infrastructure.

o Creating and maintaining a security-conscious culture within OIL.

o Continually monitoring and improving the effectiveness of the Information Security Management System.

o Aligning the organization’s strategic risk management context for maintenance of the ISMS.

o Taking into account business and legal, statutory or regulatory requirements, and contractual security obligations.

Principles

The Information Security Policies, Guidelines and Procedures at OIL are consistent with the following principles:

Value driven: Information security measures will be implemented in reasonable proportion to the risk and the business value of the information asset they intend to protect.

Accountability: All users of IT systems are accountable for their actions, as they relate to safeguarding of the information assets.

Least privilege: Each user will be provided access to information assets based on ‘need-to-know’ and ‘need-to-do’ principles as required by their job profile.

Segregation of duties: Separation of authority and responsibility will be carried out to ensure that an individual does not have sole control on all aspects of a particular information asset.

Integrity: Security will be maintained at the level that it does not compromise the integrity of the trusted environment.

Scalability: Security architecture will be maintained so that the varying security needs of the organization can be accommodated.

Structure

The Oil India Limited Information Security Policy consists of the following components:

Oil India Information security policy

This policy incorporates major controls outlined in the revised ISO 17799, aligned to the ISO 27001 standard. The policy describes the technical and business processes that must be used to protect the confidentiality, integrity and availability of information.

While this document has broad coverage and applicability, it is not sufficient for every conceivable scenario. Therefore, it is not the sole information security policy that Oil India business should rely on.

There are many areas in this document that lay out the minimum security stance a business should take, or that present the principles that should be followed when making a business specific policy. In these areas, as in all other areas within this policy, controls and requirements are listed in addition to any business specific additions.

Oil India Limited Information Security Policy Overview

This document provides a definition of Information Security, describes security responsibilities local to the business, and outlines the different components that make up the Oil India Information Security Policy.

Information Security procedures


Detailed Information Security Procedures have been developed to support the policies of Oil India Limited.

Information security procedures provide the means of putting the information security policy into practice. The procedures lay down the step-by-step approach to implementing the policy and cover defining, documenting, implementing, monitoring and managing controls over information assets.

Information Records

Information Records are established to support the Information Security Procedures.

List of ISMS Documentation

ISO 27001 core documentation:

ISO 27001 Scope Document;

GAP Assessment Report;

Information Security Organization;

Risk Assessment & Risk Treatment Report;

ISO 27001 Statement of Applicability;

Oil India Information Security Management System Policy and procedures.

ISO 27001 Domain / Sub-Domain | Document Reference

4 Context of the organization
  4.1 Understanding the organization and its context | ISMS Scope Document
  4.2 Understanding the needs and expectations of interested parties | ISMS Scope Document
  4.3 Determining the scope of the information security management system | ISMS Scope Document
  4.4 Information Security Management System | Information Security Policy

5 Leadership
  5.1 Leadership and Commitment | Information Security Organization
  5.2 Policy | Information Security Organization
  5.3 Organizational roles, responsibilities and authorities | Information Security Organization

6 Planning
  6.1 Actions to address risks and opportunities | ISMS Manual
  6.2 Information security objectives and planning to achieve them | ISMS Manual

7 Support
  7.1 Resources | ISMS Manual
  7.2 Competence | ISMS Manual
  7.3 Awareness | ISMS Manual; Information Security Awareness Guidelines
  7.4 Communication | ISMS Manual
  7.5 Documented Information | ISMS Manual

8 Operation
  8.1 Operational planning and control | ISMS Manual
  8.2 Information security risk assessment | OIL ISO 27001 Risk Assessment and Risk Treatment Plan
  8.3 Information security risk treatment | OIL ISO 27001 Risk Assessment and Risk Treatment Plan

9 Performance Evaluation
  9.1 Monitoring, measurement, analysis and evaluation | Internal Audit procedure
  9.2 Internal audit | Internal Audit procedure
  9.3 Management review | Internal Audit procedure

10 Improvement
  10.1 Nonconformity and corrective action | Preventive and Corrective Maintenance procedure
  10.2 Continual improvement | Preventive and Corrective Maintenance procedure

5.3. Organization roles, responsibilities and authorities

At OIL, the Information Security Organization has been established as a two-tier structure: the Information Security Council (ISC) and the Information Security Working Group (ISWG). The detailed organization structure, with roles and responsibilities, is documented in “OIL-IS-ISMS-ISO-1.0 (Information Security Organization)”.


6. Planning

6.1. Actions to address risk and opportunities

6.1.1. General

On the basis of the issues identified in 4.1 and the requirements referred to in 4.2, the organization has determined that the following threats are applicable to its information and underlying information systems.

o Earthquake

o Flood

o Fire

o Storms/Wind/Lightning

o Adverse Environmental Conditions

o Public Utilities Failure (Power)

o Communications Failures (Telecom/ Network)

o Random / Unintentional failure of IT systems

o Electronic Sabotage and malicious code

o Medical Emergencies

o Unauthorized physical access/ theft

o Loss of key personnel/ Attrition/ Poaching

o Negligent/Uninformed users

o Civil Unrest (strikes, terrorist attacks, riots, etc.)

o Litigation Liabilities

o Inappropriate Information Disclosure

o Fraud

o Unauthorized access

OIL shall conduct a detailed risk assessment to address these risks and chalk out plans to address them through location-specific Risk Assessment and Risk Treatment Plan Reports.

OIL recognizes that successful implementation and continual improvement of its ISMS provides it an opportunity to gain a competitive edge over its competitors by gaining the confidence of its customers.

6.1.2. Information Security Risk Assessment

The objective of this risk assessment exercise is to identify areas of vulnerability and to initiate appropriate remediation. The risk assessment will result in identifying the assets and the threats against those assets. These risks are prioritized based on the impact and likelihood of the risk occurring. Risk assessment helps ascertain the potential of the existing controls to mitigate these risks, so as to arrive at gaps that need to be addressed by the proposed Information Security Management System. Low risk has been identified as the risk acceptance criterion. Additionally, in case any Medium or High risk has to be accepted, approval for the same shall be sought from OIL management during the periodic review meetings.

6.1.2.1 Criteria for Risk Assessment

OIL ISMS Management has an established risk assessment methodology and the risk assessment reports shall be reviewed on an annual basis. Further, the following changes should trigger an information security risk assessment:

o Implementation of new operating platforms/applications/software

o Addition of new hardware category

o Change in location of operation

o Change in outsourced processes

o Any other trigger as determined by OIL ISMS Management

6.1.2.2 Methodology

The following steps are carried out for the Risk Assessment:

o Identification of the information assets and the owners of these assets

o Deriving asset values by identifying the business impact of loss of confidentiality, integrity and availability of these assets

o Identification of the threats to these assets and the corresponding threat values

o Input from Security Incidents while revising the risk assessment

o Identification of the vulnerabilities in these assets that may be exploited by these threats, and the corresponding vulnerability scores

o Valuation of threats and vulnerabilities and their mapping to the assets

o Valuation of Threat Impact and Likelihood of Exploitation

o Overall Risk rating, which is a function of the above

6.1.3. Information Security Risk Treatment

OIL ISMS management decides the acceptable level of risk after considering the existing residual risk or the proposed residual risk and the mitigation plan. In cases where management decides to accept the existing residual risk, i.e. authorization is not granted for implementation of controls, the reasons for the same are recorded. Low risk has been identified as the risk acceptance criterion for the Risk Treatment Plan. The risk treatment approach indicates the strategy adopted for each of the recognized threats. A Statement of Applicability shall be produced by OIL as per “OIL-IS-ISMS-SOA-2.0 (Statement of Applicability)”.


6.1.3.1 Methodology

The risk treatment approach lists the threats and risk ratings arrived at in the Risk Assessment exercise. It decides on the risk treatment strategies to be adopted to treat each of the identified threats, based on the risk score. These strategies are:

o Avoid the risk: by deciding not to proceed with the activity or by choosing another way to achieve the same outcome

o Mitigate the risk: by reducing either the likelihood of the risk occurring, the consequences of the risk, or both

o Transfer the risk: by shifting all or part of the risk to another party who is best able to control it

o Accept the risk: after accepting that it cannot be avoided, controlled or transferred
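The assessment steps of 6.1.2.2 (asset value from C/I/A impact, threat values, vulnerability scores, likelihood, overall rating), the acceptance criterion of 6.1.3 (Low is acceptable; Medium or High may be accepted only with management approval and a recorded reason) and the four treatment strategies above, carried through as an added worked example. This is illustrative code written for this edition, not code or a scoring scheme from the OIL manual: the 1-3 ordinal scales, the likelihood and score formulas, the Low/Medium/High cut-offs and the sample asset register are all assumptions, since the manual says only that the overall rating is a function of those inputs.

```python
"""Worked risk assessment and treatment following the OIL methodology.

Added illustration, not code from the ISMS manual. Everything numeric here
(1-3 scales, likelihood and score formulas, rating bands, sample register)
is an assumption; the manual itself fixes only the steps, the Low acceptance
criterion and the approval rule for accepting Medium/High risk.
"""
from dataclasses import dataclass
from typing import Optional

LOW = 1                                   # assumed ordinal scale 1..3
STRATEGIES = ("Avoid", "Mitigate", "Transfer", "Accept")


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    c: int   # business impact of loss of confidentiality (1-3)
    i: int   # business impact of loss of integrity (1-3)
    a: int   # business impact of loss of availability (1-3)

    @property
    def value(self) -> int:
        # Asset value is driven by the worst-case impact across C, I and A.
        return max(self.c, self.i, self.a)


@dataclass(frozen=True)
class Exposure:
    asset: Asset
    threat: str              # a threat from the list in 6.1.1
    threat_value: int        # how active the threat source is (1-3)
    vulnerability: int       # how exploitable the weakness is (1-3)
    control_credit: int = 0  # 0-2, reduction credited to existing controls


def likelihood(e: Exposure) -> int:
    """Likelihood of exploitation (1-3). Exploitation needs both an active
    threat and an exploitable weakness, so the lower of the two bounds it;
    existing controls reduce it, but never below LOW."""
    return max(LOW, min(e.threat_value, e.vulnerability) - e.control_credit)


def risk_score(e: Exposure) -> int:
    """Overall risk = impact (asset value) x likelihood, range 1-9."""
    return e.asset.value * likelihood(e)


def risk_rating(score: int) -> str:
    """Map the 1-9 score onto the manual's Low/Medium/High bands (assumed cut-offs)."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


def assess(exposures) -> list:
    """Risk assessment output: one row per asset/threat pair, prioritised by score."""
    rows = []
    for e in exposures:
        score = risk_score(e)
        rows.append({"asset": e.asset.name, "owner": e.asset.owner, "threat": e.threat,
                     "impact": e.asset.value, "likelihood": likelihood(e),
                     "score": score, "rating": risk_rating(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def treat(e: Exposure, strategy: str, reason: str = "",
          approved_by: Optional[str] = None) -> dict:
    """Record a treatment decision and enforce the acceptance criterion:
    Low risk may be accepted outright; Medium/High only with management
    approval, and the reason for accepting is always recorded."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy {strategy!r}")
    rating = risk_rating(risk_score(e))
    if strategy == "Accept":
        if not reason:
            raise ValueError("accepting a risk requires a recorded reason")
        if rating != "Low" and not approved_by:
            raise ValueError(f"{rating} risk on {e.asset.name} ({e.threat}) "
                             "cannot be accepted without management approval")
    return {"asset": e.asset.name, "threat": e.threat, "rating": rating,
            "strategy": strategy, "reason": reason, "approved_by": approved_by}


# Constructed sample register: hypothetical values, not OIL data.
SAP = Asset("SAP ECC", "Head (IT)", c=2, i=3, a=3)
PORTAL = Asset("Intranet Portal Oilweb", "Sectional Head", c=1, i=2, a=2)
DATABANK = Asset("E&P Databank", "Sectional Head", c=3, i=2, a=2)
REGISTER = [
    Exposure(SAP, "Unauthorized access", threat_value=3, vulnerability=3, control_credit=1),
    Exposure(PORTAL, "Public Utilities Failure (Power)", threat_value=2, vulnerability=2,
             control_credit=1),
    Exposure(DATABANK, "Inappropriate Information Disclosure", threat_value=2, vulnerability=2),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
    print(treat(REGISTER[1], "Accept", reason="UPS and generator already in place"))
    print(treat(REGISTER[0], "Mitigate", reason="enforce MFA and remove default accounts"))
    try:
        treat(REGISTER[2], "Accept", reason="control cost exceeds budget")
    except ValueError as err:
        print("rejected:", err)
```

The point of `treat` is the check a reviewer looks for in a treatment plan: an "Accept" entry against a Medium or High rating that carries no approver, or no recorded reason, is a nonconformity against 6.1.3, so the function refuses to produce the record rather than silently logging it. Re-running `assess` after a security incident (the "input from Security Incidents" step) is just a matter of raising `threat_value` or lowering `control_credit` on the affected exposure.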

6.2. Information security objectives and planning to achieve them

Information Security Objectives

OIL aims to protect its business information from identified threats, whether internal or external, by enforcing and measuring appropriate controls. OIL ISMS management shall adhere to the Information Security Policy and establish underlying detailed procedures. The management shall also conduct periodic review meetings for the continual improvement of information security. OIL ISMS management has identified the following objectives for the Information Security Management System:

Information assets are protected against unauthorized access.

Information is not disclosed to unauthorized persons through deliberate or careless action.

Information is protected from unauthorized modification.

Information is available to authorized users when needed.

Applicable regulatory and legislative requirements are met.

Disaster recovery plans for IT assets are developed, maintained and tested as far as practicable.

All stakeholders are made aware of Information Security on continual basis.

All breaches of Information Security are reported and investigated.

Violations of policies are dealt with appropriate disciplinary actions.

Information Security Management System is reviewed on a periodic basis and updated

The ISMS objectives have been captured in measurable terms in Appendix A.


7. Support

7.1. Resources

The OIL ISMS management has established the Information Security Working Group and identified personnel who are responsible for establishment, implementation, maintenance and continual improvement of the ISMS at OIL.

7.2. Competence

Members of the Information Security Working Group should have the required competence and experience to deal with information security risks. Prior to their induction into the ISWG, they should undergo relevant information security training outlining the following:

o Importance of Information Security

o Overview of ISO 27001:2013 activities

o Risk Assessment and Risk Treatment Plan methodology

If required, the members may also undertake additional certifications on Information Security from external agencies.

7.3. Awareness

OIL ISMS management shall ensure that training on information security and end-user responsibilities is made part of the induction program for new employees joining OIL. The ISWG shall also be responsible for creating a training calendar for the information security trainings to be conducted over the year.

7.4. Communication

OIL ISMS Management shall communicate the importance of the Information Security Management System through regular mailers, trainings and posters to all its personnel (including suppliers). Any major change in the ISMS posture of OIL shall be communicated to all interested personnel through e-mails. The need for external public communication shall be identified by the ISWG and communication shall be put into effect through OIL’s established communication channels.

Communication plan (S. No, Scenario, What to communicate, When, With whom, Who communicates, Communication process):

1. External Natural Disasters (Flood, Fire, Earthquake etc.)
  What to communicate: Emergency procedures and measures, evacuation instructions, alternate service delivery channels etc.
  When: Immediately, followed by periodic appraisal
  With whom: All affected employees, Process Owners, Board of Directors, Onsite contractors
  Who communicates: Safety Officer of the department
  Communication process: Emergency contact numbers, SMS, Email, Public forums, PA system

2. Service Outage
  What to communicate: Reason for outage, expected uptime
  When: At the time of incident occurrence
  With whom: All service user groups
  Who communicates: Information Security Manager
  Communication process: Internal employee portal, default banner on applications, Email, SMS

3. Awareness communication
  What to communicate: Information Security objectives, Do’s and Don’ts etc.
  When: At periodic intervals
  With whom: All employees and vendors
  Who communicates: Chief Information Security Officer
  Communication process: Classroom trainings, Email, Posters etc.

4. Major IS Incident
  What to communicate: Brief incident description, protection mechanism and way forward
  When: At incident occurrence and post-RCA
  With whom: All service user groups
  Who communicates: Information Security Manager / Chief Information Security Officer
  Communication process: Email

7.5. Documented Information

7.5.1. General

The following documents constitute the ISMS at Oil India:

o Oil India ISMS Scope Document;

o Oil India Information Security Policy;

o Oil India Risk Assessment Methodology;

o Oil India Risk Assessment & Risk Treatment Report;

o Oil India Statement of Applicability; and

o Any other relevant supporting document and evidences

7.5.2. Creating and updating

All ISMS documents created as per “OIL-IS-PRO-PCOD-1.0 (Procedure for control of Documents)” shall follow the procedure mentioned in that document.

7.5.3. Control of documented information

OIL has established “OIL-IS-PRO-PCOD-1.0 (Procedure for control of Documents)” and “OIL-IS-PRO-PCOR-1.0 (Procedure for control of records)” for control of the documented information required by the ISMS.


8. Operation

8.1. Operational Planning and Control

Through the Information Security Policy and the various controls outlined in the Statement of Applicability, OIL ISMS management plans to maintain the information security controls on all information and on the assets holding this information. Changes to information processing facilities and systems should be approved only if the information security controls are not being diluted. In case of a justified business requirement to dilute a control, exception approval shall be sought from the Head of the respective Department, who should provide the approval only on confirming the business justification with the relevant business representative in the ISWG.

OIL management acknowledges that certain critical services may be outsourced. Any change in these business services should be controlled through appropriate approvals from the Head of the respective Department.

8.2. Information security risk assessment

Refer to Section 6.1.2.

8.3. Information security risk treatment

Refer to Section 6.1.3.


9. Performance Evaluation

9.1. Monitoring, measurement, analysis and evaluation

The ISWG shall be responsible for updating the security metrics included in “OIL-IS-ISMS-SM-2.0 (OIL Security Metrics)” as per the inputs received from Control Owners on an annual basis. The security metrics shall be monitored and evaluated by the OIL ISMS management during internal review meetings.

9.2. Internal Audit

OIL shall conduct periodic Information Security Internal Audits as per “OIL-IS-PRO-PIA-1.0 (Procedure for Internal Audit)”.

9.3. Management Review

The agenda for periodic meetings held by OIL ISMS Management should include:

o Status of actions from previous meetings

o Changes in external and internal issues that are relevant to the ISMS, which may include (but are not limited to):

  - Security requirements;

  - Regulatory or legal requirements;

  - Contractual obligations; and

  - Levels of risk and/or criteria for accepting risks.

o Feedback on the performance of the ISMS at OIL, which may include (but is not limited to):

  - Review of nonconformities and corrective actions

  - Results of evaluation of security metrics

  - Internal/external audit results

  - Status of fulfilment of Information Security Objectives

o Feedback from interested parties, if any

o Results of Risk Assessment and status of the Risk Treatment Plan

o Identification of opportunities for continual improvement

The minutes of the OIL ISMS Management review meeting will be captured and circulated to all stakeholders.


10. Improvement

10.1. Nonconformity and corrective action

OIL has established procedures to counter non-conformities through “OIL-IS-PRO-CAPA-1.0 (Procedure for Corrective and Preventive Actions)”.

10.2. Continual improvement

The philosophy of continual improvement of the ISMS has been adopted through the “Plan-Do-Check-Act” (PDCA) approach to managing the ISMS.


Appendix – A

ISMS Measurement Objectives

Each measurement lists its Metric/Control Reference, followed by one line per metric sub-category with the columns:

Metric Sub-Category | Target | Measurement Method | Measurement Records | Periodicity of Records | Periodicity of Evaluation | Persons Responsible

1. Protection of assets against unauthorized access [A.11.1.1, A.11.1.2], [A.9.2.1, A.9.2.2, A.9.2.6, A.9.4.1]
  Physical Access to DC | >=95% functional biometric access control | Monitoring and ensuring proper functioning of the access control device | Physical verification | Daily twice, once in the morning and once in the afternoon | Weekly | Ankur + Ractim
  DC CCTV Monitoring | >=95% functional CCTV | Online monitoring and ensuring proper functioning of CCTV | From system | Daily twice, once in the morning | Weekly | Satam + Rashmi
  User Access to Applications | 100% conformity to procedure | Practice + records by Sections | Records maintained by Sections | Monthly | Two months | Respective Sectional Heads

2. Protection against unauthorized modification [A.9.2.3, A.9.2.4, A.9.2.5]
  Admin access to users authorised by CISO/Head (IT) | 100% conformity to procedure | Practice + records by Sections | Records maintained by Sections | Monthly | Two months | Respective Sectional Heads
  Management of privileged access rights | At least 1 (one) email communication from CISO during the first week of the month | Email communication from CISO | Email communication from CISO | First week of every month | Three months | CISO

3. Ensuring availability of critical systems [Monitoring Availability of Application]
  SAP ECC 6.0 | 99.5% uptime | Uptime check records | New checklist | Daily twice, once in the morning and once in the afternoon | Monthly | Respective Sectional Heads
  SRM e-tender | 99.5% uptime | Uptime check records | New checklist | Daily twice, once in the morning and once in the afternoon | Monthly | Respective Sectional Heads
  Email communication | 99% uptime | Uptime check records | New checklist | Daily twice, once in the morning and once in the afternoon | Monthly | Respective Sectional Heads
  Oilep | 99% uptime | Uptime check records | New checklist | Daily twice, once in the morning and once in the afternoon | Monthly | Respective Sectional Heads
  HIS | 99% uptime | Uptime check records | New checklist | Daily twice, once in the morning and once in the afternoon | Monthly | Respective Sectional Heads
  Intranet Portal Oilweb | 99% uptime | Uptime check records | New checklist | Daily twice, once in the morning and once in the afternoon | Monthly | Respective Sectional Heads
  E&P Databank | 99% uptime | Uptime check records | New checklist | Daily twice, once in the morning and once in the afternoon | Monthly | Respective Sectional Heads

4. Ensuring sound technical health of data center infrastructure [A.12.6.1]
  3rd party IT Security Audit | 1 audit + 1 review | Audit report | Audit report | As per contract | Yearly | CISO + ISM
  Implementation of IT Security Audit recommendations on DC infrastructure | 90% action on recommendations with criticality rating Critical and High | Action on recommendations with criticality rating Critical and High | Action-taken records on recommendations with criticality rating Critical and High | Timeline for action: 1) 1 month for Critical and 2) 2 months for Medium-rated recommendations | Three months from receipt of audit report | Respective Sectional Heads

5. Compliance to regulatory and legal requirements [A.18.1]
  Legal requirements | 100% conformity to legal requirements by the agency entrusted by OIL | Areas as identified by the agency | As updated in the on-line legal compliance system | As defined in the on-line system | Three months | CISO + ISM
  Use of licensed software | 100% licensed product usage | Monitoring products in use vs licenses procured | Records being maintained | On an on-going basis | Three months | Uddhab + Rashmi

6. Business Continuity / Disaster Recovery [A.12.3.1, A.17.1.1, A.17.1.3]
  Remote backup functionality | 95% success | Transfer of backup to remote site | Records of remote backup | Daily basis | One month | LR Manoharan
  Backup of data | 90% success | Backup operations | Records of backup | As per defined periodicity | One month | Respective Sectional Heads
  Testing of backup data | 95% success | Testing of backup restoration | Records of testing | Once in a month | Three months | Respective Sectional Heads

7. Information Security awareness amongst stakeholders [7.3], [A.7.2.2]
  Email communication | 1 email communication every fortnight | Email communication from CISO | Records of emails | Fortnightly | Three months | CISO
  Awareness sessions | 1 session per month | Awareness sessions | Attendance records | Monthly | Three months | ISMS Team

8. Incident management [A.16.1.2, A.16.1.4, A.16.1.5, A.16.1.6]
  - | 100% of critical incidents to be addressed suitably for non-recurrence | Incident management procedure | Records of incident management | As and when an incident happens | Three months | Respective Sectional Heads + ISMS Team

9. Review of ISMS [A.18.2.1], [9.3]
  Management Review Meeting | At least 2 meetings in a year | ISC meetings | Records of ISC meetings | As and when a meeting happens | Yearly | CISO + ISM
  Internal Audit | At least 3 audits a year | Internal audit process | Records of internal audits | As and when a meeting happens | Yearly | CISO + ISM
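Measurement 3 above sets uptime targets of 99.5% and 99%, measured from twice-daily uptime check records and evaluated monthly. The following added example (illustrative code written for this edition, not a tool or record format from the OIL manual) evaluates a month of such records against the Appendix A targets and, more usefully, computes what the sampling schedule can actually resolve. The comma-separated record format, the `constructed_month` generator and the sample outage are constructed; the target values and the twice-daily, monthly cadence are the appendix's own.

```python
"""Evaluating the Appendix A availability objectives from uptime check records.

Added illustration, not part of the ISMS manual. The record format and the
sample month below are constructed; the manual specifies only the targets,
twice-daily checks and monthly evaluation.
"""
from fractions import Fraction
from math import ceil, floor

# Targets from Appendix A, item 3 (percent uptime, evaluated monthly).
TARGETS = {
    "SAP ECC 6.0": "99.5", "SRM e-tender": "99.5", "Email communication": "99",
    "Oilep": "99", "HIS": "99", "Intranet Portal Oilweb": "99", "E&P Databank": "99",
}


def parse_records(text: str) -> dict:
    """Parse 'date,slot,system,status' lines into {system: [True if UP, ...]}."""
    results = {}
    for line in text.strip().splitlines():
        _date, _slot, system, status = (field.strip() for field in line.split(","))
        results.setdefault(system, []).append(status.upper() == "UP")
    return results


def availability_pct(checks) -> Fraction:
    """Measured uptime: percentage of checks that found the system up."""
    return Fraction(sum(checks), len(checks)) * 100


def max_failed_checks(n_checks: int, target_pct: str) -> int:
    """Most failed checks that still meet the target (floor of the downtime budget)."""
    return floor(n_checks * (1 - Fraction(target_pct) / 100))


def checks_needed(target_pct: str) -> int:
    """Checks per evaluation period at which one failure exactly uses the
    downtime budget; with fewer checks a single failure already breaches it."""
    return ceil(1 / (1 - Fraction(target_pct) / 100))


def evaluate(text: str, targets: dict = TARGETS) -> dict:
    """Per system: measured availability, whether the target is met, and how
    much resolution the sampling schedule actually gives."""
    report = {}
    for system, checks in parse_records(text).items():
        target = targets[system]
        measured = availability_pct(checks)
        report[system] = {
            "checks": len(checks),
            "availability_pct": round(float(measured), 2),
            "target_pct": target,
            "met": measured >= Fraction(target),
            "failures_allowed": max_failed_checks(len(checks), target),
            "checks_needed_for_target": checks_needed(target),
        }
    return report


def constructed_month(system: str, down_slots=()) -> str:
    """Build a constructed 31-day month of twice-daily check records for one system."""
    lines = []
    for day in range(1, 32):
        for slot in ("AM", "PM"):
            status = "DOWN" if (day, slot) in down_slots else "UP"
            lines.append(f"2016-01-{day:02d},{slot},{system},{status}")
    return "\n".join(lines)


# Constructed sample: SAP never observed down; one failed afternoon check on email.
SAMPLE = "\n".join([
    constructed_month("SAP ECC 6.0"),
    constructed_month("Email communication", down_slots={(12, "PM")}),
])

if __name__ == "__main__":
    for system, row in evaluate(SAMPLE).items():
        print(system, row)
```

The caveat this surfaces is worth carrying into the metric's review: with two checks a day, a 31-day month yields 62 observations, and `max_failed_checks(62, "99.5")` and `max_failed_checks(62, "99")` are both 0. A single check that finds the system down records about 98.4% availability, so under this schedule both targets reduce to "no outage ever observed at check time", the 99.5% and 99% targets are indistinguishable, and any outage that falls between the morning and afternoon checks is not measured at all. Resolving a 0.5% monthly downtime budget needs at least 200 observations per month (`checks_needed("99.5")`), roughly one every four hours, which points to automated monitoring rather than a manual checklist as the measurement method if the targets are to mean what they say.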