(OIL-IS-ISMS-ISM- ISMS Manual)
Internal
Information Security Management System (ISMS) Manual
Document Number: OIL-IS-ISMS-ISM
Document Details
Title: ISMS Manual
Description: Document details the Information Security Management System for Oil India Limited
Version: 2.0
Author: Information Security Manager
Classification: Internal
Review Date: 08/01/2016
Reviewer & Custodian: CISO
Approved By: Information Security Council (ISC)
Release Date: 18/01/2015
Owner: CISO
Distribution List
Name: Internal Distribution Only
Version History
Version Number | Version Date
1.0 | 04/03/2015
2.0 | 08/01/2016
Contents
Document Information
Purpose of Document
4. Context of Organization
4.1. Understanding the Organization and its Context
4.2. Understanding the Needs and Expectations of Interested Parties
4.3. Determining the Scope of the Information Security Management System
4.4. Information Security Management System
5. Leadership
5.1. Leadership and Commitment
5.2. Policy
5.3. Organization Roles, Responsibilities and Authorities
6. Planning
6.1. Actions to Address Risk and Opportunities
6.2. Information Security Objectives and Planning to Achieve Them
7. Support
7.1. Resources
7.2. Competence
7.3. Awareness
7.4. Communication
7.5. Documented Information
8. Operation
8.1. Operational Planning and Control
8.2. Information Security Risk Assessment
8.3. Information Security Risk Treatment
9. Performance Evaluation
9.1. Monitoring, Measurement, Analysis and Evaluation
9.2. Internal Audit
9.3. Management Review
10. Improvement
10.1. Nonconformity and Corrective Action
10.2. Continual Improvement
Document Information
Purpose of Document
This manual provides the framework which Oil India Limited has adopted for implementing an information security management system that complies with ISO/IEC 27001:2013.
The document details the Information Security Management System for Oil India Limited which includes employees/third parties/contractors working in the department, and all information assets owned by and in custody of Oil India Limited.
The following paragraphs detail how the requirements specified in Clauses 4 to 10 of the ISO 27001:2013 Standard have been addressed by Oil India Limited.
4. Context of Organization
4.1. Understanding the organization and its context
OIL is a premier Indian National Oil Company engaged in the business of exploration, development and production of crude oil and natural gas, transportation of crude oil and production of LPG.
OIL has implemented SAP applications. The SAP applications and their supporting IT infrastructure and systems are located at OIL’s Data Centre at Duliajan, Assam and the Disaster Recovery Data Centre at Noida, Uttar Pradesh.
OIL has identified the following external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome of its information security management system:
Internal:
o OIL Senior management
o ERP services
o Technological Environment
o Fraud/ Espionage/ Segregation of Duties/ Information leakage etc.
o Risk Management reviews and outcomes
o Employees
o Information Security Incidents
o IT team providing support to applications hosting E&P services
o Employees’ Union
o Executives’ Union
External:
o Technological Environment
o Riots/Terrorist attacks/Governmental and Statutory directives/Political scenario etc.
o External stakeholders/consultants/vendors
o Legal and regulatory environment
o Earthquake
o Flood
4.2. Understanding the needs and expectations of interested parties
OIL has identified the following parties which would be considered relevant to information security, along with their requirements:
o OIL ISMS Management: A well-established Information Security Management System would help OIL’s management gain comfort and assurance over the department’s operations.
o Internal Employees: A certified ISMS will help OIL’s internal employees work in a secure environment and assist in the implementation of, and adherence to, controls identified as part of the ISMS.
o End Users: The IT department of OIL provides services through its Data Centres to end users who share sensitive information. An established and certified ISMS shall help OIL address any confidentiality issues for its end users.
o Suppliers/Vendors/Third Parties: At times, suppliers may share proprietary information with OIL and, in doing so, expect OIL to implement security controls to protect this proprietary information. With a certified ISMS, suppliers will be more forthcoming in associating with OIL, as it enables them to partner with an organization complying with global standards. Further, a structured ISMS shall assist OIL in protecting the sensitive information exposed to third parties and other vendors.
o Legal and Regulatory Bodies: The applicability of various legislations, like the IT Act, and regulations affects OIL’s operation of information security, thereby making them OIL’s interested parties. The legal issues associated with the various enacted legislations and the regulatory compliance policies for information systems are better addressed using a structured ISMS.
o Employees’ Union: A well-established and certified ISMS would assure the Union that sensitive data regarding its members is well taken care of and that the relevant information is available to its members in a secure manner at the right time.
o Executives’ Association: The Executives’ Association would also expect the interests of its members to be protected by a framework like the ISMS, so that sensitive information of its members is handled in a secure manner without compromising availability. Necessary procedures and controls should be put in place to ensure a secure environment.
4.3. Determining the scope of the information security management system
On the basis of the organizational context and requirements of interested parties captured in 4.1 and 4.2, OIL has established the scope of the ISMS as per OIL-IS-ISMS-SD-1.1 (ISMS Scope Document):
“Information Security Management System covering two data centers located at Duliajan and SAP Data remote backup site located at Noida”.
4.4. Information Security Management System
People, process, and technology are critical to the Company for the conduct of its business. By establishing, documenting, implementing, monitoring, reviewing and maintaining an ISMS based on the ISO 27001 standard, the Company has greater confidence in its personnel and the information security framework, and offers better assurance to its business partners and customers. OIL has adopted the Plan-Do-Check-Act (PDCA) approach for the same, as shown below:
[Figure 1: PDCA model. Input: Information Security Requirements & Expectations. Cycle: Plan; Do (Implement & Operate ISMS); Check; Act (Maintain & Improve ISMS). Stage labels: Development, Maintenance, Improvement. Output: Managed Information Security.]
Figure 1: PDCA model
Application of PDCA model to ISMS process is briefly explained below:
4.4.1. Plan (Establishes the ISMS)
OIL has adopted a structured, phased approach to information security risk management. The approach adopted will broadly consist of the following activities:
o Understanding information security requirements
o Preparation of ISMS documentation
o Risk Assessment of Information & underlying assets
o Framing of the ISMS policies and objectives.
4.4.2. Do (Implements and Operates the ISMS)
o Identification and evaluation of risk scores derived after risk assessment of assets listed in the asset inventory
o Selection of control objectives and identification of various controls for the treatment and management of the risk.
o Risk Treatment plan is implemented to address the control objectives as identified in the Statement of Applicability
o Implementation of all processes and procedures laid down in the Information Security Policy Document and various other operating procedures.
o Security Metrics are developed to measure the effectiveness of the implemented controls and provide benchmarks for control effectiveness.
o Creating awareness among users about Information security and their responsibilities towards Information security - training, poster campaigns and other alternative methods will be employed to create awareness among users.
4.4.3. Check (Monitors and Reviews the ISMS)
o Awareness: The ISMS will include security awareness and training programs to ensure that all personnel understand how information security relates to their functions and will foster compliance with information security regulations.
o Monitoring procedures will be implemented.
o The roles and duties will be defined in the Information Security Organization to ensure regular review of the ISMS.
o Compliance with the Information Security Policy is also a core component of the ISMS.
o Periodic audits will be performed to review the performance of the various controls and measures defined in the ISMS.
o Management will conduct a review of the whole ISMS on an annual basis. This review will be based on various reports, including incident reports, internal audit reports and quarterly review reports.
4.4.4. Act (maintains and improves the ISMS)
o Oil India will implement the improvements to the ISMS identified by the audit committee/management, and the same will be communicated to all concerned parties.
o Follow up after management review of the ISMS.
o Improvement of the ISMS will also take into account changing business environments as well as the identification of new sets of threats and their implications for the business.
5. Leadership
5.1. Leadership and Commitment
OIL ISMS management identifies that the successful implementation of a structured Information Security Management System (ISMS) requires commitment from the Chief Executive Officer (GM (IIS)).
The responsibilities of the Chief Executive Officer are:
The GM (IIS) shall provide evidence of his commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by:
o Establishing an information security policy which is compatible with the strategic direction of the company.
o Ensuring that the organization’s processes integrate information security management system requirements through a set of policies and procedures.
o Establishing roles and responsibilities for information security and communicating them to the organization, along with the need to comply with the information security policy and legal/regulatory requirements.
o Supporting the ISC in communicating to Oil India the importance of meeting information security objectives and the need for continual improvement.
o Providing sufficient resources to develop, implement, operate and maintain the ISMS.
o Additionally, ensuring that the direction and support required by the personnel supporting the ISMS is available for the effective implementation of the ISMS.
o Carrying out reviews when necessary, and reacting appropriately to the results of these reviews.
o Promoting continual improvement as a philosophy and objective.
OIL has established the Information Security Council (ISC) to ensure the success and sustainability of the information security deployment. The ISC will be chaired by the GM (IIS).
Information Security Council (ISC)
o The ISC will serve as a body providing strategic direction to securing the information/data of Oil India as per the ISMS scope, and will report to the GM (IIS).
Information Security Organization Structure
The ISC will undertake the following responsibilities:
o Decide and approve the scope of the Information Security Management System (ISMS).
o Appoint the Chief Information Security Officer (CISO) and provide adequate resources to support and coordinate the implementation of security.
o Provide information security directives.
o Formulate, monitor, review and approve the organization’s Information Security Policies and overall responsibilities.
o Provide direction and support for the implementation of the ISMS and constantly strive to improve the ISMS.
o Obtain a clear understanding of, and monitor, significant changes in the exposure of information assets to the various threats faced by the organization, and support new initiatives to improve the ISMS.
o Review and monitor major incident reports provided by the CISO, together with the results of any investigation carried out.
o Promote information security education, training and awareness throughout Oil India Ltd.
o Ensure that all users are aware of their security roles and responsibilities.
o Review all the policies at least on an annual basis or as deemed necessary. The CISO takes responsibility for ensuring that the policy is regularly reviewed and that any recommendations to the same are promptly presented to the ISC.
o Review the internal audit report on the ISMS and follow up on the status of corrective actions taken.
o Review the Executive Summary of audit reports annually.
o Identify and address legal and regulatory requirements and contractual security obligations of the organization.
o Identify, classify and periodically review the criticality and confidentiality requirements of all types of information resources.
The Information Security Council will meet at least once a year to assess the security requirements of Oil India Limited or as required by any significant change in the business operating environment. Members of ISC may depute their representative for mandatory review meetings.
Chief Information Security Officer (CISO)
The Chief Information Security Officer (CISO) will be a part of the Information Security Working Group (ISWG), reporting to the Information Security Council (ISC), which is the governing body for the Information Security Organization. She/he will have the following responsibilities:
o Manage the overall Information Security program at Oil India Limited.
o Ensure that the Information Systems Security Policies, procedures and recommended practices for use throughout Oil India Limited are updated in a timely manner to reflect all current modifications.
o Ensure that the information security policy is reviewed at least once a year for any changes in the IT or business environment.
o Identify emerging trends in the industry vertical within which the organization is currently poised, in relation to safety and security measures.
o Act as the point of contact for the business managers and the IT Unit on information security implementation and non-compliances, and ensure that an effective process for implementing and maintaining the security controls is in place.
o Serve as supervisor for all the security specialists and enforce information security policies and recommended practices.
o Ensure that the security requirements for new information processing facilities have been identified and approved. Ensure that the requisite policies and standards are developed.
o Ensure that an appropriate technical architecture is defined for the security of the IT infrastructure and monitor compliance with the same.
o Allocate roles and responsibilities for information security to individuals within the IT team and ensure that they discharge their responsibilities.
o Arrange the required resources and skills for conducting periodic information security reviews.
o Encourage the participation of managers, auditors and staff members from various disciplines who can contribute to compliance with information security practices.
o Define and communicate to the management the key threats to the information assets at various points in time.
o Ensure that appropriate security controls are defined for all applications in consultation with the application owner (Note: certain client security requirements may supersede some of Oil India Limited’s information security requirements).
o Maintain and review all critical incidents that have occurred and the corresponding resolution timeframe, and apprise the ISC of the same.
o Involve in-house security specialists or external specialists where required for addressing specific information security requirements.
o Plan and organize internal audits of information security at periodic intervals, either by internal auditors or external agencies.
o Coordinate any Incident Response procedures undertaken in response to potential security breaches.
o Coordinate or assist in the investigation of security threats or other attacks on the information assets.
o Report security incidents and violations to the ISC.
o Ensure that adequate security training is provided to the various end users and that security awareness programs are conducted regularly.
o Review and approve the prioritization plan for implementation of patches and fixes for vulnerabilities that are identified from time to time.
Information Security Working Group:
The Information Security Working Group (ISWG) is entrusted with the responsibility of managing security related operations on a day-to-day basis and co-ordinating with the IT team for implementation/maintenance of the ISMS. The ISWG will meet on a quarterly basis for the same. They will have the following responsibilities:
o Develop and maintain the Information Systems Security Policies, procedures and Standards for use throughout Oil India.
o Ensure that all critical operations are carried out in accordance with the security guidelines.
o Work with the CISO to ensure that an effective process for implementing and maintaining the security controls is in place.
o Remain current/up-to-date on the threats against the information assets (attending information security meetings, reading trade publications and participating in work groups are some of the ways to stay current/up-to-date with developments in the field of information systems security).
o Understand the current information processing technologies and information security practices by receiving internal education, attending information security seminars and through on-the-job training.
o Understand the business processes of the organization, so as to provide appropriate security protection.
o Review, audit and examine reports dealing with information security issues and ensure that they are presented to the CISO at pre-determined intervals.
o Be involved in the formulation of the management’s response to audit findings and follow up to ensure that the security controls and procedures, as required, are implemented within the stipulated time frame.
o Define and communicate to the CISO the key threats to the information assets.
o Assume responsibility for, or assist in, the preparation and distribution of an appropriate warning system for potentially serious and imminent threats to Oil India’s information assets, e.g. outbreak of a computer virus.
o Assist in responding to security issues relating to customers, including letters of assurance and suitable replies to questions on information systems security, as and when raised by the customers.
o Ensure that the systems and network are secure and that any breach is quickly identified, analyzed and fixed.
o Coordinate any Incident Response procedures undertaken in response to (current/potential) security breaches.
o Coordinate or assist in the investigation of security threats or other attacks on the information assets.
o Assist in the recovery of information and information assets from such attacks.
o Prepare, maintain and test contingency plans or disaster recovery plans.
o Conduct network and system reviews from time to time to check for policy compliance and loopholes (if any) in the infrastructure. This could be done using approved automated tools to save time and provide user-friendly reporting.
o Report security incidents and violations to the CISO.
o Ensure that adequate security training is provided to the various end users and that security awareness programmes are conducted regularly.
o Ensure that basic security training is provided to the IT team from time to time. This responsibility also covers ensuring that any new IT staff members are given a security briefing at the time of joining.
o Prepare the prioritization plan for implementation of patches and fixes for vulnerabilities that are identified from time to time.
o Provide a monthly update to the CISO regarding the status of information security initiatives. It should include:
o Any observed non-compliances/major incidents reported/managed.
o Corrective and Preventive Actions required.
Information Security Audit Team (ISA)
The Internal Audit team (IA) is entrusted with the responsibility of ensuring compliance with the ISMS framework in all aspects. The IA team will meet biannually for the same. They will have the following responsibilities:
o Conduct internal audits to assess conformance to the standard and the organization’s policies, and the effectiveness of implementation and maintenance.
o Define and document procedures, including responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records.
o Evaluate the organization’s compliance with the ISMS framework in all aspects.
o Detect any shortcomings in the implementation of the ISMS framework within the organization.
o Ensure the deployment of a robust information security framework.
o Recommend the necessary corrective and preventive actions.
o Ensure continuous improvement of information security controls.
5.2. Policy
Information Security Policies cover all of the management decisions, intentions, definitions, and rules relating to information security in place, at a particular time, and thus define OIL’s Information Security Management System.
Information Security Policy describes the minimum baseline security stance to be achieved by OIL. These policies determine the minimum level of security to be achieved and establish the criteria against which results are measured and have been supplemented with adequate procedures and guidelines for implementation of the information security framework at the OIL Data Centres.
The policy document has been divided in Sections describing the policies, procedures and guidelines for the domains of ISO 27001. While the policies are mandatory and are required to be adhered to at all times, the guidelines are advisory in nature and may be followed for enhancing the baseline information security.
Information Security Policy Statement
“OIL is committed to protect the confidentiality, integrity and availability of its Information Assets and provide the same commitment to the information assets entrusted to it by its customers and business partners.”
The OIL team shall strive to secure information by:
o Maintaining an effective Information Security Management System.
o Deploying the most appropriate technology and infrastructure.
o Creating and maintaining a security conscious culture within OIL.
o Continually monitoring and improving the effectiveness of the Information Security Management System.
o Aligning the organization’s strategic risk management context for maintenance of the ISMS.
o Taking into account business and legal, statutory or regulatory requirements, and contractual security obligations.
Principles
The Information Security Policies, Guidelines and Procedures at OIL are consistent with the following principles:
Value driven: Information security measures will be implemented in reasonable proportion to the risk and the business value of the information asset they intend to protect.
Accountability: All users of IT systems are accountable for their actions, as they relate to safeguarding of the information assets.
Least privilege: Each user will be provided access to information assets based on ‘need-to-know’ and ‘need-to-do’ principles as required by their job profile.
Segregation of duties: Separation of authority and responsibility will be carried out to ensure that an individual does not have sole control on all aspects of a particular information asset.
Integrity: Security will be maintained at a level that does not compromise the integrity of the trusted environment.
Scalability: Security architecture will be maintained so that the varying security needs of the organization can be accommodated.
Structure
The Oil India Limited Information Security Policy consists of the following components:
Oil India Information security policy
This policy incorporates major controls outlined in the revised ISO 17799, aligned to the ISO 27001 standard. The policy describes the technical and business processes that must be used to protect the confidentiality, integrity and availability of information.
While this document has broad coverage and applicability, it is not sufficient for every conceivable scenario. Therefore, it is not the sole information security policy that Oil India business should rely on.
There are many areas in this document that lay out the minimum security stance a business should take, or that present the principles that should be followed when making a business specific policy. In these areas, as in all other areas within this policy, controls and requirements are listed in addition to any business specific additions.
Oil India Limited Information Security Policy Overview
This document provides a definition of Information Security, describes security responsibilities local to the business, and outlines the different components that make up the Oil India Information Security Policy.
Information Security procedures
Detailed Information Security Procedures have been developed to support the policies of Oil India Limited.
Information security procedures provide the means for actualizing the information security policy. The security procedures lay down the step-by-step approach to implementing the information security policy. The information security procedures will involve defining, documenting, implementing, monitoring, and managing controls over information assets.
Information records
Information Records are established to support the Information Security Procedures.
List of ISMS Documentation
ISO 27001 core documentation:
o ISO 27001 Scope Document;
o GAP Assessment Report;
o Information Security Organization;
o Risk Assessment & Risk Treatment Report;
o ISO 27001 Statement of Applicability;
o Oil India Information Security Management System Policy and procedures.
ISO 27001 Domain / Sub-Domain | Document Reference
4 Context of the organization
4.1 Understanding the organization and its context | 1. ISMS Scope Document
4.2 Understanding the needs and expectations of interested parties | 2. ISMS Scope Document
4.3 Determining the scope of the information security management system | 3. ISMS Scope Document
4.4 Information Security Management System | 4. Information Security Policy
5 Leadership
5.1 Leadership and Commitment | 1. Information Security Organization
5.2 Policy | 2. Information Security Organization
5.3 Organizational roles, responsibilities and authorities | 3. Information Security Organization
6 Planning
6.1 Actions to address risks and opportunities | 1. ISMS Manual
6.2 Information security objectives and planning to achieve them | 2. ISMS Manual
7 Support
7.1 Resources | 1. ISMS Manual
7.2 Competence | 2. ISMS Manual
7.3 Awareness | 3. ISMS Manual; 4. Information Security Awareness Guidelines
7.4 Communication | 5. ISMS Manual
7.5 Documented Information | 6. ISMS Manual
8 Operation
8.1 Operational planning and control | 1. ISMS Manual
8.2 Information security risk assessment | 2. OIL ISO 27001 Risk Assessment and Risk Treatment Plan
8.3 Information security risk treatment | 3. OIL ISO 27001 Risk Assessment and Risk Treatment Plan
9 Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation | 1. Internal Audit procedure
9.2 Internal audit | 2. Internal Audit procedure
9.3 Management review | 3. Internal Audit procedure
10 Improvement
10.1 Nonconformity and corrective action | 1. Preventive and Corrective Maintenance procedure
10.2 Continual improvement | 2. Preventive and Corrective Maintenance procedure
5.3. Organization roles, responsibilities and authorities
At OIL, the Information Security Organization has been established as a dual structured organization: the Information Security Council (ISC) and the Information Security Working Group (ISWG). The detailed organization structure, with detailed roles and responsibilities, has been documented in “OIL-IS-ISMS-ISO-1.0 (Information Security Organization)”.
6. Planning
6.1. Actions to address risk and opportunities
6.1.1. General
On the basis of the issues identified in 4.1 and the requirements referred to in 4.2, the organization has determined that the following threats are applicable to its information and underlying information systems:
o Earthquake
o Flood
o Fire
o Storms/Wind/Lightning
o Adverse Environmental Conditions
o Public Utilities Failure (Power)
o Communications Failures (Telecom/ Network)
o Random / Unintentional failure of IT systems
o Electronic Sabotage and malicious code
o Medical Emergencies
o Unauthorized physical access/ theft
o Loss of key personnel/ Attrition/ Poaching
o Negligent/Uninformed users
o Civil Unrest (strikes, terrorist attacks, riots, etc.)
o Litigation Liabilities
o Inappropriate Information Disclosure
o Fraud
o Unauthorized access
OIL shall conduct a detailed risk assessment to address these risks and draw up plans to address them through location-specific Risk Assessment and Risk Treatment Plan Reports.
OIL recognizes that the successful implementation and continual improvement of its ISMS provides an opportunity to gain a competitive edge over its competitors by earning the confidence of its customers.
6.1.2. Information Security Risk Assessment
The objective of the risk assessment exercise is to identify areas of vulnerability and to initiate appropriate remediation. The risk assessment results in the identification of assets and of the threats against those assets. These risks are prioritized based on the impact and likelihood of the risk occurring. The risk assessment helps ascertain the potential of the existing controls to mitigate these risks, so as to arrive at the gaps that need to be addressed by the proposed Information Security Management System. Low risk has been identified as the risk acceptance criterion. Additionally, where any Medium or High risk has to be accepted, approval shall be sought from OIL management during the periodic review meetings.
6.1.2.1 Criteria for Risk Assessment
OIL ISMS Management has an established risk assessment methodology, and the risk assessment reports shall be reviewed on an annual basis. Further, the following changes should trigger an information security risk assessment:
o Implementation of new operating platforms/applications/software
o Addition of new hardware category
o Change in location of operation
o Change in outsourced processes
o Any other trigger as determined by OIL ISMS Management
6.1.2.2 Methodology
The following steps are carried out for the Risk Assessment:
o Identification of the information assets and the owners of these assets
o Deriving asset values by identifying the business impact of loss of confidentiality, integrity and availability of these assets
o Identification of the threats to these assets and the corresponding threat values
o Input from Security Incidents while revising the risk assessment
o Identification of the vulnerabilities in these assets that may be exploited by these threats, and the corresponding vulnerability scores
o Valuation of threats and vulnerabilities and their mapping to the assets
o Valuation of Threat Impact and Likelihood of Exploitation
o Overall Risk rating, which is a function of the above
6.1.3. Information Security Risk Treatment
OIL ISMS management decides the acceptable level of risk after considering the existing residual risk or the proposed residual risk and the mitigation plan. In cases where management decides to accept the existing residual risk, i.e. authorization is not granted for implementation of controls, the reasons for doing so are recorded. Low risk has been identified as the risk acceptance criterion for the Risk Treatment Plan. The risk treatment approach indicates the strategy adopted for each of the recognized threats. A statement of applicability shall be produced by OIL as per “OIL-IS-ISMS-SOA-2.0 (Statement of Applicability)”.
6.1.3.1 Methodology
The risk treatment approach lists the threats and the risk ratings arrived at in the Risk Assessment exercise. It decides on the risk treatment strategy to be adopted for each of the identified threats, based on the risk score. These strategies are:
o Avoid the risk: by deciding not to proceed with the activity or by choosing another way to achieve the same outcome
o Mitigate the risk: by reducing either the likelihood of the risk occurring, the consequences of the risk, or both
o Transfer the risk: by shifting all or part of the risk to another party who is best able to control it
o Accept the risk: after accepting that it cannot be avoided, controlled or transferred.
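As an added illustration of the assessment steps in 6.1.2.2 and the treatment rules in 6.1.3 and 6.1.3.1 (this is not OIL's own risk tool): the manual states that the overall rating is a function of asset value, threat, vulnerability, impact and likelihood, that Low is the acceptance criterion, and that an accepted Medium/High risk needs a recorded reason and management approval; the 1..3 scales, the product-based risk function, the rating bands and the incident-revision rule below are assumptions made for the example.

```python
"""Risk assessment / treatment flow of sections 6.1.2.2 and 6.1.3.1.

Added illustration, not OIL's own tool. ASSUMED: 1..3 scales, a product
risk function, the Low/Medium/High bands and the incident-revision rule.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    owner: str
    c: int  # business impact if confidentiality is lost, 1 (low) .. 3 (high)
    i: int  # same for integrity
    a: int  # same for availability

    @property
    def value(self) -> int:
        # asset value taken from the worst-case CIA impact (assumption)
        return max(self.c, self.i, self.a)


@dataclass
class Risk:
    asset: Asset
    threat: str         # one of the threats listed in 6.1.1
    threat_value: int   # 1..3
    vulnerability: int  # 1..3 vulnerability score
    likelihood: int     # 1..3 likelihood of exploitation


def risk_score(r: Risk) -> int:
    """Overall rating as a function of the factors above (assumed: product)."""
    impact = r.asset.value * r.threat_value          # threat impact, 1..9
    return impact * r.vulnerability * r.likelihood   # 1..81


def risk_rating(score: int) -> str:
    return "Low" if score <= 8 else "Medium" if score <= 27 else "High"


def revise_for_incidents(r: Risk, incidents: int) -> Risk:
    """6.1.2.2: security incidents feed the revised assessment.
    Assumed rule: any recorded incident for this risk raises likelihood one step."""
    if incidents > 0:
        r.likelihood = min(3, r.likelihood + 1)
    return r


def treat(r: Risk, strategy: Optional[str] = None,
          approved_reason: Optional[str] = None) -> dict:
    """Apply the 6.1.3 acceptance criterion and the 6.1.3.1 strategies."""
    rating = risk_rating(risk_score(r))
    if rating == "Low":  # within the acceptance criterion, no treatment needed
        return {"rating": rating, "strategy": "Accept",
                "reason": "within acceptance criterion (Low)"}
    if strategy == "Accept":
        # Medium/High may be accepted only with a recorded, management-approved reason
        if not approved_reason:
            raise ValueError(f"{rating} risk cannot be accepted without a recorded reason")
        return {"rating": rating, "strategy": "Accept", "reason": approved_reason}
    if strategy not in ("Avoid", "Mitigate", "Transfer"):
        raise ValueError(f"{rating} risk needs Avoid, Mitigate, Transfer or approved Accept")
    return {"rating": rating, "strategy": strategy, "reason": None}
```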
6.2. Information security objectives and planning to achieve them
Information Security Objectives
OIL aims to protect its business information from the identified threats, whether internal or external, by enforcing and measuring appropriate controls. OIL ISMS management shall adhere to the Information Security Policy and establish underlying detailed procedures. The management shall also conduct periodic review meetings for the continual improvement of information security. OIL ISMS management has identified the following objectives for the Information Security Management System:
o Information assets are protected against unauthorized access.
o Information is not disclosed to unauthorized persons through deliberate or careless action.
o Information is protected from unauthorized modification.
o Information is available to authorized users when needed.
o Applicable regulatory and legislative requirements are met.
o Disaster recovery plans for IT assets are developed, maintained and tested as far as practicable.
o All stakeholders are made aware of Information Security on a continual basis.
o All breaches of Information Security are reported and investigated.
o Violations of policies are dealt with through appropriate disciplinary action.
o The Information Security Management System is reviewed on a periodic basis and updated.
The ISMS objectives have been captured in measurable terms in Appendix A.
7. Support
7.1. Resources
The OIL ISMS management has established the Information Security Working Group and identified personnel who are responsible for the establishment, implementation, maintenance and continual improvement of the ISMS at OIL.
7.2. Competence
Members of the Information Security Working Group should have the required competence and experience to deal with information security risks. Prior to their induction into the ISWG, they should undergo relevant information security training covering the following:
o Importance of Information Security
o Overview of ISO 27001:2013 activities
o Risk Assessment and Risk Treatment Plan methodology
If required, the members may also undertake additional certifications on Information Security from external agencies.
7.3. Awareness
OIL ISMS management shall ensure that training on information security and end user responsibilities is made a part of the induction program for new employees joining OIL. Also, the ISWG shall be responsible for creating a training calendar for the information security trainings to be conducted over the year.
7.4. Communication
OIL ISMS Management shall communicate the importance of the Information Security Management System through regular mailers, trainings and posters to all its personnel (including suppliers). Any major change in the ISMS posture of OIL shall be communicated to all interested personnel through e-mails. The need for external public communication shall be identified by the ISWG, and communication shall be put into effect through OIL’s established communication channels.
Communication scenarios (S. No, Scenario, What to communicate, When, With whom, Who should communicate, Communication process):
1. Scenario: External Natural Disasters (Flood, Fire, Earthquake etc.)
   What to communicate: Emergency procedures measures, Evacuation instructions, Alternate service delivery channels etc.
   When to communicate: Immediately, followed by periodic appraisal
   With whom to communicate: All affected employees, Process Owners, Board of Directors, Onsite contractors
   Who should communicate: Safety Officer of the department
   Communication process: Emergency contact numbers, SMS, Email, Public forums, PA system
2. Scenario: Service Outage
   What to communicate: Reason for Outage, Expected Uptime
   When to communicate: At the time of incident occurrence
   With whom to communicate: All service user groups
   Who should communicate: Information Security Manager
   Communication process: Internal Employee portal, Default banner on applications, Email, SMS
3. Scenario: Awareness communication
   What to communicate: Information Security objectives, Do’s and Dont’s etc.
   When to communicate: At periodic intervals
   With whom to communicate: All employees and vendors
   Who should communicate: Chief Information Security Officer
   Communication process: Classroom trainings, Email, Posters etc.
4. Scenario: Major IS Incident
   What to communicate: Brief incident description, protection mechanism and Way forward
   When to communicate: At incident occurrence and post-RCA
   With whom to communicate: All service user groups
   Who should communicate: Information Security Manager/ Chief Information Security Officer
7.5. Documented Information
7.5.1. General
The following documents constitute the ISMS at Oil India:
o Oil India ISMS Scope Document;
o Oil India Information Security Policy;
o Oil India Risk Assessment Methodology;
o Oil India Risk Assessment & Risk Treatment Report;
o Oil India Statement of Applicability; and
o Any other relevant supporting document and evidences
7.5.2. Creating and updating
All ISMS documents created as per “OIL-IS-PRO-PCOD-1.0 (Procedure for control of
Documents)” shall follow the procedure mentioned in the document.
7.5.3. Control of documented information
OIL has established “OIL-IS-PRO-PCOD-1.0 (Procedure for control of Documents)” and “OIL-IS-PRO-PCOR-1.0 (Procedure for control of records)” for the control of documented information required by the ISMS.
8. Operation
8.1. Operational Planning and Control
Through the Information Security Policy and the various controls outlined in the Statement of Applicability, OIL ISMS management plans to maintain the information security related controls on all information and on the assets holding this information. Changes to information processing facilities and systems should be approved only if the information security controls are not being diluted. In case of a justified business requirement to dilute a control, exception approval shall be sought from the Head of the respective Department, who should grant the approval only on confirming the business justification with the relevant business representative in the ISWG.
OIL management acknowledges that certain critical services may be outsourced. Any change in these business services should be controlled through appropriate approvals from the Head of the respective Department.
8.2. Information security risk assessment
Refer to Section 6.1.2.
8.3. Information security risk treatment
Refer to Section 6.1.3.
9. Performance Evaluation
9.1. Monitoring, measurement, analysis and evaluation
ISWG shall be responsible to update the Security Metrics included in “OIL-IS-ISMS-SM-2.0 (OIL
Security Metrics)” as per the inputs received from Control Owners on an annual basis. The security
metrics shall be monitored and evaluated by the OIL ISMS management during internal review
meetings.
9.2. Internal Audit
OIL shall conduct periodic Information Security Internal Audits as per “OIL-IS-PRO-PIA-1.0
(Procedure for Internal Audit)”.
9.3. Management Review
The agenda for periodic meetings held by OIL ISMS Management should include:
o Status of actions from previous meetings
o Changes in external and internal issues that are relevant to the ISMS, which may include (but are not limited to):
  - Security requirements;
  - Regulatory or legal requirements;
  - Contractual obligations; and
  - Levels of risk and/or criteria for accepting risks.
o Feedback on the performance of the ISMS at OIL, which may include (but is not limited to):
  - Review of nonconformity and corrective actions
  - Results of evaluation of security metrics
  - Internal/External audit results
  - Status of fulfilment of Information Security Objectives
o Feedback from interested parties, if any
o Results of Risk Assessment and status of the Risk Treatment Plan
o Identification of opportunities for continual improvement
The minutes of OIL ISMS Management review meeting will be captured and circulated to all
stakeholders.
10. Improvement
10.1. Nonconformity and corrective action
OIL has established procedures to counter non-conformities through “OIL-IS-PRO-CAPA-1.0 (Procedure for Corrective and Preventive Actions)”.
10.2. Continual improvement
The philosophy of continual improvement of ISMS has been adopted through the “Plan-Do-Act-Check” approach of managing ISMS.
Appendix – A
ISMS Measurement Objectives
Each measurement below lists its Metric/Control Reference, followed by one line per Metric Sub-Category in the form:
Metric Sub-Category | Target | Measurement Method | Measurement Records | Periodicity of Records | Periodicity of Evaluation | Persons Responsible

1. Protection of assets against unauthorized access [A.11.1.1, A.11.1.2], [A.9.2.1, A.9.2.2, A.9.2.6, A.9.4.1]
Physical Access to DC | >=95% Functional Biometric Access Control | Monitoring & Ensuring Proper Functioning of Access Control Device | Physical Verification | Daily Twice, once in the morning & once in the afternoon | Weekly | Ankur + Ractim
DC CCTV Monitoring | >=95% Functional CCTV | Online Monitoring & Ensuring Proper Functioning of CCTV | From System | Daily twice, once in the morning | Weekly | Satam + Rashmi
User Access to Applications | 100 % conformity to procedure | Practice + Records by Sections | Records maintained by Sections | Monthly | Two Months | Respective Sectional Heads

2. Protection against unauthorized modification [A.9.2.3, A.9.2.4, A.9.2.5]
Admin Access to users authorised by CISO/ Head(IT) | 100 % conformity to procedure | Practice + Records by Sections | Records maintained by Sections | Monthly | Two months | Respective Sectional Heads
Management of privileged access rights | At least 1 (One) Email communication from CISO during first week of month | Email communication from CISO | Email communication from CISO | First week of every month | Three months | CISO

3. Ensuring availability of critical systems [Monitoring Availability of Application]
(For all systems below: Periodicity of Records is Daily Twice, once in the morning & once in the afternoon; Periodicity of Evaluation is Monthly; Persons Responsible are the Respective Sectional Heads)
SAP ECC 6.0 | 99.5% uptime | Uptime check records | New checklist
SRM e-tender | 99.5% uptime | Uptime check records | New checklist
Email communication | 99% uptime | Uptime check records | New checklist
Oilep | 99% uptime | Uptime check records | New Checklist
HIS | 99% uptime | Uptime check records | New checklist
Intranet Portal Oilweb | 99% uptime | Uptime check records | New checklist
E&P Databank | 99% uptime | Uptime check records | New checklist

4. Ensuring sound technical health of data center infrastructure [A.12.6.1]
3rd party IT Security Audit | 1 Audit + 1 Review | Audit Report | Audit Report | As per contract | Yearly | CISO + ISM
Implementation of IT Security Audit Recommendations on DC infrastructure | 90% action on recommendations with criticality rating Critical and High | Action on recommendations with criticality rating as Critical and High | Action taken records on recommendations with criticality rating as Critical and High | Timeline for action: 1) 1 month for Critical & 2) 2 months on Medium rated recommendations | Three months from receipt of audit report | Respective Sectional Heads

5. Compliance to regulatory and legal requirements [A.18.1]
Legal requirements | 100% conformity to legal requirements by agency entrusted by OIL | Areas as identified by agency | As updated in on-line legal compliance system | As defined in the on-line system | Three months | CISO + ISM
Use of licensed software | 100% licensed product usage | Monitoring products in use vs licenses procured | Records being maintained | On an on-going basis | Three months | Uddhab + Rashmi

6. Business Continuity/ Disaster Recovery [A.12.3.1, A.17.1.1, A.17.1.3]
Remote backup functionality | 95% success | Transfer of backup to remote site | Records of remote backup | Daily basis | One month | LR Manoharan
Backup of data | 90% success | Backup operations | Records of backup | As per defined periodicity | One month | Respective Sectional Heads
Testing of backup data | 95% success | Testing of backup restoration | Records of testing | Once in a month | Three months | Respective Sectional Heads

7. Information Security awareness amongst stakeholders [7.3], [A.7.2.2]
Email communication | 1 email communication every fortnight | Email communication from CISO | Records of emails | Fortnightly | Three months | CISO
Awareness sessions | 1 session per month | Awareness sessions | Attendance records | Monthly | Three months | ISMS Team

8. Incident management [A.16.1.2, A.16.1.4, A.16.1.5, A.16.1.6]
- | 100% of critical incidents to be addressed suitably for non-recurrence | Incident management procedure | Records of incident management | As & when incident happens | Three months | Respective Sectional Heads + ISMS Team

9. Review of ISMS [A.18.2.1], [9.3]
Management Review Meeting | At least 2 meetings in a year | ISC Meetings | Records of ISC Meeting | As & when meeting happens | Yearly | CISO + ISM
Internal Audit | At least 3 audits a year | Internal audit process | Records of Internal Audits | As & when meeting happens | Yearly | CISO + ISM