A Model Information Office - Compliance, Control, Processes and Systems

Transcript
Information Office
  Office of Compliance and Control
    Information Security
    Access Control
    Change Management
    Policy Management
  Systems
    Build and Deploy
    Ops and Maintenance
  Technology Partner Relations
    Partner Relationship Management
    Contract Management
Compliance and Control: Information Security

Information Security Office (Chief Information Security Officer)
- Implement the Information Security Policy.
- Implement the Access Control Policy.
- Implement the Backup/Restoration Policy.
- Conduct Information Security Office meetings; all meetings to be recorded (minutes of meeting, MOM).
- Conduct reviews of the Security, Access Control, Acceptable Use (AUP), Backup/Restoration (B&R) and Disaster Recovery (DR) policies; record all policy reviews (MOM); policies to be updated and approved; updates to policies to be logged.

Communication
- Information Security Policy and Access Control Policy updates sent to all employees periodically.
- HR training calendar for Security and Appropriate Usage sessions.
- Conduct Security Awareness and Appropriate Usage sessions for new joinees.

Monitoring
- Review of system exception logs, unauthorized logins and authorized-user lists.
- All reviews to be logged, and the review reports with findings signed off on.
- Action-taken report to be reviewed and signed off on.

Backup and Restoration
- Define the Data Backup/Restoration process, the Recovery Testing process and the data securing process (tape-to-bank).
- Review the Data Backup/Restoration process, the Recovery Testing process and the data securing process (tape-to-bank).
- Records: Backup/Restoration/Recovery Testing Log Sheet; monthly Tape-To-Bank Log Sheet; all reviews to be recorded (MOM).
Access Control: Creation/Deletion of User IDs / Privilege Grants Process

Application user logins
1. Request for user ID creation/deletion raised by the business unit manager.
2. Request authorized by the business unit Head.
3. Hardcopy of the authorized request filed by Manager - IS; Application and Server Access Authorization Matrix updated.
4. Application user login created/removed by Manager - IS.

Email/domain logins
1. Request from HR for a domain/email ID.
2. Authorized request (email and hardcopy) approved by Head - IO.
3. Email/domain login created/removed by Manager - IT.

Privileged access on servers
1. Request for privileged access on a server raised by the NOC/Engineering team.
2. Request authorized by the CTO.
3. Confirmation sent for granting the requested privileges/access.

Temporary unprivileged access to servers
1. Request for temporary unprivileged access to a server raised by the user.
Access Control: Authorizations Filing

Authorization                   | Process & Control records
--------------------------------|------------------------------------------------------------------------------------
Application users               | Signed Authorization Form; User Creation/Removal Log; Application Authorization Matrix
Email/domain users              | Signed Authorization Form; User Creation/Removal Log; Email/Domain Users List
Privileged access users         | Signed Authorization Form
Temporary access                | Signed Authorization Form
Office of Compliance and Control: Change Management
- Periodic review of the Change Management process: change requests submitted, change request approvals, pending deployments.
- Review meeting minutes to be recorded and the findings of the review documented.
- Review report with recommendations for remediation submitted; report approved.
- Approved recommendations carried out.
- Review of the remediation carried out, approved and signed off on.
Office of Compliance and Control: Policy Management
Information Steering Committee (ISC)
- Policy reviews and updates.
- Schedule for ISC meetings and policy reviews.
- Conduct reviews; report submission.
- Report approvals; policy updated and approved.
Information Office Hierarchy

Information Office (Head - Information Office)
  Office of Compliance & Control (Sr. Mgr Compliance & Control)
    Information Security
    Access Control
    Change Control
    Policy Management
  Systems (Sr. Mgr Info. Systems)
    Build and Deploy
    Ops & Maintenance
  Technology Partner Relations / Engineering Office (Sr. Mgr Vendor Relations)
    Partner Relationship Management
    Contract Management

Other roles in the hierarchy: Director, Information Systems; Chief Information Security Officer.