model information office

Compliance & Control, Systems & Partner Relationship Management Mahesh Patwardhan [email protected]

Upload: mahesh-patwardhan

Post on 20-Jan-2015

DESCRIPTION

A Model Information Office - Compliance, Control, Processes and Systems

TRANSCRIPT

Page 1: Model Information Office

Compliance & Control, Systems & Partner Relationship Management

Mahesh Patwardhan

[email protected]

Page 2: Model Information Office

Information Office

Office of Compliance and Control: Information Security, Access Control, Change Management, Policy Management

Systems: Build and Deploy, Ops and Maintenance

Technology Partner Relations: Partner Relationship Management, Contract Management

Page 3: Model Information Office

Compliance and Control: Information Security

Information Security Office

Chief Information Security Officer

Implement the Information Security Policy

Implement the Access Control Policy

Implement the Backup/Restoration Policy

Conduct Information Security Office Meetings

All meetings to be recorded (MOM)

Conduct Reviews: Security, Access Control, AUP, B&R, DR Policy

Record all Policy Reviews (MOM)

Policies to be updated and approved

Updates to policies to be logged

Page 4: Model Information Office

Compliance and Control: Information Security

Communication

Information Security Policy and Access Control Policy updates to all employees periodically.

HR Training calendar for Security and Appropriate Usage sessions.

Conduct Security Awareness and Appropriate Sessions for new joinees.

Monitoring

Review of System Exception Logs, Unauthorized Logins, Authorized Users lists

All Reviews to be logged and the review reports with findings signed off on.

Action taken report to be reviewed and signed off on.

Page 5: Model Information Office

Compliance and Control: Information Security

Define

Data Backup/Restoration Process

Recovery Testing Process

Data securing process (tape-to-bank)

Review

Data Backup/Restoration Process

Recovery Testing Process

Data securing process (tape-to-bank)

Backup/Restoration/Recovery Testing Log Sheet

Monthly Tape-To-Bank Log Sheet

All reviews to be recorded (MOM)

Page 6: Model Information Office

Access Control: Creation/Deletion of User IDs / privilege grants process

Request for user id creation / deletion raised by business unit mgr.

Request for user id creation / deletion authorized by business unit Head

Hardcopy of Authorized Request Filed by Mgr – IS & App and Server Access Auth Matrix Updated

Application User Login Created/Removed by Manager: IS

Authorized Request (email and hardcopy) approved by Head - IO

Request from HR for domain/email ID

Email/Domain Login Created/Removed By Manager - IT

Request for privileged Access on server raised By NOC/Engineering team

Request Authorized By CTO

Confirmation sent for granting requested Privileges/access

Request for temporary unprivileged access To server raised by user

Page 7: Model Information Office

Access Control: Authorizations Filing

Authorization Filing

Manager Process & Control

Application Users Authorizations

Email / Domain Users Authorizations

Privileged Access Users Authorizations

Temporary Access Authorizations

Signed Authorization Form

User Creation / Removal Log

Application Authorization Matrix

Signed Authorization Form

User Creation / Removal Log

Email / Domain Users List

Signed Authorization Form

Signed Authorization Form

Page 8: Model Information Office

Office of Compliance and Control: Change Management

Periodic Review of Change Management Process: Change Requests submitted, Change Request Approvals, Pending deployments

Review meeting minutes to be recorded and the findings of the review documented.

Review Report with recommendations for remediation submitted, report approved.

Approved recommendations carried out.

Review of remediation carried out, approved and signed off on.

Page 9: Model Information Office

Office of Compliance and Control: Policy Management

Information Steering Committee (ISC)

Policy Reviews and Updates

Schedule for ISC and Policy Reviews

Conduct Reviews, report submission.

Report Approvals, Policy updated and approved.

Page 10: Model Information Office

Information Office Hierarchy

Information Office

Office of Compliance & Control

Systems

Technology Partner Relations

(Engineering Office)

Information Security

Access Control

Change Control

Build and Deploy

Ops & Maintenance

Policy Management

Partner Relationship Management

Contract Management

Sr. Mgr Compliance & Control

Head – Information Office

Sr. Mgr Info. Systems

Sr. Mgr Vendor Relations

Director Information Systems

Chief Information Security Officer