2. Information Office

Office of Compliance and Control
    Information Security
    Access Control
    Change Management
    Policy Management

Technology Systems
    Build and Deploy
    Ops and Maintenance

Technology Partner Relations
    Contract Management
    Relationship Management
3. Compliance and Control: Information Security
Information Security Office
Chief Information Security Officer
Implement the Information Security Policy
Implement the Access Control Policy
Implement the Backup/Restoration Policy
Conduct Information Security Office Meetings
All meetings to be recorded (MOM: minutes of meeting)
Conduct Reviews
Information Security, Access Control, AUP (Appropriate Usage), Backup/Restoration (B&R) and DR Policies
Record all Policy Reviews (MOM)
Policies to be updated and approved
Updates to policies to be logged
4. Compliance and Control: Information Security
Communication:
Information Security Policy and Access Control Policy updates to all employees periodically.
HR training calendar for Security and Appropriate Usage sessions.
Conduct Security Awareness and Appropriate Usage sessions for new joiners.
Monitoring:
Review of system exception logs, unauthorized logins and Authorized Users lists.
All reviews to be logged and the review reports with findings signed off on.
Action taken report to be reviewed and signed off on.
5. Compliance and Control: Information Security
Define
Data Backup/Restoration Process
Recovery Testing Process
Data securing process (tape-to-bank)
Review
Data Backup/Restoration Process
Recovery Testing Process
Data securing process (tape-to-bank)
Backup/Restoration/Recovery Testing Log Sheet
Monthly Tape-To-Bank Log Sheet
All reviews to be recorded (MOM)
6. Access Control
Creation/Deletion of User IDs / privilege grants process

Email / Domain login:
    Request for user id creation / deletion raised by business unit mgr.; request from HR for domain/email ID.
    Authorized request sent for granting.
    Email/Domain login created/removed by NOC/Engineering team.

Application login:
    Request for user id creation / deletion raised by business unit mgr., authorized by business unit Head.
    Authorized request (email and hardcopy) approved by Head – IO; hardcopy of authorized confirmation filed by Mgr – IS.
    App and server access requested; Access Auth Matrix updated.
    Application login created/removed.

Server access:
    Request for temporary unprivileged access to server raised by user; authorized by Manager – IT.
    Request for privileged access on server raised; authorized by CTO.
    Privileges/access created/removed by Manager – IS.
7. Access Control
Authorizations Filing (Manager – Process & Control)

Email / Domain Users:     Signed Authorization Form; User Creation / Removal Log; Email / Domain Users List
Application Users:        Signed Authorization Form; User Creation / Removal Log; Application Authorization Matrix
Privileged Access Users:  Signed Authorization Form
Temporary Access Users:   Signed Authorization Form
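The monitoring review in section 4 (system exception logs, unauthorized logins, Authorized Users lists) and the authorization filing in sections 6 and 7 (Access Auth Matrix, Users List, User Creation / Removal Log) come down to one reconciliation: every live account must trace back to a signed authorization, every removal must be reflected in the matrix and the live lists, and every accepted login must belong to an authorized user. The Python below is an added example, not part of the original deck and not the organization's own tooling; the user names, application names, log entries, sshd-style log lines and finding labels are all constructed for illustration.

```python
"""Reconcile the Authorization Matrix, live user lists, the creation/removal
log and a login log, producing the findings list a reviewer signs off on.
Added example: all data below is constructed, names are hypothetical."""
import re
from collections import Counter

# Constructed Application Authorization Matrix: user -> applications granted
# by a signed authorization form.
AUTH_MATRIX = {
    "asharma": {"payroll", "crm"},
    "bkhan": {"crm"},
    "cdas": {"payroll"},
}

# Constructed live Application Users Lists, one export per application.
APP_USERS = {
    "payroll": {"asharma", "cdas", "tempuser"},  # tempuser has no form on file
    "crm": {"asharma"},                           # bkhan granted but absent
}

# Constructed User Creation / Removal Log: (date, user, action, authorized_by).
CREATION_REMOVAL_LOG = [
    ("2024-03-01", "tempuser", "created", ""),       # no authorizer recorded
    ("2024-03-02", "bkhan", "removed", "Manager-IT"),
]

# Constructed syslog-style login records (sshd format) for the review period.
LOGIN_LOG = """\
Mar 03 08:01:12 appsrv sshd[1201]: Failed password for invalid user admin from 10.0.5.9 port 51234 ssh2
Mar 03 08:01:15 appsrv sshd[1201]: Failed password for invalid user admin from 10.0.5.9 port 51236 ssh2
Mar 03 08:01:19 appsrv sshd[1201]: Failed password for invalid user admin from 10.0.5.9 port 51238 ssh2
Mar 03 08:02:30 appsrv sshd[1210]: Accepted password for cdas from 10.0.2.14 port 40022 ssh2
Mar 03 08:05:44 appsrv sshd[1222]: Accepted password for tempuser from 10.0.9.3 port 40101 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")


def reconcile_matrix(auth_matrix, app_users, creation_removal_log):
    """Compare the signed matrix with live user lists and the creation/removal
    log. Returns (finding, user, detail) tuples in deterministic order."""
    findings = []
    for app, live_users in sorted(app_users.items()):
        granted = {u for u, apps in auth_matrix.items() if app in apps}
        for user in sorted(live_users - granted):
            findings.append(("account_without_authorization", user, app))
        for user in sorted(granted - live_users):
            findings.append(("authorized_but_not_provisioned", user, app))
    for date, user, action, authorized_by in creation_removal_log:
        if not authorized_by:
            findings.append(("log_entry_without_authorizer", user, f"{action} on {date}"))
        if action == "removed":
            # A removal must also retire the matrix entry and the live account.
            if user in auth_matrix:
                findings.append(("removed_user_still_in_matrix", user,
                                 ", ".join(sorted(auth_matrix[user]))))
            for app, live_users in sorted(app_users.items()):
                if user in live_users:
                    findings.append(("removed_user_still_present", user, app))
    return findings


def review_logins(log_text, authorized_users, failure_threshold=3):
    """Flag accepted logins by users outside the authorized list and
    repeated failures per (account, source) at or above the threshold."""
    failures = Counter()
    findings = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(1) not in authorized_users:
            findings.append(("unauthorized_login", m.group(1), m.group(2)))
    for (user, source), count in sorted(failures.items()):
        if count >= failure_threshold:
            findings.append(("repeated_failed_logins", user, f"{count} from {source}"))
    return findings


def review_report():
    """The combined findings list that goes into the signed review report."""
    return (reconcile_matrix(AUTH_MATRIX, APP_USERS, CREATION_REMOVAL_LOG)
            + review_logins(LOGIN_LOG, set(AUTH_MATRIX)))


if __name__ == "__main__":
    for finding, user, detail in review_report():
        print(f"{finding:32} {user:10} {detail}")
```

Each finding maps to a line in the review report: an account with no signed form, a granted user never provisioned, a creation with no recorded authorizer, a removal that left the matrix stale, a login by someone outside the matrix, and a burst of failed logins from one source. The matrix is treated as the source of truth; a realistic run replaces the constructed dictionaries with exports from each application and the filed forms.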
8. Office of Compliance and Control:
Change Management
Periodic Review of
Change Management Process.
Change Requests submitted.
Change Request Approvals
Pending deployments
Review Meetings minutes to be recorded and the findings of the review
documented
Review report with recommendations for remediation submitted and approved.
Approved recommendations carried out.
Review of remediation carried out, approved and signed off on.
9. Office of Compliance and Control:
Policy Management
Information Steering Committee (ISC)
Policy Reviews and Updates
Schedule for ISC and Policy Reviews
Conduct Reviews, report submission.
Report Approvals, Policy updated and approved.
10. Information Office Hierarchy

Head – Information Office
    Chief Information Security Officer
        Sr. Mgr Office of Compliance & Control
            Information Security
            Access Control
            Change Control
            Policy Management
    Director Information Systems
        Sr. Mgr Info. Systems (Engineering Office)
            Build and Deploy
            Ops & Maintenance
        Sr. Mgr Vendor Relations (Technology Partner Relations)
            Contract Management
            Relationship Management