Information Security Policy Framework: Domains, Objectives and Controls Evidence Required
(Sl. No / Domain / Objective / Controls Evidence Required)

Domain 1: Risk Management
Objective: To ensure that information security risks are identified, mitigated and monitored on a continuous basis across the group.
Controls Evidence Required:
1. Risk Management Framework
2. Risk Register
3. Risk Assessment & Treatment Plan

Domain 2: Information Security Governance
Objective: Information security governance consists of the leadership, organizational structures and processes that protect information and assist in managing growing information security risks.
Controls Evidence Required:
1. Information Security Committee
2. MR Review Meeting
3. IS Roles & Responsibilities
4. Segregation of Duties
5. Contacts with Authorities
6. Contacts with Special Interest Groups

Domain 3: Human Resource Security
Objective: To ensure that all employees, contractors and third parties understand their responsibilities towards information security before, during and after the termination of employment/service.
Controls Evidence Required:
1. Background verification of all employees / contractors
2. Acceptable Usage Policy
3. Non-Disclosure Agreement
4. Records of information security awareness, education and training
5. Disciplinary process
6. Exit process (No-Dues clearance)

Domain 4: Asset Management
Objective: To ensure protection of physical and information assets throughout their lifecycle.
Controls Evidence Required:
1. Information Asset Register
2. Media handling & disposal

Domain 5: Access Control
Objective: To ensure that only authorized users access ABG's business applications, information systems and computing resources, and that access privileges are managed so that users have the access needed to perform their duties.
Controls Evidence Required:
1. User role access matrix
2. User access provisioning & de-provisioning
3. ID reconciliation (AD / Email / SAP / other applications / generic IDs / privileged IDs, etc.)
4. Password Policy
5. Emergency access control procedure

Domain 6: Information Lifecycle Management and Protection
Objective: To ensure confidentiality, integrity and availability of information during the entire lifecycle.
Controls Evidence Required:
1. Information classification (Highly Confidential / Restricted / Confidential / Internal / Public)
2. Encryption and masking solutions to protect information at rest
3. Information Rights Management
4. Information is disposed of / erased securely
5. Cryptography

Domain 7: Physical and Environmental Security
Objective: To prevent unauthorized physical access, damage and interference to ABG's information and information processing facilities.
Controls Evidence Required:
1. Firefighting equipment
2. Periodic fire evacuation drills
3. Environmental controls relating to temperature, water, smoke, access alarms, service availability alerts (power supply, telecommunication, servers), access logs, etc.
4. Fireproof cabinets for storing business-sensitive information
5. Physical maintenance of equipment
6. Equipment shall be disposed of securely and safely (e-waste)

Domain 8: Operational Security
Objective: To ensure secure operations of ABG's information systems.
Controls Evidence Required:
1. Change Management
2. Capacity Management
3. Backup & Restoration
4. Protection from Malicious Software
5. Patch Management
6. Logging & Monitoring
7. Technical Vulnerability Management
8. Secure Configuration Management

Domain 9: Network and Communication Security
Objective: To secure the ABG network devices and services from unauthorized access, disruption and modification.
Controls Evidence Required:
1. Updated network architecture diagram
2. All network devices are time-synchronized with the Network Time Protocol (NTP) server
3. Deception / decoy mechanisms to detect attacks
4. Firewall, Intrusion Detection System (IDS) / Intrusion Prevention System (IPS), proxy, etc.
5. Prohibit auto-forwarding of emails
6. All Wi-Fi access points shall be secured using a Wireless Intrusion Prevention System (WIPS)

Domain 10: System Acquisition, Development and Maintenance
Objective: To secure information systems throughout the lifecycle of acquisition, design, development, testing and implementation.
Controls Evidence Required:
1. Secure software development lifecycle (SDLC) process
2. System change control
3. Outsourced development: software escrow agreement
4. System security and acceptance testing: perform a vulnerability assessment of any new system before deployment in the production environment

Domain 11: Incident Management
Objective: To ensure a robust incident management process to detect, report, respond to and manage information security incidents.
Controls Evidence Required:
1. Dedicated Incident Response Team (IRT)
2. Procedures for reporting incidents
3. Incident response plan
4. Defined escalation matrix comprising the teams to be involved during the various stages of information security incidents
5. Contact with authorities
6. Learnings from incidents shall be recorded
7. Periodic review of incident records

Domain 12: Business Continuity Management / Disaster Recovery (BIA / DR Drill)
Objective: To ensure that a well-defined business continuity program is established, covering resilient technology infrastructure, crisis management capability and tested business continuity plans across ABG, such that prolonged unavailability is managed and the impact of disruption is minimized.
Controls Evidence Required:
1. Identify critical business processes
2. Business Impact Analysis (BIA)
3. Recovery Time Objective (RTO), Recovery Point Objective (RPO) and Maximum Tolerable Period of Downtime (MTPD) shall be determined for the identified critical business processes
4. IT DR plan
5. DR drill
6. Periodic awareness and training sessions

Domain 13: Compliance
Objective: To ensure that ABG is compliant with legal, regulatory and contractual requirements.
Controls Evidence Required:
1. Document all applicable legal, statutory, regulatory and contractual requirements
2. A list of authorized software shall be maintained
3. Information security audits

Domain 14: Bring Your Own Device (BYOD) Security
Objective: To ensure security of ABG's data when accessed through ABG-owned or personally owned mobile devices.
Controls Evidence Required:
1. All mobile devices (ABG-owned or personal) are registered before being allowed to access the ABG network or applications
2. Maintain a whitelist of device models

Domain 15: Cloud Security
Objective: To ensure security of ABG's information assets in the cloud environment.
Controls Evidence Required:
1. Risk assessment prior to onboarding cloud service providers (CSPs)
2. Cloud Security Framework

Domain 16: Third Party
Objective: To ensure protection of ABG's information assets that are accessible by third parties, and to maintain an agreed level of information security and service delivery in line with contractual agreements.
Controls Evidence Required:
1. Due diligence
2. Confidentiality agreements
3. Service level agreements
4. "Right to Audit" clause
5. Termination or expiry of the contract

Domain 17: Operational Technology Security (SCADA / DCS)
Objective: To ensure secure and sound operation of OT infrastructure and prevent physical damage, loss of production, loss of confidential data and casualties caused by cyber-attacks.
Controls Evidence Required:
1. OT Security Framework
2. Periodic reviews of risks and a process for addressing them

Domain 18: Data Privacy
Objective: To ensure regulatory compliance by ensuring that adequate processes are in place to assess, manage, report and mitigate regulatory compliance risks.
Controls Evidence Required:
1. Data Protection Impact Assessment
2. Privacy compliance audits
3. Privacy incident management process

Sensitivity: General