
BHARAT HEAVY ELECTRICALS LIMITED

POWER SECTOR SOUTHERN REGION

ISMS-01/PS/001
Version 3.1
Date: 29th September 2015

Information Security Management System (ISMS) Manual

DOCUMENT CHANGE CONTROL

Document No: ISMS-01 / PS / 001
Document Title: ISMS Manual
Version No: 3
Issue Date: 31/10/2014

Manual Change History (Revision No. / Date of Issue / Details of Changes / Prepared By / Approved By):

Date of Issue: 31/10/2014
Details of Changes: Manual revised as per ISO/IEC 27001:2013 standard
Prepared By: E Bhamini, SM / IT; S Jagannathan (ISSO), AGM / MSX, IT & Comml
Approved By: D Bandyopadhyay, CEO / PSSR

Date of Issue: 29/09/2015
Details of Changes: A.18.1.5 (Regulation of cryptographic controls) made applicable; scope mentioned in Sl. No. 1 revised; scope determination changed to include external and internal issues
Prepared By: E Bhamini, SM / IT; S Jagannathan (ISSO), AGM / MSX, IT & Comml
Approved By: AK Mukhopadhyay, CEO / PSSR

Issued By:

[For Internal Use]


Page 1 of 47
This document to be considered obsolete if available in printed form. For the latest copy please visit the
intranet page of BHEL PSSR

TABLE OF CONTENTS

0. Introduction ..... 5
1. Scope ..... 5
2. Normative References ..... 5
3. Terms and Definitions ..... 6
4. Context of the organization ..... 7
4.1 Understanding the organization and its context ..... 7
4.2 Understanding the needs and expectations of interested parties ..... 11
4.3 Determining the scope of the ISMS ..... 11
4.4 Information security management system ..... 11
5. Leadership ..... 12
5.1 Leadership and commitment ..... 12
5.2 Policy ..... 13
5.3 Organizational roles, responsibilities and authorities ..... 13
6. Planning ..... 16
6.1 Actions to address risks and opportunities ..... 16
6.2 Information security objectives and planning to achieve them ..... 17
7. Support ..... 17
7.1 Resources ..... 17
7.2 Competence ..... 17
7.3 Awareness ..... 17
7.4 Communication ..... 18
7.5 Documented information ..... 19
8. Operation ..... 21
8.1 Operational planning and control ..... 21
8.2 Information security risk assessment ..... 21
8.3 Information security risk treatment ..... 21
9. Performance evaluation ..... 21
9.1 Monitoring, measurement, analysis and evaluation ..... 21
9.2 Internal audit ..... 21
9.3 Management review ..... 22
10. Improvement ..... 22
10.1 Nonconformity and corrective action ..... 22
10.2 Continual improvement ..... 22
11. ISMS Controls ..... 23
A.5 Information security policies ..... 23
A.5.1 Management direction for information security ..... 23
A.6 Organization of information security ..... 24
A.6.1 Internal organization ..... 24
A.6.2 Mobile devices and teleworking ..... 25
A.7 Human resource security ..... 25
A.7.1 Prior to employment ..... 25
A.7.2 During employment ..... 26


A.7.3 Termination and change of employment ..... 26
A.8 Asset management ..... 27
A.8.1 Responsibility for assets ..... 27
A.8.2 Information classification ..... 27
A.8.3 Media handling ..... 28
A.9 Access control ..... 29
A.9.1 Business requirements of access control ..... 29
A.9.2 User access management ..... 29
A.9.3 User responsibilities ..... 30
A.9.4 System and application access control ..... 30
A.10 Cryptography ..... 31
A.10.1 Cryptographic controls ..... 31
A.11 Physical and environmental security ..... 31
A.11.1 Secure areas ..... 31
A.11.2 Equipment ..... 33
A.12 Operations security ..... 35
A.12.1 Operational procedures and responsibilities ..... 35
A.12.2 Protection from malware ..... 36
A.12.3 Backup ..... 36
A.12.4 Logging and monitoring ..... 37
A.12.5 Control of operational software ..... 37
A.12.6 Technical vulnerability management ..... 37
A.12.7 Information systems audit considerations ..... 38
A.13 Communications security ..... 38
A.13.1 Network security management ..... 38
A.13.2 Information transfer ..... 39
A.14 System acquisition, development and maintenance ..... 40
A.14.1 Security requirements of information systems ..... 40
A.14.2 Security in development and support processes ..... 40
A.14.3 Test data ..... 41
A.15 Supplier relationships ..... 42
A.15.1 Information security in supplier relationships ..... 42
A.15.2 Supplier service delivery management ..... 42
A.16 Information security incident management ..... 43
A.16.1 Management of information security incidents and improvements ..... 43
A.17 Information security aspects of business continuity management ..... 44
A.17.1 Information security continuity ..... 44
A.17.2 Redundancies ..... 45
A.18 Compliance ..... 45
A.18.1 Compliance with legal and contractual requirements ..... 45
A.18.2 Information security reviews ..... 46


ABBREVIATIONS

ISMS: Information Security Management System
CISSO: Chief Information System Security Officer
ISSO: Information System Security Officer
IT: Information Technology Department
HR: Human Resources Department
DB: Database
OEM: Original Equipment Manufacturer
ED: Executive Director
SOA: Statement of Applicability
CIA: Confidentiality, Integrity and Availability
RA: Risk Assessment
RTP: Risk Treatment Plan
BCP: Business Continuity Plan
DR: Disaster Recovery
NDA: Non Disclosure Agreement
NC: Non Conformity
HRDD: Human Resource Development Department
HOD: Head of Department
IPR: Intellectual Property Rights


0. Introduction
0.1 General
This ISMS manual specifies the requirements for establishing, implementing,
maintaining and continually improving the Information Security Management System
within the context of BHEL PSSR's overall business requirements. It specifies
the implementation of security controls customized to the objectives and needs of
the organization.

0.2 Compatibility with other management system standards
The high level structure and sub-clause titles of this ISMS Manual are in accordance
with Annex SL to Part 1 of the ISO/IEC Directives, which helps the
organization align or integrate other related management systems that have
adopted Annex SL.

1. Scope
This ISMS Manual specifies the requirements for establishing,
implementing, maintaining and continually improving the Information Security
Management System in PSSR within the context of PSSR's business operations.

2. Normative References
The following documents were referred to in the creation of this document:

- ISO/IEC 27002:2013, Information technology - Security techniques - Code of practice for information security controls
- ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements
- ISO 31000:2009, Risk management - Principles and guidelines
- ISO 9001:2000, Quality management systems - Requirements
- BHEL PSSR Quality Management System (QMS) Manual
- BHEL Personnel Manual
- BHEL Conduct, Discipline and Appeal (CDA) rules


- Corporate Information System Security Policy (ISMS-00-AA-001)

3. Terms and Definitions

Availability: Ensuring that authorized users have access to information and associated assets when required.

Business Continuity Plan (BCP): A plan to build in proper redundancies and avoid contingencies, to ensure continuity of business.

Computer Media: Includes all devices that can electronically store information. This includes, but is not limited to, diskettes, CDs, tapes, cartridges and portable hard disks.

Confidentiality: Ensuring that information is accessible only to those authorized to have access.

Continual Improvement: Refers to staged improvement programs that facilitate rapid improvement phases with intermediate stabilized phases.

Control: A mechanism or procedure implemented to satisfy a control objective.

Control Objective: A statement of intent with respect to a domain over some aspects of an organization's resources or processes. In terms of a management system, control objectives provide a framework for developing a strategy for fulfilling a set of security requirements.

Disaster Recovery (DR): A plan for the early recovery of business operations in the event of an incident that prevents normal operation.

Fallback: Provisions to provide service in the event of failure of computing or communications facilities.

Information Security: Preservation of confidentiality, integrity and availability of information.

Information Security Management System (ISMS): The part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

Integrity: Safeguarding the accuracy and completeness of information and processing methods.

Organization: Refers to BHEL, unless specified otherwise.


Risk: The combination of the probability of an event and its consequence.

Risk Acceptance: Decision to accept a risk.

Risk Analysis: Systematic use of information to identify sources and to estimate the risk.

Risk Assessment: Overall process of risk analysis and risk evaluation.

Risk Evaluation: Process of comparing the estimated risk against given risk criteria to determine the significance of the risk.

Risk Management: Coordinated activities to direct and control an organization with regard to risk.

Risk Treatment: Process of selection and implementation of measures to modify risk.

Statement of Applicability: Document describing the control objectives and controls that are relevant and applicable to the organization's ISMS, based on the results and conclusions of the Risk Assessment and Risk Treatment processes. It should clearly indicate exclusions with appropriate reasons.

4. Context of the organization

4.1 Understanding the organization and its context
BHEL is an integrated power plant equipment manufacturer and one of the largest
engineering and manufacturing companies in India in terms of turnover. BHEL
was established in 1964, ushering in the indigenous Heavy Electrical Equipment
industry in India - a dream that has been more than realized with a well-recognized
track record of performance. The company has been earning profits continuously
since 1971-72 and paying dividends since 1976-77.
BHEL is engaged in the design, engineering, manufacture, construction, testing,
commissioning and servicing of a wide range of products and services for the core
sectors of the economy, viz. Power, Transmission, Industry, Transportation
(Railway), Renewable Energy, Oil & Gas and Defence. The company has 15 manufacturing
divisions, two repair units, four regional offices, eight service centres and 15
regional centres, and currently operates at more than 150 project sites across India
and abroad.
The Power Sector Southern Region, Chennai caters to the needs of various
Electricity Boards, Public Sector Undertakings and other industries in Installation
& Servicing of industrial and power plant equipment, including EPC & Turnkey
projects. It undertakes Life Extension Programmes and Renovation and
Modernization of old power stations in the states of Tamil Nadu, Andhra Pradesh,
Karnataka, Kerala, MP, Orissa & Pondichery and other places including abroad, as
and when notified by the corporate office.
BHEL PSSR has acquired certifications to Quality Management Systems (ISO
9001), Environmental Management Systems (ISO 14001) and Occupational Health
& Safety Management Systems (OHSAS 18001) and is also well on its journey
towards Total Quality Management.

4.1.1 Organization Setup
Bharat Heavy Electricals Limited is a public sector undertaking engaged in Design,
Manufacture, Installation and Servicing of equipment for the Power, Industrial,
Transportation and Oil sectors.
The Corporate office is located at New Delhi, India with manufacturing, Installation
and Servicing units / divisions located geographically at various places.
BHELs operations are organized around business sectors to provide a strong
market orientation. Major business sectors are Power, Industry and International
operations.
Power Sector deals with Thermal, Industrial, Nuclear, Gas and Hydro business.
Power Sector Head Quarters is located at New Delhi, India with four Regional
Centers at Noida, KolKata, Nagpur and Chennai for providing closer contact and
speedy services to customers.
Power Sector Southern Region with its Headquarters at Chennai, Tamil Nadu, is
engaged in Installation and Servicing of Industrial and Power Plant equipment.
Installation and Servicing offered by this Region broadly include :
ies

, systems and structures.



conditions.
CEO-PSSR (Unit Head) reports to Director (Power), Corporate Office.
Top Management of the Unit consists of the Unit Head, General Managers and Directly
Reporting Officers (DROs) of the Unit Head. The various functions are as given
below:

- Information Technology
- Planning
- Commercial
- Project Management
- HR and Administration
- Vigilance
- Finance
- Subcontracts, Purchase & Stores
- Technical Services
- Quality
- HSE
- Site Operations
- SAS

The detailed organization chart of each department is maintained by the respective
department.
The IT Department of BHEL PSSR caters to the IT requirements of all functions listed above
and at all site locations of PSSR. The IT Department also takes the lead role in
maintaining the ISMS across PSSR and ensures that security requirements are
addressed in all operations, including internal operations, third party contracts, business
partners and all stakeholders.

External Context of the Organization

Bharat Heavy Electricals Limited, Siri Fort, New Delhi 110049 (India) is a Public
Sector Enterprise.
The establishment of BHEL in 1964 was a breakthrough for the upsurge in India's Heavy
Electrical Equipment industry. Consistent performance in a highly competitive
environment enabled BHEL to attain the coveted 'Maharatna' status in 2013.
The total installed capacity base of BHEL-supplied equipment, 138 GW in India,
speaks volumes about the contribution made by BHEL to the Indian power sector.
BHEL's 57% share in India's total installed capacity and 65% share in the country's
total generation from thermal utility sets (coal based) as of March 31, 2014 stand
testimony to this. The company has been earning profits continuously since 1971-72
and paying dividends since 1976-77, which is a reflection of the company's
commendable performance throughout.
BHEL also has a widespread overseas footprint in 76 countries, including Malaysia,
Oman, Libya, Iraq, the UAE, Bhutan, Egypt and New Zealand, with the cumulative
overseas installed capacity of BHEL-manufactured power plants nearing 10,000 MW.
In order to be transparent to Investors, the Financial Results including the latest
unaudited quarterly reports are published in the official BHEL corporate portal.
BHEL's contributions towards Corporate Social Responsibility till date include
adoption of villages, organising free medical camps/supporting charitable
dispensaries, schools for the underprivileged and handicapped children, providing
aid during disasters/natural calamities, providing employment to handicapped
and Ex-serviceman, rainwater harvesting, plantation of millions of trees, energy
saving and conservation of natural resources through environmental management.
Globally, the business scenario has been undergoing an unprecedented change
leading to evolution of innovative strategies. Organisations are increasingly
realising that their operations have a large impact on not only stakeholders like
employees, shareholders, suppliers, customers but also on members of public
sphere, communities and environment. It is considered to be the moral
responsibility for an organisation to take care of the surroundings and people
whose lives are being impacted by its operations.

4.2 Understanding the needs and expectations of interested parties

BHEL PSSR shall develop, implement, maintain and continually improve a
documented ISMS within the context of its overall business activities and risks
and the requirements of the interested parties. The needs and expectations of the
interested parties, namely the customers, vendors, contractors and other
stakeholders, are documented as per Security Requirements of Interested Parties -
ISMS-03/PS/030, and the list of interested parties is maintained as List of
Interested Parties - ISMS-04/PS/072.

4.3 Determining the scope of the information security management system

The boundaries of the ISMS in BHEL PSSR are defined in the following terms:

Physical Boundary: The physical boundary is defined as the PSSR HQ office location
at Chennai, the SAS office at Secunderabad and the site offices situated at current project
locations of PSSR which are connected to the BHEL MPLS cloud. The master list of
project locations covered under the physical boundary of the ISMS is maintained as List
of Active Sites - ISMS-04/PS/058.

Network Boundary: The network boundary is defined as the LAN at PSSR
HQ, SAS and site offices (as per List of Active Sites - ISMS-04/PS/058), with the
Internet Gateway at PSSR HQ and the MPLS Gateway at each location as its
interfaces.

External and Internal Issues: The external and internal issues considered in the
organizational context have been used to determine the scope.

Scope Statement:
The scope of the ISMS in BHEL PSSR includes all information and information
processing facilities, processes, resources and support services managed by BHEL
PSSR IT to provide information & communication services to BHEL PSSR, and to
ensure confidentiality, integrity and availability in the information services
extended to all interested parties.

4.4 Information Security Management System

BHEL PSSR shall develop, implement, maintain and continually improve a
documented ISMS within the context of its overall business activities and
risks. The ISMS of BHEL PSSR is based on the PDCA model as given below.


5. Leadership
This chapter presents the organizational initiative and commitment to effective
implementation and operation of ISMS. In addition, this chapter highlights the roles
and responsibilities associated with ISMS operation.

5.1 Leadership and Commitment

BHEL PSSR is committed to information security. The management has constituted
the BHEL PSSR Information System Security Forum, which is responsible for defining
and improving the ISMS.
Management provides evidence of its commitment to the establishment,
implementation, operation, monitoring, review, maintenance and improvement of the
ISMS as defined in the ISMS documentation, by
a) Ensuring implementation of the information security policy;
b) Ensuring that information security objectives and plans are established;
c) Establishing roles and responsibilities for information security and ensuring
that adequate resources are available for establishing and maintaining the ISMS;
d) Communicating to the organization the importance of meeting information
security objectives and conforming to the information security policy, its
responsibilities under the law and the need for continual improvement;
e) Ensuring that the desired outcomes are met after implementing the ISMS;
f) Directing and supporting persons to contribute to the effectiveness of the ISMS;
g) Promoting continual improvement of the ISMS;
h) Supporting other relevant roles as required.


5.2 Policy
The Corporate Information System Security Policy (ISMS-00/AA/001), approved by
the Chairman and Managing Director of BHEL, is the top level policy document for all
units / regions / divisions of BHEL. It has been published on the Corporate Intranet
portal and is available at all prominent locations in BHEL offices where the ISMS is
implemented. The unit level document, BHEL PSSR ISMS Manual - ISMS-01/PS/001, has
been published and communicated to all employees of BHEL PSSR
through the Intranet and mails, posters, training and induction programs.

5.3 Organizational Roles, Responsibilities and Authorities

5.3.1 HEAD - BHEL PSSR
- To approve the Information Security Management System as Chairman of the BHEL PSSR Information System Security Forum
- To appoint the ISSO, the Information System Security Forum and the security organization structure
- To review and approve objectives and targets
- To provide finance and resources to meet objectives and targets

5.3.2 INFORMATION SYSTEM SECURITY OFFICER (ISSO)
- Define specific roles and responsibilities for information security across BHEL PSSR
- Coordinate with the BHEL PSSR Information System Security Forum and the BHEL PSSR Information System Security Coordination Team on all activities identified as a part of group responsibility
- Organize security reviews and audits, with internal and external resources
- Ensure implementation and tracking of the ISMS plan
- Coordinate with the different security coordinators within the organization
- Organize management reviews of the ISMS
- Promote awareness amongst employees on the ISMS
- Review and prioritize significant information assets and security threats
- Appraise the Information System Security Forum of incidents
- Coordinate with the Corporate Information System Security Officer (CISSO)
- Carry out the RA and prepare the RTP
- Report to the Head of PSSR with respect to ISMS implementation
- Review and approve ISMS guidelines and procedures
- Assess training requirements on information security


5.3.3 BHEL PSSR INFORMATION SYSTEM SECURITY FORUM
- Review and approve the ISMS Manual and SoA
- Monitor the implementation of ISMS policies and procedures
- Review and approve the risk assessment and risk treatment plan, and accept residual risk
- Design and deliver the awareness program
- Evaluate, implement and ensure utilization of up-to-date security technology and techniques
- Review and monitor information security incidents
- Ensure the ISMS is in line with new legal, administrative and business requirements
- Ensure that security is part of the information planning process
- Decide specific methodologies and processes for information security, e.g. risk assessment, security classification system
- Drive the organization-wide information security initiative
- Assess new systems and services for security before absorbing them into the system, and identify and implement appropriate security controls

The Information System Security Forum will meet at least once a year to support
and supervise the activities of the ISSO, taking informed decisions. Together with the
ISSO, it will jointly be held responsible for achieving measurable progress. Progress
measurement metrics will be monitored to achieve continuous improvement.

5.3.4 BHEL PSSR INFORMATION SYSTEM SECURITY CORE TEAM
- Conduct the RA for all assets within their domains
- Prepare and implement the risk treatment plan
- Implement ISMS policies and procedures within their domains
- Provide necessary help in training and awareness of employees
- Review implementation status at defined intervals
- Ensure corrective and preventive actions for non-conformities / observations
- Provide technical support and assistance to the Information System Security Coordination Team for implementation of ISMS policies and procedures
- Assist the ISSO in preparation and review of the ISMS Manual, procedures, policies, guidelines and templates

5.3.5 BHEL PSSR INFORMATION SYSTEM SECURITY COORDINATION TEAM
- Implement ISMS policies and procedures within their functional area
- Identify and arrange for provision of training to employees, suppliers and contractors
- Ensure corrective and preventive actions for non-conformities / observations
- Responsible for the web content published within their functional area


The Information System Security Coordination Team will meet at least once a year
to maintain and monitor the status of implementation of the ISMS in their respective
domains.
In addition, the group helps reduce the risk of disruption of business operations by
providing advice on all aspects of security, including:

- Security Awareness
- Data Confidentiality and Privacy
- Logical Access
- Data Communications
- Systems and Data Integrity
- Physical Security
- Contingency and Disaster Recovery Planning
- Personnel and Procedural Controls

5.3.6 BHEL PSSR SITE IT COORDINATORS
- Implement ISMS policies and procedures for their respective site location
- Identify and arrange for provision of training to site employees
- Ensure corrective and preventive actions for non-conformities / observations for their respective domain

All Employees
All employees are expected to follow the security policy, processes and procedures
documented in the ISMS. The management is to ensure that the required awareness of the
ISMS is imparted.

Other Key Personnel
The roles, responsibilities and authorities of System Administrators, Network
Administrators, Application Developers, System Users etc. are detailed in Roles and
Responsibilities - ISMS-03/PS/007. The roles and responsibilities of the BCP team are
detailed in Annexure II of the Business Continuity Plan - ISMS-02-PS-BCP.


6. Planning
6.1 Actions to address risks and opportunities
6.1.1 General
The ISMS has been designed taking into consideration the context of the organization,
with reference to the external and internal issues, and to meet the needs and
expectations of interested parties.
An organizational set of policies to support the top-level policy has been put in
place. The organization selects and implements a set of controls to support the
ISMS policies. The selection of these is based on the following (but not limited to)
parameters:

- Legal and contractual requirements: IPR, data protection, the IT Act, safeguarding organizational records and contractual requirements.
- Business requirements: compliance with standards and security policy; outsourcing and use of third party contractors.
- Risk assessment requirements: security breaches, incidents, legislation, unauthorized access and environmental threats.

The BHEL PSSR Information System Security Forum provides guidelines to the Information
System Security Officer (ISSO) on the business requirements for the level of
assurance required for security of IT assets. Based on these guidelines, the ISSO
coordinates the risk assessment activity in the organization.

6.1.2 Information security risk assessment
The details of the Risk Assessment (RA) process can be referred to in Risk
Assessment Procedures - ISMS-03/PS/001.
The outputs of the RA process include:

- Risk Assessment Report
- Risk Treatment Plan (RTP)
- Statement of Applicability (with rationale for inclusion/exclusion)

6.1.3 Information security risk treatment
Based on the RA report, the ISSO prepares the RTP and SOA, which include the
selection of controls. The ISSO then obtains approval of the Information System
Security Forum for RTP implementation and acceptance of residual risk.

6.2 Information security objectives and planning to achieve them
BHEL PSSR has established the information security objectives at relevant
functions and levels. Refer Information Security Objectives - ISMS-03/PS/029.

7. Support
7.1 Resources
The management provides resources for the implementation, maintenance and review
of the ISMS. The resources include funds, tools, human resources and any other
resources that may be required for the efficient performance of the ISMS.
The ISSO evaluates resource requirements for improvements in security infrastructure
based on the RA and review / audit records. Based on these resource requirements, the
management approves / allocates the required resources.

7.2 Competence
Personnel who have experience and expertise in the application domain and in
information security concepts are assigned to manage the ISMS. Competency is built
through regular training courses in ISMS implementation and internal auditor
certification programmes.

7.3 Awareness
When the required levels of skill and expertise are not available, training is provided
to ensure skill / knowledge enhancement as per the organization's training process. ISMS
training is an integral part of the training curriculum of HRDD. Refer Training
Procedure - ISMS-03/PS/008. The training procedure covers:

- Identifying what training is needed, and how frequently, for specific positions.
- Identifying qualified individuals / agencies to conduct the training program.
- Organizing the training program.
- Maintaining attendance records, course outlines and course feedback of all trainings conducted.

BHEL PSSR maintains records of all training programs organized by it, as mentioned
in the Training Procedure - ISMS-03/PS/008.


7.4 Communication
For changes to be made in the existing ISMS, the ISSO consolidates the inputs, reviews
the ISMS for applicable improvements, prepares an action plan and communicates the
results to all interested / affected parties with a level of detail appropriate to the
circumstances. All improvements should be directed towards predefined organizational
business objectives.

The BHEL PSSR Information System Security Forum reviews the ISMS at least once a
year, or on an event-driven basis, for its effectiveness and possible improvements. This
review includes assessing opportunities for improvement and the need for changes to
the ISMS, including the Security Policy and information security objectives.
Management review of the ISMS is conducted in accordance with the ISMS
Review Procedure - ISMS-03/PS/004.
The inputs to the management review of the ISMS include, but are not limited to, the
following:

- Action items from previous ISMS reviews
- ISMS review / audit reports (internal and external)
- Results from effectiveness measurements
- Feedback from the members of the organization. The feedback could be in the form of incidents reported or change requests. A feedback form is published on the intranet for collecting feedback from the members of the organization.
- Techniques, products or procedures which could be used in the organization to improve ISMS performance and effectiveness
- Vulnerabilities and threats not adequately addressed or not identified in the previous risk assessment
- Changes (e.g. environmental) that could affect the ISMS
- Recommendations for the ISMS
- Organizational or business change

The output of the management review includes any decisions or actions taken in the
review meeting. The decisions or actions could be in the form of:

- Improvement of the effectiveness of the ISMS
- Modification of existing procedures to respond to internal or external events that may impact the ISMS. The external or internal events may be in the form of:
  o Change of business requirements
  o Change of security requirements
  o Improvements
  o Changes in regulatory or legal requirements
  o Changes in the level of acceptability of risks
  o Customer specific requirements


The results of the reviews are clearly documented. The ISSO communicates output of
the review and the action plan to the Head - BHEL PSSR, the Information System
Security Forum and the Co-ordination Team members through Email.

7.5 Documented Information


7.5.1 General
The documentation structure is as detailed below:

Corporate Information System Security Policy (ISMS-00)
ISMS Manual (ISMS-01)
Policies & Guidelines (ISMS-02)
Procedures and Processes (ISMS-03)
Templates and Forms (ISMS-04)

The components of ISMS Documentation are:


Level - 0 Corporate Information System Security Policy (ISMS-00): It is the top-level security policy of BHEL.
Level - 1 ISMS Manual (ISMS-01): This document includes the requirements of the ISO
27001 standard and describes how the defined ISMS meets those requirements. The
document details the organization's approach towards management and
implementation of the ISMS.
Level - 2 Policies & Guidelines (ISMS-02): A complete set of supporting technical
policies and guidelines as identified and defined by the organization, within the
scope of the ISMS.
Level - 3 Procedures and Processes (ISMS-03): Contains the processes and procedures
required to implement and support the defined policies & guidelines.
Level - 4 Templates and Forms (ISMS-04): Organizational standard
templates/forms used in the processes / procedures. These are used to streamline the
operation of the ISMS and form the basis for records.

7.5.2 Creating and Updating


The procedure for creation and update of documented information related to ISMS is
per Document Control Process- ISMS-03/PS/005.

7.5.3 Control of Documented Information


All documents related to ISMS requirements are controlled as per Document
Control Process - ISMS-03/PS/005. This includes:
- Review and approval of documents prior to issue / use
- Update, review and approval of necessary changes in controlled documents
- Availability of current revisions of necessary documents
- Withdrawal of obsolete documents from all points of issue or use, to guard
  against unintended use
All security documents are available on the intranet for reference and use on a
need-to-know basis. This excludes all documents related to the
Business Continuity Management Process.

7.5.3.1 Control of Records


Records are identified within each procedure in the ISMS to provide evidence of
conformance to requirements and effective functioning of the Information System
Security Forum. The detailed list of records with record name, record location, owner
and retention period is controlled at List of Records ISMS-04/PS/027.
Organization ensures proper housekeeping of all the relevant records as per Record
Control Process - ISMS-03/PS/006.

8. Operation
8.1 Operation Planning and Control
BHEL PSSR ensures effective implementation of actions determined on the basis of
Risk Analysis. The controls and control objectives are derived from ISO 27001:2013
standard. Only controls applicable to achieving the security objectives of BHEL PSSR
have been selected in the SOA and the same have been addressed in the subsequent
chapters of this manual.

8.2 Information Security Risk Assessment


The details of the Risk Assessment process can be referred from Risk Assessment
Procedures - ISMS-03/PS/001.

8.3 Information Security Risk Treatment


Based on the outcome of the Risk Assessment, the Risk Treatment Plan is derived
and the ISSO ensures its implementation. The results of the Risk Treatment
Plan are also documented as per Risk Assessment Procedures - ISMS-03/PS/001.

9. Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation
BHEL PSSR ensures that the security requirements have been met by
measurement of the effectiveness of the selected controls. Refer Procedure for
Measurement of Effectiveness of Controls - ISMS-03/PS/024.

9.2 Internal Audit


Internal ISMS audits are conducted once a year to verify adherence to the ISMS.
The audits are conducted to ensure that the ISMS:
- Conforms to the requirements of the ISO 27001 standard
- Ensures compliance with relevant legal, statutory and contractual requirements
- Is effectively implemented and maintained
- Performs as expected


Security audits are conducted in accordance with the procedure Internal Audit
Procedure - ISMS-03/PS/003. Audits are conducted by trained personnel who do not
have direct responsibility for the activity being audited. The ISSO, with the help of
HODs, ensures that any non-conformance found is closed. The ISSO is responsible for
planning, scheduling, organizing and maintaining records of these audits.

9.3 Management Review


BHEL PSSR Information System Security Forum reviews the ISMS at least once in a
year, or on an event-driven basis, for its effectiveness and possible improvements. This
review includes assessing opportunities for improvement and the need for changes to
the ISMS, including the Security Policy and Information Security objectives.
Management review of the ISMS is conducted in accordance with the procedure ISMS
Review Procedure - ISMS-03/PS/004.
The results of the reviews are clearly documented and records maintained as specified
in Section 7.4 in this document. The ISSO prepares an annual review plan and
communicates the same to the BHEL PSSR Information System Security Forum.

10. Improvement
This chapter presents the organization approach to the continual improvement of the
ISMS.

10.1 Nonconformity and Corrective Action


The ISSO compiles all inputs identified for improvements and prepares an
Improvement Plan with the help of the BHEL PSSR Information System Security
Forum. This plan is presented to the management for approval and resource
allocation. The plan is created, implemented, and tracked. Refer Procedure on
Corrective and Preventive Actions - ISMS-03/PS/009.

10.2 Continual Improvement


The ISSO is responsible for continual improvement of the ISMS for suitability and
effectiveness.
Inputs to continual improvement can be:
- Change in security policies and objectives
- Audit / review reports
- Incident reports
- Analysis of monitored events
- Corrective and preventive actions
- Business changes
- Environmental change (new threats and vulnerabilities)
- Best practices of industry

ISMS Controls
This chapter describes the selection and implementation of controls by the
organization. In addition, the selection of controls presents the applicability of the
controls suggested by the standard to the organization.
The control objectives and controls listed in this chapter are directly derived from the
ISO/IEC 27001:2013 standard, based on the guidelines in Section 6.1.3 of this
document. Only controls applicable to BHEL PSSR have been mentioned and
addressed in this chapter. Controls that are applicable to BHEL PSSR, and exclusions,
have been explained in detail in the Statement of Applicability. Refer BHEL PSSR
SOA - ISMS-01/PS/003.

A.5 Information Security Policies


A.5.1 Management direction for Information Security
Control Objective: To provide management direction and support for information
security.

A.5.1.1 Information Security Policy Document


A Corporate Information System Security Policy (ISMS-00/AA/001) document
has been created and approved by the management. The BHEL PSSR ISMS Manual
- ISMS-01/PS/001 has been published and communicated to all employees of BHEL
PSSR through the intranet, e-mails, posters, training and induction programs.

A.5.1.2 Review of the information security policy


ISSO is responsible for the creation, maintenance and update of the BHEL PSSR ISMS
Manual. The BHEL PSSR Information System Security Forum approves the manual
prior to release. The review and evaluation of ISMS Manual is conducted at least once
in a year. The review guidelines state that the policy is to be reviewed for its
effectiveness, compliance to business process, and compliance to technology changes.


A.6 Organization of Information Security


A.6.1 Internal Organization
Control Objective: To manage information security within BHEL PSSR

A.6.1.1 Information Security Roles and Responsibilities


The BHEL PSSR Information System Security Forum is responsible for developing,
updating and communicating ISMS policies and procedures to all employees. This
forum is headed by the Head of BHEL PSSR and includes senior executives from
different domains. The details of the organizational security structure and responsibilities
of the Information System Security Forum are mentioned in Section 5.3.3. However,
the responsibility for implementing the ISMS and controls is assigned to Core Team
members and Information System Security Coordination Team members. All
employees are expected to follow the security policy, processes and procedures
documented in the ISMS. The management is to ensure that the required awareness on
the ISMS is imparted.

A.6.1.2 Segregation of duties


In the organization, duties have been segregated in order to reduce the risk of
accidental or deliberate system misuse. Different individuals are responsible for their
respective areas, and proper controls exist to address the possibility of fraud going
undetected in areas of single responsibility. Different areas and associated
responsibilities are defined as per Roles and Responsibilities - ISMS-03/PS/007.

A.6.1.3 Contact with authorities


The IT department shall maintain appropriate contact with the following authorities:
- Internet Service Provider (ISP)
- Hardware vendor
- Telecom services department
- Antivirus and software vendors
HR shall maintain contact with the following agencies:
- Electricity services department
- Local agencies like police, fire and hospitals
- Regulatory authorities
This is necessary to ensure that appropriate actions can be taken promptly and advice
obtained in the event of any security incident. The contact list is available with all
concerned staff. Refer Format Contact List of External Agencies - ISMS-04/PS/042.

A.6.1.4 Contact with special interest groups


Information security advice is obtained from OEM vendors, legal advisors and
technical experts on security matters to maximize the effectiveness of the
organization's ISMS. Besides the above, the ISSO, in close coordination with the BHEL PSSR
Information System Security Forum, is the main source of advice for all security
issues. All security incidents and breaches are reported to the ISSO for necessary
corrective and preventive actions.

A.6.1.5 Information security in Project Management


BHEL PSSR ensures that security controls are implemented in all projects. For system
development projects refer Policy on System Development & Maintenance - ISMS-02/PS/015, and for changes to existing operations refer Change Management
Procedure - ISMS-03/PS/016.

A.6.2 Mobile devices and teleworking


Control Objective: To ensure the security of teleworking and use of mobile devices.
A.6.2.1 Mobile device policy
BHEL PSSR has well defined policy and guidelines on the use of laptops. Refer
Procedure on Laptop Handling - ISMS-03/PS/018.
A.6.2.2 Teleworking
BHEL PSSR has identified security requirements that have to be addressed before
giving employees / customers access to the organization's information or
assets. All teleworkers are given restricted access as per the requirement, and
physical security at the teleworking site is ensured by implementing suitable controls.

A.7 Human Resource Security


A.7.1 Prior to employment
Control Objective: To ensure that employees, contractors and third party users
understand their responsibilities, and are suitable for the roles they are considered
for, and to reduce the risk of theft, fraud or misuse of facilities
A.7.1.1 Screening
Background verification checks are carried out on all candidates prior to employment
in accordance with the HR Policy of BHEL, and there is a documented Personnel
Manual.
A.7.1.2 Terms and conditions of employment


All employees of BHEL, at the time of joining, are required to agree to Terms and
Conditions of employment as detailed in the Personnel Manual.
A.7.2 During employment
Control Objective: To ensure that all employees, contractors and third party users
are aware of information security threats and concerns, their responsibilities and
liabilities, and are equipped to support organizational security policy in the course of
their normal work, and to reduce the risk of human error.
A.7.2.1 Management Responsibilities
The management of BHEL PSSR ensures that employees, contractors and third party
users apply security measures in accordance with the established policies and
procedures of the organization.
A.7.2.2 Information Security awareness, education and training
BHEL PSSR must ensure that all the employees and the relevant external parties are
made aware of their security responsibilities. This will be ensured through awareness
training and job roles and responsibilities. BHEL PSSR in association with HRDD
ensures that all BHEL PSSR personnel are imparted ISMS related training. A training
module on Information security policies is an integral part of HRDD training programs.
Refer Training procedure - ISMS-03/PS/008.

A.7.2.3 Disciplinary process


Any violation of the signed documents is considered a disciplinary offence and as
such acts as a deterrent to employees who might otherwise be inclined to disregard
security procedures. The procedure shall ensure correct, fair treatment for employees
who are suspected of committing serious or persistent breaches of security. The
Conduct, Disciplinary and Appeal (CDA) rules of BHEL address the disciplinary
process to be followed for violation of the policies of the organization.
A.7.3 Termination and change of employment
Control objective: To ensure that employees, contractors and third party users exit
BHEL PSSR in an orderly manner
A.7.3.1 Termination responsibilities
The HR Department is responsible for defining and communicating the termination
responsibilities, taking into consideration the information security and legal aspects.
Refer Personnel Manual.


A.8 Asset Management


A.8.1 Responsibility for assets
Control Objective: To maintain appropriate protection of organizational assets.
A.8.1.1 Inventory of assets
Organizational assets have been categorized as:
- Physical: Includes computer equipment (CPU, peripherals etc.) and communication
  equipment (routers, switches, etc.).
- Software: Includes various application programs, operating systems, system
  software, development tools and utilities.
- Information: Databases, data files, archived information, system documentation.
- Services: Include communication services and general utilities like power, AC etc.
An inventory of all assets is maintained by the IT department in the form of Asset
Register - ISMS-04/PS/002. BHEL maintains appropriate protection of the
organizational assets. It aims at implementing appropriate controls for ensuring the
confidentiality, integrity and availability of assets.
A.8.1.2 Ownership of assets
All IT assets in BHEL PSSR have a single owner, who manages the asset. The asset
owner may delegate his responsibility to the user of the asset. The ultimate
responsibility of the security of the asset rests with the owner, who monitors the use
of the asset by users, and ensures that no security breaches occur.
A.8.1.3 Acceptable use of assets
All employees, contractors and third party users should follow the rules for the
acceptable use of information and assets associated with information processing
facilities, including:
a) Rules for electronic mail and Internet usage - refer Email Policy - ISMS-02/PS/006 and Internet Policy - ISMS-02/PS/011
b) Guidelines for the use of mobile devices, especially for use outside the
premises of the organization - refer Guidelines on Use of Desktop/Laptop
Systems - ISMS-02/PS/003
A.8.1.4 Return of assets
All employees leaving the services of BHEL PSSR are required to surrender the assets
issued to them and obtain a No Dues certificate. The IT department ensures that all
employees, contractors and third party users return all IT assets upon
termination of employment or change of employment. Refer Procedure for
Return of IT Assets - ISMS-03/PS/027.

A.8.2 Information Classification


Control Objective: To ensure that information assets receive an appropriate level of
protection
A.8.2.1 Classification of information
BHEL PSSR adopts four levels of classification of information. The classification of
information is documented as per the Information Classification, Labelling and
Handling Guidelines - ISMS-02/PS/001.
A.8.2.2 Labelling of information
The guidelines for labelling and handling of information are documented and available
under the Information Classification, Labelling and Handling Guidelines - ISMS-02/PS/001.
A.8.2.3 Handling of assets
The handling of assets is documented as per the Information Classification,
Labelling and Handling Guidelines - ISMS-02/PS/001.

A.8.3 Media Handling


Control Objective: To prevent unauthorized disclosure, modification, removal or
destruction of assets and interruptions to business activities
Use of portable media makes business information and information assets highly
vulnerable to theft, loss and mishandling. In order to protect information and related
assets from these threats, BHEL PSSR has implemented appropriate controls.
A.8.3.1 Management of removable media
All media should be stored in a safe, secure environment, in accordance with
manufacturers' specifications. The organization has a defined procedure for the
management of computer media containing sensitive data. Refer Procedure on
Media Handling and Security - ISMS-03/PS/014.
A.8.3.2 Disposal of media
BHEL PSSR has a defined procedure for the disposal of computer media. The handling
of tapes, CDs and hard disks has been covered in Procedure on Media Handling
and Security - ISMS-03/PS/014.
A.8.3.3 Physical media transfer
Backup media being transported from one location to another is protected from
unauthorized access, misuse and corruption by sending it through a trusted BHEL
employee with proper authorization and adequate protection. Media like CDs and floppies
are sent only through authorized couriers.


A.9 Access Control


A.9.1 Business requirements of access control
Control Objective: To limit access to information and information processing facilities.
A.9.1.1 Access control policy
BHEL PSSR has implemented access control to information based on the business
requirements, on a need-to-know basis. A well-documented access control policy and
procedures are in place. Refer Business Requirement for Access Control - ISMS-02/PS/009.
A.9.1.2 Access to networks and network services
The access to internal and external network of the BHEL PSSR is controlled. This
includes any direct access to services that are business critical to users within the
domain, and direct access to network from users in high-risk location like users
through Internet. Users shall only have direct access to the services that they have
been specifically authorized to use. A defined and documented policy for use of
network services exists. Refer Network Management Policy - ISMS-02/PS/005.
A.9.2 User Access Management
Control Objective: To ensure that access rights to information systems are
appropriately authorized, allocated and maintained. Access to network resources has
to be managed properly at all levels.
A.9.2.1 User registration and de-registration
BHEL PSSR has a well-defined policy and procedure for managing user access to all
information systems and services. Refer Policy on User Management - ISMS-02/PS/010.
A.9.2.2 User access provisioning
The allocation and revocation of user access rights is restricted and controlled and is
covered under Policy on User Management - ISMS-02/PS/010.
A.9.2.3 Management of privileged access rights
The allocation and use of privileges is restricted and controlled. Any privilege given
on any system in the organization is covered under Policy on User Management - ISMS-02/PS/010.
A.9.2.4 Management of secret authentication information of users
BHEL PSSR has a well-defined password policy and guidelines. Refer Policy on User
Management - ISMS-02/PS/010.
A.9.2.5 Review of user access rights


The access rights of general users are reviewed every six months. It is the responsibility
of the System Administrator to review the access rights and the review reports will be
ratified by the concerned HOD. Records will be maintained as per format Review of
User Rights ISMS-04/PS/046. The concerned department coordinator will send
the transfers / additions information to IT Department for review.
A.9.2.6 Removal or adjustment of access rights
The access rights of all employees, contractors and third party users to information
processing facilities should be removed upon the termination of employment or change
of employment. All user accounts pertaining to the individual should be removed. If
the individual has known passwords for accounts that need to remain active, the
password has to be changed.

A.9.3 User Responsibilities


Control Objective: To make users accountable for safeguarding their authentication
information
A.9.3.1 Use of secret authentication information
BHEL PSSR has instructed its employees to follow good security practices in the selection
and use of passwords.
For detailed guidelines on password selection and handling refer User
Guidelines - ISMS-02/PS/018.

A.9.4 System and Application Access Control


Control Objective: To prevent unauthorized access to systems and applications
A.9.4.1 Information access restriction
All applications developed in-house which contain information have incorporated a
uniform access control mechanism, which provides users with the required level of
access. Additional privileges are given based on proper authorization from the
information owner. Refer Business Requirement for Access Control - ISMS-02/PS/009.
A.9.4.2 Secure log-on procedures
All user machines are accessible through a user name and password. These are
assigned to each authorized user and are unique in nature. Unauthorized access is
not permitted. Refer Operating System Access Controls Procedure - ISMS-02/PS/012.

A.9.4.3 Password management system


BHEL PSSR has a well-defined password policy and access management process.
Refer Policy on User Management - ISMS-02/PS/010.
A.9.4.4 Use of privileged utility programs
All system utility programs, which impact the operations of the systems, are installed
with controlled access to administrative accounts. Use of system utilities is controlled.
A.9.4.5 Access control to program source code
Only the project team has access to the program source code in the project. Refer
Policy on System Development & maintenance - ISMS-02/PS/015.

A.10 Cryptography
Not applicable as per SoA- Refer: BHEL PSSR SoA - ISMS-01/PS/003

A.11 Physical and Environmental Security


A.11.1 Secure Areas
Control Objective: To prevent unauthorized physical access, damage, and
interference to business premises and information.

A.11.1.1 Physical security perimeter


BHEL PSSR has a well-defined policy on physical security and a procedure on physical
access control. BHEL PSSR has implemented different security barriers to check
access to each of the following zones.
Zone 1:
Zone 1 comprises secured areas like:
- Server room
- Cabins of top management
Access to specific / secure areas of concern, viz. server rooms, is monitored through a
proper authorization process.
Zone 2:
Zone 2 comprises the office desk area.
Access to these areas is restricted by visitor pass for visitors and identity card for
employees.
Zone 3:
Zone 3 comprises the reception desk and open / public areas in the office premises.
Access to these areas in the company premises is monitored by security personnel.
The organization layout and the security zones are documented as per Procedure on
Physical and Environmental Security - ISMS-03/PS/013.

A.11.1.2 Physical entry controls


Secured areas are protected by appropriate entry controls to ensure that only
authorized personnel are allowed access. The procedure for identification of visitors and employees
for access into the area of BHEL PSSR's information processing facilities
is defined in Procedure on Physical and Environmental Security - ISMS-03/PS/013.

A.11.1.3 Securing offices, rooms, and facilities


BHEL PSSR has taken the following security measures:
- An appropriate number of security personnel is deployed.
- All visitors and contract staff are required to report for security check-in and
  check-out formalities.
- Entry is restricted to authorized personnel as per the Procedure on Physical
  and Environmental Security - ISMS-03/PS/013.
- Each workstation, cubicle and cabin is provided with storage space, with lock
  and key arrangement, to keep official documents / company classified
  information belonging to the employee of the workspace.
- Employees working before / after office hours and on holidays shall inform the
  Vigilance & Security Department, and relevant records are maintained.
- Access to the server room is restricted to authorized IT personnel only. Third
  party personnel who need to work in the server room will be escorted by
  authorized personnel, and the presence of authorized personnel is a must for
  any work to be carried out.

A.11.1.4 Protecting against external and environmental threats


BHEL PSSR has installed fire-fighting equipment in all areas within the premises and
performs regular maintenance checks of this equipment. Refer Procedure on
Physical and Environmental Security - ISMS-03/PS/013.

A.11.1.5 Working in secure areas

- Unsupervised work by external parties within the server room will be strictly
  prohibited for safety reasons.
- Personnel shall only be aware of the existence of, or activities within, a secure
  area on a need-to-know basis.
- Eating and consuming other food products will be strictly prohibited in secure
  areas.
- Photographic, video, audio or other recording equipment should not be allowed
  unless authorized.

A.11.1.6 Delivery and loading areas


Access to public areas within the organization premises is strictly monitored by
security personnel. The delivery and handling of materials is strictly under the
authorization control with material gate pass. Without proper gate pass, no material
is allowed to enter or leave the premises.

A.11.2 Equipment Security


Control Objective: To prevent loss, damage, theft or compromise of assets and
interruptions to business activities.

A.11.2.1 Equipment siting and protection


All equipment is physically protected from security threats and environmental
hazards by positioning it in secure areas. Only authorized personnel can enter
secured areas. The controls are adopted to minimize the risk of potential security
threats. The following practices are being followed in the organization:
- Business critical equipment is fully secured under lock and key.
- Fire and smoke alarms are deployed appropriately.
- The information processing and storage facilities are fully secured.
- Users are not allowed to drink, eat or smoke in the server room.
- Temperature and humidity levels are continuously monitored and maintained.
- Power equipment is periodically serviced and checked.
- Backup data cartridges are kept offsite.
The procedure for maintaining proper temperature and humidity is provided as per
Procedure on Physical and Environmental Security - ISMS-03/PS/013.

A.11.2.2 Supporting utilities


In BHEL PSSR, all electrical equipment is protected from power failure and other
electrical anomalies. Arrangements are made to provide uninterrupted power supply
(UPS) to all critical information processing facilities. UPS units are maintained as per the
OEM's instructions and are covered under an AMC contract. The overall load on the UPS is
maintained at less than 60% of its capacity. The backup time of the UPS when on battery
is monitored, and systems will be shut down when the backup time falls below 30
minutes. Lightning protection is provided to the building. DG sets are turned on in
case of failure or routine power cuts. Emergency lights are also available all over the
premises to provide visibility in case of any emergency or power failure.
A.11.2.3 Cabling security


The data cables are well protected and isolated in order to protect them from interception
and damage. All cables (data, telecommunication and electrical) are laid using
proper conduits in order to protect them from external damage. Power cables and
network cables are well separated to prevent any interference. The cable layout
diagram is available with the administrator. The guidelines to be followed while
laying cables are given in the Network Management Policy - ISMS-02/PS/005.

A.11.2.4 Equipment maintenance


All equipment in BHEL PSSR is correctly maintained to ensure its
continued availability and integrity. Adhering to the following steps ensures this:
- All equipment is maintained in accordance with the OEM's recommendations
  for service intervals and specifications.
- All critical equipment is covered under AMC.
- All UPS units are under regular preventive maintenance.

A.11.2.5 Removal of assets

All equipment taken out of the company premises follows a proper authorization
process. A gate pass is to be signed by the authorized person before any equipment is
taken out of the premises. Equipment, media and baggage that visitors wish to take
outside the premises is checked by the security staff. Bags of employees and visitors
are checked at random while entering or leaving the premises.

A.11.2.6 Security of equipment and assets off-premises

The person carrying equipment outside the premises is responsible for the security
of that equipment. BHEL PSSR has documented Guidelines on use of Desktop and
Laptop Systems - ISMS-02/PS/003.
a) Equipment and media taken off the premises shall be authorized and shall
not be left unattended in public places. Portable computers shall be carried as
hand luggage and disguised where possible when travelling.
b) Manufacturer's instructions for protecting equipment shall be observed at all
times.
c) Adequate insurance cover should be in place to protect equipment off site.
d) The IT department authorizes any material going out of the premises and
maintains the records.

A.11.2.7 Secure disposal or re-use of equipment

Information held on equipment is removed or erased before the equipment is disposed
of or re-used. All defective computer media to be disposed of is destroyed completely and
all relevant information is made irrecoverable as per the Procedure on Media Handling and
Security - ISMS-03/PS/014 and the Procedure on Disposal of Computer Equipments
- ISMS-03-PS-026.

A.11.2.8 Unattended user equipment

Users shall do the following when away from their desk:
a) Terminate active sessions when finished.
b) Log off from servers when the session is finished.
c) Secure PCs or terminals from unauthorized access by a key lock or an
equivalent control (e.g. a password-protected lock) when not in use.
d) Laptop users should close the laptop lid before leaving the desk.

A.11.2.9 Clear desk and clear screen policy

Personal computers are not left logged on when not in use and are protected by
passwords. The idle time after which a machine locks automatically is set to
15 minutes through the Domain Controller. Clear desk means that sensitive or
classified information at Level 3 and Level 4 (as per the Information Classification,
Labelling and Handling Guidelines - ISMS-02/PS/001) is stored in suitable
locked cabinets when not in use or when the user is away from the desk. Printed
documents are to be cleared from printers immediately.

A.12 Operations Security

A.12.1 Operational procedures and responsibilities
Control Objective: To ensure the correct and secure operation of information
processing facilities.

A.12.1.1 Documented operating procedures


BHEL PSSR has a set of defined procedures for information processing facilities.
Documented operating procedures for management and operation (including
housekeeping activities) of information processing facilities are established. All
documented operating procedures are approved by IT Head. Refer Server Room
Procedures - ISMS-03/PS/015. A Master list of documents is maintained. Refer ISMS-04/PS/026.

A.12.1.2 Change management

Any change to the IT infrastructure or software is controlled through a well-defined
procedure owned by the ISSO. Before any operational change is made to the IT
infrastructure of the organization, a risk assessment and impact analysis are conducted
as per the Change Management Procedure - ISMS-03/PS/016.

A.12.1.3 Capacity management

The IT head of BHEL PSSR is responsible for advance planning and preparation to
ensure the availability of adequate capacity and resources, which reduces the risk of
system overload. It is the responsibility of the individual administrators to anticipate
capacity demands in their domain so that the required capacity can be arranged in
time, minimizing the risk of failure due to lack of capacity and ensuring the continuous
availability of operational systems. Utilization of existing resources is monitored
regularly. For details, refer to the Authorization Procedure for Procurement &
Deployment - ISMS-03/PS/010. A capacity plan is developed and is approved or
revised at least once a year by the BHEL PSSR Information System Security Forum.

A.12.1.4 Separation of development, testing and operational facilities

The development and operational activities are separated. There are separate servers
for development and operational systems. The software development procedure
involves various steps in which different teams are involved at various stages, including
the migration of software from the development to the operational environment.

A.12.2 Protection from malware

Control Objective: To ensure that information and information processing facilities
are protected against malware

A.12.2.1 Controls against malware

Precautions are required to detect and prevent the introduction of malware. Software
and information processing facilities are vulnerable to the introduction of malware such
as computer viruses, network worms, Trojan horses and logic bombs. BHEL PSSR
has implemented several controls to address the threat:
a) BHEL PSSR has a policy for prevention against malicious software. Refer
Protection against malicious software - ISMS-02/PS/002.
b) BHEL PSSR has a policy for the use of networks or any other medium as a
preventive measure against virus attacks. Refer Network Management Policy
- ISMS-02/PS/005.
c) Virus attacks and software malfunctions due to malicious software are treated
as security incidents and handled as per the Incident Management
Procedure - ISMS-03/PS/002.
d) To prevent loss of data due to malicious software, regular backups of critical data
are taken as per the Housekeeping Policy - ISMS-02/PS/004.

A.12.3 Backup
Control Objective: To protect against loss of data
A.12.3.1 Information backup
Backups of essential business information are taken regularly. BHEL PSSR has a
well-defined policy and procedures for information backup and restoration. Refer
Housekeeping Policy - ISMS-02/PS/004.

A.12.4 Logging and Monitoring

Control Objective: To record events and generate evidence
A.12.4.1 Event logging
BHEL PSSR has a defined policy for recording event logs of user activities, exceptions,
faults and information security events. All systems are monitored to detect deviations
from the access control policy. This audit trail serves as evidence in case of a security
breach and is the basis for any action. Audit logs are maintained on servers and
record, at a minimum, the user ID, date and time of log-on and log-off, failed login
attempts and terminal location. Refer Policy on Monitoring System Access and
Use - ISMS-02/PS/013.
A.12.4.2 Protection of log information
BHEL PSSR ensures that logging facilities and log information are protected against
tampering and unauthorized access.
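One concrete way to make log information tamper-evident, as required above, is to chain every record to its predecessor with a keyed MAC so that an altered, removed or reordered record breaks the chain. The code below is an added example and not BHEL PSSR's log protection mechanism; the key, the three sample records and the tampering scenarios are constructed for illustration.

```python
"""Tamper-evident audit log: each record carries an HMAC that chains to the
previous record, so modification, deletion or reordering is detectable.

Added example, not BHEL PSSR's own mechanism.  Key, records and the demo
scenarios are constructed assumptions.
"""
import copy
import hashlib
import hmac
import json

GENESIS_MAC = "0" * 64   # chain anchor for the first record


def _record_mac(key, prev_mac, seq, record):
    """HMAC-SHA256 over previous MAC, sequence number and canonical record."""
    payload = (prev_mac.encode() + seq.to_bytes(8, "big")
               + json.dumps(record, sort_keys=True, separators=(",", ":")).encode())
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(chain, key, record):
    """Append a record to the chain (a list of entries) and return the entry."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS_MAC
    seq = len(chain)
    entry = {"seq": seq, "record": record,
             "mac": _record_mac(key, prev_mac, seq, record)}
    chain.append(entry)
    return entry


def verify_chain(chain, key, expected_last_mac=None):
    """Return (True, None) if intact, else (False, index of first bad entry).

    The chain alone cannot show that trailing records were cut off; pass the
    last MAC recorded out of band (e.g. on a separate log server) to catch that."""
    prev_mac = GENESIS_MAC
    for i, entry in enumerate(chain):
        expected = _record_mac(key, prev_mac, i, entry["record"])
        if entry["seq"] != i or not hmac.compare_digest(entry["mac"], expected):
            return False, i
        prev_mac = entry["mac"]
    if expected_last_mac is not None and not hmac.compare_digest(prev_mac, expected_last_mac):
        return False, len(chain)
    return True, None


def demo():
    """Build a three-record chain and show which tampering each check catches."""
    key = b"constructed demo key; in practice held on the log server only"
    chain = []
    for rec in [
        {"user": "u1234", "event": "LOGON", "terminal": "T-HR-01"},
        {"user": "u2210", "event": "LOGON_FAILED", "terminal": "T-FIN-07"},
        {"user": "u1234", "event": "LOGOFF", "terminal": "T-HR-01"},
    ]:
        append_record(chain, key, rec)

    modified = copy.deepcopy(chain)
    modified[1]["record"]["event"] = "LOGON"       # rewrite a failure as success
    deleted = copy.deepcopy(chain)
    del deleted[1]                                  # remove the failure entirely
    truncated = chain[:-1]                          # drop the newest record

    return {
        "intact": verify_chain(chain, key),
        "modified": verify_chain(modified, key),
        "deleted": verify_chain(deleted, key),
        "truncated_chain_only": verify_chain(truncated, key),
        "truncated_with_anchor": verify_chain(truncated, key, chain[-1]["mac"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats the demo makes visible: truncation at the tail is only caught when the latest MAC is periodically recorded somewhere the log writer cannot reach, and anyone holding the HMAC key can rebuild a consistent chain, so the key must not be available on the host that generates the events (a per-period key rotation or a digital signature from the log server addresses that).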
A.12.4.3 Administrator and operator logs
Administrator activity and system-generated messages are logged and periodically
analyzed to identify tasks that should be performed proactively to improve system
performance or to avoid failure. Operational staff maintain a log register of their
operational and maintenance activities. System startup, shutdown, reboot, errors and
the corrective actions taken are logged. The System Administrator regularly analyzes
operator logs for preventive action.
A.12.4.4 Clock synchronization
The correct setting of critical computer clocks is important and carried out to ensure
the accuracy of audit logs, which may be required for investigation or as evidence in
legal or disciplinary cases. Refer Server Room Procedures - ISMS-03/PS/015.

A.12.5 Control of Operational Software

Control Objective: To ensure the integrity of operational systems
A.12.5.1 Installation of software on operational systems
Software installation is carried out in a secure manner by restricting who may install
software or applications on operational systems. Refer Procedure on Control of
Operational Software - ISMS-03/PS/028.

A.12.6 Technical Vulnerability Management

Control Objective: To reduce risks resulting from exploitation of published technical
vulnerabilities
A.12.6.1 Management of technical vulnerabilities
All PCs in the BHEL PSSR network are checked for technical vulnerabilities by an
automatic patch deployment system, which deploys vulnerability patches automatically
after approval by the administrator. All servers are regularly checked for compliance
with security implementation standards. Technical compliance checking involves
examination of the OS to ensure that hardware and software have been correctly
implemented. No unapproved software is used for checking technical compliance. The
IT head takes the help of internal or external specialists for technical compliance
checks by means of Vulnerability Assessment (VA) and Penetration Testing (PT).
Refer Technical Compliance Procedure - ISMS-03/PS/019.

A.12.6.2 Restrictions on software installation


Users are not permitted to install software on their desktops. The requirement of
software is communicated to IT Department with due approval and IT Department
takes appropriate action.
A.12.7 Information systems Audit Considerations
Control Objective: To maximize the effectiveness of and to minimize interference
to/from the system audit process.
A.12.7.1 Information systems audit control
BHEL PSSR has a defined procedure for conducting security reviews and audits. Refer
Technical Compliance Procedure - ISMS-03/PS/019.

A.13 Communications Security


A.13.1 Network Security Management
Control Objective: To ensure the protection of information in networks and its
supporting information processing facilities.
A.13.1.1 Network controls
Access to the internal and external networks of BHEL PSSR is controlled. This
includes direct access to business-critical services by users within the domain, and
direct access to the network from users in high-risk locations, such as users connecting
through the Internet. Users shall only have direct access to the services that they have
been specifically authorized to use. A defined and documented policy for use of
network services exists. Refer Network Management Policy - ISMS-02/PS/005.
A.13.1.2 Security of network services
BHEL PSSR ensures that the security features, service levels and management
requirements of all network services are identified and included in the network service
level agreement.
A.13.1.3 Segregation in networks
The network is segregated as per the policy defined in the Network Management Policy - ISMS-02/PS/005.

A.13.2 Information Transfer

Control Objective: To prevent loss, modification or misuse of information exchanged
within the organization and with any external agency.
A.13.2.1 Information transfer policies and procedures
Information is exchanged through several modes of communication such as email, file
transfer, fax and voice. Refer Email Policy - ISMS-02/PS/006 and Internet Policy -
ISMS-02/PS/011 for policies on protection of sensitive information exchanged
through email and the Internet. Refer User Guidelines - ISMS-02/PS/018 for guidelines
outlining the acceptable use of electronic communication facilities and best practices
to be adopted for secure information exchange.
A.13.2.2 Agreements on information transfer
For outsourced application development, formal agreements are in place for the exchange
of information and software. Third-party agencies are required to sign an NDA as per
the terms of the contract.
A.13.2.3 Electronic messaging
The electronic mail systems are secured from unauthorized access by firewalls and from
viruses by anti-virus software. BHEL PSSR has a well-defined policy and guidelines on the use of electronic mail. Refer Email Policy - ISMS-02/PS/006.
A.13.2.4 Confidentiality or non-disclosure agreements
Requirements for confidentiality or non-disclosure agreements reflecting the needs
of BHEL PSSR for the protection of information shall be identified and reviewed by the
Information System Security Forum.


All contractors and external parties are also required to sign an NDA as covered by the
respective contract guidelines. The format is as defined in Non Disclosure
Agreement (NDA) - ISMS-04/PS/001.

A.14 Systems Acquisition, Development and Maintenance

A.14.1 Security Requirements of Information Systems
Control Objective: To ensure that security is built into information systems
A.14.1.1 Security requirements analysis and specification
BHEL PSSR shall document all security requirements along with the functional
requirements during the development of a new information system or the enhancement
of an existing system. The security controls to be incorporated into the system should
take into consideration the business risks and the value of the information. Refer Policy
on System Development and Maintenance - ISMS-02/PS/015.
A.14.1.2 Securing application services on public networks
BHEL PSSR ensures that information involved in application services passing over
public networks is protected from fraudulent activity, contract dispute and
unauthorized disclosure by implementing security controls. Refer Policy on
System Development and Maintenance - ISMS-02/PS/015.
A.14.1.3 Protecting application services transactions
Application services transactions are protected against mis-routing, alteration,
unauthorized disclosure and traffic sniffing by deploying suitable network controls.
Refer Network Management Policy - ISMS-02/PS/005.

A.14.2 Security in development and support processes


Control Objective: To ensure that information security is designed and implemented
within the development lifecycle of information systems.
A.14.2.1 Secure development policy
The organization has a documented process for software development, which explicitly
asks for the security requirements of the project. Refer Policy on System Development &
Maintenance - ISMS-02/PS/015.
A.14.2.2 System Change control procedures

BHEL PSSR has a defined procedure to manage and control changes in the software
developed and support systems, during the development life cycle. Refer Policy on
System Development & maintenance - ISMS-02/PS/015 and Change
Management Procedure - ISMS-03/PS/016.
A.14.2.3 Technical review of applications after operating platform changes
The application systems are reviewed to ensure that there is no adverse impact on
operation and security due to changes in operating system. Refer Change
Management Procedure - ISMS-03/PS/016.
A.14.2.4 Restrictions on changes to software packages
Modification of a software package is not permitted without the consent of the vendor.
The IPR and copyright terms of software packages are complied with.
A.14.2.5 Secure system engineering principles
BHEL PSSR has established secure practices for system implementation. Refer Policy
on System Development & Maintenance - ISMS-02/PS/015.
A.14.2.6 Secure development environment
System development activities are carried out on a secure platform. Refer Policy on
System Development & Maintenance - ISMS-02/PS/015.
A.14.2.7 Outsourced development
Where software development is outsourced, the following points shall be considered:
a) Licensing arrangements, code ownership and intellectual property rights
b) Certification of the quality and accuracy of the work carried out
c) Rights of access for audit of the quality and accuracy of the work done
d) Assurance that the quality of the code meets the requirements stated in the
SRS.
Refer Policy on System Development & maintenance - ISMS-02/PS/015 and
Change Management Procedure - ISMS-03/PS/016.
A.14.2.8 System security testing
The security requirements of software testing are addressed in Policy on System
Development & maintenance - ISMS-02/PS/015.
A.14.2.9 System acceptance testing
New information systems, upgrades and new versions are put through system
acceptance testing for their acceptability and interoperability. Appropriate tests are carried
out to confirm that all acceptance criteria are fully satisfied. The test results are documented,
and operational, maintenance and usage procedures are established. Training is provided for
the use and operation of the new system. Refer Policy on System Development & Maintenance
- ISMS-02/PS/015 and Change Management Procedure - ISMS-03/PS/016.

A.14.3 Test data


Control Objective: To ensure the protection of data used for testing.

A.14.3.1 Protection of test data


The operational data are not used for testing purposes. Only authorized persons have
access to test data, based on their roles and responsibilities.
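Keeping operational data out of the test environment still leaves the question of where realistic test data comes from. A common answer is to derive it from a production extract by replacing identifiers with keyed pseudonyms, so that joins between tables still work but no real person is identifiable. The code below is an added example, not BHEL PSSR's test-data procedure; the table layouts, field names, sample rows and masking rules are constructed assumptions.

```python
"""Derive test data from production-shaped records without copying personal
data into the test environment.

Added example, not BHEL PSSR's own procedure.  Table layouts, field names,
sample rows and masking rules are constructed assumptions.
"""
import hashlib
import hmac

# Fields joined across tables: replaced by a keyed token so that joins still
# work in the test environment while the real identifier is not revealed.
JOIN_KEY_FIELDS = {"emp_id"}
# Direct identifiers with no structural role: replaced by a fixed placeholder.
DIRECT_IDENTIFIERS = {"name", "address", "pan"}
# Everything else (amounts, dates, codes) is kept as-is.


def tokenize(value, key):
    """Keyed, deterministic pseudonym: same input gives the same token, and
    only someone holding the key could rebuild the mapping by trial."""
    digest = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
    return "T" + digest[:15]


def mask_record(record, key):
    masked = {}
    for field, value in record.items():
        if field in JOIN_KEY_FIELDS:
            masked[field] = tokenize(value, key)
        elif field in DIRECT_IDENTIFIERS:
            masked[field] = f"<{field} removed>"
        else:
            masked[field] = value
    return masked


def mask_dataset(tables, key):
    """Mask every table with the same key so cross-table joins survive."""
    return {name: [mask_record(r, key) for r in rows] for name, rows in tables.items()}


# Constructed sample data shaped like an HR/payroll extract (not real people).
PRODUCTION = {
    "employees": [
        {"emp_id": "E1001", "name": "A. Kumar", "address": "12 Anna Salai",
         "pan": "ABCDE1234F", "grade": "E3"},
        {"emp_id": "E1002", "name": "B. Devi", "address": "7 Mount Road",
         "pan": "FGHIJ5678K", "grade": "E5"},
    ],
    "payroll": [
        {"emp_id": "E1001", "month": "2015-09", "basic": 45000},
        {"emp_id": "E1002", "month": "2015-09", "basic": 72000},
    ],
}


def build_test_dataset(key=b"constructed masking key; rotate per extract"):
    """Masked copy of PRODUCTION suitable for a test environment."""
    return mask_dataset(PRODUCTION, key)


def join_check(dataset):
    """Return the employee tokens for which a payroll row still joins."""
    emp_tokens = {r["emp_id"] for r in dataset["employees"]}
    return {r["emp_id"] for r in dataset["payroll"] if r["emp_id"] in emp_tokens}


if __name__ == "__main__":
    test = build_test_dataset()
    for table, rows in test.items():
        print(table)
        for row in rows:
            print("  ", row)
    print("joinable payroll rows:", len(join_check(test)))
```

The tokens are only as private as the key: employee IDs have little entropy, so anyone holding the key can recover the mapping by enumeration. The key therefore stays with the masking job and is never shipped to the test environment, and it is changed for each extract so tokens from different test cycles cannot be correlated.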

A.15 Supplier Relationships


A.15.1 Information security in supplier relationships
Control Objective: To ensure protection of the organizations assets that is accessible by
suppliers.
A.15.1.1 Information security policy for supplier relationships
The organization identifies risks from supplier access in two main categories, physical and
network. Risk areas are identified and appropriate measures are taken to mitigate them
through the controls mentioned in the Procedure on Security requirements in third party and
outsourcing contracts - ISMS-03/PS/011. As a baseline control, all contract
personnel are given restricted access as per the requirements of the service they are
providing and as per the contractual obligations. All external parties working at the premises
are required to sign a Non-Disclosure Agreement (NDA) at the time of contract. Refer Non
Disclosure Agreement (NDA) - ISMS-04/PS/001.
A.15.1.2 Addressing security in third-party agreements
The security requirements and controls for access to BHEL PSSR information by third-party
vendors are addressed as per the security requirements detailed in the Procedure on
Security requirements in third party and outsourcing contracts - ISMS-03/PS/011.
A.15.1.3 Information and communication technology supply chain
Contracts with suppliers explicitly deal with the confidentiality of the information that the
supplier comes into contact with. Refer Procedure on Security requirements in third
party and outsourcing contracts - ISMS-03/PS/011.
A.15.2 Supplier service delivery management
Control Objective: To implement and maintain the appropriate level of information security
and service delivery in line with third-party service delivery agreements. BHEL PSSR
maintains a Service Level Agreement with all third-party vendors at the time of contract.
A.15.2.1 Monitoring and review of supplier services
BHEL PSSR ensures that the services, reports and records provided by third parties are
regularly monitored and reviewed. Refer Procedure on Security requirements in
third party and outsourcing contracts - ISMS-03/PS/011.
A.15.2.2 Managing changes to supplier services
Depending on the criticality of the business systems and processes involved, BHEL PSSR
ensures that changes to third-party services, including changes to the third party's
information security policies, procedures and controls, are managed in a controlled manner.
Refer Procedure on Security requirements in third party and outsourcing contracts
- ISMS-03/PS/011.

A.16 Information Security Incident Management

A.16.1 Management of information security incidents and improvements

Control Objective: To ensure that information security events and weaknesses associated
with information systems are communicated in a manner allowing timely corrective
action to be taken
A.16.1.1 Responsibilities and procedures
The overall responsibility for processing information security incidents rests with the ISSO and,
based on the impact of the incident, the ISSO decides the resolution procedure. The escalation
procedure to be followed for reporting different categories of incidents is detailed in the Incident
Management Procedure - ISMS-03/PS/002.


A.16.1.2 Reporting information security events
Security incidents are defined as events that could cause unauthorized disclosure,
modification or destruction of organizational information assets, or loss or destruction
of the physical equipment associated with the computer systems, their peripherals or
network infrastructure components. Security incidents also include other aspects of
security, such as carrying firearms or other lethal weapons on organization property,
typically secured areas being left unlocked or unattended, fire or hazardous material
spills, or witnessing someone performing an unsafe act or committing a violation of
security policies or procedures. All users in BHEL PSSR are responsible for reporting
any observed or suspected security incident. Security incidents are reported and
managed as per the documented Incident Management Procedure - ISMS-03/PS/002.
A.16.1.3 Reporting information security weaknesses
Security weaknesses are defined as loopholes, weak points or vulnerabilities in a
software application or system that may be exploited to gain unauthorized access to
data or systems. All users in BHEL PSSR are responsible for noting and reporting any
such observed or suspected security weakness, as per the Incident Management
Procedure - ISMS-03/PS/002.
A.16.1.4 Assessment of and decision on information security events
All information security events reported in BHEL PSSR are assessed, and a decision is
taken on whether they are to be categorized as security incidents, based on the number
of users affected and the impact of the event.

A.16.1.5 Response to information security incidents

Incidents shall be attended to by the personnel assigned to each incident as per the
Incident Management Procedure - ISMS-03/PS/002.
A.16.1.6 Learning from information security incidents
All information security incidents reported in BHEL PSSR are documented and stored
in the Corrective and Preventive Actions database. The ISSO consolidates the incident
reports for root cause analysis and uses them as an input for appropriate actions and
the controls needed to avoid recurrence of the incidents. As part of improvement, the
findings are communicated to the relevant stakeholders.
A.16.1.7 Collection of evidence
BHEL PSSR has identified all applicable laws and regulations. Where follow-up
action against a person or organization after an incident involves legal action, the
records and documents that may be accepted as evidence are collected and
maintained. It is ensured that all evidence collected in the process is:
a) Admissible: acceptable to courts and legal authorities
b) Complete: presents a complete trail of the incident
c) Of adequate quality: readable, legible, etc.

A.17 Information Security Aspects of Business Continuity Management

A.17.1 Information security continuity

Control objective: To counteract interruptions to business activities and to protect
critical business processes from the effects of major failures or disasters.
A.17.1.1 Planning information security continuity
A single framework of business continuity plans is maintained to ensure that all
plans are consistent and to identify priorities for testing and maintenance. Each
business continuity plan clearly specifies the conditions for its activation, as well as
the individuals responsible for executing each component of the plan.
Business continuity begins by identifying events that can cause interruptions to
business processes, e.g. equipment failure, flood and fire. This is followed by a risk
assessment to determine the impact of those interruptions (both in terms of damage
scale and recovery period). This assessment considers all business processes and is
not limited to the information processing facilities. Depending on the results of the risk
assessment, a strategy plan is developed to determine the overall approach to business
continuity. The details are given in the Business Continuity Plan - ISMS-02/PS/BCP.


A.17.1.2 Implementing information security continuity


Business Continuity Plans are developed to maintain or restore business operations
in the required time scales following interruption to, or failure of, critical business
processes. The business continuity planning process is detailed in Business
Continuity Plan - ISMS-02/PS/BCP.
A.17.1.3 Verify, review and evaluate information security continuity
Business continuity plans shall be tested regularly to ensure that they are up to date
and effective. Such tests shall also ensure that all members of the recovery team and
other relevant staff are aware of the plans. The test schedule for the business continuity
plan(s) is detailed in the Business Continuity Plan - ISMS-02/PS/BCP.
A.17.2 Redundancies
Control Objective: To ensure availability of information processing facilities.
A.17.2.1 Availability of information processing facilities.
Information processing facilities like networks, servers etc. are provided with redundancies
to ensure that there is no single point of failure. Disaster Recovery site has been established
for mission critical applications. Refer Business Continuity Plan - ISMS-02/PS/BCP

A.18 Compliance
A.18.1 Compliance with Legal and Contractual Requirements
Control Objective: To avoid breaches of any criminal and civil law, statutory,
regulatory or contractual obligations and of any security requirements
A.18.1.1 Identification of applicable legislation and contractual requirements
All relevant statutory, regulatory, and contractual obligations pertaining to
information systems are explicitly defined and documented. BHEL PSSR adheres to
all the applicable laws and acts. It is the responsibility of the HR (legal) department to
review compliance and identify new or unidentified legal obligations. All agreements
entered by the company are duly vetted and approved by HR for this purpose. Refer List of applicable legislations ISMS-04/PS/023.
A.18.1.2 Intellectual property rights (IPR)
BHEL PSSR ensures that all license agreements are respected and limits the use of
products to the specified machines and purposes.
a) Copyrighted hardware, software and documentation belonging to BHEL PSSR
will not be disclosed to any outside party unless cleared by the ISSO.
b) Copyrighted programs and associated material supplied by outside
organizations or collaborators will be used by BHEL PSSR only for the
purposes for which they are licensed.
c) No unauthorized copies will be made for use within or outside BHEL PSSR.

A.18.1.3 Protection of records


The important records are protected from loss, destruction and falsification. The
following organizational records are safeguarded:
List of records under the scope of ISMS
Database records
Transaction logs
All contracts and agreements
All records are retained for a defined period as specified by the owner of the
information. Storage and handling of all these records is in accordance with a defined
procedure. Refer Record Control Process - ISMS-03/PS/006.
A.18.1.4 Privacy and protection of personally identifiable information
The Information Technology Act, 2000 (India) contains provisions for data protection
and the privacy of computer systems. Personal records are maintained as hard copies,
classified as Confidential, and only the HR department has access to those files.
Personal information that is maintained online is password protected, and access is
limited to HR.
A.18.1.5 Regulation of cryptographic controls
Cryptographic controls shall be used in compliance with all relevant agreements, laws,
and regulations.

A.18.2 Information Security Reviews


Control Objective: To ensure compliance of systems with organizational security
policies and standards
A.18.2.1 Independent review of information security
BHEL PSSR Information System Security Forum is responsible for reviewing and
auditing the ISMS for its compliance. All areas covered in the ISMS policy are
considered for regular reviews and audits. ISSO prepares and publishes the annual
audit/ review plan. The methodology in detail is mentioned in Section 9.3 of this
document. Third party certification audit shall also be conducted as a part of
independent review of ISMS.
A.18.2.2 Compliance with security policies and standards
The ISSO with the help of the Information System Security Forum and other
Coordination team members conducts periodic/event-driven review to evaluate the
effectiveness of the ISMS, and initiate corrective and preventive action for continual
improvement. Refer Internal Audit Procedure - ISMS-03/PS/003.


A.18.2.3 Technical compliance checking


Information systems are regularly checked for compliance with security
implementation standards. Technical compliance checking involves the examination
of OS, to ensure that hardware and software have been correctly implemented. No
unapproved software will be used for checking technical compliance. IT head will take
internal or external specialists help for technical compliance check by means of
Vulnerability Assessment (VA) and Penetration Testing (PT). Refer Technical
Compliance Procedure - ISMS-03/PS/019.
