
4. Review existing documented policies and procedures relating to IT security

Each finding below is recorded under the table's columns: Sr No, Issue, Type of Policy, Impact, Cause, Exposure, Recommendation and Management comment.

Sr No 1
Issue: Lack of a specific Disaster Recovery plan/procedure.
Type of Policy: Business Continuity Management policy.
Impact: High
Cause: Resumption and recovery to normal conditions in the event of a disaster is not possible as required by the policies and objectives.
Exposure: Loss of business, goodwill, profit etc.
Recommendation: Develop and establish a specific and detailed Disaster Recovery Plan.
Management comment: Agreed to develop and establish DRP.

Sr No 2
Issue: Alarm system is not working.
Type of Policy: Departmental Policies.
Impact: High
Cause: A fire accident may arise.
Exposure: Loss of Information System assets, data and employees of the department.
Recommendation: Departmental Store policies are to be strictly followed.
Management comment: Agree and will follow.

Sr No 3
Issue: Poor network stability and configuration.
Type of Policy: Security Policy and Network Security Policy.
Impact: High
Cause: 1. Poor network stability can threaten operations. 2. Inadequate control over access to the network can jeopardize the confidentiality and integrity of data. 3. Slow or inadequate system response times impede processing.
Exposure: 1. The information system is easy to hack. 2. Loss of confidential data. Idle hours for employees.
Recommendation: "The network must be designed and configured to deliver high performance and reliability to meet the needs of the operations whilst providing a high degree of access controls and a range of privilege restrictions."
Management comment: Agreed to develop.

Sr No 4
Issue: 'Housekeeping' routines are not adhered to.
Type of Policy: Operating System Security Policy.
Impact: High
Cause: 1. Where an upgraded operating system fails to perform as expected, this can result in a loss of stability or even the total failure of some systems. 2. Where housekeeping and routine support are informal or incident led, weaknesses in the security safeguards can go undetected and offer the potential for fraud or malicious damage.
Exposure: Weaknesses in security safeguards can go undetected and offer the potential for fraud or malicious damage.
Recommendation: Computers can operate without application software, but cannot run without an operating system. "Operating Systems must be regularly monitored and all required 'housekeeping' routines adhered to." Housekeeping routines must be added to the existing policies.
Management comment: Agree and will follow.

Sr No 5
Issue: Staff are not designated to access operational program libraries.
Type of Policy: Security Policy for Software.
Impact: High
Cause: 1. If operational program libraries are poorly protected, software and configuration files could be modified without authorization, resulting in disruption to systems and/or other incidents. 2. Unauthorized use of production software can cause disruption to systems or fraud against the department store.
Exposure: 1. Software and configuration files could be modified. 2. Fraud.
Recommendation: "Only designated staff may access operational program libraries. Amendments may only be made using a combination of technical access control and robust procedures operated under dual control." The policy should be amended.
Management comment: Agreed to develop.

Sr No 6
Issue: Very high risk of external security breaches as network security is inadequate.
Type of Policy: Security Policy for cyber crime.
Impact: High
Cause: 1. Criminals may target the department store's information system, resulting in serious financial loss and damage to the department's operations and reputation. 2. Cyber crime is an ever-increasing area of concern, and suitable training is to be given to those persons responsible for network security to minimize such risks.
Exposure: Loss of business, goodwill, profit etc.
Recommendation: "Security on the network is to be maintained at the highest level. Those responsible for the network and external communications have to receive proper training in risk assessment and how to build secure systems which minimize the threats from cyber crime." The existing policy should be amended to include this part.
Management comment: Agree to amend.

Sr No 7
Issue: Regular training for permanent staff of the stores is not included in the policy.
Type of Policy: Information Security awareness.
Impact: Medium
Cause: 1. Sensitive data may be acquired unlawfully, damaged, or modified because staff have become complacent. 2. Staff assuming new duties without specific information security training may compromise sensitive data.
Exposure: Loss of confidential data. Unauthorized modifications.
Recommendation: "Permanent staff are to be provided with information security awareness tools to enhance awareness and educate them regarding the range of threats and the appropriate safeguards." The existing policy should include regular training.
Management comment: Agree to include.

Sr No 8
Issue: Emergency data amendment policy is not found in the existing policies.
Type of Policy: Data amendment Policy.
Impact: Low
Cause: Emergency data amendments can bypass normal controls, with the consequent scope for fraud and error.
Exposure: These measures are adopted when live data must be altered by other than normal software functions and procedures.
Recommendation: "Emergency data amendments may only be used in extreme circumstances and only in accordance with emergency amendment procedures." These amendments should be done with proper logging, involvement of senior management, and should be used sparingly.
Management comment: Agree to include.

Sr No 9
Issue: Risk Register is not maintained at stores.
Type of Policy: Risk Register.
Impact: Medium
Cause: Without appropriate IT risk policies and practices, threats may not be identified and treated within reasonable timeframes, thereby increasing the likelihood that store objectives will not be met.
Exposure: Threats may not be identified and treated within reasonable timeframes.
Recommendation: All stores are required to have risk management policies and practices that identify, assess and treat risks that affect key business objectives. IT is one of the key risk areas that should be addressed. We therefore expect stores to have IT-specific risk management policies and practices such as risk assessments, registers and treatment plans.
Management comment: Agreed to develop.

Sr No 10
Issue: Incident Management Policy to be developed.
Type of Policy: Incident Management Policy.
Impact: Medium
Cause: Without an IMP, the store will receive late responses to security incidents.
Exposure: Late response to security incidents.
Recommendation: Incident management is required and needs to be established to ensure a quick, effective, and orderly response to security incidents.
Management comment: Agreed to develop.

Sr No 11
Issue: No uniformity in the versions running across all the stores of Peacock Ltd.
Type of Policy: Version Control Policy.
Impact: Medium
Cause: Results in data being extracted in the new version format and extensions, and new features of the application having to be checked.
Exposure: Extraction of data in the old version format and extensions.
Recommendation: The version control policy addresses implementing, managing and controlling the changes in versions of application systems, customised add-on modules, network and operating system software, interfaces and utilities. So uniformity should be maintained across all the stores of the company.
Management comment: Agree and will follow.

Sr No 12
Issue: Security Operations Center is not established as per SMP.
Type of Policy: Security monitoring procedure.
Impact: High
Cause: Criminals may target the department store's information system, resulting in serious financial loss and damage to the department's operations and reputation.
Exposure: Threats may not be identified and treated within reasonable timeframes.
Recommendation: As per the Cyber Security guidelines issued by RBI, a Security Operations Center shall be established for security monitoring of the logs of critical IT assets.
Management comment: Agreed to develop.
