Audit gap tracker: Access Control and System Acquisition findings (MES applications, KPMG review)

Columns: SL No | Domain | Subdomain | Objective | Control No | Gaps Identified | Recommendation | Target Date | Status | Commercials | Comments | KPMG Comments | Implementation tracking

SL No 2
Domain: A.9 Access Control
Subdomain: A.9.2 User Access Management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services
Control No: A.9.2.1 (User registration and de-registration)
Gap Identified: 2. Old unused user IDs are reused by assigning them to new users. (MES Vijaynagar)
Recommendation: 2. Old unused user IDs should not be reused by assigning them to new users. (MES Vijaynagar)
Target Date: 30-Sep-21
Status: Open
Comments:
  - User access management policy to be enhanced to stop the reuse of unused user accounts for new users during user account creation.
  - Introduce a DB user to user ID mapping table in SPTS to ensure unique user IDs.

SL No 3
Domain: A.9 Access Control
Subdomain: A.9.2 User Access Management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services
Control No: A.9.2.1 (User registration and de-registration)
Gap Identified: 3. There is no naming convention defined and followed for user ID creation. (MES Vijaynagar)
Recommendation: 3. A defined naming convention should be followed for user ID creation. (MES Vijaynagar)
Target Date: SPTS: 2 months after new resource deployment. Skill set: Pb6.5
Status: Open
Comments:
  - Being followed in new user account creation.
  - New user IDs are created in AD account format, whereas old active user IDs cannot be changed as this has business impact. Exceptional case: SPTS.
  - User access management module to be redesigned in SPTS, which requires 2 man-months for implementation.

SL No 9
Domain: A.9 Access Control
Subdomain: A.9.2 User Access Management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services
Control No: A.9.2.3 (Management of privileged access rights)
Gap Identified: 2. An authorization process and a record of all privileges allocated is not maintained.
Recommendation: 2. Privileged access should be time-bound, and a record of all the access provisioned should be maintained.
Status: Open
Comments:
  - Allocated privileged (application admin) access report to be generated from each MES application.
KPMG Comments: Team to check and confirm if a report can be extracted from the applications. In case it is not feasible, KPMG to mention it in the risk register.

SL No 12
Domain: A.9 Access Control
Subdomain: A.9.4 System and Application Access Control
Objective: To prevent unauthorized access to systems and applications
Control No: A.9.4.2 (Secure log-on procedures)
Gap Identified: We noted that last login details are not available in firewalls and applications, and a logon banner is not available on IT infrastructure devices.
Recommendation: It is recommended that last login details be displayed on applications and that a logon banner be displayed on supporting infrastructure.
Target Date: 15-Oct-21
Status: Open
Comments:
  - Login screen to have static content carrying the JSW confidential message.
  - Show last login details in MES applications.
  - Exceptional apps are CRM2 MES and BRM2 MES.
KPMG Comments: As discussed, Sunil to share the content for warning/log-on messages; MES team to incorporate it for applications. Last login details to be incorporated by the MES team.

SL No 32
Domain: A.14 System acquisition, development and maintenance
Subdomain: A.14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems
Control No: A.14.2.2 (System change control procedures)
Gap Identified: 4. Learnings and user manuals are not documented. (MES Vijay Nagar, ValueApps)
Recommendation: 4. Learnings and user manuals are to be documented during the course of the SDLC.
Target Date: 10-Oct-21
Status: Open
Comments:
  - Learnings are added in MSP, where minimum details are added. Document to be maintained along with project docs.
  - User manual, Option 1: a technical writer is required to prepare an exhaustive user manual, which will be placed in the respective project folder for the longer run.
KPMG Comments: Team to ensure the required documents are maintained.

Commercials column (values in page order; the row each value belongs to did not survive extraction): No, Yes, No, Yes

Implementation tracking columns: AD IDAM Authentication Implementation | MES JIRA/E-Desk | Policy Change | Kintana | QA Team | SonarQube | Security Management Team | DBA Points
Items marked Y (in page order; the column each mark sits in did not survive extraction):
  - Y (Only in SPTS)
  - Y (changing user IDs)
  - Y (User Access Report)
  - Y (Login Screen Changes)
  - Y (User Manuals)
  - Y (new role as technical writer)
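The two A.9.2.1 gaps (IDs recycled to new users, no naming convention) and the SPTS comment about a DB user to user ID mapping table come down to one provisioning rule: an ID is issued once, follows a fixed pattern, and is retired rather than deleted so it can never be handed to someone else. The following is an added example of that rule, not code from SPTS, MES or any system on the page; the AD-style "firstname.lastname" convention, the table layout and the sample IDs are assumptions made for illustration.

```python
"""Provisioning check for A.9.2.1: unique, never-reused user IDs that
follow a naming convention.  Added example; the convention, schema and
sample accounts below are assumptions, not the audited systems' own.
"""
import re
import sqlite3

# Assumed convention: AD-style "firstname.lastname", lower-case ASCII letters.
USER_ID_PATTERN = re.compile(r"^[a-z]{2,}\.[a-z]{2,}$")

# Assumed mapping table: one row per login ID, linked to its backing DB user.
# Rows are never deleted, so a retired ID stays on record as a tombstone.
SCHEMA = """
CREATE TABLE IF NOT EXISTS user_id_map (
    user_id TEXT PRIMARY KEY,
    db_user TEXT NOT NULL UNIQUE,
    status  TEXT NOT NULL CHECK (status IN ('active', 'retired'))
);
"""


class ProvisioningError(ValueError):
    """Raised when a requested ID breaks the convention or was issued before."""


def open_registry(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def provision_user(conn, user_id, db_user):
    """Issue a new ID.  Refuses IDs outside the convention and IDs that
    exist in any status, so a retired ID is never reassigned."""
    if not USER_ID_PATTERN.match(user_id):
        raise ProvisioningError(f"{user_id!r} does not follow the naming convention")
    row = conn.execute(
        "SELECT status FROM user_id_map WHERE user_id = ?", (user_id,)
    ).fetchone()
    if row is not None:
        raise ProvisioningError(
            f"{user_id!r} was already issued (status={row[0]}); IDs are not reused"
        )
    try:
        conn.execute(
            "INSERT INTO user_id_map (user_id, db_user, status) VALUES (?, ?, 'active')",
            (user_id, db_user),
        )
    except sqlite3.IntegrityError as exc:
        # The UNIQUE constraint on db_user keeps the DB-user mapping one-to-one.
        raise ProvisioningError(f"db_user {db_user!r} is already mapped") from exc
    conn.commit()
    return True


def deprovision_user(conn, user_id):
    """Retire instead of delete: the row remains and blocks future reuse."""
    cur = conn.execute(
        "UPDATE user_id_map SET status = 'retired' WHERE user_id = ? AND status = 'active'",
        (user_id,),
    )
    conn.commit()
    return cur.rowcount == 1


def demo():
    """Constructed scenario: a leaver's ID is retired, then a new hire is
    (wrongly) offered the same ID and a non-conforming one.  Returns the
    outcome of each step so the sequence can be checked."""
    conn = open_registry()
    outcomes = [
        provision_user(conn, "asha.rao", "db_asha_rao"),   # True
        deprovision_user(conn, "asha.rao"),                # True, row kept as 'retired'
    ]
    for uid, dbu in [("asha.rao", "db_new_hire"), ("ASHA1234", "db_x")]:
        try:
            provision_user(conn, uid, dbu)
            outcomes.append(True)
        except ProvisioningError as exc:
            outcomes.append(str(exc))
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of keeping retired rows rather than deleting them is that the uniqueness check then covers the whole history of the system, which is exactly the property the "old unused IDs reused" finding asks for; the naming pattern is checked before the database is touched so a malformed ID never reaches the mapping table.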
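The A.9.2.3 finding asks for two things the tracker says the MES applications cannot yet produce: a record that every privilege was authorized, and an expiry on each grant so the "allocated privileged access report" can show what is overdue for revocation. The following is an added example of such a register, not code from any MES application; the record fields, the 90-day default lifetime, the approver and the sample grants are assumptions constructed for illustration.

```python
"""Time-bound privileged access register for A.9.2.3.  Added example;
the record layout, default lifetime and sample grants are assumptions,
not the audited applications' own implementation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PrivilegeGrant:
    user_id: str
    system: str          # application the privilege applies to
    role: str            # privileged role allocated, e.g. application admin
    approved_by: str     # approver recorded for the authorization process
    granted_at: datetime
    expires_at: datetime  # every privileged grant carries an expiry


def request_privilege(register, user_id, system, role, approved_by,
                      granted_at, ttl_days=90):
    """Append a grant to the register.  A missing approver is refused, so
    an authorization record exists for every privilege allocated."""
    if not approved_by:
        raise ValueError("privileged access requires a recorded approver")
    grant = PrivilegeGrant(user_id, system, role, approved_by, granted_at,
                           granted_at + timedelta(days=ttl_days))
    register.append(grant)
    return grant


def review_register(register, now):
    """Split the register into grants still valid and grants past expiry.
    The expired list is what the access report should flag for revocation."""
    active = [g for g in register if g.expires_at > now]
    expired = [g for g in register if g.expires_at <= now]
    return active, expired


def privileged_access_report(register, now):
    """Rows for a per-application 'allocated privileged access' report,
    sorted by system then user so the output is stable for diffing."""
    _, expired = review_register(register, now)
    rows = []
    for g in sorted(register, key=lambda g: (g.system, g.user_id)):
        rows.append({
            "system": g.system,
            "user_id": g.user_id,
            "role": g.role,
            "approved_by": g.approved_by,
            "expires_at": g.expires_at.date().isoformat(),
            "status": "EXPIRED" if g in expired else "active",
        })
    return rows


def demo():
    """Constructed sample: two admin grants, one reviewed after its expiry."""
    register = []
    t0 = datetime(2021, 6, 1)
    request_privilege(register, "asha.rao", "SPTS", "application admin",
                      "approver.one", t0)                 # expires 2021-08-30
    request_privilege(register, "ravi.kumar", "CRM2 MES", "application admin",
                      "approver.one", t0, ttl_days=30)    # expires 2021-07-01
    return privileged_access_report(register, datetime(2021, 7, 15))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Because the expiry is part of the record itself, the report needs no separate list of "temporary" accounts: anything whose expiry has passed is an exception regardless of who granted it, which is the check the KPMG comment asks the team to confirm can be extracted from each application.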