This document outlines control requirements for various departments at Asirvad to enhance security of their applications. It lists 14 control requirements for the applications department including implementing role-based access control, blocking user access on resignation, changing known passwords, implementing multi-factor authentication, reviewing audit logs and access rights periodically, conducting security testing, and establishing a change advisory board. The CTO, Joshy, is identified as the responsible head to ensure these controls are implemented.
Head: Joshy (CTO)

Department for all controls below: Application. The "To be Completed By" and "Status" columns of the control matrix are blank in the source.

1. Role Based Access Control (RBAC) to be defined, and periodic User and Privilege access review required. The review report must be approved and signed.
2. Procedure must be implemented to block User access in HRMS / all applications on the same day of resignation.
3. All passwords known to the resigned user must be changed on the same day, and a record of the activity must be maintained.
4. Procedure for usage of Generic Accounts in applications; usage must be reviewed periodically and the review report recorded.
5. Security Plan and verification of its security related test cases for the Change implementation.
6. Asirvad Password Policy must be followed in all Applications (Password Policy configuration in Applications).
7. MFA Authentication must be implemented for all critical applications of Asirvad.
8. Audit trail logs (Applications / Cloud Environment) must be reviewed on a monthly basis and the review report must be maintained.
9. VAPT to be done for all applications.
10. User based Login must be maintained for all applications.
11. Process set up for the maintenance of Generic Login IDs in Applications.
12. How access is provisioned and deprovisioned.
13. Conduct BCP / DR drill for all the critical applications and networks.
14. Change Advisory Board for Critical Changes which have business impact.
15. Legal warning banners shall be displayed before the application login screen.
16. Review of logical access rights shall be performed periodically.
17. Specific secure fields in the Database of applications shall be encrypted.
18. All releases shall be approved by the CTO of Asirvad.
19. All changes shall be tracked in the Applications and shall be traceable through reports.
20. Release logs / versions shall be periodically reviewed by AML to identify any unauthorised changes.
21. Record retention standards for data shall be defined by AML for outsourced development and software management.
22. All software applications developed by vendors for AML shall be centrally managed by the IT Department.
23. The vendor shall intimate AML before revoking or modifying admin access on servers. Procedure to be established.
24. Approvals shall be obtained from AML before granting admin access on servers / systems. Procedure to be established.
25. Application administrator logs shall be monitored to identify any fraudulent activities.
26. Data classification.
27. Electronic copies of the Business, Finance, PII, Architecture, Project Plans, Design and Regulatory documents must be stored in a centralised repository with VPN access.