
Avanse InfoSec Assessment Template

Application:- Preksha Edutech Pvt Ltd

Partner Managing:-

Avanse owner:-

Date:- 21-04-2023

Assessment team :-

InfoSec Controls Required:-

1) Stringent Authentication, Authorization, Access review

(What is expected: - Valid user verification (eg: Strong passwords policy, Lockout, password expiry
options), Least amount of access required to complete the job (aka Least Privilege), Reviewing active
users, Reviewing the active admin users & their privileges)

Partner Comments:- OTP validation based login, session based authentication

Evidences:- User login with OTP and generating session based tokens, every endpoint URL access with
bearer token.

Avanse InfoSec Comments:-

2) Audit logs to be maintained for any incidents analysis based on business requirements

(What is expected: - Application access logs, Database access logs, Database activity logs)

Partner Comments:- Application access logs and AWS CloudWatch

Evidences:- app.log, access.log file and system logs

Avanse InfoSec Comments:-

3) Change management process to exist with yearly auditable evidences

(What is expected: - Approval evidence, change logs for major changes in the application
configuration for the financial year)

Partner Comments:- Admin dashboard, activity logs and audit logs

Evidences:- Role based admin access, application manager to accept or reject the application

Avanse InfoSec Comments:-


4) Application/Vulnerability assessment to identify the most common vulnerabilities

(What is expected: - Vulnerability Assessment framework)

Partner Comments: - Periodic assessment with Black Duck Synopsys tool, performing static analysis

Evidences: - not applicable

Avanse InfoSec Comments: -

5) Regulatory compliance to be maintained

(What is expected: - Maintaining regulatory compliances as appropriate)

Partner Comments: - All Regulatory Compliances as per the guidelines by RBI

Evidence: - Refer to Excel Sheet.

Avanse InfoSec Comments: -

6) Basic IT Governance to be in place

(What is expected: - IT Policies, Senior management ownership & involvement)

Partner Comments: - IT Policy Document in place by Preksha Edutech

Evidences: -

Avanse InfoSec Comments: -

7) InfoSec awareness to be given to resources handling Avanse applications/data not limited to
Phishing email, Social engineering, Data leakages

(What is expected: - Information Security training to employees including but not limited to Social
Engineering, Phishing, Malware, Best practices, & Information Security policies)

Partner Comments:- We will train the and provide awareness to handle the applications as per the
IT Policy of Preksha Edutech and Partner Guidelines.

Evidences:-

Avanse InfoSec Comments:-

8) Mandatory encryption for data in transit and optional storage encryption demonstrating other
compensating controls

(What is expected: - TLS certificates, RSA/AES encryption, Wireless WPA3 encryption, Volume
encryption, Data security compliance (eg: ISO 27001) certification)

Partner Comments:- SSL, RSA, AES-256

Evidences:- All encryptions implemented with AWS services

Avanse InfoSec Comments:-

9) Network Firewall, Malware protection, Backups to be in place

(What is expected: - Network Firewall for requests, basic SOC operations in place, Backup policy,
Retention)

Partner Comments:- AWS security groups within VPC, retention policy for latest versions, every
day backups

Evidences:-

Avanse InfoSec Comments:-

10) Sign-off from Avanse InfoSec required

(What is expected: - Avanse InfoSec team approval before on-boarding the partner)

Partner Comments:-

Evidences:-

Avanse InfoSec Comments:-
