
Control matrix columns: Domain | Sub-Domain | Risk number | Risk Description | Control Objective | Control Reference # | Control Description | Test Procedure | Evidence Required

Each row of the matrix is laid out below one field per line.
Domain: Asset Management
Sub-Domain: Asset Register
Risk number: B_AM_R1
Risk Description: Absence of a comprehensive asset inventory register may lead to inadequate protection of critical assets, resulting in vulnerable and/or non-available assets.
Control Objective: To ensure that a comprehensive asset register is adequately maintained and reviewed periodically.
Control Reference #: B_AM_C1
Control Description (ToE Control Statement): The Asset Register shall be maintained, reviewed periodically and approved by the L4 Leader. Validate the Asset Register against RAS, IDR, Network Diagram and Tarmac report.
Test Procedure:
1. Obtain a copy of the current Asset Register.
2. Validate samples from the asset inventory register and validate if it has been reviewed & approved by L4 or above.
3. Validate that existing and newly commissioned assets are added, and decommissioned assets are removed, from the asset register in a timely manner.
Evidence Required:
1. Updated & approved Asset Register
2. Asset register review and approval email
3. Network Diagram
4. Tarmac report (user count and client provided software)
5. RAS report with engagement software details, gathered from the engagement delivery SPOC

Domain: Asset Management
Sub-Domain: Asset Register
Risk number: B_AM_R1
Risk Description: Absence of a comprehensive asset inventory register may lead to inadequate protection of critical assets, resulting in vulnerable and/or non-available assets.
Control Objective: To ensure the asset register includes at least the information necessary, including asset class, type, owner, location, CIA value and classification.
Control Reference #: B_AM_C2
Control Description (ToE Control Statement): The asset register shall contain the following key parameters at a minimum:
- Asset Class
- Type of Asset
- Asset Class Name (Title/Description of Asset)
- Owner / Asset is Assigned to
- Location
- Business Impact - due to loss of Confidentiality
- Business Impact - due to loss of Integrity
- Business Impact - due to loss of Availability
- Asset business value
- Asset Criticality Classification
Test Procedure: At a minimum, walk through the asset register details and validate that it contains the below fields:
- Asset Class
- Type of Asset
- Asset Class Name (Title/Description of Asset)
- Owner / Asset is Assigned to
- Location
- Business Impact - due to loss of Confidentiality
- Business Impact - due to loss of Integrity
- Business Impact - due to loss of Availability
- Asset business value
- Asset Criticality Classification (validate if criticality has been assigned as per the Risk Assessment guideline)
Evidence Required:
1. Updated Asset Register

Domain: Asset Management
Sub-Domain: Risk Assessment
Risk number: B_AM_R3
Risk Description: Absence of periodic risk assessments may lead to non-identification of security risks, resulting in loss of information/data/reputation for the organization.
Control Objective: To ensure that risk assessment is performed to identify, quantify and prioritize threats to the information/information assets used for supporting critical processes/operations.
Control Reference #: B_AM_C4
Control Description (ToE Control Statement): Risk assessment shall be conducted periodically and reviewed as per the defined process.
Test Procedure:
i. Risk Assessment shall be conducted annually or if there is a change in the environment.
ii. The Risk Register is reviewed periodically and approved.
iii. Validate that the Risk Assessment process is followed - asset details, vulnerability, impact, CIA, controls etc.
iv. The Risk Treatment Plan is executed as per the proposed timelines.
Evidence Required:
1. RA performed by the engagement
2. Approval mail on the reviewed RA
3. Risk Treatment Plan
Domain: Asset Management
Sub-Domain: Return of Asset
Risk number: B_AM_R4
Risk Description: Non-return of IT assets by separating employees may lead to malicious/inadvertent data loss for the organization.
Control Objective: To ensure that IT assets are returned and formatted/degaussed as per the defined process.
Control Reference #: B_AM_C6
Control Description (ToE Control Statement): Return and formatting of allocated HCL IT assets shall be carried out for separating employees.
Test Procedure: Below steps to be followed:
Step 1 - Compare the old RAS (from the last assessment) and the latest RAS to identify the resources off-boarded.
Step 2 - Obtain the available leavers data from the Engagement and compare with the delta, i.e. resources not found in Step 1.
Step 3 - Request the 'Service ticket number' raised by the Engagement for 'return / formatting of Asset'.
Step 4 - Seek clarification if off-boarding employees have requested, for formatting, that 'data to be saved or Asset to be secured', i.e. not to be formatted.
Step 5 - GIT SPOC to be assigned for Asset return and formatting.
Evidence Required:
1. Old & new RAS dump
2. Delivery confirmation for the below:
   i. Ticket raised for data return / formatting of Asset
   ii. Mail to secure Asset, i.e. not to be formatted
3. Evidence from GIT for Asset return and laptop formatting
Domain: Asset Management
Sub-Domain: Asset Movement from customer Control lab
Risk number: B_AM_R5
Risk Description: Lack of approval from the customer for moving assets out of the secured environment may lead to customer dissatisfaction, potential threat to customer assets/data/patents and reputation loss.
Control Objective: To ensure that customer provided assets (laptops, devices, etc.) which were moved out of HCL premises during the COVID situation were moved only post seeking appropriate approval (customer L4 consent). Note: Control applicable only for assets which were not allowed out of HCL premises pre COVID situation.
Control Reference #: B_AM_C7
Control Description (ToE Control Statement): Customer provided assets shall not be moved out of HCL secured premises except post seeking appropriate approval from the authorized client contact. Note: Control applicable only for assets which were not allowed out of HCL premises pre COVID situation (example: client provided laptops, desktops, lab devices, etc.).
Test Procedure:
1) Validate if customer provided assets were moved out of HCL secured premises during the COVID period.
2) Obtain the approval for moving the asset out of HCL.
3) Determine if the approval is still valid during the COVID period (for time bound approvals).
Evidence Required:
1) Asset register or list of customer assets moved out of HCL
2) Client approval email / addendum
3) DCO acknowledgement on the COVID period (check with Delivery whether acknowledgement from the client L4 contact is required for approval; if no client provided assets were moved out, record such exceptions)
Domain: Business continuity management
Sub-Domain: BC Framework
Risk number: B_BCM_R1
Risk Description: Absence of an adequate and approved BCP document may lead to lack of documented readiness to handle service disruptions in case of any disaster.
Control Objective: To ensure that a documented Business Continuity Framework/process exists, that it includes all the required parameters and that it is approved by the Business Unit Head and Client (where applicable).
Control Reference #: B_BCM_C1
Control Description (ToD Control Statement): The Business Continuity plan shall be defined, documented and approved at an engagement level.
Test Procedure:
1. Determine whether a business continuity plan, Framework/Process/Plan/SOP was defined and documented.
2. Assess whether it was approved by the Business Unit Head and Client (where applicable).
3. Assess whether the below were part of the Business Continuity Framework/Plan:
   i. Requirement for testing the Business continuity plan (Table top, Simulation, Call Tree)
   ii. Requirement for performing risk assessment
   iii. Requirement for performing Business Impact Analysis
   iv. Requirement for calculating the RTO and RPO
   v. Requirement for identification of third parties involved in business critical operations
   vi. List of interested parties
   vii. Responsibility for invoking the BCP should be defined along with the name
Evidence Required:
1. Obtain the approved copy of the Engagement Business Continuity Framework/Plan.
2. Obtain a snapshot/screenshot of the Business Continuity Plan capturing the approver details, such as name and signature of the Business Unit Head and Client (where applicable).
3. Obtain a snapshot/screenshot capturing the date of approval.
Note: In case the plan is in line with the HCL Corporate BC plan, ask for the updated, reviewed BC workbook and validate that all points are covered.
Note (BCM evidence sourcing):
i. For BCM evidences, first check whether the required artefact is available on the BCM SharePoint or AutoBCM tool.
ii. If evidences are available on the BCM SharePoint or AutoBCM tool, obtain the same and consider them for assessment.
iii. If Delivery has updated records, extract the same from them and share with Delivery for sign off on those evidences to be considered.
iv. If no records are available on the BCM SharePoint or AutoBCM tool, reach out to Delivery for the required artefacts for the BCM domain.
Domain: Business continuity management
Sub-Domain: Business Continuity Plan
Risk number: B_BCM_R2
Risk Description: Inadequate business continuity management may lead to business disruption/delayed recovery in case of crisis.
Control Objective: To ensure that the Business Continuity Plan (BCP) is reviewed in case of change in the environment.
Control Reference #: B_BCM_C3
Control Description (ToE Control Statement):
1. The Business Continuity plan, BIA and Risk Assessment shall be updated & reviewed at the time of major changes or at least annually and communicated to interested parties (as applicable).
2. The BC Plan, BIA and Risk Assessment should be reviewed at least annually.
Test Procedure:
1. Determine whether there was a change in the environment.
2. Obtain a copy of the business continuity plan, BIA and Risk Assessment and verify whether the business continuity plan, BIA and risk assessment were updated, reviewed and communicated to all interested parties (as applicable).
3. Obtain a copy of the business continuity risk assessment report with version history.
4. Obtain the Business Impact Analysis reports.
5. Determine whether the risks identified in the RA have been closed as per the proposed timelines.
Evidence Required:
1. Copy of the Business Continuity Plan capturing the following:
   a. Version history capturing the version details
   b. Last update & review date (this review should be performed at least annually)
   c. Approver details - name and signature of the DU Head/SDM (as applicable)
   d. Last date of review
2. Business continuity risk assessment report
3. Business Impact Assessment Report (verify the dates to check whether the BIA was conducted annually/on change in the environment)
Note: Same BCM evidence-sourcing note as under B_BCM_C1 (check the BCM SharePoint or AutoBCM tool first, then Delivery's updated records with Delivery sign off, and if no records are available reach out to Delivery for the required BCM artefacts).
Domain: Business continuity management
Sub-Domain: Business Impact Assessment
Risk number: B_BCM_R2
Risk Description: Inadequate business continuity management may lead to business disruption/delayed recovery in case of crisis.
Control Objective: To ensure that a Business Impact Analysis (BIA) on the project/account's processes/operations is performed to prioritize assets, data, technology, people and processes on the basis of the business impact.
Control Reference #: B_BCM_C10
Control Description (ToE Control Statement): RTO (Recovery Time Objective), RPO (Recovery Point Objective), MAO (Maximum Acceptable Outage) and MBCO (Minimum Business Continuity Objective) for the project/account's processes/operations shall be calculated as per the process. (Review for any references from the MSA/SOW for Business Continuity.) Only the HCL (central BCM tool) or client suggested template should have been used. The Business Continuity Strategy should cover a large scale people outage (e.g. pandemic).
Test Procedure:
1. Determine whether the calculation of MAO, RTO, RPO and MBCO for the project/account's processes/operations was performed for all the engagement tracks as per the process.
2. Review the BCP document to validate that it covers the strategy for a large scale people outage (e.g. pandemic). In case any other template is used, check whether it covers the contents of the HCL template.
Evidence Required:
1. Approved BIA document consisting of MAO, RTO, MBCO and RPO (as applicable).
Note: Same BCM evidence-sourcing note as under B_BCM_C1 (check the BCM SharePoint or AutoBCM tool first, then Delivery's updated records with Delivery sign off, and if no records are available reach out to Delivery for the required BCM artefacts).
Domain: Business continuity management
Sub-Domain: BCP Training
Risk number: B_BCM_R2
Risk Description: Inadequate business continuity management may lead to business disruption/delayed recovery in case of crisis.
Control Objective: To ensure that BCP training is provided to the Crisis Management Team members (identified in the respective BC plan(s)) at least annually.
Control Reference #: B_BCM_C11
Control Description (ToE Control Statement): Engagement specific BCP training shall be conducted at least annually, or in case of any major change in the environment, for all Crisis Management Team members (identified in the respective BC plan(s)).
Test Procedure:
1. Determine whether Engagement specific BCP training was conducted at least annually or in case of a major change in the environment (this should be at least annually).
2. Determine whether training records/attendance records were available for all Crisis Management Team members (identified in the respective BC plan(s)).
3. Interview selected Crisis Management Team members to ascertain the level of awareness.
Evidence Required:
1. Obtain the training attendance records capturing the dates on which the training was conducted.
2. For a selection of Crisis Management Team members, obtain the attendance records/acknowledgement emails capturing:
   a. Name of employee
   b. Date on which the session was conducted
   c. Minutes of Meeting (as applicable) showing their presence in the sessions
Note: Same BCM evidence-sourcing note as under B_BCM_C1 (check the BCM SharePoint or AutoBCM tool first, then Delivery's updated records with Delivery sign off, and if no records are available reach out to Delivery for the required BCM artefacts).
Domain: Business continuity management
Sub-Domain: BCP Testing
Risk number: B_BCM_R2
Risk Description: Inadequate business continuity management may lead to business disruption/delayed recovery in case of crisis.
Control Objective: To ensure effectiveness of the recovery strategies through periodic BCP tests.
Control Reference #: B_BCM_C12
Control Description (ToE Control Statement): The Business continuity plan shall be tested at least once in a year.
Test Procedure:
1. Determine whether a BCP test for the engagement has been performed in the last one year.
2. Determine whether BCP Test Report(s) exist, and determine whether identified gaps have been closed as per the proposed timelines & action plan.
Evidence Required:
1. BCP Test Report
Note: Same BCM evidence-sourcing note as under B_BCM_C1 (check the BCM SharePoint or AutoBCM tool first, then Delivery's updated records with Delivery sign off, and if no records are available reach out to Delivery for the required BCM artefacts).
Domain: Cloud Security
Sub-Domain: Identity and Access Management
Risk number: B_CS_R1
Risk Description: Inadequate configuration of the IAM process in cloud services may lead to leverage of existing privileges or elevation of privileges, resulting in regulatory non-compliance, system unavailability and data breach.
Control Objective: Ensure secure access is enabled for only authorized users in the cloud console.
Control Reference #: B_CS_C1
Control Description (ToE Control Statement): Multi-factor authentication shall be enabled for all users by default (Azure, AWS & GCP). Note - Refer to the 'Cloud Security Master' Runbook for detailed test procedures, if required.
Test Procedure:
1. Obtain a list of user IDs created on the Cloud Console.
2. Check whether all users are enabled with MFA.
3. Ensure appropriate approvals were obtained from the owner before creating the user ID.
Evidence Required:
1. Process/procedure document for logical access management.
2. User ID enablement and approvals for provision of access.
3. Screenshot showing MFA enabled for all user IDs.
Domain: Cloud Security
Sub-Domain: Identity and Access Management
Risk number: B_CS_R1
Risk Description: Inadequate configuration of the IAM process in cloud services may lead to leverage of existing privileges or elevation of privileges, resulting in regulatory non-compliance, system unavailability and data breach.
Control Objective: Ensure secure access is enabled for only authorized users in the cloud console.
Control Reference #: B_CS_C2
Control Description (ToE Control Statement): There shall not be any generic ID, shared or guest users provisioned for the cloud environment. Note - Refer to the 'Cloud Security Master' Runbook for detailed test procedures, if required.
Test Procedure:
1. Verify evidence to confirm no generic, shared or guest users exist.
2. Refer to the Cloud Service Provider detailed assessment run book (Azure, AWS & GCP).
Evidence Required:
1. Process/procedure document for logical access management.
2. Screenshot obtained from the administrator, from the console or VMs, confirming there are no generic, shared or guest users.
Note: Refer to the Cloud Service Provider detailed assessment run book (Azure, AWS & GCP).
Domain: Cloud Security
Sub-Domain: Identity and Access Management
Risk number: B_CS_R1
Risk Description: Inadequate configuration of the IAM process in cloud services may lead to leverage of existing privileges or elevation of privileges, resulting in regulatory non-compliance, system unavailability and data breach.
Control Objective: Ensure secure access is enabled for only authorized users in the cloud console.
Control Reference #: B_CS_C3
Control Description (ToE Control Statement): Password policy controls shall be implemented for all users in the cloud environment:
- Password Length
- Password Expiration
- Password Complexity
- Password History
- Account Lockout
Note - Refer to the 'Cloud Security Master' Runbook for detailed test procedures, if required.
Test Procedure:
1. Verify that password controls are configured as per the guidelines.
2. Verify that 'Notify users on password resets?' is set to 'Yes'.
Evidence Required:
1. Screenshot from the console / VMs of the implemented password controls.
2. Evidence of the password policy enabled in the VM infrastructure, and screenshots of sample user accounts capturing the required policy settings.
Note: For the console, refer to the Cloud Service Provider detailed assessment run book (Azure, AWS & GCP).
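The three IAM controls above (MFA for every console user, no generic/shared/guest identities, and a password policy with the five listed parameters) are checks a tester can run against an exported user list rather than read off screenshots one account at a time. The following script is an added example, not part of the matrix or of the 'Cloud Security Master' Runbook: it parses a credential report in the column layout of an AWS IAM credential report (the rows are constructed for the example), flags B_CS_C1 and B_CS_C2 findings, and compares an observed password policy against B_CS_C3. The generic-name patterns and the baseline numbers are assumptions, because the matrix names the parameters but gives no values; substitute the engagement's guideline values before use.

```python
import csv
import io
import re

# Constructed sample in the column layout of an AWS IAM credential report
# (only the columns used below are kept). Users and values are invented for
# this example; they are not data from the control matrix.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-02-01T08:12:00+00:00,true,false
alice.admin,arn:aws:iam::111122223333:user/alice.admin,true,2024-05-20T11:00:00+00:00,true,true
bob.dev,arn:aws:iam::111122223333:user/bob.dev,true,2024-05-19T16:45:00+00:00,false,true
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,false,no_information,false,true
shared-ops,arn:aws:iam::111122223333:user/shared-ops,true,2024-05-18T07:00:00+00:00,true,false
guest,arn:aws:iam::111122223333:user/guest,true,no_information,false,false
"""

# Naming patterns that suggest a generic, shared or guest identity (B_CS_C2).
# These are an assumption for the example; adapt them to local naming standards.
GENERIC_NAME_PATTERNS = (
    re.compile(r"^(shared|generic|guest|test|temp|admin\d*|user\d*)$", re.I),
    re.compile(r"^(shared|generic|guest)[-_.]", re.I),
)


def is_generic_identity(user: str) -> bool:
    """Heuristic: does the user name look like a generic/shared/guest ID?"""
    return any(p.search(user) for p in GENERIC_NAME_PATTERNS)


def audit_credential_report(report_csv: str) -> dict:
    """Check a credential report (CSV text) against B_CS_C1 and B_CS_C2.

    Every identity that can sign in to the console (password enabled, or the
    root account) must have MFA active. Key-only identities are not console
    users and are not flagged here.  Returns sorted user-name lists.
    """
    no_mfa, generic = [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        console_login = row["password_enabled"] == "true" or user == "<root_account>"
        if console_login and row["mfa_active"] != "true":
            no_mfa.append(user)
        if is_generic_identity(user):
            generic.append(user)
    return {"no_mfa": sorted(no_mfa), "generic_or_shared": sorted(generic)}


# Required minimums for the B_CS_C3 parameters. The matrix lists the parameters
# without values; these numbers are assumptions for the example.
PASSWORD_BASELINE = {
    "min_length": 14,            # Password Length
    "max_age_days": 90,          # Password Expiration
    "require_complexity": True,  # Password Complexity
    "history_size": 12,          # Password History
    "lockout_threshold": 5,      # Account Lockout: failed attempts before lockout
}


def check_password_policy(policy: dict, baseline: dict = PASSWORD_BASELINE) -> list:
    """Return the baseline parameters the observed policy fails, in baseline order."""
    failures = []
    if policy.get("min_length", 0) < baseline["min_length"]:
        failures.append("min_length")
    age = policy.get("max_age_days") or 0        # unset/0 means passwords never expire
    if age == 0 or age > baseline["max_age_days"]:
        failures.append("max_age_days")
    if baseline["require_complexity"] and not policy.get("require_complexity", False):
        failures.append("require_complexity")
    if policy.get("history_size", 0) < baseline["history_size"]:
        failures.append("history_size")
    threshold = policy.get("lockout_threshold") or 0   # unset/0 means no lockout
    if threshold == 0 or threshold > baseline["lockout_threshold"]:
        failures.append("lockout_threshold")
    return failures


# Constructed "as found" policy: length is fine, but passwords never expire,
# the history is short and there is no lockout.
OBSERVED_POLICY = {"min_length": 14, "max_age_days": 0, "require_complexity": True,
                   "history_size": 5, "lockout_threshold": None}

if __name__ == "__main__":
    print(audit_credential_report(SAMPLE_CREDENTIAL_REPORT))
    print(check_password_policy(OBSERVED_POLICY))
```

On the sample data the report yields bob.dev and guest as console users without MFA, and guest and shared-ops as generic/shared identities; shared-ops has MFA and still fails B_CS_C2, because MFA on a shared login does not restore individual accountability. The policy check reports the expiration, history and lockout parameters. Note that an export only proves the state at export time, so the screenshot requested as evidence should be taken in the same session.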
Domain: Cloud Security
Sub-Domain: Identity and Access Management
Risk number: B_CS_R1
Risk Description: Inadequate configuration of the IAM process in cloud services may lead to leverage of existing privileges or elevation of privileges, resulting in regulatory non-compliance, system unavailability and data breach.
Control Objective: Ensure secure access is enabled for only authorized users in the cloud console.
Control Reference #: B_CS_C4
Control Description (ToE Control Statement): RBAC and privileged access shall be followed for all users (a security group shall be created wherever required to provide access). Note - Refer to the 'Cloud Security Master' Runbook for detailed test procedures, if required.
Test Procedure:
1. Obtain the list of personnel who have access to the cloud console and to the VMs.
2. Validate that privileged access was granted post approval for those respective consoles and VMs.
Evidence Required:
1. From the cloud console and VMs, obtain a list of groups and their members having access.
2. Logical access provisioning records for selected samples / screenshots or email approvals for the individual ID creation based on RBAC.
Domain: Cloud Security
Sub-Domain: Identity and Access Management
Risk number: B_CS_R1
Risk Description: Inadequate configuration of the IAM process in cloud services may lead to leverage of existing privileges or elevation of privileges, resulting in regulatory non-compliance, system unavailability and data breach.
Control Objective: Ensure secure access is enabled for only authorized users in the cloud console.
Control Reference #: B_CS_C5
Control Description (ToE Control Statement): User/privileged access shall be reconciled on a regular basis as per the defined process. Note - Refer to the 'Cloud Security Master' Runbook for detailed test procedures, if required.
Test Procedure:
1. Obtain a list of user IDs and their owners.
2. Validate that the reconciliation is performed for all exit employees, including transfer, abscond and exit cases.
Evidence Required:
1. Evidence of the dates of execution of the entitlement review of the user IDs for the applicable cloud console and VMs.
2. Evidence of any corrective action taken as a part of the entitlement review, such as modified privileges of the user ID, removal or re-assignment etc.
Domain: Cloud Security
Sub-Domain: Logging and Monitoring
Risk number: B_CS_R2
Risk Description: Lack of adequate event logging may lead to loss of accountability/forensics in case of an incident in the cloud environment.
Control Objective: To ensure that a Log Profile exists and logging is enabled in the cloud subscription, and that the log profile captures activity logs for all regions including global.
Control Reference #: B_CS_C6
Control Description (ToE Control Statement): Ensure that Log Profiles are enabled for the subscribed cloud and that export activities are configured for all applicable regions/locations. Note - Refer to the 'Cloud Security Master' Runbook for detailed test procedures, if required.
Test Procedure:
1. Verify the Log Profile is enabled for the cloud environment.
2. Obtain the Log Profile details capturing activity log export enabled for all regions.
3. For a sample of instances/VMs/systems, inspect that the activity log configuration is set to export activities across all regions.
Evidence Required:
1. Screenshot from the cloud console, VMs, or from the centralized log monitoring tool for enablement of the log profile.
Note: Refer to the Cloud Service Provider detailed assessment runbook (Azure, AWS & GCP).
Domain: Cloud Security
Sub-Domain: Logging and Monitoring
Risk number: B_CS_R2
Risk Description: Lack of adequate event logging may lead to loss of accountability/forensics in case of an incident in the cloud environment.
Control Objective: To ensure that logs are retained as defined in the organization policies/process.
Control Reference #: B_CS_C7
Control Description (ToE Control Statement): Logs shall be retained as defined in the procedure. Note - Refer to the 'Cloud Security Master' Runbook for detailed test procedures, if required.
Test Procedure:
1. Determine whether security logs were retained as per the defined duration.
2. Validate that log storage is maintained for 90 days (3 months).
Evidence Required:
1. Screenshot from the cloud console, VMs, or from the centralized log monitoring tool for log retention.
2. Evidence for retention of activity logs as per the log retention policies.
Domain: Cloud Security
Sub-Domain: Logging and Monitoring
Risk number: B_CS_R2
Risk Description: Lack of adequate event logging may lead to loss of accountability/forensics in case of an incident in the cloud environment.
Control Objective: To ensure that, at a minimum, the logs (all) are enabled and maintained (for users, including system administrators) for logging activities such as login failures, account lockouts, system boot and restart times, system or application start and stop (with user identity and time of action), system configuration changes, and system errors and corrective actions taken.
Control Reference #: B_CS_C8
Control Description (ToE Control Statement): For sample information systems, the following classes of activities shall be enabled for logging:
- Login failures;
- Account lockouts;
- System boot and restart times;
- System or application start, stop, re-initialization (with user identity and time of action);
- System configuration changes;
- System errors and corrective actions taken; and
- Production applications start and stop times.
Note - Refer to the 'Cloud Security Master' Runbook for Navigate (AWS, Azure & GCP).
Test Procedure:
1. For sample information systems, determine whether the following classes of activities were enabled for logging:
- Login failures;
- Account lockouts;
- System boot and restart times;
- System or application start, stop, re-initialization (with user identity and time of action);
- System configuration changes;
- System errors and corrective actions taken; and
- Production applications start and stop times.
Evidence Required:
1. For sample systems, a screenshot of the log information being recorded:
- Login failures;
- Account lockouts;
- System boot and restart times;
- System or application start, stop, re-initialization (with user identity and time of action);
- System configuration changes;
- System errors and corrective actions taken; and
- Production applications start and stop times.
Please refer to the Cloud assessment Runbook for Navigate (AWS, Azure & GCP).
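Rather than eyeballing a screenshot for each of the seven event classes in B_CS_C8, the tester can classify a captured log sample and report which classes have no recorded evidence. The script below is an added example, not part of the matrix or of any runbook: it runs pattern matching over a constructed sample of Linux syslog/journal lines (the host name, IP, application name 'billing-api' and the regular expressions are assumptions for the example, not requirements from the control) and returns a per-class count plus the list of classes with zero evidence.

```python
import re

# Required event classes from B_CS_C8, each paired with patterns that recognise
# that class in Linux syslog/journal output. The patterns (and the assumed
# production application name 'billing-api') are choices made for this example.
REQUIRED_CLASSES = {
    "login_failure":       [r"Failed password for", r"authentication failure"],
    "account_lockout":     [r"account temporarily locked", r"account locked"],
    "boot_restart":        [r"kernel: Linux version", r"Startup finished in"],
    "service_start_stop":  [r"systemd\[1\]: (Started|Stopped|Starting|Stopping) "],
    "config_change":       [r"COMMAND=.*(?:/etc/|systemctl|usermod|iptables)"],
    "system_error":        [r"segfault", r"\berror\b", r"Failed with result"],
    "prod_app_start_stop": [r"billing-api\[\d+\]: application (started|stopped)"],
}

# Constructed sample: a boot, an sshd restart, two failed logins, one sudo edit
# of sshd_config and one application start. No lockout and no error appear,
# so those two classes should come back as missing.
SAMPLE_LOG = """\
May 20 08:01:02 web01 kernel: Linux version 5.15.0-105-generic (buildd@lcy02-amd64-037)
May 20 08:01:09 web01 systemd[1]: Startup finished in 4.102s (kernel) + 9.871s (userspace).
May 20 08:01:10 web01 systemd[1]: Started OpenSSH server daemon.
May 20 08:15:33 web01 sshd[1422]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
May 20 08:15:36 web01 sshd[1422]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
May 20 08:16:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
May 20 08:16:30 web01 systemd[1]: Stopped OpenSSH server daemon.
May 20 08:16:31 web01 systemd[1]: Started OpenSSH server daemon.
May 20 09:00:00 web01 billing-api[2210]: application started (version 3.4.1)
"""


def classify_line(line: str) -> set:
    """Return the set of required classes that a single log line evidences."""
    return {name for name, patterns in REQUIRED_CLASSES.items()
            if any(re.search(p, line) for p in patterns)}


def coverage_report(log_text: str) -> dict:
    """Count, per required class, how many lines evidence it."""
    counts = {name: 0 for name in REQUIRED_CLASSES}
    for line in log_text.splitlines():
        for name in classify_line(line):
            counts[name] += 1
    return counts


def missing_classes(log_text: str) -> list:
    """Classes with no evidence in the sample: each is a finding, or a class
    whose triggering event did not occur during the capture window."""
    return sorted(name for name, count in coverage_report(log_text).items() if count == 0)


def evidence_lines(log_text: str, class_name: str) -> list:
    """The lines supporting one class, to paste into the evidence record."""
    return [line for line in log_text.splitlines() if class_name in classify_line(line)]


if __name__ == "__main__":
    for name, count in coverage_report(SAMPLE_LOG).items():
        print(f"{name:20s} {count}")
    print("missing:", missing_classes(SAMPLE_LOG))
```

A zero count proves only that no such event was captured, not that logging for that class is off: a lockout line can only appear if a lockout happened during the window. For the classes that are absent, the tester should trigger the event under change control (for example a run of deliberate failed logins against a test account to produce the lockout) and re-run the check, or fall back to the configuration evidence the matrix asks for.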
Domain: Cloud Security
Sub-Domain: Logging and Monitoring
Risk number: B_CS_R2
Risk Description: Lack of adequate event logging may lead to loss of accountability/forensics in case of an incident in the cloud environment.
Control Objective: To ensure the storage account container containing the activity log export is not publicly accessible.
Control Reference #: B_CS_C9
Control Description (ToE Control Statement): Ensure the storage container storing the activity logs is not publicly accessible. Note - Refer to the 'Cloud Security Master' Runbook for detailed test procedures, if required.
Test Procedure:
1. Navigate to Storage Accounts and validate that the Public Access Level is set to Private (no anonymous access).
Evidence Required:
1. Screenshot of public access disabled for the storage accounts.
Domain: Cloud Security
Sub-Domain: Host Security
Risk number: B_CS_R3
Risk Description: Inadequate IT security controls on the VM host may lead to vulnerabilities like an insecure network, data leakage and/or security incidents in the cloud environment.
Control Objective: Ensure that the latest OS, Subsystem and Middleware patches for all Virtual Machines are applied.
Control Reference #: B_CS_C10
Control Description (ToE Control Statement): The latest patches shall be installed for the OS, Subsystem and Middleware of all Virtual Machines. Note - Refer to the 'Cloud Security Master' Runbook for detailed test procedures, if required.
Test Procedure:
1. For the cloud consoles / VMs, assess whether the latest patches were installed. Verify from the tool and by walkthrough.
Evidence Required:
1. For cloud consoles / VMs, system level screenshot showing the applicable latest patches were installed in the instances (VMs).
2. Evidence that the latest OS is installed.
Domain: Cloud Security
Sub-Domain: Host Security
Risk number: B_CS_R3
Risk Description: Inadequate IT security controls on the VM host may lead to vulnerabilities like an insecure network, data leakage and/or security incidents in the cloud environment.
Control Objective: Ensure that host protection (Anti-Virus, Host IPS as applicable) is installed for all Virtual Machines.
Control Reference #: B_CS_C11
Control Description (ToE Control Statement): Anti-virus or Host-IPS software shall be installed on end point instances. Note - Refer to the 'Cloud Security Master' Runbook for detailed test procedures, if required.
Test Procedure:
1. For the VMs, assess whether updated anti-virus software, Host IPS and Firewall are installed.
Evidence Required:
1. For the selected set of consoles/VMs, system level screenshot showing the anti-virus software and Firewall installed in the device.
Domain: Cloud Security
Sub-Domain: Networking and Secure configuration
Risk number: B_CS_R4
Risk Description: Inadequate security configurations may lead to compromise of Virtual Machines, resulting in DDoS attacks, deploying botnets, attacks on infrastructure-hosted services, etc.
Control Objective: Ensure secure configuration of the cloud service console and disable all unwanted ports, services and protocols.
Control Reference #: B_CS_C12
Control Description (ToE Control Statement): Ensure secure configuration guidelines are followed and implemented. Only approved ports, services and protocols are enabled for the network infrastructure of a service provider. Note - Refer to the 'Cloud Security Master' Runbook for detailed test procedures, if required.
Test Procedure:
1. Obtain the evidence consisting of the approved ports, protocols and services enabled.
2. Obtain the list of services and the controls applied to RDP/SSH to restrict them from internet access.
Evidence Required:
1. Evidence showcasing that only approved ports, services and protocols are enabled in the network infrastructure and all other ports/services are disabled.
2. Screenshots of services running and ports enabled.
3. Exception approvals for services enabled in the network, if any.
4. Details of RDP/SSH access enablement and the list of controls applied to RDP/SSH access.
Note: Refer to the Cloud Service Provider detailed assessment run book (Azure, AWS & GCP).
Domain: Cloud Security
Sub-Domain: Virtualization Security
Risk number: B_CS_R5
Risk Description: Absence of hardening in Cloud Virtualization may lead to attackers gaining access to Virtual Machine(s), resulting in unavailability of services/data loss.
Control Objective: Ensure that all Virtualization platforms are hardened as per HCL Hardening guidelines.
Control Reference #: B_CS_C13
Control Description (ToE Control Statement): (Applicable for Infrastructure as a Service only) Ensure that all Virtualization platforms are hardened as per HCL Hardening guidelines. Refer to the GIT hardening guidelines. Note - Refer to the 'Cloud Security Master' Runbook for detailed test procedures, if required.
Test Procedure:
1. Obtain the documented standards for secure Virtualization platform configuration.
2. Test for hardening of all applicable containers, databases, APIs and resource management platforms.
Evidence Required:
1. Evidence of documented security configuration standards for all Virtualization platforms.
2. Evidence of storing images/templates for authorized deployment.
3. Device configuration screenshots capturing the hardening requirements.
4. Evidence of hardening for all applicable containers, databases, APIs and resource management platform information.
5. Integration with automated configuration monitoring systems/tools as appropriate.
Domain: Cloud Security
Sub-Domain: Middleware Security
Risk number: B_CS_R6
Risk Description: Lack of appropriate security on cloud may lead to attackers gaining access on middleware, resulting in unavailability of services/data loss.
Control Objective: Ensure that all applicable container, database, API, resource management platform and middleware are hardened as per HCL Hardening guidelines.
Control Reference #: B_CS_C14
Control Description (ToE Control Statement): Ensure that all applicable container, database, API, resource management platform and middleware are hardened as per HCL Hardening guidelines. Note - Refer to the 'Cloud Security Master' Runbook for detailed test procedures, if required.
Test Procedure:
1. For Middleware, assess whether it is at the most recent version (IBM WebSphere, Oracle WebLogic).
2. Obtain the evidence showcasing the Middleware software list and non-compliant software for individual instances.
Note: Any software/middleware having a version greater than n-2 is considered non-compliant.
Evidence Required:
1. List of installed software for the selected systems.
2. Screenshots of approvals for the non-compliant software, if any.
3. Evidence of restrictions applied via network-based URL filtering and hardening applied on web browser/e-mail client usage.
Domain: Cloud Security
Sub-Domain: Cloud application security
Risk number: B_CS_R7
Risk Description: Inadequate Cloud application security controls may lead to unauthorized access to a website, server or other AppService system.
Control Objective: Ensure that the '.Net Framework, PHP, Python, Java, HTTP' version is the latest (for applications used as a part of the web app).
Control Reference #: B_CS_C15
Control Description (ToE Control Statement): (Applicable for SaaS only) Ensure that the '.Net Framework, PHP, Python, Java' version is the latest, if installed (only if used as a part of the web applications). Note - Refer to the 'Cloud Security Master' Runbook for detailed test procedures, if required.
Test Procedure:
1. For middleware / subsystems installed on the VMs, assess whether the latest patches were installed. Verify from the tool and by walkthrough to confirm that versioning is in place. Only approved and licensed software are used for any development. Customer approval is required for any exception for not installing the latest patches.
Evidence Required:
1. For the application, screenshot showing the approved latest updates/versions/patches were installed.
2. Approved secure guidelines document.
3. Software Asset Management list (applications); confirm that the document is reviewed on a periodic basis.
4. Walkthrough indicating exception approval and approver details.
Note: Refer to the Cloud Service Provider detailed assessment run book/SOP (Azure, AWS & GCP).
Domain: Cloud Security
Sub-Domain: Cloud application security
Risk number: B_CS_R7
Risk Description: Inadequate Cloud application security controls may lead to unauthorized access to a website, server or other AppService system.
Control Objective: Ensure web application traffic is routed through a secure communication channel.
Control Reference #: B_CS_C16
Control Description (ToE Control Statement): Ensure the web application redirects all HTTP traffic to HTTPS, and ensure the web app is using the latest version of TLS and encryption. Note - Refer to the 'Cloud Security Master' Runbook for detailed test procedures, if required.
Test Procedure: Note: Only applicable if a web application is hosted.
1. Obtain the details for redirecting all HTTP traffic over secured protocols/HTTPS.
2. Validate the details of the TLS encryption (version 1.1 and above) technique in use for securing the web application.
Evidence Required:
1. Details/screenshot of the encryption technology (TLS version 1.1 and above) used in browsers and web applications.
2. Evidence of enabling data encryption in transit.
Cloud B_CS_R8 Lack of Ensure that B_CS_C17 ToE Control Test
use for for Evidence:
Security encryption of all data at Statement Runbook
Procedure:
securing
detailed testthe
data in cloud rest and Web
may lead to transit are procedures,
Ensure that Application
1. For any
if required 1. For
data encrypted all Virtual virtual selected
loss/data storage, storage, VMs, system
theft and data data
regulatory 2. Inventory level2.
volumes / volumes
of all / screenshot
Documents/
non Hard disks' hard disks, Screenshots
showing the
compliance. sensitive
Data Security are determine
information software
of all
encrypted Note
whether - Refer
it is 3. Evidences
configured
stored,
'Cloud sensitive
of data
fully
processed, for full disk
information
Security
encrypted classification
encryption.
or
Master' stored,
based on
transmitted 4. List the
processed,
Runbook for sensitivity
cryptographi of
by the test or
detailed data.
organization' c
procedures, transmitted
s technology mechanisms
if required by the
systems deployed to
organization'
protect data
s technology
stored
systems, and
End user Data B_EUS_R1 Inadequate To ensure B_EUS_C1 ToE Control Test Evidence:
evidences
including of
computing Leakage IT security that end Statement: Procedure: enabling
those
security Prevention controls on user devices encryption
located on-
end point are For the set for 1.
DLP service siteGIT
data
or at a
devices may adequately stored
is enabled of end remoteatfor
report
lead to data protected and running rest.
leakage against data user the month
service
for the end devices,
Step 1. GIT 2.provider.
withScreen
users
and/or leakage and user devices
security other cyber shared
assess shot of as
mapped
incidents. security whether
"End user compliant
System
threats DLP upload
reports":
GIT end and Non-
EDPA
3. and
point on
reports compliant
WDP
Screenshot
common
agent is services
of
(doUSCC
SharePoint
If
installed stopped
widget
VLOOKUP)
.and
hostname
Search with
showing
for
is not
all user
running System
DLP as
device
found,
To confirm
(laptops its hostname
Non-
hostname
Non–
for
andNon- compliant
and Date
in
Compliant.
Complianc
list.
Desktop). with
or
e, follow System
below hostname
options and Date.
Option 1.
Using
USCC
Right click
on USCC
icon in
Visit:
system
https://glo
tray and
balit.hcl.co
take
Type
m/uscc/
screenshot
hostname
or
of the
sampled
system
and see
whether
the DLP
service is
Compliant
or Not
Option 2.
Go to start
> run and
End user Disc B_EUS_R1 Inadequate To ensure B_EUS_C2 ToE Control Test
type Evidence:
computing Encryption IT security that end Statement: Procedure:
"services.
security controls on user devices msc".
end point are Disc search
For thefor
set 1. GIT
devices may adequately encryption of
lead to data protected
services
end shared End
shall be user
"EDPA and user report
leakage against data configured Step
and/or leakage and devices,
WDP". 1. GIT 2.
with
Screen
users
and enabled
security other cyber for HCL end
assess
shared
Check mapped
shot of as
incidents. security user whether
"End User Encryption
compliant
threats machines encryption
reports":
GIT
the upload not Or Non-
and
(Laptop) is
reports
serviceson installed
compliantor
configured
common
are (do set to
not
and
SharePoint
If
"Running" 3. VLOOKUP)
ON in
.enabled
hostname
andSearch
users Screenshot
control
for
is
not not
all
(Laptops). user of
having panel
USCCor
device
found,
optionsits to widget
on My
hostname
Non-
disable/ Computer/
showing
in
compliant.
list.
stop. My PC with
Encryption
Option
To confirm1. as Non-
System
for Non- compliant
hostname
Complianc with and Date.
Using
e follow System
SCCM
below hostname
options: and Date.
Right click
on USCC
icon in
system
Visit:
tray and
https://glo
balit.hcl.co
take
Type
m/uscc/
screenshot
hostname
or
of the
sampled
system
and check
whether2.
Option
Encryption
Go to start
>shows
My
computer/
If no lock
Compliant
This PC
icon, it’s
and check
not
ORthe 'lock
if
encrypted
icon'hence
and is
available
Non-
on all 3.
Option
Compliant
visible->
Start
Control
drives - C:
This
& D: should
panel ->
set to
System
and
'Encryption
End user Anti-virus B_EUS_R1 Inadequate To ensure B_EUS_C3 ToE Control Test Security -> Evidence:
ON'
computing program IT security that end Statement: Procedure:
Bit Locker
security controls on user devices Encryption
end point are Anti-virus For the set 1. GIT
Options.
devices may adequately
lead to data protected
software of end shared End
(including all user user report
leakage against data components) devices,
and/or leakage and with
2. System
users
shall be
security other cyber installed and
assess mapped
level as
incidents. security run with whether screenshot
compliant
threats latest Step 1. GIT showing
Anti-virus, OR Non-
and
updated shared
Symantec the anti-
compliant
definition on reports:
WSS Agent virus(do
end user and VLOOKUP)
software
machines InfoBlox installed or
(Laptops, EndPoint is not
Desktop and
Thin client)
configured installed
and on user
enabled machine or
(As no green
and/or leakage and
security other cyber
incidents. security
threats

GIT upload 3. Screen


reports on shots of
common the
SharePoint 4.
If selected
Relevant
. Search
hostname set of end
evidence
fornot
is all user for
user
device its Symantec
found, devices
hostname WSS
Non- with AV
and
compliant.
in list. InfoBlox
(Anti-
To confirm
Option 1. Virus)
for Non- status as
Using
Complianc Non-
SCCM
Right
e, follow click Compliant
on
belowUSCC in USCC
icon
options:in with
system
Visit: System
tray and hostname
https://glo
take
balit.hcl.co and Date.
Type
screenshot
m/uscc/
or
hostname
of the
sampled
system
and see
Option
whether2.
Find
the Anti-
Symantec
Virus is
Endpoint
Or you can
showing
look in
Compliant
Protection
your
in your
system
Also,
Programs the
tray
updated
or find(nextit
definition
by your
to pressing
of
For
theAnti-at
clock)
virus
Symantec
Windows
the is
bottom
indicated
WSS
key on
right and
of
End user Patch B_EUS_R1 Inadequate To ensure B_EUS_C4 ToE Control with
InfoBlox
Test
your a Evidence:
computing Managemen IT security that end Statement: Endpoint
Procedure:
keyboard
screen.
green dot-
security t controls on user devices Right
andthe
Validate
on click
typing
end point are Patches on
For the
all
"Symantec
the
gold end 1. GIT End
shield
devices may adequately
lead to data protected
installed system
user
".
definition
icon; user report
should be devices,
is updated with users
tray->
leakage against data latest (N-2)
and/or leakage and assess
with N-7. 2.
identify mapped
Systemas
on end user
security other cyber machines
whether
the icons level compliant
incidents. security (Thin client, latest
for WSS and Non-
screenshot
threats Desktop, Patch
Step
and 1.isGIT showing
OR
compliant
Laptop) installed
shared
InfoBlox the (do version
(Laptops,
reports:
and check of VLOOKUP)
Patch
Desktop
GIT upload 3.
whether installed
USCC
and
reports
theyThinareon screenshot
with
common
enabled
client). System
for Non-
If
SharePoint
and hostname
Complianc
hostname
.showing
Search eand
Patch
Date.
for
is not
all
'Connecte with
d' and its Note
device
found, System- Thin
hostname
Non -
'Protected' client is
hostname
in
compliant,
list.
respectivel not
and Date.
Option
to
y confirm 1. Hence
updated
Using
for Non- check on all
SCCM
Complianc Thin client
monthly
Right
e, followclick are
basis but
on USCC running
below version is
icon in
options: updated
with same as
system
Visit: and when
version.
tray and released
https://glo
take
balit.hcl.co by OEM.
m/uscc/
screenshot
or
Type
hostname
of the
sampled
system
and see
the Patch
Option 2.
is showing
Start ->
Control
Compliant
panel ->
Check for
Programs
latest KB -
> View
number,
End user Removable B_EUS_R1 Inadequate To ensure B_EUS_C5 ToE installedof Evidence:
instead
Test
computing Media IT security that end Control updates
the
Procedure:
date ->
security controls on user devices Statement: when
Microsoft it
end point are Removable 1. windows
was Review- 1. GIT
devices may adequately
lead to data protected
media > Security Report
updated.
report
leakage against data shall be shared
update by
and/or leakage and disabled 2. GIT Validate
- Filter 2. USCC
Microsoft
security other cyber for end the
with USB
Windows.L4 if screenshot
incidents. security user users
all USBfor for USB
Identify
threats systems 3.
theRequest
users KBlisted 3. System
Enabled
USB
in GITuser level
Engageme
article with
nt
report
to share screenshot
number. System
have
screenshot hostname
business
of Ticket and Date
justificatio OR
reference#
Alternate
n for the
indicating
Test
accessand
Start
procedure:
End date
Option
of USB 1.
Using
access
SCCM
Right click
on USCC
icon in
system
Visit:
tray and
https://glo
take
balit.hcl.co
screenshot
Type
m/uscc/
or
hostname
of the
sampled
system
and check
whether2.
Option
the USB is
Locate
showing
Symantec
Disabled
Endpoint
Take
Protection
screenshot
iconGroup
for in the
End user Advanced B_EUS_R1 Inadequate To ensure B_EUS_C6 ToE Test
System
and Evidence:
computing Persistent IT security that the GIT Control Procedure:
tray which
validate
security Threat controls on managed Statement: that
is onallthe
end point assets are Fire Eye HX For allare
taskbar
users end 1. GIT
devices may adequately
lead to data protected
is installed user
near
in samethe report for
leakage against the and devices,
time If the month
group.
and/or threats display -> 2.
running on assess
USB System
with users
security arising out of all end Right click level
enabled,
whether mapped as
incidents. malware and user's group
Fire
and EyeOpen HX screenshot
compliant
the machines Stepwould
is 1.be
installed
Symantec GIT showing
OR Non-
and
signatures shared
Endpoint the
different
and Fire
compliant
are updated reports:
running
Protection Eye (do
as per the
organization
GIT upload 3.
(Laptops,
-> Click USCC
VLOOKUP)
Endpoint
laid out reports
Desktop).
troublesho on screenshot
Agent
process / common
oting -> for Non-is
Service
policy. SharePoint
Click Complianc
stopped
.Manageme
Search e for EDR.
for
nt device
hostname
in list.
the
signatures
are updated
as per the
organization
laid out
process /
policy. If
hostname
is not
found, its
Non -
compliant,
to confirm
Option 1.
for Non-
Using
SCCM
Complianc
Right
e click
on USCC
icon in
system
Visit:
tray and
https://glo
take
balit.hcl.co
screenshot
Type
m/uscc/
or
hostname
of the
sampled
system
and see
Option
the EDR2.is
Start
showing ->
Compliant
Services ->
If
Fire Fire Eye
Endpoint
Agent
End user Administrativ B_EUS_R1 Inadequate To ensure B_EUS_C7 ToE Service
Test Evidence:
computing e Access IT security that Control Procedure:
status is
security controls on Administrativ Statement: "Running",
end point e access is Privileged Step
then 1. 1. GIT
devices may restricted to
lead to data only
access are Request
AdvancedIT shared list
leakage authorized approved to share of Privilege
Persistent
and/or and and the
Step
Threat list
2. is
of
For 2.access
security appropriate activated the
personnel
enabled in Screenshot
incidents. personnel only for with
sampled
the of SX
the privileged
users,
Step
machine. 3. If 3. raised if
authorized the
validate
access access if Screenshot
End date
personnel isthe
(Localnot passes
if End user
and
privileged
revoked
Step
Admin) 4. access
can install
not
access
post
Mark end
NC
was if software
revoked
date,
admin
granteduser and
highlight
can
Step
post 5. disable
the
uninstall
Mark
approvalNon-NC orif services
Complianc
disable
admin
and user like AV,
End user BYOD B_EUS_R2 Inadequate To ensure B_EUS_C8 etimeline
important
can
ToE Control Test to install
GIT DLP
Evidence:
computing end user that personal application
for
Statement: Procedure: service etc.
security security devices BYOD BYOD
,sPrivilege
freeware
like AV,
controls on used to End Point DLP
etc.
accessin theif 1. Check the
Determine
personal provide
devices services to
security service
system.
revocation
BYOD etc. Anti-virus
has
controls following
Try
is valid installed on
used to client are shall be end
provide adequately 1. Anti-virusa BYOD
point
installing Start--
configured controls. machine
>Search and
services protected on end
pre- check for
may lead to against data user's determine Anti-virus
virus
data leakage leakage and d freeware
2. Latest "Virus
2. Go toand
personal definitions.
Threat
and/or other cyber devices as from the
Microsoft Control
security security protection"--
per agreed patches
internet Panel,
>
select
Settings--
incidents. threats Program &
BYOD policy 3. andWindows Check >Checkfor>
10 Operating Features
validate View
definitions
system
that the installed
and take
system
4. MFA Updates.
snippet/scre
3. Click on
does not Verify enshotif the
Start--
latest
allow it to >Run-->type
'security
be
5. No command
4.
updates' are
installed. <Winver>
freeware Screenshot
installed and
and capture
software is of MFA(Multi
take
installed the
Factor
screenshot
screenshot
Authenticatio
(This
n) should
not be
mechanism
Windows
where usersXP
or
hasWindows
to insert
Vista)
PIN/Passwor
d (Like
RSA/VPN/Ci
5. Click on
Start--
>Run-->type
For BYOD, command
user shall <Appwiz.cpl
connect only > and
via RA-VPN capture the
or UAG screenshots
service of all
provided by installed
NOTE:
Enterprise IT software

a) Obtain
employee
consent over
an
b) Ifemail to
Delivery
carry
statesout
there
End
are nouser
testing
BYOD on
users
End user Secure B_EUS_R3 Unauthorize To ensure B_EUS_C9 ToE Test
their Evidence:
in the
computing logon d software that Control Procedure:
personal
Engagement
security procedures installation approved list Statement: device
may lead to of enterprise , cross / Wi-
Only white -validate
FiRequest
networkfrom 1. TARMAC
violation of software
licensing (white list)
listed GITBYOD
the Spoc report
agreement, should be software to share
user list from GIT
exposure to maintained should be shared with 2.
-Review
the
virus / for installed R&C
the
TARMACteam Evidence
malware deployment on the End (BUCO)
TARMAC
report of
every month
attacks on user user IT report
-Identify
basis the approvals
request systems. Non-
RAS dump for the
obtained
without compliant
shared
from GIT non-
approvals.
For other
software
to ensure compliant
software, installed
that only software, if
approvals approved
from the any.
Human Background B_HR_R1 Inadequate To
fromensure
defined B_HR_C1 ToE Control software is Evidence:
TARMAC
Test
resource Verification background that
approvers Statement: installed
report
Procedure:and
security verification background
should be (greenwith
share
checks may verification
sought prior For all the status
Engageme
1. Obtaininthe 1. List of
lead to hiring checks
to of all
of employees
employees/c TARMAC). employees /
nt
system
deployment ontractors generated contractors /
incompetent/ or
of software. deployed in list of all the new joiners
undesired/su contractors a. Name of 2. BGV
client employees
the Report
spicious hired are delivery, who have
employees conducted. employee
mandatory joined the
which may background b. Date of
engagement 3. Delivery
result in verification joining
(project) head - L1
damage to check must during the Leader's
organization approval
be assessment
c. Employee 4. BGV /
al reputation completed period, client
SAP ID with tracker -
and/or before details such approval
Sample
business deploying. as -
d. Date of population
loss.
assignation file
to the
project/
engagement

2. Determine
whether the
background
verification
Obtain the
check for all
background
the
verification
employees
report of all
a. Date
was on
the
whichselected
the
conducted
employees,
background
before they
capturing
verification the
started
following
check
working was
details
completed - a
in
client
for all therole.
delivery
employees
who were
deployed in
client
delivery role.
The
background
verification
3. For a
selection of
employees,
obtain - Date
i. Criminal
of
Background
background
Verification
verification
(Mandatory
ii.
asGlobal
per -the
check
database No
BGV policy
exceptions
check
which can
approvals
(Mandatory
include
iii. ID
will be the
check
below - No
verification
considered
exceptions
(Mandatory
for baseline)
approvals
check - No
iv.
willHighest
be
exceptions
relevant
considered
approvals
education/E
for baseline)
will be
ducational
v. Previous
considered
Background
Employment
for
Check baseline)
check
vi. Address

vii. CIBIL
Report

viii. 2
reference
check
ix. CV
verification

Note:

a. If the
joining date
is post 30th
Mar’20
b. Effectiveand
BGV checks
1st Apr'21:
are delayed
No baseline
due COVID-
exception
c.
19,Maintain
Validate
approval
the sample will
that Delivery
be accepted
population
L1 Leaders
for
file Criminal
andclient Evidence:
Human Background B_HR_R1 Inadequate To ensure B_HR_C3 ToE Control and/or
Test
Background
resource Verification background that Statement: upload
approval
Procedure: as
verification,
artefact. All
security verification background (mandatory
Global
checks may verification incomplete
for
All the database
1.
BGV Determine 1. List of
lead to hiring checks of all contractual
check and
exceptional whether
samples the
with Exception
of employees BGV
ID
approvals in exceptional
exception approval
incompetent/ or requirement
verification – cases
Background approvals
approvals
1. Obtain the 2. Exception
undesired/su contractors )These
was
Verification were
will
list taken
have
of to approvals
spicious hired are obtained
checks
shall be from
be thehave
exceptional
employees conducted. before
to be the
taken as per authorized
revalidated
cases.
which may date
2. Forofall
completed on-
of 3. Obtain the
the defined individual
for BGV or
result in boarding.
the
before for logical
process. council
completion.
damage to exception
onboarding
the selected access
organization Call this out
cases,a. ECA provisioned
employee
sample check
al reputation in the
-employees.
Validate date
and/or Word report
whether
also.
business
Human Non B_HR_R2 Absence of To ensure B_HR_C4 ToE Control employees
Test Evidence:
loss.
resource Disclosure signed NDA that non- Statement: logical
Procedure:
security Agreement may lead to disclosure access was
lack of agreement is provisioned
Non- Via
postERD
the & 1. List of
awareness signed by all disclosure iTAP Portal employees/
and employees/ exceptional
agreements approval new joiners
obligations contractors should be
towards during on- was
signed by obtained.
organization boarding. the
al employees/c
requirement ontractors/
s which may TP
result in resources/
unauthorized Loan
disclosure of resources at
Human Non B_HR_R2 Absence of To ensure B_HR_C4
resource Disclosure signed NDA that non-
security Agreement may lead to disclosure
lack of agreement is
awareness signed by all
and employees/
obligations contractors
towards during on- 1. Determine 2. NDA
organization boarding. whether the copies
al non-
requirement disclosure
2. Obtain a 3. Indemnity
s which may agreements
list of all the declaration
result in for selected email from
employees
unauthorized sample
who have of employee
a. Name
employees/c 4. NDA
disclosure of joined the
the
ontractors sample
confidential organization
employee
were signed population
information during the
resulting in at the
b. Date
assessment timeofof file - To
joining.HCL
joining validate the
reputational period, with signed
damage and details such NDA's when
financial as For
3. - all on situation will
losses. boarded be back to
employees, normal
obtain
a. Date theon
non-
which the
disclosure
agreement
agreements
was signed
4.
and For onsite
check
by the
employees/
for -
employee(T
TP
his should
resources/
5. Ifsame
be the as
Loan
joining
the dateisof
resources
post
joining)30th
obtain
Mar’20:the
relevant
Validate that
NDA
Indemnity
sections
declaration
from
Notesent
was the
-
offer
from letterthe
Maintain
sample
employee's
Information Information B_IS_R2 Absence of To ensure B_IS_C3 ToE Control population
registered
Test Evidence:
Security Classificatio appropriate that a Statement: file
email and
Procedure:ID
Organization n information defined upload
before the as
and Policy classification information artefact.
date of on-
Information 1. For the
These 1. Sample of
and handling classification boarding
shall be selected
samples will documents
may lead to process classified sample
inadequate exists and is have to of be validated for
and handled documents,
Validatefor classification
validated
2. 2. Software
prioritization implemented as per the validate that
for , approved NDAthe
that sign off by theis
Titus
defined the
once
software assessor.and
installed
protection of and process. documents
organization reviewed process
Titus is is is enabled.
3. Test
are
assets. periodically. resumed
installed,
whether
classified in
post COVID
enabled and
admin
line with the
situation.
enforcing
privileged
defined
Note:
Call this out
classification
users
guidelines.
Sample have
of 3
in the ECA
of
access
to 5 to
Word report
documents
uninstall
Information PCI Data B_IS_R3 Usage of To ensure B_IS_C4 ToE Control documents
also.
upon
Test saving.
TITUS Evidence:
Security Security personal Engagement Statement: to be or
Procedure:B
not.
validated.
Organization devices to handling PCI BYOD YOD
and Policy provide data are only Engagement Determine if 1. Asset
services using HCL handling PCIemployees Register
may lead to or client data are handling PCI
data leakage provided using only / Card data
and/or laptops/desk 2. L4
HCL (Prepaid, acknowledg
security tops provided Credit &
incidents. ement for
laptops/deskDebit Card) BYOD
NOTE:
tops forThisNOTE:
are usingThis 3. End users
user
control is
production control
only HCL is or testing to
applicable
work applicable
client verify asset
for PCI for PCI
provided used is not
Engagement Engagement
laptops / personal
s s -
Desktops. device
"Engagemen
BYOD
ts handling Note:
solution
Prepaid Review the
should not
card, Credit list of BYOD
be used
Logical Logical B_LS_R1 Inadequate To ensure B_LS_C1 card, debit
ToD Control Test users
Evidence:
Security Access controls for logical Statement: card..etc......
Procedure: received
Managemen accessing access to " from BUCO
t Client data Client data is team to
may lead to provided cross
unauthorized only to validate
access. authorized BYOD users
users for the
respective
Engagement
Logical Logical B_LS_R1 Inadequate To ensure B_LS_C1
Security Access controls for logical
Managemen accessing access to
t Client data Client data is Engagement 1.Obtain the 1.
may lead to provided specific On- copy of Engagement
unauthorized only to boarding engagement specific
access. authorized and off- specific approved
users 2.Validate
boarding approved
that it onboarding
procedures onboarding
contains and off-
are and
below off- boarding
documented (i) Procedure process
boarding
criteria,
for granting / document
and procedure
approved. At revocation
document. of
a minimum it logical
(ii)
should cover access
Onboarding to
the criteria client
Offboarding
for granting / environment
of Internal
(iii)
s. Non
revocation of movers.
standard
logical
access to
access to
HCL Intranet
(iv) Privilege
customer
Portal
access
environment
(managemen
SharePoint
/ data.
,t.OneDrive,
(v)
MicroPhysical
Sites
access
etc.).
managemen
t.
(vi) Client
Mandate
training as
applicable.
(vii) BGV
package &
NDA
requirement
s as
applicable.

Logical Logical B_LS_R1 Inadequate To ensure B_LS_C2 ToE Control Test Evidence:
Security Access controls for logical Statement: Procedure:
Managemen accessing access to
t Client data Client data is Access to 1.Obtain the 1. Process
may lead to provided customer approved document
unauthorized only to environment onboarding for Logical
access. authorized / data shall and off- the Access
users 2 Obtain 2. RAS
be boarding
list of provisioning
dump for the
requested procedure
employees engagement
only by an document
who on
authorized 3.
LogicalForhave
the (Joiners
3. Logicallist)
joined
selected the access
personnel or Access
engagement
with specific users,
provisioning obtain provisioning
during
the the
approvals 4. Validate records
assessment 4. Artifactsfor
evidences
any Non to selected
for Non
period
confirm - that samples/
standard
using RAS. standard
the
access access to Screenshots
access to
Logical Logical B_LS_R1 Inadequate To ensure B_LS_C3 ToE Control Test
to customer Evidence:
or email
Security Access controls for logical Statement: HCL
Procedure: Intranet HCL Intranet
environment
Portal approvals
Portal for
Managemen accessing access to was
t Client data Client data is ( SharePoint the ( SharePoint
Requests requested
,1.Obtain
OneDrive, the individual
ProcessID
,1.OneDrive,
may lead to provided only
unauthorized only to
are raised in MicrobySites
approved an creation.
document
Micro Sites
a timely authorized
process
etc.)was for
etc.)Logical
access. authorized manner for personnel.
document on Access
users provisioned
2. Obtain the provided
2. as
List of exit
revocation of Logical
as per
list of On- revocation
per On-
employees
logical Access
Boarding
employees boarding/
from the
access to revocation
document.
who have Off-boarding
engagement
customer 3. For the 3. Logical
exited
selected the -process
access
environment engagement document.
/ data at the users, revocation
during
validate the that records for
time of off- 4. Validate
assessment 4. Validate
boarding. the
any access
Non selected
any Non
period-
revocation standard samples/
standard
comparison
request
access was Screenshots
Logical Secure B_LS_R2 Lack of To ensure B_LS_C4 ToE Test on or access
of
raisedprevious to Evidence:to
HCL
and Intranet or
current HCLemail
Intranet
Security logon appropriate appropriate Control Procedure:
before
Portal LWD approvals
Portal for
procedures restriction to usage of Statement: RAS/
the usage of Generic (from
leavers
HCL/ (the
SharePointlist SharePoint
engagement
OneDrive, individual
,from , OneDrive, ID
generic ID(s) User IDs in or as per
may result in information Micro Sites revocation.
engagement Micro Sites
contractual
etc.)was
misuse and processing .requirement etc.)was
lack of systems. provisioned provisioned
in line
as per with
Off- as per Off-
accountabilit off-boarding
y. Boarding Boarding
procedure.
document. document.
Logical Secure B_LS_R2 Lack of To ensure B_LS_C4
Security logon appropriate appropriate
procedures restriction to usage of
the usage of Generic Generic 1. Request 1. System
generic ID(s) User IDs in
may result in information
IDs on HCL Engageme generated
misuse and processing systems nt if there list of
lack of systems. should not areIncase,
2. any generic
2. Owner
accountabilit be used generic/sh confirmati
Engageme user
y. unless for ared
nt is not
ID ID's(if exam
on the
a specific utilized
aware,
3. Identify in 3.ple-
Shared/Ge
business businessID Evidence
request
Generic admin/do
neric ID is
purpose GIT
for the
to
environme still
of
m123mailetc.)
for
with share
Engageme
If
ntGeneric 4. required.
Extension
approvals system
nt
ID and
are of usage of
Quarterly
from generated
request
correct, for review/
Generic ID
relevant confirmati
required
list of (if
reconciliati
business on
and (ifhave
generic/sh the on applicable)
of
owners. generic/sh
business
ared user generic IDs
ared
justificatio
ID's for ID the
is
correct,
n, mark
engageme
effective
nt.
still
required
and have a
business
Note
requireme -
Check
nt). with
owner if
All
there generic
was
IDs
a mail must
have
from a
primary
o All
'itsd@hcl.c
requests
om' for
and
for Generic
extension
secondary
ID’s
o
or All
owner must
review.
be
generic
user
supportedIDs
shall
o
byAll be
allocated
generic
appropriat
only
user for
IDs a
e business
Logical Secure B_LS_R4 Absence of To ensure B_LS_C6 ToE limited
shall
Test
case be Evidence:
Security logon access that system Control reconciled
Procedure:
time
procedures restriction for configuration Statement: quarterly
duration
privilege should not Download and 1. Enquire 1.
accounts permit users
may result in from
and from
continued end Screenshot
undesirable downloading installation user,
accessif of website
access/modi and of he/she
2.
shallSystem is 2. from
fications installing software should
able
require to not Screenshot
where
which may software from download
allow
additional end of download
lead to from the Internet is 3.
any
user System
approvalsto of
downloade
3.
security internet. blocked for should
software
download
in not- Screenshot
software
d software
breaches end user allow
from
For sample
accordanc to was
on
of installed
the
Internet.
users,
install
e with the the software
attempted
system
request
downloade
Exception from
user
d software
manageme to try Add/remo
System
-downloadi
ntTry to
policy ve services
should
ng
install
and the not
software
downloade
allow
process
If
d end user
like
software
software
is
on able
the to
downloadi
'WinZip,
downloade
user
ng and
Notepad+
system.
give
d
+' or
or install
alert
other.
with
software,
prompt
mark theto
Note
enter - as
control
Incase
Admin user
Not
was able
username/
effective
Network Network B_NS_R12 Absence of To ensure B_NS_C10 ToE to
Test
password Evidence:
Security Segregation appropriate that logical Control download
Procedure:
logical segregation Statement: (applicable
and install
segregation should exist to
software.
of networks between
may lead to HCL
Dedicated
Request
unauthorized internal, ODC
him to only)
log
access and client and SX ticket to
data leakage external ITFO for
network. uninstall of
the
Network Network B_NS_R12 Absence of To ensure B_NS_C10
Security Segregation appropriate that logical
logical segregation
segregation should exist HCL Follow 1. Network
of networks between
may lead to HCL
engageme below Diagram
unauthorized internal, nts with steps: with IP
access and client and dedicated Step 1: subnet
2. Network
data leakage external ODC shall Request Switch details
network. have a GIT to Screenshot
segregated share2: - 3.
Step or
VLAN. switch
Obtain Configurati
Screenshot
level
Network onIpconfig
of
details
diagram showing
command
4. Ping
(Screensho
from GIT response
the IP
output
t) to
and subnet
from
test result
validate
During
demonstra Engageme
that
Walkthrou
te nt (few
Screenshot
gh:
Dedicated sample) to
Step
(in
ODC Step
1 in1)a ensure
is
maps
separate with they all are
VLAN.
subnet in same
-details in subnet or
Engageme
Network not
nt
Diagram. to
-confirmStart> on
run
IP subnet > type
used for
CMD > got
-to Ask
engagemec: and
Engageme
nt (for
type
nt if all
Dedicated
‘Ipconfig’
Note: are
users
ODC)
using the
same IP
1.
subnet Lab andor
Engageme
if there a
nt could
particular
have
2.
requireme
different
Engageme
nt to have
subnet
nt with
additional
HIPAA
subnetor
PCI
because DSS of
could
confidentia have
Stepof2:work
such
lity
segregatio
n
-requireme
Try to
ping
nt from
current
subnet to
another
subnet to
confirm for
If
segregatio
machines
n address
IP
Control Domain: Network Security
Sub-Domain: Network Architecture Diagram
Risk number: B_NS_R2
Risk Description: Lack of approved network architecture diagram may result in insecure network design leading to unauthorized access/cyber attacks.
Control Objective: To ensure that documented network architecture diagram that identifies all connections between the HCL environment and other networks should exist, be approved and reviewed periodically.
Control Reference #: B_NS_C3
Control Statement (ToE): Network architecture diagram shall be defined, documented and periodically approved by authorized person.
Test Procedure:
- Request GIT to share Network Architecture diagram for the engagement
- Network Architecture diagram should have details like:
  - Locations (all) along with connectivity details for the engagement
  - Cloud details
  - Review date and version of Diagram
  - Approver Name
Evidence Required: Network Architecture diagram for the engagement; updated list of approvers for Network Diagram
Control Domain: Network Security
Sub-Domain: Vulnerability Assessment
Risk number: B_NS_R3
Risk Description: Non-adherence to defined vulnerability assessment process may lead to unpatched vulnerabilities resulting in unauthorized access/cyber attacks.
Control Objective: To ensure that network security vulnerability assessment should be performed periodically. Any exceptions/gaps identified should be reported to the authorized personnel.
Control Reference #: B_NS_C5
Control Statement (ToE): Vulnerability Assessment is carried out for engagement dedicated devices periodically.
Test Procedure:
1. Determine whether Engagement has raised SX ticket for Vulnerability Assessment of their dedicated device(s)
2. Determine whether Vulnerability Assessment was carried out and report shared with Engagement
Note:
a) Vulnerability Assessment periodicity shall be defined basis Engagement's Tier, Device criticality and Vulnerabilities identified in the last scan. Periodicity shall be minimum annually.
b) If Engagement has raised VA request, however, they didn't receive the VA report, follow-up with VA team and obtain the report
c) Mark the control 'Not Effective' on Engagement if they have not raised request to VA Team
d) Mark the control 'Not effective' on VA Team if the Vulnerability Assessment was not performed as per SLA
Evidence Required: 1. Self declaration or 2. Request Number or mail to confirm no such request 3. Scan report shared by the VA team
Control Domain: Network Security
Sub-Domain: Vulnerability Assessment
Risk number: B_NS_R3
Risk Description: Non-adherence to defined vulnerability assessment process may lead to unpatched vulnerabilities resulting in unauthorized access/cyber attacks.
Control Objective: To ensure that network security vulnerability assessment should be performed periodically. Any exceptions/gaps identified should be reported to the authorized personnel.
Control Reference #: B_NS_C8
Control Statement (ToE): Vulnerabilities are remediated as per SLA.
Test Procedure:
1. Request Vulnerability Assessment report from Engagement
2. Determine whether Engagement has raised SX ticket for remediation of the vulnerabilities identified in the vulnerability report
3. Determine whether the vulnerabilities identified in network elements were assigned a risk rating (Vulnerability Assessment PRO v 3.0; for example "Critical", "High", "Medium" or "Low")
4. Determine whether the vulnerabilities identified have been remediated as per the SLA or remediation is still in progress. SLA defined:
   - Sev 5 > 4 weeks from the SX ticket date
   - Sev 4 > 8 weeks from the SX ticket date
   - Sev 3 > 12 weeks from the SX ticket date
   - Sev 2 > 16 weeks from the SX ticket date
   - Sev 1 > Vulnerabilities are informational and subject to threat assessment from remediation perspective
Note:
a) Closure of Vulnerabilities should follow Change management process
b) If at the time of assessment, vulnerabilities have not been closed as per SLA and request for remediation has not been raised, mark the control 'Not Effective'
c) If all vulnerabilities have been closed as per SLA, determine the lead time for remediation and mark the control 'Effective'
d) If no exception were raised and vulnerabilities have not been remediated by GIT within SLA, mark the control 'Not Effective'
e) If no vulnerabilities were identified and no remediation was required, mark the control 'Not applicable'
Evidence Required: 1. Vulnerability scan report 2. SX ticket details for remediation with criticality 3. Vulnerability closure evidence by IT Team 4. Change records or Ticket details for remediation closure evidence
Control Domain: Network Security
Sub-Domain: Vulnerability Assessment
Risk number: B_NS_R3
Risk Description: Non-adherence to defined vulnerability assessment process may lead to unpatched vulnerabilities resulting in unauthorized access/cyber attacks.
Control Objective: To ensure that network security vulnerability assessment should be performed periodically. Any exceptions/gaps identified should be reported to the authorized personnel.
Control Reference #: B_NS_C7
Control Statement (ToE): Exception approval shall be in place for vulnerabilities not mitigated.
Test Procedure: 1. Determine if exception approval is available on GIT for vulnerabilities not mitigated (Risk closed basis RCA shared by GIT for SLA miss along with Functional level leader's approval). If exception is not shared or not available, mark 'Not Effective' on GIT.
Note: All vulnerabilities should be closed within the defined SLA.
Evidence Required: 1. Exception approval mail for vulnerabilities not mitigated (vulnerabilities which cannot be mitigated due to business dependencies, unavailability of patch, etc.)
Control Domain: Network Security
Sub-Domain: Vulnerability Assessment
Risk number: B_NS_R3
Risk Description: Non-adherence to defined vulnerability assessment process may lead to unpatched vulnerabilities resulting in unauthorized access/cyber attacks.
Control Objective: To ensure that network security vulnerability assessment should be performed periodically. Any exceptions/gaps identified should be reported to the authorized personnel.
Control Reference #: B_NS_C9
Control Statement (ToE): Rescan/Follow-up post closure of vulnerability is conducted for ensuring closure of the vulnerabilities/gaps identified during Vulnerability assessment.
Test Procedure:
1. Determine if Engagement has requested for rescan to validate closure of vulnerabilities
   - If Rescan report comes without vulnerabilities, mark control 'Effective'
   - If Engagement has not requested for rescan, mark 'Not effective' on Engagement
   - If old vulnerabilities are found in rescan, mark the control "Not effective" on GIT
2. Determine whether Engagement has requested VA team to rescan; however, if re-scan was not performed as per SLA, mark 'Not effective' on VA team. GIT is to remediate unaddressed vulnerabilities found in the rescan.
Note - If there are open vulnerabilities after rescan, Engagement can request GIT to remediate vulnerabilities again; no need to open additional ticket.
Evidence Required: 1. Re-Scan report 2. Mail evidence for Rescan of the device
Control Domain: Network Security
Sub-Domain: Network Controls
Risk number: B_NS_R4
Risk Description: Non-redundant configuration for critical network devices could lead to a network outage resulting in downtime and business loss.
Control Objective: To ensure that critical network devices should be configured in redundant mode.
Control Reference #: B_NS_C11
Control Statement (ToE): Critical network devices are configured in the redundant mode.
Test Procedure:
1. Understand the 'Network setup' of the ODC
2. Review the Network Diagram to understand the Network Connectivity and devices connected
3. Review Engagement Asset register to identify critical network devices such as L3 Router, Switch, Firewall, etc.
4. Request Engagement SPOC / GIT to share configuration parameter screenshot to demonstrate whether the Network devices are configured in HA or Redundant mode
Note –
a) HA is heart beat setup, i.e. secondary firewall will automatically be activated if Primary firewall stops working (if not configured in HA mode, *** DCO should let Engagement know the risk of downtime of at least 1 hr.; applicable only for dedicated devices ***)
b) Redundant setup needs to have an extra router, and downtime will be for at least 1 hr. If as per BCP document the RTO is agreed to more than 1 hr., mark control as effective. Engagement has to agree for adding additional router as they have to bear the cost of setting up redundant service.
Evidence Required: 1. Network Diagram 2. Asset register 3. HA configuration screenshot 4. BCP document, if applicable
Control Domain: Network Security
Sub-Domain: Centralized monitoring
Risk number: B_NS_R5
Risk Description: Lack of monitoring of critical parameters may lead to inefficient capacity planning resulting in downtime and business loss.
Control Objective: To ensure that Critical dedicated devices used in HCL environment should be centrally monitored for uptime and utilization.
Control Reference #: B_NS_C12
Control Statement (ToE, applicable only for dedicated devices): Critical parameters shall be monitored centrally for Critical and dedicated devices.
Test Procedure:
1. Review Engagement Asset register to identify Critical Network devices such as Firewall
2. Request GIT to share the evidence of device monitoring screenshot from HPNMMI (Network Node Manager)
3. Review the screenshot and determine whether the below parameters of the sampled device are compliant:
   i. Hostname & Management Address
   ii. Status of the device - Should be 'Normal'
   iii. Node Management Mode - Should be 'Managed'
   iv. Agent Status, Agent State & Agent Enabled settings should be 'Checked'
   v. Analysis of Node Summary - Status should be 'Normal'
Evidence Required: 1. HPNMMI report consisting of parameters with device hostname and IP address mentioned
Control Domain: Network Security
Sub-Domain: Firewall Change review
Risk number: B_NS_R6
Risk Description: Absence of relevant evidences for firewall rule changes as per the defined process may result in unauthorized access.
Control Objective: To ensure that change management process should be followed for creation/deletion of any rule on firewall.
Control Reference #: B_NS_C13
Control Statement (ToE, applicable for dedicated and shared firewalls): Modifications on firewall rule base is done as per the change management process.
Test Procedure:
1. Request GIT to share firewall configuration file, i.e. '.cfg' (that can be opened in text), along with list of CR's raised during assessment period
2. If the Old configuration file of the firewall is available in the SharePoint as part of Firewall Management Policy, compare the old and new file in txt and identify any changes
3. Validate that the changes identified in point 2 are listed in the list of CR's shared by GIT
NOTE 1 - DCO should retain the configuration file requested in the Previous ECA, and GIT should share change records. If GIT is unable to provide evidence of change record, mark the control as 'Not effective' on GIT. DCO should retain evidence of configuration comparison for future reference and sharing with GIT.
Evidence Required: 1. Firewall configuration file 2. Change records 3. Old configuration file along with Incident details
Control Domain: Network Security
Sub-Domain: Firewall Rule review
Risk number: B_NS_R11
Risk Description: Absence of Firewall rule reviews may lead to insecure firewall rules being susceptible to hacking / cyber attacks.
Control Objective: To ensure that the firewall rules are reviewed on periodic basis, at least on annual basis, to ensure conflicting, expired, duplicate or unnecessary rules are removed.
Control Reference #: B_NS_C16
Control Statement (ToE, Scope: dedicated FWs): Firewall rules are being reviewed at least on annual basis.
Test Procedure:
1. Request GIT to share evidence of Firewall rules review
2. Validate if the ruleset review has been done on annual basis
3. Determine whether CR was raised for removal of conflicting, expired, duplicate or unnecessary rules
Evidence Required: 1. Report / Email communication from GIT confirming the rules review done 2. Change Request for removal of conflicting, expired, duplicate or unnecessary rules - raised by GIT
Control Domain: Network Security
Sub-Domain: Latest and Stable Software
Risk number: B_NS_R7
Risk Description: Absence of authorized software for network devices may result in untested software getting deployed leading to unauthorized access, violation of licensing agreement, exposure to virus / malware attacks.
Control Objective: To ensure that approved, authorized, latest and stable software versions should be used on network elements.
Control Reference #: B_NS_C14
Control Statement (ToE, applicable for dedicated firewalls/Router/Switch L3): Latest software is deployed on the network devices.
Test Procedure:
1. Request GIT to share current running version (screenshot) of dedicated network device(s)
2. Refer to OEM website and take confirmation if the latest (N-1) version of software is installed and running
3. For any deviation, request for clarification or exception approval
***Review the EOL/EOS status for network device and accordingly mark the compliance status of the control***
Evidence Required: 1. Device model and version details (Firewalls/Router/Switch L3) 2. OEM page screenshot for version details 3. EOL/EOS page screenshot from OEM website or shared by GIT
Control Domain: Network Security
Sub-Domain: Latest and Stable Software
Risk number: B_NS_R8
Risk Description: Lack of adequate log management for network devices may lead to loss of accountability/forensics in case of an incident.
Control Objective: To ensure that logs from various network elements are captured adequately in a centralized monitoring tool & these logs should be centrally maintained and retained as per policy.
Control Reference #: B_NS_C15
Control Statement (ToE, applicable for dedicated Network devices - Firewalls/Router/Switch L3): Logs are available & retained as per policy.
Test Procedure:
1. Review Engagement asset register to identify dedicated network devices
2. Request GIT to share screenshot from centralized log monitoring tool for logs related to device IP address
3. To ensure logs are maintained and available for last 1 year, share 4 sample dates (per quarter) with GIT
Note – This control is not for End user systems
Evidence Required: 1. Engagement Network device details 2. Screenshot shared by GIT for device logs
Control Domain: Network Security
Sub-Domain: SCOM monitoring/reporting
Risk number: B_NS_R9
Risk Description: Lack of monitoring critical parameters may lead to inefficient capacity planning resulting in downtime and business loss.
Control Objective: To ensure that SCOM (System Center Operations Manager) service should be enabled to monitor health and performance of all systems.
Control Reference #: B_NS_C17
Control Statement (ToE, applicable for dedicated server managed by GIT): System Center Operations Manager (SCOM) or Solar winds is enabled.
Test Procedure:
1. Determine if Engagement has any dedicated server managed by GIT
2. Determine whether the System Center Operations Manager (SCOM) or Solar winds service is enabled for a selection of servers
3. Validate whether server Hostname or IP address details are available in screenshot shared by GIT
Note – This control is not for End user systems
Evidence Required: 1. Engagement server details 2. Screenshot shared by GIT for SCOM/Solar winds integration
Control Domain: Network Security
Sub-Domain: SCOM monitoring/reporting
Risk number: B_NS_R9
Risk Description: Lack of monitoring critical parameters may lead to inefficient capacity planning resulting in downtime and business loss.
Control Objective: To ensure that any deterioration in the network performance should be communicated to the authorized personnel immediately.
Control Reference #: B_NS_C18
Control Statement (ToE): Network bandwidth is monitored and performance reports are shared with the Senior Leadership.
Test Procedure:
1. Check with Engagement to determine the bandwidth allocated (5MB or more)
2. Request Engagement / GIT to share OLA
3. Request GIT to share the bandwidth utilization/Performance report for last 6 months
4. Identify if there is over utilization/beyond threshold of network bandwidth and request clarification from GIT
***GIT is not monitoring bandwidth for individual Engagements, as any high bandwidth channel is distributed between multiple clients (Internally Segregated). Hence, normal spike may not cause any concern***
Evidence Required: 1. Engagement/common OLA document 2. Network utilization/Performance report 3. Any concern raised by GIT
Control Domain: Network Security
Sub-Domain: Access Management
Risk number: B_NS_R10
Risk Description: Unauthorized privileged access on network devices may lead to data leakage and/or security incidents.
Control Objective: To ensure only authorized personnel have the privileged access to the network devices.
Control Reference #: B_NS_C20
Control Statement (ToE, applicable for dedicated Network devices): Privileged access are provisioned post relevant approval and reconciliation is performed at defined frequency.
Test Procedure:
1. Determine hostname and IP address of Engagement's dedicated devices
2. Request GIT to share list of 'GIT Operations' team members with device IP address (should be ACS Server Screenshot) and check whether Engagement's device is included
3. Request GIT to share (a) last monthly reconciliation report on Engagement's device; sampled device IP address was included during reconciliation, and (b) only authorized users have access to network devices
4. Validate the current Privilege user (GIT OPS) list with the list shared during last assessment to determine if any new ID was created in last one year. If any new Privilege ID was created, request GIT to share the ID creation / approval evidence. Else take confirmation from GIT that 'No new Privilege ID' was created.
Evidence Required: 1. Device details 2. List of Privilege users – screenshot 3. Last monthly reconciliation report 4. Confirmation of 'No ID created' or creation details along with relevant approval 5. Last and current Privilege user mapping details
Control Domain: End user computing security
Sub-Domain: Wireless Network Security
Risk number: B_EUS_R4
Risk Description: Absence of strong encryption and password settings on end user wireless network may lead to devices being susceptible to hacking attempts while connecting to corporate network, further leading to data breach.
Control Objective: To ensure that devices connecting to corporate network are secured using wireless network with strong encryption and passwords over secured wireless network (WPA2 or WPA3).
Control Reference #: B_EUS_C10
Control Statement (ToE): Only wireless network with strong encryption (WPA2 or WPA3) is used on the machines.
Test Procedure: Determine whether the user has remotely connected to corporate network.
NOTE: Obtain employee consent over an email to carry out the testing on their personal device/ Wi-Fi network.
1. For the selected set of end user devices, obtain wireless connection screenshots highlighting the Security of WIFI network on the BYOD machines. It has to be "WPA2 or WPA3".
Steps to Check: Open Cisco AnyConnect ->> Under Network Tab ->> Network Details ->> Manage Connection ->> Configuration ->> Double click on the connected Wi-Fi network and then take the screenshot (Security/encryption should not be open (Unsecured)).
Option 1: Click on the Windows Button -> Open the Settings app -> Go to Network & Internet ->> Select the Wi-Fi tab -> click on the connected network -> Scroll to the very end of the screen and look for ‘Security Type’ with the screenshot.
Option 2: Open the Command Prompt > type "netsh wlan show interfaces" command and press enter -> Check the "Authentication" line for the security type.
Evidence Required: 1. Screenshots highlighting the Security of WIFI network (WPA2 or WPA3)
Control Domain: Operations Security
Sub-Domain: Change management
Risk number: B_OS_R1
Risk Description: Lack of adherence to change management process may lead to unauthorized changes being introduced to business systems, thereby impacting stability or integrity of the production environment.
Control Objective: To ensure that all changes follow Change Management process.
Control Reference #: B_OS_C1
Control Statement (ToE, applicable for dedicated Network devices): Change management process should be followed for any changes. Ensure 'Segregation of duties', 'UAT' and 'Rollback' criteria are followed for the change management. [Changes like: Location change (add/remove), new device added/removed/changed/upgraded, New ODC, changes in link connectivity etc.]
Test Procedure:
1. Enquire from Engagement for any changes since the last Assessment
2. Request GIT to share the list of changes
3. Review the changes requested by Engagement within the security assessment period
4. Request GIT to share screenshot of minimum sampled changes and validate as per below steps:
   i. Identify if there is segregation of duties maintained and requester is not the approver. Check if the user who initiated the change has approved it (i.e. conflicting cases).
   ii. Determine whether UAT was carried out and UAT result reports were maintained/attached. Determine whether UAT was signed off before deployment in production.
   iii. Determine whether rollback plan (if applicable) was documented.
Note - UAT is only limited to Patch change tickets for any Engagement specific server managed by GIT (where Admin rights are with GIT).
Note - Standard/ Pre Approved changes list to be shared by GIT (Uploaded in portal).
Evidence Required: 1. List of Changes as advised by Engagement 2. Change list as shared by the GIT 3. Change number and approval screenshot with below details: i. Screenshot of change type with approvals and approver names ii. UAT received attachment and approval screenshot

Control Domain: Operations Security
Sub-Domain: CMDB
Risk number: B_OS_R1
Risk Description: Lack of adherence to change management process may lead to unauthorized changes being introduced to business systems, thereby impacting stability or integrity of the production environment.
Control Objective: To ensure that Configuration Management Database (CMDB) exists and is integrated for all the dedicated Network devices.
Control Reference #: B_OS_C2
Control Statement (ToE): Engagement dedicated devices should be listed in CMDB, as applicable.
Test Procedure:
1. Request GIT team to share the screenshot from CMDB for the dedicated network devices
2. Validate as below from the screenshot shared by GIT:
   i. IP address and Hostname
   ii. Project Name details under Asset Details
Note - 'CI' name should be same as Hostname
Evidence Required: 1. Asset Inventory from the engagement (including the dedicated network devices) 2. GIT shared CMDB details on CMDB evidence/ screen shot
Control Domain: Operations Security
Sub-Domain: Event logging
Risk number: B_OS_R2
Risk Description: Lack of adequate event logging may lead to loss of accountability/forensics in case of an incident.
Control Objective: To ensure that at a minimum, the logs are enabled and maintained for local system (local administrator) with following classes of activities being logged: - Password change - Login failures - Account lockouts
Control Reference #: B_OS_C3
Control Statement (ToE): Logging should be enabled for end user and administrators with the following classes mentioned below (Any): a) Password change b) Login failures c) Account lockouts
Test Procedure:
1. Share sample users (Priv and Non Priv) with GIT
2. Request GIT to share logs from SIEM for activity classes
3. Review the username and log time stamp to validate end user logs are created
***All end users are integrated with AD and these logs are pushed to Log monitoring system***
Evidence Required: 1. Sample of users selected 2. Screenshot shared from Centralized log monitoring tool
Control Domain: Operations Security
Sub-Domain: Event logging
Risk number: B_OS_R2
Risk Description: Lack of adequate event logging may lead to loss of accountability/forensics in case of an incident.
Control Objective: To ensure that logs are retained for the duration as defined in the organization policies.
Control Reference #: B_OS_C4
Control Statement (ToE, applicable for dedicated network devices - Firewalls/Router/Switch L3): Network devices should be integrated with the centralized log monitoring tool and event logs shall be captured.
Test Procedure:
1. Review Engagement Asset register to determine dedicated device details
2. Request GIT to share screenshot from Centralized Log monitoring tool to demonstrate network devices are integrated. Validate whether below listed parameters are matching:
   i. Hostname and IP address
   ii. Date and timestamp
   iii. Device Type and Device Class
Note – This control is not for End user systems
Evidence Required: 1. Asset Register - Engagement Network device details 2. Screenshot shared by GIT for integration with Log monitoring tool
Control Domain: Operations Security
Sub-Domain: Information Backup
Risk number: B_OS_R3
Risk Description: Inadequate process adherence for backup management may lead to unavailability of backup data at the time of failure resulting in downtime.
Control Objective: To ensure that the backups are taken, retained, reviewed, restoration testing and secure destruction done by authorized person as per defined process.
Control Reference #: B_OS_C10
Control Statement (ToE): Backups are taken, retained, reviewed, restoration testing and secure disposal done by authorized person as per defined process.
Test Procedure (This control is applicable where engagement has backup requirement):
1. Confirm if the backup service request is agreed between GIT and Engagement. Test if any such request is raised and determine whether the backup request came from Delivery.
2. Verify if the back-up is in place as per proposed agreement.
3. For a sample of data elements, get list of backup calendar and assess whether the backups were carried out periodically and reviewed.
4. Check the restoration and retain/destruction screen shots.
5. Assess whether the backup media/tapes/discs are appropriately access controlled and encrypted (example: backup on tapes/discs etc.).
6. For sample instances that failed, determine whether the backups were re-triggered and completed.
Evidence Required: 1. Service request with data and content to be backed up 2. GIT confirmation for request acceptance or denial 3. Configuration set by GIT for backup request as per frequency defined 4. Backed up data with relevant restoration testing evidence 5. Encryption details (by delivery) 6. Retrigger evidence for failed backup
Control Domain: Operations Security
Sub-Domain: Patch Management
Risk number: B_OS_R4
Risk Description: Inadequate patching for in-scope servers may lead to data leakage and/or security incidents.
Control Objective: To ensure that in-scope servers are adequately protected against data leakage and other cyber security threats.
Control Reference #: B_OS_C18
Control Statement (ToE, for dedicated servers): Latest patches shall be installed for in-scope servers.
Test Procedure (for engagement dedicated Servers):
1. Check with Engagement if any Server is managed by HCL GIT
2. Request GIT to demonstrate latest (N-1) patches are installed on the server
3. Validate the latest patch release date from Microsoft website against the patch installed on server
***DCO can also ask for MBSA (Microsoft Baseline Security Analyzer) report from GIT for record***
Evidence Required: 1. Asset Register: List of Servers 2. Server Screenshot of Patch installed on server 3. MBSA report or OEM website screenshot
Control Domain: Physical and Environmental Security
Sub-Domain: Manage Access and Security to Facility
Risk number: B_PES_R1
Risk Description: Inadequate physical access controls to secure areas may lead to data theft or business downtime.
Control Objective: To ensure that only authorized employees have access to secure area / ODC.
Control Reference #: B_PES_C1
Control Statement (ToE): Physical Access to ODC / secured areas should be granted post the approval by physical access authorized person. Authorized person: SDM/ DU Head/ Authorized person / delegate (If applicable) to approve access to secured area - Obtain from both delivery & BMS.
Test Procedure:
1. Determine whether the Physical access requests are approved by the SDM/ DU Head/ authorized person
2. Determine whether a list of authorized persons to approve the physical access request is maintained (secured ODC from BMS / shared ODC)
3. For the selected sample, obtain the following:
   (i) Date on which the request was raised for access activation
   (ii) Name and role/designation of the employee/person
   (iii) Date on which the request was approved
   (iv) Approver details
   (v) Zones/areas to where access was granted
Evidence Required: 1. List of New Joiners 2. Approval via emails/portal 3. List of Authorized persons
Control Domain: Physical and Environmental Security
Sub-Domain: Restriction of access cards
Risk number: B_PES_R1
Risk Description: Inadequate physical access controls to secure areas may lead to data theft or business downtime.
Control Objective: To ensure that physical access is disabled if it is no longer required.
Control Reference #: B_PES_C2
Control Statement (ToE): Physical access / Access Cards should be disabled in a timely manner for leavers and internal movers (only authorized employees should have access to Data Server rooms, special zones).
Test Procedure:
1. Determine whether the physical access / access card was disabled in a timely manner for a selection of samples:
   i. LWD / Absconding within the engagement
   ii. Movement within HCL to other Engagement
   iii. Separation as per LWD
   iv. Loss of Card
2. For the selected sample, obtain the following from BMS:
   (i) Date on which the request was raised for access deactivation
   (ii) Name and role/designation of the employee/person
   (iii) Zones/areas to where access was deactivated (this should be as per role) & the date of deactivation
Evidence Required: 1. For a selection of samples (Employee, subcontractors) inspected, obtain the following: i. LWD ii. Day on which the access was revoked/disabled (should be within 24 Hrs.)
Control Domain: Physical and Environmental Security
Sub-Domain: Access Reconciliation
Risk number: B_PES_R1
Risk Description: Inadequate physical access controls to secure areas may lead to data theft or business downtime.
Control Objective: To ensure that physical access is reviewed for appropriateness and accuracy on a periodic basis.
Control Reference #: B_PES_C3
Control Statement (ToE): Physical Access to ODC should be reviewed: a) ODC (Reconciliation done with Engagement to validate only active and authorized employees have access to secure areas) b) Data closet / Server room / Hub room (Reconciliation done with Engagement IT / GWS).
Test Procedure:
1. Determine whether physical access reconciliation was performed on a monthly basis
2. Determine whether Engagement highlighted the discrepancies to BMS to deactivate access of the unauthorized users
3. Determine whether the BMS operator revoked access of unauthorized users listed in the Reconciliation within 24 hrs. of the discrepancies highlighted by Engagement / IT / GWS
Evidence Required: 1. Obtain copy of reconciliation mail sent from BMS operator to engagement 2. Obtain copy of response to BMS operator from engagement for reconciliation mail sent 3. Confirmation from BMS team on the action taken, as applicable
Control Domain: Physical and Environmental Security
Sub-Domain: Clear Desk
Risk number: B_PES_R6
Risk Description: Lack of adherence to clear desk policy may lead to disclosure of sensitive information.
Control Objective: To ensure that all users keep their desk clear of any confidential papers or files before moving away from their desks.
Control Reference #: B_PES_C11
Control Statement (ToE): Users should follow the clear desk rule.
Test Procedure:
1. Determine whether the desks had any file or confidential paper(s) in the open for a selection of sample users
2. Perform walkthrough to determine open/unlocked drawers
Evidence Required: 1. Clear Desk observed for the sampled desks; Walkthrough verifying no confidential papers were lying in open
Control Domain: Physical and Environmental Security
Sub-Domain: Cabling Security
Risk number: B_PES_R7
Risk Description: Lack of adequate measures to protect network cables may lead to business downtime.
Control Objective: To ensure that appropriate controls are designed and implemented to protect power and telecommunication cabling carrying data or supporting information services from unauthorized interception or damage.
Control Reference #: B_PES_C12
Control Statement (ToE): Network cables and their terminals should be identified, marked and shielded appropriately.
Test Procedure:
1. Perform walkthrough of the Data closet to check whether the network cables and their terminals are identified, marked and shielded appropriately (Control failure should be marked to GWS)
2. Physically verify how the system / data closet is protected (This should be marked to GWS)
Evidence Required: 1. Obtain evidence that server and ODC room/ Data closet/ hub room is clean and protected against any physical damage
Control Domain: System Acquisition, Development and Maintenance
Sub-Domain: Secure development
Risk number: B_SD_R1
Risk Description: Lack of adherence to secure coding guidelines could lead to development of insecure code.
Control Objective: To ensure that secure coding guidelines are defined, documented and reviewed periodically.
Control Reference #: B_SD_C1
Control Statement (ToD): Secure coding guidelines shall be documented and approved, and should be reviewed on a periodic basis.
Test Procedure: 1. Obtain approved secure coding guidelines document and confirm if the document is reviewed on a periodic basis.
Evidence Required: For samples, collect the following documents - (i) Code Guidelines Approver Details - Date, Name and signature of the Process owner (ii) Code Guidelines Reviewer Details - Date, Name and signature of the reviewer
Control Domain: System Acquisition, Development and Maintenance
Sub-Domain: Secure development
Risk number: B_SD_R2
Risk Description: Inadequate protection of client's application documentation and test data may lead to unauthorized access of custom code.
Control Objective: To protect client's application documentation and test data.
Control Reference #: B_SD_C2
Control Statement (ToE): Protect client application documentation and test data as per the Information classification guideline.
Test Procedure:
1. Obtain the Information classification guideline
2. Determine whether the application documentation and test data are classified and categorized as per the guideline
Evidence Required: 1. Verify the application documentation and the test data are protected
System Secure B_SD_R3 Lack of
lead to To ensure B_SD_C3 ToE Control Test For samples,
Acquisition, development approval on that review data
Statement: documentati
Procedure: data person
collect are who
the
unauthorized on and test classified
Developmen application
access of custom created the
following
t and software code prior to data are and
code)
documents
- Code Code shall 1. For a
categorized protected (i) Code as-
Maintenance code by its release
changes are to be reviewed sample of Approver
authorized reviewed
productionby as per per the
by custom
guideline Details
information -
personnel environment
individuals authorized codes, Date, Name
may lead to -or Code
customers document
2. For the security
(ii) Code
other
review than personnel determine
selected and
guidelines.
Reviewer
improper/ (using
the either before whether the signature
insecure/ results
manualare or samples, Details - of
originating
reviewed moving to code
check was the
Date, Process
Name
weak/ -automated
Appropriate
code author the reviewedthe and owner.(The
untested and
processes)
corrections whether
approved by production and code date should
signature of
code getting areincludes the environment approved by be before
deployed in managemen
following,
implemented and the code
reviewer
authorized
is the
moving
reviewer.
the
System Secure B_SD_R4 Lack of To ensure
t prior B_SD_C4 ToE Control different
Test 1.Software
the at to
a (This should
Acquisition, development appropriate and tested
that previous reviewer
Statement: personnel,
Procedure: code
not betothe
Asset the
production release
minimum:
prior to shall be
from the
prior to production)
Developmen version versions of Managemen
code author same as the
environment. release. different release in
t and managemen application Previous 1. For a t2.List
person who
Verifying
Maintenance t for software from the production indicating created
versions of selected this via the
application with all code author. environment versioning
code)
application sample of walkthrough
software required or to and
software software
- Application using
may result in information customers. approver
shall be development
Parameters Software
unavailability and retained as s, determine details Asset
of prior parameters, defined. whether Managemen
version of procedures, -previous
Procedures t List
the configuration versions of
application details, and application
software in supporting
-software
the event of software is having
Configuratio
a retained as a below
n Details
contingency, contingency information
causing measure. are available
business as a
downtime. contingency
measure
before
moving the
application
to production
System Segregation B_SD_R5 Lack of To ensure B_SD_C5 ToE Control Test For the
Acquisition, of segregation that Statement: Procedure: selected
Developmen Environment of segregation sample
t and s development is Developmen 1.For a screenshots
(i) IP
Maintenance , test and maintained t, test and selected of the three
address(The
production between production sample of environment
re should be
environment development environment software s -
different
Third Party Vendor B_TP_R2 Lack
s mayoflead Appropriate
/ test and B_TP_C13 ToE Control Test Evidence:
development
Security Agreements agreement shall be development subnet for all
to untested/ contractual
production Statement:
segregated.
Procedure:
s, determine .the
production,
or
unauthorized agreements
environment test,
appropriate exist whether the environment
changes s. Appropriate ** This
development highlighting
1. Copy of -
s)
requirement
being made between agreements control can the signed
s , test and
inmentioned
the HCL and are signed be
production agreement
in the
production third parties/ with
agreement 1. third considered
environment
For Third (MSA/
environment, sub- party for
s are SOW) with
with the contractors Information Party
causing contractors engagement
segregated. third Party
contractors/ Security/ Contractors
disruption in and specific Contractors
sub- Data
2. NDA (can and sub-
1. Validate
service, Subcontract (Dedicated) and their
contractors Protection
be contractors
unplanned orsahaving
clause the contract
vendors.
review the sub-
may lead to
downtime or within
logicalthe is still active. contractors
service MSA/ SOW) signed
(Expiry date)
compromise access
3. Right to
to 2.
disruption, agreements
of customer
audit/ Information
loss of data MSA/ SOW
information. data before
assess (for Security/
or for the below
they
fourthare
party/ Data
points
reputational 3. NDA (can
deployed in
vendors Protection
impact or be a clause
the
where work
legal/ within the
engagement
is
regulatory NOTE: MSA/ SOW)
with a Also
outsourced) 4. Right to
issues check
minimum if any audit (for
Addendum
inclusion of fourth party/
was
belowsigned vendors
5. Sub-
between
requirement where work
contractor
HCL
s and is
engagement
client with outsourced)
(Fourth
additional 6. Security
Party)
Incident
security /
data Notification
protection to
7. HCL
Validate
requirement for
s, same termination
should flow clause
Third Party HR- B_TP_R3 Inadequate To ensure B_TP_C14 ToE Control Test Evidence:
down to requirement
Security Employee background that Statement: Procedure:
Third Party s.
Agreements verification background
vendor
checks may verification Background Note:- This 1.
contract
lead to hiring checks of all check is is applicable Background
of the performed for vendor Verification
incompetent/ contractors, on Third resources in reports of
undesired/su sub- 2. Screen
Party vendor Third
shots Party
of the
spicious contractors Contractors payroll.(Not Contractors
third party/ who are background
and in the scope and
verification
sub having Subcontract For
of HCLVendor
HR 3. Any audit
Subcontract
contracts logical resources report of all
reports(SSA
ors who BGV team) ors
the who
selected
which may access to have logical and sub- E18 / ISO
have party
logical
result in customer contractors third
27K1)
access to access
4. Date to on
contractors/
damage to data are customer who have providing
customer
which
sub-
organization conducted. data, before logical assurance
data
resources
contractors, on
al reputation they are access to on BGV into
a) boarded
capturing the
and/or deployed in customer compliance
Background client
following
business the data are for vendor
check environment
details
loss engagement utilizedwasfor employees
completed
providing
b) Date on
before
scopedthe
which
deployment
services.
background
in the if
Validate
verification
engagement
check was
with clean
completed
background
for all the TP
Asset verification
resource/
Managemen report.
loan staff
t who were
Business deployed in
continuity client
managemen delivery role.
t
End user
computing
security
Human
resource
security
Information
Security
Organization
and Policy
Logical
Security

Network
Security
Domain: Cloud Security
Sub-Domain: Identity and Access Management
Risk #: B_CS_R1
Risk Description: Inadequate configuration of IAM process in cloud services may lead to leverage of existing privileges or elevation of privileges, resulting in regulatory non-compliance, system unavailability and data breach.
Control Objective: Ensure secure access is enabled for only authorized users in cloud console.
Control Reference #: B_CS_C1
Control Description: ToE Control Statement: Multi-factor authentication shall be enabled for all users by default.
Test Procedure:
1. Obtain a list of user IDs created on the Cloud Console.
2. Check whether all users are enabled with MFA. (Azure, AWS & GCP)
3. Ensure appropriate approvals were obtained before creating the user ID available to the owner.
Note - Refer 'Cloud Security Master' Runbook for detailed test procedures, if required.
Evidence Required:
1. Process/procedure document for logical access management.
2. User ID enablement and approvals for provision of access.
3. Screenshot for enabling MFA for all user IDs.
Domain: Cloud Security
Sub-Domain: Identity and Access Management
Risk #: B_CS_R1
Risk Description: Inadequate configuration of IAM process in cloud services may lead to leverage of existing privileges or elevation of privileges, resulting in regulatory non-compliance, system unavailability and data breach.
Control Objective: Ensure secure access is enabled for only authorized users in cloud console.
Control Reference #: B_CS_C2
Control Description: ToE Control Statement: There shall not be any generic ID, shared or guest users access provisioned for cloud environment.
Test Procedure:
1. Verify evidence to confirm no generic, shared or guest users exist.
2. Refer Cloud Service Provider detailed assessment run book (Azure, AWS & GCP).
Note - Refer 'Cloud Security Master' Runbook for detailed test procedures, if required.
Evidence Required:
1. Process/procedure document for logical access management.
2. Obtain screenshot from the console or VMs to confirm there are no generic, shared or guest users from administrator.
Note: Refer Cloud Service Provider detailed assessment run book (Azure, AWS & GCP).
Domain: Cloud Security
Sub-Domain: Identity and Access Management
Risk #: B_CS_R1
Risk Description: Inadequate configuration of IAM process in cloud services may lead to leverage of existing privileges or elevation of privileges, resulting in regulatory non-compliance, system unavailability and data breach.
Control Objective: Ensure secure access is enabled for only authorized users in cloud console.
Control Reference #: B_CS_C3
Control Description: ToE Control Statement: Password policy controls shall be implemented for all users in cloud environment:
- Password Length
- Password Expiration
- Password Complexity
- Password History
- Account Lockout
Test Procedure:
1. Verify password controls are configured as per guidelines.
Note: For console, refer Cloud Service Provider detailed assessment run book (Azure, AWS & GCP).
2. Verify that 'Notify users on password resets?' is set to 'Yes'.
Note - Refer 'Cloud Security Master' Runbook for detailed test procedures, if required.
Evidence Required:
1. Screenshot from the console / VMs of the implemented password controls.
2. Evidence of password policy enabled in the VM infrastructure and screenshots of sample user accounts capturing the required policy settings.
Domain: Cloud Security
Sub-Domain: Identity and Access Management
Risk #: B_CS_R1
Risk Description: Inadequate configuration of IAM process in cloud services may lead to leverage of existing privileges or elevation of privileges, resulting in regulatory non-compliance, system unavailability and data breach.
Control Objective: Ensure secure access is enabled for only authorized users in cloud console.
Control Reference #: B_CS_C4
Control Description: ToE Control Statement: RBAC and privileged access shall be followed for all users (security group shall be created wherever required to provide access).
Test Procedure:
1. Obtain the list of personnel who are having access to the cloud console and to the VMs.
2. Validate if the privileged access was granted post approval for those respective consoles and VMs.
Note - Refer 'Cloud Security Master' Runbook for detailed test procedures, if required.
Evidence Required:
1. From cloud console and VMs, obtain a list of groups and their members having access.
2. Logical access provisioning records for selected samples/ Screenshots or email approvals for the individual ID creation based on RBAC.
Domain: Cloud Security
Sub-Domain: Identity and Access Management
Risk #: B_CS_R1
Risk Description: Inadequate configuration of IAM process in cloud services may lead to leverage of existing privileges or elevation of privileges, resulting in regulatory non-compliance, system unavailability and data breach.
Control Objective: Ensure secure access is enabled for only authorized users in cloud console.
Control Reference #: B_CS_C5
Control Description: ToE Control Statement: User/ Privileged access shall be reconciled on regular basis as per the defined process.
Test Procedure:
1. Obtain a list of user IDs and their owners.
2. Validate that the reconciliation is performed for all exit employees including transfer, abscond and exit employees.
Note - Refer 'Cloud Security Master' Runbook for detailed test procedures, if required.
Evidence Required:
1. Evidence of the dates of execution of the entitlement review of the user IDs for the applicable cloud console and VMs.
2. Evidence of any corrective action taken as a part of the entitlement review, like modified privileges of the user ID, removal or re-assignment etc.
Domain: Cloud Security
Sub-Domain: Logging and Monitoring
Risk #: B_CS_R2
Risk Description: Lack of adequate event logging may lead to loss of accountability/forensics in case of an incident in cloud environment.
Control Objective: To ensure that Log Profile exists and logging is enabled in the cloud subscription.
Control Reference #: B_CS_C6
Control Description: ToE Control Statement: Ensure that Log Profiles are subscribed and export activities are configured for all applicable regions/locations. Ensure the log profile captures activity logs for all regions including global.
Test Procedure:
1. Verify Log Profile is enabled for the cloud environment.
2. Obtain the Log Profile details from cloud console / VMs.
3. For a sample of instance systems, inspect that activity log configuration is set to export activities across all regions.
Note - Refer 'Cloud Security Master' Runbook for detailed test procedures, if required.
Evidence Required:
1. Screenshot from the cloud console, VMs, or from centralized log monitoring tool for enablement of log profile.
2. Screenshot capturing activity log export enabled for all regions.
Note: Refer Cloud Service Provider detailed assessment runbook (Azure, AWS & GCP).
Domain: Cloud Security
Sub-Domain: Logging and Monitoring
Risk #: B_CS_R2
Risk Description: Lack of adequate event logging may lead to loss of accountability/forensics in case of an incident in cloud environment.
Control Objective: To ensure that logs are retained as defined in the organization policies/Process.
Control Reference #: B_CS_C7
Control Description: ToE Control Statement: Logs shall be retained as defined in the procedure.
Test Procedure:
1. Determine whether security logs were retained as per the defined duration.
2. Validate log storage is maintained for 90 days (3 months).
Note - Refer 'Cloud Security Master' Runbook for detailed test procedures, if required.
Evidence Required:
1. Screenshot from the cloud console, VMs, or from centralized log monitoring tool for log retention.
2. Evidence for retention of activity logs as per log retention policies.
Domain: Cloud Security
Sub-Domain: Logging and Monitoring
Risk #: B_CS_R2
Risk Description: Lack of adequate event logging may lead to loss of accountability/forensics in case of an incident in cloud environment.
Control Objective: To ensure that at a minimum, the logs (All) are enabled and maintained (for users, including system administrators) for activities such as login failures, account lockouts, system boot and restart times, system or application start, stop (with user identity and time of action), system configuration changes and system errors and corrective actions taken.
Control Reference #: B_CS_C8
Control Description: ToE Control Statement: For sample (All) information systems, the following classes of activities shall be enabled for logging -
- Login failures;
- Account lockouts;
- System boot and restart times;
- System or application start, stop, re-initialization (with user identity and time of action);
- System configuration changes;
- System errors and corrective actions taken; and
- Production applications start and stop times.
Test Procedure:
1. For sample information systems, determine whether the following classes of activities were enabled for logging -
- Login failures;
- Account lockouts;
- System boot and restart times;
- System or application start, stop, re-initialization (with user identity and time of action);
- System configuration changes;
- System errors and corrective actions taken; and
- Production applications start and stop times.
Note - Refer 'Cloud Security Master' Runbook for Navigate (AWS, Azure & GCP).
Please refer the Cloud assessment Runbook for Navigate (AWS, Azure & GCP).
Evidence Required: Screenshot from the cloud console, VMs, or from the centralized log monitoring tool.
1. For sample information systems, screenshot of the log information being recorded:
- Login failures;
- Account lockouts;
- System boot and restart times;
- System or application start, stop, re-initialization (with user identity and time of action);
- System configuration changes;
- System errors and corrective actions taken; and
- Production applications start and stop times.
Domain: Cloud Security
Sub-Domain: Logging and Monitoring
Risk #: B_CS_R2
Risk Description: Lack of adequate event logging may lead to loss of accountability/forensics in case of an incident in cloud environment.
Control Objective: To ensure the storage account container containing the activity log export is not publicly accessible.
Control Reference #: B_CS_C9
Control Description: ToE Control Statement: Ensure the storage container storing the activity logs is not publicly accessible (no anonymous access).
Test Procedure:
1. Navigate to Storage Accounts and validate if Public Access Level is set to Private.
Note - Refer 'Cloud Security Master' Runbook for detailed test procedures, if required.
Evidence Required:
1. Screenshot of public access disabled for storage accounts.
Domain: Cloud Security
Sub-Domain: Host Security
Risk #: B_CS_R3
Risk Description: Inadequate IT security controls on VM Host may lead to vulnerabilities like insecure network, data leakage and/or security incidents in cloud environment.
Control Objective: Ensure that the latest OS, Subsystem and Middleware Patches for all Virtual Machines are applied.
Control Reference #: B_CS_C10
Control Description: ToE Control Statement: Latest patches shall be installed for OS, Subsystem, Middleware for all Virtual Machines.
Test Procedure:
1. For the cloud consoles / VMs, assess whether latest patches were installed.
Note - Refer 'Cloud Security Master' Runbook for detailed test procedures, if required.
Evidence Required:
1. For cloud consoles / VMs, system level screenshot showing the applicable latest patches were installed in the instances (VM).
2. Evidence that the latest OS is installed. Verify from tool and walkthrough.
Domain: Cloud Security
Sub-Domain: Host Security
Risk #: B_CS_R3
Risk Description: Inadequate IT security controls on VM Host may lead to vulnerabilities like insecure network, data leakage and/or security incidents in cloud environment.
Control Objective: Ensure that the host protection (Anti Virus, Host IPS as applicable) for all Virtual Machines is installed.
Control Reference #: B_CS_C11
Control Description: ToE Control Statement: Anti-virus or Host-IPS software shall be installed on end point instances.
Test Procedure:
1. For the VMs, assess whether updated anti-virus software, Host IPS and Firewall is installed.
Note - Refer 'Cloud Security Master' Runbook for detailed test procedures, if required.
Evidence Required:
1. For selected set of consoles/VM machines, system level screenshot showing the anti-virus software and Firewall installed in the device.
Domain: Cloud Security
Sub-Domain: Networking and Secure configuration
Risk #: B_CS_R4
Risk Description: Inadequate security configurations may lead to compromise of Virtual Machines resulting in DDoS attacks, deploying botnets, attacks on hosted services, etc.
Control Objective: Ensure secure configuration of cloud service console and disable all unwanted services.
Control Reference #: B_CS_C12
Control Description: Ensure secure configuration guidelines are followed and implemented.
Test Procedure:
1. Obtain the evidence consisting of approved ports, services and protocols enabled for the network infrastructure of a service provider.
2. Obtain the list of controls applied to RDP/SSH to restrict them from internet access.
Note - Refer 'Cloud Security Master' Runbook for detailed test procedures, if required.
Note: Refer Cloud Service Provider detailed assessment run book (Azure, AWS & GCP).
Evidence Required:
1. Evidence showcasing only approved Ports, Protocols, and Services are enabled and all other services are disabled.
2. Screenshots of services running, ports enabled in the network infrastructure.
3. Exception approvals for vulnerable ports/services enabled, if any.
4. Details of RDP and SSH access enablement and list of controls applied to RDP/SSH access.
Domain: Cloud Security
Sub-Domain: Virtualization Security
Risk #: B_CS_R5
Risk Description: Absence of hardening in Cloud Virtualization may lead to attackers gaining access to Virtual Machine(s) resulting in unavailability of services/data loss.
Control Objective: Ensure that all Virtualization platforms are hardened as per HCL Hardening guidelines.
Control Reference #: B_CS_C13
Control Description: ToE Control Statement: Ensure that all Virtualization platforms are hardened as per HCL Hardening guidelines.
Test Procedure: (Applicable for Infra as a service only)
1. Obtain the documents for Virtualization platform hardening guidelines. Refer to GIT hardening guidelines.
2. Test for containers, database, API, resource management platform information.
Note - Refer 'Cloud Security Master' Runbook for detailed test procedures, if required.
Evidence Required:
1. Evidence of documented security configuration standards for all authorized operating systems and software.
2. Evidence of storing secure images/ templates for deployment.
3. Device configuration screenshots capturing hardening requirements.
4. Evidence for all applicable containers, database, API, resource management platform being hardened as per hardening guidelines.
5. Integration with automated configuration monitoring systems/tools as appropriate.
Domain: Cloud Security
Sub-Domain: Middleware Security
Risk #: B_CS_R6
Risk Description: Lack of Middleware security on cloud may lead to attackers gaining access on middleware, resulting in unavailability of services/data loss.
Control Objective: Ensure that all applicable container, database, API, resource management platform, middleware are hardened as per HCL Hardening guidelines.
Control Reference #: B_CS_C14
Control Description: ToE Control Statement: Ensure that all applicable container, database, API, resource management platform, middleware are hardened as per HCL Hardening guidelines.
Test Procedure:
1. For Middleware, assess whether they are having the most recent version. (IBM WebSphere, Oracle WebLogic)
2. Obtain evidences showcasing installed software list, non-compliant software for individual instances.
Note - Refer 'Cloud Security Master' Runbook for detailed test procedures, if required.
Note: Any software/middleware having version greater than n-2 is considered as non-compliant.
Evidence Required:
1. List of installed software for the selected systems.
2. Screenshots of approvals for the non compliant software, if any.
3. Evidence of restrictions applied via network-based URL filtering and hardening applied on web browser/e-mail client usage.
Domain: Cloud Security
Sub-Domain: AppService
Risk #: B_CS_R7
Risk Description: Inadequate Cloud application security controls may lead to Unauthorized access to a website, server or other system.
Control Objective: Ensure that '.Net Framework, PHP version, Python, Java, HTTP' version is the latest.
Control Reference #: B_CS_C15
Control Description: ToE Control Statement: Ensure that '.Net Framework, PHP version, Python, Java' version is the latest, if used as a part of the web app.
Test Procedure: (Applicable for SaaS only)
1. For middleware / subsystems installed on the VMs, assess whether latest patches were installed (if used as a part of the web applications). Verify from tool and walkthrough.
Note - Refer 'Cloud Security Master' Runbook for detailed test procedures, if required.
Note: Refer Cloud Service Provider detailed assessment run book/SOP (Azure, AWS & GCP).
Evidence Required:
1. For Application, screenshot showing the approved latest updates/version/patches were installed. For any exception, approval should be in place. Customer approval required for any exception for not installing the latest patches.
2. Approved secure guidelines document, and confirm if the document is reviewed on a periodic basis.
3. Software (Applications) Asset Management List indicating versioning and approver details.
4. Walkthrough to confirm if only approved and licensed software are used for development.
Domain: Cloud Security
Sub-Domain: AppService
Risk #: B_CS_R7
Risk Description: Inadequate Cloud application security controls may lead to Unauthorized access to a website, server or other system.
Control Objective: Ensure web application traffic is routed through secure communication channel.
Control Reference #: B_CS_C16
Control Description: ToE Control Statement: Ensure web application redirects all HTTP traffic to HTTPS and ensure web app is using the latest version of TLS encryption.
Test Procedure: Note: Only applicable if web application is hosted.
1. Obtain the details for redirecting all the HTTP traffic over secured protocols/HTTPS.
2. Validate the details for the TLS Encryption (Version 1.1 and above) technique in use for securing the Web Application.
Note - Refer 'Cloud Security Master' Runbook for detailed test procedures, if required.
Evidence Required:
1. Details/Screenshot of encryption technology (TLS Version 1.1 and above) used in browsers, web applications.
2. Evidence for enabling data encryption in transit.
Domain: Cloud Security
Sub-Domain: Data Security
Risk #: B_CS_R8
Risk Description: Lack of encryption of data in cloud may lead to data loss/data theft and regulatory non compliance.
Control Objective: Ensure that all data at rest and transit are encrypted.
Control Reference #: B_CS_C17
Control Description: ToE Control Statement: Ensure that all Virtual storage, data volumes / Hard disks are encrypted.
Test Procedure:
1. For any virtual storage, data volumes / hard disks, determine whether it is fully encrypted.
2. Inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems.
Note - Refer 'Cloud Security Master' Runbook for detailed test procedures, if required.
Evidence Required:
1. For selected VMs, system level screenshot showing the software configured for full disk encryption.
2. Documents/Screenshots of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
3. Evidences of data classification based on sensitivity of data.
4. List of the cryptographic mechanisms deployed to protect data stored and evidences of enabling encryption for data stored at rest.