ISMS Manual

Version: 2.9 Date: 07 May 2012

MSTC Limited
225-C, A J C Bose Road
Kolkata 700 020

Prepared By: Reviewed By: Approved By:

Internal
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Contents

Historical Background ................................................................................................ 10

Activities ...................................................................................................................... 10
Financial Results ......................................................................................................... 10
General requirements (4.1) ......................................................................................11
Establishing and managing the ISMS (4.2) .............................................................11
Establishing the ISMS (4.2.1) ...............................................................................11
Implement and operate the ISMS (4.2.2) ........................................................... 13
Monitor and Review the ISMS (4.2.3)................................................................. 14
Maintain and Improve the ISMS (4.2.4)............................................................. 14
Documentation requirements (4.3) ........................................................................ 14
General (4.3.1) ..................................................................................................... 14
Control of documents (4.3.2) .............................................................................. 14
Control of records (4.3.3) .....................................................................................15
Management Responsibility (5)...................................................................................15
Management commitment (5.1)...............................................................................15
Provision of resources (5.2.1) .............................................................................. 18
Training, awareness and competence (5.2.2)...................................................... 18
Internal ISMS audits (6) ............................................................................................. 18
Management review of ISMS (7) ................................................................................ 18
ISMS Improvement (8) ............................................................................................... 19
Continual improvement (8.1).................................................................................. 19
Corrective action (8.2)............................................................................................. 19
Preventive action (8.3) ............................................................................................ 19
Security policy (A.5) .................................................................................................... 21
Information security policy (A.5.1) ......................................................................... 21
Information Security Policy document (A.5.1.1) ................................................. 21
Review of information security policy (A.5.1.2) .................................................. 21
Organization of information security (A.6) ................................................................ 21
Internal organization (A.6.1)................................................................................... 21
Management commitment to information security (A.6.1.1) ............................. 21
Information security co-ordination (A.6.1.2)...................................................... 22
Allocation of information security responsibilities (A.6.1.3).............................. 22
Authorization process for information processing facilities (A.6.1.4)................ 22
Confidentiality agreement (A.6.1.5) .................................................................... 22
Contacts with authorities (A.6.1.6)...................................................................... 22
Contact with special interest groups (A.6.1.7)..................................................... 22
Independent review of information security (A.6.1.8)........................................ 22
External parties (A.6.2) ........................................................................................... 23
Identification of risks related to external parties (A.6.2.1) ................................. 23
Addressing security when dealing with customers (A.6.2.2).............................. 23
Addressing security in third party agreements (A.6.2.3).................................... 23
Asset management (A.7) ............................................................................................. 23
Responsibility for assets (A.7.1) .............................................................................. 23
Inventory of assets (A.7.1.1)................................................................................. 23

Prepared By: Reviewed By: Approved By:

Internal

Page2 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Ownership of assets (A.7.1.2) .............................................................................. 23

Acceptable use of assets (A.7.1.3) ........................................................................ 24
A.7.2 Information Classification ............................................................................. 24
Classification guidelines (A.7.2.1) ....................................................................... 24
Information labeling and handling (A.7.2.2) ...................................................... 24
Human resource Security (A.8) .................................................................................. 26
Prior to employment (A.8.1).................................................................................... 26
Roles and responsibilities (A.8.1.1) ..................................................................... 26
Screening (A.8.1.2)............................................................................................... 26
Terms and conditions of employment (A.8.1.3).................................................. 26
During employment (A.8.2) .................................................................................... 26
Management responsibilities(A.8.2.1) ................................................................ 26
Information security awareness, education and training (A.8.2.2).................... 26
Disciplinary process (A.8.2.3) ............................................................................. 26
Termination or change of employment (A.8.3) ...................................................... 27
Termination responsibilities (A.8.3.1) ................................................................ 27
Return of assets (A.8.3.2) .................................................................................... 27
Removal of access rights (A.8.3.3) ...................................................................... 27
Physical and environmental security (A.9)................................................................. 27
Secure areas (A.9.1) ................................................................................................. 27
Physical security perimeter (A.9.1.1) ................................................................... 27
Physical entry controls (A.9.1.2).......................................................................... 27
Securing offices, rooms and facilities (A.9.1.3) ...................................................28
Protecting against external and environmental threats (A.9.1.4).......................28
Working in secure areas (A.9.1.5)........................................................................28
Public access, delivery and loading areas (A.9.1.6).............................................28
Equipment security (A.9.2) .....................................................................................28
Equipment sitting and protection (A.9.2.1) ........................................................28
Supporting utilities (A.9.2.2)............................................................................... 29
Cabling security (A.9.2.3) .................................................................................... 29
Equipment maintenance (A.9.2.4) ...................................................................... 29
Security of equipment off premises (A.9.2.5) ..................................................... 29
Secure disposal or re-use of equipment (A.9.2.6)............................................... 29
Removal of property (A.9.2.7) ............................................................................. 29
Communications and operations management (A.10) .............................................. 29
Operational procedures and responsibilities (A.10.1) ............................................ 29
Documented operating procedures (A.10.1.1)..................................................... 29
Change management (A.10.1.2)........................................................................... 29
Segregation of duties (A.10.1.3)...........................................................................30
Separation of development, test and operational facilities (A.10.1.4)................30
Third party service delivery management (A.10.2).............................................30
Service delivery (A.10.2.1) ...................................................................................30
Monitoring and review of third party services (A.10.2.2)...................................30
Managing changes to third party services (A.10.2.3)..........................................30
A.10.3 System planning and acceptance .................................................................30
Capacity management (A.10.3.1).........................................................................30
System acceptance (A.10.3.2) .............................................................................. 31

Prepared By: Reviewed By: Approved By:

Internal

Page3 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

A.10.4 Protection against malicious and mobile code (A.10.4) .............................. 31

Controls against malicious code (A.10.4.1) ......................................................... 31
Controls against mobile code (A.10.4.2) ............................................................. 31
Back-up (A.10.5) ...................................................................................................... 31
Information back-up (A.10.5.1) ........................................................................... 31
Network security management (A.10.6) ................................................................. 31
Network controls (A.10.6.1)................................................................................. 31
Security of network services network controls (A.10.6.2) .................................. 32
Media handling (A.10.7).......................................................................................... 32
Management of removable media (A.10.7.1)....................................................... 32
Disposal of media (A.10.7.2)................................................................................ 32
Information handling procedures (A.10.7.3) ...................................................... 32
Security of system documentation (A.10.7.4) ..................................................... 32
Exchange of information (A.10.8)........................................................................... 33
Information exchange policies and procedures (A.10.8.1) ................................. 33
Exchange agreements (A.10.8.2)......................................................................... 33
Physical media in transit (A.10.8.3) .................................................................... 33
Electronic messaging (A.10.8.4).......................................................................... 33
Business information systems (A.10.8.5)............................................................ 33
Electronic commerce services (A.10.9) ................................................................... 33
Electronic commerce (A.10.9.1) .......................................................................... 33
On-line transactions (A.10.9.2) ........................................................................... 33
Publicly available information (A.10.9.3) ........................................................... 34
Monitoring (A.10.10) ............................................................................................... 34
Audit logging (A.10.10.1) ..................................................................................... 34
Monitoring system use (A.10.10.2)...................................................................... 34
Protection of log information (A.10.10.3) ........................................................... 34
Administrator and operator logs (A.10.10.4) ...................................................... 34
Fault logging (A.10.10.5) ..................................................................................... 34
Clock synchronization (A.10.10.6)....................................................................... 34
Access control (A.11) ................................................................................................... 35
Business requirement for access control (A.11.1) ................................................... 35
Access control policy (A.11.1.1) ............................................................................ 35
User access management (A.11.2) ........................................................................... 35
User registration (A.11.2.1) .................................................................................. 35
Privilege management (A.11.2.2)......................................................................... 35
User password management (A.11.2.3)............................................................... 35
Review of user access rights (A.11.2.4) ................................................................ 36
User responsibilities (A.11.3)................................................................................... 36
Password use (A.11.3.1)........................................................................................ 36
Unattended user equipment (A.11.3.2) ............................................................... 36
Clear desk and clear screen policy (A.11.3.3) ...................................................... 36
Network access control (A.11.4) .............................................................................. 36
Policy on use of network services (A.11.4.1) ........................................................ 36
User authentication for external connections (A.11.4.2) .................................... 36
Equipment identification in networks (A.11.4.3) ................................................ 36
Remote diagnostic and configuration port protection (A.11.4.4) ....................... 36

Prepared By: Reviewed By: Approved By:

Internal

Page4 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Segregation in networks (A.11.4.5) ...................................................................... 37

Network connection control (A.11.4.6)................................................................ 37
Network routing control (A.11.4.7)...................................................................... 37
Operating system access control (A.11.5)................................................................ 37
Secure log-on procedures (A.11.5.1) .................................................................... 37
User identification and authentication (A.11.5.2) ............................................... 37
Password management system (A.11.5.3) ........................................................... 37
Use of system utilities(A.11.5.4) .......................................................................... 37
Session time-out (A.11.5.5) .................................................................................. 37
Limitation of connection time (A.11.5.6)............................................................. 37
Application and information access control (A.11.6)..............................................38
Information access restriction (A.11.6.1).............................................................38
Sensitive system isolation (A.11.6.2) ...................................................................38
Mobile computing and teleworking (A.11.7) ...........................................................38
Mobile computing and communications (A.11.7.1).............................................38
Teleworking (A.11.7.2) .........................................................................................38
Information systems acquisition, development and maintenance (A.12) ................. 39
Security requirements of information systems (A.12.1) ......................................... 39
Security requirements analysis and specification (A.12.1.1)............................... 39
Correct processing in applications (A.12.2) ............................................................ 39
Input data validation (A.12.2.1)........................................................................... 39
Control of internal processing (A.12.2.2) ............................................................ 39
Message integrity (A.12.2.3) ................................................................................ 39
Output data validation (A.12.2.4)........................................................................ 39
Cryptographic controls (A.12.3) ..............................................................................40
Policy on the use of cryptographic controls (A.12.3.1)........................................40
Key management (A.12.3.2) ................................................................................40
Security of system files (A.12.4) ..............................................................................40
Control of operational software (A.12.4.1) ..........................................................40
Protection of system test data (A.12.4.2).............................................................40
Access control to program source code (A.12.4.3) ..............................................40
Security in development and support processes (A.12.5).......................................40
Change control procedures (A.12.5.1) .................................................................40
Technical review of applications after operating system changes (A.12.5.2) .....40
Restrictions on changes to software packages (A.12.5.3) ................................... 41
Information leakage (A.12.5.4)............................................................................ 41
Outsourced software development (A.12.5.5) ..................................................... 41
Technical Vulnerability Management (A.12.6) ....................................................... 41
Control of technical vulnerabilities (A.12.6.1)..................................................... 41
A.13 Information security incident management (A.13) ............................................ 41
A.13.1 Reporting information security events and weaknesses (A.13.1) ................ 41
Reporting information security events (A.13.1.1)................................................ 41
Reporting security weaknesses (A.13.1.2) ........................................................... 42
Management of information security incidents and improvements (A.13.2) ........ 42
Responsibilities and procedures (A.13.2.1) ......................................................... 42
Learning from information security incidents (A.13.2.2) ................................... 42
Collection of evidence (A.13.2.3) ......................................................................... 42

Prepared By: Reviewed By: Approved By:

Internal

Page5 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Business continuity management (A.14) .................................................................... 42

Information security aspects of business continuity management (A.14.1) .......... 42
Including information security in the business continuity management process.
(A.14.1.1)............................................................................................................... 42
Business continuity and risk assessment (A.14.1.2)............................................ 42
Developing and implementing continuity plans including information security
(A.14.1.3) .............................................................................................................. 43
Business continuity planning framework (A.14.1.4) ........................................... 43
Testing, maintaining and reassessing business continuity plans (A.14.1.5)....... 43
Compliance (A.15) ....................................................................................................... 43
Compliance with legal requirements (A.15.1) ......................................................... 43
Identification of applicable legislation (A.15.1.1) ................................................ 43
Intellectual property rights (IPR) (A.15.1.2) ....................................................... 43
Protection of organizational records (A.15.1.3)................................................... 43
Data protection and privacy of personal information (A.15.1.4) ........................44
Prevention of misuse of information processing facilities (A.15.1.5)..................44
Regulation of cryptographic controls (A.15.1.6)..................................................44
Compliance with security policies and standards, and technical compliance
(A.15.2).....................................................................................................................44
Compliance with security policies and standards (A.15.2.1)...............................44
Technical compliance checking (A.15.2.2) ..........................................................44
A.15.3 Information systems audit considerations (A.15.3)..................................... 45
Information systems audit controls (A.15.3.1) .................................................... 45
Protection of information systems audit tools (A.15.3.2) ................................... 45

Prepared By: Reviewed By: Approved By:

Internal

Page6 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Document Revision History

Revision Revision Description Version Revision

date Number Made By
1-04-07 Original release 1.0 CISO

4-02-08 4.2.1 2.0 CISO

DR site, Legal dept and all that is with the
VLAN of e-commerce network.
A9.1.3, A9.2.2, A15.1.1-
Interfaces with different departments such as personnel,
admin, operations and legal dept. specified.
Organization Chart modified.
A4.3.2 -
Inclusion of control of external documents. Date of
revision of Master list of documents. Form (Soft / Hard) in
which Master copy is kept.
Review & Approving Authority.
Document Control Procedure linked.
A4.3.3 -
Retention policy stated for records.
Clause 6-
Modified for Internal Audit Frequency and independency of
auditing.
Clause 7-
Convener of management review meeting stated.
Frequency modified.
A6.1.5 -
HR & CISO responsibility defined.
A6.1.8 -
Wordings changed as far as frequency is concerned.
A6.2.3 -
Rationality stated for third party.
A9.2.2 -
Interface with Admin for utilities.
A9.2.5 -
Modified for DR site inclusion.
A10.1.1-
Wording changed for replacing the word appropriate.
A10.1.3-
Segregation of duties w.r.t administration of servers and
monitoring of logs.
A10.3.1-
Reference to report format stated.
A10.7.3- System documentation identified with
responsibility defined.
A10.9.1- Terms & Conditions of trading has been

Prepared By: Reviewed By: Approved By:

Internal

Page7 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

identified as an external document.

A10.9.2-
Modifications made for protection of online transactions.
A10.9.3-
Responsibility of authorization of publicly available system
defined.
A11.2.3-
Strengthening of password protection defined.
A12.4.1-
Control of software through VCS.
A13.2.1- Changes made for communication of
incidents.

24.03.08 Clause 7 - 2.1 CISO

Inclusion of GM(P&A) as a management committee
member.
Clause 5
Organization Chart modified for simplicity and inclusion of
GM(P&A).

28.10.08 Development server included in scope. Was present in 2.2 CISO

asset register but was not explicitly defined in the scope
earlier.

20.02.09 Format of Document Revision History. 2.3 CISO

10.11.09 Address of DR site in scope changed from 609 Raheja 2.4 CISO
Center to 607 Raheja Center

21.05.10 Organizational hierarchy for ISMS. 2.5 CISO

5.2.2 Training proposal flow
6 ISMS Internal Audit frequency
7 Inclusion of Director(Finance) & Director(Commercial)
A.6.1.6 Contact with authorities
A.9.1.1 & A.9.1.2 - Physical security perimeter segregated
into two areas.
A.9.2.2 Inclusion of failover UPS.

11.10.10 4.2.1 Reviewing and setting of Security Objectives. 2.6 CISO

5.2.1 - Ownership of Minutes of review meetings
5.2.2 Ownership of Training records.
6 Frequency of Internal Audit.
A.6.1.6 Legal dept role on contact with legal authorities.
A.9.1.1 Physical security perimeter- How CISO is secured.
A.9.1.2 Physical entry control Security personnel.
A.12 Ownership of Test documents and records.

29.04.11 A.15.1.1 Review of statutory/regulatory framework and 2.7 CISO

responsibility.

12.05.11 The scope remaining the same, the wordings have been 2.8 CISO
changed for making it more descriptive.

07.05.12 Information System-Management Hierarchy 2.9 CISO

A.15.3.2 Frequency of VA & PT

Prepared By: Reviewed By: Approved By:

Internal

Page8 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

A.15.1.4- Inclusion of Data protection and privacy of

personal information

Prepared By: Reviewed By: Approved By:

Internal

Page9 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

MSTC LIMITED PROFILE

Historical Background
MSTC Limited is a Mini Ratna Category-I PSU under the administrative control of the Ministry of
Steel, Government of India. The company was set up in 9th September 1964 to act as a regulating
authority for export of ferrous scrap with an investment of Rs 6 lakh. Government of India,
Members of Steel Arc Furnace Association and members of ISSAI had made with the investment.
MSTC became a subsidiary of SAIL in 1974. In 1982, it got delinked from SAIL and became an
independent company under Ministry of Steel. It was a canalizing agency for import of ferrous
scrap till 1992.

Activities
As on date, MSTC has two major portfolios of business. One is known as the Marketing Division
which looks after the procurement of industrial raw materials in bulk for its Principals. The
sourcing is done either from foreign manufacturers / traders or from domestic producers. The
items that are procured include HMS, HR Coil, Billets, Wire Rods, LAM Coke, Coking coal, Naphtha
etc which are mainly consumed by the steel industry in the country.
The second portfolio provides a virtual marketplace for domestic sellers and buyers to do business
in metal scrap (ferrous/non-ferrous), surplus stores, machineries, obsolete spares, vehicles, Plants
etc. The methodology adopted includes open tender, public auction and e-auction.
Of late, MSTC has emerged as a major player in the country for promoting e-commerce. Its e-
auction portal namely www.mstcecommerce.com have become popular tool for transacting
business over the internet in a transparent manner. MSTC has developed an e-procurement module
and is ready with its e-procurement services.

Financial Results
Since inception, MSTC has always made profits and has paid dividends to its shareholders. The
shareholders investment in the company was Rs 1.10 crore and by issuing bonus shares @1:1, the
paid up capital was increased to Rs 2.20 crore. The General Reserves of the company as on
31.3.2006 is in excess of Rs 150 crore.

Prepared By: Reviewed By: Approved By:

Internal

Page10 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Information Security Management System

General requirements (4.1)
MSTC management has assessed the need to build the information security management system
(ISMS) for their E-commerce portal; this would help MSTC to adopt a structured approach to
information security management. MSTC LTD has adopted the PDCA (Plan, Do, Check and Act)
model for managing its information security function. The diagram below gives an overview of the
relevance of the PDCA model in MSTC Ltds E-commerce portal.

Figure 1 ISMS Process Model

Establishing and managing the ISMS (4.2)

Establishing the ISMS (4.2.1)
MSTC Ltd Management has committed that the E-Commerce Group will be responsible for all the
ISMS related issues related to E-commerce portal of MSTC Ltd. The scope of ISMS covers only the E-
commerce portal and involves the following:
Act as a single point of contact for all information security activities.
Define and deploy information security policies for E-commerce portal
Formulate and operate the security incident management forum.
Participate and prepare roadmap on information security compliance with specific legal as
well as contractual commitments to MSTC Ltd.
Facilitate and maintain MSTC E-commerce information risk management program
Define technology security guidelines for MSTC E-commerce portal.
The following describes the activities of the E-commerce Security Group within MSTC E-commerce.

Process & Security Group Components

Information Security
Business Continuity

Prepared By: Reviewed By: Approved By:

Internal

Page11 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

IT Standards & Procedures

The management has defined a set of security objectives which shall be reviewed at least once in
a year and initiatives for further improvement of security would be discussed in the review
meeting.

The Security Objectives for the e-commerce portal are identified and consists of the following:

I.the information is protected against unauthorized access.

II.the confidentiality of information is assured.
III.the integrity of information is maintained.
IV. the information is available at the time and place it is required.
V. the information is accessible to the employees on need to know and need to do basis.
VI. the applicable laws and contractual arrangements are identified and complied with at all
times.
VII. business continuity with minimum impact from security incidents, if any.

Measurement of the effectiveness of the security controls through analysis of relevant logs and
records such as incident report, access logs, network logs, BCP test etc. and technical compliance
will verify the achievement of security objectives.(Ref: ME)

A defined Information Security Policy Statement is in place (Ref: S_POLICY) which is approved by
CMD and displayed at various places.

Scope
The ISMS offers protection to all information processed stored in the E-commerce servers or
transmitted through it and desktops connected to E-commerce servers through a dedicated LAN.
The e-commerce server and the desktops are located at the 3rd floor of MSTC LTD H.O. having its
address at 225C, AJC Bose Road, Kolkata-700 020. It also includes the following :
1 Law, HR and Admin functions associated with e-commerce.
2 DR site located at 607 Raheja Centre, Nariman Point, Mumbai - 400 021.
3 Development Server located at the 3rd floor of MSTC LTD H.O. having its address at
225C, AJC Bose Road, Kolkata-700 020

Risk Management at MSTC LTD E-commerce server

MSTC E-commerce system group conducts risk assessment for all the information assets to ensure
that there are no unidentified risks and the major risks are mitigated by implementing a timely
solution. The owners of the information assets in use by E-commerce are the system and network
administrator (CISO, Technical Manager (E-commerce team leader) & ISOs) of the E-commerce
system who will carry the responsibility of managing the respective assets.
The risk assessment shall be triggered by events such as:
Significant change in the information environment, which will ensure that whenever any
assets are added or existing assets undergo any change, the associated risks are identified,
documented and a risk mitigation/acceptance plan is prepared.
Periodic assessment which will be conducted on annual basis to ensure that the existing
assets which didnt undergo any change were revisited for any fresh risks identified.

MSTC E-commerce group adopts an unique Risk Management approach for its information assets.
This approach is based on qualitative risk analysis model for assessing and maintaining the risk
framework implements certain formulas that would be seen as quantitative approach. This unique
approach ensures proper identification and measure of the assets risks and corresponding
mitigation controls that have been implemented.
The detailed risk assessment methodology can be found in the document Risk Assessment

Prepared By: Reviewed By: Approved By:

Internal

Page12 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Procedure [Ref: RAPR: Risk Assessment Procedure].

Statement of applicability
The statement of applicability with respect to the ISMS implementation is prepared an approved by
the management.
The SoA document enlists the controls as per the ISO 27001 standard [Ref: ISO 27001], the
applicability/ implementation status along with a statement on the basis of their selection or non-
selection. [Ref: SoA: Statement of Applicability]
Implement and operate the ISMS (4.2.2)
In line with MSTCs risk management approach, the risk treatment plan [Ref: RTP] is also
documented in the same framework. The risk treatment plan includes the resources,
responsibilities and priorities along with action taken by the MSTC management towards the risk
identified. These are documented, implemented and reviewed from time to time by various
methods.
A risk treatment plan is arrived stating the technology and the process controls to be
implemented. This is presented to the management team for approval. The senior management
reviews the approach as well as the solution and then approves the treatment plan, which includes
steps to be taken to mitigate a particular risk. The E-commerce Group consults on the various
aspects of the treatment plan and develops the solution approach.
The scope of ISMS is limited to E-commerce portal and employees working in it are all IT qualified
and are aware of the security aspects. A formal awareness program is imparted on ISMS and a dos
and donts on information security are informed both verbally and in the form of hard copy. The
employees of E-commerce group signs an agreement on maintaining the security and
confidentiality at the time of appointment.
The E-commerce System team is equipped with sufficient knowledge and infrastructure to ensure
that they will be able to implement the required controls with the desired effectiveness and
maintain information security to the fullest extent.
The ISMS operations are lead by CISO & Technical Manager with the help of other E-commerce
team members. The roles and responsibilities of all persons falling under the scope are defined in
the document Ref: Roles & Responsibilities.

The E-commerce implements various procedures and controls to ensure effective, consistent and
operations. These procedures are documented as part of the standards and procedures define
reviewed at-least once a year OR when significant changes occur to the infrastructure. These
procedures assist the IT group carrying out the activities in a structured manner. The procedures
defined include the following broad areas:

Risk Management (Ref: RAPR & RTP)

Information security (Ref: ISMS)
Desktop management (Ref: ISPM)
Server Management (Ref: ISPM)
LAN Management (Ref: ISPM)
Continuity of Business (Ref: BCMM)

The above chapters contain detailed explanation with respect to the expectations from the
management on various facets of IT management. These procedures along with various checklists
help MSTC to monitor, detect and correct all activities pertaining to information activities which
are performed by the various domains (Windows, Linux) described in this document and are used
for monitoring and reviewing purposes by E-commerce group.
Adequate measures have been taken and technical as well as other control as relevant deployed to
enable prompt detection of any security events. The information security policy details the
manner to respond to any security incident.
Effectiveness of all security controls are measured and actions taken accordingly if effectiveness
found to be low. The effectiveness and the meeting of security objectives are measured through

Prepared By: Reviewed By: Approved By:

Internal

Page13 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

analysis of relevant logs and records such as incident report, access logs, network logs, BCP test
etc. and technical compliance (Ref: TCCPR)

Monitor and Review the ISMS (4.2.3)

The E-commerce group has drawn out an elaborate plan with respect to the various activities to be
taken up with respect to monitor and review the ISMS. The monitoring activities are divided into
categories such as daily, weekly, and monthly activities. These monitoring activities help the group
and track and measure the security compliance in various aspects of information security. The
group also has drawn up an elaborate information security testing framework.
The testing framework includes monitoring of various activities such as vulnerability assessment,
anti virus controls, patch updating, user profile management, and access control reviews.
These measures are carried out on a regular basis and any improvement to the security is
implemented after testing. This ensures that a complete test methodology exists and constant
improvement measures are taken towards information security. The diagram below illustrates
MSTCs information security testing framework.

Figure 2 Security Testing Framework

Maintain and Improve the ISMS (4.2.4)

MSTC Ltd invests significant time and effort in improving the quality of the various activities
present in E-commerce areas viz. software, hardware and security improvement. The E-commerce
Security group reviews MSTC E-commerce information security document at-least once a year with
inputs from various quarters of the management.
This is reviewed and changes that are required to meet the current business requirements as well
as current scenarios are incorporated into the security policy.
Documentation requirements (4.3)
General (4.3.1)
ISMS documentation includes all documents and records related to ISMS. The list of
documents and records are maintained in the asset register (Ref: ARFO).
Contr ol of documents (4.3.2)
A Document Control Procedure (Ref: DOC_CTRL) is available with CISO which is available as a soft

Prepared By: Reviewed By: Approved By:

Internal

Page14 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

copy in the file server.

All documents pertaining to the ISMS either with respect to the policies and procedures technology
specific documents will be in sole custody of E-commerce Security group. The group will own these
documents monitor the implementation and will be sole entity within MSTC eligible for making
changes. The E-commerce security group is also responsible for defining and maintaining the IT
infrastructure administration process. The E-commerce security group issues the changes to the
documents when they are warranted. The changes are recommended by the E-commerce security
group and intimated to the management team for approval.
The other interfaces to this document are a few external documents which are stated in Asset
Register. All documents pertaining to ISMS are identified by their unique version numbers; any
change the version in ISMS shall be put in two categories (a) Major change (b) Minor change.
Major change is defined as the release where there are more than 12 changes to the existing
manual. Changes related to formatting, TOC, diagrams are not counted among these change such
releases are numbered in absolute numbers incrementing one to the existing version (11, 12, 13
etc)
Minor change is defined as the release where they are less than changes 12 to the existing ISMS
manual. Changes related to formatting, TOC, diagrams are not counted among these changes. All
such releases are numbered in decimal notation which get incremented by one (12.1, 12.2
The document owner shall also have the history of changes that has been done on the document to
ensure control over the changes. Apart from the version number the documents are also per the
classification guidelines from MSTC.
The CISO is responsible for the following controls with respect to the documentation pertaining to
ISMS
Review and approval of documents by authorized person prior to issue/use
Updating, review and approval of necessary changes in controlled documents
Availability of current and correct revisions of necessary documents
Identification of the change history and the change itself in the document or as an
amendment to the original document.
Withdrawal of obsolete documents from all points of issue or use or identification as such,
guarding against unintended use. The older documents are water marked with the standard
verbiage obsolete.
The circulation of the documents is based only on a need to know basis.
The control of master documents whether in soft or hard copy is provided in the Master List of
Documents. Documents that are kept as soft copy in a file server with limited access are uploaded
after proper review and approval. A master list (Ref:Masterlist of Documents) is maintained of all
documents with proper version number, reviewing and approving authority. Availability of the
documents pertaining to ISMS shall be only to authorized people that too from the file server. This
by default will be available only to the E-commerce members within MSTC and subject to approval
from the management may be provided to others.
Contr ol of records (4.3.3)
Records shall be identified as appropriate within each procedure in the ISMS to provide evidence of
conformance to requirements and effective functioning of the Information Security System These
records shall be generated, maintained and disposed as per the required methodology. Masterlist
of all records is available in Asset Register. (Ref: ARFO)
Records are classified in the same way as documents and with retention period. The master list of
documents contains this information.

Management Responsibility (5)

Management commitment (5.1)
MSTC senior management is responsible for the consistent and effective information security
operations across MSTC. It has nominated the E-commerce group to define, architect, manage and
monitor information security activities in MSTC. MSTC management also actively participates in the

Prepared By: Reviewed By: Approved By:

Internal

Page15 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

risk management exercises by reviewing the risk assessment exercise and determining acceptable
levels of risk.
The chart below gives an overview of the hierarchy with respect to the Information security
management.

Prepared By: Reviewed By: Approved By:

Internal

Page16 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

CMD

D(F) D(C)

HOD(F&A)
HOD(P&A)

CISO Tech.Manager

ISO 1 &
ISO 2

Attendants
DR SITE

RM

ISO 1 &
ISO 2

(Roles & Responsibilities of each individual above is described in document Roles &
Responsibilities)

#Tech. Manager, ISO 1 and ISO 2 are referred in ISMS as E-commerce System Security Group.
#CISO, Tech.Manager, ISO 1, ISO 2 is referred as E-commerce System Group / E-commerce Group.
#Management Team or MISF Ref: Roles & Responsibilities
Bold lines indicates Reporting To
Dash lines indicate the interfaces.

Prepared By: Reviewed By: Approved By:

Internal

Page17 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Resource Management (5.2)

Provision of resources (5.2.1)
The requirement and plan for the E-commerce portal is placed to the Management team by E-
commerce Systems Group who reviews the ISMS operations at least once a year. MSTC management
reviews the plan and allocates resources in terms of people, technology etc. to the E-commerce
group. This ensures that a structured approach to information security resource management is
built into MSTCs operations.

The minutes of such review meetings are maintained by CISO.

Training, awareness and competence (5.2.2)

ISMS awareness training has been provided to existing users and will be provided to new entrants
to e-commerce system. All security training related issues follow the following procedure:

If the Technical Manager feels that a particular training is necessary for developing the
competence level of a system personnel associated with e-commerce, a proposal may be sent by
him or through CISO to management, following the normal practice. After the approval, HR will
make arrangements for the said training. Training records will be maintained by HR.

CISO or Technical Manager encourages ISOs for attending security related seminars.

Internal ISMS audits (6)

A separate team conducts independent internal audit of the information security activities
mentioned in the standards and procedures of the ISMS. A different internal auditor audits the CISO
functions as CISO is also an internal auditor and cannot audit CISOs function.
An audit plan is drawn up in consultation with Technical Manager, Admin & HR department and will
be carried out at least once in between surveillance audits. The typical audit scope includes the
implementation of policies and adherence to the procedures defined in Standards & Procedures,
compliance to relevant standards such as ISO 27001 as well as compliance with the applicable laws
(applicable if any) and contractual arrangements. The auditor uses checklists as an aid during
interviewing the Auditees & physical verification of records / evidence of compliance to the
process. On completion of audit a structured report on findings (including Non-compliances &
suggestions) of the audit is submitted by the internal audit to CISO/Tech.Manager [Repo
ID:Audit_Report]. The CISO/Tech.Manager shall submit the action plan for the findings of the
audit along with the dates by which the implementation will be completed. Based on the
intimation of action completion by the Auditees, the internal audit verifies the closure.
Management review of ISMS (7)
The Management team (Ref: Roles & Responsibilities) conduct a management review of the ISMS
operations in MSTC E-commerce. The management review takes place at least once in a year or on
such occasion which warrant a review. CISO conveys the meeting after discussion with CMD and
other management team members. CMD chairs this meeting to conduct the review of the ISMS
operations.
The CISO makes a presentation on the various initiatives and activities carried out by the team for
the review period.
Whenever CISO/TM feels that some special initiative is needed to further improve the security
controls, the same is placed to the management team in detail. The management team reviews
and if convinced approves the initiative.

The management team carries out a review of the status of implementation of the ISMS program
at least twice a year within MSTC. The presentation from the CISO also contains the activities that

Prepared By: Reviewed By: Approved By:

Internal

Page18 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

were carried but were not part of the yearly planner as such activities are included to take care of
the emerging business scenario.
During the management review meeting, the following reports are reviewed:
Status of various corrective & preventive actions initiated
Reports on internal audits
Incident reports
Any changes to ISMS documentation/operation based on the incidents, feedbacks
received during the course of operations.
Security policy for its continued suitability, adequacy and effectiveness
Results of the measurement of effectiveness
Business Continuity Review
The Minutes of Meeting are prepared for each Management Review Meeting. The minutes
document the improvement areas identified, modifications to procedures concerning information
security, as well as any changes to the current business processing which are mandated due to
increase / decrease in threat scenario. The need (if any) to augment the resource requirement to
carry out the ISMS activities are also identified.
The minutes of the meeting shall also describe any need to increase or carry our specific security
activities due to contractual as well as change in regulatory aspects.
The minutes of the management review meeting shall be circulated to the management team for
discussion.
The internal audit team conducts the internal audit of the information security activities standards
and procedures as well as ISMS. The CISO along with the relevant members from the management
team draw an action plan to address the observations in the internal audit report.

ISMS Improvement (8)

Continual improvement (8.1)
MSTC recognizes to keep the information security environment current on an on-going basis, to
achieve the same it has implemented the following
Periodic review of the security policy
Periodic updates regarding the versions, patch levels
Periodic Vulnerability assessment and track security related tasks to closure
Build education and awareness through new channels.

Corrective action (8.2)

The MSTC E-commerce group drives compliance with respect to the standards and procedures; this
is done through various reviews by the internal team and also by external team if required.
These reviews identify the vulnerabilities, non-conformities to ensure the areas of improvement
are identified and addressed. Apart from the corrective actions which are performed a root-cause
analysis of the issue is done and proper measures are implemented to ensure that there is no
recurrence of the same issue.
Issues identified through these reviews are tracked on a continuous basis to ensure compliance.
Suitable corrective controls both process controls as well as technical controls are implemented to
ensure that the security posture of MSTC E-commerce is maintained.
Preventive action (8.3)
Learnings emerging from the various reviews as well as industry best practices are integrated into
the information security framework on an ongoing basis to ensure there is a constant improve
process which is kept up. Apart from the preventive action results of that are analyzed to
determine if the preventive controls has met the expectations as well as addressed the business /
security issue that was identified.
The preventive steps include a constant monitoring of threat scenarios, identifying the
applicability of the same in MSTC information context as well as implementing the controls for

Prepared By: Reviewed By: Approved By:

Internal

Page19 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

identified threat
Compliance to ISO 27001 annexure control
MSTC shall comply with the ISO 27001 annexure controls, the controls as well as the objectives
described in the sections given below:

Prepared By: Reviewed By: Approved By:

Internal

Page20 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Annexure Controls
Security policy (A.5)
Information security policy (A.5.1)
Control Objective: To provide management direction and support for information security in
accordance with business requirements and relevant laws and regulations.
Information Security Policy document (A.5.1.1)
Information Security Policy Manual (ISPM) shall be approved by CMD. The documents shall be kept
as soft copy in the designated file server with shared access to the E-commerce Group,
Administration and HR. It is applicable to all users defined in the scope.

Review of information security policy (A .5.1.2)

The ISPM will be owned by CISO/Tech.Manager and reviewed by the management at least once in a
year. The review shall also be done in case of major security incidents or organization and business
process changes. Following points shall be considered while reviewing
Security Threats faced.
Virus, Spyware and other malicious code attack incidents.
Identified improvements of ISMS.
Changes to the organizational environment, business circumstances, contractual,
regulatory and legal conditions or to the technical environment.
Any aspects which are felt by E-commerce group may create security threats or
requirement of any additional resources that calls for an unscheduled ISMS review.

Minutes of the review committee meeting will be recorded in details with signatures from all
the concerned members. Decision on major issues will be discussed and decision taken will be
recorded and management approval for same will be obtained.

Organization of information security (A.6)

Internal organization (A.6.1)
Control Objective: To manage information security within the organization.
Management commitment to information security (A.6.1.1)
CMD will form a Management Information Security Forum MISF or a Management Team.
The management team shall
Define the scope of ISMS
Develop, review and approve the Information Security Policy.
Monitor significant changes in exposure of information assets to major threats.
Review the security incidents along with the results of respective investigations.
Document the security roles and responsibility of each individual.
Assign owner of each Information Asset for its day-to-day security.
Communicate all about the security expectations from them.
Authorize the induction of new information processing facilities.
Seek for a source of specialist information security advice and made the same available
within the organization.
Arrange for independent review of implementation of Security policy.

The CISO / Tech. Manager shall report to the top management on any security related issues, and

Prepared By: Reviewed By: Approved By:

Internal

Page21 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

such discussions should be properly recorded with actions taken if any. All activities of the
management team detailed above will be documented.

Information security co-ordination (A.6.1.2)

Day to day co-ordination of the information security related activities shall be performed by the
CISO, Tech.Manager, ISO 1, ISO 2, Admin and HR.

Allocation of information security responsibilities (A.6.1.3)

While CISO/Tech.Manager shall have the overall responsibility of ISMS of the organization, the
specific responsibilities of the members of management team in respect of information security
shall be in accordance with section A.6.1.1 of this document.
The following specific tasks shall be conducted and documented personally by the CISO, Tech.
Manager and/or his entrusted members.
Analysis of Security Incidents.
Review of server logs for production servers.
Review of logs of network equipment.
Management Team shall review the security responsibilities regularly in accordance with the
need of the situation.
Authorization process for information processing facilities (A .6.1.4)
New processing facility, including personal computing/information processing system requirement
shall be identified with respect to business requirements and security requirements within the
division/function and shall be authorized by divisional/functional head. Necessary approvals as
mentioned in purchase process documents shall be obtained after reviewing the potential threats
and compatibility issues of the new system with the existing system.
Confidentiality agreement (A.6.1.5)
Requirements for confidentiality / non-disclosure agreements reflecting organizations needs for
protection of information shall be identified. CISO is responsible for making confidentiality
agreement with vendors whereas HR will be responsible for regular and hired employees. The
requirements shall be reviewed by the CISO at least once in a year. A general NDA format is with
CISO which has been approved by Legal department. Existing NDA records are available with CISO.
[Repo ID: NDA]

Contacts with authorities (A.6.1.6)

CISO or legal department shall maintain contacts with law enforcement authorities, regulatory
bodies, information service providers and telecommunications service providers depending on the
service required. This is required for necessary updates, assistance and guidance in handling the
security incidents and keeping the security infrastructure up-to-date.

Contact with special interest groups (A.6.1.7)

CISO shall keep in touch with information security consultants, Internet resources and shall keep
watch on the early warning of alerts, advisories or patches related to the Information system of
MSTC.

Independent review of information security (A.6.1.8)

Internal audit of the ISMS shall be conducted at as stated in Clause 6 or when any significant
changes occur to the security implementation by a group of internal auditors not directly
connected with the areas under audit. The audit shall be planned and coordinated by the Tech.
Manager. However the organization may also engage independent third party for auditing the ISMS.
The CISO will be responsible to get the ISMS certified by a reputed Certification Body and co-

Prepared By: Reviewed By: Approved By:

Internal

Page22 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

coordinating the certification audits by the Certification Body.

External parties (A.6.2)

Control Objective: To maintain the security of the organizations information and information
processing facilities that are accessed, processed, communicated to, or managed by external
parties.

Identification of risks related to external parties (A.6.2.1)

CISO shall ensure that the external parties follow the Service Level Agreement (SLA), Code of
Conduct, Non-disclosure agreement and security policy for addressing the security risks to the
organizations information and information processing facilities, if logical/physical accesses are
granted to the external parties in future. A general NDA format is available with CISO being
approved by legal department. Risk assessment exercise shall be carried out as per defined
procedure by CISO to identify security risks.

Addressing security when dealing with customers (A.6.2.2)

NOT APPLICABLE as not in scope.
Addressing security in third party agreements (A.6.2.3)
CISO shall ensure that the third parties involving accessing, processing, communicating or
managing the organizations information or information processing facilities sign confidentiality /
Non-disclosure agreements.

Asset management (A.7)

Responsibility for assets (A.7.1)
Control Objective: To achieve and maintain appropriate protection of organizational assets.
Inventory of assets (A.7.1.1)
All information assets of MSTC shall be clearly identified and an inventory of all information assets
shall be maintained in the Asset Register [Ref: ARFO] by the e-commerce group. The asset register
shall be verified half yearly. The Asset Register will include:

Asset Type
Asset ID
Asset Description
Acquisition Date
Asset Owner
Location
Backup Information
License Information (If any)
Business Value

Ownership of assets (A.7.1.2)

All information and assets associated with information processing facilities within the scope of the
ISMS are owned by the CISO, Tech. Manager and ISOs. Following responsibilities shall be assigned to
the asset owner for managing the assets:
Initial classification of the assets.
Initial asset allocation to the user/custodian of the assets
Any discrepancies/exceptions during the stock verification shall be reported to the owner.

Prepared By: Reviewed By: Approved By:

Internal

Page23 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Acceptable use of assets (A.7.1.3)

Rules for the acceptable use of information and assets associated with information processing
facilities as documented [Ref: ISPM] shall be communicated to the all concerned users by suitable
means like awareness programme, publishing in file server etc.

A.7.2 Information Classification

Control objective: To ensure that information receives an appropriate level of protection.

Classification guidelines (A.7.2.1)

All information assets within the scope shall be classified based on its impact value in case of loss
of Confidentiality/ Integrity /Availability. The impact values can be HIGH, MEDIUM and LOW.
The assets shall be classified as per the following scheme.

Table 1: Asset Classification Scheme

Impact HIGH MEDIUM LOW
Confidentiality Confidential Internal Unclassified
Integrity/Availability Critical Essential Unclassified

As per the above scheme each asset shall be having two classifications, one based on
Confidentiality and another based on Integrity/Availability.
For further details of asset valuation refer the Risk Assessment Procedure [Ref: RAPR: Risk
Assessment Procedure]. CISO will be responsible to define the classification of an asset, review it
atleast once a year and ensure it is kept up to date.

Information labeling and handling (A.7.2.2)

All information assets shall be labelled and handled as per the following schemes.

Table 2: Asset Labelling Scheme

Classification Physical Asset Information Asset
Confidential Red sticker with C inscribed in Mark CONFIDENTIAL in
it. footers/headers for electronic
documents. For paper documents
at least mark the container (e.g
folder, file cabinet), if not
possible to mark the individual
documents.
Internal Yellow sticker with C Mark INTERNAL in
inscribed in it. footers/headers for electronic
documents. For paper documents
at least mark the container (e.g
folder, file cabinet), if not
possible to mark the individual
documents.
Critical Red sticker Mark CRITICAL in
footers/headers for electronic
documents. For paper documents
at least mark the container (e.g
Prepared By: Reviewed By: Approved By:

Internal

Page24 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

folder, file cabinet), if not

possible to mark the individual
documents.
Essential Yellow sticker Mark ESSENTIAL in
footers/headers for electronic
documents. For paper documents
at least mark the container (e.g
folder, file cabinet), if not
possible to mark the individual
documents.
Unclassified No Label No marking

Table 3: Asset Handling Scheme

Classification Physical Asset
Confidential Very strict physical and
logical access control.
Placed in secure zone.
Access by authorized
persons only on need to
use basis.
Media containing
confidential information
(e.g. Hardcopy, CD,
DVD, Hard Disk etc)
shall be securely
erased/destroyed before
disposal.
Internal Access restricted to
authorized groups
Critical Careful handling by
authorized persons.
Availability of suitable
and tested BCP
Information Asset
Strict physical and
logical access control.
No transmission through
e-mail without proper
encryption.
Access by authorized
persons only need to
know basis
Access restricted to
authorized groups.
Exchange is restricted
among the group.
Availability of backup
both onsite and at offsite.
Storing a backup in a
suitable fireproof
cabinet.

Essential Availability of standby Availability of backup.

arrangement to meet the
requirement.
Unclassified No special control No special control

Procedures for chain of custody and logging of any security relevant event will be defined.

Prepared By: Reviewed By: Approved By:

Internal

Page25 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Human resource Security (A.8)

Prior to employment (A.8.1)

Control objective: To ensure that employees, contractors and third party users understand their
responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of
theft, fraud or misuse of facilities.

Roles and responsibilities (A.8.1.1)

Security roles and responsibilities of the employees, contractors and third party users shall be
defined. HR and CISO shall ensure that all employees and third party users within the scope having
access to the information assets sign the Non-disclosure Agreement. Employees shall be made
aware of their specific security roles & responsibilities as per the MSTC information security policy.
Screening (A.8.1.2)
Background verification checks with respect to integrity, competency, knowledge and behavior for
all candidates for employment shall be carried out by the HR as per the HR process. CISO shall
ensure that the third party users are properly screened before employment for specific tasks
requiring privilege access to the MSTC information system.

Terms and conditions of employment (A.8.1.3)

All employees and the third party users shall agree and sign the terms and conditions of their
employment. This shall be ensured by HR for MSTC employees and by the CISO for the third party
users.
During employment (A.8.2)

Control objective: To ensure that all employees, contractors and third party users are aware of
information security threats and concerns, their responsibilities and liabilities, and are equipped to
support organizational security policy in the course of their normal work, and to reduce the risk of
human error.

Management responsibilities(A.8.2.1)
Top management shall require employees and third party users to apply security in accordance
with established policies and procedures of MSTC. Top management shall communicate the
security roles & responsibilities to the employees the relevant documents by them, and shall
motivate them to adhere to the security procedures by communication of the benefits of the
same.

Information security awareness, education and training (A.8.2.2)

All users within the scope shall receive appropriate awareness and training and regular updates
about MSTCs policies and procedures, as relevant for their job function. CISO shall ensure the
same. The CISO shall identify the specialist training needs for his employees and arrange the
training through HR.

Disciplinary pr ocess (A.8.2.3)

A disciplinary process is in place as per the Conduct, Discipline and Appeal Rule,1980 of MSTC

Prepared By: Reviewed By: Approved By:

Internal

Page26 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

which has been referenced as an external document in Asset Register(Ref: ARFO).

Termination or change of employment (A.8.3)

Control objective: To ensure that employees, contractors and third party users exit MSTC or
change employment in an orderly manner.

Termination responsibilities (A.8.3.1)

Responsibilities for performing employment termination or change of employment should be
clearly defined and assigned by the HR as per MSTC HR process.

Return of assets (A.8.3.2)

All employees and third party users should return all the MSTCs assets in their possession upon
termination of their employment, contract or agreement. CISO shall ensure this.

Removal of access rights (A.8.3.3)

Access rights of all the employees and third party users to information and information processing
facilities shall be removed upon termination of their employment, contract or agreement or
adjusted upon change. The Technical Manager shall ensure this.

Physical and environmental security (A.9)

Secure areas (A.9.1)

Control objective: To prevent unauthorized physical access, damage and interference to MSTCs
premises and information at Kolkata office and DR site at Mumbai.

Physical security perimeter (A.9.1.1)

All information assets within the scope are kept inside the datacenter and the adjacent system
room. Those rooms are identified as secure zone (SZ1) with necessary security measures like entry
restriction, controlled environment etc. Though there are few e-commerce personnel working on
the same floor but they are not precisely kept under the secure zone (SZ1) as described above.
They are sitting in individual closed chambers with lock and key and a clear desk policy and are
marked also to be in a secured zone (SZ2). Throughout the document wherever secured zone
is mentioned it refers to SZ1 unless specifically mentioned as SZ2. CISO is sitting in an
unsecured zone but all precautions are present that none including CISO can have access to e-
commerce systems and related documents. All documents maintained by CISO are stored in a
file server situated in virtual a virtual LAN and password protected. The documents are version
controlled.

Physical entry contr ols (A.9.1.2)

The entry to the secure zone is controlled by card control gates, having access rights to the
authorized persons only with facility to automatically log the accesses. The access logs shall be
verified by the CISO/Technical Manager fortnightly. The few ecommerce personnel who are
sitting in a separate secure zone (SZ2) are in closed chambers with lock and key and a clear

Prepared By: Reviewed By: Approved By:

Internal

Page27 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

desk policy. Security personnel man the total third floor where the secured zones are situated.

Securing offices, rooms and facilities (A.9.1.3)

The scope of the ISMS is e-commerce information security. The e-commerce information facilities
are housed in the identified secure zone at data centre located in the third floor. The data centre
and the system room are isolated from the other departments which are also located in the third
floor. Security guard is present at the entry of the third floor. Administration department has to
monitor the security and visitors log that is being maintained. Monitoring of the e-commerce site
is done by attendants from outside the secured zone (i.e. outside server and ante chamber). Entry
to this systems room and data centre is restricted through access control cards. All physical
movements inside the data centre and systems room can be viewed through monitors which are
recorded through cameras. Past 10 days recording are always preserved.

Protecting against external and environmental threats (A.9.1.4)

Preventive measure to counter natural or man-made disaster is in place as far as possible like fire-
fighting equipments, alarms etc. Fire fighting equipments like fire extinguisher are checked half-
yearly. People are not allowed to enter the premises without the knowledge of the security. The
security after taking permission from the respective employee allows the visitor to meet the
employee.

Working in secure areas (A.9.1.5)

Use of camera and other recording devices is prohibited within the secure zone*. Visitors have to
take prior permission from competent authority for entering the secure zone. A register is
maintained for all visitors, AMC and support people. CISO maintains and reviews it. Smoking and
drinking alcoholic beverages is strictly prohibited in the secure zone.

* Secure zone (Data Center) includes the Server room and the attached System Room (SZ1)
and cubicles of some ecommerce personnel (SZ2).

Public access, delivery and loading areas (A.9.1.6)

No delivery or loading shall be done from the third floor where the secure zone is located. Delivery
of office equipment and stationeries shall be done from the 2nd floor which does not house any
information processing facilities within the scope.
Equipment security (A.9.2)

Control Objective: To prevent loss, damage, theft or compromise of assets and interruption to the
organizations activities.

Equipment sitting and protection (A.9.2.1)

The servers and network devices are kept in the secure zone. All the critical servers and
equipments are placed in rack environment so that it is not easy to remove any information
facilities. Moreover card controlled gate and round the clock manning is present so that no
stranger can enter into the data centre. Alarms and other precautions are in place. Proper
lightning conductors are in place in the building. The environmental condition of the secure zone is
controlled. Suitable modular UPS is deployed to feed power to the critical equipments.

Prepared By: Reviewed By: Approved By:

Internal

Page28 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Supporting utilities (A.9.2.2)

All the critical servers and equipments are fed with uninterrupted power supplies (UPS) with
sufficient battery back up to avoid damage from electrical anomalies and power failure. A failover
UPS is also in place. A back up DG set is in place to provided supply in case of mains failure. The
UPSs are put under Annual Maintenance Contract (AMC). DG set is under the supervision of
Administration department and is run by a third party vendor. AMC of DG set is with the AMC
vendor of Data Center. However the AMC vendor has a backup support with the authorized sales
and service partner of the DG set manufacturer. The records of maintenance of those facilities
shall be maintained.
Cabling security (A.9.2.3)
Power, telecommunication and network cabling carrying information are protected from
interception and damage.
Equipment maintenance (A.9.2.4)
All information processing facilities are under AMC and redundancy is present as far as possible for
the critical equipments. CISO is responsible for review of the maintenance records regularly.

Security of equipment off premises (A.9.2.5)

MSTC E-commerce has a DR site at Mumbai for the purpose of continuing business in the event of
failure at Primary site. Physical security is under the control of Mumbai office whereas all logical
security is taken care of by Technical Manager.
Secure disposal or re-use of equipment (A.9.2.6)
All equipment containing Medias (e.g. HDD) shall be securely disposed off and recorded in the
Asset Register with proper authorization.

Removal of property (A.9.2.7)

Usually no information equipments will be taken off-site. If at all required, data storage media
should be left in site and for the rest it should be under authorization of CISO/TM. A register/call
sheet is in place. [Ref: AMRFO: Asset Movement Register Format]

Communications and operations management (A.10)

Operational procedures and responsibilities (A.10.1)

Control Objective: To ensure the correct and secure operation of information processing facilities.

Documented operating procedures (A.10.1.1)

The documented operating procedures of ISMS shall be maintained and made available on
fileserver. Access to the file server shall be limited by the use of user-id and password.

Change management (A.10.1.2)

Changes to the information processing facilities shall be done in controlled manner. Changes to the
operational systems should only be made when there are adequate business reasons to do so. All
changes to equipment, software, application or procedures shall be done formally by following the

Prepared By: Reviewed By: Approved By:

Internal

Page29 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Change Management Procedure [Ref: CMPR: Change Management Procedure].

Segregation of duties (A.10.1.3)

Duties and responsibilities should be segregated as far as possible to reduce human error and
misuse of the information processing assets. Whenever it is not possible to segregate, the process
should be secured by alternative controls such as monitoring, logging, management supervision,
independent audit/review etc. Administrations of servers are done by Technical Manager whereas
logs are maintained by ISO 1. Logs are reviewed periodically.

Separation of development, test and operational facilities (A.10.1.4)

Development, test and go-live operation shall be separated to reduce the risks of unauthorized
access or changes to the operational system. Separate servers shall be used for those activities.

Third party service delivery management (A.10.2)

Control Objective: To implement and maintain the appropriate level of information security and
service delivery in line with third party service delivery agreements.

Service delivery (A .10.2.1)

MSTC shall ensure that the security controls, service definitions and delivery levels are included in
the third party service delivery agreement in the form of SLA/contract. The same shall be
implemented, operated, and maintained by the third party. CISO shall be responsible for ensuring
the same.

Monitoring and revie w of third party services (A.10.2.2)

The call sheets of third parties shall be regularly monitored by the CISO. CISO shall also ensure to
conduct yearly audit/review of the SLA/contract compliance by the third parties.

Managing changes to third party services (A.10.2.3)

If it is required that agreement (SLA) with third party vendors needs a change which may arise due
to any changes in the existing infrastructure like addition of hardware/software or new control
needs to be in place, the changes should be incorporated through proper management process
after considering the pros and cons.

A.10.3 System planning and acceptance

Control Objective: To minimize the risk of systems failures.

Capacity management (A.10.3.1)

Capacity and health status of power supply, air-conditioning, network connectivity, data storage
shall be closely monitored. A periodic report of above shall be made available to the CISO for
review. All related reports are referenced in the Master list of documents.

Prepared By: Reviewed By: Approved By:

Internal

Page30 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

System acceptance (A.10.3.2)

Acceptance criteria for new information systems, upgrades and new versions should be established
and suitable tests shall be carried out during development and prior to acceptance.
All in-house developments are also tested on the test server. Acceptance of new software is
considered after checking whether the said software is fulfilling the acceptance criteria. Persons
concerned who works on such new systems are trained by concerned developer or vendor from
whom new systems are purchased.

A.10.4 Protection against malicious and mobile code (A.10.4)

Control Objective: To protect the integrity of software and information.

Contr ols against malicious code (A.10.4.1)

All desktops attached to E-commerce server are loaded with anti-virus and regular updates are
made online. Virus scanning is done at least once a week.

No unauthorized software can be installed on e-commerce server without the knowledge of CISO
and this has been communicated to all members of e-commerce team.

Refer [Ref: ISPM] for detailed anti-virus policy and Malicious code policy.

Contr ols against mobile code (A .10.4.2)

NOT APPLICABLE
No immediate risk is anticipated hence, this control has not been selected

Back-up (A.10.5)

Control Objective: To maintain the integrity and availability of information and information
processing facilities.

Information back-up (A.10.5.1)

Back-up of information and software shall be taken and tested regularly as the back-up
policy [Ref: ISPM].

Network security management (A.10.6)

Control Objective: To ensure the protection of information in networks and the protection of the
supporting infrastructure.

Network controls (A.10.6.1)

MSTC has designed a robust and secure network. Presently MSTC LTD are using three VLANs. Out of
the three VLAN, one VLAN is dedicated only for critical E-commerce Server Group. One Vlan is
used for MSTC internal users and 3rd number VLAN is used for R & D Purposes & that is used by
MSTC system group only. A Firewall is placed in between MSTC Network and Internet to control

Prepared By: Reviewed By: Approved By:

Internal

Page31 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

entrusted user networks .A NIDS is placed in between internet and Critical E-commerce server
group to detect intrusion attempts from the outside world. MSTC uses a secure log on procedure so
that not display systems or application identifiers until the log-on process has successfully
completed. Array of controls are implemented in the network and application systems for secure
e-procurement transaction using Digital Signature.

Remote administration of the servers and network devices should be avoided as far as possible. If
done it should be done using SSH.

Network administration is conducted by a skilled ISO under the supervision of the Technical
Manager.

Security of network services network controls (A.10.6.2)

Security features, service levels, and management requirements of the network services shall be
identified and included in the SLA of the service providers (e.g. Internet Service Provider). The
SLAs shall be closely monitored by the e-commerce team and any issues shall be addressed through
review meetings with the service providers.

Media handling (A.10.7)

Control Objective: To prevent unauthorized disclosure, modification, removal or destruction of

assets, and interruption to business activities.

Management of removable media (A.10.7.1)

Media shall be disposed of securely and safely when no longer required or damaged.
All media should be stored in a safe and secure environment by following the
manufacturers specification.
Proper care should be taken while using and storing the media containing Critical
information so that the media is not deteriorated or corrupted and becomes unuseable.
Refer asset handling scheme [Ref: Table 3] for proper handling of media containing
classified information during processing, storing, exchanging and disposal.
Disposal of media (A.10.7.2)
Redundant or unusable computer media should be physically destroyed (e.g. floppy disks,
CD-ROMS, LTOs).
Hard disks on any machine may contain sensitive or confidential data. Removal of such
disks e.g. for repairs, represents a potential threat. The data and information should be
securely erased/overwritten by junk data and formatted wherever possible. If not possible
the HDD should be destroyed if it contains CONFIDENTIAL data.
All removable media should be securely erased and reformatted before disposal, however
if this is not possible, the media should be destroyed
Refer asset handling scheme [Ref: Table 3] for securely disposing of all kinds of media
(floppy, CD, HDD, paper documents)

Information handling procedures (A.10.7.3)

MSTC information handling procedure is summarized in the [Table 3: Asset Handling Scheme].
Security of system documentation (A.10.7.4)
CISO is responsible for secure use and storage of system documentation. Asset Handling Scheme
shall be followed for security of those Confidential and Critical assets.

Prepared By: Reviewed By: Approved By:

Internal

Page32 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Exchange of information (A.10.8)

Control Objective: To maintain the security of information and software exchanged within an
organization and with any external entity.

Information exchange policies and procedures (A.10.8.1)

NOT APPLICABLE
Current buisness practices do not require this control.
Exchange agreements (A.10.8.2)
NOT APPLICABLE
Current buisness practices do not require this control.
Physical media in transit (A.10.8.3)
NOT APPLICABLE
Current buisness practices do not require this control.
Electronic messaging (A.10.8.4)
E-mail accounts are available to restricted system users and operation people and for official use
only. Refer detail E-mail policy [Ref: ISPM]
Business information systems (A.10.8.5)
NOT APPLICABLE
No business information systems are within the scope.

Electronic commerce services (A.10.9)

Control Objective: To ensure the security of electronic commerce services, and their secure use.

Electronic commerce (A.10.9.1)

Information involved in electronic commerce passing over public networks shall be protected from
fraudulent activities, contract dispute, and unauthorized disclosure and modifications.

E-commerce service is provided by MSTC for its customers and principals. All concerned parties are
provided with user-id and password without which no one can make any transaction. Proper terms
and conditions are present to protect contract dispute. Moreover all transactions are passed over
SSL.

Trading partners before starting transaction has to agree to terms and conditions where
protections are kept for any legal dispute. (Ref:www.mstcecommerce.com)

On-line transactions (A.10.9.2)

Information involved in on-line transactions shall be protected to prevent incomplete transmission,
misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message
duplication or reply.
SSL shall be in place. Bidding through use of PKI as far as possible. Synchronization of time through
use of a certified time stamping server.
All online transactions are validated for completeness before committing the transaction.

Prepared By: Reviewed By: Approved By:

Internal

Page33 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Publicly available information (A.10.9.3)

No sensitive information is made available in the public websites. Only authorized contents are
published. Responsibility of contents for publicly available system rests on the operation
department of regions and branches. Adequate protections are in place to prevent unauthorized
access and modifications of the published contents.

Monitoring (A.10.10)

Control Objective: To detect unauthorized information processing activities.

Audit logging (A.10.10.1)

All security-related events on CRITICAL or CONFIDENTIAL systems must be logged and audit trails
shall be protected as per the MSTC Server Security Policy [Ref: ISPM]

Monitoring system use (A.10.10.2)

The e-commerce systems are operated and used by small no. of trusted e-commerce team
members hence chances of misuse is very less. However, misuse is monitored by random
checking of the logs by Technical Manager and independent auditors.

Protection of log information (A .10.10.3)

Regular back-up of the logs are taken as per the Server Security Policy [Ref: ISPM].

Administrator and operator logs (A.10.10.4)

Administrator and operator access logs are also part of the security related event logs which
are maintained for CRITICAL and CONFIDENTIAL servers.

Fault logging (A.10.10.5)

All faults shall be logged, addressed and reviewed for corrective and preventive actions.

Call is placed if not at the capacity of the internal systems people and is maintained in a register.
Record of Fault logging is made in a register.

If the problem is resolved to the satisfaction of the e-commerce group then the case is closed in
the register.
Clock synchronization (A.10.10.6)
Clock Synchronization will take place from a certified time-stamping server.
Transactions logs are based on single server (time stamping server) time.

Prepared By: Reviewed By: Approved By:

Internal

Page34 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Access control (A.11)

Business requirement for access control (A.11.1)

Control Objective: To control access to information.

Access control policy (A.11.1.1)

The access control policy is applicable to all computing resources such as Desktops, Laptops,
Servers, Network Devices, Communication equipments etc. The term "User" in the policy includes
Employees and Third party users, who may access the Computing resources. Access to the systems
shall be provided based on role of the employee in the organization and shall be controlled by
USERID and PASSWORD. E-mail account shall be provided to employees only.

Administrator passwords of the critical servers and the network devices are used by the authorized
e-commerce team members responsible for system administration.

User access management (A.11.2)

Control Objective: To ensure authorized user access and to prevent unauthorized access to
information systems.

User registration (A.11.2.1)

User registration and de-registration to the system and services shall be carried out in controlled
manner. User/e-mail account creation and deletion shall be carried out only after formal
authorization by the Technical Manager.

The e-commerce applications should have its own secure user registration / de-registration
process.

Privilege management (A .11.2.2)

Allocation of system administration privileges should be granted to the respective administrators
by the Technical Manager. A record of the all administration users shall be maintained by the
Technical Manager. The administration account shall not be used other than administration
purposes. Administration accesses should be logged and the logs shall be reviewed by the e-
commerce leader regularly for any abnormal use or misuse of the administration privileges.

User password management (A.11.2.3)

A Forgot Password shall be present which will require other authentication like PAN No, Account
No for authenticity of the person making the request over and above e-mail id. It should not be
communicated by phone or e-mail.

Prepared By: Reviewed By: Approved By:

Internal

Page35 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Review of user access rights (A.11.2.4)

The Technical Manager shall conduct formal review of the user access rights quarterly both for
normal and privilege user accounts.
User responsibilities (A.11.3)

Control Objective: To prevent unauthorized user access, and compromise or theft of information
and information processing facilities

Password use (A.11.3.1)

Users shall follow the MSTC password policy [Ref: ISPM, Password policy] and good security
practices in the selection and use of passwords. CISO/Technical Manager should take necessary
measures to make the users aware of this

Unattended user equipment (A.11.3.2)

The users should ensure that unattended Desktop has appropriate security measures as per
the MSTC security policy. [Ref: ISPM, Acceptable use policy]

Clear desk and clear screen policy (A.11.3.3)

The clear screen policy shall be adopted and enforced through the desktop configuration, e.g
screensaver password, whereas clear desk policy shall be observed for removable storage media
and information assets in paper form when users leave office for the day.

Network access control (A.11.4)

Control Objective: To prevent unauthorized access to networked services.

Policy on use of network services (A.11.4.1)

Email and other network services shall be available to the authorized users only. No direct access
to the network services shall be available from the Internet. Internet access to the authorized
users shall be given through proxy server using user name and password authentication scheme.

Users shall not connect any new resources (e.g. personal laptop, modem) to the MSTC network
without getting prior approval from the CISO/Technical Manager.

User authentication for external connections (A.11.4.2)

NOT APPLICABLE
Connection from external network is not allowed.
Equipment identification in networks (A.11.4.3)
NOT APPLICABLE
Connection from external network is not allowed.

Remote diagnostic and configuration port protection (A.11.4.4)

NOT APPLICABLE

Prepared By: Reviewed By: Approved By:

Internal

Page36 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

No remote diagnostic and configuration port exists.

Segregation in networks (A.11.4.5)

Presently MSTC LTD are using three VLANs. Out of the three VLAN one VLAN is dedicated only for
critical E-commerce Server Group. One Vlan is used for MSTC internal users and 3rd number VLAN
is used for R & D Purposes & that is used by MSTC system group only. A Firewall is placed in
between MSTC Network and Internet to control entrusted user networks.
Network connection control (A.11.4.6)
NOT APPLICABLE
Connection from external network is not allowed.

Network routing control (A.11.4.7)

A Firewall is placed in between MSTC Network and Internet to control entrusted user networks and
it shall be configured to comply the MSTC access control policy.

Operating system access control (A.11.5)

Control Objective: To prevent unauthorized access to operating systems.

Secure log-on procedures (A.11.5.1)

MSTC uses a secure log on procedure so that not display systems or application identifiers until the
log-on process has successfully completed.

User identification and authentication (A.11.5.2)

All general users shall have a unique identifier (user ID) for their personal and sole use so that
activities can be traced to the individual responsible. Special accounts shall be used for
administration with necessary privileges. Password based authentication will be used for the
administration accounts.

Password management system (A.11.5.3)

Password policy [Ref: ISPM] of MSTC shall be enforced in the respective systems wherever feasible.

Use of system utilities(A.11.5.4)

The use of utility programs that might be capable of overriding system and application controls
shall be restricted and tightly controlled.

Session time-out (A.11.5.5)

Inactive sessions shall be timed out, after a period of inactivity. For workstations this can be
implemented by screen saver time-out control. Suitable controls shall be in place in the e-
commerce application so that the client sessions timed out after some predetermined period of
inactivity.

Limitation of connection time (A.11.5.6)

NOT APPLICABLE

Prepared By: Reviewed By: Approved By:

Internal

Page37 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

There is no business or risk requirement for this control

Application and information access control (A.11.6)

Control objective: To prevent unauthorized access to information held in application systems.

Information access restriction (A.11.6.1)

Access to information and application system by the employees and the third party users shall be
restricted in accordance with business requirements. Access to shared files, emails, databases
shall be controlled as per the access control policy of MSTC.

Sensitive system isolation (A.11.6.2)

E-commerce application system is the most sensitive system. No other systems/applications shall
be installed in the e-commerce application system and database servers.

Mobile computing and teleworking (A.11.7)

Control Objective: To ensure information security when using mobile computing and teleworking
facilities.

Mobile computing and communications (A.11.7.1)

NOT APPLICABLE

It is not practiced within the scope.

Teleworking (A.11.7.2)
NOT APPLICABLE

It is not practiced within the scope.

Prepared By: Reviewed By: Approved By:

Internal

Page38 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Information systems acquisition, development and maintenance

(A.12)

Security requirements of information systems (A.12.1)

Control objective: To ensure that security is an integral part of information systems.

Security requirements analysis and specification (A.12.1.1)

The security requirements shall be specifically mentioned at the time of analyzing the requirement
for new systems as well as during change of the existing system. Suitable testing shall be done to
ensure that the requirements are met. Test Documentation being maintained by TM.

The procurement process shall consist of suitable acceptance testing of the systems ensuring
compliance to the security requirements. Testing Records for the purpose of Acceptance of
hardware & software being maintained by TM.

Technical Manager/ISO 2 shall be responsible for the same.

Correct processing in applications (A.12.2)

Control objective: To prevent errors, loss, unauthorized modification or misuse of information in
applications.

Input data validation (A.12.2.1)

Data input to applications shall be validated to ensure that this data is correct and appropriate.
Validation requirement of each field shall be met at required stages and shall be taken care off
during development process.
All validation logic for each of the application systems shall be tested at the time of software
development and the test results shall be documented. Test Documentation being maintained by
TM.
Contr ol of internal processing (A.12.2.2)
Suitable controls shall be incorporated into applications to prevent any corruption of information
through processing errors or deliberate acts. Testing process shall ensure this during development
and maintenance. Test Documentation being maintained by TM.

Message integrity (A.12.2.3)

Integrity of message shall be controlled by built in mechanism inside the application. This is
implemented in the e-commerce portal.
Output data validation (A.12.2.4)
Before committing any transaction validation of all data is made through the built in codes in the
e-commerce application. Suitable testing shall be carried out for validation the data output
Testing record stating the output against inputs shall be maintained. Test Documentation being
maintained by TM.

Prepared By: Reviewed By: Approved By:

Internal

Page39 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Cryptographic controls (A.12.3)

Control objective: To protect the confidentiality, authenticity or integrity of information by

cryptographic means.

Policy on the use of cryptographic contr ols (A.12.3.1)

For the e-commerce application cryptographic control has been implemented. SSL and digital
certificate as per the global best practices and the MSTC Acceptable Encryption Policy [Ref: ISPM]
has been implemented.

Key management (A.12.3.2)

Key management shall be in place to support MSTCs use of cryptographic techniques.
Safe global best practice shall be followed to manage the cryptographic keys.
CISO shall be responsible for this act.

Security of system files (A.12.4)

Control objective: To ensure the security of system files.

Contr ol of operational software (A.12.4.1)

Installation and upgrade of all software (application / operating system) on operational systems
shall be done in controlled manner as per the MSTC Change Management Procedure [Ref: CMPR].
Version control software may be in place to control the version of the operational code.

Protection of system test data (A.12.4.2)

Use of live personal or sensitive data for testing shall be avoided as far as possible. If it becomes
inevitable to use such data to simulate actual scenario, the sensitive details shall be masked /
removed properly. Use of such data shall be done only after due authorization by the Technical
Manager or the owner of the database.
Access control to program source code (A.12.4.3)
Access to program source code shall be restricted. All source codes shall be kept in a server as a
with proper access control. The CISO/ISO 2 shall be responsible for this activity.

Security in development and support processes (A.12.5)

Control objective: To maintain the security of application system software and information.

Change control procedures (A.12.5.1)

All changes to the application systems and the support environments shall implement in controlled
manner as per the MSTC Change Management Procedure [Ref: CMPR].
Technical review of applications after operating system changes (A.12.5.2)
When operating systems are changed, business critical applications shall be reviewed and tested to
ensure there is no adverse impact on MSTCs operations or security. Technical Manager shall be

Prepared By: Reviewed By: Approved By:

Internal

Page40 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

responsible for this act.

Restrictions on changes to software packages (A.12.5.3)

Vendor supplied software packages, off-the-shelf standard software shall be used without
modification in the basic package. The software updates/patches shall only be acquired from the
original vendor or the authorized agents of the original vendors. The updates and patches shall be
implemented after testing and following the MSTC Change Management Procedure. [Ref: CMPR]

Information leakage (A.12.5.4)

E-commerce application and other sensitive applications shall be thoroughly tested regularly by
specialists to detect any vulnerabilities causing leakage of information.[Ref: ISPM: Technical
Compliance Checking Procedure]. To avoid information leakage, access to the sensitive systems,
resources shall be restricted and monitored. All applications/systems shall be either developed in
house in controlled manner or acquired from reputed sources.
Outsourced software development (A .12.5.5)
NOT APPLICABLE

It is not practiced currently.

Technical Vulnerability Management (A.12.6)

Control objective: To reduce risks resulting from exploitation of published technical

vulnerabilities.

Contr ol of technical vulnerabilities (A.12.6.1)

CISO shall pro-actively acquire information about the unearthed technical vulnerabilities of the e-
commerce application system and the operating environments and take appropriate actions to
patch those vulnerabilities by following the Change Management Procedure [Ref: CMPR].
Additionally Vulnerability Assessment and Penetration Testing of the e-commerce system shall be
conducted regularly as per the Technical Compliance Checking Procedure. [Ref: ISPM Technical
Compliance Checking Procedure]

A.13 Information security incident management (A.13)

A.13.1 Reporting information security events and weaknesses (A.13.1)

Control objective: To ensure information security events and weaknesses associated with
information systems are communicated in a manner allowing timely corrective action to be taken.

Reporting information security events (A.13.1.1)

Information security events shall be reported through appropriate management channels as quickly
as possible.
All e-commerce portal related security incidents shall be reported to the CISO / Technical Manager
who in turn may escalate to the top management if necessary. The entire e-commerce team shall
be made aware of it.

Prepared By: Reviewed By: Approved By:

Internal

Page41 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Reporting security weaknesses (A.13.1.2)

All employees, contractors and third party user of the e-commerce portal shall be informed that
they are required to note and report security weaknesses (if any), to the CISO / Technical
Manager.

Management of information security incidents and improvements (A.13.2)

Control objective: To ensure a consistent and effective approach is applied to the management of
information security incidents.

Responsibilities and procedures (A.13.2.1)

Whenever a severe or unprecedented security incident comes to the knowledge of CISO/Technical
Manager which calls for special attention, the same is communicated to the higher authority
directly or through management team and on their approval appropriate remedial procedure is
adopted. For other incidents Technical Manager can use his intelligence for solving the problem
provided there will be no financial implication. In case of financial implication the same has to be
approved by head of systems and finance and CMD.
Learning from information security incidents (A.13.2.2)
Analysis and solution of the security incidents are shared among the e-commerce team members.
Collection of evidence (A.13.2.3)
Where a follow-up action against a person or organization after an information security incident
involves legal action (either civil or criminal), evidence shall be collected, retained, and presented
to conform to the rules for evidence laid down in the relevant jurisdiction(s).
Depending upon the type of security incident, physical or technical evidences are retained for
future legal purpose and provided to the operational people for further course of action.

Business continuity management (A.14)

Information security aspects of business continuity management (A.14.1)

Control objective: To counteract interruptions to business activities and to protect critical business
processes from the effects of major failures of information systems or disasters and to ensure their
timely resumption.

Including information security in the business continuity management process.

(A.14.1.1)
E-commerce application system is the critical system within the scope of these ISMS. A business
continuity management process along with disaster recovery strategy is in place for the e-
commerce application. [Ref: BCMM]

Business continuity and risk assessment (A.14.1.2)

Risk assessment has been carried out for the e-commerce application and databases as per the Risk
Assessment Procedure. [Ref: RAPR].

Prepared By: Reviewed By: Approved By:

Internal

Page42 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Developing and implementing continuity plans including information security

(A.14.1.3)
Business Continuity Plans (BCP) shall be developed and implemented to maintain or restore
operations and ensure availability of information at the required level and in the required time
scales following interruption to, or failure of, critical business processes. [Ref: BCMM]

Business continuity planning framework (A.14.1.4)

A single framework of business continuity plans shall be maintained to ensure all plans are
consistent, to consistently address information security requirements, and to identify priorities for
testing and maintenance. [Ref: BCMM]

Testing, maintaining and reassessing business continuity plans (A.14.1.5)

Business continuity plans shall be tested and updated regularly to ensure that they are up to date
and effective. [Ref: BCMM]

Compliance (A.15)

Compliance with legal requirements (A.15.1)

Control objective: To avoid breaches of any law, statutory, regulatory or contractual obligations,
and of any security requirements.

Identification of applicable legislation (A .15.1.1)

All relevant statutory, regulatory and contractual requirements shall be met. Legal department has
provided a Statutory/Regulatory Framework for e-commerce/e-business. Compliance of
statutory/regularity framework will be reviewed periodically (at least once a year or whenever any
modification happens) by an internal legal officer from the legal dept.

Intellectual pr operty rights (IPR) (A.15.1.2)

CISO shall ensure compliance with legislative, regulatory, and contractual requirements on the use
of material in respect of which there may be intellectual property rights. Software with valid
licenses shall only be used. All paper licenses shall be in the custody of CISO.

Protection of organizational records (A.15.1.3)

Important records shall be protected from loss, destruction and falsification, in accordance with
statutory, regulatory, contractual, and business requirements.
Organizational records will be categorized into record types, e.g. database records, transaction
logs, audit logs, operational procedures each with details of retention period and type of storage
media (e.g. paper, optical media, magnetic media etc.).

The following rules will be maintained while keeping the organizational records and/or
choosing the storage media/technology:

Whenever new storage technology to be adopted, compatibility issues will be taken

care of.

Prepared By: Reviewed By: Approved By:

Internal

Page43 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

Disposal of all information assets will be made after destruction of sensitive data.
The retention period of the storage of the organizational records will be in line with
national/regional laws or as per requirement of principals.

Data protection and privacy of personal information (A.15.1.4)

MSTCs Privacy Policy is present in the Ecommerce portal. Legal department has to modify the
policy as and when new rules come up. Data protection control is made through restricted access
to the server.

Prevention of misuse of information processing facilities (A.15.1.5)

All users are made aware of the security policies of MSTC. [Ref: ISPM]. The users are also bound by
confidentiality agreement and terms and conditions of employment. Also different organisational,
procedural and technical measures are in place to prevent the misuse of information processing
facilities.
All users will also be given written authorization clearly defined the scope of their permitted
access and of the monitoring in place to detect unauthorized use. The authorization document will
be signed by every user and securely retained by the organization.

At log-on to the e-commerce portal a terms & condition page will be presented to the user/viewer
mentioning all the terms and conditions related to the authorizations. The user/viewer has to
acknowledge and accept to the message on the screen to continue with the log-on process.

Regulation of cryptographic controls (A.15.1.6)

Cryptographic controls shall be used in compliance with all relevant agreements, laws, and
regulations. Legal advice is sought by operational people from the legal cell to ensure compliance
with national laws and regulations and conveyed to the Technical Manager for compliance.

Compliance with security policies and standards, and technical compliance

(A.15.2)

Control objective: To ensure compliance of systems with organizational security policies and
standards.

Compliance with security policies and standards (A.15.2.1)

CISO/Technical Manager shall ensure that all security policies and procedures are followed through
regular review and audit.
If any non-compliance is found as a result of the review, CISO/Technical Manager will be
responsible to:

Determine the cause of the non-compliance.

Evaluate the need for actions to ensure that non-compliance does not occur.
Determine and implement appropriate corrective action.
Review the corrective action plan.

Technical compliance checking (A.15.2.2)

The e-commerce system and the associated supporting environment shall be regularly checked for
compliance with security implementation standards as per the Technical Compliance Checking
Procedure. [Ref: ISPM - Technical Compliance Checking Procedure]. The help of specialist third
party may be taken if required for conducting these checks.

Prepared By: Reviewed By: Approved By:

Internal

Page44 of 45
 ISO 27001 ISMS Manual DOC-ID: ISMS
Version 2.9 Date 07-05-2012

All information systems before putting on to the production environment are tested on a
development server and being approved by concerned users.

Security concerns are kept in mind while information systems are installed through logs in servers.

A.15.3 Information systems audit considerations (A.15.3)

Control objective: To maximize the effectiveness of and to minimize interference to/from the
information systems audit process.

Information systems audit controls (A.15.3.1)

Audit requirements and activities involving checks on operational systems shall be carefully
planned, and agreed to minimize the risk of disruptions to business processes. CISO shall be
responsible to ensure this. All audits are to be performed on demo tables.

Protection of information systems audit tools (A .15.3.2)

MSTC e-commerce security audits on vulnerability and penetration testing are to be done by expert
third parties whenever a major hardware or software configuration change takes place through the
use of their audit tools. Such tests would be planned and documented. Application level technical
compliance is done through examination of controls.

Prepared By: Reviewed By: Approved By:

Internal

Page45 of 45