Operation Security Policy

Details

DateVersionStatusInformation ClassificationDocument Template IDDocument No
22-01-20202.5ApprovedInternalAMS DOCAMS-SP-10

Revision History

DateVersionDescriptionAuthorReviewed byApproved byApproved date
17-06-20111.0Initial Version
29-07-20121.1Mobile Code is made applicable
09-04-20121.2Cover Page, Document Identification changed from ISMS 10 to AMS-SP-10, Included Standardized Header & Footer
07-05-20122.0Entire content of Communication and Operation Management Policy has been revamped via DCR No 2012-07JeevanPraveen
25-05-20152.1Reviewed as part of AMS transition
23-03-20162.2Reviewed as part of document review. No changes madePremanand
31-07-20172.2Reviewed no changes
10-08-20172.3Replaced shall with will and deleted etc.,
25-03-20192.4Reviewed no changes
24-12-20192.5Annual Review 2020 - Changes made to align with the standard document formatPraveenShailaSuresh Kumar B V22-01-2020

Acronym Used

AcronymExpanded Form

Purpose

The purpose of this document is to ensure the correct and secure operation of information processing facilities.

Operations Security

Operational procedures and Responsibilities

Documented Operating Procedures: Operating Procedures will be documented, maintained and made available to all users who need them.

  • Relevant documented operating procedures required for day-to-day conduct of operations will be developed and maintained. Master copy of these documented operating procedures will be available with CISO who will maintain as version controlled.

  • Department Head will authorize the documented procedures and changes to them.

  • When changes will be made, an audit log containing all relevant information will be retained wherever needed.

  • Relevant procedures are available as required for day-to-day conduct of operations. Master copy of documented operating procedures for network devices and software is available with IT. These IT specific documents are maintained and controlled by IT

  • Some of the procedures identified are: Backup and Restoration, Server Hardening, Anti-Virus, Patch Management, Media Handling, User Administration.

Change Management

Changes to Information Processing facilities and systems will be controlled.

  • Changes to operational systems will be made when there is a valid business reason to do so.

  • Changes to information processing facilities and systems will be controlled. The confidentiality, integrity and availability of information will be protected if there is a change required in the operational environment.

  • Operating systems and application software will be subject to strict change management control.

  • Change Management at ASL is categorized as follows:

    • Application Changes

    • Infrastructure Changes

  • Change request for deployment and closure is routed through ticketing system (IMS sapphire)

  • Application Changes are enhancements to the software and defect fixes. Change is subjected to Impact Analysis, Review, Estimation, Design, Implementation, Testing and Deployment.

  • Infrastructure Changes are enhancements to Hardware, Network Devices, System Software (Like Webserver, DB Server, and OS). Major changes to infrastructure are subjected to Impact Analysis, Risk Analysis, Backup Plan, Validations. Changes are identified as major by the IT department.

Capacity management

  • Capacity demands will be monitored and projections of future capacity requirements will be made to ensure that adequate processing power and storage are available.

  • These projections take into account new business and system requirements and current and projected trends in the ASL information processing.

  • IT department will monitor following parameters:

    • Server Disk Space utilization

    • Bandwidth utilization

    • Computing Power Utilization

    • User Sessions

    • Database Sessions

    • Java Heap values

  • Performance testing measures are undertaken before acceptance to validate whether application is able to meet the customer requirements.

Separation of Development, Test and Operational Facilities

Developmental, test and operational facilities will be separated to reduce the risks of unauthorized access or changes to the operational system.

  • The level of separation between production, test, acceptance, demo and developmental environments, necessary to prevent operational problems, are identified and appropriate controls are established.

  • Production environments will be hosted at qualified data centers. Production environment at ASL is hosted at TCL Datacenter. Testing, Acceptance & Development environment are at ASL and separated logically.

Protection Malware

  • ASL has implemented mechanism for detection, prevention and recovery controls to protect against malware and users are appropriately informed about.

  • ASL is committed to provide safe environment to all computing resources under its control by comprehensively protecting them against computer viruses and malicious code. This protection includes the tools and procedures necessary to prevent major and widespread damage to user applications, files and hardware.

  • IT department will be responsible for providing comprehensive anti-virus / anti-Spam solutions within its PCs / Networks and other information processing facilities.

  • ASL implemented fortigate firewall 500 D along with fortigate firewall 620 B as standby with latest unified threat management agents (UTM) and is updated regularly as and patches are released by vendor.

  • For client level protection, ASL uses Kaspersky AV in client-server architecture with following features

    • Endpoint controls

      • Application start up control

      • Application privilege control

      • Device control

      • Web control

    • Antivirus protection

      • File Anti-virus

      • Mail Antivirus

      • Web antivirus

      • IM antivirus

      • Firewall

      • Network attack blocker

      • System Watcher

Back-up

  • Information back-up: Back-up copies of Information and software will be taken and tested regularly in accordance with the agreed backup policy.

  • Routine procedures have been established to implement the agreed back-up policy and strategy for taking back-up copies of data and verifying media integrity by their timely restoration.

Logging and Monitoring

Event logging

Event logs recording user activities, exceptions, fault and information security events are produced, analyzed and reviewed daily. A record of the same is maintained.

Protection of Log Information

  • Logging facilities and log information are protected against tampering and unauthorized access.

  • Controls are implemented at Antares against:

    • Alterations to the message types that are recorded

    • Any changes done to server times is detected and alerted

    • Log files being edited or deleted

    • Storage capacity of the log file media being exceeded, resulting in either the failure to record events or over-writing past recorded events.

  • System event logs are transferred regularly to storage and backup is taken at TCL & logs are analyzed by using forti-analyser and logs are transferred to local storage for backup at ASLHO.

Administrator & Operator Logs

Antares records all the activities of system administrator and operators. These logs are protected and stored for retrieval upon the requirements.

Clock Synchronization

The clocks of all relevant information processing systems within ASL are synchronized with single reference time source. (redhat time server & NIST Time server).

Control of operational software

Installation of software on operational systems

ASL implemented following controls against installation of software on operational systems:-

  • Change management process to be initiated.

  • The updating of the operational software, applications and program libraries should only be performed by trained engineers of IT department upon proper authorization.

  • Application and operating system software should only be implemented after extensive and successful testing by covering functionality, usability, suitability and security.

  • A roll back strategy is defined and tested before installation of software on operational systems by keeping the previous version of software for contingency purpose.

  • System event logs are reviewed and system resources are monitored during the activity.

  • Ensure that vendor support and subscription is available for the software.

References

Srl.Document/Section Name
Procedure for Change Management- For Application Changes
Network Diagram of ASL & TCL
Malware protection policy and Antivirus SOP
Procedure for Backup and Recovery
Procedure for Log Management
ISMS_NTP_ Document_SOP