1. Objective
2. Scope of Work
3. Key Deliverables
4. Timelines
5. Project Team
INTRODUCTION
ONGC Videsh Ltd. (OVL) is the second largest E&P company in India, both in terms of oil production and oil & gas reserve holdings. The primary business of OVL is to prospect for oil and gas acreages abroad, including acquisition of oil and gas fields, exploration, development, production, transportation and export of oil and gas. OVL is a wholly-owned subsidiary of Oil and Natural Gas Corporation Limited (ONGC), the flagship national oil company of India. OVL currently has a presence in about 41 E&P projects in 20 countries, namely Vietnam, Myanmar, Iraq, Iran, Libya, Syria, Sudan, Namibia, Nigeria, Cuba, Brazil, Venezuela, Colombia, Russia, UAE, New Zealand, Bangladesh, Azerbaijan and Kazakhstan. OVL has its corporate office at Deendayal Urja Bhawan, Vasant Kunj, New Delhi.
OVL is an IT-savvy organization, with all its employees having access to email, Internet, Intranet and other IT services. The PC penetration in the company is 100%. The desktops/laptops run Windows Vista/7/8/10 in a Microsoft Windows 2012 based single-domain network. In addition to Microsoft Windows, some users also use Apple iMac desktops/laptops. The primary business applications are MS Office 2007/2010/2013, and the email system is based on the MS Exchange 2010 platform. The company's business processes run on SAP. OVL uses an IBM FileNet based DMS for document management. All these applications/systems are housed in a state-of-the-art on-premises Data Center. DR for the SAP and email systems is at the BSNL Data Center, Mumbai. OVL also has a state-of-the-art Data Center dedicated to geophysical and geo-scientific data processing and analysis related to its E&P business activities. The DR for G&G and the File Server is at ONGC premises, Baroda.
1. Objective
ONGC Videsh Limited (hereafter referred to as OVL) intends to get its IT department and data centers located at Green Building (Delhi) aligned to ISO 27001:2013, in order to:
The objective of this engagement is to review and identify the gaps in the current information security framework in accordance with ISO 27001:2013 requirements and to update the Information Security Management System (ISMS) for ISO 27001:2013 certification readiness.
The bidder would be required to engage an accredited certifying agency for ISO 27001:2013 certification of the IT department and data centers.
2. Scope of Work
Identify and document the scope of ISO 27001 certification. The bidder needs to identify the functional areas and processes to be covered in the scope and document the scope as per the ISO 27001 certification requirement.
Review the ISMS policy, processes, systems and procedures relevant to managing risk and improving information security, so as to deliver results in accordance with the organization's overall policies and objectives.
Conduct an ISO 27001 gap assessment. The bidder shall conduct a gap assessment against the ISO 27001 standard and report the current status of the ISMS to OVL management.
Prepare guidelines and update the procedures and other mandatory documents. The selected bidder would be required to revise/formulate the required documentation, such as information security policies, guidelines, procedures and mandatory documents. The required documentation should also include the steps to be performed for ISO 27001 sustenance.
Engage an external certification audit. The bidder would engage an external certification agency for the certification audit and extend support during the certification audit.
The agreement with the bidder will be applicable for a period of 3 years, which includes the first ISO 27001 certification process and subsequent ISMS sustenance support for the 2nd and 3rd year.
Further, the scope of work shall include the following, as per the phases below:
Phase 1: Current State Analysis and ISMS Scope Definition aligned to ISO 27001:2013 requirements:
a. Conduct a sensitization session for all stakeholders on ISO 27001:2013
b. Conduct an initial assessment of the current information security practices followed at OVL in accordance with ISO 27001:2013 requirements
c. Define the ISMS scope for the ISO 27001:2013 certification
d. Visit the Data Center to understand the environment
e. Develop a Gap Analysis Checklist for ISO 27001:2013
f. Perform a gap analysis of the existing security policies and procedures with regard to ISO 27001:2013
g. Identify the areas of improvement and the areas currently not addressed by the existing information security framework
Phase 2: Review and Update Asset Classification Framework, Risk Assessment and Risk Treatment Plan
Risk Assessment:
a. Review and update the Risk Assessment Methodology
b. Conduct risk assessment of information assets
Risk Treatment:
a. Review and update the Acceptable Risk Level
b. Devise a risk management strategy in each case, i.e. whether to:
1. Mitigate the risk
2. Transfer the risk
3. Avoid the risk
4. Accept the risk
c. Develop the Risk Treatment Plan, which will serve as the action plan for development of the information security program
Port Scanning
System Identification & Trusted System Scanning
Vulnerability Scanning
Malware Scanning
Spoofing
Scenario Analysis
OS Fingerprinting
Service Fingerprinting
Denial of Service (DoS) Attacks
DDoS Attacks
Authorization Testing
Lockout Testing
Password Cracking
Containment Measure Testing
Server Assessment (OS Security Configuration)
Database Assessment
Vulnerability Research & Verification
Man in the Middle attack
Man in the browser attack
Attempt ARP poisoning
Attempt MAC flooding
Attempt DNS poisoning
Any other attacks
b. Penetration Testing
The vendor will carry out penetration testing for critical OVL application systems – SAP, CDMS, E-Mail, File Servers, Websites, critical user desktops etc. The assessment should be carried out from the following network segments, to identify vulnerabilities which can be exploited from each of these segments:
The vulnerability testing methodology and testing tools should conform to CERT-In recommendations/instructions issued from time to time on the subject.
The vendor will provide assistance in closure of all observations/gaps found during the VA/PT exercise.
c. Configuration Review of In-Scope Infrastructure
The configuration review will assess the controls implemented to secure OVL's critical information and the systems hosting these applications. These reviews should be performed to identify any security weakness that could be exploited by a user with malicious intent. The vendor will carry out a detailed review of the configurations of the in-scope IT infrastructure to ensure that all unnecessary ports, services and user accounts are properly closed/disabled, proper security controls are enabled, server hardening and patch updates are done, and audit logging etc. is enabled on all critical devices/systems and the supporting network infrastructure. This will also include a review of the network design/components of the data centers, external connectivity given to partners, firewall policy review, router access lists, email system and perimeter
The vendor shall also provide recommendations on the relevant CERT, IT Act and CVC guidelines applicable to OVL.
Phase 5: Review and Update the ISMS Policy Framework and Procedures in accordance with ISO 27001:2013
a. Review and update the overall information security framework
b. Review and update the information security policy
c. Review and update the security organization, defining the structure and the roles and responsibilities of key members
d. Review and update existing IT processes and information security procedures aligned to ISO 27001:2013
Phase 10: Sustenance Program for the 2nd and 3rd year
a. VA/PT and configuration review to be conducted for the critical infrastructure identified, as part of the sustenance program for the 2 subsequent years
b. Red teaming exercise to be conducted as part of the sustenance program for the 2 subsequent years
c. Awareness training (5-6 sessions for end users) each year
d. Internal Audit of the ISMS framework implemented
e. Policies / Procedure updation (as required) based on the risk assessment performed
Phase Deliverables

Phase – 1: Gap Assessment and ISMS Scope Definition
1. Gap Analysis Report with details on weaknesses
2. Addition/Deletion report on existing OVL Security policy
3. ISMS Scope Document

Phase – 2: Risk Assessment and Risk Treatment Plan
1. Risk Assessment Methodology
2. Risk Assessment Report and Register
3. Risk Treatment Plans

Phase – 3: Vulnerability Assessment and Penetration Testing
1. Performing Vulnerability Assessment and Penetration Testing
2. Detailed report on the Vulnerability Assessment and Penetration Testing highlighting the observations, risk and recommendations

Phase – 4: Selection of Control Objectives
1. Statement of Applicability matrix for all controls as per ISO 27001:2013

Phase – 5: ISMS Framework Updation and Development
1. OVL's Information Security Policy
2. Preparation of Information Security Organization structure
3. Updation of procedures and guidelines as below:
   a. Corrective Action and Preventive Action Procedure
   b. Control of Documents Procedure
   c. Control of Records Procedure
   d. Incident Management Procedure
   e. User Access Management Procedure
   f. Physical Security Procedure
   g. Media Disposal Procedure
   h. Change Management Procedure
   i. Patch Management Procedure
   j. Segregation of Duties Guidelines
   k. Backup and Restoration Procedure
   l. Audit Logging Procedure

Phase – 6: Implementation Assistance and Roll-out
1. ISMS Implementation plan
2. Implementation of Risk Treatment Plan
3. Posters/screensavers on information security
4. Conduct Information Security Training for senior management and IT asset owners of OVL
5. Progress reports on implementation tracker

Phase – 7: Red Teaming Exercise
1. Cyber Maturity Assessment Report
2. Cyber Drill Simulation Exercise
3. Assessment report on cyber response plan
4. Assessment report on preparedness towards cyber attack

Phase – 8: Pre-Certification Audit for ISO 27001
1. Internal Audit Plan
2. Internal Audit Report
3. Corrective Action and Preventive Action Report for Internal Audit
4. Future Roadmap

Phase – 9: Certification on ISO 27001
1. Assistance in ISO 27001:2013 certification by the external agency

Phase – 10: Sustenance Program for 2 years
1. Conduct Internal Audit for the 2nd and 3rd year after certification
2. Conduct awareness trainings for the 2nd and 3rd year after certification
3. Review and update ISMS framework for the 2nd and 3rd year after certification
4. Conduct VA/PT in year 1 & year 2 after certification
5. Red teaming exercise for the 2nd and 3rd year after certification

Phase – 11: Surveillance Audits for 2 years
1. Assistance during Surveillance Audit – 2nd year
2. Assistance during Surveillance Audit – 3rd year
4. Timelines
In the first year the project should be completed within 10 weeks from the date of LOA; this includes preparation and certification by the third party.
For subsequent years, the preparation and re-certification are to be completed before the expiry of the previous year's certificate.
5. Project Team
The project team should consist of a Project Manager supported by a Team Lead and Team Members meeting the following requirements:
1. The Project Manager should have a minimum of 5 years of work experience in carrying out information security assignments and shall possess a PMP certificate along with one of the following information security related certifications: ISO 27001 LI / ISO 27001 LA / CISA / CISM
2. The Team Lead should have a minimum of 3 years of experience and should be ISO 27001 LI / LA certified.
3. Team Members involved in ISMS implementation should have a minimum of two years of experience in ISO 27001 / ISMS implementation and should be ISO 27001 LI / LA certified.
4. Team Members involved in VA/PT should be CEH certified with a requisite experience of minimum 2 years.
Annexure IIIA

S.No  Item                    GF       3F   4F   5F  Total  Remarks
1     Desktop Computers       11       164  103  66  344
2     Work Station            2        12   0    1   15
3     Network Printers        0        9+3  7    7   26     Including 2 plotters
4     Personal Printers       1        22   9    20  52
5     Scanners                0        1    0    0   1
6     Network Switches        4+4+3+1  8    7    6   33     Data center 4+4, LV Room 1+3 G&G
7     CISCO IP Phones         7        164  109  79  359
8     Wireless Access Points  0        7    9    7   23
9     VC System               0        1    1    2   4
10    AV System               0        3    5    4   12