
ONGC Videsh Limited

Scope of Work for ISMS Implementation in accordance with ISO 27001:2013

Contents

Introduction
1. Objective
2. Scope of Work
3. Key Deliverables
4. Timelines
5. Project Team
INTRODUCTION

ONGC Videsh Ltd. (OVL) is the second largest E&P Company in India, both in terms of oil production and oil & gas reserve holdings. The primary business of OVL is to prospect for oil and gas acreages abroad, including acquisition of oil and gas fields, exploration, development, production, transportation and export of oil and gas. OVL is a wholly-owned subsidiary of Oil and Natural Gas Corporation Limited (ONGC), the flagship national oil company of India. OVL currently has presence in about 41 E&P projects in 20 countries, namely Vietnam, Myanmar, Iraq, Iran, Libya, Syria, Sudan, Namibia, Nigeria, Cuba, Brazil, Venezuela, Colombia, Russia, UAE, New Zealand, Bangladesh, Azerbaijan and Kazakhstan. OVL has its corporate office at Deendayal Urja Bhawan, Vasant Kunj, New Delhi.

INFORMATION TECHNOLOGY IN OVL

OVL is an IT savvy organization with all its employees having access to Email, Internet, Intranet and other IT services. The PC penetration in our company is 100%. The desktops/laptops are running on Windows Vista/7/8/10 OS in a Microsoft Windows 2012 based single Domain network. In addition to Microsoft Windows, some users are also using Apple iMac based desktops/laptops. The primary business applications are MS Office 2007/2010/2013 and the Email system is based on the MS Exchange 2010 platform. The company's business processes are running on SAP. OVL is using IBM FileNet based DMS for document management. All these applications/systems are housed in a state of the art on-premises Data Center. DR for the SAP and Email systems is at BSNL Data Center Mumbai. OVL also has a State of the Art Data Center dedicated to Geophysical & Geo-Scientific data processing and analysis related to its E&P business activities. The DR for G&G and File Server is at ONGC premises, Baroda.

The details of IT infrastructure in OVL are enclosed at Annexure-1.

1. Objective
ONGC Videsh Limited (hereafter referred to as OVL) intends to get their IT department and
data centers located at Green Building (Delhi) aligned to ISO 27001:2013, in order to:

 Mandate the policy framework for operations and management of Information Systems
 Harness industry leading practices for Information risk management
 Align their security controls against leading information security frameworks
 Establish secure relationship with vendors and suppliers
 Identify the vulnerabilities present in the organization internal IT infrastructure
 Provide Independent Assurance on Information Security Practices
 Establish reporting and monitoring mechanism
 Standardize information security and IT security controls implemented
 Create user awareness
 Provide guidance to OVL for preparing them for the ISO 27001:2013 certification.

The objective of this engagement is to review and identify the gaps in current information
security framework in accordance with ISO 27001:2013 requirements and update the
Information Security Management System (ISMS) for ISO 27001:2013 certification
readiness.

The bidder would be required to engage an accredited certifying agency for ISO 27001:2013 certification of the IT department and Data centers.

2. Scope of Work

ISO 27001 Certification Framework

 Identify and document the scope of ISO 27001 certification. Bidder needs to identify
functional areas and processes to be covered in the scope and document the scope as per
ISO 27001 certification requirement.
 Review ISMS policy, processes and systems and procedures relevant to managing risk and
improving information security to deliver results in accordance with the organization’s
overall policies and objectives.
 Conduct ISO 27001 Gap assessment. Bidder shall conduct gap assessment against the ISO
27001 standard and provide the current status of ISMS to OVL management.
 Prepare guidelines, update the procedures and other mandatory documents. The Selected
Bidder would be required to revise/ formulate required documentation such as
information security policies, guidelines, procedures and mandatory documents. The
required documentation should also include the steps to be performed for ISO27001
sustenance.
 Engage external certification audit. The Bidder would engage an external certification agency for the certification audit and extend support during the certification audit.
 The agreement with the bidder will be applicable for a period of 3 years, which includes the first ISO 27001 certification process and subsequent ISMS sustenance support for the 2nd and 3rd year.

Further, the scope of work shall include the following, as per the phases below:

Phase 1: Current State Analysis and ISMS Scope Definition aligned to ISO 27001:2013
requirements:
a. Conduct sensitization session for all stakeholders on ISO 27001:2013
b. Conduct an initial assessment of current information security practices
followed at OVL in accordance with ISO 27001:2013 requirements
c. Define the ISMS scope for the ISO 27001: 2013 certification
d. Visiting the Data Center to understand the environment
e. Development of Gap Analysis Checklist for ISO 27001:2013
f. Performing gap analysis of the existing security policies and procedures with regards to ISO 27001:2013
g. Identify the areas of improvement and the areas currently not addressed by the existing information security framework

Phase 2: Review and Update Asset Classification Framework, Risk Assessment and
Risk Treatment Plan

Risk Assessment:
a. Review and update the Risk Assessment Methodology
b. Conduct risk assessment of information assets

Risk Treatment:
a. Review and update the Acceptable Risk Level
b. Devise risk management strategy in each case i.e. whether to:
1. Mitigate the risk
2. Transfer the risk
3. Avoid the risk
4. Accept the risk
c. Development of Risk Treatment Plan, which will serve as the action plan for
development of the information security program

Phase 3: Vulnerability Assessment and Penetration Testing, Configuration review:

Conduct complete vulnerability assessment and penetration testing for identified critical information assets to identify vulnerabilities in the existing system (once in a financial year). The assessment needs to be comprehensive but not limited to the following activities.
a. Vulnerability / Risk Assessment of in-scope infrastructure
To identify the vulnerabilities present in the organization's internal IT infrastructure and the vulnerabilities present in the organization's IT infrastructure perimeter security. The vendor should carry out an assessment of threats and vulnerabilities and assess the risks in servers and network. This will include identifying existing threats, if any, and suggesting remedial solutions and recommendations to mitigate all identified risks, with the objective of enhancing the security of Information Systems. VA should be comprehensive but not limited to the following activities:

 Port Scanning
 System Identification & Trusted System Scanning
 Vulnerability Scanning
 Malware Scanning
 Spoofing
 Scenario Analysis
 OS Fingerprinting
 Service Fingerprinting
 Denial of Service (DOS) Attacks
 DDOS Attacks
 Authorization Testing
 Lockout Testing
 Password Cracking
 Containment Measure Testing
 Server Assessment (OS Security Configuration)
 Database Assessment
 Vulnerability Research & Verification
 Man in the Middle attack
 Man in the browser attack
 Attempt ARP poisoning
 Attempt MAC flooding
 Attempt DNS poisoning
 Any other attacks

b. Penetration Testing
The vendor will carry out Penetration testing for critical OVL application systems – SAP, CDMS, E-Mail, File Servers, Websites, critical user desktops etc. The assessment should be carried out from the following different network segments to identify vulnerabilities which can be exploited from these network segments:

 Trusted & DMZ Zone
 Server zone, Administrator zone
 End User network segment
 Remote Access etc.
 External networks

Vendor will carry out Penetration Testing (PT) both from the internal network and also from external public networks.

Internal and external vulnerability assessment and penetration testing are to be undertaken with prior approvals.

The vulnerability testing methodology and testing tools should conform to CERT-In recommendations/instructions issued from time to time on the subject.

Vendor will provide assistance in closure of all observations/gaps found out during VA/PT
exercise.
c. Configuration Review of In-Scope Infrastructure
Configuration review will assess the controls implemented to facilitate security of OVL critical information and the systems hosting these applications. These reviews should be performed to identify any security weakness that can be exploited by a user with malicious intent. The vendor will carry out a detailed review of configurations of In-Scope IT Infrastructure to ensure that all unnecessary ports and/or services and user accounts are properly closed/disabled, proper security controls are enabled, server hardening and patch updates are done, and audit logging etc. is enabled on all critical devices/systems and supporting network infrastructure. This will also include review of network design/components of datacenters, external connectivity given to partners, firewall policy review, router access lists, email system and perimeter.

The vendor shall also provide recommendations on relevant CERT, IT Act and CVC
guidelines applicable to OVL.

Phase 4: Selection of Control Objectives and Updation of Statement of Applicability:
a. Evaluation of the control objectives outlined in ISO 27001:2013
b. Identify control objectives which are applicable to the OVL as per ISO
27001:2013 requirements
c. Document the rationale for relevance of inclusion/ exclusion of specific
control objectives
d. Update the Statement of Applicability as per ISO 27001:2013

Phase 5: Review and Update the ISMS Policy Framework and Procedures in
accordance with ISO 27001: 2013
a. Review and update overall information security framework
b. Review and update the information security policy
c. Review and update the security organization defining the structure and
roles and responsibilities of key members
d. Review and update existing IT processes and information security
procedures aligned to ISO 27001:2013

Phase 6: Implementation Assistance & ISMS Management Workshops:

Implementation Assistance
a. Assistance in developing the implementation program, processes, controls and procedures in respective business environments
b. Establishment of data collection points (records) for evidence of effective implementation of ISMS
c. Periodic monitoring of the progress of implementation
d. Conduct management overview on the progress of ISMS and assess the feedback
e. Developing awareness material for end users
ISMS Management Workshops:
a. Conducting user awareness trainings/ workshops to train the ISMS
Implementation team and end users on ISO 27001:2013

Phase 7: Red Teaming exercise
a. The bidder will assess OVL Cyber Maturity and provide recommendations for improvement
b. Bidder will conduct scenario based cyber drill simulation exercise
c. Assess OVL's preparedness to identify and respond to cyber attack
d. Assess comprehensiveness of cyber response plan

Phase 8: Pre Certification Assessment:
a. Formulate the Internal Audit plan
b. Assess the gaps identified and assist management in defining roadmap for plugging
the gaps
c. Define the future roadmap for ongoing compliance and enhancement of
effectiveness and efficiency of ISMS at OVL.

Phase 9: Certification on ISO 27001 from external agency
a. Bidder would need to tie up with an accredited certifying agency on behalf of OVL for ISO 27001:2013 certification for each in-scope data center.

Phase 10: Sustenance Program for the 2nd and 3rd year
a. VA/PT and configuration review to be conducted for critical infrastructure identified as part of the sustenance program for 2 subsequent years.
b. Red teaming exercise to be conducted as part of the sustenance program for 2 subsequent years
c. Awareness training (5-6 sessions for end users) each year
d. Internal Audit for the ISMS framework implemented
e. Policies / Procedure updation (as required) based on Risk assessment performed

Phase 11: Surveillance Audit from external agency
a. Bidder shall provide assistance during Surveillance Audit by external agency for the 2nd year
b. Bidder shall provide assistance during Surveillance Audit by external agency for the 3rd year.
3. Key Deliverables:

Phase – 1: Gap Assessment and ISMS Scope Definition
1. Gap Analysis Report with details on weakness
2. Addition/Deletion report on existing OVL Security policy
3. ISMS Scope Document

Phase – 2: Risk Assessment and Risk Treatment Plan
1. Risk Assessment Methodology
2. Risk Assessment Report and Register
3. Risk Treatment Plans

Phase – 3: Vulnerability Assessment and Penetration Testing
1. Performing Vulnerability Assessment and Penetration Testing
2. Detailed report on the Vulnerability Assessment and Penetration Testing highlighting the observations, risk and recommendations

Phase – 4: Selection of Control Objectives
1. Statement of Applicability matrix for all the controls as per ISO 27001:2013

Phase – 5: Updation of ISMS Framework / Development
1. OVL's Information Security Policy
2. Preparation of Information Security Organization structure
3. Updation of Procedure and guidelines as below:
a. Corrective Action and Preventive Action Procedure
b. Control of Documents Procedure
c. Control of Records Procedure
d. Incident Management Procedure
e. User Access Management Procedure
f. Physical Security Procedure
g. Media Disposal Procedure
h. Change Management Procedure
i. Patch Management Procedure
j. Segregation of Duties Guidelines
k. Backup and Restoration Procedure
l. Audit Logging Procedure

Phase – 6: Implementation assistance and Roll out
1. ISMS Implementation plan
2. Implementation of Risk Treatment Plan
3. Posters/ screensavers on Information security
4. Conduct Information Security Training for senior management and IT asset owners of OVL
5. Progress reports on implementation tracker

Phase – 7: Red teaming exercise
1. Cyber Maturity Assessment Report
2. Cyber Drill Simulation Exercise
3. Assessment report on cyber response plan
4. Assessment report on preparedness towards cyber attack

Phase – 8: Pre Certification audit for ISO 27001
1. Internal Audit Plan
2. Internal Audit Report
3. Corrective Action and Preventive Action Report for Internal Audit
4. Future Roadmap

Phase – 9: Certification on ISO 27001
1. Assistance in ISO 27001:2013 certification by the external agency

Phase – 10: Sustenance Program for 2 years
1. Conduct Internal Audit for the 2nd and 3rd year after certification
2. Conduct awareness trainings for the 2nd and 3rd year after certification
3. Review and update ISMS framework for the 2nd and 3rd year after certification
4. Conduct VA/PT in year 1 & year 2 after certification
5. Red teaming exercise for the 2nd and 3rd year after certification

Phase – 11: Surveillance Audits for 2 years
1. Assistance during Surveillance Audit – 2nd year
2. Assistance during Surveillance Audit – 3rd year

4. Timelines
In the first year the project should be completed within 10 weeks from the date of LOA; this includes preparation and certification by the third party.
For subsequent years the preparation and re-certification to be completed before the expiry of the
previous year’s certificate.

5. Project Team
The project team should consist of a Project Manager supported by a Team Lead and Team members meeting the following requirements:
1. Project Manager should have minimum 5 years of work experience in carrying out Information Security assignments and shall possess a PMP certificate along with one of the following information security related certifications: ISO 27001 LI / ISO 27001 LA / CISA / CISM
2. Team Lead should have minimum 3 years of experience and should be ISO 27001 LI / LA certified.
3. Team member involved in ISMS implementation should have minimum two years of experience in ISO 27001 / ISMS implementation and should be ISO 27001 LI / LA certified.
4. Team member involved in VA/PT should be CEH certified with requisite experience of minimum 2 years.
Annexure- IIIA

IT Inventory – End User

S.No | Item | GF | 3F | 4F | 5F | Total | Remarks
1 | Desktop Computers | 11 | 164 | 103 | 66 | 344 |
2 | Work Station | 2 | 12 | 0 | 1 | 15 |
3 | Network Printers | 0 | 9+3 | 7 | 7 | 26 | Including 2 plotters
4 | Personal Printers | 1 | 22 | 9 | 20 | 52 |
5 | Scanners | 0 | 1 | 0 | 0 | 1 |
6 | Network Switches | 4+4+3+1 | 8 | 7 | 6 | 33 | GF: Data center 4+4, LV Room 1+3 G&G
7 | CISCO IP Phones | 7 | 164 | 109 | 79 | 359 |
8 | Wireless Access Points | 0 | 7 | 9 | 7 | 23 |
9 | VC System | 0 | 1 | 1 | 2 | 4 |
10 | AV System | 0 | 3 | 5 | 4 | 12 |

IT Inventory – Infocom Data Centre

S.No | Item | Quantity | Remarks
1 | Servers | 43 | HP DL, BL Series, HP Integrity Servers; Blade C3000, 7000; Cisco UCSC, Dell
2 | Storage | 7 | HP EVA 4400, 8000, 6400, HP 3PAR, NetApp 2554
3 | Router | 16 | Cisco 1800, 1900, 2800 Series, HP MSR 3044 Series
4 | Switch | 20 | Cisco 2900, 4500, 6500 Series, HP 5930 Series
5 | Load Balancer | 6 | Kemp LoadMaster 2600, F5 5050
6 | DAS Storage for Email | 4 | HP D2700
7 | Firewall | 6 | Sophos XG 520, HP S3020 Series
8 | Backup Library/VTL | 5 | HP MSL 2024, 4048, IBM 3400 Series
IT Inventory – G&G Data centre

S.No | Item | Quantity | Existing | Under Implementation
1 | Servers | 9 | HP DL 385-6, HP DL 380-2, HP DL 145-1 | VxRail V570F All Flash Nodes – 10 Nos.
2 | Storage | 1 | EVA 8000 | Unity 550F All Flash Storage Array – 1 No.
3 | Switch | 2 | Cisco 4500 Series | S4148U-ON ToR Switches – 2 Nos.; S4048-ON Core Switches – 2 Nos.
4 | Printer | 1 | HP 5550 dn Neurolog |
5 | Plotter | 1 | 4500 ps3 HP |
6 | Workstation | 15, 9 | HP Z820, HP XW9400, XW 8200, XW 4400 | Wyse 5070 Thin Clients with 2 x 31.5" Monitors – 20 Nos.
7 | Backup Library/VTL | 2 | IBM 3400 Series, HP MSL 4048 | Datadomain 6300 D2D Backup Storage – 1 No.; ML3 Tape Library – 1 No.
8 | Firewall | | | Checkpoint SG5600 Firewalls – 2 Nos.
