IndianOil Cyber Security and IT Policy

Questions and Answers

What must a machine comply with if VPN access cannot be used?

• It must only use outdated software for compatibility.
• It must be restricted from accessing any external servers.
• It must have similar applications as corporation-owned machines. (correct)
• It must operate entirely independently of corporate policies.

What should be done before providing remote access to system components by vendors?

• All vendors should have unrestricted access at all times.
• Access should be enabled indefinitely.
• Access should be monitored during its usage. (correct)
• No monitoring of access is necessary.

What is required before sending data from IndianOil servers to external servers?

• Proper approval and security checks must be completed. (correct)
• Sending data externally requires no documentation.
• Data can be sent anytime without approval.
• Any employee can decide to send data freely.

Which authority must approve network changes to infrastructure?

An officer of the respective department. (D)

What type of connectivity can be provided if MPLS VPN is absent?

VPN connectivity with two-factor authentication. (B)

How should changes to network and infrastructure configurations be managed?

Changes should be approved and documented formally. (B)

What is required for all servers and critical network equipment in terms of power supply?

Conditioned power connection through UPS is necessary. (A)

Who has the authority to approve network connectivity for business partners?

Approval must come from an officer of grade 'H' or above. (A)

What must be done before creating a service email account for receiving legal notices?

Approval by the Head of business function and the Divisional IS In-Charge (D)

Which of the following statements about official email usage is correct?

All official communication must occur through official email accounts. (D)

What happens after 5 unsuccessful login attempts on a user account?

The account is locked for two hours. (D)

Which practice is explicitly prohibited concerning email usage?

Auto-saving passwords in the email service. (C)

What must be done if an email redirection request to an outside domain is needed?

Should be approved by Director (HR) with a specific timeframe requirement. (D)

What type of email content is considered inappropriate?

Harassing or threatening emails. (C)

Which of the following is NOT a consequence of inappropriate email usage?

Sharing business updates with colleagues. (C)

What should users avoid when using multi-factor authentication?

Using a code sent to their email. (C)

What is the primary role of the location-in-charge concerning IT equipment?

To provide safety, security, and maintenance for IT equipment. (A)

Which measure is NOT mentioned as a responsibility of location-in-charge?

Periodic auditing of data center facilities. (A)

What must be maintained when equipment belonging to the Corporation is taken off-premises?

A proper gate pass. (D)

Who must approve the development of any new software or applications intended for enterprise-wide deployment?

COIS. (D)

What is essential regarding the physical security of areas used for loading and unloading equipment?

Access is restricted to authorized personnel. (B)

What should be included in the development of software applications?

Mobile-friendly versions for various devices. (D)

What type of power generators should be deployed to maintain necessary services during outages?

Secondary and backup power generators. (B)

What is necessary for all equipment regarding coverage?

It must be covered under insurance as per corporate policy. (A)

What responsibility do users have regarding their IT system accounts and passwords?

Users must maintain security by not sharing their accounts and passwords. (B)

Under what condition can the IS Department deactivate a User's access?

If the User is suspected of violating the IT Policy. (B)

What is the primary purpose of monitoring and auditing the use of the corporate network?

To enforce corporate rules and ensure compliance with the IT Policy. (B)

What can happen if a User fails to comply with the corporate IT policy?

They could face disciplinary action. (A)

Which of the following is NOT a permitted use of IndianOil’s IT Resources?

Using IT resources for private commercial purposes. (B)

What must every User recognize regarding their activities on IT Resources?

They are accountable for their activities on the system. (B)

What is an important measure Users must take to protect their data?

Recognize the criticality of their data and take appropriate measures. (A)

What should Users do if requested by the IS Department?

Provide valid identification as required. (A)

What requirement is stated regarding the use of passwords on devices accessing the corporate network?

Devices shall be password protected with strong passwords as per corporate policy. (A)

What should happen to a device if it remains idle for an extended period?

It shall lock itself with a password or PIN. (A)

Which type of devices are strictly forbidden from accessing the corporate network?

Devices that have been rooted or jailbroken. (C)

What is essential before integrating open-source technology with existing infrastructure?

Thorough evaluation for security vulnerabilities and compliance. (C)

What should be done with open-source products that are currently in use?

They should be secured and kept updated with the latest patches. (D)

What is a requirement for new domain name registration?

It requires in-principal approval from COIS. (C)

Which guidelines must be followed when hosting websites?

CERT-In guidelines and GoI guidelines on security. (A)

What should be conducted before a website becomes operational or after a major change?

Application security audit by CERT-In empaneled vendors. (A)

Study Notes

VPN Access Control

• Provisions must be established to manage network resource access via VPN, allowing or denying as necessary.
• If VPN is unavailable, devices must join IndianOil Active Directory (AD) and comply with IT requirements regarding Cyber Security and Software Compliance.
• Devices require necessary applications like Anti-Virus and Auto-Patching consistent with corporate machines.

Remote Access for Vendors

• Vendor access for support/maintenance is allowed only during necessary periods, which must be monitored.
• Access should be disabled immediately when not in use.

Data Transfer Protocol

• Transfer of data from IndianOil network to external servers requires prior approval and security assessments from responsible business heads.

Infrastructure Change Management

• Any changes to network configuration must be approved by the appropriate authority and documented formally.

Business Partner Connectivity

• Connectivity to business partners requires approval from department heads (Grade ‘H’ or above) and the Divisional IS head.
• Secured connectivity must be ensured; if MPLS VPN is not available, a temporary VPN with two-factor authentication may be used.

Electrical Security

• Critical network equipment must have conditioned power through Uninterruptible Power Supply (UPS).
• Security responsibilities include protecting user accounts and data backups.

User Responsibilities

• Users must maintain the security of their accounts and passwords and avoid sharing them.
• Users are responsible for backing up data on devices.
• Identification must be produced upon request by the IS Department.

IT Resource Usage

• The corporation reserves the right to access IT systems without user notification.
• Usage of IT resources is a privilege that requires responsible and efficient use.
• Personal use is permitted as long as it does not impact work performance or incur additional costs.

Application Development and Security

• Approval from COIS is necessary for any new application intended for enterprise or that requires additional resources.
• Applications must facilitate access from varied devices (e.g., mobile, tablets).
• Email communication must be conducted through official accounts only, ensuring security through protocols like multi-factor authentication.

Open-Source Technology

• Integration of open-source technology should be evaluated for security vulnerabilities.
• Open-source products must be kept updated and secured, with audits conducted periodically.

Web Hosting Guidelines

• Websites must be hosted on in-house or government-approved servers.
• New domain registration requires COIS approval, following guidelines for security audits and compliance.

Security Audits and Compliance

• Application security audits by CERT-In approved vendors are mandatory before operational deployment or after significant changes.

Equipment Security and Monitoring

• Data center facilities must have periodic tests and audits, with physical security controls in place to monitor equipment loading/unloading.
• Only authorized personnel can remove equipment from premises, ensuring proper documentation.

Description

This quiz covers the key provisions of the IndianOil IT Policy concerning VPN access control and compliance with cyber security standards. Participants will learn about necessary measures for network resource access and the implications of software compliance. Test your knowledge on these essential IT protocols.