ITPOLICY_compressed.pdf

Full Transcript

 Information Technology Policy

Foreword

Building, supporting, and sustaining of unified, agile, resilient and secured Digital Business
Ecosystem for Indianoil.

Evolution is intrinsic to nature and for us evolving means not just adopting new things but more
importantly getting better at the existing ones. Globally, the last two years have been full of turmoil
and disruptions both in the physical world as well as the IT world. The pandemic triggered adoption
of newer technology at a pace which was not seen before. During this period, we at IOCL, leveraged
technology to bridge the physical gap between our operating locations and our employees and thus
maintaining continuous operations.

We have been making our processes better, more efficient and more fault tolerant using artificial
intelligence and machine learning concepts. Our systems and applications are more robust and secure
than before owing to the use of advanced technologies. Given the complexity and magnitude of our
operations, it is important to not just have a uniform IT Policy but also a very contemporary policy
incorporating and promoting newer technology. Over the last few years, we have been making apt
changes in our IT Policy as the need has been and now too the changes have been made to pave a way
for higher adoption of new concepts in our IT operations.

With a focus on advanced development and providing a seamless access of applications across
multiple platforms, the policy encourages the adoption of mobile enabled platforms and technologies.
Similarly, with the expanding landscape and collapsing borders, the usage of “Cloud Computing” is
being promoted. We are changing our approach from the traditional “On-prem” to “Cloud First”.

Cyber security has always been amongst our top priorities and will continue to be. We are now moving
to expand the reach of this policy from IT to the OT (Operational Technologies) area to ensure the high
level of security and safety needed in the latter. It is not just a new chapter in this policy on OT but it
signifies a change in our approach to bring IT & OT on the same level.

I am pleased to release this 4th edition of Indian Oil Corporation’s Information Technology Policy. Like
before, this policy continues to be uniformly applicable across the corporation and for all Divisions and
it shall be our endeavor to fully comply with this policy.

I truly acknowledge the dedicated efforts and insight put in by Information Systems Officers of all
Divisions to formulate this Information Technology Policy Document 2.0.

1
 DOCUMENT CONTROL INFORMATION

DOCUMENT TITLE: INFORMATION TECHNOLOGY POLICY

DOCUMENT NO.: IT Policy 2022

REVIEW FREQUENCY: 24 Months

DISTRIBUTION: All IOCL / Intranet

REVISION HISTORY:

Sl. Author Approver Name Version Date Reference Remarks
No. Name Number

ED (I/C) (IS) CO,
First
01st Jan
1 CISO ED (HRD) CO, 1.0 NA Release
2017
Issue
ED(CA) CO

ED I/C (IS) CO,
COIS/ESECURITY
15th July Scheduled
2 CISO ED I/C (HR) CO, 1.1 /2020-21/IT
2020 Review
Policy-Amnd
ED (CA) CO

ED (IS) CO,
COIS/ESECURITY
17th Aug Scheduled
3 CISO ED I/C (HR) CO, 2.0 /2022-23/IT
2022 Review
Policy-Amnd
ED (CA) CO

2
 Index
Topic Page No
Vision and Scope of Policy 4-5
1 Definitions 6-7
2 Network and Infrastructure 8-12
3 Usage 13-15
4 Identity and User Management 16-17
5 Access Policy for System Administrators 18
6 Physical Security 19-20
7 Application Development and Security 21-22
8 Wireless Network Security 23-24
9 Data Privacy and Security 25-26
10 Personnel Security 27-28
11 Business Continuity Plan 29-30
12 Software Compliance and Licensing 31
13 E-mail 32-36
14 Internet Access 37-38
15 Threat and Vulnerability Management 39
16 Security Monitoring and Incident Management 40-41
17 IT Asset Management 42-46
18 Cloud Computing 47
19 Mobile Application and Device 48
20 Open-Source Technology 49
21 Web Hosting 50-51
22 Website Privacy 52
23 Change Management 53
24 Trainees – Student Interns and Summer Trainees 54-55
25 Training 56
26 IT Policy Compliance Audit 57
27 Co-Located Locations 58
28 OT (Operational Technology) 59
29 Data Analytics 60
30 Digital Signature 61
31 Enquiries and Clarifications 62
Annexure A : Internet Site Restriction Policy 63-65
Annexure B : Pen Drive Usage Policy 66
Annexure C: Policy for Internet Access by Non-IOCL employees 67-69
(outsiders) and Non-officers IOCL employees
Annexure D : Official Email Facility 70

3
 IndianOil IT Policy

Vision and Scope of Policy

1. Vision
1.1. The Information Systems (IS) Group of Indian Oil Corporation Limited shall strive
to bring reliable business information on a continual basis to the employees and
business partners without compromising data integrity and security of the
Corporation through the use of innovative and environment friendly technology,
thus promoting corporation’s Vision with Values.

2. Scope / Coverage
2.1. The purpose of this policy is to ensure secured Information and Communication
Technology (ICT) infrastructure that promotes the business needs of the
corporation. This policy intends to ensure: -
2.1.1. The integrity, reliability, availability, and superior performance of ICT
systems,
2.1.2. That the use of ICT Systems is consistent with business goals of the
Corporation,
2.1.3. That ICT infrastructure and Digital asset is used for its intended purpose
and
2.1.4. To establish processes for addressing policy violation and sanctions for
violators.
2.2. This policy is applicable to users in all offices of IndianOil in India and shall operate
within the framework of other corporate policies and guidelines issued from time
to time.
2.3. Requirements of subsidiary and foreign offices shall be handled by respective
offices based on needs and local statutory mandatory requirements.
2.4. This policy covers both IT and IT security policy. This policy supersedes all previous
guidelines and circulars issued to this effect.
2.5. This amended policy takes effect from 17th August 2022 and shall be reviewed and
approved from time to time by the following three-member committee.
a) ED (IS)/ Head of the Department (IS), COIS
b) ED (HR)/ Head of the Department (HR), CO
c) ED (CA)/ Head of the Department (CA), CO

4
 IndianOil IT Policy

2.6. This policy shall be suitably amended in accordance with IT Act and other
regulations passed by Government of India from time to time.

5
 IndianOil IT Policy

Chapter 1: Definition

1. Administrator - Administrators oversee the day-to-day operation of the system and are
authorized to determine who is permitted access to particular IT Resource. The
responsibilities of the administrator may include installing and configuring system
hardware and software, establishing and managing user accounts; managing a multi-user
computing environment, such as a local area network (LAN); upgrading software and
backup and recovery tasks.

2. Authorized/Appropriate Use - IT Resources may be used only for their authorized
purposes – that is, to support the business, administrative, and other functions of
IndianOil. The particular purposes of any IT Resource as well as the nature and scope of
authorized use may vary according to the duties and responsibilities of the User.

3. IT Resources - These are servers, personal computing devices, applications, printers,
networks (virtual, wired, and wireless), online and offline storage media and related
equipment, software, and data files that are owned, managed, or maintained by IndianOil.
For example, IT Resources include institutional and departmental information systems,
research systems, computer workstations and laptops, the IndianOil's network, and
computer clusters.

4. Sensitive Information - Sensitive personal data or information of a person/User shall mean
information relating to password; financial information (Bank account /credit card/ debit
card /other payment instrument details); physical, physiological and mental health
condition; sexual orientation; medical records and history; Biometric information and all
information prohibited to be disclosed under confidential obligations.

5. Third Party(ies) - Persons who are not IndianOil employees, directors, officers, staff. For
example, vendors, visitors, business partners etc.

6. Unauthorized / Inappropriate use - Anything not Authorized, shall be Unauthorized.

7. User - A “User” is any person, whether authorized or not, who makes any use of any IT
Resources from any location including but not limited to, all employees, temporary
employees, probationers, contractors, vendors and suppliers.

8. CII - Critical Information Infrastructure – any ICT infrastructure which, if disrupted, can
impact National Economy, National Security, Public Health, Public Safety is classified as
CII.

6
 IndianOil IT Policy

9. ISSC - Information Security Steering Committee, formed as part of the gazette mandate
for organisations having Critical Information Infrastructure. The committee is the apex
body responsible for the information security policies and controls of the identified CII.
The ISSC comprises of following members:
IT Head or equivalent
CISO
Financial Advisor or equivalent
Representative from NCIIPC
Any other expert to be nominated by the organization.

10. ICT - Information and Communications Technologies (ICT) encompasses all technologies
for the capture, storage, retrieval, processing, display, representation, organization,
management, security, transfer, and interchange of data and information.

7
 IndianOil IT Policy

Chapter 2: Network and Infrastructure

1. Physical Security: Network and infrastructure facilities shall be secured from any
unauthorized access.

2. Redundancy: Critical infrastructure facilities shall be implemented with sufficient
redundancy to meet availability requirements.

3. Inventory of Assets and Infrastructure: Inventory shall be maintained for all network
and infrastructure devices. All the IT Resources shall be grouped and classified in
accordance to the criticality of the information that they transmit, process or store.

4. Network Cabling: Structured cabling shall be used. All network cabling routes shall
be documented.

5. Network Diagram: Network diagram shall be maintained. All changes to the network
diagram shall be as per change management procedure.

6. Device Configuration: Device configuration for all critical devices shall be
documented and reviewed periodically. Any change shall follow change
management procedure.

7. Authentication, Authorization and Accounting shall be enabled for Core Switch,
Router and Security Equipment.

8. Network Security: Network security shall be established in the data center by means
of Perimeter security. At least firewall and IPS shall be in place. In addition, content
filter, Gateway Anti-Virus, DDoS protection etc. may be considered as per the
requirement.

9. Network Security Zones: Networks shall be divided into multiple network zones
according to the sensitivity and criticality of the information or services in that zone.
Different zones shall be securely interconnected.

10. Network Traffic Control: Network traffic to outside world shall be controlled by
means of web security gateway, content filtering, firewall etc.

11. Network Time Synchronization: All Network, security and Infrastructure devices
shall implement Network Time Protocol (NTP) to synchronize time with common
source. The identified NTP server should synchronize the time with standard time
source set to Indian Standard Time (IST).

8
 IndianOil IT Policy

12. IPV6 - All new network and infrastructure equipment shall be IPV6 compliant.

13. LAN and WAN
13.1. No leased line, MPLS VPN line, Internet line, Point to Point (P2P)
communication link and similar such connectivity between locations can be
provided without prior approval from COIS.
13.2. Based on the needs, line bandwidth enhancement or reduction requirements
can be initiated by Divisions and sent to COIS for review and approval.
13.3. IP address scheme and allocation for LAN/WAN shall be governed by COIS.
13.4. A rate contract (RC) and agency of MPLS service for WAN shall be finalized by
COIS for corporation’s requirement. Divisions shall utilize this RC for their
requirement. For Division’s additional requirement, the same RC can be used
with prior approval from COIS.
13.5. Default settings and passwords shall be changed before deployment of any
network and security device. Password to be defined as per password policy.
13.6. Secure protocols like SSH, SSL or IPsec shall be used for remote access.
Insecure communication protocols like telnet shall be disabled.
13.7. Unused ports and interfaces on devices shall be disabled.
13.8. Network equipment shall be configured to close inactive sessions.
13.9. Only approved routing protocols shall be used for WAN.
13.10. Device configuration shall be backed up at least once in a month and
whenever there is a change in the configuration.
13.11. CCTV should be on a different network zone. And, if required to connect to
corporate LAN, the same should be through a security appliance (such as a
firewall).

14. Network Access Policy
14.1. Access from remote users to the corporate network shall be via secured VPN.
VPN access with two factor authentication shall be provided on approval
(Refer details below). The services / applications to be allowed access through
VPN to be decided by Divisional IS head in consultation with application
owners. Divisional IS would be responsible for providing access to employees
posted in its Division. For employees on deputation, parent Division to decide
on permitted applications / services and provide VPN access.

9
 IndianOil IT Policy

Approving Authority Table
For Users of Approving Authority of Approving Authority of IS
Department Department
Corporate Office Officer (Grade ‘H’ or IS head or officer in Grade ‘H’ at
above) RHQ.
COIS HOD of e-Security.
HQ Divisional IS head or officer in
Grade ‘H’
Other offices/ IS Head (Refinery / State Office/
location Regional Office/ Business Dev. /
IIPM)
Deputation/ Respective Divisional HR Divisional IS head/IS Officer
foreign posting Head (Grade ‘H’ or above)
14.2. Remote access to corporate network, SAP application, servers and equipment
shall be through two factor authentication.
14.3. Devices that are used to access the network remotely shall meet the minimum
standard for supported operating system, updated antivirus software and
web browsers.
14.4. Necessary access control shall be used to protect remote as well as local
devices from Unauthorized access.
14.5. Desktops connected to corporate network shall not be connected to internet
through attachment of any modem, mobile, data card or any other such
device.
14.6. Devices used for connecting to wireless network shall not be permitted to
connect to wired network simultaneously.
14.7. Access to IOCL Network to be given to only IOCL owned machines with all
corporate / divisional approved software installed on the machine. In case
network access is required on any machine not owned by the corporation,
then the following to be practiced:
14.7.1. Access to be provided only through VPN. Necessary provisions to be
made in the VPN access control to allow / deny network resource
access as deemed necessary.
14.7.2. In case VPN cannot be used, then the machine on which access it to be
given, needs to join IOCL AD and needs to comply with the IT

10
 IndianOil IT Policy

requirements with respect to Cyber Security & Software Compliance -
the machine needs to have the same (or similar) applications as being
used at that point in time as the corporation owned machines (such as
Anti-Virus, Anti-APT, Auto-Patching etc.). Respective Divisional IS to
ensure that the conditions are being met before providing access.
14.8. Access to system components by the vendors for support or maintenance via
remote access shall be enabled only during the time period needed and
disabled when not in use and the access shall be monitored when in use.
14.9. For sending data from devices/servers within IndianOil network to external
servers on regular or one time basis, to be done after proper approval and
assessing all security checks for such connection from Head of business
function of the data and IS In-Charge of that server.

15. Infrastructure Change Management: All changes to the network and infrastructure
configuration by means of addition of devices, installation of system or upgrade of
operating System, software, hardware and firmware shall be done after approval
from appropriate authority. All changes to the network and infrastructure shall be
documented through formal change management procedure.

16. Extending connectivity to Business Partners
16.1. Network connectivity to business partners shall be provided only on approval
from the officer of respective department (Grade ‘H’ or above) and Divisional
IS head.
16.2. The connectivity shall be through secured manner.
16.3. In case of absence of MPLS VPN connectivity, VPN connectivity with two factor
authentication can be provided till such time MPLS VPN connectivity is
established.

17. Electrical Security
17.1. All servers/critical network equipment shall be supplied conditioned power
connection through UPS.
17.2. In the event of a main power supply failure, the UPS shall have sufficient
power to keep the network and servers running until the generator takes over
or systems can be safely shut down.
17.3. Before installing any new equipment, proper electrical requirements shall be
ensured.

11
 IndianOil IT Policy

17.4. Electrical audit at data centers / server room shall be carried out once in a
year. Electrical audit shall be done as per HSE guidelines.

18. Monitoring and Reporting
18.1. Logs shall be enabled for all IT security infrastructure / critical servers/
internet facing infrastructure and the same shall be monitored, analyzed and
stored for audit purposes. Divisional IS would define the criticality of the
servers after taking inputs from application owners.
18.2. Logs shall be retained as per applicable GOI guidelines. (Refer to cert-in
guideline issued from time to time.

12
 IndianOil IT Policy

Chapter 3: Usage

1. Acceptable Usage of Information Systems and Assets (IT Resources)
1.1. This usage policy shall apply to all Users of IT Resources, including but not
limited to employees and approved third parties. This policy is also applicable
to privately owned computers when connected to the corporate network.
1.2. IT Resources to be used only for their authorized purposes.
1.3. Users are entitled to access only those areas for which they have authorization.
1.4. The following categories of use are prohibited:
1.4.1. To deny or interfere with or attempt to deny and interfere with services
to other Users in any way, including resource hogging, misusing mail
list, propagating chain letters, virus hoaxes, spamming (spreading email
widely and without good purpose) or bombing (flooding an individual,
group or system with numerous or large email message) and
distribution of unwanted mail.
1.4.2. Attempts to compromise system security.
1.4.3. Unauthorized access or use.
1.4.4. Disguised use.
1.4.5. Distributing computer viruses, malware and any other malicious
software.
1.4.6. Modification or removal of data or equipment.
1.4.7. Use of Unauthorized devices.
1.4.8. Use of Unauthorized and unlicensed software.
1.4.9. Use in violation of corporate contractual obligations including
limitations defined in software and other licensing agreements.
1.5. Users shall be responsible for maintaining security of their own IT system
accounts and passwords. User accounts and passwords shall not be shared.
1.6. It shall be the responsibility of the User to back up the data of his/her desktop
and notebook.
1.7. Upon request from IS Department, User shall produce valid identification.
1.8. Corporation reserves the right to access all aspects of IT systems without
informing the User. Any PC/laptop which has been provided by corporation or

13
 IndianOil IT Policy

personal PC/laptop/mobile/similar device which is being used by person for
accessing information from IndianOil’s corporate network may be audited at
any point of time.
1.9. IS Department shall deactivate the User access, if the User is suspected of
violating this IT Policy.
1.10. Use of the corporate network shall be monitored and audited.
1.11. Failure to comply with this corporate IT policy may lead to disciplinary action.
1.12. The use of IndianOil's IT Resources in connection with IndianOil's business and
limited personal use is a privilege but not a right. The privilege carries with it
the responsibility of using IndianOil's IT Resources efficiently and responsibly.
Personal use of the IT Resources is permitted provided such use is lawful, does
not negatively impact upon the User’s work performance, hinder the work of
other Users, or damage the reputation, image or operations of IndianOil. Such
use must not cause additional cost to IndianOil, for example - Online banking,
travel booking, browsing. IT Resources must not be used for private
commercial purposes in any circumstance.

2. User responsibility

2.1. General:

2.1.1. Users are individually responsible for protecting the data and
information in their hands. Security is everyone’s responsibility.

2.1.2. User shall recognize the criticality of data and take appropriate
measures to protect them.

2.1.3. Every User must be aware that he/she is accountable for their activities
on the system/IT Resource.

2.1.4. Users shall use authenticated portable storage/pen drives media only,
as per Annexure B: Pen Drive Usage Policy.

2.1.5. User shall return the portable storage media, if it is no longer a
functional requirement or in case of damage / malfunctioning (or in
case of retirement/separation).

2.1.6. User shall ensure that portable storage media used is free from virus.

2.1.7. User shall ensure that any execution of software from portable storage
14
 IndianOil IT Policy

media is not carried out.

2.1.8. A clear screen policy is recommended to reduce the risk of
unauthorized access or damage to media and information processing
facilities. All Users of workstations, PCs / laptops are to ensure that their
screens are clear / blank when not being used. This may be ensured
either by closing the application, or using screen saver utility of the
operating system or logging off after using a computer.

2.1.9. Printed copies, disks, and tapes of confidential information should be
kept in locked cabinets or rooms by the User.

2.1.10. Users shall familiarize themselves with legislative requirements which
impact the use of IT Resources and act accordingly. IndianOil takes no
responsibility for Users whose actions breach laws.

2.2. User responsibility for accessing network

2.2.1. Users shall take prior approval from the competent authority to
connect the client system (other than officially issued equipment) to
the network.

2.2.2. A client system authorized to connect to one network shall not connect
to any other network.

2.2.3. By default, all wireless interfaces shall be disabled on the client system.
2.3. User responsible for accessing logs: User having administrative privilege shall
not disable/ delete the audit trails/logs on the client system.

15
 IndianOil IT Policy

Chapter 4: Identity and User Management

1. Unique identity
Each User shall be allotted unique User id to access network/servers/workstations and
systems. Employee number shall be the User id for employees.
Note: For email ids, Email policy under this document to be adhered to.

2. User access management
2.1. The lifecycle of the User from the registration of new User to the final de-
registration of Users who no longer require access to IT Resources shall be
managed through Active Directory.
2.2. User ids shall be created for employees joining the Corporation. These User-id
are not transferable.
2.3. User id once created would not be used again for any other User even if the
first id has been deactivated for any length of time.
2.4. Role Based Access Control shall be used wherever possible.
2.5. Authorizations and default roles shall be attached based on the job profile. The
same shall be reviewed by the Head of Department on change of assignment.
2.6. Specific roles shall be attached on the basis of approval from respective Head
of Department.
2.7. User ids shall be deactivated and all roles and authorizations shall be removed
on separation of employees from the organization. Any exception shall be
based on approval from the Head of Business function.

3. Password Policy
3.1. All Users/Administrators shall have a password of at least 8 characters and
shall be a combination of alpha numeric/special character.
3.2. Passwords shall be changed at regular intervals.
3.3. Password must be unique with expiry not more than 90 days.
3.4. The last 3 passwords that were chosen by the User shall not be reused.
3.5. The desktop/server/laptop shall be locked not beyond 15 minutes of idle
period.

16
 IndianOil IT Policy

3.6. Infrastructure supervisor passwords and system supervisor passwords shall be
stored in a secure location which can be used in case of an emergency or
disaster.
3.7. Default passwords on systems such as database/ servers/switch/routers etc.
shall be changed immediately after installation.
3.8. If a password is suspected to have been disclosed/ compromised, it shall be
changed immediately, and a security incident shall be reported to the system
administrator/ network administrator/ security administrator.

4. Access Control
4.1. Endeavors to be made towards no single User having full rights to all system.
4.2. The IS Department shall control network, server and system passwords. IS
department will create separate User in end-User department and assign
system admin rights to it for maintenance of system in end-User department.

5. Auditing: Auditing shall be implemented on all systems to record login attempts/failures,
successful logins and changes made to all systems.

6. User access for Business partners, consultants, advisors, temporary and contract workers
6.1. User access for business partners, consultants, advisors, temporary and
contract workers, if needed, shall be provided with unique User-id in the Active
Directory on approval from officer in grade ‘H’ or above of the respective
department. Naming convention for creating such kind of Users shall be as per
e-mail address naming policy defined in E-mail policy.
6.2. User ids shall be created with required authorizations for accessing resources
based on the requirement advised by officer in grade ‘H’ or above of the
respective department and approved by IS In-Charge/IS Officer in grade ‘H’ or
above.
6.3. These User ids shall be created with a defined validity period and shall be
deactivated immediately at the end of the contract period or upon completion
of the approval period or separation due to any reason, and authorizations
shall be removed. Any discontinuation shall be immediately intimated by the
respective department to IS. Such User ids shall not be deleted or re-used.

17
 IndianOil IT Policy

Chapter 5: Access Policy for System Administrators
1. Administrator shall implement the security controls specified in the security policies
applicable to client systems.

2. The activities specified in the Access Policy for User that require administrator privileges
shall be carried out by the system administrator.

3. System administrator shall not attempt any unauthorized use of system/data/programs.

4. System administrator shall be responsible for activities carried out on the client systems,
using the administrator account.

5. System administrator shall ensure that client system(s) authorized to connect to one
network shall not be connected to any other network.

6. For client systems connected to wireless network, Wireless Network Security Policy shall
be followed.

7. Client system(s) shall be hardened as per the relevant procedure for operating system
hardening.

8. Only those software which are authorized by the department shall be installed using an
authorized source with valid license.

9. System administrator shall report security incidents to the security administrator.

10. Client system clock shall be configured as per the Indian Standard Time (IST).

11. Password of the client systems shall be configured as per the Password Policy under
Identity and User Management.

12. All activities being performed during remote login session shall be logged and reviewed.

13. System Administrator shall implement end-point security policy as mentioned in the
Threat and Vulnerability Management policy.

18
 IndianOil IT Policy

Chapter 6: Physical Security

1. Information and information processing facilities shall be protected from any kind of
compromise, disclosure, modification or theft by ensuring the following controls:
1.1. Critical or sensitive business information and asset shall be housed in secure
areas, protected by a defined security perimeter, with appropriate security
barriers and entry controls.
1.2. Mechanism shall be in place to protect against hazards or unauthorized access,
and to safeguard supporting facilities, such as the electrical supply and cabling
infrastructure.
1.3. A clear screen policy is recommended to reduce the risk of unauthorized access
or damage to media and information processing facilities. All Users of
workstations, PCs, laptops are to ensure that their screens are clear/blank
when not being used. This may be ensured either by closing the application, or
using screen saver utility of the operating system or logging off the computer
after use.

2. Access to the data center/server rooms shall be restricted to the Authorized person only.
Delivery and loading area shall be isolated from main data center to avoid any
Unauthorized access.

3. Network and security devices shall be housed in network racks.

4. Equipment shall be protected from power failure and other disruption caused by failure
of supporting utilities like AC/UPS.

5. All critical IT equipment shall be provisioned for dual mode of power supply.

6. Location-in-charge shall be responsible for providing safety, security, proper upkeep and
ambient environment for IT equipment placed at their location (e.g. Air-conditioning,
dust/dirt free environment, flood protection measures etc.).

7. Periodic testing and auditing of data center facilities shall be carried out.

8. All equipment shall be covered under insurance as per Corporate/Divisional Policy.

9. CCTV surveillance shall be in place at data center along with recording facility. Recording
should be preserved as per guideline from Corporate Security Department.

19
 IndianOil IT Policy

10. All areas where loading and unloading of equipment are being done, shall be monitored
and equipped with the appropriate physical security controls. Access to these areas shall
be available only to Authorized personnel.

11. Security personnel at data center shall be properly trained and instructed.

12. Secondary and backup power generators are to be deployed to ensure the continuity of
necessary services during power outages. This shall cover all critical applications/
equipment where a downtime is not acceptable.

13. Documents and backups shall be stored in a secured and safe manner in accordance with
their classification status.

14. Only authorized personnel shall be permitted to take the equipment which belongs to the
Corporation, off the premises. Proper gate pass shall be maintained.

20
 IndianOil IT Policy

Chapter 7: Application Development and Security

1. In-principle approval shall be obtained from COIS for development of any new
software/ applications/ Systems in case the Application shall be deployed across
Division/ Corporation or shall require additional resources in terms of corporate
network/ security/ licenses/ enterprise data.

2. Any Application development, for enterprise-wide application, should be done with
approval of Divisional IS Head.

3. Application development should be done in a manner to provide seamless access from
multiple devices such as mobile, desktop, tablets etc.

4. Development of mobile friendly version, of internet hosted application, like PWA
(progressive web application) etc. should be considered while developing software
applications.

5. The development of the application should be done preferably in contemporary
technologies and should be ready for “cloud deployment” when needed.

6. The platform being used for hosting the application should have enterprise support.
“End-of-life” for the same should be 5 years or more.

7. The licensing of the software being used for development needs to be in line with the
licensing policy of the OEM.

8. For any application requiring data exchange to and from SAP, SDMS-CRM or any other
enterprise -wide application, approval to be obtained from COIS prior to development
of software application.

9. Information security shall be incorporated at each level of Software Development
Lifecycle (SDLC) such as during requirement analysis, design, development,
deployment, maintenance, and improvement.

10. Inventory shall be maintained for all application software developed in-house or out-
sourced. The inventory shall contain the list of applications, level of criticality, version
implemented, No. of installed instances, language, platform, and license details.

11. The applications, whether in-house or out-sourced, shall be developed as per secure
coding guidelines. For web applications, at least, latest Open Web Application Security
Project (OWASP) guidelines shall be followed.

21
 IndianOil IT Policy

12. For all applications where sensitive data is getting stored, the source code shall be
reviewed for vulnerabilities prior to deployment. This would be applicable to both
internally and externally developed applications.

13. All applications developed for internal Users shall integrate with Active Directory to
authenticate Users.

14. Applications shall have the capability to generate logs of exceptions, errors etc.

15. Changes to the application software during development and maintenance shall be
controlled through formal change request form.

16. Vulnerability Assessment and Penetration Testing shall be conducted for all critical
applications before deployment and thereafter as per GoI guidelines.

17. A version control system must be used to track and retain information about changes
in the source code. The version control system should be able to describe the change,
record who made the change, retain the date/time of change, retrieve past versions,
and compare versions.

18. Development, quality, testing environment shall be separated from production
environment.

22
 IndianOil IT Policy

Chapter 8: Wireless Network Security

1. User shall use only the corporate wireless connectivity on client systems.
2. Wireless client systems and wireless devices shall not be allowed to connect to
wireless access points in un-trusted neighboring premises.
2.1. Separation of wireless LAN from the wired LAN shall be ensured.
2.2. Maintenance and regular audit of wireless access shall be done.

3. Monitoring of uncontrolled wireless devices
3.1. All locations, which are connected to corporate network, where permanent
wireless networks are installed shall be equipped with wireless controller to
manage access points from a single point and to limit the radio transmission
and coverage to the intended area only.
3.2. Simultaneous connection between the wired and any wireless network is not
permitted on the same device.
3.3. Wireless network shall be connected to data center through firewall.
3.4. In IndianOil’s locations where wireless LAN access has been deployed, wireless
intrusion prevention systems shall also be deployed to monitor attacks against
the wireless network. The wireless intrusion prevention system shall be
integrated with the wireless LAN access system/LDAP/active directory (AD)
services wherever possible. In case wireless IPS cannot be deployed (or till such
time the IPS is deployed), the access permission to the wireless clients to be
provided based on hardware/ mac based white-listing.

4. Authentication of wireless clients
4.1. All access to wireless networks shall be authenticated.
4.2. Corporate password policy must be followed for access to wireless networks.
4.3. The strongest form of wireless authentication permitted by the Access Point/
Wireless Controller device shall be used. For the majority of devices and
operating systems, WPA2 with 802.1x/EAP/PEAP or latest shall be used.

5. Encryption
5.1. All wireless communication between wireless client and corporate networks
shall be encrypted.

23
 IndianOil IT Policy

5.2. The strongest form of wireless encryption permitted by the client and AP shall
be used.

6. Access control policies - Access control enforcement shall be based on the User’s
authenticated identity, rather than a generic IP address block. This is also known as
“identity-based security.”

7. Wireless NAC
7.1. Wherever possible, the wireless network shall perform checks for the following
client security standards (client integrity checking) before granting access to
the corporate network:
7.1.1. All wireless clients must have Anti-Virus software that has been updated
and maintained up to the latest patch.
7.1.2. All wireless clients must have security-related operating system patches
applied that have been deemed “critical” in accordance with the
corporate host security policy.
7.2. Wireless access to be given only to machines logging on to the corporate Active
Directory. Any machine, which is not a part of IOC domain shall not be given
access.
7.3. Client operating systems that do not support client integrity checking may be
given restricted access to the network according to business requirements.
7.4. Local IS may deny/permit the access based on the actual scenario.

8. Wireless SSID shall remain hidden at all times.

24
 IndianOil IT Policy

Chapter 9: Data Privacy and Security

1. Classification: Information collected, stored, processed and transmitted shall be classified as
sensitive based on the definition given in the Data Privacy Policy or any legal statute of the
country. Further, based on the inputs received from the data owner, the classification of the
data to be done to restrict unauthorized disclosure or modification.

2. Security: Measures shall be taken to ensure the reliability of the data and adequate
precautions shall be taken to protect it from loss, misuse and unauthorized access,
disclosure, alteration and destruction.

3. Ownership: IS department shall be responsible for safekeeping of corporation's
business data which are stored in the servers of IS department. Individual Users shall
be responsible for safekeeping of the data in their PC, laptops or any other devices.

4. USB Policy: Refer to Annexure B ‘Policy on usage of Pen drives’ circular Ref. No. S-
296/Admin dated 10.06.09.

5. Database Management
5.1. Default database system passwords shall be changed before putting into
production.
5.2. Database to be accessed by Authorized Users only.
5.3. All User access, queries and actions on databases shall be through applications.
5.4. Database administrators shall not have the authority to directly access or
query databases. Application data can only be accessed by functional owner.
5.5. Database accesses shall be logged and activities of database administrators
shall be recorded.

6. Retention
6.1. Document/ data shall be retained as per corporate document retention policy.
6.2. However, wherever data is required for longer period due to any ongoing legal
issues, the same may be retained as per the requirement of the concerned
functional department duly approved by ED/Head Department and Divisional
HR Head.

7. Backup - Data backup shall be maintained as per approved business continuity plan.

25
 IndianOil IT Policy

8. Data Usage - User shall ensure that business sensitive data are being used for its
intended purpose only.

9. Disposal - Data shall be permanently erased before any IT Resource or removable
media is disposed.

10. Sensitive information such as accounts, files and stored data including, but not limited
to, e-mail messages belonging to Users at IndianOil are normally held private and
secure from intervention by other Users and shall be accessed only by IndianOil
employees, associates, or third‐parties (ex. service providers) with signed non-
disclosure agreements or designated approved access, with a business need to know.
Any distribution of such information internally within IndianOil or outside shall be
approved by the Head of Business Function of the department concerned and shall be
through e-mail or other approved electronic file transmission methods only and shall
be sent to approved recipients only. Strong encryption is highly recommended. Such
information should be stored on a physically secured computer only. Sensitive or
confidential information, when printed, should be cleared from printers immediately.
When photocopying confidential information, employees are to be careful to remove
the original and all copies from the machine when finished. Confidential faxes should
contain a paragraph instructing the recipient that the fax is confidential. If received
inadvertently, the recipient should notify the administrator/appropriate authority
immediately, and not divulge the information.

11. Processing, storage, handling, collection etc. of sensitive data would be governed by
the Data Privacy Policy of the corporation. The policy also defined the Sensitive Data.

26
 IndianOil IT Policy

Chapter 10: Personnel Security

1. IT policy shall be made available to all employees.

2. Only relevant section of IT policy should be shared with third party personnel, if required.

3. Screening to be carried out and NDA (Non-Disclosure Agreement) to be executed with all
resident service providers. NDA needs to be signed by service provider, such that the
service provider is bound for all acts and omissions of its personnel being engaged for
providing services.

4. The service providers shall provide employment verification details and reports for their
employees engaged for corporation’s work.

5. NDA from all apprentices, summer trainees or any other trainees shall be taken. All such
requests for apprentice/ training should come through HR department.

6. Role based training shall be provided to all employees to familiarize them with basic
information security principles as per their roles and responsibilities in order to recognize
common threats and support security requirements.

7. Processes shall be defined to monitor and review access granted to personnel including
temporary or emergency access to any IT Resource.

8. Individuals representing third party organizations such as consultants, trainees, research
scholars or any other person who require authorized access to the organisation’s
information system, shall be identified by the respective department head/location in-
charge.

9. All new recruits shall be given Information Security Awareness training.

10. Employees shall be responsible for protecting the sensitive data in their possession e.g.
take necessary precautions while working on the data in public places, secure storage of
data away from site.

11. Employees shall not indulge in disseminating/ communicating classified information for
any other purpose except its Authorized and intended use.

12. Hard copies of sensitive documents which need to be discarded shall be shredded, pulped
or incinerated.

27
 IndianOil IT Policy

13. In case of transfer, the employee shall ensure that all the IT equipment and IT Resource
issued by the local IS department are returned to local IS department/custodian of
location.

14. Separation / resignation of any employee shall be intimated to IS by HR in advance. In
such cases it is to be ensured that all the IT Resource issued by the IS are returned. IS to
ensure that their access rights are revoked and their active accounts are deactivated
immediately.

28
 IndianOil IT Policy

Chapter 11: Business Continuity Policy

1. Steering Committee at divisional level shall be formed to oversee the business continuity
strategy and business continuity plan (BCP). A working group shall be set up to implement
and test the Plans. Divisions shall have its own crisis management plan (CMP).

2. COIS shall maintain the BCP for the applications being hosted at COIS.

3. Risk assessment (RA) shall be done on a periodic basis to treat the identified risks due to
threats and disruptions in critical activities.

4. Appropriate controls shall be implemented to prevent or reduce risk from likely
disruptions.

5. Business continuity plan (BCP) and incident management plan (IMP) shall be developed
to ensure continuity of key service delivery following a disruptive event.

6. Competency in respect to business continuity shall be achieved and roles & responsibility
shall be assigned to employees as per their competency.

7. Business impact analysis (BIA) shall be done on a periodic basis to identify priority of
recovery of critical activities and its dependency on resources (premises, power and
cooling, personnel, technology, hardware, software etc.) and vendors will be determined.

8. Configuration files shall be kept in an offsite location in secured manner.

9. Incident response structure shall be established, managed and reviewed for sufficiency,
adequacy and appropriateness.

10. Provision shall be made to manage risks arising out of weaknesses in business continuity
arrangement of suppliers and outsource partners.

11. Adequate redundancies shall be created to ensure alternate personnel, location and
infrastructure to manage disruption of critical services.

12. Measures shall be implemented to ensure that the security of information and IT
Resources containing classified information is maintained to its defined level, even in the
event of a disruption or adverse situation.

13. Exercising or testing of relevant plans shall be done on a periodic basis or as and when
there is any significant change in architecture. Reports of the same shall be maintained.

29
 IndianOil IT Policy

14. Relationship with vendors during BCP implementation shall be managed through service
level agreement (SLA) and operation level agreement (OLA) and the same shall be
reviewed periodically. Vendors shall be regularly updated about scenarios involving BCP
executions.

15. Mock drills should be carried out to assess the working of business continuity plan. The
mock drill need to be properly recorded and if any issue arises during mock drill same to
be assessed and business continuity plan should be modified accordingly.

16. The policy shall be communicated to all the stakeholders.

30
 IndianOil IT Policy

Chapter 12: Software Compliance and Licensing

1. Software compliance and licensing is an integral and important part of auditing, security
and risk management.

2. Procedures shall be implemented to ensure compliance for the use of software in respect
of intellectual property rights, and the use of proprietary software products.

3. IS Department shall keep a full inventory of all IT Resources in use.

4. If any IT asset is procured by any department other than IS, then it is responsibility of
concerned department to maintain the inventory and comply all licenses and legal issues
involved with that asset.

5. Centralized software for IT asset management shall be installed to the extent possible for
tracking hardware and software licenses.

6. Regular audits shall be carried out annually by IS to ensure compliance.

7. All desktops/servers/laptops shall have valid OS license and use only Authorized software.

8. User shall not install any Unauthorized/freeware/open-source software without
permission of IS dept. Any Unauthorized software installed shall be responsibility of the
User/owner.

9. Official software shall not be deployed on home desktops/Laptops.

31
 IndianOil IT Policy

Chapter 13: E-Mail

1. All e-mail account holders have the responsibility to use official e-mail facility in an
efficient, effective, lawful, and ethical manner. Use of the IndianOil’s e-mail service shall
be governed by this policy.

2. User must exercise due discretion on the contents that are being sent as part of the e-
mail.

3. Every officer shall be entitled for an official email account.

4. Email account for workmen shall be generated on need basis and request for same shall
be raised by concerned department and route it through the HR department and duly
recommended by Unit/ State/ Functional head and approved by HR head & IS In-Charge
at Divisional Head Office. In the event of change of assignment / other reasons, if the User
department asks for revocation of the email facility, the created account would be
disabled.

5. The consultants and Non-IOCL employees engaged by IndianOil may be provided the E-
mail ID on need basis with the approval of Head of Business Function and IS In-Charge at
respective Head Office. Except for regular employees, email display name or ID shall be
suitably prefixed with either Consultant/Advisor etc. (e.g.
[email protected]). In the event of end of engagement with the
consultant, the User department shall inform the IS Department for de-activation of E-
mail ID and email account for the consultant would be disabled. The approval period
would be maximum till the end of the financial year or end of engagement whichever is
earlier. Post that, fresh approval would have to be taken.

6. Service (common or shared) email account creation shall be discouraged. These email
accounts, when created on specific requirement from any department, shall be approved
by the Head of business function and Divisional IS In-Charge.

7. For websites related activities such as Domain name registration / SSL certificate / web
administration, a specific email account shall be created as per following naming
convention [email protected], where xxxxx stands for location code i.e.
COIS/PLHO/ RHQ/ MKTHO/ R&D/ BD. This specific mail account shall be used for all
website related correspondence including DNS/SSL registration. The access on this e-mail
account shall be provided to owner department of respective websites. Similarly, for
receiving legal notices, especially under contracts, a service email account (common or

32
 IndianOil IT Policy

shared) to be created. Same shall be created on approval by respective Head of business
function and the Divisional IS In-Charge.

8. Any email account shall be owned by an individual.

9. All Official communication shall happen only through official email account.

10. E-mail can be used as part of the electronic file processing in IndianOil.

11. Multi-factor authentication should not be using mail as a medium to send the
authenticating credentials.

12. Users shall not download e-mails from their official e-mail account, configured on the
IndianOil’s mail server, by configuring POP or IMAP on any other e-mail service provider.
This implies that Users should not provide their IndianOil’s e-mail account details (id and
password) to their accounts on private e-mail service providers.

13. Any e-mail received at official email address, shall not be auto forwarded to any outside
domain email address. Any e-mail redirection request to outside domain email id shall be
approved by Director (HR) with specific time bound requirement.

14. Continuously 5 unsuccessful login attempts shall lock User account for two hours.

15. Auto-save of password in the IndianOil’s e-mail service shall not be enabled due to
security reasons.

16. Inappropriate use of the e-mail service:
16.1. Creation and exchange of e-mails that could be categorized as harassing,
obscene or threatening.
16.2. Unauthorized exchange of proprietary information or any other privileged,
confidential or sensitive information.
16.3. Unauthorized access of the services. This includes the distribution of e-mails
anonymously, use of other officers' User-ids or using a false identity.
16.4. Creation and exchange of advertisements, solicitations, chain letters and
other unofficial, unsolicited e-mail.
16.5. Creation and exchange of information in violation of any laws, including
copyright laws.
16.6. Willful transmission of an e-mail containing a computer virus.
16.7. Misrepresentation of the identity of the sender of an email.
33
 IndianOil IT Policy

16.8. Use or attempt to use the accounts of others without their permission.
16.9. Transmission of e-mails involving language derogatory to religion, caste,
ethnicity, sending personal e-mails to a broadcast list, exchange of e-mails
containing antinational messages, sending e-mails with obscene material, etc.
16.10. For sending religious matters, non-business matters to several people.
16.11. Willful sending or forwarding material that could be constructed as
confidential to such recipients, who are not authorized to receive the same.
16.12. Sending or forwarding political, religious, profane, obscene, threatening,
offensive or libelous emails.
16.13. Use of distribution lists for the purpose of sending e-mails that are personal in
nature, such as personal functions, etc.

17. Any case of inappropriate use of e-mail accounts shall be considered a violation of the
policy and may result in deactivation of the account. Further, such instances may also
invite action by HR under CDA rules.

18. Backup of mails shall be taken by the User at regular intervals. The e-mail administrator
shall not restore the data lost due to User’s actions.

19. The backup of any archived emails (saved to local disk) shall be the responsibility of
individual user.

20. Each User shall get storage quota on email server as per his/ her grade entitlement as
under and manage within the same by archiving old messages periodically:
Officers in grade up to F: 750MB
Officers in grade G and above: 2GB
Service Accounts: 750MB
Other accounts: 250MB
The quota limit may be reviewed based on the underlying hardware capacity & capability.
Such storage capacity may be increased on need basis if requisitioned by Officer in Grade
‘H’ or above and approved by the Divisional IS In-Charge.

21. Only system administrators and officers (grade ‘H’ or above) shall be authorized to send
mass mail on need basis.

22. Officer up to grade ‘G’ can send mass mail up to a group of 100 recipients. However, for
mass email beyond 100 recipients, request for the same shall be approved by Head of

34
 IndianOil IT Policy

business functions (Officer in grade ‘I’). The mails promoting private
businesses/commercial/promotional activities should not be sent as mass mail.

23. Broadcast messages shall be kept to a minimum. Any request for sending a broadcast
message shall either come from or be approved by an officer not below the level of Grade
‘G’. The maximum size of a broadcast message including attachments shall be within 2MB.
Company circulars, notifications and policies etc. are excluded from such restrictions.

24. The email accounts of employees on foreign posting and out on deputation to other
organizations shall be maintained with mail receive facility only. Separate OU to be
created in AD for Deputation out for each division or at corporate level.

25. The email accounts of officer, separating by way other than superannuation/VRS, shall be
suspended/ de-activated immediately on intimation by HR and retained for a period of six
months by email administrator.

26. The email accounts of separating workmen shall be suspended/ de-activated immediately
on intimation by HR and retained for a period of six months by email administrator.

27. The email account of officer, separating by way of superannuation/VRS, shall be governed
by circular of CO(HR) (Annexure-D) or latest circular issued by CO(HR) on this subject. Such
facility is to be extended only after intimation from respective Divisional HR.

28. The electronic mail/ archived data stored on corporate infrastructure may be accessed by
authorized IS representatives based on the recommendation given by Functional Head
along with the consent of concerned Divisional HR head for the following reasons:
28.1. Retrieving business related information from an e-mail account.
28.2. Complying with legal/disciplinary requests.

29. Scrutiny of e-mails/Release of logs

29.1. Notwithstanding anything in the clauses above, the disclosure of logs/e-mails to
law enforcement agencies by the email administrator would be done only as per
the IT Act 2000 (as amended from time to time) and other applicable laws on
the advice of IndianOil management.
29.2. The email administrator shall neither accept nor act on the request from any
other organization.

30. Audit of E-mail Services – The security audit of email services shall be conducted
periodically.

35
 IndianOil IT Policy

31. Recommendation for sending system generated mails to be given by officer of respective
department in Grade ‘H’ or above and on approval by Divisional IS Head.

32. The creation of distribution list or groups in Global address list shall be discouraged except
in the cases of requirement covering a wider recipient (above 100). Such requests have to
be approved by Functional head and Divisional IS Head and Divisional HR head.

36
 IndianOil IT Policy

Chapter 14: Internet Access

1. Internet Connectivity
1.1. Divisional headquarters will assess the required bandwidth for their divisional
internet requirement and based on it they will take internet connection for
entire division.
1.2. Provision for clean pipe from ISP may be considered.
1.3. Access to internet from corporate network to be provided preferably through
centralized divisional internet gateway through proxy servers.
1.4. At least, Firewalls and web security gateway shall be used for secure internet
connectivity.
1.5. Usages logs as per defined policy shall be maintained.
1.6. In exceptional cases as per the business need, separate broadband/data card-
based internet connectivity may be provided after taking due approval from IS
In-Charge at locations. Such endpoints which are directly connected to internet
shall not be part of IndianOil network.

2. Internet Access
2.1. Usage of internet on company provided networks are intended for business
purposes and knowledge enhancement only.
2.2. All Officers will be provided with internet access. Internet access for staff / non-
IOCL employees working on IOCL machines shall be provided on need basis and
will follow procedure given in Annexure-C. For access on personal / non-IOCL
devices, refer to the external network access clause.
2.3. The "save password" and auto-complete features of the browser should be
disabled.
2.4. Cookies and running of active content, such as, ActiveX, JSP, PHP etc. should
be allowed from the trusted sites only.
2.5. Defined access rules depending on the nature of job requirement shall be
there.

3. Users to ensure that copyright and other intellectual property issues are not being
violated by any of their activities.

37
 IndianOil IT Policy

4. The files downloaded from the internet or accessed from the portable storage media
should be scanned for malicious contents before use. To ensure integrity of the
downloaded files, digital signatures/hash values should be verified wherever possible.

5. Before accepting an SSL certificate, the User should verify the authenticity of the
certificate.

6. The User should log-out from web-based services, like web mail, before closing the
browser session.

7. After completing the activity in the current web-based application, the browser session
should be closed.

8. All other points of Internet usage shall be governed by the policy given in Annexure-A.

38
 IndianOil IT Policy

Chapter 15: Threat and Vulnerability Management

1. Threat assessment – Regular vulnerability assessment of critical network and security
devices shall be carried out to identify vulnerabilities and weaknesses associated with
configuration, use of ports, protocols, services etc. VA/PT of the critical IT infrastructure
shall be done as per applicable government guidelines. However, third party VAPT shall
be done for internet facing equipment/applications at least once in a year or whenever
there is a major change.

2. Integration with external intelligence – The organization shall establish a formal
relationship with external entities for receiving timely notification on emerging threats,
vulnerabilities, bugs and exploits. External sources may include vendors, trusted third
parties, OEMs, open-source communities, industry bodies and other relevant
organizations.

3. System hardening – System hardening guidelines and best practices shall be followed for
IT assets like servers, desktop, network, security equipment etc.

4. Perimeter threat protection – Multi-layer security devices and best practices shall be
followed to ensure perimeter threat protection for corporate network.

5. Protection from fraudulent activity – Adequate protection shall be deployed to block
fraudulent applications such as key loggers, phishing, identity theft and other similar
applications.

6. End-point security – All end points shall have corporate Anti-Virus installed with latest
signature (which are to be updated regularly). Only required services shall run on the end
point devices. Any other services running on the end point devices / systems to be blocked
through various methods/technologies. The User shall not have administrator (even local)
privilege access.

7. Remediation – All IT Resources to be updated with latest security patches and signatures.

39
 IndianOil IT Policy

Chapter 16: Security Monitoring and Incident Management

1. The security monitoring and incident management policy in organization shall cover the
following broad points:
1.1. The incident management requirements shall be based on compliance
requirements, business criticality and security threat to the corporation.
1.2. An inventory of all critical information sources shall be created which generate
useful log information for detection of security events or incidents.
1.3. Incident management system shall be in place to take care of the IT security
incidents of the corporation.
1.4. Critical security incident shall be notified to the respective regulatory
authority, if required.
1.5. Integration of incident management function with the log management
system, security intelligence mechanism and infrastructure management
processes shall be done.
1.6. An enterprise log management system shall be defined that specifies
architecture for log collection and management processes for log management
and policies for logging, monitoring and auditing.
1.7. Log archival, retention and disposal measures shall be deployed as per the
compliance requirements for the corporation.
1.8. Process shall be established for regular review and analysis of logs and log
reports.
1.9. It shall be ensured that a significant visibility exists across the organization over
the likely incidents, reporting incidents and incident management capabilities
of the corporation.

2. Security Incident Management
2.1. Repository of incidents that are relevant to the organization’s environment
shall be created based on the historical information and threat landscape.
2.2. Categorization of incident shall be done at divisions based on its criticality for
prioritization of incident’s response, arranging proportionate resources, and
defining SLAs for remediation services.

40
 IndianOil IT Policy

2.3. Division shall maintain guidelines for prioritization of incidents response. The
same shall be established based on the criticality of affected resources and
potential technical and business effects of such incidents.
2.4. Incident management plan shall be in place for all incident types.
2.5. Roles and responsibilities for incident management process shall be clearly
defined and documented.
2.6. Significant level of efforts shall be dedicated for spreading awareness of
incident response process throughout the corporation.
2.7. There shall be a defined and established escalation process for response
requirements.
2.8. Significant level of collaboration shall exist with internal (security function,
infrastructure management, application support) and external stakeholders
(threat advisory, vulnerability and exploit databases, vendor alerts and
computer emergency response teams).

41
 IndianOil IT Policy

Chapter 17: IT Asset Management

1. Interdependence of systems – Replacement/ addition of any IT asset with
newer/upgraded version shall be done after both forward and backward compatibility
analysis with existing infrastructure devices.

2. All the IT assets of the corporation shall be classified on the basis of criticality and labeled.

3. All IT assets like hardware, peripherals, networking and security components, software
and media etc. shall be suitably insured for fire, theft, natural calamity etc. as per
divisional policy. Standard Operating Procedures (SOP) shall be developed, maintained
and reviewed to support the IT operations.

4. Asset information verification shall be done on yearly basis or in case of any major
changes.

5. Asset Labeling and Handling
5.1. Asset register shall be maintained by IS department for all IT assets procured by IS
department. Other department may buy IT assets in consultation with IS department
for use in their projects. However, assets procured by non-IT departments shall not
be recorded in asset register of IS dept.
5.2. Asset Register shall be maintained which includes the following information about
an asset:
5.2.1. Asset ID: A unique asset identification number assigned to each asset
for easy and quick identification.

5.2.2. Asset name: Name given for identification of asset based on its
functionality.

5.2.3. Asset details: Details about the asset such as IP address, MAC address,
host name and software license number etc. wherever applicable.

5.2.4. Serial No. / License: In case of hardware provide serial number and for
software provide license key.

5.2.5. Purchase Order No., date and cost of equipment.

5.2.6. Warranty/ AMC: Provide details for warranty / AMC validity date.

5.2.7. Asset Type: Hardware/ software/appliance etc.

5.2.8. Physical Location: Physical location and details where the asset is
located.

42
 IndianOil IT Policy

5.2.9. Owner: Person who is responsible for the asset.

5.2.10. Custodian: User who is assigned the asset for the operations.

Asset information should be captured using asset register template (Table-A).

6. Procurement
6.1. All purchases of new systems and hardware or new components for existing systems
must be made in accordance with IT policy.
6.2. The Procurement process shall be followed as per the corporation’s approved
procedure. If any IT asset is procured by any department other than IS, then it is
responsibility of concerned department to maintain the inventory and comply all
licenses and legal issues involved with that asset. The inventory of the assets to be
provided to local IS department.
6.3. Any ULA (Unlimited License Agreement) should be executed on COIS approval.

7. Maintenance
7.1. COIS shall finalize rates and agency for annual maintenance of all IT hardware and
networking equipment procured/ maintained by IS department. However, separate
agency may be engaged by divisions for specialized equipment procured/ maintained
by respective IS Department.
7.2. Regular monitoring (console) of patch management and antivirus update shall be
managed at divisional level. If required, separate agencies may be engaged by local
IS for facility management services (FMS) comprising of – regular monitoring
(console) of patch management, antivirus updation, network traffic/bandwidth
management and liaising, system administration of firewall, proxy, content filter,
anti-spam device, all server/system administration etc.

8. Obsolescence
8.1. Desktops / Laptops / Servers / Printers / Monitors / Routers /Switches and other IT
related peripherals shall fall in the category of obsolete item which are either:
Phased out by the manufacturer (reached end of life-EOL).
OR
They do not support technical advancement like higher/newer version of SAP GUI,
operating system (OS), system software, application software etc. that is likely to
affect the business/ operational requirement of the corporation adversely.
OR

43
 IndianOil IT Policy

The equipment is beyond repairs (as certified by the AMC partner/OEM).
OR
If security updates/patches are not available for the device.
OR
Main components of the equipment e.g. CPU, RAM, HDD, controller cards, SMPS,
main circuit boards etc. are no more available in the market.
OR
Product has attained maximum depreciation or minimum book value.
8.2. In case of replacement of obsolete item with new equipment, buy-back
option shall be explored.
8.3. The required disposal procedure such as administrative approval, write off approval
etc. are to be followed as per corporate procedure. However, decision to declare
obsolete item is to be taken in consultation with respective unit IS head.

9. Hiring
9.1. Necessary IT equipment shall be hired for exceptional reasons like training, urgent
replacement in lieu of breakdown of server etc.
9.2. Hiring shall not be used to fulfill the permanent shortage of IT equipment.

10. Experimentation of Technology
10.1. To keep itself abreast with the changes in technology and take decision on adoption
of the same. COIS/ Divisional IS may procure IT equipment on experimental basis
for use.
10.2. After evaluation, divisional IS shall give its report to COIS on usefulness of the
technology.
10.3. Any new business initiative which requires augmenting IT infrastructure / services
/ linkage to IOCL network / software procurement / software development would
need approval of COIS.

11. Hardware
11.1. Allotment/Distribution
11.1.1. In Co-located offices where officers belonging to different divisions / offices
are positioned, IS infrastructure shall be provided by related IS department

44
 IndianOil IT Policy

which has been assigned responsibility for providing IS infrastructure
services in particular building / office.
11.1.2. PC – One PC per seat for officers. If there are 3 officers coming in shifts for
the same job, they shall share one PC but use their own login ID, not
common User login ID. Allocation of PC for staff shall be approved by the
HOD/Functional head.
11.1.3. Resident business associates may be provided with PC on approval of Head
of business function.
11.1.4. Laptop – Allocation shall be on need basis on approval of Head of business
function. The User department shall be the custodian.
11.1.5. Printers/Scanner – Use of shared laser printers/Printer-cum-scanner on
LAN shall be encouraged. Individual printers can be given only to the officers
on need basis in exceptional cases. For such types of cases approval need to
be obtained by officer of respective department (Grade ‘H’ or above/HOD).
11.2. On exceptional basis and where need exists, memory and storage capacity can be
increased for individual PCs and notebooks. Such proposal needs approval of officer
of respective department (Grade ‘H’ or above/HOD) in consultation with unit IS In-
Charge.

12. Software
12.1. All Desktops/servers/laptops shall have licensed and authorized software.
12.2. All SAP software licenses shall be procured centrally at COIS and shall be distributed
as per requirement.
12.3. Antivirus and asset management software shall be standardized throughout the
corporation. COIS shall line up rate contract for the same and based on rate
contract divisions shall procure the software.
12.4. Other standard software such as OS, application software and data bases etc. shall
be procured by divisions.
12.5. Office automation software – MS Office: Agency and rate contract for licenses shall
be finalized by COIS for bulk requirement.
12.6. In-principal approval shall be obtained from COIS for procurement of any new
software/ applications/ Systems in case the software shall be deployed across the
location / division / corporation or shall require additional resources in terms of
corporate network / security / Licenses. Divisions shall maintain the inventory of
software / applications / systems for their divisions.

45
 IndianOil IT Policy

12.7. COIS shall arrange for renewal of subscription for all software procured by them.
For other software, respective division shall arrange for renewal.
12.8. Disposal: Adequate measures shall be taken to prevent misuse of obsolete media
and licenses.
12.9. Redistribution:
12.9.1. Whenever a PC or a server or a hard disk is replaced or reallocated, all User
generated documents, images and files shall be removed before
reallocation, the responsibility for ensuring this shall be borne by the
individual whose PC has been replaced, in coordination with the engineer
who moves that person’s data to the new machine.
12.9.2. A replaced machine shall also have all installed software removed before re-
distribution. Such machines should be formatted before redistribution.
12.10. Inventory of all the authorized software and licenses procured by IS
department must be maintained by respective IS department. A half yearly
compliance report of the same shall be generated for audit purpose and gaps to be
shared with COIS.

13. Consumables – Consumable like cartridges, CDs, DVDs, pen drive, USB HDD, Tag/Card
reader (USB), Proximity card etc. shall be treated as stationary items and shall be procured
by concerned department accordingly.

14. Disposal of e-waste – Disposal of e-waste shall be done as per HSE guidelines and material
management manual.

Table A – ASSET REGISTER
PO No., date

Valid up to
No./

/
SAP Asset No.

Asset Owner
Asset Name

License No.

Asset Type

Custodian
Warranty
and Cost

Remarks
Location
Asset ID

Details
S. No.

Serial

Asset

Asset
AMC

date

46
 IndianOil IT Policy

Chapter 18: Cloud Computing

1. For any update or refresh of the existing IT infrastructure or for a new requirement, it is
advisable to explore the possible options on Cloud first. Thorough assessment of the
nature of the work to be done, data to be handled, applications to be moved etc. to be
carried out and based on the assessment, the services on cloud may be adopted.

2. Necessary cyber security requirements and compliance to the statutory data regulations
(specifically with regards to residency / localization of the data) to be ensured.

3. For any cloud service, only MeitY empaneled CSP (Cloud service providers) to be engaged.
The list of the empanelment is available on the MeitY website.

4. Any engagement requiring sensitive personal data or information needs to be thoroughly
examined and strict security controls such as encryption of data (both at rest as well as
motion), multi-factor authentication etc. to be ensured.

5. For projects involving Aadhaar data to be stored on cloud, compliance to the Aadhaar
related regulations (as per Aadhaar Act or other existing statues) to be ensured. Aadhaar
related technical requirements to be built into the contract.

6. Any network communication link to the CSP needs to be taken on approval from COIS.

47
 IndianOil IT Policy

Chapter 19: Mobile Application and Device

The term “Mobile Technology” have very wide representation. Adoption of mobile
technology means enabling User to access corporate applications and data while on move
from anywhere and anytime by deploying corporate mobile application.

1. Mobile Applications
1.1. Types of Mobile Application: IndianOil had adopted and will continue to adopt new
technologies and leverage the same for achieving business goals. Customized mobile
applications in IndianOil are divided, but not limited, into the following categories:
1.1.1. Mobile Application for Employees.
1.1.2. Mobile Application for Dealers, Distributors and Consumers.
1.1.3. Mobile Application for General public.
1.1.4. Mobile Application for Vendors.

2. Development Architecture
2.1. The architecture shall be based on industry-wide open standards so as to offer
integration and interoperability with third party tools and software.
2.2. SAP Net Weaver Gateway/ SAP PO shall be used to exchange data with SAP system.
2.3. For external Users SSL connectivity shall be established between internet/intranet
devices and web servers using public certificates signed by certifying Agency (CA).
2.4. Standard User Interface (UI), look and feel (color combination, icons, background
graphics etc.) for all mobile applications shall be followed.

3. Mobile Device Security
3.1. In order to prevent unauthorized access, devices shall be password protected using
the features of the device and a strong password as per corporate policy shall be used
to access the corporate network.
3.2. The device shall lock itself with a password or PIN if it’s idle for longer periods.
3.3. Rooted (Android) or jail broken (iOS) devices are strictly forbidden from accessing the
network.

48
 IndianOil IT Policy

Chapter 20: Open-Source Technology

1. Integration of open-source technology with existing infrastructure such as OS, processing
power, storage space, connectivity, interoperability with other technologies should be
thoroughly evaluated for security vulnerabilities and compliance with organization’s
specific needs.

2. All open-source products installed and in use, shall be secured and kept updated by
installing latest patches and upgrading to latest version as and when they are released.

3. Subscribe to respective open-source security announcement mailing list to get patches,
bug fixes and software upgrades at regular intervals. Periodic auditing of the open-source
products like commercial software is to be carried out.

4. In case of vendor providing open-source technology, adequate support in the form of
upgrades, patches etc. must be a part of contractual agreement.

49
 IndianOil IT Policy

Chapter 21: Web Hosting

1. All websites shall be hosted in-house or NIC or any other server owned by Government
of India or the State Government or with a third-party organization’s servers located in
India or as per prevalent guidelines on subject issued by Govt. of India.

2. New domain name registration shall be done after in-principal approval from COIS.
Renewal of existing domain name shall be the responsibility of respective domain owner.
New domain name registration shall be preferably done in “.in” registry and under SLD
(second level domain name) “.indianoil.in” e.g. refinery.indianoil.in.

3. CERT-In guidelines, GoI guidelines on websites and application security guidelines shall
be followed.

4. Application security audit shall be carried out by CERT-In empaneled vendors before the
site is made operational or after any major change and vulnerabilities should be
mitigated.

5. PT (Penetration Testing) shall be carried out by CERT-In empaneled vendors before the
site is made operational or after any change in source code and vulnerabilities should be
mitigated.

6. The website hosting IT infrastructure should be ISO 27001compliant. VA (Vulnerability
Assessment) for this infrastructure shall be carried out by CERT-In empaneled vendors
yearly and vulnerabilities should be mitigated.

7. System shall be in place to carry out VA/PT at least once in a year or during any major
changes.

8. The operating system, web server and other applications on the servers being used shall
be patched with the latest security updates available from respective OEMs.

9. A dedicated network zone shall be created for the servers hosting the website.

10. The network access to such zone shall bear a “Deny all, allow selected” access policy.

11. Database server process shall run with minimum privileges and never as administrator.
Audit trail logs on Database server shall be enabled.

12. Database server should never be accessible on public IP. Database server access should
be only allowed from Web server through particular port only.

50
 IndianOil IT Policy

13. Sensitive information between the browser and the web servers shall be encrypted using
a public/private key pair and it should be traceable to root CA.

14. All web servers hosted in public domain should have latest version of SSL certificate from
trusted authority.

15. Monitoring and early alert mechanisms shall be in place to detect and inform
defacement, intrusions and exploits on the website.

16. If required, disaster recovery/business continuity for the website shall be in place.

17. In case of website being outsourced, security requirements as above shall be clearly
mentioned in the contract.

18. The change management process for the website shall be documented and approved by
competent authority.

19. Acceptable use policy and privacy policy for the website shall be mentioned on the
website.

20. Log files should be regularly archived, stored and analyzed.

21. Maintain latest copy of web site content on a separate secure host or media.

51
 IndianOil IT Policy

Chapter 22: Website Privacy

1. The purpose and usages of the data (Users’ data/ cookies) being collected shall be
mentioned in the website.

2. IT Act 2000 along with its subsequent amendments from Government of India shall be
followed.

3. All legal statute, as applicable, such as Aadhaar Act shall be complied with in all
application/websites capturing, storing, processing Aadhaar data.

4. If website is using links to other websites, it shall be informed to visitors that corporation
is not having any control on externally linked websites and if third-party is providing any
information on external websites, corporation is not responsible for its security and use.

5. All IOCL public websites to host the corporation’s Data Privacy Policy.

52
 IndianOil IT Policy

Chapter 23: Change Management

The primary goal of the IT change management process is to accomplish IT changes in the
most efficient manner while minimizing the business impact, costs, and risk.

1. Formal change request–There shall be a formal change request duly approved by
system/software owner.

2. Document change request - All requests for change shall be documented. The completion
of a new request for change shall be completed by the change coordinator with input from
the change requester.

3. Categorize and Prioritize the Change - The change coordinator will assess the urgency and
the impact of the change on the infrastructure, end-User productivity and budget to
prioritize the same.

4. Analyze and Justify the Change –Request shall be assessed by the change coordinator to
identify how the change may impact the infrastructure, business operations, and budget.
When completing the analysis of the change, the change coordinator shall ensure they
consider the business as well as the technical impacts and risks.

5. Approve and Schedule the Change–Request for change shall move to competent authority
for approval or rejection of the change.

6. Plan and Complete the Implementation of the Change - This process includes developing
the technical requirements, reviewing the specific implementation steps and then
completing the change in a manner that shall minimize impact on the infrastructure and
end-Users.

7. Take backup of existing system/configuration before applying Changes - Before
implementing the change, backup of existing configuration must be taken and then the
changes should be implemented.

8. Post-Implementation Review - A post-implementation review shall