Post on 12-Mar-2020
Report Author: Suresh Dattatraya Haridas
Page 1 of 28
Visit Start Date: 18/02/2013
Re-Assessment Report
Power System Operation Corporation
Wholly Owned Subsidiary of POWERGRID.
Introduction.
This report has been compiled by Suresh Dattatraya Haridas and relates to the assessment activity detailed below:
| Visit ref | Type | Date | Duration | No. Employees | Certificate | Standard | Site address |
|---|---|---|---|---|---|---|---|
| 7777400 | Re-certification Audit (RA Opt 2) | 18/02/2013 | 1 day(s) | 77 | IS 571620 | ISO/IEC 27001:2005 | Southern Load Despatch Center, 29, Race Course Cross Road, Bangalore, Karnataka, 560 009, India |
| 7777401 | Re-certification Audit (RA Opt 2) | 18/02/2013 | 1 day(s) | 47 | IS 571620 | ISO/IEC 27001:2005 | North Eastern Regional Load Despatch Center, Dongteih, Lower Nongrah, Lapalang, Shillong, Meghalaya, 793 006, India |
| 7777403 | Re-certification Audit (RA Opt 2) | 18/02/2013 | 1 day(s) | 84 | IS 571620 | ISO/IEC 27001:2005 | Northern Regional Load Despatch Center, 18-A, Shaheed Jeet Singh Sansanwal Marg, Katwaria Sarai, New Delhi, 110 016, India |
| 7959662 | Re-certification Audit (RA Opt 2) | 19/02/2013 | 1 day(s) | 41 | IS 571620 | ISO/IEC 27001:2005 | National Load Despatch Center, B-9 Qutab Institutional Area, Katwaria Sarai, New Delhi, 110 016, India |
| 7777402 | Re-certification Audit (RA Opt 2) | 19/02/2013 | 1 day(s) | 83 | IS 571620 | ISO/IEC 27001:2005 | Eastern Regional Load Despatch Center, 14, Golf Club Road, Tollygunge, Kolkata, West Bengal, 700 033, India |
| 7777399 | Re-certification Audit (RA Opt 2) | 19/02/2013 | 1 day(s) | 81 | IS 571620 | ISO/IEC 27001:2005 | Western Region Load Despatch Center, Plot no F3, MIDC Area, Marol, Opposite SEEPZ, Andheri (East), Mumbai, Maharashtra, 400093, India |
The objective of the assessment was to conduct a certification assessment to ensure that all elements of the proposed scope of
registration and entire requirements of the management standard are effectively addressed by the organisation's management
system.
Management Summary.
Overall Conclusion
We are pleased to recommend the continuation of your registration and the issue of the new certificate. The areas assessed during the course of the visit were found to be effective.
Corrective actions with respect to nonconformities raised at the last assessment have been reviewed. Actions were not found to be
effectively implemented in all areas. Such areas, identified in subsequent sections of the report, will be further reviewed for closure at
the next assessment.
5 nonconformities requiring attention were identified. These, along with other findings, are contained within subsequent sections of
the report.
A nonconformity relates to a single identified lapse, which in itself would not indicate a breakdown in the management system's
ability to effectively control the processes for which it was intended. It is necessary to investigate the underlying cause of any issue to
determine corrective action. The proposed action will be reviewed for effective implementation at the next assessment.
Please submit a plan to BSI detailing the nonconformity, the cause and your proposed corrective action, with responsibilities and
timescales allocated. The plan is to be submitted no later than 26/02/2013 by e-mail or fax to the correspondence address below,
referencing the report number.
Areas Assessed & Findings.
About POWER SYSTEM OPERATION CORPORATION
POWER GRID CORPORATION OF INDIA LIMITED (POWERGRID) is a Govt. of India Enterprise engaged in the business of transmission of power across the country by establishing a national grid, and has been designated "Central Transmission Utility" by the Govt. of India. The purpose of establishing the national grid is to transmit power from the central generating stations to the beneficiary states and to facilitate inter-regional power transfer. The Registered Office of POWERGRID is located at B-9, Qutab Institutional Area, Katwaria Sarai, New Delhi-110 016. POWER SYSTEM OPERATION CORPORATION (POSOCO) came into existence on 01.04.2009 as a wholly owned subsidiary of POWERGRID CORPORATION OF INDIA LIMITED and has its corporate office at B-9, Qutab Institutional Area, Katwaria Sarai, New Delhi-110 016. POSOCO is expected to take up the role of Independent System Operator (ISO) in the Indian power sector. POSOCO comprises the corporate centre, the SO department and its Load Despatch Centres: the National Load Despatch Centre (NLDC) at New Delhi, the Back-up National Load Despatch Centre at Kolkata, and the Regional Load Despatch Centres (RLDC) for the Northern Region (NRLDC) New Delhi, Eastern Region (ERLDC) Kolkata, North Eastern Region (NERLDC) Shillong, Southern Region (SRLDC) Bangalore and Western Region (WRLDC) Mumbai.
ISMS Framework
The audit team appreciates the hospitality and co-operation extended during the Reassessment, which has been brought forward by one year in order to integrate with other standards including PAS 99:2006, ISO 9001:2008, ISO 14001:2004 and BS OHSAS 18001:2007.
In general the organisation has demonstrated a good level of security awareness, generated from the services provided as well as from the supporting training and awareness activities conducted by the department. The controls selected within the risk analysis and subsequent treatment plan have been identified as effective within the organisation. This will be monitored continuously during the subsequent assessment activities.
The Scope of the Integrated Management System(IMS), Security Policy with security control objectives are defined. The procedures
for planning, operation and control are clearly defined and documented.
Effective organization structure for information security has been set up and maintained. Respective responsibilities and nominations
have been defined in the IMS.
Management commitment for establishing, implementing, operating, monitoring and reviewing, maintaining and continually improving
the IMS is observed. Respective personnel have been made aware, educated and trained on the Information Security requirements of
the organization.
The areas assessed during the Re-Assessment audit included review of the CAV 1 report no 7673584 dated 13/2/2012 and the CISO functions (Scope and Policy, Organisation, Internal Audits, Management Reviews, Continual Improvement, Incident Management, Compliance, BCP), Site tour, Physical security, Grid Operation (Grid Management, Operation services), Market Operation (Commercial services), Logistics (Information Technology including support for SCADA/EMS, and Incident management) and Establishment (Human Resources, Finance, Contract Services, Technical services). Six audit days have been delivered during the Re-assessment at 6 locations: New Delhi (2), Bangalore, Kolkata, Shillong and Mumbai.
Areas covered: Scope, RA-RT, SOA, Internal Audits, MRM, BCP, Compliance (clauses 4 to 8).
Documents Referenced
1. POSOCO/IMS/Manual Rev 2.0, dated 15/1/2013 (Scope, Policy)
2. POSOCO/IMS/SOP Rev 2.0, dated 10/1/2013 (RA)
3. POSOCO/ISM/SOA Ver 2.0, dated 15/1/2013
4. POSOCO/IMS/SOP Ver 2.0, dated 10/1/2013, section 4.5.3.1 (Internal Audit)
5. POSOCO/IMS/Manual Rev 2.0, dated 15/1/2013, section 4.3.2 (Compliance)
6. POSOCO/IMS/OCP/16 Ver 2.0, dated 15/1/2013 (BCP)
7. Review of CAV 1 report no 7673584 dated 13/2/2012
1. Scope and Organisation
The scope and boundaries of the ISMS have been well defined. The scope addresses the main business of the company and the support services. The Security Policy with the security control objectives is defined. The legal and regulatory requirements and compliances have been identified and are being addressed. The procedures for planning, operation and control are clearly defined, documented and maintained with appropriate access controls.
The scope includes the areas Grid Operation, Market Operation, Logistics and Establishment (Ref POSOCO/IMS/Manual Rev 2.0, dated 15/1/2013 (Scope, Policy), duly approved by the CEO).
The scope is finalised as:
Power Systems Operation Corporation Limited, wholly owned subsidiary of POWERGRID, operates an Integrated Management System in compliance with PAS 99:2006 which applies to operation and control of Load Despatch Centres as per IEGC (Indian Electricity Grid Code) and Electricity Act 2003, Market Operation, and O&M of SCADA, EMS and Communication systems associated with Generation and Transmission systems up to 1200 kV AC / 500 kV HVDC.
The Integrated Management System consists of ISO 9001:2008, ISO 14001:2004, OHSAS 18001:2007 and ISO/IEC 27001:2005 (the applicable SOA for ISMS 27001:2005 is Ver 2.0 dated 15/1/2013).
2. ISMS Organisation
An effective organisation infrastructure has been set up and is being maintained for information security. Nominations to the structure are stated, and respective responsibilities have been defined.
The organisation has undertaken a program to train, educate and make people aware of their respective information security
responsibilities.
3. Site Tour/Physical security
POSOCO facilities were observed to be well laid out and planned, with physical access and environmental controls evident. Assets observed are tagged, and identification and labelling of infrastructure was observed. Storage bays and workstations are duly numbered. Two levels of security were evidenced: a security guard at the entrance gate, frisking and a metal detector at the main entrance, and electronic access control into the offices. The work area is divided into functional zones with access controls in place at the floor entrances and the Server room. The office main entrance area is manned by physical security, who maintain records of visitors and movement of records (gate passes). Environmental controls are implemented and evident. Fire protection systems are installed and evident. Secure areas are defined and electronic access control systems are installed. Asset movement is handled by the respective departments.
4. Risk assessment
Referred POSOCO/IMS/SOP Rev 2.0, dated 10/1/2013 (Risk assessment methodology). Assets are identified and valued as follows:
Asset value (Av) = C + I + A (each rated 1 low to 3 high)
Vulnerability criticality = 1 to 3
Threat probability = 1 to 3
Risk value = (Av * Vulnerability criticality * Threat probability) / 3
Acceptable risk value = 3; risk values above 3 are to be mitigated.
Risk registers: System Operation 1 & 2 (Grid Management), LO1, LO2 (IT/SCADA/Contract and Technical services), Establishment (Finance/HR).
Risk assessment records of . Controls have been selected from Annexure A of ISO 27001:2005 and a Statement of Applicability has been prepared, post review and inclusion of the controls selected. Security controls have been implemented.
Sampled LO 1: assets identified include Physical assets, Document assets, Information assets, People assets, Service assets and Software assets. Risk assessment and treatment have been evidenced.
Referred POSOCO/ISM/SOA Ver 2.0 dated 15/1/2013.
Controls excluded are A.10.9.1, A.10.9.2, A.11.4.3, A.11.4.6, A.11.5.6, A.11.7.2, A.12.3.1, A.12.3.2, A.12.5.5 and A.15.1.6.
Other exclusions are justified.
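The scoring rule above, worked through in code. This is an added illustration, not part of the report or of the POSOCO SOP; the asset names and ratings in the sample register are constructed, and only the scales and the threshold come from the methodology as the report states it.

```python
# Added worked example of the risk scoring described in the report:
#   Asset value (Av) = C + I + A, each rated 1 (low) to 3 (high)
#   Vulnerability criticality and Threat probability rated 1 to 3
#   Risk value = (Av * Vul * Threat) / 3; accept at 3 or below, mitigate above 3
from dataclasses import dataclass
from fractions import Fraction

ACCEPTABLE_RISK = 3  # threshold stated in the methodology: <= 3 is accepted


def _rating(value: int, name: str) -> int:
    """Enforce the 1..3 scale so a mistyped register entry cannot skew the score."""
    if not isinstance(value, int) or not 1 <= value <= 3:
        raise ValueError(f"{name} must be an integer from 1 (low) to 3 (high), got {value!r}")
    return value


@dataclass(frozen=True)
class Asset:
    name: str
    c: int              # confidentiality rating
    i: int              # integrity rating
    a: int              # availability rating
    vulnerability: int  # vulnerability criticality
    threat: int         # threat probability

    def __post_init__(self) -> None:
        for field in ("c", "i", "a", "vulnerability", "threat"):
            _rating(getattr(self, field), field)


def asset_value(asset: Asset) -> int:
    """Av = C + I + A, so it ranges from 3 to 9."""
    return asset.c + asset.i + asset.a


def risk_value(asset: Asset) -> Fraction:
    """(Av * Vul * Threat) / 3, kept exact so the threshold test is not subject to float rounding."""
    return Fraction(asset_value(asset) * asset.vulnerability * asset.threat, 3)


def treatment(asset: Asset) -> str:
    """Decision rule from the methodology: accept at the threshold, mitigate above it."""
    return "Accept" if risk_value(asset) <= ACCEPTABLE_RISK else "Mitigate"


def risk_register(assets) -> list:
    """Score every asset and order the register by descending risk, as a treatment plan would."""
    rows = [
        {"asset": a.name, "av": asset_value(a), "risk": risk_value(a), "treatment": treatment(a)}
        for a in assets
    ]
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


# Constructed sample register (illustrative ratings, not POSOCO's actual values).
SAMPLE_ASSETS = [
    Asset("SCADA/EMS application server", c=3, i=3, a=3, vulnerability=2, threat=2),
    Asset("Visitor register (hard copy)", c=1, i=2, a=1, vulnerability=1, threat=2),
    Asset("HR records cupboard", c=2, i=2, a=1, vulnerability=1, threat=1),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_ASSETS):
        print(f"{row['asset']:<32} Av={row['av']}  risk={float(row['risk']):5.2f}  {row['treatment']}")
```

Because the division by 3 often yields a non-integer, an exact Fraction is used rather than a float, so an asset scoring exactly 3 lands on the accept side of the threshold as the methodology states.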
Internal Audit 6.0
Internal audits are conducted by internal auditors (2 ISMS and 3 IMS auditors). Audits are planned and are being conducted. The internal audit process has been defined (Ref POSOCO/IMS/SOP Ver 2.0 dated 10/1/2013, section 4.5.3.1). The last internal audit was held on 15/1/13 and 18/1/13. The audit summary report dated 16/1/2013 for Jan 13 has been evidenced. The observations are followed up with RCA and corrective and preventive actions.
MRM 7.0
Management commitment for establishing, implementing, operating, monitoring and reviewing, maintaining and continually improving the ISMS is observed. The management review meetings (ISMF) are being held regularly every six months.
The last MRM was held on 8th Feb 2013, attended by the Unit head, HODs, MRs and the CISO. The agenda is as per ISMS requirements. Action items with ownership and timeline are specified.
Compliance A.15
Referred POSOCO/IMS/Manual Rev 2.0 dated 15/1/2013, section 4.3.2.
Compliance requirements are documented (IEGC, IE Act 2003, IPR Act, regulations passed by CERC, CEA etc.). The HOD sends a letter every quarter declaring compliance with regulatory acts. A Grievance committee headed by the Unit head covers employee litigations.
BCP A.14
Referred POSOCO/IMS/OCP/16 Ver 2.0 dated 15/1/2013. Failure scenarios and recovery time objectives are defined. Fire drills and terrorist-attack drills are conducted.
DR will be available in the next SCADA version (2014).
Incident Management A.13
A department-wise register is maintained for incident monitoring. An Oracle database is used for monitoring technical incidents.
Physical Security/Administration/Contract Services/Technical services (Establishment) A.9, A.10
3. Site Tour/Physical security/Technical services/Contract services
Site tour and physical security findings are as recorded under 3. Site Tour/Physical security above. Asset movement is handled by the respective departments.
The equipment maintenance records have been evidenced with corrective and preventive actions. An AMC tracker is maintained to keep track of the status of AMCs with third parties and covers SOW and SLA.
DG sets (375 kVA + 125 kVA) are serviced on an as-and-when-required basis. A no-load test is done every week. SR record dated 3/8/12 for Routine B Maintenance has been evidenced and found to be in order.
Central AC is maintained on a quarterly basis. SR 00831612 dated 31/1/13 has been verified and found to be in order. One chiller is not functioning and is expected to be replaced by 1Q2014.
UPS (2 x 40 kVA): verified SR no 488573 dated 25/10/2012 and found it in order. SMF batteries are nearing the end of their service life and will be replaced. Cells are being checked every 10 days.
Verified the fire equipment visit report dated 12/12/12 and found it to be in order.
A fire drill is done once in six months. Verified the fire drill record. The last drill was conducted on 24th Jan 2013; the report is under preparation.
The last drill record for the quarter ending Dec 12 was verified for the drill held on 23/12/12. Evacuation time was 0 to 1 minute. %3 persons were evacuated.
Grid Management A.10, A.11
Auditee: DGM
The main activities cover real-time monitoring of the power system at HV/EHV levels from the point of view of security, enabling bottled-up generation and maximising power transfer, and enabling the commercial mechanisms that facilitate generation, transmission and distribution.
Operation is 24 x 7. A team headed by the DGM (Shift in charge), with a Manager and an Engineer, carries out real-time grid operation, coordination with NLDC, control of power flows and control of frequency within the IEGC band (49.7 Hz to 50.2 Hz) on a 24 x 7 basis.
Documents on reactive power (CERC press release), Open Access in Inter-state Transmission and the Procedure for Scheduling of Bilateral Transactions are used for monitoring.
Inputs are received in the form of SCADA data and phone calls on internally dedicated links. Sampled input message: NLDC approval for Agra-Gwalior Circuit 1 outage scheduling for rectification of a defect, approved on 18/2/2013.
Grid incidences are maintained in a code book with code no, date, time, from/to and description of event, signed by the concerned engineers.
No security incidents reported so far.
SCADA/EMS/Communication (Logistics) A.10, A.11, A.13
Auditee: Manager
The major part is the SCADA/EMS systems. These systems have to be maintained fully available round the clock to aid the Load Dispatchers, and new elements need to be integrated in time so that informed decisions can be taken by operators. All IT infrastructure has to be maintained with 100% user availability, so inbuilt redundancies are deployed at many levels. The SCADA system is supported and maintained by a third party under a 2009 long-term service agreement for 5 years (Amendment II WRLDC/CON/WC-922/835/2011/3032 dated 8/4/2011; the annexure describes the SOW and escalation procedure).
Evidenced Network Diagram dated 8th Feb 2013 v2. Continuity/security is ensured through a Hathway 8-port switch, firewall, 2 web servers, Layer 3 switches, Layer 2 switches and Cisco routers. Passwords are protected through access control to the soft copy. VAPT is carried out regularly (last report Jan 7, 2013); corrective action is in progress and will be completed in about 10 months (e-mail dated 15/2/2013 to DGM IT SS).
Evidenced antivirus definition distribution report dated 18/2/2013: Symantec definitions of 16/2/2013 r9 on 96.5% of the total of 57 computers.
Input is received through meetings for plant integration as per the connectivity agreement with CTU; analog and status points are created in the DB and output is created on the Display. System operations data is generated daily and generation frequency is monitored every 30 seconds. Antivirus status: 16/2/2013 r9 on no. 46.
Market Operations (Commercial services) A.10, A.11
Auditee: Chief Manager
The core activities of market operations include Metering, Energy accounting, RLDC fees & charges, UI disbursals, system studies and Regulatory affairs. The Operational services team carries out activities related to Reliability, Market operation (Commercial), Regulatory affairs, Reliability/Operational planning (outage guidance to shift engineers) and transfer capability of the transmission network for the Open Access team. Market operation is responsible for metering and settlement. Binary files are received through e-mail, converted to text files and used for working out the net injection of power and the net drawal by the different states. Integrity checks are performed. Data cannot be tampered with, as hand-held meter reading instruments are used for downloading the data.
Regulatory affairs:
CERC comes out with several rules; stakeholders are involved in sharing their inputs, and comments are given to NLDC, who consolidates them and passes them on to CERC (Grid Code).
Compliance monitoring covers timelines, Grid Code data validation and pool payment disbursal.
Establishment (HR, Finance) A.8, A.9, A.10, A.11
HR
Auditee: Personnel Officer
Team size: 8
This group administers HR management, HR development and administration of the office; trainings, facilities extended to employees, office orders etc. are under its purview (complete employee life cycle).
Sampled emp no 2586. The NDA is under Rule 5 of the CDC rules. BGV is done internally. Police verification, qualification verification and employment verification have been evidenced and found to be in order.
Sampled emp no 41427, DOJ 9/3/11. This was a transfer case, hence BGV and NDA records could not be verified.
Sampled emp nos 02078 and 02479. Return of assets is evidenced in the no-dues certificate.
The records are protected in a cupboard under lock and key.
Observation:
1. No smoke detector is located in the HR records storage room.
OFI
1. Return of assets (IT) could be explicitly mentioned in the no-dues certificate.
Finance
Auditee: Chief Manager
The team is responsible for payments, preparation of accounts and audit of location contract maintenance.
The records are secured under lock and key and can be accessed by authorised persons. An online backup is maintained and stored at a remote location. The Finance server is maintained in Delhi. Access is protected through login and password, which is changed periodically. No security incidents are reported so far.
Summary of SRLDC (Bangalore) Findings
ISMS Change Management:
There are 26 policies defined, based on the central RLDC policies and processes applicable to SRLDC. All these policies were reviewed and updated during 2013. The password policy for the control room was changed from 30 days to 90 days for operational convenience.
The risk assessment in SRLDC-RA-RTP ver.1.2 dated 15th Jan 2013 has been verified for the changes done for the assets added and for security and supporting utilities.
ISMS Audit:
The internal audit was conducted once in three months. The previous internal audits were conducted during July 2012 and Nov 2012. The combined audit report of Nov 2012 has been verified for the audit schedule, coverage, audit findings, reporting and analysis of results. The audit focus on ISMS (preparation, performing the audit and reporting) needs improvement.
Management Review:
The Management Review was conducted once in three months, immediately after the internal audit. The combined MR meeting records have been verified for the agenda points, reporting on ISMS control effectiveness, minutes of meeting and action plan. The MOM and action plan dated 17th Dec 2012 cover the ISMS checklist, antecedents for security staff, mock drill, ISMS awareness and VAPT.
Closure of Previous Audit Findings:
The previous external audit report (BSI report of Feb 2012) has been verified during the audit, and it was found that there is no formal CAPA record available with the team.
Observations:
1. The change management procedure was not followed for the change of the control room password policy to 90 days.
2. Reference to Physical & Environmental Security Policy ver.2.0 dated 15th Jan 2013: the change description is recorded as "Recertification Audit".
3. Reference to the risk assessment of Security and supporting utilities: A.14 controls were not selected, though this control is in practice.
4. Reference to the Internal Audit of 17th Nov 2012: the Integrated Management System audit is conducted for all four standards. A) No effort was put into verifying the ISMS controls during the audit; no checklist was used. B) The IA findings classification is incorrect, e.g. "The information assets list not prepared" and "vendor evaluation procedure to be done" are classified as 'OFI'.
5. Reference to the Internal Audit procedure: the classification (NC, OFI) of findings could be defined.
6. An audit summary report was not evidenced as per sec 5.2.10 of the Internal Audit procedure to demonstrate the purpose/objective of the internal audit.
7. Reference to the MR review of 17th Dec 2012: clauses e) and f) could be addressed as per standard clause 7.2, and a review of ISMS control effectiveness could be carried out.
8. There is no evidence of a corrective and preventive action plan for the previous BSI audit report of 13th Feb 2012 (11 obs, 1 Minor NC). Clause 8.2 / 8.3.
Area: Human Resources (A.8)
Conduct, Discipline and Appeal Rules of HR Policy Manual Volume I, Dec 2002: Rule 5 addresses the general information security requirements applicable to all employees. Pre-employment medical check and character and antecedents check are done for all employees. During employment, every promotion in the organisation requires vigilance clearance; superannuation/exit clearance also requires vigilance clearance. The HR records are maintained in hard copy stored in the cabinet. Digitisation of these documents into soft form stored on a centralised server could be looked into. The sample of joining formalities of E.ID 02689 dated 8 Aug 2012 and the superannuation process for E.ID 35036 have been verified during the audit. The orientation training programme for E.ID 02689 dated 8th Aug 2012 was evidenced.
The legal and regulatory requirements and compliances have been identified and are being addressed. Regulations being complied with:
Contract Labour
EPF
ESI
Minimum Wage
Workmen Compensation
Status of statutory compliance: IT Act 1961.
Observations:
1. The link in the POWERGRID portal (Human Resource Department -> HR Rules and Policies) was found not to be working (displays the error message 'server error').
2. The antecedents report for employee 2689, who joined on 8th Aug 2012, was not evidenced.
Area: Logistics (SCADA Operation) (A.10, A.11)
The objective of this team is to provide real-time information to the control room and MIS reports, and to ensure the availability of the system at 98.5%. The SCADA activities are managed in association with the GE Energy team. The IBM AIX based server is used to store all the operations data. The letter of award to GE India Industries Pvt Ltd dated 29th March 2012 is in place for two years' support service of SCADA. The team's activities involve the Sybase error log, disk utilisation (XA/21 gaxall), OS error report, performance of database utilisation and resolution of issues within agreed service levels. July-Sept 2012 reports on SLA adherence and uptime, and daily health checks of workstations and application controls, were evidenced. No security incident was reported during the last one year.
Good Practice
1. Monthly health check report of HW and SW resolution support issues, and availability report based on the contract elements, found to be good.
Observations:
1. Analysis of data on comprehensive support of HW and SW by severity level could be carried out, which would provide the opportunity to take proactive initiatives to reduce incidents.
2. Vulnerability assessment of network, database, routers and switches could be carried out at regular intervals.
Area: Operation Services
The team is involved in developing processes for grid normal and black start conditions. The MIS report is generated weekly/monthly/quarterly/annually. The team provides monthly information to the Operations Coordination Committee Meeting (OCCM) on a set of parameters which enables strategic decisions by the OCC. The 79th OCCM report of 10th Jan 2013 has been verified for network & system operation, network protection/security issues and disaster management, and found in order.
Good Practice / Strength
1. The Operation Coordination Committee Meeting (OCCM), a monthly meeting that is the mouthpiece for operations, covering frequency profile, voltage profile, system demand, network issues, SCADA data, communication, protection issues, major events and commercial issues, was found to be good.
Area: Physical Security and Admin
POSOCO is located at No. 29, Race Course Road, Bangalore. The ground, first and second floors house a total of 65 staff. The physical security services are handled by P L Security Services as per the letter of award dated 11th Jan 2013. CCTV is in place to monitor movement inside and outside the office premises; monitoring is done 24/7 by the security staff and the control room.
The visitors' and material movement registers have been verified during the audit and found in order. Fire extinguishers are in place at prominent places like the DG, UPS and Server rooms. The daily logs of UPS, battery, electrical panel and DG are in place and found in order. The third-party agreements with M/s PL Security Services have been verified during the audit.
Observations:
1. Display of a positive security culture reflecting the organisation's password policy, internet security, e-mail security, information security incidents, emergency situations and handling of confidential documents could be carried out.
2. Material issue authorisation, i.e. from Heads of Department to security for verification.
3. Antivirus is not updated on the system at Security, which is connected to the control room; this could be looked into.
Summary Of ERLDC (Kolkata) Findings
Site Tour, Physical Security and Contract Services Auditee: A.B. Sengupta, S.K Mukherjee
Site tour conducted to assess periphery and physical security of the facility. The main entrance to the facility is manned by security
guards, which takes care of visitor and material movement. All the visitors are issued gate pass and guest card and have to record
their credentials in the visitor register. The physical security of POSOCO Kolkata facility is out sourced to GS & IS (P) Ltd. Interviewed
on duty security guard Mr. Phanilal Bose and his awareness of security requirement and POSOCO’s policies and procedures found
satisfactory. One armed guard is deputed for 24X7basis. Verified the gun operating license of on duty gun man Sk. Akhtar Ali vide
license no. 16/2007 of Bhatar PS for 12 bore DBBI gun no. 8651 and the same is valid till 31.12.2014. Total 6 nos CCTV cameras are
installed within the facility. Last 1 month CCTV footage gets stored. Verified the stored footage of camera no 6 between 11.30 AM to
12.30PM on 03.02.2013 and found consistent. Entrance to the working area is access controlled with bio metric access control
system. Metal detector is installed at the main entrance. During the site tour, DG room and switch room was visited. Organization has
two DG Sets of 125 KVA and 400 KVA. Fire extinguishers and sand buckets are kept in DG area to take care of any fire incident.
Refilling of fire extinguishers is done yearly. Verified the fire extinguishers number DPX05, for which next refilling is due on
23.10.2015.
Contract services falls under three major categories vide, short term, midterm and long term based on the requirements. Contract
covers system operations, technical operations, market operation, etc. Verified the KPIs of contract services vide doc id
POSOCO/IMS/Objectives Rev 03 and found full adherence. Contract process is carried out on order to order basis by inviting Limited
(value<25 Lac) / Open (value>25 Lac) tender based on requisition from user department and also selection, evaluation of supplier is
carried out on order to order basis through verification of Technical & Finance Bid, Other Requirements & Comparative study & Order
is in general placed to the supplier with L1 grade. Process verified by taking following sample: “Proposal: O & M and Development of
ERLDC Lawn / Garden, Tender No: ERLDC/ C & M/ 970-O & M-Gardening/2012/856-868 dated 09/05/12, Bidders No: 04. M/s Udayan
is selected as L1 supplier for above tender after comparative study of the bidders & details recorded in comparative statement of
tender. Purchase Order No: ERLDC/ C & M/ 970-O & M-Gardening/2012/3340 dated 11/10/12 is placed in favour of Supplier: Udayan
after approval of Purchase Proposal by tender committee. Order is accepted by supplier on 14/10/12.”
**Observations**
1. The visitor’s log book is to be maintained properly. It was found during the audit that Mr. B. Dey entered the facility on 14.02.2013 at 12.53 from ORG India, but his/her out time was not recorded. The visitor’s pass was also not evidenced. A review of the visitor register at a defined schedule may be put in place to confirm effectiveness.
2. The returnable outgoing materials memo may be kept separate, and the expected return date mentioned in it, to increase traceability.
3. Specimen copies of authorised signatories may be placed at the security desk for ready reference and signature validation.
4. Reconciliation of visitor’s cards may be done at a defined interval, and any loss or damage of a visitor’s card is to be recorded as a security incident.
**Non-conformance**
1. ISO/IEC 27001:2005 requires that the clocks of all relevant systems within an organization or security domain shall be synchronized with an agreed accurate time source (control number A.10.10.6).
Objective Evidence: It was evidenced during the audit that the CCTV surveillance system of POSOCO has a time difference of 4 mins 35 secs from the access control system and the server time of the facility.
Type: Minor non-conformance.
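The clock-synchronisation finding above (the same one recorded under A848170/1 in the table of minor nonconformities later in this report) turns on a 4 min 35 s drift between the CCTV system and the access-control and server clocks. The following added example, written for this page and not part of the assessment report, shows the drift check an operator could run against a reference clock and why the drift matters: an uncorrected offset makes an investigator pull the wrong footage when matching a badge event to CCTV frames. The system names, timestamps, badge event and the 5 s tolerance are constructed assumptions; only the 4 min 35 s offset mirrors the report.

```python
"""Clock-skew audit across physical-security systems (added example).

Assumption: each system (CCTV, access control, server) reports its current
clock against one reference clock. All values below are constructed; only the
4 min 35 s CCTV offset mirrors the assessment finding.
"""
from datetime import datetime, timedelta

# Constructed snapshot: what each system's clock read at the instant the
# reference clock (assumed: the facility's NTP-synchronised server) read
# REFERENCE_TIME. A real check would poll every system at the same moment.
REFERENCE_TIME = datetime(2013, 2, 19, 11, 58, 54)
CLOCK_SNAPSHOT = {
    "server": datetime(2013, 2, 19, 11, 58, 54),          # in sync
    "access_control": datetime(2013, 2, 19, 11, 58, 56),  # 2 s ahead
    "cctv": datetime(2013, 2, 19, 11, 54, 19),            # 4 min 35 s behind
}
TOLERANCE_SECONDS = 5  # assumed site tolerance; not stated in the report


def clock_offsets(snapshot, reference):
    """Signed offset in seconds of each system clock from the reference:
    positive means the system runs ahead, negative means it runs behind."""
    return {name: int((clock - reference).total_seconds())
            for name, clock in snapshot.items()}


def out_of_sync(snapshot, reference, tolerance_seconds):
    """Systems whose clock deviates by more than the tolerance: the objective
    evidence an A.10.10.6 check would record."""
    return {name: off for name, off in clock_offsets(snapshot, reference).items()
            if abs(off) > tolerance_seconds}


def to_reference_time(event_time, system, snapshot, reference):
    """Express a timestamp recorded by `system` on the reference clock."""
    return event_time - timedelta(seconds=clock_offsets(snapshot, reference)[system])


def correlate(access_event, cctv_frames, snapshot, reference, window_seconds,
              correct_skew=True):
    """Return ids of CCTV frames within `window_seconds` of an access-control
    event. With correct_skew=False the raw timestamps are compared, which is
    what happens when nobody has measured the drift."""
    window = timedelta(seconds=window_seconds)
    if correct_skew:
        event = to_reference_time(access_event, "access_control", snapshot, reference)
    else:
        event = access_event
    hits = []
    for frame_id, frame_time in cctv_frames:
        frame = (to_reference_time(frame_time, "cctv", snapshot, reference)
                 if correct_skew else frame_time)
        if abs(frame - event) <= window:
            hits.append(frame_id)
    return hits


# Constructed incident: a badge swipe logged by the access-control system and
# two CCTV frames stamped by the (slow) DVR clock.
BADGE_SWIPE = datetime(2013, 2, 19, 12, 0, 0)  # access-control clock
CCTV_FRAMES = [
    ("frame_a", datetime(2013, 2, 19, 11, 55, 23)),  # the real moment of the swipe
    ("frame_b", datetime(2013, 2, 19, 12, 0, 1)),    # about 4.5 min after the swipe
]


def demo():
    """Naive versus skew-corrected correlation for the constructed incident."""
    naive = correlate(BADGE_SWIPE, CCTV_FRAMES, CLOCK_SNAPSHOT, REFERENCE_TIME,
                      10, correct_skew=False)
    corrected = correlate(BADGE_SWIPE, CCTV_FRAMES, CLOCK_SNAPSHOT, REFERENCE_TIME, 10)
    return naive, corrected


if __name__ == "__main__":
    for name, off in out_of_sync(CLOCK_SNAPSHOT, REFERENCE_TIME, TOLERANCE_SECONDS).items():
        print(f"{name}: {off:+d} s from reference (exceeds {TOLERANCE_SECONDS} s)")
    naive, corrected = demo()
    print("frames matched on raw timestamps:", naive)          # ['frame_b'] (wrong footage)
    print("frames matched after skew correction:", corrected)  # ['frame_a']
```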
Asset register review, Internal audits, MRM, Review of NC closure Auditee: P. Mukhopadhyay (MR)
The asset register vide asset_register-PG_ERLDC ver 3.0.1 dated 15.01.2013 was verified, and the risk assessment and treatment process assessed. Asset values and their risk rating are done as per POSOCO/IMS/SOP Rev 02. CIA of each asset has been calculated and the risk rating identified after evaluating vulnerabilities and threats. Verified the risk assessment and treatment of a physical asset with high risk value (application server) and found satisfactory.
There were three NCs in the last audit. All issues have been addressed and closed. In the first MRM of the year the closure of all NCs had been confirmed. Verified the MOM dated 19.10.2012 vide doc id ERLDC/IMS/record/GM/009. The following artefacts were noted during NC verification:
NC 1 closure: Access control privileges have been clearly defined in ERLDC/SL/2012 on 11.03.2012 by Mr. A.B. Banerjee and approved by AGM (MO)/MR.
NC 2 closure: BCP record verified dated 15.03.2012. The MOM of Crisis Management also confirms the closure.
NC 3 closure: Section 3 of the doc Risk Assessment & Mitigation report Ver 02 dated 15.01.2013 confirms the closure by adding the proper service asset.
Internal audit periodicity is twice per year. The last audit was conducted during 23rd & 24th January 2013. Verified the audit summary report vide doc id ERLDC/IMS/record/IA. A total of 7 observations and 2 NCs have been identified. MRM is also scheduled twice per year. The last MRM was held on 11.02.2013 at ERLDC office and chaired by the GM.
**Observations**
1. Document version history may also include the amendment history in detail. It was observed during the audit that the SOA vide doc id POSOCO/IMS/SOA V2.0 has its latest release on 15.01.2013, but the reason for the new release or amendment details were not evidenced.
2. Awareness of the risk assessment procedure needs further improvement. It was found during the audit that communication cables were not identified as assets, and therefore no risk assessment was done for them (control A.9.2.3 requires this). To make the system more resilient, communication cables may be treated separately rather than grouped with the devices they are attached to.
**Non Conformance**
1. Objective Evidence: It was observed during the audit that two minor nonconformities had been identified in the last internal audit, conducted during 23rd & 24th January 2013, in the physical security and systems logistics departments, but no evidence of discussion of these in the MRM held on 11.02.2013 was found; hence allocation of responsibility for closure and a target date has not been recorded in the MOM.
Type: Minor non-conformance.
Grid Management Auditee: Nadim Ahmad
Grid Management & System Operation is carried out as per the documented SOP and flow chart. Process verified for the Purnia to Muzaffarpur line: Power Flow 67 MW x 2, Voltage 409 KV at Purnia end and 415 KV at Muzaffarpur end, frequency 50.26 Hz, Date 19/02/12, Time 11:58:54 Hrs.
Records verified include Day Ahead Scheduling, Daily Power Supply Position, and Generation & Distribution Status Reports. Also verified the shutdown request processing by assessing message no. 29-02-RKL at 19.10, which got approval from NLDC on 19.02.2013; the entire process fully adheres to the documented process flow.
Information Technology for SCADA/EMS support, Incident Management Auditee: A.B. Sengupta
Process activities mainly include maintenance of the IT and SCADA systems, intranet and corporate website. Asset details including owner, specifications etc. are maintained in softcopy. Schematic Network Diagram, ref doc ERLDC/ISMS/Manual ver03 dated 20.12.2012, verified. Software licences are maintained and found in line with usage. Backup policy including frequency, type, restoration frequency, etc. is documented in the Backup & Restoration procedure. Records verified for Machine OPRN-2 on 30.01.2013 and found satisfactory. Log of the last SCADA data file vide file name HDR_130218-235955.7.A.02 dated 19.02.2013 verified; the automated backup completed at 6.54 AM. Also verified the restoration of the schedule information message vide msg no. A7967. A dedicated 500 GB external HDD vide asset no. ERLDC/PCI/046 is allotted for offsite backup. Maintenance of hardware and software is done through an AMC contract, the details of which were verified: Service Provider: Wizertech Informatics Pvt. Ltd., Kolkata, Order Ref: ERLDC/C & M/ 949/ AMC-Facility Management-2011-2012/4666 dated 30/01/12, valid till 28/02/13. A separate confidentiality agreement was signed between POSOCO and Wizertech on 18.03.2012 for 5 years.
Maintenance of SCADA is done through an AMC contract with the authorized service partner of the OEM, Service Provider: Areva T & D India Ltd., Noida, Order Ref: ERLDC/C & M/ AMC-VLDC/09-10/11449-1457 dated 15/02/10, valid till 28/02/13. Verified the SCADA uptime KPI and RTU reporting KPI for the third quarter; both are recorded as 100.00 as on 31.12.2012 against target KPIs classified as Excellent = 99.500, Very good = 98.000, Good = 96.000, Fair = 94.000 and Poor = 92.000.
The main IT KPIs are website availability and intranet availability. Website uptime in the 2nd quarter was recorded as 99.580 (as on 22.06.2012) and intranet uptime in the 3rd quarter as 96.670 (as on 18.12.2012).
Patch management is a manual process at ERLDC Kolkata. Patches are applied to the systems after generation and validation of a Belarc report for every asset. Updated MS patch verified on dB server-2, ERLDC/SERV/008, 192.168.64.99, date of installation 09.02.2013. Symantec Endpoint Security V11 is the antivirus in use at ERLDC; it was last updated on 17.02.2013, verified at ERLDC/PC2/1065.
Activities are performed to ensure business continuity as per the approved business continuity plan vide doc id DSC/ISMS/business continuity plan ver 2.0 dated 20.12.2012.
Incidents are reported through the intranet portal (http://192.168.64.105/break.aspx). Verified the logged call history vide ticket no. BRKNO. 2013001, dated 01.01.2013, issue time 10.05 AM and call closure time 12.15 PM, adhering to the internal SLA. Also verified the breakdown call report from service partner Wizertech Informatics (P) Ltd, vide call no 14353 dated 08.01.2013.
Establishment (Human Resource) Auditee: G.K. Kundu
The main responsibility of the HR function at ERLDC Kolkata is to maintain personal files and execute the training programme according to the yearly training plan prepared by the H.O. The HR department maintains 15 KPIs. Verified one of the KPIs, HR Training Programme on IMS/Year, which is 1. Training was conducted during 28th & 29th August 2012; a total of 13 employees participated, and the effectiveness of the training was evaluated by the MR and reported satisfactory.
Training needs are identified through TNA. Training details of Mr Abhijit Bhuina (Engg-Mo) verified: the identified training need was Basic Programme on SCADA, training was conducted between 26/11/12 and 30/11/12 by a competent external agency on the same topic, and details are verified in the Training Record Sheet.
Personal file of existing employee Ms. Rosy Sinha (Emp id 02303) verified. Date of joining is 12.09.2012. All required documents are maintained as per the requirement.
Market Operation (Commercial & Financial Services) Auditee: Nadim Ahmad
The department captures and maintains meta data for preservation. The actual data is compared with the schedule data and forwarded to the ERPC on a weekly basis for preparing bills. Weekly data is backed up on an external HDD (asset id: ERLDC/POSOCO/EHDD/160). Other activities are Metering, Energy Data Collection, Data Processing, UI calculation and settlement of bills. Verified the last meta data email to ERPC for the period 4th to 10th February 2013; it was told that the relevant bill is expected to be published by 25th February 2013. Verified the last released bill for the period 28th January to 3rd February 2013. Commercial services are governed from the HO and all relevant data is published at the URL http://www.eastrpc.org. Also verified the following activities of commercial services:
UI for DVC on 31/01/13 was -1904.43 MWH.
Congestion Charge Account management: Rs 398102 is receivable to DVC as per the report published on 06/12/12.
Short Term Open Access Management: verified for JSEB on 19/02/13, Application No: 283, Acceptance No: ERLDC/2013/4045/D, Schedule Request: 100 MW.
The entire process flow was found to comply with the documented procedures, adhering to all information security requirements. 100% of KPIs met.
Establishment (Technical Services & Operational Services) Auditee: P. Chaudhury
Technical and operations services cover maintenance of the facility and technical utilities and also take care of building management systems. All types of PM and BDM records are maintained in the department and the SLA adherence of vendors is evaluated. The following maintenance records were verified:
DG maintenance contract vide doc id ERLCD/C&M/993/AMC-400 KVA DG Set /2012/3132 dated 18.10.2012. Confidentiality agreement mentioned in point no. 15 of annexure III. Last maintenance service record verified vide GD/SR/C&M/002/01 dated 30.01.2013.
AMC contract with Honeywell for fire detection and alarm vide doc id ERLDC/C&M/924/AMC/Fire Alarm/2011/1746 dated 30.08.2011, valid till 31.08.2013. Separate NDA signed with vendor. Last preventive service record verified vide memo BWID-021-F7, Rev 02 dated 13.02.2013.
AMC contract for AC plant maintenance vide doc ERLDC/C&M/972/AMC-AC Plant/2012/634, valid till 30.04.2013. Separate NDA signed with vendor. Last maintenance service report verified vide memo no. 00804960 dated 31.01.2013.
To ensure business continuity each DG set undergoes a test run every week for 15 mins. Verified the last week’s test run record register for 13th February, 2013. The 4 earth pits are well maintained and resistance is measured at a regular frequency (once per year). Verified the records dated 23.04.2012 as 0.49, 0.56, 0.91 and 0.98 ohms respectively for the 4 earth pits.
Fire mock drill conducted on 13.08.2012. Verified record vide doc id ERLDC/IMS/Record/010. All 30 employees participated in the drill and evacuated the facility. The identified fire marshals are M.K. Dey, T. Chakraborty, P. Mitra and K.P. Paul.
**Observations**
1. A process of reviewing the service reports may be put in place to ensure effectiveness.
2. Control over outsourced maintenance activities may be further reviewed.
Summary of NLDC (Delhi) findings
Location specific ISO function (Asset Register Review, Internal Audit, Corrective and Preventive Action, MRM for NLDC)
Verified the integrated manual for ISO 9001, 14001, 18001 and ISO 27001: POSOCO/IMS/Manual Rev 2.0 dated 15/01/2013. The manual adequately describes the Scope, Roles and Responsibilities and Structure of the Organisation.
Verified ISMS Policy NRLDC_ISMS Policy Framework_POSOCO Ver 1.0 dated 21 Feb 2011, which sets out policies regarding all aspects of the various controls applied, and found it to meet the requirements.
Verified IS Policy PSC/ISMS2013/013_corporateinformation security_Policy_POSOCO ver 2.0 dated 15/01/2013; it was reviewed and found to be adequate.
Risk criteria verified as contained in the Risk Assessment & Treatment Plan.
The organization has constituted an “Information Security Management Forum”, and this was verified.
ISMS Objectives were verified.
Reviewed the Risk Assessment & Treatment Plan, which sets out the Asset Name, Asset Value, Threat and Threat Probability, and Vulnerability, and identifies the Risk. The same was reviewed for CRM, DG, Finance, IT, Market Operations, Open Access, SCADA, SO-II and SO-I.
The last Internal Audit was done on 22 Jan 2013. Verified records of the Internal Audit, which had 16 observations.
MRM was done twice in the last one year; records verified for the MRMs done on 16/08/2012 and 04/02/2013. MRM found to be covering all aspects of Management Review except effectiveness measurement.
Minor Non-conformities
YP/01/A 7.2.2 - As per Organization Document No. PSC/ISMS2013/017_information labelling and Handling policy dated 15/01/2013, labelling in terms of Confidential, Internal and Public was not found to be implemented.
YP/02/A15.1.6 - As per Organization Document No. PSC/ISMS2013/017_information labelling and Handling policy dated 15/01/2013, the transmission of confidential material shall be done by encrypted means; but control A15.1.6 has been justified as excluded from the current applicable SOA POSOCO/IMS/SOA ver 2.0 dated 15/01/2013.
OFI’s
1. Records of Internal Audit should not only be in terms of gaps identified; “Conformity” findings should also be mentioned in the report.
2. MRM should cover the effectiveness measurements in detail.
3. ISMS Objectives should be clearly measurable and consistent with the ISMS Policy.
Process - Site Visit / Physical Security / Contracts / Technical Services
Clauses: A9
The outer security perimeter of the organisation is a manned reception desk at the entrance, manned by CISF. The following registers are used at the reception for physical entry controls:
Visitor Register
Visitor Passes
The second security perimeter, in terms of access controls for the sensitive areas of SCADA and the control room, was found to be adequate.
Fire protection is in terms of fire extinguishers; no sprinkler system etc. exists. Verified the Fire Emergency Plan dated December 2009. A fire mock drill and evacuation drill was rehearsed on 14/02/2013.
Electricity Board supply is backed by two generators, which are further backed by 2 UPSs of 40 KVA, 200 AHC each.
Verified “earthing” arrangements for routers and servers on the ground floor and first floor in the control room. These were found to be earthed.
Verified UPS AMC contract with M/s Rielio PCI India Pvt Ltd. dated 08/02/2013.
OFI’s
1. The time for which the UPS batteries will last if the generators are not available should be calculated, and the time within which generator faults must be repaired as per contract should be matched to it, so that generators are repaired within the time the batteries will last.
Process - Location IT Operations Support
Clauses: A.10, A.11
The organisation has separate SCADA servers and IT application servers, which are in redundant mode locally. All the servers are adequately controlled as per the applicable security controls except for A 10.10.2.
For IT operations, the organisation has two ISPs, TULIP and SIFY, both of 4 MBPS capacity. SCADA connectivity is provided by the parent company POWERGRID and is of 4 x 64 KBPS capacity with 100% redundancy. Backups are being taken after 12 hours. Backup Policy PSC/ISMS2013/06_Backup_Policy_POSOCO ver 2.0 dated 15/01/2013 was reviewed and found to be adequate.
Passwords are handled as per the Password Policy, PSC/ISMS/2013/05_PasswordProtection_Policy_POSOCO ver 2.0 dated 15/01/2013, which was reviewed and found to be adequate.
User passwords are issued by IT and are to be changed every 30 days; however no review of the same was evidenced.
Minor Non Conformity - YP / 01 / A 10.10.2: The control regarding monitoring of SCADA servers was not evidenced.
OFI - Review of passwords should be undertaken to ensure effectiveness of controls.
Process - HR and Training (Auditees – Narayan R; S S Prasad)
Clauses: A.8
The process is well controlled in terms of the controls to be applied for recruitment, employee induction, compliance with legal and administrative requirements, exit actions etc.
Screening and verification of personnel is carried out by way of police verification.
The records/files of Akhil Singhal, Anamika, and Harish Rathore were verified.
Confidentiality and NDA agreements are signed by way of an undertaking taken from individuals as regards their CDA rules.
Access rights are deleted by IT on HR’s initiative; verified for the above mentioned employees.
OFI - Awareness regarding ISMS among new joinees needs to be improved.
Process - Commercial Services/Market Operations (Auditees – Kavita Parihar, H Chawla)
Deals with Energy Accounting and Open Access.
The asset register and controls for the process were reviewed and found to meet the requirements.
The process is well controlled as per the applicable controls.
No Observations
Process – Finance Department
The asset register and controls for the process were reviewed and found to meet the requirements.
The asset “Bank Statements” was taken as a sample and reviewed for controls. The process is well controlled as per the applicable controls.
No Observations
Process – Operations
The process is responsible for drawal of power.
The asset register and controls for the process were reviewed and found to meet the requirements.
The sensitive server/software for SCADA is segregated from other information processing assets.
The SCADA setup has 100% redundancy for all assets in the form of machines/software and connectivity.
No Observations
Summary of NRLDC findings
Process - Organization presentation by ISO team (Auditees – Ashok Nijhawan, D Dey)
Location specific ISO function (Asset Register Review, Internal Audit, Corrective and Preventive Action, MRM for NRLDC)
Verified ISMS Policy NRLDC_ISMS Policy Framework_POSOCO Ver 1.0 dated 21 Feb 2011, which sets out policies regarding all aspects of the various controls applied, and found it to meet the requirements.
Risk criteria verified as contained in the Risk Assessment & Treatment Plan.
The organization has constituted an “Information Security Management Forum”, and this was verified.
ISMS Objectives were verified.
Reviewed the Risk Assessment & Treatment Plan, which sets out the Asset Name, Asset Value, Threat and Threat Probability, and Vulnerability, and identifies the Risk. The same was reviewed for CRM, DG, Finance, IT, Market Operations, Open Access, SCADA, SO-II and SO-I.
The last Internal Audit was done on 22 Jan 2013. Verified records of the Internal Audit, which had 23 observations, of which 07 are pending.
MRM was done twice in the last one year; records verified for the MRMs done on 16/08/2012 and 04/02/2013. MRM found to be covering all aspects of Management Review except effectiveness measurement.
OFI’s
1.0 Records of Internal Audit should not only be in terms of gaps identified; “Conformity” findings should also be mentioned in the report.
2.0 MRM should cover the effectiveness measurements in detail.
Process - Site Visit / Physical Security / Contracts / Technical Services (Ashok Nijhawan, D Dey)
Clauses: A9
The security perimeter of the organisation is only a manned reception desk at the entrance, manned by CISF. The following registers are used at the reception for physical entry controls:
1. Visitor Register
2. Visitor Passes
No second security perimeter in terms of access controls for the sensitive areas of SCADA and the control room was found.
Fire protection is in terms of fire extinguishers; no sprinkler system etc. exists. Verified the Fire Emergency Plan dated December 2009. A fire mock drill and evacuation drill was rehearsed on 14/02/2013.
Electricity Board supply is backed by two generators, which are further backed by 2 UPSs of 40 KVA, 200 AHC each.
Verified “earthing” arrangements for routers and servers on the ground floor and first floor in the control room. These were found to be not earthed.
Verified AMC contract for Generator and AMF Panel with M/s Emerson Networks Power India Limited, dated 31/03/2013.
OFI’s
1. The time for which the UPS batteries will last if the generators are not available should be calculated, and the time within which generator faults must be repaired as per contract should be matched to it, so that generators are repaired within the time the batteries will last.
2. All IT machines, i.e. servers, should be properly earthed.
Process - Location IT Operations Support (Process Owner – Ashok Nijhawan, D Dey)
Clauses: A.10, A.11
The organisation has separate SCADA servers and IT application servers, which are in redundant mode locally. All the servers are adequately controlled as per the applicable security controls except for A 10.10.2.
For IT operations, the organisation has two ISPs, TULIP and SIFY, both of 4 MBPS capacity. SCADA connectivity is provided by the parent company POWERGRID and is of 4 x 64 KBPS capacity with 100% redundancy. Backups are being taken after 12 hours. Backup Policy PSC/ISMS2013/06_Backup_Policy_POSOCO ver 2.0 dated 15/01/2013 was reviewed and found to be adequate.
Passwords are handled as per the Password Policy, PSC/ISMS/2013/05_PasswordProtection_Policy_POSOCO ver 2.0 dated 15/01/2013, which was reviewed and found to be adequate.
User passwords are issued by IT and are to be changed every 30 days; however no review of the same was evidenced.
Minor Non Conformity - YP / 01 / A 10.10.2: The control regarding monitoring of SCADA servers was not evidenced.
OFI - Review of passwords should be undertaken to ensure effectiveness of controls.
Process - HR and Training
Clauses: A.8
The process is well controlled in terms of the controls to be applied for recruitment, employee induction, compliance with legal and administrative requirements, exit actions etc.
Screening and verification of personnel is carried out by way of police verification.
The records/files of Sameer Saurabh, Rinky Narang, and Rakesh Kumar Meena were verified.
Confidentiality and NDA agreements are signed by way of an undertaking taken from individuals as regards their CDA rules.
Access rights are deleted by IT on HR’s initiative; verified for the above mentioned employees.
OFI - Awareness regarding ISMS among new joinees needs to be improved.
Process - Commercial Services/Market Operations
Deals with Energy Accounting and Open Access.
The asset register and controls for the process were reviewed and found to meet the requirements.
The process is well controlled as per the applicable controls.
No Observations
Process – Finance Department
The asset register and controls for the process were reviewed and found to meet the requirements.
The asset “Bank Statements” was taken as a sample and reviewed for controls. The process is well controlled as per the applicable controls.
No Observations
Process – Operations Services
The process is responsible for drawal of power. The asset register and controls for the process were reviewed and found to meet the requirements. The sensitive server/software for SCADA is segregated from other information processing assets.
The SCADA setup has 100% redundancy for all assets in the form of machines/software and connectivity.
No Observations
Summary of NERLDC (Shillong) Findings A.6, A.7, A.9, A.10, A.11
System Logistics A.9.2.2, A.9.2.3, A.10, A.11
B. S. Roy – Chief Manager, Prashant Kumar Das - Sr. Engineer
The Systems Logistics department is responsible for all IT support and auxiliary services (HVAC, lift, DG sets, UPS) including VoIP, telephony, video conferencing and voice recorder surveillance, as well as SCADA modelling, EMS, database maintenance, intranet maintenance, website maintenance, communication links management and IT hardware management. The changes to the infrastructure during the review period have been the implementation of 2 storage systems for the file server, an increase of the DVR server storage capacity to 60 days, an increase in the number of CCTV cameras from 4 to 14, and a separate biometric-based attendance recording system and a proximity card based access control system.
Symantec End Point Protection is used on all desktops, laptops and servers for anti-virus protection; a WSUS server is installed for Microsoft Windows XP, Windows 7 and MS Office 2003 patch management. The facility has 2 internet links and 1 leased line for the WAN connecting to the head office in Gurgaon. All links terminate on a Cyberoam UTM device. Access to prohibited sites is disabled through the UTM device. Webmail is however not blocked, as these services are permitted for use. USB ports have also not been blocked; however an undertaking is taken from all employees against misuse of USB devices. The responsibility for backup is left to the individual departments.
The password length has recently been increased from 5 characters to 6 characters.
Wireless LAN has been implemented using WPA2 Personal encryption, and furthermore all devices that can access the wireless LAN are bound by their MAC address.
Daily log sheets of the DG sets (1 x 160 KVA and 1 x 200 KVA) and UPS battery checkups were evidenced.
Human Resources, Administration and Physical Security A.7, A.8, A.9
V. F. Desouza – Chief Manager
The department is responsible for physical security, housekeeping, welfare activities, establishment functions (leave records, training records, loans and advances), Rashtra Bhasha and hospitality.
All recruitment to executive and above levels is managed centrally from the head office. For staff below executive level who are recruited locally, background verification is done in the form of verifying educational qualifications, medical records, character/antecedent verification for the last 3 years from the state authorities, and verification of caste certificates where applicable.
Joining formalities for recruitment to executive levels are done centrally and for non-executives locally.
The authority for accepting resignations for executives lies with the head office and for non-executives with the local management. All dues are settled locally and a no-dues certificate is obtained from all associated departments and support functions for the return of company assets.
At least 6 man-days of training per annum for each employee is a corporate mandate. Training needs analysis is completed by January and the Training Calendar is finalized centrally by April in the form of the HRD Learner’s Planner.
System Operation 1 / Grid Management A.7, A.11.3
N R Paul DGM SO1
The team is responsible for real time grid operation and Short Term Open Access transaction processing.
The team size is 3 per shift and the department operates 24x7. This department is the user of the online power systems data which the SCADA department collects and presents in graphical form on the large display unit. The responsibilities of the department are monitoring of the North East Region grid for the electrical parameters of voltage, frequency, line loading, power generation and power drawal for inter-state grid system operation, load dispatching, and North East Region Day Ahead Scheduling of power requirements for the generating stations.
Market Operations (MO) A.7, A.11.3
R Sutradhar DGM
The department is responsible for accounting the power intake and transmission from the substations and generating stations of the central sector in the north eastern region. This is done through the monitoring of 250 Special Energy Meters (SEMs) installed at 56 metering locations, data processing and computation, energy accounting, Day Ahead Scheduling, and the settlement system consisting of unscheduled interchange accounting, open access disbursement, reactive disbursement among the participants if there is a voltage deviation of more than +/- 3%, and reporting of under-drawal or over-drawal of power by any of the participants to the Central Electricity Regulatory Commission (CERC).
Technical Services / SCADA A.7, A.10, A.11
M. Hussain – Chief Manager
The department is responsible for collection and visualization of online power systems data for grid management for the NERLDC.
The data is collected through communication links from Remote Terminal Units (RTU) at the various sub-stations and power
generating units in the North Eastern region. This data is then stored in the Data Servers which are specialized dedicated systems
running the VMS operating system. The data so collected is then consolidated and visually displayed in the BARCO display unit in the
Grid Management control centre. There are 2 Data servers for redundancy purposes. The SCADA system is physically separated from
the POSOCO Office LAN through a firewall.
Contracts and Materials A.6, A.7, A.9
Kaushik Sharma – Chief Manager
The department is responsible for the procurement of all goods, equipment and services. These are procured based on the Works & Procurement Policy and Procedure.
NDA and confidentiality agreements are signed by all IT related vendors.
Asset Register, Internal Audit and MRM for NERLDC Clause 4 - 8
V. Kaikhochin DGM System Logistics and MR
The asset register is maintained department-wise and reviewed once annually. Some observations from the last CAV, e.g. storing the SCADA server administrator password in a sealed envelope with the Department Head and increasing the minimum length of the domain password, have been implemented. The annual ISMS Internal Audit was conducted on Jan 22 – 24, 2013. The MRM was conducted on Feb 15, 2013.
**Observations**
1. Some of the new assets installed during the year have not been identified in the Asset Register.
2. The new Asset Register and Risk Assessment template has not yet been implemented.
**Opportunities for Improvement**
1. The access control on the fire exit door may be integrated with the fire alarm panel so that it automatically de-activates in an emergency.
Nonconformities Raised at Last Assessment.
Ref Area/Process Clause
A686259/1 Confidential Agreement A6.1.5
Details: NDA, not evidenced with vendor Quantam & Consularies Technologies Solution Pvt Ltd.- Location Mumbai
Requirements:
Assessment Report.
Report Author Suresh Dattatraya
Haridas Page 20 of 28
Visit Start Date 18/02/2013
Objective
Evidence:
Actions: Evidenced and verified NDA with Quantam dated 27/1/2012 valid for 5 years.
Closed?: Yes
Ref Area/Process Clause
A686259/2 Classification & Labelling A 7.2.1 & A.7.2.2
Details: No labelling and classification followed across all the departments. :Location- Mumbai
Requirements:
Objective
Evidence:
Actions: Labelling have been evidenced . NC is partially closed. Classification is in progress. Implementation will be
verified during next Audit
Closed?: No
Ref Area/Process Clause
A686259/3 Review of access user rights A.11.2.4
Details: Review frequency of user access rights needs to be established and to be reviewed as per the defined
frequency for privilege access. Minor non conformance under. Kolkatta- Location
Requirements:
Objective
Evidence:
Actions: Access control privileges have been clearly defined in ERLDC/SL/2012 on 11.03.2012 by Mr. A.B. Banerjee
and approved by AGM (MO)/MR.
Closed?: Yes
Ref Area/Process Clause
A686259/4 Testing of BCP A14.1.5
Details: Testing of BCP Plan not evidenced as per the desired frequency. Kolkatta- Location
Requirements:
Objective
Evidence:
Actions: BCP record verified dated 15.03.2012. Also the MOM of Crisis Management conform the closure.
Closed?: Yes
Assessment Report.
Report Author Suresh Dattatraya
Haridas Page 21 of 28
Visit Start Date 18/02/2013
Ref: A686259/5 | Area/Process: Identification of Assets | Clause: 4.2.1
Details: Risk assessment for service assets in technical services (e.g. vendors) not evidenced. Location: Kolkata
Requirements:
Objective Evidence:
Actions: Section 3 of the document Risk Assessment & Mitigation Report Ver 02 dated 15.01.2013 confirms the closure by adding the proper service assets.
Closed?: Yes
Ref: A686259/6 | Area/Process: Corrective and Preventive Action | Clause: 8.2 & 8.3
Details: With reference to the audit findings of the external audit report, the root cause analysis and effective corrective and preventive action were not evidenced. Location: Bangalore
Requirements:
Objective Evidence:
Actions: There is no evidence of a corrective and preventive action plan for the previous BSI audit report of 13th Feb 2012 (11 observations, 1 minor NC). Clause 8.2 / 8.3
Closed?: No
Minor Nonconformities Arising from this Assessment.
Ref: A848170/1 | Area/Process: Monitoring | Clause: A.10.10.6
Details:
Requirements: Clock synchronization - The clocks of all relevant information processing systems within an organization or security domain shall be synchronized with an agreed accurate time source.
Objective Evidence: It was evidenced during the audit that the CCTV surveillance system of POSOCO has a time difference of 4 mins 35 secs from the access control system and the server time of the facility.
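A finding like the one above is what a routine clock-skew check surfaces before an auditor does, and it also explains why CCTV, access-control and server logs for the same incident cannot be lined up until the offset is known. The following Python is an added example, not part of the BSI report or of POSOCO's ISMS documentation. It assumes a 5-second tolerance (the report states none) and uses constructed clock readings: the CCTV entry reproduces the 4 min 35 s offset from the finding, the other values are invented. It shows the periodic check and how to translate a timestamp from a drifting system back into reference-clock time so events can still be correlated while the synchronization is being fixed.

```python
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Agreed tolerance for clock drift between systems. Assumed policy value for
# this example; the report gives no figure, so substitute the one your
# time-synchronization procedure specifies.
MAX_SKEW = timedelta(seconds=5)

# Constructed sample readings: each tuple records what a system's clock showed
# at the moment the reference (NTP-disciplined server) clock was read. The CCTV
# entry reproduces the 4 min 35 s offset from the audit finding; the others are
# invented values for illustration.
SAMPLE_READINGS = [
    # system            reference clock         system clock
    ("server",          "2013-02-18 10:00:00", "2013-02-18 10:00:00"),
    ("access_control",  "2013-02-18 10:00:00", "2013-02-18 10:00:02"),
    ("cctv",            "2013-02-18 10:00:00", "2013-02-18 10:04:35"),
]


def parse_ts(text):
    return datetime.strptime(text, TS_FORMAT)


def clock_skew(reference, observed):
    """Signed offset of a system clock from the reference (positive = ahead)."""
    return parse_ts(observed) - parse_ts(reference)


def check_clocks(readings, tolerance=MAX_SKEW):
    """Return {system: skew} for every system whose clock is outside tolerance.

    An empty dict means all sampled clocks agree with the reference, which is
    the evidence control A.10.10.6 asks for.
    """
    findings = {}
    for system, reference, observed in readings:
        skew = clock_skew(reference, observed)
        if abs(skew) > tolerance:
            findings[system] = skew
    return findings


def normalise_event_time(system, event_ts, readings):
    """Translate a timestamp recorded by `system` into reference-clock time.

    Subtracting the measured skew lets CCTV, access-control and server events
    be placed on one timeline even before the clocks themselves are corrected.
    """
    skews = {s: clock_skew(r, o) for s, r, o in readings}
    return parse_ts(event_ts) - skews[system]


def format_skew(skew):
    """Render a timedelta the way an audit finding would state it."""
    total = int(abs(skew.total_seconds()))
    sign = "+" if skew >= timedelta(0) else "-"
    return f"{sign}{total // 60} min {total % 60} s"


if __name__ == "__main__":
    for system, skew in check_clocks(SAMPLE_READINGS).items():
        print(f"{system}: clock skew {format_skew(skew)} exceeds tolerance")
    # A badge event seen on CCTV at 10:04:35 camera time really happened at
    # 10:00:00 reference time.
    corrected = normalise_event_time("cctv", "2013-02-18 10:04:35", SAMPLE_READINGS)
    print("CCTV event in reference time:", corrected.strftime(TS_FORMAT))
```

Run the check from the same place the reference clock is read (the NTP-synchronized server) and keep the output with the monitoring records; a dated list of systems found within tolerance is the kind of objective evidence the clause asks for, and a non-empty result is the trigger to correct the offending clock rather than to keep adjusting log timestamps by hand.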
Ref: A848170/2 | Area/Process: Internal Audit | Clause: 6
Details:
Requirements: Internal ISMS audits
The organization shall conduct internal ISMS audits at planned intervals to determine whether the control
objectives, controls, processes and procedures of its ISMS:
a) conform to the requirements of this International Standard and relevant legislation or regulations;
b) conform to the identified information security requirements;
c) are effectively implemented and maintained; and
d) perform as expected.
An audit programme shall be planned, taking into consideration the status and importance of the processes
and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and
methods shall be defined. The selection of auditors and conduct of audits shall ensure objectivity and
impartiality of the audit process. Auditors shall not audit their own work.
The responsibilities and requirements for planning and conducting audits, and for reporting results and
maintaining records (see 4.3.3) shall be defined in a documented procedure.
The management responsible for the area being audited shall ensure that actions are taken without undue
delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the
verification of the actions taken and the reporting of verification results (see 8).
NOTE: ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing, may
provide helpful guidance for carrying out the internal ISMS audits.
Objective Evidence: It was observed during the audit that two minor nonconformities had been identified in the last internal audit, conducted on 23rd & 24th January 2013, in the physical security and systems logistics departments, but no evidence of discussion of these in the MRM held on 11.02.2013 was found; hence allocation of responsibility for closure and a target date have not been recorded in the MOM.
Ref: A848170/3 | Area/Process: Responsibility of assets | Clause: A.7.2.2
Details:
Requirements: Information labelling and handling - An appropriate set of procedures for information labelling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization.
Objective Evidence: Per Document No. PSC/ISMS2013/017_information labelling and Handling policy dated 15/01/2013, labelling in terms of Confidential, Internal and Public was not found to be implemented.
Location: NLDC Delhi
Ref: A848170/4 | Area/Process: Compliance | Clause: A.15.1.6
Details:
Requirements: Regulation of cryptographic controls - Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.
Objective Evidence: As per Organization Document No. PSC/ISMS2013/017_information labeling and Handling policy dated 15/01/2013, the transmission of confidential material shall be done by encrypted means; but control A.15.1.6 has been justified as excluded from the currently applicable SOA POSOCO/IMS/SOA ver 2.0.
Ref: A848170/5 | Area/Process: Monitoring | Clause: A.10.10.2
Details:
Requirements: Monitoring system use - Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly.
Objective Evidence: A.10.10.2 - The control regarding monitoring of SCADA servers was not evidenced. User passwords are issued by IT and are to be changed every 30 days; however, no review of this was evidenced.
Assessment Participants.
On behalf of the organisation:
Name Position
At WRLDC
P.Pentayya GM
V.K.Srivastava AGM
Abhimanyu Gartia DGM (LO-I)
Sanjay Gupta CM (Fin)
N.Roy DGM (LO-II)
K.Muralikrishna CM (MO-II)
Harish Patel Mgr (IT)
S.K.Saha Mgr (Lo-I)
Amit Prasad Gupta Sr.Engr (LO-I)
Ankur Gulati Engr(LO-I)
Madhubanti Personnel Officer (HR)
Vivek Singh Asst. Engr (IT)
SRLDC
P.R.Raghuram ED, SRLDC
G.ANBUNESAN DGM
V.Suresh DGM / MR
V.Balaji DGM
M.K. Ramesh CH.MANAGER
Jane Jose CH.MANAGER
T.Srinivas CH. MANAGER
S.P.Kumar CH.MANAGER
T.Kalanithy CH MANAGER
N.R.C.Babu CH.MANAGER
F.Badruzzama Begum CH.MANAGER
Rakesh Kumar MANAGER
Shamreena Varghese MANAGER
Pramod Singh DY.MANAGER
M. Nagendra Kumar DY. MANAGER
N.S Gopalakrishnan Dy.Mgr
G Madhukar Sr Engineer
Pramod Singh SR. ENGINEER
M.Venkateshan SR. ENGINEER
Kamalesh Kumar Engineer
B.R.Suresh ENGINEER
Abdullah Siddique ENGINEER
NLDC/NRLDC
SK Soonee CEO
V.K.Agrawal ED
V.V.Sharma GM
A. Mani GM
D.K.Jain AGM
S.S.Prasad AGM
H.K.Chawla DGM
Minaxi Garg DGM
Devendra Kumar DGM
Anil Chadha DGM
P.K.Agarwal DGM
Debashish De DGM
Y.P.Gupta DGM
Priti Chaturvedi Company Secretary
Ashok Nijhawan Ch. Manager
S.C.Saxena Ch. Manager
Jyoti Prasad Ch. Manager
A.K.Marwaha Ch. Manager
Gurmit singh Manager
Mitra Sain Engineer
Shailendra Kr. Verma Sr. Engineer
Rinku Narang Jr. Technician
NERLDC
T.S.Singh GM
V. Kaikhochin DGM
N.R.Paul DGM
Rajib Sutradhar DGM
S.C.De Ch. Manager
V.F.Desouza Ch. Manager
T.K.Mondal Ch. Manager
B.S.Roy Ch. Manager
M. Hussain Ch. Manager
K. Sharma Ch. Manager
R.C.Dey Manager
Sh. Shadruddin Manager
Babul Roy Dy. Manager
Biswajeet Medhi Dy. Manager
Prasanta Das Sr. Engineer
P.Bhattacharya Sr. Engineer
Rahul Chakraborty Engineer
Pinki Debnath Engineer
Anupam Kumar Engineer
Manoj Kumar Jha Jr. Engineer
B.S.Jamatia Jr. Engineer
B.K.Dey Sr. Supervisor
ERLDC
P. Mukhopadhyay GM/MR
A.B. Sengupta Engineer ( SL)/IA
U K Verma GM( ERLDC)
G K Kundu Dy Manager - HR
S Konar Manager MIS
G Chakraborty CM ( MO)
P Chaudhury Manager TS
Nadim Ahmad Sr Engineer ( SO)/IA
P S Das CM ( SO)
Saurabh K Sahay Engineer (SS)
D K Srivastava AGM ( SO)
The assessment was conducted on behalf of BSI by:
Name Position
Nanjappa Bangalore Team member
Kapil Raina Team member
Lt.Col Yashpal Team member
Tathagata Datta Team member
Suresh Dattatraya Haridas Team leader
Continuing Assessment.
The programme of continuing assessment is detailed below.
Site Address Certificate Reference/Visit Cycle
Western Region Load Despatch Center
Plot no F3, MIDC Area,Marol
Opposite SEEPZ, Andheri, East
Mumbai
Maharashtra
400093
India
IS 571620
Visit interval: 12 months
Visit duration: 7 hours
Next re-certification: 01/12/2015
Re-certification will be conducted on completion of the cycle, or sooner as required. An entire system re-assessment visit will be required.
Re-certification Plan.
Visit 1 Visit 2 Visit 3 Visit 4 Visit 5 Visit 6
Business area/Location Date (mm/yy): 1/14 1/155 1/16
Duration (days): 3.5 3.5
(Scope and Policy, Organisation, Internal Audits, Management
Reviews, Continual Improvement, Incident Management,
Y Y Y
At NLDC/CC/NRLDC, WRLDC, ERLDC,NERLDC, SRLDC Y Y Y
Physical security ( Establishment) Y Y Y
Contract Services /Technical services ,( Establishment) Y Y Y
Human Resources( Establishment) Y Y
Operational services Y Y Y
Finance( Establishment) Y Y
Commercial services( Market Operation) Y Y
Grid Management Y Y Y
Information Technology including support for SCADA/EMS, Incident
management( Logistics)
Y Y Y
Recertification Y
Next Visit Plan.
Visit objectives:
CAV 1
Visit scope:
As per certificate
Date Assessor Time Area/Process Clause
Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation of the visit by the
organisation within 30 days of an agreed visit date.
Notes.
The assessment was based on sampling and therefore nonconformities may exist which have not been identified.
If you wish to distribute copies of this report external to your organisation, then all pages must be included.
BSI, its staff and agents shall keep confidential all information relating to your organisation and shall not disclose any such
information to any third party, except that in the public domain or required by law or relevant accreditation bodies. BSI staff, agents
and accreditation bodies have signed individual confidentiality undertakings and will only receive confidential information on a 'need
to know' basis.
This report and related documents are prepared for and only for BSI's client and for no other purpose. As such, BSI does not accept or assume any responsibility (legal or otherwise) or accept any liability for or in connection with any other purpose for which the Report may be used, or to any other person to whom the Report is shown or into whose hands it may come, and no other persons shall be entitled to rely on the Report.
Should you wish to speak with BSI in relation to your registration, please contact your customer service officer.
BSI Group India Private Limited
701, Seventh Floor,
Samarpan Complex,
New Link Road, Chakala,
Andheri-East,
Mumbai - 400 099,
India
Tel: +91 22 2826 0607 Telefax: +91 22 2826 0606
E-mail (for corrective action plans): bsimumbai@bsigroup.com
Appendices.
This report should be read along with the BSI audit report for the PAS99:2006 recertification held on 18th Feb 2013. For ISMS 27001:2005, the SOA applicability version 2.0 and date 15/1/2013 will not appear in the certificate. The address to be specified in the certificate is the corporate address and not the location zero address (i.e. WRLDC).
The corporate address is
Power System Operation Corporation
(A wholly owned subsidiary of Power Grid Corporation of India Ltd.)
B-9, Qutab Institutional Area,
Katwaria Sarai,
New Delhi 110 016.