Re Assessment Report - SRLDC ISMS_Assessment Report_2013.pdf

Report Author: Suresh Dattatraya Haridas
Page 1 of 28
Visit Start Date: 18/02/2013

Re Assessment Report

Power System Operation Corporation

Wholly Owned Subsidiary of POWERGRID.


Introduction.

This report has been compiled by Suresh Dattatraya Haridas and relates to the assessment activity detailed below:

Visit ref / Type / Date / Duration / Certificate / Standard / Site address

Visit ref: 7777400
Type: Re-certification Audit (RA Opt 2)
Date: 18/02/2013
Duration: 1 day(s)
No. Employees: 77
Certificate: IS 571620
Standard: ISO/IEC 27001:2005
Site address: Southern Load Despatch Center, 29, Race Course Cross Road, Bangalore, Karnataka, 560 009, India

Visit ref: 7777401
Type: Re-certification Audit (RA Opt 2)
Date: 18/02/2013
Duration: 1 day(s)
No. Employees: 47
Certificate: IS 571620
Standard: ISO/IEC 27001:2005
Site address: North Eastern Regional Load Despatch Center, Dongteih, Lower Nongrah, Lapalang, Shillong, Meghalaya, 793 006, India

Visit ref: 7777403
Type: Re-certification Audit (RA Opt 2)
Date: 18/02/2013
Duration: 1 day(s)
No. Employees: 84
Certificate: IS 571620
Standard: ISO/IEC 27001:2005
Site address: Northern Regional Load Despatch Center, 18-A, Shaheed Jeet Singh Sansanwal Marg, Katwaria Sarai, New Delhi, 110 016, India

Visit ref: 7959662
Type: Re-certification Audit (RA Opt 2)
Date: 19/02/2013
Duration: 1 day(s)
No. Employees: 41
Certificate: IS 571620
Standard: ISO/IEC 27001:2005
Site address: National Load Despatch Center, B-9 Qutab Institutional Area, Katwaria Sarai, New Delhi, 110 016, India

Visit ref: 7777402
Type: Re-certification Audit (RA Opt 2)
Date: 19/02/2013
Duration: 1 day(s)
No. Employees: 83
Certificate: IS 571620
Standard: ISO/IEC 27001:2005
Site address: Eastern Regional Load Despatch Center, 14, Golf Club Road, Tollygunge, Kolkata, West Bengal, 700 033, India

Visit ref: 7777399
Type: Re-certification Audit (RA Opt 2)
Date: 19/02/2013
Duration: 1 day(s)
No. Employees: 81
Certificate: IS 571620
Standard: ISO/IEC 27001:2005
Site address: Western Region Load Despatch Center, Plot no F3, MIDC Area, Marol, Opposite SEEPZ, Andheri East, Mumbai, Maharashtra, 400093, India

The objective of the assessment was to conduct a certification assessment to ensure that all elements of the proposed scope of registration and the entire requirements of the management standard are effectively addressed by the organisation's management system.

Management Summary.

Overall Conclusion

We are pleased to recommend the continuation of your registration and the issue of the new certificate. The areas assessed during the course of the visit were found to be effective.

Corrective actions with respect to nonconformities raised at the last assessment have been reviewed. Actions were not found to be effectively implemented in all areas. Such areas, identified in subsequent sections of the report, will be further reviewed for closure at the next assessment.

5 nonconformities requiring attention were identified. These, along with other findings, are contained within subsequent sections of the report.

A nonconformity relates to a single identified lapse, which in itself would not indicate a breakdown in the management system's ability to effectively control the processes for which it was intended. It is necessary to investigate the underlying cause of any issue to determine corrective action. The proposed action will be reviewed for effective implementation at the next assessment.

Please submit a plan to BSI detailing the nonconformity, the cause and your proposed corrective action, with responsibilities and timescales allocated. The plan is to be submitted no later than 26/02/2013 by e-mail or fax to the correspondence address below, referencing the report number.

Areas Assessed & Findings.

About POWER SYSTEM OPERATION CORPORATION

POWER GRID CORPORATION OF INDIA LIMITED is a Govt. of India Enterprise which is engaged in the business of transmission of power across the country by establishing a national grid and has been designated "Central Transmission Utility" by the Govt. of India. The purpose of establishing the national grid is to transmit power from the central generating stations to the beneficiary states and facilitate inter-regional power transfer. The Registered Office of POWERGRID is located at B-9, Qutab Institutional Area, Katwaria Sarai, New Delhi-110 016. POWER SYSTEM OPERATION CORPORATION came into existence on 01.04.2009 and is a wholly owned subsidiary of POWERGRID CORPORATION OF INDIA LIMITED. POSOCO, as it is abbreviated, has its corporate office at B-9, Qutab Institutional Area, Katwaria Sarai, New Delhi-110 016. POSOCO is assumed to take up the role of the Independent System Operator (ISO) in the Indian power sector. POSOCO comprises the corporate centre, the SO department and its Load Despatch Centres, which comprise the National Load Despatch Centre at Delhi, the Back-up National Load Despatch Centre at Kolkata and the Regional Load Despatch Centres (RLDC) located at Northern Region (NRLDC) New Delhi, Eastern Region (ERLDC) Kolkata, North Eastern Region (NERLDC) Shillong, Southern Region (SRLDC) Bangalore, Western Region (WRLDC) Mumbai, and National (NLDC) New Delhi.

ISMS Framework

The audit team appreciates the hospitality and co-operation extended during the Reassessment, which has been preponed by one year in order to integrate with other standards including PAS99:2006, ISO 9001:2008, ISO 14001:2004 and BS OHSAS 18001:2007.

In general the organisation has demonstrated a good level of security awareness generated from the services provided, as well as supporting training and awareness activities conducted by the department. The controls selected within the risk analysis and subsequent treatment plan have been identified as effective within the organisation. This will be monitored continuously during the subsequent assessment activities.

The Scope of the Integrated Management System (IMS) and the Security Policy with security control objectives are defined. The procedures for planning, operation and control are clearly defined and documented.

An effective organization structure for information security has been set up and maintained. Respective responsibilities and nominations have been defined in the IMS.

Management commitment for establishing, implementing, operating, monitoring and reviewing, maintaining and continually improving the IMS is observed. Respective personnel have been made aware, educated and trained on the Information Security requirements of the organization.

The areas assessed during the Re Assessment audit included review of CAV 1 report no 7673584 dated 13/2/2012 and CISO functions (Scope and Policy, Organisation, Internal Audits, Management Reviews, Continual Improvement, Incident Management, Compliance, BCP), Site tour, Physical security, Grid Operation (Grid Management, Operation services), Market Operation (Commercial services), Logistics (Information Technology including support for SCADA/EMS, and Incident management), and Establishment (Human Resources, Finance, Contract Services, Technical services). Six audit days have been delivered during the Re assessments at 6 locations including New Delhi (2), Bangalore, Kolkata, Shillong and Mumbai.

Scope, RA-RT, SOA, Internal Audits, MRM, BCP, Compliance: 4 to 8

Documents Referenced

1. POSOCO/IMS/Manual Rev 2.0, dated 15/1/2013 (Scope, Policy)
2. POSOCO/IMS/SOP Rev 2.0, dated 10/1/2013 (RA)
3. POSOCO/ISM/SOA Ver 2.0, dated 15/1/2013
4. POSOCO/IMS/SOP Ver 2.0, dated 10/1/2013, section 4.5.3.1 (Internal Audit)
5. POSOCO/IMS/Manual Rev 2.0, dated 15/1/2013, section 4.3.2 (Compliance)
6. POSOCO/IMS/OCP/16 Ver 2.0, dated 15/1/2013 (BCP)
7. Review of CAV 1 report no 7673584 dated 13/2/2012

1. Scope and Organisation

The scope and boundaries of the ISMS have been well defined. The scope addresses the main business of the company and the support services. The Security policy with the security control objectives is defined. The legal and regulatory requirements and compliances are identified and being addressed. The procedures for planning, operation and control are clearly defined, documented and maintained with appropriate access controls.

The scope includes the areas Grid Operation, Market Operation, Logistics and Establishment (Ref POSOCO/IMS/Manual Rev 2.0, dated 15/1/2013 (Scope, Policy), duly approved by CEO).

Scope is finalised as:

Power Systems Operation Corporation Limited, wholly owned subsidiary of POWERGRID, operates an Integrated Management System in compliance with PAS99:2006 which applies to operation and control of Load Despatch Centres as per IEGC (Indian Electricity Grid Code) and Electricity Act 2003, Market Operation, and O&M of SCADA, EMS and Communication systems associated with Generation and Transmission systems up to 1200 kV AC / 500 kV HVDC.

The Integrated Management System consists of ISO 9001:2008, ISO 14001:2004, OHSAS 18001:2007 and ISO/IEC 27001:2005 (SOA applicable date for ISMS 27001:2005 is Ver 2.0 dated 15/1/2013).

2. ISMS Organisation:

An effective organization infrastructure has been set up and is being maintained for information security. Nominations to the structure are stated, and respective responsibilities have been defined.

The organisation has undertaken a program to train, educate and make people aware of their respective information security responsibilities.

3. Site Tour/Physical security

POSOCO facilities were observed to be well laid out and planned, with physical access and environmental controls evident. Assets observed are tagged, and identification and labelling of infrastructure was observed. Storage bays and workstations are duly numbered. Two levels of security were evidenced, with a security guard at the entrance gate, frisking and a metal detector at the main entrance, and electronic access control into the offices. The work area is divided into functional zones with access controls in place at the floor entrances and Server room. The office main entrance area is manned with physical security present, maintaining records of visitors and movement of records (gate passes). Environmental controls are implemented and evident. Fire protection systems are installed and evident. Secure areas are defined and electronic access control systems installed. Asset Movement is handled by respective departments.

4. Risk assessment

Referred POSOCO/IMS/SOP Rev 2.0, dated 10/1/2013, Risk assessment methodology. Assets are identified and valued as follows:

Asset value (Av) = C + I + A (each rated 1 low to 3 high)
Vulnerability criticality = 1 to 3
Threat Probability = 1 to 3
Risk value = (Av * Vulnerability criticality * Threat Probability) / 3
Acceptable risk value = 3; risk values above 3 are mitigated.

Risk registers: System Operation 1 & 2 (Grid Management), LO1, LO2 (IT/SCADA/Contract and Technical services), Establishment (Finance/HR).

Risk assessment records of . Controls have been selected from Annexure A of ISO 27001:2005 and a Statement of Applicability has been prepared, post review and inclusion of the controls selected. Security controls have been implemented.

Sampled LO1: Assets identified include Physical assets, Document assets, Information assets, People assets, Service assets, and Software assets. Risk assessment and treatment has been evidenced.
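The scoring method above, worked through in code as an added example (not part of the audit report or POSOCO's own tooling): it values each asset from its C, I and A ratings, applies the risk formula, flags anything above the acceptable value of 3 for treatment, and enumerates which (Av, vulnerability, threat) combinations the method can ever accept. The sample register entries are constructed for illustration.

```python
"""Risk scoring as described in the POSOCO risk assessment methodology:
Asset value Av = C + I + A; Risk = (Av * Vulnerability * Threat) / 3;
acceptable risk value = 3, anything above 3 must be treated.
The sample assets below are constructed and are not from the audited registers."""
from dataclasses import dataclass
from itertools import product

ACCEPTABLE_RISK = 3.0   # risk values strictly above this must be mitigated
SCALE = (1, 2, 3)       # 1 = low, 3 = high, for every rating in the method


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int
    vulnerability_criticality: int
    threat_probability: int

    def __post_init__(self):
        # Reject anything outside the 1..3 scale before it reaches the formula.
        for field in ("confidentiality", "integrity", "availability",
                      "vulnerability_criticality", "threat_probability"):
            if getattr(self, field) not in SCALE:
                raise ValueError(f"{self.name}: {field} must be 1, 2 or 3")


def asset_value(asset: Asset) -> int:
    """Av = C + I + A, so it always lies between 3 and 9."""
    return asset.confidentiality + asset.integrity + asset.availability


def risk_value(asset: Asset) -> float:
    """Risk = (Av * Vulnerability criticality * Threat probability) / 3."""
    return round(asset_value(asset) * asset.vulnerability_criticality
                 * asset.threat_probability / 3, 2)


def needs_treatment(asset: Asset) -> bool:
    """The acceptable risk value is 3; strictly greater must be mitigated."""
    return risk_value(asset) > ACCEPTABLE_RISK


def evaluate_register(assets):
    """Return (name, Av, risk, decision) rows, highest risk first."""
    rows = [(a.name, asset_value(a), risk_value(a),
             "MITIGATE" if needs_treatment(a) else "ACCEPT") for a in assets]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def acceptable_combinations():
    """Every (Av, vulnerability, threat) triple the method accepts without
    treatment. Because Av is never below 3, vulnerability * threat must
    stay at or below 3, and at exactly 3 only an Av of 3 is acceptable."""
    return [(av, v, t) for av, v, t in product(range(3, 10), SCALE, SCALE)
            if av * v * t / 3 <= ACCEPTABLE_RISK]


# Constructed sample register (not the audit's LO1/LO2 registers).
SAMPLE_REGISTER = [
    Asset("SCADA/EMS server", 3, 3, 3, 2, 2),       # Av 9, risk 12.0 -> mitigate
    Asset("HR records cupboard", 3, 2, 1, 1, 2),    # Av 6, risk 4.0  -> mitigate
    Asset("Visitor register (paper)", 2, 2, 1, 1, 1),  # Av 5, risk 1.67 -> accept
    Asset("Notice board", 1, 1, 1, 3, 1),           # Av 3, risk 3.0  -> accept (boundary)
]

if __name__ == "__main__":
    for name, av, risk, decision in evaluate_register(SAMPLE_REGISTER):
        print(f"{name:28s} Av={av} risk={risk:5.2f} {decision}")
    print(f"{len(acceptable_combinations())} of 63 rating combinations are acceptable")
```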

Referred POSOCO/ISM/SOA Ver 2.0 dated 15/1/2013.

Controls excluded are: A.10.9.1, A.10.9.2, A.11.4.3, A.11.4.6, A.11.5.6, A.11.7.2, A.12.3.1, A.12.3.2, A.12.5.5, and A.15.1.6.

Other exclusions are justified.

Internal Audit 6.0

Internal audits are conducted by internal auditors (2 ISMS and 3 IMS auditors). Audits are planned and are being conducted. The internal audit process has been defined (Ref POSOCO/IMS/SOP Ver 2.0 dated 10/1/2013, section 4.5.3.1). The last internal audit was held on 15/1/13 and 18/1/13. The audit summary report dated 16/1/2013 for Jan 13 has been evidenced. The observations are followed up with RCA and corrective and preventive actions.

MRM 7.0

Management commitment for establishing, implementing, operating, monitoring and reviewing, maintaining and continually improving the ISMS is observed. The management review meetings (ISMF) are being held regularly every six months.

The last MRM was held on 8th Feb 2013, attended by the Unit head, HODs, MRs and CISO. The agenda is as per ISMS requirements; action items with ownership and timeline are specified.

Compliance A.15

Referred POSOCO/IMS/Manual Rev 2.0 dated 15/1/2013, section 4.3.2.

Compliance requirements are documented (IEGC, IE Act 2003, IPR Act, Regulations passed by CERC, CEA etc). The HOD sends a letter every quarter declaring compliance with regulatory acts. A Grievance committee headed by the Unit head covers employee litigations.


BCP A.14

Referred POSOCO/IMS/OCP/16 Ver 2.0 dated 15/1/2013. Failure scenarios and recovery time objectives are defined. Fire and terrorist drills are conducted.

DR will be available in the next SCADA version (2014).

Incident Management A.13

A department-wise register is maintained for incident monitoring. An Oracle database is used for technical incident monitoring.

Physical Security/Administration/Contract Services/Technical services (Establishment) A.9, A.10

3. Site Tour/Physical security/Technical services/Contract services

POSOCO facilities were observed to be well laid out and planned, with physical access and environmental controls evident. Assets observed are tagged, and identification and labelling of infrastructure was observed. Storage bays and workstations are duly numbered. Two levels of security were evidenced, with a security guard at the entrance gate, frisking and a metal detector at the main entrance, and electronic access control into the offices. The work area is divided into functional zones with access controls in place at the floor entrances and Server room. The office main entrance area is manned with physical security present, maintaining records of visitors and movement of records (gate passes). Environmental controls are implemented and evident. Fire protection systems are installed and evident. Secure areas are defined and electronic access control systems installed.

Physical security

Asset Movement is handled by respective departments.

The equipment maintenance records have been evidenced with corrective and preventive actions. An AMC tracker is maintained to keep track of the status of AMCs with third parties and covers SOW and SLA.

DG sets (375 kVA + 125 kVA) are maintained on an as-and-when-service-required basis. No load test is done every week. SR record dated 3/8/12 has been evidenced for Routine B Maintenance and found to be in order.

Central AC is maintained on a quarterly basis. SR 00831612 dated 31/1/13 has been verified and found to be in order. One chiller is not functioning and is expected to be replaced by 1Q2014.

UPS (2 x 40 kVA): verified SR no 488573 dated 25/10/2012 and found it in order. SMF batteries are nearing service life and would be replaced. Cells are being checked every 10 days.

Verified the Fire equipment visit report dated 12/12/12; it is found to be in order.

Fire drill is done once in six months. Verified the fire drill record. The last drill was conducted on 24th Jan 2013; the report is under preparation.

The last drill record for the quarter ending Dec 12 was verified for the drill held on 23/12/12. Evacuation time was 0 to 1 minute. %3 persons were evacuated.

Grid Management A.10, A.11

Auditee: DGM

The main activities cover Real Time Monitoring of the Power System at HV/EHV levels from the point of view of security, enabling bottled-up generation and maximizing the power, and enabling the commercial mechanisms to facilitate generation, transmission and distribution.

24 x 7 operation. A team headed by the DGM (Shift in charge), Manager and Engineer carries out Real time Grid operation, coordination with NLDC, control of power flows and control of frequency in the IEGC band (49.7 Hz to 50.2 Hz) on a 24 x 7 basis.

Documents on reactive power (CERC press release), Open access in Interstate transmission, and the Procedure for Scheduling of Bilateral Transactions are used for monitoring.

Inputs are received in the form of SCADA data and phone calls on internally dedicated links. Sampled input message: NLDC approval for Agra-Gwalior Circuit 1 outage scheduling for rectification of defect, approved on 18/2/2013.

Grid incidences are maintained in a code book with code no, date, time, from/to and description of event, signed by the concerned engineers.

No security incidents reported so far.


SCADA/EMS/Communication (Logistics) A.10, A.11, A.13

Auditee: Manager

The major part is the SCADA/EMS systems. These systems have to be maintained fully available round the clock to aid the Load Dispatchers, and new elements need to be integrated in time so that informed decisions can be taken by operators. All IT infrastructure has to be maintained with 100% user availability, so inbuilt redundancies are deployed at many levels. The SCADA system is supported and maintained by a third party under a 2009 long term service agreement for 5 years (Amendment II WRLDC/CON/WC-922/835/2011/3032 dated 8/4/2011; the annexure describes SOW and escalation procedure).

Evidenced Network Diagram dated 8th Feb 2013 v2. Continuity/security is ensured through a Hathway 8 port switch, firewall, 2 web servers, Layer 3 switches, Layer 2 switches and Cisco routers. Passwords are protected through access control to the softcopy. VAPT is carried out regularly (last report Jan 7, 2013); corrective action is in progress and will be completed in about 10 months (e-mail dated 15/2/2013 to DGM IT SS).

Evidenced antivirus definition distribution report dated 18/2/2013: Symantec definition 16/2/2013 r9 on 96.5% of the total of 57 computers.

Input is received through meetings for plant integration as per the connectivity agreement with CTU; analog and status points are created in the DB and output is created on the Display. System operations data is generated daily; generation frequency is monitored every 30 seconds. Antivirus status 16/2/2013 r9 on no. 46.

Market Operations (Commercial services) A.10, A.11

Auditee: Chief Manager

The core activities of market operations include Metering, Energy accounting, RLDC fees & charges, UI disbursals, system studies, and Regulatory affairs. The team of Operational services carries out activities related to Reliability, Market operation (Commercial), Regulatory affairs, Reliability Operational planning (Outage guidance to shift engineers), and Transfer capability of the transmission network for the Open access team. Market operation is responsible for metering and settlement. Binary files are received through e-mail, converted to text files and used for working out the net injection of power and net drawal by different states. Integrity checks are performed. Data cannot be tampered with, as hand-held meter reading instruments are used for downloading the data.

Regulatory affairs:

CERC comes out with several rules; stakeholders are involved in sharing their inputs, and comments are given to NLDC, which consolidates and passes them on to CERC (Grid code).

Compliance monitoring covers timelines, Grid code data validation, and pool payment disbursal.

Establishment (HR, Finance) A.8, A.9, A.10, A.11

HR

Auditee: Personnel Officer

Team size: 8

This group administers HR management, HR development and Administration of the office; Trainings, facilities extended to employees, office orders etc are under its purview (complete employee life cycle).

Sampled emp no 2586. NDA is under Rule 5 of CDC rules. BGV is done internally. Police verification, qualification verification and employment verification have been evidenced and found to be in order.

Sampled emp no 41427, DOJ 9/3/11. This was a transfer case; hence BGV and NDA records could not be verified.

Sampled emp nos 02078 and 02479. Return of assets is evidenced in the no dues certificate.

The records are protected in a cupboard under lock and key.

Observation:

1. No smoke detector is located in the HR records storage room.

OFI

1. Return of assets (IT) could be explicitly mentioned in the no dues certificate.


Finance

Auditee: Chief Manager

The team is responsible for Payments, Preparation of accounts, and Audit for location contract maintenance.

The records are secured under lock and key and can be accessed by authorised persons. Online backup is maintained and stored in a remote location. The Finance server is maintained in Delhi. Access is protected through login and password, which is changed periodically. No security incidents are reported so far.

Summary of SRLDC (Bangalore) Findings

ISMS Change Management:

26 policies are defined based on the central RLDC policies and processes applicable for SRLDC. All these policies are reviewed and updated during 2013. The password policy for the control room is changed to 90 days from 30 days for operational convenience.

The risk assessment in SRLDC-RA-RTP ver.1.2 dated 15th Jan 2013 has been verified for the changes done for the assets added and for security and supporting utilities.

ISMS Audit:

The Internal audit was conducted once in three months. The previous internal audits were conducted during July 2012 and Nov 2012. The combined audit report of Nov 2012 has been verified for the audit schedule, coverage, audit findings, reporting and analysis of results. The audit focus on ISMS for preparation, performing the audit and reporting needs improvement.

Management Review:

The Management Review was conducted once in three months, immediately after the internal audit. The combined MR meeting records have been verified for the agenda points, reporting on ISMS control effectiveness, minutes of meeting and action plan. The MOM and action plan dated 17th Dec 2012 cover the ISMS checklist, antecedents for security staff, mock drill, ISMS awareness and VAPT.

Closure of Previous Audit Findings:

The previous external audit reports (BSI report of Feb 2012) have been verified during the audit, and it was found that there is no formal CAPA record available with the team.

Observations:

1. Change management procedure not followed for the change of password policy to 90 days for the control room.

2. Reference to Physical & Environmental Security Policy ver.2.0 dated 15th Jan 2013: the change description is recorded as 'Recertification Audit'.

3. Reference to the risk assessment of Security and supporting utilities: A.14 controls were not selected, though this control is in practice.

4. Reference to the Internal Audit of 17th Nov 2012: The Integrated management system audit is conducted for all the four standards. A) There is no effort put into verifying the ISMS controls during the audit; no checklist used. B) The IA findings classification is incorrect, e.g. "The information assets list not prepared" and "vendor evaluation procedure to be done" are classified as 'OFI'.

5. Reference to Internal Audit procedure: the classification (NC, OFI) of findings could be defined.

6. Audit summary report was not evidenced as per sec 5.2.10 of the Internal audit procedure to demonstrate the purpose / objective of the Internal audit.

7. Reference to the MR review of 17th Dec 2012: Clauses e) and f) could be addressed as per the standard clause 7.2, and review of ISMS control effectiveness could be carried out.

8. There is no evidence of a corrective and preventive action plan for the previous BSI audit report of 13th Feb 2012 (11 obs, 1 Minor NC). Clause 8.2 / 8.3.

Area: Human Resources (A.8)

Conduct Discipline and Appeal Rule of HR Policy Manual Volume I, Dec 2002. Rule 5 addresses the general information security requirements applicable to all employees. The pre-employment medical check and character and antecedents check is done for all employees. During employment, every promotion in the organization requires vigilance clearance; superannuation / exit clearance also requires vigilance clearance. The HR records are maintained in hard copies stored in the cabinet. The digitization of these documents into soft form, stored in a centralized server, could be looked into. The sample of joining formalities of E.ID 02689 dated 8 Aug 2012 and the superannuation process for E.ID 35036 have been verified during the audit. The orientation training program for E.ID 02689 dated 8th Aug 2012 was evidenced.

The legal and regulatory requirements and compliances are identified and being addressed. Regulations being complied with:

Contract Labour
EPF
ESI
Minimum Wage
Workmen compensation
Status of statutory compliance IT Act 1961

Observations:

1. The link in the Power grid portal / Human Resource Department -> HR rules and Policies was found not working (displays an error message 'server error').

2. The Antecedents report for employee 2689, joined on 8th Aug 2012, was not evidenced.

Area: Logistics (SCADA Operation) (A.10, A.11)

The objective of this team is providing real time information to the control room and MIS reports, and ensuring availability of the system at 98.5%. The SCADA activities are managed in association with the GE Energy team. The IBM Ax based server is used to store all the operations data. The letter of award to GE India Industries Pvt Ltd dated 29th March 2012 is in place for two years of support service for SCADA. The team activities involve the Sybase error log, disk utilization, XA/21 gaxall, OS error report, performance of database utilization and resolution of issues within agreed service levels. July-Sept 2012 reports on SLA adherence and uptime, and daily health checks of workstations and application controls, were evidenced. No security incident reported during the last one year.

Good Practice

1. Monthly health check report of HW and SW resolution support issues and Availability report based on the contract elements found to be good.

Observations:

1. The analysis of data on comprehensive support of HW and SW on severity levels could be carried out, which will provide the opportunity to take proactive initiatives to reduce incidents.

2. Vulnerability assessment of Network, Database, Routers and Switches could be carried out at regular intervals.

Area: Operation Services

The team is involved in developing processes for grid normal and black start conditions. The MIS report is generated weekly / monthly / quarterly / annually. The team provides the monthly information to the operations coordination committee meeting (OCCM) on a set of parameters which leads to strategic decisions by the OCC. The 79-OCCM report of 10th Jan 2013 has been verified for network & system operation, network protection / security issues and disaster management and found in order.

Good Practice / Strength

1. Operation coordination committee meeting (OCCM) monthly meeting, the mouthpiece for the operation covering frequency profile, voltage profile, system demand, network issues, SCADA data, communication, protection issues, major events and commercial issues, found to be good.

Area: Physical Security and Admin

POSOCO is located at No. 29, Race Course Road, Bangalore. The ground, first and second floors have a total resource of 65. The physical security services are handled by P L Security Services as per the letter of award dated 11th Jan 2013. CCTV is in place to monitor movement inside and outside the office premises; monitoring is done 24/7 by the security staff and control room.

The visitors and material movement registers have been verified during the audit and found in order. Fire extinguishers are in place at prominent places like the DG, UPS and Server room. The daily logs of UPS, Battery, Electrical panel and DG are in place and found in order. The third party agreements of M/s PL Security Services have been verified during the audit.

Observations:

1. Display of a security-positive culture reflecting the organization's password policy, internet security, email security, information security incidents, emergency situations and handling of confidential documents could be carried out.

2. Material issue authorization, i.e. from Heads of Departments to security for verification.

3. There is no antivirus updated on the system at Security, and this is connected to the control room; this could be looked into.

Summary Of ERLDC (Kolkata) Findings

Site Tour, Physical Security and Contract Services Auditee: A.B. Sengupta, S.K Mukherjee

A site tour was conducted to assess the periphery and physical security of the facility. The main entrance to the facility is manned by security guards, who control visitor and material movement. All visitors are issued a gate pass and guest card and have to record their credentials in the visitor register. The physical security of the POSOCO Kolkata facility is outsourced to GS & IS (P) Ltd. Interviewed the on-duty security guard, Mr. Phanilal Bose; his awareness of security requirements and of POSOCO's policies and procedures was found satisfactory. One armed guard is deputed on a 24x7 basis. Verified the gun licence of the on-duty gunman Sk. Akhtar Ali, licence no. 16/2007 of Bhatar PS for 12 bore DBBI gun no. 8651, valid till 31.12.2014. A total of 6 CCTV cameras are installed within the facility, and the last one month of CCTV footage is retained. Verified the stored footage of camera no. 6 between 11.30 AM and 12.30 PM on 03.02.2013 and found it consistent. Entry to the working area is access-controlled with a biometric access control system. A metal detector is installed at the main entrance. During the site tour the DG room and switch room were visited. The organization has two DG sets of 125 KVA and 400 KVA. Fire extinguishers and sand buckets are kept in the DG area to deal with any fire incident. Refilling of fire extinguishers is done yearly. Verified fire extinguisher number DPX05, for which the next refilling is due on 23.10.2015.

Contract services fall under three major categories, viz. short term, mid term and long term, based on requirements. Contracts cover system operations, technical operations, market operation, etc. Verified the KPIs of contract services vide doc id POSOCO/IMS/Objectives Rev 03 and found full adherence. The contract process is carried out on an order-to-order basis by inviting Limited (value < 25 lakh) or Open (value > 25 lakh) tenders based on a requisition from the user department; selection and evaluation of the supplier is likewise carried out order by order through verification of the technical and financial bids, other requirements and a comparative study, and the order is in general placed with the L1 (lowest) bidder. Process verified by taking the following sample: "Proposal: O & M and Development of ERLDC Lawn / Garden, Tender No: ERLDC/ C & M/ 970-O & M-Gardening/2012/856-868 dated 09/05/12, Bidders: 04. M/s Udayan was selected as L1 supplier for the above tender after a comparative study of the bidders, with details recorded in the comparative statement of tender. Purchase Order No: ERLDC/ C & M/ 970-O & M-Gardening/2012/3340 dated 11/10/12 was placed in favour of supplier Udayan after approval of the purchase proposal by the tender committee. The order was accepted by the supplier on 14/10/12."

**Observations**

1. The visitor's log book is to be maintained properly. It was found during the audit that Mr. B. Dey of ORG India entered the facility on 14.02.2013 at 12.53, but his out-time was not recorded, and the visitor's pass was also not evidenced. A review of the visitor register at a defined schedule may be put in place to confirm effectiveness.

2. Returnable outgoing material memos may be kept separate, with the expected return date mentioned on them, to improve traceability.

3. Specimen signatures of authorised signatories may be placed at the security desk for ready reference and signature validation.

4. Reconciliation of visitor's cards may be done at defined intervals, and any loss or damage of a visitor's card is to be recorded as a security incident.

** Non-conformance**

1. ISO/IEC 27001:2005 requires that the clocks of all relevant information processing systems within an organization or security domain be synchronized with an agreed accurate time source (control A.10.10.6, Clock synchronization).

Objective Evidence - It was evidenced during the audit that the CCTV surveillance system of POSOCO has a time difference of 4 min 35 s from the access control system and the server time of the facility.

Type - Minor non-conformance.
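Why a skew of this size matters in practice: an investigator reconstructing a badge-in from the access control log, the server log and the CCTV recorder cannot match the three records until the offset has been measured and subtracted. The following Python script is an added illustration, not part of the assessment report and not POSOCO's tooling. The three log lines are constructed, the field names and the "YYYY-MM-DD HH:MM:SS key=value" layout are assumptions, and the one-second tolerance is an assumed value a site would pick for A.10.10.6; the 4 min 35 s skew on the CCTV source mirrors the finding above.

```python
"""Clock-skew check across audit-trail sources (added example)."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records, not taken from the audit report.  One badge-in
# at the main door, as recorded by three systems.  The access control system
# and the server agree to the second; the CCTV recorder runs 4 min 35 s slow,
# the skew the assessment found at ERLDC.  Field names are assumptions.
SAMPLE_LOGS = {
    "access_control": "2013-02-03 11:42:10 door=MAIN card=1234 event=GRANTED",
    "server":         "2013-02-03 11:42:11 host=dbserver user=opr2 event=LOGIN",
    "cctv":           "2013-02-03 11:37:35 camera=6 event=MOTION",
}

REFERENCE = "access_control"   # the source taken as the authoritative clock


def parse_record(line):
    """Split 'YYYY-MM-DD HH:MM:SS key=value ...' into (datetime, fields)."""
    date, time, *kvs = line.split()
    ts = datetime.strptime(f"{date} {time}", FMT)
    return ts, dict(kv.split("=", 1) for kv in kvs)


def measure_offsets(logs, reference=REFERENCE):
    """Clock offset of each source relative to the reference, measured on one
    physical event that every source recorded.  Positive = source runs ahead."""
    ref_ts, _ = parse_record(logs[reference])
    return {name: parse_record(line)[0] - ref_ts for name, line in logs.items()}


def out_of_sync(offsets, tolerance=timedelta(seconds=1)):
    """Sources whose clock differs from the reference by more than tolerance
    (one second is an assumed site value for A.10.10.6)."""
    return sorted(name for name, off in offsets.items() if abs(off) > tolerance)


def correlate(logs, window=timedelta(seconds=30), offsets=None, reference=REFERENCE):
    """Sources whose record lands within `window` of the reference event.
    With `offsets` given, each source's timestamp is first corrected by its
    measured skew, which is what an investigator must do once skew exists."""
    offsets = offsets or {}
    ref_ts, _ = parse_record(logs[reference])
    hits = []
    for name, line in logs.items():
        ts, _ = parse_record(line)
        corrected = ts - offsets.get(name, timedelta(0))
        if abs(corrected - ref_ts) <= window:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    skew = measure_offsets(SAMPLE_LOGS)
    for name, off in skew.items():
        print(f"{name:15s} offset {off.total_seconds():+.0f} s")
    print("out of sync:      ", out_of_sync(skew))
    print("naive correlation:", correlate(SAMPLE_LOGS))
    print("after correction: ", correlate(SAMPLE_LOGS, offsets=skew))
```

Run without correction, the CCTV record falls outside a 30-second correlation window and the badge-in appears to have no video; with the measured offset applied it lines up. The same measurement, run periodically against a single reference clock, is a cheap standing check that the A.10.10.6 control is still effective.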

Asset register review, Internal audits, MRM, Review of NC closure Auditee: P. Mukhopadhyay (MR)


The asset register vide asset_register-PG_ERLDC ver 3.0.1 dated 15.01.2013 was verified, along with the risk assessment and treatment process. Asset values and their risk ratings are done as per POSOCO/IMS/SOP Rev 02. The CIA value of each asset has been calculated and a risk rating identified after evaluating vulnerabilities and threats. Verified the risk assessment and treatment of a physical asset with a high risk value (the application server) and found it satisfactory.

There were three NCs in the last audit. All issues have been addressed and closed, and in the first MRM of the year the closure of all NCs was confirmed. Verified the MOM dated 19.10.2012 vide doc id ERLDC/IMS/record/GM/009. The following artefacts were noted during the NC verification:

NC 1 closure - Access control privileges have been clearly defined in ERLDC/SL/2012 on 11.03.2012 by Mr. A.B. Banerjee and approved by AGM (MO)/MR.

NC 2 closure - BCP record dated 15.03.2012 verified. The MOM of the Crisis Management meeting also confirms the closure.

NC 3 closure - Section 3 of the Risk Assessment & Mitigation report Ver 02 dated 15.01.2013 confirms the closure by adding the proper service asset.

Internal audits are conducted twice per year. The last audit was conducted on 23rd and 24th January 2013. Verified the audit summary report vide doc id ERLDC/IMS/record/IA: a total of 7 observations and 2 NCs were identified. MRM is also scheduled twice per year; the last MRM was held on 11.02.2013 at the ERLDC office and chaired by the GM.

**Observations**

1. Document version history may also include the amendment history in detail. It was observed during the audit that the SOA vide doc id POSOCO/IMS/SOA V2.0 had its latest release on 15.01.2013, but the reason for the new release or amendment details were not evidenced.

2. Awareness of the risk assessment procedure needs further improvement. It was found during the audit that communication cables are not identified as assets, and therefore no risk assessment has been done for them (control A.9.2.3, Cabling security, requires this). To make the system more resilient, communication cables may be treated separately rather than grouped with the devices they are attached to.

**Non Conformance**

1. Objective Evidence - It was observed during the audit that two minor nonconformities had been identified in the last internal audit, conducted on 23rd and 24th January 2013, in the physical security and systems logistics departments, but no evidence of discussion of these in the MRM held on 11.02.2013 was found; hence the allocation of responsibility for closure and the target date were not recorded in the MOM.

Type - Minor non-conformance.

Grid Management Auditee: Nadim Ahmad

Grid Management & System Operation is carried out as per the documented SOP and flow chart. Process verified for the Purnia to Muzaffarpur line: Power Flow 67 MW x 2, Voltage 409 KV at the Purnia end and 415 KV at the Muzaffarpur end, Frequency 50.26 Hz, Date 19/02/12, Time 11:58:54 Hrs.

Records verified include Day Ahead Scheduling, Daily Power Supply Position, and Generation & Distribution Status Reports. Also verified the shutdown request processing by assessing message no. 29-02-RKL at 19.10, which got approval from NLDC on 19.02.2013; the entire process fully adheres to the documented process flow.

Information Technology for SCADA/EMS support, Incident Management Auditee: A.B. Sengupta

Process activities mainly include maintenance of the IT and SCADA systems, the intranet and the corporate website. Asset details including owner, specifications etc. are maintained in soft copy. The schematic network diagram, ref doc ERLDC/ISMS/Manual ver03 dated 20.12.2012, was verified. Software licences are maintained and found as per usage. The backup policy, including frequency, type, restoration frequency etc., is documented in the Backup & Restoration procedure. Records verified for machine OPRN-2 on 30.01.2013 and found satisfactory. The log of the last SCADA data file, file name HDR_130218-235955.7.A.02 dated 19.02.2013, was verified. Automated backup completed at


6.54 AM. Also verified the restoration of a schedule information message vide msg no. A7967. A dedicated 500 GB external HDD, asset no. ERLDC/PCI/046, is allotted for offsite backup. Maintenance of hardware and software is done through an AMC contract, the details of which were verified: Service Provider Wizertech Informatics Pvt. Ltd., Kolkata, Order Ref ERLDC/C & M/ 949/ AMC-Facility Management-2011-2012/4666 dated 30/01/12, valid till 28/02/13. A separate confidentiality agreement was signed between POSOCO and Wizertech on 18.03.2012 for 5 years.

Maintenance of SCADA is done through an AMC contract with the authorized service partner of the OEM: Service Provider Areva T & D India Ltd., Noida, Order Ref ERLDC/C & M/ AMC-VLDC/09-10/11449-1457 dated 15/02/10, valid till 28/02/13. Verified the SCADA uptime KPI and RTU reporting KPI for the third quarter; both are recorded as 100.00 as on 31.12.2012, against target KPI bands classified as Excellent = 99.500, Very good = 98.000, Good = 96.000, Fair = 94.000 and Poor = 92.000.

The main IT KPIs are website availability and intranet availability. Website uptime in the 2nd quarter was recorded as 99.580 (as on 22.06.2012) and intranet uptime in the 3rd quarter as 96.670 (as on 18.12.2012).

Patch management is a manual process at ERLDC Kolkata. Patches are applied to systems after generation and validation of a Belarc report for every asset. The latest MS patch was verified on DB server-2 (ERLDC/SERV/008, 192.168.64.99), date of installation 09.02.2013. Symantec Endpoint Protection v11 is the antivirus in use at ERLDC; it was last updated on 17.02.2013, verified on ERLDC/PC2/1065.

Activities are performed to ensure business continuity as per the approved business continuity plan vide doc id DSC/ISMS/business continuity plan ver 2.0 dated 20.12.2012.

Incidents are reported through the intranet portal (http://192.168.64.105/break.aspx). Verified the logged call history vide ticket no. BRKNO. 2013001 dated 01.01.2013: issue time 10.05 AM and call closure time 12.15 PM, adhering to the internal SLA. Also verified the breakdown call report from service partner Wizertech Informatics (P) Ltd, vide call no. 14353 dated 08.01.2013.

Establishment (Human Resource) Auditee: G.K. Kundu

The main responsibility of the HR function at ERLDC Kolkata is to maintain personal files and execute the training programme according to the yearly training plan prepared by the H.O. The HR department maintains 15 KPIs. Verified one of them, HR Training Programme on IMS per year, whose target is 1: training was conducted on 28th and 29th August 2012 with a total of 13 employees participating, and the effectiveness of the training was evaluated by the MR and reported satisfactory.

Training needs are identified through TNA. Training details of Mr Abhijit Bhuina (Engg-MO) were verified: the identified training need was a Basic Programme on SCADA, and training on that topic was conducted from 26/11/12 to 30/11/12 by a competent external agency, as recorded in the Training Record Sheet.

The personal file of existing employee Ms. Rosy Sinha (Emp id 02303) was verified. Date of joining is 12.09.2012. All required documents are maintained as per the requirement.

Market Operation (Commercial & Financial Services) Auditee: Nadim Ahmad

The department captures and maintains metadata for preservation. Actual data is compared with schedule data and forwarded to the ERPC on a weekly basis for preparing bills. Weekly data is backed up on an external HDD (asset id ERLDC/POSOCO/EHDD/160). Other activities are metering, energy data collection, data processing, UI calculation and settlement of bills. Verified the last metadata email to ERPC, for the period 4th to 10th February 2013; the auditee stated that the relevant bill is expected to be published by 25th February 2013. Verified the last released bill, for the period 28th January to 3rd February 2013. Commercial services are governed from the HO and all relevant data is published at http://www.eastrpc.org. Also verified the following commercial services activities:

UI for DVC on 31/01/13 was -1904.43 MWH.

Congestion Charge Account management: Rs 398102 is receivable to DVC as per the report published on 06/12/12.

Short Term Open Access Management: verified for JSEB on 19/02/13, Application No 283, Acceptance No ERLDC/2013/4045/D, Schedule Request 100 MW.

The entire process flow was found to comply with documented procedures and to adhere to all information security requirements. 100% KPI


met.

Establishment (Technical Services & Operational Services) Auditee: P. Chaudhury

Technical and operations services cover maintenance of the facility and technical utilities and also take care of building management systems. All PM and BDM records are maintained in the department and SLA adherence of vendors is evaluated. The following maintenance records were verified:

DG maintenance contract vide doc id ERLCD/C&M/993/AMC-400 KVA DG Set /2012/3132 dated 18.10.2012. The confidentiality agreement is mentioned in point no. 15 of Annexure III. Last maintenance service record verified vide GD/SR/C&M/002/01 dated 30.01.2013.

AMC contract with Honeywell for fire detection and alarm vide doc id ERLDC/C&M/924/AMC/Fire Alarm/2011/1746 dated 30.08.2011, valid till 31.08.2013. A separate NDA is signed with the vendor. Last preventive service record verified vide memo BWID-021-F7, Rev 02 dated 13.02.2013.

AMC contract for AC plant maintenance vide doc ERLDC/C&M/972/AMC-AC Plant/2012/634, valid till 30.04.2013. A separate NDA is signed with the vendor. Last maintenance service report verified vide memo no. 00804960 dated 31.01.2013.

To ensure business continuity each DG set undergoes a 15-minute test run every week. Verified the last week's test run record in the register for 13th February 2013. The 4 earth pits are well maintained and their resistance is measured at a regular frequency (once per year). Verified the records dated 23.04.2012: 0.49, 0.56, 0.91 and 0.98 ohms respectively for the 4 earth pits.

A fire mock drill was conducted on 13.08.2012. Verified the record vide doc id ERLDC/IMS/Record/010. All 30 employees participated in the drill and evacuated the facility. The identified fire marshals are M.K. Dey, T. Chakraborty, P. Mitra and K.P. Paul.

**Observations**

1. A process for reviewing service reports may be put in place to ensure effectiveness.

2. Control over outsourced maintenance activities may be further reviewed.

Summary of NLDC (Delhi) findings

Location specific ISO function (Asset Register Review, Internal Audit, Corrective and Preventive Action, MRM for NLDC)

Verified the integrated manual for ISO 9001, ISO 14001, OHSAS 18001 and ISO/IEC 27001, POSOCO/IMS/Manual Rev 2.0 dated 15/01/2013. The manual adequately describes the scope, roles and responsibilities and structure of the organisation.

Verified the ISMS Policy NRLDC_ISMS Policy Framework_POSOCO Ver 1.0 dated 21 Feb 2011, which sets out policies regarding all aspects of the various controls applied, and found it to meet the requirements.

The IS Policy PSC/ISMS2013/013_corporateinformation security_Policy_POSOCO ver 2.0 dated 15/01/2013 was reviewed and found to be adequate.

Risk criteria verified as contained in the Risk Assessment & Treatment Plan.

The organization has constituted an "Information Security Management Forum", and this was verified.

ISMS objectives were verified.

Reviewed the Risk Assessment & Treatment Plan, which sets out the asset name, asset value, threat and threat probability, vulnerability, and identifies the risk. The same was reviewed for CRM, DG, Finance, IT, Market Operations, Open Access, SCADA, SO-II and SO-I.

The last internal audit was done on 22 Jan 2013. Verified the records of the internal audit, which had 16 observations.

MRM was done twice in the last year; records verified for the MRMs held on 16/08/2012 and 04/02/2013. The MRM was found to cover all aspects of management review except effectiveness measurement.

Minor Non-conformities

YP/01/A.7.2.2 - As per organization document no. PSC/ISMS2013/017_information labelling and Handling policy dated 15/01/2013, labelling in terms of Confidential, Internal and Public was not found to be implemented.

YP/02/A.15.1.6 - As per organization document no. PSC/ISMS2013/017_information labelling and Handling policy dated 15/01/2013, the transmission of confidential material shall be done by encrypted means; but control A.15.1.6 has been justified as excluded


from the current applicable SOA POSOCO/IMS/SOA ver 2.0 dated 15/01/2013

OFIs

1. Records of internal audit should not only record the gaps identified; "conformity" findings should also be mentioned in the report.

2. MRM should cover effectiveness measurements in detail.

3. ISMS objectives should be clearly measurable and consistent with the ISMS Policy.

Process - Site Visit / Physical Security / Contracts / Technical Services

Clauses: A.9

The outer security perimeter of the organisation is a manned reception desk at the entrance, manned by CISF. The following registers are used at the reception for physical entry controls:

Visitor Register

Visitor Passes

The second security perimeter, in terms of access controls for the sensitive areas of SCADA and the control room, was found to be adequate.

Fire protection is in the form of fire extinguishers; no sprinkler system etc. exists. Verified the Fire Emergency Plan dated December 2009. A fire mock drill and evacuation drill was rehearsed on 14/02/2013.

Electricity Board supply is backed by two generators, which are further backed by 2 UPSs of 40 KVA, 200 AHC each.

Verified the "earthing" arrangements for routers and servers on the ground floor and first floor in the control room. These were found to be earthed.

Verified the UPS AMC contract with M/s Rielio PCI India Pvt Ltd. dated 08/02/2013.

OFIs

1. The time for which the UPS batteries will last if the generators are not available should be calculated and matched against the contractual time within which generator faults are to be repaired, so that generators are repaired within the battery backup time.

Process - Location IT Operations Support

Clauses: A.10, A.11

The organisation has separate SCADA servers and IT application servers, which are in redundant mode locally. All servers are adequately controlled as per the applicable security controls except for A.10.10.2.

For IT operations, the organisation has two ISPs, TULIP and SIFY, both of 4 Mbps capacity. SCADA connectivity is provided by the parent company POWERGRID and is 4 x 64 kbps with 100% redundancy. Backups are taken every 12 hours. The Backup Policy PSC/ISMS2013/06_Backup_Policy_POSOCO ver 2.0 dated 15/01/2013 was reviewed and found to be adequate.

Passwords are handled as per the Password Policy PSC/ISMS/2013/05_PasswordProtection_Policy_POSOCO ver 2.0 dated 15/01/2013, which was reviewed and found to be adequate.

User passwords are issued by IT and are to be changed every 30 days; however no review of this was evidenced.

Minor Non Conformity - YP/01/A.10.10.2: The control regarding monitoring of SCADA servers was not evidenced.

OFI - A review of passwords should be undertaken to ensure effectiveness of the controls.

Process - HR and Training (Auditees - Narayan R; S S Prasad)

Clauses: A.8

The process is well controlled in terms of the controls applied to recruitment, employee induction, compliance with legal and administrative requirements, exit actions etc.

Screening and verification of personnel is carried out by way of police verification.

The records/files of Akhil Singhal, Anamika and Harish Rathore were verified.

Confidentiality and NDA agreements are signed by way of an undertaking taken from individuals as regards their CDA rules.

Access rights are deleted by IT on HR's initiative; this was verified for the above-mentioned employees.

OFI - Awareness regarding the ISMS among new joinees needs to be improved.


Process - Commercial Services/Market Operations (Auditees - Kavita Parihar, H Chawla)

Deals with energy accounting and open access.

The asset register and controls for the process were reviewed and found to meet the requirements.

The process is well controlled as per the applicable controls.

No Observations

Process - Finance Department

The asset register and controls for the process were reviewed and found to meet the requirements.

The asset "bank statements" was taken as a sample and reviewed for controls. The process is well controlled as per the applicable controls.

No Observations

Process - Operations

The process is responsible for drawal of power.

The asset register and controls for the process were reviewed and found to meet the requirements.

The sensitive server/software for SCADA is segregated from other information processing assets.

The SCADA setup has 100% redundancy for all assets in the form of machines, software and connectivity.

No Observations

Summary of NRLDC findings

Process - Organization presentation by ISO team (Auditees - Ashok Nijhawan, D Dey)

Location specific ISO function (Asset Register Review, Internal Audit, Corrective and Preventive Action, MRM for NRLDC)

Verified the ISMS Policy NRLDC_ISMS Policy Framework_POSOCO Ver 1.0 dated 21 Feb 2011, which sets out policies regarding all aspects of the various controls applied, and found it to meet the requirements.

Risk criteria verified as contained in the Risk Assessment & Treatment Plan.

The organization has constituted an "Information Security Management Forum", and this was verified.

ISMS objectives were verified.

Reviewed the Risk Assessment & Treatment Plan, which sets out the asset name, asset value, threat and threat probability, vulnerability, and identifies the risk. The same was reviewed for CRM, DG, Finance, IT, Market Operations, Open Access, SCADA, SO-II and SO-I.

The last internal audit was done on 22 Jan 2013. Verified the records of the internal audit, which had 23 observations, of which 07 are pending.

MRM was done twice in the last year; records verified for the MRMs held on 16/08/2012 and 04/02/2013. The MRM was found to cover all aspects of management review except effectiveness measurement.

OFIs

1. Records of internal audit should not only record the gaps identified; "conformity" findings should also be mentioned in the report.

2. MRM should cover effectiveness measurements in detail.

Process - Site Visit / Physical Security / Contracts / Technical Services (Ashok Nijhawan, D Dey)

Clauses: A.9

The security perimeter of the organisation is only a manned reception desk at the entrance, manned by CISF. The following registers are used at the reception for physical entry controls:

1. Visitor Register

2. Visitor Passes

No second security perimeter in terms of access controls for the sensitive areas of SCADA and the control room was found.

Fire protection is in the form of fire extinguishers; no sprinkler system etc. exists. Verified the Fire Emergency Plan dated December 2009. A fire mock drill and evacuation drill was rehearsed on 14/02/2013.

Electricity Board supply is backed by two generators, which are further backed by 2 UPSs of 40 KVA, 200 AHC each.

Verified the "earthing" arrangements for routers and servers on the ground floor and first floor in the control room. These were found to be not earthed.


Verified the AMC contract for the generator and AMF panel with M/s Emerson Networks Power India Limited, dated 31/03/2013.

OFIs

1. The time for which the UPS batteries will last if the generators are not available should be calculated and matched against the contractual time within which generator faults are to be repaired, so that generators are repaired within the battery backup time.

2. All IT machines, i.e. servers, should be properly earthed.

Process - Location IT Operations Support (Process Owner - Ashok Nijhawan, D Dey)

Clauses: A.10, A.11

The organisation has separate SCADA servers and IT application servers, which are in redundant mode locally. All servers are adequately controlled as per the applicable security controls except for A.10.10.2.

For IT operations, the organisation has two ISPs, TULIP and SIFY, both of 4 Mbps capacity. SCADA connectivity is provided by the parent company POWERGRID and is 4 x 64 kbps with 100% redundancy. Backups are taken every 12 hours. The Backup Policy PSC/ISMS2013/06_Backup_Policy_POSOCO ver 2.0 dated 15/01/2013 was reviewed and found to be adequate.

Passwords are handled as per the Password Policy PSC/ISMS/2013/05_PasswordProtection_Policy_POSOCO ver 2.0 dated 15/01/2013, which was reviewed and found to be adequate.

User passwords are issued by IT and are to be changed every 30 days; however no review of this was evidenced.

Minor Non Conformity - YP/01/A.10.10.2: The control regarding monitoring of SCADA servers was not evidenced.

OFI - A review of passwords should be undertaken to ensure effectiveness of the controls.
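What the password review asked for here, and in the identical OFI raised for NLDC IT operations support, would look like when actually run: take an export of accounts with their last password change date and list every enabled account that has exceeded the 30-day rotation, has no change date at all, or is exempted from expiry. The Python below is an added illustration, not part of the assessment report and not POSOCO's tooling. The account export is constructed, the column names are an assumption about what a directory or local-accounts export would carry, and the review date is taken as the visit date.

```python
"""Password-age review over a constructed account export (added example)."""
import csv
from datetime import datetime, timedelta
from io import StringIO

MAX_AGE = timedelta(days=30)       # the 30-day rotation the policy states
AS_OF = datetime(2013, 2, 18)      # review date; here the audit visit date

# Constructed export, not real POSOCO account data.  The column names are an
# assumption about what an AD/LDAP or local-accounts export would carry.
SAMPLE_EXPORT = """\
user,password_last_set,enabled,password_never_expires
opr1,2013-02-01,yes,no
opr2,2012-12-20,yes,no
scada_svc,2011-06-30,yes,yes
gkundu,,yes,no
oldcontractor,2012-09-01,no,no
"""


def review(export_text, as_of=AS_OF, max_age=MAX_AGE):
    """Return {user: finding} for every enabled account that fails the
    rotation rule.  Compliant accounts are omitted; disabled accounts are
    skipped, since rotation is moot for an account that cannot log in."""
    findings = {}
    for row in csv.DictReader(StringIO(export_text)):
        user = row["user"]
        if row["enabled"].strip().lower() != "yes":
            continue
        if row["password_never_expires"].strip().lower() == "yes":
            findings[user] = "never_expires"   # exempted from the 30-day rule
            continue
        last_set = row["password_last_set"].strip()
        if not last_set:
            findings[user] = "never_set"       # no change date on record
            continue
        age = as_of - datetime.strptime(last_set, "%Y-%m-%d")
        if age > max_age:
            findings[user] = f"expired ({age.days} days old)"
    return findings


def summarize(findings):
    """Count findings by category, e.g. {'expired': 1, 'never_set': 1, ...}."""
    counts = {}
    for finding in findings.values():
        category = finding.split(" ")[0]
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    result = review(SAMPLE_EXPORT)
    for user, finding in sorted(result.items()):
        print(f"{user:15s} {finding}")
    print("summary:", summarize(result))
```

The "never_expires" category is the one a review most often misses: service accounts flagged as exempt from expiry are also exempt from the 30-day control, so they need to appear in the review output even though the rotation rule never fires for them. Keeping the dated output of each run is the evidence the OFI says was absent.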

Process - HR and Training

Clauses: A.8

The process is well controlled in terms of the controls applied to recruitment, employee induction, compliance with legal and administrative requirements, exit actions etc.

Screening and verification of personnel is carried out by way of police verification.

The records/files of Sameer Saurabh, Rinky Narang and Rakesh Kumar Meena were verified.

Confidentiality and NDA agreements are signed by way of an undertaking taken from individuals as regards their CDA rules.

Access rights are deleted by IT on HR's initiative; this was verified for the above-mentioned employees.

OFI - Awareness regarding the ISMS among new joinees needs to be improved.

Process - Commercial Services/Market Operations

Deals with energy accounting and open access.

The asset register and controls for the process were reviewed and found to meet the requirements.

The process is well controlled as per the applicable controls.

No Observations

Process - Finance Department

The asset register and controls for the process were reviewed and found to meet the requirements.

The asset "bank statements" was taken as a sample and reviewed for controls. The process is well controlled as per the applicable controls.

No Observations

Process - Operations Services

The process is responsible for drawal of power. The asset register and controls for the process were reviewed and found to meet the requirements. The sensitive server/software for SCADA is segregated from other information processing assets.

The SCADA setup has 100% redundancy for all assets in the form of machines, software and connectivity.


No Observations

Summary Of NERLDC (Shillong) Findings A.6, A.7, A.9, A.10, A.11

System Logistics A.9.2.2, A.9.2.3, A.10, A.11

B. S. Roy - Chief Manager, Prashant Kumar Das - Sr. Engineer

The Systems Logistics department is responsible for all IT support and auxiliary services (HVAC, lift, DG sets, UPS), including VoIP, telephony, video conferencing and voice recorder surveillance, as well as SCADA modelling, EMS, database maintenance, intranet maintenance, website maintenance, communication links management and IT hardware management. The changes to the infrastructure during the review period have been the implementation of 2 storage systems for the file server, an increase of the DVR server storage capacity to 60 days, an increase in the number of CCTV cameras from 4 to 14, and the addition of a separate biometric attendance recording system and a proximity card based access control system.

Symantec Endpoint Protection is used on all desktops, laptops and servers for anti-virus protection, and a WSUS server is installed for Microsoft Windows XP, Windows 7 and MS Office 2003 patch management. The facility has 2 internet links and 1 leased line for the WAN connecting to the Head Office in Gurgaon. All links terminate on a Cyberoam UTM device, through which access to prohibited sites is disabled. Webmail is however not blocked, as these services are permitted for use. USB ports have also not been blocked; instead an undertaking against misuse of USB devices is taken from all employees. Responsibility for backup is left to the individual departments.

The minimum password length has recently been increased from 5 characters to 6.

The wireless LAN has been implemented with WPA2 Personal encryption, and furthermore all devices that can access the wireless LAN are bound by their MAC address.

Daily log sheets of the DG sets (1 x 160 KVA and 1 x 200 KVA) and UPS battery checks were evidenced.

Human Resources, Administration and Physical Security A.7, A.8, A.9

V. F. Desouza - Chief Manager

The department is responsible for physical security, housekeeping, welfare activities, establishment functions (leave records, training records, loans and advances), rashtra bhasha (official language) matters and hospitality.

All recruitment at executive and above levels is managed centrally from the head office. For staff below executive level, who are recruited locally, background verification is done by verifying educational qualifications, medical records, character/antecedent verification for the last 3 years from the state authorities, and verification of caste certificates where applicable.

Joining formalities for executive-level recruits are done centrally and for non-executives locally.

The authority for accepting resignations rests with the head office for executives and with local management for non-executives. All dues are settled locally and a no-dues certificate is obtained from all associated departments and support functions for the return of company assets.

At least 6 man-days of training per annum for each employee is a corporate mandate. Training needs analysis is completed by January and a training calendar is finalized centrally by April in the form of the HRD Learner's Planner.

System Operation 1 / Grid Management A.7, A.11.3

N R Paul, DGM SO1

The team is responsible for real-time grid operation and Short Term Open Access transaction processing.

The team size is 3 per shift and the department operates 24x7. It is the user of the online power system data which the SCADA department collects and presents graphically on the large display unit. The responsibilities of the department are monitoring the North East Region grid for the electrical parameters of voltage, frequency, line loading, power generation and power drawal for inter-state grid system operation, load despatching, and the North East Region Day Ahead Scheduling of power requirements for the generating stations.

Market Operations (MO) A.7, A.11.3


R Sutradhar DGM

The department is responsible for accounting the power intake and transmission from the substations and generating stations of the central sector in the north eastern region. This is done through the monitoring of 250 Special Energy Meters (SEMs) installed at 56 metering locations, data processing and computation, energy accounting, day-ahead scheduling, and the settlement system consisting of unscheduled interchange accounting, open access disbursement, reactive disbursement among the participants when the voltage deviation exceeds +/- 3%, and reporting of under-drawal or over-drawal of power by any participant to the Central Electricity Regulatory Commission (CERC).

Technical Services / SCADA A.7, A.10, A.11

M. Hussain – Chief Manager

The department is responsible for the collection and visualization of online power system data for grid management at NERLDC. The data is collected over communication links from Remote Terminal Units (RTUs) at the various substations and generating units in the North Eastern region and stored on the Data Servers, which are specialized dedicated systems running the VMS operating system. The consolidated data is displayed on the BARCO display unit in the Grid Management control centre. There are 2 Data Servers for redundancy. The SCADA system is separated from the POSOCO office LAN by a firewall.

Contracts and Materials A.6, A.7, A.9

Kaushik Sharma Chief Manager

The department is responsible for the procurement of all goods, equipment and services, which are procured under the Works & Procurement Policy and Procedure.

An NDA and confidentiality agreement is signed by all IT-related vendors.

Asset Register, Internal Audit and MRM for NERLDC Clause 4 - 8

V. Kaikhochin DGM System Logistics and MR

The Asset Register is maintained department-wise and reviewed once annually. Observations from the last CAV, e.g. storing the SCADA server administrator password in a sealed envelope with the Department Head and increasing the minimum length of the domain password, have been implemented. The annual ISMS Internal Audit was conducted on Jan 22-24, 2013. The MRM was conducted on Feb 15, 2013.

**Observations**

1. Some of the new assets installed during the year have not been identified in the Asset Register.

2. The new Asset Register and Risk Assessment template has not yet been implemented.

**Opportunities for Improvement**

1. The access control on the Fire Exit Door may be integrated with the fire alarm panel so that it de-activates automatically in an emergency.

Nonconformities Raised at Last Assessment.

Ref Area/Process Clause

A686259/1 Confidentiality Agreement A.6.1.5

Details: NDA not evidenced with vendor Quantam & Consularies Technologies Solution Pvt Ltd. Location: Mumbai

Requirements:

Objective Evidence:

Actions: Evidenced and verified NDA with Quantam dated 27/1/2012, valid for 5 years.

Closed?: Yes

Ref Area/Process Clause

A686259/2 Classification & Labelling A.7.2.1 & A.7.2.2

Details: No labelling and classification followed across all departments. Location: Mumbai

Requirements:

Objective Evidence:

Actions: Labelling has been evidenced. NC is partially closed. Classification is in progress; implementation will be verified during the next audit.

Closed?: No

Ref Area/Process Clause

A686259/3 Review of user access rights A.11.2.4

Details: The review frequency for user access rights needs to be established, and privileged access is to be reviewed at the defined frequency. Minor nonconformance. Location: Kolkata

Requirements:

Objective Evidence:

Actions: Access control privileges have been clearly defined in ERLDC/SL/2012 dated 11.03.2012 by Mr. A.B. Banerjee and approved by AGM (MO)/MR.

Closed?: Yes

Ref Area/Process Clause

A686259/4 Testing of BCP A.14.1.5

Details: Testing of the BCP not evidenced at the desired frequency. Location: Kolkata

Requirements:

Objective Evidence:

Actions: BCP testing record verified, dated 15.03.2012. The minutes of the Crisis Management meeting also confirm the closure.

Closed?: Yes


Ref Area/Process Clause

A686259/5 Identification of Assets 4.2.1

Details: Risk assessment for service assets in Technical Services, e.g. vendors, not evidenced. Location: Kolkata

Requirements:

Objective Evidence:

Actions: Section 3 of the document Risk Assessment & Mitigation Report Ver 02 dated 15.01.2013 confirms the closure by adding the service assets.

Closed?: Yes

Ref Area/Process Clause

A686259/6 Corrective and Preventive Action 8.2 & 8.3

Details: With reference to the audit findings of the external audit report, root cause analysis and effective corrective and preventive action were not evidenced. Location: Bangalore

Requirements:

Objective Evidence:

Actions: There is no evidence of a corrective and preventive action plan for the previous BSI audit report of 13th Feb 2012 (11 observations, 1 minor NC). Clause 8.2 / 8.3

Closed?: No

Minor Nonconformities Arising from this Assessment.

Ref Area/Process Clause

A848170/1 Monitoring A.10.10.6

Details:

Requirements: Clock synchronization - The clocks of all relevant information processing systems within an organization or security domain shall be synchronized with an agreed accurate time source.

Objective Evidence:

It was evidenced during the audit that the CCTV surveillance system of POSOCO has a time difference of 4 min 35 s from the access control system and the server time of the facility.
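The finding above is a forensic problem, not just a housekeeping one: a 4 min 35 s gap between the CCTV clock and the access control and server clocks means an investigator cannot line up a camera frame with a badge event without first measuring and correcting the offset. The following Python script is an added example (not part of the BSI report or of POSOCO's systems) of that check. It takes one physical event, a badge-in at the main gate, as recorded by three systems, measures each system's clock offset against the server (assumed here to be the clock synchronized to the agreed time source), flags any offset above a tolerance, and uses the measured offset to correlate a CCTV timestamp back to the matching access-control record. The log format, the system and event names, the 5-second tolerance and the timestamps are all constructed for illustration.

```python
"""Clock-skew check across security systems.

Added example, not from the BSI report.  Assumptions (constructed for
illustration): each system exports events as "<system> <ISO-8601 time> <event>";
the server is synchronized to the agreed time source and is the reference;
the anchor events and the 5 s tolerance are chosen here, not by the report.
"""
from datetime import datetime, timedelta

TOLERANCE = timedelta(seconds=5)

# Constructed sample: one physical event, a badge-in at the main gate, as
# recorded by three systems.  The CCTV clock runs 4 min 35 s behind.
SAMPLE_LOGS = """\
server 2013-02-18T07:58:12 badge_event_received gate=main user=e1042
access_control 2013-02-18T07:58:12 badge_in gate=main user=e1042
cctv 2013-02-18T07:53:37 motion_start camera=gate-main
""".splitlines()

# Which event in each system's log corresponds to the same physical moment.
ANCHOR_EVENTS = {
    "server": "badge_event_received",
    "access_control": "badge_in",
    "cctv": "motion_start",
}


def parse_log(lines):
    """Return {system: [(timestamp, event_text), ...]} from the constructed format."""
    events = {}
    for line in lines:
        if not line.strip():
            continue
        system, ts, rest = line.split(" ", 2)
        events.setdefault(system, []).append((datetime.fromisoformat(ts), rest))
    return events


def anchor_time(events, system):
    """Timestamp of the anchor event as seen on one system's own clock."""
    for ts, text in events[system]:
        if text.startswith(ANCHOR_EVENTS[system]):
            return ts
    raise ValueError(f"no anchor event for {system}")


def clock_offsets(events, reference="server"):
    """Offset of each system's clock relative to the reference clock
    (negative means that system's clock is behind the reference)."""
    ref = anchor_time(events, reference)
    return {s: anchor_time(events, s) - ref for s in events if s != reference}


def skewed_systems(offsets, tolerance=TOLERANCE):
    """Systems whose clock differs from the reference by more than the tolerance."""
    return sorted(s for s, off in offsets.items() if abs(off) > tolerance)


def correlate(events, offsets, query_system, query_time, window=timedelta(seconds=10)):
    """Map a timestamp read off one system (e.g. a CCTV frame) onto reference
    time using the measured offset, then list events from the other systems
    whose corrected timestamps fall within the window of that time."""
    zero = timedelta(0)
    ref_time = query_time - offsets.get(query_system, zero)
    matches = []
    for system, evs in events.items():
        if system == query_system:
            continue
        for ts, text in evs:
            if abs((ts - offsets.get(system, zero)) - ref_time) <= window:
                matches.append((system, text))
    return ref_time, sorted(matches)


def check_sample():
    """Run the whole check on the constructed sample and return the findings."""
    events = parse_log(SAMPLE_LOGS)
    offsets = clock_offsets(events)
    corrected, matches = correlate(events, offsets, "cctv", anchor_time(events, "cctv"))
    return {
        "offsets_s": {s: o.total_seconds() for s, o in offsets.items()},
        "skewed": skewed_systems(offsets),
        "corrected_time": corrected.isoformat(),
        "matches": matches,
    }


if __name__ == "__main__":
    for key, value in check_sample().items():
        print(f"{key}: {value}")
```

The constructed CCTV entry is 275 s behind the server, reproducing the gap the audit found; correcting by the measured offset maps the 07:53:37 frame onto 07:58:12 and recovers the badge event from both other systems. The tolerance is an assumption: pick one below the precision at which investigations need to correlate events, and run the check as part of the periodic review rather than discovering the drift at an audit.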

Ref Area/Process Clause

A848170/2 Internal Audit 6

Details:

Requirements: Internal ISMS audits

The organization shall conduct internal ISMS audits at planned intervals to determine whether the control objectives, controls, processes and procedures of its ISMS:

a) conform to the requirements of this International Standard and relevant legislation or regulations;

b) conform to the identified information security requirements;

c) are effectively implemented and maintained; and

d) perform as expected.

An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.3.3) shall be defined in a documented procedure.

The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8).

NOTE: ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing, may provide helpful guidance for carrying out the internal ISMS audits.

Objective Evidence:

It was observed during the audit that two minor nonconformities had been identified in the last internal audit, conducted on 23rd and 24th January 2013, in the physical security and systems logistics departments, but no evidence was found that they were discussed in the MRM held on 11.02.2013; hence the allocation of responsibility for closure and a target date have not been recorded in the MOM.

Ref Area/Process Clause

A848170/3 Information labelling and handling A.7.2.2

Details:

Requirements: Information Labelling and Handling - An appropriate set of procedures for information labelling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization.

Objective Evidence:

Per Document No.PSC/ISMS2013/017_information labelling and Handling policy dated 15/01/2013, labelling in terms of Confidential, Internal and Public was not found to be implemented.

Location: NLDC Delhi

Ref Area/Process Clause

A848170/4 Compliance A.15.1.6

Details:

Requirements: Regulation of cryptographic controls - Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.

Objective Evidence:

Organization Document No.PSC/ISMS2013/017_information labeling and Handling policy dated 15/01/2013 requires that confidential material be transmitted by encrypted means; however, control A.15.1.6 has been justified as excluded from the current applicable SOA POSOCO/IMS/SOA ver 2.0. A policy that mandates encryption is inconsistent with excluding the control that governs the use of cryptographic controls.

Ref Area/Process Clause

A848170/5 Monitoring A.10.10.2

Details:

Requirements: Monitoring system use - Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly.

Objective Evidence:

A.10.10.2: The control regarding monitoring of the SCADA servers was not evidenced.

User passwords are issued by IT and are to be changed every 30 days; however, no review of compliance with this rule was evidenced.
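The second sentence of this finding, a 30-day rule with no evidence that anyone checks it, is the usual shape of an A.10.10.2 gap: the procedure exists, the review does not. The following Python script is an added example (not part of the BSI report or of POSOCO's systems) of what such a review produces. It takes an account export, classifies each enabled account as compliant, overdue or never changed, keeps disabled accounts visible, and formats a dated record of the kind an auditor asks to see. The CSV layout, the account names, the dates and the review date are all constructed for illustration; the 30-day maximum is the rule quoted in the finding.

```python
"""Review of the 30-day password-change rule.

Added example, not from the BSI report.  Assumptions (constructed for
illustration): IT can export the account list as CSV with the columns
user,last_password_change,enabled; dates are YYYY-MM-DD and an empty date means
the password has not been changed since issue.  The 30-day maximum is the rule
the report quotes; the review date is fixed so the check runs offline.
"""
import csv
import io
from datetime import date

MAX_AGE_DAYS = 30
REVIEW_DATE = date(2013, 2, 18)  # the audit date, chosen for the sample

# Constructed sample export.  mo_analyst is exactly 30 days old on the review date.
SAMPLE_EXPORT = """\
user,last_password_change,enabled
scada_oper1,2013-02-01,yes
scada_oper2,2013-01-05,yes
it_admin,,yes
old_contractor,2012-11-20,no
mo_analyst,2013-01-19,yes
"""


def parse_export(text):
    """Parse the CSV export into a list of account dicts."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["last_password_change"].strip()
        accounts.append({
            "user": row["user"].strip(),
            "changed": date.fromisoformat(raw) if raw else None,
            "enabled": row["enabled"].strip().lower() == "yes",
        })
    return accounts


def password_age_review(accounts, as_of, max_age=MAX_AGE_DAYS):
    """Classify every account for the review record.

    overdue:       enabled, password older than max_age days (age listed)
    never_changed: enabled, no change recorded since the password was issued
    disabled:      listed separately; a disabled account that is re-enabled
                   later still carries its stale password
    compliant:     enabled and within max_age (exactly max_age days counts)
    """
    result = {"compliant": [], "overdue": [], "never_changed": [], "disabled": []}
    for acct in accounts:
        if not acct["enabled"]:
            result["disabled"].append(acct["user"])
        elif acct["changed"] is None:
            result["never_changed"].append(acct["user"])
        else:
            age = (as_of - acct["changed"]).days
            if age > max_age:
                result["overdue"].append((acct["user"], age))
            else:
                result["compliant"].append(acct["user"])
    return result


def review_sample():
    """Run the review over the constructed export as of the review date."""
    return password_age_review(parse_export(SAMPLE_EXPORT), REVIEW_DATE)


def review_record(result, as_of):
    """Format the outcome as the kind of dated record an auditor asks to see."""
    lines = [f"Password age review as of {as_of.isoformat()} (max {MAX_AGE_DAYS} days)"]
    for user, age in result["overdue"]:
        lines.append(f"OVERDUE       {user} ({age} days)")
    for user in result["never_changed"]:
        lines.append(f"NEVER CHANGED {user}")
    for user in result["disabled"]:
        lines.append(f"DISABLED      {user}")
    lines.append(f"compliant: {len(result['compliant'])} account(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(review_record(review_sample(), REVIEW_DATE))
```

The sample deliberately includes an account whose password is exactly 30 days old (treated as compliant, since the rule is "changed every 30 days"), one with no change recorded, and a disabled account; agree those edge cases with the policy owner before the first review rather than during the next audit. The first half of the finding, monitoring of the SCADA servers, needs its own record of what is reviewed on those servers, how often and by whom; this script does not cover it.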

Assessment Participants.

On behalf of the organisation:

Name Position

At WRLDC

P.Pentayya GM

V.K.Srivastava AGM

Abhimanyu Gartia DGM (LO-I)

Sanjay Gupta CM (Fin)

N.Roy DGM (LO-II)

K.Muralikrishna CM (MO-II)

Harish Patel Mgr (IT)

S.K.Saha Mgr (LO-I)

Amit Prasad Gupta Sr.Engr (LO-I)

Ankur Gulati Engr(LO-I)

Madhubanti Personnel Officer (HR)

Vivek Singh Asst. Engr (IT)

SRLDC

P.R.Raghuram ED, SRLDC

G. Anbunesan DGM

V.Suresh DGM / MR

V.Balaji DGM

M.K. Ramesh Ch. Manager


Jane Jose Ch. Manager

T.Srinivas Ch. Manager

S.P.Kumar Ch. Manager

T.Kalanithy Ch. Manager

N.R.C.Babu Ch. Manager

F.Badruzzama Begum Ch. Manager

Rakesh Kumar Manager

Shamreena Varghese Manager

Pramod Singh Dy. Manager

M. Nagendra Kumar Dy. Manager

N.S Gopalakrishnan Dy. Manager

G Madhukar Sr. Engineer

Pramod Singh Sr. Engineer

M.Venkateshan Sr. Engineer

Kamalesh Kumar Engineer

B.R.Suresh Engineer

Abdullah Siddique Engineer

NLDC/NRLDC

SK Soonee CEO

V.K.Agrawal ED

V.V.Sharma GM

A. Mani GM

D.K.Jain AGM

S.S.Prasad AGM

H.K.Chawla DGM

Minaxi Garg DGM

Devendra Kumar DGM

Anil Chadha DGM

P.K.Agarwal DGM

Debashish De DGM

Y.P.Gupta DGM


Priti Chaturvedi Company Secretary

Ashok Nijhawan Ch. Manager

S.C.Saxena Ch. Manager

Jyoti Prasad Ch. Manager

A.K.Marwaha Ch. Manager

Gurmit singh Manager

Mitra Sain Engineer

Shailendra Kr. Verma Sr. Engineer

Rinku Narang Jr. Technician

NERLDC

T.S.Singh GM

V. Kaikhochin DGM

N.R.Paul DGM

Rajib Sutradhar DGM

S.C.De Ch. Manager

V.F.Desouza Ch. Manager

T.K.Mondal Ch. Manager

B.S.Roy Ch. Manager

M. Hussain Ch. Manager

K. Sharma Ch. Manager

R.C.Dey Manager

Sh. Shadruddin Manager

Babul Roy Dy. Manager

Biswajeet Medhi Dy. Manager

Prasanta Das Sr. Engineer

P.Bhattacharya Sr. Engineer

Rahul Chakraborty Engineer

Pinki Debnath Engineer

Anupam Kumar Engineer

Manoj Kumar Jha Jr. Engineer

B.S.Jamatia Jr. Engineer


B.K.Dey Sr. Supervisor

ERLDC

P. Mukhopadhyay GM/MR

A.B. Sengupta Engineer ( SL)/IA

U K Verma GM( ERLDC)

G K Kundu Dy Manager - HR

S Konar Manager MIS

G Chakraborty CM ( MO)

P Chaudhury Manager TS

Nadim Ahmad Sr Engineer ( SO)/IA

P S Das CM ( SO)

Saurabh K Sahay Engineer (SS)

D K Srivastava AGM ( SO)

The assessment was conducted on behalf of BSI by:

Name Position

Nanjappa Bangalore Team member

Kapil Raina Team member

Lt.Col Yashpal Team member

Tathagata Datta Team member

Suresh Dattatraya Haridas Team leader

Continuing Assessment.

The programme of continuing assessment is detailed below.

Site Address Certificate Reference/Visit Cycle

Western Region Load Despatch Center

Plot no F3, MIDC Area,Marol

Opposite SEEPZ, Andheri, East

Mumbai

Maharashtra

400093

India

IS 571620

Visit interval: 12 months

Visit duration: 7 hours

Next re-certification: 01/12/2015


Re-certification will be conducted on completion of the cycle, or sooner as required. An entire system re-assessment visit will be required.

Re-certification Plan.

Visit 1 Visit 2 Visit 3 Visit 4 Visit 5 Visit 6

Business area/Location Date (mm/yy): 1/14 1/15 1/16

Duration (days): 3.5 3.5

(Scope and Policy, Organisation, Internal Audits, Management Reviews, Continual Improvement, Incident Management) Y Y Y

At NLDC/CC/NRLDC, WRLDC, ERLDC, NERLDC, SRLDC Y Y Y

Physical security (Establishment) Y Y Y

Contract Services / Technical Services (Establishment) Y Y Y

Human Resources (Establishment) Y Y

Operational services Y Y Y

Finance (Establishment) Y Y

Commercial services (Market Operation) Y Y

Grid Management Y Y Y

Information Technology including support for SCADA/EMS, Incident management (Logistics) Y Y Y

Recertification Y

Next Visit Plan.

Visit objectives:

CAV 1

Visit scope:

As per certificate

Date Assessor Time Area/Process Clause

Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation of the visit by the

organisation within 30 days of an agreed visit date.

Notes.

The assessment was based on sampling and therefore nonconformities may exist which have not been identified.


If you wish to distribute copies of this report external to your organisation, then all pages must be included.

BSI, its staff and agents shall keep confidential all information relating to your organisation and shall not disclose any such

information to any third party, except that in the public domain or required by law or relevant accreditation bodies. BSI staff, agents

and accreditation bodies have signed individual confidentiality undertakings and will only receive confidential information on a 'need

to know' basis.

This report and related documents are prepared for and only for BSI's client and for no other purpose. As such, BSI does not accept or assume any responsibility (legal or otherwise) or accept any liability for or in connection with any other purpose for which the Report may be used, or to any other person to whom the Report is shown or into whose hands it may come, and no other persons shall be entitled to rely on the Report.

Should you wish to speak with BSI in relation to your registration, please contact your customer service officer.

BSI Group India Private Limited

701, Seventh Floor,

Samarpan Complex,

New Link Road, Chakala,

Andheri-East,

Mumbai - 400 099,

India

Tel: +91 22 2826 0607 Telefax: +91 22 2826 0606

E-mail (for corrective action plans): [email protected]

Appendices.

This report should be read along with the BSI audit report for the PAS 99:2006 recertification held on 18th Feb 2013. For ISMS 27001:2005 the SOA applicability version 2.0 and date 15/1/2013 will not appear in the certificate. The address to be specified in the certificate is the corporate address and not the location-zero address (i.e. WRLDC).

The corporate address is

Power System Operation Corporation

(A wholly owned subsidiary of Power Grid Corporation of India Ltd.)

B-9, Qutab Institutional Area,

Katwaria Sarai,

New Delhi 110 016.

