
Cyber Queries 2 AIL

The document outlines a comprehensive assessment of cybersecurity measures, including revenue data, access control, business continuity planning (BCP), backup strategies, and IT security team structure. It poses various questions regarding cyber-crime management, electronic fund transfers, and compliance with standards like ISO 27001 and PCI DSS. Additionally, it seeks details on incident response, data protection measures, and the organization's overall cybersecurity architecture and future plans.

Uploaded by Jigar Desai

Cyber Overview:

- Geographical Consolidated Split of Revenue – Confidential
- What type of data is stored and who has access to the same? – Data pertaining to Business and Operation and Employees and Clients
- Please let us know what typical BCP testing looks like in terms of the role played by the different teams and the process
- Backup Details and Frequency of Backup – D/W/M/Y
- Please let us know how you arrive at your RTO and RPO – Yes
- Do you test security functionality during the development lifecycle of information systems, incl. IT security updates? If the response is no, we request you to kindly share some more details on this aspect – NA
- List of entities and their description that would get covered. We would need to understand the current structure of the IT/Information security team in terms of roles, function, reporting and strength (number of people)
  1. Kindly confirm whether all the entities to be insured share a common internal network, or whether the networks of all entities to be insured are connected along with the Insured – 1000 +
  2. Are all checks & measures shared with us applicable for all entities to be covered? – Yes
- Please let us know if the IT security principles/policies/infrastructure and the team managing the function are centralized or decentralized. This needs to be in the context of all the entities (subsidiaries and manufacturing locations and offices, including global entities if any) proposed to be covered under the policy – Yes
- Claim History/Circumstances, if any – No
- Website Domains – *.aether.co.in, *.airis.co.in,

E-theft/E-comm:

Cyber-crime questions –

6.1 Cyber-crime questions to consider:

- 1. What value of own funds do you manage on an annual basis?
- 2. What value of funds do you hold in trust or under management (for third parties)?
- 3. What is your maximum daily volume of funds transferred electronically?
- 4. What is your average daily volume of funds transferred electronically?
- 5. What is the maximum volume of a single electronic funds transfer?
- 6. How are payments loaded? (i.e., online banking app, own application, other?)
- 7. Do you maintain and follow a documented procedure for accessing and transferring electronic funds?
- 8. Does this procedure clearly specify and define:
  - a. All authorized personnel?
  - b. How many people are authorized to load, release and authorize payments?
    - i. In numbers, how many are authorized? _______
  - c. Call-back procedures that must be followed?
  - d. Transfer limits?
  - e. Dual authorization to load or maintain beneficiary details?
  - f. Segregation of duties for loading, releasing and authorizing payments?
- 9. How is access to payment applications protected? (e.g., MFA, password, other?)
- 10. Are special log-on passwords (separate from an individual operator's passwords) used when logging into a terminal to provide verification of the terminal's identity?
Cyber Assessment:

Please share their ISO 27001 and PCI DSS certificates if they are certified. Also, please provide a description of the entities mentioned in the email, and please confirm whether the cyber controls that will be shared with HDFC Ergo are the same and applicable to that entity as well. – ISMS27001 Implemented

Also, the following would be queries:

- 1. We would need to understand the current structure of the IT/Information security team in terms of roles, function, reporting and strength (number of people) – 3 Person and CIO
- 2. Please let us know if the IT security principles/policies/infrastructure and the team managing the function are centralized or decentralized. This needs to be in the context of all the entities (subsidiaries and manufacturing locations and offices, including global entities if any) proposed to be covered under the policy – Centrally
- 3. Please let us know how these policies and procedures are implemented across different entities –
  - a. This should include all the entities proposed to be covered or even not covered under the policy, i.e. branch offices, office locations, subsidiaries, etc. – NA
- 4. For manufacturing locations (OT exposure), we would like to understand the following:
  - a. Does your CISO (Chief Information Security Officer or Head of IT security) have a direct reporting line from production IT? – NA
  - b. Does your formal Information Security Policy cover your industrial environment and processes? – Yes
  - c. Do you have industrial out-of-date/end-of-life software and/or hardware which is officially not provided with security updates by the manufacturer/provider?
    - i. If yes, please let us know the compensatory controls in place to avoid misuse of any vulnerability
  - d. Do you use restrictive application whitelisting on industrial systems, e.g. on Supervisory Control and Data Acquisition (SCADA) or Human Machine Interface (HMI)?
  - e. How do you currently manage patching of your OT systems?
  - f. Are roll-backs of backups of industrial systems regularly tested to validate the accuracy and integrity of the data and to verify the ability to restore data as quickly as possible with the least impact?
  - g. Are the office IT and OT networks separated?
    - i. If yes, please describe the technology and IT architecture
    - ii. Please let us know the method used for segregation
- 5. Do you have segregation of the network based on business function to avoid lateral spread? (Please give details on physical segregation, inter-VLAN security, port blocking, inter-company, intra-company, etc.)
- 6. Please let us know what typical BCP testing looks like in terms of the role played by the different teams and the process
- 7. Do you test security functionality during the development lifecycle of information systems, incl. IT security updates? If the response is no, we request you to kindly share some more details on this aspect.
- 8. How many manufacturing / generation / logistics locations are present?
- 9. Is multi-factor authentication being used for all the systems / services? If not, what is the coverage of the multi-factor authentication?
- 10. When was the last VAPT conducted? Does it include all the cyber assets present in the organisation? Have all the findings been fixed?
- 11. Are any file transfer or remote support tools being used? If yes, which? How is access to the same secured?
- 12. What redundancies do you leverage in the design of your infrastructure? (e.g. automatic failover logic, IT systems in HA mode)
- 13. Has the organization implemented an Endpoint Detection and Response (EDR) or XDR solution on all endpoint systems and servers to actively monitor and detect security threats based on system behaviour?
- 14. Has the organization performed a DR drill to ensure the effectiveness of its disaster recovery plan?
- 15. What is the maximum acceptable outage, also known as RTO (Recovery Time Objective)? Please let us know how you arrive at your RTO and RPO.
- 16. Are any cloud service providers being used? If yes, which? How many systems are currently running from the cloud, and how many on-prem / co-located?
- 17. Do you technically or organisationally ensure that employees must not install and/or run unauthorised portable software on their workstations? (Please share the controls present, excluding the admin-right restrictions being implemented.)
- 18. Is data at rest and in transit encrypted?
- 19. Do you have a PIM/PAM solution in place? If yes, please specify the details and coverage of the same.
- 20. Are any SaaS services being used or provided? If yes, who is responsible for the protection of data stored on the SaaS service? Please name the service providers being used.
- 21. Besides traditional signature-based detection, does your malware protection use advanced heuristic- and behaviour-based detection mechanisms to protect against new malware?
- 22. Does the organization have a Network Access Control (NAC) solution in place to allow the organization to restrict access to resources on its network and to prevent risk to the organization from the Internet of Things (IoT), weak access permissions, and advanced persistent threats (APT)?
- 23. Has the organization implemented a Data Leakage Prevention (DLP) tool in block mode to make sure that end users do not send sensitive or critical information outside the corporate network?
- 24. Please share the future plans / improvement roadmap for the cyber security architecture, including time frames to implement, if any.
- 25. How are networks, servers and applications monitored for any cyber security incidents?
- 26. Has the organization implemented a Security Information and Event Management (SIEM) solution for proactively preventing, detecting, analyzing, and responding in a timely manner to security threats that the organization may face?
- 27. Are any data centers / networks being shared between the entities / subsidiaries to be covered, or even not covered, under the policy? Please explain in detail.
- 28. Are any of the manufacturing / logistics / generation systems or medical equipment connected to / dependent on IT systems which, if not working, might result in any loss?
- 29. Is the organisation GDPR compliant?
- 30. Please list all the cyber security functions that exist (within the organization and via external vendor/MSP) to manage/perform day-to-day security tasks (example: SOC, TI, IR, etc.), or please share the IT org chart.
- 31. Do you have a process of real-time monitoring for Domain Admin accounts? Kindly elaborate.
- 32. Please describe your current status with regard to Zero Trust architecture for your network. What are the ongoing projects towards ZTA?
- 33. Please elaborate in detail: What is the frequency of backup? How are backups taken? Please explain in detail the backup strategy & backup coverage being used in the organisation.
- 34. Kindly describe your current cyber security monitoring setup. Please explain by way of an example how the day-to-day operations of your cyber security monitoring setup take place, i.e.
  - a. the typical process from when an alert is generated to resolution and updating of use cases?
  - b. Have you established an escalation procedure for information security incidents?
- 35. Are all your critical services on an Active-Active setup?
- 36. Please describe the scope of your BCP testing. Was it table-top or functional?
