
SUSTAINABILITY REPORT FY 2023 | Transforming Communities | Transforming the Planet | Transforming the Workplace

Third-party certifications and assessments are also conducted twice a year.

Certification/Assessment | Service provider
Internal Vulnerability Assessment and Penetration Testing (VAPT) Program, including simulated hacker attacks | Information Security Function, through a third-party expert agency
External Vulnerability Assessment and Penetration Testing (VAPT) Assessment | Group Management Assurance System (through a third-party expert agency)
ISO 27001, ISO 22301, ISO 31000 and ISO 27701 | Surveillance audit conducted through an audit partner

Awareness and Capacity Building

As part of the onboarding process, all new joiners at Vedanta are required to attend mandatory cybersecurity training to ensure their awareness and understanding of security protocols. 100% of our employees are trained on cybersecurity. In addition, an Online Awareness Training Capsule is made available on a self-service basis. The Information Security function closely monitors and tracks the training status of users, conducting periodic follow-ups to promote completion. Virtual Classroom sessions are also organised periodically, allowing voluntary participation and self-nomination for further training. To assess the level of user awareness, BUs conduct Dip-Stick Assessments in the form of periodic tests and quizzes. Based on the results of these assessments, targeted trainings and communications are conducted throughout the organisation. Phishing simulations are carried out for all users to evaluate their vigilance and awareness. Lessons learned from these simulations are shared with the users, while individuals who fall prey to the simulations are required to watch specific phishing training videos for further learning.

Performance Evaluation and Reporting

Each employee in the IT function has well-defined KRAs/KPIs, in line with Vedanta's Information Security Goals, as part of their Annual Goals and Performance Management process and requirements. Performance evaluation of Information Security is carried out based on the following aspects:
•  People
•  Process
•  Technology

Performance of the employee is measured against these goals. Similarly, employees working in the OT environment and managing such systems also have KPIs aligned to Vedanta's Information Security Goals in their Annual KRA/KPA Plan.

Incident Reporting

Security incidents are addressed by diligent tracking and monitoring until resolution. A comprehensive root cause analysis is conducted, and action plans are developed to mitigate future incidents. We have a well-defined Incident Management & Data Breach Policy communicated to all stakeholders. To facilitate incident reporting, Vedanta has a centralised email address for reporting suspicious activities related to information security.

Incidents are generated through various channels, including 24/7 monitoring of critical IT assets, daily monitoring of data movement using data leakage prevention tools, incident reports from end users, and internal security organisation observations. Each reported incident is thoroughly investigated by the Chief Information Security Officer (CISO), and appropriate actions are taken. Vedanta uses advanced tools and technologies to continuously monitor IT assets and data movement, automatically generating incidents based on predefined rules. These incidents are then tracked and resolved by the IT Operations Team with guidance from the Information Security Organization.

During the reporting period, no incidents of leaks, thefts, or data loss were identified, resulting in no impact on clients, customers, or employees.

Escalation Process

Vedanta diligently tracks and monitors all security incidents, ensuring they are thoroughly investigated and that actions are taken for their resolution. To encourage reporting, Vedanta's BUs have established a central email address, gc@vedanta.co.in, where users can report any suspicious activities related to Information Security. Reported incidents undergo investigation by the CISO, and appropriate measures are implemented to address each incident.

Incidents reported through the Security Information and Event Management (SIEM) system and by employees and end users are evaluated by the BU's CISO and further reviewed by the BU's Chief Information Officer (CIO). Data incidents reported through Data Loss Prevention (DLP) systems and by end users are evaluated by the BU's Data Governance and Privacy Officer (DGPO) or the BU's CISO and reviewed by the BU's CIO. The severity and impact of these incidents and observations are reported and discussed in various forums, including the BU's Executive Committee (EXCO), Vedanta Group's Executive Committee (EXCO), the BU's Audit & Risk Committee, and Vedanta's Audit & Risk Committee. Compliance with agreed-upon observations is reported on a quarterly basis to ensure timely and effective resolution.





