SUSTAINABILITY REPORT FY 2023
Third-party certifications and assessments are also conducted twice a year.

| Certification/Assessment | Service provider |
|---|---|
| Internal Vulnerability Assessment and Penetration Testing (VAPT) Program, including simulated hacker attacks | Information Security Function through a third-party expert agency |
| External Vulnerability Assessment and Penetration Testing (VAPT) Assessment (through Third-Party Expert Agency) | Group Management Assurance |
| ISO 27001, ISO 22301, ISO 31000, and ISO 27701 | Surveillance audit conducted through an audit partner |

Incident Reporting

Security incidents are addressed by diligent tracking and monitoring until resolution. A comprehensive root cause analysis is conducted, and action plans are developed to mitigate future incidents. We have a well-defined Incident Management & Data Breach Policy communicated to all stakeholders. To facilitate incident reporting, Vedanta has a centralised email address for reporting suspicious activities related to information security.

Awareness and Capacity Building

As part of the onboarding process, all new joiners at Vedanta are required to attend mandatory cybersecurity training to ensure their awareness and understanding of security protocols. 100% of our employees are trained on cybersecurity. In addition, an Online Awareness Training Capsule is made available on a self-service basis. The Information Security function closely monitors and tracks the training status of users, conducting periodic follow-ups to promote completion. Virtual Classroom sessions are also organised periodically, allowing voluntary participation and self-nomination for further training. To assess the level of user awareness, BUs conduct Dip-Stick Assessments in the form of periodic tests and quizzes. Based on the effectiveness of these assessments, targeted trainings and communications are conducted throughout the organisation. Phishing simulations are carried out for all users to evaluate their vigilance and awareness. Lessons learned from these simulations are shared with the users, while individuals who fall prey to the simulations are required to undergo specific phishing training videos for further learning.

Performance Evaluation and Reporting

Each employee in the IT function has well-defined KRA/KPI, in line with Vedanta's Information Security Goals, as part of their Annual Goals and Performance Management process and requirements.

Performance evaluation of Information Security is carried out based on the following aspects:
• People
• Process
• Technology

Performance of the employee is measured against these goals. Similarly, employees working in the OT environment and managing such systems also have KPI aligned to Vedanta's Information Security Goals in their Annual KRA/KPA Plan.

Escalation Process

Vedanta diligently tracks and monitors all security incidents, ensuring they are thoroughly investigated, and actions are taken for their resolution. To encourage reporting, Vedanta's BUs have established a central email address, gc@vedanta.co.in, where users can report any suspicious activities related to Information Security. Reported incidents undergo investigation by the Chief Information Security Officer (CISO), and appropriate measures are implemented to address each incident.

Incidents are generated through various channels, including 24/7 monitoring of critical IT assets, daily monitoring of data movement using data leakage prevention tools, incident reports from end users, and internal security organisation observations. Each reported incident is thoroughly investigated by the Chief Information Security Officer (CISO), and appropriate actions are taken. Vedanta uses advanced tools and technologies to continuously monitor IT assets and data movement, automatically generating incidents based on predefined rules. These incidents are then tracked and resolved by the IT Operations Team with guidance from the Information Security Organization.

During the reporting period, no incidents of leaks, thefts, or data loss were identified, resulting in no impact on clients, customers, or employees.

Incidents reported through the Security Information and Event Management (SIEM) system by employees and end users are evaluated by the BU's CISO and further reviewed by the BU's Chief Information Officer (CIO). Data incidents reported through Data Loss Prevention (DLP) systems and by end users are evaluated by the BU's Data Governance and Privacy Officer (DGPO)/BU's CISO and reviewed by the BU's CIO. The severity and impact of these incidents and observations are reported and discussed in various forums, including the BU's Executive Committee (EXCO), Vedanta Group's Executive Committee (EXCO), the BU's Audit & Risk Committee, and Vedanta's Audit & Risk Committee. Compliance with agreed-upon observations is reported on a quarterly basis to ensure timely and effective resolution.