
Internal and External Issue Tracker

Company Confidential

OSB India Private Limited
Old Madras Road, Bangalore - 560 016

Notice of Distribution

This document is available to OSB India management and One Savings Bank (OSB) PLC management. Any request to update this document must be authorized by CISO.

Notice of Confidentiality

This document contains proprietary and confidential information of OSB India. The recipient agrees to maintain this information in confidence and not reproduce or otherwise disclose this information to any person outside of the group directly responsible for the evaluation of its contents.

Disclaimer

OSB India releases and maintains controlled documents in soft copy only. User is responsible to ensure usage of latest version of the document.
Document Summary:

Author: CISO
Reviewed by: ISF
Current Version: 1.0
Date of Current Version: 30-Jan-2019
Date of Original Version: 30-Jan-2019
Document Type: Tracker
Document Number: OSBI-ISM-TMP-IIEI-19-001
Document Status: Approved
Document Circulation: OSB India, OneSavings Bank PLC Management
Owner: CISO
Approved by: Name: Irfan Khan; Designation: ISF Chairman

Revision History

Particulars Version No. Revision No. Date Edited by/Remarks

Created 1 0 30-Jan-19 Initial


Type | Interested parties | Existing Needs and Expectations
Internal | Top Management | Establishment, implementation, maintenance and continual improvement of Integrated Management System in the organization
| | Risks are appropriately and continuously identified, assessed and managed.
| | Policies, procedures and applicable laws and regulations are complied with
| | Business objectives are achieved effectively and efficiently
Internal | Employees | Learning opportunities
| | Supportive Work environment
| | Understanding of desired behavior
| | Business continuity
| | Availability of Information resources and tools
| | Security of their personal data
Internal | Shareholders | Good Governance
| | Management Accountability
| | Regulatory Compliance
| | Strong Corporate reputation
| | Transparent Reporting & communication
| | Business growth
Internal | Human Resource | Leadership support to implement organization level policies, procedures
| | Availability of HR information
| | Resource availability
| | Approval for exceptional cases
| | Availability of Tools, process and technologies.
| | Leadership commitment
Internal | IT | Stable and secure IT infrastructure
| | Availability of skilled resource
| | Availability of Tools, process and technologies.
| | Well established policies and procedures
Internal | Admin and Facility | Availability of Admin and Facility information
| | Availability of suppliers
| | Availability of resources
| | Management support to implement security/environmental controls and safety measures
External | Special Interest Groups | Sharing Information Security best practice
External | Customers | Data Security, data protection
| | Commitment to Contractual obligations and ethical principles
| | Competitive in response to customer needs
| | Ensuring quality and security in products and service delivery
| | Compliance to relevant ISO standards
| | Adherence to contractual requirements
| | Timely support
External | Legal, regulatory, statutory and Government | Compliance with legal, regulatory and statutory requirements
| | Promoting Common interests
External | Suppliers | Fair Dealing
| | Opportunity to grow their business
| | Sharing Information security best practice
| | Adherence to payment terms
External | Community/ Society | Safe Operations
| | Community Support
External | Family members | Work-life balance
| | Safety, Health and wellness
| | Good and timely living wages

New Needs and Expectations | Dependencies
OSBI should prevent security incidents that have an adverse impact on the stability and reputation of the organization | Management Commitment
OSBI has a risk management approach to assess, treat and communicate risks. The risk areas such as process and its context are captured. | Resource and budget allocation
OSBI employees adhere to the organization's ISMS policy and procedures |
OSBI qualifies in compliance to RBI and applicable laws and regulations of other relevant bodies. |
OSBI can satisfy its customers' expectations based on protecting and storing their data |
Awareness on OSBI's security policy during onboarding | Support for ISMS
Regular updates on information security |
Access to relevant ISMS documents for future reference |
There is a controlled approach towards sharing confidential payroll information of employees between the HR department and Finance | Business ethics
A healthy work culture which promotes communication of incidents among employees and the management. | Follow organizational policies, procedures
A safe working environment by practising equipment siting and protection e.g. safe distance from power rooms |
Protecting their rights to privacy and information |
Streamlined network facilities and business continuity |
Prevent security incidents that can majorly affect the market reputation and company shares. E.g. customer information gets leaked on internet | Ownership, leadership and management and applicable compliance
OSBI delivers good annual revenue and meets projected business outcomes |
OSBI management can drive its employees to reach targeted goals and improve the company value |
OSBI's services are competitive among other industry giants |
OSBI management allocates the necessary resources/funds to carry out BGV in case of third-party verification. | On time Resource provisioning
Information of employee and other suppliers is readily available | Training
OSBI management allocates the required resources for carrying out HR operations such as training, recruitment, employee information protection etc. in a continuous manner | Employee friendly policies
Supplier evaluation is done periodically and all requirements of tools and technologies are met at all times |
OSBI management allocates necessary resources/funds to purchase and/or maintain systems, tools, equipment etc. | Management support
OSBI management is committed to improve the capacity, security and stability of IT infrastructure | Tools and Technologies
There is a separate environment for development, testing and production. |
The systems are updated regularly and have antivirus support. |
OSBI management allocates necessary resources/funds to purchase office stationery, diaries, bags etc. | Safe and secure physical environment
The supplier agreements are addressed with necessary information security clauses |
OSBI maintains a reliable access control system |
OSBI has a transparent reporting and communication process | Latest trends and technology updates
| Security threats and vulnerabilities
OSBI provides secure information processing facilities for storing customer data | On time payment
OSBI management has a commitment towards contractual obligations and holds responsibility of its actions towards its customers | Fair dealing
OSBI shows a competitive edge over other banks to deliver quality services in a consistent manner |
OSBI is compliant with relevant ISO standards |
OSBI is persistent in offering timely support and customer care for its services. |
OSBI compliance is in accordance with the legal and regulatory requirements set out by the government and other relevant bodies | Policies in line with business needs
OSBI promotes government initiatives |
OSBI maintains a consistent growth based supplier - user relationship | Quality of services
OSBI maintains non-interruptive and transparent payment terms |
OSBI evaluates its supplier based on a fair and concise manner |
OSBI adheres to safe operations and promotes an eco-friendly environment | Peaceful environment
OSBI has taken measures to prevent any chaos, community disharmony etc. |
The employees work in a safe and protected facility | Emotional Support to employees
OSBI promotes a multi-cultural environment |
It caters to clean and hygienic workplace |


Interface | Issues
Authorities | Lack of Support from the Top Management,
Regular review | Lack of Policy Setting, Direction and Communication
NDA | Lack of addressing Information Security Requirements in the and compliance to NDA,
Offer letter |
Awareness | Issue in Employee Recruitment
Training | HR operations
Contracts | Employee attrition
| Lack of ISMS Awareness
Compliance to legal, statutory and regulatory requirements. | Violation of legal, statutory and regulatory requirements.
OLA / SLA | Issue in on time recruitment,
| Induction and on Job training,
| Awareness Training,
| Enforcement of Disciplinary Process,
| Terms and Condition of the Employment,
| Improper Background Verification
| Enforcement of HR policies.
OLA / SLA | Lack of availability of skilled resources
| Lack of availability of Tools and Technologies
| Lack of user administration, backup management, change management, capacity management, Network controls management, incident management, business continuity management, asset management, access control, media management, IT supplier management and quality management.
OLA / SLA | Lack of enforcement of Admin and Facility related policies,
| Lack of process in issuing and revoking the physical access cards during entry and exit.
| Improper maintenance of equipment
| Issue in physical security guidelines and lack of communication
| Lack of physical and environmental security controls.
Forum | Issue in getting the intimation on the latest security updates on time
Email | Lack of communication from the special interest groups
| Issue in getting the right information
Contracts | Violation of the contracts and SLA breach
SOW | Lack of tracking the customer SOW and non-compliance
Agreements | Customer satisfaction
| Issue in delivering the quality work.
| Delivering products and services with poor quality and security.
| Data privacy and regulation issues
Standards | Violation of legal, statutory and regulatory requirements,
Guidelines |
| Lack of enforcement of supply chain requirements in the supplier contract
Agreements | Supplier Contract Breach
SLA | Issue in on time delivery of the products and services.
| Lack of quality in the products and services.
Communication Media, Relationship | Wrong communication to public,
| Bandh, Civil unrest, Riot.
Relationship | Lack of Support and Misguide


Sl.No. Issue Identified Date

8 10/24/2018

9 11/13/2018
10 8/15/2018
11 8/20/2018
12 9/6/2018
13 11/23/2018
14 12/12/2018
15 8/9/2018
16 8/21/2018
17 8/21/2018
18 9/19/2018
19 10/18/2018
20 11/26/2018
21 12/11/2018
22 12/14/2018

23 11/14/2018

24 1/11/2019
25 10/23/2018
26 4/5/2018

27 10/9/2018

28 10/11/2018
29 10/31/2018
30 11/30/2018
31 12/5/2018
32 12/13/2018
33 12/18/2018
34 1/15/2019
35 1/16/2019
36 1/18/2019
37 9/11/2018

38 11/8/2018

39 11/26/2018
40 12/5/2018
41 12/5/2018

42 12/19/2018

43 12/21/2018
44 12/28/2018
45 12/28/2018
46 1/17/2019
47 6/8/2018
48 11/8/2018
49 12/7/2018
50 12/14/2018
51 1/3/2019
Internal Issues
30 devices in provisioning status in Secureworks (events are not correlated for).

DLP combines endpoint on Macs – not deployed to all Macs.

DLP and Varonis not being implemented at OSBI.

Logs need to be monitored and correlated in Secureworks for: DDoS, Darktrace.


Documented procedures are not being followed by the team to handle the security incidents. Providing training and regular follow-ups with the team to improve the standard on this.

All security incidents must be updated with valid RCA, investigation progress and justification.

Tickets must be closed within the SLA; however, there is a delay due to the large volume of incidents, as all security systems are being integrated with Secureworks and tuning is required.
ISA outsource letter file not set up to send to Imprimus - resulting in 268 ISA letters not being sent

Indexing issue on AWD10 was identified for KRPL accounts.


DPR not working properly (App Server reboot done) (Service Desk #200366)
Custom fields not available in DPR
Pay360 SSL Certificate expired
Currently unable to load any new mortgages into Bastion from DPR
Funds release wizard not working in DPR
GRC process fail
Unable to perform reconciliations for 7 working days in Phoebus for K1 division
Phoebus Daily Rest Interest issue
Phoebus automated debit card payments are posted as single entry
Non-UK Phoebus Letters - Failure to send to Paragon
Bank Wizard licence not validating
Product fee debited twice on accounts migrated from Bastion to Phoebus in Nov 2017
Reversal of authorised BACS credit
System error with no main account linked to the Further Advance account causing DPA incident on Phoebus
ASM distributed
Phoebus incorrect calculation of balance at end of term
DLP High Rated security incident #567424407
SSL Certificate expiry on Prestige web servers
Misconfiguration of firewall device led to the occurrence of a near miss security incident (cyber attack)

Post Code anywhere search limit expiry issue


SCV file reconciliation Table C to Table D
System issues following the IT maintenance weekend of 24/25 November 2018
Accounts are not reverted to Standard Variable Rate post the product expiry
RPA not working, completion wizards not run
AWD3 and AWD10 Lending Queue Status report generated incorrectly
DDs were not cancelled automatically on direct debit expert for 11 accounts.
Morning Phoebus MI reports not being run for print management reconciliation
SMS notifications were triggered to customer from Test environment
ODS Database not responding to delete or update statements, reg reports are affected
On the 6th of November the OSBBACS01 server unexpectedly shutdown causing Finance reports to not be produced
VMware Host failure
2 x Phone lines not recording calls
Centrac - EOP process hung
While performing the DD import and Export process the outray and extraction report did not match.

Citrix upgrade problems - staff unable to access system due to certificate error
Broker Portal not available on Thursday 27th December 2018
Call drop due to IPFX issues
Repeated Issues with Incorrect Uploads to Mailing House
Unable to withdraw funds from our Bank of England account
Duplicate Posting on Bastion
Data Quality issue with duplicate Bastion products
Overnight Standing order batch has been posted in place of the 9 PM posting.
287 payments requested on 1st Jan 2019 (public holiday) were processed only on 3rd Jan 2019
