SEPG Plan
Details
Date | Version | Status | Information Classification | Document Template ID | Document No |
---|---|---|---|---|---|
22-01-2020 | 1.3 | Approved | Internal | AMS DOC | AMS-SP-32 |
Revision History
Date | Version | Description | Author | Reviewed by | Approved by | Approved date |
---|---|---|---|---|---|---|
23-06-2017 | 1.0 | Initial Version | Ramanujan | Suresh Kumar BV | Suresh Kumar BV | |
23-03-2019 | 1.1 | Annual Review | Ramanujan | Suresh Kumar BV | Suresh Kumar BV | |
05-07-2019 | 1.2 | Revised the whole document to address BSI audit 2019 finding | Shaila | Praveen, Rukmani | Suresh Kumar BV | |
18-12-2019 | 1.2 | To remove remarks of monthly IT audit in the Internal Audit Plan section | Usha | Shaila | Suresh Kumar BV | 22-01-2020 |
Acronym Used
Acronym | Expanded Form |
---|---|
SEPG | Software Engineering Process Group |
AMF | Antares Management Forum |
SCM | Software Configuration Management |
Introduction
The purpose of the SEPG Plan is to plan the activities for achieving the objectives stated in the AMS Manual. The specific activities are the following:
- Schedule for Quality Assurance Activities
- Internal Audit Plan
- VAPT schedule
- Risk assessment review
- BCP/Fire drill schedule
- Coordinate external audit
- Process Development and Improvement Activities
- Training
- Schedule for Management Review Meeting
- Measurement Objectives
Scope
- This plan is applicable to all users
Objectives
- Refer AMS Objectives
Milestones and Process Improvements
Refer AMS Annual Plan for details
Internal Audit Plan
- In order to ensure that approved processes are being implemented, internal audits will be conducted by the Quality Group in coordination with Project Managers. The schedule for internal audits will be developed by the Quality Group using the Project Plans as the input. A separate audit schedule will be maintained on a regular basis.
Srl. | Type of Audit | Frequency | Remarks |
---|---|---|---|
1 | Internal Audit or Compliance Check (ISMS+QMS or PPQA) | Every Quarter | |
2 | SCM Audit | Every Quarter | Normally part of Internal Audit |
3 | Internal Audit (IT Support) | | External |
4 | VAPT | Yearly | 1 year |
Risk Assessment Review
- The risk assessment and risk treatment plan will be reviewed by the risk owners at least once a year, or more often on a need basis
Process Definition & Documentation
The Organization Process Framework and a set of processes are identified as outlined in the master list.
Identified processes are developed, reviewed and maintained in the repository on the ISO server.
Any changes will be handled under change control as defined in the Document Change Management process. Such changes will be reviewed during the Management Review meeting.
Training
ASL will use all possible channels for providing training in order to fully utilize modern training technologies. The types of channels that may be used include:
- Classroom training sessions
- Intranet based training
- Question and answer sessions
- Self-paced computer based training
The training channels may also be integrated with the organization's regular activities, such as the following:
- Employee induction programs
- Project startup and project closure meetings, team meetings
Information Security Awareness Campaign will be organized through HR/Training function. The content and scope of these programs will be developed by the Quality/CISO function.
Web Page - An Information Security Intranet site will be created to serve as a communications channel for Information Security Awareness issues.
Electronic Mail - Bulletins addressing information security topics will be developed and may include descriptions of security incidents, the possible impact of security breaches, and how a sound security posture can act as an enabler for business operations.
Posters - Posters will be created with Information Security themes and posted at common meeting locations to heighten user awareness of security issues.
Coffee Mugs - Coffee mugs could be produced with user security awareness themes.
Promotional Magnets - Magnets can also provide an effective communication channel to raise awareness of security issues.
Screensavers - The security awareness project team could develop screensavers to provide and improve information security awareness.
ISMS Quizzes - Quizzes on ISMS will be conducted in groups across the organization.
All the training related artifacts will be maintained as per the training process.
BCP Testing
BCP testing is designed to determine:
The state of readiness of the ASL recovery organization to cope with a disaster situation.
Whether the BCP has been properly maintained.
Three distinct test types have been identified to help validate the accuracy and effectiveness of the plan. Following are the test types:
Structured walkthrough
Also referred to as a "desktop" exercise, the structured walkthrough is a paper evaluation of the BCP designed to expose errors or omissions without incurring the level of planning and expense associated with performing an operations test. In the structured walkthrough, a disaster scenario is established, and members of the recovery organization assemble in a conference room and walk through their recovery actions.
The scenario will be made available in advance to allow the recovery organization members to review their recovery actions in response to the test scenario. At the end of the structured walkthrough, any changes to the plan that are found to be necessary are documented and implemented.
Component testing
Component tests are actual physical exercises designed to assess the readiness and effectiveness of discrete plan elements and recovery activities. Isolating key recovery activities allows members of the recovery organization to focus their efforts while limiting testing expense and resources. This testing is effective for identifying and resolving issues that may adversely affect the successful completion of a full operations test. Component tests include:
- Evacuation tests
- Emergency notification test
- Backup restoration test
- Application recovery test
- Critical support business processes recovery test
Integrated simulation/ full operations test
- The full operations test requires extensive planning and preparation and should not be performed until most, if not all, of the plan components have been tested. This test requires the simulated recovery of critical support business processes across a business function. It is the closest exercise to an actual disaster. Although a full operations test requires weeks of planning and considerable coordination of personnel and resources, the exercise provides a level of confidence in the ability to recover in an actual event.
Indicative test schedule
Test type | Frequency |
---|---|
Structured walkthrough | Yearly |
Component testing | Quarterly (schedule tests for different components in different months) |
Integrated simulation/Full operations test | On need basis |
- Fire Drill will be conducted once in a year
Management Review Meetings
The AMF will meet once every quarter to review and analyze the effectiveness of AMS. These meetings are coordinated by CISO.
The agenda for the periodic AMF meeting will include:
- Results of AMS audits and reviews
- Feedback from interested parties, customer feedback
- Process performance and product conformity
- Techniques, products or procedures which could be used in the organization to improve the AMS performance and effectiveness
- Status of preventive and corrective actions
- Vulnerabilities or threats not adequately addressed in the previous risk assessment
- Results from effectiveness measurements
- Follow-up actions from previous management reviews
- Any changes that could affect the AMS
- Recommendations for improvement
Process Asset Library
All the AMS related processes are maintained on the ISO server as the process asset library.
Access to the ISO server will be controlled and the access list reviewed at least once a quarter.