Log Monitoring & Security Standards


Tata Motors Finance Official

Sr.No. Standard Name Requirement Remarks


1 System Clocks
Requirement: System clocks must be synchronized with a universal time server. Synchronization must occur automatically.
Remarks:
NOTE: The synchronization can be done with an internal time server that is itself synchronized with a universal time server. NTP is an example of a service for synchronization.
NOTE: Ideally, the time synchronization should be set to once per day.
NOTE: The time skew/drift after the initial synchronization should not exceed 60 seconds; the ideal target is less than one second. Correlating log entries across systems depends on this: events from different systems cannot be ordered reliably if their clocks disagree by more than the interval between those events.

2 Activities to be Logged by Information Resources
Requirement: TMF production information resources must have logging enabled to allow logging of significant events including but not limited to:
• Account logon events
• Account management
• Privilege use
• System events (as technically and currently available)
• Application start/stop times
• System boot/restart times
• System configuration changes
• Abnormal system events
• Critical System software changes
Information to be logged must include the following (as available): Date, Time, Source (App, Program, Driver, DB, etc. that logged the event), Event ID (code for the specific event), User/Account name (account on whose behalf the event occurred), Computer (where the event occurred), Description, Audit type (Success or Failure), Error Code (specific error code for the logging system).
Logging must be enabled to support this requirement where currently supported and available.
For the purposes of this control standard only, Critical Systems are defined as those identified by regulatory requirement or by meeting PCI, or those defined as Critical in EAP, CMDB or other TMF authoritative sources.
Additional logging items can be required to meet other requirements as identified by security assessment or by a member of the Information Security Organization.
Remarks:
NOTE: In support of minimizing the scale, cost and other impacts of breach notification, and to support eDiscovery and other requirements, logging for Object access (including 'read' for "Confidential" information) should be strongly considered. (There are existing legal and regulatory requirements in force that require this.)
NOTE: Some systems may have supplemental, separate or independent detection capabilities that provide additional "log type" information (e.g. IDS, IPS, monitoring tools) that may help meet the spirit and intent of the above requirements.
NOTE: Each software package treats logging slightly differently and may have limitations, alterations or additional abilities. If there are specific vendor guidelines or established company baselines for the specific systems then they should be followed; otherwise practical judgment (and consultation with a member of the Information Security Organization) should be applied.
NOTE: Currently there are many systems that do not have "success read" logging enabled for access to confidential data. Best available effort is needed to address those items as risk, regulatory requirements and expense allow. If there are known high risk systems that do not have a plan/program in place to implement this control, please submit an exception to this standard for each Application or data store.


3 Review of System Logs
Requirement: Analysis and/or review of logs for production systems must occur periodically based on risk. Automated log harvesting, parsing, and alerting tools may be used to achieve compliance with these requirements.
NOTE: Detailed analysis of these logs may be considered in examinations to update and modify security controls.
Remarks:
NOTE: Resource Administrators should review the logs (audit trail logs) of all production information resources for which they are responsible daily. Detailed analysis of these logs should be used to update and modify security controls.
NOTE: In order to improve admissibility, reviews should be conducted in a structured, formalized and recurring manner.

4 Security Logs Must be Available to Information Security team
Requirement: Logs relevant to security controls must be made available to the Information Security team for review upon request.

5 Monitoring Network/System Activity
Requirement: Firewalls and Intrusion Detection systems must be managed and monitored 24x7 by a security-approved entity or service provider authorized for such service. All these logs are stored in-house at the security operations center (SOC). Internet infrastructure DMZs must have active network monitoring systems to detect potentially malicious abuse attempts directed towards the TMF networks.
Where technically possible, critical systems and systems deployed in a DMZ must have active monitoring systems implemented to ensure configurations follow the TMF Information Security standards related to that system.
Network and system activities that must be monitored for critical systems and DMZ systems include:
• Security control mechanisms (such as firewalls, IPS, routers, etc.)
• Outbound communications for unusual or unauthorized activities, including the presence of malware (such as malicious code, spyware, adware).


6 Audit Trail Logs
Requirement: Significant security related events concerning the system use of User IDs must be securely logged. These logs must provide sufficient data to support audits of effectiveness and compliance with security standards.
Audit trail logs must be active and protected from unauthorized access, modification and accidental or deliberate destruction on TMF information resources that contain Confidential or Restricted information.
Activities that must be logged include, but are not limited to:
• Successful and unsuccessful login attempts
• Logoffs (for systems that allow this to be captured)
• Granting, modification or revocation of system access rights or privileges
• Users switching IDs during an online session
• Attempts to perform unauthorized functions on servers and mainframe systems, as currently technically supported (best practice but not required on other systems)
• Attempts to perform unauthorized file access on mainframe systems (best practice but not required on other systems)
• Modifications to system settings (parameters) and security/audit log parameters
In addition to the general activities documented above, applications that handle, process or store non-public private information, including Payment Card, Health and Financial information, must also log the following:
• Access to confidential data (as required by regulatory or contractual requirement, or as otherwise required by the Information Security Organization)
Logs containing User ID security relevant events shall be retained for 180 days. The audit trail history must be promptly available for analysis (for example, online, archived, or restorable from back-up) for a minimum of 90 days.
Log entries from different
Remarks:
NOTE: The logging requirements are to be implemented where technically possible and in any new implementation, and should not have a material impact on the systems involved.
NOTE: End user tools commonly do not support the required levels of auditing and logging. Use of end user tools to process, store or handle confidential information is strongly discouraged.
NOTE: Regarding the effective date: as there is the ability to comply prior to the effective date, existing controls should be maintained.
NOTE: PCI DSS Requirement 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).


7 Event Log Contents
Requirement: Log contents must not contain Non-Public Personally Identifiable Information (NP-PII) or Non-Public Personal Health Information. Log contents must not contain "Confidential" information, as technically possible.
Event logs must include, but are not limited to, the items below as technically possible:
• Host name
• User account
• Date and time stamp
• Description of the activity performed
• Event ID or event type
• Reason for logging the event (e.g., access failure)
• Source and destination network addresses (e.g., IP address)
• Referring page (in case of HTTP access)
• Type of browser used (in case of HTTP access)
• Other information or detail that helps to recreate a sequence of events, to provide information for debugging or testing purposes
Remarks:
NOTE: There is some risk that user supplied content (login information, open text fields, HTTP headers such as the referring page and browser type, etc.) may include confidential information or may be crafted to forge log entries; however there are effective available controls to prevent or protect against this information entering the logs.
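As an added example (not part of the TMF standard or of any TMF tooling), the Python below builds one event record carrying the fields listed above and applies the kind of control the remark refers to before the record is written: control characters are stripped from user-supplied fields so a request cannot forge a second log line, card numbers that pass a Luhn check are masked, and e-mail addresses are redacted. The field names, the patterns and the sample request are assumptions.

```python
"""Build event-log records with the fields this standard requires while keeping
NP-PII and attacker-controlled junk out of the log. Added example; the field
names, the regexes and the sample request are assumptions, not TMF's code."""
import json
import re
from datetime import datetime, timezone

REQUIRED_FIELDS = (
    "host", "user", "timestamp", "description", "event_type", "reason",
    "src_addr", "dst_addr", "referer", "user_agent",
)

# Patterns for data that must never reach the log. The PAN pattern is broad on
# purpose and is narrowed with a Luhn check to cut false positives.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")  # CR/LF and friends used for log injection


def luhn_ok(digits):
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(match):
    """Keep first six and last four digits (the PCI display rule), star the rest."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw  # not a card number, leave it alone
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize(value):
    """Neutralize control characters (so one event cannot forge a second log
    line), then mask card numbers and redact e-mail addresses."""
    value = _CTRL_RE.sub(" ", value)
    value = _PAN_RE.sub(mask_pan, value)
    value = _EMAIL_RE.sub("[email-redacted]", value)
    return value


def build_event(host, user, description, event_type, reason, src_addr,
                dst_addr, referer="", user_agent="", when=None):
    """Assemble one record; every field the standard lists is always present."""
    when = when or datetime.now(timezone.utc)
    record = {
        "host": host,
        "user": sanitize(user),
        "timestamp": when.isoformat(),
        "description": sanitize(description),
        "event_type": event_type,
        "reason": reason,
        "src_addr": src_addr,
        "dst_addr": dst_addr,
        # Referer and User-Agent are request headers the client controls.
        "referer": sanitize(referer),
        "user_agent": sanitize(user_agent),
    }
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    assert not missing, f"event missing required fields: {missing}"
    return record


def to_log_line(record):
    """One JSON object per line; json.dumps escapes anything that slipped through."""
    return json.dumps(record, sort_keys=True, ensure_ascii=True)


# Constructed sample: a failed login whose Referer carries a card number, whose
# description carries an e-mail address, and whose User-Agent tries to inject a
# fake "successful admin login" line.
SAMPLE = build_event(
    host="web01.example.internal",
    user="jdoe",
    description="login failed: bad password for jdoe@example.com",
    event_type="AUTH_FAILURE",
    reason="access failure",
    src_addr="203.0.113.7",
    dst_addr="10.0.0.5",
    referer="https://app.example.internal/pay?card=4111 1111 1111 1111",
    user_agent="Mozilla/5.0\r\nhost=web01 user=admin event_type=AUTH_SUCCESS",
    when=datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(to_log_line(SAMPLE))
```

The masking runs at the point where the record is assembled, not on the stored log afterwards, because a record that has already been written to disk or shipped to the SOC has already leaked. Fields the application itself controls (host, event type, addresses) are passed through untouched; only values that originate from the client go through sanitize().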


8 General Audit Trail Controls
Requirement: The following controls apply to audit trails (as technically possible; settings must follow the baselines, or the accepted vendor recommendation if no baseline is available):
• Audit trail records must be backed up in accordance with the TMF Record Retention Schedule, and protected based on a classification rating of at least Restricted.
• Auditing functions must not record over previous audit records.
• Auditing functions must provide a warning when the allocated audit record storage volume reaches a pre-defined percent of maximum capacity.
• Sufficient audit record storage capacity must be provided and not exceeded.
In support of and compliance with data retention requirements, and to ensure integrity and availability of the audit trail records:
• Only resource administrators, TMF Information Security and Compliance, or those specifically authorized have the authority to archive and delete audit trail records.
• System owners, resource administrators and the TMF Information Security organization have the authority to archive, retrieve and delete archived audit trail records.
Remarks:
NOTE: Some Divisions require prior TMF Information Security Organization approval of any deletion or archiving of active current Audit Trail records outside of normal business processes.
NOTE: In some cases, regardless of the controls, some private or business confidential data may wind up in logs. System owners and data owners may need to consider a higher classification for the data.

9 Implementing Intrusion Detection System
Requirement: Only resource administrators approved by TMF IS and IT are allowed to implement Intrusion Detection Systems on TMF networks and information resources.

10 Use and Configuration of Intrusion Prevention Systems
Requirement: Each Internet Gateway (Point of Presence/POP) must have a managed Network Intrusion Prevention System deployed on perimeter segments to inspect traffic to/from the Internet. The IPS sensors must be managed and monitored 24x7 by an entity or service provider approved by the TMF IT & IS team.


11 Monitoring Internal Communications
Requirement: The following requirements, as documented in the TMF Code of Conduct regarding internal communications, must be followed:
• Subject to applicable local laws, TMF has the right to review electronic mail and other electronic information to determine compliance with the Code of Conduct, laws, regulations or TMF policy. Electronic information, including without limitation e-mails, instant messages, and voicemails sent or received from a TMF computer, mobile device or workstation, is subject to review.
• The electronic mail system is TMF property and is intended for business purposes. Occasional, incidental, personal use of the e-mail system is permitted if the use does not interfere with employees' work performance, have undue impact on the operation of the e-mail system, or violate any other TMF policy, requirement, or standard.
• E-mail messages and other communications sent or received using TMF's information technology systems are not to be used to create, store, or transmit information that is hostile, malicious, unlawful, sexually explicit, discriminatory, harassing, profane, abusive or derogatory. These systems also are not to be used to intentionally access Web sites which contain illegal, sexually explicit or discriminatory content.


12 Use of Monitoring and Scanning Tools
Requirement: The use of monitoring and scanning devices or tools must be authorized in advance by the TMF IT and IS Team. The results of the monitoring and scanning activities must be classified as at least Restricted.
Monitoring agents must be installed on systems classified as a Critical System or as identified by the TMF IT & IS team. Each scanning or monitoring device must be configured so that it authenticates to the network when connected (for those technologies that allow for authentication). Security settings, auditing, and compliance software, as well as hardening scripts, must conform to the requirements prescribed by the TMF Information Security Policies.
Remarks:
NOTE: It is possible that the results may include "Confidential" information, and in each specific case they should be treated accordingly.
NOTE: The approved products list is separate and addressed in other control standards and by the Engineering board. This standard focuses on use.
NOTE: For the purposes of this standard, "use" is qualified as the approving of specific individuals and specific technologies (e.g., DLP approvals), and not approval of each and every occurrence of the use of a tool by an individual. Those specific approvals may be addressed in other control standards as they relate to incident response and to access to individuals' emails and files, for example.

13 Incidents Discovered by Monitoring Devices
Requirement: The unauthorized use of hardware monitoring devices or software-based sniffers to monitor the TMF Internet computing and networking facilities is prohibited. This includes, but is not limited to, the use of software or the attachment of an electronic device to the computing and networking facilities for the purpose of monitoring data, packets, signals or other information. It also includes sniffing wireless data using wireless sniffers. Furthermore, creation of an unauthorized wireless access point is strictly prohibited.
Authorization to utilize these tools must come from the CISO. There are existing approved uses within the TMF IT team as well as the IS teams; these are approved based on need. Any abuse of these tools must be handled as an incident and investigated.


14 Privileged User IDs Must be Logged
Requirement: Privileged access IDs and their activities must be logged. Activities to be logged, as technically possible, for each system include:
• Activity involving User ID creations, deletions, and privilege changes (these must be securely logged)
• Events as identified in the system Baseline requirements
• Privileged activities identified for logging on a particular system
• Compliance measurements as identified for logging on a particular system
Logs must be retained for audit and investigatory purposes for a total of 180 days.
Remarks:
NOTE: It is a best practice that records be retained online for as long as financially feasible and technically possible on the system, up to 90 days online.
NOTE: This control standard applies to operating system privileged users, and to those Databases and Applications that contain "Confidential Data".

15 Privileged User Activity Reports Must be Available for Review
Requirement: Where logging requirements have been defined for systems with "Confidential" data or Business Critical systems, privileged user activity reports, such as changes to user rights, must be available for review to detect misuse of privileged accounts.
Remarks:
NOTE: Automation can be used to assist with the review process.
NOTE: Excessive suspicious actions may be logged as part of intrusion detection; however, logging solely to validate that controls are working is not required.

16 Use of Advanced System Utilities Must be Monitored
Requirement: The use of advanced operating system utilities and commands that bypass system access controls must be restricted to those individuals who require access to perform their job functions. The granting of access to, and the use of, these functions must be logged and monitored.
Activities to be securely logged, as technically possible, for each system include:
• Activity involving User ID creations, deletions, and privilege changes
• Events as identified in the system Baseline requirements
• Privileged activities as they relate to advanced operating system utilities and commands
Logs must be retained for audit and investigatory purposes for a total of 180 days, at least 90 days of which must be kept online.
Remarks:
NOTE: The technical baselines should include the specific functions to be logged and monitored. These should follow the vendor recommendations, industry best practices and our own internal business requirements.


17 Use of Remote Maintenance Ports
Requirement: Physical and logical access to diagnostic and configuration ports must be controlled. Remote maintenance access to TMF's information and communication resources must be locked or disabled until the specific time it is needed. Audit logs of remote maintenance sessions must be available for review, and ports must be locked or disabled after use.
Logical access: a log containing the following information shall be retained:
1. user IDs,
2. log-on and log-off details,
3. identity of the machine,
4. accepted / rejected system access attempts,
5. files and system utilities accessed,
6. alarms raised by the access control system.

18 Required Use of Firewalls
Requirement: Access between non-TMF systems or networks to or from a TMF network must be controlled through the implementation of an approved firewall.

19 Required Use of Firewalls
Requirement: Periodic reviews of the systems and processes used to continuously monitor the system logs generated from firewalls, to detect unauthorized entry attempts or unusual behavior, must occur to ensure that those systems are performing properly. The following information must be reviewed, and action must be taken if unusual activity is detected:
• Successful and unsuccessful connections to the firewall
• Successful and unsuccessful connections to internal hosts
• Connections to external hosts
• Multiple rejected connections to the same host
• Logs must be mirrored on a separate system as "read only" data, and filed and retained for 90 days online and a total of six months offline


20 Logging Requirements for Network Security Control Devices
Requirement: DMZ security and system security log files must be maintained and preserved. This includes, but is not limited to, the logs of routers, intrusion detection systems, DMZ systems, firewalls, web servers, applications and proxy servers. Log files must be sent to a separate, dedicated, non-DMZ logging system that aggregates them centrally. Centralization of logs must consider privacy jurisdictions, Business Unit geographies and technical limitations. These log files must be maintained for six months.
The log files must contain sufficient information to determine whether abuse or a malicious event has occurred. This must include data to support a comprehensive audit of the effectiveness of, and compliance with, security measures. Elevation of privilege and security related events must be logged to include:
• Nature of event
• Time and date of event
• Resources involved in event

21 Use of Alarms to Detect Firewall Events
Requirement: Alarm or monitoring tools must be used to alert the resource administrator of security-related events originating from the firewall that are likely to indicate an active or successful attack or compromise.


22 Review of Firewall Log Files
Requirement: Periodic reviews of the systems and processes used to continuously monitor the system logs generated from firewalls, to detect unauthorized entry attempts or unusual behavior, must occur to ensure that those systems are performing properly. The following information must be reviewed, and action must be taken if unusual activity is detected:
• Successful and unsuccessful connections to the firewall
• Successful and unsuccessful connections to internal hosts
• Connections to external hosts
• Multiple rejected connections to the same host
• Logs must be mirrored on a separate system as "read only" data, and filed and retained for 90 days online and a total of six months offline
• Logs must be protected to prevent anyone from making changes to the stored data
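The review items above (the same list appears under item 19) can be scripted rather than read by eye. As an added example that is not part of the TMF standard or of any TMF tooling, the Python below parses constructed firewall log lines, tallies accepted and rejected connections to the firewall itself, to internal hosts and to external hosts, and flags any host that collected multiple rejected connections. The key=value log format, the address plan, the threshold and the sample lines are all assumptions.

```python
"""Review of firewall log files against the checks this standard lists.
Added example; the key=value line layout, the address plan (FIREWALL_ADDRS,
INTERNAL_NETS), REJECT_THRESHOLD and SAMPLE_LOG are assumptions, not TMF's."""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed address plan: the firewall's own interfaces and the internal ranges.
FIREWALL_ADDRS = {ipaddress.ip_address("10.0.0.1"),
                  ipaddress.ip_address("198.51.100.1")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# How many rejected connections to one host count as "multiple" (assumed).
REJECT_THRESHOLD = 5

# Assumed line layout: "<ISO time> <fw name> action=... src=... dst=... dpt=..."
_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) action=(?P<action>ACCEPT|DROP|REJECT) "
    r"src=(?P<src>[0-9a-fA-F.:]+) dst=(?P<dst>[0-9a-fA-F.:]+) dpt=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return a dict for one event, or None if the line is not a firewall event."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    ev["dst"] = ipaddress.ip_address(ev["dst"])
    ev["dpt"] = int(ev["dpt"])
    ev["accepted"] = ev["action"] == "ACCEPT"
    return ev


def classify_dst(addr):
    """Bucket a destination as the firewall itself, an internal host, or external."""
    if addr in FIREWALL_ADDRS:
        return "firewall"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def review(lines):
    """Count accepted/rejected connections per destination class and flag any
    host that collected REJECT_THRESHOLD or more rejected connections."""
    summary = Counter()          # (dst class, "accepted"|"rejected") -> count
    rejected_by_dst = Counter()  # dst address -> rejected count
    sources = defaultdict(set)   # dst address -> set of sources that were rejected
    unparsed = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)  # surfaced, not dropped: junk in the feed is a finding
            continue
        outcome = "accepted" if ev["accepted"] else "rejected"
        summary[(classify_dst(ev["dst"]), outcome)] += 1
        if not ev["accepted"]:
            rejected_by_dst[ev["dst"]] += 1
            sources[ev["dst"]].add(ev["src"])
    findings = [
        {"dst": str(dst), "rejected": n,
         "sources": sorted(str(s) for s in sources[dst])}
        for dst, n in rejected_by_dst.items() if n >= REJECT_THRESHOLD
    ]
    return {"summary": dict(summary), "findings": findings, "unparsed": unparsed}


# Constructed sample: ordinary traffic, two blocked probes at the firewall
# itself, a burst of rejected connections to one internal host from two
# sources, and one line that is not a firewall event at all.
SAMPLE_LOG = """\
2024-01-02T03:04:01Z fw01 action=ACCEPT src=203.0.113.7 dst=10.0.0.5 dpt=443
2024-01-02T03:04:02Z fw01 action=ACCEPT src=198.51.100.33 dst=10.0.0.5 dpt=443
2024-01-02T03:04:03Z fw01 action=ACCEPT src=10.0.0.9 dst=198.51.100.20 dpt=443
2024-01-02T03:04:04Z fw01 action=DROP src=203.0.113.7 dst=10.0.0.1 dpt=22
2024-01-02T03:04:05Z fw01 action=DROP src=203.0.113.7 dst=10.0.0.1 dpt=23
2024-01-02T03:04:06Z fw01 action=DROP src=203.0.113.7 dst=10.0.0.5 dpt=21
2024-01-02T03:04:07Z fw01 action=DROP src=203.0.113.7 dst=10.0.0.5 dpt=22
2024-01-02T03:04:08Z fw01 action=DROP src=203.0.113.7 dst=10.0.0.5 dpt=23
2024-01-02T03:04:09Z fw01 action=DROP src=203.0.113.7 dst=10.0.0.5 dpt=25
2024-01-02T03:04:10Z fw01 action=DROP src=203.0.113.7 dst=10.0.0.5 dpt=3389
2024-01-02T03:04:11Z fw01 action=REJECT src=203.0.113.8 dst=10.0.0.5 dpt=445
this line is not a firewall event
"""

if __name__ == "__main__":
    report = review(SAMPLE_LOG.splitlines())
    for (kind, outcome), n in sorted(report["summary"].items()):
        print(f"{kind:>8} {outcome:>8}: {n}")
    for f in report["findings"]:
        print(f"ALERT: {f['rejected']} rejected connections to {f['dst']} "
              f"from {f['sources']}")
    print(f"{len(report['unparsed'])} unparsed line(s)")
```

To run this against a real export, replace SAMPLE_LOG with the file contents and adjust _LINE_RE to the vendor's format. Lines the parser cannot read are reported rather than silently dropped, because a change in log format, or a feed that has stopped, is exactly the kind of thing a periodic review of the monitoring process is meant to catch.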

23 Audit Trail Logs
Requirement: Significant security related events concerning the system use of User IDs must be securely logged. These logs must provide sufficient data to support audits of effectiveness and compliance with security standards.
Audit trail logs must be active and protected from unauthorized access, modification and accidental or deliberate destruction on TMF information resources that contain Confidential or Restricted information.
Activities that must be logged include, but are not limited to:
• Successful and unsuccessful login attempts
• Logoffs (for systems that allow this to be captured)
• Granting, modification or revocation of system access rights or privileges
• Users switching IDs during an online session
• Attempts to perform unauthorized functions on servers and mainframe systems, as currently technically supported (best practice but not required on other systems)
• Attempts to perform unauthorized file access on mainframe systems (best practice but not required on other systems)
• Modifications to system settings (parameters) and security/audit log parameters
In addition to the general activities documented above, applications that handle, process or store non-public private information, including Payment Card, Health and Financial information, must also log the following:
• Access to confidential data (as required by regulatory or contractual requirement, or as otherwise required by the Information Security Organization)
Logs containing User ID security relevant events must be retained for a minimum of 180 days. The audit trail history must be promptly available for analysis (for example, online, archived, or restorable from back-up) for a minimum of 90 days.
Log entries from different


24 Protection of Logs
Requirement: Logs captured from different devices shall be protected. All identified network devices shall be configured to store their logs on the designated log server. Access to this server shall be given only to the System administrator.

25 Backup & Retrieval activities
Requirement: Logs generated by Backup and Retrieval activities shall be captured and retained.
Remarks: Logs shall be analyzed regularly. If any kind of issue is noticed, the logs shall be separately preserved until the issue is resolved, and securely disposed of after the issue is resolved.

26 Antivirus Logs
Requirement: Logs generated by the Antivirus software are classified under this head. If any kind of security incident is noticed, the relevant logs shall be separately backed up and preserved until the issue is resolved, and securely disposed of after the issue is resolved.
Remarks: After 30 days the logs shall be analyzed and overwritten unless there was a virus attack during that period. If a virus attack is noticed, the logs shall be backed up separately on removable media kept onsite.
