Cybersecurity is an imperative for businesses in the digital age and for the increasingly connected world we live in. The rapid shift to remote working for employees, coupled with the faster pace of digitalisation, presented significant technological challenges across industries during the COVID-19 pandemic. At Hindustan Zinc, however, we experienced no significant disruption on account of our consistent investment in technology and stringent processes.
The operating and control systems at our mines are increasingly leveraging high-tech solutions. These systems, though crucial for operating the mines safely and efficiently, are vulnerable to the perils of cyber threats and security breaches. Cybersecurity has, thus, emerged as one of our most significant business risks. Cyber-related threats will continue to grow, with malicious actors targeting organisations with extortion through ransomware. Maintaining tight cybersecurity across our operations is an ongoing process, and we remain committed to ensuring that our technology is protected from attacks, confidential information remains safe, data integrity is protected, and business continuity is maintained in case of any disastrous event.
Hindustan Zinc has in place a robust enterprise risk management framework.
The responsibility for overseeing cybersecurity governance is delegated to the Audit and Risk Committee of the Board. The Committee reports to the Board and is responsible for all business risks, including cyber risk. It is chaired by our Independent Director, Mr. Anjani Agrawal.
Hindustan Zinc’s Executive Committee (EXCO) has overall responsibility and accountability for setting expectations, providing direction and support, and reviewing and monitoring the progress and maturity of the organisation’s cybersecurity posture in line with its vision and strategy. This Committee, chaired by the Chief Executive Officer (CEO), consists of leaders from all business functions, including the Chief Operating Officer (COO), Chief Financial Officer (CFO) and Chief Commercial Officer (CCO).
The Chief Information Officer (CIO) is responsible for setting the cybersecurity vision and strategy, defining the cybersecurity governance framework, and executing programmes to ensure that the confidentiality, integrity and availability of all information assets are well protected. The CIO is accountable to the EXCO and the Audit and Risk Committee of the Board for cybersecurity-related matters.
Below is the leadership and governance structure to strategise, execute and monitor the cybersecurity domain in the organisation.
Our cybersecurity framework details a principle- and objective-based approach to protecting the confidentiality, integrity and availability of all technology and data assets, including those we rely on in our operations. The standard is particularly applicable to all assets that are critical for business and operational resilience, stability and regulatory compliance. The framework focusses on the risks and critical controls around our assets.
Additionally, several other standards and guidelines support the framework and govern our information technology and cybersecurity practices. These include the information security management and personal data privacy standards, disaster recovery and business continuity management, and risk management.
Hindustan Zinc received an Integrated ISO certification, consisting of ISO 27001 (Information Security), ISO 22301 (DR & BCP), ISO 31000 (Risk Management) and ISO 27701 (Privacy Management), during 2021, covering 100% of Hindustan Zinc’s assets in India. We are committed to minimising business risks and have incorporated the National Institute of Standards and Technology (NIST) cybersecurity framework into our cybersecurity operating model at all levels. Hindustan Zinc’s risk register and risk control matrix are aligned with the Control Objectives for Information and Related Technologies (COBIT) framework.
The framework is cohesive and comprehensive, and takes the following aspects as an input:
Based on this framework, we prepare our information security strategy, long-term roadmap and annual information security plan. The information security framework is reviewed annually by Hindustan Zinc’s information security team, in consultation with external expert agencies, to incorporate applicable regulatory requirements and prevailing industry knowledge, and to consider newer threats and risks.
Hindustan Zinc has in place well-articulated information security and data governance policies and has adopted various management frameworks which are incorporated in the process of defining all policies.
All policies and procedures are reviewed annually by competent personnel in the information security function. All approved and enforced policies are made available to all employees and business partners (BPs) through various communication mediums. Hindustan Zinc has also adopted a proven third-party risk management (TPRM) process for all its key BPs.
Our cyber programme focusses on seven strategic areas, aimed at enhancing cybersecurity capabilities across the business to minimise risks:
Hindustan Zinc is a risk-driven organisation, and detailed risk assessment is carried out across the organisation. Hindustan Zinc has successfully implemented a robust risk management framework, which helps the organisation consider the full range of risks it faces, and has been certified against the ISO 31000:2018 risk management framework.
Risks and vulnerabilities are identified and addressed across the information technology (IT), operational technology (OT) and digital landscape, in line with the Company’s vulnerability management policy. The internal and external vulnerability assessment and penetration testing (VAPT) programme, surveillance audits and the assessment of IT general controls (ITGC) are carried out annually by globally reputed and recognised third-party agencies.
Our vulnerability management programme is structured across all layers of defence in depth, covering policy and framework, physical, perimeter, network, application and data security.
Vulnerability identification, monitoring and tracking of mitigation actions, and continuous compliance are achieved through various assessments. We conduct these assessments during the year to identify vulnerabilities, threats, shortcomings and the associated risk and impact. They include governance and framework reviews, red teaming exercises as part of physical security assessment, VAPT, data governance and compliance assessment, surveillance audits under the various ISO frameworks, and assessment of ITGC by the statutory auditor under the applicable financial compliance frameworks.
VAPT, including simulated hacker attacks, is conducted at least twice a year and is organised jointly by Hindustan Zinc’s information security function and the group Management Assurance Services (MAS) function. It is conducted to define, identify, classify and prioritise vulnerabilities in computer systems, applications and network infrastructure. The assessment provides the organisation with the knowledge, awareness and risk background needed to understand the threats to its environment and react appropriately. In addition, simulated hacker attacks are conducted as part of third-party vulnerability analysis.
At the conclusion of each assessment, an observation tracker is prepared for all identified vulnerabilities, with clear-cut mitigation timelines and ownership based on the criticality of each observation. This tracker is rigorously monitored, reviewed and reported to various forums.
From the information security administration perspective, observations and action points emanating from risk and control reviews and assessments form part of the Company’s regular information security operations. Execution is tracked as part of the CIO’s review, as well as in reviews under various other internal and external forums.
Information security and data incidents are identified mainly through monitoring under Security Information and Event Management (SIEM) services, Data Loss Prevention (DLP) desk operations, and incidents reported by the information security function and end users.
All security incidents are tracked and monitored until their logical closure, including root cause analysis and an action plan to mitigate similar incidents in the future, under the incident management and data breach policy. Hindustan Zinc has also established a platform through which any employee can raise an incident when something suspicious is noticed. Hindustan Zinc conducts incident response testing twice a year as part of its Business Continuity Plan (BCP)/Disaster Recovery (DR) drills.
Under the ISO 22301 framework, Hindustan Zinc has defined and rolled out an effective BCP/DR. As part of this process, we have conducted a business impact analysis (BIA) for all critical IT systems and defined the recovery point objective (RPO) and recovery time objective (RTO) for these systems in collaboration with, and on approval by the respective system owners and functional business heads. Our BCP considers various risks, including technical risk, natural disaster risk, human risk besides those related to external partners. Business continuity testing and disaster recovery drills are carried out on a half-yearly basis to test the readiness of recovery sites. A table-top exercise is also carried out on a half-yearly basis with a role play, which provides understanding and clarity to every member of the BCP/DR teams about the do’s and don’ts to be considered during a threat intervention.
Hindustan Zinc recognises that business continuity and disaster recovery is not merely an IT subject; rather, it is an essential business requirement. Aligned with this thinking, we have implemented the ISO 22301 disaster recovery and business continuity management framework to prevent any interruption in the operation of the Company’s critical IT systems, to ensure that IT systems are continuously available to all authorised users, that compliance with all statutory and legal requirements is maintained, and that the organisation’s financial and reputational interests are protected.
Hindustan Zinc has a detailed business code of conduct (CoC), which is a mandatory programme for all employees. The code is aligned with the Company’s information security and privacy standards and regulations. There is a zero-tolerance approach to breaches of the CoC. We have also enforced an acceptable usage policy for all users of IT systems through this CoC. The policy incorporates clear consequence management in case of non-compliance.
Hindustan Zinc has formulated an incident and crisis management response plan, under which various teams are created. Roles and responsibilities are defined for all the teams, along with separate emergency plans to be implemented during office and non-office hours. A crisis communication strategy is in place to communicate information about any incident to internal and external interested parties. Recognising the criticality and impact, a specific procedure has been defined and deployed to handle a ransomware attack on the organisation.
To build the team’s capability to identify and report breaches, Hindustan Zinc has prepared a holistic cybersecurity awareness plan, which is executed continually throughout the year.
We conduct mandatory awareness training for all employees on an annual basis. All new joiners are required to attend cybersecurity training during their on-boarding process. Additionally, an online awareness training capsule in self-service mode is available to all users. Our business ethics and CoC have a cybersecurity element with which employees must comply; it is also linked to their annual performance evaluation.
Phishing simulations are carried out for 100% of users to test their vigilance and awareness. We carry out a variety of simulations, such as general phishing, spear phishing, whaling, smishing and vishing, on a periodic basis. A user who fails a phishing test is required to undergo phishing-specific training through a learning video.
Performance evaluation of information security is conducted on the following aspects:
People
Process
Technology
For the workforce in the IT/OT function, the goals and performance measures of each employee are designed in line with the Company’s information security goals.
Effectiveness of processes and technologies is measured through various internal and external vulnerability assessments, management reviews under information security administration and reported incidents.