TRANSFORMING TRANSFORMING TRANSFORMING SUSTAINABILITY REPORT FY 2023 COMMUNITIES THE PLANET THE WORKPLACE Third-party certifications and assessments are also conducted twice a year. Incident Reporting Escalation Process Security incidents are addressed by Vedanta diligently tracks and monitors all Certification/Assessment Service provider diligent tracking and monitoring until security incidents, ensuring they are resolution. A comprehensive root cause thoroughly investigated, and actions are Internal Vulnerability Assessment and Information Security Function through a analysis is conducted, and action plans are taken for their resolution. To encourage Penetrating Testing (VAPT) Program, including third-party expert agency developed to mitigate future incidents. We reporting, Vedanta's BUs have established stimulated hacker attacks have a well-defined Incident Management a central email address:, [email protected], External Vulnerability Assessment and Group Management Assurance System & Data Breach Policy communicated to all where users can report any suspicious Penetrating Testing (VAPT) Assessment (through Third-Party Expert Agency) stakeholders. To facilitate incident activities related to Information Security. ISO 27001, ISO 22301, ISO 31000, Surveillance audit conducted through an reporting, Vedanta has a centralised email Reported incidents undergo investigation and ISO 27701 audit partner address for reporting suspicious activities by the Chief Information Security Officer related to information security. (CISO), and appropriate measures are implemented to address each incident. Awareness and Capacity Building Lessons learned from these simulations Incidents are generated through various Incidents reported through the Security As part of the onboarding process, all are shared with the users, while individuals channels, including 24/7 monitoring of Information and Event Management (SIEM) new joiners at Vedanta are required to who fall prey to the simulations are required critical IT assets, daily monitoring of data system by employees and end users are attend mandatory cybersecurity training to undergo specific phishing training movement using data leakage prevention evaluated by the BU’s CISO and further to ensure their awareness and videos for further learning. tools, incident reports from end users, and reviewed by the BU’s Chief Information understanding of security protocols. internal security organisation observations. Officer (CIO). Data incidents reported 100% of our employees are trained on Performance Evaluation and Reporting through Data Loss Prevention (DLP) cybersecurity. In addition, an Online Each employee in the IT function has Each reported incident is thoroughly systems and by end users are evaluated by Awareness Training Capsule is made well-defined KRA/KPI, in line with Vedanta’s investigated by the Chief Information the BU’s Data Governance and Privacy available on a self-service basis. The Information Security Goals as part of their Security Officer (CISO), and appropriate Officer (DGPO)/BU’s CISO and reviewed by Information Security function closely Annual Goals and Performance actions are taken. Vedanta uses advanced the BU’s CIO. The severity and impact of monitors and tracks the training status of Management process and requirements. tools and technologies to continuously these incidents and observations are users, conducting periodic follow-ups to monitor IT assets and data movement, reported and discussed in various forums, promote completion. Virtual Classroom Performance evaluation of Information automatically generating incidents based including the BU’s Executive Committee sessions are also organised periodically, Security is carried out based on the on predefined rules. These incidents are (EXCO), Vedanta Group's Executive allowing voluntarily participation and following aspects: then tracked and resolved by the IT Committee (EXCO), the BU’s Audit & Risk self-nomination for further training. To • People Operations Team with guidance from the Committee, and Vedanta’s Audit & Risk assess the level of user awareness, BUs Information Security Organization. Committee. Compliance with agreed-upon conduct Dip-Stick Assessments in the • Process observations is reported on a quarterly During the reporting period, no incidents of basis to ensure timely and effective form of periodic tests and quizzes. Based • Technology on the effectiveness of these leaks, thefts, or data loss were identified, resolution. assessments, targeted trainings and Performance of the employee is measured resulting in no impact on clients, communications are conducted against these goals. Similarly, employees customers, or employees. throughout the organisation. Phishing working on OT environment and managing simulations are carried out for all users to such systems also have KPI aligned to evaluate their vigilance and awareness. Vedanta’s Information Security Goals in their Annual KRA/KPA Plan. 102