Information Security Management System
Our systems are certified for ISO 27001:2022 (Information Security Management Systems) and ISO 22301:2019 (Business Continuity Management (BCM)). Our cybersecurity programme aligns with NIST Cyber Security Framework (NIST-CSF) and ISO 27001:2022 standards. We have implemented a systematic ‘Three Lines of Defence Model’ to manage our cybersecurity risks, with clear roles and responsibilities at each level, led by the Chief Information Security Officer (CISO).
Three Lines of Defence Model for Cyber Risk Management
First Line of Defence
- Cyber defence through SCADA (Supervisory Control and Data Acquisition) operations & Information Technology
- Line managers identify potential cyber risks within their projects and operations
Second Line of Defence
- Cybersecurity function establishes policies, processes and controls for risk management at functional level
- Responsible for updating the senior management about ongoing initiatives and progress
Third Line of Defence
- Involves assurance of risk management processes and policy compliance through internal audits, reviews from senior management and independent assurance providers
Cybersecurity Governance
- Serves as a foundation to maintain integrity and confidentiality of information assets
Board-led Information Technology and Data Security Committee
- Conducts half-yearly reviews on cybersecurity risk management and performance of cybersecurity programme
- Evaluates emerging cyber trends and incidents across sectoral & non-sectoral players
Chief Information Security Officer (CISO)
- Apprises the Board committee of Adani Energy Solutions' preparedness to respond to cybersecurity threats effectively
Technical Controls for Enhanced Security
- Inventory and control of enterprise information assets, including those in remote and cloud environments
- Secure configuration of enterprise assets and software to avoid misconfigurations and minimise the attack surface of assets
- Multi-level security controls for malware defence
- Application software security through in-depth assessments of CIA (Confidentiality/Integrity/Availability) rating for all enterprise-level applications
- Authorised software installation on enterprise information assets
- Continuous technical vulnerability management solutions across all enterprise assets
- Maintaining audit logs to detect, understand, or recover from attacks
- Lifecycle management of user access across enterprise assets
- Data protection mechanisms including endpoint encryption, monitoring and tracking of sensitive data transfers
- Segmentation of enterprise network to control flow of traffic, enforce security policies and isolate infected assets
- Email and internet access protections to monitor incoming and outgoing emails for phishing and spamming attacks
Trainings and Awareness
Adani Energy Solutions provides continuous cybersecurity education for employees to effectively manage emerging threats and vulnerabilities. The training and awareness programmes include:
- Annual mandatory Adani Cyber Security Awareness Course for all employees, including senior management
- Regular campaigns, webinars and workshops on emerging cybersecurity threats, best practices and Adani Energy Solutions' incident response protocols
- Specialised cybersecurity training for employees in operations and maintenance of ICT infrastructure
- Access to online cybersecurity courses and certifications
- Phishing exercises, drills and simulations to enhance employee readiness
- Encouraging participation in cybersecurity communities and forums to stay updated
Cyber Hygiene Best Practices
- Creating strong, unique passwords and updating them regularly
- Using multifactor authentication (MFA) for an added layer of security
- Keeping software and systems updated with the latest security patches
- Regularly backing up important data to secure locations
- Recognising and reporting suspicious emails and links
Measuring Training Effectiveness
- Regular assessments and quizzes to measure employees' understanding
- Tracking and analysing security breaches caused by human error
- Gathering employee feedback on the training materials and sessions
- Monitoring compliance with cybersecurity policies and procedures
Complaints related to Breach of Customer Data Privacy and Customer Data Loss
| Indicators | Number of Complaints in FY 2024-25 |
|---|---|
| Number of complaints received from outside parties and substantiated by Adani Energy Solutions | Zero |
| Number of complaints received from regulatory bodies | Zero |
| Total number of identified leaks, thefts, or losses of customer data | Zero |