Gaps/Concerns from Enterprise Architecture team

Columns: Sl. No. | Gap/Concern | Project response | Action | Status | Unilever comments (based on confirmation from LegalDesk/UL Global project team) | Comments by Maryann/Namita | LegalDesk.com comments

Sl. No. 3
Gap/Concern: The upload functionality in the application does not check for any viruses/malware in the attachments.
Project response: Since the uploading of documents happens at HUL's end, this feature is not implemented by LegalDesk.com.
Action: LegalDesk team
Status: Open
Unilever comments: Application inputs don't validate content.
  - File type validation: .PDF, .txt, PNG/JPEG
  - Only UL team will use the upload functionality. 3rd party users don't have upload functionality.
Comments by Maryann/Namita: Noted.

Sl. No. 5
Gap/Concern: Application did not have SSO functionality for UL users.
Project response: Being worked on with HUL and will be implemented.
Action: Pradeesh + Maryann + Alok
Status: Open
Unilever comments: Feasibility of leveraging Azure AD to be used; discussion in progress with UL project and UL email identity directory team.
Comments by Maryann/Namita:
  - Pradeesh initiated work by Avanade.
  - Configuration done by Avanade on pre-production server.
  - Follow-up mtg with Supplier 5 May.
  - DO for Avanade team: Alok

Sl. No. 10
Gap/Concern: All client data (unless specified) is disposed within 24 hrs of signing of Agreement on both sides. Query WHY.
Project response: If contract details are removed within 24 hours, then both parties must download the Agreement within that timeframe, else it will be lost.
Action: EA & ISA
Status: Open
Unilever comments: Alok & Sarah to agree and confirm with LegalDesk.
Comments by Maryann/Namita:
  - Alok agreed to remove functionality of retention for 24 hours only.
  - Agreed that data will be held as per Retention policy of Unilever & this will be confirmed by EA & ISA.

Sl. No. 11
Gap/Concern: Option for usage of Aadhaar OR Dongle.
Project response: Dongle may be used at a later stage.
Action: EA Legal + Alok
Status: Open
Unilever comments: Alok to brief EAs for complete clarity. Workflow to be explained by LegalDesk.
Comments by Maryann/Namita: Follow-up meeting on authentication process using Aadhaar and DSC dongle scheduled for 5 May.

Gaps identified from Information security assessment (ISA) team

Columns: Sl. No. | Gap/Concern | Project response | Action | Status | Vivek comments (based on confirmation from LegalDesk/UL project team) | Comments by Maryann/Namita | LegalDesk.com comments

Sl. No. 6
Gap/Concern: Are infrastructure components located in secure data centres aligned to ISO27K?
Project response: Datacenter is secured as per the control of ISO 27001.
Action: LegalDesk team
Status: Open
Vivek comments: ISMS policies shared with Keshav. Vivek to check and come back.
  4/5/17: WIP
  8/5/17: No relevant evidence found on AWS data center security. Please share.

Sl. No. 7
Gap/Concern: How the equipment / media is disposed of securely when no longer in use.
Project response: According to ISO control process listed in the ISMS manual.
Action: LegalDesk team
Status: Open
Vivek comments: No external media in LegalDesk to store UL data. Same is evidenced in ISMS. Vivek to check.
  4/5/17: WIP
  8/5/17: Please clarify how UL data is planned to be deleted from AWS storage servers.

Sl. No. 10
Gap/Concern: User authentication mechanism.
Project response: SSO integration via Azure for authentication; we are working with HUL team to implement this.
Action: Maryann
Status: Open
Vivek comments: Maryann and team to coordinate this task with Email, identity, directory team and LegalDesk.
  4/5/17: Email identity team is working on this. Maryann/Namita is tracking this.
Comments by Maryann/Namita: Pradeesh and Avanade Accenture team are starting work immediately. Follow-up meeting for clarifications: 3rd May. DO in progress.

Sl. No. 11
Gap/Concern: Multi factor authentication - can be contextual.
Project response: Email and password; third party will only be able to login using the email id provided by HUL during invitation and the password assigned by LegalDesk.com.
Action: LegalDesk team
Status: Open
Vivek comments: To be discussed internally on leveraging contextual MFA.
  4/5/17: Will confirm you soon.
  8/5/17: Could you please confirm whether the application access to Unilever instance shall be restricted by certain means (possibilities)? Some possibilities I can think of: whether the Unilever instance of LegalDesk application can be restricted to be made accessible only through certain devices (UL device based authentication), as IP based restriction will be difficult for an Internet facing application. Also this case needs to be discussed for distributors.
Comments by Maryann/Namita: Vivek to define conditions that will trigger additional authentication challenges, such as changes in geographic location or logins from unrecognized devices.

Sl. No. 12
Gap/Concern: System level / IT admin accounts must access through a secure admin gateway or equivalent for internet accessible systems.
Project response: We have implemented a network level firewall mechanism for privileged access.
Action: LegalDesk team
Status: Open
Vivek comments: Do it through SSH of AWS:
  - Internet accessible, over asset authentication (certification)
  - and user authentication
  - to be verified as part of AWS reports, which are about to be shared by LegalDesk.
  4/5/17: Waiting for vendor to share evidence.
  8/5/17: Waiting for details from LegalDesk.
Comments by Maryann/Namita: Wait for team to share artifacts with Vivek.
LegalDesk.com comments: Artifacts will be shared to show SSH access.

Sl. No. 20
Gap/Concern: Incident management procedures to be included in service delivery model.
Project response: Implemented and details are shared.
Action: LegalDesk team / Maryann
Status: Open
Vivek comments: 8/5/17: Please include the Info sec. / incident management process to be agreed with Unilever in SDM.

Sl. No. 21
Gap/Concern: VA & PT Scans.
Project response: VA & PT Scans initiated.
Action: Web Remediation
Status: Open
Vivek comments: Web Remediations team handling the same.
Comments by Maryann/Namita:
  - VA scans done and vendor intimated to do remediations before 3rd June.
  - PT scans awaited.

Sl. No. 22
Gap/Concern: JML processes are in place and monitored by Business / System Owner.
Project response: Could you please explain how JML process will work for this project?
Action: Maryann
Status: Open

Sl. No. 23
Gap/Concern: Privileged application / business users are reviewed on a quarterly basis by Business Owner or delegate.
Project response: Are there any privileged business application users from UL?
Action: Maryann
Status: Open

Sl. No. 24
Gap/Concern: System components are monitored to ensure configuration compliance to identified standards.
Project response: Do you use any system configuration compliance process/tools to check policy compliance?
Action: Legal desk team
Status: Open

Sl. No. 25
Gap/Concern: Info Sec controls are implemented and maintained during Disaster Recovery scenarios.
Project response: Do you have a DR plan/process?
Action: Legal desk team
Status: Open

** The above are not the final list of evidences required for ISA. Based on the assessment approach we might require some more details.

@ Keshav sent VRM clearance on Vendor Questionnaire + Due Diligence as queried by Sangeeta. Sarah confirmed she is happy with Keshav's assurance on the same.