COMPANY    Title: INFORMATION SECURITY POLICY    DOC. REF.    CONFIDENTIAL

Partnerships @ Work

INFORMATION SECURITY POLICY

“Security is not a product, but a Process”

ISSUE VERSION: 2.0    REV. DATE:    REV. NO: 0    PAGE: 1 of 30

Document Control

Document Description:      The objective of this document is to elaborate the information security policies at Information Dynamics.

Document Identification:

Security Classification:   Confidential

Location:

Authorization              Name of the person          Date (dd-mmm-yyyy)

Prepared by:

Reviewed by:

Approved by:

Document Version   Date of Change   Section   A/M/D   Brief description of change        Reviewed by
1.6                11 Jun 10                          Initial release                    Dani
2.0                07 Jun 18                  A       Updated security policy document   Dani

Confidentiality Agreement

This document is copyrighted and all rights are reserved. This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent, in writing, from an authorized representative of Information Dynamics. This document is for internal use only and may, in whole or in part, be provided to anyone outside the Company, including customers, clients, or prospects, only after obtaining approval from an authorized representative of Information Dynamics.


CONTENTS

1.   Contents ............................................................ 2
2.   Purpose ............................................................. 5
3.   Objective(s) ........................................................ 5
4.   ISMS Policy Statement ............................................... 7
4.1  Policy for Display ................................................. 8
4.2  Data Confidentiality, Privacy & Protection Policy Statement ....... 8
4.3  Review and Evaluation of Policy ................................... 9
4.4  Policy Exceptions / Waivers ....................................... 9
4.5  Issue based policies .............................................. 10
5.   Security Policies .................................................. 10
     Access Control Policy .............................................. 10
     Information Back-up ................................................ 15
     Network Security Management ........................................ 16
     Network Controls ................................................... 16
     Security of Network Services ....................................... 16
     Media Handling ..................................................... 15
     Management of Removable Media ...................................... 15
     Disposal of Media .................................................. 16
     Information Handling Procedure ..................................... 16
     Exchange of Information ............................................ 16
     Information Exchange Policies and procedures ....................... 16
     Exchange Agreements ................................................ 17
     Physical Media in Transit .......................................... 17
     Electronic Messaging ............................................... 17
     Business Information System ........................................ 17
     Monitoring ......................................................... 17
     Audit Logging ...................................................... 17
     Monitoring System Use .............................................. 18
     Protection of Log Information ...................................... 18
     Administrator and Operator Log ..................................... 18
     Fault Logging ...................................................... 18
     Clock Synchronization .............................................. 19
     Developing and implementing continuity plans including information security ... 19
     Business continuity planning framework ............................. 19
     Business Continuity Management Process ............................. 19
     Risk Assessment & Business Impact Analysis (BIA) ................... 20
     Business Continuity Strategy ....................................... 20
     Disaster Recovery Plan (DRP) ....................................... 20
     Business Resumption Plan ........................................... 20
     Crisis Management Program .......................................... 21
     Testing and Maintenance Program .................................... 21
     Data Classification ................................................ 21
     Risk Assessment Approach ........................................... 24
     Overview of identifying and assessing the risks .................... 25
     Risk Treatment Plan ................................................ 26
     Risk Reduction ..................................................... 27
     Risk Acceptance .................................................... 27
     Risk Avoidance ..................................................... 27
     Risk Transfer ...................................................... 27

1. Purpose

The purpose of this Information Security policy is to address the requirements of the Information Security processes of our group. This Information Security policy system provides documented policies, procedures and methodologies to achieve the processes required to meet the requirements of the international security standards. The purpose of the Information Security policy is to identify the basic rules and procedures that all group members must adhere to while accessing and handling information assets. These rules must be enforced in order to ensure the confidentiality, integrity and availability of these assets. Furthermore, it puts the group's security posture into writing, describes and assigns functions and responsibilities, grants authority to security professionals, and identifies the incident response processes and procedures.

2. Objective(s)

The objective of the Information Dynamics Information Security program is to foster direct compliance with company policies, ethical standards, employee honesty and overall business operations. Information security policies define a concise set of behaviors that provide a secure environment within which each Information Dynamics employee may use and manage information resources. Information is a primary asset and as such must be protected in a manner commensurate with its value. It is the policy of Information Dynamics that information must be protected in any format or media, whether printed, electronic, verbal, or otherwise, from unauthorized or inappropriate access, use, modification, disclosure, or destruction. This applies to all information that exists in Information Dynamics applications, systems, and networks that Information Dynamics owns or operates (processing environments).


2.1 Processes:

Key processes included under scope for IT Infrastructure & Support:

- IT Asset Management
- Equipment Security
- System Planning and Acceptance
- Antivirus Management
- Data Backup Management
- Network Security Management
- User Access Control Management
- User Network Access Control Management
- System & Network Monitoring
- Application & Information Access Control
- Database Management
- Application Acceptance

Key processes included under scope for support functions (Administration, Purchase & Facilities):

- Physical entry/exit controls
- Outsourcing suppliers (AMCs, housekeeping, security guards & caterers)
- Vendors: purchasing information
- Facilities maintenance (generators, UPS, access control, incoming & outgoing materials)
- Statutory & regulatory support functions


3. ISMS Policy Statement

It is the policy of the group management to establish, implement and maintain an Information Security Management System by:

- ensuring that information security objectives and plans are established;
- establishing roles and responsibilities for information security, including protection of all kinds of data, whether client data or our group companies' data;
- communicating to the organization the importance of meeting information security objectives;
- providing sufficient resources to develop, implement, operate and maintain information security;
- reviewing periodically and making the changes necessary to improve the information security system;
- adequately training personnel about the relevance and importance of their information security responsibilities;
- ensuring the confidentiality, privacy and protection of company data and customer/client data at all levels;
- ensuring that supporting issue-based policies are established and operated in line with the main policy.

It is the responsibility of all process owners and heads of departments to implement and operate the above requirements of the policy.


3.1 Policy for Display

The policy for display is designed to be simple and understandable to users, as suggested by senior management. The information security policy for display is agreed to be as follows:

INFORMATION SECURITY POLICY

“We at Information Dynamics shall ensure confidentiality, integrity and availability of critical information through deployment and continual improvement of our information security system to build profit and reputation for our stakeholders.

Information security shall cover the internal and customer information pertaining to services offered by the group companies.

Our stakeholders expect us to create an effective, highly reputed and profitable company. Our policy focuses on the three key drivers that meet these expectations: our clients, our associates and our business partners.”

3.2 Data Confidentiality, Privacy & Protection Policy Statement

It is the responsibility of management to provide data confidentiality, privacy and protection in regard to personal sensitive information, company information and client information that is under our custody. This is achieved through all employees of our group following the policy requirements stated in this document.

Confidentiality of all kinds of data shall be maintained by all employees at all levels by transacting data only on a need-to-know and need-to-use basis. A formal Non-Disclosure or confidentiality agreement shall be signed during the recruitment process and explained to the prospective employee before employment. In this context, data is classified, and access control and disposition are applied according to that classification.

Privacy of all kinds of data shall be maintained by all employees at all levels by knowing to whom, when, where and how the data has to be communicated with respect to personal, company and client information. In this regard, the senior management of the group shall periodically train and educate people to handle such data or information.

Protection of data in our group is based on the classification of the data and the related treatment and handling of the same. Data shall be segregated according to its classification and divulged to personnel only on a need-to-know and need-to-use basis. Methods such as authorized folder/access management, password-protected files, secure encrypted storage and transmission, disposal, re-use, etc. shall be enforced and followed by all employees.

3.3 Review and Evaluation of Policy

Audits and reviews of the policy shall be conducted bi-annually and the necessary improvements made.

Independent review of information security systems shall be performed.

3.4 Policy Exceptions / Waivers

If, for any reason, the terms of this policy and those listed in the Policy Manual cannot be complied with, a documented waiver must be granted by the designate and the person designated as head of the particular business unit. Waivers of varying duration can be granted when acceptable compensating or alternative controls are in place.


3.5 Issue-based policies

We have formulated various issue-based policies to support the main policy. They are:

- Access Control Policy
- Password Policy
- Customer Data Exchange Policy
- Email and Internet Policy
- Human Resource Security Policy
- Data Center Physical Security Policy
- Data Server Management Policy
- Laptop Usage Policy
- System Development & Maintenance Policy
- Backup Policy
- Media and Equipment Disposal Policy
- Network Segmentation Policy
- Data Retention Policy
- Data Confidentiality, Privacy & Protection Policy
- Acceptable Usage Policy
- Policy on Mobile Computing & Teleworking

4. Security Policies

Access Control Policy

Logical access controls shall be deployed on the principle of ‘deny all unless explicitly permitted’ to protect information from unauthorized access.

Customers, third-party vendors and service providers shall be provided appropriate access to our information assets on the basis of contractual agreement or business need.

User Access Management

User Registration

A user registration and de-registration procedure, integral to the HR joining and exit processes, shall be followed for granting and revoking end-user access.

Users shall be registered upon receiving communication of the joining date from the recruitment team. Any additional access privileges required for the nature of their work shall be provided only after receiving authorized approval from the respective department head and the asset owner.

Unique user IDs shall be assigned to each user to ensure accountability of individual users for their activities.


Privilege Management

Privileges shall be assigned to personnel on a ‘need-to-know’ basis and a ‘need-to-do’ (minimum requirement for the functional role) basis.

An authorization record of all privileges shall be maintained.

User Password Management

An initial temporary password shall be provided to users and they shall be forced to change it on first logon.

In application systems where this functionality of forcing a password change is not available, the user shall change the password manually.

A password standard shall be defined for operating systems, databases, applications and network equipment deployed in IT and technical functions.

Review of User Access Rights

Access rights of users shall be reviewed at the time of lateral changes in employment and responsibilities or internal transfer.

The IT Support team shall review the privileges granted to users with the respective department heads at regular intervals.

User Responsibility

Password Use

Users shall be required to follow good security practices in the selection and use of passwords, which shall include but not be limited to:

- keeping passwords confidential;
- changing passwords at regular intervals or whenever there is any indication of possible system or password compromise;
- selecting quality passwords; and
- changing temporary passwords at the first log-on.


Unattended User Equipment

All users shall be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection, which shall include but not be limited to:

- terminating active sessions when finished;
- logging off desktops, laptops and servers when the session is finished.

Clear Desk and Clear Screen Policy

Sensitive or critical business information on paper or on electronic storage media shall be locked away when not required.

Computers and terminals shall be left logged off or locked when unattended. Systems shall lock after 10 minutes of idle time.

Network Access Control

Policy on Use of Network Services

An authorization matrix shall be built to ensure that users are provided access only to the network services that have been specifically authorized.

Business applications shall be accessible on the network only through approved network services and segments.

User Authentication for External Connections

Remote access connections to our group network shall be provided to authorized users only. Strong user authentication shall be used for providing remote access to the network.

Usage of modems shall be controlled and restricted in the organization.

All wireless routers connecting to the LAN shall be password protected and access shall be authorized.

Equipment identification in networks

All information outlets (network points) shall be identified, and traceability to the Ethernet switch, routers, etc. shall be determined and established.

Remote Diagnostic and Configuration-Port Protection

Physical and logical access to diagnostic and configuration ports shall be controlled.

Ports, services or network devices that are not required for business functionality shall be disabled or removed.

Segregation in networks

Separate network segments for the external, DMZ and internal networks shall be implemented. Appropriate configuration of firewalls, routers and switches shall be documented and maintained for network segregation.

Dedicated VLANs shall be provided to business units and/or departments upon request and approval by the respective department heads.

Network Connection Control

Data flow across firewalls shall comply with the organizational security policies, and exceptions to the same need to be explicitly granted.

FTP uploads/downloads from the Internet shall be permitted only for business use.

Use of personal web-based mail services such as Yahoo Mail, Hotmail, etc. and interactive chat services shall be restricted until explicitly approved.

The group shall implement URL filtering measures to filter websites for regulatory compliance.

Network Routing Control

Controls shall be implemented through network gateways that filter the traffic by means of pre-defined tables or rules. Routing controls shall be based on a source and destination address checking mechanism.

Network Address Translation shall be configured on the network for outbound Internet access.
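The three requirements above (‘deny all unless explicitly permitted’, external/DMZ/internal segregation, and routing controls based on source and destination address checking) are easiest to reason about as a small rule table with an implicit deny at the bottom. The following Python is an added illustration written for this page; it is not part of the policy and does not reproduce any real gateway configuration. The segment ranges, the rule table, the port numbers and the sample flows are all constructed for the example.

```python
"""Default-deny evaluation of a gateway rule table.

Added example for this policy, not part of the document or of any real
configuration: it models the 'deny all unless explicitly permitted' principle
together with the source/destination address checking and the
external/DMZ/internal segmentation the policy requires. The segment ranges,
the rule table and the sample flows are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed segment ranges (RFC 1918 space for the example).
SEGMENTS = {
    "internal": ip_network("10.10.0.0/16"),
    "dmz": ip_network("192.168.100.0/24"),
    "external": ip_network("0.0.0.0/0"),   # everything not in a more specific segment
}


def segment_of(addr: str) -> str:
    """Name of the most specific segment containing addr (longest prefix wins)."""
    ip = ip_address(addr)
    matches = [name for name, net in SEGMENTS.items() if ip in net]
    return max(matches, key=lambda n: SEGMENTS[n].prefixlen)


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR of sources the rule applies to
    dst: str              # CIDR of destinations
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"
    comment: str

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dport in (None, dport))


# Constructed rule table. First match wins; anything unmatched hits the
# implicit deny at the end of evaluate().
RULES = (
    Rule("0.0.0.0/0", "192.168.100.10/32", 443, "permit", "Internet to public web server in DMZ"),
    Rule("192.168.100.0/24", "10.10.5.20/32", 5432, "permit", "DMZ web tier to internal database"),
    Rule("10.10.0.0/16", "0.0.0.0/0", 443, "permit", "internal users to Internet over HTTPS"),
    Rule("10.10.0.0/16", "0.0.0.0/0", 21, "deny", "FTP only by documented exception"),
)


def evaluate(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Walk the table top-down and return (action, reason).

    The final return is the default the policy mandates: a flow no rule
    explicitly permits is denied, and the reason records that no rule matched
    so the decision can be logged as a candidate for an explicit exception.
    """
    for rule in RULES:
        if rule.matches(src, dst, dport):
            return rule.action, rule.comment
    return "deny", "implicit default deny: no matching rule"


def crosses_segments(src: str, dst: str) -> bool:
    """True when a flow crosses a segment boundary and therefore needs a rule."""
    return segment_of(src) != segment_of(dst)


if __name__ == "__main__":
    # Constructed sample flows.
    for flow in [("203.0.113.7", "192.168.100.10", 443),
                 ("203.0.113.7", "10.10.5.20", 5432),
                 ("10.10.3.4", "198.51.100.9", 21)]:
        action, why = evaluate(*flow)
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}  {action:6s} ({why})")
```

The point to notice is the second sample flow: nothing in the table mentions Internet-to-database traffic, and with a default-deny table that silence is enough to block it. A table written the other way round (default permit, with explicit denies) would need a rule for every unwanted path and would silently allow whatever nobody thought of.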

Operating System Access Control

Secure log-on procedures

The operating system logon procedure shall disclose a minimum amount of information about the system.

A logon banner shall appear on all information systems prior to logging on to the system, stating that the information system should only be accessed by authorized users and that unauthorized access is prohibited, monitored and liable to punitive action.

The system shall validate the logon information only on completion of all input data. After a rejected logon attempt, the logon procedure shall terminate.

Unsuccessful logon attempts shall be logged, monitored, and investigated for critical systems.

Password management system

Systems for managing passwords shall be interactive and shall ensure quality passwords. The password management system shall:

- enforce the use of individual user IDs and passwords to maintain accountability;
- allow users to select and change their own passwords and include a confirmation procedure to allow for input errors;
- enforce password changes;
- force users to change temporary passwords at the first log-on; and
- not display passwords on the screen when they are being entered.

All users should change their passwords every 42 days.
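Three of the rules in this policy are checkable from account records alone: a temporary password must be replaced at the first log-on (User Password Management), a password is stale after 42 days (above), and access rights are reviewed at least once in six months (Information access restriction). The following Python is an added illustration for this page, not a tool the policy prescribes: the account record layout, the 182-day reading of "six months", the audit date and the sample accounts are all assumptions constructed for the example.

```python
"""Account checks derived from the password and access-review rules.

Added example, not part of the policy: it evaluates constructed account
records against three requirements stated in this document (temporary
passwords changed at first log-on, passwords changed every 42 days, access
rights reviewed at least once in six months). The record layout, the
182-day reading of "six months", the audit date and the sample accounts
are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PASSWORD_MAX_AGE = timedelta(days=42)
ACCESS_REVIEW_INTERVAL = timedelta(days=182)   # "once in six months", approximated
AUDIT_DATE = date(2024, 6, 1)                  # constructed "today" for the sample run


@dataclass
class Account:
    user_id: str
    password_set_on: date              # when the current password was set
    password_is_temporary: bool        # still the initial password issued by IT
    last_logon: Optional[date]         # None if the user has never logged on
    last_access_review: Optional[date]


def findings_for(acct: Account, today: date) -> List[str]:
    """Return the policy rules this account currently violates (empty if compliant)."""
    issues = []
    # A temporary password is a violation only once the user has logged on
    # without replacing it; an unused temporary password is the expected state.
    if acct.password_is_temporary and acct.last_logon is not None:
        issues.append("temporary password not changed at first log-on")
    if today - acct.password_set_on > PASSWORD_MAX_AGE:
        issues.append("password older than 42 days")
    if acct.last_access_review is None or today - acct.last_access_review > ACCESS_REVIEW_INTERVAL:
        issues.append("access rights review overdue")
    return issues


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant user ID to its findings; compliant accounts are omitted."""
    report = {}
    for acct in accounts:
        issues = findings_for(acct, today)
        if issues:
            report[acct.user_id] = issues
    return report


# Constructed sample accounts.
SAMPLE_ACCOUNTS = [
    Account("asmith", date(2024, 5, 1), False, date(2024, 5, 30), date(2024, 3, 1)),
    Account("jdoe", date(2024, 3, 1), False, date(2024, 5, 31), None),
    Account("newhire", date(2024, 5, 28), True, date(2024, 5, 29), date(2024, 5, 28)),
    Account("contractor", date(2024, 5, 20), True, None, date(2023, 11, 1)),
]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(user, "->", "; ".join(issues))
```

The "contractor" record shows the edge case worth getting right: a temporary password that has never been used is not yet a violation of the first-log-on rule, so the check keys on whether a log-on has happened, not merely on the temporary flag. A never-reviewed account (`last_access_review` of `None`) is treated as overdue rather than silently skipped.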

Use of system utilities

Access to operating system commands and system utilities shall be restricted to authorized personnel for system administration and management functions.

Application and Information Access Control

Information access restriction

Access to application systems shall be restricted to users who require them to fulfil their business operations and shall be in line with the access control policy.

The owner of the information resources and business application shall review the access rights based on the criticality of the information, at least once in six months, or when the role of the user changes.

Sensitive system isolation

Application systems hosting confidential or sensitive information, as per the information classification guidelines, shall not be hosted on shared servers.

Mobile computing

Mobile computing and communications

Users shall be allowed to remotely connect to the company network using a mobile computing device to access business information only after successful identification and authentication. Users shall take special care of mobile computing resources, such as laptops and mobile phones (but not limited to these), to prevent the compromise of business information.

The latest virus definitions shall be updated on mobile computing devices regularly to prevent the corruption of the information stored on these devices.

Mobile computing devices shall not be connected to the company network without approval from the IT Head.

Protection against Malicious and Mobile Code

Control against Malicious Code and Mobile Code

Detective, preventive and recovery controls shall be implemented, and users shall be made aware of the need to protect information processing facilities against malicious and mobile code.

At a minimum, the following shall be observed:

- prohibiting the use of unauthorized software;
- installing and regularly updating malicious and mobile code detection and repair software to scan computers and media;
- regular backup of critical data and software; and
- implementing controls to block suspicious external sites and to filter electronic mail.

Backup

Information Back-up

Back-ups shall be taken and tested regularly to ensure that all essential information and software can be recovered following a disaster or media failure. The following shall be considered for information backup:

- the level, extent and frequency of back-up information shall be defined in accordance with the business requirement;
- back-up information shall be given an appropriate level of physical and environmental protection;
- back-up media shall be regularly tested to ensure that they can be relied upon.

Media Handling

Management of Removable Media

Media shall be controlled and physically protected. Procedures shall be established for:

- erasing content from reusable media;
- storage of media in a safe and secure environment;
- authorization for use of removable media.

Disposal of Media

Media containing information valued as critical and vital shall be disposed of securely and safely when no longer required.

Formal procedures/guidelines for the disposal of media shall be established to minimize the risk of leakage of sensitive information to unauthorized persons.

Information Handling Procedure

Procedures for the handling and storage of information shall be established to protect this information from unauthorized disclosure or misuse. The procedures shall include but not be limited to:

- handling and labeling all media according to their indicated classification level;
- access restrictions to prevent access by unauthorized personnel;
- storage of media in accordance with the required specifications;
- ensuring that input processing is properly completed; and
- keeping the distribution of data to a minimum.

Network Security Management

Network Controls

Network controls shall be implemented to ensure the security of information in networks and the protection of connected services from unauthorized access. At a minimum, the following shall be implemented:

- separation of operational responsibilities for networks from computer operations;
- logging and monitoring shall be applied to enable recording of security-relevant actions; and
- management activities shall be closely coordinated to optimize the service and to ensure that controls are consistently applied across the information processing facility.

Security of Network Services

Security features, service levels and management requirements of network services shall be identified and included in network service agreements.

Exchange of Information

Information Exchange Policies and Procedures

Controls shall be in place to protect the exchange of information through the use of communication facilities.

Exchange Agreements

- Exchange agreements shall be established for the exchange of information and software between the group and external parties.
- Business information or software assets shall be exchanged with outside organizations as per the appropriate security clauses in the formal agreements/contracts.

Physical Media in Transit

Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond physical boundaries.

Electronic Messaging

The group provides electronic mail systems to facilitate the company’s business needs and interests.

The email servers shall be configured to provide secure access to users accessing email content over the Internet.

Under certain business circumstances, temporary e-mail accounts will be provided to third parties and strategic outsourced partners.

These e-mail accounts will have a validity period, as required, and will be de-activated/deleted thereafter.

Business Information System

Policies and procedures shall be documented and implemented to protect information associated with the interconnection of business information systems.

Consideration shall be given to the security of information and the business implications where information is shared between different parts of the group.

Monitoring

Audit Logging

Audit logs recording user activities on critical assets, exceptions and information security events shall be produced and kept for an agreed period to assist in future investigations.

Audit logs shall include but not be limited to:

- user IDs;
- dates, times and details of key events;
- terminal identity;
- records of successful and rejected system access attempts.

Monitoring System Use

Procedures for monitoring the use of information processing facilities shall be established, and the results of the monitoring activities shall be reviewed regularly.

Areas that shall be considered include but are not limited to:

- system log exceptions;
- network management alarms;
- use of privileged accounts, e.g. root, administrator;
- access policy violations and notifications for network gateways and firewalls.
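The audit-log contents listed above and the monitoring areas just named (plus the earlier requirement that unsuccessful logon attempts be logged, monitored and investigated) can be checked mechanically once logs are in a parseable form. The following Python is an added example written for this page; it is not part of the policy, which prescribes neither a log format nor an alerting threshold. The key=value line format, the field names, the three-rejection threshold, the privileged-account list and the sample records are all constructed for the illustration.

```python
"""Audit-log completeness and use-monitoring checks.

Added example, not part of the policy: it parses constructed log records and
checks them against the audit-log contents and monitoring areas this document
lists (user ID, date/time, terminal identity, successful and rejected access
attempts, use of privileged accounts). The key=value format, the field names,
the three-attempt threshold and the sample lines are assumptions; the policy
does not prescribe a log format or a threshold.
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

REQUIRED_FIELDS = ("ts", "user", "terminal", "event", "result")
PRIVILEGED_ACCOUNTS = {"root", "administrator"}
REJECTION_THRESHOLD = 3   # constructed: rejected logons per user before investigation

# Constructed sample records; the fourth line omits the terminal identity.
SAMPLE_LOG = """\
ts=2024-05-01T08:00:12Z user=asmith terminal=WS-0412 event=logon result=success
ts=2024-05-01T08:01:40Z user=jdoe terminal=WS-0207 event=logon result=rejected
ts=2024-05-01T08:01:52Z user=jdoe terminal=WS-0207 event=logon result=rejected
ts=2024-05-01T08:02:05Z user=jdoe event=logon result=rejected
ts=2024-05-01T08:02:19Z user=jdoe terminal=WS-0207 event=logon result=rejected
ts=2024-05-01T09:15:00Z user=root terminal=SRV-DB01 event=logon result=success
ts=2024-05-01T09:16:30Z user=root terminal=SRV-DB01 event=service_restart result=success
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'key=value key=value' record into a dict; tokens without '=' are ignored."""
    record = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def incomplete_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records missing any field the policy requires an audit log to carry."""
    return [r for r in records if any(field not in r for field in REQUIRED_FIELDS)]


def repeated_rejections(records, threshold: int = REJECTION_THRESHOLD) -> Dict[str, int]:
    """Users whose rejected-logon count reaches the threshold (candidates for investigation)."""
    counts = Counter(r["user"] for r in records
                     if r.get("event") == "logon" and r.get("result") == "rejected" and "user" in r)
    return {user: n for user, n in counts.items() if n >= threshold}


def privileged_activity(records) -> Dict[str, List[str]]:
    """Events carried out by privileged accounts, keyed by account, in log order."""
    activity = defaultdict(list)
    for r in records:
        if r.get("user") in PRIVILEGED_ACCOUNTS:
            activity[r["user"]].append(r.get("event", "?"))
    return dict(activity)


def out_of_order(records) -> List[str]:
    """Timestamps that go backwards; with synchronized clocks this list should be empty."""
    stamps = [datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ") for r in records if "ts" in r]
    return [s.isoformat() for prev, s in zip(stamps, stamps[1:]) if s < prev]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("incomplete:", incomplete_records(recs))
    print("repeated rejections:", repeated_rejections(recs))
    print("privileged activity:", privileged_activity(recs))
    print("out of order:", out_of_order(recs))
```

Two details matter for the policy rather than for the code. The completeness check is what makes the "shall include" list enforceable: a record without a terminal identity cannot support a later investigation, so it is reported even though the event itself was logged. And the rejection count is still incremented for that incomplete record, so a gap in one field does not hide a pattern of failed access attempts.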

Protection of Log Information

Logging facilities and log information shall be protected against tampering and unauthorized access.

Controls shall be implemented to protect against:

- alterations to the message types that are recorded;
- log files being edited or deleted; and
- the storage capacity of log file media being exceeded.

Administrator and Operator Log

System administrator and system operator activities shall be logged and include the following:

- the time at which an event (success or failure) occurred;
- information about the event or failure.

Fault Logging

Faults reported by users or by system programs related to information processing or communications systems shall be logged.

Review of fault logs shall be conducted to ensure satisfactory resolution and to ensure that the controls have not been compromised.

Clock Synchronization

The clocks of all relevant information processing systems within the group companies or security domain shall be synchronized with an agreed accurate time source.

Developing and implementing continuity plans including information security

Plans shall be developed and implemented to maintain or restore operations and to ensure availability of information at the required level and within the required time scales following interruption to, or failure of, critical business processes.

Business continuity planning framework

Business Continuity Management Process

Risk Assessment & Business Impact Analysis (BIA)

Business process owners shall be responsible for ensuring that the key events that can cause disruption to their processes are identified, the probability of their occurrence and their potential adverse impact is documented. Threats and applicable vulnerabilities shall be identified for information assets within the process.

Developing the business continuity plan; and

Reviewing and updating the business continuity plan (once a year) Risk and business impact assessment shall be reported.

Business Continuity Strategy

A single common framework shall be followed for drafting continuity plans as per business requirements, which shall include the key stakeholders and third parties.

The risks and business impacts shall be considered for developing and updating the business continuity strategy of the company.

The framework shall include but not be limited to:

Establishing recovery time objectives;

Conditions for disaster declaration and plan invocation;

Disaster Recovery Plan

Business Resumption Plan

Crisis Management Program and

Testing and maintenance program.

Disaster Recovery Plan (DRP)

IT and Admin teams shall develop and maintain a Disaster Recovery Plan for assets whose availability is critical to the organization.

The DRP for such assets shall include but not be limited to:

Alternate server room facilities;

Computer hardware replacement;

Software and data (backup and) recovery;

System connectivity; and

Physical and logical security.

Business Resumption Plan


BRP shall be the responsibility of the respective process owners. Business resumption plans shall include but not be limited to:

Identification of muster points where personnel would gather in the event of declaration of an emergency/disaster

Recovery organization and command center setup, including strategic outsourced partners and third parties

Damage assessment checklist

Resource requirements

List of important contacts

Purchase of suitable insurance in view of the BIA

Draft press release in the event of a business disruption

Essential vendor list

Crisis Management Program

The business continuity plan shall comprise a crisis management program including, but not limited to:

List of command centers

Directions to muster points

Emergency response procedures (during and after normal business hours)

Communication procedures, including but not limited to the crisis management team, strategic outsourced partners and third parties

Executive succession

Testing and Maintenance Program

The business continuity plan shall be tested on a half-yearly basis. The testing and maintenance program shall include but not be limited to:

BCP audit checklist

Test drills

Responsibility for testing

Procedures for updating the BCP

Controls for access to the BCP

Data Classification

Data owned, used, created or maintained by the Information Dynamics Companies is classified into the following three categories:


Public

Business Use Only

Confidential

Company should carefully evaluate the appropriate data classification category for their information.

When provided in this policy, examples are illustrative only, and serve to identify implementation practices rather than specific requirements. Nothing in this policy is intended to restrict the right of departments to require policies and/or procedures in addition to the ones identified in this document.

PUBLIC DATA

Public data is information that may or must be open to the general public. It is defined as information with no existing local, national or international legal restrictions on access or usage. Public data, while subject to Information Dynamics disclosure rules, is available to all staff of the Information Dynamics Companies and to all individuals and external entities.

Information Dynamics, and authorized personnel acting on its behalf, may change the classification of any data at any time.

By way of illustration only, some examples of Public Data include:

Public forums and knowledge bases

Data located in common disk storage

Information publicly posted on company Internet websites, social networking websites, newsletters, newspapers and magazines

Any correspondence, communication or other information posted in a public folder

Any information in printed documents that may be circulated to internal and external users

Business Use Only Data

Business Use Only Data is information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, transmission, storage or other use. Business Use Only Data is information that is restricted to all types of staff of the Information Dynamics Companies who have a legitimate purpose for accessing such data.

By way of illustration only, some examples of Business Use Only Data include:

Operational data that is used for daily business transactions

Partner and customer communication data, communicated by any mode of transfer

Business transactional data sent to partners and Information Dynamics Associates by an Information Dynamics employee, or from a system with the knowledge of an employee

Information or data circulated internally to employees of an organization

The following are important best practices for handling such business data:

o Business Data must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure. Electronic documents must carry the required security settings and be kept on a file server with Active Directory access control.

o It must be stored in a closed container (i.e. file cabinet, closed office, or department where physical controls are in place to prevent disclosure) when not in use.

o All transactional data must be stored in an RDBMS and protected with database security controls.

o It must not be posted on any public website or any portal that discloses information to the public.

o It must be destroyed when no longer needed, subject to Company Policy.

Private Data

Confidential Data is information protected by statutes, regulations, Information Dynamics policies or contractual language. Managers may also designate data as Confidential. Confidential Data may be disclosed to individuals on a need-to-know basis only, through a defined approval process.

Disclosure to parties outside Information Dynamics should be authorized by executive management and/or the Vice President and General Manager.

By way of illustration only, some examples of Confidential Data include:

Employee personal records

Customer Personal records

Company Financial data


Intellectual property created by the organization

Communication to employees or customers that is intended to be confidential

Organization and employee banking data

Legal and government communication or relevant documents

Legal agreements made with internal and external entities

Any data identified by Company regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction.

The following are best practices for handling Private or Confidential data:

o When stored in an electronic format, it must be protected with strong passwords and stored on servers that have the protection and encryption measures provided by ISS, in order to protect against loss, theft, unauthorized access and unauthorized disclosure.

o Private data must not be disclosed to any party without explicit management authorization.

o It must be stored only in a locked drawer or room, or an area where access is controlled by a guard, cipher lock and/or card reader, or that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know.

o When sent via fax or email, it must be sent only to a previously established and used address, or one that has been verified as a secured location.

o It must not be posted on any public website or any portal that discloses information to the public.

o It must be destroyed when no longer needed, subject to Company Policy.

o The access request approval process must be followed to access such data.

o Any modification or deletion of such data must be recorded in the audit log for reference.

o Any destruction of physical confidential data must be recorded in the audit log for reference.

Risk Assessment Approach

The assessment of risk has been carried out as an overall process of risk analysis (systematic use of information to identify sources and to estimate the risk) and risk evaluation (process of comparing the estimated risk against given risk criteria to determine the significance of risk).


The risk assessment includes the following factors:

Identification and valuation of assets

Identification of all security requirements, i.e. threats and vulnerabilities, legal and business requirements

Assessment of the likelihood of the threats and vulnerabilities to occur, and the importance of legal and business requirements

Calculation of risk resulting from these factors;

Selection of the appropriate risk treatment options; and

Selection of controls to reduce the risks to an acceptable level.

Overview of identifying and assessing the risks

Assets are grouped under the headings listed below:

People: personnel, contractors, cleaners, security etc.

Environment

Tools

Services: services provided by the operation

Information: data, documentation etc.

To value the asset, a business impact analysis will be performed on the consequences to the business of a worst case breach of confidentiality, integrity or availability according to the following rating.

 

Business Impact

Rating            Description
Very High (VH)    Serious Damage
High (H)          Significant Damage
Medium (M)        Minor Impact
Low (L)           Negligible


Anything that achieves a rating of “M” or above will be deemed to require further assessment to identify issues that may cause a security breach. This will be achieved by the Information Security Implementation Team of each location performing a threats, vulnerability, probability and impact assessment.

The assessment starts with identifying vulnerabilities and related threats of each information asset that scored a High and Very High value.


For each threat identified, values will be determined that represent the probability and the likely impact of the threat occurring. The rating model of the previous step will apply.

The Risk Measure (RM) is calculated by multiplying the numeric values, whereby L=1, M=2, H=3 and VH=4.

Risk Measure (RM) = Probability Value * Impact Value

This calculation results in the following possible risk measures and, in parentheses, their rankings:

Impact Value -->                 1        2        3        4

Probability Frequency Value
1                                1 (9)    2 (8)    3 (7)    4 (6)
2                                2 (8)    4 (6)    6 (5)    8 (4)
3                                3 (7)    6 (5)    9 (3)    12 (2)
4                                4 (6)    8 (4)    12 (2)   16 (1)

The following table shows the actions that will be taken on the risk measures:

Ranking       Meaning
1 and 2       The management of this threat is considered to be of high priority to the organization. Options for treating the risk will be selected.
3 and 4       The management of this threat is considered to be of medium priority to the organization. Options for treating the risk will be selected.
5, 6 and 7    The management of this threat is considered to be of low priority to the organization. Options for treating the risk will be selected.
8 and 9       The threat is not relevant to the information asset or the organization. Management accepts that the risk is acceptable.
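As an added example that is not part of the policy, the following Python carries the scoring through end to end: the L/M/H/VH values, the Risk Measure product, the ranking read from the 4x4 matrix (the rank of a product among the nine distinct products the matrix can yield), and the priority from the action table, applied to a constructed sample risk register. Asset and threat names are constructed for illustration.

```python
from itertools import product

# Numeric value of each rating, used for both probability and impact (L=1, M=2, H=3, VH=4).
RATING_VALUE = {"L": 1, "M": 2, "H": 3, "VH": 4}

# The 4x4 matrix yields nine distinct products (1, 2, 3, 4, 6, 8, 9, 12, 16). The policy's
# ranking is the position of a product when those products are ordered from largest
# (rank 1, RM = 16) to smallest (rank 9, RM = 1), which reproduces the bracketed values.
_DISTINCT_RM = sorted({p * i for p, i in product(RATING_VALUE.values(), repeat=2)}, reverse=True)
RANK_OF_RM = {rm: rank for rank, rm in enumerate(_DISTINCT_RM, start=1)}


def risk_measure(probability: str, impact: str) -> int:
    """Risk Measure (RM) = Probability Value * Impact Value."""
    return RATING_VALUE[probability] * RATING_VALUE[impact]


def ranking(probability: str, impact: str) -> int:
    """Ranking 1 (highest risk) to 9 (lowest), as in the matrix."""
    return RANK_OF_RM[risk_measure(probability, impact)]


def priority(rank: int) -> str:
    """Action table: 1-2 high, 3-4 medium, 5-7 low, 8-9 accepted."""
    if rank <= 2:
        return "high"
    if rank <= 4:
        return "medium"
    if rank <= 7:
        return "low"
    return "accepted"


# Constructed sample risk register: (asset, threat, probability rating, impact rating).
SAMPLE_REGISTER = [
    ("Customer database", "Unauthorized disclosure of customer records", "M", "VH"),
    ("File server", "Loss of backup media", "L", "H"),
    ("Public website", "Defacement", "H", "L"),
    ("Payroll system", "Extended outage", "H", "VH"),
    ("Newsletter archive", "Accidental deletion", "L", "L"),
]


def assess(register):
    """Score every entry and return them highest priority first (rank 1 before rank 9).

    Entries ranked 1-7 need treatment options selected; ranks 8-9 are accepted risks.
    """
    rows = []
    for asset, threat, prob, imp in register:
        rank = ranking(prob, imp)
        rows.append({
            "asset": asset,
            "threat": threat,
            "rm": risk_measure(prob, imp),
            "rank": rank,
            "priority": priority(rank),
            "needs_treatment": rank <= 7,
        })
    return sorted(rows, key=lambda r: r["rank"])


if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['asset']:<20} RM={row['rm']:>2} rank={row['rank']} {row['priority']}")
```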

Risk Treatment Plan

 

Four methods of risk treatment will be established: Risk Reduction (RR), Risk Acceptance (RA), Risk Avoidance (RAV) and Risk Transfer (RT).


Risk Reduction

If the resulting ranking for the associated asset is 1 - 7, then controls will be referred to and procedures, practices and or mechanisms will be selected that mitigate the risk to an acceptable level.

Each control that is selected to reduce the risk (RR) will be recorded on to a Risk Treatment Plan. This plan will show the control selected, the implementation priority, the expected implementation date and the person responsible for the work.

Risk Acceptance

Group may accept the risks for the following reasons:

If the control / process will not align with the culture of the organization

If the necessary personnel are not available

If the financial resource is not available

If there is no benefit to the organization or its trading partners

If the cost of implementing the control exceeds the perceived or actual cost of a security breach

All acceptance of risk will be documented.

Risk Avoidance

This will be achieved by either stopping a process or eliminating a threat or vulnerability. All avoidance of risk will be documented.

Risk Transfer

The designated person is responsible for ensuring that the responsibilities that have been discharged are appropriate to the risk and that the trading partner is fully aware of their responsibilities.

Change Management Policy

Every change is subject to the Change Management Policy and must follow the Change Management Procedures.

A formal change request must be submitted for all changes, both scheduled and unscheduled.


All scheduled change requests must be submitted in accordance with change management procedures so that the request can be reviewed, potential failures determined and reviewed, and a decision made to allow or delay the request.

The department head may deny a scheduled or unscheduled change for reasons including, but not limited to, inadequate planning, inadequate backout plans, timing that would negatively impact a key business process such as year-end accounting, or adequate resources not being readily available.

Customer notification must be completed for each scheduled or unscheduled change following the steps contained in the Change Management Procedures.

A Change Review must be completed for each change, whether scheduled or unscheduled, and whether successful or not.

A Change Management Log must be maintained for all the above mentioned changes.

The log must contain, but is not limited to:

a) Date of submission and date of change

b) Owner and custodian contact information

c) Nature of the change

d) Indication of success or failure

Violation of Policy

Not reporting a known security incident – An employee who witnesses an instance of non-compliance with this policy and does not report it to the appropriate authority (the IT team).

Leaving information exposed – Allowing or leaving any information exposed to an unauthorized person, third party or organization in soft or hard copy form, e.g. paper documents near a workstation or printer, or soft data viewable on an individual’s computer screen.

Copying of classified Information Dynamics information to the Internet or removable media – Transferring data from the Information Dynamics environment to any Internet site or removable media, e.g. official data transfers or source code being captured to third-party removable devices.

Installation of software without defined authorization – Installing any software on individual terminals without the approval of the IT Infrastructure team.

Password sharing (LDAP) – The unique individual LDAP password belonging to an employee being shared with any other IT person, employee or individual.

Connecting a laptop or other device to the network without authorization – Entering the Information Dynamics network via a personal laptop, mobile or PDA device or other third-party device without prior approval/authorization.

Leaking of confidential information – Leaking or transferring any document defined as confidential information via any means, i.e. chat, a phone call, SMS or MMS, FTP transfer, photographs, or word-of-mouth disclosure in public.


Copy/transmit client-related data to the Internet or removable media device – Intentional act of transferring confidential or sensitive customer data to any external body or removable device such as a CD, pen drive and/or any other source.

Hacking external or internal systems by using Information Dynamics facilities – Hacking of external systems, transferring data inward through an improper mode, and clear violation of any Intellectual property right (IPR) using Information Dynamics resources. Intentional act of hacking data, systems, and internal or external devices covered by confidentiality and proprietary act. Surfing unethical sites such as hackers.com.

Sharing a customer’s confidential information to unauthorized people – Any Information asset which is defined as confidential customer information, leaking or transfer of any such document via any means i.e., chat mode, over a phone call, ftp transferred, photographs, or word of mouth disclosure in public.

Accessing customer or partner IT infrastructure from Information Dynamics or from outside without approval or an NDA from the customer and Information Dynamics Management.

Consequence Management

A breach of this policy could have severe consequences to Information Dynamics and its ability to provide services, or maintain the integrity, confidentiality, or availability of services.

The employee and any other parties involved will be subject to legal proceedings through the cyber crime department and/or local police authorities.

Policy Deviation & Exclusion

Security Policy Exceptions

Information Dynamics information security policies, standards, guidelines, and procedures institute controls that are used to protect Information Dynamics data and information system Resources. While every exception to a policy or standard weakens protection for IT Resources and underlying data, occasionally exceptions will exist. Centralized and departmental IT units and IT Resource owners who are responsible for ensuring appropriate enforcement of Information Dynamics information security policies and related standards on Information Dynamics Companies IT Resources must use this procedure when requesting an exception to information security policies, standards, guidelines, and procedures.

Exception Procedure

The following procedure defines the process for the review and approval of exceptions to Information Dynamics information security policies, standards, guidelines, and procedures:


A manager (or their designee) seeking an exception must assess the risks that non-compliance causes to Companies IT Resources and business processes. If the manager believes the risk is reasonable, then the manager prepares a written request describing the risk analysis and requesting an exception.
