Document Control
Document Description: The objective of this document is to elaborate the information security policies at Information Dynamics.
Document Identification:
Security Classification: Internal
Location:

Authorization

| | Name of the person | Date (dd-mmm-yyyy) |
| --- | --- | --- |
| Prepared by | Sankar | 09-Jan-2020 |
| Reviewed by | Soundar | 25-Jan-2020 |
| Approved by | Arun Dani | 26-Feb-2020 |
Change

| Document Version | Date of Change | Section | A/M/D | Brief description of change | Reviewed by |
| --- | --- | --- | --- | --- | --- |
| 1.0 | 27 Feb 2019 | | A | Initial Release | Soundar |
| 1.1 | 26 Feb 2020 | | A | Updated Security policy to map with the ISO 27001:2013 standards | Soundar |
| 1.2 | 01 Feb 2021 | | A | Updated the communication plan as per the stage 1 audit recommendations | Soundar |
| 1.3 | 01 Feb 2022 | | A | Annual Review | Soundar |
| 1.4 | 01 Feb 2023 | | A | Annual Review | Soundar |
Confidentiality Agreement
This document is copyrighted and all rights are reserved. This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent, in writing, from an authorized representative of Information Dynamics. This document is for internal use only and may, in whole or in part, be provided to anyone outside the Company, including customers, clients, or prospects, only after approval from an authorized representative of Information Dynamics.
The purpose of this Information Security policy is to address the requirements of the Information Security processes of Information Dynamics (ID). This Information Security policy system provides documented policies, procedures and methodologies to achieve the processes required to meet the requirements of the international security standards. The purpose of the Information Security policy is to identify the basic rules and procedures that all ID employees must adhere to while accessing and handling information assets. These rules must be enforced in order to ensure the confidentiality, integrity and availability of these assets. Furthermore, it puts ID's security posture into writing, describes and assigns functions and responsibilities, grants authority to security professionals, and identifies the incident response processes and procedures.
[Figure: PDCA cycle - Plan, Do, Check, Act]
The objective of the Information Dynamics (ID), Information Security program is to foster direct compliance with company policies, ethical standards, employee honesty and overall business operations. Information security policies define a concise set of behaviors that provide a secure environment within which each Information Dynamics employee may use and manage information resources. Information is a primary asset and as such must be protected in a manner commensurate to its value. It is the policy of Information Dynamics that information must be protected in any format or media whether printed, electronic, verbal, or otherwise from unauthorized or inappropriate access, use, modification, disclosure, or destruction. This applies to all information that exists in Information Dynamics applications, systems, and networks that Information Dynamics owns or operates (processing environments). The program uses the PDCA - Plan Do Check Act cycle for implementation, maintenance and continually improving the system.
At a high level, the implementation of the information security program focuses on achieving the following objectives:
To address security control weaknesses in process, people and technology by implementing security controls through solutions, process strengthening and awareness programs
To report, manage and handle security incidents.
Reduce exposure of critical information.
To prevent unauthorized physical access, damage and interference to ID premises and information and to prevent loss or compromise of asset and interruption to ongoing and planned activities.
To control access to the information and to prevent unauthorized user access to systems, applications and network.
To ensure security of electronic services and to detect unauthorized information processing activities.
To create a security culture in the organization.
Continually improve the security posture of the company through effective process management, adopting technology suited to business needs, and faster, more effective delivery.
Key Processes Included under scope for IT-Infrastructure & support:
IT Asset Management
Equipment Security
System Planning and Acceptance
Antivirus Management
Backup Management
Network Security Management
User Access Control Management
User Network Access Control Management
System & Network Monitoring
Application & Information Access Control
Database Management
Application acceptance
The context of the organization plays a vital role in information security program. This determines the factors that affect information security implementation in the organization and also identifies risks that might affect the environment.
Ref: ISMS Scope document
The senior management of Information Dynamics has treated information security as a priority and a critical factor in building a secure environment and in meeting customer needs.
To ensure this is followed, management has allocated resources and identified key roles to manage the security program.
Ref: Information Security Roles and Responsibilities document
ISMS Policy Statement:
It is the policy of the ID management to establish, implement and maintain an Information Security Management System by:
Ensuring that information security objectives and plans are established
Establishing roles and responsibilities for information Security that includes protection of all kinds of data, either client or our group company’s data.
Communicating to the organization the importance of meeting Information security objectives
Providing sufficient resources to develop, implement, operate and maintain Information security
Reviewing periodically and making the necessary changes to improve the Information security system
Adequately training personnel about the relevance & importance of their information security responsibilities.
Ensuring the confidentiality, privacy & protection of Company data and customer/client data at all levels.
Ensuring that supporting issue-based policies are established and operated in line with the main policy.
It is the responsibility of all process owners and heads of departments to implement and operate the above requirements of the policy.
Information Security Commitment Statement
As suggested by senior management, the policy for display is designed to be simple and understandable by users, and the information security policy statement for display has been agreed as follows.
INFORMATION SECURITY POLICY COMMITMENT STATEMENT
Vision “Building Technologies, Driving Businesses” Mission “Adding Value through Innovations”.
Decrease Incident Response time by 5 %
Decrease Incident Closure time by 5 %
ISMS Awareness training- to cover 100 % Information Dynamics Employees
Data Confidentiality, Privacy & Protection Policy Statement
It is the responsibility of the management to provide Data Confidentiality, Privacy and Protection in regard to personal sensitive information, company information and client information, which are under our custody. This is achieved through all employees of Information Dynamics following the policy requirements as stated in this document.
Confidentiality of all kinds of data shall be maintained by all employees at all levels by transacting the data only on a need-to-know and need-to-use basis. A formal Non-Disclosure or confidentiality agreement shall be signed during the joining process, and its contents explained to the prospective employee before employment. In this context, data is classified, and access control and disposition follow that classification.
Privacy of all kinds of data shall be maintained by all employees at all levels by knowing to whom, when, where and how the data has to be communicated with respect to personal, company and client information. In this regard, ID shall periodically train and educate people to handle such data or information.
Protection of data in ID is based on the classification of the data and the related treatment and handling of the same. Data shall be segregated according to its classification and divulged to personnel only on a need-to-know and need-to-use basis. Methods such as authorized folder/access management, password-protected files, secure encrypted storage and transmission, disposal, re-use, etc. shall be enforced and followed by all employees.
Roles and responsibilities have been allocated to dedicated personnel/Team to manage the information security program.
Ref: Information Security Roles and Responsibilities Document.
Action to address Risks and Opportunities
Information Dynamics has identified risks and continually identifies new risks that affect information. These are evaluated and analyzed, and appropriate security controls are applied accordingly to mitigate the risks.
Ref:
Risk Assessment Methodology
Risk Assessment and Treatment Sheet
Resources have been allocated by the management to manage and maintain information security controls in the organization. These roles are split across the department and vary based on the domains being managed by the individuals.
Teams shall be appropriately trained to manage technical and compliance management of information security.
All employees in the environment shall be provided awareness on information security best practices and how to secure information. This shall be through the following channels, but not limited to:
Emailers
Posters
Classroom sessions
Communication of policies and other aspects shall be documented.
| Communication | By Whom | To Whom |
| --- | --- | --- |
| ID Policies and Guidelines | Information Security Team | Employees |
| Communication of Risks | CISO | ISSC |
| Communication to Press | CEO | Press and Public Media |
| Social Media updates | Marketing Team | Public Social Media accounts |
| Any crisis | CISO | Employees |
| Regulatory issues and communications | HR | Respective local authorities |
| Change in product delivery or schedule | Product Manager | Customer |
| New customer acquisition | CEO | Employees |
Information Security documentation shall be focused on aligning to international best practices and standards. All documentation at a minimum shall have the following updated:
Version Number
Changes Made
Date of Change
Author
Classification of the document
Controls shall be implemented to manage new updates and changes to the current environment. Ref:
Design and Transition of new services Procedure
Change management procedure
The security controls that have been implemented are monitored regularly and measured for effectiveness. This gives management a view of the effectiveness and strength of the controls. Based on the results of these checks, management can decide which controls lack effectiveness and what action is to be taken.
Ref: The evaluation KPIs are updated in every procedure document.
Internal audits on the implemented security controls shall be done at least once a year.
Ref: Process Manual for Internal Audit
The management reviews the information security program on a regular basis (once in six months). This helps management understand where the security program needs attention and continually improve the process. The agenda and frequency have been defined.
Ref: Information security roles and responsibilities document.
ID is dedicated to continually improving its security and service management practices. The audits conducted shall identify areas to be improved. Corrective actions shall be documented for non-conformities. Each finding shall have its root cause identified and an owner responsible for closing it.
Areas of improvement shall also be from, but not limited to:
Risk Assessments
New Technology advancements
Process effectiveness
Training and Awareness
A set of policies has been documented to implement best-practice security controls in the ID environment. These policies have been approved by the management.
All the policies shall be reviewed at least once a year or whenever there is a change required to the policy whichever comes first.
Information Security roles and responsibilities have been defined and shared. To avoid conflict of interest, duties are segregated in various domains. In terms of auditing, an independent body shall conduct this exercise.
ID recognizes that the maintenance of the desired level of information security may require the cooperation, support and assistance of certain external agencies.
Therefore, management shall ensure that formal contacts with vendors, security groups, industry forums and other service providers are established.
The extent of cooperation and transfer of information shall be formalized to the extent possible. Such cooperation will be in the interest of ID and will not result in violation of ID’s Information Security Policies including the transfer of confidential / classified information to unauthorized third parties.
The Information Security Manager shall establish contact with information security forums (such as ISACA, MS security bulletins, the Indian and AE CERTs, etc.) and take part in various information security programs.
The knowledge gained shall be utilized in improving the security of ID information assets.
For all projects managed in ID, risks are factored and appropriate planning is done.
Ref: Guidelines for Project Risk Management
Users shall be allowed to remotely connect to the company network using mobile computing device to access business information, only after successful identification and authentication.
Users shall take special care of mobile computing resources, such as (but not limited to) laptops and mobile phones, to prevent the compromise of business information.
Latest virus definitions shall be updated on the mobile computing devices regularly to prevent the corruption of the information stored on these devices.
Mobile computing devices shall not be connected to the company network without approval from IT Head.
Teleworking and remote access shall be granted to users only on need basis and on business requirement.
Remote access connections to our group network shall be provided to authorized users only. Strong user authentication shall be used for providing remote access to the network.
Usage of modems shall be controlled and restricted in the organization.
All wireless routers for connecting to LAN shall be password protected and access shall be authorized.
Any employee joining ID has to go through a formal screening process. Apart from this there are security controls followed by HR during the employee’s tenure in the firm.
Ref: Human Resource Security Policy
ID shall maintain a list of information assets for each department. Every information asset shall have the following information tagged to it:
Asset Name and Description
Asset Owner
Asset Location
Asset Custodian
Asset format (Electronic/ Hard Copy)
Asset type (Hardware/Software, etc.)
Asset rating based on confidentiality, Integrity and Availability.
ID is the owner of all information assets it manages and maintains. All these assets are to be used for business purposes only. This has been documented.
Ref: Acceptable use of assets Policy
All assets must be returned to the respective department when an employee leaves the firm.
Ref: Human Resource Security Policy
Information owned, used, created or maintained by the Information Dynamics Companies is classified into the following three categories:
Public
Internal
Confidential
Company should carefully evaluate the appropriate information classification category based on the criticality involved.
When provided in this policy, examples are illustrative only, and serve as identification of implementation practices rather than specific requirements. Nothing in this policy is intended to restrict the right of departments to require policies and/or procedures in addition to the ones identified in this document.
Public
Public data is information that may or must be open to the general public. It is defined as information with no existing local, national or international legal restrictions on access or usage. Public data, while subject to Information Dynamics disclosure rules, is available to all staff of the Information Dynamics Companies and to all individuals and external entities.
Information Dynamics, or authorized personnel acting on its behalf, may change the classification of data at any time.
By way of illustration only, some examples of Public Data include:
Public Forums and Knowledge Base
Data which are located in common Disk Storage.
Publicly posted in company Internet websites, social networking websites, newsletters, newspapers and magazines.
Any correspondence, communication or other information posted in a public folder.
Any information in printed document that can be circulated to any internal and external users.
Internal
Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, transmission, storage or other use. Internal Data is restricted to staff of the Information Dynamics Companies who have a legitimate purpose for accessing it.
By way of illustration only, some examples of Internal Data include:
Operational Data that is used for daily business transactions
Partner and customer communication data which are communicated by any mode of transfer
Business Transactional Data that is sent to partners and Information Dynamics Associates by Information Dynamics Employee or from system with knowledge of an employee
Internally circulated information or data to employees of the organization
The following are important best practices for handling such business data:
Business Data must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure. Electronic documents shall carry the required security settings and be kept on a file server with Active Directory access control.
It must be stored in a closed container (i.e. file cabinet, closed office, or department where physical controls are in place to prevent disclosure) when not in use.
All Transactional Data are required to be stored under RDBMS and to be protected with Database Security controls
It must not be posted on any public website or any portal that discloses information to public
It must be destroyed when no longer needed subject to Company Policy.
Confidential Data
Confidential Data is information protected by statutes, regulations, Information Dynamics policies or contractual language. Managers may also designate data as Confidential. Confidential Data may be disclosed to individuals on a need-to-know basis only with defined approval process.
By way of illustration only, some examples of Confidential Data include:
Employee personal records
Customer personal records
Company financial data
Intellectual property created by the organization
Communications to employees or customers that are intended to be confidential
Organization and employee banking data
Legal and government communication or relevant documents
Legal agreements made with internal and external entities
Any data identified by Company regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction.
The following are best practices for handling Confidential data:
When stored in electronic format, it must be protected with strong passwords and stored on servers that have the protection and encryption measures provided by ISS, in order to protect against loss, theft, unauthorized access and unauthorized disclosure.
Confidential data must not be disclosed to any party without explicit management authorization.
It must be stored only in a locked drawer or room, or an area where access is controlled by a guard, cipher lock and/or card reader, or that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know.
When sent via fax or email, it must be sent only to a previously established and used address, or to one that has been verified as belonging to a secured location.
It must not be posted on any public website or any portal that discloses information to the public.
It must be destroyed when no longer needed, subject to Company Policy.
The access request approval process must be followed to access such data.
Any modification or deletion of such data must be logged to the audit log for reference.
Any destruction of physical confidential data must be logged to the audit log for reference.
All confidential information processing assets need, at a minimum, to be physically labelled. This includes hardware devices and also labelling the classification on hard copy information.
A list of these tags shall be maintained, and assets shall be tracked and traced through it.
Information Handling Procedure
Procedures for the handling and storage of information shall be established to protect this information from unauthorized disclosure or misuse. The procedures shall include but not be limited to:
Handling and labeling of all media according to its indicated classification level;
Access restrictions to prevent access by unauthorized personnel;
Storage of media in accordance with required specifications;
Ensuring that input processing is properly completed; and
Keeping the distribution of data to a minimum.
Media shall be controlled and physically protected. Procedures shall be established for:
Erasing content from reusable media
Storage of media in a safe and secure environment
Authorization for use of removable media
Media containing information valued as critical and vital shall be disposed of securely and safely when no longer required.
Formal procedure/guidelines for disposal of media shall be established to minimize the risk of sensitive information leakage to unauthorized persons.
Reference: Asset Management Procedure
Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond physical boundaries.
Logical access controls shall be deployed with the principle of ‘deny all unless explicitly permitted’ to protect information from unauthorized access.
Customers, third party vendors/ service providers shall be provided appropriate access to our information assets on the basis of contractual agreement/business need.
A user registration and de-registration procedure, integral to the HR joining and exit processes, shall be followed for providing and revoking end-user access.
Users shall be registered upon receiving communication (joining date) from recruitment team.
Unique user IDs shall be assigned to each user to ensure accountability of individual users for their activities.
Privilege shall be assigned to personnel on a ‘need-to-know’ basis and a ‘need-to-do’ (minimum requirement for the functional role) basis.
Authorization record of all privileges shall be maintained.
Access rights of users shall be reviewed at time of lateral changes in employment & responsibilities or internal transfer. The user access to critical systems shall be reviewed at least once in 6 months.
IT Support team shall review the privileges granted to users with the respective department heads once in 6 months.
Users shall be required to follow good security practices in the selection and use of passwords, which shall include but not be limited to:
keeping passwords confidential;
change passwords at regular interval or whenever there is any indication of possible system or password compromise;
Select quality passwords; and
Change temporary passwords at the first log-on.
An initial temporary password shall be provided to the users and they shall be forced to change it on first logon.
In application systems, where this functionality of force changing the password is not possible, the user shall change the password manually.
Password standard shall be defined for operating systems, databases, applications, network equipment deployed in IT and technical functions.
Systems for managing passwords shall be interactive and shall ensure quality passwords. The password management system shall:
Enforce the use of individual user IDs and passwords to maintain accountability;
Allow users to select and change their own passwords and include a confirmation procedure to allow for input errors;
Enforce password changes;
Force users to change temporary passwords at the first log-on; and
Ensure that passwords are not readable on the screen when being entered.
All users should change their passwords every 45 days.
The password policy and account lockout policy implemented in Information Dynamics are given below. The same settings apply to user passwords and privileged passwords.
Enforce password history: 4 passwords remembered
Maximum Password age: 45 days
Minimum Password age: 0 days
Password Length: 8 Characters (Complexity enabled)
Account Lockout duration: 30 minutes
Account lockout threshold: 3 invalid logon attempts
Reset account lockout counter after: 30 minutes
Access to the operating system commands and system utilities shall be restricted to authorized personnel for system administration and management functions.
Encryption is used to safeguard confidential information.
Ref: Key Management & Card Data Encryption Policy
Ref: Physical and Environmental Security Policy
All users shall be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection which shall include but not be limited to:
terminate active sessions when finished;
log-off desktops, Laptops and servers when the session is finished;
Sensitive or critical business information on paper or on electronic storage media shall be locked when not required
Computers and terminals shall be left logged off or locked when unattended.
System shall be locked after 30 minutes of idle time.
All Information Dynamics records, whether physical or digital, are subject to retention requirements based on business, legal and regulatory requirements. Information Dynamics requires that all removable storage media (CDs, tapes, memory sticks, hard drives, etc.) are clean (meaning it is not possible to read or reconstitute the information that was stored on the device or document) prior to disposal. Specifically:
Magnetic stripe data, CVV, CID, CAV2, CVV2, CVC2 and PINs shall not be stored under any circumstances.
Each data item that is stored should be marked with the name of the record, the record type, the original owner of the data, the information classification, the required retention period, and any special information (e.g. in relation to cryptographic keys).
The required retention periods, by record type, should be in compliance with business, legal and regulatory requirements. The records both physical and electronic should have secure remote offsite backups.
The offsite records both physical and digital should be retrieved and reviewed at least annually or based on the criticality of the information of the records.
All records (physical and digital) moving to and from the facility to offsite locations have to be logged and inventory-managed both at the primary and offsite locations. A periodic inventory check must be done at the offsite location to find whether there are any irregularities in the logging mechanism.
Data shall be disposed of as soon as its specified retention period ends.
If sensitive authentication data (CVV, PIN, magnetic stripe data, track data etc.) is being received, then the data should not be stored and be deleted in a secure manner which makes the data unrecoverable.
Cryptographic keys that are required for sensitive transaction data should be retained as set out in the Credit Card Data Encryption & Key Management Policy.
Devices containing confidential information are, subject to a risk assessment, physically destroyed prior to disposal and are never re-used.
Devices containing confidential information that are damaged are subject to a risk assessment prior to sending for repair, to establish whether they should be repaired or replaced.
Documents, CDs, etc. containing confidential and restricted information that are to be destroyed are shredded by their owners using a cross-cut shredder. These shredders are located in the secure area and the containers are kept under lock and key.
Portable or removable storage media of any description are physically destroyed prior to disposal.
The data owner along with support from the custodian is responsible for destroying data once it has reached the end of the retention period. Destruction must be completed within 30 days of the planned retention period. Destruction is handled as follows:
Papers to be shredded.
CDs to be shredded.
Backup tapes to be burnt.
Sensitive data to be deleted through a program.
The TSG Team is responsible for the retention and secure disposal of storage media, and the disposal of all information processing equipment is routed through that team. A log (Data Transfer and Storage Request Form_v1 and Data Disposal Form_v1) is retained showing what media were destroyed or disposed of, and when. As required, the asset inventory is adjusted once the asset has been disposed of.
Every change is subject to the Change Management Policy and must follow the Change Management Procedures.
A formal change request must be submitted for all changes, both scheduled and unscheduled.
All changes should have security risks evaluated prior to approval.
All scheduled change requests must be submitted in accordance with change management procedures so that the request can be reviewed, potential failures determined and reviewed, and a decision made to allow or delay the request.
The department head may deny a scheduled or unscheduled change for reasons including, but not limited to, inadequate planning, inadequate backout plans, timing that would negatively impact a key business process such as year-end accounting, or adequate resources not being readily available.
Customer notification must be completed for each scheduled or unscheduled change following the steps contained in the Change Management Procedure.
A Change Review must be completed for each change, whether scheduled or unscheduled, and whether successful or not.
A Change Management Log must be maintained for all the above mentioned changes.
The log must contain, but is not limited to:
Date of submission and date of change
Owner and custodian contact information
Nature of the change
Indication of success or failure
Ref: Change Management Procedure
Capacity Management
Ref: Capacity Management Policy (Under IT_SMS Policies)
Detective, preventive and recovery controls shall be implemented, and users shall be made aware of the need to protect information processing facilities against malicious and mobile code. At a minimum, the following shall be observed:
Prohibiting the use of unauthorized software;
Installing and regularly updating malicious and mobile code detection and repair software to scan computer and media;
Regular backup of critical data & software; and
Implementing controls to block suspicious external sites & filtering electronic mails.
Anti-Virus Deployment
Antivirus/Anti-malware software is installed on all Organizational information systems and devices, including gateways and firewalls. The Antivirus/Anti-malware software installed on the gateway(s) conducts automated scans of all attachments and deletes or quarantines suspect files. The anti-virus software shall be actively running at all times and shall be capable of generating alerts.
All servers and workstations must have the latest release of antivirus software installed.
Antivirus signatures must be updated regularly, and the updates shall be distributed to all clients.
All the servers and workstations are to be centrally administered and controlled on a daily basis.
The anti-virus programs shall be capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware.
The anti-virus software and its definitions should be regularly updated.
The installation and maintenance of anti-malware software on all Organizational information systems and devices is mandatory.
Anti-virus Log
The anti-virus program shall be capable of generating audit logs. The logs shall be retained for at least 15 days.
Back-ups shall be taken and tested regularly to ensure that all essential information and software can be recovered following a disaster or media failure. The following shall be considered for information backup:
Level, extent and frequency of back-up information shall be defined in accordance with the business requirement.
Back-up information shall be given an appropriate level of physical and environmental protection.
Back-up media shall be regularly tested to ensure that they can be relied upon.
Users are responsible for ensuring that information is saved on shared folders.
No desktops shall be backed up.
Backup tapes shall be moved to an offsite location to ensure that continuity of business is possible in case of a crisis/disaster.
Ref: Backup Policy
Audit logs recording user activities on critical assets, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations. Audit logs shall include but not be limited to:
User Ids;
Dates, times and details of key events;
Terminal identity;
Records of successful and rejected system access attempts.
Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities shall be reviewed regularly.
Areas that shall be considered include but are not limited to:
System log exceptions;
Network management alarms;
Use of privileged accounts, e.g. root, administrator;
Access policy violations and notifications for network gateways and firewalls.
Logging facilities and log information shall be protected against tampering and unauthorized access.
Controls shall be implemented to protect:
Alterations to the message types that are recorded;
Log files being edited or deleted; and
Storage capacity of log files media.
System administrator and system operator activities shall be logged and shall include the following:
The time at which an event (success or failure) occurred;
Information about the event or failure.
Faults reported by users or by system programs related to information processing or communications systems shall be logged.
Review of fault logs shall be conducted to ensure satisfactory resolution and to ensure that the controls have not been compromised.
The clocks of all relevant information processing systems within the group companies or security domain shall be synchronized with an agreed accurate time source.
Requirement for Latest Patch
All system components and software in the organization will have the latest vendor-supplied security patches installed.
Technical assessments, vulnerability assessments and penetration tests shall be done at least once a year. Based on the results, patches and other updates shall be applied to secure the systems.
Patch Management Process
The organization must receive updates from vendors from time to time as new security patches are released. The available patches are installed as per the referenced procedure document.
Ref: Patch Management Procedure document
Patch Installation Timelines
All relevant security patches must be installed within 30 days (one month) of release.
Security Patch Testing Requirements
All security patches must be tested before being deployed into production. Person(s) responsible for Patch Management shall test the patches in a test setup before deploying them to the production environment.
New Vulnerability Risk Ranking
New vulnerabilities must be identified from updates by external industry sources, known security forums, etc., and each vulnerability shall be assigned a risk ranking. Risk rankings shall be based on industry best practices, such as the CVSS scoring system.
Employees shall not have access to install any software on their systems. All software installation requests shall be routed through a formal request. Software shall be installed only after line manager approval.
Systems shall be audited on a regular basis. This shall include compliance auditing and technical auditing. Based on the audit results, corrective action shall be taken and the identified areas fixed.
Ref: Process Manual for Internal Audit
Network Controls shall be implemented to ensure the security of information in networks, and the protection of connected services from unauthorized access. At a minimum, the following shall be implemented:
Separation of operational responsibilities for networks from computer operations;
Logging and monitoring shall be applied to enable recording of security relevant actions; and
Management activities shall be closely coordinated to optimize the service and to ensure that controls are consistently applied across the information processing facility.
Security features, service levels, and management requirements of network services shall be identified and included in network services agreements.
An authorization matrix shall be built to ensure that users are provided access only to the network services that have been specifically authorized.
Business applications shall be accessible on the network only through approved network services and segments.
All information outlets (network points) shall be identified, and traceability to the Ethernet switches, routers, etc. shall be determined and established.
Physical and logical access to diagnostic and configuration ports shall be controlled.
Ports and services on network devices which are not required for business functionality shall be disabled or removed.
Separate network segments for external, DMZ and internal networks shall be implemented. Appropriate configuration of firewalls, routers and switches shall be documented and maintained for network segregation.
Dedicated VLANs shall be provided to business units and/or departments upon request and approval by the respective department heads.
Data flow across firewalls shall comply with the organizational security policies, and exceptions to the same need to be explicitly granted.
FTP uploads/downloads from the Internet shall be permitted only for business use.
Personal web-based mail services such as Yahoo Mail, Hotmail, etc. and interactive chat services shall be restricted unless explicitly approved.
Group shall implement URL filtering measures to filter websites for regulatory compliance.
Controls shall be implemented through network gateways that filter the traffic by means of pre-defined tables or rules. Routing controls shall be based on the source and destination address checking mechanism.
Network Address Translation shall be configured on the network for outbound Internet access.
Operating system logon procedure shall disclose a minimum amount of information about the system.
A logon banner shall appear on all information systems prior to logging on to the system, stating that the information system may only be accessed by authorized users and that unauthorized access is prohibited, monitored and liable to punitive action.
The system shall validate the logon information only on completion of all input data. After a rejected logon attempt, the logon procedures shall terminate.
Unsuccessful logon attempts shall be logged, monitored, and investigated for critical systems.
Application systems hosting confidential or sensitive information as per information classification guidelines shall not be hosted on shared servers.
Controls shall be in place to protect the exchange of information through the use of communication facilities.
Exchange agreements shall be established for the exchange of information and software between the group and external parties.
Business information or software assets shall be exchanged with outside organizations as per appropriate security clauses in the formal agreements/contracts.
The Group provides electronic mail systems to facilitate the company's business needs and interests.
The email servers shall be configured to provide secure access to users accessing email content over the Internet.
Under certain business circumstances, temporary e-mail accounts will be provided to third parties and strategic outsourced partners.
These e-mail accounts will have a validity period, as required, and will be deactivated/deleted thereafter.
Ref: Email Security Policy
System Acquisition, development and maintenance
Ref: Supplier Management policy
Policies and procedures shall be documented and implemented to protect information associated with the interconnection of business information systems.
Consideration shall be given to security of information and business implications where information is shared between different parts of the group.
Ref: Incident Management Policy
Plans shall be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.
Refer: Business Continuity and Disaster Recovery Policy
A list of laws has been documented which are applicable to the geographical areas in scope.
Ref: ISMS Scope document
Ref: Compliance Policy
Information Security Reviews are done on a regular basis.
Technical Reviews: VA and PT exercises are done to understand the security posture of the firm.
These exercises are conducted at least once in 12 months.
Compliance Reviews: Compliance reviews are done to verify the compliance level w.r.t. ISMS documentation and implementation. This is done at least once a year.
Not reporting a known security incident – An employee who witnesses an instance of non-compliance with this policy and does not report it to the appropriate authority (IT team).
Allowing/leaving any information exposed to an irrelevant person, or to a third-party person or organization, in the form of soft/hard copy, e.g. paper documents near a workstation or printer, or viewable soft data on an individual's computer screen.
Copying of classified Information Dynamics information to the Internet or removable media – Transferring data from the Information Dynamics environment to any Internet site or removable media, e.g. official data transfer or source code being captured onto third-party removable devices.
Installation of software without defined authorization – Installing any software on individual terminals without the approval of the IT Infrastructure team.
Password sharing (LDAP) – The unique individual LDAP password belonging to an employee being shared with any other IT person, employee or individual.
Connecting a laptop or other device to the network without authorization – Entering the Information Dynamics network via a personal laptop, mobile or PDA device, or other third-party device, without prior approval/authorization.
Leaking of confidential information – Leaking or transferring any document defined as confidential information via any means, i.e. chat, a phone call, SMS or MMS, FTP transfer, photographs, or word-of-mouth disclosure in public.
Copy/transmit client-related data to the Internet or removable media device – Intentional act of transferring confidential or sensitive customer data to any external body or removable device such as a CD, pen drive and/or any other source.
Hacking external or internal systems using Information Dynamics facilities – Hacking of external systems, transferring data inward through an improper mode, or clear violation of any intellectual property right (IPR) using Information Dynamics resources; any intentional act of hacking data, systems, and internal or external devices covered by confidentiality and proprietary acts; surfing unethical sites such as hackers.com.
Sharing a customer's confidential information with unauthorized people – Leaking or transferring any information asset defined as confidential customer information via any means, i.e. chat, a phone call, FTP transfer, photographs, or word-of-mouth disclosure in public.
Accessing a customer's or partner's IT infrastructure from Information Dynamics or from outside without approval or an NDA from the customer and Information Dynamics Management.
A breach of this policy could have severe consequences to Information Dynamics and its ability to provide services, or maintain the integrity, confidentiality, or availability of services.
The employee and any other parties involved will be liable to and/or subject to legal proceedings through the cyber crime department or local police authorities.
If, for any reason, the terms of this policy and those listed in the Policy Manual and other supporting security policies cannot be complied with, a documented waiver must be granted by the designate and the person designated as head of the particular business unit. Waivers of varying duration can be granted when acceptable compensating or alternative controls are in place. A manager (or their designee) seeking an exception must assess the risks that non-compliance causes to the Company's IT resources and business processes. If the manager believes the risk is reasonable, the manager prepares a written request describing the risk analysis and requesting an exception.