This policy applies to all users and other third parties, if they provide network access.
The term Information Systems defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. desktop, network devices, and wireless devices), software and information.
All users are required to read, understand and comply with other Information Security policies, standards and procedures. If any user does not fully understand anything in these documents, he/she should contact the Information Security Manager or the concerned department/division units to jointly resolve any conflicts arising from this policy.
The principles of security adopted by the company are:
Confidentiality: information should be accessible only to authorized personnel
Integrity: information should be modifiable only by authorized personnel
Availability: information should be made available to personnel who need it
The purpose is to protect the confidential information of the company and its clients, as well as information received from users, in order to minimize business damage, ensure business continuity and gain customer confidence by undertaking proactive measures for preventing and minimizing the impact of security incidents and disasters.
The company also aims to protect its infrastructure and the information generated/processed within or received from its clients by building robust information systems and processes. Employees, contractors, vendors and stakeholders shall be committed to complying with all legal, regulatory and contractual obligations by adhering to the practices defined to protect business sensitive, client and operational information.
It is the responsibility of all employees and contractors to comply with this and other associated policies. Management is responsible for reviewing, updating, maintaining and disseminating the security policy annually and as required.
POLICY – IT AND INFORMATION SECURITY
The responsibility is to manage the IT functions with the help of the associated third-party service provider and to provide adequate protection and confidentiality to all company data and proprietary software systems, whether held centrally, on local storage media, or remotely, to ensure the continued availability of data and programs to all authorized members, and to ensure that the integrity of all data and configuration controls is maintained.
INFORMATION SECURITY OBJECTIVE
The objectives of implementing an information security management system are:
To ensure adequate protection of all data and data processing facilities.
To ensure effective management along with third party support, where required.
To ensure formal assignment of information security responsibilities to a Chief Security Officer or other security-knowledgeable member of management.
To establish, document and distribute all the security policies and procedures to responsible personnel.
To ensure that all information security incidents or suspected security flaws have appropriate reporting mechanisms so that superiors are notified, and these incidents are appropriately investigated, analysed and handled.
To provide a safe and secure information systems working environment for all staff and contractors by conducting an information security awareness program.
RISK MANAGEMENT FRAMEWORK
In order to manage information security, the organization will adopt an asset-based risk approach.
This approach mandates:
Identify business functions within the scope
Identify all the information assets used by the business functions such as:
System/Network/Security/Laptops/Desktops/Backup Devices etc.;
Policies/Procedures/Other departmental documents and records/ client specific data/ financial information etc.;
Software/Application, Logs etc.;
Against each asset, list the owner of the asset in the organization
The assets with similar threats and vulnerabilities have been grouped together in the Risk register.
SECURITY AWARENESS PROGRAM
An information security management system will continue to grow and maintain itself only if the people of the organization are continuously vigilant and are able to absorb information security principles in their work culture.
In accordance with this statement, it is essential for the company to implement security awareness initiatives at all levels of the organization, including senior management, middle management, team leaders, heads of department, support staff, and any third parties.
The information security awareness sessions will be an ongoing initiative which will ensure that all employees and contractors are aware of the information security policies that are relevant to them. In addition, the sessions will cover all the procedures, guidelines and information security best practices, in conjunction with other laws, regulations and management best practices, as adopted by the company.
All employees will go through the employee information security awareness program as part of induction when they join the organization. Additionally, annual refresher training and/or a quiz will be conducted online or in a classroom to reinforce awareness.
CONTACT WITH SPECIAL INTEREST GROUPS
Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.