Apex Information Security Policy
Table of Contents
1. Objective
2. Policy
3. Scope
4. Approval Authority
5. Purpose
6. General Guidelines
7. Sub policies exist for
   7.1 Desktop Security (desktop, licenses, servers, virus protection)
   7.2 E-mail (Messaging) Policy
   7.3 Network Security (LAN and WAN)
   7.4 Internet (Perimeter) Security
   7.5 Intranet Policy
   7.6 Data Base Administration
   7.7 Freeware / Shareware Security
   7.8 Operating System (OS) Security
   7.9 Remote Access Security
   7.10 Virus Protection and Prevention
   7.11 Logical Access Policy
   7.12 Password Policy
   7.13 Physical Access Security Policy
   7.14 Backup & Recovery Policy
   7.15 Asset (Data) Classification Policy
   7.16 Compliance Policy
8. Business Continuity Management
9. Risk Management
10. Handling Exceptions
11. Document Approval Criteria
Approval and Amendment History
Version no. | Revision no. | Version/Revision date | Authored/Modified by | Approved by | Revision details / Remarks
00 | 01 | 26-02-07 | MR | Mr. Srinivasan, MD | Initial document
00 | 02 | 12-06-07 | MR | MSF | General guidelines have been appended
00 | 03 | 15-10-09 | IS Team | MSF | Revised as per observations in 3rd pre-assessment
00 | 04 | 15-10-10 | CISO / MR | ETG Head | Annual review
00 | 05 | 21-02-11 | CISO / MR | ETG Head | Risk Management approach added
00 | 06 | 31-10-12 | CISO / MR | ETG Head | Updated corporate address
00 | 07 | 05-11-12 | CISO / MR | ETG Head | Updated Approval Authority
00 | 08 | 10-1-14 | CISO / MR | ETG Head | Amended Remote Access Security (7.9)
1. Objective
The objective of this policy is to ensure that there are documented standards / procedures for establishing and maintaining the information security management system in 3i Infotech Ltd.

2. Policy
3i Infotech Ltd. is committed to providing services and protecting the confidentiality, integrity and availability of its information assets through continuous improvement, a pro-active approach, courtesy, timely response and accuracy, in order to achieve customer satisfaction and enhance the trust, reliability and confidence of its stakeholders.

3. Scope
This policy applies to all 3i Infotech Ltd. employees worldwide and to all employees / consultants of 3i Infotech Ltd.'s 100% subsidiary companies. It is the responsibility of all operating units to ensure that these policies are clearly communicated, understood and followed. These policies cover the usage of all of the Company's Information Technology and communication resources, including, but not limited to:
- All computer-related equipment, including portable PCs, terminals, workstations, PDAs, wireless computing devices, telecom equipment, networks, databases, printers, servers and shared computers, and all networks and hardware to which this equipment is connected
- All software, including purchased or licensed business software applications, Company-written applications, employee or vendor/supplier-written applications, computer operating systems, firmware, and any other software residing on Company-owned equipment
- All intellectual property and other data stored on Company equipment
This policy also applies to all users, whether on Company property, connected remotely via any networked connection, or using Company equipment.
4. Approval Authority
The Information Security Policy has been approved by the Management Security Forum (MSF), comprising the Deputy Managing Director and Chief Financial Officer, the President South Asia Geography, the Senior General Manager Legal and Compliance, the Head Enterprise Risk Management and the General Manager ETG, to support the ISMS framework and to review the information security policy annually. The Chief Information Security Officer has direct responsibility for maintaining the Policy and providing advice and guidance on its implementation. It is the responsibility of each member of staff to adhere to the Policy. In case of any exceptions / breach of policy, MSF shall initiate appropriate action against the users / group, and the Business Heads / Functional Heads shall be responsible for implementing the action.

5. Purpose
The management of 3i Infotech Ltd., whose corporate office is located at Tower # 5, 3rd to 6th Floor, International Infotech Park, Vashi, Navi Mumbai 400 703, and which is in the business of software development & IT operation support, is committed to preserving the physical and electronic information assets throughout the company, and it is the policy of 3i Infotech Ltd. to ensure that:
- Information will be protected against unauthorized access;
- Confidentiality of information will be assured;
- Integrity of information will be maintained;
- Availability of information is ensured as required by the business processes;
- Regulatory and legislative requirements will be met;
- Business Continuity plans will be produced, maintained and tested;
- Information security within the organization is managed;
- The security of organizational information processing facilities and information assets accessed by third parties is maintained;
- Appropriate protection of organizational assets is available by maintaining an inventory of important assets;
- Information assets receive an appropriate level of protection by having classification guidelines;
- The risks of human error, theft, fraud or misuse of facilities are reduced by defining security in job definitions and resourcing;
- The users are aware of information security threats and concerns, and are equipped to support the organizational security policy in the course of their normal work;
- The damage from security incidents and malfunctions is minimized, and such incidents are monitored and learned from;
- Unauthorized physical access, damage and interference to business premises and information are prevented;
- The loss, damage or compromise of assets and interruption to business activities are prevented by securing the equipment;
- The compromise or theft of information and information processing facilities is prevented by having general controls;
- The correct and secure operation of information processing facilities is ensured by having operational procedures and defining responsibilities;
- The risk of systems failure is minimized by proper procedures for system planning and acceptance;
- The integrity of software and information is protected from damage by malicious software;
- The integrity and availability of information processing and communication services are maintained by taking and testing back-up copies of essential business information and software;
- The safeguarding of information in networks and the protection of the supporting infrastructure are ensured by implementing a range of network controls;
- Damage to assets and interruptions to business activities are prevented by having good media handling practices and business continuity and disaster recovery procedures;
- The loss, modification or misuse of information exchanged between organizations is prevented by having policies for e-mail and electronic office systems and by having a proper authorization process before information is made publicly available;
- Access to information is controlled as per the access control policy;
- Access rights to information systems are appropriately authorized, allocated and maintained by having user registration procedures and good practices of privilege management & user password management;
- Unauthorized user access is prevented by having sound password policies and by ensuring that unattended equipment is given appropriate protection by users;
- Networked services are protected by having a policy and network security procedures;
- Unauthorized computer access is prevented by implementing operating system access controls;
- Unauthorized activities are detected by monitoring system access and use;
- Information security when using mobile computing facilities is ensured;
- Security is built into information systems by analyzing and specifying the security requirements for controls;
- Breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements are avoided by identifying and complying with all the applicable laws / statutory, regulatory or contractual obligations;
- Systems comply with organizational security policies and standards through review of procedures / practices;
- The effectiveness of the system audit process is maximized and interference to / from the system audit process is minimized by planned audits;
- Information security training will be available to all staff;
- All breaches of information security, actual or suspected, will be reported to and investigated by the IT Compliance team, and reported to the CISO.

6. General Guidelines
3i Infotech Ltd. information must be consistently protected in a manner commensurate with its sensitivity, value, and criticality. 3i Infotech Ltd. information must be used only for the business purposes expressly authorized by management. Information is a critical and vital asset, and all access to, use of, and processing of 3i Infotech Ltd. information must be consistent with its policies and standards. All employees of 3i Infotech Ltd. and related third parties are expected to comply with this policy and with the ISMS that implements this policy. This policy will be reviewed in response to any changes in the risk assessment or risk treatment plan, and at least annually.

3i Infotech Ltd. uses access controls and other security measures to protect the confidentiality, integrity, and availability of the information handled by computers and communications systems. In keeping with these objectives, management maintains the authority to:
   o restrict or revoke any user's privileges,
   o inspect, copy, remove, or otherwise alter any data, program, or other system resource, and
   o take any other steps deemed necessary to manage and protect its information systems.
This authority may be exercised with or without notice to the involved users. 3i Infotech Ltd. disclaims any responsibility for loss or damage to data or software that results from its efforts to meet these security objectives. This policy also applies to all users, whether on Company property, connected remotely via any networked connection, or using Company equipment. All 3i Infotech Ltd. information security documentation, including, but not limited to, policies, standards, and procedures, must be classified as Internal Use Only, unless expressly created for external business processes or partners. This document is available to all users on the Intranet.

7. Sub policies exist for
7.1 Desktop Security (desktop, licenses, servers, virus protection)
End-user workstations used in sensitive or critical tasks shall have adequate measures to ensure information security. Virus protection software and other appropriate security measures will be implemented to ensure that individual data and information are safeguarded. All systems will be protected against misuse and unauthorized access by implementing the necessary controls.

7.2 E-mail (Messaging) Policy
The messaging policy emphasizes message hygiene and controls both at the perimeter and at end-user level. Content filtering will be enabled on outgoing messages to safeguard confidential information and IT assets from abuse. A mail scanner to guard against spam mails is deployed.
7.3 Network Security (LAN and WAN)
This policy establishes an enterprise-wide security policy to document, implement, and enforce, in order to augment privacy, authentication, and security via the deployment of network security tools. This policy helps to ensure the security of 3i Infotech Ltd.'s IT assets in response to increasing threats, and will allow the company to meet and fully comply with regulatory and statutory requirements. It also establishes controls on utilization, management, direction of flow and procedures to protect communication on the network.

7.4 Internet (Perimeter) Security (Internet and any customer network terminating at our premises)
Connectivity to and from the outside world with 3i Infotech Ltd.'s internal network ensures appropriate perimeter security controls. Access to the internet will be restricted based on business need, and controls will be implemented at the gateway to prevent unauthorized access from the internet into our systems.

7.5 Intranet Policy
Connectivity within 3i Infotech Ltd. ensures appropriate perimeter security controls. Access will be restricted to employees. Controls will be implemented at the gateway to prevent unauthorized access from outsiders into our systems.

7.6 Data Base Administration
This policy applies to database management systems containing business data. It also covers personnel directly involved with the operation and administration of these systems, as well as owners of information and / or applications.

7.7 Freeware / Shareware Security
Downloading and installation of freeware / shareware must be restricted to authorized personnel and must be in accordance with the procedures listed in this policy.

7.8 Operating System (OS) Security
Access to the operating system shall be restricted to those people who need the information to perform their business functions. Unix security: systems and procedures should be implemented to ensure adequate security at the operating system level. Access to the operating system should be restricted to those people who need the information to perform their business functions.

7.9 Remote Access Security
Remote access shall be granted to employees who have demonstrated a business need and obtained the necessary approvals. Use of unauthorized, unlicensed or free remote access software, hardware or networking equipment is against the IS policy. Usage of licensed remote access software / hardware shall be monitored.
7.10 Virus Protection and Prevention
Systems and procedures shall be implemented and constantly monitored to ensure adequate protection and prevention of IT resources against computer viruses and other virus-like activities at various operating levels.
7.11 Logical Access Policy
Access controls for shared resources, including systems and applications, ensure detection and minimize the effects of unintended or unauthorized access. Access to facilities will be limited to persons authorized based on their role and level of access to information.

7.12 Password Policy
The password policy ensures protection of users' confidential information and data by authenticating the user's id and establishes accountability. Controls on passwords shall cover length, complexity and regular enforcement of change.

7.13 Physical Access Security Policy
3i Infotech Ltd. ensures that appropriate physical and environmental controls are in place to protect and monitor IT assets against unauthorized or illegal access and environmental threats / hazards.

7.14 Backup and Recovery Policy
A proper backup strategy and recovery procedures ensure that production systems are brought up from a crisis with the least possible loss of data & time.

7.15 Asset (Data) Classification Policy
IT assets shall be classified in accordance with the requirements, and it shall be ensured that they receive an appropriate level of protection from unauthorized disclosure, threats, use, modification or destruction. Proper accountability shall be defined to have better control of IT assets.

7.16 Compliance Policy
3i Infotech Ltd. shall ensure compliance with the security policy document, applicable legal requirements and the security procedures.

8. Business Continuity Management
A BCP/DR team is formed for the deployment of BCP/DR plans. Procedures exist to support the policy; these include the 3i Infotech Ltd. IT Security procedures and Guidelines and the business continuity plan. Business requirements for the availability of information and information systems will be met. The BCP/DR team leader has direct responsibility for maintaining the Policy and providing advice and guidance on its implementation. It is the responsibility of each member of staff to adhere to the Policy.
9. Risk Management
Information stored on electronic or magnetic media, on paper, on plastic, held by people, in transit, or in any other form is considered an information asset of 3i Infotech Ltd - ETG. These assets are to be protected from all possible threats at all times. These information assets fall within the scope of the Risk Management Plan. Risk is defined as the possibility of an unsatisfactory outcome. Hence a risk management plan based on the PDCA (Plan-Do-Check-Act) model is prepared and implemented to either reduce or eliminate the risk. The risk management approach is based on the following principles:
- The risks to information assets will be identified.
- Each identified risk is assessed in terms of its probability of occurrence and its resulting loss.
- The risk is calculated and used to prioritize risks. High priority risks will be managed first.
- All team members assist in suggesting solutions to minimize risks.
- Plans consist of specific actions to be taken by specific individuals within specific time frames.
- Progress is monitored and adjusted if necessary. As actions are performed, the risk value changes, so the priorities continually change.
The methodology adopted for Risk Management is:
Defining Risks:
   o Identifying Risks
   o Assessing and Prioritizing Risks
Managing Risks:
   o Planning
   o Acting
   o Monitoring, Reporting and Adjusting
The risk management methodology is explained in detail in the "Risk management plan and treatment" document.
10. Handling of Exceptions
In case of any exceptions / breach of policy, ETG shall seek advice from Legal to take appropriate action against the users / group, and the Functional Heads / Managers shall be responsible for implementing the action.

11. Document Approval Criteria
Approving authority | Documents for approval
DMD / MD Approval | Purchase approval authority, Individual Eligibility policy
ETG Head Approval (member of MSF) | All the other documents except the above