Apex Information Security Policy

Table of Contents

1. Objective (p. 4)
2. Policy (p. 4)
3. Scope (p. 4)
4. Approval Authority (p. 5)
5. Purpose (p. 5)
6. General Guidelines (p. 7)
7. Sub policies exist for (p. 8)
   7.1 Desktop Security (desktop, licenses, servers, virus protection) (p. 8)
   7.2 E-mail (Messaging) Policy (p. 8)
   7.3 Network Security (LAN and WAN) (p. 8)
   7.4 Internet (Perimeter) Security (p. 9)
   7.5 Intranet Policy (p. 9)
   7.6 Data Base Administration (p. 9)
   7.7 Freeware / Shareware Security (p. 9)
   7.8 Operating System (OS) Security (p. 9)
   7.9 Remote access security (p. 9)
   7.10 Virus Protection and Prevention (p. 9)
   7.11 Logical access policy (p. 10)
   7.12 Password Policy (p. 10)
   7.13 Physical access security policy (p. 10)
   7.14 Backup & Recovery Policy (p. 10)
   7.15 Asset (Data) Classification Policy (p. 10)
   7.16 Compliance Policy (p. 10)
8. Business Continuity Management (p. 10)
9. Risk Management (p. 11)
10. Handling Exceptions (p. 12)
11. Document Approval Criteria (p. 12)

Approval and Amendment History

Version no. | Revision no. | Version / Revision date | Authored / Modified by | Approved by | Revision details | Remarks
00 | 01 | 26-02-07 | MR | Mr. Srinivasan, MD | Initial document |
00 | 02 | 12-06-07 | MR | MSF | General guidelines have been appended |
00 | 03 | 15-10-09 | IS Team | MSF | Revised as per observation in 3rd Pre assessment |
00 | 04 | 15-10-10 | CISO / MR | ETG Head | Annual review |
00 | 05 | 21-02-11 | CISO / MR | ETG Head | Risk Management approach added |
00 | 06 | 31-10-12 | CISO / MR | ETG Head | Updated Corporate address |
00 | 07 | 05-11-12 | CISO / MR | ETG Head | Updated Approval Authority |
00 | 08 | 10-1-14 | CISO / MR | ETG Head | Amended Remote Access Security (7.9) |

1. Objective

The objective of this policy is to ensure that there are documented standards / procedures for establishing and maintaining the information security management system in 3i Infotech Ltd.

2. Policy

3i Infotech Ltd. is committed to providing services and protecting the confidentiality, integrity and availability of its information assets through continuous improvement, a pro-active approach, courtesy, timely response and accuracy, in order to achieve customer satisfaction and enhance the trust, reliability and confidence of the stakeholders.

3. Scope

This policy applies to all 3i Infotech Ltd. employees worldwide and to all employees / consultants of 3i Infotech Ltd.'s 100% subsidiary companies. It is the responsibility of all operating units to ensure that these policies are clearly communicated, understood and followed.

These policies cover the usage of all of the Company's Information Technology and communication resources, including, but not limited to:

- All computer-related equipment, including portable PCs, terminals, workstations, PDAs, wireless computing devices, telecom equipment, networks, databases, printers, servers and shared computers, and all networks and hardware to which this equipment is connected
- All software, including purchased or licensed business software applications, Company-written applications, employee or vendor/supplier-written applications, computer operating systems, firmware, and any other software residing on Company-owned equipment
- All intellectual property and other data stored on Company equipment

This policy also applies to all users, whether on Company property, connected remotely via any networked connection, or using Company equipment.

4. Approval Authority

The Information Security Policy has been approved by the Management Security Forum (MSF), comprising the Deputy Managing Director and Chief Financial Officer, the President South Asia Geography, the Senior General Manager Legal and Compliance, the Head Enterprise Risk Management and the General Manager ETG, to support the ISMS framework and to review the information security policy annually. The Chief Information Security Officer has direct responsibility for maintaining the Policy and for providing advice and guidance on its implementation. It is the responsibility of each member of staff to adhere to the Policy. In case of any exceptions / breach of policy, MSF shall initiate appropriate action against the users / group, and the Business Heads / Functional Heads shall be responsible for implementing the action.

5. Purpose

The management of 3i Infotech Ltd., whose corporate office is located at Tower # 5, 3rd to 6th Floor, International Infotech Park, Vashi, Navi Mumbai 400 703, and which is in the business of software development & IT operation support, is committed to preserving the physical and electronic information assets throughout the company, and it is the policy of 3i Infotech Ltd. to ensure that:

- Information will be protected against unauthorized access;
- Confidentiality of information will be assured;
- Integrity of information will be maintained;
- Availability of information is ensured as required by the business processes;
- Regulatory and legislative requirements will be met;
- Business Continuity plans will be produced, maintained and tested;
- Information security within the organization is managed;
- The security of organizational information processing facilities and information assets accessed by third parties is maintained;
- Appropriate protection of organizational assets is available by maintaining an inventory of important assets;
- Information assets receive an appropriate level of protection by having classification guidelines;
- The risks of human error, theft, fraud or misuse of facilities are reduced by defining security in job definition and resourcing;
- Users are aware of information security threats and concerns, and are equipped to support the organizational security policy in the course of their normal work;
- The damage from security incidents and malfunctions is minimized, and such incidents are monitored and learned from;
- Unauthorized physical access, damage and interference to business premises and information are prevented;
- The loss, damage or compromise of assets and interruption to business activities are prevented by securing the equipment;
- The compromise or theft of information and information processing facilities is prevented by having general controls;
- The correct and secure operation of information processing facilities is ensured by having operational procedures and defining responsibilities;
- The risk of systems failure is minimized by proper procedures for system planning and acceptance;
- The integrity of software and information is protected from damage by malicious software;
- The integrity and availability of information processing and communication services are maintained by taking and testing back-up copies of essential business information and software;
- The safeguarding of information in networks and the protection of the supporting infrastructure are ensured by implementing a range of network controls;
- Damage to assets and interruptions to business activities are prevented by having good media handling practices and business continuity and disaster recovery procedures;
- The loss, modification or misuse of information exchanged between organizations is prevented by having policies for e-mail and electronic office systems and by having a proper authorization process before information is made publicly available;
- Access to information is controlled as per the access control policy;
- Access rights to information systems are appropriately authorized, allocated and maintained by having user registration procedures and good practices of privilege management & user password management;

- Unauthorized user access is prevented by having sound password policies and by ensuring that unattended equipment is given appropriate protection by users;
- Networked services are protected by having a policy and network security procedures;
- Unauthorized computer access is prevented by implementing operating system access controls;
- Unauthorized activities are detected by monitoring system access and use;
- Information security when using mobile computing facilities is ensured;
- Security is built into information systems by analyzing and specifying the security requirements for controls;
- Breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements are avoided by identifying and complying with all applicable laws / statutory, regulatory or contractual obligations;
- Systems comply with organizational security policies and standards through reviews of procedures / practices;
- The effectiveness of the system audit process is maximized and interference to/from the system audit process is minimized by planned audits;
- Information security training will be available to all staff;
- All breaches of information security, actual or suspected, will be reported to, and investigated by, the IT Compliance team, and reported to the CISO.

6. General Guidelines

- 3i Infotech Ltd. information must be consistently protected in a manner commensurate with its sensitivity, value, and criticality.
- 3i Infotech Ltd. information must be used only for the business purposes expressly authorized by management.
- Information is a critical and vital asset, and all access to, use of, and processing of 3i Infotech Ltd. information must be consistent with its policies and standards.
- All employees of 3i Infotech Ltd. and related third parties are expected to comply with this policy and with the ISMS that implements this policy.
- This policy will be reviewed in response to any changes in the risk assessment or risk treatment plan, and at least annually.
- 3i Infotech Ltd. uses access controls and other security measures to protect the confidentiality, integrity, and availability of the information handled by computers and communications systems. In keeping with these objectives, management maintains the authority to:
  o restrict or revoke any user's privileges,
  o inspect, copy, remove, or otherwise alter any data, program, or other system resource,
  o take any other steps deemed necessary to manage and protect its information systems.
  This authority may be exercised with or without notice to the involved users. 3i Infotech Ltd. disclaims any responsibility for loss or damage to data or software that results from its efforts to meet these security objectives.
- This policy also applies to all users, whether on Company property, connected remotely via any networked connection, or using Company equipment.
- All 3i Infotech Ltd. information security documentation, including, but not limited to, policies, standards, and procedures, must be classified as Internal Use Only, unless expressly created for external business processes or partners. This document is available to all users on the Intranet.

7. Sub policies exist for

7.1 Desktop Security (desktop, licenses, servers, virus protection)

End-user workstations used in sensitive or critical tasks shall have adequate measures to ensure information security. Virus protection software and other appropriate security measures will be implemented to ensure that individual data and information are safeguarded. All systems will be protected against misuse and unauthorized access by implementing the necessary controls.

7.2 E-mail (Messaging) Policy

The messaging policy emphasizes message hygiene and controls both at the perimeter and at end-user level. Content filtering will be enabled on outgoing messages to safeguard confidential information and IT assets from being abused. A mail scanner to guard against spam mails is deployed.

7.3 Network Security (LAN and WAN)

This policy establishes an enterprise-wide security policy to document, implement, and enforce, in order to augment privacy, authentication, and security via the deployment of network security tools. This policy helps to ensure the security of 3i Infotech Ltd.'s IT assets in response to increasing threats, and will allow the company to meet and fully comply with regulatory and statutory requirements. It also establishes controls on the utilization, management and direction of flow of communication on the network, and procedures to protect it.

7.4 Internet (Perimeter) Security (Internet and any customer network terminating at our premises)

Connectivity to and from the outside world with 3i Infotech Ltd.'s internal network ensures appropriate perimeter security controls. Access to the internet will be restricted based on business need, and controls will be implemented at the gateway to prevent unauthorized access from the internet into our systems.

7.5 Intranet Policy

Connectivity within 3i Infotech Ltd. ensures appropriate perimeter security controls. Access will be restricted to employees. Controls will be implemented at the gateway to prevent unauthorized access from outsiders into our systems.

7.6 Data Base Administration

This applies to database management systems containing business data. It also covers personnel directly involved with the operation and administration of these systems, as well as owners of information and/or applications.

7.7 Freeware / Shareware Security

Downloading and installation of freeware/shareware must be restricted to authorized personnel and must be in accordance with the procedures listed in this policy.

7.8 Operating System (OS) Security

Access to the operating system shall be restricted to those people who need the information to perform their business functions.

Unix security: systems and procedures should be implemented to ensure adequate security at the operating system level. Access to the operating system should be restricted to those people who need the information to perform their business functions.

7.9 Remote Access Security

Remote access shall be granted to employees who have demonstrated a business need and obtained the necessary approvals. Use of unauthorized, unlicensed or free remote access software, hardware or networking equipment is against the IS policy. Usage of licensed remote access software/hardware shall be monitored.

7.10 Virus Protection and Prevention

Systems and procedures shall be implemented and constantly monitored to ensure adequate protection and prevention of IT resources against computer viruses and other virus-like activities at the various operating levels.

7.11 Logical Access Policy

Access controls for shared resources, including systems and applications, ensure the detection and minimization of the effects of unintended or unauthorized access. Access to facilities will be limited to persons authorized based on their role and level of access to information.

7.12 Password Policy

The password policy ensures protection of users' confidential information and data by authenticating the user's id and establishing accountability. Controls on passwords shall cover length, complexity and regular enforcement of change.

7.13 Physical Access Security Policy

3i Infotech Ltd. ensures that appropriate physical and environmental controls are in place to protect and monitor IT assets against unauthorized or illegal access and environmental threats / hazards.

7.14 Backup and Recovery Policy

A proper backup strategy and recovery procedures ensure that production systems are brought up from a crisis with the least possible loss of data & time.

7.15 Asset (Data) Classification Policy

IT assets shall be classified in accordance with the requirements, and it shall be ensured that they receive an appropriate level of protection from unauthorized disclosure, threats, use, modification or destruction. Proper accountability shall be defined to have better control on IT assets.

7.16 Compliance Policy

3i Infotech Ltd. shall ensure compliance with the security policy document, applicable legal requirements and the security procedures.

8. Business Continuity Management

A BCP/DR team is formed for the deployment of BCP/DR plans. Procedures exist to support the policy; these include the 3i Infotech Ltd. IT Security procedures and Guidelines and the business continuity plan. Business requirements for the availability of information and information systems will be met. The BCP/DR team leader has direct responsibility for maintaining the Policy and providing advice and guidance on its implementation. It is the responsibility of each member of staff to adhere to the Policy.

9. Risk Management

Information stored on electronic or magnetic media, on paper, on plastic, with people, in transit, or in any other form is considered an information asset of 3i Infotech Ltd - ETG. These assets are to be protected from all possible threats at all times. These information assets fall within the scope of the Risk Management Plan.

Risk is defined as the possibility of an unsatisfactory outcome. Hence a risk management plan based on the PDCA (Plan-Do-Check-Act) model is prepared and implemented to either reduce or eliminate the risk. The risk management approach is based on the following principles:

- The risks to information assets will be identified.
- Each identified risk is assessed in terms of its probability of occurrence and its resulting loss.
- The risk is calculated and used to prioritize risks. High priority risks will be managed first.
- All team members assist in suggesting solutions to minimize risks.
- Plans consist of specific actions to be taken by specific individuals within specific time frames.
- Progress is monitored and adjusted if necessary. As actions are performed, the risk value changes, so the priorities continually change.

The methodology adopted for Risk Management is:

- Defining Risks:
  o Identifying Risks
  o Assessing and Prioritizing Risks
- Managing Risks:
  o Planning
  o Acting
  o Monitoring, Reporting and Adjusting

The Risk management methodology is explained in detail in the "Risk management plan and treatment" document.

10. Handling of Exceptions

In case of any exceptions / breach of policy, ETG shall seek advice from Legal to take appropriate action against the users / group, and the Functional Heads / Managers shall be responsible for implementing the action.

11. Document Approval Criteria

Approving authority | Documents for approval
DMD / MD Approval | Purchase approval authority, Individual Eligibility policy
ETG Head Approval (member of MSF) | All the other documents except the above