
Clear Desk & Clear Screen Policy

1. Purpose

This policy provides direction to ensure that the appropriate level of physical and logical access control is applied to protect the information from unauthorized access, modification, disclosure or destruction to ensure that information remains accurate, confidential, and is available when required.

2. Business Priorities

This Policy and its Procedures apply to all applications, personnel, systems and facilities of

3. Execution Responsibilities

(CTO), along with the Information Security Manager (ISM), is responsible for executing and implementing the physical and logical access control procedures described in this document.

4. Clear Desk & Clear Screen Control Policy

4.1. All electronic information and systems shall have necessary and appropriate system access controls.
4.2. Access rights should be defined based on the ‘need-to-know’, ‘need-to-do’, ‘segregation of duties’ and ‘individual accountability’ principles.
4.2.1 How does define Access Rights?
4.3. Access to specific functionalities in information systems, and the level of access required at a granular level (read, modify/update, delete), should be identified and documented. These requirements should be translated into system profiles for the different classes of users. The access requirements should be identified in coordination with (CTO).
4.4. Employees should ensure assets such as laptops containing sensitive information are logged off or turned off when unattended or not in use.
4.5. Use of photocopiers only with authorised access
4.6. Removal of media after use.
4.7. Actions need to be applied depending on the level of sensitivity or criticality of the information.
4.8. Physical security perimeter: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. Physical security for offices, rooms and facilities shall be designed and applied.
4.9. Physical entry controls: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
4.10. Protecting against external and environmental threats: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
4.11. Working in secure areas: Procedures for working in secure areas shall be designed and applied.
4.12. Delivery and loading areas: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
4.13. Equipment siting and protection: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
4.14. Supporting utilities: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
4.15. Cabling security: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
4.16. Equipment maintenance: Equipment shall be correctly maintained to ensure its continued availability and integrity.
4.17. Removal of assets: Equipment, information or software shall not be taken off-site without prior authorization.
4.18. Security of equipment and assets off-premises: Security shall be applied to off-site assets, taking into account the different risks of working outside the organization’s premises.
4.19. Secure disposal or reuse of equipment: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
4.20. Unattended user equipment: Users shall ensure that unattended equipment has appropriate protection.
4.21. Clear desk and screen policy: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

5. Confidentiality of Information

5.1. Confidential information refers to information where unauthorized use, access and disclosure, loss or modification, and deletion can result in damages for the client’s company and its employees. Confidential information should strictly be accessed on a “need to know” basis only.
5.2. Internal use information needs to be protected for proprietary, ethical, and privacy considerations. The loss or deletion of such information can also result in financial losses or damage to a company’s reputation or violate an individual’s privacy rights or lead to legal action.
5.2.1 What is 's Standard Operating Procedure for Internal Information Use?

6. Application of Clear Desk & Clear Screen Policy

6.1. Restriction of the use of copy and printing facilities to people with authorised access only.
6.2. Deletion of media files after use of copy and printing facilities.
6.3. Use of locked areas containing sensitive information should be restricted to people with authorized access.
6.4. Strict protection of information assets, systems, and devices as stipulated in the HR policy and User Access Management.
6.5. Adoption of a paperless culture is strongly encouraged to limit the exposure of sensitive information.
6.6. Disposal of information remaining in meeting rooms, such as erasing whiteboard information and removing all paper trails of sensitive information from meeting areas.
6.7 How does apply the Clear Desk & Clear Screen Policy?

7. Employee Awareness and Education

7.1. Training and awareness for all employees about the criticality of sensitive data and information, as well as its storage and use.
7.2. Guidelines for this training shall be included in the onboarding of all new employees.
7.3. Regular clean desk audits to verify that all employees maintain good workplace hygiene, protect and safeguard sensitive information, and lock their personal workstations when they leave their desks.
7.4. These audits should be conducted twice a year.
7.5 Do you have Employee Awareness Training for handling data?

8. Exceptions

Exceptions shall not be universal but shall be agreed on a case-by-case basis, upon official request made by the information owner. These may arise, for example, because of local circumstances, conditions or legal reasons existing at any point in time.

9. Disclaimer

9.1. reserve all rights and are the exclusive owner of all intellectual property rights over this Policy document. This document shall not, either in part or in full, be reproduced, published, copied, displayed, distributed, transferred, or stored in any media (such as hard disks, USB drives, pen drives, memory cards, CDs, DVDs), and/or captured or transmitted by any means (such as electronic, digital, mechanical, photocopying, recordings, video, film or photographs, or otherwise) by any person without prior consent from the ISM. This Policy and procedure document is available with the ISM and/or any other forum as decided by the management of . Anything not specifically stated in this Policy and procedure document shall not be considered as implied in any manner.
9.2. For any clarifications related to this Compliance Policy and procedure document with respect to its interpretation, applicability, and implementation, please write to the ISMS team at dpo@..com

10. Enforcement

10.1. This policy and procedure is applicable to all employees of the company who have access to and use the information assets and IT assets listed in the Information Asset Register which has been created for
10.2. Anyone found to have violated this policy will be subject to a process that will determine whether the violation is only a process non-compliance issue that requires addressing, or whether it also includes ethical violations. In the event of only the former, a non-compliance finding could be issued by an internal auditor, which would require corrective/preventive actions.
10.3. In the event of the latter, the ethical/regulatory concern process will be invoked to decide whether an ethical/security violation has occurred and to decide on appropriate disciplinary actions as per the Disciplinary Procedure of
10.4. Management’s interpretation of the clauses in this procedure shall be final and binding. Management reserves the right to alter or amend any clause in this document at any time as per its discretion.