Data Management Policy

1. Purpose

This policy defines the various security measures taken by with respect to customers' data.

2. Scope and Applicability

This policy will apply to any and all data pertaining to any customer that is used by any of the IT systems at end.

3. Execution Responsibilities

3.1. The IT team is responsible for ensuring the execution of the policy.
3.2. The Information Security Manager (ISM) is responsible for ensuring compliance with the policy.

4. Data Management Policy

4.1 Access to Data
4.1.1. Records are protected from loss, destruction, falsification, unauthorized access, and unauthorized release in accordance with legislative, regulatory, contractual, and business requirements.
4.1.2. There is no unauthorized use by any other third party including, but not limited to, any of its group companies, subsidiaries, affiliates, or associates in violation of the provision of specific regulations followed at or other applicable laws.
4.1.3. Information is shared with employees at or agents on a “need to know basis” only while ensuring that such employees or agents with access to the said information are subjected to the obligation of confidentiality.

4.1.4. Do you have a plan for controlling access of data?

4.2 Data categorisation

4.2.1. Do you have a data categorisation plan at ?
4.2.4. Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
4.2.5. An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
4.2.6. Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
4.2.7. Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
4.2.8. Media shall be disposed of securely when no longer required, using formal procedures.
4.2.9. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.
4.3 Data backups
4.3.1. Detail information processing facilities implemented with redundancies sufficient to meet availability requirements.
4.3.2 Data backups are made frequently and stored offline/online with encryption for the prevention of data loss.
4.3.2 Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.

4.3.2 What is the data backup plan?

4.4 Data used for testing
Ensuring the protection of data used for testing
4.4.1. What is the procedure for protection of data used for testing?
4.5 Data usage policy
The client shall use collected data solely for limited end-use as agreed with the individual and shall not use or sell or resell or pass on information to any other person or engage itself in obtaining data other than that for the consented purpose.
4.5.1. Do you have a data usage policy?
4.6 User consent policy
User consent policy includes “Individual Consent”. Individual Consent means the prior written consent of the individual by any documented means (stored as an electronic or physical record) that is verifiable from time to time and permanent in nature.
4.6.1 What is your user consent policy?
4.7 Data storage policy
4.7.1 What is the data storage policy established at ?
4.8 Data encryption policy
Data encryption policy should include the following:
a. Methods of data encryption at rest.
b. Methods of data encryption in transit.
4.8.1 What is the data encryption policy established at ?
4.9 Event Logging
4.9.1 Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
4.9.2 Logging facilities and log information shall be protected against tampering and unauthorized access.
4.9.3 System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
4.9.4 The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.

5. Exceptions

Exceptions shall not be universal but shall be agreed upon on a case-to-case basis, upon official request made by the information owner. These may arise, for example, because of local circumstances, conditions, or legal reasons existing at any point in time.
All exception requests shall be submitted to These shall be submitted through an email and to be approved

6. Disclaimer

reserve all rights and are the exclusive owner of all intellectual property rights over this Policy document. This document shall not, either in part or in full, be reproduced, published, copied, displayed, distributed, transferred, stored in any media (such as hard disks, USB Drives, Pen Drives, Memory Cards, CDs, DVDs), and/or captured or transmitted through by any means (such as electronic, digital, mechanical, photocopying, recordings, video and film or photographs and otherwise) by any person without prior consent from the ISM. This Policy and procedure document is available with ISM and/or any other forum as decided by the management of . Anything not specifically stated in this Policy and procedure document shall not be considered as implied in any manner.
For any clarifications related to this Compliance Policy and procedure document with respect to its interpretation, applicability, and implementation, please write to the ISMS team at dpo@..com

7. Enforcement

7.1. This policy and procedure is applicable to all the employees of the company who have access to and use the information assets and IT assets as listed in the Information Asset register which has been created for
7.2. Anyone found to have violated this policy will be subject to a process that will determine if the violation is just a process non-compliance issue that requires addressing or also includes ethical violations. In the event of only the former, non-compliance could be issued by an internal auditor, which would require corrective/preventive actions.
7.3. In the event of the latter, the ethical/regulatory concern process will be invoked to decide whether an ethical/security violation has occurred and to decide on appropriate disciplinary actions as per the Disciplinary procedure of
7.4. Management’s interpretation of the clauses in this procedure shall be final and binding. Management reserves the right to alter or amend any clause in this document at any time as per its discretion.