Information Security Policy
The objective of this document is to ensure that the Management and the appointed Information Security representative at are committed to effectively establishing, maintaining and sustaining the Information Security paradigm within
2. Scope and Applicability
This Information Security Policy applies to all employees at
This document provides a framework for Senior Management and information security representatives to adequately direct, support and guide to establish Information Security in line with business, legal and regulatory needs.
4. Supporting information
4.1. Does have subsidiaries?
4.2. To maintain and enhance its business, has identified the need to establish an Information Security Management System (ISMS). The overall objective of the ISMS is to protect the confidentiality, integrity, and availability of information assets, including its employees, working area, financial and informational assets, brand and reputation. The policies of the ISMS are reviewed annually. The policies for information security shall also be reviewed at planned intervals or whenever significant changes occur, to ensure their continuing suitability, adequacy and effectiveness.
4.2.1 The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
4.2.2 Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
4.2.3 Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards.
4.3. understands the sensitivity of its business and is committed to ensuring compliance with all legal and regulatory requirements in addition to meeting its organizational mission. The external parties, external requirements and internal requirements are identified in this document and are reviewed annually. They are additionally reviewed whenever there is a significant change in the external or internal environment, at the discretion of (CTO).
4.3.1. State the External Requirements established at
4.3.2 State the Internal Requirements established at
5.1. The Information Security Management System (ISMS) is applicable to its IT Infrastructure, Business Applications, and Support processes. A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
5.2. Logical and Informational scope of the ISMS shall include:
5.2.1. All information stored on the systems available in the above-mentioned locations, irrespective of the origin, destination, or association of this information.
5.2.2. All information stored on the cloud servers.
5.2.3. All logical access to this information irrespective of the origin, termination or association of this access.
5.2.4. All network infrastructure available at the above-mentioned locations, irrespective of what information it carries.
5.3. All users of these locations who have access to information, information processing and security facilities, infrastructure, and supporting utilities, including, along with employees, any contractors, third parties, suppliers, visitors, and any other person in any capacity.
5.4. What is the Physical Address of ?
5.5. Describe the scope of ISMS
6. Organisational leadership, roles, and responsibilities
6.1. leadership has been the guiding factor and support for the Information Security Management System. An Information Security Steering Committee (ISSC) reviews the ISMS activities at the organizational level. All information security responsibilities shall be defined and allocated.
6.2. Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.
6.3. Whom does the Information Security Steering Committee consist of at ?
6.4. Information Security Policies are established and authorized by the ISSC. High-level Information Security Policy Statement is documented in [ /ISMS/ISP/01/4.2…]
6.5. Information security measures at the organizational level are clearly defined and authorized by (CTO).
6.6. Information Security Management System (ISMS) is well integrated with the organization’s processes. The ISMS refers to other standards and processes documents wherever relevant.
6.7. (CTO) ensures the provision of resources required for the ISMS.
6.8. Management ensures proper communication setting out the importance of the ISMS and of following the requirements laid down in the policies.
6.9. Management reviews the ISMS for its purpose and objectives at a defined frequency.
6.10. Management gives relevant directions and support wherever required.
6.11. Management ensures continual improvement by acting on audit findings, defining new objectives, and undertaking new technology projects.
6.12. Appropriate contacts with relevant authorities shall be maintained.
6.13. Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
6.14. Information security shall be addressed in project management, regardless of the type of the project.
7.1. The following set of policies has been approved as appropriate and shows management's commitment to satisfying applicable requirements and ensuring continual improvement.
7.1.1. Data Management Policy
7.1.2. Incident Response Policy
7.1.3. Information Security Policy
7.1.4. Infrastructure Management Policy
7.1.5. Human Resource Policy
7.1.6. Patch Management Policy
7.1.7. Product Lifecycle Policy
7.1.8. User Access Control Policy
7.2. These policies are held by (CTO) and the Information Security Manager (ISM). They are also made available, as appropriate, to all employees, and relevant portions are made available to other users and interested parties as required or applicable.
8.1. Talent
ensures that the ‘relevant talent’ with ‘relevant competency’ is available.
8.2. Competency
ensures that resources required have relevant competency.
8.3. Awareness
shall ensure that all personnel including Employees and all external parties are made aware of the Information Security Policies and procedures.
9. Documented Information
9.1. General
shall identify all documented information required for the effectiveness of the ISMS and for any other legal or contractual requirements.
9.2. Control of Documented information
shall ensure that documented information is available to authorized persons when required, is adequately protected from loss of confidentiality, integrity and availability, and is not subject to improper use.
10.1. Performance Evaluation
shall ensure that ISMS performance is evaluated at defined intervals and on management directives.
10.2. Internal Audits
10.2.1 shall ensure that internal audits are performed at regular intervals.
10.2.2 shall ensure that audit criteria and scope are well defined, auditor competency is matched, results of audits are reported to management, and documented information relevant to the audit process is retained.
10.2.3 Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.
10.3 Management Reviews
10.3.1. shall ensure that management reviews happen at least annually. The ISSC shall review the ISMS to ensure its continuing suitability, adequacy, and effectiveness.
10.3.2. The management review shall include:
1. Actions from previous reviews
2. Changes in external and internal requirements as mentioned in 4.3.1 and 4.3.2
3. Feedback from nonconformities and corrective actions
4. Inputs from internal and external audits
10.4. Management review output shall include decisions on improvements and changes.
10.5. The review proceedings shall be documented in the form of minutes and circulated to all attendees.
11.1 Nonconformity and corrective actions
11.1.1. shall ensure that every nonconformity observed is immediately addressed, corrected, and its consequences dealt with.
11.1.2. An evaluation shall be done to eliminate the cause of the nonconformity by reviewing the nonconformity, performing root cause analysis, and determining whether similar nonconformities exist or have the potential to occur.
11.1.3. shall implement any action needed, review the effectiveness of the correction and, if necessary, make changes.
11.1.4. The process of corrective action shall be documented and retained.
11.2 Continual Improvement
shall continually improve the suitability, adequacy and effectiveness of the information security management system.
12. Legislation and Contractual Requirements
12.1 Identification of applicable legislation and contractual requirements. All relevant legislative, statutory, regulatory and contractual requirements, and the organization’s approach to meeting these requirements, shall be explicitly identified, documented and kept up to date for each information system and for the organization.
12.2 Intellectual Property Rights. Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software products.
12.3. Protection of Records. Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.
12.4 Privacy and protection of personally identifiable information. Privacy and protection of personally identifiable information shall be ensured as required by relevant legislation and regulation where applicable.
12.5 Regulation of cryptographic controls. Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
12.1. Exceptions shall not be universal but shall be agreed upon on a case-by-case basis, upon official request made by the information owner. These may arise, for example, because of local circumstances, conditions, or legal reasons existing at any point in time.
12.2. All exception requests shall be submitted to (CTO). They shall be submitted by email and approved by (CTO).
13.1. reserves all rights and is the exclusive owner of all intellectual property rights over this Policy document. This document shall not, either in part or in full, be reproduced, published, copied, displayed, distributed, transferred, or stored in any media (such as hard disks, USB drives, pen drives, memory cards, CDs, DVDs), and/or captured or transmitted by any means (such as electronic, digital, mechanical, photocopying, recordings, video and film or photographs and otherwise) by any person without prior consent from the ISM. This Policy and procedure document is made available with the ISM and/or any other forum as decided by the management of . Anything not specifically stated in this Policy and procedure document shall not be considered as implied in any manner.
13.2. For any clarifications related to this Compliance Policy and procedure document with respect to its interpretation, applicability, and implementation, please write to the ISMS team at dpo@.com