Information Security Policy
In a knowledge-based economy, information security is a key success factor for any organization. Rapid expansion of the enterprise ecosystem, new compliance and regulatory regimes, value migration from physical to information-based intangible assets and a changing socio-economic environment have changed the security landscape in which leading organizations need to operate effectively. Integration of global economies, exchange of data across organizations, and the rising security expectations of customers, shareholders and international markets have put additional responsibility on us for the protection of information assets.
The objective of Information Security Policy (ISP) is to ensure the information security of Smartworks and to minimize the risk of damage by preventing security incidents and reducing their potential impact. We maintain confidentiality, integrity and availability of Smartworks information assets to prevent any adverse effect on our operations and our professional standing.
To achieve our security objectives, we shall establish a comprehensive information security management system covering the people, processes and technologies of all business, operational and functional units within Smartworks. We shall implement all reasonable and appropriate security mechanisms for all our information assets at a granular level, thus increasing the effectiveness of our internal control systems. We are committed to building the necessary infrastructure, knowledge and resource base to meet information security requirements, with a focus on continual improvement. In all cases where customer information assets are hosted with us, we shall demonstrate our information security responsibilities by strictly adhering to our contractual obligations. We are confident that our sustained efforts in the area of information security will give us a strong competitive advantage by winning customer trust.
Information Security Objective
- To ensure that our business operations continue to be carried out in line with best security practices.
- To increase professional skills among all employees in terms of the importance of information security and data privacy today.
- To appropriately protect the confidentiality and integrity of information assets.
- To comply with applicable legal, regulatory, contractual and other requirements.
- To periodically review this policy for its continued suitability and applicability.
1. Information Security Policy
The purpose of Smartworks’s Information Security Policy is to protect the organization’s employees, assets, customer information, integrity and reputation from potential security threats. Security threats can include compromise of confidentiality (people obtaining or disclosing information inappropriately), integrity (information being altered or erroneously validated, whether deliberate or accidental) and availability (information not being available when it is required).
- This policy is applicable to all staff of Smartworks and third parties who interact with the information held by Smartworks and the assets used to store and process the information.
- All Smartworks staff are expected to follow a code of conduct and company policies and procedures.
1.3 Information Security Objectives
Main objectives of the policy are to ensure that –
- Information/information systems are available only to authorized users as per the business needs and information systems are used in an effective and efficient manner adhering to the Smartworks policy.
- Information assets including data, computer systems, intellectual property and IT equipment are adequately protected from damage, loss, inappropriate alteration and unauthorized use or access.
- Compliance with all regulatory and statutory requirements pertaining to information technology and to the collection, processing, transmission, storage and disclosure of data.
- Creation of awareness on information security within the company as a part of the daily operations and to ensure that all employees understand their responsibilities for maintaining information security.
- Creation of detailed information security standards and procedures and ensuring compliance against such standards and procedures.
- To provide guidance and direction to Smartworks and its employees for the protection of the organization’s information systems against accidental or deliberate damage or destruction.
1.4 Policy Statement
- Smartworks should identify the security risks and their relative priorities, responding to them promptly and implementing safeguards that are appropriate, effective, culturally acceptable and practical.
- All information (including third party information) should be protected by security controls and handling procedures appropriate to its sensitivity and criticality.
- Compliance with the policy will be monitored on a regular basis.
- Security measures should be reviewed periodically in order to protect the business.
- Information assets should be protected and managed in order to meet the contractual, legislative, privacy and ethical responsibilities.
- The information assets of third parties should be protected whether such protection is required contractually, legally or ethically.
2. Human Resource Security Policy
The purpose of the Human Resource policy is to address the risks of human error, theft, fraud or misuse of facilities and to assist all personnel in creating a secure computing environment. Security responsibilities should be addressed at the recruitment stage, included in job descriptions and contracts, and monitored during an individual’s employment as well as at the end of employment or contract.
2.2 Scope
Human Resource Security policy is one of the most important elements contributing to the overall security of organizational information. The organization should employ prudent hiring practices that include, among other things, background checks of applicants in accordance with the classification of information they would handle and the perceived risks therein. The purpose of this policy is to set rules and regulations that apply before, during and after employment.
2.3 Policy Statement
2.3.1 Prior to Employment
To ensure that all employees, including contractors and third parties, understand their roles and responsibilities and are suitable for the roles for which they are considered.
Screening: - Background verification checks of all candidates for employment shall be carried out in accordance with relevant regulations and ethics and shall be proportional to the business requirements, the classification of information to be accessed and the perceived risks.
Terms & Conditions of Employment: - All employees who are given access to confidential information should sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities.
2.3.2 During Employment
To ensure that employees, including contractors and third parties, are aware of and fulfill their information security responsibilities.
Management Responsibility: - Management shall require all employees to apply information security in accordance with the established policies and procedures of the organization.
Information Security Awareness Education & Training: - All employees of the organization shall receive appropriate awareness education and training, and regular updates on organizational policies and procedures, as relevant to their job functions.
Disciplinary Process: - There shall be a formal and communicated disciplinary process in place to act against employees who have committed an information security breach.
2.3.3 Change of Employment or Termination
To protect the organization’s interest as part of the process of changing or terminating employment:
- HR must immediately send notification to IT Department, in writing, about transfer, resignation, suspension or termination of services of any employee, contractor, or consultant. Depending on the notice period, all access to information resources must be revoked.
- The HR department updates the case of exit with relevant details into the HR database and sends out a notification to the respective department for acting on revocation of all the access rights, privileges, and email accounts given to the employee.
- The employee on the mutually agreed last working day must return all access and ID cards, keys, business cards issued to him/her to the respective Departments.
- The employee on his/her last working day must get the clearance form signed by respective department like IT department, admin department & HR department.
- The HR must make the full and final settlement only after employee has submitted duly filled No Objection Certificate (NOC).
- If there is a change in job responsibility of employee or transfer to other department then all unnecessary accesses to previous information systems shall be revoked.
3. Access Control Policy
Access to information assets is a privilege granted to all Smartworks employees and stakeholders and is vital to performing their daily tasks. Therefore, proper access and authorization to Smartworks information assets is essential to Smartworks’s operations. Inappropriate usage exposes Smartworks to risks including virus attacks, compromise of network systems and services, legal issues, monetary loss, and loss of reputation and business. The purpose of this policy is to define access controls for information systems and computing resources.
This policy applies to all platforms being used at Smartworks including but not limited to operating systems, applications, software, middleware, screensaver, databases, network device operating systems and tools. Access control protects organizations from security threats such as internal and external intrusions.
3.3 Policy Statement
3.3.1 Access Control for Employees & IT Team
- Access to information and business processes shall be controlled based on defined and documented business and security requirements.
- Formal procedures should be put in place to control the allocation of access rights to the information systems, network and/or services.
- Remote access to Smartworks’s networks shall be appropriately authorized on a least privilege basis, with access only granted to systems and resources where there is an explicit business requirement.
- All sensitive computer-resident information shall be protected via logical access controls to ensure that unauthorized access, disclosure, modification, deletion of information is prevented.
- Employees should ensure the security of Smartworks resources by observing and practicing good access security practices as guided by the Password Protection Policy and the Clear Desk and Clear Screen Policy.
- Physical access permissions allocated to secure areas and work zones should be revoked when the user leaves the organization.
- Users should email IT support, with their reporting manager’s approval, to request installation of software.
- Access control procedures shall not only restrict access on a need-to-know basis; the IT Team shall also log which users accessed sensitive data.
- Admin access shall be issued only to specific users.
- Information shall be disclosed only to those people who have a legitimate business need for the information ("need to know"). The access profile for users should be mapped to the functional requirement as approved by the business owners.
- Changes to the privileges of users shall be done immediately after getting the information from IT Team, when the job responsibility of the user changes or the user leaves the organization.
- In certain cases, if privileges (higher than those mentioned above) are allotted to an employee, contractors, consultants, temporaries, outsourcing firms, etc. for some reason, the same shall be reverted to normal after the completion of the task/ project.
3.3.2 User Access Management (User Registration & De-Registration)
- On the day an employee joins, the HR team shall email IT with the employee’s full name and the other required details.
- Any logical access shall be provided by following the logical access procedure and after the required written approval.
- Smartworks employees that need access to information systems and/or resources to perform their job role shall be granted appropriate access based on approval.
- Before giving access of information systems to any third-party contractor, an NDA should be signed with the third-party contractor and he/she should undergo the company security training.
- Users shall be responsible for all activities performed with their personal user-ids. They should not allow others to perform any activity with their user-ids. Passwords shall not be shared amongst employees.
- Once a resignation is accepted, HR will email the last working day and assign the exit to the concerned department.
- IT will make sure that the user is deregistered from related access products/services such as AWS, VPN, AD, Email etc.
- After revoking the user’s access from the different services, the IT department will send a confirmation email to HR.
- The resigning user will fill in the form on the last working day and hand over assets to the individual departments.
- All Smartworks’s information systems privileges shall be promptly terminated at the time the user leaves.
3.3.3 Privilege Access Management
- All privileged access to any system shall be restricted to the minimum number of people and only to those who require such access for performing their daily job function.
- All default guest accounts in all systems must be disabled and their passwords should be changed to a strong and unpredictable password.
- The password of the default administrator account shall be changed every 90 days.
- All the privileges granted to the system administrators for managing the Client information systems must be approved by the Head of IT.
3.4 Review of User Access Rights
The reconciliation of the following will be carried out on a quarterly basis:
- User accounts
- System privileges
- Application privileges
- All privileged access
- Physical access
3.5 Information Access Restriction
- Access to information and application system functions should be restricted in accordance with the access control policy.
- Access rights of users shall be controlled, e.g. read, write, delete and execute.
3.6 Review of Logs to Monitor Access
3.6.1 Types of Logs
The types of logs include, but are not limited to:
- All server access logs
- All application logs
- All warning, error & critical logs
- Access and web logs of all internal devices such as firewalls and routers
- User internet activity logs.
3.6.2 Log Management Procedure
- All logs shall be reviewed periodically by IT Team.
- Logs are retained for a period of one month.
- Any suspicious activity found in such logs shall be investigated.
- Access to logs should be read-only.
- Protect audit logs from unauthorized modification.
- Each log entry shall include:
  - User identification
  - Type of event
  - Date and time
  - Success or failure indication.
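As an added illustration of the log management procedure above (this is example code, not part of the Smartworks policy or any Smartworks tooling), the script below reviews constructed access-log lines in an assumed "timestamp key=value ..." format: it checks each entry for the four required fields, flags entries older than the one-month retention period, and flags users with repeated failures so they can be investigated. The log format, the review date, and the failure threshold of three are assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fields that policy 3.6.2 requires in every log entry (timestamp is parsed separately).
REQUIRED_FIELDS = ("user", "event", "result")
RETENTION_DAYS = 30        # "Logs are retained for a period of one month"
FAILURE_THRESHOLD = 3      # assumed threshold for flagging repeated failures
# Assumed date on which the periodic review is performed.
REVIEW_DATE = datetime(2024, 3, 2, tzinfo=timezone.utc)

# Constructed sample log lines (not real data) in an assumed key=value format.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=alice event=login result=SUCCESS
2024-03-01T08:05:40Z user=bob event=login result=FAILURE
2024-03-01T08:05:52Z user=bob event=login result=FAILURE
2024-03-01T08:06:03Z user=bob event=login result=FAILURE
2024-03-01T08:07:30Z user=carol event=read-sensitive result=SUCCESS
2024-03-01T08:09:00Z user=dave event=login
2024-01-15T12:00:00Z user=erin event=logout result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")


def parse_line(line):
    """Parse one log line into a dict of fields; returns None if the line is unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"ts": m.group("ts")}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            entry[key] = value
    return entry


def missing_fields(entry):
    """Return the policy-required fields that are absent from a parsed entry."""
    return [f for f in REQUIRED_FIELDS if f not in entry]


def review_logs(text, review_date):
    """Review a log text and return findings: malformed entries (by line number),
    entries beyond the retention period, and users with repeated failures."""
    findings = {"malformed": [], "expired": [], "repeated_failures": {}}
    failures = Counter()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            findings["malformed"].append(lineno)
            continue
        try:
            ts = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ")
            ts = ts.replace(tzinfo=timezone.utc)
        except ValueError:
            findings["malformed"].append(lineno)
            continue
        if missing_fields(entry):
            # An entry without user/event/result cannot be attributed or assessed.
            findings["malformed"].append(lineno)
            continue
        if review_date - ts > timedelta(days=RETENTION_DAYS):
            findings["expired"].append(lineno)
        if entry["result"].upper() == "FAILURE":
            failures[entry["user"]] += 1
    findings["repeated_failures"] = {
        user: count for user, count in failures.items() if count >= FAILURE_THRESHOLD
    }
    return findings


def review_sample():
    """Run the review over the constructed sample as of the assumed review date."""
    return review_logs(SAMPLE_LOG, REVIEW_DATE)


if __name__ == "__main__":
    for category, items in review_sample().items():
        print(f"{category}: {items}")
```

Entries flagged as malformed cannot satisfy the required-fields rule and should be traced back to the emitting system; the expired list identifies what the retention rule says may be purged.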
3.7 Access Control to Program Source Code
- Program source code should be accessible to limited personnel only.
- Access to Git Code Commit shall be reviewed on every quarter.
- Access to Git Code Commit shall be restricted to development team & authorized personnel only.
- Any changes in the source code shall be logged.
4. Physical Security Policy
This policy document states that information and information processing facilities should be protected from disclosure, modification or theft by unauthorized persons, and that controls should be in place to minimize loss or damage. Critical or sensitive business information processing facilities should be housed in secure areas, protected by a defined perimeter, with appropriate security barriers and entry controls. All equipment should be physically protected from security threats and environmental hazards to reduce the risk of unauthorized access to data and to protect against loss or damage.
The scope of this policy covers the security of information and information processing facilities from unauthorized physical access, damage and interference, and the prevention of equipment loss, damage and theft. It applies to all employees, contract employees and any other staff who are part of a service agreement with Smartworks.
4.3 Classification of Physical Security into Zones
- Zone 1. Entrance, reception area
- Zone 2. Support department, pantry
- Zone 3. IT server room
- Zone 4. Business secure area
4.4 Policy Statement
4.4.1 Physical Entry Controls
- Visitors to secure areas must be supervised and their date & time of entry and departure recorded in a visitor's log and reviewed according to the criticality of zone s/he is accessing.
- Entry to all restricted areas should be controlled by an access mechanism.
- All personnel carrying laptops, PDAs, mobile phones with cameras, USB drives, CDs or floppies should enter the details of these devices in the register. The restriction criteria for carrying these devices may vary with the criticality of the respective zones.
- Duplicate Identification Card can be issued in case of damage, lost or stolen cards. It is the responsibility of employees/visitors/third party vendors to immediately report loss to the security at gate and/ or to ID card cell. The damaged card must be taken back prior to the issuance of duplicate identification card.
- ID cards of temporary visitor / vendor / consultant must have a visibly different color/ mark than that of employee, enabling easy identification.
4.4.2 Securing offices, rooms and facilities
- Access to computer rooms should be monitored 24x7 using CCTV and alarm system.
- Access to zone 4 area should be based on permission from respective HOD and access should be a one-time access that terminates immediately after his/her exit.
- Use video cameras or other access control mechanisms to monitor individual physical access to sensitive zonal areas. Audit collected data and correlate with other entries.
- Sufficient fire extinguishers should be provided for all work areas. Critical zones such as the datacenter and UPS room should be provided with appropriate and adequate firefighting systems.
4.4.3 Equipment Security
- Eating, drinking and smoking in proximity to information processing facilities should be strictly prohibited.
- Environmental conditions of the server room should be monitored daily. Temperature should be maintained between 18 °C and 24 °C.
- All maintenance activities shall be properly recorded and documented. Records of all suspected or actual faults as well as all preventive and corrective measures shall be maintained.
5. Acceptable Usage of Information Asset Policy
5.1 Purpose
To support Smartworks’s business functions and to provide customer satisfaction, Smartworks provides access to information assets to all employees. Access to these information assets is a privilege granted to all its employees and stakeholders and is vital to performing their daily tasks. Therefore, proper use and protection of Smartworks’s information assets is essential to Smartworks’s operations. Inappropriate usage exposes Smartworks to risks including virus attacks, compromise of network systems and services, legal issues, monetary loss, and loss of reputation and business. The purpose of this policy is to outline the rules that govern acceptable use of all information assets at Smartworks, in order to protect the information assets from inappropriate usage.
5.2 Scope
This Acceptable Usage of Information Asset policy governs appropriate usage of all the information assets of Smartworks. Information security requires the participation and support of all Smartworks stakeholders with access to information assets. It is thus the responsibility of every member of the Smartworks family to help ensure that all information assets are kept secure and available.
5.3 Policy Statement
5.3.1 General Usage and Ownership
- Employees should be aware that the data they create on the corporate systems remains the property of Smartworks.
- For security and network maintenance purposes, authorized individuals within Smartworks may monitor equipment, systems, browsing logs and network traffic at any time.
- Smartworks reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
5.3.2 Security and Proprietary Information
- Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts.
- Employees must not disseminate any data classified as sensitive or confidential over the Internet that is not encrypted.
- Employees must not download information or any kind of material that is not required for Smartworks’s business functions.
- Smartworks employees must not disable antivirus software at any point in time.
- It is not acceptable for a system to be found without antivirus software where this was not communicated to the IT team of Smartworks.
6. Cryptography Policy
6.1 Purpose
The purpose of the policy is to improve the security, integrity and confidentiality of data and to reduce the risk of unauthorized access to, loss of, or damage to information.
6.2 Scope
Encryption must be applied as per business requirements for sensitive data that is stored or transmitted, and as appropriate for the information classification and business requirements from time to time. This policy is applicable to all employees, contractors and vendors of Smartworks and others who have authorization to access or use Smartworks’s information processing facilities.
6.3 Policy Statement
- Appropriate cryptographic rule sets based on the latest global standards should be implemented to secure confidential and sensitive information of the organization and to ensure that all legal and regulatory requirements are complied with. The encryption mechanisms should support a minimum of, but not be limited to, AES 128-bit encryption.
- Any confidential and sensitive information transmitted through open and public network should be encrypted and/or be transmitted through an encrypted tunnel, such as virtual private networks (VPN), SSH, or SSL/TLS.
- Wireless (Wi-Fi) transmissions that are used to access portable computing devices or internal networks must be encrypted using standards such as but not limited to IEEE 802.11i (WPA2) or industry best practices.
- Plain FTP should not be used on any Internet-facing systems or where confidential data is being transmitted, since it does not provide encrypted transmission. Instead secured FTP (SFTP) should be used.
- Confidential and sensitive data at rest/stored on computer systems/ removable media / Portable devices and networks should be encrypted using strong cryptographic rule set.
- Key management procedures should ensure that authorized users can access and decrypt all encrypted data using controls that meet operational needs and comply with data retention requirements.
- Any sensitive information when communicated electronically outside the organization to clients, Government, legal or regulatory agencies should be digitally signed.
- Latest industry approved version of TLS/strong cryptographic protocols should be used where sensitive and payment card related information are stored, processed and transmitted. SSL v3.0 and early TLS should not be used.
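As an added example that is not part of the Smartworks policy or its tooling, the Python snippet below turns the protocol and key-strength floor stated in this section into something checkable: a client TLS context that negotiates only TLS 1.2 or later with the standard library’s default (all at least 128-bit) cipher list, and an audit function that reports any minimum version below TLS 1.2 or any cipher weaker than 128 bits. The legacy settings it audits are constructed for the example; the function names are assumptions of this example.

```python
import ssl

# Policy floor from section 6.3: no SSLv3 or early TLS, and at least 128-bit symmetric encryption.
MINIMUM_TLS = ssl.TLSVersion.TLSv1_2
MINIMUM_CIPHER_BITS = 128


def build_policy_context():
    """Client-side TLS context that meets the policy: TLS 1.2+ only, certificate
    verification on, and the stdlib default cipher list (AES-GCM/ChaCha20)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MINIMUM_TLS
    return ctx


def check_tls_settings(minimum_version, ciphers):
    """Audit a (minimum protocol version, cipher list) pair against the policy.
    `ciphers` is a list of dicts with 'name' and 'strength_bits', the same shape
    that ssl.SSLContext.get_ciphers() returns. Returns a list of findings; an
    empty list means the settings are compliant."""
    findings = []
    if minimum_version < MINIMUM_TLS:
        findings.append(
            f"minimum protocol {minimum_version.name} is below {MINIMUM_TLS.name}"
        )
    for cipher in ciphers:
        if cipher["strength_bits"] < MINIMUM_CIPHER_BITS:
            findings.append(
                f"cipher {cipher['name']} provides only {cipher['strength_bits']} bits"
            )
    return findings


def audit_context(ctx):
    """Audit a live ssl.SSLContext using its configured minimum version and ciphers."""
    return check_tls_settings(ctx.minimum_version, ctx.get_ciphers())


# Constructed example of a legacy configuration the policy forbids: TLS 1.0 allowed
# and a 112-bit 3DES suite alongside a compliant AES-128-GCM suite.
LEGACY_SETTINGS = (
    ssl.TLSVersion.TLSv1,
    [
        {"name": "DES-CBC3-SHA", "strength_bits": 112},
        {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
    ],
)


if __name__ == "__main__":
    print("policy context findings:", audit_context(build_policy_context()))
    print("legacy settings findings:", check_tls_settings(*LEGACY_SETTINGS))
```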
7. BYOD Policy
7.1 Purpose
This policy establishes rules for the proper usage of handheld devices and applications in the corporate environment in order to protect the confidentiality and integrity of corporate information/data and the availability of application and network services.
7.2 Scope
The policy applies to all employees, consultants, vendors, contractors, and others using business or private mobile handheld devices on any premises occupied by the organization. This BYOD Security Policy is applicable to employee-owned laptops and all mobile devices, namely smart phones (Android, Windows, iOS, Blackberry), laptops, tablets (iPad, Android, etc.) and notebooks.
7.3 Policy Statement
- Only approved devices can be used by employees under BYOD policy.
- The organization has the right to seize and forensically examine any device believed to contain, or to have contained, corporate data where necessary for investigatory or control purposes.
- BYOD users must ensure that valuable corporate data created or modified on device are backed up regularly.
- BYOD users should keep their personal data separate from business data on the device in separate directories, clearly named (e.g. “Private” and “BYOD”). This would reduce the possibility of disclosure of BYOD user’s personal information.
- The organization has the right to control its information. This includes the right to backup, retrieve, modify, determine access and/or delete corporate data without reference to the owner or user of the device.
8. E-Mail & Internet Security Policy
8.1 Purpose
The purpose of this policy is to provide useful guidelines to help the IT Team maximize the security posture and defend Smartworks from the security risks it faces from improper email and Internet configurations, practices and controls.
8.2 Scope
This document lists out the policy for proper email and Internet related mechanisms to be followed by the IT team and other email and Internet service users of Smartworks to ensure information security at Smartworks.
8.3 Policy Statement
- All assigned email addresses, mailbox storage and transfer links must be used only for business purposes in the interest of Smartworks. Occasional use of a personal email address on the Internet for personal purposes may be permitted if in doing so there is no perceptible consumption of Smartworks system resources and work productivity is not affected.
- Use of the Smartworks resources for non-authorized advertising, external business, spam, political campaigns, and other uses unrelated to the Smartworks business is strictly forbidden.
- Using the email resources of the Smartworks for disseminating messages regarded as offensive, racist, obscene or in any way contrary to the law and ethics is absolutely discouraged.
- Identities for accessing corporate email must be protected by strong passwords. The complexity and lifecycle of passwords are managed by the company’s procedures for managing identities. Sharing of passwords is discouraged. Users should not impersonate another user.
- Attachments must be limited in size according to the specific procedures of the Smartworks. Whenever possible, restrictions should be automatically enforced.
- Scanning technologies for virus and malware must be in place in client PCs and servers to ensure the maximum protection in the ingoing and outgoing email.
- Corporate mailboxes content should be centrally stored in locations where the information can be backed up and managed according to company procedures.
- All users who have been given access to emails and Internet have the responsibility to use Smartworks’s computer resources and Internet in a professional, lawful and ethical manner.
- Relevant logs must be reviewed periodically to detect unusual or malicious activity and any such unauthorized usage must be reported to IT team immediately.
9. Mobile Computing Policy
9.1 Purpose
The purpose of Smartworks’s Mobile Computing policy is to establish the rules for the use of mobile computing devices and their connection to the network. These rules are necessary to preserve the integrity, availability and confidentiality of Smartworks’s information assets. The Mobile Computing policy governs the practices to be followed when using mobile devices to ensure the protection and availability of the information present on those devices.
9.2 Scope
This document lists out the policy for identifying mobile devices, their usage, and the practices that must be adopted to ensure information security at Smartworks.
9.3 Policy Statement
- Only Smartworks approved portable computing devices may be used to access Smartworks Information Resource.
- Non Smartworks computer systems (Visitors or contractors’ laptops) that require network connectivity will be provided guest network access.
- Unattended, Smartworks-provided portable computing devices must be physically secure. Owners of the device should ensure their physical security.
- Antivirus software and database should be updated in company owned portable computing device.
- Smartworks’s electronic communications systems must be used only for business activities.
- Use of personal computing devices, including laptop computers, smart phones, tablets and other handheld devices, wireless computing equipment and, in general, any device that supports connectivity through a cable, wireless or infra-red medium, is strictly disallowed unless specifically approved before the device is brought into Smartworks’s premises.
- Employees assigned with Smartworks’s Laptops can use the laptop computer inside and outside the Smartworks’s premises in accordance with the acceptable usage policy of Smartworks.
- The Smartworks assigned laptops are to be used as a productivity tool for Smartworks related business and communications. Employees may use the Smartworks’s laptops for limited personal purposes subject to the acceptable usage policy.
- If there is important data on the laptop, User must back up the data on the device provided by IT team as a safety precaution against hard drive failure.
10. Data Classification & Media Handling Policy
10.1 Purpose
The purpose of this policy is to ensure data protection, so that important and Smartworks business-critical records are protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual and business requirements. The policy states that all information must be properly classified, as per the classification specified in this document, and that the procedures specified here must be followed to ensure that the proper level of protection is applied to each level of information.
10.2 Scope
This document lists out the policy to be followed by Smartworks for proper infor
10.3 Policy Statement
10.3.1 Data Classification
The following classes of information exist, depending on the sensitivity of the information and its importance to the business:
The following table explains these classes:
Every piece of information (printed reports, documents, etc.) must have an owner. The owner of the information is responsible for classifying the document as per the classification described above. The owner must ensure that the document is properly controlled during storage, transmission, and disposal. The owner may decide to downgrade its classification label.
10.3.2 Handling Procedures
10.3.3 Information Exchange Agreements with Third Parties
At various stages, information produced by the organization needs to be exchanged in various forms with other organizations. The means and methods adopted for exchange of such information must be secured to protect the confidentiality, integrity and availability of such information. The controls for information exchange with third party organizations can be as follows:
- If the information is classified as Confidential or Proprietary, it must be marked accordingly before being transmitted.
- If it is being couriered, then it must be placed in a sealed envelope, and labeled clearly.
- A confidentiality agreement must be signed with the third parties.
10.3.4 Data Archival
Client Data should be retained till 15 days after project completion. However, its duration can be extended as per client confirmation.
10.3.5 Disposal of Media
The following disposal methods should be used for disposing of the various types of media:
- Printed material: All paper should be disposed of by shredding.
- Carbon papers: All carbon papers should be burnt.
- CDs/DVDs: All CDs/DVDs should be shredded in the CD/DVD shredders.
- Removable media (e.g. pen drives, memory cards etc.): Confidential or sensitive information should not be stored on removable media. Removable media should be formatted at least 3 times before it is disposed of, or the data on it should be securely deleted with a software destruction tool. If the device is damaged and cannot be detected, it should be disposed of by physically damaging the memory chip inside the device.
- Backup magnetic media: When any backup media is damaged or no longer usable, such media should be physically damaged and the magnetic media should be burnt.
- Hard disk: If any PC is removed from Smartworks’s premises:
  - The hard disk of the PC should be wiped with a software destruction tool or deep formatted at least 3 times before it is disposed of.
  - An authorized vendor should be selected for disposal of the HDD.
  - Store the HDD under lock and key if it is not disposed of.
  - If the hard disk is damaged and cannot be detected, it should be physically damaged and its magnetic media removed.