Scope: document drafts, legal services, citizen services, e-stamp services, business and license registration, property registration services, accounting, vouching, internal auditing/ due diligence/ statutory compliance/ assistance in company incorporation and corporate law services, application service provider authorised to provide eSign services
DESK NINE PVT LTD
Address: 95, 4th Floor, Rudra Chambers, 4th Main, 11th Cross, Malleswaram, Bangalore, Karnataka, India – 560003
This document is the property of and proprietary to DESK NINE PVT LTD. Contents of this document should not be disclosed to any unauthorized person. This document may not, in whole or in part, be reduced, reproduced, stored in a retrieval system, translated, or transmitted in any form or by any means, electronic or mechanical.
Document Number | LD-IS-ISM-201718-1-1 |
Date | 18-04-2017 |
Revision No | 1.0 |
Information Classification | Internal |
Revision: 1.0
Issue Status: A
Prepared by | Designation |
Prajwal Tiwari | Chief Information Security Officer |
Approved by | Designation |
Krupesh Bhat | Co-Founder |
Krupesh Bhatt
Co-Founder
Information is an extremely valuable and important corporate asset that requires protection against risks that would threaten its confidentiality, integrity and/or availability. Suitable information security controls must therefore be selected and implemented. The security controls identified in this manual are based on ISO/IEC standards that document internationally-accepted good practice. Along with my colleagues on the senior management team, I fully endorse this information security policy manual and expect the controls to be implemented consistently throughout DESK NINE PVT LTD.
Date: 18-04-2017
Information security is achieved by implementing a suitable set of controls (policies), practices, procedures, organizational structures and software functions. These controls have been established here to ensure that the specific security objectives of the organization are met.
DESK NINE PVT LTD is a legal technology company providing legal documentation, Aadhaar-based eSign, eKYC and stamp paper services to individuals and businesses.
This document establishes the ISMS scope for the entire operations of M/s. DESK NINE PVT LTD and covers the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS within that scope.
Desk Nine Pvt Ltd carries on the business of establishing, operating and promoting an online and mobile app based platform for providing document drafts, legal services, citizen services, e-stamp services, business and license registration, property registration services, accounting, vouching, internal auditing/ due diligence/ statutory compliance/ assistance in company incorporation and corporate law services, and acts as an application service provider authorised to provide eSign services, etc.
DESK NINE PVT LTD. is a Legal Technology company engaged in providing legal documentation, delivery, stamp paper, Aadhaar-based eSign and eKYC.
The products of DESK NINE PVT LTD include:
DESK NINE PVT LTD consists of Ten (10) domain functions:
The operating domains under the following head that generate revenue to DESK NINE PVT LTD are:
The products included in the ISMS Scope are:
DESK NINE PVT LTD is a company registered under The Companies Act and continues business operations at:
95, 4th Floor, Rudra Chambers,
4th Main, 11th Cross, Malleswaram,
Bangalore, Karnataka, India – 560003
The assets covered under this ISO 27001 implementation are as follows:
Additionally, the ISMS also extends to intangible assets that exist in the form of the company’s reputation and goodwill.
Software:
Operating Systems | Software |
Windows XP SP-3 | Adobe Acrobat Reader |
Windows 7 Professional | Google Chrome |
Windows 7 Ultimate | Mozilla Firefox |
Windows 10 | Microsoft Office Professional Plus 2013 |
Windows 10 Enterprise | Microsoft Office Professional Plus 2010 |
 | Microsoft Office Enterprise 2007 |
 | WinZip |
 | WinRAR |
 | TeamViewer |
Network:
L2 Switch | HP ProCurve |
L3 Switch | HP ProCurve |
Firewall | Checkpoint |
Router | CISCO |
Antivirus | McAfee |
Patch and IT Automation | Kaseya |
Third Party/ Outsourced:
System Maintenance Service | Vendor |
Policy:
DESK NINE PVT LTD’s policy of managing information security is to ensure that its core and supporting business operations continue to operate with minimal disruptions. DESK NINE PVT LTD shall ensure that all information disbursed or produced by DESK NINE PVT LTD has absolute integrity. DESK NINE PVT LTD shall guarantee that all relevant information is managed and stored with appropriate confidentiality procedures. DESK NINE PVT LTD’s policy also guarantees compliance with the necessary legal requirements.
It is the policy of our company to ensure:
complete security of information assets within or outside the company.
Chief Information Security Officer (CISO)
ISMF will appoint the Chief Information Security Officer within the IS Group, either centrally or location-wise. The CISO will be the approving authority in the information security domain. The responsibilities of the CISO are:
P | Primary | A | Authority | N | Not Applicable |
S | Secondary | C | Contributory |
Clause | Description | Management | CISO | Lead Internal Auditor | IT Manager | HR Manager | Admin Manager | Project Manager | End Users |
7.0 | Asset Management | C | C | N | P | C | C | N | C |
8.0 | Security in employee management | C | C | N | N | P | N | N | N |
9.0 | Secure Working Areas and equipment security | C | C | N | N | N | P | N | C |
10.0 | Communication and Operations Management | C | C | N | P | N | C | N | C |
11.0 | Access Control | C | C | N | P | N | C | N | C |
13.0 | Incident Management | C | P | N | S | S | S | C | C |
14.0 | Business Continuity Management | C | P | N | S | S | S | S | C |
15.0 | Compliance with Legal Requirements | P | S | N | C | C | C | C | C |
Information Security Management Forum (ISMF)
ISMF is a management framework established to ensure the management of information security within the organization. The committee will comprise the organization’s management representatives, including the CISO.
The responsibilities are:
The following Operations Manuals and Procedures represent the Company’s management system and have been developed to ensure each department is working in a defined and documented manner to acceptable practices.
Sales – LD-BIZD-DM-1-1
Operations – LD-OPS-DM-1-1
Software Development – LD-SDEV-DM-1-1
Information Security – LD-IS-ISM-1-1
IT – LD-ITA-ITP-1-1
Legal Operations – LD-LEO-DM-1-1
HR – LD-HR-DM-1-1
Admin – LD-ADM-DM-1-1
Purpose
The purpose of this procedure is to establish a uniform and consistent method for internal audit of the Information Security management system.
Scope
This procedure is applicable to all internal audits carried out by DESK NINE PVT LTD at the location. All security system elements applicable to ISO 27001:2013 are audited for compliance as per this procedure.
References
ISO 27001:2013 Clause No. 6
Definition
Internal Audit: The process of determining the compliance of the Company’s Information Security management system with the requirements of ISO 27001:2013.
Responsibility
The Corporate Internal Audit Team consists of the Lead Auditor and the Internal Auditors identified in the organization.
Purpose
The purpose of this procedure is to provide a uniform and consistent method for undertaking corrective and preventive actions to eliminate the causes of actual or potential non-conformances.
Scope
This procedure is applicable to all system-related non-conformances or potential non-conformances observed during supervision, review or internal audit. It is also applicable to all customer or third party complaints, whether written or verbal.
References
ISO 27001:2013 Clause No. 8.2 and 8.3
Definitions:
Auditee – the process owner or department head or members authorized to represent the particular process/departments during audit.
CAR – Corrective Action Request
Correction: Action to eliminate a detected non-conformity.
Corrective action: Action to eliminate the cause of a detected non-conformity or other undesirable situation.
ISMF – Information Security Management Forum
Preventive action: Action to eliminate the cause of a detected non-conformity or other undesirable potential situation.
Procedure
Non-conformances or potential non-conformances, which require issuing of CAR, may be observed in the security system in any of the following situations.
ISC coordinates and ensures that the ‘Corrective Action Request’ is investigated and that corrective and preventive actions are taken.
Reviews, Investigation and Implementation
o CISO, ISC and the Auditee or the person responsible for the activity review the Corrective Action Request.
o After review and investigation of the observed or potential non-conformance, improvement suggestion or complaint, the reviewer proposes corrective and preventive actions, which are recorded in the Corrective Action Request.
o The proposed actions are implemented by the responsible person.
o Follow-up audits are undertaken by CISO/ person identified by CISO to verify that the corrective and preventive actions are implemented and to ensure that the desired goals are achieved.
o The CAR is closed if the corrective and preventive actions are satisfactory.
o Effectiveness of the corrective action initiated is reviewed by the ISC. Based on the effectiveness of the action, the ISC/CISO is authorized to close the corrective action request.
o Effectiveness of the preventive action taken is reviewed. Based on the effectiveness of the action, the ISC/CISO is authorized to close the corrective action request.
Records
Incident Report Register
Corrective Action Request Form
Purpose
Access to DESK NINE PVT LTD computing resources is granted in a manner that carefully balances restrictions designed to prevent unauthorized access against the need to provide unhindered access to informational assets.
Scope
All assets identified under the ownership of IT Department are included under IT Assets Control Policy.
Responsibility
IT Manager
Access Control
DESK NINE PVT LTD will provide all employees and other users with the information they need in order to carry out their responsibilities in as effective and efficient a manner as possible. Access to Confidential Information is limited to authorized persons determined by an approval process, as per job responsibilities and subject to applicable laws and regulations.
Procedure
Exceptions
Best Practices
Definitions
Ø Access is defined as the ability and means necessary to store data in, to retrieve data from, to communicate with, or to make use of any resource of a system.
Ø Confidential Information: All information that is generally confidential in nature. For instance, the term includes information in the nature of proprietary information, intellectual property, client-related information and trade secrets, which are unknown to the general public.
Ø Authorized Persons are defined as people who have established a need and received the necessary authorization. Persons must be a member of the management or staff or other individuals sponsored by the Company.
Ø Informational Processing Facilities include computers, telecommunication equipment, networks, automated data processing, databases, the Internet, printing, management information systems, and related information, equipment, goods, and services at DESK NINE PVT LTD.
Purpose
The main reasons for a clean desk policy are:
Scope
Applicability
This Policy guideline applies to all DESK NINE PVT LTD employees, including directors, officers and agents, consultants or contractors, who collect, generate, use or otherwise handle Confidential or Internal Use information.
Guidelines
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Such breaches are considered incidents which shall be reported to any member of the Information Security Team or their hierarchical managers.
Summary
All employees and personnel having access to organizational computer systems must adhere to the IT asset control policy in order to protect the security of the network, protect data integrity, and protect and control computer systems and organizational assets. This policy is defined to assist the IT department in tracking and protecting its assets, including their safe disposal.
Purpose
To protect organizational resources on the network
Scope
IT assets
Responsibility
IT Manager
Policy
This defines the assets that are covered under this policy and the extent to which they are tracked and protected.
The IT assets categorized for implementing this policy are:
Regardless of costs, all IT assets of DESK NINE PVT LTD India Private Limited shall be tracked, especially assets holding data. For this purpose, the assets could include:
Measures shall be taken to effectively secure the data stored on any hardware device before it is disposed of to a third party vendor for secure storage, destruction or maintenance. Only devices authorized and approved by the IT Manager shall be allowed and tracked, and it is the User’s responsibility to handle the company’s assets in a responsible manner.
Asset tracking requirement
Requirements
This procedure applies to all requests made under B (1) (f) of this Policy and shall be implemented accordingly:
This policy applies to any assets transferred under C (1), including, but not limited to:
This procedure applies to all requests made under C (2) (5) of this policy and shall be implemented accordingly:
Sensitivity of the data shall be determined on the basis of following categorization:
Disposal Procedure
The methods approved for use at DESK NINE PVT LTD are two of those identified as “effective removal methods”: wiping and destruction.
Applicability
This procedure applies to all assets that are owned by DESK NINE PVT LTD India Private Limited.
This policy defines the types of data that may be stored on removable media and whether that media may be removed from a physically secure facility and under what conditions it would be permitted. Removable media includes:
The policy for each device, based on the rated sensitivity of the data stored on it according to the data assessment process, is listed below.
Disposal of media shall be implemented according to D (2) of this Policy.
This procedure applies to all assets that are owned by DESK NINE PVT LTD India Private Limited.
Since data security and integrity along with resource protection is critical to the operation of the organization, employees that do not adhere to this policy may be subject to disciplinary action up to and including dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.
Overview
Email is perhaps the most important means of communication throughout the business world. Messages can be transferred quickly and conveniently across our internal network and globally via the public Internet. However, there are risks associated with conducting business via email. Email is not inherently secure, particularly outside our own internal network. Messages can be intercepted, stored, read, modified and forwarded to anyone, and sometimes go missing. Casual comments may be misinterpreted and lead to contractual or other legal issues.
Scope
This policy defines and distinguishes acceptable/appropriate use of email from unacceptable/inappropriate use of email.
Applicability
This is a standard corporate policy that applies throughout the organization as part of the corporate governance framework. It applies to all users of the corporate email systems.
Policy Axioms (Guiding Principles)
Detailed Policy Requirements
Responsibilities
All employees of DESK NINE PVT LTD India Private Limited shall have no expectation of privacy in anything they store, send or receive on the company’s email system.
III. IT Help Desk is responsible for assisting users with secure use of email facilities, and acts as a focal point for reporting email security incidents.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Purpose
DESK NINE PVT LTD provides fast, efficient, and cost-effective electronic services for a variety of clients worldwide. As an industry leader, it is critical for DESK NINE PVT LTD to set the standard for the protection of information assets from unauthorized access and compromise or disclosure. Accordingly, DESK NINE PVT LTD has adopted this information classification policy to help manage and protect its information assets.
Scope
DESK NINE PVT LTD and its associates (i.e. includes affiliates, third party, vendors, and outsourcing partners) share in the responsibility for ensuring that organization’s information assets receive an appropriate level of protection by observing this policy.
Responsibility
Policy
All Company information and all information entrusted to the Company by third parties fall into one of the four classifications in the table below, presented in order of increasing sensitivity.
Information Category | Description |
Public | Information is not confidential and can be made public without any implications for Company. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital. |
Internal | Information is restricted to internal access within management approved departments and protected from external access. Unauthorized access could influence Company’s operational effectiveness, cause an important financial loss, provide a significant gain to a competitor, or cause a major drop in customer confidence. Information integrity is vital. |
Confidential | Information received from clients or produced within the company and accessible to a restricted department or members in any form for processing in production by the Company. The original copy of such information must not be changed in any way without written permission from the owner (either the Client or the Company). The highest possible levels of integrity, confidentiality, and restricted availability are vital. |
Classified | Information with a “Top Management Only” visibility. Example: Business Plan |
Purpose
To allow IT Manager or Departmental Manager or any designated security officer to perform periodic information security risk assessments (RA) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.
Scope
Risk assessments can be conducted on any entity within DESK NINE PVT LTD or any outside entity that has signed a Third Party Agreement with DESK NINE PVT LTD. A Risk Assessment can be conducted on any information system, including applications, servers, and networks, and on any process or procedure by which these systems are administered and/or maintained.
Policy
The execution, development and implementation of remediation programs are the joint responsibility of the IT Department and respective process or domains for which the systems are being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with other departments including the Information Security Team in the development of a remediation plan.
Risk Assessment Process
For additional information refer to “InfoSec Risk Management Approach”
For additional details contact IT Department.
Enforcement
Anyone found to have violated this Policy may have their network access privileges temporarily or permanently revoked.
Definitions
Term | Explanation |
Entity | Any business unit, department, group, or third party, internal or external to DESK NINE PVT LTD, responsible for maintaining DESK NINE PVT LTD assets. |
Risk | Those factors that could affect confidentiality, availability, and integrity of DESK NINE PVT LTD’s key information assets and systems. The Risk Assessment Team is responsible for ensuring the integrity, confidentiality, and availability of critical information and computing assets on DESK NINE PVT LTD networks, while minimizing the impact of security procedures and policies upon business missions. |
Purpose
This policy describes the controls necessary to minimize information security risks affecting DESK NINE PVT LTD laptops.
Scope
This policy refers to certain other/general information security policies, but the specific information given here is directly relevant to laptops and, in case of conflict, takes precedence over other policies.
Applicability
Ø All DESK NINE PVT LTD computer systems face information security risks. Laptops and desktops are an essential business tool, but their very portability makes them particularly vulnerable to physical damage or theft. Furthermore, the fact that they are often used outside DESK NINE PVT LTD’s premises increases the threats from people who do not work for DESK NINE PVT LTD and may not have its interests at heart.
Ø Portable computers are especially vulnerable to physical damage or loss, and theft, either for resale (opportunistic thieves) or for the information they contain (industrial spies).
Ø Do not forget that the impacts of such breaches include not just the replacement value of the hardware, but also the value of any DESK NINE PVT LTD data on them, or accessible through them. Information is a vital DESK NINE PVT LTD asset. We depend very heavily on our computer systems to provide complete and accurate business information when and where we need it. The impacts of unauthorized access to, or modification of, important and/or sensitive DESK NINE PVT LTD data can far outweigh the cost of the equipment itself.
Guidelines on Physical Security
Virus protection for laptops
Ø Unauthorized software
Do not download, install or use unauthorized software programs. Unauthorized software could introduce serious security vulnerabilities into the DESK NINE PVT LTD networks as well as affecting the working of your laptop. Software packages that permit the computer to be ‘remote controlled’ (e.g. PC anywhere) and ‘hacking tools’ (e.g. network sniffers and password crackers) are explicitly forbidden on DESK NINE PVT LTD equipment unless they have been explicitly pre-authorized by management for legitimate business purposes.
Ø Unlicensed software
Be careful about software licences. Most software, unless it is specifically identified as “freeware” or “public domain software”, may only be installed and/or used if the appropriate licence fee has been paid. Shareware or trial packages must be deleted or licensed by the end of the permitted free trial period. Some software is limited to free use by private individuals, whereas commercial use requires payment for a licence. Individuals and companies are being prosecuted for infringing software copyright: DO NOT RISK bringing yourself and DESK NINE PVT LTD into disrepute by breaking the law.
Ø Backups
Unlike desktop PCs, which are backed up automatically by IT, you must take your own backups of data on your laptop. The simplest way to do this is to log on and upload data from the laptop to the network on a regular basis – ideally daily, but weekly at least. If you are unable to access the network, it is your responsibility to take regular off-line backups to CD/DVD, USB memory sticks etc. Make sure that off-line backups are encrypted and physically secured. Remember, if the laptop is stolen, lost or damaged, or if it simply malfunctions, it may be impossible to retrieve any of the data from the laptop. Off-line backups will save you a lot of heartache and extra work.
Ø Laws, regulations and policies
You must comply with relevant laws, regulations and policies applying to the use of computers and information. Software licensing has already been mentioned and privacy laws are another example. Various corporate security policies apply to laptops, the data they contain, and network access (including use of the Internet).
Ø Inappropriate materials
Be sensible! DESK NINE PVT LTD will not tolerate inappropriate materials such as pornographic, racist, defamatory or harassing files, pictures, videos or email messages that might cause offence or embarrassment. Never store, use, copy or circulate such material on the laptop and steer clear of dubious websites. IT staff routinely monitor the network and systems for such materials and track use of the Internet: they will report serious/repeated offenders and any illegal materials directly to management, and disciplinary processes will be initiated. If you receive inappropriate material by email or other means, delete it immediately. If you accidentally browse to an offensive website, click ‘back’ or close the window straight away. If you routinely receive a lot of spam, call IT Help Desk to check your spam settings.
Ø Health and safety aspects of using laptops
Laptops normally have smaller keyboards, displays and pointing devices that are less comfortable to use than desktop systems, increasing the chance of repetitive strain injury. Balancing the laptop on your knees hardly helps the situation! Limit the amount of time you spend using your laptop. Wherever possible, place the laptop on a conventional desk or table and sit comfortably in an appropriate chair to use it. If you tend to use the laptop in an office most of the time, you are advised to use a ‘docking station’ with a full-sized keyboard, a normal mouse and a display permanently mounted at the correct height. Stop using the portable and consult Health and Safety for assistance if you experience symptoms such as wrist pain, eye strain or headaches that you think may be caused by the way you are using the portable.
Objective
This policy specifies controls to reduce the information security risks associated with outsourcing.
Scope
The policy applies throughout DESK NINE PVT LTD to any service that is expected from outsourcing providers (also known as “outsourcers”), including:
The policy addresses the following controls found in the ISO/IEC 27002:2005 and ISO/IEC 27001 standards:
Exception
The list of approved vendors prior to the implementation of this Policy shall not be subjected to procedural formalities, except having a Confidentiality Agreement executed.
Policy Axioms
Procedure
Ø Selection of an Outsourcer
Criteria for selecting an outsourcer shall be defined and documented, taking into account the:
Further, information security criteria may be defined as the result of the risk assessment.
Ø Assessing outsourcing risks
Management shall nominate a suitable DESK NINE PVT LTD owner for each business function/process outsourced. The owner, with help from the local Information Risk Management Team, shall assess the risks before the function/process is outsourced, using DESK NINE PVT LTD’s standard risk assessment processes.
In relation to outsourcing, specifically, the risk assessment shall take due account of the:
ü nature of logical and physical access to DESK NINE PVT LTD information assets and facilities required by the outsourcer to fulfill the contract;
ü sensitivity, volume and value of any information assets involved;
ü commercial risks such as the possibility of the outsourcer’s business failing completely, or of them failing to meet agreed service levels or providing services to DESK NINE PVT LTD’s competitors where this might create conflicts of interest; and
ü security and commercial controls known to be currently employed by DESK NINE PVT LTD and/or by the outsourcer.
The result of the risk assessment shall be presented to management for approval prior to signing the outsourcing contract. CISO shall present the results of the risk assessment to the Management for strategy decisions without violating the business policy and legal requirements. Management shall decide if DESK NINE PVT LTD will benefit overall by outsourcing the function to the outsourcer, taking into account both the commercial and information security aspects. If the risks involved are high and the commercial benefits are marginal (e.g. if the controls necessary to manage the risks are too costly), the function shall not be outsourced.
Ø Contracts and confidentiality agreements
A formal contract between DESK NINE PVT LTD and the outsourcer shall exist to protect both parties. The contract shall clearly define the types of information exchanged and the purpose for so doing. If the information being exchanged is sensitive, a binding confidentiality agreement shall be in place between DESK NINE PVT LTD and the outsourcer, whether as part of the outsource contract itself or a separate non-disclosure agreement (which may be required before the main contract is negotiated).
o Information security policies, procedures, standards and guidelines, normally within the context of an Information Security Management System such as that defined in ISO/IEC 27001;
o Background checks on employees or third parties working on the contract;
o Access controls to restrict unauthorized disclosure, modification or destruction of information, including physical and logical access controls, procedures for granting, reviewing, updating and revoking access to systems, data and facilities etc.;
o Information security incident management procedures including mandatory incident reporting;
o Return or destruction of all information assets by the outsourcer after the completion of the outsourced activity or whenever the asset is no longer required to support the outsourced activity;
o Copyright, patents and similar protection for any intellectual property shared with the outsourcer or developed in the course of the contract;
o Specification, design, development, testing, implementation, configuration, management, maintenance, support and use of security controls within or associated with IT systems, plus source code escrow;
o Anti-malware, anti-spam and similar controls;
o IT change and configuration management, including vulnerability management, patching and verification of system security controls prior to their connection to production networks;
Although outsourcers that are certified compliant with ISO/IEC 27001 can be presumed to have an effective Information Security Management System in place, it may still be necessary for DESK NINE PVT LTD to verify security controls that are essential to address DESK NINE PVT LTD’s specific security requirements, typically by auditing them.
Ø Hiring and training of employees
Outsource employees, contractors and consultants working on behalf of DESK NINE PVT LTD shall be subjected to background checks equivalent to those performed on DESK NINE PVT LTD employees. Such screening shall take into consideration the level of trust and responsibility associated with the position and (where permitted by local laws):
Companies providing contractors/consultants directly to DESK NINE PVT LTD or to outsourcers used by DESK NINE PVT LTD shall perform at least the same standard of background checks as those indicated above.
Suitable information security awareness, training and education shall be provided to all employees and third parties working on the contract, clarifying their responsibilities relating to DESK NINE PVT LTD information security policies, standards, procedures and guidelines (e.g. privacy policy, acceptable use policy, procedure for reporting information security incidents etc.) and all relevant obligations defined in the contract.
Ø Access controls
In order to prevent unauthorized access to DESK NINE PVT LTD’s information assets by the outsourcer or sub-contractors, suitable security controls are required as outlined in this section. The details depend on the nature of the information assets and the associated risks, implying the need to assess the risks and design suitable controls architecture.
ü Technical access controls shall include:
Procedural components of access controls shall be documented within procedures, guidelines and related documents and incorporated into awareness, training and educational activities. This includes:
ü Physical access controls shall include:
If parts of DESK NINE PVT LTD’s IT infrastructure are to be hosted at a third party data center, the data center operator shall ensure that DESK NINE PVT LTD’s assets are both physically and logically isolated from other systems.
DESK NINE PVT LTD shall ensure that all information assets handed over to the outsourcer during the course of the contract (plus any copies made thereafter, including backups and archives) are duly retrieved or destroyed at the appropriate point on or before termination of the contract. In the case of highly classified information assets, this normally requires the use of a schedule or register and a process whereby the outsourcer formally accepts accountability for the assets at the point of hand-over.
Ø Security audits
Responsibilities
Ø Management is responsible for designating suitable owners of business processes that are outsourced, overseeing the outsourcing activities and ensuring that this policy is followed.
Ø Management is responsible for mandating commercial or security controls to manage the risks arising from outsourcing.
Ø Designated owners of outsourced business processes are responsible for assessing and managing the commercial and security risks associated with outsourcing, working in conjunction with Information Security, Legal and other functions as necessary.
Ø Members of the Information Security Management System at DESK NINE PVT LTD, in conjunction with functions such as Legal, Compliance and Risk Management, are responsible for assisting outsourced business process owners to analyze the associated risks and develop appropriate process, technical, physical and legal controls.
Ø Members of the Information Security Team shall also be responsible for maintaining this policy.
Ø Internal Audit is authorized by management to assess compliance with all corporate policies at any time.
Ø Internal Audit may assist with audits of outsourcing contracts including security compliance audits, and advise management on the risks and controls relating to outsourcing.
Purpose
The purpose of this Policy is to provide guidance for those staff/employees/agents of DESK NINE PVT LTD who use any of the equipment identified below.
A breach of security and/or confidentiality can occur very easily with the loss or misuse of portable equipment.
Scope
All information recorded and/or stored on portable equipment must comply with the DESK NINE PVT LTD Information Security Policy, which should also be consulted when reading this Policy.
Management responsibilities
User responsibilities
The User authorized to carry the equipment shall follow:
Physical Protection
Software/Data protection
Retention of information
Purpose
Intentional and unintentional misuse and abuse of DESK NINE PVT LTD systems pose the greatest threats to information confidentiality, integrity, and availability. Therefore, DESK NINE PVT LTD requires that all users of organizational information systems meet minimum personnel requirements related to the sensitivity of their roles, suitability for employment, personnel investigations, and other personnel security considerations.
Scope
All personnel who use, manage, design, or implement DESK NINE PVT LTD Information Resources.
Roles and Responsibilities
CISO
Information Security Coordinator (ISC)
IT Manager
Users
Policy
Enforcement
Gross negligence or willful disclosure leading to illicit exposure of DESK NINE PVT LTD information may result in prosecution for misdemeanor or felony resulting in fines, imprisonment, civil liability, and/or dismissal.
7.11 VIRUS/MALWARE PREVENTION POLICY
Overview
The number of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate. Implementing sound security policies, blocking unnecessary access to networks and computers, improving user security awareness, and detecting and mitigating security incidents early are some of the actions that can be taken to reduce the risk and drive down the cost of security incidents.
Purpose
The purpose of this Policy is to describe the requirements for preventing, detecting and cleaning up computer viruses, worms, Trojan horses and any other malware.
Scope
The Virus/malware Prevention Policy applies equally to all individuals that use any DESK NINE PVT LTD Information Resources.
Policy Guideline
Enforcement
Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of DESK NINE PVT LTD Information Resources access privileges, civil, and criminal prosecution.
Overview
The practice of sending unsolicited, commercial mass e-mails represents a potential threat to organizational reputation and may be a violation of applicable anti-spam legislation, which defines the quantity and characteristics of bulk commercial e-mails that may legally be sent.
All communications with customers, prospects and other professionals reflect on DESK NINE PVT LTD. In light of increasing antipathy to unsolicited email promotions of any kind, it is generally in the best interest of DESK NINE PVT LTD to limit electronic mailings to legitimate communications with individuals who have indicated a willingness to receive them.
Purpose
This policy describes the permitted and prohibited uses of corporate email systems for bulk emailing. Its purpose is to:
Scope
All individuals who use the DESK NINE PVT LTD e-mail systems and addresses to send bulk e-mails to customers, prospects, or other types of recipients.
Guideline
o Recipients who specifically consented to receive DESK NINE PVT LTD marketing or sales emails
o Recipients who have not explicitly opted out of receiving marketing or sales DESK NINE PVT LTD emails
o Contain false or misleading information in the subject line, headers, or email body
o In any way misrepresent or disguise the sender, point of origin, or transmission path
Anti-spam restrictions also apply to other forms of electronic messaging:
Enforcement
Violation of this policy may result in disciplinary action which may include performance sanctions; termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers. Additionally, individuals are subject to restriction or suspension of DESK NINE PVT LTD email privileges, as well as civil and criminal prosecution.
Overview
Electronic backups are a business requirement to enable the recovery of data and applications in the case of events such as natural disasters, system disk drive failures, espionage, data entry errors, or system operations errors.
Purpose
The purpose of the DESK NINE PVT LTD Data Backup and Storage Policy is to establish the rules for the backup and storage of DESK NINE PVT LTD electronic information.
Scope
The DESK NINE PVT LTD Data Backup and Storage Policy applies to all individuals within the DESK NINE PVT LTD enterprise who are responsible for the installation and support of information resources, to individuals charged with Information Security, and to data owners. Information Services may have existing contracts for offsite backup data storage. These services can be extended to all DESK NINE PVT LTD entities upon request.
Policy
Enforcement
Violation of this policy may result in disciplinary action, including but not limited to performance penalties, employment termination, contract invalidation, civil action, and criminal prosecution. Additionally, violators may lose access privileges to DESK NINE PVT LTD Information Resources.
PASSWORD MANAGEMENT POLICY
Overview
DESK NINE PVT LTD balances the need for employees to access systems and information with the need to control access for the purpose of protecting information confidentiality, integrity, and availability. Account passwords are a mainstay of information security controls. This policy establishes management controls for granting, changing, and terminating access to automated information systems, controls that are essential to the security of DESK NINE PVT LTD information systems.
Scope
All employees who use DESK NINE PVT LTD Information Resources must have unique user account information, including passwords, for access to the various information systems. These procedures apply to accounts on all organizational systems, both in operation and in development.
Roles and Responsibilities
CISO
Information Security Coordinator (ISC)
IT Manager
Users
Policy
Access Authorization Requirements
Access to DESK NINE PVT LTD resources shall be controlled and shall be based on an approved System Access Request Form for each of the systems.
Password Parameters
All user and system passwords, even temporary passwords set for new user accounts, should meet the following characteristics:
In addition, users are required to select a new password immediately after their initial logon. Passwords must be changed at least every 40 days. The three previously used passwords may not be re-used.
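The following Python script is an added illustration, not part of this Policy or of any DESK NINE PVT LTD system, of how the maximum-age and re-use rules above are enforced on an account: each stored password keeps its own salt, so a candidate password has to be re-derived against every retained entry before it can be accepted, and a temporary password is flagged for replacement at first logon. The 40-day maximum age and the three-password history are taken from this section; the PBKDF2 work factor, the account and the dates are assumptions chosen for the example.

```python
"""Added example: password history and maximum-age enforcement (not DESK NINE PVT LTD code)."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

HISTORY_DEPTH = 3            # the three previously used passwords may not be re-used
MAX_AGE_DAYS = 40            # passwords must be changed at least every 40 days
PBKDF2_ITERATIONS = 100_000  # assumed work factor, kept low so the example runs quickly;
                             # production deployments should follow current published guidance


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; every stored entry gets its own salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordState:
    """Per-account state: the current credential plus the last HISTORY_DEPTH superseded ones."""

    def __init__(self, temporary_password: str, issued_at: datetime):
        self.salt = os.urandom(16)
        self.digest = derive(temporary_password, self.salt)
        self.set_at = issued_at
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, digest), oldest first
        self.must_change = True                        # temporary password: replace at first logon

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(derive(password, self.salt), self.digest)

    def is_expired(self, now: datetime) -> bool:
        return now - self.set_at > timedelta(days=MAX_AGE_DAYS)

    def was_used_recently(self, password: str) -> bool:
        """True if the candidate equals the current password or any retained previous one.
        Each entry has a different salt, so the candidate is re-derived once per entry."""
        if self.verify(password):
            return True
        return any(hmac.compare_digest(derive(password, s), d) for s, d in self.history)

    def change(self, new_password: str, now: datetime) -> None:
        if self.was_used_recently(new_password):
            raise ValueError("password matches one of the last %d passwords" % HISTORY_DEPTH)
        self.history.append((self.salt, self.digest))
        self.history = self.history[-HISTORY_DEPTH:]   # retain only the last three
        self.salt = os.urandom(16)
        self.digest = derive(new_password, self.salt)
        self.set_at = now
        self.must_change = False

    def logon_status(self, password: str, now: datetime) -> str:
        """What a logon flow acts on: 'denied', 'change_required' or 'ok'."""
        if not self.verify(password):
            return "denied"
        if self.must_change or self.is_expired(now):
            return "change_required"
        return "ok"


def demo() -> dict:
    """Walk one constructed account through the rules and return the observed outcomes."""
    t0 = datetime(2017, 4, 18, tzinfo=timezone.utc)          # assumed issue date
    acct = PasswordState("Temp-Pass-1!", t0)
    out = {}
    out["first_logon"] = acct.logon_status("Temp-Pass-1!", t0)                      # change_required
    acct.change("Spring-2017-Aa1!", t0)
    out["after_change"] = acct.logon_status("Spring-2017-Aa1!", t0)                 # ok
    out["day_41"] = acct.logon_status("Spring-2017-Aa1!", t0 + timedelta(days=41))  # change_required
    acct.change("Second-Pw-Bb2@", t0 + timedelta(days=41))
    acct.change("Third-Pw-Cc3#", t0 + timedelta(days=80))
    acct.change("Fourth-Pw-Dd4$", t0 + timedelta(days=120))
    # history now holds Spring..., Second..., Third...; the temporary password has aged out
    out["reuse_spring"] = acct.was_used_recently("Spring-2017-Aa1!")   # True: still in history
    out["reuse_temp"] = acct.was_used_recently("Temp-Pass-1!")         # False: older than 3 changes
    return out


if __name__ == "__main__":
    print(demo())
```

The check on re-use cannot be done by comparing hashes directly, because each retained entry was derived with a different salt; the cost of re-deriving the candidate against up to four entries is the price of keeping unique salts, and it is paid only on a password change.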
Password and Account Security
Password Protection Standards
Ø If someone demands a password, refer them to this document or have them call someone in the Information Security department or the IT Manager.
Ø All passwords are to be treated as sensitive, Confidential Information of DESK NINE PVT LTD India Private Limited.
Ø All passwords are to be changed at least once every quarter, except system-level passwords, which are to be changed at least once every forty-two (42) days.
Ø If an account or password is suspected to have been compromised, report the incident to ISMS team and ensure IT Manager takes measures to change all passwords.
Ø The ISMS team shall perform periodic password-cracking assessments and report the results to the Information Security Coordinator, who shall submit them to the Information Security Officer for review and approval. If, during an assessment, the IT Manager finds any password that violates this Policy, he shall send a written mail to the respective User requiring the password to be changed and shall ensure that it is changed.
Enforcement
Violation of this policy may result in disciplinary action, including but not limited to performance penalties, employment termination, contract invalidation, civil action, and criminal prosecution. Additionally, violators may lose access privileges to DESK NINE PVT LTD Information Resources.
PHYSICAL SECURITY POLICY
Overview
Controlling physical access to Information and Information Processing Facilities (referred to herein as “Information Resources”) is a vital function of the DESK NINE PVT LTD security program. This policy sets forth rules for establishing, controlling, and monitoring physical access to Information Resource facilities.
Scope
This policy applies to all individuals within DESK NINE PVT LTD who are responsible for day-to-day access to information and information processing facilities or for the installation and support of information and information processing facilities, to members of information security management and personnel, to other employees, and to data owners.
Policy
Information resources must be physically protected in proportion to the criticality, sensitivity, or business importance of their function(s).
General
Physical access management
Protection of physical access cards and keys
Monitoring and Documentation
Enforcement
Gross negligence or willful disregard of this standard may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of DESK NINE PVT LTD Information Resources access privileges, civil, and criminal prosecution.
POLICY ON CONTROL OF REMOVABLE MEDIA
Purpose
This document states the Removable Media policy for DESK NINE PVT LTD. The policy establishes the principles and working practices that are to be adopted by all users in order for data to be safely stored and transferred on removable media.
This policy aims to ensure that the use of removable media devices is controlled in order to:
Scope
This policy applies to all Departments, Partners and Employees of the Company, and to contractual third parties and agents of the Company, who have access to DESK NINE PVT LTD information, information systems or IT equipment and intend to store any information on removable media devices.
Definition
This policy should be adhered to at all times, but specifically whenever any user intends to store any information used by the Company to conduct official business on removable media devices.
Removable media devices include, but are not restricted to the following:
Risks
DESK NINE PVT LTD recognizes that there are risks associated with users accessing and handling information in order to conduct official Company business. Information is used throughout the Company and is sometimes shared with external organizations and applicants. Securing PROTECT or RESTRICTED data is of paramount importance, particularly in relation to the Company’s need to protect data in line with applicable data protection requirements. Any loss of the ability to access information or interference with its integrity could have a significant effect on the efficient operation of the Company. It is therefore essential for the continued operation of the Company that the confidentiality, integrity and availability of all information recording systems are maintained at a level which is appropriate to the Company’s needs.
This policy aims to mitigate the following risks:
Non-compliance with this policy could have a significant effect on the efficient operation of the Company and may result in financial loss and an inability to provide necessary services to our customers.
Policy Statement
DESK NINE PVT LTD will ensure the controlled use of removable media devices to store and transfer information by all users who have access to information, information systems and IT equipment for the purposes of conducting official Company business.
Applying the Policy
Restricted Access to Removable Media
It is DESK NINE PVT LTD policy to prohibit the use of removable media devices by default. The use of a removable media device will only be approved if a valid business case for its use is developed. There are significant risks associated with the use of removable media, and therefore clear business benefits that outweigh the risks must be demonstrated before approval is given.
Requests for access to, and use of, removable media devices must be made to IT Manager. Approval for their use must be given by Chief Information Security Officer (CISO).
Should access to, and use of, removable media devices be approved the following sections apply and must be adhered to at all times.
Procurement of Removable Media
All removable media devices and any associated equipment and software must only be purchased and installed by IT Services. Non-Company owned removable media devices must not be used to store any information used to conduct official Company business, and must not be used with any Company owned or leased IT equipment.
The only equipment and media that should be used to connect to Company equipment or the Company network is equipment and media that has been purchased by the Company and approved by the IT Manager or has been sanctioned for use by the CISO.
Security of Data
Data that is only held in one place and in one format is at much higher risk of being unavailable or corrupted through loss, destruction or malfunction of equipment than data which is frequently backed up. Therefore removable media should not be the only place where data obtained for Company purposes is held. Copies of any data stored on removable media must also remain on the source system or networked computer until the data is successfully transferred to another networked computer or system.
In order to minimize physical risk, loss, theft or electrical corruption, all storage media must be stored in an appropriately secure and safe environment.
Each user is responsible for the appropriate use and security of data and for not allowing removable media devices, and the information stored on these devices, to be compromised in any way whilst in their care or under their control.
All data stored on removable media devices must, where possible, be encrypted. If this is not possible, then all PROTECT or RESTRICTED data held must be encrypted.
Users should be aware that the Company will audit / log the transfer of data files to and from all removable media devices and Company-owned IT equipment.
Incident Management
Third Party Access to Company Information
Preventing Information Security Incidents
Disposing of Removable Media Devices
Removable media devices that are no longer required, or have become damaged, must be disposed of securely to avoid data leakage. Any previous contents of reusable media that are to be reused, either within the Company or for personal use, must be erased. This must be a thorough removal of all data from the media, using specialist software and tools, to avoid potential data leakage. All removable media devices that are no longer required, or have become damaged, must be returned to the IT Department for secure disposal.
For advice or assistance on how to thoroughly remove all data, including deleted files, from removable media contact the IT Manager.
User Responsibility
All considerations of this policy must be adhered to at all times when using all types of removable media devices. However, special attention must be paid to the following when using USB memory sticks (also known as pen drives or flash drives), recordable CDs, DVDs and diskettes:
For advice or assistance on how to securely use removable media devices, please contact the IT Manager.
Enforcement
If any user is found to have breached this policy, they may be subject to DESK NINE PVT LTD Disciplinary Policy and related procedures. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s).
If you do not understand the implications of this policy or how it may apply to you, seek advice from CISO.
DISCIPLINARY PROCEDURE
Purpose and scope
This procedure is designed to help and encourage all employees to achieve and maintain standards of conduct, attendance and job performance. The company rules (a copy of which is displayed in the office) and this procedure apply to all employees. The aim is to ensure consistent and fair treatment for all in the organization.
Principles
ü Counseling will be offered, where appropriate, to resolve problems.
ü No disciplinary action will be taken against an employee until the case has been fully investigated.
ü At every stage in the procedure the employee will be advised of the nature of the complaint against him or her and will be given the opportunity to state his or her case before any decision is made.
ü At all stages of the procedure the employee will have the right to be accompanied by a trade union representative, or work colleague.
ü No employee will be dismissed for a first breach of discipline except in the case of gross misconduct, when the penalty will be dismissal without notice or payment in lieu of notice.
ü An employee will have the right to appeal against any discipline imposed.
ü The procedure may be implemented at any stage if the employee’s alleged misconduct warrants such action.
ü The minimum three-step statutory procedures will be followed if an employee faces dismissal or certain kinds of action short of dismissal.
Procedure
Stage 1 – improvement note: unsatisfactory performance
If performance does not meet acceptable standards the employee will normally be given an improvement note. This will set out the performance problem, the improvement that is required, the timescale and any help that may be given. The individual will be advised that it constitutes the first stage of the formal procedure. A record of the improvement note will be kept for 6 months, but will then be considered spent – subject to achievement and sustainment of satisfactory performance.
Or
Stage 1 – first warning: misconduct
If the conduct does not meet acceptable standards the employee will normally be given a written warning. This will set out the nature of the misconduct and the change in behavior required. The warning should also inform the employee that a final written warning may be considered if there is no sustained satisfactory improvement or change. A record of the warning should be kept, but it should be disregarded for disciplinary purposes after a specified period (eg, six months).
Stage 2: final written warning
If the offence is sufficiently serious, or there is a failure to improve during the currency of a prior warning for the same type of offence, a final written warning may be given to the employee. This will give details of the complaint, the improvement required and the timescale. It will also warn that failure to improve may lead to action under Stage 3 (dismissal or some other action short of dismissal), and will refer to the right of appeal. A copy of this written warning will be kept by the supervisor but will be disregarded for disciplinary purposes after 6 months subject to achievement and sustainment of satisfactory conduct or performance.
Stage 3 – dismissal or other sanction
If there is still a failure to improve the final step in the procedure may be dismissal or some other action short of dismissal such as demotion or disciplinary suspension or transfer (as allowed in the contract of employment). Dismissal decisions can only be taken by the appropriate senior manager, and the employee will be provided, as soon as reasonably practicable, with written reasons for dismissal, the date on which the employment will terminate, and the right of appeal. The decision to dismiss will be confirmed in writing.
If some sanction short of dismissal is imposed, the employee will receive details of the complaint, will be warned that dismissal could result if there is no satisfactory improvement, and will be advised of the right of appeal. A copy of the written warning will be kept by the supervisor but will be disregarded for disciplinary purposes after 6 months subject to achievement and sustainment of satisfactory conduct or performance.
Statutory Discipline and Dismissal Procedure
If an employee faces dismissal – or certain action short of dismissal such as loss of pay or demotion – the minimum statutory procedure will be followed. This involves:
The employee will be reminded of their right to be accompanied.
Gross Misconduct
The following list provides examples of offences which are normally regarded as gross misconduct:
If you are accused of an act of gross misconduct, you may be suspended from work on full pay, normally for no more than five working days, while the alleged offence is investigated. If, on completion of the investigation and the full disciplinary procedure, the organization is satisfied that gross misconduct has occurred, the result will normally be summary dismissal without notice or payment in lieu of notice.
Appeals
An employee who wishes to appeal against a disciplinary decision must do so within five working days. The HR Manager will hear all appeals and his/her decision is final. At the appeal any disciplinary penalty imposed will be reviewed.
Purpose
The purpose of this policy is to address all issues relevant to software installation and deployment on DESK NINE PVT LTD’s computer systems.
Authority
Continuance
This policy is a living document and may be modified at any time by the IT Manager, Human Resources, or the Top Management.
Mission
DESK NINE PVT LTD’s IT objective is to enable its employees to perform their tasks with technology that is in good operating condition while appropriately addressing the business needs.
Dilemma
Historically, we have not consistently addressed how software is to be deployed to DESK NINE PVT LTD’s computer systems. This lack of a standard policy has adversely affected the IT mission at times. This policy will set protocol as to how software is to be delivered to better enable IT to achieve its objective of delivering stable, well-performing technology solutions.
Installation and Support of DESK NINE PVT LTD’s software
The DESK NINE PVT LTD IT department is exclusively responsible for installing and supporting all software on company computers. This responsibility set includes:
The DESK NINE PVT LTD IT department relies on installation and support to provide software and hardware in good operating condition to DESK NINE PVT LTD employees so that they can best accomplish their tasks.
Current software
DESK NINE PVT LTD IT, in coordination with all other departments, has decided upon the following software standards:
Approved Software list:
Operating System with latest service pack |
Office Suite |
Acrobat Reader |
Archiving / File Compression Tool |
Antivirus |
Instant Messaging Application |
The current software can exist in any one of the following scenarios:
Software cannot be present on DESK NINE PVT LTD computers in the following scenarios:
Software licensing
Most of the software titles on DESK NINE PVT LTD’s current software list are not freeware; therefore, the cost of software is a consideration for most titles and their deployment.
It is the goal of the IT department to keep licensing accurate and up to date. To address this, the IT department is responsible for purchasing software licenses for the following software categories:
The other software categories (workgroup-specific titles) are the purchasing responsibility of the workgroup in which they serve. However, the application(s) are still installed and supported by the IT department.
To control costs, licensing costs are a factor in the decision-making processes that go into client software planning and request approval.
Software Requests
If a user is to request software for their computer, the proper method will be to send a request to the IT manager.
A response is guaranteed within one business day via e-mail. If the Urgent option is selected or an in-person appearance occurs, a solution may be delivered at the first possible time. All in-person or “walk-in” requests are logged by a manual entry into the support request system to track licensing needs and costs.
Summary: DESK NINE PVT LTD’s software installation policy
This policy is designed to let DESK NINE PVT LTD employees achieve their business objectives. Any deviation from this strategy will require the IT department to redeploy software and/or hardware solutions. Full cooperation with this policy is appreciated so that all goals can be met in accordance with the business objectives.
POLICY ON USE OF NETWORK RESOURCES AND SERVICES
Background and Purpose:
This document represents the company-wide guidelines and responsibilities required to maintain acceptable and proper use of all DESK NINE PVT LTD network resources and services. The intent of this policy is to educate users about their responsibilities regarding computing resources and services while identifying certain unacceptable uses of network resources and services.
Scope
This policy covers all computer and communication equipment owned or operated by DESK NINE PVT LTD including all equipment attached to or using DESK NINE PVT LTD resources. Explicit in the above statement is that this policy also includes ANYONE using DESK NINE PVT LTD computer and/or communications equipment and/or ANYONE accessing and/or using DESK NINE PVT LTD resources.
User Responsibilities
Courtesy and respect for rights of others
All members of the DESK NINE PVT LTD community have a responsibility to foster a positive and secure working environment by respecting and valuing the right of privacy and the diversity of the population and of opinion within the community. In addition, all are responsible for complying with Company policy and all laws and contracts regarding the use of information.
Use of resources
Information integrity
Rules
Ø No one shall use any Company network resources or services without proper authorization. No one shall assist in, encourage or conceal any unauthorized use or attempt at unauthorized use of any of the Company’s network resources and services.
Ø Use of network resources and services without permission is theft of services and is illegal under applicable law and prohibited under Company policy.
Ø Authorized use of DESK NINE PVT LTD-owned or operated computing and network resources is use that is consistent with the business and service missions of the Company.
Ø No one shall knowingly endanger the security of any DESK NINE PVT LTD network resource, nor willfully interfere with others’ authorized network usage.
Ø No one shall use DESK NINE PVT LTD’s network resources or services to attempt unauthorized use, nor to interfere with others’ legitimate use, of any network facility anywhere.
Ø No one shall connect any computer or network equipment to any of the Company’s network resources or services until the equipment has been registered with the IT Infrastructure Department.
Ø Users are responsible for adhering to the Internal Network Equipment Policy when connecting any devices to the DESK NINE PVT LTD. One improperly configured computer or network device on a network can cause company-wide disruption.
Ø Devices include, but are not limited to computers, laptops, servers, routers, switches, hubs, wireless devices.
Ø No one without specific authorization shall use any Company network resource or service for non-Company business.
Ø By law, the Company can only provide computer resources and services for its own work, not for private use. Therefore, using Company resources or services to establish, run or support a personal and/or non-Company related business venture (e.g. via email, web site, listserv, etc.) is prohibited.
Ø Users in need of computing/printing resources for private or personal purposes will need to contact local computer vendors for procurement options.
Ø No one shall create, install or knowingly distribute a computer virus or other surreptitiously destructive program on any DESK NINE PVT LTD network resource, regardless of whether any demonstrable harm results.
Ø File sharing software is not permitted.
Enforcement
These policies and procedures are designed to ensure the integrity, security, and proper effective functioning of company IT services. All policy and procedure violations will be subject to investigation and appropriate disciplinary action through established channels that may include, for serious violations, letters of reprimand and/or termination of employment.
USER REGISTRATION, DE-REGISTRATION PROCEDURES
Summary
The following procedures refer to the preparation required to ensure new employees gain access to network and e-mail facilities as quickly and safely as possible on commencement of employment. It also details the process required when removing an individual from the system (e.g. when an individual leaves their employment with DESK NINE PVT LTD).
User Registration
De-registration & Asset Recovery
o The ID account is disabled and the employee is removed from all distribution lists
o The telephone (ext.) will be disabled (if applicable)
o The Mobile Phone’s Calls will be diverted to their reporting / Departmental Managers
o The users’ Home Directory is disabled
o The user’s IT equipment is collected
o Mails will be forwarded to authorized personnel/Departmental Manager
o An Auto Response to user email will be inserted
Purpose
The purpose of this policy is to define standards for systems that monitor and limit web use from any host within DESK NINE PVT LTD India Private Limited’s network. These standards are designed to ensure employees use the Internet in a safe and responsible manner, and ensure that employee web use can be monitored or researched during an incident.
Scope
This policy applies to all DESK NINE PVT LTD India Private Limited employees, contractors, vendors and agents with a DESK NINE PVT LTD India Private Limited owned or personally-owned computer or workstation connected to the DESK NINE PVT LTD India Private Limited network.
This policy applies to all end user initiated communications between DESK NINE PVT LTD India Private Limited's network and the Internet, including web browsing, instant messaging, file transfer, file sharing, and other standard and proprietary protocols. Server to Server communications, such as SMTP traffic, backups, automated data transfers or database communications are excluded from this policy.
Policy
The Information Technology (IT) Department shall monitor Internet use from all computers and devices connected to the corporate network. For all traffic the monitoring system must record the source IP Address, the date, the time, the protocol, and the destination site or server. Where possible, the system should record the User ID of the person or account initiating the traffic. Internet Use records must be preserved for sixty (60) days.
General trending and activity reports will be made available to any employee as needed upon request to the Information Technology Department. Members authorized by the Departmental Manager or Top Management to oversee incidents under the Incident Management Policy, and the Information Security Coordinator, shall have access to all reports and data where necessary to respond to a security incident. Internet Use reports that identify specific users, sites, teams, or devices will be made available to associates outside the Information Technology Department only upon written or email request from a Human Resources representative.
The Information Technology Department shall block access to Internet websites and protocols that are deemed inappropriate for DESK NINE PVT LTD India Private Limited’s corporate environment. The following protocols and categories of websites should be blocked:
The Information Technology (IT) Department shall periodically review and recommend changes to web and protocol filtering rules. Human Resources shall review these recommendations and decide if any changes are to be made. Changes to web and protocol filtering rules will be recorded in the Internet Use Monitoring and Filtering Policy.
If a site is mis-categorized, employees may request the site be un-blocked by submitting a ticket to the Information Technology help desk. An IT employee will review the request and un-block the site if it is mis-categorized.
Employees may access blocked sites with permission if appropriate and necessary for business purposes. If an employee needs access to a site that is blocked and appropriately categorized, they must submit a request to their Human Resources representative. HR will present all approved exception requests to Information Technology in writing or by email. Information Technology will unblock that site or category for that associate only. Information Technology will track approved exceptions and report on them upon request.
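The record format required of the monitoring system (source IP, date and time, protocol, destination, and user ID where possible, preserved for sixty days) and the per-associate exception handling described above can be expressed as a small filtering and logging model. The following Python is an example added to this manual; it is not DESK NINE PVT LTD's filtering system. The category feed, the blocked protocol list, the user names, IP addresses and traffic are constructed assumptions for the example.

```python
# Example added to this manual (not DESK NINE PVT LTD's filtering system).
# Category lists, the blocked protocol list, user names, IP addresses and
# traffic below are constructed for the example.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

RETENTION_DAYS = 60                    # policy: records preserved sixty days
BLOCKED_PROTOCOLS = {"bittorrent"}     # assumed: peer-to-peer file sharing
BLOCKED_CATEGORIES = {                 # assumed category feed (constructed)
    "peer_to_peer": {"tracker.p2p-example.net"},
    "social_networking": {"social.example.com"},
    "hacking": {"exploits.example.org"},
}
REQUIRED_FIELDS = ("src", "ts", "proto", "dst", "action")  # user: where possible

@dataclass(frozen=True)
class UseRecord:
    src_ip: str
    ts: datetime
    protocol: str
    destination: str
    action: str
    user_id: str | None = None      # recorded "where possible"

def categorize(host: str) -> str | None:
    """Blocked category of host or of any parent domain, else None."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        for category, domains in BLOCKED_CATEGORIES.items():
            if ".".join(labels[i:]) in domains:
                return category
    return None

def decide(user_id: str | None, protocol: str, url: str,
           exceptions: dict[str, set[str]]) -> tuple[str, str]:
    """Deny blocked protocols/categories unless HR approved an exception for
    this user; exceptions maps user_id -> approved hosts or categories."""
    proto = protocol.lower()
    if proto in BLOCKED_PROTOCOLS:
        return "deny", f"protocol {proto} blocked"
    host = urlsplit(url).hostname or ""
    category = categorize(host)
    if category is None:
        return "allow", "not in a blocked category"
    approved = exceptions.get(user_id or "", set())
    if host in approved or category in approved:
        return "allow", f"HR-approved exception for {user_id}"
    return "deny", f"category {category} blocked"

def format_record(rec: UseRecord) -> str:
    """One log line carrying every field the policy requires."""
    line = (f"src={rec.src_ip} ts={rec.ts.isoformat()} proto={rec.protocol} "
            f"dst={rec.destination} action={rec.action}")
    return line + (f" user={rec.user_id}" if rec.user_id else "")

def missing_fields(line: str) -> list[str]:
    """Required fields absent from a log line (empty list means complete)."""
    keys = {p.partition("=")[0] for p in line.split() if "=" in p}
    return [f for f in REQUIRED_FIELDS if f not in keys]

def parse_record(line: str) -> UseRecord:
    """Parse a log line, rejecting any that lacks a required field."""
    if missing := missing_fields(line):
        raise ValueError(f"record missing required field(s): {missing}")
    f = dict(p.partition("=")[::2] for p in line.split() if "=" in p)
    return UseRecord(f["src"], datetime.fromisoformat(f["ts"]), f["proto"],
                     f["dst"], f["action"], f.get("user"))

def split_by_retention(records, now: datetime):
    """(keep, purge): records older than RETENTION_DAYS may be purged."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    return ([r for r in records if r.ts >= cutoff],
            [r for r in records if r.ts < cutoff])

def demo() -> dict:
    """Run constructed traffic through the policy and return the outcomes."""
    exceptions = {"asha": {"social_networking"}}       # assumed HR approval
    now = datetime(2017, 6, 1, tzinfo=timezone.utc)
    traffic = [  # (src ip, user, protocol, url, age in days), all constructed
        ("10.0.5.21", "asha", "https", "https://social.example.com/feed", 1),
        ("10.0.5.22", "ravi", "https", "https://www.social.example.com/", 2),
        ("10.0.5.23", None, "bittorrent", "bittorrent://tracker.p2p-example.net/", 61),
        ("10.0.5.24", "ravi", "https", "https://intranet.example.com/", 90),
    ]
    lines = []
    for src, user, proto, url, age in traffic:
        action, _ = decide(user, proto, url, exceptions)
        host = urlsplit(url).hostname or ""
        lines.append(format_record(
            UseRecord(src, now - timedelta(days=age), proto, host, action, user)))
    records = [parse_record(line) for line in lines]
    keep, purge = split_by_retention(records, now)
    return {"actions": [r.action for r in records], "kept": len(keep),
            "purged": len(purge), "lines": lines}
```

Two design points matter here. Exceptions are keyed by user ID, so an HR-approved unblock of a site or category applies to that associate only and never widens the rule for everyone; and the parser refuses any record that lacks one of the mandatory fields, so gaps in the sixty-day evidence trail surface at ingestion rather than during an incident.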
Enforcement
The IT Manager will periodically review Internet use monitoring and filtering systems and processes to ensure they are in compliance with this policy. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Terms | Explanation |
Internet Filtering | Using technology that monitors each instance of communication between devices on the corporate network and the Internet and blocks traffic that matches specific rules. |
User ID | User Name or other identifier used when an associate logs into the corporate network |
IP Address | Unique network address assigned to each device to allow it to communicate with other devices on the network or Internet. |
SMTP | Simple Mail Transfer Protocol. The Internet Protocol that facilitates the exchange of mail messages between Internet mail servers |
Peer to Peer File Sharing | Services or protocols such as BitTorrent and Kazaa that allow Internet connected hosts to make files available to or download files from other hosts |
Social Networking Services | Internet sites such as MySpace and Facebook that allow users to post content, chat, and interact in online communities. |
SPAM | Unsolicited Internet email. SPAM sites are websites linked to from unsolicited Internet mail messages. |
Phishing | Attempting to fraudulently acquire sensitive information by masquerading as a trusted entity in an electronic communication. |
Hacking | Sites that provide content about breaking or subverting computer security controls. |
Purpose
This policy will outline how DESK NINE PVT LTD India Private Limited handles employee privacy.
Scope
This policy shall apply to all employees handling personal information of employees stored with DESK NINE PVT LTD India Private Limited.
Exceptions
No specific exceptions are authorized under this policy. It applies to all employees whose work activity is reviewed, and it defines the privacy they can expect during their time at work.
Privacy Rights
Without limitations to any other policy or procedures followed in DESK NINE PVT LTD India Private Limited and any applicable legal requirements, all employees of DESK NINE PVT LTD India Private Limited can expect a reasonable amount of privacy during the work day. The organization and management trust employees to work on company business while at work with the exception of break periods or observed lunches.
During work, an employee may receive phone calls, email messages, or communications that are not related to work. If these do not interfere with the regular performance of job duties for that employee they are allowed.
Electronic Communication And Documents
Use of Internet Access
Internet use during company time that is not required by job duties, whether for research or other purposes, should be limited to break periods. Any use for non-work purposes that interferes with productivity and performance will not be allowed. Such usage shall adhere to the Internet Usage Policy requirements.
Internal Auditee and Auditors Team (IA)
NAME | TEAM |
Prajwal Tiwari | Internal Auditor |
Aarthy Venkat | Auditee (LEO) |
Deepa Krishnamurthy | Auditee (HR) |
Karan Rao | Auditee (BIZD) |
Pallavi Basvaraju | Auditee (OPS/CSU) |
Riku Srivastav | Auditee (SDEV) |
Sumithra K | Auditee (ADM) |
Sudarshan KR | Auditee (ITA) |
Emergency Response Team (ERT)
NAME | TEAM |
Prajwal Tiwari | Information Security |
Aarthy Venkat | Legal Operations |
Riku Srivastav | Software Development |
Sudarshan KR | IT Admin |
* In the case of “offshore” outsourcing, special consideration must be given to the ramifications of transferring information between countries or jurisdictions, particularly where privacy and similar laws may conflict. Take qualified legal advice as a matter of course.