Bharti Infratel Limited
Policy – Abridged Bharti Infratel Third Party Security Policy-ISBC-40-V1
Version: 1    Date: 30th October 2012
Abridged Bharti Infratel Third Party Security Policy
Version 1.0
Document Control
Document No.: 40
Document Name: Policy – Abridged Bharti Infratel Third Party Security Policy-ISBC-40-V1
Version: 1.0
Date of Release: 30th October 2012

Role / Name / Function or Designation / Signature
Prepared by: Mr. Rajesh Mittal, Information Security Management Representative
Process Owner: Mr. Prashant Veer Singh, Chief Information Security Officer
Reviewed by: Mr. Prashant Veer Singh, Chief Information Security Officer
Reviewed by: Mr. Devender Singh Rawat, Chief Executive Officer

Document Change Approvals
Version No. / Revision Date / Nature of Change / Date Approved / Approved by
1 / - / - / - / -
2 / - / - / - / -
Index
1. Bharti Infratel Third-party Security Policy (BITSP - 001) ........................................7
1.1. Introduction ........................................................................................... 7
1.2. Scope ................................................................................................... 8
1.3. Policy Statement and Objective .................................................................... 9
1.4. Disciplinary Measures for Non-Compliance ........................................................ 9
1.5. Exceptions ............................................................................................. 9
2. Information Security Organisation Policy (BITSP – 002) ........................................ 10
2.1. Introduction ......................................................................................... 10
2.2. Policy Statement and Objective .................................................................. 10
2.3. Sub-Contractors ..................................................................................... 12
3. Asset Management Policy (BITSP – 003) ........................................................... 14
3.1. Introduction ......................................................................................... 14
3.2. Policy Statement and Objective .................................................................. 14
3.3. Asset Register ....................................................................................... 14
3.4. Asset Management Responsibilities .............................................................. 14
3.5. Information Asset Classification .................................................................. 15
4. Human Resources Security Policy (BITSP - 004) ................................................. 18
4.1. Introduction ......................................................................................... 18
4.2. Policy Statement and Objective .................................................................. 18
4.3. During Recruitment ................................................................................. 18
4.4. During Employment ................................................................................. 19
4.5. Termination or Change of Employment Responsibility ........................................ 21
5. Physical and Environmental Security Policy (BITSP – 005) .................................... 22
5.1. Introduction ......................................................................................... 22
5.2. Policy Statement and Objective .................................................................. 22
5.3. Secure Areas ......................................................................................... 22
5.4. Equipment Security ................................................................................. 24
6. Communication and Operations Management Policy (BITSP – 006) .......................... 28
6.1. Introduction ......................................................................................... 28
6.2. Policy Statement and Objective .................................................................. 28
6.3. Operational Procedures and Responsibilities ................................................... 28
6.4. Sub-Contractor Service Delivery Management .................................................. 31
6.5. System Planning and Acceptance ................................................................. 32
6.6. Protection against Malicious and Mobile Code .................................................. 32
6.7. Back-up ............................................................................................... 33
6.8. Network Security Management ................................................................... 33
6.9. Media Handling ...................................................................................... 36
6.10. Exchange of Information ........................................................................ 37
6.11. Electronic Commerce Services ................................................................. 39
6.12. Monitoring ........................................................................................ 40
7. Access Control Policy (BITSP – 007) ................................................................ 42
7.1. Introduction ......................................................................................... 42
7.2. Policy Statement and Objective .................................................................. 42
7.3. User Access Management .......................................................................... 42
7.4. User Responsibilities ............................................................................... 45
7.5. Network Access Control ............................................................................ 47
7.6. Operating System Access Control ................................................................. 49
7.7. Application and Information Access Control .................................................... 51
7.8. Mobile Computing and Teleworking .............................................................. 51
8. Information Systems Acquisition, Development & Maintenance Policy (BITSP – 008) .... 53
8.1. Introduction ......................................................................................... 53
8.2. Policy Statement and Objective .................................................................. 53
8.3. Security Requirements of Information System .................................................. 53
8.4. Correct Processing in Application ................................................................ 54
8.5. Cryptographic Controls ............................................................................. 55
8.6. Security of System Files ............................................................................ 56
8.7. Security in Development and Support Processes ............................................... 57
8.8. Technical Vulnerability Management ............................................................ 59
9. Information Security Incident Management Policy (BITSP – 009) ............................ 60
9.1. Introduction ......................................................................................... 60
9.2. Policy Statement and Objective .................................................................. 60
9.3. Security Incident Identification ................................................................... 60
9.4. Reporting Information Security Events and Weakness ......................................... 61
9.5. Security Incident Response, Recovery and Improvements .................................... 62
10. Business Continuity Management Policy (BITSP – 010) ......................................... 64
10.1. Introduction ...................................................................................... 64
10.2. Policy Statement and Objective ............................................................... 64
10.3. Information Security Aspects of Business Continuity Management ....................... 64
11. Compliance Policy (BITSP – 011).................................................................... 67
11.1. Introduction ...................................................................................... 67
11.2. Policy Statement and Objective ............................................................... 67
11.3. Compliance with Legal Requirements ........................................................ 67
11.4. Information Systems Audit Considerations ................................................... 70
1. Bharti Infratel Third-party Security Policy (BITSP - 001)
1.1. Introduction
In a rapidly expanding telecom and telecom passive infrastructure market, it is
almost impossible to deliver services to customers and value to stakeholders
without the collaboration of third parties. Today, third parties are extended
members of the value chain of Bharti Infratel Limited (hereafter referred to as
Bharti Infratel). This calls for improving Bharti Infratel’s relationship with third
parties, particularly in the area of information security.
Given the potential for increased information security lapses on the part of third parties, a stringent Bharti Infratel Third-party Security Policy (hereafter referred to as the BITSP in this document) has been framed to help Bharti Infratel insulate itself from the risks that are likely to arise from such relationships. The foundation on which the BITSP is based is “trust but verify stringently”. Accordingly, there is a need to involve information security ‘before’, ‘during’ and ‘after’ relationships with third parties are established, and to impose on the third parties involved with Bharti Infratel strict security standards and practices in line with the Bharti Infratel Information Security Policy (BIISP). There is also a need to ensure that these third parties communicate the effectiveness of their information security controls by obtaining security certifications such as ISO 27001:2005 and/or by having an independent body review their information security and privacy practices against the BIISP.
1.2. Scope
The Bharti Infratel Third-party Security Policy (BITSP) is applicable to all Third-parties providing
services to Bharti Infratel.
Definition of ‘Third-party’: For the purposes of this document, a ‘Third-party’ is a service provider/vendor that associates with Bharti Infratel and is involved in handling, managing, storing, processing and transmitting information of Bharti Infratel. The Third-party could be a service provider/vendor of any of the kinds listed below, but is not limited to these:
• Diesel Filler Vendors (e.g. Pratap, Perigreen);
• Physical Security Vendors (e.g. CheckMate);
• Equipment Suppliers (e.g. Mahindra, ACME, Bluestar);
• IT Equipment Suppliers (e.g. AGC, Lenovo, Sony);
• IT Services Vendors (e.g. IBM, AES, AGC Networks);
• Site Built-up Services Vendors (e.g. TVSICS, Emerson, Punj Lloyd);
• Liaisoning Services Vendors (e.g. TVSICS);
• Non-conventional Energy Suppliers (e.g. AST, KMR, OMC);
• Management Consulting/Manpower Service Providers (e.g. Adecco, E&Y, Protiviti);
• Office Admin Services (e.g. CBRE);
• Equipment Services Vendors (e.g. AMC providers).
This definition also includes all sub-contractors, consultants and/or representatives of the Third-party.
The BITSP is applicable across all geographies where information of Bharti Infratel is processed and/or stored by a Third-party.
Policy Owner
The owner of the BITSP is the Chief Information Security Officer (hereinafter referred to as CISO in
this document).
1.3. Policy Statement and Objective
Security of information assets used by Third-parties for providing services to Bharti Infratel is of
paramount importance and Confidentiality, Integrity and Availability of these shall be maintained
at all times by the Third-parties concerned through controls commensurate with the asset value.
The objectives of this policy are to:
• Provide the Third-party with an approach and directives for implementing information
security of all information assets used by them for providing services to Bharti Infratel; and
• Ensure that the Third-party adheres to all provisions of the Third-party Security Policy.
1.4. Disciplinary Measures for Non-Compliance
Non-compliance with the BITSP is grounds for disciplinary action up to and including termination of the contract.
1.5. Exceptions
The BITSP is intended to be the statement of information security requirements that need to be
met by the Third-party. However, in case a Third-party perceives difficulty in adhering to any of
the controls, exceptions for an individual control may be requested by the Third-party. Exceptions
are applicable only if approved by the CISO.
2. Information Security Organisation Policy (BITSP – 002)
2.1. Introduction
The Third-party is required to ensure that they have an Information Security Organisation structure
in place along with mutually-agreed responsibilities, authority and relationships to maintain
information security requirements as per the BITSP.
2.2. Policy Statement and Objective
The Third-party shall ensure that they have an Information Security Organisation in place to
implement the provisions of the Third-party Security Policy.
2.2.1 Management Commitment to Information Security
Control Statement: The Management of the Third-party shall be committed to implement and
adhere to the information security requirements of Bharti Infratel.
Explanatory Notes: The Management of the Third-party is required to extend its full co-operation
and support to the information security requirements of Bharti Infratel and also ensure that all its
employees working for/at Bharti Infratel respect and adhere to the BITSP.
2.2.2 Information Security Co-ordination
Control Statement: A suitable management body to co-ordinate and maintain information security
activities in Bharti Infratel shall be nominated.
Explanatory Notes: It is recommended that the Third-party ensures that all its functions, such as HR, Administration, Information Technology (IT), IAG, Legal and others, willingly co-operate and co-ordinate with Bharti Infratel to satisfy the latter’s information security needs. The Third-party is required to nominate a SPOC to interface with Bharti Infratel for all its information security activities. The SPOC is required to communicate the relevant sections of the BITSP to the team that serves Bharti Infratel. The CISO of Bharti Infratel and the Third-party Security SPOC shall coordinate with each other on the implementation of the BITSP and address any security-related issues.
2.2.3 Responsibility for Information Security
Control Statement: The Information Security responsibilities of all employees working for Bharti
Infratel shall be defined and communicated.
Explanatory Notes: The Third-party shall ensure that its information security responsibilities are identified, documented and communicated to its employees providing services to Bharti Infratel. The employees of the Third-party are required to understand the security roles and responsibilities that they need to practise in their day-to-day operations in Bharti Infratel.
2.2.4 Authorisation Process for Information Processing Facilities
Control Statement: An authorisation process for new information processing facilities shall be
implemented by the Third-party.
Explanatory Notes: The Third-party shall obtain authorisation from the appropriate authority of Bharti Infratel before obtaining access to information systems and/or processing facilities of Bharti Infratel.
Similarly, all new information processing facilities used for providing services to Bharti Infratel shall be set up only after receiving approval from the relevant management of the Third-party. The Third-party’s employees and visitors shall be informed which personal computing devices are not allowed into the Bharti Infratel and/or Third-party facility, and it shall be ensured that these devices are not brought inside the facility without proper authorisation. If such devices are brought inside the facility and are required to connect to the Bharti Infratel network, appropriate authorisation shall be obtained from Bharti Infratel.
Any laptop or other information processing unit owned by the Third-party could introduce new vulnerabilities; therefore controls such as up-to-date antivirus, personal firewall software and other relevant desktop/laptop security software are required to be configured on the system before it is connected to the Bharti Infratel network.
An information processing facility of the Third-party, such as an offshore development centre, that needs to connect to the Bharti Infratel network shall require approval from Bharti Infratel before access is permitted.
2.2.5 Confidentiality & Non-Disclosure Agreements
Control Statement: A Non-Disclosure Agreement with Bharti Infratel shall be signed.
Explanatory Notes: The Non-Disclosure Agreement mandates that the Third-party shall not disclose any information related to Bharti Infratel that Bharti Infratel has identified as ‘Restricted’, ‘Confidential’ or ‘Internal’. The Third-party shall ensure that it reads, accepts and signs the Non-Disclosure Agreement provided by Bharti Infratel.
2.2.6 Contact with Local Authorities
Control Statement: Appropriate contacts with all relevant local authorities shall be established and
maintained.
Explanatory Notes: The Third-party is required to ensure that appropriate contacts are established
with all local authorities such as Fire, Police, Hospital(s), Ambulance and the other
authorities/services which need to be contacted in case of an emergency. An individual shall be
identified (preferably from the Admin function) and assigned with the responsibility to maintain all
such contacts.
2.2.7 Contact with Special Interest Groups
Control Statement: Appropriate contacts with relevant special interest groups shall be established
and maintained.
Explanatory Notes: The Third-party shall establish and maintain contacts with special interest groups to ensure that its understanding of the information security environment is current, including updates on security advisories, vulnerabilities and patches. The IT security function of the Third-party should subscribe to these groups and, based on the periodic updates received, take the initiative to analyse and resolve the security issues identified. It should be ensured that contact with these forums/groups is for receiving alerts only; users should not post any queries to such forums revealing details of the information assets or network of Bharti Infratel.
2.2.8 Independent Review of Information Security
Control Statement: An independent review of information security should be conducted to assess
the compliance with BITSP.
Explanatory Notes: An independent review should be conducted on a yearly basis to assess the Third-party’s compliance with the BITSP. Bharti Infratel reserves the right to audit the Third-party. The independent review should be conducted by a reputed audit organisation. It is recommended that the Third-party obtains audit certification/verification from the auditors. The Third-party may need to share the audit report with Bharti Infratel if required.
If, during the audit, it is found that the Third-party is not compliant with the directions stated in
the BITSP, actions as stated in the clause for non-compliance shall be applicable.
2.3. Sub-Contractors
2.3.1 Identification of Risk Related to Sub-contractor
Control Statement: All threats and risks related to sub-contractors shall be identified and mitigated.
Explanatory Notes: The Third-party shall conduct a Risk Assessment and ensure that all risks arising from sub-contractor access to Bharti Infratel information assets are identified, measured and mitigated appropriately before such access is provided. The Risk Assessment report is required to be shared with the CISO of Bharti Infratel prior to providing the sub-contractor with access to information and/or information-processing facilities.
2.3.2 Addressing Security when Dealing with Customers
Control Statement: Appropriate security controls shall be addressed when dealing with customers.
Explanatory Notes: Controls shall be in place so that the information assets or information processing environment used for providing services to Bharti Infratel are physically and logically segregated from those used for other customers. Specific approval is required to be taken from the CISO for any exception to this.
2.3.3 Addressing Security in Sub-contractor Agreements
Control Statement: Agreements with the sub-contractors, who are involved in providing services to
Bharti Infratel, shall cover information security requirements as applicable in the BITSP.
Explanatory Notes: Agreements with the sub-contractors who are engaged by the Third-party and are involved in accessing, processing, communicating or managing the information of Bharti Infratel shall cover all information security requirements in accordance with the BITSP. Additionally, the Third-party should ensure that its sub-contractors access the information assets of Bharti Infratel only after signing a formal contract and a Non-Disclosure Agreement with the Third-party. The Third-party is also required to ensure that Intellectual Property Rights are honoured by all its sub-contractors. Such contracts and Non-Disclosure Agreements entered into with sub-contractors shall be shared with Bharti Infratel if Bharti Infratel so requires.
3. Asset Management Policy (BITSP – 003)
3.1. Introduction
All information assets deployed for providing services to Bharti Infratel by the Third-party shall be
provided comprehensive protection. The Third-party, being the owner and/ or custodian of the
information assets and associated processing facilities, shall be responsible for implementing the
controls defined in this policy to maintain confidentiality, integrity and availability of these
information assets.
3.2. Policy Statement and Objective
Identification, classification and CIA valuation of information assets including the identification of
asset owner and custodian are extremely important to design and implement the required controls
for the protection of the assets.
The objectives of the policy are to ensure that:
• All information assets used by the Third-party in providing services to Bharti Infratel have been identified, and an owner and a custodian have been designated for each by the Third-party;
• All information assets are classified based on their criticality to the business; and
• All information assets receive an appropriate level of protection by implementing relevant
controls.
3.3. Asset Register
Third-party shall create and maintain asset registers for all information assets belonging to them
that are deployed to provide services to Bharti Infratel. The asset register is required to contain, at
a minimum, the following information about the assets:
• The identification and location of assets;
• The business function or process that uses the asset;
• The type and classification of asset;
• The Asset Owner, Custodian and User; and
• The Confidentiality, Integrity and Availability ratings of the asset.
3.4. Asset Management Responsibilities
The responsibility for implementing appropriate security controls to identify, classify and protect
the assets is required to be defined.
3.4.1 Inventory of Assets
Control Statement: Information assets owned by the Third-party shall be identified and an
inventory of these assets shall be documented and maintained.
Explanatory Notes: An inventory of all important assets is required to be maintained by the Third-party. Such an inventory shall include all necessary information, including the type of asset, asset owner, asset custodian, asset location (office location) and the criticality value needed to recover from a disaster. This inventory is required to be maintained in accordance with the Asset Management Procedure laid down by Bharti Infratel.
3.4.2 Ownership of Assets
Control Statement: Information assets that are used to provide services to Bharti Infratel shall
have a designated owner from the Third-party.
Explanatory Notes: Assets owned by the Third-party and used to process information of Bharti Infratel shall each have a designated owner belonging to the Third-party. The asset owner shall be responsible for the following:
• Ensuring that the assets are appropriately classified as per the Classification Guidelines
(Refer BITSP - section 3.5.1);
• Ensuring that assets are correctly entered in the Asset Register as per a formal Asset
Management Procedure;
• Defining and reviewing periodically the access rights to their respective assets.
3.4.3 Acceptable Use of Assets
Control Statement: Third-party shall develop and implement Rules for the acceptable use of
information assets that are used to provide services to Bharti Infratel.
Explanatory Notes: The Third-party is required to ensure that its employees adhere to the acceptable-use rules it has developed.
3.5. Information Asset Classification
The information assets have different degrees of sensitivity and criticality. Some items may require
an additional level of protection or special handling. The information classification criteria shall be
used by the Third-party to classify the information assets used to provide services to Bharti Infratel.
Information assets that are owned by Bharti Infratel are classified by Bharti Infratel, and the Third-party shall handle them according to their classification level.
3.5.1 Classification Guidelines
Control Statement: All information assets shall be classified in terms of their value, sensitivity and criticality to Bharti Infratel.
Explanatory Notes: Important information assets shall be assigned an asset criticality rating as per
guidelines laid down in the Asset Management Procedure, to assess the relative importance of such
assets to Bharti Infratel and to determine the level of security measures to be implemented for
their protection.
Information assets shall be classified in terms of their sensitivity and criticality to the business of Bharti Infratel into one of the following categories:
• Restricted: This classification applies to the most critical business information, which is intended strictly for the use of Bharti Infratel. Its unauthorised disclosure could adversely impact the Bharti Infratel business, its stockholders, its business partners and/or its customers, leading to legal and financial repercussions and adverse public opinion. Information that some people would consider to be private is included in this classification.
Examples: Critical Servers, Critical Passive Infrastructure devices, System Access Controls,
System Passwords, Technology related Documents, Engineering documents, etc.
• Confidential: This classification applies to the sensitive business information, which is
intended for the use of Bharti Infratel. Its unauthorised disclosure could adversely impact
Bharti Infratel business, its stockholders, its business partners, its employees, and/or its
customers.
Examples: System configuration procedures, internal audit reports which comprise the
collective experience, knowledge, skill, and information of Bharti Infratel.
• Public: This classification applies to the information, which has been explicitly approved by
the Bharti Infratel management for release to the public. By definition, there is no such
thing as unauthorised disclosure of this information and it may be freely disseminated
without potential harm.
Examples: advertisements, and published press releases.
• Internal: This classification applies to the information, which is specifically meant for
internal use within Bharti Infratel. While its unauthorised disclosure is against the policy, it
is not expected to seriously or adversely impact business of Bharti Infratel, its employees,
customers, stockholders & business partners.
Examples: Telephone directory, training materials and manuals, internal staff circulars.
3.5.2 Information Asset Labelling and Handling
Control Statement: The Third-party shall follow the procedures for information asset labelling and
handling for all information assets that are used to provide services to Bharti Infratel.
Explanatory Notes: All information assets are required to be labelled by the Third-party and maintained as per a formal Information Labelling and Handling Guideline. These assets shall be labelled (marked) using the classification scheme, with the label indicating only the level of sensitivity of the information. Public information may be excluded from labelling.
4. Human Resources Security Policy (BITSP - 004)
4.1. Introduction
The Human Resource Security Policy defines the controls that are required to be implemented and
maintained during the recruitment process, employment process and termination or change of
employment to ensure the protection of information assets that are used to provide services to
Bharti Infratel from human error, misuse, theft or fraud.
4.2. Policy Statement and Objective
All employees of the Third-party with access to the information assets of Bharti Infratel shall
understand their responsibilities for the comprehensive protection of information and processing
facilities of Bharti Infratel.
The objectives of this policy are to:
• Ensure that appropriate security controls are followed at the time of recruitment by the
Third-party;
• Ensure that the Third-party employees understand their responsibilities and roles regarding
information security in Bharti Infratel;
• Reduce the risks of human error, theft, fraud or misuse of the information assets; and
• Ensure that employees are aware of information security threats and concerns and are
equipped to support the BITSP in the course of their work.
• Failure to adhere to information security responsibilities may entail appropriate disciplinary
action.
4.3. During Recruitment
The Human Resources function of the Third-party shall ensure that security responsibilities are
defined and addressed, prior to employment, in adequate job descriptions and in the terms and
conditions of employment. It is strongly recommended that background verification checks are
conducted for the employees who will provide services to Bharti Infratel.
4.3.1 Roles and Responsibilities
Control Statement: The security roles and responsibilities of employees shall be defined and
documented.
Explanatory Notes: It is required that the HR function of the Third-party define, document and
communicate the security roles and responsibilities of its employees to ensure that they:
• Act in accordance with the BITSP;
• Protect assets from unauthorised access, disclosure, modification and destruction; and
• Execute specific security processes and activities.
4.3.2 Screening
Control Statement: Background verification checks shall be carried out for the employees who will
provide services to Bharti Infratel.
Explanatory Notes: It is required that the Third-party carries out background verification checks
for employees who have access to Bharti Infratel information systems and processing facilities.
The Third-party is also recommended to provide evidence of the same to Bharti Infratel.
4.3.3 Terms and Conditions of Employment
Control Statement: The Third-party shall ensure that their employees read and accept the terms
and conditions of employment, which shall reflect the information security requirements of Bharti
Infratel as specified in the BITSP.
Explanatory Notes: Before being deployed at Bharti Infratel to provide the services as per
contract, the Third-party is required to define the terms and conditions of employment and
communicate them to its employees. The terms and conditions are required to include the following:
• Signing of a confidentiality agreement, which may hold employees liable for any unauthorised
disclosure, modification and/or destruction of information, information systems and/or
processing facilities of Bharti Infratel;
• Legal responsibilities and rights;
• The responsibility for handling information as per its level of classification;
• The responsibility for exhibiting due diligence while handling information received from
external parties and protecting its confidentiality and integrity; and
• The actions to be taken if any employee disregards the information security requirements
of Bharti Infratel.
4.4. During Employment
The HR function and concerned personnel of the Third-party are required to take appropriate
actions to ensure that:
• The employees are duly informed of their information security responsibilities to maintain a
reasonable level of security for information assets and processing facilities used to provide
services to Bharti Infratel; and
• An adequate level of awareness, education and training on information security is
provided to all employees.
4.4.1 Management Responsibilities
Control Statement: The Management of the Third-party should require its employees to adhere to
information security requirements in accordance with the BITSP.
Explanatory Notes: It is recommended that the Management of the Third-party ensure that
its employees providing services to Bharti Infratel apply security in adherence to the BITSP. The
Management of the Third-party should ensure that:
• Employees are properly informed of their roles and responsibilities towards
information security in Bharti Infratel;
• Employees achieve a level of awareness of security in proportion to their roles;
• Employees attend the information security awareness training programme before they are
deployed at Bharti Infratel premises; and
• Employees have the appropriate skills and qualifications required to do the job for Bharti
Infratel.
4.4.2 Information Security Awareness, Education and Training
Control Statement: Employees providing services to Bharti Infratel should receive appropriate
awareness training and regular updates on the BITSP and information security, as relevant to their
job.
Explanatory Notes: The Third-party shall ensure that all employees receive formal training in
Information Security Awareness. Inputs and updates for this will be provided by Bharti Infratel to
the Third-party as and when they become available. The Third-party should ensure that they
update their employees as and when these are made available.
4.4.3 Disciplinary Process
Control Statement: A disciplinary process for information security violations shall be established
and documented. Employees shall be informed of the disciplinary process.
Explanatory Notes: A formal disciplinary process for violations of the BITSP is required to
commence after it has been verified that a security breach/violation involving an employee has
occurred.
The Third-party is required to ensure that its employees are made aware of the formal disciplinary
process which may be initiated if they violate the BITSP or commit/participate in any kind of
security breach.
4.5. Termination or Change of Employment Responsibility
Adequate security measures are required to be taken by the Third-party when employees change
role within the Third-party organisation, withdraw from the Bharti Infratel project, or resign
from the Third-party organisation.
It is required to be ensured that the access rights granted to such employees on information,
information assets and/or processing facilities are reduced, changed or revoked depending on the
situation.
4.5.1 Return of Assets
Control Statement: The Third-party’s employees shall return all assets in their possession, used to
provide services to Bharti Infratel, upon termination of their employment.
Explanatory Notes: All Third-party employees are required to return all previously issued
software, documents, equipment, laptops, PDAs, access cards, manuals, and information stored on
electronic media which are used to provide services to Bharti Infratel.
4.5.2 Removal of Access Rights
Control Statement: The access rights of employees shall be revoked at the time of termination or
changed when the current role of the employee changes.
Explanatory Notes: Access rights to information and information-processing facilities held by
employees of the Third-party are required to be revoked upon termination or withdrawal from the
Bharti Infratel project. It is required that all passwords for active accounts that a departing
employee has known are forcibly changed with immediate effect. In case of a change of role of a
Third-party employee, the access rights are required to be revised and adjusted as appropriate in
accordance with the BITSP.
5. Physical and Environmental Security Policy (BITSP – 005)
5.1. Introduction
The Physical and Environmental Security Policy defines the appropriate controls to maintain the
required physical and environmental security of information assets and information-processing
facilities that are used to provide services to Bharti Infratel.
5.2. Policy Statement and Objective
Assets and facilities, which house information of Bharti Infratel, shall be protected from
unauthorised physical access and environmental threats. All physical access and movement of
information systems shall be monitored and reviewed.
The objectives of the policy are to:
• Prevent unauthorised physical access, damage, and interference to information assets;
• Ensure that critical and sensitive information systems located at the Third-party location and
used to provide services to Bharti Infratel are protected by defined security perimeters, with
appropriate security barriers and entry controls;
• Protect assets by implementing environmental controls to prevent damage from
environmental threats; and
• Regularly conduct preventive maintenance for infrastructural equipment to ensure faultless
services.
5.3. Secure Areas
An adequate level of security shall be provided to the facilities and office locations housing
information assets used to provide services to Bharti Infratel.
5.3.1 Physical Security Perimeter
Control Statement: The Third-party shall ensure that a physical security perimeter is defined and
implemented for office locations and facilities housing information assets that are used to provide
services to Bharti Infratel.
Explanatory Notes: The Third-party is required to ensure that a physical security perimeter is used
to secure all such facilities where the information systems that are used to provide services to
Bharti Infratel are hosted. Physical security perimeters such as a wall, card-controlled entry gates
and/or manned reception desks should be used to secure the facility.
5.3.2 Physical Entry Controls
Control Statement: Secure areas within the facility of the Third-party shall be protected by
appropriate entry controls to ensure authorised access.
Explanatory Notes: The Third-party is recommended to ensure that only authorised persons are
provided access to secure areas (areas hosting information systems/equipment). Access to all such
areas should be controlled, recorded and monitored by the Third-party. The secure areas shall have
physical security checkpoints.
5.3.3 Securing Offices, Rooms and Facilities
Control Statement: Physical security controls for offices, rooms and facilities should be designed
and applied.
Explanatory Notes: The Third-party is recommended to ensure that offices, rooms and facilities
that store critical information of Bharti Infratel are secured. The following is recommended to be
considered:
• Relevant safety regulations and standards are implemented;
• Key facilities should be sited securely so as to avoid access by the public; and
• Where applicable, buildings should be unobtrusive and give minimum indication of their
purpose, with no obvious signs, outside or inside the building identifying the presence of
information processing activities that are used to provide services to Bharti Infratel.
5.3.4 Protection against External and Environmental Threats
Control Statement: Protection against damage from natural and man-made disasters shall be
designed and implemented.
Explanatory Notes: Physical protection against damage from fire, flood, earthquake, explosion,
civil unrest, and other forms of environmental, natural or man-made disaster is required to be
designed and applied. It should be considered that:
• Adequate air-conditioning and humidity-control systems are implemented to support
information systems and equipment that are used to provide services to Bharti Infratel;
• Fire suppression systems are installed wherever applicable;
• Hazardous, combustible material and stationery items are stored at a secure distance from
the secure area;
• Adequate power supply controls are implemented to ensure continuous power supply at the
facilities being used to provide services to Bharti Infratel; and
• Fallback equipment and back-up media are sited at a different location to ensure continuity
of business operations.
5.3.5 Working in Secure Areas
Control Statement: Guidelines for working in secure areas shall be designed and implemented.
Explanatory Notes: The following guidelines are required to be ensured under the BITSP:
• Personnel should be aware of the existence of, or activities within, a secure area only on a
‘need-to-know’ basis;
• Unsupervised working in secure areas is required to be avoided to prevent opportunities for
malicious activities;
• Vacant secure areas are required to be physically locked and periodically checked; and
• Photographic, video, audio or other recording equipment, such as cameras in mobile
devices, shall not be allowed in restricted areas unless authorised by the management of
the Third-party.
5.3.6 Public Access, Delivery and Loading Areas
Control Statement: All loading and un-loading areas shall be isolated from information-processing
facilities that are used for providing services to Bharti Infratel.
Explanatory Notes: Entry points in the Third-party’s location such as delivery and loading areas and
other points where unauthorised personnel may enter are required to be controlled and isolated
from information-processing facilities to avoid unauthorised access.
5.4. Equipment Security
Security controls shall be implemented to prevent loss, damage, theft of any equipment,
compromise of information systems and interruption to the services provided to Bharti Infratel by
the Third-party. ‘Equipment’ hereinafter refers to systems that are used to store and process
information of Bharti Infratel. They include, but are not limited to, laptops, desktops, servers, and
network devices.
5.4.1 Equipment-Siting and Protection
Control Statement: All equipment used to provide services to Bharti Infratel, shall be sited and
protected to reduce risks from environmental threats and hazards and opportunities of
unauthorised access.
Explanatory Notes: All equipment used to provide services to Bharti Infratel is required to be
protected against environmental threats and unauthorised access. It is required to ensure that:
• The equipment is appropriately located and security controls are put in place to reduce the risk
of potential threats (e.g., theft, fire, explosives, smoke, flooding, dust, vibrations, chemical
effects, electrical supply interference) to its continuous use;
• Appropriate controls, such as for temperature and humidity, are implemented for the safety
of the equipment;
• Guidelines for eating, drinking and smoking in the proximity of any equipment are
established; and
• All equipment that processes sensitive data of Bharti Infratel is positioned in such a way as
to restrict the viewing angle, in order to reduce the risk of information being viewed by
unauthorised personnel.
5.4.2 Supporting Utilities
Control Statement: All equipment used to provide services to Bharti Infratel shall be protected
from power failures and other disruptions caused by failure of supporting utilities.
Explanatory Notes: The Third-party is required to ensure that:
• All supporting utilities, such as electricity, water supply, sewage, heating/ventilation, and
air-conditioning are in appropriate condition for the systems being used to provide services
to Bharti Infratel.
• Uninterruptible Power Supply (UPS) systems and generators are installed to support
controlled shutdown or continued functioning of equipment being used to provide services
to Bharti Infratel.
• An alarm system to highlight any malfunctioning of any of the supporting utilities is
installed.
• Adequate contacts are in place with vendors to provide services whenever there is an
emergency.
5.4.3 Cabling Security
Control Statement: Power and telecommunication network cables shall be protected from damage
or interception.
Explanatory Notes: In places where Bharti Infratel information assets are housed for maintenance,
the Third-party is required to identify and mark network cables and their corresponding terminals
being used to provide services to Bharti Infratel. The Third-party is required to segregate power
cables from the communication cables through a separate conduit to prevent any interference.
5.4.4 Equipment Maintenance
Control Statement: All equipment shall be appropriately maintained to ensure their continued
availability and integrity.
Explanatory Notes: All equipment that is used for providing services to Bharti Infratel is
required to be maintained in accordance with the supplier’s recommended service intervals and
specifications.
A preventive maintenance exercise for all equipment being used to provide services to Bharti
Infratel is required to be conducted at scheduled intervals, ensuring its continued availability and
integrity. The Third-party shall ensure that appropriate controls are applied to prevent any
information leakage or destruction when equipment is scheduled for preventive maintenance.
5.4.5 Security of Equipment Off-premises
Control Statement: Security shall be applied to off-site equipment taking into account different
risks outside the premises.
Explanatory Notes: All equipment being used for Bharti Infratel (e.g. towers, backup media, and
laptops) is required to receive the appropriate level of protection against physical and
environmental threats. Equipment that is used for providing services to Bharti Infratel and
is installed outside the Third-party’s premises is to be monitored at regular intervals.
The Third-party is required to ensure that information assets of Bharti Infratel are not taken out
without an authorised gate pass signed by the concerned authorised personnel.
5.4.6 Secure Disposal and Re-use of Equipment
Control Statement: The equipment containing information of Bharti Infratel shall be disposed of in
a secure manner.
Explanatory Notes: Equipment such as OSS and data switches containing information like the
configuration parameters for Bharti Infratel is required to be erased and/or disposed of in a secure
manner. If equipment is unrepairable, it shall be physically destroyed. In case of re-use of
such equipment, the Third-party shall ensure that all information and parameters used for
Bharti Infratel are erased/formatted.
5.4.7 Removal of Property
Control Statement: The equipment, information or any software shall not be taken off-site without
prior authorisation.
Explanatory Notes: Any equipment, information system, storage device or software holding
information that belongs to Bharti Infratel shall not be taken outside the Third-party’s premises
without prior authorisation from the management of the Third-party. A gate pass shall be used as a
means to prevent any unauthorised removal of property.
6. Communication and Operations Management Policy (BITSP – 006)
6.1. Introduction
The Communication and Operations Management Policy establishes appropriate controls, including
development of operating procedures, monitoring user-activities, and deploying appropriate
technology to prevent unauthorised access, misuse or failure of the information systems and
equipment and to ensure confidentiality, integrity and availability of information that is processed
by, or stored in, the information systems/equipment.
6.2. Policy Statement and Objective
The Third-party shall ensure that all defined procedures are followed and implemented to ensure
secure and correct operations.
The objectives of the policy are to:
• Develop documented operation procedures for the information systems and computing
devices used to provide services to Bharti Infratel;
• Ensure protection of information during its transmission through communication networks;
• Protect the integrity of software and information against malicious code;
• Develop an appropriate backup strategy and monitoring plan for protecting integrity and
availability of information;
• Have appropriate controls over storage media to prevent its damage and/or theft; and
• Maintain security during the information exchange with other organisations.
6.3. Operational Procedures and Responsibilities
6.3.1 Documented Operating Procedure
Control Statement: Standard operating procedures pertaining to all system activities shall be
documented, maintained and followed.
Explanatory Notes: Procedures are required to be in place to ensure that activities performed for
day-to-day system operations are carried out in a secure manner. The Third-party is required to
document all Operating Procedures to maintain the confidentiality, integrity and availability of
the specific platform or application. The Third-party is required to ensure that procedures are made
available to all their employees who are involved in the respective operations and processes for
Bharti Infratel. All system and application administrators shall ensure that operating procedures are
kept up-to-date in accordance with any system changes.
The procedures are required to include, but are not limited to, the following:
• Any automated or scheduled processes that are running on the system or application
associated with Bharti Infratel information;
• Day-to-day operational tasks that need to be performed by the operator;
• The actions performed when an error or an exceptional condition occurs, including listed
contact details for people that may be required to assist or that may have a dependency on
that service;
• The actions required for start-up, restart or shutdown of the system or application
associated with Bharti Infratel information;
• The actions performed for system or application backup;
• The actions performed for system or application recovery or restoration;
• The actions performed for handling of information; for example, backup tapes or disposal
of output (such as printed output) from failed runs of automated processes; and
• Management of audit trail and system log information.
6.3.2 Change Management
Control Statement: A formal Change Management Process shall be developed and implemented for
carrying out changes to information systems associated with Bharti Infratel.
Explanatory Notes: To ensure that the security of the systems/environments is not compromised,
the Third-party is required to manage the change(s) in the production systems/environment of assets
used to provide services to Bharti Infratel.
Third-party shall ensure that:
a. Change control is required to be applied to all security aspects of the production
applications and infrastructure associated with Bharti Infratel.
b. All Third-party service providers are required to manage the change(s) to the systems and
services supplied to Bharti Infratel.
c. All approved changes are required to be tested in a test setup prior to implementing them
on the production systems.
6.3.3 Patch Management
Control Statement: A formal Patch Management Process shall be developed and implemented for
applying patches to the information systems associated with Bharti Infratel.
Explanatory Notes: The Third-party is required to apply patches to the systems being used to
provide services to Bharti Infratel in a timely manner, to ensure that the systems are running at
their optimum level and that the threat from vulnerabilities and malicious agents is reduced to an
acceptable level.
6.3.4 Segregation of Duties
Control Statement: Duties and areas of responsibility should be segregated to reduce opportunities
for unauthorised or unintentional modification or misuse of assets.
Explanatory Notes: The Third-party is recommended to implement segregation of duties so that no one
user has the opportunity to subvert any security control associated with Bharti Infratel information.
No single employee of the Third-party should be responsible for more than one of the following
duties at any given point in time: data entry, computer operation, network management, system
administration, systems development, change management, security administration, security audit,
security monitoring.
Where segregation of duties is not possible or practical, the process is recommended to include
compensating controls such as monitoring of activities, maintenance and review of audit trails and
management supervision. The possibility of collusion shall be removed from the design and deployment
architecture of the compensating control.
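The rule above is mechanically checkable during an access review. The following is an added example written for this page (it is not the Third-party's or Bharti Infratel's own tooling): it takes employee-to-duty assignments, flags anyone holding two or more of the nine duties the policy lists, and then treats a conflict as open unless an exception record cites at least one of the compensating controls the policy names. The employee names, duty assignments and exception records are constructed sample data.

```python
# Added example: segregation-of-duties (SoD) conflict check over a list of
# employee-to-duty assignments. Illustrative code for this page, not part of
# the Bharti Infratel policy or any real access-review tool.
from collections import defaultdict

# The nine duties section 6.3.4 says no single employee should combine.
EXCLUSIVE_DUTIES = frozenset({
    "data entry", "computer operation", "network management",
    "system administration", "systems development", "change management",
    "security administration", "security audit", "security monitoring",
})

# Compensating controls the policy names for cases where segregation is not
# practical; an exception record must cite at least one of them to count.
COMPENSATING_CONTROLS = frozenset({
    "activity monitoring", "audit trail review", "management supervision",
})


def find_sod_conflicts(assignments):
    """Return {employee: sorted exclusive duties} for every employee holding
    two or more of the exclusive duties.

    `assignments` is an iterable of (employee, duty) pairs, such as rows from
    an access-review export. Duties outside EXCLUSIVE_DUTIES are ignored, so
    combining e.g. 'help desk' with one listed duty is not flagged.
    """
    held = defaultdict(set)
    for employee, duty in assignments:
        duty = duty.strip().lower()
        if duty in EXCLUSIVE_DUTIES:
            held[employee].add(duty)
    return {emp: sorted(d) for emp, d in held.items() if len(d) > 1}


def unmitigated_conflicts(conflicts, exceptions):
    """Filter `conflicts` down to those without a valid documented exception.

    `exceptions` maps employee -> set of compensating controls in place. An
    exception is accepted only if it names at least one control from
    COMPENSATING_CONTROLS; anything else leaves the conflict open.
    """
    open_conflicts = {}
    for employee, duties in conflicts.items():
        controls = {c.strip().lower() for c in exceptions.get(employee, ())}
        if not controls & COMPENSATING_CONTROLS:
            open_conflicts[employee] = duties
    return open_conflicts


# Constructed sample data (hypothetical employees, not from the policy).
SAMPLE_ASSIGNMENTS = [
    ("alice", "system administration"),
    ("alice", "help desk"),             # not one of the exclusive duties
    ("bob", "change management"),
    ("bob", "system administration"),   # conflict: can approve and apply changes
    ("carol", "security monitoring"),
    ("carol", "Security Audit"),        # conflict, despite different casing
    ("carol", "data entry"),
]

SAMPLE_EXCEPTIONS = {
    # Carol's overlap is accepted: her actions are independently reviewed.
    "carol": {"audit trail review", "management supervision"},
    # Bob's record cites nothing the policy recognises, so it stays open.
    "bob": {"verbal assurance"},
}

if __name__ == "__main__":
    found = find_sod_conflicts(SAMPLE_ASSIGNMENTS)
    for emp, duties in sorted(found.items()):
        print(f"{emp}: holds {', '.join(duties)}")
    for emp in sorted(unmitigated_conflicts(found, SAMPLE_EXCEPTIONS)):
        print(f"UNMITIGATED: {emp}")
```

Run as a script it reports Bob and Carol as holding conflicting duties and Bob alone as unmitigated; in practice the assignment list would come from the Third-party's access-review export and the exception records from its risk register.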
6.3.5 Separation of Development, Test, and Operational Facilities
Control Statement: Development, test and operational facilities which are used to provide services
to Bharti Infratel shall be separated to reduce the risk of unauthorised access or changes to the
operational system.
Explanatory Notes: The development and production facilities/environments used to provide
services to Bharti Infratel are required to be physically and/or logically separated.
a. Development and Operational software is required to run on different systems.
b. Compilers, editors, and other development tools or system utilities shall not be accessible
from operational systems when not required.
c. Sensitive data shall not be copied into test environment for testing purpose.
d. A formal Change Management Process is required to be followed for implementing any
changes to the development, test and operational facilities.
6.4. Sub-Contractor Service Delivery Management
In the course of providing services to Bharti Infratel, the Third-party may outsource some services
to a Sub-contractor. When using the services of a Sub-contractor, the Third-party shall ensure that
agreed service delivery levels are met and security controls are adhered to by the Sub-contractor.
The Third-party shall monitor and review the services of its sub-contractor on an ongoing basis to
ensure that services offered to Bharti Infratel are supported without any interruption.
6.4.1 Service Delivery
Control Statement: Appropriate security controls, service definitions and delivery levels included
in the Sub-contractor service delivery agreement shall be implemented, operated and maintained.
Explanatory Notes: Service delivery by a Sub-contractor is required to include the agreed security
arrangements, service definitions, and other aspects of service management.
The Third-party is required to ensure that the Sub-contractor maintains sufficient service capability
together with workable plans designed to ensure that agreed service continuity levels to Bharti
Infratel are maintained.
6.4.2 Monitoring and Review of Sub-contractor Services
Control Statement: A documented process shall be established to ensure that the services, reports and
evidence provided by the Sub-contractors who are involved in providing services to Bharti Infratel
are monitored and reviewed on a defined periodic basis.
Explanatory Notes: The Third-party is required to monitor and review sub-contractor services to ensure
that the BITSP is being adhered to and that information security incidents and problems are
managed properly.
Audits to assess compliance of the Sub-contractor’s services with the agreed contract shall be
conducted on a periodic basis. The responsibility of managing the relationship with a Sub-
contractor of the Third-party is required to be assigned to a designated individual or service
management team.
6.4.3 Managing Changes to Sub-contractor Services
Control Statement: A documented procedure to control changes pertaining to a Sub-contractor’s
services shall be implemented.
Explanatory Notes: The Third-party is required to ensure that all changes pertaining to the
Sub-contractor’s services are maintained, agreed and documented. Services to Bharti Infratel shall
not be disrupted due to any changes in service levels between the Third-party and its
Sub-contractor.
6.5. System Planning and Acceptance
6.5.1 Capacity-Management
Control Statement: Resource utilisation shall be monitored and projections shall be made for the
future capacity requirements to ensure adequate system performance.
Explanatory Notes: The Third-party is required to ensure that the capacity of systems used to
provide services to Bharti Infratel is monitored on a periodic basis. Capacity planning shall be
carried out by the Third-party to anticipate future capacity requirements and enhancements. This is
required in particular for security-related logging, analysis and exception-reporting on the systems
being used to provide services to Bharti Infratel. The system/application administrator shall monitor
capacity utilisation and project future capacity requirements to ensure that adequate processing
power and storage are available for systems that are used to provide services to Bharti Infratel.
6.5.2 System-Acceptance
Control Statement: Acceptance criteria for new information systems, upgrades and new versions
shall be defined and followed.
Explanatory Notes: The acceptance criteria for new information systems, upgrades and new
versions of system/software are required to be followed by the Third-party for any new system that
is deployed to provide services to Bharti Infratel. The following is recommended to be considered
prior to formal acceptance:
a. Performance and computer capacity requirements;
b. Error recovery and restart procedures;
c. Contingency plans;
d. Agreed set of security controls in place;
e. Effective manual procedures;
f. Evidence that installation of the new system shall not adversely affect existing systems;
g. Training in the operation or use of new systems; and
h. Ease of use, as this affects user performance and avoids human error.
6.6. Protection against Malicious and Mobile Code
6.6.1 Controls Against Malicious Code
Control Statement: Appropriate controls for detection, prevention and recovery of the information
systems against malicious code shall be developed and implemented.
Explanatory Notes: Malicious code is code that is capable of causing malfunctions in a
system, such as viruses, Trojan horses, worms, adware, spyware and backdoors.
The Third-party is required to design and implement prevention, detection and recovery controls
for malicious code on all information systems associated with Bharti Infratel.
The implemented controls are required to address the latest vulnerabilities and weaknesses that
can bring the system down or result in information disclosure, destruction or modification.
6.6.2 Controls Against Mobile Code
Control Statement: Only authorised mobile code shall be allowed to execute on the information
systems and network environment.
Explanatory Notes: Mobile code is software, such as ActiveX controls or Java applets, that is
transferred from one computer to another and then executes automatically, performing a specific
function with little or no user interaction. The Third-party is required to allow only authorised
mobile code to execute. Appropriate safeguards are required to be implemented in the information
systems to prevent the execution of unauthorised mobile code.
6.7. Back-up
6.7.1 Information Back-up
Control Statement: Information back-up shall be performed as per a formal Back-up Procedure
approved by Bharti Infratel.
Explanatory Notes: The information of Bharti Infratel which is managed by the Third-party is
required to be backed up in accordance with a Back-up Procedure. Restoration-testing is required
to be conducted for the backed up data at regular intervals as defined by Bharti Infratel and logs
for backup/restoration shall be stored with restricted access. Log analysis shall be carried out for
all failed backup and restorations and corrective actions shall be taken.
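The restoration test the procedure above calls for is only meaningful if the restored data is compared against what was backed up. The following added example (not part of this policy or of any Bharti Infratel or Third-party tooling) records a SHA-256 manifest at backup time, restores the archive into a fresh directory and reports every file that is missing or altered. The data set, file names and the simulated corruption are constructed for illustration.

```python
import hashlib
import os
import tarfile
import tempfile

# Constructed sample data set standing in for information managed on behalf of Bharti Infratel.
SAMPLE_FILES = {
    "sites/site-001.csv": b"site_id,lat,lon\n001,28.61,77.21\n",
    "sites/site-002.csv": b"site_id,lat,lon\n002,19.07,72.88\n",
    "config/app.conf": b"log_level=INFO\n",
}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_files(root, files):
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

def take_backup(src_root, archive_path):
    """Archive src_root; return the manifest {relative path: sha256} recorded at backup time."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for dirpath, _, names in os.walk(src_root):
            for name in sorted(names):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, src_root)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest

def restore(archive_path, restore_root):
    """Extract the archive; use the 'data' filter where the interpreter supports it to block path traversal."""
    os.makedirs(restore_root, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(restore_root, filter="data")
        else:
            tar.extractall(restore_root)

def verify(manifest, restore_root):
    """Compare every restored file with the manifest; return a list of (path, problem) failures."""
    failures = []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(restore_root, rel)
        if not os.path.isfile(path):
            failures.append((rel, "missing after restore"))
        elif sha256_file(path) != expected:
            failures.append((rel, "checksum mismatch"))
    return failures

def restoration_test(files=SAMPLE_FILES, tamper=None, drop=()):
    """Back up, restore into a fresh directory and verify.
    `tamper` overwrites restored files and `drop` deletes them before verification; both simulate
    a corrupt or incomplete restore (constructed failure cases, not observed behaviour)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        write_files(src, files)
        archive = os.path.join(work, "backup.tar.gz")
        manifest = take_backup(src, archive)
        restored = os.path.join(work, "restore")
        restore(archive, restored)
        if tamper:
            write_files(restored, tamper)
        for rel in drop:
            os.remove(os.path.join(restored, rel))
        return verify(manifest, restored)

if __name__ == "__main__":
    print("clean restore:", restoration_test())
    print("corrupt restore:", restoration_test(tamper={"config/app.conf": b"log_level=DEBUG\n"}))
```

An empty failure list is the evidence a restoration test should produce; anything else is a failed restoration that, under this section, goes into the log analysis and corrective-action loop. The manifest must be stored separately from the archive, otherwise media corruption can destroy both at once.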
6.8. Network Security Management
Development and implementation of network management controls is required to manage and
maintain the security of information effectively. These controls shall be applied to networking
devices such as switches and routers and any network-attached host or system.
6.8.1 Network Controls
Control Statement: The Third-party shall ensure the security of the networks being used to provide
services to Bharti Infratel.
Explanatory Notes: The Third-party is required to design and implement appropriate network
controls to safeguard information of Bharti Infratel. Controls shall also be implemented to maintain
the availability of network services and computers connected. Operational responsibility for
managing the network is required to be segregated from that of system management. Responsibility
for managing remote equipment shall be established. Appropriate logging and monitoring shall be
applied to enable recording of security-relevant actions.
6.8.2 Wireless Local Area Network (WLAN)
Control Statement: A wireless infrastructure system to provide services to Bharti Infratel should be
designed, deployed and maintained taking into account the appropriate information security
requirements.
Explanatory Notes: The following measures are recommended to be implemented for the Wireless
Local Area Network (hereinafter referred to as WLAN) security by the Third-party:
a. WLAN should be separated from the wired LAN by implementing a firewall;
b. All wireless communication devices should be configured appropriately, including secure
configuration of Access Points and wireless client devices such as laptops/workstations;
c. A strong key management system is recommended to be implemented for the
authentication of clients connecting to the WLAN associated with Bharti Infratel;
d. Appropriate physical and environmental security controls should be implemented to protect
wireless access points against theft and damage; and
e. A wireless intrusion detection system is recommended to be deployed to identify and
respond to rogue access points, intruders, poorly configured wireless access points, attacks
and misuse directed over the WLAN associated with Bharti Infratel.
6.8.3 Firewall
Control Statement: A firewall management standard and procedure shall be established and
implemented in all firewalls used to provide services to Bharti Infratel.
Explanatory Notes: A Firewall segments the network based on risk levels. The information systems
with similar risk levels shall be put into one segment. For example, if the firewall is segregating the
internal network from the Internet there shall be a minimum of three segments - one for Internet,
one for internal network and one for systems that are accessed from both (the internal network and
the Internet), called the demilitarised zone (DMZ). The following controls shall be ensured:
a. An updated, reviewed and approved network diagram with all connections to and from the
firewall shall be documented;
b. A documented list of services and ports required to be enabled shall be available;
c. An operation procedure for firewall policy changes, performance monitoring, firewall
backup and firewall change control shall be documented; and
d. Audit and logging shall be enabled on the firewall to ensure that all critical accesses and
changes to firewall configuration and policy are tracked. These logs shall be regularly
reviewed by the firewall administrator.
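Items b and d above are only useful together: the documented list of required services is what the firewall administrator reviews the live ruleset against. The following added example (not part of this policy or of any real device's configuration) reconciles a constructed `iptables -S INPUT` listing with a hypothetical approved-services list and reports ports that are open but undocumented, documented services with no rule, and approved services that are reachable from a wider source range than approved. The rules, addresses and approved list are illustrative assumptions.

```python
import re

# Constructed sample of `iptables -S INPUT` output for one host (not from any real device).
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
"""

# Hypothetical documented list of required services (item b):
# (protocol, port) -> "any" or the list of source networks permitted to reach it.
APPROVED = {
    ("tcp", 22): ["10.10.0.0/24"],   # management access from the admin network only
    ("tcp", 443): "any",             # service exposed to clients
    ("udp", 123): "any",             # NTP
}

RULE = re.compile(r"^-A INPUT(?P<body>.*?) -j (?P<target>\w+)$")
ANY_SOURCE = "0.0.0.0/0"

def parse_accepts(rules_text):
    """Return {(proto, port): set of source networks} for every ACCEPT rule that names a destination port."""
    accepts = {}
    for line in rules_text.splitlines():
        m = RULE.match(line)
        if not m or m.group("target") != "ACCEPT":
            continue
        body = m.group("body")
        proto = re.search(r"-p (tcp|udp)", body)
        dport = re.search(r"--dport (\d+)", body)
        if not (proto and dport):
            continue  # loopback and conntrack rules carry no port; not in scope here
        src = re.search(r"-s (\S+)", body)
        key = (proto.group(1), int(dport.group(1)))
        accepts.setdefault(key, set()).add(src.group(1) if src else ANY_SOURCE)
    return accepts

def default_policy(rules_text):
    for line in rules_text.splitlines():
        if line.startswith("-P INPUT "):
            return line.split()[2]
    return None

def review(rules_text, approved):
    """Reconcile the live ruleset against the documented list; each finding needs a fix or a re-approval."""
    accepts = parse_accepts(rules_text)
    findings = []
    if default_policy(rules_text) != "DROP":
        findings.append("INPUT default policy is not DROP")
    for key, sources in sorted(accepts.items()):
        if key not in approved:
            findings.append("%s/%d is open but not on the approved list" % key)
        elif approved[key] != "any" and ANY_SOURCE in sources:
            findings.append("%s/%d is approved only from %s but accepts from any source"
                            % (key + (", ".join(approved[key]),)))
    for key in sorted(set(approved) - set(accepts)):
        findings.append("%s/%d is approved but no rule permits it" % key)
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_RULES, APPROVED):
        print(finding)
```

Run against the constructed listing, the review flags tcp/23 (telnet) as open but undocumented. Replace the sample text with the output of `iptables -S INPUT` from a real host and the approved list with the one kept under item b; the same reconciliation applies to any firewall whose rules can be listed as text.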
6.8.4 Security of Network Services
Control Statement: The network services that are enabled shall be securely configured and
services that are not required for the business shall be disabled.
Explanatory Notes: The network services that are required for the business shall be identified and
documented. Non-essential services shall be disabled on all information systems. The services found
to be vulnerable shall be fixed by implementing alternative mitigation controls on the information
systems.
a. Security arrangements necessary for particular services, such as security features, service
levels, and management requirements, shall be identified. The Third-party shall ensure
that these measures are implemented stringently to maintain security and availability of
network services.
b. Network services may include the provision of private network services, value-added
services and managed security solutions like firewall and intrusion detection/prevention
systems.
c. The security features of network services shall include the following:
i. Technology applied for security of network services, such as authentication,
encryption, and network connection controls;
ii. Technical parameters required for secured connection with the network services in
accordance with security and network connection rules; and
iii. Procedures for network service usage to restrict access to network services or
applications, where necessary.
d. Changes to the security of network services in Bharti Infratel shall follow the
steps/measures enumerated in a formal Change Management Process.
6.9. Media Handling
6.9.1 Management of Removable Media
Control Statement: A formal Removable Media Management Guideline shall be developed and
implemented for any media containing information of Bharti Infratel.
Explanatory Notes: The Third-party shall ensure that they develop and implement the Removable
Media Management Guideline. The developed procedure shall include re-use, storage availability,
registration and authorisation of removable media.
6.9.2 Disposal of Media
Control Statement: All media containing information of Bharti Infratel shall be disposed of as per
a formal Media Disposal Procedure.
Explanatory Notes: Devices containing information of Bharti Infratel are required to be disposed of in
a secure manner. Devices such as magnetic media and optical media are required to be physically
destroyed. The Third-party personnel are required to ensure the disposal of media as per a formal
Media Disposal Procedure. When magnetic media has to be reused, it shall be degaussed to
eradicate all information and make it non-retrievable. All print media such as hardcopies shall be
disposed of using shredders. Disposal shall be done by authorised users only.
6.9.3 Information Handling Procedures
Control Statement: The Third-party shall implement and follow Information Labelling and
Handling Guidelines to ensure that information pertinent to Bharti Infratel is handled accordingly.
Explanatory Notes: The Information Labelling and Handling Guidelines shall be developed and
implemented to handle information on media pertinent to Bharti Infratel. Access restrictions shall
be implemented to prevent access to information of Bharti Infratel by unauthorized personnel.
6.9.4 Security of System-Documentation
Control Statement: The Third-party shall ensure that system-documentation of systems used to
provide services to Bharti Infratel shall be protected against unauthorised access.
Explanatory Notes: Appropriate security measures shall be implemented by the Third-party to
maintain the security of the system-documentation for all information systems used to provide
services to Bharti Infratel.
To secure system-documentation, the following shall be considered:
a. System-documentation shall be stored securely;
b. The distribution list for system-documentation shall be limited to those personnel who
require it on a ‘need-to-know’ basis.
c. System-documentation held on a public network, or supplied via a public network, shall be
protected appropriately.
d. All system documentation is required to be classified as per the Asset Management Policy
and handled as per a formal Information Labelling and Handling Guideline.
6.10. Exchange of Information
6.10.1 Information Exchange Policies and Procedures
Control Statement: Formal exchange policies, procedures and controls shall be put in place to
protect the exchange of information through the use of various types of communication facilities.
Explanatory Notes: Appropriate security controls should be implemented for exchange of business
information or software assets between the Third-party, sub-contractors and Bharti Infratel. The
following shall be considered:
a. Policy or guidelines outlining acceptable use of electronic communication facilities;
b. Ensuring that sensitive or critical information of Bharti Infratel is not left unattended on
printing facilities (copiers, printers or facsimile machines), as these may be accessed by
unauthorised personnel; and
c. Reminding the personnel that they shall take appropriate precautions not to reveal
sensitive information inadvertently, as being overheard or intercepted when making a
phone call, by:
i. People in their immediate vicinity, particularly when using mobile phones;
ii. Wiretapping and other forms of eavesdropping through physical access to the phone
handset or the phone line, or using scanning receivers; and
iii. People at the recipient’s end.
6.10.2 Exchange Agreements
Control Statement: The Third-party shall ensure that they maintain appropriate information
exchange agreements with the sub-contractors who are involved in providing services to Bharti
Infratel.
Explanatory Notes: Agreements shall be made between the Third-party and its sub-contractors or
customers. The exchange agreements shall include, but not be limited to, the following:
a. Procedures for notifying the sender of transmission, dispatch and receipt;
b. Procedures to ensure traceability and non-repudiation;
c. Courier-identification standards; and
d. Responsibilities and liabilities in the event of information security incidents, such as loss of
data.
6.10.3 Physical Media in Transit
Control Statement: Media containing sensitive information of Bharti Infratel shall be protected
against unauthorised access, misuse or corruption during transportation within and beyond the
physical boundaries.
Explanatory Notes: The documents and removable media carrying information of Bharti Infratel
(other than the information classified as ‘Public’) shall be transported using only authorised courier
agency. These courier agencies are required to sign a Non-Disclosure Agreement with the third-
party. All Third-party employees carrying media are required to ensure its protection during transit.
6.10.4 Electronic Messaging
Control Statement: The Third-party shall ensure that the information of Bharti Infratel is protected
appropriately while using electronic messaging facilities.
Explanatory Notes: Bharti Infratel recognises the importance of the electronic mail system for
business operations and understands that the E-mail system of the Third-party may contain
information of Bharti Infratel. The Third-party shall ensure that its E-mail system is not vulnerable
to unauthorised access, modification and/or misuse and shall implement relevant E-mail security
guidelines (applicable to their organisation), consisting of appropriate security measures in order to
protect information of Bharti Infratel.
6.10.5 Business Information Systems
Control Statement: Appropriate security controls shall be developed and implemented to protect
the information processed through the interconnection of business information systems.
Explanatory Notes: Business information systems enable faster dissemination and sharing of
business information using a combination of documents, computers, mobile communication, mail,
voice mail and other means. The consideration given to the security and business implications of
interconnecting the Bharti Infratel and Third-party networks shall include the following:
a. Vulnerabilities of information in business communication systems, e.g., recording phone
calls or conference calls, confidentiality of calls, storage of facsimiles, opening mail,
distribution of mail;
b. Appropriate controls to manage information sharing; and
c. Restricting access to information relating to selected individuals, e.g., personnel working
on sensitive projects.
6.11. Electronic Commerce Services
6.11.1 Electronic Commerce
Control Statement: The Third-party shall ensure that the information involved in electronic
commerce passing over public networks shall be protected from fraudulent activity, contract
dispute and unauthorised disclosure and/or modification.
Explanatory Notes: The Third-party shall ensure that the information involved in electronic
commerce is secured and the following controls are followed:
a. An appropriate authentication mechanism shall be implemented in the applications
facilitating the online transaction and secure web services;
b. Prior to the online transaction, it shall be ensured that trading partners are fully
informed of their authorisations; and
c. The confidentiality and integrity of any order, transactions, payment information, delivery
address details and confirmation of receipts shall be maintained only through secure
channel.
6.11.2 On-Line Transactions
Control Statement: Appropriate controls shall be applied to protect the Information involved in on-
line transactions.
Explanatory Notes: The Third-party shall ensure that incomplete transmission, misrouting,
unauthorised message alteration, unauthorised disclosure, unauthorised message duplication or
replay are prevented in on-line transactions related to Bharti Infratel. The communications path
between all parties involved in an online transaction shall be set up using a secure protocol such as
Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL); SSL itself is no longer
considered secure and should not be enabled.
6.11.3 Publicly Available Systems
Control Statement: Information published on a publicly-available system shall be protected from
unauthorised modification.
Explanatory Notes: Adequate security controls shall be put in place to ensure the confidentiality,
integrity and availability of information related to Bharti Infratel that is contained in
publicly-available systems of the Third-party. The publicly available systems owned by the Third-party
shall be tested for vulnerabilities, and it shall be ensured that the identified vulnerabilities are
fixed prior to publishing the information on such systems.
6.12. Monitoring
6.12.1 Audit Logging
Control Statement: The audit logs recording user activities, exceptions and security events shall be
appropriately enabled and stored.
Explanatory Notes: The Third-party should ensure that the audit logs are enabled on critical
systems and stored for a reasonable period as decided by Bharti Infratel in the contract. In
accordance with the business requirement, user activities, exceptions and security events should be
recorded. Access control monitoring of the systems related to Bharti Infratel shall be done
periodically. The logs shall be monitored and analysed for any possible unauthorised use of
information systems. Privacy protection measures shall be taken for audit logs for these systems. It
shall be ensured that the system administrators do not have permissions to erase or de-activate logs
of their own activities.
6.12.2 Monitoring System Use
Control Statement: The utilisation of information systems that are used to provide services to
Bharti Infratel shall be monitored and controlled.
Explanatory Notes: The results of the monitoring activities are required to be reviewed at regular
intervals by the Third-party. The intervals shall be decided as per criticality of the information
systems and a consolidated report for all reviewed monitoring activities shall be prepared.
An appropriate tool for storing and monitoring the logs shall be implemented by the Third-party.
Log storing and monitoring shall cover the following:
a. Authorised access;
b. All privileged operations;
c. Unauthorised access attempts; and
d. Changes to, or attempts to change, system security settings and controls.
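The four categories in the list above are what a log review has to surface from raw system logs. The following added example (not part of this policy or of any Bharti Infratel or Third-party tooling) runs over a few constructed syslog-style sshd and sudo lines and sorts them into authorised access, privileged operations, unauthorised attempts per source and changes to security settings, raising an alert when a source reaches the three-failure threshold used elsewhere in this policy. The log lines, host names, addresses and the list of paths treated as security settings are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines in syslog format (not taken from any real system).
SAMPLE_LOG = """\
Oct 30 09:01:02 srv1 sshd[2101]: Accepted publickey for opsuser from 10.10.0.5 port 51022 ssh2
Oct 30 09:02:10 srv1 sshd[2130]: Failed password for invalid user admin from 203.0.113.9 port 4410 ssh2
Oct 30 09:02:12 srv1 sshd[2130]: Failed password for invalid user admin from 203.0.113.9 port 4411 ssh2
Oct 30 09:02:15 srv1 sshd[2131]: Failed password for root from 203.0.113.9 port 4412 ssh2
Oct 30 09:03:00 srv1 sudo:  opsuser : TTY=pts/0 ; PWD=/home/opsuser ; USER=root ; COMMAND=/bin/systemctl status nginx
Oct 30 09:04:30 srv1 sudo:  opsuser : TTY=pts/0 ; PWD=/home/opsuser ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Oct 30 09:05:00 srv1 sshd[2200]: Failed password for opsuser from 10.10.0.7 port 50001 ssh2
Oct 30 09:06:00 srv1 sshd[2201]: Accepted password for opsuser from 10.10.0.7 port 50002 ssh2
"""

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")

# Assumption: privileged commands touching these paths or tools count as changes to
# security settings and controls (item d). Extend to match the platform in use.
SECURITY_TARGETS = ("/etc/ssh/", "/etc/pam.d/", "/etc/sudoers", "/etc/shadow", "/etc/passwd",
                    "iptables", "nft ", "setenforce", "auditctl")
FAILURE_THRESHOLD = 3  # aligned with the three-failure lockout in the password controls of this policy

def analyse(log_text):
    """Classify each line into the four categories of this control and derive alerts."""
    report = {"authorised": [], "privileged": [], "failed": Counter(),
              "security_changes": [], "alerts": []}
    for line in log_text.splitlines():
        if m := ACCEPTED.search(line):                       # item a: authorised access
            report["authorised"].append({"method": m.group(1), "user": m.group(2), "src": m.group(3)})
        elif m := FAILED.search(line):                       # item c: unauthorised access attempts
            report["failed"][m.group(2)] += 1
        elif m := SUDO.search(line):                         # item b: privileged operations
            entry = {"user": m.group(1), "as": m.group(2), "command": m.group(3).strip()}
            report["privileged"].append(entry)
            if any(target in entry["command"] for target in SECURITY_TARGETS):
                report["security_changes"].append(entry)    # item d: security setting changes
    for src, n in report["failed"].items():
        if n >= FAILURE_THRESHOLD:
            report["alerts"].append("%d failed logins from %s" % (n, src))
    # A success from a source that failed earlier may be a guessed password: flag it for review.
    failing_sources = set(report["failed"])
    for a in report["authorised"]:
        if a["src"] in failing_sources:
            report["alerts"].append("successful %s login for %s from %s after earlier failures"
                                    % (a["method"], a["user"], a["src"]))
    return report

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for alert in result["alerts"]:
        print("ALERT:", alert)
    for change in result["security_changes"]:
        print("SECURITY CHANGE:", change["user"], "as", change["as"], ":", change["command"])
```

On the constructed input the review yields two alerts (a source that failed three times, and a password login that succeeded from a host that had just failed) and one security-setting change (an edit of the sshd configuration). The consolidated report this section asks for is the same output aggregated across all systems and review intervals.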
6.12.3 Protection of Log Information
Control Statement: Logging facilities and log information shall be protected against tampering and
unauthorised access.
Explanatory Notes: The log information of systems/equipment/network devices used to provide
services to Bharti Infratel shall be protected against unauthorised access, alterations and
operational problems. The Third-party shall ensure that access to logs shall be provided only on a
‘need-to-know’ and ‘need-to-have’ basis. Appropriate controls shall be implemented to prevent:
a. Alterations to the message types that are recorded;
b. Log files being edited or deleted; and
c. Storage capacity of the logging media being exceeded.
6.12.4 Administrator and Operator Logs
Control Statement: System administrator and system operator activities shall be logged.
Explanatory Notes: The information systems being used to provide services to Bharti Infratel are
required to be configured in such a way that the system administrator and system operator
activities are logged and are secure from unauthorised modification. The system administrator and
system operator shall not have rights to alter the administrator and operator logs. The logs shall be
reviewed by an independent person so as to identify any malpractice.
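Controls 6.12.3 and 6.12.4 both come down to the same requirement: the people whose actions are recorded must not be able to alter the record unnoticed. File permissions alone cannot deliver that against an administrator, so the usual complement is a tamper-evident log in which each entry is keyed to the previous one. The following added example (not part of this policy or of any Bharti Infratel or Third-party tooling) builds such a chain with HMAC-SHA256 under a key held only by the independent reviewer, and shows that editing, deleting or reordering any earlier entry is detected at verification. The events, key and field names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample of administrator activity records (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2012-10-30T09:00:00Z", "user": "admin1", "action": "service sshd restart"},
    {"ts": "2012-10-30T09:05:12Z", "user": "admin1", "action": "useradd contractor7"},
    {"ts": "2012-10-30T09:07:40Z", "user": "admin2", "action": "iptables -I INPUT -p tcp --dport 23 -j ACCEPT"},
]

# Hypothetical key held by the independent reviewer (or by a log host administrators cannot
# log on to), never by the administrators whose actions are being recorded.
REVIEWER_KEY = b"example-reviewer-key-rotate-in-production"
GENESIS = "0" * 64  # tag assumed for the entry before the first one

def _canonical(record):
    """Stable byte encoding so that the same record always authenticates the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def _tag(key, prev_tag, record):
    return hmac.new(key, prev_tag.encode("ascii") + _canonical(record), hashlib.sha256).hexdigest()

def append_entry(chain, record, key):
    """Append a record; its tag covers the record and the previous entry's tag, linking the chain."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "tag": _tag(key, prev, record)})
    return chain

def build_chain(events, key):
    chain = []
    for event in events:
        append_entry(chain, event, key)
    return chain

def verify_chain(chain, key, expected_len=None):
    """Return the index of the first entry that fails verification, or -1 if the chain is intact.
    Cutting entries off the end leaves a valid shorter chain, so the reviewer records the expected
    length (or the last tag) out of band and passes it here to catch truncation."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], _tag(key, prev, entry["record"])):
            return i
        prev = entry["tag"]
    if expected_len is not None and len(chain) != expected_len:
        return len(chain)
    return -1

if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS, REVIEWER_KEY)
    print("intact:", verify_chain(chain, REVIEWER_KEY))                  # -1
    chain[1]["record"]["user"] = "admin2"                                # administrator rewrites history
    print("first bad entry after edit:", verify_chain(chain, REVIEWER_KEY))  # 1
```

In practice the tagging happens on the log collector as entries arrive, the key lives on that collector (or in an HSM), and the reviewer periodically verifies the chain and notes the latest tag. An administrator with full rights on the originating system can still suppress events before they are sent, which is why this section also requires that administrators cannot disable logging of their own activity.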
6.12.5 Fault Logging
Control Statement: Fault logging shall be enabled, analysed, and appropriate action shall be taken
on fault-logging.
Explanatory Notes: The Third-party is required to maintain logs of all faults related to the data
processing and communication systems that are used to provide services to Bharti Infratel. The
Third-party shall ensure that such issues are corrected as per the Service Level Agreement
(hereinafter referred to as the SLA). The Third-party shall also ensure that root-cause analysis is
carried out to prevent any recurrence of faults.
6.12.6 Clock Synchronisation
Control Statement: The clock time of critical systems that are used to provide services to Bharti
Infratel should be synchronised with an accurate time source.
Explanatory Notes: Systems/equipment being used to provide services to Bharti Infratel shall be
synchronised with a Network Time Protocol (NTP) server. All systems used to provide services to
Bharti Infratel shall synchronise to the same reference time so that timestamps in logs from
different systems can be correlated.
7. Access Control Policy (BITSP – 007)
7.1. Introduction
The Access Control Policy defines the appropriate access controls that need to be put in place by
the Third-party to prevent unauthorised access to information systems that are used to provide
services to Bharti Infratel.
7.2. Policy Statement and Objective
Access to information assets that are used to provide services to Bharti Infratel shall be
controlled, based on the business and security requirements and commensurate with asset
classification.
The Objectives of Access Control Policy are to:
a. Control the access to information, information systems and processing facilities as per
business requirement of Bharti Infratel;
b. Prevent unauthorised access to information systems, networked services, operating systems
and information held in application systems associated with Bharti Infratel information;
c. Ensure that security controls are in place while using the mobile computing and teleworking
facilities associated with Bharti Infratel information; and
d. Ensure that information access controls are implemented to meet relevant legislation,
contractual and statutory requirements.
7.3. User Access Management
Procedures shall be developed to control the allocation of access rights to information systems and
services. The Third-party shall ensure that the procedures cover all stages in the life-cycle of user
access, from the initial registration of new users in Bharti Infratel to the final de-registration of
users who no longer require access to information systems and services. Special attention shall be
given, where appropriate, to the need to control allocation of privileged access rights, which allow
users to override system controls.
7.3.1 Access Control Policy
Control Statement: Access control shall be implemented and applied to all information systems/
equipment/ network devices that are used to provide services to Bharti Infratel.
Explanatory Notes: Access control rules and rights for each user or group of users shall be clearly
stated. Access controls are both logical and physical, and these shall be considered together to
prevent any unauthorised access to information assets that are used to provide services to Bharti
Infratel.
7.3.2 User Registration
Control Statement: Formal user registration and de-registration procedure shall be implemented
for granting and revoking access to all information systems and services that are used to provide
services to Bharti Infratel.
Explanatory Notes: Procedures for user registration and de-registration are required to be defined,
documented and implemented for granting access to information systems that are used to provide
services to Bharti Infratel. These procedures shall include the following:
a. All users shall have a unique user ID based on a standard naming convention, for accessing
information systems;
b. Appropriate authorisation shall be obtained prior to creating the user IDs;
c. An audit trail shall be kept for all requests for addition, modification or deletion of user
accounts/ IDs and access rights;
d. User accounts shall be reviewed at regular intervals, at least quarterly for sensitive systems
and half-yearly for the other systems, to identify and facilitate removal/ deactivation of
inactive accounts or accounts that have not been used for a long duration;
e. The Application Administrator must be responsible for implementing access control as
defined by the Application Owner;
f. The results of user account reviews, including subsequent actions, shall be documented to
provide an audit trail; and
g. "Guest" accounts and other default accounts shipped with software/ applications shall be
disabled or their passwords changed from the default value, in case there is a justified
business requirement for using these accounts.
7.3.3 Privilege Management
Control Statement: Privileged user access associated with the operating system, database
management system and applications that are used to provide services to Bharti Infratel have to be
identified, allocated and controlled by the Third-party.
Explanatory Notes: Privileged accounts have administrator access on the system. The creation and
allocation of privileged user accounts/IDs on information systems that are used to provide services to
Bharti Infratel shall be controlled through a formal authorisation process. The authorisation process
shall consider the following:
a. The privilege associated with each system (e.g. operating systems, databases, applications
etc.) and their corresponding users are identified;
b. The privileges are allocated to individuals on a ‘need-to-have’ basis. The authorisation
process for access
c. The Third-party shall approve the use of group privileged user IDs only where required.
Accountability shall be ensured for group privileged user IDs that are used to access information
of Bharti Infratel.
7.3.4 Password Management
Control Statement: Allocation of passwords for systems that are used to provide services to Bharti
Infratel shall be controlled through a formal Password Management Process.
Explanatory Notes: Passwords shall be distributed to the users in a secure manner. The following
controls relating to password management should be implemented:
a. Users should be forced to change their password during the first log-on and after 45 days of
each password change. However, users shall receive password change warning 15 days prior
to its expiry;
b. Passwords should have combination of alpha-numeric characters and a minimum length of
eight characters;
c. Passwords should have a minimum age of one day;
d. Passwords for all user and privileged accounts should expire 45 days after their last
change, with the exception of accounts used by services; passwords for privileged accounts
should have a shorter maximum age;
e. A record of five previous passwords should be maintained to prevent the re-use of these
passwords;
f. A maximum of three successive login failures should result in account lockout;
g. A ‘locked out’ user should not be able to login until the account is unlocked by the system
administrator or by the user himself, using the ‘Password Reset’ solution;
h. Passwords should not be displayed in clear text when it is being keyed in or otherwise;
i. Support procedures should be in place to deal with forgotten passwords and account
lockouts;
j. User password resets should be performed only when requested by the individual to whom
the user ID is assigned, after verification of their identity by a defined procedure;
k. When passwords are reset, users should be forced to change their password to a password
of their choice on the first use after the reset;
l. Default accounts should be disabled and/or the associated default passwords shall be
changed immediately;
m. A secure ‘Password List’ should be maintained for all critical accounts. Only authorised
individuals should have access to this ‘Password List’; and
n. Passwords should not be coded into logon scripts, batch programs or any other executable
files when user authentication or authorisation is required to complete a function.
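Items a to g and j to k above are a complete set of parameters, so they can be checked mechanically rather than by inspection. The following added example (not part of this policy or of any Bharti Infratel or Third-party system) implements those parameters for a single account: forced change at first log-on, eight-character alphanumeric minimum, one-day minimum age, 45-day maximum age with a 15-day warning, a history of five previous passwords, lockout after three successive failures and a reset that again forces a change on first use. The use of PBKDF2-SHA256 for storage, the user name and the dates are assumptions; the policy does not prescribe them.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Parameters taken from items a-f of this control.
MIN_LENGTH = 8
MIN_AGE = timedelta(days=1)
MAX_AGE = timedelta(days=45)
WARN_BEFORE = timedelta(days=15)
HISTORY_DEPTH = 5          # previous passwords that may not be reused
MAX_FAILURES = 3
PBKDF2_ROUNDS = 50_000     # assumption: the policy does not prescribe a storage hash

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def complexity_ok(password):
    """Item b: at least eight characters, mixing letters and digits."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

class Account:
    def __init__(self, user, initial_password, now):
        self.user = user
        self.history = []        # (salt, digest) pairs, newest last; the current password is history[-1]
        self.changed_at = now
        self.failures = 0
        self.locked = False
        self.must_change = True  # item a: forced change at first log-on
        self._store(initial_password, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        self.history = self.history[-(HISTORY_DEPTH + 1):]   # current plus five previous (item e)
        self.changed_at = now

    def _matches(self, password, salt, digest):
        return hmac.compare_digest(_digest(password, salt), digest)

    def verify(self, password):
        salt, digest = self.history[-1]
        return self._matches(password, salt, digest)

    def change_password(self, old, new, now):
        """Items a-e; returns (accepted, reason)."""
        if not self.verify(old):
            return False, "current password incorrect"
        if not self.must_change and now - self.changed_at < MIN_AGE:
            return False, "minimum password age of one day not reached"
        if not complexity_ok(new):
            return False, "new password does not meet complexity requirements"
        if any(self._matches(new, s, d) for s, d in self.history):
            return False, "new password matches one of the last %d passwords" % HISTORY_DEPTH
        self._store(new, now)
        self.must_change = False
        return True, "password changed"

    def login(self, password, now):
        """Items a, d, f and g; returns (authenticated, status)."""
        if self.locked:
            return False, "account locked; administrator or self-service reset required"
        if not self.verify(password):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True
                return False, "account locked after %d successive failures" % MAX_FAILURES
            return False, "password incorrect"
        self.failures = 0
        age = now - self.changed_at
        if self.must_change or age >= MAX_AGE:
            return True, "password change required"
        if age >= MAX_AGE - WARN_BEFORE:
            return True, "password expires in %d days" % (MAX_AGE - age).days
        return True, "ok"

    def admin_reset(self, temporary_password, now):
        """Items g, j and k: unlock and issue a temporary password that must be changed on first use."""
        self.locked = False
        self.failures = 0
        self._store(temporary_password, now)
        self.must_change = True

def walkthrough(now=datetime(2012, 10, 30)):
    """Scenario over constructed dates and passwords; returns the sequence of (ok, status) results."""
    acct = Account("contractor7", "Temp1234", now)
    day = timedelta(days=1)
    return [
        acct.login("Temp1234", now),                                   # first log-on: change forced
        acct.change_password("Temp1234", "short1", now),               # rejected: complexity
        acct.change_password("Temp1234", "Spring2012", now),           # accepted
        acct.change_password("Spring2012", "Autumn2012", now),         # rejected: minimum age
        acct.change_password("Spring2012", "Temp1234", now + 2 * day), # rejected: in history
        acct.login("Spring2012", now + 31 * day),                      # warning, 14 days left
        acct.login("Spring2012", now + 46 * day),                      # expired: change required
        acct.login("wrong", now), acct.login("wrong", now), acct.login("wrong", now),  # lockout
    ]

if __name__ == "__main__":
    for result in walkthrough():
        print(result)
```

Item n (no passwords in scripts or batch files) is deliberately outside this code: the class stores only salted digests, and a service that needs to authenticate should draw its credential from a secrets store at run time rather than from a file checked into the same repository as the script.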
7.3.5 Review of User Access Rights
Control Statement: User access rights on systems used to provide services to Bharti Infratel shall
be reviewed at regular intervals, using a formal process.
Explanatory Notes: The review of access rights shall consider the following:
a. User access rights are reviewed at regular intervals, e.g., every three months, and after
any change in status of employment, such as promotion, demotion or termination;
b. Whenever a user moves from one role to another within the Third-party’s organisation, user
access rights are to be reviewed and re-allocated;
c. Authorisations for special privileged access rights are reviewed at more frequent intervals,
e.g., every month;
d. Privilege allocations are checked at regular intervals to ensure that unauthorised privileges
have not been obtained; and
e. Changes to privileged accounts are logged for periodic reviews.
7.4. User Responsibilities
All employees of Third-party with access to information systems and facilities that are used to
provide services to Bharti Infratel should be made aware of their responsibilities for maintaining
effective access controls, particularly regarding the use of passwords and the security of user
equipment. A ‘clear desk and clear screen’ policy shall be implemented at all locations and
functions of Bharti Infratel.
7.4.1 Password Use
Control Statement: The Third-party shall ensure that their employees follow good security
practices for the selection and use of passwords for systems that are used to provide services to
Bharti Infratel.
Explanatory Notes: The Third-party shall ensure that users with access to information or
information systems that are used to provide services to Bharti Infratel are advised of the
following:
a. Keeping the passwords confidential and avoiding the recording of passwords, unless this can
be stored securely and the method of storing approved;
b. Changing passwords whenever there is any indication of possible system or password
compromise;
c. Choosing quality password which is easy to remember but difficult to guess; and
d. Changing passwords at regular intervals or based on the number of accesses (passwords for
privileged accounts shall be changed more frequently than normal passwords).
7.4.2 Unattended User Equipment
Control Statement: The Third-party shall ensure that information systems used to provide services
to Bharti Infratel are protected whenever they are left unattended.
Explanatory Notes: Appropriate technical controls shall be applied to ensure that the information
systems are locked after a specified duration of inactivity (the duration should be kept as low as
possible). Employees of the Third-party shall be made aware of the security requirements and
procedures for protecting unattended equipment, as well as their responsibilities for implementing
such protection. The Third-party shall ensure that its employees:
a. Terminate active sessions when finished, or implement an appropriate locking mechanism,
e.g., a password-protected screen saver;
b. Log off office PCs, servers and network devices when the session is finished (i.e., not just
switch off); and
c. Use the key lock or an equivalent control to secure PC terminals from unauthorised use.
7.4.3 Clear desk and Clear Screen Policy
Control Statement: A clear desk policy for papers and removable storage media containing
information of Bharti Infratel and a clear screen policy for information processing units that are
used to provide services to Bharti Infratel shall be developed and implemented.
Explanatory Notes: Critical information on paper and removable media containing information of
Bharti Infratel is required to be locked inside drawers after office hours or when the office is
vacated by the user.
Information systems that are used to process, manage and/ or store information of Bharti Infratel
are required to be turned off or logged off when the users are away from their systems.
7.5. Network Access Control
Appropriate controls for user access to networks and network services shall be applied. The
controls shall ensure that:
a. Appropriate interfaces are in place to segregate the Bharti Infratel network from the networks
owned by other organisations and from public networks;
b. Appropriate authentication mechanisms are applied for users and equipment; and
c. Control of user access to information services is enforced.
7.5.1 Policy on Use of Network Services
Control Statement: The Third-party shall ensure that its employees are provided the least access
privileges to the services which are necessary to perform the job.
Explanatory Notes: The Third-party shall ensure that its users are provided with access to
services only on a ‘need-to-have’ basis. An authorisation process shall be developed and followed to
ensure that only authorised users can access the respective network segments and services. These
access rights are required to be reviewed at regular intervals.
Virtual Local Area Networks (hereinafter referred to as VLAN) should be created to segregate the
networks being used to provide services to Bharti Infratel.
7.5.2 User Authentication for External Connection
Control Statement: The Third-party shall ensure that adequate security controls are implemented
to authenticate users for external connections to systems that are used to provide services to
Bharti Infratel.
Explanatory Notes: The Third-party shall ensure that:
a. Remote access connections to networks being used to provide services to Bharti Infratel are
provided only to authorised users. This shall be authorised by Bharti Infratel;
b. Secure channels like Virtual Private Networks shall be implemented.
c. Modems connected to the end user workstations/laptops are configured to reject all
incoming traffic initiated from other external sources; and
d. Only approved remote control software is used in the network for external connections, if
required.
7.5.3 Equipment Identification in Network
Control Statement: Automatic equipment identification should be considered as a means to
authenticate connections from specific locations and equipment.
Explanatory Notes: Equipment identification shall be used, if it is important that the
communication can only be initiated from a specific location or equipment. An identifier shall be
used to indicate whether this equipment is permitted to be connected to the network used to
provide services to Bharti Infratel.
7.5.4 Remote Diagnostic and Configuration Port Protection
Control Statement: Physical and logical access to diagnostic and configuration ports shall be
controlled on systems/network devices that are used to provide services to Bharti Infratel.
Explanatory Notes: Ports, services and similar facilities enabled on computers or networks that
are not specifically required for the business of Bharti Infratel shall be disabled or removed. Control
of access to diagnostic and configuration ports shall include the use of a key lock and supporting
procedures to control access to the port. These ports shall be used only after appropriate approval
and only at the time of diagnostic or configuration support.
7.5.5 Segregation in Network
Control Statement: The Third-party shall ensure that segregation in network is implemented to
prevent any unauthorised access to systems in the network used to provide services to Bharti
Infratel.
Explanatory Notes: Networks associated with information that belongs to Bharti Infratel should be
divided into separate physical and/or logical network domains. A graduated set of controls shall be
applied in the different logical network domains to further segregate the network’s security
environments.
The Third-party shall ensure that they segregate the network used for Bharti Infratel from the rest
of its network.
7.5.6 Network Connection Control
Control Statement: The Third-party should ensure that, in the case of shared networks (shared with
a public network), the capability of users to connect to the network used to provide services to
Bharti Infratel is restricted.
Explanatory Notes: The Third-party should ensure that the connection capability of users is
restricted through firewalls. FTP downloads and uploads from the Internet shall be permitted only
for business use and only after approval from Bharti Infratel.
The only exclusion to this is when fault logs are required to be sent to suppliers for repairs and/or
diagnostics of systems.
7.5.7 Network Routing Control
Control Statement: Routing controls should be implemented for networks to ensure that computer
connections and information flows are as per the Access Control Policy of BITSP.
Explanatory Notes: Network routing controls are based on positive source and destination address-
checking mechanisms. The Third-party shall ensure that they implement network routing controls
to prevent any unauthorised access to information systems that provide services to Bharti Infratel.
7.6. Operating System Access Control
Adequate security controls shall be implemented on the information systems that are used to
provide services to Bharti Infratel to restrict access to authorised users only. The controls shall
authenticate authorised users as per Access Control Policy and record the successful and failed
system authentication attempts.
7.6.1 Secure Log-on Procedure
Control Statement: The Third-party shall ensure that access to operating systems that are used to
provide services to Bharti Infratel are controlled by a secure log-on procedure.
Explanatory Notes: The operating systems that are used to provide services to Bharti Infratel are
recommended to be controlled by a secure log-on procedure. The log-on procedure shall not
disclose any version or configuration information about the system. The remote log-on procedure,
if applicable and authorised, is recommended to be designed with encryption of the password
during its transmission.
7.6.2 User Identification and Authentication
Control Statement: The Third-party shall ensure that its employees who have access to the
information systems that are used to provide services to Bharti Infratel shall be assigned a unique
login ID for accessing those information systems. A suitable authentication mechanism shall be used
to allow authorised users to access the information systems.
Explanatory Notes: The Third-party shall ensure that a unique user ID is assigned to each user who
needs to access the information systems that are used to provide services to Bharti Infratel. An
authentication system is required to be implemented to identify the user. As an exception, a
group/shared ID may be used, but approval shall be obtained from Bharti Infratel and additional
compensating controls shall be established in this case.
Authentication methods alternative to passwords, such as cryptographic means, smart cards,
tokens or biometric means, shall be used where appropriate.
7.6.3 Password Management System
Control Statement: The system for managing passwords shall be interactive and capable of
implementing quality passwords on systems/network devices that are used to provide services to
Bharti Infratel.
Explanatory Notes: As passwords are the principal means of validating a user’s authority on a
system, a system that ensures the use of quality passwords shall be identified and implemented by
the Third-party.
7.6.4 Use of System Utilities
Control Statement: The use of utility programs shall be restricted and tightly controlled.
Explanatory Notes: Utility programs are those programs which are capable of changing
configuration parameters on the system. Access to such utilities shall be restricted only to
authorised personnel. A formal Change Management Process shall be followed before using utilities
that might be capable of overriding system parameters.
7.6.5 Session Time-Out
Control Statement: Inactive sessions of applications and systems shall shut down after a defined
period of inactivity.
Explanatory Notes: All information systems that are used to provide services to Bharti Infratel are
required to have a time-out facility to clear the session screen and also, possibly later, close both
application and network sessions after a defined period of inactivity. The sessions shall be shut
down to prevent access by unauthorised persons and the possibility of denial of service attacks. The
terminal time-out shall be configured for all the terminals connected to critical systems.
7.6.6 Limitation of Connection Time
Control Statement: Restrictions on connection times shall be configured on high-risk
applications/systems that are used to provide services to Bharti Infratel.
Explanatory Notes: The applications and information systems that are catering to sensitive
information of Bharti Infratel shall have restrictions on connection times as an additional security
control. The following shall be considered:
a. Using predetermined time slots, e.g., for batch file transmissions, or regular interactive
sessions of short duration;
b. Restricting connection times to normal office hours if there is no requirement for overtime
or extended hours of operation;
c. Considering re-authentication at timed intervals.
7.7. Application and Information Access Control
Logical access to the application software that is used to provide services to Bharti Infratel
shall be restricted to authorised users only. Appropriate security controls shall be used to restrict
access to application systems.
7.7.1 Information Access Restriction
Control Statement: The Third-party shall ensure that access to information and functional
application systems by users and support personnel is restricted.
Explanatory Notes: Access to application systems shall be restricted to users who require it.
The system administrator, or the person performing the equivalent role, shall maintain an up-to-date
user access matrix detailing the privileges assigned to each user.
7.7.2 Sensitive System Isolation
Control Statement: Sensitive systems that are used to provide services to Bharti Infratel shall have
a dedicated (isolated) computing environment.
Explanatory Notes: The application systems hosting sensitive information of Bharti Infratel shall
not be hosted on a shared server. All such application systems are required to be identified and
hosted on an isolated dedicated server by the Third-party.
7.8. Mobile Computing and Teleworking
7.8.1 Mobile computing and communication
Control Statement: Appropriate security measures shall be adopted to protect against the risks of
using mobile computing and communication facilities.
Explanatory Notes: Mobile computing devices include laptops and handheld computing devices such as
PDAs, BlackBerry devices and palmtops. The Third-party shall ensure that only authorised users have
access to such mobile computing devices that are used to provide services to Bharti Infratel. The
employees shall take special care of mobile computing resources to prevent any compromise of
business information of Bharti Infratel.
7.8.2 Teleworking
Control Statement: An authorisation process shall be established and implemented for endorsing
teleworking requests.
Explanatory Notes: Teleworking means working from a remote site, in the sense that the Third-
party may connect to the network (containing information of Bharti Infratel) from an outside site
through the internet or any other remote connectivity. An adequate teleworking security process
shall be established and implemented. At a minimum, the following should be addressed:
a. Use of two-factor authentication for authenticating the users of teleworking solutions;
b. Secure teleworking solutions for enabling users to remotely access information assets;
c. Physical security for all teleworking sites/devices.
8. Information Systems Acquisition, Development & Maintenance Policy (BITSP – 008)
8.1. Introduction
Bharti Infratel extends its information security requirements to the software developed by the
Third-party for providing services to Bharti Infratel. The Third-party shall ensure that information
security is integrated into its information system acquisition, development and maintenance
processes. Security requirements shall be identified and agreed prior to the development and/or
implementation of information systems. This methodology ensures that the software is adequately
documented and tested before it is used for critical information processing.
8.2. Policy Statement and Objective
The purpose of this policy is to ensure that the Third-party addresses the confidentiality, integrity
and availability of all information assets and information processing facilities during their complete
lifecycle, and integrates security requirements into its information system acquisition, development
and maintenance processes.
The objectives of this policy are to:
a. Strengthen the confidentiality, integrity and availability of applications developed by the
Third-party;
b. Ensure that information security is an integral part of information systems, right from the
requirements phase, and is consequently incorporated in the design phase; and
c. Maintain the information security of application-system software and information during its
lifecycle.
8.3. Security Requirements of Information System
8.3.1 Security Requirements Analysis and Specification
Control Statement: The Third-party shall ensure that security requirements are established for the
development of new systems and for carrying out enhancements to existing systems.
Explanatory Notes: The Third-party is required to ensure that they consider appropriate automated
controls while designing the information systems that are used to provide services to Bharti
Infratel.
All new application systems developed/to be deployed by the Third-party to provide services to
Bharti Infratel shall be formally reviewed for compliance with the security policy before being
deployed in the production environment. The development, testing, operations and maintenance
teams of the Third-party shall be trained on security aspects of application development and
maintenance.
8.4. Correct Processing in Application
It is crucial that correct processing is undertaken to prevent error, loss, unauthorised
modification or misuse of information in applications. This is done by implementing security
controls at the data input stage, the internal processing stage and, finally, the output stage.
8.4.1 Input Data Validation
Control Statement: Appropriate security controls shall be built into the applications to validate the
data entered in the application system.
Explanatory Notes: The system requirements specification shall include controls in the application
for the input data provided. Periodic reviews of the content of key fields or data files to confirm
their validity and integrity shall be conducted by the Third-party. Procedures for responding to
validation errors, and defining the responsibilities of personnel involved in the data input process,
shall be documented by the Third-party.
8.4.2 Control of Internal Processing
Control Statement: Validation checks shall be incorporated into the applications developed to
provide services to Bharti Infratel, to detect any corruption of information through processing
errors or deliberate acts.
Explanatory Notes: Risks associated with processing facilities shall be minimised by considering
security controls in the design and implementation phases of application development and
deployment. Specific security controls that are required to be incorporated at this stage are as
follows:
a. Session or batch controls, to reconcile data file balances after transaction updates;
b. Balancing controls, to check opening balances against previous closing balances, namely:
i. Run-to-run controls;
ii. File update totals;
iii. Program-to-program controls;
c. Validation of system-generated input data;
d. Checks on the integrity, authenticity or any other security feature of data or software
downloaded, or uploaded, between central and remote computers;
e. Hash totals of records and files;
f. Checks to ensure that application programs are run at the correct time;
g. Checks to ensure that programs are run in the correct order and terminate in case of a
failure, and that further processing is halted until the problem is resolved;
h. Creating a log of the activities involved in the processing.
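The batch controls listed above (items a, b.i, e, g and h), shown in Python as an added example that is not part of the policy or of any Bharti Infratel system. The record layout, the batch trailer fields and the balances are constructed for illustration; the example generalises the single checks the list names into one ordered pipeline that halts on the first failed control.

```python
"""Internal-processing controls for a batch update: run-to-run balancing,
control totals, a hash total, fixed step order with halt-on-failure, and an
activity log. Added example; record layout and trailer format are constructed."""
import hashlib
import json
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Batch:
    """One transaction batch as delivered to the processing job (constructed layout)."""
    opening_balance: Decimal   # balance the batch claims to start from
    records: list              # [{"id": str, "amount": Decimal}, ...]
    trailer_count: int         # record count declared in the batch trailer
    trailer_total: Decimal     # sum of amounts declared in the trailer
    trailer_digest: str        # hash total declared in the trailer


class ProcessingHalted(Exception):
    """A control failed; no further step may run until the problem is resolved (item g)."""


def hash_total(records):
    """Hash total (item e): SHA-256 over a canonical serialisation of every record,
    so a changed, dropped or reordered record changes the digest."""
    canonical = json.dumps(
        [{"id": r["id"], "amount": str(r["amount"])} for r in records],
        separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def control_totals(records):
    """Batch controls (item a): record count, amount total and hash total."""
    total = sum((r["amount"] for r in records), Decimal("0"))
    return len(records), total, hash_total(records)


def check_run_to_run(previous_closing, batch, log):
    """Balancing control (item b.i): opening balance must equal the last run's closing."""
    if batch.opening_balance != previous_closing:
        log.append(f"FAIL run-to-run: opening {batch.opening_balance} "
                   f"!= previous closing {previous_closing}")
        raise ProcessingHalted("run-to-run mismatch")
    log.append("OK run-to-run")


def check_batch_controls(batch, log):
    """Recompute the trailer values from the records and compare (items a, e)."""
    count, total, digest = control_totals(batch.records)
    mismatches = []
    if count != batch.trailer_count:
        mismatches.append(f"count {count} != {batch.trailer_count}")
    if total != batch.trailer_total:
        mismatches.append(f"total {total} != {batch.trailer_total}")
    if digest != batch.trailer_digest:
        mismatches.append("hash total differs")
    if mismatches:
        log.append("FAIL batch controls: " + "; ".join(mismatches))
        raise ProcessingHalted("batch control mismatch")
    log.append(f"OK batch controls: {count} records, total {total}")


def apply_records(batch, log):
    """Update step: reached only when every preceding control has passed."""
    closing = batch.opening_balance + sum((r["amount"] for r in batch.records), Decimal("0"))
    log.append(f"APPLIED {len(batch.records)} records, closing {closing}")
    return closing


def process_batch(previous_closing, batch):
    """Run the steps in fixed order (item g) and keep an activity log (item h).
    Returns (status, closing_balance, log); closing_balance is None when halted."""
    log = []
    try:
        check_run_to_run(previous_closing, batch, log)
        check_batch_controls(batch, log)
        closing = apply_records(batch, log)
        return "COMPLETED", closing, log
    except ProcessingHalted as exc:
        log.append(f"HALTED: {exc}")
        return "HALTED", None, log


def demo():
    """Constructed sample: a clean batch, a batch altered after its trailer was
    produced, and a clean batch run against the wrong previous closing balance."""
    records = [{"id": "T1", "amount": Decimal("150.00")},
               {"id": "T2", "amount": Decimal("-40.25")},
               {"id": "T3", "amount": Decimal("10.00")}]
    count, total, digest = control_totals(records)
    good = Batch(Decimal("1000.00"), records, count, total, digest)
    altered = [dict(r) for r in records]
    altered[1]["amount"] = Decimal("-400.25")      # tampered after trailer creation
    bad = Batch(Decimal("1000.00"), altered, count, total, digest)
    return (process_batch(Decimal("1000.00"), good),
            process_batch(Decimal("1000.00"), bad),
            process_batch(Decimal("999.00"), good))


if __name__ == "__main__":
    for status, closing, log in demo():
        print(status, closing, *log, sep="\n  ")
```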
8.4.3 Message Integrity
Control Statement: The requirements for ensuring authenticity and protecting message integrity in
application shall be identified and appropriate controls identified and implemented.
Explanatory Notes: Message integrity shall be protected through appropriate management of
encryption when developing applications that will be used to provide services to Bharti Infratel.
Message integrity concerns methods that ensure the contents of a message have not been tampered
with or altered. Message integrity protection requirements shall be identified by the Third-party for
its applications and information systems, and the controls for integrity shall be implemented. An
assessment of security risks shall be carried out by the Third-party to determine whether message
integrity protection is required, and the appropriate method of message integrity check shall be
identified as per the risk assessment results.
8.4.4 Output Data Validation
Control Statement: Data output from an application shall be validated to ensure that the
processing of stored information is correct and appropriate to the circumstances.
Explanatory Notes: During the development stage of application systems, data generated from the
application system after processing of the stored information shall be validated to ensure that
output is correct and appropriate.
8.5. Cryptographic Controls
8.5.1 Policy on Use of Cryptographic Controls
Control Statement: Use of cryptographic controls for the protection of information shall be
implemented.
Explanatory Notes: Appropriate cryptographic controls shall be applied to protect information
assets which require stringent security. Examples of cryptographic controls are public- and private-
key cryptosystems. The Third-party shall define and deploy procedures for the maintenance of keys.
8.5.2 Key Management
Control Statement: The key management procedures shall be put in place to support the use of
cryptographic techniques.
Explanatory Notes: Wherever required, appropriate encryption controls shall be implemented by the
Third-party to protect the confidentiality and integrity of information on the applications/systems
that are used to provide services to Bharti Infratel. The encryption type and other implementation
details shall be decided by the Third-party after taking into account relevant legislative and
regulatory requirements.
The access to sensitive commands pertaining to encryption key data on the devices shall be
restricted to key administrators only. The activities of the users having access to such sensitive
commands shall be appropriately logged and monitored periodically.
8.6. Security of System Files
8.6.1 Control of Operational Software
Control Statement: The procedures shall be put in place to control the installation of software on
operational systems. The controls to implement software on operational systems to minimise the
risk of corruption of operational systems shall be deployed.
Explanatory Notes: Applications and operating system software shall only be implemented after
extensive and successful testing. All tests shall be carried out on separate systems, and the test
results shall be documented for the tests on usability, security, effects on other systems and user-
friendliness. The Third-party shall ensure that all corresponding program source libraries have been
updated. Modifications to the operational environment shall be logged, and previous versions shall
be retained for contingency/roll-back purposes. The operational systems shall only hold executable
code.
8.6.2 Protection of System Test Data
Control Statement: The third-party shall ensure that test data is selected carefully and is
protected and controlled.
Explanatory Notes: Test data that contains classified information of Bharti Infratel shall be secured
and controlled appropriately in the testing environment, and the Third-party shall ensure that this
information is not leaked outside. The Third-party shall ensure that the test data is secured and
sanitised during testing. Testing reports shall be documented and maintained until the new
application stabilises. These reports shall be stored securely and made available only to authorised
personnel of the Third-party.
8.6.3 Access Control to Program Source Code
Control Statement: The access to program source code of operational systems that are used to
provide services to Bharti Infratel shall be restricted.
Explanatory Notes: The Third-party shall identify program librarians to maintain the source libraries
of operational application systems in a configuration management database. All source code shall be
stored in a secure environment. All updates or issue of program sources to developers shall be
carried out through an authorised request. Changes to program source code shall be made through
the configuration management process to prevent any unauthorised or unintentional changes.
Previous versions of source programs shall be archived, with a clear indication of the precise dates
and times when they were operational, together with all supporting software, job control, data
definitions and procedures.
8.7. Security in Development and Support Processes
8.7.1 Change Control Procedure
Control Statement: The changes to application systems shall be carried out in a controlled manner
as per a formal Change Management Process developed by the Third-party.
Explanatory Notes: A formal Change Management Process is required to be developed and
implemented for all changes pertinent to Bharti Infratel applications and systems. The Third-party
shall ensure that:
a. Changes are recorded in change request forms and change requests are approved;
b. An impact assessment of the change is carried out;
c. Changes are documented; and
d. Changes are not carried out in the production environment directly; all changes shall first
be applied to the development/test environment.
8.7.2 Technical Review of Applications after Operating System Changes
Control Statement: When operating systems are upgraded, business critical applications shall be
reviewed and tested to ensure there is no adverse impact on operations and security of applications
that are used to provide services to Bharti Infratel.
Explanatory Notes: A review of application control and integrity procedures shall be done to
ensure that they have not been compromised by the operating system changes. The Third-party shall
ensure that notification of operating system changes is provided in time to allow appropriate testing
to be done.
8.7.3 Restrictions on Changes to Software Packages
Control Statement: Vendor-supplied software packages shall, as far as possible, not be modified
without consulting the vendor.
Explanatory Notes: The Third-party shall ensure that vendor-supplied software packages are not
changed. If changes are essential, the original software shall be retained and the changes applied
to a clearly identified copy. In such cases, changes shall be carried out only by authorised users.
Risk factors such as the vendor’s continued support for maintenance of the application and the
compromise of built-in controls shall be considered before making any change to the software.
8.7.4 Information Leakage
Control Statement: Information leakage shall be prevented for systems that are used to provide
services to Bharti Infratel.
Explanatory Notes: The following controls shall be considered for preventing information leakage:
a. Scanning of outbound media and communications for hidden information;
b. Making use of systems and software that are considered to be of high integrity, e.g. using
evaluated products;
c. Regular monitoring of personnel and system activities, where permitted under existing
legislation or regulation; and
d. Monitoring resource usage in computer systems.
8.7.5 Outsourced Software Development
Control Statement: The Third-party shall ensure the monitoring and review of any further outsourced
software development.
Explanatory Notes: For customised software (not off-the-shelf/standard offerings) developed by the
Third-party’s sub-contractor, the arrangements pertaining to licensing, code ownership and
intellectual property rights shall be documented in the contract between the Third-party and its
sub-contractor. As applicable, the contract shall also include, at a minimum, the Third-party’s
and/or Bharti Infratel’s right to audit the quality and accuracy of the software development and
testing work carried out by the sub-contractor. Such software code shall also have escrow
arrangements.
8.8. Technical Vulnerability Management
8.8.1 Control of Technical Vulnerabilities
Control Statement: Timely information about technical vulnerabilities shall be obtained for the
information systems that are used to provide services to Bharti Infratel and timely & appropriate
measures shall be taken to address the associated risk.
Explanatory Notes: All technical vulnerabilities of information systems that are used to provide
services to Bharti Infratel shall be identified and documented. Appropriate measures shall be taken
to address the associated risk. Timelines shall be defined for responding to technical vulnerabilities
observed in the systems. The Third-party shall define and establish the roles and responsibilities
associated with technical vulnerability management, including vulnerability monitoring,
vulnerability risk assessment, patching, and any coordination responsibilities required. All patching
shall follow a formal Patch Management Process.
9. Information Security Incident Management Policy (BITSP – 009)
9.1. Introduction
The Information Security Incident Management Policy provides directions to develop and implement
the information security incident management process for networks and computers, improving user
security awareness, early detection and mitigation of security incidents and suggesting the actions
that can be taken to reduce the risk due to security incidents.
9.2. Policy Statement and Objective
All security breaches or attempts to breach, and all identified security weaknesses in information
systems and processing facilities that are used to provide services to Bharti Infratel, shall be
reported. The information security incident management process shall ensure that all reported
security breaches or weaknesses are responded to promptly and that appropriate actions are taken
to prevent recurrence.
The objectives of this policy are to:
a. Develop proactive measures to minimise the impact of any incident on information systems
and processing facilities associated with the information;
b. Create awareness among users of the Third-party and encourage them to report the security
weaknesses and/or incidents that they identify or notice;
c. Enable the proactive management of problems by capturing data that can be used to analyse
trends and problem areas, thereby preventing security incidents from occurring; and
d. Learn from incidents and continually improve.
9.3. Security Incident Identification
a. A security incident is the act of violating an explicit or implied security policy. The actions
that may be classified as incidents include, but are not limited to, the following:
i. Attempts to gain unauthorised access to a system or its data; masquerading,
spoofing as authorised users;
ii. Unwanted disruption or denial of service;
iii. The unauthorised use of a system for the processing or storage of data by
authorised/ unauthorised users;
iv. The changes to the system hardware, firmware or software characteristics and data
without the application/ information system owner's knowledge;
v. The existence of unknown user accounts;
vi. Information system failures;
vii. Malicious code;
viii. Denial of service;
ix. Errors resulting from incomplete or inaccurate business data (for example, invalid
input, failed processes);
x. Breaches of confidentiality and integrity; and /or
xi. Misuse of information systems.
9.4. Reporting Information Security Events and Weakness
9.4.1 Reporting Information Security Events
Control Statement: Information security events within the Third-party organisation concerning
information assets that are used to provide services to Bharti Infratel shall be reported to the
incident management team within the Third-party.
Explanatory Notes: The Third-party shall ensure that it has an incident management team in place
to respond to information security incidents pertaining to information assets of Bharti Infratel. This
team shall submit security incident reports to Bharti Infratel on request.
A formal Information Security Incident Management Process shall be developed and implemented
within the Third-party organisation. The process shall include incident reporting, incident response,
escalation and incident resolution pertinent to Bharti Infratel information. The Third-party’s
employees shall be made aware of their responsibilities regarding information security incident
management.
9.4.2 Reporting Information Security Weaknesses
Control Statement: Third-party shall ensure that their employees note and report any observed or
suspected security weaknesses in systems or services that are used to provide services to Bharti
Infratel.
Explanatory Notes: All employees of Third-party shall report information security weaknesses
to their Incident Management Team. Users shall not attempt to prove a suspected security
weakness themselves, and shall not test for the existence of a vulnerability in any information
system used to provide services to Bharti Infratel: such testing could itself be classified as
misuse of the system (see 9.3) or cause damage to the service.
9.5. Security Incident Response, Recovery and Improvements
9.5.1 Responsibilities and Procedures
Control Statement: Responsibilities and supporting procedures shall be established to ensure a
quick, effective and orderly response to information security incidents.
Explanatory Notes: Responsibilities shall be identified and defined within the Third-party
organisation to ensure a quick, efficient and systematic response to information security incidents.
Procedures shall be established to handle the different types of information security incidents.
A formal review shall be conducted within two weeks of the completion of recovery from an
incident. A feedback mechanism shall be available to identify improvements to the incident
handling process.
Audit trails and similar evidence shall be collected throughout the incident handling process,
from the initial incident report to the incident follow-up. The audit trails shall be used for the
following:
a. Internal problem analysis (or root cause analysis) of how the incident occurred; and
b. As forensic evidence in relation to a potential contract breach or regulatory requirement, or
in the event of civil or criminal proceedings, and shall include the following types of logs:
i. Communication log;
ii. Incident survey, containment and eradication logs; and
iii. Raw data, i.e. the actual system logs.
Incident reports and logs shall be retained in accordance with legal and regulatory
requirements. The incident handling procedures shall be regularly reviewed and tested to
establish their ongoing effectiveness.
9.5.2 Learning from Information Security Incidents
Control Statement: The information gained from the evaluation of information security incidents
shall be used to reduce the recurrence of security incidents.
Explanatory Notes: Third-party shall ensure that mechanisms are in place to enable the types,
volumes and costs of information security incidents to be quantified and monitored. The
information gained from the evaluation of information security incidents should be used to identify
recurring or high-impact incidents.
9.5.3 Collection of Evidence
Control Statement: Third-party shall ensure that sufficient evidence is collected during the
incident analysis phase.
Explanatory Notes: Third-party shall ensure that evidence is collected in a manner that does not
destroy its evidentiary value. While collecting evidence, the following shall be considered by
Third-party:
a. Admissibility of evidence: whether the evidence can be used in court; and
b. Weight of evidence: the quality and completeness of the evidence.
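An added example of the evidence-integrity practice that 9.5.1 (audit trails preserved as forensic evidence) and 9.5.3 (evidence collected without destroying its evidentiary value) require. It is not part of the Bharti Infratel policy; the file names, the collector identity, the case identifier and the log lines are constructed for illustration. Each collected artefact is hashed with SHA-256 at collection time, the hashes and collector details are recorded in a chain-of-custody manifest, and a reviewer can later re-verify both the artefacts and the manifest itself, so that an artefact altered or lost after collection, or a forged manifest entry, is detected.

```python
# Added example (not from the Bharti Infratel policy): hash-and-manifest
# evidence collection. Names, paths and sample log lines are assumptions.
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16


def sha256_file(path):
    """SHA-256 of a file, streamed so large disk images or logs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _entries_digest(entries):
    # Hash over a canonical JSON encoding of the entries, so the manifest
    # itself is tamper-evident (editing or reordering an entry changes it).
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(paths, collector, case_id):
    """Record hash, size and chain-of-custody details for each collected artefact."""
    entries = []
    for p in sorted(paths):
        entries.append({
            "path": os.path.basename(p),
            "sha256": sha256_file(p),
            "size": os.path.getsize(p),
        })
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
        "entries_sha256": _entries_digest(entries),
    }


def verify_manifest(manifest, directory):
    """Re-verify artefacts against the manifest.

    Returns [(name, status)] with status 'ok', 'modified' or 'missing', or a
    single ('<manifest>', 'manifest_tampered') entry if the manifest's own
    digest no longer matches its entries.
    """
    if _entries_digest(manifest["entries"]) != manifest["entries_sha256"]:
        return [("<manifest>", "manifest_tampered")]
    results = []
    for e in manifest["entries"]:
        p = os.path.join(directory, e["path"])
        if not os.path.exists(p):
            results.append((e["path"], "missing"))
        elif sha256_file(p) != e["sha256"]:
            results.append((e["path"], "modified"))
        else:
            results.append((e["path"], "ok"))
    return results


def demo():
    """Constructed scenario: two logs collected, then one altered and one deleted."""
    d = tempfile.mkdtemp()
    try:
        auth = os.path.join(d, "auth.log")
        comm = os.path.join(d, "communication.log")
        with open(auth, "w") as f:  # constructed sample system log
            f.write("Oct 30 10:12:01 host sshd[4242]: Failed password for invalid user admin\n")
        with open(comm, "w") as f:  # constructed sample communication log
            f.write("2012-10-30T10:15Z incident management team notified of suspected intrusion\n")
        manifest = build_manifest([auth, comm], collector="imt-analyst", case_id="INC-EXAMPLE-01")
        before = dict(verify_manifest(manifest, d))

        with open(auth, "a") as f:  # evidence altered after collection
            f.write("tampered line\n")
        os.remove(comm)  # evidence lost after collection
        after = dict(verify_manifest(manifest, d))

        forged = json.loads(json.dumps(manifest))  # copy, then edit one entry
        forged["entries"][0]["sha256"] = "0" * 64
        tampered = verify_manifest(forged, d)
        return {"before": before, "after": after, "forged_manifest": tampered}
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest should be stored (or signed) separately from the artefacts it describes, since a party who can edit both can re-hash. Hashing shows that an artefact changed after collection, not who changed it, so the communication log recording who handled the evidence and when remains part of the record under 9.5.1.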
10. Business Continuity Management Policy (BITSP – 010)
10.1. Introduction
Bharti Infratel recognises the criticality of its business and understands the importance of the
availability of its information, information systems and processing facilities. The dependency of
Bharti Infratel's business on Third-party requires Third-party to develop and maintain business
continuity plans to ensure timely resumption of essential operations in case of disasters
affecting Bharti Infratel's business.
10.2. Policy Statement and Objective
Information systems shall be planned for continuity of operations in the event of disasters. A
documented Business Continuity Management Plan shall be maintained, tested and updated by
Third-party for systems that are critical and are used to provide services to Bharti Infratel.
The objectives of this policy are to:
a. Identify the critical business processes and integrate the information security
management requirements of business continuity with other continuity requirements
relating to such aspects as operations, staffing, materials, transport and facilities;
b. Strengthen the continuity of services offered to Bharti Infratel in case of any disaster;
and
c. Provide a disaster recovery plan to understand the current state, mitigate risks and
plan for recovery.
10.3. Information Security Aspects of Business Continuity Management
Third-party shall ensure that a Business Impact Analysis (BIA) is carried out for all business
processes to assess the consequences of disasters, security failures and loss of services or service
availability to Bharti Infratel. Business continuity management shall include the controls
required for the identification and mitigation of risks, in addition to the general risk assessment
process, to limit the consequences of damaging incidents and ensure that information required for
the business processes is readily available to serve Bharti Infratel.
10.3.1 Including Information Security in the Business Continuity Management Process
Control Statement: A business continuity management process should be developed for the
processes and facilities that are used to provide services to Bharti Infratel. It should include the
information security requirements of Bharti Infratel.
Explanatory Notes: The business continuity plan developed by Third-party should include the risk
assessment, prioritisation and treatment for the critical services to Bharti Infratel. The business
continuity management process shall be able to identify the impact of interruptions caused by
information security incidents on business.
10.3.2 Business Continuity and Risk Assessment
Control Statement: Events that can cause interruptions to business processes pertinent to Bharti
Infratel should be identified, along with the probability and impact on business continuity.
Explanatory Notes: A risk assessment should be executed for all applicable assets required for
business continuity, considering all the events that can cause disruption to the Third-party services
to Bharti Infratel. The threats/ events considered shall include, at a minimum, human error/
man-made disaster, natural disaster and technical failure.
10.3.3 Developing and Implementing Continuity Plans including Information Security
Control Statement: Plans shall be developed and implemented to maintain and restore operations
and to ensure the availability of services provided to Bharti Infratel at the required level and
within the required time scales.
Explanatory Notes: Business continuity management plans shall be developed and implemented by
Third-party to maintain and restore operations and ensure the availability of services, considering
the recovery time objective (RTO), recovery point objective (RPO) and information security
requirements for the critical applications/ business processes, along with the acceptable loss of
information and services to Bharti Infratel.
10.3.4 Business Continuity Planning Framework
Control Statement: A business continuity planning framework shall be developed to ensure that all
plans are consistent and consistently address information security requirements.
Explanatory Notes: The controls required to ensure the availability of information and
information systems used to provide services to Bharti Infratel shall be identified. A
consolidated and consistent approach to the continuity of all important business processes,
applications and information processing facilities shall be included in the business continuity
planning framework.
10.3.5 Testing, Maintaining and Re-assessing Business Continuity Plans
Control Statement: Business continuity plans should be tested and updated as per the test plan.
Explanatory Notes: Each Third-party shall ensure that:
a. The developed business continuity plan is tested in defined intervals;
b. The developed business continuity plan is effective;
c. The relevant controls, with their corresponding roles and responsibilities, are maintained,
working and known to the concerned individuals of the BCP team;
d. The effectiveness of business continuity plans is measured and reviewed; and
e. The test results are presented to Bharti Infratel on request.
11. Compliance Policy (BITSP – 011)
11.1. Introduction
The Compliance Policy provides the compliance requirements of Bharti Infratel from its Third-party.
Third-party shall ensure that effective arrangements to comply with statutory, regulatory and
contractual requirements are implemented in their organisation pertaining to information assets
that are used to provide services to Bharti Infratel.
11.2. Policy Statement and Objective
A compliance culture shall be established that helps the organisation prevent breaches of any law
or regulatory requirement and comply with the organisation's security policies and standards.
The objectives of this policy are to:
a. Avoid breaches of any law, statutory, regulatory or contractual obligations, and security
requirements;
b. Ensure that Third-party employees and their sub-contractor users are aware of regulatory
and contractual security requirements which may have an impact on their responsibilities
towards Bharti Infratel;
c. Assist in complying with the organisation's security policies; and
d. Maximise the effectiveness of, and minimise interference to/ from, the information
systems audit process.
11.3. Compliance with Legal Requirements
11.3.1 Identification of Applicable Legislation
Control Statement: All relevant statutory, regulatory and contractual requirements and the
approach to meet these requirements shall be defined, documented and kept up to date.
Explanatory Notes: A list of all relevant statutory, regulatory and contractual requirements shall
be maintained by Third-party.
11.3.2 Intellectual Property Rights (IPR)
Control Statement: Appropriate procedures shall be implemented to ensure compliance with
legislative, regulatory, and contractual requirements on the use of material in respect of which
there may be intellectual property rights and on the use of proprietary software products that are
used to provide services to Bharti Infratel.
Explanatory Notes: Third-party shall ensure the following:
a. Acquiring software only through reputable sources;
b. Maintaining proof of ownership of licences for software procured to provide services to
Bharti Infratel; and
c. Carrying out checks that only authorised and licensed software is used to provide services
to Bharti Infratel.
Bharti Infratel reserves the right to audit the Third-party for any/ all authorised and/ or
licensed software used to provide services to Bharti Infratel.
11.3.3 Protection of Organisational Records
Control Statement: The organisational records pertinent to Bharti Infratel shall be prevented from
loss, damage and falsification in accordance with the relevant legislative, regulatory and
contractual requirements.
Explanatory Notes: The mechanism used for the storage and handling of records pertinent to Bharti
Infratel shall ensure clear identification of records and of the retention period as defined by
national or regional legislation or regulations.
a. The records pertinent to Bharti Infratel shall be retained and stored as per the Control of
Record Procedure;
b. The Information Labelling and Handling Guidelines and the Media Disposal Procedure shall be
applicable to records pertinent to Bharti Infratel;
c. The review period and review rights of Bharti Infratel over such records shall be
defined; and
d. The backup of records pertinent to Bharti Infratel shall adhere to the Back-up Procedure.
11.3.4 Data Protection and Privacy of Personal Information
Control Statement: The data protection and privacy as required in relevant legislation, regulations,
and, if applicable, contractual clauses shall be ensured.
Explanatory Notes: A data protection and privacy policy shall be developed and implemented. This
policy should be communicated to all persons involved in the processing of personal information of
Bharti Infratel’s customers. Third-party shall ensure that they adhere to the Bharti Infratel
information security policy for protecting personal information of Bharti Infratel’s customers.
11.3.5 Prevention of Misuse of Information Processing Facilities
Control Statement: The appropriate access controls shall be implemented to prevent the users
from misusing the information systems and/ or facilities that are used to provide services to Bharti
Infratel.
Explanatory Notes: Third-party shall ensure that their users are prevented from misusing the
information processing systems/ facilities used to provide services to Bharti Infratel. Adequate
detection and monitoring controls shall be implemented so that any misuse of the information
systems/ facilities is detected and acted upon.
11.3.6 Regulation of Cryptographic Controls
Control Statement: The appropriate cryptographic controls in compliance with the relevant
agreements, laws, and regulations shall be identified and applied.
Explanatory Notes: Legal advice shall be sought to ensure compliance with national laws and
regulations. The appropriate procedure for compliance assurance shall be documented and
maintained by the Legal function.
11.3.7 Compliance with BITSP
Control Statement: Third-party shall ensure compliance with the BITSP.
Explanatory Notes: Third-party shall ensure compliance with the BITSP. Bharti Infratel reserves the
right to audit the Third-party against the controls of the BITSP applicable to them. Third-party
shall ensure that they implement all those controls applicable to them. Non-compliance with the
BITSP may attract penalty charges as specified in the business contract.
11.3.8 Technical Compliance Checking
Control Statement: Information systems shall be regularly checked for compliance with security
standards.
Explanatory Notes: Technical compliance checking shall cover penetration testing and
vulnerability assessments of the systems/ network devices that are used to provide services to
Bharti Infratel. All identified vulnerabilities shall be analysed and fixed within a defined time-
frame. Bharti Infratel reserves the right to review the vulnerability closure report and/ or to
conduct technical compliance checking on the Third-party network.
11.4. Information Systems Audit Considerations
11.4.1 Information Systems Audit Controls
Control Statement: Third-party shall ensure that the audit requirements and activities involving
checks on operational systems shall be carefully planned and agreed to minimise the risk of
disruptions to services pertinent to Bharti Infratel.
Explanatory Notes: Audit activities involving checks on operational systems shall be carefully
planned, as they may result in service disruption and in turn affect the services provided to Bharti
Infratel. Third-party shall ensure that such checks are limited to read-only access to software and
data.
11.4.2 Protection of Information Systems Audit Tools
Control Statement: Third-party shall ensure that the information system audit tools are protected
to prevent their misuse.
Explanatory Notes: Information system audit tools shall be separated from development and
operational systems. An authorisation process shall be established to control access to the audit
tools. Third-party shall ensure that adequate controls are in place to prevent unauthorised
execution of audit tools in the environment that carries Bharti Infratel information.