
NX/ISMS/P-01 Rev: 6

ISMS POLICY

FOR

NEXTENDERS (INDIA) PVT LTD

The information contained within this document is the property of Nextenders (India) Pvt Ltd. and is issued in confidence and must not be reproduced in whole or in part or used for tendering or manufacturing purposes or given or communicated to any third party.

© Copyright 2015, Nextenders (India) Pvt Ltd

Issued By | Page 1 | Date of Issue 27.11.2015 | Approved / Owned By Mr. Tapan Mehta

1.0 Introduction

2.0 Terms and Definitions

3.0 Security Policy

4.0 Asset Classification

5.0 Human Resource Security

6.0 Physical and Environmental Security

7.0 Communications and Operational Facility

8.0 Access Control

9.0 Information System

10.0 Information Security Incident Management

11.0 Business Continuity Plan

12.0 Compliance

13.0 Information Security Objective & Planning

14.0 Communication Matrix

15.0 Information Security in Project Management

16.0 Mobile Device Policy

17.0 Delivery and Loading Areas

INTRODUCTION

1.1 Purpose – The purpose of this policy document is to provide all employees and stakeholders a clear view of management's intent with regard to information security within the organization.

1.2. Information security is about TRUST, the trust that clients repose in Nextenders (India) Pvt. Ltd. This is the foundation of our relationship with our clients, and our employees are a very important part of this committed relationship of TRUST. All client information in all forms – paper, electronic or brainware – is to be treated with utmost care by one and all in the organization.

1.3 List of Interested Parties & Their Requirements

Sr. No. | Interested parties | Requirements of interested parties
1. | Eurocert | ISO Certification Standard and compliance
2. | STQC | Vulnerability assessment and compliance
3. | Net magic | Data Centre hosting services
4. | Provident Fund / ESIC / Professional Tax | Statutory Compliances
5. | Client | eProcurements, eAuction, Services and Supply
6. | NGO | Prevention, Prohibition and Redressal of Sexual Harassment at Workplace Act, 2013.

1.3. MANAGEMENT COMMITMENT:

NEXTENDERS MANAGEMENT is committed to continually improving the overall information security in NEXTENDERS by involving and sensitizing all employees and channel partners, constantly reviewing the overall risk to information security, and reviewing and updating NEXTENDERS's security policy in the context of continuous risk assessment.

1.4. SCOPE

The ISMS scope will cover the location of the Mumbai office:

1st Floor, "Yuchit", Juhu Tara Road
Mumbai – 400 049
Maharashtra, India

1.5. RESPONSIBILITY

Responsibility for Information Security on a day-to-day basis is every User's duty. Users must report any Information Security related incidents using the regular incident reporting channels.

1.6. QUESTIONS / SUGGESTIONS

If you have any questions about this Security Policy, or about Information Security issues in general, or suggestions for improvement, please contact the Information Security Manager at the following address:

[email protected]

2.0. TERMS AND DEFINITIONS

2.1. Information Security

Today information is stored, processed and communicated using computer systems. Information Technology is the ubiquitous common thread that runs across and connects all of the Company's business activities. As a company, Nextenders India Pvt. Ltd. is wholly dependent on computer systems to carry on all its client servicing activities and could be exposed to the risks pertaining to IT if appropriate protection and prevention mechanisms are not developed, implemented and complied with.

2.2. Information Security Criteria

2.2.1. Availability: All Information Systems, including hardware, communication networks, software programs and the data they hold, will be available to all those users who need the systems at all times they are needed to carry out business activities.

2.2.2. Confidentiality: No data or information will be disclosed to any person within or outside the company other than the persons who are authorized to use that data.

2.2.3. Data Integrity: No data / information / programs will be allowed to be modified by anyone without proper authority and authorization. This will ensure the accuracy and completeness of information and processing methods. No data will be modified, added, edited or deleted except by users or programs that are authorized to do so, and in a manner as approved or designed.

2.3. Risk

Combination of the probability of an event and its consequence.

2.4. Source

Item or activity having a potential for a consequence.

2.5. Risk Criteria

Terms of reference by which the significance of a risk is assessed, e.g. costs and benefits, legal requirements, environmental aspects, concerns of stakeholders.

2.6. Risk management

Coordinated activity of risk assessment, treatment, acceptance and communication.

2.7. Risk Analysis

Systematic use of information (historical data, theoretical analysis, informed opinions, concerns of stakeholders) to identify sources and estimate risks.

2.8. Information security incident

A single event or a series of unwanted or unexpected events that have a significant probability of compromising business operations and threatening information security.

2.9. Integrity

The property of safeguarding the accuracy and completeness of assets.

2.10. Confidentiality

The property that information is not made available or disclosed to unauthorized individuals, entities or processes.

2.11. Availability

The property of being accessible and usable upon demand by authorized users.

2.12. ISCG (Information Security Core Group)

The core group is responsible for implementing policies and controls and for reviewing information security incidents and policies. It consists of:

- HR
- System Admin
- Development Head
- CEO

3.0. SECURITY POLICY

The IT Security Policy document establishes the Organization's approach to managing information security. The Policy provides the broad-level framework of the Organization's objectives with respect to information security.

3.1 Review

The owner or approval authority of this policy is responsible for its review at least once a year, involving the ISCG (Information Security Core Group); this is generally done during the management review.

3.2 Information Security Organization

Process | Owner | Is part of ISCG / Reporting to ISCG | Expectations / Output
Asset classification | Administration Manager (Mr. Vakil) | ISCG | Asset Inventory – Risk Asset register maintained
Risk Assessment | Administration Manager (Mr. Vakil) | ISCG | Risk Analysis
Authorization process for Information processing facilities | Sys Admin (Mr. Devendra Zope) | ISCG | Logical Access Policy
Confidentiality Agreements (vendors, customers, third party) | Company Secretary and Compliance Officer (Mrs. Jayita Ganguly) | ISCG | –
Confidentiality Agreements (internal) | Company Secretary and Compliance Officer (Mrs. Jayita Ganguly) | ISCG | –
Contact with Authorities | Administration Manager (Mr. Vakil) | ISCG | –
Contact with Interest Groups | Sys Admin (Mr. Devendra Zope) | ISCG | –
Independent review of IS | Sys Admin (Mr. Devendra Zope) | ISCG | ISMS – Review
Outsourcing | Technical Director (Mr. Sujeet Bhatt) | ISCG | –
Back up Policy | Sys Admin (Mr. Devendra Zope) | ISCG | Is as per the ISMS Policy

4.0. ASSET CLASSIFICATION:

An asset inventory list is maintained and reviewed on a yearly basis by the ISCG. This asset list also defines the ownership of each asset and is used further in the risk analysis and in the treatment of the risks by applying suitable controls after assessing cost and benefit.

4.1 ACCEPTABLE USE OF ASSETS POLICY

4.1.1 PURPOSE: The explicit publication of this policy in the ISMS policy document is to:

- emphasize to all employees the importance of acceptable use of all assets;
- protect the privacy, confidentiality and security of Nextenders information;
- reduce incidents of inappropriate use.

4.1.2 SCOPE: All Employees

4.1.3 POLICY

Individuals must use Nextenders-provided or authorized information technology resources as the business tools required to do their work and provide efficient service delivery.

Do's

- Comply with all applicable legislation, regulations, policies and standards;
- use all appropriate anti-virus precautions when accessing non-Nextenders data and systems from the Nextenders network;
- adhere to licensing agreements for all software used;
- respect copyright and other intellectual property rights in relation to both programs and data, while making content for Nextenders and otherwise;
- only use the email account provided by Nextenders when conducting Nextenders business over email;
- use approved security measures when accessing the Nextenders network from home or from a non-Nextenders computer;
- only use messaging forums (e.g., Internet Relay Chat, internet newsgroups, social networking sites) when conducting work-related business or exchanging technical or analytical information;
- use the rules for complex passwords to create passwords;
- keep passwords confidential;
- change passwords whenever there is any indication of possible system or password compromise;
- select quality passwords with sufficient minimum length which are:
  1) easy to remember;
  2) not based on anything somebody else could easily guess or obtain using person-related information, e.g. names, telephone numbers, dates of birth etc.;
  3) not vulnerable to dictionary attacks (i.e. do not consist of words included in dictionaries);
  4) free of consecutive identical, all-numeric or all-alphabetic characters.

- change passwords at regular intervals or based on the number of accesses (passwords for privileged accounts should be changed more frequently than normal passwords), and avoid re-using or cycling old passwords;
- change temporary passwords at the first log-on;
- terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism, e.g. a password-protected screen saver;
- log off mainframe computers, servers and office PCs when the session is finished (i.e. not just switch off the PC screen or terminal);
- secure PCs or terminals from unauthorized use by a key lock or an equivalent control, e.g. password access, when not in use.

Don'ts

- Attempt to circumvent or subvert system or network security measures;
- propagate viruses knowingly or maliciously;
- detrimentally affect the productivity, integrity or security of Nextenders' systems;
- access a personal external email account (e.g., Gmail) from a Nextenders workstation for reasons unrelated to Nextenders business;
- access social networking websites (e.g. Facebook, MySpace) for reasons unrelated to Nextenders business;
- obtain or distribute files from unauthorized or questionable sources (e.g., racist material, pornography, file swapping sites);
- access Internet sites that might bring the public service into disrepute or harm Nextenders' reputation, such as those that carry offensive material;
- access radio stations or video clips (typically referred to as "streaming" audio or video) over the Internet, unless the access is work-related and approved by a Nextenders Manager;
- download non-work related files, such as freeware, shareware, movie or music files;
- divulge, share or compromise their own or another's Nextenders authentication credentials;
- transmit or otherwise expose sensitive or personal information to the internet;
- use information and technology resources for commercial solicitation or for conducting or pursuing business interests unrelated to the business of Nextenders;
- distribute hoaxes, chain letters or advertisements;

- send rude, obscene or harassing messages;
- attempt to obscure the origin of any message or download material under an assumed internet address;
- knowingly enable inappropriate levels of information access by others;
- disclose any information you do not have a right to disclose;
- keep a record (e.g. paper, software file or hand-held device) of passwords, unless this can be stored securely and the method of storing has been approved;
- include passwords in any automated log-on process, e.g. stored in a macro or function key;
- share individual user passwords;
- use the same password for business and non-business purposes.
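The password rules in the Do's and Don'ts above (sufficient minimum length, nothing based on person-related information, no dictionary words, no consecutive identical characters, not all-numeric or all-alphabetic, no re-use of old passwords) can be enforced mechanically at the moment a password is set, which is more reliable than relying on each user to remember them. The following Python is an example added for this page; it is not Nextenders' code and not part of the policy. The minimum length of 8, the six-word sample dictionary, the sample user profile and the use of PBKDF2 for the password-history hashes are all assumptions made for the example.

```python
"""Password-quality checks matching the Do's and Don'ts password rules (added example)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Set

# Assumed value: the policy asks for a "sufficient minimum length" but states no number.
MIN_LENGTH = 8

# Constructed stand-in for a real word list; a deployment would load a full dictionary.
SAMPLE_DICTIONARY: Set[str] = {"password", "welcome", "summer", "mumbai", "tender", "admin"}


@dataclass
class UserProfile:
    """Person-related data the policy says a password must not be based on."""
    names: List[str]
    phone_numbers: List[str]
    date_of_birth: str                      # DD.MM.YYYY, as dates appear in this document
    salt: bytes                             # per-user salt for the password-history hashes
    previous_hashes: List[str] = field(default_factory=list)


def hash_password(password: str, salt: bytes) -> str:
    # PBKDF2-SHA256 from the standard library, so old passwords are kept in the
    # history as hashes rather than plaintext (assumed choice for this example).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


def _digits(text: str) -> str:
    return re.sub(r"\D", "", text)


def _person_tokens(profile: UserProfile) -> List[str]:
    """Substrings derived from the profile that would make a password guessable."""
    tokens = set()
    for name in profile.names:
        if len(name) >= 3:
            tokens.add(name.lower())
    for phone in profile.phone_numbers:
        digits = _digits(phone)
        if len(digits) >= 4:
            tokens.update({digits, digits[-4:]})   # full number and its last four digits
    dob = _digits(profile.date_of_birth)
    if len(dob) == 8:
        tokens.update({dob, dob[:4], dob[-4:]})    # DDMMYYYY, DDMM and the birth year
    return sorted(tokens)                          # sorted so the report order is stable


def check_password(password: str, profile: UserProfile,
                   dictionary: Set[str] = SAMPLE_DICTIONARY,
                   min_length: int = MIN_LENGTH) -> List[str]:
    """Return the list of policy rules the password breaks (empty means acceptable)."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if password.isdigit():
        violations.append("all-numeric")
    if password.isalpha():
        violations.append("all-alphabetic")
    if re.search(r"(.)\1", password):
        violations.append("consecutive identical characters")
    lowered = password.lower()
    for token in _person_tokens(profile):
        if token in lowered:
            violations.append(f"contains person-related information ({token})")
            break
    for word in sorted(dictionary):
        if len(word) >= 4 and word in lowered:
            violations.append(f"contains dictionary word ({word})")
            break
    if hash_password(password, profile.salt) in profile.previous_hashes:
        violations.append("re-uses a previous password")
    return violations


def is_acceptable(password: str, profile: UserProfile) -> bool:
    return not check_password(password, profile)


def make_profile() -> UserProfile:
    """Constructed sample user; every value here is made up for the example."""
    profile = UserProfile(names=["Asha", "Kulkarni"],
                          phone_numbers=["+91 98200 12345"],
                          date_of_birth="27.11.1990",
                          salt=b"constructed-per-user-salt")
    profile.previous_hashes.append(hash_password("Old-Pass#2014", profile.salt))
    return profile


if __name__ == "__main__":
    user = make_profile()
    for candidate in ["Asha2015!", "Welcome2015!", "12345678", "Old-Pass#2014", "Rk7!vQ2m-zL9"]:
        print(f"{candidate!r}: {check_password(candidate, user) or 'acceptable'}")
```

The check returns every broken rule rather than stopping at the first one, so the user sees the whole reason a password was refused. The person-related and dictionary checks are substring matches on the lower-cased password, which is deliberately strict: "Asha2015!" is rejected even though it mixes cases, digits and punctuation, because the policy rules out anything built on a name.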

4.1.4 IMPLEMENTATION:

Implementation of the above Acceptable Use policy, enlisted as do's and don'ts, will be ensured by all managers.

4.2 INFORMATION CLASSIFICATION AND LABELING:

4.2.1 Nextenders recognizes only two levels of information:

4.2.1.1 Sensitive: all information related to Nextenders other than access control information

4.2.1.2 More Sensitive: all access control information and client data

However, Nextenders does not apply any policy for labelling of information assets. We only apply labels to hardware such as computers, servers and laptops which contain information assets.

5.0 HUMAN RESOURCE SECURITY

5.1 BEFORE JOINING

5.1.1 Roles and Responsibilities: key responsibilities related to Information Security are outlined in section 3.2 of this policy. They may be delegated, or subdivided and delegated, by the owner to any employee or entity engaged by Nextenders; however, the ultimate responsibility rests with the owners as outlined.

5.1.2 Screening: Screening is done by means of Reference Check Format ISMS-HR-F-01.

5.1.3 Terms and Conditions of employment: Terms and conditions are controlled as ISMS-HR-F-02. An Employment Contract Agreement, which contains the terms and conditions of employment, is signed by both parties.

5.2 DURING EMPLOYMENT

5.2.1 Management Responsibilities: The ISCG is responsible for sensitizing managers in the implementation of the Information Security policy as outlined in this document, and all necessary support from seniors and colleagues is extended with regard to understanding of the ISMS policy.

5.2.2 Information Security Awareness, Education and Training: An assessment form ISMS-HR-F-03 is administered to all new employees and a record of this assessment is kept.

5.3 TERMINATION OR CHANGE OF EMPLOYMENT:

5.3.1 Termination Responsibility: Responsibility for terminating the services of employees rests with the HR Head in the following conditions:

5.3.1.1 Initiated by the CEO because of indiscipline / breach of the contract of employment.

5.3.1.2 Initiated because of the employee tendering his/her resignation.

In both cases the Employee Disassociation No Dues format ISMS-HR-F-04 has to be completed, which takes care of RETURN OF ASSETS and REMOVAL OF ACCESS RIGHTS. Only after completion of the Employee Disassociation No Dues format will HR issue the Relieving Letter.

6.0. PHYSICAL AND ENVIRONMENTAL SECURITY

5.4 SECURE AREAS

5.4.1 PHYSICAL SECURITY PERIMETER: The office has premises on the first floor and is around 500 meters from the sea. It is a two-storey building with only ONE access gate, which is manned by Security (24x7).

5.4.2 PHYSICAL ENTRY CONTROLS: The premises have only one gate, manned by the security guard of the company. A CCTV camera is also installed and its recordings are part of the database backup.

5.4.3 SECURING OFFICES, ROOMS AND FACILITIES: The three halls are controlled by biometric access control devices. Access is governed by an ID card issued by the Administration Head.

5.4.4 PROTECTION AGAINST EXTERNAL AND ENVIRONMENTAL THREATS: The office is located on the 1st floor; the building is structurally safe and is only two storeys high. Fire extinguishers and CCTV are placed in the LOBBY and in EACH hall.

5.5 EQUIPMENT SECURITY

5.5.1 All computers are sited safely at least 2 inches above the ground. The server is sited in a special lockable cabinet. The equipment is sited to prevent physical threats like theft, vibration, water and vandalism.

5.5.2 No eating or smoking is allowed near any Information Processing facility.

5.6 SUPPORTING UTILITIES:

A UPS is available as power supply backup and as the power contingency plan for the server and development computers. The Mumbai location does not have a history of prolonged power cuts, so no generator is necessary.

6.4 CABLING SECURITY

Power and communication cabling are separate. Network cables are identified. Only limited alterations to power cabling can be done because the office is rented.

6.5 EQUIPMENT MAINTENANCE

All equipment is normally maintained in house. Laptops are sent to the service centre for servicing after the data on them has been removed. Delivery challans for the same are maintained.

6.6 SECURITY OF EQUIPMENT OFF PREMISES:

Laptops are issued to employees, who take them along for implementation and troubleshooting at client premises. Data is protected by encryption on all laptops and password-protected access is mandated. It is the employee's responsibility not to leave the laptop unattended in public places and to protect it from strong electromagnetic fields.

6.7 SECURE DISPOSAL AND REUSE / REMOVAL OF EQUIPMENT

Secure Disposal / Maintenance form ISMS-FRM-F-08 will be used for disposal, and it is ensured that the media in the equipment, if applicable, is low-level formatted.

7.0. COMMUNICATIONS AND OPERATIONAL FACILITY

7.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES

7.1.1 DOCUMENTED OPERATING PROCEDURES:

Documented operating procedures for use of the Information Processing facility are followed. Standard Operating Procedures for Software Change, Recruitment, Asset Allocation and Employee Assessment Forms are in place.

7.1.2 CHANGE MANAGEMENT

Application Change Approval Form (ISMS-FRM-F-02-A) is used for changes in all installed applications for existing clients. No changes can be made to the PCs by users, as no administrator rights have been given to users. Changes can be made only by the System Administrator, for which no log is to be maintained. No formal request is needed by developers for an application, or part of an application, under development.

A CVS has been configured for the Development team for application control and backup.

7.1.3 SEGREGATION OF DUTIES

As of now, the following segregation of duties is done in the following areas:

USER SYSTEM: Changes can be effected only by the System Administrator.

APPLICATION ACCEPTANCE: Testing of applications is done by separate testers who are not involved in the development of the application.

7.1.4 Separation of development, test and operational facilities.

This is ensured by the System Administrator.

7.2 THIRD PARTY SERVICE DELIVERY MANAGEMENT

7.2.1 SERVICE DELIVERY, and Monitoring, Review and Changes of Third Party Services:

The following third-party services are delivered:

Service Name | Security mentioned in Contract | Review of Service | Changes to contract | Comments
ISP | X | Informally, based on complaints | Done by System Admin Head or Director | Employees are encouraged to complain formally in case of any problems faced with third-party services
Data Center | √ | Informally, based on complaints | Done by System Admin Head or Director | Employees are encouraged to complain formally in case of any problems faced with third-party services
Computer Hardware | X | Informally, based on complaints | Done by System Admin Head or Director | Employees are encouraged to complain formally in case of any problems faced with third-party services
Firewall | X | Informally, based on complaints | Done by System Admin Head or Director | Employees are encouraged to complain formally in case of any problems faced with third-party services

7.3 SYSTEM PLANNING AND ACCEPTANCE:

Capacity management and system acceptance practices are monitored as per the required capacity (RAM, storage, power requirements etc.) and tested. Such components are also kept in stock.

7.3.1 Protection against malicious and mobile code: An individually updated antivirus exists on each system. It is the user's responsibility to update it whenever a notification to update pops up. Unauthorized software is prohibited for all employees. The following settings on the antivirus should always be enabled by the users:

1) Checking any files on electronic or optical media, and files received over networks, for malicious code before use;
2) Checking electronic mail attachments and downloads for malicious code before use; this check should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization;
3) Checking web pages for malicious code.

Apart from the antivirus, a SONICWALL firewall is in place.

- Bluetooth and any other mobile connection to computers is disabled.
- Soft lock for USB data storage is to be enabled on all computers.

7.4 BACK UP

ISMS-FRM-F-05 describes the backup policy, schedule and testing. At a minimum, the following are always ensured in the backup policy. This list can be extended by decisions taken in management review.

S. No | ITEM
1 | CCTV Footage
2 | Application Source code
3 | Application Backups
4 | Agreements

7.5 NETWORK SECURITY MANAGEMENT

All computers are wired, other than in the director hall where a CISCO Wi-Fi router is placed; this has an additional layer of security and password-protected access. The information going through the network is not encrypted. A software firewall (SQUID) exists and its logs are reviewed on a monthly basis (Firewall log review register, ISMS-FRM-F-01).

7.6 REMOVABLE MEDIA

- CD-ROMs are disabled on all desktops but not on laptops.
- Soft lock for USB is enabled other than on the following systems:

S. No | ITEM
1 | CCTV Footage
2 | Application Source code
3 | Application Backups
4 | Agreements

- Personal removable media are not allowed (see Do's and Don'ts).

The visitor register has a column for screening removable media. The staff maintaining the visitor register are sensitized to specially check and ask for removable media. Employees are to take this exercise for the screening of removable media positively and cooperate with the screening process. A notice to declare REMOVABLE MEDIA is posted in the lobby.

7.7 INFORMATION HANDLING PROCEDURE

Access restrictions are in place to prevent access by unauthorized personnel. Making copies of information is discouraged in general. Information has to be given on a need-to-know basis. Source code is to be kept only in CVS and on developer machines.

7.8 INFORMATION EXCHANGE POLICY AND ELECTRONIC MESSAGING

The following media are generally used by company employees for information exchange:

- Email
- Fax
- Voice
- Video

Employees should not use their email password or system password on any other site. Only official email/fax should be used for sending and receiving information. Photocopies of sensitive data should not be made on outside photocopiers. Directors have digital signatures and can send email with digital signatures.

It is the responsibility of employees, contractors and any other users not to compromise the organization, e.g. through defamation, harassment, impersonation, forwarding of chain letters, unauthorized purchasing, etc.

Employees should take appropriate precautions, e.g. not revealing sensitive information, to avoid being overheard or intercepted when making a phone call by:

1. people in their immediate vicinity, particularly when using mobile phones;
2. wiretapping and other forms of eavesdropping through physical access to the phone handset or the phone line, or using scanning receivers;
3. people at the recipient's end.

EXCHANGE AGREEMENTS AND PHYSICAL MEDIA IN TRANSIT ARE NOT EMPLOYED BY THE COMPANY AS CONTROLS.

7.9 ELECTRONIC COMMERCE SERVICES

This is applicable to the applications which we make and deliver to our clients. The following considerations apply:

a) The level of confidence each party requires in each other's claimed identity, e.g. through authentication;
b) Authorization processes associated with who may set prices, issue or sign key trading documents;
c) Determining and meeting requirements for confidentiality, integrity, proof of dispatch and receipt of key documents, and the non-repudiation of contracts, e.g. associated with tendering and contract processes;
d) The level of trust required in the integrity of advertised price lists;
e) The confidentiality of any sensitive data or information;
f) The confidentiality and integrity of any order transactions, payment information, delivery address details, and confirmation of receipts;
g) The degree of verification appropriate to check payment information supplied by a customer;
h) Selecting the most appropriate settlement form of payment to guard against fraud;
i) The level of protection required to maintain the confidentiality and integrity of order information;
j) Avoidance of loss or duplication of transaction information.

7.10 PUBLICLY AVAILABLE INFORMATION:

The website is the only applicable publicly available information. It is hosted in a secured Data Centre.

7.11 MONITORING

Monitoring is exercised by a review of firewall logs by the system admin on a monthly basis. Logs are not to be deleted by anybody, including the System Administrator.

7.12 EMAIL POLICY

7.12.1 RESTRICTED USE OF EMAIL. The Nextenders email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair colour, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs and national origin. Employees who receive any emails with this content from any Nextenders employee should report the matter to their supervisor immediately.

7.12.2 PERSONAL USE OF EMAIL.

Using a reasonable amount of Nextenders resources for personal emails is acceptable, but emails not related to Nextenders work shall be saved in a separate folder from work-related email. Sending chain letters or joke emails from a Nextenders email account is prohibited. Virus or other malware warnings and mass mailings from Nextenders shall be approved by the Nextenders Head of Information Technology before sending. These restrictions also apply to the forwarding of mail received by a Nextenders employee.

7.12.3 MONITORING

Nextenders employees shall have no expectation of privacy in anything they store, send or receive on the company's email system. Nextenders may monitor messages without prior notice. Nextenders is not obliged to monitor email messages.

7.12.4 ENFORCEMENT: Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

8.0. ACCESS CONTROL

8.1 ACCESS CONTROL POLICY AND PRIVILEGE MANAGEMENT:

Access control policy and privilege management are governed by the Baseline Access Policy.

8.2 USER REGISTRATION and EMAIL CREATION for a new user is done using ISMS-FRM-F-06 (Email ID and User Registration). The No Dues Form / Employee Disassociation form (ISMS-HR-F-04) ensures that an outgoing employee's user ID is cancelled.

8.3 USER PASSWORD MANAGEMENT: as given in the Do's and Don'ts section of the Acceptable Use of Assets policy.

8.4 REVIEW OF USER ACCESS RIGHTS:

The ISMS Policy for baseline access is reviewed in the Management Review.

8.5 NETWORK ACCESS CONTROL

8.5.1 POLICY ON USE OF NETWORK SERVICES

The network of Nextenders can only be used by Nextenders' employees and guests, over Wi-Fi and the wired network, after access has been granted by the System Admin.

8.5.2 USER AUTHENTICATION FOR EXTERNAL CONNECTIONS

Logical access for outsiders (third parties) is prohibited.

8.5.3 EQUIPMENT IDENTIFICATION IN NETWORK

All equipment in the network is identified in the organisation's Asset Inventory along with its risk value.

8.5.4 REMOTE DIAGNOSTIC AND CONFIGURATION PORT PROTECTION

Only one port in the network is open for diagnostic purposes on computer equipment.


Session time-out is applied only in the Application (Application for eTendering) and not for network users inside the premises.

8.7 APPLICATION AND INFORMATION ACCESS CONTROL

8.7.1 Separate shared folders for Developers and Administration are made for sharing any information. Information access control is applied in the Application (Application for e-Tendering).

8.7.2 Sensitive System Isolation: All developer and tester systems are isolated in a separate zone which has separate physical access control.

8.8 MOBILE COMPUTING AND TELEWORKING

Mobile computing is restricted by not controlling all PDA/laptop access into the premises. As of now no decision has been taken for smartphones and phones, although Bluetooth communication from phones to computers is disabled. Wi-Fi access to the organisation network is also restricted.

Teleworking is prohibited in the organization.

9.0. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE

The organization has consciously chosen to apply this part to the application being developed (Procurement System).

9.1 APPLICATION DEVELOPMENT PROCEDURE / CORRECT PROCESSING IN APPLICATION

9.1.1 Input Data Validation

a) Dual input or other input checks, such as boundary checking or limiting fields to specific ranges of input data, to detect the following errors:

1) out-of-range values;

2) invalid characters in data fields;

3) missing or incomplete data;

4) exceeding upper and lower data volume limits;

5) unauthorized or inconsistent control data;

b) Periodic review of the content of key fields or data files to confirm their validity and integrity;

d) Procedures for responding to validation errors;

e) Defining the responsibilities of all personnel involved in the data input process;

f) Creating a log of the activities involved in the data input process.


9.2.2 Control of Internal Processing

a) the use of add, modify, and delete functions to implement changes to data;

b) the procedures to prevent programs running in the wrong order or running after failure of prior processing;

c) protection against attacks using buffer overruns/overflows;

d) session or batch controls, to reconcile data file balances after transaction updates;

e) validation of system-generated input data;

f) checks on the integrity, authenticity or any other security feature of data or software downloaded, or uploaded, between central and remote computers;

g) hash totals of records and files;

h) checks to ensure that application programs are run at the correct time;

i) checks to ensure that programs are run in the correct order and terminate in case of a failure, and that further processing is halted until the problem is resolved;

j) creating a log of the activities involved in the processing.

9.2.3 Message Integrity

2048 bit encryption is used in the application for message integrity.

9.2.4 Output Data Validation

a) reconciliation control counts to ensure processing of all data;

b) providing sufficient information for a reader or subsequent processing system to determine the accuracy, completeness, precision, and classification of the information;

d) procedures for responding to output validation tests;

e) creating a log of activities in the data output validation process.
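As an added illustration of how the input validation classes of 9.1.1, the hash totals of 9.2.2 g) and the reconciliation counts of 9.2.4 a) fit together in code (this is not Nextenders' code; the bid record fields, the batch header layout and the limits are constructed assumptions), the following Python validates each record of a batch, then reconciles the accepted count and a SHA-256 hash total against the batch header, logging every step:

```python
import hashlib
import re

# Constructed field rules for a hypothetical bid record; not Nextenders' own schema.
FIELD_RULES = {
    "tender_id": {"pattern": r"[A-Z0-9-]{4,20}", "required": True},
    "bidder_ref": {"pattern": r"[A-Za-z0-9 ._-]{1,40}", "required": True},
    "bid_amount": {"pattern": r"[0-9]{1,12}", "min": 1, "max": 10_000_000_000, "required": True},
}
MAX_RECORDS = 1000  # constructed upper data volume limit per batch

def validate_record(rec, batch_id):
    """Return the 9.1.1 error classes found in one record (empty list = valid)."""
    errors = []
    for name, rule in FIELD_RULES.items():
        value = rec.get(name)
        if value is None or value == "":
            if rule["required"]:
                errors.append(f"missing:{name}")  # missing or incomplete data
            continue
        if "pattern" in rule and not re.fullmatch(rule["pattern"], str(value)):
            errors.append(f"invalid_chars:{name}")  # invalid characters in a field
        elif "min" in rule and not rule["min"] <= int(value) <= rule["max"]:
            errors.append(f"out_of_range:{name}")  # out-of-range value
    # control data: each record must carry the id of the batch it arrived in
    if rec.get("batch_id") != batch_id:
        errors.append("inconsistent_control_data:batch_id")
    return errors

def hash_total(records):
    """SHA-256 hash total over the canonical form of every record, in order (9.2.2 g)."""
    h = hashlib.sha256()
    for r in records:
        h.update(f"{r.get('tender_id')}|{r.get('bidder_ref')}|{r.get('bid_amount')}\n".encode())
    return h.hexdigest()

def process_batch(batch, log):
    """Validate each record, then reconcile count and hash total against the header (9.2.4 a)."""
    header, records = batch["header"], batch["records"]
    log.append(f"batch {header['batch_id']}: {len(records)} records received")
    if not 0 < len(records) <= MAX_RECORDS:  # upper and lower data volume limits
        log.append(f"batch {header['batch_id']}: rejected, data volume limit")
        return {"accepted": 0, "reconciled": False}
    accepted = []
    for i, rec in enumerate(records):
        errs = validate_record(rec, header["batch_id"])
        if errs:
            log.append(f"record {i}: rejected {errs}")
        else:
            accepted.append(rec)
    reconciled = (len(accepted) == header["record_count"]
                  and hash_total(accepted) == header["hash_total"])
    log.append(f"batch {header['batch_id']}: reconciled={reconciled}")
    return {"accepted": len(accepted), "reconciled": reconciled}
```

The returned `reconciled` flag is what a procedure for responding to validation errors (9.1.1 d) would act on; the `log` list is the activity log called for in 9.1.1 f) and 9.2.4 e).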

9.3 CRYPTOGRAPHIC CONTROL (Application)

The use of cryptographic control in the application is guided by the Secure Bid Process.


9.4 SECURITY OF SYSTEM FILES

9.4.1 CONTROL OF OPERATIONAL SOFTWARE

Control of the operating system is restricted to the System Administrator, and a restore point is used for restoring the original operating system configuration.

9.4.2 Access control to system test data, program source code and the change control procedure is done through SVN.

9.4.3 Technical review of applications after operating system changes: this control is applicable only to the application we develop and install at the client end, and only if the AMC is given to us. This will be elaborated further in future.

9.5 TECHNICAL VULNERABILITY MANAGEMENT

9.5.1 CONTROL OF TECHNICAL VULNERABILITIES

Mr. Sujeet Bhatt (CTO) is responsible for proactively identifying vulnerabilities of the application (Procurement System) and Mr. Devendra Zope is responsible for proactively identifying vulnerabilities of the Server and systems inside the premises of the organization.

The vulnerability identification process will be developed and refined, and all vulnerabilities identified should be resolved within 2 months of identification. Solutions identified should be applied to all existing applications installed.

10.0. INFORMATION SECURITY INCIDENT MANAGEMENT

10.1 Information Security events are recorded in ISMS-FRM-F-07 – all incidents are to be recorded. All employees are encouraged to report as many incidents of security / information security breach or THREATS as possible to the system administrator. The system administrator has to record all incidents, however silly they may look, in the register ISMS-FRM-F-07.

The reporting can be done verbally or by email or phone to the system administrator.


All incidents are to be reviewed by the ISCG on a quarterly basis, to identify root causes and take corrective actions in order to improve the Information Security Management System.

11.0. BUSINESS CONTINUITY PLAN

The business continuity plan is executed once a year. The records or findings of the BCP exercise are documented for reference.

12.0. COMPLIANCE

12.1. A legal register ISMS-FRM-F-09 has been made and is reviewed in the Management Review for identification of all applicable legislation.

12.2. Intellectual Property Rights:

We at Nextenders only employ licensed software and purchase software through reliable software vendors and authorized vendors.

Employees are advised to:

a) Comply with terms and conditions for software and information obtained from public networks;

b) Not duplicate, convert to another format or extract from commercial recordings (film, audio) other than as permitted by copyright law;

c) Not copy, in full or in part, books, articles, reports or other documents, other than as permitted by copyright law.

12.3. PROTECTION OF ORGANIZATIONAL RECORDS

Important records are protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements. They are also backed up as part of the backup policy.

12.4. PRIVACY

Nextenders is committed to implementing privacy of people and information as mentioned in the privacy policy at http://www.nextenders.com/privacy-statement.aspx

12.5 INFORMATION SECURITY AUDIT

An Internal Information Security Audit in accordance with ISO 27001:2013 will be conducted on a yearly basis by the ISCG; records of non-conformities identified will be kept and corrective actions will be taken after root cause analysis.


13.0 INFORMATION SECURITY OBJECTIVE & PLANNING

Control Area | Information Security Objective | Resources | Responsibility | Target Date | Evaluation Criteria
A – 5 | ISMS Policy will be reviewed twice | Documents / Templates of best practice | Jayita Ganguly | March end | No. of changes made
6.1.3 | Ten relevant Contacts of Authorities | List of Authorities | Shailesh Vakil / Deven Zope | June | Contact nos / email Id / Address
7.2.2 | Two hours training to each person on security awareness | Presentation / LMS / Questionnaire | HR | June end | 70% Success
A – 8.1.4 | 100% Ownership of Assets | Hardware / Software Ownership intimation letter with responsibility | System Admin | March end | Results of Asset Inventory Audit / No. of wrongly defined Assets
A – 9.2.3 | 100% Definition & Updating of Privilege / Accessibility for every user | Access rights documents and approval for change of rights | System Admin | March end | No. of undefined users with regards to Policy / No. of missed approvals
A – 12.3 | 100% implementation of backup Policy | Backup Policy / Backup Restoration | Developers / System Admin | Backup Policy update | No. of missed backup / Backup restoration failure
A – 14.1.3 | One Vulnerability Assessment of Transaction | In-house with OWASP / STQC | System Admin | Oct end / every 6 months | Testing Report / Assessment Report

14.0 COMMUNICATION MATRIX

Internal communication

What | When | Whom | Who | Process
Confidential Information / Breach related to ISMS Policy | At the time of joining / All present employees | New joined employee / All present employees | HR | Providing information through email / Conducting exam / Training
Training / Induction | At the time of joining / As and when required | New joined employees / All the employees | HR / Trainer | Presentation / Training Sessions
ISMS Policy / Procedures | At the time of preparing / revision of Policy | All employees | ISMS committee | Sending information through email / document repository
Job Responsibilities | At the time of joining / review | During Interview / New joined employees / during review of existing employees | Respective Department Head / in charge | One to one communication
Patch Management | As per requirement | Implementation Team / Client | System Admin | Process / Release Document

External Communication

What | When | Whom | Who | Process
Bid related info | Bid preparation | Client | Chief Delivery Officer / Chief Sales Officer / Bid Executive | Going through Bid document / Eligibility Criteria qualification / Technical / Functional Qualification
Pre-Bid Query | As per the schedule given in the Bid Document | Client | Bid Executive | Through email / Fax / Letter
New features in application | At implementation level | Client | Project Co-ordination / Implementer | Demo / Screen shot / email
Incident report and corrective Action | After incident is rectified | Client | Senior Management | Email / Letter
Customer Requirements | Periodical | Project Manager | Business Head | Email / Process document / SRS
Non-disclosure Agreement / Services Level Agreement | At the time of entering into Agreement | Client / Supplier / Partners | Company Secretary and Compliance Officer | Email / Agreement copies
ISMS Policy | At the time of preparing / revision of Policy | Interested Parties | ISMS committee | Sending information through email / document repository / website

15.0 INFORMATION SECURITY IN PROJECT MANAGEMENT

Control

Information security is addressed in project management, regardless of the type of the project.

Implementation guidance

Information security is integrated into the organization’s project management method(s) to ensure that information security risks are identified and addressed as part of a project. This applies generally to any project regardless of its character, e.g. a project for a core business process, IT, facility management and other supporting processes.

The project management methods in use are:

a) Information security objectives are included in project objectives;

b) An information security risk assessment is conducted at an early stage of the project to identify necessary controls;

c) Information security is part of all phases of the applied project methodology.

Information security implications are addressed and reviewed regularly in all projects. Responsibilities for information security are defined and allocated to specified roles defined in the project management methods.

16.0 MOBILE DEVICE POLICY

The mobile device policy allows the use of privately owned mobile devices; the policy and related security measures also consider:

a) Separation of private and business use of the devices, including using software to support such separation and protect business data on a private device;

b) Providing access to business information only after users have signed an end user agreement acknowledging their duties (physical protection, software updating, etc.), waiving ownership of business data and allowing remote wiping of data by the organization in case of theft or loss of the device or when no longer authorized to use the service.

17.0 DELIVERY AND LOADING AREAS

Control

Delivery and loading areas are restricted, and entry of unauthorized persons into the office premises is controlled.

Implementation guidance

The following guidelines are considered:

a) Access to a delivery and loading area from outside of the office premises is restricted;

b) Security takes delivery of couriers and parcels and hands them over to the Admin Manager. This is also monitored on CCTV. Because of the biometric device, unauthorized persons are not allowed to enter the office premises;

c) The external doors of a delivery and loading area are controlled by the biometric devices;

d) Incoming material is inspected and examined by the security guard for explosives, chemicals or other hazardous materials before it moves into the office premises;

e) Incoming materials are registered in accordance with asset management procedures;

f) Incoming and outgoing shipments are physically segregated, where possible.


End of the Document
