NX/ISMS/P-01 Rev: 6
ISMS POLICY
FOR
NEXTENDERS (INDIA) PVT LTD
The information contained within this document is the property of Nextenders (India) Pvt Ltd. and is
issued in confidence and must not be reproduced in whole or in part or used in tendering or
manufacturing purpose or given or communicated to any third party
© Copyright 2015, Nextenders (India) Pvt Ltd
Issued By | Page 1 | Date of Issue 27.11.2015 | Approved/Owned By Mr. Tapan Mehta
1.0 Introduction
2.0 Terms and Definitions
3.0 Security Policy
4.0 Asset Classification
5.0 Human Resource Security
6.0 Physical and Environmental Security
7.0 Communications and Operational Facility
8.0 Access Control
9.0 Information System
10.0 Information Security Incident Management
11.0 Business Continuity Plan
12.0 Compliance
13.0 Information Security Objective & Planning
14.0 Communication Matrix
15.0 Information Security in Project Management
16.0 Mobile Device Policy
17.0 Delivery and Loading Areas
INTRODUCTION
1.1 Purpose – The purpose of this policy document is to provide all employees and stakeholders a clear view of management’s intent with regard to information security within the organization.
1.2. Information security is about TRUST that clients repose in Nextenders (India) Pvt. Ltd. This is the foundation of our relationship with our clients, and our employees are a very important part of this committed relationship of TRUST. All client information in all forms – paper, electronic or brainware – is to be treated with utmost care by everyone in the organization.
1.3 List of Interested Parties & Their Requirements
Sr. No. | Interested parties | Requirements of interested parties
1. | Eurocert | ISO Certification Standard and compliance
2. | STQC | Vulnerability assessment and compliance
3. | Net magic | Data Centre hosting services
4. | Provident Fund / ESIC / Professional Tax | Statutory Compliances
5. | Client | eProcurements, eAuction, Services and Supply
6. | NGO | Prevention, Prohibition and Redressal of Sexual Harassment at Workplace Act, 2013.
1.3. MANAGEMENT COMMITMENT:
NEXTENDERS MANAGEMENT is committed to continually improve the overall
information security in NEXTENDERS by involving and sensitizing all employees,
channel partners, constantly reviewing the overall risk to information security
and reviewing & updating NEXTENDERS’s security policy in context of continuous
risk assessment.
1.4. SCOPE
The ISMS scope covers the Mumbai office location:
1st Floor “Yuchit”, Juhu Tara Road
Mumbai – 400 049
Maharashtra, India
1.5. RESPONSIBILITY
Responsibility for Information Security on a day-to-day basis is every User’s duty.
Users must report any Information Security related incidents, using the regular
incident reporting channels.
1.6. QUESTIONS /SUGGESTIONS
If you have any questions about this Security Policy, or about Information
Security issues in general, or suggestions for improvement, please contact the
Information Security Manager at the following address:
2.0. TERMS AND DEFINITIONS
2.1. Information Security
Today information is stored, processed and communicated using computer systems.
Information Technology is the ubiquitous common thread that runs across and connects
all Company’s business activities. As a company, Nextenders India Pvt. Ltd. is wholly
dependent on computer systems to carry on all its client servicing activities and could
be exposed to the risks pertaining to IT if appropriate protection and prevention
mechanisms are not developed, implemented and complied with.
2.2. Information Security Criteria
2.2.1. Availability: All Information Systems including hardware, communication
networks, software programs and the data they hold will be available to all
those users who need the systems at all times they are needed, to carry out
business activities.
2.2.2. Confidentiality: No data or information will be disclosed to any person
within or outside the company, other than the persons who are authorized
to use that data.
2.2.3. Data Integrity: No data / information / programs will be allowed to be
modified by anyone without proper authority and authorizations. This will
ensure the accuracy and completeness of information and processing
methods. No data will be modified, added, edited or deleted except by
users or programs that are authorized to do so and in a manner as approved
or designed.
2.3. Risk
Combination of probability of an event and its consequence
2.4. Source
Item or activity having a potential for a consequence
2.5. Risk Criteria
Terms of reference by which significance of risk is assessed- e.g. cost and benefits,
legal requirements, environmental aspects, concerns of stakeholders.
2.6. Risk management
Coordinated activity of risk assessment, treatment, acceptance and communication
2.7. Risk Analysis
Systematic use of information (historical data, theoretical analysis, informed
opinions, concerns of stakeholders) to identify sources and estimate risks
2.8. Information security incident
A single or series of unwanted or unexpected events that have a significant
probability of compromising business operations and threatening information
security
2.9. Integrity
The property of safeguarding the accuracy and completeness of asset
2.10. Confidentiality
The property that information is not made available or disclosed to unauthorized
individuals, entities or processes
2.11. Availability
The property of being accessible and usable upon demand by authorized users
2.12. ISCG (Information Security Core Group)
The core group is responsible for implementing policies and controls and reviewing
information security incidents and policies
- HR
- System Admin
- Development Head
- CEO
3.0. SECURITY POLICY
The IT Security Policy document establishes the Organization’s approach to managing information
security.
The Policy provides the broad-level framework of the Organization’s objective with respect to
information security
3.1 Review
The owner or approval authority of this policy is responsible for its review at least once a year, involving the ISCG (Information Security Core Group); this is generally done during the management review.
3.2 Information Security Organization
Process | Owner | Is part of ISCG / Reporting to ISCG | Expectations/Output
Asset classification | Administration Manager (Mr. Vakil) | ISCG | Asset Inventory – Risk Asset register maintained
Risk Assessment | Administration Manager (Mr. Vakil) | ISCG | Risk Analysis
Authorization process for Information processing facilities | Sys Admin (Mr. Devendra Zope) | ISCG | Logical Access Policy
Confidentiality Agreements (Vendors, customers, third party) | Company Secretary and Compliance Officer (Mrs. Jayita Ganguly) | ISCG |
Confidentiality Agreements (internal) | Company Secretary and Compliance Officer (Mrs. Jayita Ganguly) | ISCG |
Contact with Authorities | Administration Manager (Mr. Vakil) | ISCG |
Contact with Interest Groups | Sys Admin (Mr. Devendra Zope) | ISCG |
Independent review of IS | Sys Admin (Mr. Devendra Zope) | ISCG | ISMS – Review
Outsourcing | Technical Director (Mr. Sujeet Bhatt) | ISCG |
Back up Policy | Sys Admin (Mr. Devendra Zope) | ISCG | Is as per the ISMS Policy
4.0. ASSET CLASSIFICATION:
An asset inventory list is maintained and reviewed on a yearly basis by the ISCG. This asset list also defines the ownership of each asset and is used further in the risk analysis and treatment of the risks by applying suitable controls after assessing cost and benefit.
4.1 ACCEPTABLE USE OF ASSETS POLICY
4.1.1 PURPOSE: The explicit publication of this policy in the ISMS policy document is to
- emphasize to all employees the importance of acceptable use of all assets;
- protect the privacy, confidentiality and security of Nextenders information;
- reduce incidents of inappropriate use.
4.1.2 SCOPE : All Employees
4.1.3 POLICY
Individuals must use Nextenders-provided or authorized information
technology resources as the business tools required to do their work and
provide efficient service delivery.
Do’s
- Comply with all applicable legislation, regulations, policies and standards;
- Use all appropriate anti-virus precautions when accessing non-Nextenders data and systems from the Nextenders network;
- Adhere to licensing agreements for all software used;
- Respect copyright and other intellectual property rights in relation to both programs and data while making content for Nextenders and otherwise;
- Only use the email account provided by Nextenders when conducting Nextenders business over email;
- Use approved security measures when accessing the Nextenders network from home or a non-Nextenders computer;
- Only use messaging forums (e.g., Internet Relay Chat, internet newsgroups, social networking sites) when conducting work-related business or exchanging technical or analytical information;
- Use the rules for complex passwords to create passwords;
- Keep passwords confidential;
- Change passwords whenever there is any indication of possible system or password compromise;
- Select quality passwords with sufficient minimum length which are:
  1) easy to remember;
  2) not based on anything somebody else could easily guess or obtain using person related information, e.g. names, telephone numbers, and dates of birth etc.;
  3) not vulnerable to dictionary attacks (i.e. do not consist of words included in dictionaries);
  4) free of consecutive identical, all-numeric or all-alphabetic characters.
- Change passwords at regular intervals or based on the number of accesses (passwords for privileged accounts should be changed more frequently than normal passwords), and avoid re-using or cycling old passwords;
- Change temporary passwords at the first log-on;
- Terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism, e.g. a password protected screen saver;
- Log off mainframe computers, servers, and office PCs when the session is finished (i.e. not just switch off the PC screen or terminal);
- Secure PCs or terminals from unauthorized use by a key lock or an equivalent control, e.g. password access, when not in use.
Don’ts
- Attempt to circumvent or subvert system or network security measures;
- Propagate viruses knowingly or maliciously;
- Detrimentally affect the productivity, integrity or security of Nextenders’ systems;
- Access a personal external email account (e.g., Gmail) from a Nextenders workstation for reasons unrelated to Nextenders business;
- Access social networking websites (e.g. Facebook, MySpace) for reasons unrelated to Nextenders business;
- Obtain or distribute files from unauthorized or questionable sources (e.g., racist material, pornography, file swapping sites);
- Access Internet sites that might bring the public service into disrepute or harm Nextenders’ reputation, such as those that carry offensive material;
- Access radio stations or video clips (typically referred to as “streaming” audio or video) over the Internet, unless the access is work-related and approved by a Nextenders Manager;
- Download non-work related files, such as Freeware, Shareware, movie or music files;
- Divulge, share or compromise their own or another’s Nextenders authentication credentials;
- Transmit or otherwise expose sensitive or personal information to the internet;
- Use information and technology resources for commercial solicitation or for conducting or pursuing business interests unrelated to the business of Nextenders;
- Distribute hoaxes, chain letters, or advertisements;
- Send rude, obscene or harassing messages;
- Attempt to obscure the origin of any message or download material under an assumed internet address;
- Knowingly enable inappropriate levels of information access by others;
- Disclose any information you do not have a right to disclose;
- Keep a record (e.g. paper, software file or hand-held device) of passwords, unless this can be stored securely and the method of storing has been approved;
- Include passwords in any automated log-on process, e.g. stored in a macro or function key;
- Share individual user passwords;
- Use the same password for business and non-business purposes.
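The password rules in the Do’s and Don’ts above can be checked mechanically at the point where a user sets a password. The Python below is an added example and is not part of the Nextenders policy or its systems: it implements rules 2 to 4 of the “select quality passwords” item (person-related information, dictionary words, consecutive identical characters, all-numeric or all-alphabetic passwords) and the “avoid re-using or cycling old passwords” rule. The minimum length of 10, the small word list, the sample person data and the salted PBKDF2 fingerprint used for the password history are assumptions; the policy itself does not specify them.

```python
import hashlib
import hmac
import re

# Constructed sample word list (assumption); a deployment would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "summer", "mumbai", "qwerty", "letmein"}

# Assumed minimum length; the policy only says "sufficient minimum length".
MIN_LENGTH = 10


def password_fingerprint(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a password history can be kept without storing old passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def personal_tokens(name: str, phone: str, dob: str) -> set:
    """Fragments of person-related data (rule 2) that must not appear in a password."""
    tokens = {part for part in name.lower().split() if len(part) >= 3}
    phone_digits = re.sub(r"\D", "", phone)
    if len(phone_digits) >= 4:
        tokens.update({phone_digits, phone_digits[-4:]})
    dob_digits = re.sub(r"\D", "", dob)
    if len(dob_digits) >= 4:
        tokens.update({dob_digits, dob_digits[:4], dob_digits[-4:]})
    return tokens


def check_password(password, name="", phone="", dob="", history=(), salt=b""):
    """Return the list of policy rules the candidate password violates (empty list = acceptable)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if any(tok in lowered for tok in personal_tokens(name, phone, dob)):
        problems.append("personal_info")        # rule 2: names, phone numbers, dates of birth
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_WORDS or (letters_only and letters_only in COMMON_WORDS):
        problems.append("dictionary_word")      # rule 3: "Summer2015" is still a dictionary word
    if re.search(r"(.)\1", password):
        problems.append("repeated_char")        # rule 4: consecutive identical characters
    if password.isdigit():
        problems.append("all_numeric")          # rule 4: all-numeric
    if password.isalpha():
        problems.append("all_alphabetic")       # rule 4: all-alphabetic
    if history:
        fingerprint = password_fingerprint(password, salt)
        if any(hmac.compare_digest(fingerprint, old) for old in history):
            problems.append("reused")           # no re-using or cycling of old passwords
    return problems


if __name__ == "__main__":
    # Constructed sample person data, not a real employee.
    print(check_password("Summer2015!!", name="Asha Kulkarni", phone="+91 98200 12345", dob="07.03.1985"))
```

The check returns every violated rule rather than stopping at the first one, so the user can be told all the reasons at once; the history comparison uses a constant-time compare over fingerprints so that old passwords never need to be kept in clear text.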
4.1.4 IMPLEMENTATION :
Implementation of the above Acceptable Use policy, enlisted as do’s and don’ts, will be ensured by all managers.
4.2 INFORMATION Classification and Labeling :
4.2.1 Nextenders recognizes two levels of information:
4.2.1.1 Sensitive: all information related to Nextenders other than access control information
4.2.1.2 More Sensitive: all access control information and client data
However, Nextenders does not apply any policy for labelling of information assets. We only apply labels to hardware such as computers, servers and laptops which contain information assets.
5.0 HUMAN RESOURCE SECURITY
5.1 BEFORE JOINING
5.1.1 Roles and Responsibilities: key responsibilities related to Information
Security are outlined in section 3.2 of this policy which may be delegated OR
subdivided and delegated by the owner to any employee or entity engaged
by Nextenders however the ultimate responsibility rests with the owners
as outlined.
5.1.2 Screening: Screening is done by means of the Reference Check Format ISMS-HR-F-01.
5.1.3 Terms and Conditions of employment: Terms and conditions are controlled as ISMS-HR-F-02. The Employment Contract Agreement, which contains the terms and conditions of employment, is signed by both parties.
5.2 DURING EMPLOYMENT
5.2.1 Management Responsibilities: The ISCG is responsible for sensitizing
managers in implementation of the Information Security policy as outlined
in this document and all necessary support from seniors and colleagues are
extended with regard to understanding of the ISMS policy.
5.2.2 Information Security Awareness Education and Training: An assessment form ISMS-HR-F-03 is administered to all new employees and a record of this assessment is kept.
5.3 TERMINATION OR CHANGE OF EMPLOYMENT:
5.3.1 Termination Responsibility: Responsibility for terminating the services of employees rests with the HR Head in the following conditions:
5.3.1.1 Initiated by the CEO because of indiscipline / breach of the contract of employment.
5.3.1.2 Initiated because of the employee tendering his/her resignation.
In both cases the Employee Disassociation No Dues format ISMS-HR-F-04 has to be completed, which takes care of
RETURN OF ASSET
AND
REMOVAL OF ACCESS RIGHT
Only after completion of the Employee Disassociation No Dues format will HR issue the Relieving Letter.
6.0. PHYSICAL AND ENVIRONMENTAL SECURITY
5.4 SECURE AREAS
5.4.1 PHYSICAL SECURITY PERIMETER: The office occupies premises on the first floor and is around 500 meters from the sea. It is a two-storey building with only ONE access gate, which is manned by Security (24x7).
5.4.2 PHYSICAL ENTRY CONTROLS: The premises have only one gate, manned by the security guard of the company. A CCTV camera is also installed and its recordings are part of the database backup.
5.4.3 SECURING OFFICES, ROOMS AND FACILITIES: The three halls are controlled by biometric access control devices. Access is governed by an ID card issued by the Administration Head.
5.4.4 PROTECTION AGAINST EXTERNAL AND ENVIRONMENTAL THREATS: The office is located on the 1st floor; the building is structurally safe and is only two storeys high. Fire extinguishers and CCTV are placed in the LOBBY and in EACH hall.
5.5 EQUIPMENT SECURITY
5.5.1 All computers are sited safely at least 2 inches above the ground. The server is sited in a special lockable cabinet. Equipment is sited so as to prevent physical threats like theft, vibration, water and vandalism.
5.5.2 No eating or smoking is allowed near any Information Processing facility.
5.6 SUPPORTING UTILITIES :
A UPS is available for back up of power supply as a power contingency plan for Server
and Development computers. The location Mumbai does not have a history of
prolonged power cuts so no generator is necessary.
6.4 CABLING SECURITY
Power and communication cabling are separate. Network cables are identified. Limited alterations to power cabling can be done because the Office is on rent.
6.5 EQUIPMENT MAINTENANCE
All equipment is normally maintained in house. Laptops are sent to the service center for servicing only after the data on them has been taken off; delivery challans for the same are maintained.
6.6 SECURITY OF EQUIPMENT OFF PREMISES:
Laptops are issued to employees who take them along for implementation and troubleshooting at client premises. Data is protected by encryption on all laptops and password protected access is mandated. It is the employee’s responsibility not to leave the laptop unattended in public places and to protect it from strong electromagnetic fields.
6.7 SECURE DISPOSAL AND REUSE/REMOVAL OF EQUIPMENTS
The Secure Disposal / maintenance form ISMS-FRM-F-08 will be used for disposal, and it is ensured that the media in the equipment, if applicable, is low-level formatted.
7.0. COMMUNICATIONS AND OPERATIONAL FACILITY
7.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES
7.1.1 DOCUMENTED OPERATING PROCEDURES:
Documented operating procedures for use of Information processing facility are followed.
Standard Operating procedure for Software change, Recruitment, Asset Allocation,
Employee Assessment Forms is in place.
7.1.2 CHANGE MANAGEMENT
The Application Change Approval Form (ISMS-FRM-F-02-A) is used for changes in all installed applications for existing clients. No changes can be made to the PCs by users, as no administrator rights have been given to them. Changes can be made only by the System Administrator, for which no log is to be maintained. No formal request is needed from developers for an application, or part of an application, under development.
A CVS has been configured for the Development team for application control and backup.
7.1.3 SEGREGATION OF DUTIES
As of now the following segregation of duties is done in the following areas:
USER SYSTEM: Changes can be effected only by the System Administrator.
APPLICATION ACCEPTANCE: Testing of the application is done by separate testers who are not involved in development of the application.
7.1.4 Separation of development, test, and operational facilities.
This is ensured by the System administrator.
7.2 THIRD PARTY SERVICE DELIVERY MANAGEMENT
7.2.1 SERVICE DELIVERY and Monitoring and review and changes of Third Party Services:
The following third party service delivery is in place:
Service Name | Security mentioned in Contract | Review of Service | Changes to contract | Comments
ISP | X | Informally based on complaints | Done by System Admin Head or Director | Employees are encouraged to complain formally in case of any problems faced with third party services
Data Center | √ | Informally based on complaints | Done by System Admin Head or Director | Employees are encouraged to complain formally in case of any problems faced with third party services
Computer Hardware | X | Informally based on complaints | Done by System Admin Head or Director | Employees are encouraged to complain formally in case of any problems faced with third party services
Firewall | X | Informally based on complaints | Done by System Admin Head or Director | Employees are encouraged to complain formally in case of any problems faced with third party services
7.3 SYSTEM PLANNING AND ACCEPTANCE:
Capacity management and system acceptance practices are monitored and tested as per the required capacity (RAM, storage, power requirements, etc.). Spare items of these are also kept in stock.
7.3.1 Protection against malicious and mobile code: An individually updated antivirus exists on each system. It is the user’s responsibility to update it whenever a notification to update pops up. Unauthorized software is prohibited for all Employees. The following settings on the antivirus should always be enabled by the Users:
1) Checking any files on electronic or optical media, and files received over networks, for malicious code before use;
2) Checking electronic mail attachments and downloads for malicious code before use; this check should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization;
3) Checking web pages for malicious code.
Apart from antivirus, a SONICWALL firewall is in place.
- Bluetooth and any other mobile device access to computers is disabled
- Soft lock for USB Data Storage is to be enabled on all computers
7.4 BACK UP
ISMS-FRM-F-05 describes the Back up policy, schedule and testing. At the minimum the following are always ensured in the Back up policy. This list can be increased by decisions taken in management review.
S. No | ITEM
1 | CC TV Footage
2 | Application Source code
3 | Application Backups
4 | Agreements
7.5 NETWORK SECURITY MANAGEMENT
All computers are wired, other than the director hall where a CISCO Wi-Fi router is placed; this has an additional layer of security and password protected access. The information going through the network is not encrypted. A software firewall (SQUID) exists and its logs are reviewed on a monthly basis; the review is recorded in the Firewall log review register (ISMS-FRM-F-01).
7.6 REMOVABLE MEDIA
CDROMs are disabled in all desktops but not in laptops.
- Soft lock for USB is enabled other than on the following systems:
S. No | ITEM
1 | CC TV Footage
2 | Application Source code
3 | Application Backups
4 | Agreements
- Personal removable media is not allowed (see Do’s and Don’ts).
The visitor register has a column for screening removable media. The staff maintaining the visitor register is sensitized to specially check and ask for removable media. Employees are to take this exercise for the screening of removable media positively and cooperate with the screening process. A notice to declare REMOVABLE MEDIA is posted in the lobby.
7.7 INFORMATION HANDLING PROCEDURE
Access restrictions prevent access by unauthorized personnel; making copies of information is discouraged in general. Information has to be given on a need-to-know basis.
Source code is to be kept only in CVS and on developer machines.
7.8 INFORMATION EXCHANGE POLICY and ELECTRONIC MESSAGING.
Following media is generally used by company employees for information
exchange
- Fax
- Voice
- Video
Employees should not use their email password or system password in any other site
Only official Email/Fax should be used for sending and receiving Information. Photocopies of sensitive data should not happen from outside photocopiers.
Directors have digital signature and can send email with digital signatures.
Employees, contractors and any other users are responsible for not compromising the organization, e.g. through defamation, harassment, impersonation, forwarding of chain letters, unauthorized purchasing, etc.
Employees should take appropriate precautions, e.g. not revealing sensitive information, to avoid being overheard or intercepted when making a phone call by:
1. people in their immediate vicinity, particularly when using mobile phones;
2. wiretapping, and other forms of eavesdropping through physical access to the phone handset or the phone line, or using scanning receivers;
3. people at the recipient’s end.
EXCHANGE AGREEMENTS AND PHYSICAL MEDIA IN TRANSIT ARE NOT EMPLOYED BY THE
COMPANY AS CONTROLS
7.9 ELECTRONIC COMMERCE SERVICES
This is applicable to our application which we make and deliver to our clients
a) The level of confidence each party requires in each other’s claimed identity, e.g.
through authentication;
b) Authorization processes associated with who may set prices, issue or sign key
trading documents;
c) Determining and meeting requirements for confidentiality, integrity, proof of
dispatch and receipt of key documents, and the non-repudiation of contracts,
e.g. associated with tendering and contract processes;
d) The level of trust required in the integrity of advertised price lists;
e) The confidentiality of any sensitive data or information;
f) The confidentiality and integrity of any order transactions, payment
information, delivery address details, and confirmation of receipts;
g) The degree of verification appropriate to check payment information supplied by a customer;
h) Selecting the most appropriate settlement form of payment to guard against
fraud;
i) The level of protection required to maintain the confidentiality and integrity of
order information;
j) Avoidance of loss or duplication of transaction information;
7.10 PUBLICLY AVAILABLE INFORMATION:
Website is the only applicable publicly available information. It is hosted in a
secured Data Centre.
7.11 MONITORING
Monitoring is exercised by a review of firewall logs by system admin on a
monthly basis. Logs are not to be deleted by anybody including the system
Administrator
7.12 EMAIL POLICY
7.12.1 RESTRICTED USE OF EMAIL. The Nextenders email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs and national origin. Employees who receive any emails with this content from any Nextenders employee should report the matter to their supervisor immediately.
7.12.2 PERSONAL USE OF EMAIL.
Using a reasonable amount of Nextenders resources for personal emails is acceptable, but emails not related to Nextenders work shall be saved in a separate folder from work related email. Sending chain letters or joke emails from a Nextenders email account is prohibited. Virus or other malware warnings and mass mailings from Nextenders shall be approved by Nextenders Head Information Technology before sending. These restrictions also apply to the forwarding of mail received by a Nextenders employee.
7.12.3 MONITORING
Nextenders employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system. Nextenders may monitor messages without prior notice. Nextenders is not obliged to monitor email messages.
7.12.4 ENFORCEMENT Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
8.0. ACCESS CONTROL
8.1 ACCESS CONTROL POLICY AND PRIVILEGE MANAGEMENT:
Access control policy and privilege management is governed by Baseline
access policy
8.2 USER REGISTRATION and EMAIL CREATION for new user is done using
ISMS-FRM-F-06 Email id and User Registration. The No Dues Form Employee
Disassociation form (ISMS-HR-F-04) ensures outgoing employee’s user id is
cancelled.
8.3 USER PASSWORD MANAGEMENT: as given in section Do’s and Don’ts of
Acceptable use of Asset policy.
8.4 REVIEW OF USER ACCESS RIGHTS:
ISMS Policy for baseline access is reviewed in Management review
8.5 NETWORK ACCESS CONTROL
8.5.1 POLICY ON USE OF NETWORK SERVICES
The network of Nextenders can be used only by Nextenders’ employees and guests, using Wi-Fi or the wired network after access has been granted by the System Admin.
8.5.2 USER AUTHENTICATION FOR EXTERNAL CONNECTIONS
Logical access for outsiders (Third Party) is prohibited
8.5.3 EQUIPMENT IDENTIFICATION IN NETWORK
All equipment in the network are identified in the organisation’s Asset
Inventory along with the Risk value.
8.5.4 REMOTE DIAGNOSTIC AND CONFIGURATION PORT PROTECTION
Only one port in the network is open for diagnostic purpose of computer
equipment.
Session Time out is applied only in the Application (Application for eTendering) and not for network users inside the premises.
8.7 APPLICATION AND INFORMATION ACCESS CONTROL
8.7.1 Separate shared folders for Developers and Administration are made for sharing any information. Information access control is applied in the Application (Application for e-Tendering).
8.7.2 Sensitive System Isolation: All developer and tester systems are isolated in a separate zone which has separate physical access control.
8.8 MOBILE COMPUTING AND TELEWORKING
Mobile computing is restricted by not controlling all PDA/laptop access into the premises. As of now no decision has been taken for smartphones and phones, although Bluetooth communication from phones to computers is disabled. Wi-Fi access to the organisation network is also restricted.
Teleworking is prohibited in the organization.
9.0. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
The organization has chosen consciously to apply this part on the application
being developed (Procurement System)
9.1 APPLICATION DEVELOPMENT PROCEDURE /CORRECT PROCESSING IN
APPLICATION
9.1.1 Input Data validation
a) Dual input or other input checks, such as boundary checking
or limiting fields to specific ranges of input data, to detect the
following errors:
1) out-of-range values;
2) Invalid characters in data fields;
3) Missing or incomplete data;
4) Exceeding upper and lower data volume limits;
5) Unauthorized or inconsistent control data;
b) Periodic review of the content of key fields or data files to
confirm their validity and integrity;
d) Procedures for responding to validation errors;
e) Defining the responsibilities of all personnel involved in the
data input process;
f) Creating a log of the activities involved in the data input
process
9.2.2 Control of Internal Processing
a) the use of add, modify, and delete functions to implement
changes to data;
b) the procedures to prevent programs running in the wrong
order or running after failure of prior processing;
c) protection against attacks using buffer overruns/overflows.
d) session or batch controls, to reconcile data file balances
after transaction updates;
e) validation of system-generated input data
f) checks on the integrity, authenticity or any other security
feature of data or software downloaded, or uploaded,
between central and remote computers;
g) hash totals of records and files;
h) checks to ensure that application programs are run at the
correct time;
i) checks to ensure that programs are run in the correct order
and terminate in case of a failure, and that further processing
is halted until the problem is resolved;
j) creating a log of the activities involved in the processing
9.2.3 Message Integrity
2048 bit encryption is used in the application for message integrity
9.2.4 Output Data Validation
a) reconciliation control counts to ensure processing of all data;
b) providing sufficient information for a reader or subsequent processing
system to determine the accuracy, completeness, precision, and classification
of the information;
d) procedures for responding to output validation tests;
e) creating a log of activities in the data output validation process.
9.3 CRYPTOGRAPHIC CONTROL (Application)
The use of cryptographic controls in the application is guided by the Secure Bid
Process.
9.4 SECURITY OF SYSTEM FILES
9.4.1 CONTROL OF OPERATIONAL SOFTWARE
Control of the operating system is restricted to the system administrator, and a
restore point is used for restoring the original operating system configuration.
9.4.2 Access control to system test data, program source code and the change
control procedure is handled through SVN.
9.4.3 Technical review of applications after operating system changes:
this control applies only to the applications we develop and install at the
client end, and only if the AMC is given to us. This will be elaborated further in
future.
9.5 TECHNICAL VULNERABILITY MANAGEMENT
9.5.1 CONTROL OF TECHNICAL VULNERABILITIES
Mr. Sujeet Bhatt (CTO) is responsible for proactively identifying
vulnerabilities in the application (Procurement System), and Mr. Devendra
Zope is responsible for proactively identifying vulnerabilities in the servers
and systems inside the premises of the organization.
The vulnerability identification process will be developed and refined, and
all vulnerabilities identified should be resolved within 2 months of
identification. Solutions identified should be applied to all existing
installed applications.
10.0. INFORMATION SECURITY INCIDENT MANAGEMENT
10.1 Information security events are recorded in ISMS-FRM-F-07; all
incidents are to be recorded. All employees are encouraged to report as
many incidents of security / information security breach or THREATS as possible
to the system administrator. The system administrator has to record all incidents,
however trivial they may look, in the register ISMS-FRM-F-07.
Reporting can be done verbally, by email or by phone to the system
administrator.
All incidents are to be reviewed by the ISCG on a quarterly basis to identify root
causes and take corrective actions in order to improve the information
security management system.
11.0. BUSINESS CONTINUITY PLAN
The business continuity plan is executed once a year. The records and findings
of the BCP exercise are documented for reference.
12.0. COMPLIANCE
12.1. A legal register, ISMS-FRM-F-09, has been prepared and is reviewed in the Management
Review to identify all applicable legislation.
12.2. Intellectual Property Rights:
We at Nextenders only employ licensed software and purchase software
through reliable and authorized software vendors.
Employees are advised to:
a) Comply with terms and conditions for software and information obtained
from public networks;
b) Not duplicate, convert to another format or extract from
commercial recordings (film, audio) other than as permitted by copyright
law;
c) Not copy, in full or in part, books, articles, reports or other documents,
other than as permitted by copyright law.
12.3. PROTECTION OF ORGANIZATIONAL RECORDS
Important records are protected from loss, destruction and falsification, in
accordance with statutory, regulatory, contractual and business
requirements. They are also backed up as part of the backup policy.
12.4. PRIVACY
Nextenders is committed to implementing the privacy of people and information as
set out in the privacy policy published at
http://www.nextenders.com/privacy-statement.aspx
12.5 INFORMATION SECURITY AUDIT
An internal information security audit in accordance with ISO 27001:2013 will be
conducted on a yearly basis by the ISCG; records of non-conformities identified
will be kept, and corrective actions will be taken after root cause analysis.
13.0 INFORMATION SECURITY OBJECTIVE & PLANNING
Control Area | Information Security Objective | Resources | Responsibility | Target Date | Evaluation Criteria
A – 5 | ISMS Policy will be reviewed twice | Documents / Templates of best practice | Jayita Ganguly | March end | No. of changes made
6.1.3 | Ten relevant Contacts of Authorities | List of Authorities | Shailesh Vakil / Deven Zope | June | Contact nos / email Id / Address
7.2.2 | Two hours training to each person on security awareness | Presentation / LMS / Questionnaire | HR | June end | 70% Success
A – 8.1.4 | 100% Ownership of Assets | Hardware / Software Ownership intimation letter with responsibility | System Admin | March end | Results of Asset Inventory Audit / No. of wrongly defined Assets
A – 9.2.3 | 100% Definition & Updating of Privilege / Accessibility for every user | Access rights documents and approval for change of rights | System Admin | March end | No. of undefined users with regards to Policy / No. of missed approvals
A – 12.3 | 100% implementation of backup Policy | Backup Policy / Backup Restoration | Developers / System Admin | Backup Policy update | No. of missed backups / Backup restoration failures
A – 14.1.3 | One Vulnerability Assessment of Transaction | In-house with OWASP / STQC | System Admin | Oct end / every 6 months | Testing Report / Assessment Report
14.0 COMMUNICATION MATRIX
Internal communication
What | When | Whom | Who | Process
Confidential Information / Breach related to ISMS Policy | At the time of joining / All present employees | New joined employee / All present employees | HR | Providing information through email / Conducting exam / Training
Training / Induction | At the time of joining / As and when required | New joined employees / All the employees | HR / Trainer | Presentation / Training Sessions
ISMS Policy / Procedures | At the time of preparing / revision of Policy | All employees | ISMS committee | Sending information through email / document repository
Job Responsibilities | At the time of joining / review | During Interview / New joined employees / during review of existing employees | Respective Department Head / in charge | One to one communication
Patch Management | As per requirement | Implementation Team / Client | System Admin | Process / Release Document
External communication
What | When | Whom | Who | Process
Bid related info | Bid preparation | Client | Chief delivery officer / Chief Sales Officer / Bid Executive | Going through Bid document / Eligibility Criteria qualification / Technical / Functional Qualification
Pre-Bid Query | As per the schedule given in the Bid Document | Client | Bid Executive | Through email / Fax / Letter
New features in application | At implementation | Client | Project Co-ordination Level / Implementer | Demo / Screen shot /
Incident report and corrective Action | After incident is rectified | Client | Senior Management | Email / Letter
Customer Requirements | Periodical | Project Manager | Business Head | Email / Process document / SRS
Non-disclosure Agreement / Service Level Agreement | At the time of entering into Agreement | Client / Supplier / Partners | Company Secretary and Compliance Officer | Email / Agreement copies
ISMS Policy | At the time of preparing / revision of Policy | Interested Parties | ISMS committee | Sending information through email / document repository / website
15.0 INFORMATION SECURITY IN PROJECT MANAGEMENT
Control
Information security is addressed in project management, regardless of the type of the
project.
Implementation guidance
Information security is integrated into the organization’s project management method(s) to
ensure that information security risks are identified and addressed as part of a project. This
applies generally to any project regardless of its character, e.g. a project for a core business
process, IT, facility management and other supporting processes.
The project management methods in use are:
a) Information security objectives are included in project objectives;
b) An information security risk assessment is conducted at an early stage of the project to
identify necessary controls;
c) Information security is part of all phases of the applied project methodology.
Information security implications are addressed and reviewed regularly in all projects.
Responsibilities for information security are defined and allocated to specified roles defined in
the project management methods.
16.0 MOBILE DEVICE POLICY
The mobile device policy allows the use of privately owned mobile devices; the policy and
related security measures also consider:
a) Separation of private and business use of the devices, including using software to support
such separation and protect business data on a private device;
b) Providing access to business information only after users have signed an end user
agreement acknowledging their duties (physical protection, software updating, etc.), waiving
ownership of business data and allowing remote wiping of data by the organization in case of
theft or loss of the device or when no longer authorized to use the service.
17.0 DELIVERY AND LOADING AREAS
Control
Delivery and loading areas are controlled, and unauthorized persons are restricted from entering the office premises through them.
Implementation guidance
The following guidelines are considered:
a) Access to a delivery and loading area from outside of the office premises is restricted;
b) The security guard takes delivery of couriers and parcels and hands them over to the Admin Manager. This is also monitored by CCTV. Because of the biometric device, unauthorized persons are not allowed to enter the office premises;
c) The external doors of a delivery and loading area are controlled by the biometric devices;
d) Incoming material is inspected and examined by the security guard for explosives, chemicals or other hazardous materials before it moves into the office premises;
e) Incoming materials are registered in accordance with asset management procedures;
f) Incoming and outgoing shipments are physically segregated, where possible.
End of the Document