In a knowledge-based economy, information security is a key success factor for any organization. Rapid expansion of the enterprise ecosystem, new compliance and regulatory regimes, migration of value from physical assets to information-based intangible assets, and a changing socio-economic environment have changed the security landscape in which leading organizations need to operate effectively. Integration of global economies, exchange of data across organizations, and the rising security expectations of customers, shareholders and international markets have placed additional responsibility on us for the protection of information assets.
Information Security Objective

The objective of the Information Security Policy (ISP) is to ensure the information security of Smartworks and to minimize the risk of damage by preventing security incidents and reducing their potential impact. We maintain the confidentiality, integrity and availability of Smartworks information assets to prevent any adverse effect on our operations and our professional standing. To achieve our security objectives, we shall establish a comprehensive information security management system covering the people, processes and technologies of all business, operational and functional units within Smartworks. We shall implement all reasonable and appropriate security mechanisms for all our information assets at a granular level, thus increasing the effectiveness of our internal control systems. We are committed to building the necessary infrastructure, knowledge and resource base to meet information security requirements, with a focus on continual improvement. In all cases where customer information assets are hosted with us, we shall demonstrate our information security responsibilities by strictly adhering to our contractual obligations. We are confident that our sustained efforts in the area of information security will give us a strong competitive advantage by winning customer trust.
1. Information Security Policy

1.1 Purpose

The purpose of Smartworks’s Information Security Policy is to protect the organization’s employees, assets, customer information, integrity and reputation from potential security threats. Security threats include compromise of confidentiality (people obtaining or disclosing information inappropriately), integrity (information being altered or erroneously validated, whether deliberately or accidentally) and availability (information not being available when it is required).

1.2 Scope
1.3 Information Security Objectives

The main objectives of the policy are to ensure that –
1.4 Policy Statement
2.1 Purpose

The purpose of the Human Resource policy is to address the risks of human error, theft, fraud or misuse of facilities and to assist all personnel in creating a secure computing environment. Security responsibilities should be addressed at the recruitment stage, included in job descriptions and contracts, and monitored during an individual’s employment as well as at the end of employment / contract.

2.2 Scope

The Human Resource Security policy is one of the most important elements contributing to the overall security of organizational information. The organization should employ prudent hiring practices that include, among other things, background checks on applicants in accordance with the classification of information they would handle and the perceived risks therein. The purpose of this policy is to set the rules and regulations that apply before, during and after employment.

2.3 Policy Statement

2.3.1 Prior to Employment

To ensure that all employees, including contractors and third parties, understand their roles and responsibilities and are suitable for the roles for which they are considered.

2.3.2 During Employment

To ensure that employees, including contractors and third parties, are aware of and fulfil their information security responsibilities.

2.3.3 Change of Employment or Termination

To protect the organization’s interests as part of the process of changing or terminating employment:
3. Access Control Policy

3.1 Purpose

Access to information assets is a privilege granted to all Smartworks employees and stakeholders and is vital to performing their daily tasks. Therefore, proper access control and authorization for Smartworks information assets are essential. Inappropriate usage exposes Smartworks to risks including virus attacks, compromise of network systems and services, legal issues, monetary loss, and loss of reputation and business. The purpose of this policy is to define access controls for information systems and computing resources.

3.2 Scope

This policy applies to all platforms in use at Smartworks, including but not limited to operating systems, applications, software, middleware, screensavers, databases, network device operating systems and tools. Access control protects the organization from security threats such as internal and external intrusions.

3.3 Policy Statement

3.3.1 Access Control for Employees & IT Team
3.3.2 User Access Management (User Registration & De-Registration)
3.3.3 Privilege Access Management
3.4 Review of User Access Rights

The reconciliation of the following will be carried out on a quarterly basis:
3.5 Information Access Restriction
3.6 Review of Logs to Monitor Access

3.6.1 Types of Logs

The types of logs include, but are not limited to:
3.6.2 Log Management Procedure
3.7 Access Control to Program Source Code
4. Physical Security Policy

4.1 Purpose

This policy states that information and information processing facilities should be protected from disclosure to, modification by, or theft by unauthorized persons, and that controls should be in place to minimize loss or damage. Critical or sensitive business information processing facilities should be housed in secure areas, protected by a defined perimeter with appropriate security barriers and entry controls. All equipment should be physically protected from security threats and environmental hazards to reduce the risk of unauthorized access to data and to protect against loss or damage.

4.2 Scope

The scope of this policy covers the security of information and information processing facilities against unauthorized physical access, damage and interference, and the prevention of equipment loss, damage and theft. It applies to all employees, contract employees and any other staff working under a service agreement with Smartworks.

4.3 Classification of Physical Security into Zones
Each zone must have an appropriate level of access, restrictions and access authorization.

4.4 Policy Statement

4.4.1 Physical Entry Controls
4.4.2 Securing offices, rooms and facilities
4.4.3 Equipment Security
5. Acceptable Usage of Information Asset Policy

5.1 Purpose

To support Smartworks’s business functions and to provide customer satisfaction, Smartworks provides access to information assets to all its employees. Access to these information assets is a privilege granted to all its employees and stakeholders and is vital to performing their daily tasks. Therefore, proper use and protection of Smartworks’s information assets is essential to Smartworks’s operations. Inappropriate usage exposes Smartworks to risks including virus attacks, compromise of network systems and services, legal issues, monetary loss, and loss of reputation and business. The purpose of this policy is to outline the rules that govern acceptable use of all information assets at Smartworks, so as to protect those assets from inappropriate usage.

5.2 Scope

This Acceptable Usage of Information Asset policy governs the appropriate usage of all information assets of Smartworks. Information security requires the participation and support of all Smartworks stakeholders with access to information assets. It is thus the responsibility of every member of the Smartworks family to help ensure that all information assets are kept secure and available.

5.3 Policy Statement

5.3.1 General Usage and Ownership
5.3.2 Security and Proprietary Information
6. Cryptography Policy

6.1 Purpose

The purpose of this policy is to improve the security, integrity and confidentiality of data and to reduce the risk of unauthorized access to, loss of, and/or damage to information.

6.2 Scope

Encryption must be applied, as required by the business, to sensitive data that is stored or transmitted, and as appropriate to the information classification and business requirements from time to time. This policy applies to all employees, contractors and vendors of Smartworks, and to others who are authorized to access or use Smartworks’s information processing facilities.

6.3 Policy Statement
7. BYOD Policy

7.1 Purpose

This policy establishes rules for the proper usage of handheld devices and applications in the corporate environment in order to protect the confidentiality and integrity of corporate information / data and the availability of application / network services.

7.2 Scope

The policy applies to all employees, consultants, vendors, contractors and others using business or private mobile handheld devices on any premises occupied by the organization. This BYOD Security Policy applies to employee-owned laptops and all mobile devices, namely smartphones (Android, Windows, iOS, BlackBerry), laptops, tablets (iPad, Android, etc.) and notebooks.

7.3 Policy Statement
8. E-Mail & Internet Security Policy

8.1 Purpose

The purpose of this policy is to provide guidelines that help the IT Team maximize the security posture of Smartworks against the security risks it faces from improper e-mail and Internet configurations, practices and controls.

8.2 Scope

This document sets out the policy for e-mail and Internet related mechanisms to be followed by the IT team and by other e-mail and Internet service users of Smartworks to ensure information security at Smartworks.

8.3 Policy Statement
9. Mobile Computing Policy

9.1 Purpose

The purpose of Smartworks’s Mobile Computing policy is to establish the rules for the use of mobile computing devices and their connection to the network. These rules are necessary to preserve the integrity, availability and confidentiality of Smartworks’s information assets. The Mobile Computing policy governs the practices to be followed when using mobile devices, to ensure the protection and availability of the information held on those devices.

9.2 Scope

This document sets out the policy for identifying mobile devices, their usage, and the practices that must be adopted to ensure information security at Smartworks.

9.3 Policy Statement
10. Data Classification & Media Handling Policy

10.1 Purpose

The purpose of this policy is to ensure data protection, so that important and business-critical Smartworks records are protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual and business requirements. The policy states that all information must be properly classified, as per the classification specified in this document, and that the procedures specified here must be followed to ensure that the proper level of protection is applied to each level of information.

10.2 Scope

This document lists out the policy to be followed by Smartworks for proper infor

10.3 Policy Statement

10.3.1 Data Classification

The following classes of information exist, depending on the sensitivity of the information and its importance to the business:
The following table explains these classes:

CLASS: CONFIDENTIAL
Explanation: This classification applies to the most sensitive business information, which is intended strictly for use within Smartworks. Its unauthorized disclosure could seriously and adversely impact Smartworks, its business partners and/or its customers, leading to legal and financial repercussions and adverse public opinion.
Examples: Sensitive data shared by clients / business partners; any other documents shared by clients / business partners; the company’s investment strategies / business plans; proposals and estimates; sensitive customer information; intellectual property; salary related documents; correspondence; employee records; account statements; performance reports.

CLASS: INTERNAL
Explanation: Information approved for internal circulation within the organization, where its loss would cause inconvenience to the organization or management but where disclosure is unlikely to result in financial loss or serious damage to the organization’s credibility. While its unauthorized disclosure is against policy, it may be used freely within Smartworks; disclosure outside Smartworks is to be done only with clear authorization.
Examples: Training materials and policy manuals; security policies and procedures; IP addresses; internal operational procedures; etc.

CLASS: PUBLIC
Explanation: This classification applies to information which has been explicitly approved by Smartworks management for release to the public. There is no such thing as unauthorized disclosure of this information, and it may be freely disseminated without potential harm.
Examples: Website content, advertisements, brochures, job opening announcements and press releases.

Every piece of information (printed reports, documents, etc.) must have an owner. The owner of the information is responsible for classifying the document as per the classification described above. The owner must ensure that the document is properly controlled during storage, transmission and disposal. The owner may decide to downgrade its classification label.

10.3.2 Handling Procedures

CLASS: CONFIDENTIAL
Storage: Should be clearly labeled as “Confidential” as the case may be – as a footer/header in a Word/Excel/PowerPoint document, or by writing on the CD. Should not be stored on a shared folder. Should be stored on a central file server with strictly restricted access. Sensitive data belonging to clients MUST NOT be stored on mobile devices or removable media. Where such storage is mandated by business requirements, an incident must be recorded, documenting why it was needed and what measures are in place to safeguard it.
Transmission: Should be encrypted if transmitted outside the Smartworks network. Should be encrypted if sent on storage media to a destination outside the Smartworks office. Should not be communicated over the phone.
Disposal: The disk should be deep formatted using a software data-destruction tool, or the information should be securely overwritten at least three times. CDs should also be cleanly formatted and broken before disposal. Paper documents and reports should be shredded.

CLASS: INTERNAL
Storage: May be stored on the file server with folder permissions allowing anyone within Smartworks access to the documents.
Transmission: Internal information may be transmitted within Smartworks, but not outside.
Disposal: No special requirements.

CLASS: PUBLIC
Storage: Public information affects the image and reputation of Smartworks. Public information should be checked to make sure it does not damage the reputation or image of Smartworks. Information may be declared ‘PUBLIC’ only after authorization from senior management. Public information may be disclosed on the Internet, in brochures, or in other forms of public communication.
Transmission: No special requirements.
Disposal: No special requirements.

10.3.3 Information Exchange Agreements with Third Parties

At various stages, information produced by the organization needs to be exchanged in various forms with other organizations. The means and methods adopted for the exchange of such information must be secured to protect its confidentiality, integrity and availability. The controls for information exchange with third-party organizations can be as follows:
10.3.4 Data Archival

Client data should be retained until 15 days after project completion. However, this duration can be extended on client confirmation.

10.3.5 Disposal of Media

The following disposal methods should be used for disposing of the various types of media: