Information security policy
1. OBJECTIVES
Security of the IT infrastructure and its related assets, viz. information, computer systems, network elements and related services, is of vital importance to FarEye Technologies Pvt Ltd (hereinafter "FarEye"). Hence it is essential that effective and efficient security measures are followed within the company's facilities and in its operations. This policy aims at a secure IT environment in FarEye that provides confidentiality, integrity and availability of information, and of its processing, pertaining to the company, its customers and interested parties.
The policy statements in this document are derived from the business requirements and from the risks arising out of external and internal issues.
2. SCOPE
The FarEye Information Security Management System (ISMS) shall include IT Services (ITS), the complete range of services from system integration to application management and software development, support and consulting, along with in-house supporting activities including facilities management, HR, Legal and IT within FarEye locations.
3. APPLICABILITY
This document specifies a high-level statement of the various security policies followed at all FarEye facilities and by FarEye personnel deputed on-site for project execution. This policy statement shall be reflected and implemented through issue-specific, second-level detailed policies, procedures, guidelines and configuration documents of the respective functions / departments / processes.
This policy applies to all information and IT assets owned by and / or administered in FarEye or by FarEye. Information security shall be a team effort involving the participation and support of every user who deals with information and / or information systems. Every user (which includes employees, contractors, consultants, temporary staff, interns, suppliers, partners, subsidiaries, visitors etc.) shall comply with the information security policies specified herein and in related documents when working for FarEye.
4. REFERENCES
- ISO 27001:2018
- ISO 27001:2013
5. HIGH LEVEL INFORMATION SECURITY POLICY STATEMENTS
a. SECURITY ORGANISATION
Information security encompasses the entire organization and will be the responsibility of all relevant functions. The Information Security Function will spearhead this security initiative.
The Information Security Function shall promote information security within the organization through appropriate commitment and adequate resourcing, and shall also be responsible for overseeing overall security. The function would comprise top executives and senior members from various functions such as Sales, Presales, Legal, IT, HR, Admin and Finance.
The organizational aspects of security would be coordinated by the Information Security Function as an internal security function; the specific roles and responsibilities of each function would be detailed in the respective function manuals.
Co-operation Between Organizations
IT shall maintain appropriate liaison and contacts with ISPs and telecommunications operators, and Admin shall maintain appropriate liaison with the police and other authorities, to ensure a prompt response in case of a security incident.
b. INFORMATION AND ASSET CLASSIFICATION AND CONTROL
All information, IT assets (both hardware and software) and facility management assets shall have designated owners. All information, in either electronic or paper form, shall be identified and classified as per the Information and Asset Classification Policy.
Comprehensive, accurate and up-to-date asset lists shall be maintained for hardware, software (being used for FarEye's business operations) and information assets.
Movement of information and assets, whether electronic or physical, out of FarEye facilities would be authorized and controlled.
c. DATA PROTECTION
Users shall keep all customer and FarEye business data, IPR or IPR-protected information, software code and designs confidential (or handle them in line with the classification applied). No such information must be disclosed, by action, omission or negligence, to any person or party not authorized to view it. All customer information must be confined, on a need-to-know and need-to-do basis, within the project team. Customer data must not be shared with other project teams working for the same or different customers, or with third parties, without the explicit authorization of the project manager.
Ref. Data Privacy and Protection Policy.
d. ACCESS MANAGEMENT
Access (both logical and physical) to information and IT assets shall be authorized based upon roles, need to know and the need to perform tasks. The usage of these resources shall be monitored and controlled through the appropriate authentication procedure of the respective functions. Proper records shall be maintained for the same.
All access to company confidential records such as customer contracts, personnel records and financial information shall be controlled and provided adequate protection to minimize any security breach.
e. PERSONNEL SECURITY
All recruitment shall be done after scrutiny and examination.
All users shall have a contractual agreement with FarEye not to divulge any sensitive or privacy-marked information to unauthorized parties.
Security responsibilities shall be defined. All users would be informed of their role and responsibility in maintaining security.
FarEye has mandated that associates undergo the training and awareness programs on security and system usage responsibilities provided for all users. Training modules shall be made available to all users.
f. ACCEPTABLE USAGE
It shall be mandatory for all users to abide by the security policy and the user guidelines pertaining thereto. The security of information and IT assets under a user's control or custody is the responsibility of the respective user. Users shall be accountable for the ethical and appropriate use of information, IT assets and services. Users misusing the systems or their privileges may be subjected to disciplinary action, including termination.
g. COMMUNICATION & OPERATION MANAGEMENT
All IT operating procedures and guidelines pertaining to all technical infrastructure elements and services shall be formally documented.
Virus Protection
Malicious software such as viruses can cause considerable damage to information and IT assets. FarEye shall ensure that effective anti-virus measures are followed across FarEye.
Email & Internet Services
FarEye shall provide an electronic mail service to all employees and contractors for conducting its business. Limited personal use is acceptable as long as it does not hamper FarEye's functioning and interests. FarEye reserves the right to monitor the email communications of all its users in compliance with applicable law. The provisions of FarEye's Data Privacy and Protection Policy contain more information about the company's and its group's approach to monitoring staff communications and internet usage.
Internet access shall be provided to users after authorization. Users are prohibited from surfing, transmitting or downloading material that is obscene, pornographic, threatening or sexually harassing.
Information & Software Exchange
All agreements entered into by FarEye with customers shall provide, wherever necessary, for the secure transmission of sensitive / critical information and software between them.
User Logs
Log files will be maintained where it is technically feasible.
Licensed Software
Only licensed software shall be used in the company. Users shall ensure that all commercial software is used in accordance with the licensing agreements and copyright law.
Change Management
All new applications, computer systems or networks shall be secured by default. All new deployments and modifications of existing and future internal applications / computer systems / networks shall be done after an appropriate risk assessment and approval.
System Acceptance Testing
FarEye shall ensure that the requirements and criteria for acceptance of new information systems and components, upgrades and new versions are clearly defined, agreed, documented and tested, and that suitable tests of the system are carried out prior to acceptance.
h. NETWORK SECURITY
FarEye's network and public web sites shall be secured against intrusions and network failures that would affect the confidentiality, availability and integrity of information and information assets.
FarEye networks shall be segregated from external networks by a firewall. FarEye shall maintain due care in protecting customer networks interconnected to its own from threats originating from within FarEye.
i. SYSTEM DEVELOPMENT AND MAINTENANCE
FarEye shall secure its software development environment to ensure that security is built into the development process and that all customers are reasonably assured of the security of the software developed by FarEye.
A proper change control procedure shall be implemented for any software changes to ensure that they do not compromise security.
j. BUSINESS CONTINUITY MANAGEMENT
The FarEye Business Continuity Management System aligns to the ISO 22301 standard. The business continuity management commitment flows top-down, with an institutionalized policy and framework implemented. The four pillars of continuity and resilience are people safety, asset protection, environment safety (IT and non-IT) and continuity of business (services, internal and external customers). The BCM policy of the organization, as well as the management review of the business continuity management framework, demonstrates organizational intent.
k. IT OUTSOURCING
The information security policy shall be followed by vendors of outsourced functions and by their representatives while carrying out any work for FarEye. This shall also be specified in all vendor contracts. The respective function head / owning manager shall be responsible for monitoring and ensuring that all vendors follow the security measures.
All users shall have a contractual agreement with FarEye not to divulge any sensitive or privacy-marked information to unauthorized parties.
l. PHYSICAL SECURITY
Safety of human life shall be given the highest priority, and FarEye shall have systems to ensure people's safety in case of a disaster such as fire.
FarEye shall ensure that all major client areas and server rooms are physically segregated from other areas.
Physical access to FarEye facilities, and to secure areas within a facility, would be restricted through the use of appropriate access control and identification mechanisms.
Physical security requirements shall be considered at the design stage of new or upcoming facilities and areas.
Client / visitor meetings shall be conducted in separate facilities or in adequately segregated areas.
Users shall be responsible for the physical and data safety of mobile computing devices such as laptops.
m. APPLICATION SECURITY
All applications developed or purchased for the conduct and running of FarEye business would be secured to ensure the confidentiality of company information, the integrity of business processes and the availability of the systems.
Security shall be considered in all phases of the software development life cycle to ensure that security is built into applications developed and used by FarEye.
n. INCIDENT MANAGEMENT
A formal incident reporting and management procedure shall be in place, explaining the escalation levels in detail. Users shall not report incidents to, or discuss them with, other users or external persons.
FarEye shall have a formal process for the reporting of any incidents to the press, clients or security agencies such as the police.
Ref. Data Privacy and Protection Policy.
o. PURCHASE
Most IT products are vulnerable to security threats. It is important that, prior to purchase, these items are evaluated to determine the security risks and to ensure appropriate safeguards. No products shall be purchased or used without InfoSec approval.
p. RISK ASSESSMENT
The IT environment is continuously changing, and it is therefore imperative to re-evaluate the risks to information and IT assets on an ongoing basis. In order to proceed in the right direction, it is necessary to explore the external and internal issues as well as to protect the intentions of the interested third parties.
Risk assessment for critical information and IT assets shall be carried out by the risk owners and reviewed by the FarEye Information Security Function. The Information Security Function and the concerned risk owners shall carry out such an exercise jointly, annually or whenever there is a major change in the company's business.
The criteria for evaluating the risks to be treated will be based on the potential business impact of the risk materializing. Typically, the business impact will be determined by considering the loss to one or several of the following: revenue, profits, company image and strategic relevance.
q. COMPLIANCE
FarEye shall comply with all relevant laws and regulations having a bearing on information security or placing requirements on information systems. The Information Security Function / top management shall review the information security policy at least once a year. Any changes due to changed circumstances in business or processes, or to newly emerged threats, shall be incorporated in this policy after review.
6. ROLES & RESPONSIBILITIES
The overall security implementation and maintenance within FarEye is cross-functional and is the responsibility of the Information Security Function, but ownership is spread over different functions and groups. The coverage chart given below states the functions / groups responsible for the ownership of individual policy elements:

| Policy Area | Responsibility / Ownership |
|---|---|
| Security Organization | Information Security Function |
| Information & Asset Classification and Control | Hardware and packaged software: IT; facilities and equipment such as AC, UPS: Admin; information: data owners / function head |
| Data Protection | Data owners, all users |
| Access Management | Physical access: HR, Admin; logical access: data owners / IT |
| Personnel Security | HR |
| Acceptable Usage | All users |
| Communication and Operation Management | IT |
| Network Security | IT |
| Software Development and Maintenance | Project owners, development team |
| Business Continuity Management | Customer Success Manager, DevOps and Engineering, respective function, InfoSec Function |
| IT Outsourcing | IT, Admin, head of the function outsourcing the project |
| Physical Security | Admin |
| Application Security | Application owner |
| Incident Management | Users, IT, Admin, Information Security Function |
| Purchase | Function and project owners |
| Risk Assessment | Risk owners and Information Security Function |
| Compliance | Information Security Function, users, Legal Function |
7. ANNEXURE A
The internal and external context / issues that create uncertainty and in turn give rise to risk are listed below. The details are listed, reviewed and updated periodically in the Business Continuity Framework document.
The interested parties / stakeholders for FarEye are customers, investors, shareholders, government, insurers, IT and non-IT service providers, media and emergency services.

| S. No | External Context / Issues | Internal Context / Issues |
|---|---|---|
| 1 | Social | Service or deliverables to customers |
| 2 | Economic | Competitors |
| 3 | Legal and regulatory | Governance |
| 4 | Technological | Roles and responsibilities |
| 5 | Impact from competitors | Organization culture, perceptions and values |
| 6 | Views of external stakeholders / interested parties | Interested parties within the organization |
| 7 | Pressure groups: impact due to bad publicity | Internal risks identified by delivery and support groups |
8. DOCUMENT HISTORY

| Version | Date | Author (Function) | Reviewed By | Approved By | Nature of Changes |
|---|---|---|---|---|---|
| V.1.0 | 01-12-2017 | Monika Parashar | Kushal Nahata | Gautam Kumar | First integrated issue |
| V.1.0 | 01-12-2018 | Monika Parashar | Kushal Nahata | Gautam Kumar | No change |
| V.1.0 | 01-12-2019 | Monika Parashar | Kushal Nahata | Gautam Kumar | No change |
| V.2.0 | 10-02-2020 | Parveen Kumar | CISO Team | Gaurav Sharma | Updated in latest template |
| V.2.0 | 18-04-2021 | Parveen Kumar | CISO Team | Gaurav Sharma | No change |
| V.3.0 | 19-01-2022 | Parveen Kumar | Information Security Function | Arun Kumar | Entity name change |
| V.3.0 | 15-03-2023 | Dinkar Singh | InfoSec Team | Hariprasad Sanapoori | No change |
| V.3.1 | 12-01-2024 | Manhar Sharma | InfoSec Team | Ratnesh Ranjan | Approval process on software purchase updated |
9. ANNUAL REVIEW HISTORY

| Annual Review Conducted On | Version Reviewed | Is Change Required (Y/N) | Remarks |
|---|---|---|---|
| 02-12-2017 | Version 1.0 | N | Ok |
| 06-12-2018 | Version 1.0 | N | Ok |
| 02-12-2019 | Version 1.0 | N | Ok |
| 13-02-2020 | Version 2.0 | N | Ok |
| 21-04-2021 | Version 2.0 | N | Ok |
| 19-01-2022 | Version 3.0 | N | Ok |
| 15-03-2023 | Version 3.0 | N | Ok |