iQ_Security Policy

Security Policy

iQuanti Security Policy

Version 3.0

Protecting the Company and Clients’ Information

August 12, 2016

Intended Audience

Any person having access to iQuanti Information assets:

  • Employees
  • Contract Employees
  • Consultants

Overview

  • Security Responsibility
  • Information Security
    • Legal Implications
    • Addressing Information Security
  • Data Classification
  • System Access Control
    • IT Resources
    • Internet Usage
    • Non-Disclosure Agreement
  • Business Continuity and Disaster Recovery
  • Emergency Response Team
  • Employee Responsibilities
  • Incident Reporting
  • Disciplinary Action
  • Quiz

Security Responsibility

  • Security is everyone's responsibility
  • Unauthorized disclosure of classified or sensitive information can adversely affect our business
  • You must not share or discuss classified information with anyone other than those who need to know

Why Security Policy?

Protecting our client and company assets is crucial.

This involves:

  • Protecting the data of our clients and our company
  • Protecting the intellectual property of our clients and the company
  • Protecting the physical property of the company
  • Protecting the identity information of our employees and contractors

Why Security Policy?

Impacts of an Information Security breach may include:

  • Legal implications
  • Loss of customer confidence
  • Loss of business or financial loss
  • Loss of competitive advantage
  • Loss of productivity
  • Loss of company reputation/goodwill

What is Information Security?

  • Information security means protecting information and information systems against unauthorized access, use, disclosure, modification, disruption or destruction
  • Protect information from deliberate or accidental loss or misuse by guaranteeing:
    • Confidentiality - Only authorized users access information
    • Integrity - The information is accurate and complete
    • Availability - Authorized users have access when it is needed

Security

  • Physical Security
  • People Security
  • Data Security
  • IT Security

What is Information Security?

  • Forms in which information exists:
    • Printed or written on paper
    • Spoken in conversation (meetings, conference calls, informal conversations, etc.)
    • Stored electronically (hard disks; media such as tapes, CDs and DVDs; etc.)
    • Transmitted by post/courier or electronically (email, FTP, etc.)

How does an Information Security Breach create Legal Implications?

The answer lies in the two aspects of information that we use:

  1. Intellectual property (IP): legal property rights over creations of the mind, both artistic and commercial. The majority of intellectual property rights give creators of original works an economic incentive to develop and share ideas through a form of temporary monopoly.
  2. Data: information or facts usually collected as the result of experience, observation or experiment, or of processes within a computer system or premises.

In our context, we look at data that contains confidential and proprietary information as well as personal information.

Legal Implications

Intellectual Property:

  • Laws that protect the owner's right to own and use the property at his/her own volition
    • Indian Copyright Act: Civil and criminal prosecution for violation of the IP rights of any person
    • Information Technology Act: Criminal prosecution for violation of the IP rights of any person

Legal Implications

Data Protection:

  • Information Technology Act: Civil and criminal prosecution for unauthorized access and use of data; requires a body corporate to have security practices and procedures for data protection. Standards are yet to be notified.
  • Legislation in client locations: GLB, HIPAA, FCRA, etc.
    • These require the client's service provider to have security practices and procedures to protect data
    • They also require that data not be used for any purposes other than those for which it was disclosed
    • They specify norms for disclosure wherever disclosure is necessary

Legal Implications

Other general offences and violations under the Information Technology Act (relevant in the context of networks and the internet):

  • Tampering with computer source documents
  • Hacking into computer systems
  • Publishing obscene information in electronic form
  • Breach of confidentiality and privacy
  • Violation of copyrights
  • Publication of false digital signature certificates
  • Publication of digital signatures for fraudulent purposes

These offences give rise to civil and criminal prosecution.

Addressing Information Security

What does an organization need to do to meet its Information Security requirements?

  • Information Security Management System (ISMS)
    • A process/system framework to identify information security needs
    • Establish and implement the necessary policies and procedures
    • Monitor their effectiveness and continuously improve
  • Technical measures
    • Implement technical controls to protect information, e.g. firewalls, IDS, VLANs, user domains, etc.

Addressing Information Security

  • Compliance with the ISMS by end users - All employees, contractors and consultants adhere to the information security policies and procedures during the course of their work

This is where all of us have a role to play.

Scenario 1

Data Classification

Data at iQuanti Inc is classified into four levels:

Level 1: Highly Confidential

Level 2: Business Confidential

Level 3: Internal Open

Level 4: Public

Data Classification

Level 1: Highly Confidential and Level 2: Business Confidential

Permission to view, print, modify, store and transmit:

  • Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need to know
  • Viewing and modification restricted to authorized individuals as needed for business-related roles
  • Data Owner or designee grants permission for access, plus approval from supervisor
  • Authentication and authorization required for access
  • Confidentiality agreement needed
  • Data should only be printed when there is a legitimate need
  • Every copy must be numbered, tracked and destroyed when no longer required
  • Must not be stored on an individual workstation or mobile device (e.g., a laptop computer)
  • Mobile device (laptop) should be password protected, locked when not in use
  • Whole-disk encryption must be used
  • Must not be transmitted via e-mail unless encrypted and secured with a digital signature

Data Classification

Level 1

Examples:

  • Social Security numbers
  • Credit Card numbers of individuals
  • Medical records of individuals

Level 2

Examples:

  • Company financial information
  • Product development plans of the company
  • List of clients
  • Client Presentation

Data Classification

Level 3: Internal Open

  • Data intended for internal business use only. Access by external parties, clients or affiliates is restricted to those with a legitimate need
  • Data should only be printed when there is a legitimate need. Copies must be limited to employees
  • Mobile device (laptop) should be password protected, locked when not in use

Examples:

  • Organization Chart
  • Employee phone numbers

Data Classification

Level 4: Public

  • No restriction for viewing or distribution.
  • Authorization by Data Owner or designee required for modification
  • Mobile device (laptop) should be password protected, locked when not in use

Examples:

  • iQuanti Inc public web site
  • Privacy Policy
  • Press Releases

Scenario 2

System Access Control

  • Passwords
    • Set strong, complex, non-guessable passwords for your user accounts
    • Do not share your passwords with anyone
    • Keep all passwords you have been authorized to know confidential
    • Do not write down passwords on paper or keep them in files where they can be accessible to others
  • Accounts - Limit use of privileged accounts
  • Session Controls
    • Password-protected screensaver
    • Ctrl-Alt-Delete (then Enter) or Windows+L to lock the screen

Access Control and CCTV

  • Access to office premises will be restricted and secured with the access control ID
  • Access will be logged in the access control system
  • Access is monitored using CCTV cameras
  • Employees are required to use their access card for entry
  • Visitors will be accompanied by employees for entry

IT Resources

List of resources provided to all employees for business purposes:

  • Telephone (common office phone)
  • Desktop and/or laptop
    • All desktops and laptops must run the original operating system
    • Users should not install applications that are not in line with business requirements
    • Users should take approval prior to any new application installation
    • Server logs will be used to monitor unauthorized usage
    • All external ports will be disabled to protect company proprietary data
    • Users must not disable virus updates on desktops/laptops, as this can affect the entire network

IT Resources

  • Internet
    • The firewall has been configured to block unauthorized/unwanted network access
    • Employees should ensure their usage of the internet does not adversely affect other users
  • E-Mail
    • Employees should not use business email for personal communication
  • Printer
    • The printer is provided for business purposes
    • Care must be taken to ensure that sensitive data is not printed
    • Care must be taken to ensure that company confidential data is not left unattended

Scenario 3

IT Resources

  • Server
    • All employees are given access to the external network via the server
    • All employees are expected to change their passwords once every 45 days; beyond that the server will disable the login, which can be re-enabled only by an admin
    • Care must be taken to ensure that the password is protected

All employees are required to sign an NDA.

Internet Usage

  • Use the Internet facility for your professional improvement only
  • Do not allow other users to use your PC to access the Internet
    • You are accountable for any misuse of the Internet from your PC
  • Do not try to open blocked sites
  • You may post personal messages to technical discussion forums
    • Do not claim to represent iQuanti on the Internet unless authorized to do so by management
    • Do not provide company or customer confidential information in the message
  • Use a disclaimer
  • Do not download software (freeware, shareware, trial versions)

Misuse of internet resources will attract disciplinary actions.

Non-Disclosure Agreement

  • All employees and contractors are required to sign an NDA and confidentiality agreement
    • All employees and contractors are required to sign an IP assignment agreement
  • iQuanti Inc. must have a legal agreement with clients, contractors and partners with indemnity and non-liability clauses

Business Continuity and Disaster Recovery

  • A disaster recovery plan is prepared to deal with extended outages due to man-made or natural disaster and to restore services.
  • Identified disaster/outage causes that can disrupt services to customers are:
    • Fire
    • Theft
    • ISP outage
    • Hosting server outage
    • CRM (WHMCS) outage
  • In the event of a disaster, an evaluation is made of the degree of the disaster and the projected outage
  • The recovery team will be responsible for carrying out the steps outlined in the disaster recovery procedure