Information security policy

OBJECTIVES

The security of IT infrastructure and its related assets, viz. information, computer systems, network elements and related services, is of vital importance to FarEye Technologies Pvt Ltd (hereinafter "FarEye"). Hence it is essential that effective and efficient security measures are followed within the company's facilities and in its operations. This policy aims at a secure IT environment in FarEye to provide confidentiality, integrity and availability of information and its processing pertaining to the company, customers and interested parties.

The policy statements in this document are derived from the business requirements and the risks prevailing due to external and internal issues.

SCOPE

The FarEye Information Security Management System (ISMS) shall include IT Services (ITS): the complete range of services from system integration to application management and software development, support and consulting, along with in-house supporting activities including facilities management, HR, Legal and IT within FarEye locations.

APPLICABILITY

This document specifies a high-level statement of the various security policies followed at all FarEye facilities and by FarEye personnel deputed on-site for project execution. This policy statement shall be reflected and implemented through issue-specific, second-level detailed policies, procedures, guidelines and configuration documents of the respective functions/departments/processes.

This policy applies to all information and IT assets owned by and/or administered in FarEye or by FarEye. Information security shall be a team effort involving the participation and support of every user who deals with information and/or information systems. Every user (which includes employees, contractors, consultants, temporary staff, interns, suppliers, partners, subsidiaries, visitors etc.) shall comply with the information security policies specified herein and related documents when working for FarEye.

REFERENCES

  1. ISO 27001:2018
  2. ISO 27001:2013

HIGH LEVEL INFORMATION SECURITY POLICY STATEMENTS

a. SECURITY ORGANISATION

Information security encompasses the entire organization and is the responsibility of all relevant functions. The Information Security Function will spearhead this security initiative.

The Information Security Function shall promote information security within the organization through appropriate commitment and adequate resourcing, and shall also be responsible for overseeing overall security. The function comprises top executives and senior members from various functions such as Sales, Presales, Legal, IT, HR, Admin and Finance.

The organizational aspects of security are coordinated by the Information Security Function as an internal security function; the specific roles and responsibilities of each function are detailed in the respective function manuals.

Co-operation Between Organizations

IT shall maintain appropriate liaison and contacts with ISPs and telecommunications operators, and Admin shall maintain appropriate liaison with police and other authorities, to ensure prompt response in case of a security incident.

b. INFORMATION AND ASSET CLASSIFICATION AND CONTROL

All information, IT assets (both hardware and software) and facility management assets shall have designated owners. All information, in either electronic or paper form, shall be identified and classified as per the Information and Asset Classification Policy.

Comprehensive, accurate and updated asset lists shall be maintained for hardware, software (being used for FarEye's business operations) and information assets.

Information and asset movement, whether electronic or physical, from FarEye facilities shall be authorized and controlled.

c. DATA PROTECTION

Users shall keep all customer and FarEye business data, IPR or IPR-protected information, software code and designs confidential (or in line with the classification done). No such information must be disclosed, by action, omission or negligence, to any person or party not authorized to view this information. All customer information must be confined on a need-to-know and need-to-do basis within the project team. Customer data must not be shared with other project teams working for the same or different customers, or with third parties, without explicit authorization of the Project Manager.

Ref. Data Privacy and Protection Policy.

d. ACCESS MANAGEMENT

Access (both logical and physical) to information and IT assets shall be authorized based upon roles, need to know and need for performance of tasks. The usage of these resources shall be monitored and controlled through the appropriate authentication procedure of the respective functions. Proper records shall be maintained for the same.

All access to company confidential records such as customer contracts, personnel records and financial information shall be controlled and provided adequate protection to minimize any security breach.

e. PERSONNEL SECURITY

All recruitments shall be done after scrutiny and examination.

All users shall have a contractual agreement with FarEye for not divulging any sensitive or privacy-marked information to unauthorized parties.

Security responsibilities shall be defined. All users shall be communicated their role and responsibility in maintaining security.

FarEye has mandated that associates undergo the training and awareness programs on security and system usage responsibilities for all users. Training modules shall be made available to all users.

f. ACCEPTABLE USAGE

It shall be mandatory for all users to abide by the security policy and the user guidelines pertaining thereto. The security of information and IT assets under a user's control or custody is the responsibility of the respective user. Users shall be accountable for the ethical and appropriate use of information, IT assets and services. Users misusing the systems or privileges may be subjected to disciplinary action, including termination.

g. COMMUNICATION & OPERATION MANAGEMENT

All IT operating procedures and guidelines pertaining to all technical infrastructure elements and services shall be formally documented.

Virus Protection

Malicious software such as viruses can cause considerable damage to information and IT assets. FarEye shall ensure that effective anti-virus measures are followed across FarEye.

Email & Internet Services

FarEye shall provide an electronic mail service to all employees and contractors for conducting its business. Limited personal use is acceptable as long as it does not hamper FarEye's functioning and interests. FarEye reserves the right to monitor the email communications of all its users in compliance with applicable law. The provisions of FarEye's Data Privacy and Protection Policy contain more information about the company's and its group's approach to monitoring staff communications and internet usage.

Internet access shall be provided to users after authorization. Users are prohibited from surfing, transmitting or downloading material that is obscene, pornographic, threatening or sexually harassing.

Information & Software Exchange

All agreements entered into by FarEye with customers shall provide, wherever necessary, for secure transmission of sensitive/critical information and software between them.

User Logs

Log files will be maintained where it is technically feasible.

Licensed Software

Only licensed software shall be used in the company. Users shall ensure that all commercial software is used in accordance with the licensing agreements and copyright law.

Change Management

All new applications, computer systems or networks shall be secured by default. All new deployments and modifications of existing and future internal applications/computer systems/networks shall be done after an appropriate risk assessment and approval.

System Acceptance Testing

FarEye shall ensure that requirements and criteria for acceptance of new information systems and components, upgrades and new versions are clearly defined, agreed, documented and tested, and that suitable tests of the system are carried out prior to acceptance.

h. NETWORK SECURITY

FarEye's network and public web sites shall be secured against intrusions and network failures that would affect the confidentiality, availability and integrity of information and information assets.

FarEye networks shall be segregated from external networks by firewall. FarEye shall maintain due care in protecting the customer network interconnecting to its own from threats originating from within FarEye.

i. SYSTEM DEVELOPMENT AND MAINTENANCE

FarEye shall secure its software development environment to ensure that security is built into the development process and that all customers are reasonably assured as to the security of the software developed by FarEye.

A proper change control procedure shall be implemented for any software changes to ensure that they do not compromise security.

j. BUSINESS CONTINUITY MANAGEMENT

FarEye's Business Continuity Management System aligns to the ISO 22301 standard. The business continuity management commitment flows top down, with an institutionalized policy and framework implemented. The four pillars of continuity and resilience are people safety, asset protection, environment safety (IT and non-IT) and continuity of business (services, internal and external customers). The BCM policy of the organization, as well as the management review of the business continuity management framework, demonstrates organizational intent.

k. IT- OUTSOURCING

The information security policy shall be followed by vendors of outsourced functions and by their representatives while carrying out any work for FarEye. This shall also be specified in all vendor contracts. The respective Function Head/Owning Manager shall be responsible for monitoring and ensuring that all vendors follow the security measures.

All users shall have a contractual agreement with FarEye for not divulging any sensitive or privacy-marked information to unauthorized parties.

l. PHYSICAL SECURITY

Safety of human life shall be given the highest priority, and FarEye shall have systems to ensure the safety of people in case of a disaster such as fire.

FarEye shall ensure that all major client areas and server rooms are physically segregated from other areas.

Physical access to FarEye facilities, and to secure areas within the facility, shall be restricted through the use of appropriate access control and identification mechanisms.

Physical security requirements shall be considered in the design stage of new or upcoming facilities and areas.

Client/visitor meetings shall be conducted in separate facilities or in adequately segregated areas.

Users shall be responsible for the physical and data safety of mobile computing devices such as laptops.

m. APPLICATION SECURITY

All applications developed or purchased for the conduct and running of FarEye business shall be secured to ensure the confidentiality of company information, the integrity of business processes and the availability of the systems.

Security shall be considered in all phases of the software development life cycle to ensure that security is built into applications developed and used by FarEye.

n. INCIDENT MANAGEMENT

A formal incident reporting and management procedure shall be in place, explaining escalation levels in detail. Users shall not report incidents to, or discuss incidents with, other users or external persons.

FarEye shall have a formal process for the reporting of any incidents to the press, clients or security agencies such as the police.

Ref. Data Privacy and Protection Policy.

o. PURCHASE

Most IT products are vulnerable to security threats. It is important that, prior to purchase, these items are evaluated to determine the security risks and to ensure appropriate safeguards. No products shall be purchased or used without InfoSec approval.

p. RISK ASSESSMENT

The IT environment is continuously changing, and it is therefore imperative to re-evaluate the risks to information and IT assets on an ongoing basis. In order to proceed in the right direction, it is necessary to explore the external and internal issues as well as to protect the intentions of the interested third parties.

Risk assessment for critical information and IT assets shall be carried out by risk owners and reviewed by the FarEye Information Security Function. The Information Security Function and the concerned risk owners shall carry out such an exercise jointly, annually or whenever there is a major change in the company's business.

The criteria for evaluating the risks to be treated will be based on the potential business impact of the risk materializing. Typically, the business impact will be determined considering the loss to one or several of the following: revenue, profits, company image and strategic relevance.

q. COMPLIANCE

FarEye shall comply with all relevant laws and regulations having a bearing on information security or placing requirements on information systems. The Information Security Function/top management shall review the information security policy at least once a year. Any changes due to changed circumstances in business or processes, or to newly emerged threats, shall be incorporated in this policy after review.

6. ROLES & RESPONSIBILITIES

The overall security implementation and maintenance within FarEye is cross-functional and is the responsibility of the Information Security Function, but ownership is spread over different functions and groups. The coverage chart given below states the functions/groups responsible for the ownership of individual policy elements:

| Policy Area | Responsibility/Ownership |
|---|---|
| Security Organization | Information Security Function |
| Information & Asset Classification and Control | Hardware and packaged software: IT; Facilities and equipment such as AC, UPS: Admin; Information: Data Owners / Function Head |
| Data Protection | Data Owners, All Users |
| Access Management | Physical access: HR, Admin; Logical access: Data Owners / IT |
| Personnel Security | HR |
| Acceptable Usage | All Users |
| Communication and Operation Management | IT |
| Network Security | IT |
| Software Development and Maintenance | Project Owners, Development Team |
| Business Continuity Management | Customer Success Manager, DevOps and Engineering, respective Function, InfoSec Function |
| IT Outsourcing | IT, Admin, Head of the Function outsourcing the project |
| Physical Security | Admin |
| Application Security | Application Owner |
| Incident Management | Users, IT, Admin, Information Security Function |
| Purchase | Function and Project Owners |
| Risk Assessment | Risk Owners and Information Security Function |
| Compliance | Information Security Function, Users, Legal Function |


7. ANNEXURE A

The internal and external context/issues that create uncertainty and in turn give rise to risk are listed below. The details are listed, reviewed and updated periodically in the Business Continuity Framework document.

The interested parties/stakeholders for FarEye are customers, investors, shareholders, government, insurers, IT and non-IT service providers, media and emergency services.

| S. No | External Context/Issues | Internal Context/Issues |
|---|---|---|
| 1 | Social | Service or deliverables to customers |
| 2 | Economic | Competitors |
| 3 | Legal and regulatory | Governance |
| 4 | Technological | Roles and responsibilities |
| 5 | Impact from competitors | Organization culture, perceptions and values |
| 6 | Views of external stakeholders/interested parties | Interested parties within the organization |
| 7 | Pressure groups: impact due to bad publicity | Internal risks identified by delivery and support groups |


8. DOCUMENT HISTORY

| Version | Date | Author (Function) | Reviewed By | Approved By | Nature of Changes |
|---|---|---|---|---|---|
| V.1.0 | 01-12-2017 | Monika Parashar | Kushal Nahata | Gautam Kumar | First integrated issue |
| V.1.0 | 01-12-2018 | Monika Parashar | Kushal Nahata | Gautam Kumar | No change |
| V.1.0 | 01-12-2019 | Monika Parashar | Kushal Nahata | Gautam Kumar | No change |
| V.2.0 | 10-02-2020 | Parveen Kumar | CISO Team | Gaurav Sharma | Updated in latest template |
| V.2.0 | 18-04-2021 | Parveen Kumar | CISO Team | Gaurav Sharma | No change |
| V.3.0 | 19-01-2022 | Parveen Kumar | Information Security Function | Arun Kumar | Entity name change |
| V.3.0 | 15-03-2023 | Dinkar Singh | InfoSec Team | Hariprasad Sanapoori | No change |
| V.3.1 | 12-01-2024 | Manhar Sharma | InfoSec Team | Ratnesh Ranjan | Approval process on software purchase updated |


9. ANNUAL REVIEW HISTORY

| Annual Review Conducted On | Version Reviewed | Is Change Required (Y/N) | Remarks |
|---|---|---|---|
| 02-12-2017 | Version 1.0 | N | Ok |
| 06-12-2018 | Version 1.0 | N | Ok |
| 02-12-2019 | Version 1.0 | N | Ok |
| 13-02-2020 | Version 2.0 | N | Ok |
| 21-04-2021 | Version 2.0 | N | Ok |
| 19-01-2022 | Version 3.0 | N | Ok |
| 15-03-2023 | Version 3.0 | N | Ok |