IT SECURITY POLICY


Dated: 4th April 2015

1. INTRODUCTION

1.1. INFORMATION SECURITY

Information Security Policies are the cornerstone of information security effectiveness. The Security Policy is intended to define what is expected from an organization with respect to the security of its Information Systems. The overall objective is to control or guide human behavior in order to reduce the risk to information assets from accidental or deliberate actions. Information security policies underpin the security and well-being of information resources. They are the foundation, the bottom line, of information security within an organization. We all practice elements of data security. At home, for example, we make sure that deeds and insurance documents are kept safely so that they are available when we need them. All office information deserves to be treated in the same way. In an office, having the right information at the right time can make the difference between success and failure. Data Security will help the user to control and secure information against inadvertent or malicious changes and deletions or unauthorized disclosure. There are three aspects of data security:

Confidentiality: Protecting information from unauthorized disclosure, for example to the press, through improper disposal techniques, or to those who are not entitled to it.

Integrity: Protecting information from unauthorized modification, and ensuring that information, such as a beneficiary list, can be relied upon and is accurate and complete.

Availability: Ensuring information is available when it is required.

2. SECURITY POLICY FOR NETWORKS

2.1. CONFIGURING NETWORKS

“The network must be designed and configured to deliver high performance and reliability to meet the needs of the operations whilst providing a high degree of access controls and range of privilege restrictions.”

The configuration of a network directly affects its performance, stability and information security. Information security issues to be considered when implementing the policy include the following:

  • Poor network stability can threaten operations.
  • Inadequate control over access to the network can jeopardize the confidentiality and integrity of data.
  • Slow or inadequate system response times impede processing.

2.2. MANAGING THE NETWORK

“Suitably qualified staff are to manage the organization’s network, and preserve its integrity in collaboration with the nominated individual system owners.”

All but the smallest networks, where changes are relatively infrequent, require ongoing management. Information security issues to be considered when implementing the policy include the following:

  • Inappropriate control over access to the network will threaten the confidentiality and integrity of data.
  • Inadequate capacity can make efficient operation difficult or impossible.
  • Slow or inadequate system response times impede processing.

2.3. FIREWALL SECURITY

All the networks of OGS Paylab should be protected from Internet threats using a firewall except monitoring systems that have to be at the perimeter.

2.4. FIREWALL AUDITING

There should be adequate logging on the firewall to track and monitor the connections going through the firewall.

2.5. NETWORK CONNECTIVITY WITH PARTNERS / CUSTOMERS

All network connectivity of OGS PAYLAB partners or customers should be directed through a firewall after appropriate approvals from the Chief Product Officer (CPO). Access should be granted only from specific hosts, either through an IPsec VPN or through IP whitelisting. Access should be granted to specific hosts on the OGS PAYLAB Technology Network only. Access should be controlled at the firewall. It is mandatory for the Customer or Partner to connect using a static public IP only.

2.6. ENFORCED PATH

Users should be allowed to reach outside networks and the Internet only through specified gateways. Enforced paths should be implemented by means of default gateways for segregated networks and by channeling the flow of data through monitored points.

2.7. INTERNET ACCESS

  • Access to the Internet from OGS PAYLAB premises and systems must be authorized.
  • Internet access provided by OGS PAYLAB - Chennai must not be used to transact any commercial business activity that is not done by or on behalf of OGS PAYLAB. Personal business interests of staff or other personnel must not be conducted.
  • Internet access provided by OGS PAYLAB must not be used to engage in any activity that knowingly contravenes any criminal or civil law or statute. Any such activity will result in summary dismissal of the personnel involved.
  • Internet access provided by OGS PAYLAB must not be used to engage in any activity that gathers, generates or distributes any information that is defamatory, abusive, involves any form of racial or sexual abuse, could damage the reputation of OGS PAYLAB, or any material that is detrimental to any party outside the specific business interests of OGS PAYLAB. Any such activity is likely to result in disciplinary action being taken against the personnel involved.
  • Where the Internet is used to acquire products and services for OGS PAYLAB via prearranged agreements or purchases, such transactions must have been properly authorized by appropriate line management in advance and must be conducted.
  • Information classified as CONFIDENTIAL or PROPRIETARY must not be sent over the Internet, whether as a file transfer, email content, file attachment or via a web session, unless protected by appropriate security measures.

2.8. GENERAL ANTIVIRUS GUIDELINES

  • The anti-virus scanning engine and the virus pattern files should be kept up-to-date. The delay in updating the virus patterns should be kept to a minimum. The acceptable time frame for updating to a new pattern file is 24 hours after its release.
  • All computers of OGS PAYLAB including servers, desktops & laptops should have standard and supported anti-virus software installed.
  • The virus scanner should be scheduled to run to scan for viruses at regular intervals.
  • Virus-infected computers should be removed from the network as soon as they are identified, until they are verified as virus-free.
  • Central monitoring and logging console should be deployed, to monitor the status of pattern updates on all the computers and to log the activities performed on them.
  • All virus detection incidents should be logged, along with the action taken (quarantine, deletion or successful cleaning).
  • The CPO should identify a person or a team that is responsible for creating procedures that ensure anti-virus software is run at regular intervals, and computers are verified as virus-free.
  • Formal procedures for responding to a virus incident should be developed, tested and implemented.
  • Virus incident response should be regularly reviewed and tested.
  • Hoax threats can deflect attention from genuine viruses and other malicious code, increasing susceptibility to infection. The policy should instruct users not to mass-mail any virus-related hoax, but to forward it to the relevant person identified by the CPO.
  • Regular audits of all users’ desktops / laptops should be carried out on a periodic basis to ensure that the proper and latest versions of the virus engine and definition files are running, and that no virus threat exists.
  • Disabling running of the Anti-virus software is prohibited even if it means degradation of performance in some cases.
  • User awareness should be created among all employees of OGS PAYLAB to keep systems virus-free.
  • Users should be informed of any new virus releases and the impact of their computers getting infected.

2.9. ANTIVIRUS GUIDELINES FOR EMPLOYEES

Guidelines for employees to keep systems virus-free and to prevent the spread of viruses and worms are:

  • USB ports should be disabled on all machines in OGS PAYLAB that connect to the LAN.
  • Both inbound and outbound SMTP messages should be scanned for viruses.
  • NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then "double delete" them by emptying your Trash.
  • Delete Spam, chain, and other junk email without forwarding.
  • Never download files from unknown or suspicious sources.
  • Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so. If the business so requires, share only the relevant folders (and not entire hard disk drives) protected by strong passwords.
  • Avoid using any removable media for copying or transferring documents.
  • Back up critical data and system configurations on a regular basis and store the backups in a safe place.
  • Any activities with the intention to create and/or distribute malicious programs into and from OGS PAYLAB’s networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited.
  • If testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, then run the lab test. After the test, enable the antivirus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.

2.10. RESPONSES TO A VIRUS INFECTION

  • IT Department must be contacted immediately when a computer has been infected with a virus. The IT Infrastructure Management Team will in turn take virus removal steps to clean up the computer infected.
  • If the IT Department is unable to remove a viral infection, the computer's hard drive must be reformatted and all software reinstalled using clean, licensed copies.
  • If an infected computer is deemed capable of infecting or affecting other computers or the network, the infected computer will be immediately disconnected from the network until it is serviced by Technicians or Engineers who will then verify that the computer is virus-free.

3. BACKUP AND RECOVERY PROCEDURES

Back-up copies of essential business data and software should be taken regularly. Adequate back-up facilities should be provided to ensure that all essential business data and software can be recovered following a computer disaster or media failure. Backup arrangements for individual systems should meet the requirements of business continuity plans.

3.1. BACKUP CONTROLS

  • IT Department personnel should establish and formally document an appropriate schedule of full backups.
  • A minimum level of back-up information, together with accurate and complete records of the back-up copies, must be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site.
  • Back-up data must be given a level of physical and environmental protection, consistent with the standards applied at the main site. The controls applied to media at the main site must be extended to cover the back-up site.
  • Backup data should be regularly checked to ensure that they can be relied upon in an emergency.
  • Data should be retained for the period necessary to satisfy both business and legislative requirements. Data owners should identify the retention period for essential business data and should establish any requirement for archive copies to be retained.

3.2. PROCEDURE FOR DATA BACKUP

Backups should be taken monthly, and one external hard drive should be stored locally and the other in a remote location.

3.3. BACKUP MEDIA AND SECURITY

The IT department should ensure that the media are regularly examined for readability of the data. Backup media should be replaced immediately after an error is encountered or at predefined time intervals, whichever is earlier. Backup media should be appropriately labeled and numbered. Backup media should be controlled and physically protected. Appropriate operating procedures should be established to protect tapes, disks, data cassettes, input/output data and system documentation from damage, theft, unauthorized access and virus attacks as appropriate.

Data on workstations and notebooks should be backed up on the network drive.

  • Media should not be removed from the company without written authorization.
  • All media is to be stored in a safe, secure environment, and in accordance with the manufacturers' specifications.

3.4. STORAGE OF BACKUP

3.4.1. ON-SITE

On-site data backup should be maintained in safe custody and in a fireproof cabinet. The key to the cabinet should be available only with personnel designated by the Chief Product Officer (CPO) and the duplicate should be kept with the CPO for emergency use.
3.4.2. OFF-SITE

Off-site data backup should be maintained at a location identified as ‘off-site’ in the ‘Business Continuity Plan’ (BCP). Whenever backup media are moved to or from the off-site location, they should be carried in a sealed, tamper-proof envelope or pouch.

4. USER ACCESS CONTROL AND DISCRETIONARY ACCESS

A normal user of the data should be provided access on a need-to-know basis. Based on the management hierarchy, discretionary access to application systems and data should be applied through the configuration of user and group file-access rights. Strict controls should be placed on application system source code, compilers, computer operating software and scripting facilities to ensure that the system's access control mechanisms cannot be bypassed through code subversion.

Users should also be briefed on application and operating system access control functions on a need-to-know basis. Menu systems may also be used to control access to application and system functions rather than allowing users access to a command prompt interface.

4.1. SYSTEM ACCESS CONTROL

Operating system access controls must be employed for all systems connected to external networks. Where possible, access restrictions are to be based on user groups/domains with individual user IDs assigned to the groups as required. User authentication is based on Active Directory domain passwords.

5. PHYSICAL IT SECURITY POLICY

The server room will be locked, and designated personnel access will be provided from time to time as approved by the CPO. The office floor will be locked, and only a restricted number of people will have keys to open the office for the employees.
