POLICY NUMBER: 3

EFFECTIVE DATE: 1 December, 2017

VERSION NUMBER: 3.1

REVIEW DATE: 1 December, 2018

 

  • PURPOSE: The Cyber Security policy outlines the guidelines and provisions for preserving the security of our company data and technology infrastructure. Employees who have access to company technology and information assets must abide by the rules the company has made.

The more we rely on technology to collect, store and manage information, the more vulnerable we become to severe security breaches. Therefore, we have implemented several security measures.

 

  • SCOPE: This policy applies to all employees who have permanent or temporary access to our systems and hardware.

 

  • WHAT ARE WE PROTECTING: It is the obligation of every employee to protect the technology and information assets of the company. This information must be protected from unauthorized access, theft and destruction. The technology and information assets of the company are made up of the following components:

 

  • Computer hardware, CPU, Disc, Email, Web application servers, PC Systems, Application software, System software etc.

  • System software including: Operating systems, Database Management systems and Backup and Restore software, Communication protocols etc.

  • Application software including: custom-written software applications and commercial off-the-shelf software packages.

  • Communication network hardware and software including: routers, hubs, modems, multiplexers, switches, firewalls, private lines and associated network management software and tools.

 

  • RESPONSIBILITIES OF EMPLOYEES: This policy pertains to all employees who use computer systems, networks and information sources as business partners and individuals who are granted access to the network for the business purpose of the company. Therefore, it is the employee's responsibility to secure the confidential data of the company.

 

    • Confidential Information: The confidential data of the company is secret and valuable. All employees are responsible for protecting all confidential information used or stored on their accounts. This data includes:

  • Unpublished financial information

  • Data of customers/partners/vendors

  • Patents, New technologies

  • Customer lists (Existing or prospective)

 

 

    • Protect personal and company devices: When employees use their digital devices to access company emails and accounts, they introduce security risk to our data. We advise our employees to keep both their personal and company-issued laptops and desktops secure. Employees should:

  • Keep all devices password protected.

  • Choose and upgrade complete antivirus software.

  • Ensure they don’t leave their devices unattended.

  • Install security updates of browsers and systems monthly or as soon as updates are available.

  • Log into company accounts and systems through secure and private networks only.

  • Avoid accessing internal systems and accounts from other people’s devices.

Employees should not purposely engage in activity with the intent to harass other users; degrade the performance of the system; divert system resources to their own use; or gain access to company systems for which they don’t have authorization.

Employees should not download unauthorized software from the internet onto their PCs or workstations.

    • Keep Emails safe: Emails often host scams and malicious software. To avoid virus infection or data theft, employees must follow these safety measures:

  • Avoid opening attachments and clicking on links when the content is not adequately explained.

  • Be suspicious of clickbait titles (e.g. offering prizes, attractive offers, etc.).

  • Check the email address and name of the person the message was received from to ensure they are legitimate.

  • If an employee isn’t sure that an email he/she received is safe, he/she can refer to our IT Specialist.

 

    • Manage Passwords properly: Password leaks are dangerous as they will hamper the entire security system of the company. Passwords should not only be secure so they won’t be easily hacked, but should also remain secret. Employees should take the following measures:

  • Choose passwords with at least eight characters (including capital and lower-case letters, numbers, symbols) and avoid information that can easily be guessed. (e.g. Date of Birth)

  • Remember passwords instead of writing them down. If employees need to write their passwords down, they are required to keep the paper or digital document confidential and destroy it when their work is done.

  • Exchange credentials only when necessary through phone or email.

  • Change the passwords every two months.

 

    • Transfer data securely: Transferring data introduces security risk. Employees must follow the instructions below:

  • Avoid transferring sensitive data (e.g. customer information, employee records) to other devices or accounts unless necessary. When mass transfer of such data is needed, we request employees to ask our IT Specialist for help.

  • Share confidential data over the company network/system and not over public Wi-Fi or a private connection.

  • Ensure that the recipients of the data are properly authorized people or organizations and have adequate security policies.

  • Immediately inform your reporting manager and IT Specialist of any privacy breaches or hacking attempts so that they can protect our infrastructure.

  • Our IT Specialist / Security Specialist is responsible for guiding employees on how to detect scam emails.

 

    • Use Internet securely: The company provides internet access to employees who are connected to its internal network and who have a business need for this access. It is a business tool for the company.

  • Employees must use the internet for business-related purposes such as communicating via electronic mail with business partners and customers and obtaining useful, relevant business information.

  • The internet service may not be used for transmitting, retrieving or storing any communications of a discriminatory, harassing, defamatory or threatening nature, or for any other purpose which is illegal or for personal gain.

 

    • Additional security measures: To reduce the chances of security breaches, employees have the responsibility to:

  • Turn off their screen and lock their devices when leaving their desks.

  • Report stolen or damaged equipment as soon as possible to the HR Department.

  • Change all account passwords at once when a device is stolen.

  • Report a perceived threat or possible security weakness in company systems.

  • Refrain from downloading suspicious, unauthorized or illegal software onto their PCs or laptops.

  • Avoid accessing suspicious websites.

 

    • Remote Access: Employees who access our company’s accounts and systems from a distance due to business need are responsible for following all data encryption and protection standards and settings, and for ensuring their private network is secure.

  • Employees should not install personal software designed to provide remote control of the PC or workstation. This type of remote access bypasses the authorized, highly secure methods of remote access and poses a threat to the security of the entire network.

  • Employees must use an authorized connection at all times, and when using remote access, the employee should have a secure ID which connects his/her system with the internal network.

 

 

 

 

  • DISCIPLINARY ACTION: The Company takes the issue of security seriously. Employees who use the technology and information resources of the company must be aware that they can be disciplined if they violate this policy.

  • First time, unintentional, small scale security breach: We may issue a verbal warning and train the employee on security.

  • Intentional, repeated or large-scale breaches: The company will take severe disciplinary action up to and including termination. The specific discipline imposed will be determined on a case-by-case basis, taking into consideration the nature and severity of the violation of the Cyber Security policy.