Developing an information security policy: A

case study approach

Name:- Abhishek Kadu Roll:- A227
Btech IT Grade

1. What are your organization’s policies that explain information security requirements?

 Privacy and data protection principles followed by Wipro Limited and its entities around the
world with regards to the personal information of its customers partners, employees (current or
former employees, trainees), applicants, contractors, prospects and vendors and current or
former members of the Board of Directors, whose personal information are processed by Wipro

Policies followed by Wipro:-

 Wipro does not share personal information about you with affiliates, partners, service
providers, group entities.

 We may share information about you if Wipro is acquired by or merged with another
company.
 Wipro will not be liable for any unsolicited information provided by you. You consent to
Wipro using such information as per Wipro’s Privacy Statement.
 When you engage with us through social media sites, you may allow us to have access
to certain information from your social media profile based upon your privacy preference
settings on such platform

Personal information that is collected from third party sources:-

Engage with Wipro through social media
You can engage with us through social media websites or through features on Wipro websites
that integrate with social media sites. When you engage with us through social media sites, you
may allow us to have access to certain information from your social media profile based upon
your privacy preference settings on such platform..

Preventive controls used by Wipro are:-

 Signature compliance (AV, IDS, IPS)

 Tool EOL (End Of Life)/EOS (End Of Support) information
 Rule efficiency metrics (typically firewalls)
 Secure configuration and compliance
 Unauthorized configuration changes (Change management tracking)
 % of the estate/constituency covered (for e.g. what percentage of endpoints have up-to-
date AV)
  Patch compliance of security systems
 Business unit based view of security metrics
 Industry benchmarking against peers/competitors
 Capacity utilization metric

2. How have these policies been developed?

 This policies have been developed by keeping into consideration that user data must be
protected from any attacks .These policies focus on the proper methods , rules and regulation
that need to be followed by each and every employee of an organization.

Below are some of the policies of wipro:

Wipro does not share personal information about you with affiliates, partners, service providers,
group entities.

(a) to provide products or services you’ve requested;

(b) when we have your permission:

(c) under the following circumstances:

 We may share information with affiliated entities/subsidiaries/branch offices for legitimate

business purposes.
 We may provide the information to trusted entities who work on behalf of or with Wipro
under strict confidentiality agreements. These entities may use your personal information
to help Wipro communicate with you about offers from Wipro and for other legitimate
business purposes. However, these companies do not have any independent right to
further share or disseminate this information;
 We may share information with statutory authorities, government institutions or other
bodies where required for compliance with legal requirements.
 We may use the information to respond to subpoenas, court orders, or legal process, or
to establish or exercise our legal rights or defend against legal claims;
 We may share information where we believe it is necessary in order to investigate,
prevent, or take action against any illegal activities, suspected fraud, situations involving
potential threats to the physical safety of any person, or as otherwise required by law.
 We may share information where we believe it is necessary in order to protect or enforce
Wipro’s rights, usage terms, intellectual or physical property or for safety of Wipro or
associated parties.
 When you engage with us through social media sites, you may allow us to have access
to certain information from your social media profile based upon your privacy preference
settings on such platform.
 Personal information collected by Wipro: When you provide information that enables us
to respond to your request for products or services, we will, wherever permissible by
 relevant laws, collect, use and disclose this information to third parties for the purposes
described in this Privacy Statement.
 In some instances, Wipro automatically collects personal information pertaining to you
when you visit our websites and through e-mails that we may exchange. We may use
automated technologies including the use of web server logs to collect IP addresses,
device details, cookies and web beacons. The collection of this information will allow us
to improve the effectiveness of Wipro websites and our marketing activities. Please see
the section below on cookies for further details.
 Engage with Wipro through social media:- When you engage with us through social
media sites, you may allow us to have access to certain information from your social
media profile based upon your privacy preference settings on such platform.

3. How easy to follow are these policies for users?

 These policies shows different steps that need to be followed by an user within his ends, this
are basically the do’s and don’ts on the user side.
There are the steps that need to followed by the users for changing their passwords or to
recover the password
These are certain rules that user needs to follow like not sharing the OTP with others. Secondly,
not replying to fishing mails or phone calls done on the name of the organization.

4. How are users made aware of the existence and the importance of these policies?
The work of the IT dept of an organization is to maintain these policies and generally they are
responsible for maintaining these policies. They generally send Email’s to customers which
includes the ISP that might inform the user about the policies of the company.
Below are few steps which Wipro follow for letting their user know about the policies:-
The Information security policies of wipro is given on their website. '
Wipro mandates compliance to this code through periodical certification and company -wide
awareness and testing of the code every year. In addition to the section in Code of Conduct,
Wipro has also defined Privacy policy and this policy is published in the website
(URL: http://www.wipro.com/privacy-policy/ ).. There is an internal Data Protection and Privacy
policy defined under Information Security Management System (ISMS) with the objective – ‘to
define collection, protection and usage of personal data & company confidential information as
per applicable laws and regulations’. We have also established and implemented Security
Incident Management policy that covers procedures for reporting and handling policy violations
& data breaches.

5. What are the most important issues of information security and acceptable use of
network systems and information resources in your organization?
 Issues of information security:-
 Denial Of Service
 Phishing
  Malicious Program
 Besides this ISP documents contain security issues for understanding rules and
regulation made by the organization.

6. What are the advantages of the documents written in your organisation

that explain the information security policies?

1. They helps users to get information about the ISP of the company.
2. It helps in using the company It infrastructure in an desired manner.
3. These policies helps in reducing human errors.

4. No bugs – If you use a PC, your computer is extremely susceptible to online viruses,
commonly referred to as bugs.

5. Protects your customer – Having the proper internet security systems set in place not only will
help to protect you, but it will also keep your clienteles' data safe and secure.

6. Spyware protection – Spyware infects your computer and spy on you. It seeks and steals
your personal info, such as passwords, credit card numbers, addresses, and social security
numbers. Hackers use spyware in an effort to steal your identity, and your money.
7. What are the most important aspects that require further development in these
information security policy documents?

 ISP documents should mention the purpose of the application and the steps for using it.
 ISP documents should also explain the use of work portals.
 The employees must regularly dispose sensitive data