ISPolicy 038


©R Systems International Ltd Internal ISPolicy038

R Systems International Ltd.


C-40, Sector 59
Noida 201 307
(U.P.), India
http://www.rsystems.com/

Information Security Policy

Document Id.: ISPolicy038

Version No. : 3.3

Released on : 31/07/22

This document of R Systems International Ltd. is for internal circulation. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (recording, photocopying, electronic or mechanical) without prior written permission of R Systems International Ltd.

Version No: 3.3 Page 1 of 17 Release Date: 31/07/22

Review History

S No. | Release Date | Reviewed By | Remarks
1 | 09/06/06 | ISMS Forum | Doc Changed and DCR raised
2 | 01/06/09 | ISMS Forum | Doc Changed and DCR raised
3 | 07/04/11 | ISMS Forum | No Change
4 | 01/06/12 | ISMS Forum | No Change
5 | 09/08/12 | ISMS Forum | Doc Changed and DCR raised
6 | 01/01/14 | Manager QAG | Doc Changed and DCR raised
7 | 15/06/15 | Manager QAG | Doc Changed and DCR raised
8 | 15/06/15 | Sr. Manager QAG | Doc Changed and DCR raised
9 | 26/10/16 | Sr. Manager QAG | Doc Changed and DCR raised
10 | 18/07/17 | Sr. Manager QAG | Doc Changed and DCR raised
11 | 23/07/19 | Sr. Manager QAG | No Change
12 | 29/07/20 | Sr. Manager QAG | No Change
13 | 20/07/21 | Sr. Manager QAG | No Change
14 | 20/07/22 | AGM- QAG | Doc Changed and DCR raised


DOCUMENT CONTROL SHEET

Document History

Ver. No. | Release Date | DCR Ref. | Description of Change | Authored/Revised By | Reviewed By | Approved By
1.0 | 09/06/06 | DCR/002 | Final release | QA Group | ISMS Forum | CISO
2.0 | 01/06/09 | DCR/ISMS/065 | ISMS Periodic Review | QAG | ISMS Forum | CISO
2.0 | 07/04/11 | NA | ISMS Periodic Review | QAG | ISMS Forum | CISO
2.0 | 01/06/12 | NA | ISMS Periodic Review | QAG | ISMS Forum | CISO
2.1 | 09/08/12 | DCR/ISMS/105 | Classification changed to Internal | QAG | ISMS Forum | CISO
2.2 | 01/01/14 | DCR/ISMS/112 | RSI Logo Updated | ISMS Team | Manager QAG | CISO
3.0 | 15/06/15 | DCR/ISMS/122 | Document revised and updated as per ISO 27001:2013 | ISMS Team | Manager QAG | CISO
3.0 | 15/06/15 | DCR/ISMS/132 | Annual Review- 22/06/16 | ISMS Team | Sr. Manager QAG | CISO
3.1 | 26/10/16 | DCR/ISMS/133 | Cryptography Domain became applicable as per the Observation in Surveillance Audit 2016 | ISMS Team | Sr. Manager QAG | CISO
3.1 | 18/07/17 | DCR/ISMS/136 | Annual Review | ISMS Team | Sr. Manager QAG | CISO
3.2 | 31/07/20 | DCR/ISMS/136 | Annual Review date-29 July 20. Sec 6.3.2 updated | ISMS Team | Sr. Manager QAG | CISO
3.3 | 31/07/22 | DCR/ISMS/151 | Annual Review. Sec 5 updated by adding ref to Metric Procedure | ISMS Team | AGM- QAG | CISO

Notes:
• Only controlled hardcopies of the document shall have signatures on them.
• This is an internal document. Unauthorized access or copying is prohibited.
• Uncontrolled when printed unless signed by approving authority.

© R Systems International Limited 2022

Table of Contents

1. Overview ........................................................................................................... 5
2. Objective ........................................................................................................... 5
3. Scope................................................................................................................ 5
4. Owner ............................................................................................................... 5
5. Information Security Objectives ........................................................................ 5
Objectives .......................................................................................................... 6
6. Policy ................................................................................................................ 6
6.1 Information Security Policies ........................................................................ 6
6.2 Internal Organization .................................................................................. 16
6.2.1 Information Security Roles and Responsibilities ..................................... 16
6.2.2 Segregation of Duties ............................................................................. 16
6.2.3 Contact with Authorities .......................................................................... 16
6.2.4 Contact with Special Interest Group ........................................................ 17
6.2.5 Information Security in Project Management .......................................... 17
6.3 Mobile Device and Teleworking .................................................................... 17
6.3.1 Mobile Device Policy ............................................................................... 17
6.3.2 Teleworking............................................................................................. 17


Information Security Policy


1. Overview
This document outlines management’s intent to establish and manage information security within the organization and to implement adequate controls to ensure the security of information and information processing facilities.

2. Objective
This document defines the Company’s position on information security. The policy is applicable across the Company and is subject to amendment at any time, with the requisite approvals, depending upon changes in business requirements or environment.
The objective of this policy is to describe the security requirements for information assets belonging to R Systems and used across the Company. These assets can be in written, spoken or computer-based form, and the protection and security of these assets from unauthorized disclosure, misrepresentation, loss or wrongful use is of vital importance. Management and staff must ensure the Confidentiality, Integrity and Availability of all information assets, as required.
The information security policy as stated in this document supports the following three objectives:
• Provide management direction and support for information security;
• Support the security requirements of the business; and
• Build business partnership/relations confidence.

3. Scope
The Information Security policy is applicable to the entire RSI Noida. This Information Security Policy aims at providing secure and acceptable use of information assets. This policy is applicable, for acceptable use of information assets, to the following:
• Locations, Business Functions and People
• Information Assets

4. Owner
The Chief Information Security Officer (CISO) is the owner of this policy and will be
responsible for reviewing and updating the policy as and when required based on the
change in the business requirements or environment. The CISO will also ensure that the
updated policy is implemented across the organization.

5. Information Security Objectives


RSI aims to protect its business information from identified threats, whether internal or external, by enforcing and measuring appropriate controls. RSI ISMS management shall adhere to the Information Security Policy and establish underlying detailed procedures. The management shall also conduct periodic management review meetings for the continual improvement of information security. RSI management has identified the following objectives for the Information Security Management System:


Objectives
1. Information assets are protected against unauthorized access.
2. Information is not disclosed to unauthorized persons through deliberate or careless action.
3. Information is protected from unauthorized modification.
4. Information is available to authorized users when needed.
5. Applicable regulatory and legislative requirements are met.
6. Business Continuity Plans for IT assets are developed, maintained and tested as far as practicable.
7. All stakeholders are made aware of Information Security on a continual basis.
8. All breaches of Information Security are reported and investigated.
9. Violations of policies are dealt with through appropriate disciplinary actions.
10. The Information Security Management System is reviewed on a periodic basis and updated.
11. Awareness of Information Security Management System

All Information Security objectives are tracked at a defined frequency in the ISMS Metrics Sheet. Please refer to the ISMS Metrics Procedure (ISProc032).

6. Policy

6.1 Information Security Policies

The table below shows the applicable ISO 27001:2013 domains and controls in the RSI context.

A.5 Information security policies

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.5.1 Management direction for information security

A set of policies for information security shall be defined, approved by the management, published and communicated to the employees and relevant external parties.

A.5.1.1 Policies for information security
• The information security policy will provide management direction and support to information security.
• The information security policy will be communicated throughout the organization to users in a form that is relevant, accessible and understandable to the intended audience.
• The policy will explain the policies, principles and compliance requirements of particular importance to the organization, including:
  - Legislative, regulatory, and contractual compliance;
  - Security education, training, and awareness requirements;
  - Business continuity management; and
  - Consequences of information security policy violations.

A.5.1.2 Review of the policies for information security
• The information security policy will be reviewed and approved by the management annually.
• The effectiveness of implementation of information security will be reviewed by the management annually.
• The review will include, but not be limited to:
  1. Feedback from business users;
  2. Change in the business;
  3. Change in the IT environment;
  4. Trends related to threats and vulnerabilities; and
  5. Reported security incidents and audit findings.
• Records for the management review and approval will be maintained.

A.6 Organization of information security

Objective: To manage information security within the organization.

A.6.1 Internal organization

An Information Security Organization shall be created to establish, implement, operate, monitor and improve the Information Security Management System (ISMS) within RSI.

A.6.1.1 Information security roles and responsibilities: All information security roles and responsibilities shall be defined and allocated.

A.6.1.2 Segregation of duties: All mutually exclusive roles and corresponding access permissions shall be identified and reviewed annually. Whenever a company computer-based process involves sensitive information, the system will include controls involving separation of duties or other compensating control measures that ensure that no one individual has exclusive control over these types of information assets.

A.6.1.3 Contact with authorities: Appropriate contacts with relevant authorities shall be maintained.

A.6.1.4 Contact with special interest groups: Appropriate contacts with special interest groups or other security forums and professional associations will be formed to maintain and improve the knowledge of good practices and to receive early warning of alerts, advisories and patches in order to reduce vulnerabilities.

A.6.1.5 Information security in project management: Information security shall be addressed in project management, regardless of the type of project.

A.6.2 Mobile devices and teleworking

Objective: To ensure the security of teleworking and use of mobile devices.

A.6.2.1 Mobile device policy: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

A.6.2.2 Teleworking: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

A.7 Human resource security

Objective: Appropriate controls shall be established to ensure that employees and third parties understand their responsibilities and suitable controls are implemented for reducing the risk of theft, fraud and misuse.

A.7.1 Prior to employment

Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1.1 Screening: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

A.7.1.2 Terms and conditions of employment: The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.

A.7.2 During employment

Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

A.7.2.1 Management responsibilities: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

A.7.2.2 Information security awareness, education and training: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

A.7.2.3 Disciplinary process: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

A.7.3 Termination and change of employment

Objective: To protect the organization’s interests as part of the process of changing or terminating employment.

A.7.3.1 Termination or change of employment responsibilities: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.
A.8 Asset management

Objective: To achieve and maintain appropriate protection of organizational assets.

A.8.1 Responsibility for assets

Objective: To identify organizational assets and define appropriate protection.

A.8.1.1 Inventory of assets: All Information Assets shall be identified and a list maintained and updated as per the Asset Management Guidelines. These assets shall be categorized based on the valuation of each asset according to its Confidentiality, Integrity and Availability (CIA) requirements and related business impact.

A.8.1.2 Ownership of assets: Each asset shall have an identified owner who shall be responsible for ensuring appropriate controls to safeguard the asset, including its physical security.

A.8.1.3 Acceptable use of assets: Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

A.8.1.4 Return of assets: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

A.8.2 Information classification

Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.2.1 Classification of information: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.

A.8.2.2 Labelling of information: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

A.8.2.3 Handling of assets: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

A.8.3 Media handling

Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.8.3.1 Management of removable media: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

A.8.3.2 Disposal of media: Media shall be disposed of securely when no longer required, using formal procedures.

A.8.3.3 Physical media transfer: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.
A.9 Access control

Objective: To limit access to information and information processing facilities.

A.9.1 Business requirements of access control

Objective: To limit access to information and information processing facilities.

A.9.1.1 Access control policy: An access control policy shall be established, documented and reviewed based on business and information security requirements.

A.9.1.2 Access to networks and network services: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

A.9.2 User access management

Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and de-registration: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

A.9.2.2 User access provisioning: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

A.9.2.3 Management of privileged access rights: The allocation and use of privileged access rights shall be restricted and controlled.

A.9.2.4 Management of secret authentication information of users: The allocation of secret authentication information shall be controlled through a formal management process.

A.9.2.5 Review of user access rights: Asset owners shall review users' access rights at regular intervals.

A.9.2.6 Removal or adjustment of access rights: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

A.9.3 User responsibilities

Objective: To make users accountable for safeguarding their authentication information.

A.9.3.1 Use of secret authentication information: Users shall be required to follow the organization's practices in the use of secret authentication information.

A.9.4 System and application access control

Objective: To prevent unauthorized access to systems and applications.

A.9.4.1 Information access restriction: Access to information and application system functions shall be restricted in accordance with the access control policy.

A.9.4.2 Secure log-on procedures: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

A.9.4.3 Password management system: Password management systems shall be interactive and shall ensure quality passwords.

A.9.4.4 Use of privileged utility programs: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

A.9.4.5 Access control to program source code: Access to program source code shall be restricted.
A.10 Cryptography

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.10.1 Cryptographic controls

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.10.1.1 Policy on the use of cryptographic controls: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

A.10.1.2 Key management: RSI supporting policies and procedures on the use, protection and lifetime of cryptographic keys shall be developed and implemented.

A.11 Physical and environmental security

Objective: To prevent unauthorized physical access, damage, and interference to the organization’s premises and information.

A.11.1 Secure areas

Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.

A.11.1.1 Physical security perimeter: Security perimeters shall be defined and used to protect areas that contain sensitive or critical information and information processing facilities.

A.11.1.2 Physical entry controls: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

A.11.1.3 Securing offices, rooms and facilities: Physical security for offices, rooms and facilities shall be designed and applied.

A.11.1.4 Protecting against external and environmental threats: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.

A.11.1.5 Working in secure areas: Procedures for working in secure areas shall be designed and applied.

A.11.1.6 Delivery and loading areas: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

A.11.2 Equipment

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.

A.11.2.1 Equipment siting and protection: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

A.11.2.2 Supporting utilities: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

A.11.2.3 Cabling security: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.

A.11.2.4 Equipment maintenance: Equipment shall be correctly maintained to ensure its continued availability and integrity.

A.11.2.5 Removal of assets: Equipment, information or software shall not be taken offsite without prior authorization.

A.11.2.6 Security of equipment and assets off-premises: Security shall be applied to offsite assets taking into account the different risks of working outside the organization's premises.

A.11.2.7 Secure disposal or re-use of equipment: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

A.11.2.8 Unattended user equipment: Users shall ensure that unattended equipment has appropriate protection.

A.11.2.9 Clear desk and clear screen policy: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
A.12 Operations security

Objective: To ensure the correct and secure operation of information processing facilities.

A.12.1 Operational procedures and responsibilities

Objective: To ensure correct and secure operations of information processing facilities.

A.12.1.1 Documented operating procedures: Operating procedures shall be documented and made available to all users who need them.

A.12.1.2 Change management: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.

A.12.1.3 Capacity management: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

A.12.1.4 Separation of development, testing and operational environments: Development, testing and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

A.12.2 Protection from malware

Objective: To ensure that information and information processing facilities are protected against malware.

A.12.2.1 Controls against malware: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

A.12.3 Backup

Objective: To protect against loss of data.

A.12.3.1 Information backup: Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.

A.12.4 Logging and monitoring

Objective: To record events and generate evidence.

A.12.4.1 Event logging: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

A.12.4.2 Protection of log information: Logging facilities and log information shall be protected against tampering and unauthorized access.

A.12.4.3 Administrator and operator logs: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

A.12.4.4 Clock synchronization: The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.

A.12.5 Control of operational software

Objective: To ensure the integrity of operational systems.

A.12.5.1 Installation of software on operational systems: Procedures shall be implemented to control the installation of software on operational systems.

A.12.6 Technical vulnerability management

Objective: To prevent exploitation of technical vulnerabilities.

A.12.6.1 Management of technical vulnerabilities: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

A.12.6.2 Restrictions on software installation: Rules governing the installation of software by users shall be established and implemented.

A.12.7 Information systems audit considerations

Objective: To minimize the impact of audit activities on operational systems.

A.12.7.1 Information systems audit controls: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.
A.13 Communications security

Objective: To ensure the protection of information in networks and its supporting information processing facilities and maintain the security of information transferred within an organization and with any external entity.

A.13.1 Network security management

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.1.1 Network controls: Networks shall be managed and controlled to protect information in systems and applications.

A.13.1.2 Security of network services: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

A.13.1.3 Segregation in networks: Groups of information services, users and information systems shall be segregated on networks.

A.13.2 Information transfer

Objective: To maintain the security of information transferred within an organization and with any external entity.

A.13.2.1 Information transfer policies and procedures: Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

A.13.2.2 Agreements on information transfer: Agreements shall address the secure transfer of business information between the organization and external parties.

A.13.2.3 Electronic messaging: Information involved in electronic messaging shall be appropriately protected.

A.13.2.4 Confidentiality or non-disclosure agreements: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.
A.14 System acquisition, development and maintenance

Objective: To ensure that information security is an integral part of information systems.

A.14.1 Security requirements of information systems

Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.1.1 Information security requirements analysis and specification: The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.

A.14.1.2 Securing application services on public networks: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

A.14.1.3 Protecting application services transactions: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

A.14.2 Security in development and support processes

Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1 Secure development policy: Rules for the development of software and systems shall be established and applied to developments within the organization.

A.14.2.2 System change control procedures: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

A.14.2.3 Technical review of applications after operating platform changes: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

A.14.2.4 Restrictions on changes to software packages: Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.

A.14.2.5 Secure system engineering principles: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

A.14.2.6 Secure development environment: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

A.14.2.7 Outsourced development: Not Applicable.

A.14.2.8 System security testing: Testing of security functionality shall be carried out during development.

A.14.2.9 System acceptance testing: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and newer versions.

A.14.3 Test data

Objective: To ensure the protection of data used for testing.

A.14.3.1 Protection of test data: Test data shall be selected carefully, protected and controlled.

A.15 Supplier relationships

Objective: To ensure protection of the organization's assets that are accessible by suppliers and to maintain an agreed level of information security and service delivery in line with supplier agreements.

A.15.1 Information security in supplier relationships

Objective: To ensure protection of the organization's assets that are accessible by suppliers.

A.15.1.1 Information security policy for supplier relationships: Information security requirements for mitigating the risks associated with the supplier's access to the organization's assets shall be agreed with the supplier and documented.
A.15.1.2 Addressing security within supplier agreements: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.
A.15.1.3 Information and communication technology supply chain: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and the product supply chain.

A.15.2 Supplier service delivery management

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.15.2.1 Monitoring and review of supplier services: Organizations shall regularly monitor, review and audit supplier service delivery.
A.15.2.2 Managing changes to supplier services: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of the business information, systems and processes involved and re-assessment of risks.

A.16 Information security incident management

Objective: To ensure that information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

A.16.1 Management of information security incidents and improvements

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.1 Responsibilities and procedures: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
A.16.1.2 Reporting information security events: Information security events shall be reported through appropriate management channels as quickly as possible.
A.16.1.3 Reporting information security weaknesses: Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weakness in systems or services.
A.16.1.4 Assessment of and decision on information security events: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
A.16.1.5 Response to information security incidents: Information security incidents shall be responded to in accordance with the documented procedures.
A.16.1.6 Learning from information security incidents: Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
A.16.1.7 Collection of evidence: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence.

A.17 Information security aspects of business continuity management

Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resumption.

A.17.1 Information security continuity

Objective: Information security continuity shall be embedded in the organization's business continuity management systems.

A.17.1.1 Planning information security continuity: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
A.17.1.2 Implementing information security continuity: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
A.17.1.3 Verify, review and evaluate information security continuity: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

A.17.2 Redundancies

Objective: To ensure availability of information processing facilities.

A.17.2.1 Availability of information processing facilities: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

A.18 Compliance

Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements as defined by the organization's policies, procedures, standards or guidelines.

A.18.1 Compliance with legal and contractual requirements

Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

A.18.1.1 Identification of applicable legislation and contractual requirements: All relevant legislative, statutory, regulatory and contractual requirements, and the organization's approach to meeting these requirements, shall be explicitly identified, documented and kept up to date for each information system and the organization.
A.18.1.2 Intellectual property rights: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software products.
A.18.1.3 Protection of records: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.
A.18.1.4 Privacy and protection of personally identifiable information: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
A.18.1.5 Regulation of cryptographic controls: RSI does not expose its data publicly; it is accessed within the RSI network only. An IPSEC VPN tunnel is used in order to connect to any client of RSI. RSI does not store or manage any cryptographic keys.


A.18.2 Information security reviews

Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

A.18.2.1 Independent review of information security: The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
A.18.2.2 Compliance with security policies and standards: Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
A.18.2.3 Technical compliance review: Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.

6.2 Internal Organization

6.2.1 Information Security Roles and Responsibilities


- CISO
- ISMS Forum
- Security Focus Group

The identified and defined information security responsibilities shall be allocated in accordance with the information security policy. These shall include but not be limited to:
- The responsibilities of the identified Security Organization (ISMS Forum)
- The responsibilities towards information security and guidelines for end users.

For Roles and Responsibilities, refer to IS_Manual.

6.2.2 Segregation of Duties


Duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of RSI's assets. Care is taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event is separated from its authorization.

6.2.3 Contact with Authorities


Contact with relevant authorities such as law enforcement, the fire department, utilities and emergency service providers is maintained. Procedures describing the point of contact for each authority to be contacted, and by whom, shall be defined and institutionalized. These procedures and the list of contact authorities are regularly updated.


6.2.4 Contact with Special Interest Group


Contacts with special interest groups or other specialist security forums and professional associations shall be maintained to enhance knowledge about best practices pertaining to information security and to share and exchange information about new technologies, products, threats or vulnerabilities.

6.2.5 Information Security in Project Management


Information security is to be addressed in the project management plan, regardless of the project. For this, the project needs to create a PISP in which the security requirements and the controls implemented at project level are addressed.

6.3 Mobile Device and Teleworking

6.3.1 Mobile Device Policy


Users shall take special care of mobile computing resources, such as laptops, mobile phones, etc., to prevent the compromise of business information. The latest virus definitions shall be updated on mobile computing devices regularly to prevent the corruption of the information stored on these devices. Mobile computing devices shall not be connected to the company network without approval from the HOD IT Infrastructure.

6.3.2 Teleworking
Users shall be allowed to remotely connect to the company network using a mobile computing device to access business information only after successful identification and authentication.
In the case of a pandemic situation where work from home is allowed by the organization for all employees, employees need to abide by the work from home guidelines (IS Guide020) to avail of the teleworking service.
