ISPolicy 038
Released on: 31/07/22
Version No: 3.3 | Page 1 of 17 | Release Date: 31/07/22
This document of R Systems International Ltd. is for internal circulation. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means – recording, photocopying, electronic and mechanical – without prior written permission of R Systems International Ltd.
©R Systems International Ltd Internal ISPolicy038
Review History

| S No. | Release Date | Reviewed By | Remarks |
|---|---|---|---|
| 1 | 09/06/06 | ISMS Forum | Doc Changed and DCR raised |
| 2 | 01/06/09 | ISMS Forum | Doc Changed and DCR raised |
| 3 | 07/04/11 | ISMS Forum | No Change |
| 4 | 01/06/12 | ISMS Forum | No Change |
| 5 | 09/08/12 | ISMS Forum | Doc Changed and DCR raised |
| 6 | 01/01/14 | Manager QAG | Doc Changed and DCR raised |
| 7 | 15/06/15 | Manager QAG | Doc Changed and DCR raised |
| 8 | 15/06/15 | Sr. Manager QAG | Doc Changed and DCR raised |
| 9 | 26/10/16 | Sr. Manager QAG | Doc Changed and DCR raised |
| 10 | 18/07/17 | Sr. Manager QAG | Doc Changed and DCR raised |
| 11 | 23/07/19 | Sr. Manager QAG | No Change |
| 12 | 29/07/20 | Sr. Manager QAG | No Change |
| 13 | 20/07/21 | Sr. Manager QAG | No Change |
| 14 | 20/07/22 | AGM-QAG | Doc Changed and DCR raised |
Document History

| Ver. No. | Release Date | DCR Ref. | Description of Change | Authored/Revised By | Reviewed By | Approved By |
|---|---|---|---|---|---|---|
| 1.0 | 09/06/06 | DCR/002 | Final release | QA Group | ISMS Forum | CISO |
| 2.0 | 01/06/09 | DCR/ISMS/065 | ISMS Periodic Review | QAG | ISMS Forum | CISO |
| 2.0 | 07/04/11 | NA | ISMS Periodic Review | QAG | ISMS Forum | CISO |
| 2.0 | 01/06/12 | NA | ISMS Periodic Review | QAG | ISMS Forum | CISO |
| 2.1 | 09/08/12 | DCR/ISMS/105 | Classification changed to Internal | QAG | ISMS Forum | CISO |
| 2.2 | 01/01/14 | DCR/ISMS/112 | RSI Logo Updated | ISMS Team | Manager QAG | CISO |
| 3.0 | 15/06/15 | DCR/ISMS/122 | Document revised and updated as per ISO 27001:2013 | ISMS Team | Manager QAG | CISO |
| 3.0 | 15/06/15 | DCR/ISMS/132 | Annual Review - 22/06/16 | ISMS Team | Sr. Manager QAG | CISO |
| 3.1 | 26/10/16 | DCR/ISMS/133 | Cryptography domain became applicable as per the observation in Surveillance Audit 2016 | ISMS Team | Sr. Manager QAG | CISO |
| 3.1 | 18/07/17 | DCR/ISMS/136 | Annual Review | ISMS Team | Sr. Manager QAG | CISO |
| 3.2 | 31/07/20 | DCR/ISMS/136 | Annual Review date - 29 July 20. Sec 6.3.2 updated | ISMS Team | Sr. Manager QAG | CISO |
| 3.3 | 31/07/22 | DCR/ISMS/151 | Annual Review. Sec 5 updated by adding reference to Metrics Procedure | ISMS Team | AGM-QAG | CISO |
Notes:
Only controlled hardcopies of the document shall have signatures on them.
This is an internal document. Unauthorized access or copying is prohibited.
Table of Contents
1. Overview ... 5
2. Objective ... 5
3. Scope ... 5
4. Owner ... 5
5. Information Security Objectives ... 5
   Objectives ... 6
6. Policy ... 6
   6.1 Information Security Policies ... 6
   6.2 Internal Organization ... 16
      6.2.1 Information Security Roles and Responsibilities ... 16
      6.2.2 Segregation of Duties ... 16
      6.2.3 Contact with Authorities ... 16
      6.2.4 Contact with Special Interest Group ... 17
      6.2.5 Information Security in Project Management ... 17
   6.3 Mobile Device and Teleworking ... 17
      6.3.1 Mobile Device Policy ... 17
      6.3.2 Teleworking ... 17
2. Objective
This document defines the Company's position on information security. The policy applies across the Company and is subject to amendment at any time, with the requisite approvals, depending on changes in business requirements or environment.
The objective of this policy is to describe the security requirements for information assets belonging to R Systems and used across the Company. These assets can be in written, spoken or computer-based form, and their protection from unauthorized disclosure, misrepresentation, loss or wrongful use is of vital importance. Management and staff must ensure the Confidentiality, Integrity and Availability of all information assets, as required.
The information security policy as stated in this document supports the following three objectives:
• Provide management direction and support for information security;
• Support the security requirements of the business; and
• Build business partnership/relations confidence.
3. Scope
This Information Security Policy applies to the entire RSI Noida. It aims at providing secure and acceptable use of information assets. With respect to acceptable use of information assets, this policy applies to the following:
• Locations, Business Functions and People
• Information Assets
4. Owner
The Chief Information Security Officer (CISO) is the owner of this policy and will be
responsible for reviewing and updating the policy as and when required based on the
change in the business requirements or environment. The CISO will also ensure that the
updated policy is implemented across the organization.
Objectives
1. Information assets are protected against unauthorized access.
2. Information is not disclosed to unauthorized persons through deliberate or careless action.
3. Information is protected from unauthorized modification.
4. Information is available to authorized users when needed.
5. Applicable regulatory and legislative requirements are met.
6. Business Continuity Plans for IT assets are developed, maintained and tested as far as practicable.
7. All stakeholders are made aware of Information Security on a continual basis.
8. All breaches of Information Security are reported and investigated.
9. Violations of policies are dealt with through appropriate disciplinary actions.
10. The Information Security Management System is reviewed on a periodic basis and updated.
11. Awareness of Information Security Management System
All Information Security objectives are tracked at a defined frequency in the ISMS Metrics Sheet. Please refer to the ISMS Metrics Procedure (ISProc032).
6. Policy
The table below shows the ISO 27001:2013 domains and controls applicable in the RSI context.

| Control | Title | Requirement / Objective |
|---|---|---|
| A.5.1.1 | Policies for information security | • The information security policy will provide management direction and support to information security. • The information security policy will be communicated throughout the organization to users in a form that is relevant, accessible and understandable to the intended audience. • The policy will explain the policies, principles and compliance requirements of particular importance to the organization, including: |
| A.6.1.5 | Information security in project management | Information security shall be addressed in project management, regardless of the type of project. |
| A.7.3.1 | Termination or change of employment responsibilities | Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. |
| A.8 | Asset management | Objective: To achieve and maintain appropriate protection of organizational assets. |
| A.9.4.3 | Password management system | Password management systems shall be interactive and shall ensure quality passwords. |
| A.9.4.4 | Use of privileged utility programs | The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. |
| A.9.4.5 | Access control to program source code | Access to program source code shall be restricted. |
| A.10 | Cryptography | Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. |
| A.11.1.1 | Physical security perimeter | Security perimeters shall be defined and used to protect areas that contain sensitive or critical information and information processing facilities. |
| A.11.1.2 | Physical entry controls | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. |
| A.11.1.3 | Securing offices, rooms and facilities | Physical security for offices, rooms and facilities shall be designed and applied. |
| A.11.1.4 | Protecting against external and environmental threats | Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. |
| A.11.1.5 | Working in secure areas | Procedures for working in secure areas shall be designed and applied. |
| A.11.1.6 | Delivery and loading areas | Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. |
| A.11.2 | Equipment | Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations. |
| A.11.2.1 | Equipment siting and protection | Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. |
| A.11.2.2 | Supporting utilities | Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. |
| A.12.5.1 | Installation of software on operational systems | Procedures shall be implemented to control the installation of software on operational systems. |
| A.12.6 | Technical vulnerability management | Objective: To prevent exploitation of technical vulnerabilities. |
| A.12.6.1 | Management of technical vulnerabilities | Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. |
| A.12.6.2 | Restrictions on software installation | Rules governing the installation of software by users shall be established and implemented. |
| A.12.7 | Information systems audit considerations | Objective: To minimize the impact of audit activities on operational systems. |
| A.12.7.1 | Information systems audit controls | Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes. |
| A.13 | Communications security | Objective: To ensure the protection of information in networks and its supporting information processing facilities and maintain the security of information transferred within an organization and with any external entity. |
| A.14.1.1 | Information security requirements analysis and specification | The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. |
| A.14.1.2 | Securing application services on public networks | Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. |
| A.14.1.3 | Protecting application services transactions | Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. |
| A.14.2.1 | Secure development policy | Rules for the development of software and systems shall be established and applied to developments within the organization. |
| A.14.2.2 | System change control procedures | Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. |
| A.14.2.3 | Technical review of applications after operating platform changes | When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. |
| A.14.2.4 | Restrictions on changes to software packages | Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. |
| A.14.2.5 | Secure system engineering principles | Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. |
| A.14.2.6 | Secure development environment | Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. |
| A.14.2.7 | Outsourced development | Not Applicable |
| A.14.2.8 | System security testing | Testing of security functionality shall be carried out during development. |
| A.14.2.9 | System acceptance testing | Acceptance testing programs and related criteria shall be established for new information systems, upgrades and newer versions. |
| A.14.3 | Test data | Objective: To ensure the protection of data used for testing. |
| A.14.3.1 | Protection of test data | Test data shall be selected carefully, protected and controlled. |
| A.16.1.4 | Assessment of and decision on information security events | Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. |
| A.16.1.5 | Response to information security incidents | Information security incidents shall be responded to in accordance with the documented procedures. |
| A.16.1.6 | Learning from information security incidents | Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. |
| A.16.1.7 | Collection of evidence | The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence. |
| A.17.1.1 | Planning information security continuity | The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. |
| A.17.1.2 | Implementing information security continuity | The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. |
| A.17.1.3 | Verify, review and evaluate information security continuity | The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. |
| A.17.2 | Redundancies | Objective: To ensure availability of information processing facilities. |
| A.17.2.1 | Availability of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. |
| A.18 | Compliance | Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements as defined by the organization's policy, procedure, standard or guideline. |
6.3.2 Teleworking
Users shall be allowed to remotely connect to the company network using a mobile computing device to access business information only after successful identification and authentication.
In case of a pandemic situation where Work From Home is allowed by the organization for all employees, employees need to abide by the Work From Home guidelines (IS Guide020) to avail of the teleworking service.