Isms CRM Manual

ISMS & CRM MANUAL
Rev No. : 3
Date : 15-Dec-22
APPROVAL Page : 1 of 1
ISMS & CRM MANUAL

EDITION – 2
Notes:
1. This manual is valid from the issue date.
2. This manual is not to be altered or marked in any way.
3. Any review or alteration to this manual is to be carried out as per the system
procedures.
4. Any revisions of this manual will be recorded on the Revision sheet.
Approved By:
Issued By:
Synergy Maritime Private Limited
Head of Ship Management Team
This publication is the property of Synergy Group. No part of this publication is to be

reproduced, stored in a retrieval system, or transmitted in any form or by any means
without the prior permission of Management.
RESTRICTED Master List of Documents
Master List of Documents
Document Ref. No. ISMS_Man_001 Version No.2.2

Revision No: 2 Page 1 of 6
DOCUMENT SUMMARY:
AUTHOR MR. KARTHIKEYAN N

REVIEWED BY MR. GAURAV SINGH
CURRENT VERSION 2.3
DATE OF CURRENT VERSION 15TH DEC 2022
DATE OF ORIGINAL VERSION 25TH,FEB,2015
DOCUMENT CIRCULATION ISSC TEAM
OWNER CISO
NAME: MR. GAURAV SINGH
APPROVED BY
DESIGNATION MANAGER -IT / CISO
Revision History
Version Revision Issue Date Changes
1.0 0 25th Feb, 2015 Initial

Whole content reviewed and
2.0 0 30th Sep 2019
changes applied.
Review & Updation of document
2.1 1 23rd Dec 2019 revisions / versions of listed
documents
Added CRM Manual -
ISMS_Man_048 and updated
revisions / version of ISMS Manual,
2.2 2 18th Dec 2020
Master list of Document, Risk
Methodology, Proc. For Internal
Audit
2.3 3 15th Dec 2022 Changes Made to CRM Manual with
respect to Chief Engineer
Responsibilities

Master List of Documents
SL Ver
Document Reference No Document Name Dated Category
No.
1 ISMS_Man_001 Master List of Document 2.2 18th Dec 2020 Restricted
2 ISMS_Man_002 ISMS Manual 2.2 18th Dec 2020 Restricted
3 ISMS_Man_003 ISMS Policy & Objectives 2.0 30th Sep 2019 Public
4 ISMS_Man_004 Statement of Applicability 2.1 23rd Dec 2019 Restricted
5 ISMS_Man_005 ISMS Roles, Responsibility and Authority 2.1 23rd Dec 2019 Restricted
6 ISMS_Man_006 AntiVirus Policy 2.0 30th Sep 2019 Restricted
7 ISMS_Man_007 Application Security Policy 2.0 30th Sep 2019 Restricted
8 ISMS_Man_008 Asset Management Policy 2.0 30th Sep 2019 Restricted
9 ISMS_Man_009 Backup & Restoration Policy 2.0 30th Sep 2019 Restricted
10 ISMS_Man_010 Capacity Management Policy 2.0 30th Sep 2019 Restricted
11 ISMS_Man_011 Clean Desk Policy 2.0 30th Sep 2019 Restricted
12 ISMS_Man_012 Cryptographic Controls Policy 2.0 30th Sep 2019 Restricted
13 ISMS_Man_013 Customer Data & Information Handling Policy 2.0 30th Sep 2019 Restricted
14 ISMS_Man_014 E-Mail Security Policy 2.0 30th Sep 2019 Restricted

15 ISMS_Man_015 Firewall Security Policy 2.0 30th Sep 2019 Restricted
16 ISMS_Man_016 License Management Policy 2.0 30th Sep 2019 Restricted
17 ISMS_Man_017 Change Management Policy 2.0 30th Sep 2019 Restricted
18 ISMS_Man_018 Asset Disposal Process 2.0 30th Sep 2019 Restricted
19 ISMS_Man_019 Incident Management Policy 2.0 30th Sep 2019 Restricted
20 ISMS_Man_020 Incident Response Plan 2.0 30th Sep 2019 Restricted
21 ISMS_Man_021 Information Classification Policy 2.0 30th Sep 2019 Restricted
22 ISMS_Man_022 Internet Access and Security Policy 2.0 30th Sep 2019 Restricted
23 ISMS_Man_023 Internet Usage Policy 2.0 30th Sep 2019 Restricted
24 ISMS_Man_024 Log and Audit Trail Policy 2.0 30th Sep 2019 Restricted
25 ISMS_Man_025 Logical Access Control Policy 2.0 30th Sep 2019 Restricted
26 ISMS_Man_026 Mobile computing Policy 2.0 30th Sep 2019 Restricted
27 ISMS_Man_027 Network and Telecommunication Security Policy 2.0 30th Sep 2019 Restricted
28 ISMS_Man_028 Password Management Policy 2.0 30th Sep 2019 Restricted
29 ISMS_Man_029 Physical and Environment Security Policy 2.0 30th Sep 2019 Restricted
30 ISMS_Man_030 Punitive Actions Policy 2.0 30th Sep 2019 Restricted

31 ISMS_Man_031 Server Security Policy 2.0 30th Sep 2019 Restricted
32 ISMS_Man_032 Social Media Usage Policy 2.0 30th Sep 2019 Restricted
33 ISMS_Man_033 Tele working Policy 2.0 30th Sep 2019 Restricted
34 ISMS_Man_034 Third Party Security Policy 2.0 30th Sep 2019 Restricted
35 ISMS_Man_035 Vendor Management Policy 2.0 30th Sep 2019 Restricted
36 ISMS_Man_036 Procedure for Control of Documents 2.1 23rd Dec 2019 Restricted
37 ISMS_Man_037 ISMS Control of Records 2.0 30th Sep 2019 Restricted
38 ISMS_Man_038 Procedure for corrective Action 2.1 23rd Dec 2019 Restricted
39 ISMS_Man_039 Procedure for Internal Audits 2.1 18th Dec 2020 Restricted
40 ISMS_Man_040 Procedure for Management review 2.0 30th Sep 2019 Restricted
41 ISMS_Man_041 Risk Assessment Methodology 1.1 18th Dec 2020 Restricted
42 ISMS_Man_042 Business Continuity / Disaster Recovery Plan 2.0 30th Sep 2019 Restricted
43 ISMS_Man_043 Communication Matrix 2.1 23rd Dec 2019 Restricted
44 ISMS_Man_044 Risk Document 2.1 17th Dec 2019 Restricted
45 ISMS_Man_045 Objective Planning 2.0 30th Sep 2019 Restricted
46 ISMS_SOP_001 Change Management Procedure 2.0 30th Sep 2019 Restricted

47 ISMS_SOP_002 IT Asset Procurement & Deployment Procedure 2.0 30th Sep 2019 Restricted
48 ISMS_SOP_003 Logical Access Control Procedure 2.0 30th Sep 2019 Restricted
49 ISMS_SOP_004 Physical Access Control Procedure 2.0 30th Sep 2019 Restricted
50 ISMS_Man_046 E - Waste Management Policy 1.0 23rd Dec 2019 Restricted
51 ISMS_Man_047 IT Asset Configuration 1.0 23rd Dec 2019 Restricted
Cyber security Risk Management Manual for the Safety

52 ISMS_Man_048 2.0 15TH Dec 2022 Restricted
Management System (CRM Manual)

RESTRICTED ISMS Manual
ISMS Manual
Document Ref. No. ISMS_Man_002 Version No. 2.2

DOCUMENT SUMMARY
AUTHOR MR. KANNAN

CURRENT VERSION 2.2
DATE OF CURRENT VERSION 23RD, AUGUST,2022
OWNER CISO
APPROVED BY DESIGNATION MANAGER -IT / CISO
Revision History
Whole manual content reviewed and

2.0 0 30th Sep 2019
changes applied.
2.1 1 23rd Dec 2019 Changes done A10.1.2
Added CRM Manual reference and IMO

2 18th Dec 2020
2.2 Guideline references
Changes Made to CRM Manual with

3 23rd August 2022
2.3 respect to Chief Engineer
Responsibilities

TABLE OF CONTENTS
1.0 SCOPE ....................................................................................................................................................... 8

1.1 AUDIENCE .................................................................................................................................................................................... 8
1.2 OWNERSHIP ................................................................................................................................................................................. 8
1.3 REVIEW MECHANISM ................................................................................................................................................................... 8
2.0 NORMATIVE REFERENCES ........................................................................................................................ 9
3.0 TERMS AND DEFINITIONS ........................................................................................................................ 9
4.0 CONTEXT OF THE ORGANIZATION ......................................................................................................... 13
4.1 UNDERSTANDING THE ORGANIZATION AND ITS CONTEXT ........................................................................................................ 13
4.2 UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES ............................................................................ 13
4.3 DETERMINING THE SCOPE OF THE INFORMATION SECURITY MANAGEMENT SYSTEM .............................................................. 14
4.4 INFORMATION SECURITY MANAGEMENT SYSTEM..................................................................................................................... 14
5.0 LEADERSHIP ............................................................................................................................................ 15
5.1 LEADERSHIP AND COMMITMENT ............................................................................................................................................... 15
5.2 POLICY ........................................................................................................................................................................................ 15
5.3 ORGANIZATION ROLES, RESPONSIBILITIES AND AUTHORITIES................................................................................................... 15
6.0 PLANNING .............................................................................................................................................. 15
6.1 ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES ................................................................................................................... 15
6.1.1 General ................................................................................................................................................... 15
6.1.2 Information security risk assessment ...................................................................................................... 16
6.1.3 Information security risk treatment ........................................................................................................ 16
6.2 INFORMATION SECURITY OBJECTIVES AND PLANNING TO ACHIEVE THEM ................................................................................ 16
7.0 SUPPORT ................................................................................................................................................ 17
7.1 RESOURCES ................................................................................................................................................................................ 17
7.2 COMPETENCE............................................................................................................................................................................. 17
7.3 AWARENESS ............................................................................................................................................................................... 17
7.4 COMMUNICATION ..................................................................................................................................................................... 17
7.5 DOCUMENTED INFORMATION ................................................................................................................................................... 18
7.5.1 General ................................................................................................................................................... 18
7.5.2 Creating and updating ............................................................................................................................ 18
7.5.3 Control of documented information ....................................................................................................... 18
8.0 OPERATION ............................................................................................................................................ 19
8.1 OPERATIONAL PLANNING AND CONTROL .................................................................................................................................. 19
8.2 INFORMATION SECURITY RISK ASSESSMENT .............................................................................................................................. 19
8.3 INFORMATION SECURITY RISK TREATMENT ............................................................................................................................... 19
9.0 PERFORMANCE EVALUATION ................................................................................................................ 19
9.1 MONITORING, MEASUREMENT, ANALYSISAND EVALUATION ................................................................................................. 19
9.2 INTERNAL AUDIT ........................................................................................................................................................................ 20
9.3 MANAGEMENT REVIEW ............................................................................................................................................................. 21
10.0 IMPROVEMENT ...................................................................................................................................... 21
10.1 NONCONFORMITY AND CORRECTIVE ACTION ........................................................................................................................... 21

10.2 CONTINUAL IMPROVEMENT ...................................................................................................................................................... 21

A.5 INFORMATION SECURITY POLICIES .............................................................................................................. 22
A.5.1 MANAGEMENT DIRECTION FOR INFORMATION SECURITY ............................................................................................................. 22
A.5.1.1 Policies for information security .............................................................................................................. 22
A.5.1.2 Review of the policies for information security ........................................................................................ 22
A.6 ORGANIZATION OF INFORMATION SECURITY ............................................................................................. 22
A.6.1 INTERNAL ORGANIZATION .............................................................................................................................................................. 22
A.6.1.1 Information security roles and responsibilities ........................................................................................ 22
A.6.1.2 Segregation of duties ............................................................................................................................... 22
A.6.1.3 Contact with authorities .......................................................................................................................... 22
A.6.1.4 Contact with special interest groups ....................................................................................................... 23
A.6.1.5 Information security in project management.......................................................................................... 23
A.6.2 MOBILE DEVICES AND TELEWORKING ............................................................................................................................................ 23
A.6.2.1 Mobile device policy ................................................................................................................................ 23
A.6.2.2 Teleworking ............................................................................................................................................. 23
A.7 HUMAN RESOURCE SECURITY ...................................................................................................................... 23
A.7.1 PRIOR TO EMPLOYMENT ................................................................................................................................................................. 23
A.7.1.1 Screening ................................................................................................................................................. 24
A.7.1.2 Terms and conditions of employment ..................................................................................................... 24
A.7.2 DURING EMPLOYMENT................................................................................................................................................................... 24
A.7.2.1 MANAGEMENT RESPONSIBILITIES .............................................................................................................................................. 24
A.7.2.2 Information Security awareness, education and training ....................................................................... 24
A.7.2.3 Disciplinary Process.................................................................................................................................. 24
A.7.3 TERMINATION AND CHANGE OF EMPLOYMENT ............................................................................................................................. 24
A.7.3.1 Termination Responsibilities .................................................................................................................... 25
A.8 ASSET MANAGEMENT .................................................................................................................................. 25
A.8.1 Responsibility for assets .............................................................................................................................. 25
A.8.1.1 Inventory of assets................................................................................................................................... 25
A.8.1.2 Ownership of asset .................................................................................................................................. 25
A.8.1.3 Acceptable use of assets .......................................................................................................................... 25
A.8.1.4 Return of assets ....................................................................................................................................... 25
A.8.2 Information classification ........................................................................................................................... 25
A.8.2.1 Classification of information.................................................................................................................... 25
A.8.2.2 labelling of Information ........................................................................................................................... 25
A.8.2.3 Handling of assets ................................................................................................................................... 26
A.8.3 Media handling ........................................................................................................................................... 26
A.8.3.1 Management of removable media .......................................................................................................... 26
A.8.3.2 Disposal of media .................................................................................................................................... 26
A.8.3.3 Physical media transfer ........................................................................................................................... 26
A.9 ACCESS CONTROL ......................................................................................................................................... 27
A.9.1 Business requirements of access control .................................................................................................... 27
A.9.1.1 Access control policy ................................................................................................................................ 27
A.9.1.2 Access to networks and network services ............................................................................................... 27
A.9.2 User Access Management........................................................................................................................... 27
A.9.2.1 User registration and de-registration ...................................................................................................... 27
A.9.2.2 User access provisioning .......................................................................................................................... 27
A.9.2.3 Management of privileged access rights ................................................................................................. 27
A.9.2.4 Management of secret authentication information of users ................................................................... 27
A.9.2.5 Review of user access rights..................................................................................................................... 27

A.9.2.6 Removal or adjustment of access rights .................................................................................................. 28

A.9.3 User responsibilities .................................................................................................................................... 28
A.9.3.1 Use of secret authentication information ............................................................................................... 28
A.9.4 System and application access control ....................................................................................................... 28
A.9.4.1 Information access restriction ................................................................................................................. 28
A.9.4.2 Secure log-on procedures ........................................................................................................................ 28
A.9.4.3 Password management system............................................................................................................... 28
A.9.4.4 Use of privileged utility Programs ........................................................................................................... 28
A.9.4.5 Access control to program source code ................................................................................................... 29
A.10 CRYPTOGRAPHY .......................................................................................................................................... 29
A.10.1 Cryptographic controls ............................................................................................................................. 29
A.10.1.1 Policy on the use of cryptographic controls ........................................................................................... 29
A.10.1.2 Key management................................................................................................................................... 29
A.11 PHYSICAL AND ENVIRONMENTAL SECURITY .............................................................................................. 29
A.11.1 Secure areas ............................................................................................................................................. 29
A.11.1.1 Physical security perimeter .................................................................................................................... 29
A.11.1.2 Physical entry controls ........................................................................................................................... 29
A.11.1.3 Securing offices, rooms and facilities .................................................................................................... 30
A.11.1.4 Protecting against external and environmental threats ....................................................................... 30
A.11.1.5 Working in secure areas ........................................................................................................................ 30
A.11.1.6 Public access, delivery and loading areas .............................................................................................. 30
A.11.2 Equipment security ................................................................................................................................... 30
A.11.2.1 Equipment siting and protection ........................................................................................................... 30
A.11.2.2 Supporting utilities ................................................................................................................................ 30
A.11.2.3 Cabling security ..................................................................................................................................... 31
A.11.2.4 Equipment maintenance........................................................................................................................ 31
A. 11.2.5 Removal of assets.................................................................................................................................. 31
A.11.2.6 Security of equipment and assets off-premises ..................................................................................... 31
A.11.2.7 Secure disposal or re-use of equipment ................................................................................................. 31
A.11.2.8 Unattended user equipment .................................................................................................................. 32
A.11.2.9 Clear desk and clear screen policy ......................................................................................................... 32
A. 12 OPERATIONS SECURITY ............................................................................................................................. 32
A.12.1 Operational procedures and responsibilities............................................................................................. 32
A.12.1.1 Documented operating procedures ....................................................................................................... 32
A.12.1.2 Change management ............................................................................................................................ 32
A.12.1.3 Capacity management........................................................................................................................... 33
A.12.1.4 Separation of development, test and operational environments .......................................................... 33
A.12.2 Protection from malware ......................................................................................................................... 33
12.2.1 Controls against malware ......................................................................................................................... 33
A.12.3 Backup ...................................................................................................................................................... 33
A.12.3.1 Information backup ............................................................................................................................... 33
A.12.4 Logging and monitoring ........................................................................................................................... 33
A.12.4.1 Event logging ......................................................................................................................................... 33
A.12.4.2 Protection of log information ................................................................................................................ 34
A.12.4.3 Administrator and operator logs ........................................................................................................... 34
A.12.4.4 Clock synchronization ............................................................................................................................ 34
A.12.5 Control of operational software................................................................................................................ 34
A.12.5.1 Installation of software on operational systems ................................................................................... 34
A.12.6 Technical vulnerability management ....................................................................................................... 34
A.12.6.1 Management of technical vulnerabilities .............................................................................................. 34
A.12.6.2 Restrictions on software Installation ..................................................................................................... 35

A.12.7 Information systems audit considerations ................................................................................................ 35

A.12.7.1 Information systems audit controls ....................................................................................................... 35
A.13 COMMUNICATIONS SECURITY.................................................................................................................... 35
A.13.1 Network security management ................................................................................................................ 35
A.13.1.1 Network controls ................................................................................................................................... 35
A.13.1.2 Security of network services .................................................................................................................. 36
A.13.1.3 Segregation in networks ........................................................................................................................ 36
A.13.2 Information transfer ................................................................................................................................. 36
A.13.2.1 Information transfer policies and procedures ........................................................................................ 36
A.13.2.2 Agreements on information transfer ..................................................................................................... 36
A.13.2.3 Electronic messaging ............................................................................................................................. 37
A.13.2.4 Confidentiality or nondisclosure agreements ........................................................................................ 37
A.14 SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE .................................................................... 38
A.14.1 Security requirements of information systems ......................................................................................... 38
A.14.1.1 Information Security requirements analysis and specification .............................................................. 38
A.14.1.2 Securing application services on public networks ................................................................................. 38
A.14.1.3 Protecting application services transactions ......................................................................................... 38
A.14.2 Security in development and support processes ....................................................................................... 38
A.14.2.7 Outsourced development ....................................................................................................................... 38
Refer: Vendor Management Policy ....................................................................................................................... 39
A.14.3 Test data ................................................................................................................................................... 39
A. 14.3.1 Protection of test data .......................................................................................................................... 39
A.15 SUPPLIER RELATIONSHIPS .......................................................................................................................... 39
A.15.1 Information security in supplier relationships .......................................................................................... 39
A.15.1.1 Information security policy for supplier relationships ........................................................................... 39
A.15.1.2 Addressing security within supplier agreements ................................................................................... 39
A.15.1.3 Information and communication technology supply chain ................................................................... 39
A.15.2 Supplier service delivery management ..................................................................................................... 39
A.15.2.1 Monitoring and review of supplier services ........................................................................................... 39
A.15.2.2 Managing changes to supplier services ................................................................................................. 40
A.16 INFORMATION SECURITY INCIDENT MANAGEMENT ................................................................................. 40
A.16.1 Management of information security incidents and improvements ........................................................ 40
A.16.1.1 Responsibilities and Procedures ............................................................................................................ 40
A.16.1.2 Reporting information security events .................................................................................................. 40
A.16.1.3 Reporting information security weakness ............................................................................................. 40
A.16.1.4 Assessment of and decision on information security events ................................................................. 41
A.16.1.5 Response to information security incidents........................................................................................... 41
A.16.1.6 Learning from information security incidents ....................................................................................... 41
A.16.1.7 Collection of evidence ............................................................................................................................ 41
A.17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT ....................................... 41
A.17.1 Information security continuity ................................................................................................................ 41
A.17.1.1 Planning information security continuity .............................................................................................. 41
A.17.1.2 Implementing information security continuity ...................................................................................... 41
A.17.1.3 Verify, review and evaluate information security continuity ................................................................ 41
A.17.2 Redundancies............................................................................................................................................ 42
A.17.2.1 Availability of information processing facilities..................................................................................... 42
A.18 COMPLIANCE .............................................................................................................................................. 42
A.18.1 Compliance with legal and contractual requirements .............................................................................. 42

A.18.1.1 Identification of applicable legislation and contractual requirements .................................................. 42

A.18.1.2 Intellectual property rights .................................................................................................................... 42
A.18.1.3 Protection of records ............................................................................................................................. 43
A.18.1.4 Privacy and protection of personally identifiable information .............................................................. 43
A.18.1.5 Regulation of cryptographic Controls .................................................................................................... 43
A.18.2 Information security reviews .................................................................................................................... 44
A.18.2.1 Independent review of information security .......................................................................................... 44
A.18.2.2. Compliance with security policies and standards .................................................................................. 44
A.18.2.3 Technical compliance review.................................................................................................................. 44

1.0 Scope
This Manual of Security Policies (“Policy Manual”) prescribes the policies that govern the
management and administration of the Information security management system covers
the location at Synergy Maritime Private Limited 4th Floor, AKDR Towers, Door No. 3/381,
Rajiv Gandhi Salai (OMR), Chennai – 600097, India.
The purpose of this document is to provide management direction and control to address
information security needs in accordance with the relevant laws, regulations & contractual
obligations. This document lays down the processes for security enhancement and
recommends best practices to be followed at Synergy Maritime, (hereinafter referred to as
“Synergy”)
1.1 Audience
This document is written for personnel covered by information security policy at three distinct
levels:
 High-level managers who need to understand some of the risks and implications
associated with security breach and so that they can appropriately allocate resources
and delegate responsibility,
 Mid-level managers who will need to set company-specific policies, and
Administrators and technical people who need to understand the technical controls
they will have to implement along with implications of the same.
 End users who are to maintain actions in line with the acceptable usage policy for
all company resources and are to assist in all forms of security related to the company
functioning.
1.2 Ownership
CISO is the owner of the Information Security policy and will drive all reviews and
changes in conjunction with the other representatives involved in creation of the policy
that will collectively formulate a Security Organisation within Synergy.
Primarily these representatives are
1. Information System Security Manager
2. System Engineers/Administrators
3. Network Administrators
4. Database Administrators
1.3 Review mechanism

The security policy is subject to scheduled reviews for:
1. The policy’s effectiveness shall be reviewed every 6 months in effective
maintenance of security with regard to,
a. Nature
b. Number
c. Impact
Of any recorded security incidents within the period of review and additional
parameters as deemed fit would be considered defined as reviewed factors for
evaluation of the policy effectiveness;
2. Cost and impact of controls on business efficiency;

3. Effect of changes to technology, which will lead to changes in the policy in terms
of operation of components such as
a. Servers
b. Desktops,
c. Applications,
d. Links of connectivity
e. Security devices
f. Risk assessment results
g. Personnel additions and resulting training
h. Any other component that may be deemed to form a critical part.
2.0 Normative References

1. ISO/IEC 27001:2013, Information technology — Security techniques —
Information security management systems — Requirements
2. ISO/IEC 27002:2013, Information technology — Security techniques — Code of

practice for information security management
3. GUIDELINES ON MARITIME CYBER RISK MANAGEMENT - MSC-FAL.1/Circ.3
5 July 2017
3.0 Terms and Definitions

Access Control: A process by which a system or individual makes decisions on access and
rights to resources based upon established policy and the verified identity of an individual or
other system.
Authentication: To positively verify the identity of a user, device, or other entity, often as
a prerequisite to allowing access to resources.
Authenticity: Determining that information is in its original form and that it has come from
the appropriate party.
Authorization: Granting a subject (individual, information system, process, application,

etc.) access rights and associated privileges (read, write, modify, delete, etc.) to information
and information systems.
Availability: The Property of being accessible and usable upon demand by an authorized
entity.It means that access to information and information systems is not denied to
authorized users when required.
Certification and Accreditation: An administrative process used to ensure the

development and implementation of a secure information system or other information
resource (network, application, etc.)
Confidentiality: The property that information is not made available or disclosed to

unauthorized individuals,entities or processes.It means keeping data private or secret ,with
access limited t appropriate persons or systems.
Configuration Management: The management of changes made to a system's hardware,

software, firmware, documentation, tests, test fixtures, and test documentation throughout
the development and operational life of the system.
Countermeasure: Any security control (policy, system, configuration, procedure) or other

measure to reduce a vulnerability.

Information Assurance: Protecting and defending information and information systems

by ensuring their availability, integrity, and confidentiality. This includes providing for
restoration of information systems by incorporating protection, detection, and reaction
capabilities.
Information Security: The protection of information and information systems.
Information System: A system that processes, stores, transmits, or monitors digital

information.
Integrity: The property of safeguarding the accuracy and completeness of assets.Integrity

means that information is correct and has not been altered or corrupted in some way during
transmission or processing. It also means that programs, applications, procedures, and
systems function as intended.
Least Privilege: The concept of least privilege dictates that individuals are given only those
accesses and rights necessary for job completion, and no more.
Policy: Established compulsory guidance that provides high-level goals and objectives.
Privacy: As used in this policy, security provides enforcement of privacy policies. This policy
does not define privacy or provide guidance for privacy policies; those are found in
administrative rules, state and federal laws, and other state and federal policies and
standards.
Procedure: Line by line guidance, which generally implements a process.
Process: A detailed operation that implements a policy or standard.
Risk: Combination of the probability of an event and its consequence.
Risk Assessment: A report of vulnerabilities, criticalities, threats, likelihood, loss or impact

and an assessment of the effectiveness of security measures. This includes determining
expected loss and establishing the degree of acceptability to system operations.
Risk Management: The total process to identify, control, and minimize the impact of
uncertain events. The objective of the risk management program is to mitigate risk as much
as possible and identify residual risk.
Risk Treatment: Process of selection and implementation of controls to modify risk.
Security: The ability to protect the integrity, confidentiality, and availability of information
processed, stored, and transmitted by an agency and to protect information technology (IT)
assets from unauthorized use or modification and from accidental or intentional damage or
destruction.
Security Requirements: Types and levels of protection necessary for equipment, data,
information, applications, and facilities.
Standard: Established compulsory guidance of a more detailed nature that supports

established policy.
Statement of applicability: Documented statement describing the control objectives and

controls that are relevant and applicable to the organizations ISMS.
Threat: A potential cause or an unwanted incident that may result in harm to a system or
organization
Threat Assessment: The process of evaluating the degree of threat to an information

technology resource.

Vulnerability: A flaw that provides for potential exploitation of information or information

systems. This is not limited to flaws of a technical nature, but may include weaknesses in
policies, standards, processes, and procedures, administrative controls, and physical location
or layout.
Vulnerability Assessment: A systematic examination of an information system, database,

or other application to determine the adequacy of security measures, identify security
deficiencies, provide data from which to predict the effectiveness of proposed security
measures, and confirm the adequacy of such measures after implementation.
Abbreviations
AV Anti-Virus
ACL Access Control List
BCP Business Continuity Plan
BSI (PD) British Standard Institution (Public Document)
CA Certifying Authority
CERT Computer Emergency Response Team
CIO Chief Information Officer
CISO Chief Information Security Officer
CPU Central Processing Unit
CRM Cybersecurity Risk Management
DES Data Encryption Standard
DMZ Demilitarized zone
DR Disaster Recovery
EDI Electronic Data Interchange
FTP File Transfer Protocol
HTTP Hypertext Transfer Protocol (Internet protocol)
HTTPS HTTP over SSL (Internet protocol)
H/W Hardware
IDS Intrusion Detection System
INFOSEC Information Security
Info. System Information System
IP Internet Protocol
IPLC International Private Leased Circuit
IS Information System
ISDN Integrated Services Digital Network

ISMS Information Security Management System
ISO International Standards Organization
ISO 27001 Code of Practice for Information Security Management
ISSC Information Security Steering Committee
ISM / ISSM Information System Security Manager / Information

Security Manager
ISSO Information System Security Officer
IT Information Technology
LAN Local Area Network
MD Managing Director
Mgmt Management
NAT Network Address Translation
NDA Non-Disclosure Agreement
PC Personal Computer
PGP Pretty Good Privacy
PKI Public Key Infrastructure
PSTN Public Switched Telephone Network
SLA Service Level Agreement
SSH Secure Shell (Internet protocol)
SSL Secure Sockets Layer (Internet protocol)
ISWG Information Security Working Group.
SOA Statement of Applicability
SoC Selection Of Controls
SOPs Secure Operating Procedures
TCP Transmission Communication Protocol
TLS Transport Layer Security (Internet protocol)
UPS Uninterruptible Power Supply
VLAN Virtual Local Area Network
VPN Virtual Private Network

WWW World Wide Web (Internet protocol)

4.0 Context of the organization
4.1 Understanding the organization and its context

Synergy has evaluated the issues, both external and internal issues that may have an impact while
meeting the business objectives. By defining the relevant issues to its purpose, the organization
can set directional goal for establishing their framework. In addition, the internal and external
issues that might affect the potential to meet the expected outcomes are understood.
EXTERNAL ISSUE - DETAILS OF ISSUE

ISSUE SOURCE
Human Resource Competent People
Technology Changes in Technology
Notice from Legislative /

Legal / Statutory
Statutory Body
Customer Customer Information Breach
INTERNAL ISSUE - DETAILS OF ISSUE

ISSUE SOURCE
Securing Information Safety of Internal Information
Internal Requirements Resource Requirement
4.2 Understanding the needs and expectations of interested parties

Synergy will be determined the interested parties and their expectations towards Information
Security Management System including of their legal and regulatory requirements and contractual
obligations.
Interested parties (External)

1. Legal Authorities
2. Synergy Customers/Clients
3. Synergy Contractors/Suppliers/Consultants
4. Public
5.Competitors.
Interested parties (Internal)

1.Top Management/Board of Directors
2.Synergy Employees and Contract Employees
3.Internal Business Units

Expectation of External Interested parties

1.Meeting the Legal, Regulatory and Contractual Requirements.
2.Meeting SLA requirements.
3. Implementation of Information Security Management System.
4. Protection of Information Assets by preserving Confidentiality, Integrity and Availability of the
Information Assets etc.
5. Carrying out Operations without affecting public.
6. Competitors Interested in Synergy's Customer Base.
Expectation of Internal Interested parties

1. Objectives are achieved effectively and efficiently The development and maintenance of
effective control processes are promoted throughout. Risks are appropriately and continuously
identified, assessed and managed.
2. Learning opportunities, Supportive Work environment, Business continuity, Availability of
Information resources and tools.
3. Proper Communication of Information and timely addressing of resource requirement.
4.3 Determining the scope of the information security management

system
Synergy has documented the scope of ISMS and approved by the Management.
Scope Statement : “SHIP MANAGEMENT SERVICES”
Location:
Synergy Maritime Private Limited
4th Floor, AKDR Towers,Door No. 3/381, Rajiv Gandhi Salai (OMR), Chennai – 600097, India
Location:
Synergy Navis Marine Private Limited
Onyx, 3rd Floor, N Main Rd, Koregaon Park, Pune, Maharashtra 411001.
Location:
Synergy Maritime Recruitment Services Private Limited
601, Prudential Building, Central Ave, HiranandaniGardens, Powai, Mumbai, Maharashtra 400076.
Location:
Synergy Marine Germany GmbH
Überseeallee 3, 20457 Hamburg, Germany.
Location:
Synergy Maritime Pte Limited
1 Kim Seng Promenade, #10-11/12 West Tower, 237994
Location:
Synergy Yangon Private Limited
No.25, Shwe Taung Kyar Street, Quarter No.2, Bahan Township, Yangon, Myanmar.

Location:
Synergy Denmark A/S
Kay Fiskers Plads 10,
2300 Copenhagen S, Denmark.

Note: The scope statement has been defined, so as to provide maximum flexibility after
adapting. The scope will be reviewed, and appropriate changes will be incorporated based on
the business needs, Mission, vision and Belief - https://www.synergymarinegroup.com/mission-
vision-beliefs/
Ref: ISMS_Man_004 (Statement of Applicability)
4.4 Information security management system

Synergy has established, implemented, maintained and continually improving an information
security management system as per ISO 27001:2013 standard requirements.

5.0 Leadership
5.1 Leadership and commitment
Information Security Steering Committee (Hereafter referred as ISSC) is directly involved and
committed to implement Information Security Management System at Synergy. To show direct
involvement and strong commitment towards Information Security Management System, ISSC has
established information security policy and objectives, Integrated information security
management system requirements into the organization’s process and the formed the Information
Security Team, Business Continuity Management Team and Security Maintenance Team and
defined the roles and responsibilities for these teams. Synergy is conducting periodic Internal
Audits, Conducting periodic Management Review Meetings. To show the continual improvement
of the Information Security Management System, ISSC has set some measurable objectives to
achieve the goals.
5.2 Policy
Synergy has established the information security policy and objectives, approved by the top
management and communicated to the employees and other relevant interested parties.
Refer: ISMS_Man_003
5.3 Organization roles, responsibilities and authorities

Synergy Top Management has defined and communicated the responsibilities and authorities for
relevant roles within the organization.
Synergy Top Management assigns the roles, responsibilities and authority to
a) Ensure that the information security management system conforms to the requirements of
this International Standard; and
b) Reporting on the performance of the information security management system to top
management.
Refer: ISMS Roles, Responsibility and Authority ( ISMS_Man_005) and CRM Manual (ISMS_Man_48)
6.0 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
Synergy has determined the risks and opportunities for issues and requirements identified in 4.1
and 4.2 sections and this will address to
a) ensure the information security management system can achieve its intended outcome (s)
b) Prevent, or reduce, undesired effects; and
c) achieve continual improvement
Synergy will plan to take actions to address these risks and opportunities and integrate and
implement the actions into its information security management system processes and evaluate
the effectiveness of these actions

6.1.2 Information security risk assessment

Synergy has defined and documented the Risk assessment methodology. Risk Assessment/Risk
review will be conducted at least annually once. Risk Assessment/Risk review will be done by BU
Heads/Project Heads/Department Heads in consultation with CISO. CISO is responsible to ensure
Risk Assessment/Risk review is done as per the defined periodicity and as per the documented
methodology.
The following points are addressed in the risk assessment procedure:

a) risk acceptance criteria and criteria for performing information security risk assessments
b) repeated information security risk assessments produce consistent, valid and comparable
results
c) identifies the information security risks and risk owners, identify the risks associated with
the loss of confidentiality, integrity and availability for information
d) analysis for the information security risks that includes:
 assess the potential consequences
 assess the realistic likelihood of the occurrence of the risks identified
 determine the levels of risk
e) evaluates the information security risks;
 compare the results of risk analysis with the risk criteria established
 prioritize the analysed risks for risk treatment
6.1.3 Information security risk treatment

Synergy has defined and applied risk treatment process and this process:
a) selected the appropriate information security risk treatment options, taking account of risk
assessment results
b) determined all controls that are necessary to implement the information security risk
treatment options
c) compared the controls determined in 6.1.3 b) above with Annex A and verify that no
necessary controls have been omitted
d) Created Statement of Applicability that contains the necessary controls and justification for
inclusions, whether they are implemented or not, and the justification for exclusions of
controls from Annex A
e) formulated an information security risk treatment plan
f) obtained risk owners approval of the information security risk treatment plan and
acceptance of the residual information security risks
Refer: ISMS_Man_044 (Risk Document) , ISMS_Man_041 and CRM Manual (ISMS_Man_48)
6.2 Information security objectives and planning to achieve them

Synergy has established and documented the information security objectives at relevant
functions and levels to measure the performance of Information Security Management System.
Refer: ISMS_Man_003

7.0 Support
7.1 Resources
Synergy has determined and provided the necessary resources needed for the establishment,
implementation, maintenance and continual improvement of the information security
management system
7.2 Competence
a) Synergy determined the necessary competence of employees doing work under its control
that affects its information security performance.
b) Synergy ensures that these employees are competent on the basis of appropriate education,
training, or experience
c) Where applicable, take actions to acquire the necessary competence and evaluate the
effectiveness of the actions taken
d) retain appropriate documented information as evidence of competence .
7.3 Awareness
Synergy provides trainings to all its employees regularly on information security management
system.
a) Training is managed by the training function, which coordinates the training needs and
maintains the records of all the training conducted.
b) Training courses and programs are conducted to meet the needs of all personnel in the
respective functions both at the entry stage and on a continual basis.
c) Training calendar maintained by HR manager is revised as and when new technology and
concepts are introduced, and is made available to all affected people.
d) ISMS concept and process awareness training is conducted to all the personnel’s in the
organization.
e) The HR manager maintains records of education, previous training and experience.
f) The HR manager maintains the training records for all internal and external training.
g) The training function based on a feedback sought from the participants evaluates the training
programs conducted internally and performs a feedback analysis. Based on this analysis,
corrective actions are identified and taken.
7.4 Communication
Synergy determines the need for internal and external communications relevant to information
security management system.
Internal communication regarding the ISMS flows two ways:
Management will communicate to the organization about the ISMS policy and objectives, set of
information security policies, procedures, customer’s legal and regulatory requirements,
contractual obligations etc.

The organization ISMS committee communicates about ISMS performance, the effectiveness of
the ISMS, customer feedback, and opportunities for improvement.
Information is communicated through:
 Paper or electronic documents, such as manuals, procedures, policies, isms records, reports,
etc.;
 E-mails, memos, and meetings;
 Training and awareness programs.
Each Operational heads have the overall responsibility for ensuring that all pertinent documents,
reports and records are distributed to appropriate departments and functions, and that information
and data about ISMS performance and the effectiveness of the ISMS are reported to the top
management through the CISO.
Refer: ISMS_Man_043 (Communication Matrix)
7.5 Documented information

7.5.1 General
Synergy has developed the ISMS documents such as ISMS Manuals, Policies, Procedures, and
Templates etc. in accordance with requirements of ISO 27001:2013 standard to ensure service
confirms to specified requirements.
7.5.2 Creating and updating

Synergy has established the documented procedure “Control of Documents Procedure” to
control the documents in the organization and to ensure appropriate:
a) Identification and description of documents (e.g. a title, date, author, or reference number);
b) Format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
c) Review and approval for suitability and adequacy.
Refer: Procedure for Control of Documents (ISMS_Man_036)
7.5.3 Control of documented information
Synergy has established the documented “Control of Record Procedure” to ensure:

a) It is available and suitable for use, where and when it is needed; and
b) It is adequately protected (e.g. from loss of confidentiality, improper use, or loss of
integrity).
For the control of documented information, Synergy will address the following activities, as
applicable:
c) Distribution, access, retrieval and use;
d) Storage and preservation, including the preservation of legibility;
e) Control of changes (e.g. version control); and
f) Retention and disposition.

Documented information of external origin, determined by the organization to be necessary for

the planning and operation of the information security management system, will be identified as
appropriate, and controlled.
Refer: ISMS Control of record (ISMS_Man_037)
8.0 Operation
8.1 Operational planning and control
Synergy will plan, implement and control the processes needed to meet information security
requirements, and to implement the actions determined in 6.1. Synergy will also implement plans
to achieve information security objectives determined in 6.2.
Synergy will keep documented information that the processes have been carried out as planned.
Synergy will control planned changes and review the consequences of unintended changes, taking
action to mitigate any adverse effects, as necessary as per change management procedure.
Synergy has not outsourced any processes.
8.2 Information security risk assessment

Synergy performs information security risk assessments at least annually once or when significant
changes are proposed or occur, taking account of the criteria established in 6.1.2 a) and maintains
the documented information security risk assessments procedure and reports as evidence.
Refer: Risk Assessment Methodology (ISMS_Man_041) & Risk Document (ISMS_Man_044) and CRM
Manual (ISMS_Man_48)
8.3 Information security risk treatment

Synergy will implements the information security risk treatment plan and maintains the Risk
Mitigation Plan as documented evidence.
Refer: Risk Document (ISMS_Man_044) and CRM Manual (ISMS_Man_48)
9.0 Performance evaluation

9.1 Monitoring, Measurement, Analysis and Evaluation
The Synergy is Monitoring, Measuring, Analysing and Evaluating the Information Security
Management System by conducting the below activities periodically.
SL.NO Activities Responsibilities Periodicity
1 Internal Audits CISO Half Yearly
2 Management Review Meeting CISO/ISSM Half Yearly

3 Customer/Client Feedback CISO/ISSM Quarterly
4 Customer/Client Audits CISO/ISSM Ongoing
5 Review of Security Incidents CISO/ISSM As and when

Security
Incidents
Occurs
6 Desktop and Laptop audits CISO/ISSM Half yearly
7 Business Continuity and Backup IT Half Yearly

Restoration Test
Synergy is Monitoring & Reviewing the Information Security Management System to execute the
following
a) To detect errors in the results of processing promptly
b) To identify failed and successful security breaches and incidents promptly
c) To enable management to determine whether the security activities delegated to people or
implemented by information technology are performing as expected
d) Determine the actions taken to resolve a breach of security reflecting business priorities.
e) To undertake regular reviews of the effectiveness of the ISMS (including meeting security
policy and objectives, and review of security controls) taking into account results of security
audits, incidents, suggestions and feedback from all interested Parties.
f) To Review the level of residual risk and acceptable risk, taking into account changes to the
organization; technology; business objectives and processes; identified threats; external
events, such as changes to the legal or regulatory environment and changes in social climate.
g) To conduct internal ISMS audits at planned intervals.
h) To undertake a management review of the ISMS on a regular basis to ensure that the scope
remains adequate and improvements in the ISMS process are identified.
9.2 Internal audit

Synergy will conduct internal audit every six month once as per the documented policy to provide
information on whether information security management system:
a) Conforms to
1) The organization’s own requirements for its information security management system; and
2) The requirements of this International Standard;
b) Is effectively implemented and maintained.
CISO will plan, establish, implement and maintain an audit program, including the frequency,
methods, and responsibilities, planning requirements and reporting. The audit programme(s) shall
take into consideration the importance of the processes concerned and the results of previous
audits;
CISO will define the audit criteria and scope of each audit. CISO will ensure that objectivity and
the impartiality of the audit process while selection of auditors and conduct audits.
CISO will ensure that the results of the audits are reported to relevant management; and retain
documented information as evidence of the audit programme(s) and the audit results.

Refer: Procedure for Internal Audit (ISMS_Man_039)
9.3 Management review

Management reviews the ISMS half yearly to ensure its continuing suitability, adequacy and
effectiveness. This review will include assessing opportunities for improvement and the need for
changes to the ISMS, including the security policy and objectives.
The results of the reviews will be clearly documented and records will be maintained.
The management review will include consideration of:

a) The status of actions from previous management reviews;
b) Changes in external and internal issues that are relevant to the information security
management system;
c) Feedback on the information security performance, including trends in:
1) Nonconformities and corrective actions;
2) Monitoring and measurement results;
3) Audit results; and
4) Fulfilment of information security objectives;
d) Feedback from interested parties;
e) Results of risk assessment and status of risk treatment plan; and
f) Opportunities for continual improvement.
The outputs of the management review will include decisions related to continual improvement
opportunities and any needs for changes to the information security management system.
Refer: Procedure for Management Review Meetings (ISMS_Man_040)
10.0 Improvement
10.1 Nonconformity and corrective action
Synergy will handle the Nonconformities and corrective actions, as per the documented
“Nonconformity and corrective action procedure.
Refer: Procedure for corrective action (ISMS_Man_038)
10.2 Continual improvement

To continually improve the suitability, adequacy and effectiveness of the information security
management system. Synergy shall evaluate and take necessary against below activities.
1) Result of Internal Audits
2) Result of External Audits

3) Management Review Meetings output

4) Results of Risk Assessment
5) Input from the Customers/Clients
6) Result of Corrective Actions and Incident Management
7) Result of Internal and External VAPT test
8) Result of Information Security Measurable Objectives
Annexure A
A.5 Information Security Policies

A.5.1 Management direction for information security
A.5.1.1 Policies for information security
The Synergy Information Security Policies document is prepared and approved by the management. The
document is classified as public and circulated to all employees and relevant external parties.
A.5.1.2 Review of the policies for information security
The Information Security Policies will be reviewed yearly once or if significant changes occur to ensure
their continuing suitability, adequacy and effectiveness.
A.6 Organization of Information security

Synergy management as a part of ISMS initiative shall be proactively establishing security within
organization with clear direction; shall demonstrate commitment, explicit assignment on the roles and
responsibilities and review mechanism to measure the effectiveness of ISMS.
A.6.1 Internal Organization

Refer: ISMS roles, responsibility and Authority , Business continuity / Disaster Recovery Plan and CRM
Manual (ISMS_Man_48)
A.6.1.1 Information security roles and responsibilities
All information security responsibilities are defined and allocated.
A.6.1.2 Segregation of duties
Duties have been segregated to eliminate negligent or deliberate system misuse. IT team members are
cross-trained so that expertise / access for a certain system do not lie with a single employee. Critical
servers / applications logs shall be independently verified for security breaches & hardware / software
alerts.
A.6.1.3 Contact with authorities
Synergy uses the services of law enforcement authorities to protect its assets from natural and unnatural
calamities. List of contacts of law enforcement authorities is available with IT department and Synergy
physical security team would also co-ordinate with these authorities in emergencies.

Regular fire drill exercises shall be carried out, which would be conducted by the designated fire experts
hired by the owners of the building.
All communication to external authorities shall be approved by CISO and shall designate point of contact
for defined activities or target authorities.
A.6.1.4 Contact with special interest groups
Synergy encourages its employees to be part of special security forums and professional associations to
keep abreast with the latest security breaches, threats and technology developments, which would
improve knowledge about the best practices ensuring the learning’s are inculcated in their function and
workplace. It has been made mandatory that no information internal to the organization shall be
exchanged in these forums. Employees will inform the CISO of their membership to such groups and
have to get approval for disclosing any non public information to such forum or group.
A.6.1.5 Information security in project management
Information security will be addressed in all the projects which are handled by the Synergy. Project
heads will review information security during the project initiation and project heads are responsible to
address the information security requirements in the part of project plan.
A.6.2 Mobile devices and Teleworking

Refer: Mobile computing Policy and Teleworking Policy
A.6.2.1 Mobile device policy
Users shall take care while using mobile computing facilities in public places, meeting rooms and other
unprotected areas outside the organization’s premises as per the mobile computing Policy. When used
in public places, care shall be taken to avoid the risk of overlooking by unauthorized persons. Unattended
mobile computing devices shall be physically secured by means of lock in a desk drawer or filing cabinet,
or attached to a desk or cabinet via a cable lock system. Users shall carry the mobile computing devices
as hand baggage during travel. All mobile computing devices are insured.
A.6.2.2 Teleworking
Synergy shall allow tele-working on specific request and approval by respective reporting manager to
specific services like E-Mail, Intranet Server and not the entire network when not on local network. Alos
Synergy has established and implemented the Teleworking policy.
A.7 Human Resource Security

Refer: HR Policies (HR department)
A.7.1 Prior to employment

Synergy prior to employment runs the new joinee through security policy guidelines to sensitize on the
understanding of the security aspects and also the risk arising out of human errors, theft, fraud and
misuse of IT facilities. Synergy has made it necessary to ensure that their users are aware of information
security threats and weaknesses, and are equipped to support Synergy Security Policy during the course
of their normal work.

A.7.1.1 Screening
Background verification and screening shall be conducted as per the company HR guidelines; however,
it shall include verifying certificates, relieving letter, experience proof, Address proof, contact numbers,
email confirmation especially on experience & conduct from previous employer.
(Ref: HR Operations - Process Guideline)
A.7.1.2 Terms and conditions of employment
While defining the terms and conditions of employment/ job contract, HR Manager, ISSM and CISO shall
ensure that employee/third party agree and sign the offer letter / terms and conditions of the
employment contract, stating clearly their responsibilities for Information security of Synergy.
A.7.2 During Employment

Synergy shall ensure that all employees, contractors and third party users are aware of security threats
and concerns and shall be equipped to support Synergy security policy thereby minimizing the chances
of human error.
A.7.2.1 Management Responsibilities

ISSM / CISO shall ensure that employees, contractors and third party users are applying security in their
day-to-day operations in accordance with established Security policies and procedures of Synergy. All
shall be briefed on information security roles and responsibilities prior to granting access to information
and information processing facilities. All shall be made to understand the seriousness of security concerns
through training and awareness programs conducted every quarter.
A.7.2.2 Information Security awareness, education and training
Security briefings shall be given to new staff (Employee, Third party) who shall be provided access to
IT systems, information and assets. These briefings should become part of the induction program of a
new employee.
The briefing shall include:
 The access requirements of their position.
 Their responsibilities for safeguarding sensitive information and assets.
 Relevant sections of legislation applicable to their position.
 IT security policy, rules and regulations.
 Procedures for reporting security breaches, violations and concerns
ISSM will conduct regular security awareness sessions (Video, Seminars etc.) as well as trainings users
as relevant to the job functions.
A.7.2.3 Disciplinary Process
A formal disciplinary process is put in place to deal with employees who have allegedly violated
company security policies and procedures. A disciplinary procedure is formulated and followed.
(Ref: Disciplinary Process)
A.7.3 Termination and change of employment

Synergy shall take necessary steps to ensure that its employees, contractors and third party users
exit/change their employment/role in an orderly manner so that the organizational interests are not
affected.

A.7.3.1 Termination Responsibilities
Synergy shall invoke termination process based on the HR Policy.
A.8 Asset Management

Refer: Asset Management Policy, Asset Disposal Process , Information classification Policy , IT Asset
Procurement and Deployment and CRM Manual (ISMS_Man_48)
A.8.1 Responsibility for assets

Synergy has clearly defined asset owners who shall classify and ensure the level of protection for its
organizational assets as per RTP and maintain it.
A.8.1.1 Inventory of assets
Synergy inventory is maintained for each hardware, software, personnel, People and informational asset.
Every asset is labeled as per approved naming / labeling scheme.
Inventory Audit
Inventory Audits for IT assets shall be conducted by IT team every six months.
A.8.1.2 Ownership of asset
ISSM is the sole designated owner of the current assets in the organization with User & Custodian roles
well defined by Synergy. Currently it is ISSM the owner of the assets of the organization and outsourced
partner is the custodian of the IT of Synergy.
A.8.1.3 Acceptable use of assets
ISSM have defined policies [internet usage, email policy, guidelines for mobile devices] for acceptable
use of information and asset issued to user. The acceptable use criteria shall be reviewed and
communicated including identification of new risks with implemented controls as per mitigation plan.
A.8.1.4 Return of assets
HR to ensure that staff (Employee, Third Party) returns all assets (badges, Secure ID, keys, documents,
etc.) issued to them.
Refer: Exit Form
A.8.2 Information classification

A.8.2.1 Classification of information
Naming nomenclature is used for each information asset. Information asset will bear the label with Asset
name as per defined Asset naming Scheme. Asset name is used for Asset tracking purpose.
The purpose of asset classification is to help identify the assets of Synergy and their importance for
business continuity. It also helps Synergy in the creation, classification, storage, movement, handling,
reproduction, transmission, disposal and management rights of information.
A.8.2.2 labelling of Information
All information (whether it is Synergy owned or client owned) shall be labeled as per the Classification
of Assets Procedure.

A.8.2.3 Handling of assets
Synergy has established the Classification of Assets Procedure in the organization to handle the assets
in accordance with information classification schema.
Output from systems containing classified information shall have classification label. The labeling shall
reflect classification according to the rules established as per classification procedure defined by Synergy.
The items for classification includes printed reports, screen displays, recorded media (e.g. – tapes, cd,
DVD), electronic messages and file transfers. Information stored on computer media, systems (Servers,
Workstations, and Laptops), Mail Systems, or printed shall be stored and handled in accordance with
Security guidelines. Printed non-public information shall be locked or be under vigilance of ISSM. In
Synergy, all non-public information shall be password protected (authentication guideline), encrypted,
locked, or handled by ISSM based on sensitivity and value.
Postal & Electronic Mailing - Company Restricted printed information sent through internal mail, private
mail, or by courier should be sent by trusted liasoned courier or registered mail. Methods of mailing that
do not allow tracking are discouraged.
A.8.3 Media handling

To avoid interruptions to the business activities of Synergy, its media shall be controlled and physically
protected. This is necessary to prevent unauthorized and unintended disclosure, modification, removal
or destruction of assets. Appropriate procedures shall be established to protect paper documents and
computer media from damage, theft, unauthorized access and misinterpretation
A.8.3.1 Management of removable media
At Synergy all information shall be stored on enterprise server environment, which are protected against
any hardware malfunction / failure.
As a policy Synergy shall not encourage any data restoration/recovery from any hardware
malfunction/failure of user workstation hard disk. Hard disk which is found faulty shall be identified &
verified by the IT team for physical recovery (repair). If the physical recovery is not possible, then the
hard disk shall be destroyed and disposed.
Synergy has established the Media Handling Procedure to handle the media securely.
A.8.3.2 Disposal of media
All media shall be disposed as per Media Handling Procedure
A.8.3.3 Physical media transfer
Media containing information shall be protected against unauthorized access, misuse or corruption
during transportation.
Below mentioned measures shall be considered while media transportation.
 Reliable mode of transport / courier should be used
 The media should be packed sufficient enough to protect from physical damage or
from environmental factors
 Measures such as delivery by hand, splitting of the consignment etc. should be
followed and recorded.

A.9 Access control

Refer: Customer Data & Information Handling Policy, Firewall policy, Antivirus Policy, Internet access
and security Policy, Internet Usage Policy, Logical Access control Policy, Password Management Policy,
Social Media Usage Policy, Tele working Policies , Third Party Security Policy.
A.9.1 Business requirements of access control

A.9.1.1 Access control policy
Synergy has established access control policy and Access Control Procedure in the organization. Any
access to sensitive information shall be based on “need to know” principle. Any access granted shall be
based on the business requirements and necessity for the job to be carried out.
A.9.1.2 Access to networks and network services
Access to networks and network services is restricted based on the business requirements and handled
in accordance with Access Control Policy and Access Control Procedure.
A.9.2 User Access Management

A.9.2.1 User registration and de-registration
Human Resources Department shall forward information regarding all new employees to ISSM who in
turn coordinates with IT team. IT team after getting approvals from ISSM assigns unique ids and default
passwords to the new users with access privileges. Users are provided with the capability to change their
password on the login interface (after authentication). New users shall be acquainted with the Synergy
organisational Security policy and access procedures and violation of any shall be taken seriously. Access
privileges of users leaving the organizations shall be revoked as soon as Human Resources Department
informs IT team.
A.9.2.2 User access provisioning
Synergy has established formal User Access Control Policy and Access control procedure to assign or
revoke access rights for all users
A.9.2.3 Management of privileged access rights
The privilege allocation is only on need to know basis and shall be reviewed & documented bi- annually.
All the privileged user passwords for Operating Systems, Databases, Applications, Network Equipment
like routers, switches etc., are sealed in an envelope and kept in custody of CISO.
A.9.2.4 Management of secret authentication information of users
The allocation of secret authentication information is handled in accordance with Password Policy and
User Password Management Procedure.
A.9.2.5 Review of user access rights
An initial password is provided to the users & the system configured to force the users to change the
initial password immediately after the first logon. Review of Users Access Rights Privileged user accounts
/ application access rights are reviewed half yearly. Application/Data owner would be responsible for
any change in access to the application/data for a user and the same change shall be communicated to
the IT team for facilitating the access control change.

Access to data, programs, and applications shall be immediately removed for employees who are
transferred from the business unit for project needs.
A.9.2.6 Removal or adjustment of access rights
The access rights of all employees and external parties to information and information processing
facilities will be removed upon termination of their employment, contract or agreement or adjusted upon
change. Dept / project heads are responsible to ensure removal or adjustment of access rights upon
termination of their employment, contract or agreement or adjusted upon change.
A.9.3 User responsibilities

A.9.3.1 Use of secret authentication information
Synergy has established the Password Policy and User Password Management Procedure across the
organization to use and handle the secret authentication information.
A.9.4 System and application access control

A.9.4.1 Information access restriction
Access to information and application system functions shall be restricted as per the Access Control
Policy.
A.9.4.2 Secure log-on procedures
IT Team will ensure that,

 The system shall be setup such that every person using the system has to logon using a
unique user id and password.
 The system shall be configured not to display any help messages or error messages
before the logon procedure is complete.
 Last logon username and time shall not be displayed.
 No. of logon attempts shall be limited as per procedures defined by Synergy.
 User logon time shall be regulated wherever possible.
 All users logging on to Synergy systems shall see an authorized access-warning message
before logging on to the system.
A.9.4.3 Password management system
Synergy will ensure Password management system will be interactive and quality password and also
adopted, that meets most of the following requirements
 Easy user management.
 Safe and secure storage of passwords.
 Encrypted password / key exchange during authentication process.
 Auditable.
 Automatic change of passwords.
 Password policy enforcement.
A.9.4.4 Use of privileged utility Programs
The use of utility program that might be capable of overriding system and application control is
restricted and tightly controlled.

Access to the operating system commands and system utilities will be restricted to authorized personnel
for system administration and management functions. The use of these utilities will be strictly controlled.
Redundant system utilities and software, including compiler programs, must be removed.
Latest service packs and patches will be applied after adequate testing to prevent the exploitation of
the known vulnerabilities of the system utilities.
A.9.4.5 Access control to program source code
Access to program source of operational systems will be controlled and is restricted to Applications and
Service Delivery Manager to prevent any corruption of the application programs. The Synergy will use
configuration management process and identify program librarians to maintain source libraries of
operational application systems in configuration management database. All updates or issue of program
sources to developers will be carried out through an authorized request. Configuration management
database will maintain the version control of all the programs and strict change control procedures will
be followed for any modifications to the program source library.
A.10 Cryptography
Refer: Cryptographic control Policy
A.10.1 Cryptographic controls

A.10.1.1 Policy on the use of cryptographic controls
Cryptographic controls for protection of information is developed and implemented. This will be managed
as per the Cryptography Policy
A.10.1.2 Key management
Default cryptographic controls are used for Synergy operations.
A.11 Physical and environmental security

Refer: Clean Desk Policy and Physical and Environment Security Policy. and CRM Manual (ISMS_Man_48)
A.11.1 Secure areas

A.11.1.1 Physical security perimeter
IT team & Admin team shall ensure that the Server Room and Information Assets are protected against
unauthorized physical access, damage, and interference.
Based on the security requirement of the assets and risk assessment, the security perimeters have been
defined and shall be reviewed from time to time. All entry and exit points of Synergy have been protected
with access cards and physical security.
A.11.1.2 Physical entry controls
Synergy premises are protected by access cards to ensure that only authorized personnel are allowed
access.

A.11.1.3 Securing offices, rooms and facilities
Arrangement has been made to house Project/Program Teams handling sensitive projects/Programs for
clients, in separate secure areas. Access to such areas has been limited to authorized personnel only.
A.11.1.4 Protecting against external and environmental threats
Physical protection against damage from physical protection against natural disasters, malicious attack or
accidents shall be designed and. The following guidelines will be considered to avoid damage from fire,
flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster:
 Hazardous or combustible materials will be stored at a safe distance from a secure area.
 Bulk supplies such as stationery will not be stored within the secure area.
 Fallback equipment and back-up media will be sited at a safe distance to avoid damage
from a disaster affecting the main site.
 Appropriate fire fighting equipment will be provided and suitably placed.
 Synergy Security Personnel will undertake vigil rounds in periodical intervals and mark their
findings within the office premises.
A.11.1.5 Working in secure areas
Personnel will only be made aware of the existence of activities within, a secure area on a need to know
basis. Unsupervised working in secure areas should be avoided both for safety reasons and to prevent
opportunities for malicious activities. Vacant secure areas will be physically locked and periodically
checked. Photography, video, audio and other recording equipment shall not be used in secure areas
unless authorized by Management. The service providers / third parties working in secure areas shall
always be escorted and monitored.
A.11.1.6 Public access, delivery and loading areas
All new equipment landing at the premises shall be redirected to a secure isolated room till installation.
This room shall be properly secured by lock and key and protected against environmental hazards like
sun and rain. The equipments shall be unpacked and checked for the condition of the equipments. The
IT & ISSM shall check the equipments and make note of the equipment details and quantity. An inward
entry shall be made in the register.
A.11.2 Equipment security

A.11.2.1 Equipment siting and protection
The servers and network devices are kept in the secure zone. All the critical servers and equipments are
placed in rack environment so that it is not easy to remove any information facilities. Moreover card
controlled gate is implemented for data center. Access is provided to data center only for authorized
users. Alarms and other precautions are in place. Proper lightning conductors are in place in the building.
The environmental condition of the secure zone is controlled. Suitable modular UPS is deployed to feed
power to the critical equipments.
A.11.2.2 Supporting utilities
IT Team shall ensure the following to protect equipments from failures or disruptions:
Redundant sources of power supply in case of power failure. IT Team and Admin team shall plan,
evaluate and make arrangements for deploying power filters and uninterrupted power supply systems
across the organization to reduce risks of equipment damage because of electric fluctuation or outage.
IT team shall ensure that uninterrupted power supply system is installed to supply power to all critical

equipment in the server room. Emergency lighting shall be readily available in case of main power
failure.
Backup telecom links wherever necessary and shall be responsible for maintenance, up-gradation
and monitoring of the same. All power and telecommunication equipments are kept in securely in
enclosed areas under lock and key. Security personnel shall also monitor these areas.
Air-conditioning shall be maintained for housed equipments to ensure the smooth cooling and
functioning less than 19-23 degree centigrade with humidity levels maintained around 35 % – 50 %.
Fire protection - All important places are fitted with fire alarms and heat sensors. Fire extinguishers
are kept at appropriate locations. Fire exits are provided. Fire drill shall be conducted regularly to check
the functionality of fire equipment. User awareness training is provided to all Synergy employees.
Cabinets & Racks - All critical equipment in the server room are installed in racks or cabinets. These
cabinets shall be equipped with power strips, monitor, keyboard & mouse switch. The cabinets chosen
shall have ventilation to ensure the dissipation of the heat generated from the components within the
rack.
A.11.2.3 Cabling security
All electric and telecom cables are being laid underground through internal Conduits. Power and Data
cables have been segregated and run through separate conduits.
A.11.2.4 Equipment maintenance
All equipments come with 1/2/3 warranty based on the type of component to take care of preventive
maintenance, replacement and repair during warranty period of the equipment. IT Team shall
recommend preventive service maintenance schedules for all sensitive equipment and ISSM shall
oversee this activity. At the same time IT Team shall ensure that
 Ensure service schedules are adhered to.
 Only Authorized Maintenance Staff shall have access to sensitive equipment for preventive
maintenance, replacement or repair purpose.
 Fault Logs and Maintenance Reports are up-to-date for all servers and critical network and
power conditioning equipment.
 Synergy equipments that are not in use or standby equipments are kept safely in the
storeroom. This room is secured using lock and key.
A. 11.2.5 Removal of assets
Equipments carrying information and software cannot be taken off-site without the written approval
from CISO / ISSM.
Refer: Gate pass
A.11.2.6 Security of equipment and assets off-premises
The use of any information processing equipment outside the Synergy premises shall be authorized by
CISO. In the eventuality of misuse, the equipments shall be password protected, which shall not allow
access to it. Security checks shall be put while taking out the equipment and it shall be allowed, if
required only after the approval of CISO / ISSM. Financial risk can be handled through Insurance and
interruption to work can be minimized by maintaining backup of information.
A.11.2.7 Secure disposal or re-use of equipment
Before disposing off, all information and software programs shall be removed from existing equipment.
All such equipment shall be removed only after necessary approval from CISO / ISSM

The disposal methods should be applicable as per the security classification of the asset or the
information; Mechanisms for disposal shall be –
 Crush the equipment.
 In case of outdated equipment - the data shall be destroyed/sanitized and the hard disk
is degaussed/zero filled and given to staff or charitable organizations.
A.11.2.8 Unattended user equipment
Users shall be responsible for safeguarding key data by ensuring that desktop machines are not left
logged-on when unattended, by providing password protected screen-savers and by logging out or
locking the desktop.
Terminal sessions to any network devices / applications shall be terminated after 5 minutes of inactivity.
Terminal sessions to workstations/servers shall be terminated after 5 minutes of inactivity.
A.11.2.9 Clear desk and clear screen policy
As per this policy no unattended documents or papers should be lying near user workspace. The users
shall shred any such document that is not of any use. Housekeeping shall shred any unattended papers
lying in work area or printer area. Staff shall be required to store any secure or sensitive information in
a secure storage if it is left unattended for more than an hour. All documents shall be kept in a secure
storage provided to the users and key shall not be left unattended in or near the secure storage device.
All systems shall have password-protected screensavers activating after 5 minutes of non-use.
A. 12 Operations security
Refer: Function specific SOP’s, change Management Policy, Capacity Management Policy, Antivirus
Policy, Backup & Restoration Policy, Application Security Policy, Logical Access control Policy , Log and
Audit Trail Policy and CRM Manual (ISMS_Man_48)
A.12.1 Operational procedures and responsibilities

A.12.1.1 Documented operating procedures
Operating Procedures are documented, maintained and made available to users.
A.12.1.2 Change management
Changes to organisation, business processes and information processing facilities and systems
shall be done in controlled manner. Changes to the operational systems should only be made when
there are adequate business reasons to do so. All changes to equipment, software, application or
procedures shall be done formally by following the Change Management Procedure.
This will be applicable to critical systems and information processing facilities, and would include but not
limited to:
 Changes to hardware and software configurations.
 Changes to operating systems and operating system configurations.
 Changes to application software programs and application or database software
configurations.
 Changes to network and communication device configurations; and
 Changes to configuration of physical access and environmental control devices.
 Changes to Synergy processes, ISMS policies and procedures.

Refer: Change Management Policy (ISMS_Man_017)
A.12.1.3 Capacity management
With the demands of business growth, Synergy shall strategize capacity planning to ensure availability
of the resources with least disruption keeping in consideration the increasing volumes of data, no of
users, network traffic, etc. CISO / ISSM shall plan along with IT Head, the future projections and
enhancements based on the business growth forecasts. CISO along with ISSM shall plan procurement
and deployment strategies based on the growth plans for information processing facilities of Synergy.
Necessary testing shall be undertaken and product suitability reports shall be prepared before final
procurement and deployment of new hardware /software would be done. These reports shall be shared
with the Top Management.
A.12.1.4 Separation of development, test and operational environments
Development, test and operational environments are separated to reduce the risks of unauthorized
access or changes to the operational environment.
A.12.2 Protection from malware

12.2.1 Controls against malware
Synergy will ensure that information and information processing facilities are protected against malware.
Users are required to comply with software licenses and prohibiting use of unauthorized software,
obtaining software files from external sources.
Servers/applications hosting environments shall be reviewed to identify unapproved or unauthorized
files. Files received from an unknown or distrusted source are checked for virus before use. Electronic
mail attachments and file downloads from internet shall be scanned using an approved antivirus
software. Virus detection and prevention measures and appropriate user awareness procedures are
implemented to contain the virus in the network. Protection shall be based on awareness, change
management and system access controls. There are established Business continuity plans and
arrangements for recovering from virus attacks.
A.12.3 Backup
A.12.3.1 Information backup
Backup of the organization’s data files and software shall be made available following a disaster or media
failure. The backup of the information and software shall be carried out based on the documented
Backup policy of Synergy. The archiving of data shall meet the legal and regulatory requirements.
Refer: Backup and Restoration Policy (ISMS_Man_009)
A.12.4 Logging and monitoring

A.12.4.1 Event logging
All servers and systems shall be configured to log activities. All security-related events on critical or
sensitive systems must be logged and audit trails saved as follows:

 All security related logs will be kept online for a minimum of 1 week.
 Daily incremental tape backups will be retained for at least 1 month.
 Weekly full tape backups of logs will be retained for at least 1 month.
 Monthly full backups will be retained for a minimum of 3 months.
 Yearly full backup will be retained for a minimum of 1 year
 System logs shall be preserved for a period of 3 months and shall be available for
reference on site for checking of the logs in case of review.
Security-related events will be reported to Security team, who will review logs and report incidents to IT
management. Corrective measures shall be prescribed as needed. Security-related events include, but
are not limited to:
 Evidence of unauthorized access to privileged accounts
 Anomalous occurrences that are not related to specific applications on the host.
 Changes to system configuration
 Auditing of events on critical Windows systems such as successful logons, unsuccessful
logons
 Privilege modifications
A.12.4.2 Protection of log information
Access to log information shall be restricted to administrators only and shall be protected against
tampering and unauthorized access. System logs shall not have provisions for editing. Access to the
system log shall require privileged access and shall be protected by password control.
A.12.4.3 Administrator and operator logs
Operations performed on the server /applications shall be logged for reference. Enterprise servers /
applications shall be monitored for availability and performance. Discrepancies in the server / application
performance / errors shall be rectified and logged for analysis and corrective action. Logs shall be
independently verified for security breaches & hardware / software alerts. CISO shall be reviewed these
logs periodically.
A.12.4.4 Clock synchronization
Synergy shall synchronize all servers and network devices with a Timeserver. This Time server is
configured to sync with internationally used Timeservers. This helps to validate all logs and events with
accurate time stamps.
A.12.5 Control of operational software

A.12.5.1 Installation of software on operational systems
Procedures are in place to control the installation of software on operational systems and any upgrades
shall be take into account the business requirements for the change and the security of the release and
install.
A.12.6 Technical vulnerability management

A.12.6.1 Management of technical vulnerabilities
IT team to implement an effective technical vulnerability management in order to minimise risks resulting
from exploitation of published technical vulnerabilities.

IT team to ensure that timely information about technical vulnerabilities of information systems being
used is obtained and organization’s exposure to such vulnerabilities evaluated and relevant measures
taken to mitigate the associated risks, which could include risk assessment, patching, asset tracking and
reconnaissance of the organisation. Half yearly audit of the technical vulnerabilities shall keep Synergy
abreast of the security breaches and published technical vulnerabilities.
A.12.6.2 Restrictions on software Installation
Synergy- has restricted users to install any software on operating system. Only authorized users shall
install licensed software. IT Team shall maintain the software inventory.
A.12.7 Information systems audit considerations

A.12.7.1 Information systems audit controls
Audit of operational system shall be planned by the ISSM and authorized by the CISO. ISSM must assess
the risks from the proposed audit on operational system and advise on necessary risk mitigating steps.
A.13 Communications security

Refer: E-Mail Security Policy, Firewall Security Policy, Internet Access and security Policy, Internet Usage
Policy, Network and Telecommunication Policy , Tele working Policy and CRM Manual (ISMS_Man_48)
A.13.1 Network security management

A.13.1.1 Network controls
IT team shall install network management software to monitor systems or distribute software to client
systems or automate any other aspect of network management. Access to information available through
the Synergy network systems must be strictly controlled in accordance with approved access control
criteria, which is to be maintained and updated regularly.
The network shall have been designed to deliver high performance and reliability to meet the needs of
the business whilst providing a high degree of access control and a range of privilege restrictions.
Suitably qualified staff shall manage the Synergy network, and preserve its integrity in collaboration with
the nominated individual system owners. Networks administration team shall take care install structured
cabling system for both data and voice and shall comply with industry standard.
All Workstations shall be configured for a unique identity before connecting to the Local Area Network.
Access to the LAN is provided as per the Access Control Policy. The WAN links and routers shall be
managed and monitored by corporate approved vendor. Internet traffic shall flow only through the
content filtering tool. Authorized traffic from the firewall is defined on the content filtering security policy
is allowed to pass. The default firewall policies shall be configured to implicitly deny all traffic. Firewall
screens packets use stateful inspection methodology. The IDS extends the security capabilities of
firewalls by providing real time scanning of incoming and outgoing network traffic. Clocks of information
systems shall synchronized for accurate recording of instances.

A.13.1.2 Security of network services
Synergy uses a combination of Firewalls and Intrusion Detection tools to safeguard and monitor its
information assets. All points of entries to the Internet are protected by Firewall. The firewall is
configured with three levels of security.
 Low security: External
 Middle level security: DMZ (Future use)
 High security: Internal
All servers are located in the High security area. The firewall is also used to provide the client with a
single NAT address. Intrusion detection systems are configured to check for untoward activities. These
activities are logged and appropriate actions are taken. All Internet accesses are monitored and
controlled using URL monitoring and filtering software’s. All incoming Emails are scanned for viruses and
attachments on the email gateway. These events are logged.
Routers are configured with access lists and login is provided based on the IP address. Terminal time
outs are configured on all routers. All events are logged on the centralized log server.
A.13.1.3 Segregation in networks
Currently Synergy architecture setup is facilitated in true concept of the network segregation. VLANs are
configured on the local LAN for Security, better performance, availability and for logical segregation.
ACLs shall be defined to ensure the authorised personnel access the informational resources.
A.13.2 Information transfer

A.13.2.1 Information transfer policies and procedures
All computer hardware, software and any data storage medium (for example, hard drives, floppy disks, CD-
ROM, videotape, cassette tape, USB etc.) and all other modes of electronic communication including the
voice mail system in Synergy are the property of the Synergy.
Synergy has a legitimate business interest in the proper utilization of its property. Therefore any use of
Synergy property, and any communication sent or received via electronic mail, the Internet, the intranet,
voice mail or otherwise, may be monitored or reviewed by persons authorized by the Company, at any
time with or without notice to employees.
Access passwords shall provide certain degree of security, however it does not guarantee complete
privacy and passwords are strictly confidential to avoid misuse of Login Ids.
Information and software shall be exchanged electronically via e-mail, external links to clients & business
associates, information networks and Internet as per the email and communication policy established
by Synergy.
E-mail, voice mail, computer files or any other communication means shall not be used to send personal
information, including any obscene information or discuss private matters about anyone, including the
self. Any defamatory, insulting or derogatory remark about any person or group of persons via any of
these communication channels shall be considered as prohibited. Any employee found, who violates this
policy shall be subjected to disciplinary action, including termination.
A.13.2.2 Agreements on information transfer
Information transfer will be addressed in the customer contracts/agreements to secure transfer of

business information and software between the organization and external parties.

Business information of the Synergy will be exchanged with outside organizations as per appropriate
security clauses in the formal agreements/ contracts. The relevant information asset owners will be
responsible for ensuring that such information assets are exchanged only after signing appropriate
agreements.
A.13.2.3 Electronic messaging
Electronic Messaging Device (EMD) includes Personal computers, electronic mail systems, voice mail
systems, electronic bulletin boards, Internet services, mobile data/digital terminals, and facsimile
transmissions.
 EMD's are designed and intended for conducting business of Synergy and are restricted to
that purpose.
 Transmission of electronic messages and information on communications media shall be
treated with the same degree of propriety and professionalism as official written
correspondence.
 Synergy encourages authorized and trained personnel with access to EMD's to utilize these
devices whenever appropriate. However, use of any of these devices is a privilege that is
subject to revocation based on breaches of this policy.
 Employees are advised that they do not maintain any right to privacy in EMD equipment or
its contents. Synergy reserves the right to access any information contained on EMD's and
may require employees to provide passwords to files that have been encrypted or password
protected.
 Personally owned EMD's that are used by on-duty employees must be approved by CISO.
If used on-duty and the EMD are connected to any Synergy network, the personally owned
device is subject to the same restrictions and guidelines.
 Confidential, proprietary or sensitive information may be disseminated only to individuals
with a need and a right to know and when there is sufficient assurance that appropriate
security of such information will be maintained.
 No employee shall access any file or database unless they have a need and a right to such
information. Additionally, personal identification and access codes shall not be revealed to
any unauthorized source.
 Unless authorized by the ISSM, employees shall not install any file, software, or other
materials without System Administrator approval.
 Employees shall not download any executable file, software or other materials from the
Internet or other external sources other without ISSM approval. If any employee is
uncertain whether or not a file is executable, they should contact the ISSM team for
guidance.
 The size of file which can be attached to the email is restricted to 10MB.
 Employees shall observe the copyright and licensing restrictions of all software applications
and shall not copy software from internal or external sources unless legally authorized.
 Employees shall observe copyright restrictions of any documents sent through or stored on
electronic mail
A.13.2.4 Confidentiality or nondisclosure agreements
Confidentiality or non-disclosure agreements reflecting the Synergy’s needs for the protection of
information will be identified, documented and regularly reviewed at least once in a year.

The Business Heads will ensure that appropriate Confidentiality and Non Disclosure Agreement is signed
and understood by the users before allowing access to the Synergy IT Infrastructure.
A.14 System acquisition, development and maintenance

Refer: Application security Policy, Network and Tele communication security Policy, and third party
Security Policy.
A.14.1 Security requirements of information systems

A.14.1.1 Information Security requirements analysis and specification
This control will be applicable to only those Synergy locations which use packed business applications.
Business requirements prepared for (1) developing new systems/ services; (2) carrying out
enhancements to systems/ services; (3) purchasing new software/ hardware/ service; and deployment
of new information technology initiatives will include requirements from a security control perspective.
Risk assessment will be performed to identify the desired security controls to be included in the security
requirements of systems to be deployed. The security control specifications will be analyzed during the
design stage, in the case of development or enhancement to application systems, and in the pre-
purchasing stage, when a product or contract is being evaluated so that they are incorporated in the
systems while they are being built/ purchased/ leased.
All new application system will be formally reviewed for compliance with security policy and verified by
Applications and Service Delivery Manager and approved by Management before being deployed in the
production environment.
The Development, Testing and Operations & Maintenance teams will be trained on security aspects of
application development and maintenance activities.
A.14.1.2 Securing application services on public networks
Information involved in application services passing public any network/ internet is protected from
fraudulent activity, contract dispute and unauthorized disclosure and modification.
Secure services such as https, SSH, SFTP and VPN etc. is used to access information over any public
network/internet. Access to application and data is handled as per the User Access Control Policy.
Currently ftp service and PMS application are accessible over the public network.
A.14.1.3 Protecting application services transactions
Information involved in application services transaction will be protected to prevent incomplete

transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized
message duplication or replay.
Synergy has hosted PMS application to update the employee time sheet tracker. However any
confidential information passing through this application.
A.14.2 Security in development and support processes

A.14.2.7 Outsourced development
To control the out sourced software development activity as per Synergy requirement. This is
implemented by means of contracts as and when required.

Refer: Vendor Management Policy
A.14.3 Test data

A. 14.3.1 Protection of test data
Test data used for testing purpose is selected carefully, protected and controlled.
Production data is not used for the testing purpose. Once testing is done test data will be removed
from the testing environment.
A.15 Supplier relationships

Refer: Vendor management policy, third party security Policy and Physical Access & Environment
Security Policy.
A.15.1 Information security in supplier relationships

A.15.1.1 Information security policy for supplier relationships
Third party/supplier security policy is established and documented to capture information security
requirements to mitigate the risks associated with third party/suppliers access to the organization assets.
A.15.1.2 Addressing security within supplier agreements
A formal contract document with all necessary security controls shall be entered with the Third Party
and outsourced service provider.
 Synergy as an organization has signed SLAs and Service agreements with all outsourced
party / Service vendors, with whom Synergy work and have liasoned.
 Non-disclosure agreements have been signed up with third parties, preventing them from
revealing any information learned about Synergy assets, technology architecture or
operational methodology with specific stress on their information security responsibilities and
issues including the indemnification for copying and disclosing information.
 Liabilities of either party in relation to the contract are mentioned in all contracts and all
contracts have been ratified by the legal department for completeness of legal clauses and
compliance.
A.15.1.3 Information and communication technology supply chain
Synergy will address the information security risks associated with information and communications
technology services and product supply chain in supplier agreements.
A.15.2 Supplier service delivery management

A.15.2.1 Monitoring and review of supplier services
Third party services shall be governed through service level agreements and service levels shall be
monitored on a quarterly basis and penalty clauses invoked as appropriate. The uptime terms as per the
agreed SLA shall define the action thereof. Synergy shall review the contingency plans and test the
procedures to ensure the uptime is guaranteed and competitive strategic advantage is maintained.

A.15.2.2 Managing changes to supplier services
Any changes implemented and incorporated by Synergy in security policies and procedures, new controls
to enhance the protection levels to minimize the security incidents including reassessment of risks,
deployment of new technologies and network enhancements, etc. shall be communicated and shall be
agreed by 3rd party and the service level agreements amended accordingly.
A.16 Information security incident management

Refer: ISMS Roles, Responsibility and Authority, Incident Management Policy , Incident Response Plan
and CRM Manual (ISMS_Man_48)
A.16.1 Management of information security incidents and improvements

A.16.1.1 Responsibilities and Procedures
Incident Management Procedure is established in the organization to ensure a quick, effective and
orderly response to information security incidents.
A.16.1.2 Reporting information security events
Any security incidents coming to the notice of Synergy employees has to be reported to
 IT Helpdesk
 Information security Manager/Officer
 CISO
by the following modes of communication
 Email to IT helpdesk
 Orally in person or phone to ISSM/ISSO/CISO
 SRP Ticketing System
The person receiving the information shall fill the incident report form and forward to ISSM/ISSO for
necessary action. The ISSM/ISSO must notify the same to the CISO and corrective action must be
initiated with the help of IT Dept. / Administration team / Security Incident Response Team.
Information Security events shall be reported to outside authorities whenever this is required to comply
with legal requirements or regulations. This shall only be done by the ISSM or persons authorized by
ISSM in consultation with the legal department.
Suspected Information Security events shall be reported promptly to the IT team or directly to ISSM if
found critical.
Information Security events shall be reported to outside authorities whenever this is required to comply
with legal requirements or regulations. This shall only be done by the ISSM or persons authorized by
ISSM in consultation with the legal department.
A.16.1.3 Reporting information security weakness
Security weaknesses shall be reported without any delay to the ISSM to speed up the identification of
damage caused, its containment and restoration, repair and to facilitate the collection of associated
evidence and shall be recorded and processed for corrective action. Breaches of confidentiality shall be
reported to the ISSM as soon as possible. It shall include breaches of confidentiality arising from a
breach of an employee's NDA.

A.16.1.4 Assessment of and decision on information security events
Assessment of and decision on information security events will be handled in accordance with Incident
Management Procedure
A.16.1.5 Response to information security incidents
Information security Incidents are responded in accordance with Incident Management Procedure
A.16.1.6 Learning from information security incidents
Incident Management Procedure shall assist Synergy to learn from incidents and take preventive actions
to avoid the occurrence of that category of incidents. An Incident Tracker shall be maintained to track
all information security incidents.
A.16.1.7 Collection of evidence
Information Security incidents arising from system failures shall be investigated by competent and skilled
personnel.
During the investigation of Information Security incidents, dual control and the segregation of duties
shall be included in procedures to strengthen the integrity of information and data. Staff shall be advised
for assistance and collective action, through defined security incident checklists, etc., to handle and
respond effectively to an Information Security incident.
An abnormal high risk from the threat of electronic eavesdropping and / or espionage activities be
identified, all employees shall be alerted and reminded of the specific threats and the specific
countermeasures to be deployed.
Information relating to Information Security incidents may only be released by ISSM.
A.17 Information security aspects of business continuity

management
Refer: Business Continuity / Disaster Recovery Plan , BCP Drills records and CRM Manual (ISMS_Man_48)
A.17.1 Information security continuity

A.17.1.1 Planning information security continuity
Synergy is determined its requirements for information security and continuity of information security
management in adverse situations. E.g. during crisis or disaster.
A.17.1.2 Implementing information security continuity
Synergy is established, documented, implemented and maintaining process, procedure and controls to
ensure the required level of continuity for information security during an adverse situation
A.17.1.3 Verify, review and evaluate information security continuity
The Business Continuity Plan shall be periodically tested to ensure that the management and staff
understands, how shall it be executed. All staff shall be made aware of the Business Continuity Plan and
their respective roles. Business continuity plans in conjunction with recovery plans shall be tested
regularly to ensure that they are up to date and effective. Such tests shall also ensure that all members
of the recovery team and other relevant staff / 3rd party are aware and well communicated of the plans.

A.17.2 Redundancies
A.17.2.1 Availability of information processing facilities
Information processing facilities were implemented with redundancy sufficient to meet availability
requirements of the organization
A.18 Compliance
Refer: Statutory/Legal Team Documents, NDA clauses, License Management Policy.
A.18.1 Compliance with legal and contractual requirements

A.18.1.1 Identification of applicable legislation and contractual requirements
Relevant statutory, regulatory, and contractual requirements for all the information processing facilities
will be documented by the relevant Department Heads. Compliance of statutory/regularity framework
will be reviewed periodically (at least once a year or whenever any modification happens) by an internal
legal officer from the legal dept.
The applicable legislation which users shall be required to comply with are as listed below:
 Information Technology Act, 2000
 Information Technology (Amendment) Act,2006, India
 The Patent Act 1970
 The Indian Copyright Act 1957
 Intellectual Property Rights (IPR), Patents (with respect to Software purchased and
downloaded)
 Central Sales Tax Act, India
 Indian Companies Act 1956
 Provident Fund and ESI Acts, India
 Shops & Establishment Act 1948,India
 Professional Tax Act
 Contract Labour Act, India
 Foreign Exchange Management Act (FEMA) Guidelines, India
 Customs Act, India
 Contractual obligations
 Indian Electronic Waste Act
A.18.1.2 Intellectual property rights
Intellectual Property rights shall be honoured and protected as per international convention as India is
also a party to it.
Appropriate procedures shall have been implemented to ensure compliance with legislative, regulatory
and contractual requirements on the use of material in respect of which there shall be intellectual
property rights and on the use of proprietary software products.
 Publishing an intellectual property rights compliance policy which defines the legal use of
software and information products.

 Acquiring software only through known and reputable sources, to ensure that the copyright
is not violated.
 Maintaining awareness of policies to protect intellectual property rights, and giving notice
of the intent to take disciplinary action against personnel breaching them.
 maintaining appropriate asset registers, and identifying all assets with requirements to
protect intellectual property rights
 Maintaining proof and evidence of ownership of license, master disks, manuals etc.
 Implementing controls to ensure that any maximum number of users permitted is not
exceeded.
 Carrying out checks that only authorized software and licensed products are installed.
 Providing a policy for maintaining appropriate license conditions
 Providing a policy for disposing or transferring software to others
 Using appropriate audit tools
 Complying with terms and conditions for software and information obtained from public
networks.
 Not duplicating, converting to another format or extracting from commercial recordings

(film, audio) other than permitted by copyright law.
 Not copying in full or in part, books, article, reports or other documents, other than
permitted by copyright law.
A.18.1.3 Protection of records
Important records of the organization shall be protected from loss, destruction and falsification.
 The procedures for the storage and handling shall be addressed in chapter on Regulatory
compliance process.
 The inventory of information assets and information processing assets shall be maintained.
 The ISSO & Head-IT shall ensure that the category of compliance is maintained as a part
of the checklist.
 The authorized personal shall have access to relevant records and shall give access to the
relevant stake holders based on the need.
 The Head-IT / ISSO shall ensure that all the master approvals and licenses are kept in a
centralized place with a lock and key and also a copy is kept in safe lockers.
 On a yearly basis, a copy of all the records is kept in bank locker or an offsite location as a
BCP / DRP measure.
 Records are retained based on the Regulatory compliance check list.
A.18.1.4 Privacy and protection of personally identifiable information
Organization has ensured privacy and protection of personally identifiable information as required in
relevant legislation and regulation where applicable.
A.18.1.5 Regulation of cryptographic Controls
Additional Ciphering / cryptographic algorithms are not used over the default ciphering /
Cryptographic Algorithms that are provided by the vendors as per regulations prescribed by applicable
regulatory bodies. Hence this control is not Applicable.

A.18.2 Information security reviews

A.18.2.1 Independent review of information security
Synergy will conduct review of its security implementation by Third party auditors every half year. Review
will also be conducted in case of significant changes in the information security implementation.
Any changes and enhancements shall be made to the policy after review with the CISO, ISSM, and ISSC.
A.18.2.2. Compliance with security policies and standards
ISSM in consultation with project/Department heads will review the compliance of information
processing and procedures within their area of responsibility with the appropriate security policy,
standards and any other security requirements.
A.18.2.3 Technical compliance review
The Head IT shall prepare an annual programme for network and server security compliance inspection.
The program shall identify the area and scope to be covered during inspection and the team responsible
to conduct the inspection. The inspection shall be carried out only by competent persons authorized to
do the same or only under the supervision of such persons.
Compliance check of user responsibilities (desktops and laptops)
 This shall be the responsibility of IT Department.

 The areas to be scrutinized are Power-On password, Screen saver password, Shared
folders, Authenticity of software installed on PC, Antivirus software and its configuration.
 The frequency of check shall be at least once in a year.
 All computers shall be checked by IT Team.
 The results shall be recorded and reported to CISO.
Servers and other networking equipment
 This shall be carried out by the IT team for his/her domain.

 The Areas to be scrutinized are security settings in Servers operating system, Backups
frequency, content and storage, Updating of network diagrams, changes to the network and
implications, Settings and configuration on routers, configurations of Firewalls and Email
monitoring.
 The frequency of inspections shall be at least once in a year.
The results shall be recorded and reported to CISO / ISSM
---End of document ---

ISMS POLICY & OBJECTIVES
PUBLIC
INFORMATION SECURITY POLICY & OBJECTIVES
DOCUMENT SUMMARY:
AUTHOR MR. KANNAN

CURRENT VERSION 2.0
DATE OF CURRENT VERSION 30TH, SEPTEMBER,2019
OWNER CISO
Revision History

2.0 0 30th Sep 2019
changes applied.

PUBLIC
PURPOSE
The key objective to ensure the success of Synergy Maritime Private Limited business lies in protecting the business
information of the organization and its customers. To fulfill this strategic business objective, Synergy Maritime
Private Limited has established an Information Security Management System.
POLICY STATEMENT
The Directors, Senior Management and all other employees at Synergy Maritime Private Limited are committed to
protect the confidentiality and integrity of all the information assets, ensure availability in accordance to business
objectives and conduct business in compliance with all statutory and regulatory requirements.
ISMS OBJECTIVES
The Objective of ISMS at Synergy Maritime Private Limited is to ensure that:
 To Ensure Nil unauthorized access either by internal or external Sources.

 To Maintain 100% Confidentiality and Integrity of information.
 To Maintain Zero hour down time there by achieving availability of information always to meet Business
requirements.
 To Test Business continuity and disaster recovery plans at least once in a year each.
 To Maintain 100% Information security awareness among all staff and relevant external parties.
 To Achieve Nil disciplinary action against employees and relevant external parties for not compliance to
this ISMS environment.
 To report and Investigate All breaches of information security, actual or suspected, by the Information
Security Steering Committee.
 All applicable regulatory and legislative requirements are always met.
The management at Synergy Maritime Private Limited ensures that this policy is communicated, understood,
implemented and maintained at all levels of the organization. The policy shall be monitored for compliance and will
be amended, if necessary.
This policy has been approved by the Board of Directors at Synergy Maritime Private Limited.
CISO / HEAD

PUBLIC
ISMS OBJECTIVES
REVIEW UOM (Unit
S.No ISMS Objectives TARGET RESPONSIBILITY
FREQUENCY of Measure)
No. of Unauthorized Access

1 Monthly Nos Zero IT Manager/Admin
(Internal)

2 Monthly Nos Zero IT Manager /Admin
(External)
Confidentiality and Integrity of

3 Monthly % 100% CISO
information
Down time reported with

respect to availability of Zero IT-Manager /Network
4 Monthly Hours
Information for Business Hours team
No. of times business At least
Once in 6
5 continuity and disaster Nos once in Process Owners
recovery plans each Tested
Month
a year
Information Security
Once in 6
6 Awareness to Staff and % 100% CISO and HR
Interested Parties.
Months
No. of Disciplinary actions
CISO and Relevant
7 against Staff and relevant Monthly Nos Zero
Interested Parties.
Process Owners
Information Security Breaches ISSC Committee or

8 Monthly % 100%
under investigation by ISSC team

9 Monthly % 100%
reported and closed by ISSC team
Applicable regulatory and Once in 6

10 Nos. Zero HR and Legal Team
Legislative yet to Met Months
CISO / HEAD

ISMS POLICIES & PROCEDURES MANUAL - OFFICE
Rev No. : 1
Date : 23-12-2019
STATEMENT OF APPLICABILITY Page : 1 of 32
DOCUMENT SUMMARY
AUTHOR Kannan
REVIEWED BY Gaurav Singh
CURRENT VERSION 2.1
DATE OF CURRENT VERSION 23-12-2019
DATE OF ORIGINAL VERSION 24TH FEBRUARY, 2015
OWNER CISO
NAME: Gaurav Singh
APPROVED BY
DESIGNATION CISO
REVISION HISTORY
1 0 24th FEBRUARY, 2015 Initial
Reviewed Based On Gap Assessment
2 0 30-09-2019
changes made
2.1 1 23-12-2019 Changes done in A10.1.2
1.1 PURPOSE
Purpose of this document is to identify from the controls specified in ISO
27001:2013, specification of information security management system, the controls
that applicable to Synergy. Against each of these controls justification for the
inclusion or exclusion of the control, as specified in ISO 27001:2013 6.1.3(d) section,
shall be stated.
1.2 STATEMENT OF CONTROLS
[Type here]
Document Ref:ISMS_Man_004
Rev No. : 1
Date : 23-12-2019
Clause Control Justification for Control Controls Status Reference

No Title inclusion/exclusion applicabl (Implemented/N Documents
of the control. e ot Implemented)
(Yes/No)
A.5 Information Security Policies
A.5.1 Management direction for

information security
A.5.1.1 Policies To ensure there exists Yes Implemented Information_Securi

for an Information ty_Policies
informati security policies,
on which are approved
security by the management,
published and
communicated as
appropriate to all
employees and
relevant external
parties
A.5.1.2 Review of To ensure the Yes Implemented InformationSecurit

the Information Security y_ Manual
policies Policies are reviewed (ISMS_Man_002) –
for at planned intervals, A.5.1.2
informati or if significant
on changes occur to
security ensure its continuing
suitability, adequacy
and effectiveness.
A. 6 Organization of information
Security
A.6.1 Internal Organization
A.6.1.1 Informati To ensure Yes Implemented InformationSecurit

on responsibilities for y_ Manual
security the protection of (ISMS_Man_002)
roles and individual assets, and
responsib for carrying out
specific security
[Type here]
Rev No. : 1
Date : 23-12-2019
ilities processes, were

clearly identified and
defined.
A.6.1.2 Segregati To ensure conflicting Yes Implemented InformationSecurit

on of duties and areas of y_ Manual
duties responsibility are (ISMS_Man_002)
separated, in order to – A.6.1.2
reduce opportunities
for unauthorized or
unintentional
modification or
misuse of the
organization’s assets.
A.6.1.3 Contact To maintain Yes Implemented InformationSecurit

with appropriate contacts y_ Manual
authoritie with relevant (ISMS_Man_002)
s authorities – A.6.1.3
A.6.1.4 Contact To ensure Yes Implemented InformationSecurit

with appropriate contacts y_ Manual
special with special interest (ISMS_Man_002)
interest groups or other – A.6.1.4
groups specialist security
forums and
professional
associations are
maintained.
A.6.1.5 Informati To ensure that Yes Implemented InformationSecurit

on information security y_ Manual
security risks are identified (ISMS_Man_002) –
in project and addressed as part A.6.1.5
managem of a project.
ent
A.6.2 Mobile devices and Teleworking
A.6.2.1 Mobile To ensure this a Yes Implemented I

device formal policy is in InformationSecurit
policy place, and y_ Manual
appropriate security (ISMS_Man_002)
measures are
[Type here]
Rev No. : 1
Date : 23-12-2019
adopted to protect
against the risk of
using mobile devices
A.6.2.2 Teleworki To ensure this a Yes Implemented InformationSecurit

ng formal policy is in y_ Manual
place and persons (ISMS_Man_002)
authorised to use this
facility shall have
access only to specific
services like E-Mail,
Intranet Server and
not the entire
network when not on
local network.
A.7 Human Resource Security
A.7.1 Prior to employment
A.7.1.1 Screening To ensure Yes Implemented HR Operations -

background Process Guideline
verification checks for
all candidates for
employment are
carried out in
accordance to the
relevant regulations,
laws and ethics.
To Ensure check
include character
reference,
confirmation of
claimed academic and
professional
qualifications and
independent identity
checks. Specific
customer
requirements for
screening also need
to be addressed by
[Type here]
Rev No. : 1
Date : 23-12-2019
the organization.
A.7.1.2 Terms To ensure employees Yes Implemented HR Offer Letter

and and contractors are with non
condition asked to sign disclosure clause.
s of confidentiality or
employm non-disclosure
ent agreement as a part
of their initial terms
and conditions of the
employment
contract.
To ensure this
agreement covers the
responsibility of the
organization and the
employee and
contractors.
A.7.2 During Employment
A.7.2.1 Managem To ensure the Yes Implemented InformationSecurit

ent management requires y_ Manual
responsib employees and (ISMS_Man_002) –
ilities contractors to apply A.7.2.1
security in
accordance with the
established policies
and procedures of the
organization.
A.7.2.2 Informati To ensure all Yes Implemented InformationSecurit

on employees in the y_ Manual
security organization, and (ISMS_Man_002) –
awarenes where relevant, A.7.2.2
s, contractors receive
education appropriate security
and awareness training
training and regular updates
in organizational
policies and
procedures as it
pertains to their job
[Type here]
Rev No. : 1
Date : 23-12-2019
function.
A.7.2.3 Disciplina To ensure there is a Yes Implemented InformationSecurit

ry process formal disciplinary y_ Manual
process for the (ISMS_Man_002) –
employees who have A.7.2.3
committed a security
breach.
A.7.3 Termination and change of

employment
A.7.3.1 Terminati To ensure Yes Implemented InformationSecurit

on responsibilities and y_ Manual
Responsib duties for performing (ISMS_Man_002) –
ilities employment A.7.3.1
termination, or
change of
employment, are
clearly defined,
communicated to
employees and
enforced.
A.8 Asset Management
A.8.1 Responsibilities for assets
A.8.1.1 Inventory To ensure all assets Yes Implemented InformationSecurit

of assets are identified and an y_ Manual
inventory or register (ISMS_Man_002) –
is maintained with all A.8.1.1
the important assets.
A.8.1.2 Ownershi To ensure each asset Yes Implemented InformationSecurit

p of identified has an y_ Manual
assets owner, a defined and (ISMS_Man_002) –
agreed-upon security A.8.1.2
classification, and
access restrictions
that are periodically
reviewed.
[Type here]
Rev No. : 1
Date : 23-12-2019
A.8.1.3 Acceptabl To ensure regulations Yes Implemented InformationSecurit

e use of for acceptable use of y_ Manual
assets information and (ISMS_Man_002)
assets associated with
an information
processing facility
were identified,
documented and
implemented.
A.8.1.4 Return of To ensure there is a Yes Implemented InformationSecurit

assets process in place that y_ Manual
ensures all employees (ISMS_Man_002) –
and external party A.8.1.4
users surrender all of
the organization’s
assets in their
possession upon
termination of their
employment,
contract or
agreement.
A.8.2 Information classification
A.8.2.1 Classificat To ensure the Yes Implemented InformationSecurit

ion of information is y_ Manual
informati classified in terms of (ISMS_Man_002)
on its value, legal
requirements,
sensitivity and
criticality to
unauthorised
disclosure or
modification
A.8.2.2 labelling To ensure an Yes Implemented InformationSecurit

of appropriate set of y_ Manual
Informati procedures are (ISMS_Man_002)
on developed and
implemented for
information labelling,
in accordance with
the classification
[Type here]
Rev No. : 1
Date : 23-12-2019
scheme adopted by
the organization.
A.8.2.3 Handling To ensure an Yes Implemented InformationSecurit

of assets appropriate set of y_ Manual
procedures are (ISMS_Man_002) –
defined for assets A.8.2.3
handling, in
accordance with the
classification scheme
adopted by the
organization.
A.8.3 Media handling
A.8.3.1 Managem To ensure procedures Yes Implemented InformationSecurit

ent of exist for management y_ Manual
removabl of removable media, (ISMS_Man_002)
e media such as tapes, disks,
cassettes, memory
cards, and reports in
accordance with the
classification scheme
adopted by the
organization.
A.8.3.2 Disposal To ensure the media Yes Implemented InformationSecurit

of media that are no longer y_ Manual
required are disposed (ISMS_Man_002)
of securely and safely,
as per formal
procedures.
A.8.3.3 Physical To ensure media Yes Implemented InformationSecurit

media containing y_ Manual
transfer information is (ISMS_Man_002)
protected against
unauthorized access,
misuse or corruption
during transportation
beyond the
organization’s
physical boundary.
A.9 Access Control
[Type here]
Rev No. : 1
Date : 23-12-2019
A.9.1 Business requirements of access

control
A.9.1.1 Access To ensure an access Yes Implemented InformationSecurit

control control policy is y_ Manual
policy developed and (ISMS_Man_002)
reviewed based on
the business and
security
requirements.
To ensure both logical
and physical access
control are taken into
consideration in the
policy
To ensure the users
and service providers
were given a clear
statement of the
business requirement
to be met by access
controls.
A.9.1.2 Access to To ensure users are Yes Implemented InformationSecurit

networks provided with access y_ Manual
and only to the services (ISMS_Man_002)
network that they have been
services specifically authorized
to use.
A.9.2 User Access Management
A.9.2.1 User To ensure there is any Yes Implemented InformationSecurit

registrati formal user y_ Manual
on and registration and de- (ISMS_Man_002)
de- registration
registrati procedure for
on granting access to all
information systems
and services.
A.9.2.2 User To ensure there is a Yes Implemented InformationSecurit
[Type here]
Rev No. : 1
Date : 23-12-2019
access formal process to y_ Manual

provisioni assign or revoke (ISMS_Man_002)
ng access rights for all
user types to all
systems and services.
A.9.2.3 Managem To ensure the Yes Implemented InformationSecurit

ent of allocation and use of y_ Manual
privileged any privileges in (ISMS_Man_002)
access information system
rights environment is
restricted and
controlled i.e.,
Privileges are
allocated on need-to-
use basis; privileges
are allocated only
after formal
authorization process.
A.9.2.4 Managem To ensure there is a Yes Implemented InformationSecurit

ent of formal process to y_ Manual
secret allocate the secret (ISMS_Man_002)
authentic authentication
ation information in a
informati control manner
on of
users
A.9.2.5 Review of To ensure there exists Yes Implemented InformationSecurit

user a process to review y_ Manual
access user access rights at (ISMS_Man_002)
rights regular intervals
A.9.2.6 Removal To ensure access Yes Implemented InformationSecurit

or rights of all y_ Manual
adjustme employees and (ISMS_Man_002)
nt of external party users
access to information and
rights information
processing facilities,
will be removed upon
termination of their
[Type here]
Rev No. : 1
Date : 23-12-2019
employment,
contract or
agreement, or will be
adjusted upon
change.
A.9.3 User responsibilities
A.9.3.1 Use of To ensure there are Yes Implemented InformationSecurit

secret any security practice y_ Manual
authentic in place to guide (ISMS_Man_002)
ation users in selecting and
informati maintaining secure
on passwords.
A.9.4 System and application access

control
A.9.4.1 Informati To ensure access to Yes Implemented InformationSecurit

on access information and y_ Manual
restrictio application system (ISMS_Man_002)
n functions by users
and support
personnel is
restricted in
accordance with the
defined access
control policy.
A.9.4.2 Secure To ensure access to Yes Implemented InformationSecurit

log-on operating system is y_ Manual
procedur controlled by secure (ISMS_Man_002)
es log-on procedure.
A.9.4.3 Password The allocation and Yes Implemented InformationSecurit

managem reallocation of y_ Manual
ent passwords should be (ISMS_Man_002)
system controlled through a
formal management
process.
To ensure the users
are asked to sign a
statement to keep
the password
[Type here]
Rev No. : 1
Date : 23-12-2019
confidential.
A.9.4.4 Use of To ensure the utility Yes Implemented InformationSecurit

privileged programs that might y_ Manual
utility be capable of (ISMS_Man_002)
Programs overriding system and
application controls is
restricted and tightly
controlled.
A.9.4.5 Access To ensure that access Yes Implemented InformationSecurit

control to to program source is y_ Manual
program controlled and (ISMS_Man_002)
source restricted
code
A.10 Cryptography
A.10.1 Cryptographic controls
A.10.1. Policy on To ensure the Yes Implemented InformationSecurit

1 the use of organization has y_ Manual
cryptogra Policy on use of (ISMS_Man_002)
phic cryptographic
controls controls for
protection of
information. .
To ensure the policy
is successfully
implemented.
A.10.1. Key No keys have been Yes Implemented InformationSecurit

2 managem envisaged to be used y_ Manual
ent for any of the projects (ISMS_Man_002)
, But Synergy Uses
Default cryptographic
controls
Physical and environmental
A.11
security
A.11.1 Secure areas
[Type here]
Rev No. : 1
Date : 23-12-2019
A.11.1. Physical To ensure Security Yes Implemented InformationSecurit

1 Security perimeters are y_ Manual
Perimeter defined and used to (ISMS_Man_002)
protect areas that
contain either
sensitive or critical
information and
information
processing facilities.
A.11.1. Physical To ensure only Yes Implemented InformationSecurit

2 entry authorized personnel y_ Manual
Controls are allowed access to (ISMS_Man_002)
secure areas
A.11.1. Securing To ensure the rooms, Yes Implemented InformationSecurit

3 Offices, which have the y_ Manual
rooms information (ISMS_Man_002)
and processing service,
facilities are locked or have
lockable cabinets or
safes.
A.11.1. Protectin To ensure the Yes Implemented InformationSecurit

4 g against physical protection y_ Manual
external against natural (ISMS_Man_002)
and disasters, malicious
environm attack or accidents
ent should be designed
threats and applied.
A.11.1. Working To ensure procedure Yes Implemented InformationSecurit

5 in Secure for working in secure y_ Manual
Areas areas is designed and (ISMS_Man_002)
implemented.
A.11.1. Public To ensure the Yes Implemented InformationSecurit

6 access delivery, loading, and y_ Manual
delivery other areas where (ISMS_Man_002)
and unauthorized persons
loading may enter the
areas premises are
controlled, and
[Type here]
Rev No. : 1
Date : 23-12-2019
information
processing facilities
are isolated, to avoid
unauthorized access.
A.11.2 Equipment security
A.11.2. Equipmen To ensure the Yes Implemented InformationSecurit

1 t siting equipment is y_ Manual
protectio protected to reduce (ISMS_Man_002)
n the risks from
environmental
threats and hazards,
and opportunities for
A.11.2. Supportin To ensure the Yes Implemented InformationSecurit

2 g utilities equipment is y_ Manual
protected from (ISMS_Man_002)
power failures and
other disruptions
caused by failures in
supporting utilities.
To ensure
permanence of power
supplies, such as a
multiple feed, an
Uninterruptible
Power Supply (ups), a
backup generator,
etc. are being utilized.
A.11.2. Cabling To ensure the power Yes Implemented InformationSecurit

3 Security and y_ Manual
telecommunications (ISMS_Man_002)
cable, carrying data
or supporting
information services,
is protected from
interception,
interference or
damage.
To ensure there is any
additional security
[Type here]
Rev No. : 1
Date : 23-12-2019
controls in place for

sensitive or critical
information.
A.11.2. Equipmen To ensure the Yes Implemented InformationSecurit

4 t equipment is y_ Manual
Maintena correctly maintained (ISMS_Man_002)
nce to ensure its
continued availability
and integrity.
A.11.2. Removal To ensure any Yes Implemented InformationSecurit

5 of assets controls are in place y_ Manual
so that equipment, (ISMS_Man_002)
information and
software is not taken
off-site without prior
authorization.
A.11.2. Securing To ensure risks were Yes Implemented InformationSecurit

6 of assessed with regards y_ Manual
equipmen to any equipment (ISMS_Man_002)
t off- usage outside an
premises organization’s
premises, and
mitigation controls
implemented.
A.11.2. Secure To ensure all Yes Implemented InformationSecurit

7 disposal equipment, y_ Manual
or re-use containing storage (ISMS_Man_002)
of media, is checked to
equipmen ensure that any
t sensitive information
or licensed software
is physically
destroyed, or securely
over-written, prior to
disposal or reuse.
A.11.2. Unattend To ensure the users Yes Implemented InformationSecurit

8 ed user and contractors are y_ Manual
equipmen made aware of the (ISMS_Man_002)
t security requirements
and procedures for
[Type here]
Rev No. : 1
Date : 23-12-2019
protecting
unattended
equipment.
A.11.2. Clear To reduce the risk of Yes Implemented InformationSecurit

9 Desk and unauthorised access, y_ Manual
clear loss of and damage to (ISMS_Man_002)
Screen information during
Policy and outside normal
working hours
A.12 Operations security
A.12.1 Operational procedure and

responsibilities
A.12.1. Documen To ensure the Yes Implemented InformationSecurit

1 ted operating procedure y_ Manual
operating is documented, (ISMS_Man_002)
procedur maintained and
es available to all users
who need it.
To ensure such
procedures are
treated as formal
documents and
therefore any
changes made need
management
authorization.
A.12.1. Change To ensure Changes to Yes Implemented InformationSecurit

2 managem the organization, y_ Manual
ent business processes, (ISMS_Man_002)
information
processing
facilities and systems
that affect
should be controlled.
A.12.1. Capacity To ensure the Yes Implemented InformationSecurit

managem capacity demands are y_ Manual
[Type here]
Rev No. : 1
Date : 23-12-2019
3 ent monitored and (ISMS_Man_002)

projections of future
capacity
requirements are
made, to ensure that
adequate processing
power and storage
are available.
Example: Monitoring
hard disk space, RAM
and CPU on critical
servers.
A.12.1. Separatio To ensure the Yes Implemented InformationSecurit

4 n of development and y_ Manual
developm testing facilities are (ISMS_Man_002)
ent, test isolated from
and operational facilities.
operation
al
environm
ents
A.12.2 Protection from malware
A.12.2. Controls To ensure detection, Yes Implemented InformationSecurit

1 against prevention and y_ Manual
malware recovery controls, to (ISMS_Man_002)
protect against
malicious code and
appropriate user
awareness
procedures, were
developed and
implemented.
A.12.3 Backup
A.12.3. Informati To ensure back-ups of Yes Implemented InformationSecurit

1 on information and y_ Manual
backup software is taken and (ISMS_Man_002)
tested regularly in
accordance with the
agreed backup policy.
[Type here]
Rev No. : 1
Date : 23-12-2019
To ensure all essential

information and
software can be
recovered following a
disaster or media
failure
A.12.4 Logging and monitoring
A.12.4. Event To ensure recording Yes Implemented InformationSecurit

1 logging event logs user y_ Manual
activities, exceptions, (ISMS_Man_002)
faults and
events and shall be
produced, kept and
regularly reviewed.
A.12.4. Protectio To ensure logging Yes Implemented InformationSecurit

2 n of log facility and log y_ Manual
informati information are well (ISMS_Man_002)
on protected against
tampering and
A.12.4. Administr To ensure system Yes Implemented InformationSecurit

3 ator and administrator and y_ Manual
operator system operator (ISMS_Man_002)
logs activities are logged.
To ensure the logged
activities are
reviewed on regular
basis.
A.12.4. Clock To ensure system Yes Implemented InformationSecurit

4 synchroni clocks of all y_ Manual
zation information (ISMS_Man_002)
processing system
within the
organization or
security domain is
synchronised with an
agreed accurate time
source.
[Type here]
Rev No. : 1
Date : 23-12-2019
(The correct setting of

computer clock is
important to ensure
the accuracy of audit
logs). In the current
situation there are
some systems which
are not synchronized
well due to business
reasons. This has
been accepted as a
risk by the
management.
A.12.5 Control of operational software
A.12.5. Installatio To ensure that Yes Implemented InformationSecurit

1 n of procedures are in y_ Manual
software place to control the (ISMS_Man_002)
installation of
on
software on
operation
operational system
al
systems
A.12.6 Technical vulnerability

management
A.12.6. Managem To ensure timely Yes Implemented InformationSecurit

1 ent of information about y_ Manual
technical technical (ISMS_Man_002)
vulnerabil vulnerabilities of
ities information systems
being used is
obtained.
A.12.6. Restrictio To ensure that Yes Implemented InformationSecurit

2 ns on procedures are in y_ Manual
software place to control the (ISMS_Man_002)
Installatio installation of
n software on
operational system
A.12.7 Information systems audit

considerations
[Type here]
Rev No. : 1
Date : 23-12-2019
A.12.7. Informati To ensure audit Yes Implemented InformationSecurit

1 on requirements and y_ Manual
systems activities involving (ISMS_Man_002)
audit checks on operational
controls systems should be
carefully planned and
agreed to minimise
the risk of disruptions
to business process.
To ensure the audit
requirements, scope
are agreed with
appropriate
management.
A.13 Communications security
A.13.1 Network security management
A.13.1. Network To ensure the Yes Implemented InformationSecurit

1 controls network is adequately y_ Manual
managed and (ISMS_Man_002)
controlled, to protect
from threats, and to
maintain security for
the systems and
applications using the
network, including
the information in
transit.
To ensure controls
were implemented to
ensure the security of
the information in
networks, and the
protection of the
connected services
from threats, such as
A.13.1. Security To ensure security Yes Implemented InformationSecurit

2 of features, service y_ Manual
network levels and (ISMS_Man_002)
management
[Type here]
Rev No. : 1
Date : 23-12-2019
services requirements, of all

network services, are
identified and
included in any
network services
agreement.
To ensure the ability
of the network
service provider, to
manage agreed
services in a secure
way, is determined
and regularly
monitored, and the
right to audit is
agreed upon.
A.13.1. Segregati To ensure groups of Yes Implemented InformationSecurit

3 on in information services, y_ Manual
networks users and information (ISMS_Man_002)
systems are
segregated on
networks.
A.13.2 Information transfer
A.13.2. Informati To ensure there is a Yes Implemented InformationSecurit

1 on formal exchange y_ Manual
transfer policy, procedure and (ISMS_Man_002)
policies control in place to
and ensure the protection
procedur of transfer
es information through
the use of all types of
communication
facilities.
A.13.2. Agreeme To ensure Yes Implemented InformationSecurit

2 nts on agreements are y_ Manual
informati established (ISMS_Man_002)
on concerning exchange
transfer of information and
software between the
[Type here]
Rev No. : 1
Date : 23-12-2019
organization and
external parties.
To ensure the security
content of the
agreement reflects
the sensitivity of the
business information
involved.
A.13.2. Electronic To ensure the Yes Implemented InformationSecurit

3 messagin information involved y_ Manual
g in electronic (ISMS_Man_002)
messaging is well
protected.
A.13.2. Confident To ensure the Yes Implemented InformationSecurit

4 iality or organization’s need y_ Manual
nondisclo for Confidentiality or (ISMS_Man_002)
sure Non-Disclosure
agreemen Agreement (NDA) for
ts protection of
information is clearly
defined and regularly
reviewed.
Address the
requirement to
protect the
confidential
information using
legal enforceable
terms
System acquisition, development
A.14
and maintenance
A.14.1 Security requirements of

information systems
A.14.1. Informati To ensure security Yes Implemented InformationSecurit

1 on requirements for new y_ Manual
Security information systems (ISMS_Man_002)
requirem and enhancement to
ents existing information
[Type here]
Rev No. : 1
Date : 23-12-2019
analysis system specifies the

and requirements for
specificati security controls.
on
A.14.1. Securing To ensure Yes Implemented InformationSecurit

2 applicatio Information involved y_ Manual
n services in application services (ISMS_Man_002)
on public passing over public
networks networks are
protected from
fraudulent activity,
contract dispute and
unauthorized
disclosure and
modification.
A.14.1. Protectin To ensure Yes Implemented InformationSecurit

3 g Information involved y_ Manual
applicatio in application service (ISMS_Man_002)
n services transactions are
transactio protected to prevent
ns incomplete
transmission, mis-
routing, unauthorized
message alteration,
unauthorized
disclosure,
unauthorized
message duplication
or replay.
A.14.2 Security in development and

support processes
A.14.2. Outsourc To control the out Yes Implemented Vendor

7 ed sourced software Management
developm development activity Policy and
ent as per Synergy Information_Securi
requirement. ty_Manual
(ISMS_Man_002) -
A.14.2.7
A.14.3 Test data
[Type here]
Rev No. : 1
Date : 23-12-2019
A.14.3. Protectio To ensure that test Yes Implemented InformationSecurit

1 n of test data selected y_ Manual
data carefully, protected (ISMS_Man_002)
and controlled
A.15 Supplier relationships
A.15.1 Information security in supplier

relationships
A.15.1. Informati To ensure Yes Implemented InformationSecurit

1 on Information security y_ Manual
security requirements for (ISMS_Man_002)
policy for mitigating the risks
supplier associated with
relationsh supplier’s access to
ips the organization’s
assets are agreed
with the supplier and
documented.
A.15.1. Addressin To ensure all relevant Yes Implemented InformationSecurit

2 g security information security y_ Manual
within requirements are (ISMS_Man_002)
supplier established and
agreemen agreed with each
ts supplier that may
access, process, store,
communicate, or
provide IT
infrastructure
components for, the
organization’s
information.
A.15.1. Informati To ensure the Yes Implemented InformationSecurit

3 on and agreements with y_ Manual
communi suppliers include (ISMS_Man_002)
cation requirements to
technolog address the
y supply information security
chain risks associated with
information and
communications
technology services
[Type here]
Rev No. : 1
Date : 23-12-2019
and product supply

chain.
A.15.2 Supplier service delivery

management
A.15.2. Monitorin To ensure the Yes Implemented InformationSecurit

1 g and services, reports and y_ Manual
review of records provided by (ISMS_Man_002)
supplier suppliers are regularly
services monitored and
reviewed.
To ensure audit is
conducted on the
above supplier
Services, reports and
records, on regular
interval.
A.15.2. Managing To ensure changes to Yes Implemented InformationSecurit

2 changes provision of services, y_ Manual
to including maintaining (ISMS_Man_002)
supplier and improving
services existing information
security policies,
procedures and
controls, are
managed.
To ensure this take
into account criticality
of business systems,
processes involved
and re-assessment of
risks
A.16 Information security incident

management
A.16.1 Management of information

security incidents and
improvements
A.16.1. Responsib To ensure Yes Implemented InformationSecurit

1 ilities and management y_ Manual
[Type here]
Rev No. : 1
Date : 23-12-2019
Procedur responsibilities and (ISMS_Man_002)

es procedures were
established to ensure
quick, effective and
orderly response to
incidents.
To ensure monitoring
of systems, alerts and
vulnerabilities are
used to detect
incidents. .
A.16.1. Reporting To ensure Yes Implemented InformationSecurit

2 informati information security y_ Manual
on events are reported (ISMS_Man_002)
security through appropriate
events management
channels as quickly as
possible.
To ensure formal
event reporting
procedure, Incident
response and
escalation procedure
is developed and
implemented.
A.16.1. Reporting To ensure there exists Yes Implemented InformationSecurit

3 informati a procedure that y_ Manual
on ensures all employees (ISMS_Man_002)
security of information
weakness systems and services
are required to note
and report any
observed or
suspected security
weakness in the
system or services.
A.16.1. Assessme To ensure Yes Implemented InformationSecurit

4 nt of and Information security y_ Manual
[Type here]
Rev No. : 1
Date : 23-12-2019
decision events are assessed (ISMS_Man_002)

on and classified as
informati information security
on incidents.
security
events
A.16.1. Response To ensure the Yes Implemented InformationSecurit

5 to information security y_ Manual
informati events are responded (ISMS_Man_002)
on as per Incident
security Management
incidents Procedure
A.16.1. Learning To ensure there is a Yes Implemented InformationSecurit

6 from mechanism in place y_ Manual
informati to identify and (ISMS_Man_002)
on quantify the type,
security volume and costs of
incidents information security
incidents.
To ensure the
information gained
from the evaluation
of the past
incidents are used to
identify recurring or
high impact incidents.
A.16.1. Collection To ensure follow-up Yes Implemented InformationSecurit

7 of action against a y_ Manual
evidence person or (ISMS_Man_002)
organization after an
incident involves legal
action (either civil or
criminal).
A.17 Information security aspects of

business continuity management
A.17.1 Information security
[Type here]
Rev No. : 1
Date : 23-12-2019
continuity
A.17.1. Planning To ensure the Yes Implemented Business

1 informati organization continuity/Disaster
on determined its recovery plan
security requirements for (ISMS_Man_042)
continuity information security
and the continuity of
management in
adverse situations,
e.g. during a crisis or
disaster.
A.17.1. Implemen To ensure plans were Yes Implemented Business

2 ting developed to continuity/Disaster
informati maintain and restore recovery plan
on business operations, (ISMS_Man_042)
security ensure availability of
continuity information within
the required level in
the required time
frame following an
interruption or failure
to business processes.
A.17.1. Verify, To ensure that the Yes Implemented Business

3 review Business continuity continuity/Disaster
and plans are tested recovery plan
evaluate regularly to ensure (ISMS_Man_042)
informati that they are up to
on date and effective.
security
continuity
A.17.2 Redundancies
A.17.2. Availabilit To ensure Yes Implemented Business

1 y of Information continuity/Disaster
informati processing facilities recovery plan
on are implemented with (ISMS_Man_042)
processin redundancy sufficient
g facilities to meet availability
[Type here]
Rev No. : 1
Date : 23-12-2019
requirements of the
organization
A.18 Compliance
A.18.1 Compliance with legal and

contractual requirements
A.18.1. Identificat To ensure all relevant Yes Implemented InformationSecurit

1 ion of statutory, regulatory, y_ Manual
applicable contractual (ISMS_Man_002)
legislation requirements and
and organizational
contractu approach to meet the
al requirements were
requirem explicitly defined and
ents documented for each
information system
and organization.
A.18.1. Intellectu To ensure there are Yes Implemented InformationSecurit

2 al procedures to ensure y_ Manual
property compliance with (ISMS_Man_002)
rights legislative, regulatory
and contractual
requirements on the
use of material in
respect of which
there may be
intellectual property
rights and on the use
of proprietary
software products.
A.18.1. Protectio To ensure important Yes Implemented InformationSecurit

3 n of records of the y_ Manual
records organization is (ISMS_Man_002)
protected from loss
destruction and
falsification, in
accordance with
[Type here]
Rev No. : 1
Date : 23-12-2019
statutory, regulatory,
contractual and
business
requirement.
A.18.1. Privacy To ensure privacy and Yes Implemented InformationSecurit

4 and protection of y_ Manual
protectio personally identifiable (ISMS_Man_002)
n of information is
personall ensured as per
y relevant legislation,
identifiabl regulations and if
e applicable as per the
informati contractual clauses.
on
A.18.1. Regulatio Additional Ciphering / No Not InformationSecurit

5 n of cryptographic Implemented y_ Manual
cryptogra algorithms are not (ISMS_Man_002)
phic used over the default
Controls ciphering /
Cryptographic
Algorithms that are
provided by the
vendors as per
regulations
prescribed by
applicable regulatory
bodies.
A.18.2
Information security
reviews
A.18.2. Independ To ensure the Yes Implemented InformationSecurit

1 ent organization’s y_ Manual
review of approach to (ISMS_Man_002)
informati managing information
on security, and its
security implementation, is
reviewed
[Type here]
Rev No. : 1
Date : 23-12-2019
independently at
planned intervals, or
when major changes
to security
implementation
occur.
A.18.2. Complian To ensure managers Yes Implemented InformationSecurit

2 ce with ensure that all y_ Manual
security security procedures (ISMS_Man_002)
policies within their area of
and responsibility are
standards carried out correctly
to achieve
compliance with
security policies and
standards.
A.18.2. Technical To ensure Yes Implemented InformationSecurit

3 complian Information systems y_ Manual
ce are regularly (ISMS_Man_002)
reviewed for
review
compliance with the
organization’s
policies and
standards.
[Type here]
Rev No. : 1
Date : 23-12-2019
[Type here]
RESTRICTED ISMS Roles , Responsibility and Authority
RECORD SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.1
DATE OF CURRENT VERSION 23RD, DECEMBER,2019
CIRCULATION ISSC TEAM AND PROCESS OWNERS
OWNER CISO

APPROVED BY
REVISION HISTORY

th
1.0 0 25 Feb, 2015 Initial
Whole record content reviewed and Agenda
2.0 0 30th Sep 2019
points applied.
Changes made in ISMS diagram and review ISSC
2.1 1 23rd Dec 2019
and Top Management.
Record Ref. No. ISMS_Man_005 Version No. 2.1

SYNERGY ISMS FORUM
Top Management
ISSC
CISO ISM & Members
Internal Audit Team Department Heads
System / Network Team

Administrator
End Users

These teams shall perform the operation of ISMS as per the responsibilities listed (not exhaustive).
Top Management
Top management demonstrates leadership and commitment with respect to the information security
management system by:
 ensuring the information security policy and the information security objectives are established and
are compatible with the strategic direction of the organization;
 ensuring the integration of the information security management system requirements into the
organization’s processes;
 ensuring that the resources needed for the information security management system are available;
 communicating the importance of effective information security management and conforming to
the information security management system requirements;
 ensuring that the information security management system achieves its intended outcome(s);
 directing and supporting persons to contribute to the effectiveness of the information security
management system;
 promoting continual improvement; and
 supporting other relevant management roles to demonstrate their leadership as it applies to their
areas of responsibility.
 Responsibility for conducting management reviews.
 ensuring that the ISMS conforms to requirements and assign reporting responsibilities in addition
to those listed
 Management has given the authority to each team to enforce the security in their area of work.
Authority
To take financial decisions on issues related to risk
Key skills & Competencies
 Understand the business

 Understand the business need for protection
 Understand the business 'impact' of violation
 Access to the ISMS roles & responsibly document
Training: Attendance to Classroom security awareness session – once in a year (preferable)

Certification: No certification required, should ‘lead’ the risk related decisions.
Information Security steering committee (ISSC)
Responsibilities of Information Security steering committee (ISSC)

 Review Information Security Management Systems
 Review the Information security policy
 Check effectiveness of security implementation of controls
 Analyze cost effectiveness of security implementation
 Review of Security Incidents
 Approval of Security initiatives
 Align changes in policy to new business and technology requirements
 Participate in BCP/DRP activities

 Review and take action on Non-compliance's raised through Internal Audits.

 Review policies and procedure
 Show improvement over effectiveness of implementation.
Chief Information Security Officer (CISO)
Primary Responsibility
 Maintains and updates an ISMS Vulnerability dashboard to keep track or organizational weakness
and present to the management for decisions. Decisions requiring implementation are tracked with
implementation team till closure. Vulnerabilities for which there are no action taken are reported
for residual risk approval to the top management.
 Enterprise project or program office – Verifies and performs risk assessment for any new
product/project/customer acquisition.
 Document Controller for all ISMS related documentation. Document owner is a separate role, CISO
is not necessary the document owner for all security policy/procedures, some of which are owned
by other departments such as IT, HR. Operations, legal, physical security, application development
and top management.
 Identification of new threats/vulnerabilities and reporting to relevant stakeholders in relation to
enterprise information risk.
 Responsible for reporting full or part of the ISMS performance on a monthly basis.
Coordination Responsibility
 Ensures policy objectives are met and responsible for supervision of records generated as per the
security operation.
 Information Security budget preparation and submission to top management for approval
 ISMS Annual program maintenance.
 Key point of contact for day-to-day security implementation/issues.
 Arranges for regular security audits as per management decision.
 Provides inputs to regular internal independent audits.
 Appoints Request for Comment (RFC) team for acceptance and adaptation of specific ISMS
documentation/records.
Authority
To create additional policy, procedure and metrics with respect to ISMS operation.
 Understand information assets.

 Understand information security including CIA.
 Understand ISO 27001 control requirement.
 Ability to interpret policy documents (internal and external) and explains to business 'how to
implement or demonstrate compliance'.
Training: Mandatory attendance to ISO 27001 clause interpretation sessions.

Certifications: preferable, not mandatory - ISO 27001 Lead Auditor, Implementation Training.
Information Security Manager (ISM)
Responsibilities of Information Security Manager (ISM)

 Coordinate installation, modification or replacement of any hardware or software component and
any configuration change that affects System security.
 Coordinate changes to functions or parameters System firewalls, routers and remote interfaces, in
coordination with the site support facility.
 Monitor System information security configuration and user access process to ensure secure
operation of the system.
 Coordinate site-specific, security-related issues between System sites and established interfaces.
 Communicate the information security policy and procedures to its System users.
 Verify that user accounts are deleted when notified of termination, resignation or retirement of
System users.
 Manage local security incident assessment and response.
 Coordinate incidents and security changes with the facility manager, computer specialist, and the
ISSC.
 Assume coordination responsibility for information security with physical site security
accreditation (including risk assessment) with coordination of the facility manager and the ISSC.
 Provide oversight and facilitate the enforcement of information system security directives, orders,
standards, plans, and procedures.
 Provide appropriate labelling guidance to System personnel for documents or files that identify or
describe System critical security functions or parameters.
 Coordinate within the guidelines the release of confidential or sensitive security System documents
and files to specific System users or to non-System personnel.
 Coordinate with appropriate investigation authorities and provide requested media, printouts or
written records of security incidents
 Periodic reporting to Chief Information Security Officer
 Identify and classify assets
 Identify threats and vulnerabilities to assets
 Evaluate security alarms and incidents reported
 Corrective Action
 Preventive Action
 Conduct threat and risk analysis
 Report any significant security violations to the Steering committee
 Cost implications of failure of critical assets
 Participate in BCP/DRP activities
 Responsible for the environmental aspects of a database. In general, these include:
 Recoverability - Creating and testing Backups
 Bring the database backward in time to its state at an instant of logical consistency before the
damage was done.

 Making database backups and storing them in ways that minimize the risk that they will be
damaged or lost
 Integrity - Verifying or helping to verify data integrity
 Security – Authorized users can access and change data as needed Defining and/or implementing
access controls to the data
 Availability - Ensuring maximum uptime
 Performance - Ensuring maximum performance given budgetary constraints
 Development and testing support - Helping programmers and engineers to efficiently utilize the
database.
 Periodic reporting to Chief Information Security Manager.
Training: Attendance to Classroom security awareness session – once in a year (preferable).

Certifications: preferable, not mandatory - ISO 27001 Lead Auditor, Implementation Training, ISO
27001 clause interpretation sessions.
System / Network Administrator
Responsibilities of System / Network Administrator

The System Administrator is responsible for supporting the day-to-day security. He reports directly to
the ISSM, who is responsible for the authorization process. He will assist the ISSM with the
implementation of the Information Security Policies and support employees regarding any security
issues.
The SOP are broadly based and meant to cover all work areas and locations. One of the key
responsibilities is the derivation of SOP specific to work area/location. Specific SOP must be approved
by the CISO.
Your main responsibilities are:
 Assisting with the Information Security Co-ordination
 Implementing Auditing and Accounting Procedures
 Asset Classification and Control
 Providing Security Advice for all Staff
 Implementing Security Incident Response Procedures
 Managing and Testing the Business Continuity Plans
 Assisting with Operational Change Control Management
 Implementing Information Security and Back-Up Procedures
 Assisting with the Network Security Management
 Assisting with the Access Control Policy and Privilege Management
 Managing Password Use
 Monitoring Systems Use
 Assisting with the Remote Access Management
 Conducting Spot Checks to Confirm Compliance with the ISPD
 Assist CISO in threat and vulnerabilities awareness
 Buying and approving peripherals for Synergy based on requirement.
 Setting up and deciding the overall design of organization’s computer systems.

 Maintaining user privileges on server resources

 Maximum uptime of servers
 Advanced planning of system shutdown.
 Periodic preventive maintenance of servers.
 Performing routine audits of systems and software.
 Performing offline backups and restorations.
 Making database backups and storing them in ways that minimize the risk that they will be
damaged or lost to company data.
 Applying operating system updates, patches, and configuration changes.
 Installing and configuring new hardware and software.
 Adding, removing, or updating user account information, resetting passwords, blocking accounts,
etc.
 Maintain and watch e-mail and password policy in place.
 Answering technical queries.
 Responsibility for security.
 Responsibility for documenting the configuration of the system.
 Troubleshooting any reported problems.
 System performance tuning.
 Insuring that the network infrastructure is up and running.
 Data classification maintenance and updation.
 Periodic Review of data classification and security for the team.
 Periodic reporting to Chief Information Security Manage.
 Maintain the hardware and software that comprises the network.
 Deployment, configuration, maintenance and monitoring of active network gear, switches, routers,
firewalls, etc
 Activities such as network address assignment, assignment of routing protocols and routing table
configuration as well as configuration of authentication
 Maintenance of certain network servers, VPN gateways, intrusion detection systems, etc.
 Network design and security, particularly troubleshooting and/or debugging network-related
problems.
 Coordinates voice network services, technical and maintenance support with outside service
providers.
 Creates and maintains logical, physical and protocol maps, and backups of all equipment
configurations parameters, and network documentation standards and procedures.
 Periodic reporting to Chief Information Security Officer.
Training: Attendance to Classroom security awareness session – once in a year (preferable)

Certification: No certification required, should coordinate in the risk related decisions.
Head of Department/Team
Head of department is responsible to ensure the following security processes (not exhaustive):

 Understand and owns security/compliance responsibility as distinctive from operational/revenue

generating responsibilities.
 Risk Owner: Each department head is owner of risks that are allocated to them. In ISO 270001 this
is distributed by the controls to the respective owner, from a formal document – Statement of
Applicability.
 Encourages team members to report security weaknesses or incidents relevant to any part of the
organisation.
 First point of contact within the departments for incident/weakness reporting. If a user has
reported an incident/weakness he/she can classify whether such weakness/vulnerabilities should
be escalated or not.
 Managers have the responsibility to conduct ‘self – assessment’ and report top management/ISMS
manager any deviation or risks. This can be policy gaps, technology gaps, and any other resource
requirement.
 Ensures that any information processing work has segregation of duties well entrenched in the
internal roles such that there is no opportunity of fraud, if applicable to the team or theprocess.
Authority
To inform management about any new risk/vulnerability.

 Understand the business need for protection.
 Understand the business 'impact' of violation.
 Access to the ISMS roles & responsibly document.
Training: Attendance to Classroom security awareness session – once in a year. Participates in any
control specific discussion/exercise related to the area.
Certification: No security certification required, should coordinate in the risk related decisions.
ISMS End-Users
 Complies to end-user policy/procedure, namely Acceptable Usage Policy, which provides

description of each user behavior with respect to information usage.
 Reports security weakness/incidents to either the head of department or the ISMS security
manager.
 End Users do not exploit known security weaknesses.
Authority
To report any new weakness/incident to the head of department/ISMS Manager.

 Ability to communicate any security weakness/incident to supervisors/reporting manager or ISMS
Manager/CISO.
 Ability to comply with end - user compliance requirements.
Training: Attendance to classroom awareness session.

Certification: No security certification required.

Internal Auditors
 Functions upon the directives of the top management/Security forum and carries out regular
review of ISMS, based on the defined scope.
 The individuals nominated should be impartial, who has no material benefit in the outcome of
Internal audit, positive or negative.
 Makes judgment on the effectiveness of the selected policies, procedures and records
 Reports internal audit findings to the top management and recommends preventive and corrective
action, and
 Reviews implementation of the audit findings
 Additional internal audit procedure on internal audit exists to support the role.
Authority
To raise non-conformity in any aspect of ISMS operation.
 Ability to make judgments about the 'intent, implement and effectiveness'.

 Pass a judgment and make a justification of the judgment
 Access to the ISMS roles & responsibly document
Training: Mandatory attendance to ISO 27001 clause interpretation sessions

Certifications: preferable, not mandatory - ISO 27001 IA, Implementation Training

RESTRICTED Antivirus Policy
Antivirus Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
DESIGNATION CISO
REVISION HISTORY
Whole content reviewed and changes

2.0 0 30th Sep 2019
applied.

1. Purpose
This policy aims to effective and efficient prevention of network virus outbreaks and network security
attacks involving computers associated with Synergy.
2. Scope
This policy applies to all the Synergy employees, contractors and third parties who have been provided
access to Network and Information at Synergy.
3. Policy
1 Anti-virus software should be installed on all the systems.
2 Automatic update features shall be configured on all systems.
3 All systems attached to the Synergy network must have standard, supported anti-virus software
installed. This software must be active, be scheduled to perform virus checks at regular intervals,
and have its virus definition files kept up to date.
4 Any activities with the intention to create and/or distribute malicious programs onto the network
(e.g. viruses, worms, Trojan horses, e-mail bombs, etc.) are strictly prohibited.
5 If an employee receives what he/she believes to be a virus, or suspects that a computer is infected
with a virus, it must be reported to the IT Team/ ISM immediately.
6 No employee shall attempt to destroy or remove a virus, or any evidence of that virus, without
direction from the IT department/ ISM.
7 The Anti-Malware solution shall also be configured to do the following
8 Scan for all files including compressed files up to 5 levels.
9 Clean the Malware detected automatically.
10 Quarantine/ Delete the infected file in case it cannot be cleaned.
11 Send an alert to the IS Custodian in case of any Malware not detected or cleaned and on detecting
any new virus breakout.
12 Anti Virus Solution shall be scheduled to run to scan for Malware at defined intervals.
13 A Centralized Anti-virus server shall be deployed to check all the incoming and outgoing SMTP
traffic through Internet.
14 Anti-Malware activities shall be centrally managed. Central monitoring and logging console shall be
deployed, to monitor the status of pattern updates on all the computers and to log the activities
performed on them.

15 All computers shall be configured to generate an alert at the central Anti Malware console.
16 USB ports shall be blocked by antivirus for LAN PC

17 NON-LAN connected devices USB shall be blocked by USB Blockers
18 Only approved serial numbers USB storage drive allowed as per Antivirus policy
19 For 3rd party separate PC without LAN connected kept in ships office for document
printing and a dedicated printer attached
20
4. Anti-Malware Software on Servers
1 Anti-Malware Solutions shall be installed on, all servers including domain Servers, file and
print servers, Internet proxies, email servers, application servers and Internet gateways.
2 All servers in test environment.
3 It should be updated regularly as and when new updates are released and should be invoked
at start-up and kept enabled all the time.
4 Floppies, CD/DVD’s and flash drives should be scanned prior to use.
5. Anti-Malware Software on Desktops
Anti-Malware software at desktop should be configured to:
1. Invoke automatically at the start-up.

2. Scan for viruses in memory, hard disk & floppies and other removable media.
3. Scan all incoming emails and the attachments.
4. Scan all downloads & Internet browsing by the users.
5. Scan all types of file extensions including compressed and executable files.
6. Scan any removable media as and when used.
7. IT department should ensure protection of the Anti- Malware Software settings with a
password, so that the user cannot modify them.
6. Antivirus Protection in Laptops
1. Besides installation of the Anti Malware Solutions on laptops with the above
configurations as in case of Desktop, the following needs to be ensured:
2. Updating the laptops with latest copy of anti-virus software on the move.

3. Laptops should be scanned for Malware Infections before connecting back to PHOTON
Network.
7. Gateway Level
Anti Malware solution should be configured at the entry point of the network to do the following
1 Scan for all files including compressed files sent as attachment in the incoming and
outgoing mail (SMTP traffic).
2 Clean the Malware detected automatically.
3 Delete the infected file to quarantine folder if unable to clean
4 Automatic Antivirus pattern update should be configured in the Software
5 Alert the Detection in the Central Console.
8. Maintenance/Updating of software
1. Malware Software signature files shall be kept up-to-date. The new virus pattern file
updating shall be immediate after the release of the signature and the Anti-Malware Server
should be configured to immediately push the updates to the clients.
2. Periodic audit on all the servers, users’ desktops and laptops shall be performed to ensure
that proper and latest version of virus engines and the definitions files are running and no
threat exists. Audit Frequency shall be 6 months.
3. Maintain Malware logs of the critical servers for at least 3 month to keep track of virus
activity.
4. The previous month’s logs shall be generated as reports and reviewed.
9. Containment and Managing of Virus incidents
1. All Viruses, Trojan and other Malware incidents should be reported by users to the IT
Team.
2. Malware-infected computers shall be removed from the network or placed in a quarantine
segment as soon as they are identified, until they are verified as virus-free.
3. Potential controls to reduce an outbreak and regain control of the environment shall
include:
 Shutdown of non-essential services.
 Disabling entry and exit points for viruses’ into/ from the network.
 Network filtering of vectors (such as http)
 Segregation of infected network sections.
 Disabling of services such as file sharing.
4. All virus detection incidents shall be logged, along with the action taken;
 Quarantine,
 Deletion or

 Successful cleaning.
5. Logs shall be maintained on the Centralized Anti-virus server.
 When critical vulnerabilities are announced for Application/system software, the
patches shall be applied quickly so that the window of exposure is very small.
10. User Responsibilities
1 Users shall be prohibited from changing the configuration of, removing, de-activation or otherwise
tampering with any Malware prevention / detection Software that has been installed on systems
used by them.
2 Users shall report all incidences of Malware (detected by the installed anti-Virus software)
immediately to the IT team.
3 Users shall ensure that exchanges of media with other organization are checked for Viruses and
Malware.
11. Policy enforcement

Management reserves the right to monitor the compliance to this policy. All reported incidents related to
malicious software should be reported to the ISM and acted upon based on this policy. All necessary
records (emails, etc) for demonstrating the compliance to the enforcement of this policy should be
retained as an audit trail.

RESTRICTED Application Security Policy
Application Security Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
DESIGNATION CISO
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
This policy aims to describe the proper security controls will be implemented for each application. These
controls will vary in accordance with the sensitivity and criticality of each application.
2. Scope
This policy applies to all the customized applications supporting business processes.
3. Policy
(a) A formal methodology or process is used to guide the development or maintenance of application
systems.
(b) Security requirements should be analyzed and documented as part of the business requirements
specification document.
(c) Application software development and maintenance are performed using a common set of
standards approved by the management to ensure consistency of development and maintenance
activities within the organization.
(d) Development staff is adequately trained and is familiar with a common set of standards,
technology and tools approved by management.
(e) Application systems are developed, modified and tested in an environment separate from the
production environment. Access to these environments must be appropriately restricted,
including segregation of duties between development/test environments and production.
(f) Application stakeholders keep and approve the application test plan. They conduct testing of the
application following the approved test plan, ensuring that it meets the defined and approved
requirements. The final test results are kept and approved by the application stakeholders.
Defects and/or deficiencies are to be corrected before production implementation.
(g) IT staff, along with the application stakeholders ensure that all pertinent information related to
the implementation of the new application is communicated to all interested parties prior to the
implementation date.
(h) All changes to the applications are performed as per the change control procedures.
(i) Application source code version control should be managed through automated systems such as
SVN, etc. These systems should be backed up as per the backup policy and procedure.
(j) Access to source code repositories should be controlled to prevent unauthorized access.
(k) Applications should be tested for security vulnerabilities. Reported vulnerabilities should be
mitigated as per the application change control procedures.

this policy should be reported to the ISM and acted upon based on this policy. All necessary records
(emails, etc) for demonstrating the compliance to the enforcement of this policy should be retained as an
audit trail.
5. References
a) Change management policy
b) Incident management policy
c) Backup and restoration policy

RESTRICTED Asset Management Policy
Asset Management Policy

Revision No: 0
Page 1 of 4
DOCUMENT SUMMARY
AUTHOR MR. KANNAN

CURRENT VERSION 2.0
OWNER CISO
APPROVED BY
DESIGNATION CISO
REVISION HISTORY

th
1.0 0 25 Feb, 2015 Initial
2.0 0 30th Sep 2019
applied.

Revision No: 0
Page 2 of 4
1. Purpose
This policy aims to protect the integrity and availability of all IT assets at Synergy.
2. Scope
This policy applies to all the Synergy IT assets.
3. Policy
a) Department head has approval authority for the procurement of all assets and services, and
approval must be granted prior to procurements.
b) Sourcing agreements for IT assets and services are approved by CISO. A copy of every such
agreement is maintained by Synergy and monitored for conformance.
c) Requests to procure assets that are unacceptable are subject to review and validation by CISO
prior to purchase.
d) ISM ensures that assets meet all applicable security requirements throughout their service life.
e) New products or services are introduced in conformity with the Change Management policy.
f) Inventory of all assets is maintained along with their ownership assigned to each of the newly
introduced assets.
g) A formal asset disposal process is used for assets that have exceeded their usefulness and are
deemed no longer necessary for corporate use.
h) The disposal process shall address the removal of corporate information from the asset.
i) Inventory of all assets (software and hardware) should be maintained by the Synergy IT
Department.
j) Acceptable usage of IT assets should be followed as per the acceptable usage policy.
k) All IT assets should be labelled as per the asset labelling procedure.
Management reserves the right to audit asset inventories to ensure compliance to the above mentioned
policy statements. Any non-compliance found during the audit would be reported to the management and
acted upon case to case basis.

Revision No: 0
Page 3 of 4
5. References
a) Asset Disposal Process
b) Change Management Policy

Revision No: 0
Page 4 of 4
RESTRICTED Backup & Restoration Policy
Backup & Restoration Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
The purpose of the Policy is to provide for the continuity, restoration and recovery of crucial business
data and systems.
2. Scope
The data backup section of this policy applies to all entities and third parties who use computing
devices connected to networks and users are responsible for arranging adequate data backup
procedures for the data held on IT systems assigned to them.
3. Policy
3.1 General
(a) Backup operations shall be performed regularly in accordance with business, legal, regulatory and
contractual requirements and as per the agreed backup plan maintained by the IT Team.
(b) Data backup strategy and data retention periods should be documented and validated with the
process owners of each business unit and respective business or contractual data retention
requirements. Retention periods should be defined for information.
(c) Backups are sent to an offsite storage facility on a regular basis to minimize the risk of data loss,
and are in accordance with the Business Continuity Plan.
(d) Backup media is stored both in-house/ locally and offshore locations. Removable media is
adequately labeled to enable data classification, identification, and traceability.
(e) Backup restoration exercises should be performed regularly to validate the integrity of the backed
up data from the backup media without risk to the data or business operations.
(f) Review of backup logs is performed daily to verify the successful completion of backup and/or
restore operations.
(g) It should be ensured that the media is regularly examined for readability of the data. The backup
media should be replaced immediately after encountering the error or at predefined time intervals
whichever is earlier.
(h) Rules for rotation of the media should be maintained by the IT team.
(i) The backup media must be appropriately labeled and numbered.
(j) Information to be backed up should be as follows:
i. File Server (includes departmental and individual data)
ii. Server Configurations (e.g. system state backups, etc)
iii. Network & Security Device Configurations (primarily during major IT changes)
iv. Business Applications, Source Codes & Databases (As applicable)

3.2 Backup Plan
3.2.1 Frequency of Backup
Following format is maintained by the ISM, which covers the details of the frequency of backup; backup
content & retention.
Device to be backed up Backup Frequency Backup Content Retention
3.2.2 User Responsibilities
The data on workstations and laptops should be backed up by the respective users on the network share/
file server.
 It is the responsibility of IT users to decide on the criticality, backup and frequency of backup of
the information with respect to the application systems managed by the user departments. The
IT users/ operations team should formally inform the ISM about any new applications and its
data to be backed up. Similarly, the ISM should be informed about discontinuing the backup of
the applications systems no longer in use at the unit.
 The IT Users are responsible for taking and maintaining the backup of all data residing on their
individual workstations, desktops and laptop computers. They should take help of the IT
department/ ISM for taking these backups on the selected backup media.
3.2.3 ISM/ CISO responsibilities
The ISM in consultation with CISO and individual departments or process owners should formulate plans
for revising the backup strategy on a periodic basis (e.g. quarterly or half yearly basis). Necessary
capacity planning should be done to accommodate all the backup information within the existing
infrastructure setup. Additional storage requirements should be identified and discussed with CISO and
Directors. In exceptional cases, ISM/ CISO also reserve the right to optimize the backup plan in line with
the capacity requirements.
3.3 For Exclusion
If any information that is no longer required to be backed up, the concerned Department Head/
Manager must send in an email to the ISM, giving details about the information that is to be
excluded from the backup. The backup operator must then be instructed to carry out the requested
action.

3.4 For Restoration
 The concerned user should make an application through an email/ ticket to their Department
Head/ Line Manager (stating the reasons for restoration) for approval of restoration of data. The
Department Head/ Line Manager should ensure that the user has the right to access the data
required for restoration prior to granting the approval.
 Upon receiving the authorization, the data should be restored by the System Administrator /
Backup Operator.
A log has to be maintained by the System Administrator / Backup Operator which should contain
date and time along with name of the person who required / requested for the restored data. The
Log should also include number of backup media used for restoration.
3.5 Backup Media
3.5.1 On-site Storage

On-site data back-up should be maintained in safe custody, inside the server room. The key to the
cabinet should be available only with Systems Administrator and the duplicate should be kept with the
CISO/ ISM for emergency use.
3.5.2 Off-site Storage
Off-site data back-up should be maintained at a location identified as an ‘off-site’ office location for
backup.
3.5.3 Off-site Backup Movement Register
The backup movement register for the backup media brought to and from the off-site location should
be maintained by the System Administrator / Backup Operator.
3.6 Restoration testing
 To verify the readability of backup media, mock restoration tests should be carried out at least
once in a year on the identified test servers. The restored data has to be checked for its
readability and usability.
 It should be ensured that the restored data is deleted after successful completion of testing.
policy should be reported to the ISM and acted upon based on this policy. All necessary records (emails,
etc) for demonstrating the compliance to the enforcement of this policy should be retained as an audit
trail.

RESTRICTED Capacity Management Policy
Capacity Management Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
Advance planning and preparation are required to ensure the availability of adequate capacity and resources
to deliver the required system performance. Projections of future capacity requirements should be made,
to reduce the risk of system overload.
2. Scope
This policy applies to all the employees, contractors and third parties who have been provided access to
Network and Information at the organization.
3. Policy
3.1 General
The policy of the organization is to ensure:
(a) All services required for the normal execution of business processes or supporting the
achievement of strategic business objectives are governed by the Capacity and Availability
Management policy.
(b) Information Security Organization defines the capacity and availability requirements of each
service, identified by the Process Owners as required for normal business operation or supporting
the achievement of strategic business objectives, reflecting both current and future business
requirements and with consensus of the process owners.
(c) ISM document, maintain and review the capacity and availability requirements of each service
identified. This could also be done with the help of monitoring tools.
(d) ISM allocates sufficient resources to meet, or exceed, the capacity and availability commitments
of each service identified.
(e) ISM reports to Process Owners and CISO on measured capacity and availability proactively.
(f) CISO & ISM remediates deficiencies in measured capacity and availability.
3.2 Capacity Planning

Major IT Asset acquisition should be guided by Capacity Planning. Capacity planning is the responsibility of
the Business process owners/ project managers. The business process owners should at the start of any
project consult with the ISM / CISO regarding the existing capacities and the new required capacities for
the projects.
The Systems Administrators should monitor the systems and capture the technical information. The data
collected must be in conjunction with the following:

 The Helpdesk personnel may be consulted to understand any complaints from users regarding
the degradation of performance of systems / applications.
 The Application Group must be consulted to gather information regarding the performance of the
servers under their purview.
 The Systems Administrator must provide a record of the identified performance indicators on
their respective servers.
3.3 Acquisition of Hardware

The Capacity Planning Documents/ Records should support the acquisition of major hardware systems.
Where necessary, hardware should be checked to ensure that they are compatible with other system
components. The routine hardware purchases would be as per the budgetary sanctions.
3.4 System Acceptance Criteria
An acceptance criterion for new critical information systems, upgrades and new versions should be
established by the IT team and suitable tests of the system carried out prior to acceptance. The IT team
ensures that the requirements and criteria for acceptances of new systems will be as per the requirements
stated in the related purchase order for the equipment. The following controls may be verified:
 Equipment configuration as per the purchase order placed.

 Operational requirements for the equipment as stated by the vendor.
 Confirm that installation of the new system will not adversely affect existing systems.
 To verify on the impact of the overall security of the company by the installation of the new
system/equipment.
 Training in the operation or use of new systems.
3.5 Maintenance of Hardware

Hardware maintenance refers to all activities involved in the upkeep, repair and review of hardware
resources after the installation in order to ensure proper functioning, correction of faults, improvement in
the performance and adaptation of the hardware in the IT environment.
Vendor Service Level Agreements should be defined and enforced during the provision of their services.

audit trail.

RESTRICTED Clean Desk Policy
Clean Desk Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
The purpose of this policy is to ensure that all protected information’s used in the Synergy Work Areas
are secured from the risk of unauthorized access, loss of, or damage during and outside normal working
hours or when areas are unattended.
2. Scope
This policy applies to all Synergy, contracted personnel and any third parties representatives who have
been provided access to the information assets of Synergy. This policy covers all the employees of
Synergy.
3. Policy
3.1 Secured Work Area
a. Documents classified as Confidential should be stored in locked cupboards when not in use,
especially beyond work hours.
b. Employees should not leave the documents or removable media that may contain business
information unattended.
c. Computer terminals should not be left logged and unattended. Users should lock the workstation
using Ctrl+Alt+Del key when they are not present in the work area.
d. All active application sessions should be terminated upon completion of the work.
e. Equipment, information in any form or software should not be taken off-site without authorization
from the Asset Owner.
f. Confidential/Restricted Information should not be left within Meeting Rooms

g. Any Information written on White Boards or Flip Charts shall be erased at the end of the
meeting.
h. Classified material should only be removed from the office when:
 the material is needed for a declared purpose

 the employee removing the material has specific permission

3.2 Printer
a. Confidential/ Restricted information should never be sent to a network printer, without an
authorized person retrieving it so as to safeguard its confidentiality during and after printing.
b. Documents when printed in the network printer should be cleared/collected by the user
immediately.
c. Printers used for the production of output having direct financial value or confidential information
must be kept in a secure location
3.3 Telephone & Fax
a. Following security safeguards will be observed by users when using Telephones and Fax:
 Identify the caller or the recipient destination

 Establish a clear need for the information asked
 Before sending information classified as Confidential & above, obtain prior approval from
Department Head.
 Fax machines should be protected in a secured area. In case of Common fax machines an
Owner should be identified for each Fax machine and the owner shall ensure that the
documents faxed are delivered to the appropriate person as soon as fax is received. The owner
should be made responsible for the information received till it is delivered to appropriate
person.
3.4 Photocopier
a. Personnel using photocopiers must ensure that the documents (both original, copiers and jammed
ones) are not left at the photocopier after the copying work.
b. Copying must be made only by persons with a need to know. Reproduced documents must bear
the same Security markings/classification as originals. When copies are made using outside
facilities, care must be taken to protect the information security.
c. When using the photocopiers employees will ensure that they do not make any copies of controlled
documents. Any such copies will be made after prior approval and authorizations from the
Department head.
3.5 Information Disposal
a. The information in Hard disks, Floppy disks and CD RWs should be completely erased before
disposal. In the case of CDROM disks, the CDs should be broken before disposing and Hard Disks
degaussed.

b. All documents in paper classified above ‘Public’ when disposed should be shredded to pieces
using Paper shredders.
Management reserves the right to monitor the compliance to this policy. All reported incidents related
to human resources should be reported to the CISO and acted upon based on this policy. All
necessary records (emails, etc) for demonstrating the compliance to the enforcement of this policy
should be retained as an audit trail.

RESTRICTED Cryptographic Controls Policy
Cryptographic Controls Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
The purpose of the policy is to ensure the customer information, message are concealed and protected
as applicable within the Synergy operations and while transmitting the information.
2. Scope
This policy applies to all data managed by synergy that are identified as protected information.
3. Policy
The policy of Synergy is to ensure:
(a) Before cryptography is employed, a business requirement must exist and exact functional
requirement must be identified.
(b) Encryption is used to conceal the content of the message where preserving the confidentiality of
customer information in electronic form is required during transmission.
(c) Where applicable, cryptographic methods and data encryption products, approved by CISO/ISM,
should be used in handling critical information that must be protected while in transit or at rest.
(d) Cryptographic methods and data encryption products, recommended explicitly by a regulators/
customers/ any other interested party shall be given highest priority.
(e) Necessary security controls should be considered in order to safeguard the interests of the
customer and Synergy such as protecting the encryption passwords and keys, wherever applicable.
E.g. physical/ logical access controls and awareness on secure handling of keys.
(f) Synergy shall use cryptographic controls in compliance with all relevant agreements, laws, and
regulations.
(g) When identifying the level of cryptographic protection following shall be taken into consideration:
a. Type/Quality of Algorithm/ encryption
b. Length of Keys
c. Export/Import Controls, if any
d. National regulations, if any
audit trail.

Customer Data & Information Handling
RESTRICTED
Policy
Customer Data & Information

Handling Policy

RESTRICTED
Policy
DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

RESTRICTED
Policy
1. Purpose
The purpose of this policy is to ensure all relevant legislative statutory, regulatory, contractual
requirements and the organization’s approach to meet these requirements are explicitly identified,
documented and kept up to date for each information system and the organization and to ensure
compliance with legislative, regulatory and contractual requirements related to intellectual property
rights and use of proprietary software products.
2. Scope
This policy applies to all employees who have access to customer data access, server access, data
handling and storage.
3. Policy
3.1 Customer Data Protection Policy
Customer data and server is considered essential, and its quality and security must be ensured to comply
with legal, regulatory, and administrative requirements. Authorization to access customer data and
server varies according to its sensitivity (the need for care or caution in handling). This policy sets forth
the Synergy Standards with regard to the handling of sensitive customer data.
3.2 Data Access and Server Access
a. Customer server access and information/data access should be given based on “need to know” or
“need to use” basis.
b. Only authorized users should access, or attempt to access, customer servers and information/data.
c. Authorization for access to customer servers and information/ data comes from the department head,
and is typically made in conjunction with an acknowledgement or authorization from the requestor’s
department head, supervisor, or other official authority.
d. User should access the customer data with proper valid authentication
e. Users should not access the customer servers from outside the Synergy's Network, if users need to
access the customer servers from outside the Synergy's network, they should connect Synergy's
network through VPN and then must use the customer servers.
f. User access to production servers and confidential/restricted data has to be authorized, use of such
data and servers shall be limited to the purpose required to perform the business task.
g. User access that is having access to “customer servers and information/data” shall be reviewed every
quarter by the Department Head.

RESTRICTED
Policy
h. Notification of a user’s termination or removal of authorized access to confidential/restricted

information/data must be conveyed immediately to the Customer.
i. Users shall respect the confidentiality and privacy of individuals whose information/data they access,
observe ethical restrictions that apply to the information they access, and abide by applicable laws
and policies with respect to accessing, using, or disclosing information.
3.3 Data Collection, Data Storage, Data Handling and Data Transfer
a. Users should collect only the minimum necessary customer information/data required to perform the
business task.
b. Users should not carry any customer provided information/data outside the Synergy, without prior
approval from the department head.
c. Users should not store customer provided information/data (Real data or Test data) beyond project
requirement in user’s desktops. If any users need to store beyond project requirement, they should
take approval from the department head or application owner and data has to encrypt.
d. Users are responsible to protect customer information/data from the misuse, theft or disclose to
unauthorized users, any third party or competitors.
e. Customer provided user “credentials” should not be stored in clear text format and shall be
encrypted.
f. Customer provided user “credentials” should be shared only with authorized group members and
should not be shared with different group members.
g. Department heads must ensure that all decisions regarding the collection, deletion and use of
customer data are in compliance with the law and with Synergy's Policy.
h. Confidential/ Restricted information must not be transferred by any method to persons who are not
authorized to access that information.
i. Users must ensure that adequate security measures are in place at each destination when
Confidential/ Restricted data is transferred from one location to another.
j. Confidential/ Restricted data must be protected from unintended access by unauthorized users.
k. Users must guard against unauthorized viewing of such information which is displayed on the user’s
computer screen.
l. Users must not leave Confidential/ Restricted information/data unattended and accessible.

RESTRICTED
Policy
m. Confidential/ Restricted information/data must not be taken off-campus unless the user is authorized
to do so, and only if encryption or other approved security precautions have been applied to protect
that information.
n. Confidential/ Restricted data should not be transmitted through electronic messaging even to other
authorized users unless security methods, such as encryption, are employed.
o. Physical protection from theft, loss, or damage must be utilized for mobile devices that can be easily
moved such as a PDA, thumb drive or laptop.
p. Physical protection must be employed for all devices storing restricted data. This shall include physical
access controls that limit physical access and viewing, if open to public view when not directly in use,
office, lab, and suite doors must be locked and any easily transportable devices shouldbe secured in
locked cabinets or drawers.
q. Users of lap-top and other mobile computing devices need to be particularly vigilant and take
appropriate steps to ensure the physical security of mobile devices at all times, but particularly when
travelling or working away from Synergy.
r. Synergy managed servers storing Confidential/ Restricted information shall be regularly scanned for
vulnerabilities, patched, and backed-up.
s. Systems (hardware and software) designed to store and transfer Confidential/Restricted

information/data require enhanced security protections and must be closely monitored.
t. Compliance with this customer data protection policy is the responsibility of all members of the
Synergy; Violations of this policy are dealt with seriously and include sanctions up to and including
termination of employment. Users suspected of violating these policies may be temporarily denied
access to Synergy and customer information/data during investigation of an alleged abuse. Violations
can also be subject to prosecution by state and Government authorities.
to Customer Data should be reported to the CISO and acted upon based on this policy. All necessary

RESTRICTED E-Mail Security Policy
E-mail Security Policy
Document Ref. No. ISMS_Man_014 Version No. .2.0

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
Revision History

2.0 0 30th Sep 2019
applied.

1. Purpose
The purpose of the policy is to ensure the security of emails in terms of their confidentiality, integrity and
availability. It is also to recommend security practices for designing, implementing, and operating email
systems.
2. Scope
This policy covers appropriate use of any email sent from a Synergy email address and applies to all
employees, vendors, and agents operating on behalf of Synergy.
3. Policy
3.1 General
 Email facility should be used only for business purposes.

 Emails shall be secured to preserve their confidentiality, integrity and availability.
 The email servers should be protected to ensure high availability. Necessary redundancy and
backup arrangements shall be done for better continuity purposes.
3.2 Planning and Managing Mail Servers
1. The mail server installation and deployment should be planned by identifying:

 the functions of the mail server.
 categories of information that will be stored on, processed on, and transmitted through
the mail server.
 security requirements of information/ emails.
 business continuity requirements.
 a dedicated host to run the mail server.
 network services that will be provided or supported by the mail server.
 users and categories of users of the mail server and determine privilege for each
category of user.
 user authentication methods for the mail server.
 security or privacy requirements for email address-related information.
2. An appropriate operating system shall be chosen for the mail server which has minimal exposure
to security vulnerabilities. The selected Operating System should also have the ability to:
 restrict administrative level activities to authorized users only.
 deny access to information on the server other than that intended to be available.
 disable unnecessary network services that may be built into the operating system or
server software.
 log appropriate server activities to detect intrusions and attempted intrusions.

3.3 Securing the Mail Server Operating System
1. Security patches and upgrades should be applied as and when they are released by the vendor.
These patches should be tested before being deployed on the production environment.
2. All unnecessary services and applications should be removed or disabled on the server.
 It is preferable to use separate hosts for Web servers, directory servers, and other
services.
3. User authentication mechanisms on the server operating system should be configured by:
 Removing or disabling unneeded default accounts and groups.
 Disabling non-interactive accounts.
 Creating the user groups for the particular computer.
 Creating the user accounts for the particular computer.
 Checking the organization’s password policy, and set account passwords appropriately
(e.g., length, complexity) .
 Installing any other security mechanisms to strengthen authentication.
4. Access controls to files, directories, devices and other resources of the mail server should be
configured appropriately.
5. Privileges for the use of system related tools should be limited to the authorized system
administrators only.
3.4 Securing Mail Servers and Content
Mail server application should be hardened appropriately

1. Mail server software should be installed on dedicated host.
 if Web-based mail access is desired, the mail server software should be installed on a
different host from the Web server.
2. A dedicated physical disk or logical partition (separate from operating system and mail server
application) for mailboxes (databases) and logs should be created on a separate server or the
mail boxes should be hosted on a separate server.
3. All services installed by the mail server application but not required (e.g., Web-based mail, FTP,
remote administration) should either be removed or disabled.
4. All unneeded default login accounts created by the mail server installation should either be
removed or disabled.
5. All test files or programs should be removed from the production server.
6. Wherever possible, apply hardening scripts to the server.
7. SMTP, POP and IMAP service banners (and others as required) should be reconfigured NOT to
report mail server and operating system type and version.
8. All dangerous or unnecessary mail commands (e.g., VRFY and EXPN) should be disabled.
Access controls for the operating system and mail server should be configured appropriately
1. Limit the access of the mail server application to a subset of computational resources .
2. Limit the access of users through additional access controls enforced by the mail server, where
more detailed levels of access control are required.
3. Configure the mail server application to execute only under a unique individual user andgroup
identity with restrictive access controls.

4. Ensure the mail server is not running with system/administrator privileges .
5. Configure the host operating system so that the mail server can write log files but not read them.
6. Configure the host operating system so that temporary files created by the mail server
application are restricted to a specified and appropriately protected subdirectory.
7. Configure the host operating system so that access to any temporary files created by the
mail server application is limited to the mail server processes that created these files.
8. Ensure that the mail server cannot save files outside of the specified files structure dedicated to
the mail server.
9. Configure the mail server application so it cannot consume all available space on its hard drives
or partitions .
10. Limit the size of attachments that are allowed .
11. Ensure log files are stored in a location that is sized appropriately.
All the incoming as well as outgoing emails should be protected from malware
1. Determine which types of attachments to allow. Mail server should be configured accordingly.
2. Consider restricting the maximum acceptable size for attachments .
3. Determine if having access to personal email accounts from organizational computers is
appropriate .
4. Determine which types of active content should be permitted within email messages .
5. Centralized malware scanning mechanisms should be implemented either internally or outsourced
to a security vendor/partner (on the firewall, mail relay, mail gateway, and/or mail server) .
6. Install malware scanners on all client hosts .
7. Implement centralized content filtering.
8. Configure content filtering to block or tag suspicious messages (e.g., phishing, spam) .
9. Configure content filtering to strip suspicious active content from messages.
10. Take steps to prevent address spoofing, such as blocking emails from external locations using
internal “From” addresses.
11. Add a legal disclaimer to emails, if required .
12. Educate users on the dangers of malware and how to minimize those dangers .
13. Notify users when an outbreak occurs.
14. Configure mail server to block email from open relay blacklists or DNS blacklists, if required .
15. Configure mail server to block email from specific domains, if required.
16. Configure mail server to use encrypted authentication.
17. Configure mail server to support Web access only via SSL/TLS and only if such access is deemed
necessary.
18. Spam filter engine scan all outgoing / incoming mails and keep spam manager manages email
threats and spams
19. End users will be notified with spam notification
3.5 Implementing a Secure Network Infrastructure
3.5.1 Firewall configuration
1. Firewall should control all traffic between the Internet and the mail server.

2. Firewall should block all inbound traffic to the mail server except the necessary ports, such as
TCP ports 25 (SMTP), 110 (POP3), 143 (IMAP), 398 (LDAP), 636 (secure LDAP), 993 (secure
IMAP), and 995 (secure POP) .
3. Firewall should block known “blacklisted” networks or subnets, as identified by a trusted external
security response center.
4. Firewall should notify the network administrator or mail server administrator of suspicious activity
through an appropriate means.
5. Firewall should provide content filtering and malware scanning.
6. Firewall logs critical events.
3.5.2 Network Switch Configuration
1. Network switches should be used to protect against network eavesdropping.

2. Network switches should be configured in high-security mode to defeat ARP spoofing and ARP
poisoning attacks.
3.6 Securing Mail Clients
1. Apply all necessary patches to mail clients and web browsers

2. In the email client
 Disable automatic message preview
 Disable automatic opening of messages .
 Disable automatic loading of pictures in messages .
 Disable downloading and processing of active content (if appropriate).
 Enable anti-spam and anti-phishing features .
 Reconfigure portable mail clients, such as those on cell phones and PDAs, to
improve their security.
 Ensure protection of portable mail clients, such as requiring anti-virus software to be
installed and enabled .
 Limit access to VPN clients and other remote access applications on mobile devices, or
remove the clients/applications if they are not needed.
 Enable secure authentication and access.
 Disable ability of mail client to store username and passwords.
 Configure client to use encryption (TLS) for SMTP, POP, and IMAP communications
 Set restrictions on the selection of email addresses, such as ensuring they are unrelated
to user account names.
3. For Access to Web-based mail systems
 Configure Web-based mail access to only use 128-bit SSL/TLS connections.
 Make users aware of what they should do before granting them access to Web based
mail.
 An OTP will be generated every time Web based login need
 An OTP will be generated when password change need

3.7 Administering the Mail Server
3.7.1 Logging
1. All security events in the email server should be logged. The logs should be stored in a separate
partition in the server.
2. Logs should be protected from unauthorized access.
3. Logs should be reviewed by system administrators regularly.
3.7.2 Backups
1. Cloud Based mailboxes and always retain a copy of message policy enabled in O365 server
2. Litigation hold policy applied for all mailboxes which means always a copy available on server
even if users delete mails for client end
3.7.3 Incident Management
1. All incidents, whether suspected or actual should be reported to ISM and acted as per the
Incident Management Policy and Procedure.
3.7.4 Technical vulnerability management
1. Vulnerability assessment and penetration testing should be conducted periodically.
3.7.5 Remote administration
1. Use a strong authentication mechanism.

2. Restrict which hosts can be used to remotely administer the mail server by IP address or by
authorized users.
3. Use secure protocols (e.g., SSH, HTTPS) that can provide encryption for both passwords and
data.
4. Enforce the concept of least privilege on remote administration (e.g., attempt to minimize the
access rights for the remote administration accounts).
5. Change any default accounts or passwords for the remote administration utility or application.
6. Do not allow remote administration from the Internet unless mechanisms such as VPN are used .
7. Do not mount any file shares on the internal network from the mail server and vice versa.
4. User level security of emails
4.1 Prohibited Use
The Synergy email system shall not to be used for the creation or distribution of any disruptive or
offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual
orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who
receive any emails with this content from any Synergy employee should report the matter to their
supervisor immediately.

4.2 Personal Use
Using Synergy email resources for personal needs is not acceptable. Sending chain letters or joke emails
from a Synergy email account is prohibited. Virus or other malware warnings and mass mailings from
Synergy shall be approved by ISM before sending. These restrictions also apply to the forwarding of mail
received by a Synergy employee.
4.3 Monitoring
Synergy’s employees shall have no expectation of privacy in anything they store, send or receive on the
company’s email system. Synergy may monitor messages without prior notice. Synergy is not obliged to
monitor email messages.
4.4 Backup
Emails which are business critical or required by the business units/ managers should be retained as long
as they are required. Necessary backup arrangements should be made by the IT team. During exit of an
employee, this process should be governed under the exit process for all the exit employees.
 The responsibility for defining the backup requirements lies on the line managers.
 Restoration of these backups would be done based on request from the line managers.
4.5 Use of disclaimers
The following disclaimer shall be displayed on all e-mails send outside Synergy domain:
This email and any files transmitted with it are confidential and intended solely for the use of the individual
or entity to which they are addressed. Please notify the sender immediately by e-mail if you have received
this e-mail by mistake and delete this e-mail from your system. If you are not the named addressee you
should not disseminate, distribute, copy this e-mail distributing or taking any action in reliance on the
contents of this information is strictly prohibited.
5. Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including
termination of employment.
6. References
 Logical Access Control Policy

RESTRICTED Firewall Security Policy
Firewall Security Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
This policy aims to describe how the Firewalls will filter Internet traffic to mitigate the risks and possible
losses associated with security threats to the networks and information systems.
2. Scope
access to information or information processing facilities at Synergy.
3. Policy
A Firewall will be installed at any location of Synergy sitting at the perimeter of internal and public network.
This will ensure only authorized and pre-defined entries will be allowed into the internal network. Similarly,
outside public access will be permitted with restrictions (Content filtering service shall be enabled in the
firewall).
Firewall compromise would be potentially disastrous to internal network security. The IT Department will
adhere to the detailed procedures during configuration and subsequent use of firewall.
Firewall configurations shall be based on the following principle:
“Deny all and grant access to what is required”
3.1 General
3.1.1 Use of Firewall
All Internet activity must pass through Synergy Firewall installed on the network perimeter. All users
should be authenticated based on Source/Destination IP addresses and services at the gateway. All
Internet connections to and from the internal computers must be authenticated at the firewall. The
firewall connecting the internal network to the Internet should restrict all services except minimum
required for web browsing and to accomplish business requirements.
3.1.2 Remote Firewall Administration
 Any remote access over untrusted networks to the firewall for administration is not allowed at
Synergy.
 Firewall administration should be directly from the attached terminal from within Synergy LAN.
Physical access to the firewall terminal is limited to the System Administrator, Network
Administrator and ISM.
 All firewall administration must be performed from the local terminal - no access to the firewall
operating software is permitted via remote access.

3.1.3 Virtual Private Networks (VPN)
All VPN connections created at Firewall must be approved and managed by the ISM. Appropriate means
for distributing and maintaining login credentials must be established prior to operational use of VPNs.
3.1.4 Firewall Backup
 To support recovery after failure or natural disaster, backup of data files as well as system
configuration files must be done. The firewall (system software, configuration data, database files,
etc.) must be backed up during configuration change so that in case of system failure, data and
configuration files can be recovered.
 Another backup alternative would be to have another firewall configured as one already deployed
and kept safely so that in case there is a failure of the current one, this backup firewall would simply
be turned on and used as the firewall while the previous one is undergoing a repair. At leastone
firewall shall be configured and reserved (not-in-use) so that in case of a firewall failure, this backup
firewall can be switched in to protect the network.
3.1.5 Firewall Incident Handling
The firewall shall be configured to log all reports on daily basis so that the network activity can be
analysed when needed.
 Firewall logs should be examined on a daily basis to determine if attacks have been detected.
Critical, warning, alerts and information in the firewall logs should be carefully examined by the
network administrator and acted accordingly.
 The ISM shall be notified immediately of any security issue by email or other means so that he can
immediately respond to such incident.
 The firewall shall reject any kind of probing or scanning tool that is directed to it so that information
that is protected is not leaked out by the firewall. The firewall shall block all software types that
are known to present security threats to a network to better tighten the security of the network.
3.1.6 Restoration of Services
Once an incident has been detected, the firewall may need to be brought down and reconfigured. If
it is necessary to bring down the firewall, Internet service should be disabled or a secondary firewall
should be made operational - internal systems should not be connected to the Internet without a
firewall. After being reconfigured, the firewall must be brought back into an operational and reliable
state. In case of a firewall break-in, the network administrator is responsible for reconfiguring the
firewall to address any vulnerability that was exploited. The firewall shall be restored to the state it
was before the break-in so that the network is not left wide open. While the restoration is going on,
the backup firewall shall be deployed.

3.1.7 Revision/Update of Firewall Policy
Firewall security policies should be reviewed on a regular basis or whenever major changes are
incorporated in the Network or Firewall configuration. Change management procedure should be
followed for all such changes.
3.2 Firewall Security - Specific Procedures
3.2.1 User Accounts
Firewall should not be used as general-purpose server. The only user accounts on the firewall should
be those of the IT Administrators who have been authorized by ISM.
3.2.2 Network Trust Relationships
Connections will be allowed only with external networks that have been reviewed and found to have
acceptable security controls and procedures. All connections to approved external networks will pass
through Synergy firewall.
3.2.3 Documentation
The operational procedures for the Firewall and its configurable parameters should be documented,
updated, and kept in a safe and secure place. This ensures that if the responsible person resigns or is
otherwise unavailable, the backup administrator can read the documentation and rapidly pick up the
administration of the firewall. In the event of a break-in such documentation also supports trying to
recreate the events that caused the security incident.
3.2.4 Physical Security of Firewall
Physical access to the firewall must be tightly controlled to preclude any unauthorized changes to the
firewall configuration or operational status, and to eliminate any potential for monitoring firewall
activity. Synergy Firewall should be located in a controlled environment, with access limited to the IT
Administrators.
3.2.5 Upgrading the firewall
 The firewall software and hardware components should be upgraded with the necessary modules
to assure optimal firewall performance. The Administrator should be aware of any hardware and
software bugs, as well as firewall software upgrades that may be issued by the vendor. If an
upgrade of any sort is necessary, certain precautions must be taken to continue to maintain a high
level of operational security. To optimize the performance of the firewall, all vendor
recommendations for processor and memory capacities shall be followed.
 Hardware and software components shall be obtained from a list of vendor-recommended sources.
Any firewall specific upgrades shall be obtained from the vendor. FTP to a vendor's site should be
used for upgrades.

 The Administrator shall monitor the vendor's firewall mailing list or maintain some other form of
contact with the vendor to be aware of all required upgrades. Before an upgrade of any of the
firewall component, the Administrator must verify with the vendor that an upgrade is required.
After any upgrade the firewall shall be tested to verify proper operation.
3.2.6 Logs and Audit Trails (Audit/Event Reporting and Summaries)
Firewall capabilities for logging traffic and network events should be enabled. Firewall audit trail logs
should cover hardware and disk media errors, login/logout activity, connect time, use of system
administrator privileges, inbound and outbound e-mail traffic, TCP network connect attempts and in-
bound and out-bound proxy traffic type.
3.2.7 Roles and Responsibilities related to Firewall Administration
 All connections from Synergy network to external networks must be approved by the ISM
 Regular review of Audit trails and system logs for external network connections.
 The firewall's system integrity database shall be updated each time the firewall configuration is
modified. System integrity files must be stored on file servers or off-line storage.
 The Administrator must evaluate each new release of the firewall software to determine if an
upgrade is required. All security patches recommended by the firewall vendor should be
implemented in a timely manner.
 Periodic Upgrading of the firewall, firewall backup, Incident handling and restoration procedures
should be carried out.
this policy should be reported to the ISM and acted upon based on this policy. All necessary records (emails,
etc) for demonstrating the compliance to the enforcement of this policy should be retained as an audit trail.
5. References
 Log & Audit Trails Policy

 Change Management Policy

RESTRICTED License Management Policy
License Management Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
The purpose of this policy is that Synergy will maintain a track of all software that is installed on the
servers, workstations and laptops.
2. Scope
It shall be the policy of Synergy that each employee shall work diligently to prevent and combat
Computer Software Piracy in order to comply to intellectual property rights associated with computer
software.
3. Policy
3.1 Software Inventory
Synergy will have a centralized system to keep a track of all software that is installed on the servers
/ workstations. It is the responsibility of the IT Team / ITM to maintain this inventory.
The IT Team will maintain a log for the installation and un-installation of all evaluation software,
used at Synergy.
An approved list of software authorized to be used at Synergy should be evaluated against the
business and security requirements and published to the company employees. This list should
continue to evolve with changing business requirements.
Necessary capacity projections for procurement of new/additional licenses should be made well in
advance to avoid bottleneck situations and non-compliance to licensing agreements.
3.2 Software Copies

The IT Team is permitted to make a copy of licensed/ evaluation software CDs. Software that is
downloaded from the Internet may be written on to a CD. These CDs must not be distributed to the
employees or any third party for personal use. No employee shall make unauthorized copies of any
software.
3.3 Storage of Licenses

The License documents, copyrights agreements and the software media should be placed in a
secured location. Access to this location should be restricted to IT M / CISO and Top management
only.
3.4 Monitoring
The IT Team should monitor all servers and workstations for the software that are installed on them.
Any software found to be installed without proper authorization should be immediately uninstalled.

to human resources should be reported to the CISO and acted upon based on this policy. All

RESTRICTED Change Management Policy
Change Management Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
The purpose of the change management policy is to control the risks due to changes in the IT
Infrastructure.
2. Scope
This policy applies to all the changes related to critical IT Infrastructure.
3. Policy
(a) All IT services required for the normal execution of business processes, supporting the achievement
of strategic business objectives are governed by Change Management Policy.
(b) All requests to modify an IT service or the underlying technical infrastructure are submitted through
a formal Change Request Form and approved by CISO/ ISM and the Process Owner.
(c) A risk assessment appropriate to the size and complexity of the change request is performed and
documented in conformity with the approved risk assessment methodology.
(d) ISSM shall review and prioritize change requests identified as a high risk and monitor the overall
change process and provide feedback to CISO.
(e) CISO shall ensure that all security related risks are properly identified and mitigated by including
the Information Security Steering Committee in their Change Management process and procedures,
if it is found to be necessary.
(f) CISO communicates to all affected parties of the risk and impact of all change requests.
(g) CISO defines and ISM documents procedures to address emergency change requests, including
authority for authorizing such requests.
(h) Where ever possible, changes are developed and tested in an environment separate from
production environment.
(i) All changes to IT services are approved by the process owners prior to implementation into the
production environment whenever possible.
(j) Backups of configuration, application, and data are performed, to the thoroughness warranted by
the identified risk of the change request, in order to restore the IT service to its previous functional
condition, if it is found to be necessary.
(k) For every change request, CISO identifies any supplemental training requirements for IT personnel
and end-users of the IT service. CISO ensures IT personnel are adequately trained to support the
affected IT service, or the underlying technical infrastructure. CISO forward end-user training
recommendations to business management, if it is found to be necessary.

to this policy should be reported to the ISM and acted upon based on this policy. All necessary records
(emails, etc) for demonstrating the compliance to the enforcement of this policy should be retained as
an audit trail.
5. Reference
Change Management Procedure

RESTRICTED Asset Disposal Process
Asset Disposal Process

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
DESIGNATION CISO
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Introduction
The standard depreciation time for computer hardware (viz., Desktop, Laptop and printers) is three
years. However even when it is fully depreciated, it is still an asset, so no item should be disposed of
without going through the full disposal procedure.
2. Purpose
This procedure is to define the practice of the disposal and data cleansing of computer Hardware
equipment.
As the equipment is typically owned by the originating purchasing cost centre is also responsible for
attracting the best disposal sale price as well as the removal of any proprietary information and software.
3. Background
IT equipment items must be disposed of according to IT Department procedures.
The PIPL must ensure that no equipment contains restricted, confidential, proprietary or other sensitive
information when sold or otherwise disposed. This includes any equipment being re-allocated to other
departments within the PIPL.
Computer software is provided by the PIPL for use on PIPL equipment by staff. It must be removed prior
to disposal of the equipment to avoid breach of copyright or software licensing agreements.
4. Procedure
4.1 Desktops and laptops
Cleansing Removal of PIPL Information: All equipment must have all PIPL related information removed
prior to disposal. This is to be done by physically reformatting any hard disks on the Desktops or laptops.
Where there is a large number of PC’s being disposed of and the media and OEM license is available,
then the operating system can be reinstalled after formatting. For individual disposals the PC will simply
have a C:\ prompt on start-up but with no operating system unless there is an explicit requirement for
the OEM licensed software to be reloaded.
Where the PC or Laptop is severely damaged, and cannot be operated to achieve the removal of
software, any storage media must be either removed and physically reformatted on another PC or
physically destroyed.
The PIPL must retain relevant documentation and licensed software media unless allowed by the license
conditions, for example, software used under a site license.
4.2 Server
Backup Information, as servers often contain data and information used by the whole PIPL community it
is vital to ensure that this is archived at the time the machine is taken out of production service.

Removal of Privacy protected information:
Any such equipment must have all privacy protected information removed prior to disposal. This is to be
done by physically reformatting any hard disks on the server. If the operating system software license
permits then the operating system can be re-installed.
Erase other non-volatile memory If a purchaser requires the presence of the operating system to verify
the working condition of the hardware, the operating system must be set to its original default
distribution state by removing all VU generated data, applications, personal files of users and cleaning of
selected files relating to passwords, groups, logs, mail boxes, print queues etc. After such a
demonstration, to maintain security of the network infrastructure, the disks must be erased.
Where the server is severely damaged, and cannot be operated, any storage media must be either
removed and physically reformatted on another machine or physically destroyed.
PIPL must retain relevant documentation and licensed software media unless allowed by the license
conditions.
Where required all disposals are to be recorded on the “Assets Disposal Register” and forwarded to the
responsible Finance Officer.
5. Definitions
5.1 Disposal is taken to mean
 Selling of equipment externally by the PIPL.

 Selling of equipment internally within the PIPL and PIPL including to staff.
 Trade-in of equipment to a vendor or supplier.
 Re-allocation of equipment within the PIPL.
 Donation of equipment whether the donation is internal or external to the PIPL or PIPL.
5.2 Equipment includes
 Desktops and laptops,
5.3 Servers
 Printers and Peripherals,

 Routers, Switches and hubs.
5.4 Key word
Equipment; Disposal; Cleansing; Assets; Expensed item; Capitalized item.

5.5 Policy
Where an external vendor or outsourced arrangement is in place that includes proper disposal of IT
equipment, the PIPL community is encouraged to take advantage of it.
6. Implementation Plan
The Information Technology Department will be responsible for the overall implementation of this policy.
6.1 Checklist for Cleansing Policy;
Schedule 1 - Checklist for Cleansing Policy
Asset Type:
Asset Description:
Number of Asset Units:
Asset numbers if relevant:

Person Performing cleansing:
PC/Laptop
Disks physically reformatted or destroyed.

Other non-volatile memory erased (e.g. cache)
All software media and documentation located
(OEM or similar) software re-installed
Equipment disposed
Servers
Information and data archived or backed up

Disks physically reformatted or destroyed.
Other non-volatile memory erased (e.g. cache)
All software media and documentation located
(OEM or similar) software re-installed
Equipment disposed
Printers
Note IP Address

User Name and password
Routers , Switches and Hubs
7. Point Of Contact
Chief Information Security Officer /Designated Authority

RESTRICTED Incident Management Policy
Incident Management Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
This policy aims to describe the requirements for dealing with information security incidents. Security
incidents include, but are not limited to: virus, worm, and Trojan horse detection, unauthorized use of
computer accounts and computer systems, as well as complaints of improper use of Information
Resources as outlined in the Email Policy, the Internet Policy, the Acceptable Use Policy, etc. associated
with Synergy.
2. Scope
This policy applies to all the Synergy Services, infrastructure, employees, contractors and third parties
who have been provided access to Information and Information Processing Facilities at Synergy.
3. Incident Classifications
All incidents are classified according to the following criteria. An incident may fit into more than one
defined type. A 'security incident' can be defined as any security related event that has an actual or
potential adverse effect on any computing resource or the data contained therein; or the violation of an
explicit or implied security policy.
3.1 Incident Types:
 Denial of Service: An incident by which authorized access to systems or data is prevented or

impaired. Usually a denial of service (DoS) incident is a security event if the DoS is due to
malicious intent. Not all events that prevent or hinder authorized access to systems or data are
security incidents. The mechanical, electrical, or administrative failure of a system or access
mechanism may not be a security incident.
 Unauthorized Access: An incident where unauthorized access is attempted or gained to
systems or data. This access can be logical or physical in nature. Unauthorized access is any
access for which permission has not been granted. Such permissions would include connect,
authenticate, read, write, create, delete, modify, etc. This unauthorized access can be by an
individual or another system.
 Inappropriate Usage: An incident by which acceptable use policies are violated. Acceptable
use policies may include what types of data may be accessed or transmitted, how information
may be accessed or transmitted, and where information may be received from or transmitted
to.
4. Policy
(a) ISSC shall formalize processes and procedures that are used to support the resolution of
Incidents.
(b) ISSC shall define procedures for Incident Management that ensures sufficient information is
recorded to ensure the effective execution of all related incident management procedures.

(c) CISO/ISM ensures the approved method, or methods, for reporting incidents are published and
made available to all end-users.
(d) CISO/ISM ensures analysis of incidents occurs on a periodic and regular basis to determine if there
exists a persistent and recurring defect in information processing facilities. If a persistent and
recurring defect found to exist, then a defect/ weakness will be recorded for resolution.
(e) CISO/ISM ensures all incidents reported or identified are prioritized for resolution based upon their
impact to the normal execution of business processes.
(f) CISO/ISM ensures the impact of incident on service performance or availability is made available
to the concerned people.
(g) CISO/ISM ensures the implementation of solutions is done in accordance with the Change
Management policy, wherever applicable.
(h) Refer Incident response plan for all process
this policy should be reported to the CISO/ISM and acted upon based on this policy. All necessary

RESTRICTED Incident Response Plan
Incident Response Plan

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
An Incident Response Plan provide a well-defined, organized approach for handling any potential threat
to computers and data, as well as taking appropriate action when the source of the intrusion or incident
at a third party is traced back to the organization. The Plan identifies and describes the roles and
responsibilities of the Incident Response Team. The Incident Response Team is responsible for putting
the plan into action.
2. Scope
This Plan applies to all the Synergy Services, infrastructure, and Incident Response Team. The Incident
Response Team act according to the plan when an incident is reported .
3. Incident Response Team

An Incident Response Team is established to provide a quick, effective and orderly response to
computer related incidents such as virus infections, hacker attempts and break-ins, improper disclosure
of confidential information to others, system service interruptions, breach of personal information, and
other events with serious information security implications. The Incident Response Team’s mission is to
prevent a serious loss of profits, public confidence or information assets by providing an immediate,
effective and skill full response to any unexpected event involving computer information systems,
networks or databases.
The Incident Response Team is authorized to take appropriate steps deemed necessary to contain,
mitigate or resolve a computer security incident. The Team is responsible for investigating suspected
intrusion attempts or other security incidents in a timely, cost-effective manner and reporting findings
to management and the appropriate authorities as necessary. The Chief Information Security Officer will
coordinate these investigations.
The Incident Response Team will subscribe to various security industry alert services to keep abreast of
relevant threats, vulnerabilities or alerts from actual incidents.
3.1 Incident Response Team Members
Each of the following areas will have a primary and alternate member:
 Chief Information Security Office (CISO)

 Information Privacy Office (IPO)
 Network Architecture & Operation Centre
 Operating System Architecture
 Business Applications
 Online Sales
 Internal Auditing

3.2 Incident Response Team Roles and Responsibilities
3.2.1 Chief Information Security Office
 Determines the nature and scope of the incident.

 Contacts qualified information security specialists for advice as needed.
 Contacts members of the Incident Response Team.
 Determines which Incident Response Team members play an active role in the investigation.
 Provides proper training on incident handling.
 Escalates to executive management as appropriate.
 Contacts auxiliary departments as appropriate.
 Monitors progress of the investigation.
 Ensures evidence gathering, chain of custody, and preservation is appropriate.
 Prepares a written summary of the incident and corrective action taken.
3.2.2 Information Operations Centre
 Central point of contact for all computer incidents.

 Notifies Chief Information Security Office to activate computer incident response team.
3.2.3 Information Privacy Office
 Coordinates activities with the Information Security Office.

 Documents the types of personal information that may have been breached.
 Provides guidance throughout the investigation on issues relating to privacy of customer and
employee personal information.
 Assists in developing appropriate communication to impacted parties.

 Assesses the need to change privacy policies, procedures, and/or practices as a result of the
breach.
3.2.4 Network Architecture
 Analyzes network traffic for signs of denial of service, distributed denial of service, or other
external attacks.
 Runs tracing tools such as sniffers, Transmission Control Protocol (TCP) port monitors, and
event loggers.

 Looks for signs of a firewall breach.
 Contacts external Internet service provider for assistance in handling the incident.
 Takes action necessary to block traffic from suspected intruder.
3.2.5 Operating Systems Architecture
 Ensures all service packs and patches are current on mission-critical computers.
 Ensures backups are in place for all critical systems.
 Examines system logs of critical systems for unusual activity.
3.2.6 Business Applications / Online Sales
 Monitors business applications / Online Sales and services for signs of attack.
 Reviews audit logs of mission-critical servers for signs of suspicious activity.
 Contacts the Information Technology Operations Centre with any information relating to a
suspected breach.
 Collects pertinent information regarding the incident at the request of the Chief Information
Security Office.
3.2.7 Internal Auditing
 Reviews systems to ensure compliance with information security policy and controls.
 Performs appropriate audit test work to ensure mission-critical systems are current with
service packs and patches.
 Reports any system control gaps to management for corrective action.
3.3 Incident Response Team Notification
The Information Technology Operations Centre will be the central point of contact for reporting
computer incidents or intrusions. The Operations Centre will notify the Chief Information Security
Officer (CISO).
All computer security incidents must be reported to the CISO. A preliminary analysis of the incident
will take place by the CISO and that will determine whether Incident Response Team activation is
appropriate.
4. Types of Incidents
There are many types of computer incidents that may require Incident Response Team activation.
Some examples include:

 Breach of Personal Information
 Denial of Service / Distributed Denial of Service
 Excessive Port Scans
 Firewall Breach
 Virus Outbreak
Breach of Personal Information - Overview

Definitions of a Security Breach: A security breach is defined as unauthorized acquisition of data
that compromises the security, confidentiality, or integrity of personal information maintained by us.
Good faith acquisition of personal information by an employee of our company for business purposes
is not a breach, provided that the personal information is not used or subject to further unauthorized
disclosure.
This Incident Response Plan outlines steps our organization will take upon discovery of unauthorized
access to personal information on an individual that could result in harm or inconvenience to the
individual such as fraud or identity theft. The individual could be either a customer or employee of
our organization.
In addition to the internal notification and reporting procedures outlined below, credit card companies
require us to immediately report a security breach, and the suspected or confirmed loss or theft of any
material or records that contain cardholder data. Specific steps are outlined in Appendix A. Selected
laws and regulations require the organization to follow specified procedures in the event of a breach
of personal information as covered in Appendix B.
Personal information is information that is, or can be, about or related to an identifiable individual. It
includes any information that can be linked to an individual or used to directly or indirectly identify an
individual. Most information the organization collects about an individual is likely to be considered
personal information if it can be attributed to an individual.
For our purposes, personal information is defined as an individual’s first name or first initial and last
name, in combination with any of the following data:
 Social Security number.

 AADHAR Number.
 PAN Number.
 Driver’s license number or Identification Card number.
 Financial account number, credit or debit card number* with personal identification number such
as an access code, security codes or password that would permit access to an individual’s
financial account.
 Home address or e-mail address.

 Medical or health information.

5. Securing Data
Data owners must identify and document all systems and processes that store or utilize personal
information on individuals. Documentation must contain system name, device name, file name,
location, database administrator and system administrator (primary and secondary contacts for each).
The business area and the IT development group must maintain the contact list of database and system
administrators.
Likewise, all authorized users who access or utilize personal information on individuals should be
identified and documented. Documentation must contain user name, department, device name (i.e.,
workstation or server), file name, location, and system administrator (primary and secondary contacts).
5.1 Data Owner Responsibilities
Data owners responsible for personal information play an active role in the discovery and reporting of
any breach or suspected breach of information on an individual. In addition, they will serve as a
liaison between the company and any third party involved with a privacy breach affecting the
organization’s data.
All data owners must report any suspected or confirmed breach of personal information on individuals
to the CISO immediately upon discovery. This includes notification received from any third party
service providers or other business partners with whom the organization shares personal information
on individuals. The CISO will notify the Chief Privacy Officer (CPO) and data owners whenever a
breach or suspected breach of personal information on individuals affects their business area.
6. Incident Handling
The CISO will determine whether the breach or suspected breach is serious enough to warrant full
incident response plan activation (See “Incident Response” section.) The data owner will assist in
acquiring information, preserving evidence, and providing additional resources as deemed necessary by
the CPO, CISO, Legal or other Incident Response Team members throughout the investigation.
1. Preparation: Preparation has to be completed before effective response to an incident can occur.
Different incident types require different preparation. For each incident response, several things need to
be in place prior to the occurrence of an incident such as: contact information and methodologies for
command staff and team members; facilities for meetings, work, storage, and other activities related to
the incident response; hardware and software tools needed for the recognition and handling of the
incident; as well as documentation and other knowledge bases needed for effective response to the
incident.
2. Detection and Analysis: First reports of an incident – may come from a customer complaint or
report, monitoring tools or other methods. At this step the incident is vetted for validity and categorized
for type and severity. Preliminary notifications and communications are established. Appropriated
response procedures, personnel, and tools are assembled.

3. Containment, Eradication, and Recovery: Based on the results of recognition, the proper
response procedure is implemented. Immediate steps are taken as appropriate to limit loss from the
incident. Evidence is preserved. Impact of this containment to customers and the enterprise is
communicated to those affected. A long term resolution of the incident is developed and implemented.
This step may include policy alteration or development, system redesign, introduction of new systems or
technologies, training, or other actions deemed necessary to permanently resolve an incident. As
necessary, systems are restored and brought back online, data is restored, and appropriate parties are
notified.
4. Post Incident Activity: Report of the incident from start to conclusion is finalized. Updated incident
response procedures, lessons learned, and documentation of any permanent changes to systems as a
result of the incident are generated. Incident data collected is analyzed to determine such things as the
cost of the incident in money, time, etc. Evidence retention policies and procedures are implemented
For the purposes of the Incident Response Plan, the following terms have been defined
 Access – The ability or the means necessary to read, write, modify or communicate
data/information or otherwise use any system resource.
 Access Control – The process that limits and controls access to resources of a computer system;
a logical or physical control designed to protect against unauthorized entry or use.
 Access Control Mechanisms – Hardware, software, or firmware features and operating and
management procedures in various combinations designed to permit authorized, and detect and
prevent unauthorized access to a computer system.
 Access Rights – Also called “permissions” or “privileges”, these are the rights granted to users by
the Organization. Access rights determine the actions users have been authorized to perform
(e.g., read, write, execute, create and delete).
 Consultant Security Official – The individual designated by the organization who is responsible
for the development and implementation of the policies and procedures.
 Application – A computer program or set of programs that processes records for a specific
function.
 Application Controls – These refer to the transactions and data relating to computer-based
applications whose purpose is to ensure the completeness and accuracy of records and the validity
of the entries in the records. Applications controls may be manual or programmed, and the
records and entries may result from both manual and programmed processing. Examples of
application controls include, but are not limited to, data input validation, agreement of batch totals
and encryption of data transmitted.
 Audit – A methodological examination and review of an organization implementation of Security
Policies and Procedures, including but not limited to SOC2, HIPAA, PCI, ISO 27001 ,etc
 Authentication – The corroboration that a person is the one claimed. Authentication is the act of
verifying the identity of a user and the user’s eligibility to access computerized information.

Authentication is designed to protect against fraudulent logon activity. It also can refer to the
verification of the correctness of a piece of data.
 Backup – Exact copies of files and data, and the necessary equipment and procedures available
for use in the event of a failure of applications or loss of data, if the originals are destroyed or
systems are not functioning.
 Business Continuity Plan – Also known as contingency plan. A document describing how an
organization responds to an event to ensure critical business functions continue without
unacceptable delay or change.
 Business Continuity Planning – Business continuity is the ability to maintain the constant
availability of critical systems, applications, and information across the enterprise.
 Data Owners – Individuals employed by organization, who have been given the responsibility for
the integrity, accurate reporting, and use of computerized data.
 Decentralized Procedures – Procedures that are developed, administered and implemented by

the Organization that are Area specific.
 Detection and Analysis - First reports of an incident, may come from a customer complaint or
report, a monitoring tool such as IDS or log, or other method.
 Disaster Recovery Plan – A documented plan that provides detailed procedures to facilitate
recovery of capabilities at an alternate site.
 Disaster Recovery Planning – Disaster recovery refers to the immediate and temporary
restoration of critical computing and network operations after a natural or man-made disaster
within defined timeframes. An organization documents how it will respond to a disaster and restart
the critical business functions within a predetermined period of time; minimize the amount of loss;
and repair, or replace, the primary facility to resume data processing support.
 Encryption – A technique (algorithmic process) used to transform plain intelligible text by coding
the data so it is unintelligible to the reader.
 Information Technology (IT) Resources – IT resources are tools that allow access to
electronic technological devices, or are electronic technological devices themselves that service
information, access information, or are the information itself stored electronically. These resources
include all state-supplied computers and servers; desktop workstations, laptop computers,
handheld computing and tracking devices; cellular and office phones; network devices such as
data, voice and wireless networks, routers, switches, hubs; peripheral devices such as printers,
scanners and cameras; pagers, radios, voice messaging, computer generated facsimile
transmissions, copy machines, electronic communication including email and archived messages;
electronic and removable media including CD-ROMs, tape, floppy and hard disks; external network
access such as the Internet; software, including packaged and internally developed systems and
applications; and all information and data stored on State equipment as well as any other
equipment or communications that are considered IT resources .
 Logical Access Control – The policies, procedures, organizational structure and electronic access
controls designed to restrict access to computer software and data.

 Malicious Software – Software, for example, a virus, designed to damage or to disrupt a system.
 Password – A protected, generally computer-encrypted string of characters that authenticate an
IT resource user to the IT resource.
 Preparation for Incidents - The time prior to the incident that is spent planning for a potential
event. For each incident response, several things need to be in place prior to the occurrence of an
incident such as: contact information and methodologies for command staff and team members;
facilities for meetings, work, storage, and other activities related to the incident response;
hardware and software tools needed for the recognition and handling of the incident; as well as
documentation and other knowledge bases needed for effective response to the incident.
 Preventive Controls – Controls designed to prevent or restrict an error, omission or unauthorized
intrusion to IT resources.
 Risk Analysis – An assessment of the potential risks and vulnerabilities to the confidentiality,
integrity and availability of IT resources.
 Risk Management – The process of identifying, measuring, controlling and minimizing or
eliminating security risks that may negatively affect information systems.
 Security Incident – The attempted or successful unauthorized access, use, disclosure,

modification, or destruction of information or interference with systems operations in an
information system.
 Unique User Identifier – A unique set of characters assigned to an individual for the purpose of
identifying and tracking user identity.
 Workforce Member (User of an Information Technology Resource) – Employees,

volunteers, trainees, and other persons whose conduct, in the performance of work for a covered
entity, is under the direct control of such entity, whether or not they are paid by the covered
entity.
Roles & Responsibilities
1) Lead/ Head /Commander (Incident Management Team)
a) Incident Commander/Lead - Management level person(s) with the authority to make high level
decisions and approve actions to be taken by the incident response team.
b) Information Officer – Person who disseminates public and non-sensitive information to interested
parties.
c) Liaisons – Persons who are the point of contact for other governmental and non-governmental
agencies and organizations.
d) Safety Officer – Person who monitors incident operations and advises on matters related to
operational safety.
e) Legal - Advises incident command on legal matters

2) General Staff
a) Operations staff – responsible for the functional aspects of the incident command structure
i) Operations Chief and deputies
 Directly manages all incident tactical activities
ii) Divisions, Groups, and Resources

 Group – Incident response team members responsible for functional aspects of IT
security policies, and procedures
(a) Group lead – oversees IT security group team members
(b) Security analysts and specialists – team members with incident analysis and
handling skills and experience.
(c) Security SME/Analysts
(i) Intrusion and Monitoring SME and Analysts – Person(s) with firewall, IPS, and
monitoring tool experience.
(ii) Forensic SME - Person(s) with systems analysis and forensic ability and
experience
 Network Group – Incident response team responsible for functional aspects of network
management
(a) Network group supervisor - oversees network group team members
(b) Network SMEs (local area networks, area specialists) – Persons with
experience and authorization necessary to manage affected local area networks.
 Database Group – Incident response team responsible for functional aspects of

database systems
(a) Database group supervisor – oversees database team members
(b) Database SMEs – person(s) with experience and authorization necessary to

manage affected database systems.
(i) Oracle
(ii) Microsoft SQL
(iii) DB2

 Platform Group – Incident response team responsible for functional aspects of server
and workstation platforms
(a) Platform group supervisor – oversees platform group team members

(b) Server Platform SMEs - person(s) with experience and authorization necessary to
manage affected server platforms
(i) Windows
(ii) Linux
(c) Workstation Platform SMEs - person(s) with experience and authorization

necessary to manage affected workstation platforms
(i) Windows
 Application Security Group - Incident response team responsible for functional

aspects of server and client applications
(a) Application group supervisor – oversees application group team members
(b) Web Application SMEs - person(s) with experience and authorization necessary to
manage affected web server applications
(c) Management Application SMEs - person(s) with experience and authorization

necessary to manage affected management information systems
(i) Antivirus
(ii) Patch Management
(iii) Email
(iv) Other incident affected applications

(d) Desktop Application SMEs - person(s) with experience and authorization
necessary to manage affected workstation based applications.
 Continuity of Operations Group – Team responsible for continuity of operations –

responsible for maintenance and implementation of disaster recovery and business
continuity procedures should they be necessary
(a) COOP planner

b) Planning staff
i) Planning section Chief and deputies
 Oversees all incident related data gathering and analysis regarding incident operations
and assigned resources, develops alternatives for tactical operations, conducts planning
meetings, and prepares the incident action plan for each operational period.
ii) Resources Unit – Team responsible for assuring that all assigned personnel and other
resources are available at the incident
 Resource Managers
(a) Human resource manager – responsible for human resource availability
(b) Equipment manager – responsible for equipment maintenance and availability
(c) Facilities manager – responsible for facilities maintenance and availability
iii) Situation Unit – Team responsible for collecting, preparing, organizing, processing, and
disseminating ongoing incident information
 Situation report specialist
iv) Documentation Unit – Team responsible for maintaining accurate and complete incident
records including major steps taken to resolve an incident. Also maintains and stores
incident information for legal, analytical, and historical purposes
 Incident documenters
v) Demobilization Unit – Team responsible for the creation and dissemination of an incident
wide demobilization plan.
 Demobilization planner
vi) Technical Specialists – Team responsible for advising other incident response personnel
on their respective areas of expertise, including but not limited to:
 Legal specialist
 IT specialists
 Medical / healthcare specialist

 Human resources specialist

 Environmental specialist
 Structural specialist
 Industrial hygienist
 Transportation specialist
c) Logistics staff – Responsible for providing all support needs for the incident.
i) Logistics Section Chief and deputies
 Responsible for all support needs for the incident, including coordination of procurement
for required resources, providing facilities, transportation, supplies, food service,
communications, and medical services for incident personnel.
ii) Supply Unit – Team responsible for receiving, storing, and processing all incident related
resources, personnel, and supplies.
 Supply specialist
 Human Resources specialist
 Procurement specialist
iii) Facilities Unit – Team responsible for set-up, maintenance, and demobilization of all
facilities used in the support of incident operations including food and water service,
sleeping, sanitation and showers, and staging.
 Facilities manager
 Facilities specialist
iv) Communications Unit – Team responsible for developing, implementing, and maintaining
a communication plan for the incident.
 Communications specialist
v) Food Unit – Team responsible for determining food and water requirements, developing
menus, ordering food, providing cooking facilities, cooking, serving, maintaining food service
areas, and managing food security and safety concerns.
 Food service specialist

vi) Medical Unit – Team responsible for developing an incident medical plan, providing medical
care, the transportation of sick or injured personnel, and tracking of incident personnel
patients.
 Medical specialist

d) Finance / Administration staff
i) Finance / Admin Chief and deputies

 Responsible for determining current and anticipated requirements for the establishment
of specific incident response units.
ii) Time Unit – Team responsible for ensuring proper daily recording of personnel time.
 Personnel time tracking specialist .

 Equipment time tracking specialist
iii) Procurement Unit – Team responsible administering all financial matters pertaining to
vendor contracts.
 Procurement (purchasing) specialist

iv) Compensation and Claims Unit – Team responsible for documenting and investigating
injury compensation claims.
 Injury compensation and claims specialist

 Human resource specialist
v) Cost Unit – Team responsible for cost analysis data for the incident. Also provides input on
cost estimates to the planning unit.
 Accountant

RESTRICTED Information Classification Policy
Information Classification Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
The purpose of this policy is to establish a framework for classifying and handling Synergy’s data based
on its level of sensitivity, value and criticality to the Organization.
2. Scope
This policy applies to all Synergy employees who create, modify, access, process, or store sensitive
organization data both in electronic and non-electronic formats.
3. Policy
(a) When an item of Data is created or procured by Synergy, it is classified using its Information
Classification Matrix mentioned in the Asset Management policy.
(b) Individuals with access to data processing facilities are properly instructed to contact the ISM for
instructions on current policy and protection requirements if they are unsure of how to properly
classify, or handle protectively marked data/information.
(c) Recipients of Data must handle it with due care and must respect the classification established by
the originator of the information.
(d) When handling customer or third party proprietary information, personnel understand any
differences in terminology with respect to how their information is classified, and affecting how the
data/information is to be handled or transmitted, to ensure that the information is protected to no
less than the same level as the customer’s or third party’s classification.
audit trail.

Restricted Internet Access and Security Policy
Internet Access and Security Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
This document defines the policy for security related to internet services at Synergy.
2. Scope
This policy applies to all the Synergy employees, contractors and third parties who have been
provided access to Network and Information at Synergy.
3. Policy
The policy of Synergy is to ensure the appropriate protection of Synergy’s information transmitted
over the Internet and through emails and to ensure proper availability of internet services for effective
continuity of business operations.
(a) Company employees are encouraged to use the Internet responsibly and productively. Internet
access is limited to job-related activities only and personal use is not permitted.
(b) Availability of internet is very critical for the continuity of business operations. To ensure continued
availability, all employees, who need internet access continuously during business hours, should be
provided with alternate mechanisms to access internet especially when the primary internet
connection in the office is unavailable. E.g. Data Cards
(c) All Internet data that is composed, transmitted and/or received by Synergy’s computer systems is
considered to belong to Synergy and is recognized as part of its official data. It is therefore subject
to disclosure for legal reasons or to other appropriate third parties.
(d) The equipment, services and technology used to access the Internet are the property of Synergy
and the company reserves the right to monitor Internet traffic and monitor and access data that is
composed, sent or received through its online connections.
(e) All sites and downloads may be monitored and/or blocked by Synergy if they are deemed to be
harmful and/or not considered to be valuable/productive to the business.
(f) The installation of software is restricted to authorized people only based on specific business needs.
Unacceptable use of the Internet by employees includes, but is not limited to:
(a) Access to sites that contain obscene, hateful, pornographic, unlawful, violent or otherwise illegal
material.
(b) Sending or posting discriminatory, harassing, or threatening messages or images on the Internet
or via Synergy’s email service.
(c) Using computers to perpetrate any form of fraud, and/or software, film or music piracy.
(d) Stealing, using, or disclosing someone else's password without authorization.
(e) Downloading, copying or pirating software and electronic files that are copyrighted or without
authorization.

(f) Sharing confidential material, trade secrets, or proprietary information outside of the
organization.
(g) Hacking into unauthorized websites.
(h) Sending or posting information that is defamatory to the company, its products/services,
colleagues and/or customers.
(i) Introducing malicious software onto the company network and/or jeopardizing the security of the
organization's electronic communications systems.
(j) Sending or posting chain letters, solicitations, or advertisements not related to business purposes
or activities.
(k) Passing off personal views as representing those of the organization.
to this policy should be reported to the ISM and acted upon based on this policy. All necessary records
an audit trail.

RESTRICTED Internet Usage Policy
Internet Usage Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Overview
Access to the Internet through Synergy is a privilege provided to only select personnel. Users granted
this privilege must adhere to strict guidelines concerning the appropriate use of this information
resource. Users who violate the provisions outlined in this document are subject to disciplinary action
up to and including termination. In addition, any inappropriate use that involves a criminal offense will
result in legal action. All users are required to acknowledge receipt and understanding of guidelines
contained in this document.
2. Purpose
To define policies and procedures for access to the Internet through the company network
infrastructure. Appropriate use exposes Synergy to risks including virus attacks, compromise of
network systems and services, and legal issues.
3. Scope
This policy applies to all personnel with access to Internet and related services through the Company
network infrastructure. Internet Related services include all services provided with the TCP/IP
protocol, including but not limited to Electronic Mail (e-mail), File Transfer Protocol (FTP), and World
Wide Web (WWW) access.
4. Definition
Company: Referred to Synergy here
Blogging: Writing a blog. A blog (short for weblog) is a personal online journal that is frequently
updated and intended for general public consumption
5. Policy
5.1 Acceptable Use
 Access to the Internet is specifically limited to activities in direct support of official Company
business.
 In addition to access in support of specific work related duties, the Company Internet
Connection may be used for educational and research purposes.
 If any user has a question of what constitutes acceptable use he/she should check with their
supervisor for additional guidance. Management or supervisory personnel shall consult with the
Information Services Manager for clarification of these guidelines.

5.2 Unacceptable Use
 The Company, Internet access shall not be used for any illegal or unlawful purposes.
Examples of this would be the transmission of violent, threatening, defrauding, pornographic,
obscene or otherwise illegal or unlawful materials.
 Use of Company electronic mail or messaging services shall be used for the conduct of company,
business only. These services shall not be used to harass, intimidate or otherwise annoy another
person.
 The Company, Internet access shall be responsibly used for private, recreational or other non-
Company related activity.
 The Company Internet connection shall not be used for commercial or political purposes.
Use of the Company, Internet access shall not be used for personal gain such as selling access of
a Company user login. Internet access shall not be used for or by performing work for profit with
Company resources in a manner not authorized by the Company.
 Users shall not attempt to circumvent or subvert security measures on the Company's network
resources or any other system connected to or accessible through the Internet.
 Company users shall not use Internet access for interception of network traffic for any purpose
unless engaged in authorized network administration.
 Company users shall not download inappropriate software/other materials which can lead to
virus, spyware attacks.
 Company users shall not make or use illegal copies of copyrighted material, store such copies on
company equipment, or transmit these copies over the Company network.
5.3 Email and Communication Activties
 Company employees shall ensure all communication through Company e-mail or messaging
services is conducted in a professional manner. The use vulgar or obscene language is prohibited.
 Company users shall not reveal private or personal information without specific approval from
management.
 Users should ensure that e-mail messages are sent to only those users with a specific need to
know. The transmission of e-mail to large groups or messages with large file attachments should
be avoided.
 Electronic Mail is not guaranteed to be private. Messages transmitted through the Company e-
mail system or network infrastructure are the property of Company and are therefore subject to
inspection.
5.4 Blogging
 Blogging by employees, whether using Company’s property and systems or personal computer
systems, is also subject to the terms and restrictions set forth in this Policy. Limited and
occasional use of Company’s systems to engage in blogging is acceptable, provided that it is
done in a professional and responsible manner, and is not detrimental to Company policy and
interests.
 Company’s confidential Information policy also applies to blogging. As such, Employees are
prohibited from revealing any Company confidential or proprietary information, trade secrets or

any other material covered by Company’s confidential Information policy when engaged in
blogging.
 Employees shall not engage in any blogging that may harm or tarnish the image, reputation
and/or goodwill of Company and/or any of its employees. Employees are also prohibited from
making any discriminatory, disparaging, defamatory or harassing comments when blogging.
 Employees may also not attribute personal statements, opinions or beliefs to Company when
engaged in blogging. Employees assume any and all risk associated with blogging.
 Irrespective of using company infrastructure or otherwise, blogging, micro-blogging or posting of
short messages or status messages on social media sites or instant messengers, referring to
company confidential information is prohibited.
6. Security
 Company users who identify or perceive an actual or suspected security problem shall
immediately contact the Compliance Team.
 Users shall not reveal account password or allow another person to use their account. Similarly,
users shall not use the account of another user.
 Access to Company network resources shall be revoked for any user identified as a security risk
or a demonstrated history of security problems
7. Penalty
 Any user violating these policies is subject to the loss of network privileges and any other
Company disciplinary actions deemed appropriate.
8. Enforcement
 Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.

RESTRICTED Log and Audit Trail Policy
Log and audit Trail Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
The purpose of this policy is to record the activity or “audit trail” of system and application processes at
Synergy for monitoring purposes.
2. Scope
access to Network and Information at Synergy.
3. Policy
Logs and Audit trails are a means of recording a user’s or system activity as it happens. This helps in
tracing out system generated faults or errors that are caused by users. However, logs and audit trails
do not prevent the events from occurring. If publicized as an on-going security practice, this may deter
the misuse of system resources.
3.1 Auditing
Auditing is a means of tracing the activities carried out by users and application events. Operating
systems, applications, databases must be configured to audit the transactions that meet exception
criteria. It must be ensured that these transactions are completely and accurately highlighted.
Adequate audit trails shall be captured and certain information that is needed to determine sensitive
events and pattern analysis that would indicate possible fraudulent use of the system (e.g. repeated
unsuccessful logons, access attempts over a series of days) shall be analysed.
This audit trail must include information as who, what, when, where, and any special information such
as
 Success or failure of the event

The system administrator, database administrator and network administrator should identify the events
and activities that are to be audited and logged.
3.1.1 Who to log
Any user who is carrying out critical activities or is accessing systems that hold sensitive information
must be identified and tracked.
3.1.2 What to log
The following logs may be monitored -
 Logs of system activity.

 Log of user’s access.

 Logs for Network monitoring.

 Logs of Server Performance Monitoring.
 Logs of antivirus activities.

 Logs of regular backup.
3.1.3 When to log
The ISM will define the period for which auditing needs to be enabled on a system.
3.1.4 Where to log
Auditing and logging for the identified events and activities should be enabled on
 Domain Controller
 Critical Servers (E.g. Email, ERP, etc)

 Firewall
 Network Devices
 Databases
Proper selection of audit events requires a careful balance between capturing all the information that
may provide clues to user actions and system performance.
If too many events are captured, system performance may be too slow and the audit logs will be
larger. If enough events are not captured, a critical piece of information required to identify an event,
attacker, or even to notice a system break-in may be missed.
3.1.5 User/process activities to be audited include
 User ID
 System login/logoff
 Successful sign-on by authorized users and failed sign-on attempts
The specific list of events to be audited will depend on the security requirements that get identified
during the system setup process as defined in the operating system security policy. At a minimum, the
system should audit all user logins and any privileged activities.
3.1.6 Database Logs
Following factors should be considered for logging the application systems.
 The database log should record the user ID of the operator and the type of transaction
executed at the database.

 Audit trail report should indicate the evidence/information of unauthorized access.
3.1.7 Operating System Logs
The following event can be captured on an operating system
 Successful and rejected system events.
 Successful and rejected account management.

 Successful and rejected logon events.
 Successful and rejected policy changes.
3.1.8 Logs of Network devices
Firewall Logs:
 Host operating system log messages
 Changes to network interfaces (If Facility Available)

 Changes to firewall policy
 Addition/deletion/changes of administrative accounts

 Unauthorized Access
 Inbound and Outbound packets which have been dropped
3.1.9 CCTV Footages
 CCTV footages are retained for 1 Month.
3.2 Audit trail Protection

Audit trails must be protected from unauthorized access and modifications. In the event of a security
breaches that has been logged as an audit event, care must be taken to protect the evidence.
3.3 Audit trail Retention

Audit trails shall be kept for a minimum period of 24 months, in either hard copy or electronic form. Records,
whichare of legal nature and necessary for any legal or regulation requirement or investigation of criminal
behaviour, shall be retained as per requirements of law.

3.4 Log and Audit Controls

Controls should be implemented so that operational problems do not occur with the logging facilities. It
should be ensured that unauthorized changes are not made to the logging facilities and to the logs. The
following should be considered and ensured.
 Logging facilities are not deactivated.
 Message types that are recorded are not altered.
 Log files are not edited or deleted.
 Log file media do not get exhausted, fail to record events and over write itself.
3.5 Audit review

Automated or manual procedures shall be used to monitor and promptly report all significant security
events, such as accesses, which are out-of-pattern relative to time, volume, frequency, type of information
asset, and redundancy.
Other areas of analysis include -
 Significant computer system events (e.g. configuration updates, system crashes)
 Security profile changes.

 Actions taken by computer operators, system administrators, system programmers, and/or
security administrators.
The manual reviews will be conducted on a periodic basis and a report of the findings must be sent to
the ISM/CISO.
All events that indicate a security breach must be acted upon as per the incident management policy.
audit trail.

RESTRICTED Logical Access Control Policy
Logical Access Control Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
This policy aims to describe authentication, authorization and accountability in Information Systems by
the employees.
2. Scope
This policy applies to all the Synergy employees who have been provided access to information or
information processing facilities at Synergy.
3. Policy
3.1 General
“Access to the information and business processes shall be controlled on the basis of business and
security requirements”
Access given to all Synergy information resources should be restricted and governed by the principle of
‘least privileges’
Access privileges shall be granted based on ‘authorized to know’ and ‘need to know’ basis.
Periodic reviews of access rights shall be conducted to ensure the above principles are adhered.
All unauthorized/ unwanted access privileges should be revoked upon discovery/ detection or
notification.
Acceptable usage policy plays a critical role in the overall success of security architecture and
organization. Management shall ensure that this policy is followed across the organization without any
exceptions. IT team shall organize surprise checks to ensure compliance and any violation shall be dealt
with strongly.
Access control arrangements should:
 Cover access by all employees, contractors or third party personnel

 Cover information, application / system software, network.
 Restrict access in line with specific access control policies set by business ‘owners’.
Access control arrangements should provide technical mechanisms to:
 Restrict the system functionalities that can be accessed.

 Prevent users from gaining access to system prompts.
 Minimize the need for special access privileges such as local admin rights.
 High-level administration activities should be limited to domain administrators only

3.2 Access rights granted to Third Parties
 Access given to third parties for Synergy’s information resources should be restricted and governed
by the same principle of ‘least privilege’ and ‘need to know’ basis. The Synergy’s employee
coordinating with the respective third party consultants, engineers, vendor’s representatives etc.
are responsible for justifying and authorizing the access rights granted to third parties.
 Remote connectivity from third party representative’s office to Synergy’s network should not be
allowed without permissions from CISO or ISM.
 Access rights to the external agencies should be formally granted and monitored. The relevant
rights should be revoked once the required assignment is over. System Administrator should review
activity logs generated at the System level to monitor activities performed by such external
agencies.
an audit trail.
5. References
 Logical Access Control Procedure.

RESTRICTED Mobile Computing Policy
Mobile Computing Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
The policy of Synergy is to ensure that all the Laptops/ mobile computing equipment and the
information on those systems shall be protected from theft, mishandling and environmental threats.
2. Scope
This policy applies to all mobile computing equipment including laptops, PDAs, Smart phones, etc.
3. Policy
(a) The physical and logical controls that are available within Synergy environment are not
automatically available when working outside of that environment. There is an increased risk of
information being subject to loss or unauthorized access. Mobile computing users shall take special
measures (as per the guidelines given to them during the awareness sessions) to protect sensitive
information in these circumstances.
(b) Sensitive data stored on laptops and other mobile storage devices should be kept to a minimum to
reduce risk and impact should a breach of security occur.
(c) Loss of any mobile device containing sensitive data, or any other security breach, should be
reported immediately to ISM/CISO.
(d) Laptops and home personal computers should not be used for business activities without
appropriate security measures, including up to date security “patches” and virus protection.
(e) Sensitive information held on any mobile device must be securely erased before the device is
reassigned to another user or to another purpose.
(f) All the critical information contained in the laptop shall be backed up periodically with the help of
IT department as per the backup policy.
mobile computing devices should be reported to the ISM and acted upon based on this policy. All
5. References
 Backup Policy and Restoration Policy

Network and Telecommunications Security
RESTRICTED
Policy
Networks and Telecommunications

Security Policy

RESTRICTED
Policy
DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

RESTRICTED
Policy
1. Purpose
This policy aims to protect the confidentiality, integrity and availability of data and telecommunications
networks.
2. Scope
The scope of this policy includes network architecture, network security management, network
technology, email security, third-party network connection security, telecommunications security, and
wireless security.
3. Policy
In order to safeguard Synergy information system network, from various business and environmental
threats, systems and procedures will be developed and implemented for usage of telephones, facsimiles
and also by providing network security resources at a level that is appropriate for the nature of the data
transmitted to protect all business data, related application systems and operating systems software
from unauthorized or illegal access. In order to determine the appropriate level of security, data
owners whenever required should perform a risk analysis on the data transmitted every time the nature
of the data changes significantly.
3.1 Network Design
Networks should be designed in conformance with sound disciplines.
The network should be designed to:

 Be compatible with other networks used by the enterprise
 Cope with foreseeable developments in the enterprise’s use of IT (such as by performing
growth projections and adopting open / proprietary standards).
The design of the network should:
 Incorporate coherent technical standards, support consistent naming conventions and

comply with statutory and industry regulations
 Incorporate distinct sub-networks, protected by rule-based traffic filtering, for example
using firewalls
 Minimize single points of failure and the number of entry points into the network
 Allow the network to be remotely configured
 Enable network management reports and audit trails to be maintained.
Network design should take care of users’ service requirements. The IT Department should prepare,
update and maintain the diagrams showing the entire network connectivity in Synergy.

RESTRICTED
Policy
Networks should be segregated into VLANs based on the business and security requirements Sensitive
systems within the network should be isolated in a separate environment.
De-Militarized Zones should also be considered for securing the network.
3.2 Network Connectivity
3.2.1 Control of Local System Control Utilities
Access to local system control utilities (e.g. Remote desktop control software, Batch Files, Unix Scripts
etc.) should be controlled. These utilities should be installed on local PCs and should be intended for
use by the Systems Administrator / help desk to assist end-users resolve problems. Access to the
utilities should be limited to Systems Administrator / authorized helpdesk support personnel only. They
should only be used after IT team has informed the user of this capability.
3.2.2 Use of Modem
Synergy does allow use of Modems within Synergy Network. All data communication should occur
through the installed leased lines only.
3.2.3 Dial-In Authentication
Synergy does not allow any dial-in connection to its network.
3.2.4 Control of Dial-In Telephone Numbers
Synergy does not allow any remote connection to its network via dial in method. No modem servers
are implemented which can allow this type of communication.
3.2.5 Restrictions on Use of Remote Control Software
The CISO/ ISM should impose adequate security controls for protecting the network so that users
cannot attach hardware and install remote control communications software (software that allows a
remote user to dial into a PC attached to the network and issue commands from it as if it were attached
to the network itself). The use of personal communications equipment (modems, ISDN cards, etc.)
attached directly to personal computers with remote control software is strictly prohibited.
3.2.6 Disabling Default Network Equipment Passwords
All network equipment default passwords (e.g., routers) should be changed by the IT personnel, when
installed.
3.2.7 Authentication for external connections
External connections should be allowed only after proper authentication in the network.

RESTRICTED
Policy
3.2.8 Equipment identification in networks
All the equipments in the network should be uniquely identified within the network. Unauthorized
devices should not be assigned IP addresses prior to identification and authorization in the network.
3.3 Network Access
3.3.1 Policy on use of network services
All unwanted and unused ports/ services/ functionalities should be disabled on the devices. Enabling
network ports and services should be done through an authorization and approval process from CISO.
3.3.2 System Validation of User Required Prior to Access
Systems Administrator should require the operating system to validate each user prior to allowing
network access.
3.3.3 Use of Networks limited to Business Use Only
Synergy computers should be used for valid business reasons only. The protection of information
contained on Synergy networks is therefore the responsibility of the management and the activity and
content of user information on Synergy computer networks is within the scope of review by
management. To maintain the privacy of Synergy employees, Synergy networks should not be used
for personal and / or private information, unrelated to job functions.
3.3.4 Restrictions on Network Browsing
All employees should avoid accessing areas on Synergy networks for which they do not have a valid
business need. While networks are intended to share information, it is each user's responsibility to
exercise judgment over the information they access.
3.3.5 Firewall Required for Non-Public Data
 All hosts that run applications or contain data that are non-public should be isolated behind a
firewall from public external networks.
 All outbound traffic from Synergy India to external networks and vice-versa should pass through
a gateway (or firewall). The firewall should not serve as a general-purpose host or have features,
which weaken security (e.g., rlogin, etc.).
 Any connectivity to the external network should be authorized by the CISO.
 The firewall should be installed on gateway PC connected to Internet to control the Internet traffic
(outgoing and incoming) and allow only desired packets to pass through. The firewall should also
perform packet filtering to verify the source and destination IP address.

RESTRICTED
Policy
3.4 Network Operations and Monitoring
3.4.1 Use of Router Access Control Lists (for future use)
IT Personnel should use access control lists on routers. Access control list on all routers should be
defined and documented.
3.4.2 System Greeting Screen
A greeting on any external network connections should not be displayed until the user is authenticated
through a sign-on sequence that requires a unique user ID and password.
3.4.3 System Warning Message
A message should be displayed on all external network connections warning potential users that
unauthorized use is prohibited (e.g. Unauthorized access to the network is prohibited).
3.4.4 Authentication of Unattended File Transfer Processes
Software that performs unattended file transfer to or from other systems should be used to
authenticate the origin and destination file names as well as any user submitting the request unless
the information being transferred is classified as Public.
3.4.5 Logging of Events on Restricted Information Systems
Security-related event logging should be done for all system platforms and all applications, which
utilize restricted information.
3.4.6 Logging of Application/OS Activities
Wherever possible system platforms should have log file access controls enabled that restrict create,
write, and modify capabilities to the application or platform Operating System. Users and Systems
Administrator should be restricted to read-only access.
3.4.6.1 Overwriting Log Files
Important and critical log files should never be overwritten or deleted until they are backed up.
3.4.6.2 Activities to be logged
Wherever possible log files should record:
 Login failures
 Account lockouts

RESTRICTED
Policy
 All system or application administrator actions
 System or application start, stop, re-initialization (with user identity and time of action)
3.4.6.3 Frequency of Log File Review
Log files should be reviewed daily or not less often than log file rotation or overwrite.
3.4.6.4 Responsibility for Log File Review
The CISO/ISM is responsible for log-file review.
3.4.6.5 Provision of Log Files to CISO
Copies of log files and system administrator records should be provided to CISO upon request.
3.4.6.6 Access to Log-Files
Access to log files in both electronic and hard copy form should be limited as per “need-to-know”
basis.
3.4.6.7 Retention of Log Files
Log files should be retained for three months and copied to a disk for key systems like servers,
firewalls, application gateways, routers and other network devices.
(Refer: Log & Audit Trail Policy)
3.5 Network security monitoring
Monitoring of activity on the network environment should be performed using network-monitoring tools.
The system administrator should review the logs and reports generated by the network- monitoring tool
regularly and incidents, which cannot be resolved by him, should be immediately escalated to the CISO.
Availability and Capacity Monitoring is done for Critical Servers and all Network Devices.
3.6 Network Component Security
3.6.1 Identification and Restricted Use of Network Components
CISO/ ISM should ensure that all network components are uniquely identifiable and restricted for
their intended business function. This includes protection for all vulnerable points in the network.
Vulnerability Assessment and Penetration Testing should be conducted periodically to understand the
vulnerable points.

RESTRICTED
Policy
3.6.2 Control of Physical Access to Network Equipment
All network and server equipment including LAN-servers, routers, switches, hubs etc. should be
physically secured from unauthorized access by placing them in locked rooms and closets.
Access to such rooms should be provided only to IT personnel and other personnel on approval from
CISO.
3.6.3 Security of Cable and Line Facilities
All cable and line facilities for both voice and data should be located in secured areas. If the lines
cannot be secured, the personnel responsible for telecommunications should document the reasons
and submit them to the CISO/ISM.
3.6.4 Location of Terminals for Performing Critical Functions
Where technically feasible, access to highly sensitive processing functions should be secured by limiting
the terminals from which these functions should be executed and physically and / or logically restricting
these terminals. These terminals should be secured by physical (e.g., keyboard locks) and / or logical
(access control software) means when unattended.
3.7 Network Device Identification
3.7.1 Identification of Physical Component
The physical component and, where possible, the location of the logical access request should be
identified to the system being accessed. Devices may include terminals, lines, communication nodes,
controllers, remote processors and personal computers.
3.7.2 Identification of Communications Lines to System
Hardwired communication lines (e.g., network lines, telephone lines, etc.) should be catalogued and
uniquely identifiable to the system being accessed to facilitate the discovery of wiretaps. The network
diagram should be kept with the location and a copy should be sent to the CISO and ISM. Wherever
changes are made, they should be appended to the file.
3.7.3 Responsibility
 Network/Systems Administrator (at Server Room) is responsible for maintaining network and
telecommunication security controls of all data, applications and operating systems on the server.
 It is the responsibility of IT users at each location to rigorously follow the network and
telecommunication security policy. The IT users should formally inform the Systems Administrator
about any lapse on the network and telecommunication security either orally or immediately by
mail.

RESTRICTED
Policy
3.8 Voice Communications
When using the telephones, especially a speakerphone or public phone, to discuss sensitive information,
users will ensure that their conversations cannot be overheard. This is especially a problem in public
places such as railway platforms, airports etc. where people are attempting to conduct business and can
be overheard by many people.
human resources should be reported to the ISSC and acted upon based on this policy. All necessary
5. References
 Log & Audit Trail Policy
 Logical Access Controls Policy
 Change Management Policy

RESTRICTED Password Management Policy
Password Management Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
The purpose of this policy is to establish a standard for security of passwords.
2. Scope
The scope of this policy includes all personnel who have or are responsible for an account (or any form of
access that supports or requires a password) on any system that resides at any Synergy facility, has
access to the Synergy network, or stores any non-public Synergy information. This also includes all the IT
Infrastructure devices at Synergy.
3. Policy
3.1 Password Management
3.1.1 Confidentiality of Passwords
User passwords should remain confidential and not shared, posted or otherwise divulged in any manner.
3.1.2 Password Composition
Passwords should consist of at least one alphanumeric character with special character. The first alphabet
should be in upper case minimum 8 characters
3.1.3 Password Expiration
Passwords should expire within 45 days for domain login and 90 days for Email account, an OTP must be
generated for email password reset to users office mobile number Users would be prompted on their
individual systems on expiration of the passwords at least 5 days in advance. Additionally, the same
password should not be repeated within a cycle of 3 password changes.
3.1.4 Account Lockout
After 5 unsuccessful login attempts account shall be locked out. Subsequently user needs to raise a
request to the IT team for unlocking the account.
3.1.5 One Time Use of Initial Passwords
If the administrator provides a user with an initial password, the user should change it immediately after
the first time log – in to the system. (One-time password).
3.1.6 User Capability to Select Passwords
Users should be provided with the capability to change their password on the login interface (after
authentication).

3.1.7 Password Reset
User password resets will be performed when requested by the user, after verification of identity. The
‘Password reset request’ should be send by the user to the IT team. The new password should be a one-
time password. Only the individual to whom the user-ID is assigned should request for user password
reset. IT Administrators should be informed whenever a password is reset for a particular user. In case of
request for change of password sent through another user’s login ID, a copy of the mail needs to be sent
to the person whose password is being reset.
3.1.8 Screen Saver Password
All users should use the screen saver with password, which should be activated after a defined period of
inactivity i.e. 5 minutes.
3.1.9 Responsibility
It is the responsibility of IT users to rigorously follow the password security policy. The IT users should
formally inform the Administrators about any lapse on the password security either orally or by e-mail.
3.1.10 Password Security Configuration
Wherever possible systems/servers should be configured to enforce the above mentioned password
policy through automated techniques. E.g. GPO in Windows Active Directory.
The systems should:
a) enforce the use of individual user IDs and passwords to maintain accountability;
b) allow users to select and change their own passwords and include a confirmation procedure to
allow for input errors;
c) enforce a choice of quality passwords

d) enforce password changes
e) force users to change temporary passwords at the first log-on
f) maintain a record of previous user passwords and prevent re-use;
g) not display passwords on the screen when being entered;
i) store and transmit passwords in protected (e.g. encrypted or hashed) form.
3.1.11 Limitations
Wherever the system does not enforce the policy automatically, the users should be advised to change
the passwords manually.

3.2 Password Use Rules
3.2.1 Prohibition of Easy Guess Passwords
Users should be encouraged to create passwords that will prohibit easy guessing (i.e., passwords such as
spouse's first name, Children name, etc.).
3.2.2 Passwords should not be based on any of the following: (Best practices)
All users should ensure that they do not use any of the following to create their individual passwords, as
these are easily guessable by any person with malicious intent.
 Months of the year, days of the week or any other aspect of the date (like date of birth, date of
joining etc.)
 Family names or initials
 Vehicle registration numbers

 Employee No. / Employee Id or designations
 Project or department name or references

 Company names, identifiers or references
 Telephone numbers or similar all-numeric groups
 User ID, user name, group ID or other system identifier
 More than two consecutive identical characters

 All-number or all-alphabetic groups
3.2.3 General rules
 Users should keep passwords confidential

 Users should avoid recording passwords e.g. on paper, software file or hand-held devices
 Users should change passwords whenever there is any indication of possible system or
password compromise. They should also report such incidents to the IT team
 Passwords for privileged accounts should be changed more frequently than normal passwords
 Users should not save passwords on the browsers

 Users should not share their passwords with anyone else
 Users should not use the same password for business and non-business purposes
3.2.4 Password rule enforcement procedure

Set up specific password policies via GPO for Windows systems. Password complexity should be enforced
via group policies. Password minimum length should be 8 characters, with a forceful change after every
45 day cycle. Last 3 passwords should not be usable. The system should prompt wherever possible to the
user for expiring password at least 4 days in advance at logon.
3.3 Specific requirements
3.3.1 Storage of Data Base User Names and Passwords
 Database user names and passwords may be stored in a file separate from the executing body of
the program's code. This file must not be world readable.
 Database credentials may reside on the database server. In this case, a hash number identifying
the credentials may be stored in the executing body of the program's code.
 Database credentials may be stored as part of an authentication server (i.e., an entitlement

directory), such as an LDAP server used for user authentication. Database authentication may
occur on behalf of a program as part of the user authentication process at the authentication
server. In this case, there is no need for programmatic use of database credentials.
 Database credentials may not reside in the documents tree of a web server.
 Pass through authentication (i.e., Oracle OPS$ authentication) must not allow access to the
database based solely upon a remote user's authentication on the remote host.
 Passwords or pass phrases used to access a database must adhere to the password policy
3.3.2 Retrieval of Database User Names and Passwords
 If stored in a file that is not source code, then database user names and passwords must be read
from the file immediately prior to use. Immediately following database authentication, the
memory containing the user name and password must be released or cleared.
 The scope into which you may store database credentials must be physically separated from the
other areas of your code, e.g., the credentials must be in a separate source file. The file that
contains the credentials must contain no other code but the credentials (i.e., the user name and
password) and any functions, routines, or methods that will be used to access the credentials.
 For languages that execute from source code, the credentials' source file must not reside in the
same browseable or executable file directory tree in which the executing body of code resides.
3.3.3 Access to Database User Names and Passwords
 Every program or every collection of programs implementing a single business function must have
unique database credentials. Sharing of credentials between programs is not allowed.
 Database passwords used by programs are system-level passwords as defined by the password
policy

 Developer groups must have a process in place to ensure that database passwords are
controlled and changed in accordance with the password policy
 This process must include a method for restricting knowledge of database passwords to a need-
to-know basis.
4. Enforcement
termination of employment. Password cracking or guessing may be performed on a periodic or random
basis by the Information Security Department or its delegates. If a password is guessed or cracked
during these exercises, the user/owner will be required to change it.
5. Password Deletion
All passwords that are no longer needed must be deleted or disabled immediately. This includes, but is
not limited to, the following:
 When a user retires, quits, is reassigned, released, dismissed, etc.
 Default passwords shall be changed immediately on all equipment.
6. Password Protection Standard:

Do not share passwords with anyone,. All passwords are to be treated as sensitive and confidential
information.
 Don’t reveal a password over the phone to anyone.
 Don’t reveal a password in a mail message.

 Don’t reveal a password to the superior.
 Don’ talk about a password in front of others.

 Don’t hint at the format of a password (e.g., “my family name”).
 Don’t reveal a password on questionnaires or security forms.

 Don’t share a password with family members.
 Don’t reveal a password to a co-worker while on vacation.

 Don’t write passwords down and store them anywhere in your office.
 Don’t store passwords in a file on ANY computer system unencrypted.

7. Remote Access User:
Access to the other networks via remote access is to be controlled by using either a Virtual Private
Network or a form of advanced authentication (i.e., Tokens, Public Key Infrastructure (PKI), Certificates,
etc.).
8. Enforcement
termination of employment.

RESTRICTED Physical and Environmental Security Policy
Physical and Environmental Security

Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Objective
The objective of this policy is to ensure safety and security of Synergy information processing facilities.
2. Scope
access to information or information processing facilities.
3. Definitions/Glossary
Term/Abbreviation Definition/Expansion
Secured Areas Server Room, Records Room, Ups Room
Common areas Cafeterias, conference rooms
Eatables All kinds of edible food and liquids.
Mobile devices Laptop, Blackberry, Palmtop, Tablet Pc, Smart Phones, Mac Mini, MacBook
Pro
Media CD, Pen Drive, External Hard Disk ,Memory Card etc.
4. Policy
4.1 Physical Security Perimeter
 The security perimeter shall be clearly defined and will be physically sound.
 Project level physical security aspects shall be considered, if required.
 A manned reception area shall be established to control physical access.
 A manned Building Management System shall be established to monitor physical access.
 BMS room should monitor all entry and exit doors including fire exit and service doors.
 All fire doors on a security perimeter shall be access controlled and in case of fire alarm same will
open automatically.
 All windows of the entire premises are locked after office hours.
4.2 Securing Offices, Rooms And Facilities
 Buildings shall be unobtrusive and give minimum indication of their purpose, with no obvious
signs, outside or inside the building identifying the presence of information processing activities.

 Support functions and equipment shall be sited to avoid demands for access, which could
compromise information.
 Doors and windows shall be locked when unattended
 External protection shall be considered for windows, particularly at ground level.
 Suitable intruder detection systems shall be installed to cover all external doors and accessible
windows.
 Unoccupied areas shall be manned at all times. Security cover shall also be provided for other
areas, e.g. computer room or communication room.
4.3 Fire Policy
 Smoking is strictly prohibited inside the building.

 All employees are trained with evacuation process in case of fire / emergencies through regular
mock drill sessions.
 The general working environment shall appropriately be secure, such as ensuring lockable
cabinets, physical access control or security at entrance to/exit from work area.
 General safety equipment shall also be provided to assist in emergency such as fire extinguishers,
smoke alarms, etc.
 All general safety equipment should be tested on quarterly basis.
4.4 Information Processing Facilities
 A management authorization process for new information processing facilities shall be

established.
 New facilities shall have appropriate user management approval.
 Where necessary, hardware and software shall be checked for compatibility.
 The use of personal information processing facilities in the work place shall be assessed and
authorized.
 Equipment installation, maintenance and repair shall be restricted to authorized persons only.
 All changes in the facility and Physical Security should follow the change management process.
4.5 Physical Entry Controls
 Visitors are allowed into premises only after showing any Govt. issued Photo IDs at the reception.
After verification, Information is recorded in Visitors Register (Name, Date, In/Out Time, ID
Details, Purpose, Badge , Laptop, etc) and Visitor Badge & Visitor Slip are issued and diverted to
respective floor.
 All the visitors or vendor entering inside the premises need to be reminded by the Security
guards to ensure that they don’t carry any personal laptops, media or electronic devices inside
the premises. Any exception should be authenticated only by Location Head/Compliance Head.
 Prohibit items ie. Gun, Knife, Crackers, Petrol, Pepper spray, non-Synergy Laptops, External Hard
drive, Pen Drive, etc. are no allowed to carry inside Synergy facilities , security guard should
check all Baggage at entry doors to ensure it not contains any prohibited items.
 Visitor / Employee bags will be checked by security of each floor at the time of exit and ensure
bags does not contain any Synergy assets or Synergy Computing Peripherals like Memory Stick,

Hard Disks, Laptop ,Mac Machine, Tablets& Smart Phones etc which they are not authorized to
carry .
 Visitors will be educated by the security on what they should do in case of an emergency and to
get the sign off from the employee in the entry pass slip.
 Visitors shall be granted access for specific, authorized purposes only and their activities in
secured areas are supervised.
 Visitors are issued with instructions on the security requirements of the area and on emergency
procedures.
 For all the other visitors, the Front office executive/Security will call out the respective employee
to the reception for the meeting and ensure he/she is not getting inside the work area without
Synergy employee escort.
 All the employees should have access for all entry and exit doors.
 All personnel shall wear clearly visible Synergy ID card inside Synergy Premises.
 Tailgating a person or allow someone to tailgate is strictly prohibited and penalty will be levied
against the person tailgating. Punitive action will be taken if mistakes are repeated
 In case of tailgating, the concerned employee will be verbally warned by security team. Incident
will be raised in which employee will sign off for acceptance. If it is repeated, the same will be
escalated to HR by email for necessary action.
 Access to sensitive information and information processing facilities shall be controlled and will be
restricted to authorized persons only.
 An audit trail of all access shall be maintained.
 Employee can verify own access details through Access Log Tool.
 Access rights to secure areas shall be regularly reviewed and updated.
 Anyone coming as visitor for more than 3 days will require an approval from Synergy Location
head.
4.6 Physical Access Control
 Access will be provided only on need basis.

 The biometric access is mandatory for all employees.
 The biometric access exception should be approved by HR Head.
 Access will be controlled for all areas of the organization.
 No access will be provided by default. Any access to restricted sections of the organization shall
be provided by competent authorities.
 All critical and confidential records will be stored in a separate room.
 All computer server rooms are entry restricted. Only nominated personnel enter the server room.
Only authorized person having access to server rooms or other restricted areas can take a visitor
along with him or her.
 Security guards will have access to restricted areas which can be used only in emergency.
 Security guards will be posted round the clock on each floor. Entry has to be authorized to
srestricted areas by specific personnel be permitted. Entry in the register is mandatory
irrespective of the designation of the person concerned of company.
 Any visitors have to be authorized and escorted by Synergy employee/Security guard.
 Once an employee terminated / separated / resigned deactivation of access done immediately.
 Housekeeping or any other contractual maintenance staff shall be escorted by staff from IT
Department permitted into the secured area by the Access Control Card

 Security should verify the asset tag employee ID and carrier employee ID’s are should be same.
 If the employee is identified with unregistered personal belonging while exit, the respective
device/asset will be withheld by the Security and the same will be handed over subject to
verification, post approval from their functional head, Admin department and IT Department.
Electronic device like (Mobile Phones, VPN tokens provided by Client, Bluetooth hand free are
exceptional)
4.7 Equipment Sitting And Protection
 Equipment shall be sited to minimize unnecessary access into work place.

 Information processing and storage facilities handling sensitive data shall be positioned to reduce
the risk of overlooking during their use.
 Items requiring special protection shall be isolated
 Appropriate control shall be adopted to minimize the risks of potential threats including - Theft,
Fire, Explosives, Smoke, Water (or supply failure), Dust, Vibration, Chemical effects, Electrical
supply interference, Electromagnetic radiation
 Eating, drinking and smoking in proximity of information processing facilities is prohibited
 All workstation should connect only facility authorized port number
 Security should verify the tag number for Lap top or Tablet movement each entry doors.
 All Synergy owned Laptop, Tablet, Mobiles should have Synergy authorized sticker with serial
number System team will provide laptop users list on weekly basis. Security should verify all
laptops entering in to Synergy premises.
 Environmental conditions shall be monitored for secured areas.
4.8 Power Supplies
Equipment shall be protected from power failures and other electrical anomalies. Options for
continuity can include multiple feeds, UPS, and back-up generator. PS shall be tested regularly to
maintain its operational efficiency
5. Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.

RESTRICTED Punitive Actions Policy
Punitive Actions Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
This policy aims to describe the disciplinary process necessary to control the information security risks
posed by the employees, contractors or third parties.
2. Scope
provided access to information or information processing facilities at Synergy.
3. Policy
In order to safeguard its values, Synergy has developed Information Security Policies & Procedures
with which every one under the scope of this policy must comply. Synergy has also established a
mechanism to detect and report violations to the corporate information security policy and define
punitive actions to be initiated for such violations.
The punitive actions shall be governed by the extent and level of severity of violation as classified by
this policy and related business impact, risk assessment of any such violation.
The formal disciplinary process would ensure correct and fair treatment for employees, contractors or
third parties who are suspected of committing breaches of security. The formal disciplinary process
would provide for a graduated response that takes into consideration factors such as the nature and
gravity of the breach and its impact on business, whether or not this is a first or repeat offence,
whether or not the violator was properly trained, relevant legislation, business contracts and other
factors as required.
In serious cases of misconduct the process would allow for instant removal of duties, access rights
and privileges, and for immediate escorting out of the site, if necessary.
3.1 Reporting of Violations
Compliance to the information security policy is mandatory. In order to ensure that the policy is
effective and enforceable, an effective mechanism shall be put in place to ensure compliance. All
violations of the information security policy shall be reported to the CISO/ISM and the ISSC.
3.2 Punitive Actions
Violations must be categorized into various levels as described in the Disciplinary procedure. Punitive
actions must be laid down for each category of the violation. The punitive action may be decided on a
case-to-case basis depending on the impact of the violation on the information systems resources of
Synergy.
The list mentioning the type of violation shall be maintained and updated by CISO, HR and IT teams
and should be reviewed and approved by ISSC.

For all new type of violation, punitive actions must be defined by CISO, HR and IT teams in
consultation with ISSC.
to this policy should be reported to the ISSC and acted upon based on this policy. All necessary

RESTRICTED Server Security Policy
Server Security Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
This policy establishes requirements for internal server equipment to help minimize the exposure of
Synergy’s critical infrastructure and information assets to threats that may result from unprotected
hosts and unauthorized access.
2. Scope
This policy applies to server equipment that is owned, operated, and maintained by Synergy.
3. Policy
3.1 General
(a) All changes to server infrastructure should be done as per the change management policy.
(b) Any deviations from the compliance to be above policy should be authorized by the ISM.
(c) All critical servers should have necessary redundancies to support the business in the event of a
disaster.
(d) Power supply requirements to the servers should be evaluated and appropriate controls applied.
(e) IT shall develop and maintain server hardening checklists and monitor the health of the servers
regularly. Necessary records shall be maintained as an audit trail.
(f) To ensure high availability, advanced security controls shall be considered as and when deemed
to be necessary based on the risk assessments i.e. Advanced RAID configurations, Hot swap
mechanisms, Redundant Power Supply (RPS), additional NIC cards, etc.
(g) Vendor support for the entire server infrastructure should be maintained at all times.
(h) Contact with vendors and other special interest groups providing specialist advice on the
management of the servers should be maintained.
3.2 Configuration & Maintenance
3.2.1 Hardware
(a) Configuration details of the server hardware should be maintained in the hardwareinventories.
(b) Physical access to the server should be restricted only to the authorized personnel.
(c) Port access to the server must be configured in a secured manner.
(d) Unused ports in the server should be disabled from the BIOS.
(e) Server maintenance shall be scheduled and performed at regular intervals.
3.2.2 Software
a) Operating system configuration must be done according to the services operated in the Server.
b) Services and applications not serving business requirements must be kept disabled mandatorily.
c) Access to services should be logged and protected through access control methods, if possible.
d) The most recent security patches must be installed on the system as soon as practical, the only
exception being when immediate application would interfere with business requirements.

e) All the security patches should be tested before being applied on the servers.
f) Trust relationships between systems are a security risk and their use must be avoided. Do not
use a trust relationship when another method of communication is sufficient.
g) Always use standard security principles of least privilege access to perform a function. Do not
use root when a non-privileged account access is sufficient.
h) If a methodology for secure channel connection is available, privileged access must be
performed over secure channels (for example, encrypted network connections using SSH or
IPSec). Use of insecure protocols such as Telnet should be restricted.
i) Servers should be physically located in an access-controlled environment. Servers are
specifically prohibited from operating from uncontrolled cubicle areas.
j) All servers must have authorized and supported antivirus software installed and scheduled to
run at regular intervals.
k) System state/ configuration backups of the servers shall be taken regularly.
l) Remote access to servers for specific maintenance purposes should be provided in a secure
manner. Server administration and maintenance activities should be logged and monitored for
compliance. Limitation of connection time to the servers shall be considered depending on the
risk implied. Remote locations/IP addresses for such connections should be restricted to reduce
the risks of unauthorized access.
3.3 Monitoring
(a) All security-related events on critical or sensitive systems must be logged and audit trails saved
as follows:
a. All security related logs must be kept online for a minimum of one week.
b. Weekly full backups of logs must be retained for a minimum of one month.
c. Monthly full backups must be retained for a minimum of six months.
(b) Security-related events must be reported to ISM, who will review logs and record the incidents.
Corrective measures must be prescribed as needed. Security-related events include but are not
limited to the following:
a. Port-scan attacks
b. Evidence of unauthorized access to privileged accounts
c. Anomalous occurrences that are not related to specific applications on the host.
d. Unexpected shut down or restart
e. CPU/ memory utilization
f. Performance issues
(c) Periodic vulnerability assessment and penetration testing shall be conducted for all the servers
4. Policy Enforcement
an audit trail.

5. References
 Change management policy

 Incident management policy
 Backup and restoration policy

RESTRICTED Social Media Usage Policy
Social Media Usage Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
Synergy recognizes that there are legitimate business and personal reasons for using social media at
work or using corporate computing resources. To enable employees to take advantage of the business
value of these sites and to promote an open, trusting, collaborative workplace, Synergy policy allows all
employees to use social media within the Policies & guidelines specified below.
2. Scope
This policy is applicable to all the employees of the Synergy.
3. Policy
3.1 Social Media Definition
Social media includes any Web site in which visitors are able to publish content to a larger group.
Content shared may include (but is not limited to) personal information, opinions, research,
commentary, video, pictures, or business information. Examples of such destinations include large
branded entities such as Facebook, Twitter, YouTube, and LinkedIn. However, blogs, special interest
forums, user communities are also considered social media.
3.2 Social Media Authorization
General Use of Social Media

 General use of social media sites is permitted for specific employees only for Business/Project
requirements however few social media sites like LinkedIn is allowed to be used by all the
employees without restrictions.
3.3 Corporate Social Media Content
a. Posting of content to corporate sponsored social media (e.g. the corporate Facebook page) is
permitted only for the following employees authorized to publicly represent the company.
3.4 Inappropriate Content Policy
a. Inappropriate content should not be accessed by employees while at work, or while using
company resources.
b. Content that is inappropriate for the workplace including nudity, violence, abused drugs, sex, and
gambling.
c. Inappropriate content policy that applies to the broader Web, also applies to content found within
social media.
d. In addition to these guidelines, employees should use common sense and consideration for
others in deciding which content is appropriate for the workplace.

e. The company employs technical controls to provide reminders, monitor, and enforce this policy.
3.5 Productivity Policy
a. Synergy recognizes that employees have a need, at times, to conduct personal business within
social media while at work or using company resources.
b. Therefore, Synergy allows limited access to non-business social media content. For example,
employees are allowed to access personal communications applications, email, and blog content
within social media for limited time by not impacting business activities
c. It is the responsibility of the employee to ensure that personal business Does not affect work
quality or productivity.
3.6 Content Publishing and Confidentiality Policy
a) These policy guidelines apply to all social media communications whether personal or company-
sponsored.
b) Employees are responsible for content they publish in social media and can be held personally
liable for content published.
c) Employees also can be subject to disciplinary action by respective regulatory authorities for
publishing inappropriate or confidential content.
3.7 Competition Component of the Social media Policy
You may not sell any product or service that would compete with any of your company's products or
services without permission in writing from the Management. This includes, but is not limited to
training, books, products, and freelance writing. If in doubt, talk with your manager.
3.8 Guidelines for Malware and Online Crime Prevention
Social media is commonly used by the online criminal community to deliver malware and carry out
schemes designed to damage property or steal confidential information. To minimize risk related to
such threats, adhere to the following guidelines. While these guidelines help to reduce risk, they do
not cover all possible threats and are not a substitute for good judgment.
a) Do not use the same passwords for social media that you use to access company computing
resources.
b) Do not follow links or Download software on social media pages posted by individuals or
organizations that you do not know.
c) If any content you find on any social media Web page looks suspicious in any way, close your
browser and do not return to that page.

d) Configure social media accounts to encrypt sessions whenever possible. Facebook, Twitter and
others support encryption as an option. This is extremely important for roaming users who
connect via public Wi-Fi networks.
3.9 Business Communication
a) Ensure that your communication with any of Synergy leads, clients or any other business contact
is restricted to Synergy email id, Synergy Skype id, Synergy phone.
b) It is recommended not to give your personal email id, Skype/MSN id, personal phone/cell
numbers etc. to Synergy leads, clients or any other business contact.
c) It is your responsibility to let management know if you find anyone on the floor indulging in
communications with Synergy clients in violation of this policy.
3.10 Accepting Assignments from the Virtual World
a) Do not accept tasks from people who have approached you based on your social media profile
(Twitter, Facebook, LinkedIn, etc.) where you have given in your profile that you are an REA, EA,
VA, etc. Instead direct them to GBD team.
b) Do not accept work from existing or past clients who have approached you after they saw your
profile.
c) Do not post testimonials and feedback that you received from your clients on your personal
profiles and blogs.
d) Do not solicit or accept any assignments that are competing with the work that Synergy does.
3.11 Protecting Confidential and Proprietary Information
a) Do not share internal communication with clients
b) Make sure you do not disclose or use Synergy confidential or proprietary information including
pricing
c) Do not comment on confidential financial information such as future business plans, prospects,
strategy, research reports, templates, internal mails, management or HR messages, processes
and data, website and other content, etc.
3.12 Client Data Protection
a) Do not mention the names of clients, suppliers.
b) Do not mention the project details, including the analysis, research reports, certain data etc..
c) Do not share client testimonials, emails, feedback.
d) Do not share project details, inputs that client has given.

e) Do not sell client deliverables even with alterations. It belongs to Synergy or its clients.
3.13 Respect and Privacy Rights
a) Speak respectfully about the company and our current and potential employees, customers,
partners, and competitors. Do not engage in name calling or behavior that will reflect negatively
on your company's reputation. Note that the use of copyrighted materials, unfounded or
derogatory statements, or misrepresentation is not viewed favourably by Synergy and can result
in disciplinary action up to and including employment termination.
b) Honor the privacy rights of our current employees by seeking their permission before writing
about or displaying internal company happenings that might be considered to be a breach of
their privacy and confidentiality.
c) Do not write disparagingly about competitors
d) Respect your audience. Don't engage in any conduct that would not be acceptable in Synergy
workplace. You should also show proper consideration for others' privacy and for topics that may
be considered objectionable or inflammatory—such as politics and religion.
e) Don't pick fights. When you see misrepresentations made about Synergy by media, analysts or
by other bloggers, inform the Management about such issues to get the right response. Always
respond to any Doubts, complaints etc. with respect.
f) Try to add value. Provide worthwhile information and perspective.
g) Synergy brand is best represented by its people and what you publish may reflect on Synergy
brand.
3.14 Your Legal Liability
a) Please note that every employee has signed a legal non-disclosure and confidentiality agreement,
which if violated can be legally enforced.
b) Recognize that if you violate any of the clauses which have legal complications for Synergy, it
can have legal repercussions for you as well
c) Recognize that you are legally liable for anything you write or present online.
d) Use your best judgment. Remember that there are always consequences to what you publish. If
you're about to publish something that makes you even the slightest bit uncomfortable, review
the suggestions above and think about why that is. If you're still unsure, and it is related to
Synergy business, feel free to discuss it with your manager.
e) If you make an error, be up front about your mistake and correct it quickly. In a blog, if you
choose to modify an earlier post, make it clear that you have Done so.
f) Identify yourself—name and, when relevant, role at Synergy—when you discuss company-
related matters. And write in the first person. You must make it clear that you are speaking for
yourself and not on behalf of Synergy if you have not taken our permission.

g) Use a disclaimer. Whether you publish to a blog or some other form of social media, make it
clear that what you say there is representative of your views and opinions and not necessarily
the views and opinions of Synergy. At a minimum in your own blog, you should include the
following standard disclaimer: "The postings on this site are my own and Don't necessarily
represent Synergy positions, strategies or opinions."
3.15 Other Specific Guidelines
a) Do know and follow all privacy and confidentiality guidelines in the Employee Handbook. All
guidelines in the employee handbook, as well as laws such as copyright, fair use and financial
disclosure laws apply to social media.
b) Do not disclose or use Synergy classified information or that of any other person or company.
For example, ask permission before posting someone's picture in a social network or publishing in
a blog a conversation that was meant to be private.
c) Do not comment on company stock price or confidential financial information such as future
business performance or business plans.
d) Do not cite or reference customers, partners or suppliers without their written approval.
e) Do identify yourself. Some individuals work anonymously, using pseuDonyms or false screen
names. Synergy discourages that practice.
f) Do be professional. If you have identified yourself as a Synergy employee within a social
website, you are connected to your colleagues, managers and even Synergy customers. You
should ensure that content associated with you is consistent with your work at Synergy.
g) Do ask permission – to publish or report on conversations that are meant to be private or internal
to Synergy and when in Doubt, always ask permission from the Synergy legal department or
CISO office.
h) Do speak in the first person when engaging in personal social media communications. Make it
clear that you are speaking for yourself and not on behalf of Synergy.
i) Do use a disclaimer – If you publish personal social media communications and it has something
to Do with the work you Do or subjects associated with Synergy
j) Use a disclaimer such as this: "The postings on this site are my own and Don't necessarily
represent those of Synergy”.
k) Do link back to the source – When you Do make a reference to a customer, partner or supplier,
where possible link back to the source.
l) Do use your best judgment – Remember that there are always consequences to what you
publish. If you're about to publish something that makes you even the slightest bit
uncomfortable, review the suggestions above and think about why that is. If you're still unsure,
and it is related to Synergy business, feel free to discuss it with your manager or simply Do not
publish it. You have sole responsibility for what you post to your blog or publish in any form of
social media.

m) Do not use ethnic slurs, personal insults, obscenity, or engage in any conduct that would not be
acceptable in the Synergy workplace.
n) Do not conduct confidential business with a customer or partner business through your personal
or other social media.
o) Do not register accounts using the Synergy brand name or any other unregistered or registered
trademarks.
3.16 Employee Education
 All employees should be notified of this Document upon creation or whenever modifications are
made.
 These guidelines only cover a sample of all possible content publishing scenarios and are not a
substitute for good judgment.
 Synergy employs technical controls to provide reminders, monitor, and enforce these guidelines.
3.17 Technical Controls
The Synergy social media usage policy described above is monitored and enforced by a Secure Web
Gateway system. The Secure Web Gateway must secure all Synergy Internet connected, company-
owned employee computers including mobile laptop computers with direct Internet connections. The
Secure Web Gateway should include the following capabilities.
 Context-Aware Confidential Data Detection – The ability to account for the context of
confidential data strings when identifying outbound data confidentiality violations. For example,
the solution should differentiate between an employee social security number posted alone (not a
violation), and a social security number posted in combination with an employee name (a
violation). Keyword dictionaries and regular expression matching capabilities Do not meet this
requirement.
 Customer Document and Database Fingerprinting – The ability to identify customer
database records (e.g. customers records) and Documents (e.g. business plans).
3.18 Corrective Controls
 Spokesperson- In case of any inquiry or rumours or poor press. Synergy Corporate

communication head or designated spokesperson only can talk with Press, Media and relevant
authorities.
 Incident Response- Such cases will be considered as Information Security Incidents and
appropriate incident response plan will be activated.

4. Policy Enforcement
an audit trail.

RESTRICTED Teleworking Policy
Tele working Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
This policy aims at controlling the risks related to Teleworking.
2. Scope
This policy applies to all the employees or third parties having Teleworking privileges.
3. Policy
The policy of Synergy for Teleworking is as follows:

(a) Teleworking by remote access to Synergy IT infrastructure for working from home/offsite
locations is permitted solely for specific business needs.
(b) The business process owner or the line manager should approve the business requirement for
Teleworking privileges for any employee.
(c) The risks related to Teleworking facilities should be assessed by the business owner and IT staff
before provisioning such a request. Requirements for monitoring controls should be identified
wherever practicable.
(d) Approvals should be taken from CISO/ISM for granting the privileges of Teleworking.
(e) All the agreed equipment such as laptops and other accessories along with the identified
technologies such as VPN would be arranged for the employee upon authorization from
CISO/ISM for using Teleworking facilities.
(f) All the software required for Tele-working shall be made available by Synergy and the employee
shall not load any pirated/unlicensed versions.
(g) Synergy reserves the right to review the arrangements in place for Teleworking to ensure that
they meet business requirements, are effective and amend the arrangements, if required.
(h) Users are responsible to comply with the clear desk policy, internet usage and email policies.
(i) Security incidents related to their Teleworking should be reported to the CISO/ ISM.
(j) For external parties, remote access should be provided only if there is a business requirement.
(k) The risks for such access privileges should be analyzed and appropriate controls applied.
(l) Limitation to connection time should be considered for access in case of external parties such as
during office hours.
to teleworking should be reported to the ISSC/ISM and acted upon based on this policy. All necessary

RESTRICTED Third Party Security Policy
Third Part Security Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
This policy aims to Synergy security policies designed to safeguard Synergy assets, as well as
information belonging to these Third Parties, from unauthorized or accidental modification, damage,
destruction, or disclosure.
2. Scope
provided access to Network and Information at Synergy.
3. Policy
(a) To maintain security of organizational information processing facilities and information assets
accessed by third parties.
(b) All third parties who are given access to Synergy’s information systems, whether suppliers,
customers or otherwise, must agree to follow Synergy’s information security policies.
(c) Synergy will assess the risk to its information, where deemed appropriate because of the
confidentiality, sensitivity or value of the information being disclosed or made accessible, Synergy
will require external suppliers of services to sign a confidentiality agreement / Non disclosure
agreement to protect its information assets.
(d) Persons responsible for agreeing maintenance and support contracts will ensure that the contracts
being signed are in accordance with the content and spirit of Synergy’s information security policies.
(e) All contracts with external suppliers for the supply of services to Synergy must be monitored and
reviewed to ensure that information security requirements are being satisfied.
(f) Contracts shall include appropriate provisions to ensure the continued security of information and
systems in the event that a contract is terminated or transferred to another supplier.
(g) Any facilities management, outsourcing or similar company with which Synergy may do business
must be able to demonstrate compliance with the Synergy’s information security policies and
enter into binding service level agreements that specify the performance to be delivered and the
remedies available in case of non-compliance.
to third parties should be reported to the ISSC and acted upon based on this policy. All necessary

RESTRICTED Vendor Management Policy
Vendor Management Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

th
1.0 0 25 Feb, 2015 Initial
2.0 0 30th Sep 2019 Whole content reviewed and changes

1. Purpose
To ensure and maintain the security of the organization’s information processing facilities from external
parties, who can access, process, communicate to or manage these facilities.
2. Scope
This policy applies to all purchases that relates to items that relevant to Synergy's core operation.
3. Policy
3.1 Identification of Risks related to Vendor or External Parties :
 Risk based approach shall be followed to identify the potential risks to Synergy Information
Security as a result of Supplier or third party access to Synergy Assets.
 These risks shall be appropriately controlled through effective controls that need to be
implemented to regulate and monitor the confidentiality, integrity and availability of the
information accessed by the supplier or third parties.
 All supplier or third party access to Synergy Information Systems, LAN infrastructure shall be
formally authorized.
 Outsourcing of information or data processing functions or services to Supplier or third party
organizations shall be formally authorized by the CISO.
 During the Risks Identification, that are related to External Party access Synergy shallconsider:
 Possible Impacts to the controls of the information processing facilities involved
 The classification of the information assets.
 Process for identifying, authorizing, authenticating and reviewing access rights of the
supplier or third parties.
 Security Controls to be used by the supplier or third parties when storing, processing,
communicating, sharing or exchanging information.
 Possible Impact to both parties resulting from assets being unavailable.
 Prior to authorizing access to supplier or third parties to access information and information
assets, Information Owners and Information Custodians must confirm that:
 The terms and conditions of access are documented (E.g. Service Level Agreement (SLA),
Contracts, and Memorandum of Understanding).
 Responsibilities for managing and monitoring the supplier or third party access have been
assigned and documented.
 Security Controls have been implemented and tested against identified risks.
3.2 Third Party Access Policy
 All System accessed by supplier’s or third parties such as contractors, customers, consultants
or other external staff must be based on a formal contract and Non Disclosure Agreement
(NDA).
 Access to Synergy Systems or other IT resources by suppliers or Third parties must be
restricted to the services and information they are explicitly authorized to access.

 All suppliers or Third parties shall be provided with a Separate User Account for access and
this account shall expire on completion of the business requirement.
 Supplier or Third party requesting internet access shall accept ownership of account allocated
and is responsible for all actions performed with the Account.
 The Supplier or Third Party Account allocated shall be used only for the business purpose
defined and by the assigned individual.
 The Supplier or Third Party account shall be disabled when not in use and password shall be
managed as per Synergy Password Management Policy.
 All Supplier or Third Party users utilizing Synergy Internet connectivity shall read and
understand the Synergy Internet Policy.
 If the Supplier or Third Party Personnel uses his/her Personal Laptop it must be checked to
be updated with the latest Anti Virus Software, OS Patches, Network and Security Baselines
of Synergy .
 No supplier or third party shall be granted remote access unless prior approval and
authorization is granted from the CISO.
3.2 Addressing Security in the third party Agreement
 Supplier or Third Party Access to Synergy Information Systems shall be provided based on a
formal contract and Non Disclosure Agreement (NDA) between Synergy and the Third party.
 As a minimum, contracts with supplier or third parties for provision of access to Synergy
information systems shall include (but not be limited to) Confidentiality clauses, Non-
disclosure clauses and Acceptable Usage along with complying to Synergy Access Control
and Acceptable Usage clause.
 Contracts with supplier or third parties for provision of access to Synergy information systems shall
be consistent in all aspects with Synergy Information Security Policies, Procedures and Standards.
 Outsourcing contracts shall address the following in any form : -
 The level of physical and logical security that shall be provided to maintain the
confidentiality and integrity of Synergy information / data processed.
 The service level to be provided and the level of availability in the event of a disaster.
 Provision for confidentiality, non-disclosure and acceptable use relating to the
information /data processed by the outsourced function or service.
4. Elements of Risk
When using the services of various third-party or outsourcing entities, a certain element of risk arises
as responsibilities for critical initiatives are now in the hands of another organization. It’s important to
understand these risks, what are they, and how Synergy can readily identify any issues, concerns, or
constraints pertaining to these risks. Failure to mitigate and prevent these risks can result in
significant financial loss, legal issues and public opinion misconceptions, ultimately damaging the
organization.

4.1 Compliance risk:
These are risks arising from violation of applicable laws, rules, and regulatory mandates and along
with other issues, such as non-compliance of internal operational, business specific, and information
security policies, procedures and processes. Regulatory compliance is a large and critically important
component of vendor management, requiring constant monitoring and oversight of third parties for
ultimately ensuring the safety and security of services being provided to Synergy by such entities.
Common compliance initiatives for which third-parties are to including numerous laws, legislative
mandates, and industry specific requirement, including, but not limited to, the following: CE mark,
FDA clearance, SOC 2,PCI DSS, ISO and many other.
4.2 Reputation Risk:
These are risk arising from negative public perception and opinion of a third-party outsourcing entity
for almost any imaginable reason, such as unethical business practices, data breaches resulting in
loss of sensitive and confidential information, investigation from regulator into questionable business
practices, etc.
4.3 Strategic Risk:
These are risk arising from third-parties failing to implement business initiatives that align with the
overall goals and ideas of Synergy, such as not offering services that provides an acceptable return
on investment, both short term and long term. Ultimately, when the long term strategic vision of both
Synergy and the applicable third-party outsourcing entities do not align, relevant risk begin to surface
which can significantly impact the business relationship, often in a negative manner.
4.4 Operational Risk:
These are risks arising from a failed system of operational internal controls relating to individual and
the relevant policies, procedures, processes and practices. This becomes a large issue due to the fact
the many organization integrate their daily operational activities with outsourcing providers, thus a
“breakdown” on the vendor side seriously impact the organization, ultimately affecting productivity,
workflow efficiency and many other issues.
4.5 Transaction Risk:
These are risks arising from a third-party failing to deliver as promised, such as product delivery,
operation efficiency or worse unauthorized transactions and theft of information due to a weak
system of operational and information security internal controls. An important component of
mitigating such risks is having comprehensive, well-documented operational and information security
policies, procedure, process and practices in place for guiding such third-parties on a daily basis.
4.6 Country Risk:
These are risk arriving from the politic, economic and social landscape and other relevant events with
a foreign country that can impact the services being provided by the third party, ultimately affecting
operations for Synergy. Managing such risk can be extremely challenging and complex, especially
when one considers the diverse political landscape in various regions around the globe. Legal issues
also can pose significant country risks, as laws and regulations differ greatly from region to region.

4.7 Information Technology Risk:
These are risk arising from any number of information technology and information security issues,
such as inadequate I.T. resources (hardware and software) along with lack of manpower.
Additionally, risk can arise from abuse, misuse of information technology resources, while data
breaches and security compromises can occur because of improperly designed networks, little to no
information security policies, procedures, etc. Other serious information technology risk can include
not correctly provisioning and hardening critical system resources, failing to implement “defense in
depth” and layered security protocols, etc.
5. Due Diligence in vendor selection

The selection process for new vendor is to consist of exhaustive measures for ensuring all relevant
risk areas have been thoroughly assessed by Synergy, which is to include, but not limited to, the
following measures:
 Review of all applicable financial documentation, such as financial statements, etc.
 Review of all regulatory compliance and operational audits and assessments, etc.
 Experience and overall business “Know-how”.
 Operational capacity and scalability.
 Use of other third-parties by the actual vendor themselves.
 Reputation within the industry and from the general public.
 Inquiry into any past, present or expected legal issues, constrains or concerns.
 Experience and business aptitude, strength and knowledge of senior management and all
other relevant personnel.
 Alignment of vision, strategies, and overall goal with each organization.
 Assessment of operational, business specific and information security policies, procedures
and practices, particularly documentation pertaining to incident response, security
awareness, business continuity and disaster recovery planning.
 Insurance coverage.
6. Legal and Contractual Documentation

Once vendor have been selected for providing critical outsourcing services to Synergy,
comprehensive procedures are to be undertaken regarding all contractual documentation specifically
the following:
 A formalized and written contracts has been produced, one that dutifully identifies roles,
responsibilities, obligations and expectations from all relevant parties.
 The contract has been approved by Top management of Synergy. This also requires
addressing issues like risk, financial relationship and clear documentation.
 Comprehensive and appropriate review undertaken by Top Management, with all issues,
constraints and concerns addressed as necessary.
 Regulatory compliance audits and mandates, such as annual financial statements audits,
annual operational and security assessments (i.e. SOC 2, PCI DSS etc.).
 Information security protection measures regarding the safety and security of sensitive and
confidential information.
 Numerous other legal issues, including, but not limited to the following: resolution
measures, indemnification, continuation of service, default, intellectual property.

7. Labour standards:
Synergy is committed to developing an organizational culture which implements a policy of support
for internationally recognized human rights and labor standards. We support the principles contained
within the United Nations Declaration of Human Rights and the International Labor Organization’s
(ILO) Core Conventions on Labor Standards.
7.1 Child Labor
 Vendors will not use child labor. The minimum age for employment will be the greater of (i) the
minimum age under local law, (ii) the minimum age pursuant to the Convention Concerning
Minimum Age to Employment adopted by the International Labor Organization or (iii) 15.
 Workers below the age of 18 should not be involved in activities likely to jeopardize their health,
safety or morals or interfere with their compulsory education.
 Vendors may be required to disclose any workers under the age of 18 and detail the specifics of
their job functions, including what, if any, support they may be providing to Synergy.
7.2 Involuntary Labor
 Vendors will not use any forced, compulsory or involuntary labor, whether bonded, indentured,
or imprisoned.
 Employees shall be able to terminate their employment within reasonable notice.
7.3 Non-Discrimination
 Vendors will not discriminate on the basis of race, religion, age, nationality, social or ethnic
origin, disability, sexual orientation, gender, gender identity, marital status, veteran status or
political affiliation, in its hiring or employment practices; such as, compensation and benefits,
access to training, promotion, termination and retirement.
7.4 Wages, Benefits and Working Hours

 Vendors will comply with applicable wage and working hour laws and regulations, including
those relating to minimum wages, overtime, maximum hours and legally mandatedbenefits.
 Vendors will compensate their employees for hours worked in a globally known currency, such
as the United States Dollar, British Pound, Japanese Yen, Indian Rupee, etc.
 Vendors will disclose to Synergy, if it deducts workers’ pay for employer provided services such
as living quarters, apartment utilities, food, hygiene products or any other basic human services
employees may require to live. This excludes standard employer provided healthcare and
retirement plans.
7.5 Fair Treatment
 Vendors will treat employees with dignity and respect. Physical abuse, the threat of physical
abuse, sexual or other harassment, verbal abuse or any other form of intimidation are
prohibited.
 Vendors will not retaliate against employees who report abuse, discrimination, ethical concerns
or violations of law.

8 Reference
List of vendors / Suppliers.

Procedure for Control
RESTRICTED
of Documents
Procedure for Control of

Documents

RESTRICTED
of Documents
DOCUMENT SUMMARY
AUTHOR MR. GAURAV SINGH

REVIEWED BY
CURRENT VERSION 2.1
OWNER CISO
APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.
2.1 1 23rd Dec 2019 Content added in section 13 with respect
to IT Asset

RESTRICTED
of Documents
1. Purpose
The purpose of this procedure is to implement a system to control the documents and
avoid their inadvertent use in the IT department.
2. Scope
This procedure is applicable to all the documents related to the ISMS in the IT Department.
3. Responsibility
CISO is responsible for implementation of this procedure.
4. Authority
This procedure is authorized/ approved by the CISO. For any amendment in this procedure
CISO will authorize the same.
5. Definitions
ISM – Information Security Manager
ISMS-Information Security Management System
IT- Information Technology
ITIS - Information Technology Infrastructure
6. Input
 ISO/ BS Standards requirement
 Uncontrolled documents
7. Description
Authorizing/Approving Authority
The documents, controlled by this procedure, are mentioned below along with their
authorizing/ approving and issuing / controlling authorities:
Authorizing
Issuing / Control
No. Document / Approving
Authority
Authority
1 Manual (Policies and

CISO ISM
Procedures)
2 Guidelines CISO ISM
3 Templates CISO ISM
4 Registers CISO ISM
Documents of
5 CISO ISM
external origin
6 IT Asset CISO ISM
8. Manual
Synergy ISMS Manual documents (Policies, Procedures and other related Docs) is prepared
by sections/ function and authorized/ approved for issue by the CISO.

RESTRICTED
of Documents
The Manual is controlled by giving a document reference number ISMS_Man_nnn (‘n’

carries a value 1,2..so on in sequential order).
ISM maintains master list of all Manuals identifying their current revision status.
9. Guidelines
Guidelines related to ISMS are prepared by respective sections/ function and authorized/
approved for issue by the CISO.
All Guidelines are controlled by giving a document reference number ISMS_Gui_nnn (‘n’
ISM maintains master list of all Guidelines identifying their current revision status.
Read only copy is available on the Intranet. Guidelines softcopy can be downloaded as per
requirement.
10. Template
Templates are prepared by respective sections/ function and authorized/ approved for
issue by the CISO.
All Formats are controlled by giving a document reference number ISMS_Tem_nnn (‘n’
ISM maintains master list of all Templates identifying their current revision status.
11. Registers
Registers are prepared by respective sections/ function and authorized/ approved for issue
by the CISO.
All Registers are controlled by giving a document reference number ISMS_Reg_nnn (‘n’
ISM maintains master list of all Templates identifying their current revision status.
12. Documents of External Origin

Documents of external origin (eg. ISO standards) are inwarded and stored securely
All Registers are controlled by giving a document reference number ISMS_Ext_nnn (‘n’
ISM maintains master list of the documents of external origin.
13. IT Assets
IT Assets are maintained by IT Purchase and each assets are identified by Asset Id.
All assets are controlled by giving a asset id SMPL-IT- <Assets type>nnnn (‘n’ carries a
value 1,2..so on in sequential order).
IT Purchase team maintains the Assets list.
Note: <Asset type>
 Monitor MON
 Desktop DES
 Laptop LAP
 Keyboard KEY
 Mouse MOB
 Server SER
 Firewall FIR

RESTRICTED
of Documents
 Switches SWT
 Video Conference VC
14. Operating Procedures

Operating procedures of processes shall be named as ISMS_SOP_nnn (n carries the value
1,2..so on in sequential order)
Controlled documents bear the following details.
No. Document
1 Manual Document Ref. No, Revision No, Issue Date,
version no.
2 Guidelines Document Ref. No, Revision No, Issue Date,
version no.
3 Templates Document Ref. No, Revision No, Issue Date,
version no.
4 Registers Document Ref. No, Revision No, Issue Date,
version no.
5 Documents of Document Ref. No, Revision / Issue details
external origin
15. Review of documents

ISMS Manual and related documents are reviewed by ISM once a year or earlier, if required,
to ascertain whether any revision is required. If a revision is required, ISSM raises a request
to CISO and CISO approves the change to the document if it is found to be necessary.. If the
revision is justified, it is authorized/ approved by the CISO and subsequent revision/ version
no. is given and updated on the Intranet.
16. Amendment/ Revision to documents
Amendment in the documents can be of two types:
1. Version change
2. Revision change
A document after initial creation would be set as version 1, revision 0. Thereafter, on every
revision done by the document reviewers the revision number would be incremented by one.
The revision details should be updated in the revision history table in every document. After
the revisions are over, the version number gets incremented by one as soon as it is approved
by the CISO/ ISSC/ any other approving authority; revision number also gets reset to zero.
Subsequently, on further revisions and approval the same process should be continued to be
followed.
17. Control of obsolete documents

Invalid / obsolete documents are kept in a folder promptly marked as “OBSOLETE”. One
revision just prior to current revision will be retained.
Any obsolete document, retained for legal requirements or knowledge preservation purpose,
is suitably identified and kept separately.
18. Output
 Master Lists of documents
- End of Document -

RESTRICTED ISMS Control of Records
ISMS Control of Records

RESTRICTED ISMS Control of Records
DOCUMENT SUMMARY
AUTHOR MR. KANNAN

CURRENT VERSION 2.0

OWNER CISO
APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
To detail the method of establishing and maintaining records to provide evidence of conformity to
requirements and effectiveness of Information Security Management System.
To define the controls in the identification, storage, protection, retrieval, retention time and
disposal of records.
To comply with relevant legal or regulatory requirements and contractual obligations.
2. Scope
This procedure is applicable to all records identified in the Master list as providing evidence of
conformity to the Information Security Management System.
3. Responsibility
CISO holds full responsibility for the control of records.
The ISSC and the functional heads are responsible for establishing and maintaining the records
identified for their respective functions.
4. Input
 ISO/ BS Standards requirement
 Uncontrolled records
5. Procedure
Examples of records to be established maintained and controlled
 Visitors Books
 Audit reports
 System logs
 Access Authorisation forms
 Incident records
 Change records
 Records shall also be kept of the performance of the process outlined in clause 4.2 of
ISO 27001:2005
The planning and identification of records to be maintained at the various stages of operation is
identified by the respective functional heads along with ISSC in the form of a masterlist.
The masterlist details the method of controls for records as Identification, Storage, Protection,
Retrieval, Retention and Disposal.
Master list shall be maintained as follows
Remarks
Record Retention Expiry (Date of
Record Name Owner Category
Ref No. period Date disposal
etc)
Document Ref. No. Synergy_ISMS_Man_032 Version No.0.0

Pertinency of records in use is controlled by CISO using the Masterlist. The Masterlist of records is
approved by the ISSC. The records shall be created in a legible manner and are maintained to
facilitate ready identification and retrieval.
Records shall be identified by the departments and categorized as record types.
Inventory of records and other information assets shall be maintained.
Records shall be maintained of all the activities and documentation that is deemed necessary by
virtue of a legal or a statutory requirement
Records shall be retained for the period stipulated by the legal/regulatory requirements and
contractual obligations.
The periodicity of maintenance of such records shall be defined, and the expiry date of records
(date of retention) marked on the cover.
The records shall be maintained in a protective environment, safeguarding them against
deterioration, damage by environmental or deliberate threats.
Electronic storage media shall be ensured for the ability to read data throughout the retention
period and safeguarded against loss of readability due to technology change.
The records shall be legible, identifiable and traceable to the activity involved.
Appropriate data storage systems shall be chosen such that the retrieval of records subsequently is
acceptable in a court of law’
Records shall be kept securely and made available to authorized persons when required.
6. Control of obsolete records

Invalid / obsolete records are promptly marked as “OBSOLETE”. Any obsolete record, retained for
legal requirements or knowledge preservation purpose, is suitably identified and kept separately.
7. Output
 Master Lists of records
- End of Document -

Procedure for
Restricted
Corrective Actions
Procedure for Corrective Actions

Procedure for
Restricted
Corrective Actions
DOCUMENT SUMMARY
AUTHOR MR. KANNAN

CURRENT VERSION 2.1
OWNER CISO
REVISION HISTORY

2.0 0 30th Sep 2019
applied.
2.1 1 23rd Dec 2019 Changes done in section 5 for errors and
omissions.

Procedure for
Restricted
Corrective Actions
1. Purpose
The purpose of this document is to detail the procedure of taking Corrective and Preventive
Actions to improve the effectiveness of the Information Security Management System.
2. Scope
This procedure is applicable to all findings identified in the Internal and External audits.
3. Responsibility
CISO/ISM holds full responsibility for the maintenance and follow-up of Corrective actions.
The ISSC and the functional heads are responsible for establishing and maintaining the records
identified for their respective functions.
4. Input
 Internal Audit report
 External audit report
5. Non Conformity handling and Correction

The ISM / CISO shall be responsible for establishing and maintaining the corrective action
procedure.
The Corrective Action Report be the record for the purpose.
The following steps shall be followed:

The auditor shall
 Identify non-conformance.
 Determine the extent or gravity of the non-conformance (There are cases wherein the observed
or detected non-conformance is just the “surface” of a much bigger or serious non-
conformance)
 Issue Corrective Action Report to concerned person or auditee as per the following format
The auditee shall
 Apply immediate / containment action - (Correction) to arrest the non-conformance.
 Determine Root cause of the non-conformance.
 Establish corrective action plan based on root cause analysis

The auditor shall
 Enter the details of corrective action taken in the corrective action report.
 Close the non-conformance in the corrective action report by making suitable remarks if the
corrective action plan is found to be done properly.

Procedure for
Restricted
Corrective Actions
 The Auditor shall make a follow-up with auditee to check the implementation of corrective
action plan as stated on the corrective action report.
The CISO shall independently review the corrective action plan and ensure that the records are
safely stored.
6. Corrective Action Plan

The ISM shall be responsible for identifying the requirement for preventing the recurrence of the
non conformity, provide action to eliminate the root cause of non conformity/ potential non
conformities with the ISMS requirements so as to prevent their occurrence.
The CISO/ISM shall review the corrective action report to ensure that any requirement for corrective
actions from any past incidents are addressed .The repeating non conformities to be taken into
account at the time of the Risk Assessment. The priority of the corrective action shall be determined
based on the results of the risk assessment.
7. Output
 Corrective Action report.
- End of Document -

RESTRICTED Procedure for Internal Audits
Procedure for Internal Audits

DOCUMENT SUMMARY
AUTHOR MR. GAURAV SINGH

REVIEWED BY MR. SRIDHAR MAHADEVAN
CURRENT VERSION 2.1
DATE OF CURRENT VERSION 18TH, DECEMBER,2020
OWNER CISO
NAME: MR. SRIDHAR MAHADEVAN
REVISION HISTORY

2.0 0 30th Sep 2019
applied.
2.1 1 18th Dec 2020 Inclusion of CRM Manual reference in

section 4.0 Input

1.0 Purpose
● To ensure that Synergy continually operates in accordance with the specified policies,
procedures and external requirements in meeting company goals and objectives in
relation to information security.
● To ensure that improvements to the ISMS are identified and implemented.
2.0 Scope
This procedure includes planning, execution, reporting and follow–up of an internal ISMS audit
and applies to all departments that form part of Synergy information security management
system. Legal and regulatory requirements shall be compulsorily audited in all audits and the
other domains in rotation.
3.0 Responsibility
Chief Information Security Officer (CISO)
● Appoints the Lead Auditor /Audit Team.

● Together with the Lead Auditor, reviews the corrective and preventive actions and the
follow-up audits done based on the internal audit report submitted.
● Maintains the confidentiality of the audit results.
Auditor
● Prepares an Audit Plan/Notification as basis for planning the audit and for disseminating
information about the audit.
● Chairs/conducts the internal audit activities.
● Co-ordinates the audit schedule with concerned department/process heads.
● Plans the audit, prepares the working documents and briefs the audit team.
● Consolidates all audit findings and observations and prepares internal audit report.
● Reports critical non-conformities to the auditee immediately.
● Report to the auditee the audit results clearly and without delay.
Auditees
● Receive the audit report and determine, initiate and follow-up the corrective action.
4.0 Input
ISO 27001:2013 Standard requirements and CRM Manual

5.0 Procedure
● An audit plan shall be created that contains all scheduled and potential audits for the
whole calendar year.
● Internal audit shall be scheduled once in six months or on a need-to-do basis i.e.
on-demand.
● Personnel who are independent of the area under audit shall perform the internal
audit.
● The Auditor shall be a person qualified as an ISO 27001 Internal Auditor/ Lead
Auditor.
● The audit shall be done against the requirements specified by the ISO 27001:2013
standard.
6.0 Audit Reporting
The Auditor shall review all of their findings whether they are to be reported as non-
conformance or as improvement potential. Audit finding shall likely be supported by objective
evidence.
The Lead Auditor shall consolidate all the audit findings for the preparation of the audit report.
Evaluation Scheme shall be:
Noteworthy Efforts Substantial improvement due to effective implementation of controls
Nonconformities Failure to fulfill one or more requirements of the management system
(NC): standard or a situation that raises significant doubt about the ability of
the management system to achieve its intended objectives.
The causes of the identified nonconformities must be analyzed and

the planned corrective actions effectively implemented within a
specified time frame. The auditor generally verifies the effectiveness
of corrective action in the follow up audit or in the next internal audit.
Observations (O): In individual cases some of the requirements of the management-

system standard are not fulfilled completely. However, this does not
jeopardize the effectiveness of the management-system element
The causes of the identified observations must be analyzed and the

planned corrective actions effectively implemented within a specified
time frame. The auditor generally verifies the effectiveness of
corrective action in the follow up audit or in the next internal audit.
Opportunity For Aspects that would lead to management system optimization with
Improvement (OFI): respect to a requirement of the standard. Implementation by the
organization is recommended.

(Basic requirement for the identification and recording of

opportunities for improvement is that the requirements of the
standard regarding the process element have been fulfilled but that
there are still areas for potential improvement of system
effectiveness and efficiency.)
The auditors shall follow a code of conduct in the manner of reporting.

● The report should be concise but factual and presented in a constructive manner.
● The findings should be within the scope of audit and shows the relationship of the
ISO 27001 standard.
● The report should not show any bias by the Individual auditor/ Lead Auditor.
The Internal Auditor shall issue a Formal Audit Report to the CISO.
The internal audit report shall be maintained and controlled by the CISO.
7.0 Audit Follow-up
The CISO shall meet the auditors and take overall responsibility for assigning ownership and
follow-up activities of audit findings with the auditees.
Subsequently, the auditees shall propose the corrections for the audit findings stating their root
cause along with expected date of closure of the proposed corrective action. This shall be
indicated in the Corrective Action Register (CAR).
Thereafter, the proposed action shall be accepted by the auditor. In case of non-acceptance,
the auditee shall revise the action plan according to the acceptance criteria specified by the
auditor depending on the situation and the audit finding.
Upon closure of the action(s), the auditee shall indicate the closure of each action by signing-
off against the corresponding actions listed in the corrective and preventive action register
(CAPA Register).
Finally it is the responsibility of the auditor to verify all the line items in the CAPA register and
indicate its successful closure by signing-off the audit report.
Note: Follow-up action will not be considered complete until all corrective actions or measures
have been implemented and the status has been reported to the Lead Auditor for final
verification purposes.
8.0 References
● Audit Plan
● Audit Schedule
● NC Report
- End of Document -

Procedure for
Restricted
Management Review
Procedure for Management Review

Procedure for
Restricted
Management Review
DOCUMENT SUMMARY
AUTHOR MR. KANNAN

CURRENT VERSION 2.0
OWNER CISO
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

Procedure for
Restricted
Management Review
1. Purpose
The objective of this procedure is to evaluate the effectiveness and continual suitability of the ISMS.
2. Scope
This procedure is applicable for Management Review Meetings held in respect of ISMS at Synergy.
3. Responsibility
CISO/ ISM are responsible to organise and conduct the Management Review Meetings once in
every 6 months. The members of the Information Security Steering Committee are responsible to
participate in the meetings.
4. Abbreviations
CISO - Chief Information Security Officer
ISM - Information Security Officer
ISMS - Information Security Management System
MRM - Management Review Meetings

ISSC - Information Security Steering Committee
5. Procedure
6. Management Review Inputs

Management Review Inputs
THE STATUS OF ACTIONS FROM PREVIOUS MANAGEMENT REVIEW
CHANGES IN EXTERNAL AND INTERNAL ISSUES THAT ARE RELEVANT TO THE INFORMATION SECURITY
MANAGEMENT SYSTEM
FEEDBACK ON THE INFORMATION SECURITY PERFORMANCE, INCLUDING TRENDS IN:

NONCONFORMITIES AND CORRECTIVE ACTIONS;
MONITORING AND MEASUREMENT RESULTS;
AUDIT RESULTS; AND
FULFILMENT OF INFORMATION SECURITY OBJECTIVES;
FEEDBACK FROM INTERESTED PARTIES;
RESULTS OF RISK ASSESSMENT AND STATUS OF RISK TREATMENT PLAN; AND
OPPORTUNITIES FOR CONTINUAL IMPROVEMENT.

7. Procedures
1. CISO/ ISM shall call for MRM once in 6 months . However CISO/ ISM shall call for interim
meetings, as and when required.
2. CISO/ ISM shall decide on the date, time venue and agenda for each MRM.
3. MRM shall be chaired by the CISO. In the absence of CISO, ISM is authorized to chair the
meeting.
4. All ISSC members shall be present at the MRM.
5. CISO/ ISM shall prepare the Agenda for the MRM in advance (Based on standard Management
review inputs and outputs) and circulate the Notice of MRM to all the members attending the
MRM.
6. Concerned personnel shall collect the required data and prepare the required presentations and
other materials required for the meeting.
7. ISSC shall conduct the MRM and discuss on achievements, constraints and need for
improvements.
8. Decisions made at Management Review Meetings shall include any decisions and actions related
to:
a. Improvement of the effectiveness of the ISMS and its processes
b. Resource needs
9. ISSC shall after discussion, arrive at decisions and action plans and target dates and record it
in the Minutes of MRM.
10. ISM shall record the Minutes of MRM and decisions of the meeting and circulate to all concerned.
11. Concerned owners shall deploy the decisions and action plans arrived at in the MRM.
12. Concerned owners shall report to the ISM on the status of deployment of the action points
through emails.
13. ISM shall be responsible for taking follow-up actions. He shall be responsible for monitoring
timely completion of the identified action plans.
14. ISM shall consolidate for the next MRM and he shall be responsible for maintaining the records
of MRM.
8. Management Review Outputs

MRM OUTPUT
THE OUTPUTS OF THE MANAGEMENT REVIEW :
 DECISIONS RELATED TO CONTINUAL IMPROVEMENT OPPORTUNITIES

 ANY NEEDS FOR CHANGES TO THE INFORMATION SECURITY MANAGEMENT SYSTEM.

9. Reference
 MRM Plan
 MRM Agenda
 Minutes of MRM

RESTRICTED Risk Assessment Methodology
Risk Assessment Methodology

DOCUMENT SUMMARY:
AUTHOR Kannan
REVIEWED BY Gaurav Singh
CURRENT VERSION 1.1
DATE OF CURRENT VERSION 18TH December, 2020

DATE OF ORIGINAL VERSION 17TH NOVEMBER, 2014
DOCUMENT TYPE INFORMATION SECURITY MANAGEMENT SYSTEM MANUAL
OWNER CISO
NAME: Gaurav Singh
APPROVED BY
DESIGNATION CHIEF INFORMATION SECURITY OFFICER
REVISION HISTORY:

1 0 24th FEBRUARY, 2015 Initial
1.1 1 18th DECEMBER, 2020 CRM Manual reference inserted

Table of Contents
1.0 INTRODUCTION .............................................................................................. 4

2.0 RISK ASSESSMENT ........................................................................................ 4
2.1 BENEFITS OF RISK ASSESSMENT................................................................................................4
2.2 RISK ASSESSMENT COMPONENTS ..............................................................................................5
2.3 ASSETS .............................................................................................................................................5
2.4 ASSET VALUE ..................................................................................................................................5
2.5 ASSET GROUPS ...............................................................................................................................7
2.6 THREATS ..........................................................................................................................................7
2.7 VULNERABILITIES...........................................................................................................................8
2.8 SECURITY RISK ..............................................................................................................................8
2.9 PROBABILITY RATINGS .................................................................................................................8
2.10 CONSEQUENCE RATINGS ...........................................................................................................8
2.11 RISK RANKING .............................................................................................................................9
3.0 RISK OWNER IDENTIFICATION ............................................................... 9
4.0 RISK TREATMENT........................................................................................... 9
3.1 RISK ACCEPTANCE ...................................................................................................................... 10
3.2 RISK MITIGATION ....................................................................................................................... 11
3.3 RISK AVOIDANCE ........................................................................................................................ 12
3.4 RISK TRANSFER........................................................................................................................... 12
3.5 RESIDUAL RISK ........................................................................................................................... 12
5.0 STATEMENT OF APPLICABILITY ............................................................. 13
6.0 ENFORCEMENT ZONE .................................................................................. 13
7.0 RESPONSIBILITIES ..................................................................................... 13
8.0 REFERENCES .................................................................................................. 13
9.0 ISO 27001 REFERENCES............................................................................ 13
10.0 GLOSSARY................................................................................................... 15

1.0 Introduction
This procedure lays down the treatment intent towards identification and enumeration of risks
to the assets of Synergy Maritime. (Here on referred as Synergy), and the framework to work
out treatment of the risks identified by appropriate methods. This procedure shall strive to
document the Risk assessment components and the risk assessment methods & techniques
adopted by Synergy to conduct a Risk Analysis on Assets within the scope defined above.
Subsequently this procedure shall lay down the Risk Treatment framework that has to be
adopted following the risk assessment phase.
This procedure is divided into two parts. Part 1 shall cover the Risk Assessment and part 2 shall
cover the Risk treatment.
2.0 RISK ASSESSMENT
Risk assessment is used to identify the risks, information-processing facilities (or individual
system components) are facing. A risk assessment involves consideration to the following:
 The business harm likely to result from a significant breach of information security,
based on the consequences resulting from a loss or failure of Confidentiality, Integrity
and Availability.
 A realistic probability of occurrence of such a breach in the light of the prevailing
threats, vulnerabilities and existing security controls
The following three main conditions of information security requirements are considered for
doing the risk assessment:
 Unique security risks which could result in significant losses if they occur;
 Legal, statutory and contractual requirements that the organization, its trading
partners, contactors and service providers have to comply;
 Organization wide principles, objectives and requirements to support its business
operations.
2.1 Benefits of Risk Assessment
 Identify assets, vulnerabilities and controls

 Provide basis for decisions to rectify the risk
 Justify expenditures for security.
 Improve security awareness
2.2 Risk Assessment Components
The risk assessment process at Synergy shall include the following components:
 Assets: All the key assets* as identified in the asset enumeration and classification
guideline shall serve as an input to the risk assessment exercise at Synergy.
* The asset value less or equal to 5 would not be consider for Risk
Assessment, as the impact to the business due to these assets would be
acceptable.
 Threats
 Vulnerabilitiesrg
 Probability of Occurrence
 Consequence
2.3 Assets
An asset is a component or part of a total system to which the Synergy directly assigns a value
and therefore, requires protection. Assets encompass all of those items that contribute to the
provision of information that an organization requires to conduct its business.
A comprehensive asset register should be prepared with following categorization:

 Information (e.g. files containing details, image files, product information, manuals,
continuity plans, contracts, completed forms and printed or written papers);
 Software (e.g. system software, application software, development tools and
utilities);
 Physical (e.g. computer and communications equipment, magnetic media,
environmental equipment, furniture, facilities, accommodation, etc...);
 Services (e.g. computing and communications services, service providers, Vendors);
 People/personal (e.g. Employees, Contractors, Visitors, Guest, etc...)
2.4 Asset Value
Asset value is used to determine the importance of the information associated with the asset
to the business and to identify appropriate protection for the asset. These values can be
expressed in terms of the consequences to the business in case of any undesirable events
leading to the loss of confidentiality, integrity and availability.
Three levels of criticality rating are selected for confidentiality, integrity and availability of an
asset and accompanied with numbers to denote the level of criticality of the asset. The

criticality rating of assets is to be entered in respective columns in the Asset register. The
criterion for criticality rating is given at Table 1 & Table -2.
Information Asset Security Elements

Rating
Confidentiality (C) Integrity (I) Availability (A)
1 Public Low Not Important
2 Restricted Medium Important
3 Sensitive High Very Important
Table -1
METRIC RATING DESCRIPTION

Unauthorized disclosure of information/asset will
lead to violation of Client agreement/
3
contract/legal implication/security policy, etc.. and
will have severe impact on the business
CONFIDENTIALITY lead to internal issues affecting the internal
2
functions / cause interruption to the delivery, etc...
and will have moderate impact on the business
1
have negligible impact on the business
Unauthorised modification of information/asset
3 will directly affect the delivery/key services, etc..
and will have severe impact on the business
INTEGRITY 2 will cause interruption in the service/delivery, etc...
and will have moderate impact on the business
1 can cause minor or negligible impact on the
business
Unavailability of asset/service will affect the
delivery / impact on majority of employees / cause
3
financial loss and will have immediate impact on
the business
Unavailabilty of asset/service will slow down the
AVAILABILITY
2 processs, may lead to financial loss and will have
moderate impact on the business
Unavailabilty of asset/service will not affect the
1 processs, and will have no financial impact, but
will affect the business in long run if it continues
Table – 2
The Net asset value of the asset is derived using the following formula: Calculate the sum of
the values of confidentiality, integrity and availability. The formula used has been given below.
Net Asset Value = SUM C+I+A
C = Asset value based on confidentiality
I = Asset value based on Integrity
A= Asset value based on Availability
Example:
If C=2, I=3, A=3 Then Net asset value = SUM 2+3+3 = 8
2.5 Asset Groups
Assets are sub-grouped for each category in the following manner for completing basic risk
assessment (List shown below is illustrative and not exhaustive):
Physical Assets: Software Assets:

Equipment for Physical / logical Anti-Virus Software
security Business Applications
Infrastructure Network Management System software
Laptops Office automation software
Magnetic Media Windows Operating System S/W
Network Equipment
Office Automation
Personal computers Services:
Physical Media Outsourced Operations
Server Racks Outsourced Services
Servers Outsourced Telephone Operations
Storage Security Services
Printed / written Information IT Services
Information Assets:
Backup Head - IT
Database Team leaders
Manual Windows/Solaris system/ ERP Administrators
Requests Helpdesk Coordinators
Access Registers/Database Network
Agreement Administrators
Maintenance personnel
AMC document
Admin & HR
2.6 Threats
A threat is the potential cause of an unwanted event that may cause harm to the organization.
This can take many forms. Threats can be acts of nature (such as flood, fire, earthquake),
intentional or accidental acts. In general, it could result in:
 Destruction of an asset (facilities, data, equipment, communications, personnel)
 Corruption or modification of an asset (data, applications)
 Theft, removal or loss of an asset (equipment, data, applications)
 Disclosure of an asset (data)
 Interruption of services
A threat would need to exploit the vulnerability of the asset in order to successfully cause
harm. Threats should be identified with respect to the intimidations faced by Synergy.

2.7 Vulnerabilities
Vulnerabilities are weaknesses associated with an organization’s assets. Vulnerability is merely

a condition or set of conditions that may allow a threat to affect an asset, either with greater
frequency, greater impact, or both. Therefore, a vulnerability that cannot be exploited by a
threat is not harmful to the asset.
Vulnerabilities should be identified according to the nature of the assets and with inputs from
vulnerability reports and penetration tests. Specific threats and vulnerabilities for the asset are
calculated to arrive at the Security risk.
2.8 Security Risk
A security risk is the potential that a given threat will exploit vulnerabilities to cause loss or
damage to an asset or group of assets, and directly or indirectly affect the organization. The
security risk level is determined from the combination of the asset values and assessed levels
of related threats and associated vulnerabilities. The following points were considered for
arriving at the risk values:
Risk = Net Asset Value * Probability * Consequence
2.9 Probability Ratings:

Probability
Rating Description
Scale
Due to the presence of the control the probability of the
Rare 1
vulnerability to be exploited is extremely low or negligible.
The incident can rarely occur. Adequate controls in place to
Moderate 2
deter the vulnerability from being exploited
The possibility of incident scenario is moderate. The controls in
Likely 3
place would impede the vulnerability from being exploited
The incident scenario is likely to occur. The controls to prevent the
Almost Certain 4
vulnerability exploitation are ineffective
Table - 3
2.10 Consequence Ratings:
Consequence
Rating Description
Scale
The Impacts would not threaten the efficiency or effectiveness of
Minor 1 services, and could be dealt with internally.
The Impacts would not threaten the provision of services, but
Moderate 2 would lead to degradation of the service impacting business
process.
The Impacts would threaten the provision of key services and
Major 3
require top-level treatment.
Severe financial/reputational impact resulting in direct
Catastrophic 4
loss/damages and will cause major problems for customers.

Table – 4
2.11 Risk Ranking

Risk is arrived by considering both net value of the asset and exposure rating. The risks are
ranked into four types depending on the level of impact on the asset and its impact on
operations. Table 5 provides the rankings of the risk and suitable actions that are required to
be taken by various treatment plans for securing the information of the business/organization.
Risk Value Risk Rank Description

Due to existence of a control the potential threat impact to
1 – 36 Low
exploit the vulnerability is low. It only requires monitoring.
The threat impact exploiting the vulnerability exists but the
probability of occurrence is medium and can damage only non-
37 – 72 Medium
critical application/services and associated assets. No impact on
overall security however proactive risk management is required.
The probability of the threat exploiting the vulnerabilities is high

and impacts critical business applications/services resulting in
73 - 108 High
service degradation and may also result in potential impact on
confidentiality, integrity and availability of information.
The probability of the threat exploiting the vulnerabilities is very

high and will adversely impact critical business
109 - 144 Very High applications/services resulting in downtime and business
disruption. Directly impacts the confidentiality, integrity and
availability of information.
Table – 5
3.0 Risk Owner identification

Every department/Project in Synergy has got its own Departmental Head/Project Head who will
identify the Risk Owner based on their business functions. After identification, Risk Owner will
analyse and evaluate the risk as per given Risk treatment criteria.
4.0 Risk Treatment

Risk treatment is the process of making the decisions as to which risks are acceptable and
which risks require immediate mitigation. Risk treatment shall elicit Synergy to make
appropriate decisions to accept, avoid, transfer or mitigate the risks made apparent on the
assets. The risk treatment policy at Synergy shall include the following components:
4.1 Risk Acceptance

4.2 Risk Mitigation
4.3 Risk Avoiding
4.4 Risk Transfer

4.5 Residual Risk
Risk treatment is the process which helps Synergy to make decisions about what risks can be
taken, avoided or which risks need to be mitigated and how much to spend in the process.
Based on the risk ranking Security Forum would decide whether to accept the risk or to treat
the risk.
3.1 Risk Acceptance

Synergy shall decide whether to accept the risk or not, where a risk is identified, but it is not
appropriate to implement controls/countermeasures because of various factors given at 3.4.
The following issues are considered for accepting the risk:
 The level of risk is so low that specific treatment is not appropriate within available
resources.
 No treatment is available for the risk; for example, the risk is not within the control of
the organization.
 The cost of the treatment of the risk including insurance costs, (particularly for lower
ranked risks), outweighs the benefit.
Reasons for accepting a risk
Synergy should manage risks and safeguard their operations in order to effectively protect
information. Part of the process of judging whether the security of information is appropriate
is, by acknowledging that risks cannot be avoided completely and there will always be some
residual risk.
Information Security Forum would need to treat the risks, which have been identified as
unacceptable in order that those risks become acceptable. Constraints that may influence how
to manage a risk include:
Risk: Not justified by the Risk exposure
Budget/financial: There will often-financial constraints on the amount of security that can
be implemented.

Environment: environmental factors may influence the selection of safeguards, such as space
availability, climate conditions, surrounding natural and urban geography.
Organizational: Some measures which are not feasible to implement.
Technology: Some measures are technically not feasible due to the incompatibility with the
hardware and software used by the business.
Culture: Sociological constraints on the implementation of requirements may be specific to a

country, a sector or an organization. Measures will be ineffective if staff and/or clients/stake
holders do not accept them.
Time: Not all requirements can be implemented immediately. Some may need to wait for the
budgetary relaxation; others for a suitable opportunity to arise in a wider improvement plan
e.g. A building upgrade, which permits more secure cable runs to be completed at a lower cost
than if that were to be the only task to be completed.
Not Applicable: Not applicable e.g. the organization may not see itself as large enough in the
terms of control requirement, 6.1.2 which needs a cross-functional forum for co- coordinating
security measures or, in the case of control requirement 12.3.2 it may not be processing highly
sensitive data and therefore see no absolute need to encrypt it.
Other: There may be other reasons for non-implementation other than those listed above.
Personnel: Required manpower is not available, but would be taken care in the future times
to come.
Legal: Legal constraints to implement the controls.
3.2 Risk Mitigation

Security Forum shall select controls and appropriate measures to reduce risks identified on its
assets. Risk reduction is based on the selection of controls objectives and controls to reduce
the assessed risks. Selection of controls involves combining controls to the following types to
achieve the desired reduction in the risk and appropriate level of protection:
 Threat reduction, i.e. To reduce the Probability of a threat occurring

 Vulnerability reduction, i.e., to reduce or remove a vulnerability

 Impact reduction, i.e., to reduce the impact from a security breach to an acceptable
level
 Detection of unwarranted event,
 Recovery from unwanted event
If required additional controls can be selected from other standards. The control would be
selected based on the degree of assurance that it is providing for treating the risk and the
residual risk after implementation of that control. Security Forum should approve the selected
control and should be updated in the “Applicable ISO 27001 controls” Columns. From the
approved controls a detailed risk treatment plan should be prepared and updated in the Risk
treatment plan.
The selected controls and additional controls selected should be updated in Statement of
Applicability with reason for selecting and take approval from the Security Forum. Based on the
approval given by the Security Forum, Risk owners would initiate the processes for acquiring
the required systems, developing/modifying policies, procedures and practices etc… for treating
the risk.
3.3 Risk Avoidance
Security Forum shall decide whether discontinuing the exposed activity or discontinuing the use
of exposed asset to avoid the risk identified.
3.4 Risk Transfer
Security Forum shall decide whether the risk identified can be transferred to achieve a degree
of assurance. It might mean taking insurance on the asset, or outsourcing business processes.
Care should be taken that all security requirements, control objectives and controls are
described in the associated contracts to ensure the sufficient security is inbuilt.
3.5 Residual Risk
Residual risk is the remaining risk after the risk treatment measures have been taken. For each
risk the residual risk should be arrived as given in the following table:
Residual Risk Details

Requires additional controls to further reduce
Very High/ High/ Medium
the risk to acceptable level
Low Residual Risk is at the acceptable level
On a scale of 1 – 144 the acceptable residual risk score is 1 – 36. If the residual risk score is
more than 36, further controls should be implemented. If the residual risk is medium/ high, the
residual risk can be accepted only if it is approved by the Top management. A formal approval
should be taken for accepting the residual risk.
5.0 Statement of Applicability

A statement Applicability should be prepared listing the control objectives, controls and
countermeasures selected as part of the management framework of the ISMS. The Statement
of Applicability should also list control objectives and controls from ISO 27001:2013 that have
not been selected with reference to the reason for exclusion.
In addition to control objectives and controls from ISO 27001, the Statement of Applicability
additionally lists any additional controls required by reasons of legislative, regulatory, corporate
or contractual requirements.
6.0 Enforcement Zone
This Risk assessment methodology is applicable for all the business units and supporting
functions mentioned in the Scope document.
7.0 Responsibilities
 Information Security Forum would take the responsibility of completing the risk
assessment and recommend the required controls.
 Information Security Forum after going through the recommendations and approving
them would provide the necessary budget approvals and other requirements for
implementing the controls.
 Risk owners would implement the required controls for mitigating the risks in co-
ordination with security team members.
8.0 References
 Synergy Asset Register
 Synergy Risk Assessment Sheet
 Risk Treatment Plan
 CRM Manual
9.0 ISO 27001 References

 Clause 6.1, 8.2 & 8.3

 Policies for information security (A.5.1.1)
 Review of the policies for Information security (A.5.1.2)

10.0 Glossary
Consequence
The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, or

disadvantage. There may be a range of possible outcomes associated with an event.
Cost
Of activities, direct and indirect, involving any negative impact, including money, time, labour,
disruption, goodwill, and political and intangible losses.
Event
An incident or situation, which occurs in a particular place during a particular interval of time
Frequency
A measure of the rate of occurrence of an event expressed as the number of occurrences of

an event in a given time. See also Likelihood and Probability.
Information Security Management System
A documented system that describes the information assets to be protected, an organization’s

approach to risk management, the control objectives and controls, and the degree of assurance
required.
Information Integrity
The property that information has not been altered or destroyed in an unauthorized manner
Loss
Any negative Impact, financial or otherwise.
Monitor

To check, supervise, observe critically, or record the progress of an activity, action or system
on a regular basis in order to identify change.
Organization
A company, firm, enterprise or association, or other legal entity or part thereof, whether
incorporated or not, public or private, that has its own function(s) and administration.
Probability
The likelihood of a specific event or outcome, measured in the ratio of specific events or
outcomes to the total number of possible events or outcomes.
Residual risk
The remaining risks after risk treatment measures have been taken.
Risk
The chance of something happening that will have an impact upon objectives. It is measured
in terms of Impacts and likelihood.
Risk acceptance
An informed decision to accept the Impacts and the likelihood of a particular risk
Risk analysis
A systematic use of available information to determine how often specified events may occur
and the magnitude of their Impacts.
Risk assessment
The overall process of risk analysis and risk evaluation
Risk avoidance
An informed decision not to become involved in a risk situation

Risk control
That part of risk management, which involves the implementation of policies, standards,
procedures and physical changes to eliminate or minimize adverse risks.
Risk evaluation
The process used to determine risk management priorities by comparing the level of risk against
predetermined standards, target risk levels or other criteria.
Risk identification
The process of determining what can happen, why and how.
Risk management
The culture, processes and structures that are directed towards the effective management of
potential opportunities and adverse effects
Risk management process
The systematic application of management policies, procedures and practices to the tasks of
establishing the context, identifying, analysing, evaluating, treating, monitoring and
communicating risk.
Risk mitigation
A selective application of appropriate techniques and management principles to reduce either

likelihood of an occurrence or its Impacts, or both
Risk retention
Intentionally or unintentionally retaining the responsibility for loss, or financial burden of loss
within the organization

Risk transfer
Shifting of responsibility or burden for loss to another party through legislation, contract,
insurance or other means. Risk transfer can also refer to shifting a physical risk or part thereof
elsewhere.
Risk treatment
Selection and implementation of appropriate options for dealing with risk
Security control
A practice, procedure or mechanism that reduces risk
Stakeholders
Those people and organizations who may affect, be affected by, or perceive themselves to be
affected by, a decision or activity.
Vulnerability
A characteristic (including a weakness) of an information asset or group of information assets
that can be exploited by a risk
End of the Document

RESTRICTED BUSINESS CONTINUITY/DISASTER RECOVERY PLAN
Business Continuity / Disaster Recovery

Plan

Revision No: 0
Page 1 of 25
DOCUMENT SUMMARY:
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
DATE OF ORIGINAL
25TH,FEB,2015
VERSION
DOCUMENT TYPE ISSC TEAM
DOCUMENT CIRCULATION CISO
OWNER MR. GAURAV SINGH

APPROVED BY
REVISION HISTORY:
Version Revision Issue date Changes

2.0 0 30th Sep 2019
changes applied.
Document Ref. No. ISMS_Man_042

Version No. 2.0
Revision No: 0
Page 2 of 25
Table of Contents
1.0 INTRODUCTION ......................................................................................................................... 4
2.0 PURPOSE ....................................................................................................................................... 4
3.0 POLICY STATEMENT .................................................................................................................. 5
4.0 SCOPE............................................................................................................................................. 5
5.0 BUSINESS CONTINUITY OVERVIEW .................................................................................. 6
5.1 Objective .................................................................................................................................................. 6
5.2 Business Continuity Planning Framework ................................................................................... 6
5.3 Organization ........................................................................................................................................... 6
5.3.1 BCP team and responsibilities.............................................................................................................. 8
5.4 Business Continuity Phases............................................................................................................... 9
5.4.1 Response Phase .................................................................................................................................... 9
5.4.2 Resumption and Recovery Phase ........................................................................................................ 9
5.4.3 Restoration Phase ............................................................................................................................... 10
5.5 Assumptions ......................................................................................................................................... 10
6.0 BUSINESS CONTINUITY PLAN ........................................................................................... 10
6.1 Site outage ............................................................................................................................................ 10
6.2 Critical information assets ............................................................................................................... 11
6.3 Testing of plans ................................................................................................................................... 11
6.4 BCP Notification .................................................................................................................................. 11
6.4.1 Contact list of emergency services .................................................................................................... 11
6.4.2 Vendors and Consultants.................................................................................................................... 11
6.4.3 Employee contact information ........................................................................................................... 11
6.5 Backups .................................................................................................................................................. 11
6.5.1 Data ...................................................................................................................................................... 11
6.5.2 Vital Records/Documentation ............................................................................................................ 12
6.6 Maintenance of backups and documentation offsite ............................................................. 12
6.7 Office Equipment, Furniture and Supplies ................................................................................. 13
7.0 DISSEMINATION OF PUBLIC INFORMATION ............................................................... 13
8.0 PROVISION OF SUPPORT SERVICES TO AID RECOVERY ...........................................13
9.0 EMERGENCY RESPONSE – WORK FLOWS ...................................................................... 14
9.1 Emergency Response- Fire Incident.................................................................................................. 14
9.2 Emergency Response- Bomb Threat ................................................................................................. 15
9.3 Emergency Response- Civil Disturbance .......................................................................................... 16
9.4 Emergency Response- Water Related .............................................................................................. 17
9.5 Emergency Response- Power Outage ............................................................................................... 18
9.6 Emergency Response- Severe Wind ................................................................................................. 19
9.7 Emergency Response- Medical Incident ........................................................................................... 20
9.8 Emergency Response- Terrorism ...................................................................................................... 21
9.9 Emergency Response- Building Access ............................................................................ 22
9.10 Emergency Response- Earthquake ................................................................................................... 23
10.0 ANNEXURES .............................................................................................................................. 24
10.1 Annexure A –BCP procedure for Critical Information Assets .............................................. 24
10.2 Annexure B - Disaster Recovery Test Schedule ......................................................................... 24
10.3 Annexure C – BCP Team Contact list ............................................................................................ 24
10.4 Annexure D - Contact list of Emergency Services ................................................................... 24
10.5 Annexure E-Vendors and consultants ......................................................................................... 25
10.6 Annexure F-Employee contact information ............................................................................... 25
10.7 Annexure G- Emergency Evacuation Procedure ....................................................................... 25
10.8 Annexure H- Insurance details ...................................................................................................... 25

Version No. 2.
Revision No: 0
Page 3 of 25
1. Introduction
This document lays down the processes for Business continuity and Disaster recovery plan to be followed at
Synergy Maritime Private Limited, (hereinafter referred to as “Synergy”)
Synergy recognizes the criticality of business continuity. This document details the Business Continuity Plan
for the activities covering at Synergy, which requires to protect its employees and to prevent the interruption
of vital business operations. The company shall employ all appropriate strategies for anticipating and
controlling crisis situations.
This document takes into consideration some of the immediate future requirements based on the business
vision envisaged by the management of Synergy, like Backup site.
Management is responsible for establishing an emergency response plan and providing contingency plans for
response to threats that could harm their personnel, property, and reputation.
All Synergy employees are expected to comply with established practices and procedures of this plan, which
are designed to minimize risk to themselves and others as well as threats to personnel, technical resources,
and other property, or to the security of the facility.
Synergy Business Continuity Plan and documentation provides base emergency response, resumption and
recovery planning efforts, it is not intended as a substitute for informed decision-making. Business process
managers/Owners must identify services for which disruption will result in significant financial and/or
operational losses. Plans include detailed responsibilities and specific tasks for emergency response activities
and business resumption operations based upon pre-defined time frames.
Copies of this document and other documents referenced in this plan shall be stored off-site and readily
available for reference in the event of an emergency situation that restricts or prohibits access to the normal
workplace.
A Business Continuity Plan is not a one-time commitment; instead, it is an on-going activity, which includes:
 Perform activities required to construct plans

 Train and retrain employees
 Develop and revise policies and standards as and when it demands.
 Exercise strategies, procedures, team and resources requirements
 Re-exercise unattained exercise objectives
 Report on-going continuity planning to senior management and document the same.
 Research processes and technologies to improve resumption and recovery efficiency
 Perform planned maintenance activities
2. Purpose
Synergy is committed to provide continuity of business processes despite interruptions to the normal
operating environment. The purpose of the Business continuity and Disaster recovery plan is to address

Version No. 2.
Revision No: 0
Page 3 of 25
the communication, escalation and actions necessary to continue business processes in the event of a
disaster or an incident.
The plan would provide Synergy with practical approach and process to prevent and contain potential
business disruptions in the event of any disaster, with a view to quickly resume services to customers with
acceptable service levels.
The primary focus of this Business Continuity Plan is continuing operations after a business interruption
irrespective of the nature of the interruption.
This Business Continuity Plan strives to:
 Be a practical business plan for response and recovery

 Provide robust strategies for continuity of operations
 Depict actions that reduce the impact on customers and revenue flow
Although designed to address worst-case scenarios, this plan will also support response to business
interruptions of lesser severity such as utility outages and technology failures.
3. Policy Statement
The aim of this policy is to detail a comprehensive framework for Business Continuity Planning (BCP) so that
in the event of an emergency, Synergy can continue to provide the best possible service for the clients.
The policy includes all management activities and is complemented by a plan which can be used in the event
of a disruption, or threatened disruption.
4. Scope
Business Continuity Plan is designed to create a state of readiness that will provide an immediate response
to any of the following incident scenarios:
 Any incident causing physical damage such as fire, smoke, water damage.
 Any incident which indirectly affects facility access such as storm, emergency building evacuation due
to bomb threat, or external threat such as fire to any of the floors of Synergy building.
 Any environmental incident such as poor ventilation, heating or cooling problems that would
jeopardize operations.
 Impending or unexpected regional disaster such as storm or flood.

 Any external incident, which potentially could cause a business interruption, such as loss of electrical
or telecommunications service.
 Any incident that causes a serious outage to

 Use of or access to the building
 Power
 Communication lines/EPABX
 Critical Applications & Data base Servers
 ISP Links

Version No. 2.
Revision No: 0
Page 3 of 25
 Computing resources/LAN
 Human resources
5. Business continuity overview
5.1 Objective
The objectives of Synergy – BCP
 Provide a practical approach and processes to prevent and contain potential business disruptions.
 Develop and document plans to undertake actions, for direction and control during response and
recovery from disasters.
 Resume business operations within acceptable time lines and acceptable service levels and to
minimize business losses.
 Document the facilitation of off-site storage of backups.

 Identify critical assets and their impact on business and design continuity measures for the same.
 Should an event take place that renders Facility systems ineffective and the inability for physical
access, the alternate site would serve the needs for Business Continuity operations.
The Business continuity plan also includes the following additional objectives
 Minimize the number of decisions which must be made during a contingency

 Identify the resources needed to execute the actions defined by this plan
 Identify actions to be undertaken by pre-designated teams
 Identify critical data in conjunction with customers that will be recovered during the recovery
operations
 Define the process for testing and maintaining this plan and training for contingency teams.
5.2 Business Continuity Planning Framework
A single framework of business continuity plans shall be maintained to ensure that all plans are
consistent, and to identify priorities for testing and maintenance. Each plan clearly identifies conditions
for its activation and also the individuals responsible for executing each component of the plan. The
framework shall comprise of conditions for activation, emergency procedures, fallback procedures,
resumption procedures, maintenance schedule, awareness and education activities and responsibilities of
individuals.
When new requirements are identified, the established emergency procedures shall be amended as
appropriate.
5.3 Organization
The Business Continuity organization’s primary duties are:

Version No. 2.
Revision No: 0
Page 3 of 25
 To protect employees and information assets until normal business operations are resumed.
 To ensure that a viable capability exists to respond to an incident.
 To manage all response, resumption, recovery, and restoration activities.
 To support and communicate with employees, system administrators, vendors, security personnel,
and managers.
 To accomplish rapid and efficient resumption of time-sensitive business operations, technology,

and functional support areas.
 To ensure regulatory requirements are satisfied.

 To exercise resumption and recovery expenditure decisions.
 To streamline the reporting of resumption and recovery progress between the teams and
management of each system.
SYSTEMS
SUPPORT
ADMIN
TEAM
TEAM
BCP
COORDINATOR
FINANCE
OPERATIONS TEAM
TEAM
Figure – 1 BCP Organization

Version No. 2.
Revision No: 0
Page 3 of 25
5.3.1 BCP team and responsibilities
The BCP team consists of BCP coordinator and one or more members from Operations, system support,
administration, finance and offsite. Each team will have a roster and task list of actions and
responsibilities, as outlined below.
BCP coordinator
 Monitor and coordinate Business continuity Plan, training, awareness, exercises and testing.
 Coordinate strategy development with other teams.
 Work closely with other team leaders.
 In-charge to declare about the disaster and invoking a BCP.
 Informs the team/ Team leaders about the initiation of the BCP.
 Informs the management about the BCP initiation.
 Get budgetary approvals from the management for requirements on BCP.
 Prepares reports and submit them to management.
 Implement identified improvements from test/actual data.
 Initiates measures to bring to normalcy.
 Declare the normalcy after BCP.
Operations Team
 Coordinate with systems support team to establish the operations at backup site.
 Define the requirements and submit for approval from ISSC, through the BCP coordinator.
 Coordinate with systems support and admin team for establishing the requirements at offsite.
 Inform other teams about the requirements in both logistics and technical.
 Work in conjunction with other teams involved in BCP testing.
 Coordinate with client in the event of BCP initiation.
 Once normalcy is declared, establish the normal operations at original site with all the data.
Systems Support Team
 Help in defining the requirements with the Operations Team.

 Coordinate in restoring data and communication links between user, computers and client.
 Keep the backup systems and software ready in the event of disaster.
 Periodic testing of hardware, software and backups at offsite.
 Involved in testing the BCP.
 Secure Storage of the backup tapes.
Admin Team

Version No. 2.
Revision No: 0
Page 3 of 25
 Responsible for contacting the vendors, BCP teams.

 Provide the voice communication facilities.
 Logistics support.
 Shifting the people to off-site.
 Coordinate with transporting agency (if required).
 Inform the employees families in the event of disaster.
 Testing of all emergency equipment such as power, lighting etc.
 Shifting the backup tapes/software to offsite securely.
 Other miscellaneous arrangement such as food etc.
Finance Team
 Arrange for finance.

 Prioritize and manage receivables and payables.
5.4 Business Continuity Phases
The Business Continuity Plan Coordinator, in conjunction with other teams will determine which
Teams/Team members are responsible for each function during each phase. As tasking is assigned,
additional responsibilities, teams, and task lists need to be created to address specific functions during a
specific phase.
5.4.1 Response Phase
 To establish an immediate presence at the incident site.

 To conduct a preliminary assessment of incident impact, known injuries, extent of damage, and
disruption to the services and business operations.
 To find and disseminate information on, if or when access to the operations facility will be
allowed.
 To provide management with the facts necessary to make informed decisions regarding
subsequent resumption and recovery activity.
5.4.2 Resumption and Recovery Phase
 To mobilize and activate the support teams necessary to facilitate and support the resumption
process.
 To notify and appraise time-sensitive business operation resumption team leaders of the
situation.
 To prepare and implement procedures necessary to facilitate and support the recovery of time-
sensitive business operations.
 To alert and coordinate with employees, vendors and other internal and external individuals and
organizations.

Version No. 2.
Revision No: 0
Page 3 of 25
5.4.3 Restoration Phase
 To prepare procedures necessary to facilitate the relocation and migration of business operations
to the new or repaired facility.
 Implement procedures necessary to mobilize operations, support and technology group’s
relocation or migration.
 Manage the relocation/migration effort as well as perform employee, vendor, and customer
notification before, during, and after relocation or migration.
5.5 Assumptions
The plan is prepared on the validity of the following assumptions:
The plan is based on the availability of the contingencies or the backup resources. The accessibility of
these, or equivalent backup resources, is a critical requirement.
 An alternate facility is available and maintained with adequate critical infrastructure.

 Offsite Storage facilities and information data backups are in working condition (during the event
of disaster)
 The long distance and local communication lines are available at primary and alternate site.
 Staff are available to perform critical functions defined within the plan.
 Staff can be notified and can report to the backup sites to perform critical processing, recovery
and reconstruction activities.
 Customers, Vendors, Government agencies and others will be reasonably cooperative during the
business recovery period.
 The plan reflects the changing environment and requirements of Synergy. Therefore, the plan
requires the continued allocation of resources to maintain and to keep it in a constant state of
readiness.
6. BUSINESS CONTINUITY PLAN
6.1 Site outage
Scenario: Business functions affected because of non-availability of site or site is unreachable due to
some or the other reason.
Plan:
For Chennai office, other office shall be treated as the alternate site and Vice Versa. The addresses are
given below
 Synergy Location One

 Synergy Location Two
In this scenario BCP Coordinator will be issuing further instructions as per the BCP discussions with the
management.

Version No. 2.
Revision No: 0
Page 10 of 25
6.2 Critical information assets
Scenario: Business functions affected due to failure of any one of the critical devices such as servers,
router, firewall, leased line, switches etc.
Plan: BCP Procedure for critical information assets as per Annexure A.
6.3 Testing of plans
Test plans shall be developed for various scenarios and testing shall be conducted according to the
schedule maintained as per Annexure B.
6.4 BCP Notification
The functional managers for the locations where the critical components of Synergy systems are located
should be provided with the telephone numbers of Synergy BCP team members - Annexure C. Upon
notification, the team will meet for the purpose of conducting initial incident assessment and issuing
advisory reports of status to Synergy and management. If the functional managers, other security team
members or BCP Coordinator has determined that the building cannot be entered, the alternate meeting
place will be at Offsite office.
6.4.1 Contact list of emergency services

The contact information of external agencies for e.g. Govt. administrative authorities, fire brigades,
Business Continuity service providers, agencies, etc shall be maintained as per Annexure D.
6.4.2 Vendors and Consultants
The contact list of all vendors and consultants shall be compiled and maintained as per Annexure E
so as to expedite the recovery process.
6.4.3 Employee contact information
The contact information of employees shall be maintained as per Annexure F. In the event of a disaster,
a lack of specific personal data, including home addresses, cell phone numbers, and alternate contact
information, could result in the inability to locate and contact key personnel and team members. This
personnel database should be maintained and updated continuously. This database may be maintained
by the BCP co-coordinator who will take care that the information contained therein remains current and
accessible and is available as part of the Business continuity plan.
6.5 Backups
6.5.1 Data
The important asset in Synergy is its data and information. Data and information processing are a major
reason for the existence of projects. Moreover, all of the systems are dependent on the preservation of
data, including project manuals and procedural documentation. In order to minimize the impact of a
disaster, it is extremely important to protect data and information.
Effective procedures to perform full data backups on a regular basis must be implemented.

Version No. 2.
Revision No: 0
Page 11 of 25
In case of a disaster, an alternate site shall be prepared, by the systems support team with the help of
other BCP teams.
6.5.2 Vital Records/Documentation
Vital records and important documentation shall be backed up and stored off site. Vital records are any
documents or documentation that is essential to the operations of an organization, such as personnel
records, software documentation, legal documentation, legislative documentation, benefits
documentation, etc.
6.6 Maintenance of backups and documentation offsite.
A copy of the backups shall be stored off site in an environmentally controlled storage facility. A back up
copy must be stored off site and should include documents such as security plans, Business Continuity
plans, risk analysis, and security policies and procedures. Additional copies may be necessary for some
documentation, such as Business Continuity plans, which should be easily accessible in the event of a
disaster.
For Chennai office the backup tapes will be sent to offsite storage location.
It is recommended that copies of the Business Continuity Plan be distributed to Synergy Management,
Business Continuity Plan Coordinator, and Team Leaders for safekeeping.
Documentation should be duplicated either in hard copy or compatible media format and stored at the
off-site storage or the (recovery site) location. The original primary on-site unit retains the original copies
of all information. Updates to documentation should be done as-required basis, under the control of the
responsible team. Off-site documentation should include technical and operational documentation.
The following are examples of documentation that are maintained off site:
 Security related Information security policy & procedure memorandum, circulars, publications.
 Policy statement.
 Letters of delegation for key Information System security personnel.
 Complete hardware and software listings.
 Internal security & Information System audit reports.
 Detailed IT architecture schematics (logical/physical, network, devices).
 Network cable routing schematics (on floor overlay).
 System testing plans/procedures.
 Review and approval of plans/procedures.
 System Configurations.
 Review and approval of proposed configuration.
 Changes made to the system configuration.
 Evaluation of changes for security implications.
 Technical standards.
 Business Continuity plans for incident response procedures and backup operations.

Version No. 2.
Revision No: 0
Page 12 of 25
 Data backup/restoration procedures and procedures for storage, transportation and handling
of backup tapes.
 Reports of security related incidents.
 Sensitivity and criticality determination.
 Baseline security checklist for each system.
 Software licensing information.
Detailed procedural manuals specifying how their functional responsibilities are to be discharged in the
event of their unavailability are to be developed. This is especially important for key personnel. Copies
of these manuals should be kept off-site with other documentation.
6.7 Office Equipment, Furniture and Supplies
Synergy management shall review the supply needs and coordinate with the admin department to
develop a revolving emergency inventory of workspace and survival supplies for immediate use in the
event of a disaster. The revolving inventory of workspace supplies should include not only basic essential
workspace supplies like pens, pencils, note pads, and paper, but also Synergy specific forms and
templates.
7. Dissemination of Public Information
The MD, Synergy is responsible for directing all meetings and discussions with the news media, the public
and Synergy personnel not actively participating in the recovery operation. In the absence of the MD,
Synergy, the responsibility reverts to the senior most official present at the scene.
8. Provision of Support Services to Aid Recovery
During and following a disaster, Synergy Support Teams (All other Employees of Synergy other than those
forming part of BCP team) and other third party service providers of Synergy are responsible for aiding the
BCP Team. They operate under the direction of the Business Continuity Team through the Business
Continuity Plan Coordinator and the Chief Information Security Officer.

Version No. 2.
Revision No: 0
Page 13 of 25
9. Emergency Response – Work Flows
9.1 Emergency Response- Fire Incident
Fire
NO Evacuees report
Employees Manually Auto Alarm
Activate Evacuation Activate Evacuation to Gathering
Activate Alarms activated
Point / Safe Area
Alarm Roll call taken by

monitoring NO team leads
informs Security Guard
ERT Member contacts
ERT
ERT Lead
confirms fire ERT Leader
Incident Informs contacts Fire
BCMT Department
ERT Lead
ERT contacts Fire
informs
Department
BCMT
Fire Engines BCMT informs

arrives CMT
BCMT Leader Floor Marshals

briefs brief BCMT using
Battalion Chief, floor
Informs CMT plans
Fire Department
becomes Incident
Commander
Fire Department
gives All-Clear
signal
BCMT directs
future actions

Version No. 2.
Revision No: 0
Page 14 of 25
9.2 Emergency Response- Bomb Threat
Receives
a threat
Verbal Written
Type of
information and
Threat ERT
informERT
Inform
Contact 100
Inform BCMT
BCMT Response
Team Lead
Bomb Squad
Arrives
Activate Alarm
BCMT briefs
Bomb Squad Activate
Bomb Squad
Leader becomes
Incident
Commander Roll call taken by
team leads
Bomb Squad
gives All-Clear
signal
BCMT is
briefed
BCMT directs
future actions

Version No. 2.
Revision No: 0
Page 15 of 25
9.3 Emergency Response- Civil Disturbance
Civil
Disturbance
Observed

Version No. 2.
Revision No: 0
Page 16 of 25
9.4 Emergency Response- Water Related

Version No. 2.
Revision No: 0
Page 17 of 25
9.5 Emergency Response- Power Outage

Version No. 2.
Revision No: 0
Page 18 of 25
9.6 Emergency Response- Severe Wind

Version No. 2.
Revision No: 0
Page 19 of 25
9.7 Emergency Response- Medical Incident
Medical
Incident
EMT- Emergency Medical Team
Employee
notices the
injured Injured is
alive
No
Yes
Employee informs
ERT
Employee informs
ERT
ERT ERT informs

ERT
calls 108 BCMT
calls 100, informs
BCMT, CMT
First -Aid trained

people transfer
the patient to Emergency
Police arrives EMT arrives Response
EMT
Team contacts
First-Aid
trained personnel
Natural BCMT assumes

BCMT and control and
Police takes actions
verifies
cause of First-Aid trained
death personnel provide Emergency
medical services
Response Team
Informs BCMT
Suspicious BCMT directs
further
actions
Police seals
First-Aid
area for
trained people
investigation
update BCMT

Version No. 2.
Revision No: 0
Page 20 of 25
9.8 Emergency Response- Terrorism
Terrorist Event
Activate security Notify emergency

team notifies all
alarms response team Police Department
Employees on the
threat
Notify BCMT Police personnel

arrive
BCMT assess
situation and Building Security
works with Police
procedures personnel to cordon
BCMT directs all future

actions and executes

Version No. 2.
Revision No: 0
Page 21 of 25
9.9 Emergency Response- Building Access

Version No. 2.
Revision No: 0
Page 22 of 25
9.10 Emergency Response- Earthquake

Version No. 2.
Revision No: 0
Page 23 of 25
10. Annexures
10.1 Annexure A –BCP procedure for Critical Information Assets
Refer to: “Business Continuity Procedure for Critical Assets.doc”
10.2 Annexure B - Disaster Recovery Test Schedule
Sl. Disaster Condition Impact Test Schedule

No
1 Fire Drill High Yearly
2 Server High Every 6 Months
3 Network Devices High Every 6 Months
4 Power High Every 6months
5 Air Conditioning in Server Medium
Rooms Every 6 months
6 UPS High Every 6 months
 These tests are to be conducted with prior scheduled outage notification to Operations.
 During the test schedule, services as given in the table will remain down, as the failure condition
will be simulated. Technology and Operations should test the services and note the test results,
experiences and suggestions.
 Every Service, which is expected to have an impact on the test condition, needs to be tested
individually. Test conditions should be tabulated.
 Required configuration and data backup to be taken before simulating the problem condition.
Objectives of the tests
 To be prepared to meet the failure conditions confidently during live operation.

 Get first-hand experience on the time taken to recover.
 Identify the procedures to be followed to recover from known failure conditions.
 To proactively identify unexpected errors and problems during recovery.
10.3 Annexure C – BCP Team Contact list
Refer to: “BCP Team Contact List.xls”
10.4 Annexure D - Contact list of Emergency Services
Refer to: “Emergency Contact List.xlsx”

Version No. 2.
Revision No: 0
Page 24 of 25
10.5 Annexure E-Vendors and consultants
Refer to: “Vendors and Consultants Contact List.xlsx”
10.6 Annexure F-Employee contact information
Refer to: “Employee Contact Information.xlsx”
10.7 Annexure G- Emergency Evacuation Procedure
Refer to: “Evacuation Procedure.xlsx”
10.8 Annexure H- Insurance details
Refer to: “Insurance coverage detail.xlsx”
-------End of Document -------

Version No. 2.
Revision No: 0
Page 25 of 25
RESTRICTED Communication Matrix
DOCUMENT SUMMARY:
AUTHOR KANNAN
REVIEWED BY GAURAV SINGH
CURRENT VERSION 2.1
DATE OF CURRENT VERSION 23-12-2019
DATE OF ORIGINAL VERSION 24th FEBRUARY, 2015
OWNER CISO
NAME: GAURAV SINGH

APPROVED BY
DESIGNATION CHIEF INFORMATION SECURITY OFFICER
REVISION HISTORY:

1 0 th
24 FEB, 2015 Initial
Whole content is reviewed, and
2 0 30RD SEP 2019
changes applied
Changes made based on Audit
2.1 1 23rd Dec 2019 comments in external
communication.


Who with Whom

When What Why How
(From) (To)
Internal Communication
To Improve Skills,
Process As and when ISMS Training Needs
HR awareness and Mail
Owners required and Requirements
achieve new Skills
ISMS training To execute the

Process When Training
HR Schedule and its training in the Mail and Circulars
Owners Arranged
details planned Date
To provide access
New Recruitment to the IT N/W or To
User details for Login
done / During safeguard Mail / Exit Form
HR IT Access / Deletion of
employee Information from etc
user id.
resignation Ex- Employee's
Access
To safeguard
information and to Mail / Notice
All As and when provide awareness Boards /
IT breach preventive
Department required based on Awareness
measures
Information training
security Updates
To enable process
Process As and When owners to take
CISO status of relevant Mail
Owners required appropriate
department
measures
Once in 6 Months as To ensure the ISMS

Internal Conduction of
CISO / ISSC per Internal audit is In line with the Mail
Auditors Internal Audit
Plan requirements
CISO / ISSC To check the

Once in 6 Months as
Internal and Relevant Nonconformity raised system is in line
per Internal audit Mail / NC report
Auditors Process and action taken with the ISMS
Plan
Owners requirements

To provide
Information security Mail / Verbal (In-
As and When awareness to the
Employees ISSC breaches / Non person) / Incident
required ISSC team and
conforming activity Report
initiate actions
External Communication
Regulatory and As per the legal / Information To keep the

HR / Legal Mail / Letter
Statutory statutory required by the company in
Team correspondence
Bodies requirements bodies operation.
Purchase order
External As and when To address
List of items / and Mail
IT- Purchase Providers / requirements raised resource
Materials / devices correspondence /
/ Purchase Supplier / from relevant requirement of
to be purchased Verbal (Phone
Vendors departments Synergy
calls) / SLA
During Customer To ensure their

Mail and
communication - As Information security (customer data)
Top requirement
Customer and when queries requirements and are safe and their
Management documents /
received from Customer Query requirements are
Reports (if any)
customer met.
External To provide
While dispatching
Providers / IT- Purchase / relevant
the required items / Billed Item details Invoice / Bills /SLA
Supplier / Purchase acknowledgement
Materials / devices
Vendors to Synergy

ESTRICTED RISK DOCUMENT
Doc ref: ISMS_Man_044 Ver: 2.1, Rev:1 , Date 17.12.2019

uthor MR. Kannan
eviewed By MR. Gaurav Singh
urrent Version 2.1
ate of Current Version 17TH, DECEMBER,2019
ate of Original Version 25TH,FEB,2015
ocument Circulation CEO, HEAD-IT, HEAD ADMIN & HR TEAM, All department Heads
wner CISO
Name: MR. Gaurav Singh

pproved by
Designation MANAGER -IT / CISO
vision History
Version Revision Revision / Issue Date Changes

Reviewed Added Risk related to Asset stolen
2.0 0 30th Sep 2019
(Laptop) out side synthesis environment.
Based on Stage 1 audit comments, Reviewed and
2.1 1 17th Dec 2019 additional control measures are added for Medium
risk.
Security classification
Asset Evaluation
Asset Owner Custodian(s) User(s) Location Confidential
Integrity Availability Asset Value Category
ty
PHYSICAL ASSETS
ysical / logical security, Infrastructure, Laptops
Network Equipment, Office Automation, personal
Synergy -
cal Media, Server Racks, Servers, storage, Printed / IT Dept. IT Dept. All End users 3 3 3 9 Restricted
Chennai
on
SOFTWARE ASSETS
re, Business Applications, Network Management
Office automation software, Synergy -
IT Dept. IT Dept. IT Team 3 3 3 9 Restricted
ng System S/W Chennai
INFORMATION ASSETS
, Manual, Requests, Access Registers/Database, Synergy -

IT Dept. IT Dept. IT Team 3 3 3 9 Restricted
document Chennai
SERVICES
ations, Outsourced Services, Outsourced Telephone
Synergy -
rity Services, IT Services IT Dept. IT Dept. All End users 3 3 3 9 Restricted
Chennai
PERSONNELS
aders, Windows/Solaris system/ ERP Administrators,
ators, Network Administrators Respective Respective Synergy -
Synergy 3 3 3 9 Restricted
sonnel, Admin & HR, Physical Security dept. Heads Dept. Chennai
drive post to his/her travel.
Sensitizing employees on a continuous basis by

providing them awareness on ISMS and clean desk
policy, Initiating Disciplinary Action in case of a
breach of policy ISMS committee Additional
All Dept Heads / Controls: Employees shall be provided training Risk to Last reviewed
Nil A 8.3.1, A 8.3.2 3 3 81 High 1 3 27 Low
Process Owners with respect to Information security awareness Mitigate 17.12.2019
such as cleandesk policy etc. Employees shall be
intimated to report incidents to ISM / ISSC with
respect to leaving sensitive data (in any form)
unattended.
Deployment of strict access control procedure

available in synergy environment. Every employees
are instructed to use their access cards during
Last reviewed
Nil A 11.1.2 3 3 81 High Admin Manager each entry and exit. Additional Control: Accepted risk
17.12.2019
1 3 27 Low
Communications shall be initiated with vendors who
is capable of tracking In/Out movements via RFID.
Vendor POC will be planned at Synergy.
Awareness about Information Security and latest

threats are provided to relevant employees as and
when required. Reinforcement through posters,
screen savers, mails etc. Back up of server data is
available on local storage, tape and in cloud Risk to Last reviewed
Nil A 7.2.2 3 4 108 High CISO & ISSC 1 3 27 Low
storage, which enable synergy to resume normal Mitigate 17.12.2019
operations. Additional Control: ISMS Awareness
shall be provided to all identified individuals atleast
once in every year.Periodic drill will be conducted
by IT team and learnings shall be shared to all.
In addition to the existing controls, Information

Security Awareness sessions, Latest cyber threats
ted Anti Virus updates All Department Heads / updates are given to employees.Reinforcement Risk to Last reviewed
High 1
n place. The same is A 12.2.1 3 4 108 Process Owner through posters, screen savers, mailetc. Mitigate 17.12.2019 3 27 Low
viewed by IT team Additional Control Manage switch implemented
between firewall and server inorder to add
additional security levels.
Information Security Awareness sessions, Latest

cyber threats updates are given to employees.
Reinforcement through posters, screen savers, mail
etc. Accounts & Purchase team shall confirm it with
Risk to Last reviewed
Nil A 12.2.1, A 7.2.2 3 4 108 High Purchase Manager vendors and relevant senior managment before
Mitigate 1 3 27 Low
initiating payments. 17.12.2019
Additional Control: Drill condcuted by
sending fake Phishing emails to teams and lessons
learned from it are shared among all.
Along with the existing controls, Firewall rule shall

Configured Backup A 12.3.1 2 3 54 Medium Vessel Master be created to allow publication websites / links for Mitigated Last reviewed
1 2 18 Low
mputer is available updates. This is done to prevent data corruption 30.09.2019
via external source.
tic Backup Methodology Along with the existing controls, Backup software Last reviewed
1
e. Stored in 2 different A 12.3.1 2 3 54 Medium Vessel Master and retentions of data shall be configured, regular Mitigated 30.09.2019 2 18 Low
rs, removable Hard disk drills shall be conducted in vessels.
s Server in Vessel. Anti Approved USB storage devices allowed for the data
ent installed in each transactions with in ship, Also Cyber reposponse
tion. Scanning of Medium Vessel Master plan , Cyber respponse team details and esclations Mitigated Last reviewed 2 18 Low
A 12.2.1 2 3 54 1
le drives mandatory. details are shared with the vessel captain. Incident 30.09.2019
ss Training provided to is recorded and reported to CISO as per the
end users. incident management policy.
loyment of Properly Along with the existing controls, Extra layer of

protection shall be arranged with network switched Last reviewed
nfigured Firewalls A 13.1.3 1 4 36 Low IT Head / CISO
installtions by using managed switch between
Mitigated 1 2 18 Low
30.09.2019
gating both the LANs
firewall and server.
Along with the existing control , Firewall rule shall

et Access provided by A 13.1.3, A 12.2.2.1, A be created to allow publication websites / links for Last reviewed
ng a port on the Firewall 1 4 36 Low IT Head / CISO Mitigated 1 2 18 Low
12.1.2, updates which shall enable to keep marine charts 30.09.2019
ugh proper process up to date.
n disabled in machines,
checking for removable Along with the existing controls, Synergy IT team
devices. Users day-day review these control periodically and updates are Last reviewed 1
A 12.6.2 1 4 36 Low IT Head / CISO Mitigated
30.09.2019
2 18 Low
are carried out via local done in the vessel work stations as and when
login, admin rights not required.
vided to end user.
All vessel work stations are monitored, maintained Last reviewed

Nil A 12.4.1, A 12.4.2, A 12.4.3 2 4 72 Medium IT Head / CISO Mitigated 2 2 36 Low
and reviewed through team viewer and vessel visit. 30.09.2019
Implementation of virtual shippalm server or a

To decide
Redundant Shippalm server is under consideration
Nil A 17.2.1 2 4 72 Medium Vessel Master
and ISMS committee currently performing feasibility
to mitigate and Mitigated Nil Nil Nil Nil
by Apr2020.
study for the same.
The back up data from Synergy office shall be

Last reviewed
Nil A 17.2.1 2 4 72 Medium Vessel Master uploaded in to the affected vessels's new Mitigated
30.09.2019
2 2 36 Low
computer.
List of Threats and Vulnerabilities identified during the Risk Assessment process
Threats Vulnerability
key personnel Staff shortage
terception or interference Lack of segregation of network and power cable
e Lack of Media Handling Policy
e Lack of mobile computing Policy
cision making Absence of key personnel
a) Inadequate network management (resilience of routing).
ervice b) Lack of a Firewall.
C) Lack of IDS/ IPS
f information Lack of NDA with employees
isconduct Lack of Background verification for employees
failure Lack of desktop maintenance
failure Lack of or inadequate maintenance
f relevant clauses in the contracts Insufficient reviews before signing contracts
ntract period Lack of renewal process
n of records Disgruntled employee
lack of environmental controls Combustible material stored in the server room
Inadequate / Poor visibility of the fire exit display
Inadequate maintenance of fire extinguishers
Lack of user training to use the fire extinguisher
Inadequate maintenance of fire Alerting Systems
Unprotected physical storage
s Theft by insider & Wilful damage by insider
Inadequate patch management
Existence of weak security controls and Vulnerabilities
Improper network segregation
alicious code injection Lack of Vulnerability and Penetration Test
alicious code injection Unmanaged applications
ailure Insufficient or inappropriate maintenance of hardware
ailure Faulty or inadequate UPS/generators
a) Inadequate control of software distribution
authorized use of software b) Lack of policy to restrict staff to use only licensed software
c) Lack of software auditing d) Lack of monitoring mechanism
Lack of awareness about latest security threats and about changes in law or
disclosure regulations.
disclosure Lack of access control
disclosure Lack of Clear desk policy
n, operation error Unavailability of ISMS documents ( Policies, procedures, Business continuity plan etc.)
uption Lack of backup and restoration check
ode a) Lack of Anti Virus software
b) Lack of regular updates of Anti virus software
ode Lack of Patch management
a) Uncontrolled downloading and use of software off the Internet
ode b) Lack of Anti Virus software.
c) Lack of regular updates of Anti virus software
ng of user identity Poor password management
ng of user identity Sharing of password
ccess rights Wrong allocation of access rights to camera footage
ccess rights Administrator rights given to users
ccess rights Lack of access control and access review
ccess rights Delay in access revoking for absconding case
neering Poor level of information security awareness
ilure Inadequate reporting and handling of software malfunctions
s Lack of Hard disk encryption
s Inadequate physical protection
s Disgruntled employee
s Lack of physical access control
s Inadequate physical protection
s Improper physical protection
s Unprotected physical storage
s Inadequate protection
ed modification Lack of hardening guideline
ed modification Poor or weak access controls
ed access lack of logical access control
ed access Lack of information classification and labelling
ed access Lack of Clear Desk and Clear Screen
d access Insufficient or poor log configuration and monitoring of Database systems
ed access Inadequate User access management (Modification / Deletion)
ed access Lack of physical protection while transporting
ed access Lack of segregation of duties
ed access Lack of equipment protection
d access Inadequate password management
ed access 1. Improper physical protection
ed changes Lack of change control/management process
ed disclosure of information Lack of access control
ed physical access Lack or inadequate Physical access controls
d physical access Improper use of or bypassing physical access control to data Centre server room
ed physical access Physical access rights are not revoked upon job termination
ed physical access lack of physical or logical access controls, lack of physical or logical access review to server room
ed physical access Lack of physical entry controls to operation floor
d use Lack of laptop policy
ed use Lack of equipment protection
ed use Inadequate protection of cryptographic keys
a) Inadequate control of software distribution
ed use of software b) Lack of policy restricting staff to use only licensed software
c) Lack of software auditing
d) Lack of monitoring mechanism
ed user accounts Lack of user provisioning process
ity of Network connection Improper Cabling
ty of supporting service Inadequate maintenance
ty of supporting service Lack of or inadequate maintenance
incidents Lack of Incident handling procedure
Insufficient security training / awareness (clear desk/clear screen practice, password usage, etc.,)
Lack of Job related training
fying the client settings Lack of user access restriction to Antivirus settings
on client systems Inability of the antivirus software to detect virus attack
pplication lack of Secure development policy
pplication Lack of secure systems engineering procedure
OBJECTIVES PLANNING
PUBLIC
OBJECTIVES PLANNING
DOCUMENT SUMMARY:
AUTHOR MR. KANNAN

CURRENT VERSION 2.0
OWNER CISO
Revision History

2.0 0 30th Sep 2019
changes applied.

OBJECTIVES PLANNING
PUBLIC
PURPOSE
The key objective to ensure the success of Synergy Maritime Private Limited business lies in protecting the business
information of the organization and its customers. To fulfill this strategic business objective, Synergy Maritime
Private Limited has established an Information Security Management System.
POLICY STATEMENT
The Directors, Senior Management and all other employees at Synergy Maritime Private Limited are committed to
protect the confidentiality and integrity of all the information assets, ensure availability in accordance to business
objectives and conduct business in compliance with all statutory and regulatory requirements.
ISMS OBJECTIVES
The Objective of ISMS at Synergy Maritime Private Limited is to ensure that:
 To Ensure Nil unauthorized access either by internal or external Sources.

 To Maintain 100% Confidentiality and Integrity of information.
 To Maintain Zero hour down time there by achieving availability of information always to meet Business
requirements.
 To Test Business continuity and disaster recovery plans at least once in a year each.
 To Maintain 100% Information security awareness among all staff and relevant external parties.
 To Achieve Nil disciplinary action against employees and relevant external parties for not compliance to
this ISMS environment.
 To report and Investigate All breaches of information security, actual or suspected, by the Information
Security Steering Committee.
 All applicable regulatory and legislative requirements are always met.
The management at Synergy Maritime Private Limited ensures that this policy is communicated, understood,
implemented and maintained at all levels of the organization. The policy shall be monitored for compliance and will
be amended, if necessary.
This policy has been approved by the Board of Directors at Synergy Maritime Private Limited.
CISO / HEAD

OBJECTIVES PLANNING
PUBLIC
ISMS OBJECTIVES
REVIEW UOM (Unit
S.No ISMS Objectives TARGET RESPONSIBILITY
FREQUENCY of Measure)

1 Monthly Nos Zero IT Manager/Admin
(Internal)

2 Monthly Nos Zero IT Manager /Admin
(External)
Confidentiality and Integrity of

3 Monthly % 100% CISO
information
Down time reported with

respect to availability of Zero IT-Manager /Network
4 Monthly Hours
Information for Business Hours team
No. of times business At least

Once in 6
5 continuity and disaster Nos once in Process Owners
recovery plans each Tested
Month
a year
Information Security
Once in 6
6 Awareness to Staff and % 100% CISO and HR
Interested Parties.
Months
No. of Disciplinary actions

CISO and Relevant
7 against Staff and relevant Monthly Nos Zero
Interested Parties.
Process Owners

8 Monthly % 100%
under investigation by ISSC team

9 Monthly % 100%
reported and closed by ISSC team
Applicable regulatory and Once in 6

10 Nos. Zero HR and Legal Team
Legislative yet to Met Months

OBJECTIVES PLANNING
PUBLIC
CISO / HEAD

RESTRICTED Change Management Procedure
Change Management Procedure
Document Ref. No. ISMS_SOP_001 Version No. 2.0

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
The objective of this procedure is to ensure that all changes made in the IT environment of the
organization are done through a controlled process. The risks and impacts on the targeted and related
systems should be assessed and controlled to avoid unauthorized changes to any IT system and
ensure that all changes are recorded for analysis. This procedure describes various workflows of
change management.
2. Scope
This procedure shall be used by all Users requesting changes to/within the organization’s production
environments including (but not limited to) changes such as:
• Hardware changes
• System software changes
• Application changes (e.g. Functionality updates, web page additions/deletions, URL link
additions/deletions, releases, etc.)
• Network changes
• Operational and support procedures and documentation changes
• Version upgrades/enhancements/patches
• Planned/scheduled outages.

3. Procedure
3.1 High level representation
4. Enforcement
Management reserves the right to monitor the compliance with this procedure. All reported violations
related to this procedure should be reported to the CISO/ISM and acted upon based on relevant ISMS
policies and procedures. All necessary records (emails, MoMs, etc.) for demonstrating the compliance
to the enforcement of this procedure shall be retained as an audit trail.

IT Asset Procurement &
RESTRICTED
Deployment Procedure
IT Asset Procurement & Deployment

Procedure

RESTRICTED
DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 2.0
OWNER CISO

APPROVED BY
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

RESTRICTED
1. Purpose
This procedure aims to protect the integrity and availability of all IT assets at Synergy.
2. Scope
This procedure applies to all the Synergy IT assets.
3. Procedure
All procurement requests are based upon capacity projections done by Synergy IT.
The procurement steps are as follows:
Case I – New/Unknown product or solution; Technical Complexity - High
1. Identify the product to be purchased in discussion with the relevant units/ people; a specific
business requirement must exist for each purchase; requirement should be validated by ISM
2. Depending on the product to be procured, refer to the list of approved vendors for Synergy for
shortlisting three vendors having a capability to deliver, install andmaintain the required product.
3. If the vendor is already an existing and approved vendor for Synergy, raise an EOI (expression of
Interest) to the vendor through emails/phone calls. If it is done through a phone call, a
documented reference should be maintained.
4. In case if the vendor is not listed or existing vendors do not have the right capability to deliver
the desired product, ISM should find out other vendors who are capable of delivering the
product. ISM could find such vendors through online research on the internet, blogs, professional
associations, vendor references (word of mouth), etc.
5. The newly identified vendors should be reviewed by respective persons at synergy. After
successful empanelment, raise an purchase request to the vendor through emails/phone calls. If
it is done through a phone call, a documented reference should be maintained .
6. A minimum of three vendor quotations (where required) / an Quotation shall be requested from
the relevant vendors. In case it is not feasible due to the constraints at vendor, Synergy will
take this case as an exception and proceed as required.
7. Discuss the business requirements with the vendors, whenever required and evaluate the desired
technical specifications/ configurations/ capacity/ price point with the help of vendor
recommendations.

RESTRICTED
8. Discuss and finalize the suitability of product internally within the IT team/ ISSC based on the
inputs given by the three vendors.
9. system acceptance criteria (including the technical specifications/ features) and perform
necessary product demonstrations/ proof of concept exercises, wherever feasible.
10. Based on successful match against the criteria/demos/POCs, a vendor is finalized and a Request
for Quotation (RFQ) on the product is raised to the vendor.
11. In cases where the quotation needs to be sought and finalized prior to a demos/POCs, Synergy
would raise an RFQ ahead of the POC exercise.
12. Subsequently, upon successful acceptance of the demos/POCs in compliance with System
Acceptance Criteria (including pricing) vendor is selected and a purchase order is raised.
Case II – New/Unknown product or solution; Technical Complexity - Low
The procedures are the same as above except for the following:
1. Demos/POCs may not be required from all the vendors as long as Synergy IT has sufficient
knowledge about the usefulness and suitability of the Product under consideration.
Case III – Known product or solution; Complexity - Low
The procedures are the same as above except for the following:
1. POCs may not be required from any of the vendors as long as Synergy IT has sufficient
knowledge about the usefulness and suitability of the Product under consideration.

RESTRICTED
Diagrammatic representation
Receipt of materials (both software and hardware)
1. Verify the adherence to the system acceptance criteria as per the purchase orders
2. Confirm the correctness by signing off on the invoice or delivery challan with date and time
stamp
3. Move the materials to the IT store for inventorying

RESTRICTED
Asset Inventorying
1. Update the asset inventory registers with the product details including but not limited to the
following
a. Serial No./ service tag
b. Express service code, wherever applicable
c. Brand
d. Model
e. Date of purchase
f. Details of PO
g. Details of Invoice
h. Asset ID
i. Ownership
Asset deployment/ allocation
1. For all server room/ data centre related asset releases, the vendor is made responsible to visit
the respective site and assist in the installation/ deployment of the asset.
2. All other assets such as desktops, laptops and other desktop software licenses are allocated to
the respective owners.
3. Asset inventory shall be updated with the respective owner details against each asset.
4. Procedure enforcement
Management reserves the right to audit asset management procedures to ensure compliance to the
above mentioned procedures. Any non-compliance found during the audit would be reported to the
management and acted upon case to case basis.
5. References
 Asset Inventory register or record.

 Purchase order
 Bills / Invoices / SLA

RESTRICTED Logical Access Control Procedure
Logical Access Control Procedure

DOCUMENT SUMMARY
AUTHOR MR. KANNAN

CURRENT VERSION 2.0

OWNER CISO
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
The purpose of this procedure is to control the risks of unauthorized access into any form of
information or information processing facilities which is critical to the nature of Business.
The primary objectives are to ensure:
 User registration and De-registration is controlled, authorized, and a record is maintained.

 To ensure that the allocation of passwords is controlled and user access rights are reviewed
regularly.
2. Scope
This Procedure applies to
a) All Information assets which are exposed to the risks of unauthorized access. This includes
information on servers, emails, etc.
b) Logical controls implemented over OS, Network, Databases and Applications
c) All employees having access to Information assets and Systems
d) All the equipments that process store and retrieve information

3. Procedure
3.1 User registration
Existing User needs

New User joins
additional Access/
Organization
access modification
HR forwards the Access Request

request to IT with forwarded to RM and
User Details ISM for approval
Request Forwarded to Employee’s

Reporting Manager(RM) with a
copy to ISM. Manager decides the
Access Rights required by the
User; ISM approves the request
Upon Approval
Upon Approval
Request Forwarded
to IT Helpdesk for
access provisioning
Request for Network

Application Services
PC/Laptop &
& Database (AD,Email,
Standard
Access internet
Software Suite
IT Department Access Rights

configure Desktop/ Information System
Laptop with forwarded to IT Administrator (IT
Standard OS, Department/ other Department) create
Software Suite and Application or DB ID and Password
Network Services Administrators
IT hands over the Creation/ IT communicates

asset to the user Modification of the new ID and
and user Application User Password details to
acknowledges Account the user

3.2 Periodic review of user access rights
ISM initiates the process of User access rights

review on Critical Information Systems
IT Administrators generate list of all user

privileges/ rights and accounts on the
respective information systems
Access lists are distributed among all the

authorized reviewers across business units for
review of access rights
The reviewers review and analyze the

discrepancies in the access privileges; These
discrepancies are communicated back to ISM
ISM instructs IT/ Applic tion Administrators to

take necessary action against the
discrepancies either by grant/ revoke/ adjust
The actions are communicated back ISM; the

access lists are updated accordingly based on
the modifications/ adjustments

RESTRICTED Physical Access Control Procedure
Physical Access Control Procedure

DOCUMENT SUMMARY
AUTHOR MR. KANNAN

CURRENT VERSION 2.0
OWNER CISO
REVISION HISTORY

2.0 0 30th Sep 2019
applied.

1. Purpose
The purpose of this procedure is to deal with the issues of unauthorized access to the premises and
the office restricted areas.
2. Scope
This Procedure applies to
a) Entire premises
b) All the restricted areas
3. Procedure
3.1 Visitor entry into the premises
Enter the premises and Visitor to enter his/her details

reports to security in the register sent to the reception
Visitor enquiry and authorization;

Escorted by the concerned person
3.1.1 Key Steps
Responsibility/
S. No. Description
Particulars
1. The visitors after entering the premises report to the security desk Security Personnel
Visitor personal details should be entered into the visitor register Security Personnel/
2.
including the details of electronic media carried by them Visitor Register
Visitor is sent to the reception for further enquiry (whom to meet, Reception
3.
purpose, etc.) and authorization to enter the premises
The reception personnel then discusses with the concerned person Reception
4.
for the authorization
5. The concerned person escorts the visitor into the premises Concerned person

3.2 Entry into restricted areas
Requests for access Approves based on need basis; Forwards

the request for processing
ISM Helpdesk
Employee
3.2.1 Key Steps

Sl. Responsibility/
Description
No. Particulars
For entry into restricted areas such as Server Room, UPS Room, etc. Any Employee
1. prior authorization from the Information Security Manager(ISM) is
mandatory.
The employee or the line manager should send an email to ISM Employee/ Line
2. requesting authorization for access into the particular restricted area Manager/ ISM
and the time limit of the access privilege, if any.
ISM approves the request based on the risks involved for the concerned ISM
3. employee accessing such restricted areas; ISM send out an email to the
concerned department or personnel for granting the access privilege
The concerned department or personnel upon receipt of the approval Concerned

from ISM grants the access into the premises either logically by department or
registering the user for biometric access or by handing over access personnel
4.
cards, keys, etc. If there are any time limits for such privileges, the
concerned department or personnel revokes after the specified time
frame.

RESTRICTED E- Waste management Policy
E - Waste Management Policy

DOCUMENT SUMMARY
AUTHOR MR. KANNAN
CURRENT VERSION 1.0
DATE OF CURRENT VERSION 23RD, DECEMBER ,2019
DATE OF ORIGINAL VERSION 23RD, DECEMBER ,2019
OWNER CISO

APPROVED BY
REVISION HISTORY
1.0 0 23rd, Dec 2019 Initial

1. Purpose
This procedure is to define the practice of synergy with respect to electronic disposal by considering
environmental issues and applicable regulatory requirements.
2. Scope
The scope of this Policy is applicable to electronics devices that shall be disposed post use.
3. Policy
The E-Waste Management Policy has been framed to affirm the Open corporate commitment
to safe and efficient E-waste management, to reduce and recycle waste that was produced. To
ensure compliance with and exceed all legal / regulatory requirements relating to E-waste
management. It also promotes environmental and recycling issues as an integral element of its
activities and demonstrates its commitment to continual improvement in environmental practices.
 Follow efficient E-waste management and recycling practices throughout Synergy and use
recyclable and recycled materials whenever appropriate.
 Promote a awareness in purchasing that will give preference, where practicable, to those
products and services which cause least harm to the environment.
 All E-wastes must be disposed of through a registered E-waste carrier who can demonstrate
their registration and compliance.
 All non-hazardous waste to be disposed based on directions from local bodies.
 The E-waste generated in synergy shall also disposed by transferring devices to the existing
staff member after cleansing process is carried out based on Asset disposal process. This
is done to promote recycle of electronic components.
 Synergy has been working in the area of safe disposal of electronic wastes and shall partnered
with authorized E-waste vendor. Synergy shall seek shared responsibility and cooperation
from E-waste vendor in reducing the environmental impact of their products.
Synergy shall identify a E-waste drop off centre / area and shall communicate the same to all
stake holders at Synergy. The E-waste generated at synergy shall be collected at the identified
Drop off centre / area after informing the designated authority.
Synergy shall ensure that the E-waste vendor has obtained all necessary authorizations from
the appropriate government agencies for their processing facilities.
The Synergy shall consider the following items for E-waste disposal (but not limited to the
below):

1. Desktops / Servers.
2. Laptops / Mobiles.
3. Switches / Hubs / routers / Firewall.
4. Memory Devices.
5. Hard disk / RAM/ Mother board.
6. Laptop / Mobiles Batteries etc.
4. Reference
1. NDA

Cover Page
TED IT ASSET CONFIGURATION
c ref: ISMS_Man_047 Ver: 1.0, Rev:0 , Date 23.12.2019

MR. Kannan
y MR. Gaurav Singh
ion 1.0
ent Version 23rd Dec 2019
inal Version 23rd Dec 2019

irculation CEO, HEAD-IT, HEAD ADMIN & HR TEAM, All department Heads
CISO
Name: MR. Gaurav singh
Designation MANAGER -IT / CISO
rsion Revision Revision / Issue Date Changes

1.0 0 23rd Dec 2019 Initial
Config_ Details
Items Model Configuration /Type Qty Location Re
Servers
Routers
Switch
Server
Hub
Printers
Projector
Scanner
usic System
Mobile
onference
Call Device
MUX
PBX
Modem
RESTRICTED Cyber Security Risk Management
Table of Contents
Cyber security risk management introduction ................................................................ 7
UPDATES TO SAFETY AND ENVIRONMENT PROTECTION POLICY .................................................................... 7
Cyber Security office Charter ........................................................................................................................... 7
Job Description ................................................................................................................................................ 8
Cyber security risk management Theory ....................................................................... 10
Safety and Operational Objectives ................................................................................................................ 10
High Level cyber risks .................................................................................................................................... 10
Safety and Operational Objectives Reliant on Critical Technologies ............................................................. 11
Risk Management Strategy ........................................................................................................................... 11
2.4.1 Cyber Risk Management Process ...................................................................................................... 11
2.4.2 High-Level Resiliency Objective .......................................................................................................... 12
2.4.3 CRM Process ....................................................................................................................................... 12
2.4.4 CRM Control ........................................................................................................................................13
Cyber security risk management Risk Profiling ............................................................. 16

Critical Technologies...................................................................................................................................... 16
Possible Vulnerabilities .................................................................................................................................. 16
Cyber Risk Tolerance...................................................................................................................................... 17
3.3.1 Company's Cyber Risk Tolerance matrix ............................................................................................. 18
Vessel’s Risk Profiling.................................................................................................................................... 19
Cyber security risk management vessel specific documentation ................................. 20

Hardware and Software Inventory ................................................................................................................ 20
Network Drawing requirement...................................................................................................................... 20
Cyber security risk management Process ...................................................................... 21

Management of Changes .............................................................................................................................. 21
Requirement for Vulnerability Management Plan ......................................................................................... 22
Fail safe for critical systems........................................................................................................................... 22
Cyber security risk management Access control ........................................................... 22
MANAGEMENT OF Physical Access to assets ................................................................................................ 22
Username and Password Management ........................................................................................................ 23

Access Authorization .................................................................................................................................... 23

Remote Access Management ........................................................................................................................ 24
Removable Media (USB/CD/DVD) Management .......................................................................................... 25
Remote Maintenance approval and tracking management ......................................................................... 26
Cyber security risk management data security ............................................................. 27

Requirement for OS, Software, Firmware Patch Management ..................................................................... 27
Anomalies and events ................................................................................................................................... 28
Requirement for Hard Drive Storage Capacity Management........................................................................ 27
Baseline of Network Operations and Expected Data flows (System Specific) ................................................ 28
Requirement for Audit and Event Log Management ..................................................................................... 28
Cyber security risk management detections ................................................................ 28
Event Data Collection and Correlation .......................................................................................................... 29
External Technology Cyber Assessment Requirement ................................................................................... 29
Cyber security risk management event detection & process ........................................ 29
Cyber Event Detection Roles and Responsibilities ......................................................................................... 29
Cyber Incident Response ................................................................................................................................ 30
Cyber Incident Recovery................................................................................................................................. 31
Requirement for Cyber Incident Reporting and Cyber Incident Reporting Procedures .................................. 31
Vulnerability Analysis .................................................................................................................................... 32
Requirement for Vulnerability Mitigation and Documentation ..................................................................... 33
Incorporate Lessons Learned in Incident Response Plans .............................................................................. 33
Cyber security risk managemet Security Continuous monitoring .............................. 33
Monitoring for Unauthorized Logical and Physical Activities ........................................................................ 33
Requirement for Vulnerability Scanning ........................................................................................................ 34
Requirement for Malicious Code Detection (Anti Virus) ................................................................................ 34
Requirement for Network Monitoring ........................................................................................................... 35
Requirement for Personnel Activity Monitoring ............................................................................................ 35
Requirement for External Service Provider Activity Monitoring .................................................................... 36
Cyber security risk management Training and testing.................................................. 36

Awareness and Training ............................................................................................................................... 36

Requirement for Detection Process Testing ................................................................................................... 37
Requirement for Incident Response and Recovery Testing ........................................................................... 37

TERMS AND DEFINITIONS

TERM DEFINITION
BIMCO Baltic and International Maritime Council
CLIA Cruise Lines International Association
COTS Commercial Of The Shelf
CSF Cybersecurity Framework
CSO Chief Security Officer
DOA Delegation of Authority
DOC Documents of Compliance
CISO Designated Person Ashore
HSQE Health, Safety, Quality, and Environmental
IACS International Association of Classification Societies
ICS (1) International Chamber of Shipping
ICS (2) Industrial Control System
IMO International Maritime Organization
INTERCARGO The International Association of Dry Cargo Shipowners
INTERTANKO The International Association of Independent Tanker Owners
ISM International Safety Management
IUMI International Union of Marine Insurance
MOC Management of Change
MOCF Management of Change Form
MSC Maritime Safety Committee
NIST National Institute of Standards and Technology
OCIMF Oil Companies International Marine Forum
OT Operational Technology
POAM Plan of Actions and Milestones
SMC Safety Management Certificates

SMS Safety Management System

SOC Security Operations Center
USCG United States Coast Guard
TERM DEFINITION
BIMCO Baltic and International Maritime Council
CLIA Cruise Lines International Association
COTS Commercial Of The Shelf
CSF Cybersecurity Framework
CSO Chief Security Officer
DOA Delegation of Authority
DOC Documents of Compliance
CISO Designated Person Ashore
HSQE Health, Safety, Quality, and Environmental
IACS International Association of Classification Societies
ICS (1) International Chamber of Shipping
ICS (2) Industrial Control System
IMO International Maritime Organization
INTERCARGO The International Association of Dry Cargo Shipowners
INTERTANKO The International Association of Independent Tanker Owners
ISM International Safety Management
IUMI International Union of Marine Insurance
MOC Management of Change
MOCF Management of Change Form
MSC Maritime Safety Committee
NIST National Institute of Standards and Technology
OCIMF Oil Companies International Marine Forum
OT Operational Technology

POAM Plan of Actions and Milestones

SMC Safety Management Certificates
SMS Safety Management System
SOC Security Operations Center
USCG United States Coast Guard

CYBER SECURITY RISK MANAGEMENT INTRODUCTION

UPDATES TO SAFETY AND ENVIRONMENT PROTECTION POLICY
Synergy recognizes that the management of cybersecurity risks is as important as the
management of all other safety and environmental risks identified by the company.
This manual and supporting documents referenced here within shall be read,
understood, and used by the responsible parties defined within this document and
all crew members on board Synergy vessels.
Technical and procedural risk protection and control measures listed in this manual
are requirements for the safe operation of a vessel and protection of the
environment. Cybersecurity risk management (CRM) is managed from the Synergy
office where the Document of Compliance (DOC) resides. Each vessel shall have a
copy of this manual in support of the vessels’ Safety Management Certificates (SMC)
and the shoreside office’s DOC.
CYBER SECURITY OFFICE CHARTER
Cybersecurity responsibilities shall promote collaboration between IT personnel
(including 3rd parties) and the company's operational and technical shipboard
personnel.
CRM key personnel are defined as the office, Company information security officer,
Master, Chief Engineer, and Delegates
The Office

Accountable for CRM compliance and supports by providing resources and services,
as necessary.
Company information security officer
Responsible to manage the CRM program and supports shipboard personnel from
shore.
Master
Accountable for CRM on the vessel and leads shipboard personal on board.
Chief Engineer
Responsible to manage the CRM activities directly involving critical systems and
support shipboard personnel on board.
Delegates
Delegates may be appointed by the CISO, Master, or Chief Engineer to assume those
responsibilities listed under CISO, Master, or Chief Engineer in this manual.
Crew and 3rd Parties
Support CRM activities as listed in this manual under the direction of the Master or
Delegate.
JOB DESCRIPTION
The Office
i. Accountable for CRM compliance and supports by providing resources and
services
ii. Departmental support including Health, Safety, Quality, and Environmental
(HSQE), Information Technology, Facility and Vessel Security, Legal, Financial,
and Engineering or Project support
iii. Corporate programs including training, management of change, logistics,
procurement
CISO
i. Responsible to manage the CRM program
ii. Facilitates cybersecurity risk assessments
iii. Provides a link between company (shoreside) personnel and the shipboard
personnel
iv. Supports the recovery and restoration of vessel critical systems after a cyber
incident or hazards as effects of cyber incidents by ensuring shore-based
resources are available
v. Monitors the CRM program to ensure cyber risk mitigations effectively
manage safety and pollution-prevention goals
vi. Periodically reviews CRM and reports deficiencies to shore-based
management
vii. Monitors internal or external company-related CRM audits

Master
i. Accountable for CRM on the vessel
ii. Motivates the crew to observe the CRM policies and procedures
iii. Participates in cybersecurity risk assessments for the vessel’s critical systems
iv. Authorized to enforce vessel-specific CRM mitigations
v. Ensures cyber risk mitigations are given crew support to effectively manage
safety and pollution-prevention goals
vi. Directs cyber incident response activities
vii. Makes decisions on disconnecting, disabling, or dismantling of vessel critical
systems after a cyber incident to limit the hazardous effects
Chief Engineer
i. Responsible to manage the CRM activities directly involving critical systems
ii. Participate in cybersecurity risk assessments for the vessel’s critical systems
iii. Manage the technical and procedural security measures, mitigation and
remediation efforts, and cybersecurity technologies onboard the vessel
iv. Ensure backups of critical technologies exist onboard the vessel and in
onshore facilities
v. Lead in coordination of cyber incident response activities onboard the vessel
Delegates
i. Delegates may be appointed by the CISO, Master, or Chief Engineer to
assume those responsibilities listed under CISO, Master, or Chief Engineer in
this manual
ii. Delegate identities shall be posted in the CRM Contacts section of this
manual
iii. Authorities are in effect in the absence of the CISO, Master, or Chief
Engineer, or upon direct delegation of authority (DOA) by the CISO, Master,
or Chief Engineer
i. Complete basic cybersecurity awareness course
ii. Support CRM activities as listed in this manual under the direction of the
Master or Delegate

CYBER SECURITY RISK MANAGEMENT THEORY

SAFETY AND OPERATIONAL OBJECTIVES
Safety and operational objectives are listed in the table below in descending order of
priority from highest to lowest.
S No Objective Description
Maintain Recognize and manage cybersecurity‐effects on critical systems and
1 Personnel impacts to personnel safety.
Safety
Maintain Recognize and manage cybersecurity‐effects on critical systems and
2 Environmental impacts to environmental safety.
Safety
Maintain Recognize and manage cybersecurity‐effects on critical systems
3 Operational impacts operational safety and security.
Security
Recognize and manage cybersecurity‐effects on critical systems
Maintain
4 readiness that can impact operations including maintenance,
Preparedness
documentation and testing for safety and security.
Maintain Recognize and manage cybersecurity‐effects on critical systems that
5 Quality of can impact operational quality, maintenance, and systems
Service monitoring.
Meet HR Requirements- Recognize and manage cybersecurity‐effects
(security and privacy) on operational systems impacting security and
trust of personnel and their information.
Administrative Pass Required Audits/Inspections - Develop and implement systems
6
Functions and training of personnel to demonstrate readiness and execution of
established plans.
Obtain Timely Vessel Clearance - Assure cybersecurity dimension of
systems that can impact readiness and operational preparedness.
HIGH LEVEL CYBER RISKS

High-level cyber risks are considered the basis for determining the company’s
objectives for a CRM program. High-level risks can be views as problems to be solved
by the CRM program. This CRM manual describes resolutions for each of these
problems as high-level resiliency objectives.
 Cyber security Risk 1 – Personnel do not know what systems, assets, data and
capabilities (critical systems) to protect on vessels the sudden operational failure of
which will lead to hazardous safety situations.
 Cyber security Risk 2 – Personnel do not adequately protect critical systems on

vessels against cyber events which may lead to hazardous safety situations.
 Cyber security Risk 3 – Personnel are not able to detect cyber events on vessels in
order to respond in a timely manner which may lead to hazardous safety situations.
 Cyber security Risk 4 – Personnel do not have a response plan for critical systems on
vessels if impaired due to a cyber event which may lead to hazardous safety
situations.
 Cyber security Risk 5 – Personnel do not have the backups or images necessary for
the restoration of critical systems on vessels if impaired due to a cyber event which
may lead to hazardous safety situations.
SAFETY AND OPERATIONAL OBJECTIVES RELIANT ON CRITICAL TECHNOLOGIES

The highest priority objective is “Personnel Safety” while the highest impact system
is a “Category III”. This table can be used as a guide to prioritize all CRM activities
Preparedness
Operational
System
Administrative
Environmental
Effects
Quality of
Functions
Category
Security
Personnel
Service
Safety
Safety
Those systems, failure of which could immediately lead
III to dangerous situations for human safety, safety of the X X
vessel and/or threat to the environment.
Those systems, failure of which could eventually lead
II to dangerous situations for human safety, safety of the X X X
Those systems, failure of which will not lead to
I dangerous situations for human safety, safety of the X
RISK MANAGEMENT STRATEGY

2.4.1 CYBER RISK MANAGEMENT PROCESS
The structure for the CRM program includes Objective, Processes, and Controls in
three tiers as shown below.
 Tier 1: High-Level Resiliency Objective
 Tier 2: CRM Process
 Tier 3: CRM Control

2.4.2 HIGH-LEVEL RESILIENCY OBJECTIVE

 Identify – Define personnel roles/responsibilities for cybersecurity risk management
and identify systems, assets, data, and capabilities that, when disrupted, pose risks
to ship operations
 Protect – Implement risk control processes and measures, and contingency planning
to protect against a cyber event and ensure continuity of vessel operations
 Detect – Develop and implement activities necessary to detect a cyber event in a
timely manner
 Respond – Develop and implement activities and plans to provide resilience and
restore systems necessary for vessel operations or services impaired due to a cyber
event
 Recover – Identify measures to back up and restore cyber systems necessary for
vessel operations impacted by a cyber event
Prioritization of High-Level Resiliency Objectives

Resiliency objectives are to be applied in sequential order from Identify, first to
Recover, last and based on system priority from Category III, highest to Category I,
lowest.
2.4.3 CRM PROCESS

The figure below lists out each CRM process and representative icons used to match
the corresponding controls.

2.4.4 CRM CONTROL

System-specific CRM controls are applied to mitigate risks in technologies. These
system-specific controls map to risks and the identified critical systems in the risk
register. The controls listed in the table below are applied as needed to mitigate
cyber risks and will not be broadly applied to all vessel systems.
CRM Process CRM Control Mitigated
Vulnerabilities

Document Ref.
Revision No: 0 No. ISMS_Man_048 Version No.of2.0
Page 13 37
Identity User Name and Password Management Console Access Control

Management, Procedures
Authentication
References to Asset-Specific Physical Physical Security
and Access
Security Plan
Control
Remote Access Management Procedures Connection
Maintenance Support
Access Authorization Management Console Access Control
Procedures
Maintenance Support
Data Security Hard Drive Storage Capacity Management Product Support
Procedures
OS, Software, Firmware Patch Product Support
Management Procedures
Maintenance Management of Technologies Used for Maintenance Support
Maintenance and Repair Procedures
Remote Maintenance Approval and Connection
Tracking Management Procedures
Console Access Control
Maintenance Support
Removable Media (USB/CD/DVD) Connection
Protective Management Procedures Physical Security
Technology
Maintenance Support
Anomalies and Baseline of Network Operations and Connection

Events Expected Data flows
Network Monitoring Procedures Connection
Personnel Activity Monitoring Procedures Physical Security
Malicious Code Detection (Anti-Virus) Product Support
Procedures
Security
Continuous External Service Provider Activity Maintenance Support
Monitoring Monitoring Procedures
Monitoring for Unauthorized Logical and Physical Security
Physical Activities Procedures
Vulnerability Scanning Procedures Product Support
Document Ref.
Document Ref. No.
No. ISMS_Man_048
ISMS_Man_048 Version No.
Version No. 2.0
2.0
Revision No:
Revision No: 00 Page
Page14 of 37
4 of 37
CYBER SECURITY RISK MANAGEMENT RISK PROFILING

CRITICAL TECHNOLOGIES
Critical Information and Operational Technologies (IT/OT), “Critical Systems” are
those which could cause hazardous situations if they become unavailable or
unreliable.
Hazardous situations are those which result in safety or environmental impacts.
Critical systems may be listed at the functional level.
This CRM manual and the critical systems listed in this section shall apply to all
vessels within the scope of the SMS.
The table below lists are critical systems, data, and capabilities on the vessels.
Category Function System(s)
 Gyro Compass
 Auto Pilot
III Navigation  Radars
 ECDIS
 GPS
 AIS
III INMARSAT  BNWAS
 GMDSS
Hull Machinery and  Main Engine Control
III
Equipment  Steering Gear
III Safety System  Fire Detection System

 Voyage Data Recorder
II Cargo Transfer System  Cargo Control/Self Unloading System
 Echo Sounder
II Alarm and Monitoring  Speed Log
 Alarm Management System
I Maritime Satellite  VSAT
I Administrative  Admin Network
POSSIBLE VULNERABILITIES
Cyber vulnerabilities occur in technologies due to pre-existing conditions in
configurations and the operating environment. The risk assessment process focuses
on levels of possibilities of exploitability by threats. Some possible vulnerabilities are:
Connection VLN Wide area network and possible internet access
Document
Document Ref.
Ref. No.
No. ISMS_Man_048
ISMS_Man_048 Version
Version No.
No. 2.0
2.0
Revision
Revision No:
No: 00 Page15
Page 4 of
of 37
37
Local area network without access to other

Complex networks
Serial connectivity only and no internet protocol
Simple (ip) routing
Isolated or air gapped system with no
Discrete interconnections
Equipment has added security, i.e., in a locked
High cabinet
Physical Security
Low Equipment is not locked
Administrative access is configured, and PW
Console Access protected (also applies to systems without
High
Control consoles
System has accounts, but configuration is not
Low restricted
System can be modified by anyone with physical
None access to the console
A vendor or IT staff is required to modify or
Maintenance Support Required reconfigure the system
Crew maintains and reconfigures systems without
None assistance
System components are out of product lifecycle
Product Support End of Life and security update support
System components are current, i.e., operating
Supported systems are supported by oems
CYBER RISK TOLERANCE

Cyber risk tolerance determination is based on impacts to cyber-enabled vessel
systems and those systems’ exposures to cyber-attacks. Cyber risk is determined
following the company’s cyber risk assessment procedure.
Once the cyber risk assessment has been conducted, residual risks are determined
based on the CRM procedures applied to each cyber-enabled vessel system to
mitigate risks. The company makes the determination to accept or apply further
mitigations based on residual risk scoring.
Document Ref.
Document Ref. No.
No. ISMS_Man_048
Version No. 2.0
2.0
Revision No:
Page16 of 37
4 of 37
3.3.1 COMPANY'S CYBER RISK TOLERANCE MATRIX

A risk rating matrix has been created to model the risk acceptance process. Risk
ratings are based on Likelihood of a cyber event occurring correlated to the
Consequence if that event occurs. Risk acceptance rules are as follows:
1. Cyber risk scores of “None” or “Low” are automatically considered
acceptable risks.
2. Cyber risk scores of “Medium” or “High” require management sign-off on the
decision to accept these risks.
3. A cyber risk score of “Critical” is not acceptable at any time.
Consequence Consequence Description

 System: Will immediately lead to dangerous situations
Major
 Impacts Category III systems
 System: Will eventually lead to dangerous situations
Moderate
 Impacts Category II systems
 System: Will not lead to dangerous situations

Minor
 Impacts only Category I systems

Likelihood Likelihood Description
Without control absence of mitigations to cyber higher risks without

exposures additional
mitigations.
With implementation of cyber lead to lower risks
resiliency
Likely • Connection (VLN)
• Physical Security (Low)
• Console Access Control (None)
• Maintenance Support (None)
• Product Support (End of Life)
Possible • Connection (Complex)
With Control
 Console Access Control (Low)
Unlikely • Connection (Simple or
Discrete)
• Physical Security (High)
• Console Access Control (High)
• Maintenance Support
(Required)
• Product Support (Supported)
VESSEL’S RISK PROFILING

Each vessel shall carry out ship specific risk assessment on all critical systems and
cyber enabled vessel technologies. Separate risk assessments shall be prepared for
IT/ OT systems. OT systems must have cyber risk register form ISMS_Tem_020 and IT
system risk assessment as per ISMS_ Man_044
These cyber risk register & assessments must be kept up to date. They shall be
reviewed and updated under following circumstances, which ever come first:
 After installation of new IT or OT system
 Any change in the network map (connectivity of system with one another)
 At least once every year
After review, updated risk register must be sent to office for verification by IT team.
Vessel must retain updated Risk register and approval letter from office with ISMS
manual for reference and audit purpose.

CYBER SECURITY RISK MANAGEMENT VESSEL SPECIFIC DOCUMENTATION

HARDWARE AND SOFTWARE INVENTORY
Inventories are to be maintained for all Hardware and Software provided by external
vendor, supplier or 3rd party.
These inventories shall also include those of packaged navigation or control system.
That means if multiple hardware & software forming part of one system, then
inventory of each part has to be maintained. Eg: ECDIS
Each vessel is responsible to maintain its IT / OT equipment software inventory
onboard using company form ISMS_Tem_021. This inventory shall always remain
updated.
Similarly, hardware inventory of IT & OT system is also needed. Inventory of OT
equipment can be carried in company form ISMS_Tem_020
Its updating is required whenever
 After installation of new IT or OT system
 After removal of old IT or OT system
Along with this inventory a change tracker sheet ISMS_Tem_019 to be maintained to
keep record of each change that has been carried out in hardware or software of
critical systems.
These inventories and change tracker sheet shall be kept in ISMS manual for quick
reference.
Vessels can retrieve the updated inventory of hardware and software of systems
that are connected to vessel internet LAN through ‘spectrum’(only for vessels that
have infinity).
Details of identified OT equipment that are not connected to vessel internet LAN
must be entered manually in spectrum to retrieve the completed inventory.
In lieu of previous requirement, vessel can maintain complete inventory by
maintaining both ‘spectrum’ generated and manually developed inventories for OT
equipment not connected to LAN in form ISMS_Tem_020.
NETWORK DRAWING REQUIREMENT

Network boundaries are described by drawing interconnectivity (data flow maps) as
required for operations. Network drawings shall include all critical systems onboard,
shoreside, and including those managed by third parties
Network drawings of critical systems on each vessel shall be provided to that vessel.
Company IT department is responsible for development, upgradation, and supply of
Network drawings to vessel.

Network drawing need upgradation with

 Changes in inventory of IT / OT equipment
 Changes in connectivity or network arrangements between various critical
equipment
CYBER SECURITY RISK MANAGEMENT PROCESS

MANAGEMENT OF CHANGES
Following changes shall only be carried out through management of change process.
 Authorization for critical system software installations, removals, changes,
and updates
 Proposed OT/IT network reviewed for cyber vulnerabilities in data flows
 Changes in connections of critical systems to other systems to avoid cyber
vulnerabilities
 Integrity checks are completed on critical systems to ensure “known-good
state” after changes are made to include software patching
 Critical system backups are updated after changes occur
 Granting access to systems
Each requested change shall be processed through Cyber MOC form ISMS_Tem_016.
After every change tracker sheet ISMS_Tem_019 shall be updated to keep records
for that change.
All newly commissioned critical systems shall have secure configurations. Chief
Engineers or delegates shall review critical systems upon commissioning to ensure
the following configurations are implemented depending on technology type.
Secure Configuration Device Type (s)
Configuration Benchmark for Operating System Generic computer or server
Configuration Benchmark for Web browser Generic computer or server
Configuration Benchmark for Database Database
Hardware Certification (UL, CSA, ABS-Type) Proprietary devices specially built by
suppliers
Upon the discovery of improperly configured critical systems, the Chief Engineer or
delegate shall develop a plan to mitigate cyber risks or reconfigure systems to meet
the minimum baselines.

REQUIREMENT FOR VULNERABILITY MANAGEMENT PLAN

All critical systems shall have continuous vulnerability management. Vulnerability
management refers to:
1. The discovery or identification of vulnerabilities including:
 missing integrity or security related operating system, firmware, or software
updates
 cyber concerns in critical system designs of data flows maps
2. Analysis of each vulnerability for cyber events or risks
3. Mitigating vulnerabilities in accordance with the Cyber risk management
processes defined in this manual
FAIL SAFE FOR CRITICAL SYSTEMS
All critical systems shall be designed to be failsafe. They shall have proper power and
software backup to avoid failure as result of sudden disconnection or deactivation.
This configuration requirement applies to all critical systems and shall be configured
“as-built” during original system commissioning
CYBER SECURITY RISK MANAGEMET ACCESS CONTROL
MANAGEMENT OF PHYSICAL ACCESS TO ASSETS
Physical access shall be managed to all critical systems when in port or at sea. No
unauthorized person shall be allowed access to those systems. Below mention
controls are not required for all vessel systems.
Following good practices shall be followed:
 Vulnerable components shall be located behind locked door or cabinets
 Keys of these locked doors and cabinets are only managed by SSO and shall
be part of key register
 Sign in sheets must be used to track access to high-security areas
Vessel shall list systems that require physical access control based on the risk register
worksheet.
Some examples of critical system that require restriction for physical access to assets
FASCIMILE BNWAS MSBD Steering Gear Fire Detection System
NAVTEX FB 500 Bridge Manoeuvring Auxiliary Boiler Emergency Shutdown

SSAS GMDSS M/E Control System Composite Smart Ship
Boiler
Document Ref.
Document Ref. No.
No. ISMS_Man_048
Version No. 2.0
2.0
Revision No:
Page22 of 37
4 of 37
FBB 250 Alarm & G/E Control System Cargo &

Monitoring Ballast Control
System
USERNAME AND PASSWORD MANAGEMENT

Refer to Password Management Policy ISMS-Man_028.
Account credentials such as usernames and passwords shall be managed to prevent
unauthorized access to critical systems that have this control identified in the risk
register.
This control is applicable to all vessel systems that have password protection feature.
Following are the controls that shall be incorporated for applicable vessel systems.
 Change Default passwords to unique passwords
 Administrator privileges are only used for authorized maintenance or repair
of critical systems
 For critical systems that are required to be logged continuously, the logged in
accounts only have the access required for the safe operation of the vessel
 Passwords are not posted in clear text on or near monitors, keyboards, or
components of critical systems
 Shore IT team in liaison with Master/ Chief Engineer shall manage user
profiles and passwords in the vessel’s network.
 Default passwords (usually provided by manufacturer) shall be changed
to Ship specific ones
Some examples of critical system that require username and password
Gyro Anemometer SSAS MSBD Radar
ECDIS FBB Bridge NAVTEX
Autopilot
250 Manoeuvring
Voyage Data DGPS BNWAS M/E Control Alarm & Monitoring
Recorder System System
AIS FB 500 G/E Control Auxiliary Boiler
Echo sounder
System
Speed Log FASCIMILE GMDSS Steering Gear


ACCESS AUTHORIZATION
Access to critical systems that have this control identified in the risk register must be
authorized by the Master, Chief Engineer or delegate(s).
ISMS_Tem_016 shall be utilized for granting access.
This access authorization is required for granting console access control and
maintenance support risks in the identified critical systems. Access authorization
controls in this section are not required for all vessel systems
Following authorization method can be utilized:
 Engineer or Administrator - Credentials are granted to engineers or
administrators of critical systems by the Chief Engineer or delegate
- Permissions: Full control and modification of critical systems to include
program and reconfiguration
 Maintenance - Credentials are granted to technical support personnel by the
Chief Engineer or delegate for basic troubleshooting
- Control over desktop environment and applications files which allow for
reboots or service restarts. Does not allow for reprogram orreconfiguration
 Operator - Credentials are granted based on system access need or out login is
enabled
- User interaction with the critical system to allow for view and control of the
process or operations supported by the technology
Contractor Laptops/Devices
 Contractor to update their antivirus and perform a full scan of their laptop
 Contractor to confirm that laptop is malware free
 Disable Bluetooth and Wifi on contractor equipment
 Contractor to Confirm full anti-virus scan was conducted using latest updated software
 Chief engineer to verify and authorize before connection of contractor’s laptop/device
to any of vessel’s IT/OT systems
 Isolate contractor’s laptop from external networks until work is connected and laptop
disconnected form vessel’s IT/OT system.

Some examples of critical system that require access authorization

Echo Bridge
Gyro ECDIS NAVTEX FB 500
sounder Maneuvering
DGPS
Autopilot Speed Log SSAS GMDSS M/E Control System
Alarm &
Voyage Data FBB
Radar AIS Monitoring G/E Control System
Recorder 250
System
MSBD Steering Gear
Echo sounder Anemometer FASCIMILE BNWAS
Auxiliary Boiler
REMOTE ACCESS MANAGEMENT

Remote access to critical systems shall be managed to prevent unauthorized remote
view, control, or maintenance activities.
Remote access controls listed in this section are not required for all vessel systems.
Office IT staff is responsible for establishing the control measures mention below:
Boundary Protection Solution –
Remote Access Security - Network logical boundaries between critical system
networks and 3rd parties
Some examples of critical system that require access authorization if remote access
is possible:
Gyro Anemometer SSAS MSBD Composite

Boiler
Autopilot ECDIS FBB 250 Bridge Maneuvering Cargo &
Ballast Control
Voyage Data DGPS BNWAS M/E Control System Fire Detection
Recorder System
Echo sounder AIS FB 500 G/E Control System Emergency
Shutdown
Speed Log FASCIMILE GMDSS Steering Gear Smart Ship
Radar NAVTEX Alarm & Auxiliary Boiler
Monitoring
System

REMOVABLE MEDIA (USB/CD/DVD) MANAGEMENT

Only authorized memory disk that are already approved by office IT department must
be used in vessel system. Master to ensure that a minimum 4 authorized formatted
virus free memory disk are maintained onboard -for Master, C/E, VDR, ECDIS.
Use of any other memory device is prohibited except when
 It is provided by manufacturer of system and not been tempered or
formatted
 If technician visiting the vessel has a valid business justification.
Any use of memory devices on ship system other than authorized memory disk shall
be permitted with MOC process only using form ISMS_Tem_016.
Following precautions shall be adopted by ship staff to safeguard the risk
i. USB port blockers are installed on all exposed USB ports
ii. Prior using any memory device of visitor:
iii. Scan the device for malware or viruses using a dedicated computer
iv. Tag or label the device with the date scanned
v. Rescan the device upon the visitor’s exiting the vessel and inspect for
unauthorized files
Gangway Control of USB by visitor
Person on gangway shall stop and question each person upon boarding the vessel to
ensure no unauthorized USB or digital storage devices are brought on board.
 Upon the discovery of unauthorized USB or digital storage devices, the
person on watch shall confiscate the device for the duration of the person’s
stay on board.
 USB brought by technician for valid business justification shall be allowed by
recording the device detail & purpose in visitor log.
Use of Personal Devices
No personal use device can be connected to ship’s business LAN/Wi-Fi unless

authorized by the IT team.
Personnel shall ensure that their devices are updated, and anti-virus protected before
connecting to crew Wi-Fi network
Do not connect personal equipment of devices from unknown, unauthorized sources.

REMOTE MAINTENANCE APPROVAL AND TRACKING MANAGEMENT

Management of maintenance and repair technologies shall occur on critical systems.
Remote maintenance approval and tracking controls listed in this section are
required for only those systems for which remote tracking is possible.
Precautions that shall be followed while granting remote access for maintenance
are:
 All remote connections remain disabled until requested to be enabled
 Approval to activate remote maintenance must be granted by Chief Engineer
or delegate
 Personnel accessing critical systems remotely for maintenance must notify
the Chief Engineer as soon as maintenance is completed
 Remote maintenance will be disabled automatically after 1 hour
 Management of change form ISMS_Tem_016 shall be used to track all
remote maintenance activities
Some examples of critical systems that can be maintained remotely provided
systems are designed to do so
Gyro Radar NAVTEX Alarm & Auxiliary Boiler
MonitoringSystem
Autopilot Anemometer SSAS MSBD Composite Boiler
Voyage ECDIS FB Bridge Maneuvering Cargo & Ballast Control

Data B
Recorder 25
0
Echo DGPS BNWAS M/E Control System Fire Detection System
sounde
r
Speed Log AIS FB 500 G/E Control System Emergency Shutdown
Gyro FASCIMILE GMDSS Steering Gear Smart Ship

CYBER SECURITY RISK MANAGEMET DATA SECURITY

REQUIREMENT FOR OS, SOFTWARE, FIRMWARE PATCH MANAGEMENT
OS, software, and firmware patches may be applied basis identification of this
control measure in risk register.
Check for updates or patches and threat bulletins applicable to the following:
 Operating systems and firmware listed in the critical system hardware
inventories
 Software and applications listed in the critical system software inventories
Vessel shall identify critical systems from risk register with unacceptable risk that
require patch management.
REQUIREMENT FOR HARD DRIVE STORAGE CAPACITY MANAGEMENT

Hard drive storage capacity shall be managed on critical systems that have this
control identified in the risk register. Hard drive storage controls listed in this section
are applicable for equipment for which hard disk space can be viewed.
Following shall be implemented
 Periodically check critical system hard drive capacity for free space
 Periodically run hard drive “cleanup” and “defragmentation”
 Where possible configure critical systems to locally notify users prior reaching
storage capacity
BACK UP OF CRITICAL TECHNOLOGIES
System backups allow for the effective and efficient restoration of critical systems
All critical systems shall have current system, program, and hard drive backups that
can be used to restore vessel operations impacted by a cyber incident.
Chief Engineers or delegates shall review critical systems at six-month interval to
ensure the following:
 System, program, and hard drive backups exist for all critical systems
 Critical system backups that are over 12 months old are tested to ensure
functionality
 Critical system backups exist on board the vessel and on shore in the office or
3rd party support office
Please refer to ISMS manual chapter ISMS_Man_009 for detailed policy on back up
and restoring.

CYBER SECURITY RISK MANAGEMET DETECTIONS

ANOMALIES AND EVENTS
BASELINE OF NETWORK OPERATIONS AND EXPECTED DATA FLOWS (SYSTEM
SPECIFIC)
Establishing a baseline of network operations and expected dataflows for the
purpose to detect anomalies shall occur on critical systems that has this control
measure in risk register.
Baselines of network operations and expected data flows listed in this section are
not required for all vessel systems and have been implemented to mitigate
connection risks in the identified critical systems
Baselines for detection of cyber event are:
 Ensure engineering manuals, system design documents, or network drawings
accurately describe system connectivity to be used as baselines.
 Ensure baselines for network operations and expected data flows are
available to those responsible for detecting, managing, and coordinating
cyber incident response activities
Some examples of the critical systems for which these guidelines apply are
Voyage Data ECDIS SSAS Alarm & Steering Gear Emergency
Recorder Monitoring Shutdown
System
Echo sounder DGPS FBB 250 MSBD Auxiliary Smart Ship
Boiler
Speed Log AIS BNWAS Bridge Composite
Maneuvering Boiler
Radar FASCIMILE FB 500 M/E Control Cargo &
System Ballast
Control
Anemometer NAVTEX GMDSS G/E Control Fire
System Detection
System
REQUIREMENT FOR AUDIT AND EVENT LOG MANAGEMENT

Audit and event logs shall be configured and enabled on all critical systems where
capabilities exist.
Configuration required shall include:
i. security logging is enabled
ii. security logging captures both successful and failed access attempts
iii. security logs overwrite only when logs are full
iv. systems notify users prior reaching storage capacity
v. systems notify users in the event of logging failures
Vessel shall identify critical systems that will require collections and review of audits
and event logs.
EVENT DATA COLLECTION AND CORRELATION
All audit and event log data shall be reviewed at every 6 months for the discovery of
information in critical system logs indicating a possible compromise or cyber event.
Personnel responsible for cyber incident detection shall be allowed to utilize
automated methods for detecting cyber events on critical systems when technically
feasible to configure or implement.
While using Cyber incident detection tools, passive monitoring tools shall –
i. Not require reconfiguration or changes to critical systems
ii. Be installed to passively monitor critical system data transferred on networks
iii. Notify the Chief Engineer or delegate of suspected cyber event activities
occur
EXTERNAL TECHNOLOGY CYBER ASSESSMENT REQUIREMENT
All critical systems provided by external vendors, suppliers, or 3 rd parties, to include
those of packaged navigation or control systems shall be assessed using audits, test
results, or other forms of evaluations to confirm they are meeting their contractual
obligations
CYBER SECURITY RISK MANAGEMET EVENT DETECTION & PROCESS
CYBER EVENT DETECTION ROLES AND RESPONSIBILITIES
In critical systems, it might be difficult to distinguish the difference between the
general system noise or failure and an actual cyber event.
In order to manage cyber event detection in a practical way, all crew and vessel
personnel shall use best judgement and report suspected cyber events to the Chief
Engineer or delegate in the same manner that an unexpected system condition
would be reported.
The following roles have been established as having dedicated cyber event detection
responsibilities.
Chief Engineer
 Lead in coordination of cyber incident response activities onboard the vessel
Master
 Directs cyber incident response activities
 Makes decisions on disconnecting, disabling, or dismantling of vessel critical

systems after a cyber incident to limit the hazardous effects
CISO
 Provides a link between company (shoreside) personnel and the shipboard
personnel
 Supports the recovery and restoration of vessel critical systems after a cyber
incident or hazards as effects of cyber incidents by ensuring shore-based
resources are available
 Report suspected cyber events to the Chief Engineer or delegate
 Support cyber incident response activities as directed by the Master or Chiefs
 ISSC (Information Security Steering committee)
 located off vessel and supports the remote detection of cyber incidents
CYBER INCIDENT RESPONSE
All cyber events shall be reported to the Chief Engineer or delegate and treated as
cyber incidents until analysis and the determination can be made.
Cyber event distinctions:
 The Chief Engineer is the cyber incident response lead and coordinator on
board the vessel
 The Master is the decision-making authority on board the vessel for matters
that require immediate disconnections, disabling, or dismantling of critical
systems
 A cyber event is any observable computer-related unexpected occurrence in
a critical system.
 A cyber incident is a computer-related loss of availability or functionality or
the imminent threat of losses of critical systems that results in a safety or
environmental impact.
Cyber incident response planning is as follows:
 Key stakeholders shall refer to cyber incident response workflows for
handling cyber events on critical systems.
 All personnel will report all cyber events to the Chief Engineer or delegate as
soon as discovered.
 Cyber incidents that are automatically discovered using incident detection
technologies will be routed through the same workflow as manually detected
cyber events.
 Cyber incident response workflow includes preparation, detection and
analysis, containment, eradication, and recovery guidelines as shown
below.
Figure 1 Cyber Incident Response Workflow

CYBER INCIDENT RECOVERY
Cyber incident recovery shall be conducted in order of priority from Category III,
first, Category II, second, and Category I systems only after all Category III/II systems
have been restored.
REQUIREMENT FOR CYBER INCIDENT REPORTING AND CYBER INCIDENT
REPORTING PROCEDURES
The Chief Engineer or delegate shall handle all cyber incidents in accordance with the
Cyber Incident Response procedure in the Protect section of this manual.
Backup and recovery procedures that are used for maintenance and repair of critical
systems shall be used to recover critical systems. Restoration priorities should occur
if multiple systems are impacted. Prioritization is based on the system criticality (Cat
III first and Cat I last) and considering the order of the high-level objectives shown
below:
1. Maintain Personnel Safety
2. Maintain Environmental Safety
3. Maintain Operational Security
4. Maintain Preparedness
5. Maintain Quality of Service
6. Administrative Functions
The cyber incident reporting form included in ISMS_Tem_015 should be readily
available and used to track cyber incidents. The cyber incident communication plan
is as follows:
1. Cyber event is detected and reported to the Chief Engineer or delegate
2. Chief Engineer determines the level of assistance required to handle the
cyber incident
3. Chief Engineer begins the containment process with available crew
4. Chief Engineer notifies the Master as soon as a critical system is impacted

5. Master has immediate authority to disconnect or allocate crew resources as
needed
6. Chief Engineer and Master Coordinate with Shoreside personnel through the
CISO and dedicated ISSC
7. CISO ensures that additional IT, 3rd Party, Executive, or “Office” support is
available as needed for containment, eradication, and recovery
8. CISO Keeps DPA Updated
9. Chief Engineer continues to lead containment, eradication, and recovery processes
10. Master leads vessel operations throughout containment, eradication, and
recovery to ensure all hands follow the Chief Engineer’s directions as needed.
11. Chief Engineer and Master inform Crew and CISO when recovery is complete.
12. CISO communicates shoreside with IT, 3rd Party, Executive, or “Office”
personnel when recovery is complete.
VULNERABILITY ANALYSIS
All vulnerabilities discovered on critical systems either by manual or automated
means shall be analyzed for possible cyber events
If an active event is determined, the cyber event shall be immediately reported to
the Chief Engineer or delegate. Leave it to the Chief Engineer to decide whether to
handle as an incident or not.
Once determined as not a cyber event, each vulnerability shall be assessed for risk.
The risk assessment process in this manual shall be used to make a risk acceptance
determination. The model below explains the vulnerability risk acceptance levels.
REQUIREMENT FOR VULNERABILITY MITIGATION AND DOCUMENTATION

All vulnerabilities in critical systems shall be mitigated following the relevant Cyber
risk management processes outlined in this manual. All vulnerabilities shall be
documented using the management of change form.
For automated vulnerability discoveries, the scan reports taken before and after the
mitigations shall suffice as documentation. Complete the management of changes
form for vulnerabilities discover through automated means and reference the before
and after scans as records
INCORPORATE LESSONS LEARNED IN INCIDENT RESPONSE PLANS

All cyber incidents shall be documented using the cyber incident reporting form
included in ISMS_Tem_0215 Each cyber incident report shall be maintained for
record and lessons learned purposes.
Reviews of the lessons learned reports shall occur prior to periodic cyber incident
tests for possible updates to the cyber incident response plan. Possible
improvements include:
 The addition of cyber incident detection technologies
 Changes made to the cyber incident response communication plan
 Addition of steps required for recurrence prevention
 Additional instructions provided by shoreside, CISO, IT, Executive
management, or 3rd parties
CYBER SECURITY RISK MANAGEMENT SECURITY CONTINUOUS MONITORING
MONITORING FOR UNAUTHORIZED LOGICAL AND PHYSICAL ACTIVITIES
Personnel activity monitoring shall occur in the proximity of critical systems that
have this control identified in the risk register.
Monitoring for unauthorized logical and physical activities controls listed in this
section are required for vessels where these systems are fitted.
Physical Security monitoring shall include:
 CCTV installed in area with critical system
 CCTV shall be actively monitored by person on watch for unauthorized
activities
Critical system where physical monitoring may take place
FASCIMILE FB 500 Bridge Maneuvering Composite Boiler
Cargo & Ballast

NAVTEX GMDSS M/E Control System
Control

Alarm & Monitoring Fire Detection

SSAS G/E Control System
System System
Emergency
FBB 250 MSBD Steering Gear
Shutdown
BNWAS FB 500 Auxiliary Boiler Smart Ship
REQUIREMENT FOR VULNERABILITY SCANNING

Vulnerability scanning shall occur on critical systems that have this control identified
in the risk register.
Vulnerability scanning controls listed in this section are not required for all vessel
systems
Vulnerability scans shall cover
 Check for updates or patches and threat bulletins applicable to the following:
- Operating systems and firmware listed in the critical system hardware
inventories
- Software and applications listed in the critical system software inventories
 Analyze all vulnerabilities discovered by automated scans for cyber events
and risks
 Document all vulnerabilities using management of change form
ISMS_Tem_016 and attach scan reports to along with management of change
records
REQUIREMENT FOR MALICIOUS CODE DETECTION (ANTI VIRUS)
Malicious code detection or antivirus software shall be installed on critical systems
that have this control identified in the risk register. Anti-virus controls listed are not
required for all vessel systems.
While using anti-virus system following shall be adhered
 AV Signatures are updated weekly
 AV is configured to scan CD/DVD/USB when inserted or connected
 Scan all media including compact disks, digital video disks, USB devices on
dedicated anti-virus scanning computer prior to connecting to the critical
system

REQUIREMENT FOR NETWORK MONITORING
Network monitoring shall occur on the connections for critical systems that have this
control identified in the risk register. Network monitoring controls listed in this
section are not required for all vessel systems.
Network Firewall –
 Monitor all network logical boundaries between critical systems
Intrusion Detection –
 Monitor network logical boundaries between critical systems and admin,
moral, or business networks
Some examples of the critical systems where control measures apply are
Voyage Data ECDIS SSAS Alarm & Steering Gear Emergency
Recorder Monitoring Shutdown
System
Echo sounder DGPS FBB 250 MSBD Auxiliary Boiler Smart Ship
Speed Log AIS BNWAS Bridge Composite
Maneuvering Boiler
Radar FASCIMILE FB 500 M/E Control Cargo &
System Ballast Control
Anemometer NAVTEX GMDSS G/E Control Fire Detection
System System
REQUIREMENT FOR PERSONNEL ACTIVITY MONITORING

Personnel activity monitoring shall occur in the proximity of critical systems that
have this control identified in the risk register. Personnel activity monitoring controls
listed in this section are not required for all vessel systems.
Method of personnel activity monitoring
 Complete management of change form ISMS_Tem_016 for all visiting
personnel to list out reason for visit
 Brief visiting personnel upon entering the critical system space
 Escort visiting personnel in areas with critical systems
 Observe personnel activities to ensure only relevant maintenance or
operational guidelines are being followed
 Notify the Chief Engineer of cyber event immediately if unauthorized
activities occur
Some examples of the critical systems where control measures apply are
FASCIMILE BNWAS MSBD Steering Gear Fire Detection
System
NAVTEX FB 500 Bridge Auxiliary Boiler Emergency
Maneuvering Shutdown
SSAS GMDSS M/E Control Composite Boiler Smart Ship
System
FBB 250 Alarm & G/E Control Cargo & Ballast
Monitoring System Control
System
REQUIREMENT FOR EXTERNAL SERVICE PROVIDER ACTIVITY MONITORING

External service provider activity monitoring shall occur in the proximity of critical
systems that have this control identified in the risk register. External service provider
activity monitoring as listed in this section is not required for all vessel systems
External Service Provider Activity -
 Monitor all remote maintenance and remote access connections.
 Notify Chief engineer of a cyber event immediately if unauthorized remote
connections are made
CYBER SECURITY RISK MANAGEMENT TRAINING AND TESTING
AWARENESS AND TRAINING
Training of Ship staff
Vessel staff shall undergo regular Cyber security trainings:
 Every quarter as per SF 19C
 Seably Module and online platforms
 Cyber security Video, PPT & Questionnaire hosted on company share point
 Drills conducted from office.
After each training, records shall be maintained in form ISMS_Temp_017.
CRM familiarization
All senior officers joining vessel will be briefed on CRM measures every time during
their pre joining familiarization
Training of Office staff
Awareness sessions on CRM activities are conducted every 6 months with office
staff.
In addition, all the new joiners are briefed by IT department on cyber security
measures.
REQUIREMENT FOR DETECTION PROCESS TESTING

All methods used for cyber event detection shall be tested every quarter. These
periodic tests may occur in line with cyber incident and emergency response testing
as applicable. The objective of the cyber event detection test is to ensure that
procedures and tools that are used for cyber event detection are functioning as
intended and readily available when needed
REQUIREMENT FOR INCIDENT RESPONSE AND RECOVERY TESTING
Personnel shall conduct and track periodic scenario-based tabletop or structured
walkthrough tests of the cyber incident workflows to identify procedures in need of
improvement.
External technology Providers including external vendors, suppliers, or 3 rd parties
who provide ongoing support for packaged navigation or control systems shall be
included in incident response and recovery testing.
Upon the discovery of missing or non-tested backups, the Chief Engineer or delegate
shall build or test backups for critical systems.

Appendix – Cyber Risk Management Ship
RESTRICTED
Specific Documents
Attach following updated ship specific documents in this appendix for recordkeeping
1. IT/ OT inventories
2. IT/OT Change tracker sheet
3. Risk Register along with approval
4. CRM MOC form
5. CRM training records
6. CRM incident reporting
7. CRM periodic testing records
Document Ref. No. Appendix 01 Version No. 2.0


Isms CRM Manual

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Isms CRM Manual

Uploaded by

Copyright:

Available Formats

ISMS & CRM MANUAL

ISMS & CRM MANUAL

Synergy Maritime Private Limited

Head of Ship Management Team

This publication is the property of Synergy Group. No part of this publication is to be

Master List of Documents

Document Ref. No. ISMS_Man_001 Version No.2.2

AUTHOR MR. KARTHIKEYAN N

Version Revision Issue Date Changes

1.0 0 25th Feb, 2015 Initial

Document Ref. No. ISMS_Man_001 Version No.2.2

Master List of Documents

1 ISMS_Man_001 Master List of Document 2.2 18th Dec 2020 Restricted

2 ISMS_Man_002 ISMS Manual 2.2 18th Dec 2020 Restricted

4 ISMS_Man_004 Statement of Applicability 2.1 23rd Dec 2019 Restricted

6 ISMS_Man_006 AntiVirus Policy 2.0 30th Sep 2019 Restricted

7 ISMS_Man_007 Application Security Policy 2.0 30th Sep 2019 Restricted

8 ISMS_Man_008 Asset Management Policy 2.0 30th Sep 2019 Restricted

10 ISMS_Man_010 Capacity Management Policy 2.0 30th Sep 2019 Restricted

11 ISMS_Man_011 Clean Desk Policy 2.0 30th Sep 2019 Restricted

12 ISMS_Man_012 Cryptographic Controls Policy 2.0 30th Sep 2019 Restricted

14 ISMS_Man_014 E-Mail Security Policy 2.0 30th Sep 2019 Restricted

Document Ref. No. ISMS_Man_001 Version No.2.2

15 ISMS_Man_015 Firewall Security Policy 2.0 30th Sep 2019 Restricted

16 ISMS_Man_016 License Management Policy 2.0 30th Sep 2019 Restricted

17 ISMS_Man_017 Change Management Policy 2.0 30th Sep 2019 Restricted

18 ISMS_Man_018 Asset Disposal Process 2.0 30th Sep 2019 Restricted

19 ISMS_Man_019 Incident Management Policy 2.0 30th Sep 2019 Restricted

20 ISMS_Man_020 Incident Response Plan 2.0 30th Sep 2019 Restricted

21 ISMS_Man_021 Information Classification Policy 2.0 30th Sep 2019 Restricted

23 ISMS_Man_023 Internet Usage Policy 2.0 30th Sep 2019 Restricted

26 ISMS_Man_026 Mobile computing Policy 2.0 30th Sep 2019 Restricted

28 ISMS_Man_028 Password Management Policy 2.0 30th Sep 2019 Restricted

30 ISMS_Man_030 Punitive Actions Policy 2.0 30th Sep 2019 Restricted

Document Ref. No. ISMS_Man_001 Version No.2.2

31 ISMS_Man_031 Server Security Policy 2.0 30th Sep 2019 Restricted

33 ISMS_Man_033 Tele working Policy 2.0 30th Sep 2019 Restricted

35 ISMS_Man_035 Vendor Management Policy 2.0 30th Sep 2019 Restricted

37 ISMS_Man_037 ISMS Control of Records 2.0 30th Sep 2019 Restricted

41 ISMS_Man_041 Risk Assessment Methodology 1.1 18th Dec 2020 Restricted

43 ISMS_Man_043 Communication Matrix 2.1 23rd Dec 2019 Restricted

44 ISMS_Man_044 Risk Document 2.1 17th Dec 2019 Restricted

45 ISMS_Man_045 Objective Planning 2.0 30th Sep 2019 Restricted

46 ISMS_SOP_001 Change Management Procedure 2.0 30th Sep 2019 Restricted

Document Ref. No. ISMS_Man_001 Version No.2.2

50 ISMS_Man_046 E - Waste Management Policy 1.0 23rd Dec 2019 Restricted

51 ISMS_Man_047 IT Asset Configuration 1.0 23rd Dec 2019 Restricted

Cyber security Risk Management Manual for the Safety

Document Ref. No. ISMS_Man_001 Version No.2.2

Document Ref. No. ISMS_Man_002 Version No. 2.2

Revision No: 2 Page 1 of 44

AUTHOR MR. KANNAN

Version Revision Issue Date Changes

1.0 0 24th Feb, 2015 Initial

Whole manual content reviewed and

2.1 1 23rd Dec 2019 Changes done A10.1.2

Added CRM Manual reference and IMO

Changes Made to CRM Manual with

Document Ref. No. ISMS_Man_002 Version No. 2.2

Revision No: 2 Page 2 of 44

1.0 SCOPE ....................................................................................................................................................... 8

Document Ref. No. ISMS_Man_002 Version No. 2.2