
AHP Learning Works Pvt Ltd

Infosec Manual

Disclaimer: This document contains confidential information, and it is intended for AHP Learning Works PVT LTD use only. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

Format ID: AHP-ISMS-01 - Infosec Manual


Contents
Introduction
Goals
Objectives
ISMS FRAMEWORK
CONTEXT OF ORGANISATION
AHP - Mumbai
    Departments
    Organization Structure
    INFORMATION SECURITY POLICY
Headquarters - AHP-Mumbai – Overview
    Top Management
    Human Resources
    Software Development
    Operations - Project Management
    Operations – Information Security Management
        AUDIT PROGRAM
        MANAGEMENT REVIEW
        IMPROVEMENT
    IT Department
COMMUNICATION
Introduction
Incorporated in 2006, AHP Learning Works PVT LTD is a private firm. The firm was founded by three
friends, each of whom now manages it in a different role. The highest investor was appointed as CEO.
AHP caters to clients in India and the US only. The organization's major services and products are
e-learning modules with advanced animations and animated learning videos, which can be viewed
online and are also converted into DVDs and video files.

All products are designed internally by the team based on the requirements provided by the client. The
company believes in educating lives through innovation coupled with user-friendly technology. The
organization focuses on a mix of age and youth to ensure freshness in execution, experience and
strategy. The company culture is constituted of innovation, execution and, more importantly,
compliance.

The company has grown ten times financially, and this has caused a rapid increase in employee
strength.

As global security norms have become stringent and clients have made information security
mandatory, AHP management has decided to go for ISO 27001:2013 implementation.

The case study focuses on the business operations of AHP and the interactions it has with its different
departments, offices and customers across the globe.

Goals
1. To enable a work environment and culture where information security is considered a top
priority in service delivery at all stages of operation.

2. To create maximum awareness and implement proactive mechanisms in order to encourage all
employees and stakeholders to be actively involved in nurturing a positive approach to
information security.

3. To be able to demonstrate compliance with accepted standards of data and information
handling while promoting best practices relevant to the same in all operations.

Objectives
The main objectives of Information Security Management may be summarized as:

1. Designing a security policy (in collaboration with customer and suppliers) that is aligned with
the needs of the business.
2. Ensuring compliance with the agreed security standards.
3. Minimizing the security risks threatening continuity of service.
ISMS objectives are articulated for the periodic measurement and improvement of AHP Learning Works
PVT LTD's ISMS framework:

1. Number of repetitive security incidents to be minimized to less than 5 annually.
2. Reduction of security incidents by 5% annually.
3. Ensure awareness of information security for new employees/contractors during induction, with
refresher trainings repeated once annually.

ISMS FRAMEWORK

The ISMS framework follows the Plan-Do-Check-Act cycle, mapping the ISO 27001 clauses as follows:

PLAN: Clause 4 – Context of Organisation; Clause 5 – Leadership; Clause 6 – Planning; Clause 7 – Support
DO: Clause 8 – Operations
CHECK: Clause 9 – Performance Evaluation
ACT: Clause 10 – Improvement

CONTEXT OF ORGANISATION

The organization context is established in the following steps:

1. Identification of Internal Context: consider internal process, scenario, organization structure,
business model, organization culture and other internal matters under which the organization
operates, and list such scenarios.
2. Identification of External Context: consider the external cultural, political, legal, financial,
technological, economic, natural and competitive environment under which the organization
operates, and list such scenarios.
3. Identification of Interested Party Context: consider customers, suppliers, employees, statutory
and regulatory bodies, third-party related requirements and scenarios.
4. Finalizing the Organization Context.
5. Review of the Organization Context at minimum once a year.
6. Accepting the Organization Context.
AHP - Mumbai

AHP is present only in Mumbai, India. Overall employee strength is 350 people including the top
management. AHP has major clients in the US.

Departments

HR, Software Development, Operations, IT

The company has two large facilities (A and B), and both play an active role in managing the
operations of AHP. Some projects are managed in facility A, and work which needs specific
technology is managed in facility B. Access permission is restricted on a need basis. Only top
management can access both facilities; everyone else needs approvals and checks. AHP is located in a
low-lying area very close to the sea. Both facilities are rented, and there are many other companies
operating in the same business arcade. The entire business arcade comes under the CSL group and the
arcade is named CSL business complex.

The AHP facility is monitored using a centralised CCTV system. The entire facility is live 24x7, with
security professionals manning the doors and controlling access.

AHP has two leased lines (16 Mbps, 5 GBps) coming from three different service providers. Wing A
uses the 5 GBps line and wing B uses the 16 Mbps line. The entire server facility is managed in wing A,
which is secluded and manned using physical security and i-card scanners.

Any visitor coming to AHP is first attended to at reception and guided to the relevant zones with
permission from the relevant supervisor.

The organization attends to a large number of visitors during the day who come to the facility for
different business purposes.

Busy business operations mean a lot of to-and-fro access to both facilities by employees and, at times,
key business visitors, and many times this causes delays in security assessments and access
allowance.
Organization Structure

CEO
    Chief Operating Officer
    Chief Creative Officer
        HR
        Software Development
        Operations - Project Management
        IT

INFORMATION SECURITY POLICY


This Information Security Policy demonstrates the direction and commitment of AHP Learning
Works Pvt Ltd to information security in order to protect its own information assets and those
provided to AHP Learning Works Pvt Ltd by its customers.
Our information security management system will ensure that:
1. Critical information is protected from unauthorized access, use, disclosure, modification and
disposal.
2. The confidentiality, integrity and availability of such information, whether acquired, provided or
created, are ensured at all times.
3. Awareness programs on information security are available to all employees and, wherever
applicable, to third parties viz. subcontractors, consultants, vendors etc.
4. All contractual requirements with respect to information security are met wherever applicable,
and all relevant information security laws and regulations are complied with.
5. Any incident of policy infringement will be reported and corrective/preventive actions taken.
6. We strive for the continual improvement of the information security management system.

All employees should understand their obligations to protect these assets and implement security
practices consistent with the security manual. Compliance will be checked periodically through reviews
and audits, after which corrective & preventive actions will be initiated.
Headquarters- AHP-Mumbai – Overview
Top Management
Top management meetings happen in the first week of every month. Top management discusses the
status of strategy execution and also takes stock of actual vs planned for every business unit. The
agenda also focuses on new research breakthroughs, new product development and other
business-related points (cost, employee engagement, organizational initiatives for improving
organizational effectiveness).

Top management committee meetings also focus on monitoring the status of ongoing projects and
analysing the status of projects in the pipeline. The CEO chairs the meeting, and all the business unit
Directors attend and present reports related to their business vertical. One of the major agenda items
of the Board meeting is connecting with the (outsourced) legal partners and checking the status of the
organization's legal compliance.

The minutes of the meeting are recorded in an internally built online application (MyMinutes.online)
which is made available only to top management. In special cases the top management grants
permission to department supervisors to access the data and prepare the necessary report. Ms. Elizabeth
John (CEO office) has complete access to MyMinutes.online and manages the access, data and
archiving of the records. The minutes are electronically approved by the CEO and Business Unit Directors
before circulation. Minutes are circulated only in PDF format. Ms. Elizabeth is the sole access owner for
downloading and circulating the minutes of top management committee meetings.

Recently, during the board meeting, the MyMinutes.Online link wasn't responding after several attempts
because the connecting network link was down and the alternate link had not been activated as a backup
measure. Hence the minutes were recorded on Ms. Elizabeth's local laptop and were later uploaded by
the IT team using backend upload procedures and scripts.

Human Resources
The human resource department is newly formed. Earlier, all human resource operations were
managed by top management. As the company grew it became imperative to have professional and
seasoned personnel to manage the operations. The HR department has four personnel including the
HR director. The department handles all human resource operations. Since the department did not
exist earlier, all processes are being created and implemented.

The organization has engaged a recruitment firm to help with the recruiting process. The recruitment
firm sources the resumes for the organization, and further rounds of selection are managed at the
organizational level. The HR department primarily engages itself in the below set of activities:

• Payroll Management
• Recruiting
• Learning and Development
• Employee engagement process
• Employee cycle management
The HR department also manages the Admin department, as there is no dedicated admin manager for
the organization. The newly appointed HR director, Ms. Rakhi Malhotra, has hired a consultant on a
temporary basis to manage the admin-related activities and report to the HR function. The activities that
fall under the admin department include:

• Vendor management
• Facility Management
• Physical Security Management
• Purchase and Procurement

As the HR process is newly created and implemented, the organization is facing issues in ensuring
compliance for retrospective data and recruitments. The organization has initiated a screening and
background verification process for new joiners but is struggling to get the data and verification done for
old employees, who number almost 200. The organization takes an undertaking on government-
authorised stamp paper from joiners to ensure compliance in organizational interactions and
business.

All HR and admin-related hard-copy files are preserved in a cabinet in the HR director's cabin. The
master key is with the HR director and no other key has been made available.

Recently, the admin department procured CCTV cameras which were reported faulty two months after
installation. On investigation it was found that the camera had not been working for the 45 days before it
was reported faulty. The entire backup of CCTV footage is managed by the local IT team, who clear all
backups after 7 days.

Recently an employee was terminated without prior warning for forging credentials and other critical
documents.

Software Development

The organization's main business is developing e-learning animation modules for clients in and around
India and a few clients in the US. The software development team, also known as the codeline team,
ensures the code is written, tested and quality-check approved before packaging into the final module.

The software development department is internally segregated into the below micro units:

• Codeline - Developers
• Codeline - Testers
• Codeline - QAs
• Codeline - Implementors

The team has two approaches when it comes to creating learning animations. In certain cases, unless
specified by the client, the team uses a few animation software packages (Maya, 3D Max). Here they
make some custom changes to the animation software packages according to the functional
requirements and also, at times, based on the updates provided by the software owners. When these
changes are made to the animation software packages, they are internally tested by codeline-
Testers and then approved for use in production. The entire change and test data is managed by the
department Director on the company SharePoint (Webmax). Access to the SharePoint is managed by
the respective project leads based on their project requirements. Upgrade and downgrade of access is
managed through an email process.

In other cases the software team creates animation scripts and integrates them into learning modules.
These scripts are later reused as short applications for other projects where similar functionality is
envisaged or proposed by the client. These scripts are stored separately in a secured environment on
the SharePoint (Webmax) where access is available only to project leads and approved personnel.

The entire development cycle follows a fixed pathway as defined by the industry, which corresponds to:
requirement gathering -> designing -> prototyping -> coding -> testing -> quality check ->
integration testing -> sign off.

Each stage is approved by the respective function leads via email or a signed-document process on a
need basis.

There is no separate environment (sandbox) for these stages. Everything is managed in one environment,
with manually controlled segregation and access.

When a project is complete, the access details are reset to the basic level on information received from
the project leader. The IT team manages access allocation and de-allocation based on email
confirmation from the project leader.

Last month a few accesses were seen to be still active even though the resources no longer used them.
Since it was not on production files, nothing serious was reported.

Since it is a niche market, developers are scarce and their retention is a huge problem. Most of the
time they are hired away by competitors, because there are not many players in the market.

Operations - Project Management

Project management processes are managed at the individual project level. The organization doesn't have
a centralised project management process such as a PMO, or a centralised server for managing all project
administration. The project managers maintain their project reports and project plans on FTP servers,
which lets them access these files when working from remote locations. Access to the project
folders is given to the respective project managers only; in their absence nobody can access those files
or any reports.
The project managers are not allowed to access any company-related confidential information via
smartphone or non-company assets. The project manager maintains the access list for every project, and
it is checked every six months for the allocation and de-allocation of access rights.

The final client delivery is completely handled by the project manager and is passed to the client side via
FTP servers provided by the client.

Recently, due to the unavailability of a project manager (Mr. Ranjan) because of a family emergency, the
client deliverable was delayed by a day and the organization was served a show-cause notice by the
client. As the nature of the business is very confidential and very innovative, it is very risky to allow many
people to access the client FTP and manage client deliveries.

Project team members were recently spotted accessing internet websites from local machines, which
had been blocked by IT. The lack of internet access was hampering their productivity, since they couldn't
look up information on Google for queries or design confusion. To solve this, four internet kiosks have
been installed on the production floor where the team can browse the internet and download files, but
approval from IT is needed to move these downloaded files to a local machine for reference.

The team has in the past faced four project delays due to link issues and server congestion. The
organization is in the process of installing a new server solely to manage the final client deliverables, but
this has been delayed due to business exigencies.

Operations – Information Security Management

The management of the information security management system throughout the organisation is the
responsibility of the Operations team. The head of Operations is appointed as the Chief Information
Security Officer.

AUDIT PROGRAM
Procedures have been established that ensure that all processes of the Management System are
regularly audited.

The IS Executive prepares an annual audit program in the Myaudit portal. A schedule is prepared on
the basis of the status and importance of the activities, taking into account the results of previous
audits. The audit program is constructed in such a way that both individual audit results and the collective
results of the program allow a determination of whether the system continues to comply with ISO
27001. Upon approval by the Operations Head, the audit schedule is circulated electronically to all
concerned.

Audits are prepared and planned by the auditors. The audit plan ensures that the processes in a given
area and their interactions are assessed to verify their effectiveness in producing the required results.
Program planning ensures that in all cases the auditors will be independent from the persons
responsible for the area being audited and will not be involved in the work being audited.

All nonconformities discovered during the audit are recorded separately and an Audit Report is
prepared. The results of the audits are communicated to the respective department managers, who are
responsible for carrying out the agreed corrective actions within the time limit agreed. The procedure
requires that the implementation and effectiveness of corrective action is verified by a follow-up audit,
which is initiated by the IS Executive.

The Operation Head submits the audit results to the next Committee Meeting. This information is
evaluated to assess the effectiveness of the quality system and to determine if any improvements in the
system are required.

See documents:

AHP-PR-02 – Internal Audits
AHP-PR-03 – Remedial, Corrective and Preventive Action

MANAGEMENT REVIEW
Top Management will review the organization's ISMS at annual intervals to ensure its continuing
suitability, adequacy and effectiveness. This review includes assessing opportunities for
improvement and the need for changes to the ISMS, including the information security policy and
information security objectives. The results of the reviews are clearly documented and the records are
maintained.

REVIEW INPUT
The Management review input includes:
1. Results of ISMS audits and reviews
2. Feedback from interested parties.
3. Techniques, products or procedures, which could be used in the organization to improve the
ISMS performance and effectiveness
4. Status of corrective actions for the non-conformities raised during the internal and external audits.
5. Vulnerabilities or threats not adequately addressed in the previous risk assessment
6. Results from effectiveness measurements
7. Follow-up actions from previous management reviews
8. Any changes that could affect the ISMS
9. Recommendations for improvement

REVIEW OUTPUT
The output from the management review meeting includes any decisions and actions related to the
following:
1. Improvement of the effectiveness of the ISMS
2. Update of the risk assessment and risk treatment plan
3. Modification of procedures and controls that affect information security, as necessary, to
respond to internal or external events that may impact the ISMS, including changes to:
• Business requirements
• Security requirements
• Business processes affecting the existing business requirements
• Regulatory or legal requirements
• Contractual obligations and
• Levels of risk and/or criteria for accepting risks.
4. Resource needs
5. Improvement to how the effectiveness of controls is being measured
IMPROVEMENT

Continual Improvement
The Organization continually improves the effectiveness of the ISMS through the use of the information
security policy, information security objectives, audit results, analysis of monitored events, corrective
actions and management review.

Corrective Action
The Organization will take action to eliminate the cause of non-conformities with the ISMS
requirements in order to prevent recurrence. The documented procedure for corrective action defines
the following requirements:
1. It describes the investigation of nonconformities, the initiation of corrective action to eliminate
recurrence, and the review of the action for effectiveness by all concerned, in consultation with Top
management.

2. It applies to all information security related nonconformities with respect to ISMS, process and
product requirements / performance, and audit findings. The scope also covers the security
incidents raised by the interested parties.

3. For non-conformities or security incidents, the process owners together with the auditor review
to find the root cause of the nonconformity or security incident by studying the process,
interactions and discussions. The root cause is recorded in the Myaudit portal.

4. Based on the root cause analysis, one or more of the following actions are taken by Top
management to avoid recurrence:

• Design correction at product or process
• Amendment of the ISMS documentation
• Provision of additional resources
• Increase in awareness among employees related to ISMS compliance

The effectiveness of corrective actions is reviewed by Top management on a regular basis, depending on
the criticality of the non-conformity. All non-conformities brought out by internal & external auditing are
reviewed during the management review meetings.

IT Department

The IT Department is headed by one of the owners of the company. The organization doesn't have a
dedicated CISO. The department takes care of the entire IT infrastructure for the organization. The
organization primarily works on Linux systems and allied servers. It also has a few systems and servers
which run on the Windows platform. The Windows machines and servers don't interact with the
production and operations environment; these machines are used for basic purposes by the HRD and
accounts departments.

The organization's IT lead, who reports to the designated CISO, is a commerce graduate with seven
years' experience in the IT domain and is a Cisco certified professional. The IT department is
staffed by four team members who work on a rotational shift basis. The organization doesn't work 24x7.
The entire architecture was set up by the organization when the business unit was entering the US
market. With business growth the organization has introduced a few more network servers and routers
to expedite business processes. The core switch is an old model and doesn't have an option for
time setting; the organization is aware of this issue but, due to financial constraints, has not upgraded
the switches.

IT runs virus scans for Windows machines using a manual procedure. According to the organization, Linux
is robust and secure, hence no attention is paid to virus management mechanisms.

The asset inventory for IT assets is managed by the IT department; they conduct inventory checks based
on the availability of resources, but make sure to enter new IT assets in the tracker, which is kept on
the IT lead's machine.

Recently a few vendors were replaced by the IT team as they delivered low-quality products. All IT assets
(desktops, servers, mice, keyboards, etc.) are on a rental basis. The team also shares admin
responsibility with the HR function. The top management's laptops are purchased by the organization and
don't have any uniform branding. Email access is made available to top management on their
BlackBerry, Android and iOS phones. Since it is top management, no approval records or documents are
maintained.

Since AHP uses O365 (a cloud email service), email can be configured on employees' smartphones.

The users shall be made aware of the dos and don’ts while using emails on the smartphone.

All employees shall have no expectation of privacy in any information they store, send, or receive on
the company's email system. Management has the right to access incoming and outgoing email
messages without prior notice in case of any security breach, or where a user's usage or involvement is
excessive or inappropriate. AHP is not obliged to monitor all email messages.

The O365 audit logs shall be generated and maintained on a shared drive by IT for 365 days. Personal
information in the audit logs is masked while configuring the logs. After the retention period the logs
are permanently deleted. The deletion logs are verified by the Head of IT.

COMMUNICATION
Objective: The organization shall determine the need for internal and external communications relevant
to the information security management system.
Communication matrix (Entity / What / When / How – How Often / Who / To Whom):

Entity: Staff
What: ISMS policies / procedures
When: When approved by CEO
How / How Often: e-mail / once a year / on the event of change
Who: CEO
To Whom: Staff

Entity: Staff
What: Induction Training – Awareness Training; Periodic ISMS Training
When: Employee start-up; once a year
How / How Often: Presentation slides / procedure documents
Who: CEO
To Whom: Staff

Entity: Customers
What: IS Policy; Audit reports; Business Continuity Plan
When: When required; upon request
How / How Often: e-mail
Who: CEO
To Whom: Customers

Entity: IT Service Providers
What: IS Policy / Third Party connection policy / supplier relationship procedure; Incident Reporting; Change Management; Business Continuity plan requirements
When: When renewing the agreements; upon new or renewal
How / How Often: Agreements
Who: CEO
To Whom: Point of contact of the service provider

Entity: Contractors
What: IS Policy; NDA (when required); Incident Reporting
When: Upon renewing the agreements
How / How Often: Agreements / NDAs / e-mail
Who: CEO
To Whom: Point of contact of the service provider

Entity: Legal & Regulatory bodies
What: Compliance and violation of law
When: When required
How / How Often: Written statement, compliance reports / according to the requirement or upon occurrence of incidents
Who: CEO
To Whom: Relevant legal body

Entity: Media
What: Marketing materials
When: When required
How / How Often: Electronic or print media
Who: CEO
To Whom: Potential customers
