Information Security Policy
Introduction
The company’s data is among its most valuable assets. Information security is the protection of this data against loss, misuse or damage, whether the information is processed, stored, transmitted or retrieved from an electronic medium.
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The terms information security / cyber security, computer security and information assurance are frequently, but incorrectly, used interchangeably. These fields are interrelated and often share the common goal of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Computer security focuses on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer.
The policy manual document is based on internationally recognized standards, best practices and regulatory guidelines (if applicable).
Information Security has become a critical business function and an essential component of governance and management affecting all aspects of the business environment. Effective IS controls are necessary to ensure the confidentiality, integrity, availability, durability and quality of technology resources and associated information/data. These assets shall be adequately protected from unauthorized access, deliberate misuse or fraudulent modification, insertion, deletion, substitution, suppression or disclosure. To achieve these objectives, Tapal tea shall establish an Information Security program to manage the risks identified through their assessment, commensurate with the sensitivity of the information and the complexity of their information security risk profile. Management may consider a variety of policies, procedures, technical controls and adopt measures that appropriately address identified risks.
Tapal tea regards information as a highly valuable asset, and our information systems are critical to the business. Tapal tea aims to protect information assets and effectively manage risks in the environments within which it operates. Protection will be provided by adherence to these Information Security Policies through a cost- and risk-effective combination of hardware, software and security measures.
All employees (management, end users, support personnel, managers, administrators etc.) and contractual personnel therefore have a responsibility to protect Tapal tea’s information through compliance with established policies, standards, guidelines and procedures.
Waiver and Exception Criteria
This Policy is intended to address information security requirements. Requested waivers and exceptions must be formally submitted to the Information Security function, including the justification and benefits attributed to the waiver, and must be approved by the Steering Committee. A waiver should only be used in exceptional situations when communicating non-compliance with the policy for a specific period of time (subject to a maximum period of 1 year). At the end of the period the need for the waiver should be reassessed and re-approved, if necessary. No policy should be granted a waiver for more than three consecutive terms.
The seriousness of the threats we face in an increasingly hostile and open world means that it is imperative that we collectively comply with the Information Security Policies. Failure of any employee to do so may result in disciplinary action.
Layout of Information Security Policy Framework Document
The Information Security Policy Framework document comprises the following sections:
- Information Security Policies
- Organization of Information Security
- Human Resource Security
- Asset Management
- Access Control
- Cryptography
- Physical & Environmental Security
- Operations Security
- Communications Security
- System Acquisition, Development and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security aspects of Business Continuity Management
- Compliance
Document Owner and Maintenance
Tapal tea’s Information Security Function is responsible for administering these policies. This task includes updating the Policy document from time to time to reflect updates, amendments, and circumstances requiring changes in policies, and training personnel.
The primary owner of the document is the General Manager IS (GM IS), who is responsible for reviewing and managing the plans; the custodian is the Steering Committee.
The maintainer of the document is Information Security, in collaboration with the rest of the IS team. Information Security is responsible for preparing, amending and updating the plans at regular intervals.
The document shall be reviewed by the GM IS for its appropriateness and submitted to the Steering Committee for approval.
Any gaps in understanding regarding any individual policy enclosed within the Information Security Policies Document shall be addressed by the GM IS.
All users are required to read, understand and comply with the Information Security policies, procedures and relevant documentation. The Steering Committee shall resolve any conflicts arising from this Policy.
Revision Procedure and Control Techniques
When there is an apparent need for new or revised policies, the GM IS will submit it through appropriate channels to the Steering Committee.
After the Steering Committee has approved the new or revised policy, it may direct that the policy be issued and administered immediately.
Approved policies will be distributed to authorized management and officials by the Information Security / GM IS.
The following manual revision control techniques will be used:
- Policy holders are responsible for pointing out the need for revision when current instructions prove impracticable.
- Issue revised contents and index pages frequently with a request that policy holders check manuals for completeness.
The version of the manual is stated on the title page along with the date of publication, e.g. “Version 1.0, April, 2018”. A new version of the manual will be released after significant changes to individual chapters of this manual.
The release of the manual is stated on the first page in the form (release-number, 00 month 0000), e.g. “Release 01, 15 June, 2018”, and on the second page under Document Change History.
Release level may be maintained separately for each chapter / annexure. The old replaced pages shall be stored as a record of revision of the manual.
This charter defines the mission and objectives of Tapal tea Information security program, outlines the scope of the company's mandate, defines terms, and delineates roles and responsibilities for information security throughout the company. Unauthorized access, breach of confidentiality, loss of integrity, disruption of availability, and other risks threaten Tapal tea Information Assets. Tapal tea’s Information Security policies are aimed at reducing exposure to threats, thereby minimizing risk in order to protect assets. Policies are goals or mandates used to cultivate standards. Tapal tea’s security standards define metrics against which results can be measured to determine compliance with the policies and describe objectives for procedures. Tapal tea’s security procedures detail how to implement standards in order to comply with policies. Guidelines are suggested methods, best practices, or clarifications to assist with the implementation of standards.
Employees, personnel, contractors and any individual accessing Tapal tea’s information assets who fail to adhere to this charter may be required to provide explanations and may be subject to disciplinary action, both within and outside Tapal tea. Violations will be handled through Tapal tea’s disciplinary procedures applicable to the relevant division or employee. Tapal tea may suspend, block or restrict access to its resources for employees and/or divisions independently of such procedures, when it reasonably appears in the best interest of Tapal tea to do so. Tapal tea may also refer suspected violations of applicable law to the appropriate law enforcement agencies.
Distribution of Policy and Custodians
This policy will be issued to appropriate management and supervisory officials. The person to whom the policy is issued shall be responsible for its safekeeping and maintenance and therefore should be familiar with the information contained in the policy and any amendments thereto.
Policy holders are responsible for communicating these policies to staff and for implementing and administering them in a consistent and impartial manner. The following staff members will be provided with a copy of the policy:
- CEO;
- Chief Financial Officer;
- Business Heads;
- Head of Human Resources;
- IS Department and
- All employees (Relevant Extracts).
Information Security Policies
The purpose of this policy is to provide management direction and support for information security in accordance with Tapal tea’s business requirements and relevant applicable laws and regulations.
This policy applies to all users of information assets including the Tapal tea’s employees, employees of sister company, employees of temporary employment agencies, vendors and contractor personnel regardless of geographic location.
This Policy covers all Information Systems environments operated by the Tapal tea. The term “Information System environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. all computers / systems desktop, network devices, wireless devices), software, and information.
This policy is management direction and support for Information Security in accordance with business requirements and relevant laws and regulations.
Management Direction for Information Security
Policies for Information Security
- This policy document is defined and based on internationally recognized standards, best practices and regulatory guidelines.
- All employees (management, end users, support personnel, managers, administrators etc.) and contractual personnel therefore have a responsibility to protect Tapal tea’s information through compliance with established policies, standards, guidelines and procedures.
- This policy document is composed of baseline controls for the governance and protection of Tapal tea’s information and IT infrastructure.
- This policy document primarily addresses the requirements arising from business strategy; regulation, legislation and contracts; and the current and projected information security threat environment.
- This policy document is categorized as defined in the “Layout of Information Security Policy Framework Document” section and has been mapped to the ISO 27001:2013 standard.
Review of Policies of Information Security
- Tapal tea’s management shall ensure that the Information Security Policy Framework document undergoes a formal review annually to confirm that all changes to the business/IT environment since the last review have been incorporated. The Information Security Policy Framework document shall also undergo an independent review whenever required, and all results of such reviews shall be retained by management. The review process shall include the following information at a minimum:
- Results of previous reviews
- Status of all preventive and corrective actions suggested in the previous reviews
- Number of non-compliant processes and exceptions
- New and popular trends regarding information security (Threats and Vulnerabilities)
- The output from the management review should include any decisions and actions related to:
- Improvement of the company's approach to managing information security and its processes
- Improvement of control objectives and controls
- Improvement in the allocation of resources and/ or assignment of responsibilities
- Changes that could affect the company's approach to managing information security, including changes to the organizational environment, business circumstances, insurance, human resources, resource availability, technical environment, or changes in the contractual, regulatory, legislative and legal conditions.
For the revision procedure and document history, refer to the “Document Owner & Maintenance” section of the policy document.
Organization of Information Security
The purpose of this policy is to manage information security and maintain appropriate security controls in the information processing facilities within the company and outsourced to third parties.
This Policy covers all Information System environments operated by the Tapal tea. The term “Information System environments” defines the total technology environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. all computers / systems desktop, network devices, wireless devices), software, and information.
Information security deals with all aspects of information, whether spoken, written, printed, electronic or relegated to any other medium, regardless of whether it is being created, viewed, transported, stored or destroyed.
The Information Services organizational structure shall be commensurate with the size, scale, business objectives and nature of the business activities carried out by Tapal tea. Although this Policy explicitly covers the responsibilities of users, it does not address matters outside the scope of Tapal tea’s Information Security policies. All users are required to read, understand and comply with the Information Security policies. If any user does not fully understand anything in this document he/she should consult the Information Security function or the policy owner / custodian.
Information security activities shall be coordinated by representatives from different parts of the company with relevant roles and job functions. This coordination is required to streamline the Information Security related process and procedures, including incident response and management and should report to the Steering Committee.
This Policy suggests guidelines for defining the roles and responsibilities pertaining to information security throughout the Tapal tea. To ensure that information security is properly implemented, all the Tapal tea associates must understand and comply with the responsibilities identified in this document when their duties entail one or more of the roles described below.
A structured management framework directs, monitors and controls the implementation of information security as a whole within the organization. In order to achieve the stated objectives, the following information security structures/functions (organization) have been envisaged for Tapal Tea (Private) Limited (Tapal Tea).
For the IS organization structure, please refer to Annexure A.
Information Security Roles and Responsibilities
The Manager Information Security
- The Manager Information Security is responsible for the following:
- Apply / direct the application of Information Security Policies, Information Security Standards & Procedures and any other agreed specific security and control requirements.
- Develop security strategy, oversee the security program and initiatives, and liaise with Business Heads for on-going alignment.
- Update and obtain approval from management and IT Steering committee on latest security events and recommended measures.
- Identify significant threats to the Information Processing facilities and devise appropriate mitigating controls.
- Oversee the investigation of security breaches, and assist with disciplinary matters associated with such breaches as necessary.
- Implement a process to expeditiously and effectively address information security incidents in coordination with IS Division.
- Ensure the risk and business impact assessment are conducted when required.
- Liaise with other assurance providers e.g. Internal/External Auditors or regulators.
- Assess the adequacy and coordinate the implementation of information security controls.
- Responsible for ensuring appropriate classification of Data, Information and all Information processing assets and determining the adequate level of controls and protection to be provided to each information asset in collaboration with the Data Owners.
- Responsible for management and mitigation of information/cyber security risks across the enterprise and devising strategies to monitor and address current and emerging risks.
- Responsible for seeking resources or risk acceptance (dispensation) from the Departmental Head in the event of problems applying policies, standards & procedures or control requirements.
- Tapal Tea shall put in place a security / system administration function and set formal procedures for reviewing the allocation of access rights to system resources and application systems and monitoring the use of system resources to detect any unusual or unauthorized activities.
- Responsible for developing and implementing a security awareness program periodically for all staff.
- Responsible for conducting security assessments of vendor supplied and in-house developed applications prior to being purchased, put into production, and after maintenance.
- Responsible for ensuring the correct operation of the process for authorization to access logical or physical assets.
- Responsible for ensuring the correct operation of the application major/minor change management process.
- The Information Security function is also responsible for reviewing all system-generated reports (both standard and MIS reports), including security logs, to validate that all maintenance activities are in line with IS-approved policies and standards.
- Has authority to investigate and report on any individual, process or system, and to recommend action, if it is believed to be compromising information security.
- Has authority to stop application development or deployment efforts if a risk assessment finds that the impact of a particular threat would compromise the information security of Tapal Tea and/or its associated programs/facilities, until a remedy is implemented that reduces or eliminates the impact of that threat.
- The Information Security function shall have no operational business access or need to access the data (information repository), business system or application.
- Staff assigned in information security function shall not perform other duties which can create any conflict of interest.
General Manager Information Services (GM IS)
- The GM IS is responsible for:
- Enabling and supporting the Information Security to establish downstream policies, procedures and controls in line with the security standard.
- Making investment decisions, up to the GM IS authorized financial limit, regarding the information security activities, or those delegated by the Steering Committee to the GM IS.
Information Security Team
- The Manager Information Security is responsible for execution of the following through Information Security Team:
- Defining technical and non-technical information security standards, procedures and guidelines.
- Supporting Information Assets Owners (IAOs) and managers in the definition and implementation of controls, processes and supporting tools to comply with the policy manual and manage information security risks.
- Reviewing and monitoring compliance with the policy statements and contributing to Internal Audit processes.
- Collecting, analyzing and commenting on information security metrics and incidents.
- Supporting asset owners in the investigation and remediation of information security incidents or other policy violations.
- Liaising as necessary with related internal functions such as IT Operations, Risk Management, Compliance and Internal Audit, as well as the Regulators.
- Organizing a security awareness campaign for personnel to enhance the security culture and develop a broad understanding of the requirements of information security and related standards.
- Informing line manager / GM IS of actual or suspected policy violations (information security incidents) affecting their assets.
Business Managers/ Information Asset Owners (IAOs)
- Business Managers/IAOs are managers held accountable for the protection of particular Significant Information Assets. IAOs delegate information security tasks to managers or other individuals but remain accountable for proper implementation of the tasks. IAOs are responsible for:
- Appropriate classification and protection of the information assets.
- Specifying and funding suitable protective controls.
- Authorizing access to information assets in accordance with the classification and business needs.
- Undertaking or commissioning information security risk assessments to ensure that the information security requirements are properly defined and documented during the early stages of development.
- Ensuring timely completion of regular system/data access reviews.
- Monitoring compliance with protection requirements affecting their assets.
- Information security risk acceptance
All Tapal Tea Staff
- All Tapal Tea staff (i.e. employees on the payroll and others acting in a similar capacity, such as contractors, consultants, student placements etc.) are responsible for:
- Complying with the principles and policies in the information security policy manual where relevant to their jobs.
- Maintaining the security of all information entrusted to them.
- Upon hire, as a condition of employment, each worker undertakes to comply with Tapal Tea’s information security policies.
- Job descriptions or contracts must specify any additional information security responsibilities beyond the general policies.
- Tapal Tea will achieve effective employee awareness and understanding through information security training and ongoing security-related communications, employee certifications of compliance, self-assessments, third-party audits, and monitoring.
- Any worker / employee failing to comply with the security policies could be subject to disciplinary action, potentially including termination of employment or contract and/or prosecution.
- Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the Tapal Tea’s assets.
- The initiation of the event shall be separated from its authorization.
- Whenever it is difficult to achieve segregation of duties, alternative controls must be considered and applied.
- Activities which cannot be separated through segregation of duties must be logged in an audit trail.
- Within security administration, there must be a functional segregation between individuals responsible for administering access and those responsible for reviewing log files.
- Dual control should be considered for functions which, if executed by the same individual, could be misused, or allow errors to go undetected.
- Where there is any segregation of duties conflict, the conflicts shall be documented with a valid reason and approved by the management.
- For critical systems the input, authorization and verification functions should be separated.
- The IT Department must maintain a list of key contacts to be used in case of incident or disaster, including the internet service provider, IT vendors, etc.
- The relevant stakeholders must maintain a list of contacts for the premises owner, legal authorities and other investigating authorities, to be used when action is needed in response to a mishap, a security incident, or the loss of a valuable asset.
Contact with special interest groups
- Tapal Tea should monitor technological developments and keep abreast of new technology governance and cyber risk management processes that can effectively address existing and new technological requirements.
- Tapal Tea’s Information Services / Information Security function must maintain a list of its contacts with special interest groups, used to obtain updates about market technology and security trends; news and alerts about the latest advancements, threats, vulnerabilities and patches; and best practices adopted by the market.
Information security in project management
- Refer to “System Development and Acquisition Framework”, “Project Management in System Development & Acquisition” and “Security in Development and Support Processes”.
Mobile devices and Teleworking
- The company will not provide mobile devices to employees of Tapal Tea. The following policy should be applied if the IS department permits users’ own devices on the company’s network.
Bring your Own Device (BYOD)
- Jailbroken and rooted devices should not be allowed to connect to the company’s network.
- Users are responsible for the company data stored or processed on their own devices. If a device is found to be compromised, the IS department has the authority to block services to it.
- Employees will be blocked from accessing certain websites while connected to the corporate network, at the discretion of the company (list of such websites).
- The following apps are not allowed, as per the app blacklist: Facebook, iTunes, Play Store, etc.
- Password locking should be enabled, with a security timeout of 5 minutes.
- Device must be enrolled / registered to Company’s Mobile Device Management solution (MDM), if applicable.
- Ensure that relevant security patches are implemented and that antivirus software is installed and updated on mobile devices, if applicable.
- Business data and personal data must be kept separately (where applicable).
- Corporate data should not be allowed to be downloaded or stored on local devices. Only allow access to sensitive information while connected to the corporate network.
- If a smartphone is lost or stolen, Information Security / the IS Department should be informed so that Tapal Tea data is adequately protected.
- Users must inform the IS team before giving a phone for repair, so that the Tapal Tea data on the phone is protected at all times.
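The BYOD clauses above can be checked mechanically against a device inventory, for example an MDM export. The Python below is an added example, not part of the policy document or of any Tapal Tea system; the inventory fields, the 30-day patch window and the block/restrict/allow mapping are assumptions, while the 5-minute timeout, the jailbreak rule and the app blacklist come from the policy text.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Thresholds taken from the BYOD policy; the patch window is an assumption, since the
# policy only says "relevant security patches are implemented" without a deadline.
BLACKLISTED_APPS = {"facebook", "itunes", "play store"}
MAX_LOCK_TIMEOUT_SECONDS = 5 * 60
MAX_PATCH_AGE_DAYS = 30
REPORT_DATE = date(2018, 6, 15)  # constructed review date for the sample inventory


@dataclass
class DeviceRecord:
    """One row of a hypothetical MDM inventory export for a personal device."""
    device_id: str
    owner: str
    jailbroken_or_rooted: bool
    passcode_enabled: bool
    lock_timeout_seconds: Optional[int]
    mdm_enrolled: bool
    last_patch_date: Optional[date]
    antivirus_installed: bool
    antivirus_definitions_current: bool
    installed_apps: List[str] = field(default_factory=list)


def policy_violations(device: DeviceRecord, today: date) -> List[str]:
    """Return the BYOD clauses the device fails; an empty list means compliant."""
    violations: List[str] = []
    if device.jailbroken_or_rooted:
        violations.append("jailbroken or rooted device")
    if not device.passcode_enabled:
        violations.append("password lock disabled")
    elif device.lock_timeout_seconds is None or device.lock_timeout_seconds > MAX_LOCK_TIMEOUT_SECONDS:
        violations.append("security timeout longer than 5 minutes")
    if not device.mdm_enrolled:
        violations.append("not enrolled in MDM")
    if device.last_patch_date is None or (today - device.last_patch_date).days > MAX_PATCH_AGE_DAYS:
        violations.append("security patches out of date")
    if not (device.antivirus_installed and device.antivirus_definitions_current):
        violations.append("antivirus missing or not updated")
    blacklisted = sorted(app for app in device.installed_apps if app.strip().lower() in BLACKLISTED_APPS)
    if blacklisted:
        violations.append("blacklisted apps installed: " + ", ".join(blacklisted))
    return violations


def network_decision(device: DeviceRecord, today: date) -> Tuple[str, List[str]]:
    """Map violations to a network access decision (the three-way mapping is an assumption).

    'block'    : jailbroken/rooted devices are never allowed on the network
    'restrict' : any other violation keeps the device off corporate data until remediated
    'allow'    : fully compliant
    """
    violations = policy_violations(device, today)
    if device.jailbroken_or_rooted:
        return "block", violations
    if violations:
        return "restrict", violations
    return "allow", violations


# Constructed sample inventory; these are not real devices or people.
SAMPLE_DEVICES = [
    DeviceRecord("dev-001", "alice", False, True, 300, True, date(2018, 6, 1), True, True, ["Mail", "Maps"]),
    DeviceRecord("dev-002", "bob", True, True, 120, True, date(2018, 6, 1), True, True, []),
    DeviceRecord("dev-003", "carol", False, True, 900, False, date(2018, 1, 15), True, False, ["Facebook", "Mail"]),
]


def compliance_report(devices: List[DeviceRecord], today: date) -> dict:
    """Return {device_id: (decision, violations)} for the whole inventory."""
    return {d.device_id: network_decision(d, today) for d in devices}


if __name__ == "__main__":
    for device_id, (decision, reasons) in compliance_report(SAMPLE_DEVICES, REPORT_DATE).items():
        print(f"{device_id}: {decision.upper():8s} {'; '.join(reasons) or 'compliant'}")
```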
Teleworking
- Controls should be developed and implemented for teleworking sites.
- Remote access to internal systems and applications must only be permitted under appropriate authentication and encryption controls.
- The business need for remote access to Tapal Tea’s systems represents one of the greatest risks to Tapal Tea’s information assets. Therefore, Departmental Head must approve any mechanism that allows remote access to Tapal Tea’s information prior to its use.
- Only users that have a justifiable business need for remote access shall be authorized for that access by the Departmental Head.
- Requests from vendors and other third parties for remote access should be authorized only in cases where there is a justifiable business need and a risk assessment has been performed. Such access will only be granted upon the joint approval of Information Security and the Departmental Head.
- Production servers shall not be directly exposed through external connections.
- All remote diagnostic connections for maintenance support and special services (like administration) shall be secured and controlled.
- All remote users accessing Tapal Tea’s information assets must be authenticated through the firewall infrastructure before a session is granted.
- The Information Security function shall maintain and update a list of users with remote access, which will be reviewed on periodic basis by department heads.
- The Information Security function will review remote access logs bi-annually for any unusual occurrences, with the review frequency adjusted according to how frequently remote access is used.
- Tapal Tea shall establish control procedures covering the approval process for user requests; authentication controls for remote access to networks, host data and/or systems; and protection of equipment and devices. Controls should be in place at the teleworking site when a user performs remote activity.
- Network services (LAN & WAN related) must be disabled when using broadband / private DSL services. All network printers with a built-in fax facility should be protected from broadband / DSL related attacks.
- Remote access to the internal network should use cryptographic controls and encrypted channels (for example, Secure Sockets Layer, SecurID tokens using crypto-cards, RSA keys, VPN, etc.).
- Users of VPN services shall only be allowed to connect from company-provided machines.
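The teleworking clauses above call for a maintained list of approved remote-access users (with joint Information Security and Departmental Head approval for third parties), VPN use only from company-provided machines, and a periodic review of remote access logs for unusual occurrences. The Python below turns that review into a repeatable check; it is an added example, not part of the policy document or of any Tapal Tea tooling, and the VPN log format, the approval fields and the failure threshold are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed log format of a hypothetical VPN gateway; not any real product's format.
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) vpn-gw auth user=(?P<user>\S+) device=(?P<device>\S+) "
    r"result=(?P<result>success|failure) src=(?P<src>\S+)$"
)

# Assumption: this many failures for one account within the review window is "unusual".
FAILURE_THRESHOLD = 5


@dataclass
class RemoteAccessEntry:
    """One row of the remote-access user list maintained by Information Security."""
    user: str
    department_head_approved: bool
    third_party: bool = False
    infosec_approved: bool = False  # third parties need joint InfoSec + Departmental Head approval

    def is_authorized(self) -> bool:
        if not self.department_head_approved:
            return False
        return self.infosec_approved if self.third_party else True


@dataclass
class Finding:
    user: str
    issue: str
    detail: str


def parse_auth_events(lines: List[str]) -> List[dict]:
    """Keep only well-formed auth records; other log lines are ignored."""
    events = []
    for line in lines:
        match = AUTH_LINE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def review_remote_access(lines: List[str], access_list: Dict[str, RemoteAccessEntry],
                         company_devices: Set[str]) -> List[Finding]:
    """Reconcile VPN auth events against the approved user list and the company device list."""
    findings: List[Finding] = []
    failures: Counter = Counter()
    reported_users: Set[str] = set()
    reported_devices: Set[Tuple[str, str]] = set()

    for ev in parse_auth_events(lines):
        user, device = ev["user"], ev["device"]
        if ev["result"] == "failure":
            failures[user] += 1
            continue
        entry = access_list.get(user)
        if (entry is None or not entry.is_authorized()) and user not in reported_users:
            reported_users.add(user)
            reason = "not on the remote access list" if entry is None else "approval incomplete"
            findings.append(Finding(user, "unauthorized remote access",
                                    f"{reason}; device={device}; src={ev['src']}"))
        if device not in company_devices and (user, device) not in reported_devices:
            reported_devices.add((user, device))
            findings.append(Finding(user, "non-company device on VPN", f"device={device}"))

    for user, count in failures.items():
        if count >= FAILURE_THRESHOLD:
            findings.append(Finding(user, "repeated authentication failures", f"{count} failures"))
    return findings


# Constructed sample data: approved list, company machine inventory and one day of log lines.
ACCESS_LIST = {
    "alice": RemoteAccessEntry("alice", department_head_approved=True),
    "bob": RemoteAccessEntry("bob", department_head_approved=True),
    "acme-svc": RemoteAccessEntry("acme-svc", department_head_approved=True, third_party=True),
}
COMPANY_DEVICES = {"TPL-LT-0123", "TPL-LT-0200"}
SAMPLE_LOG = """\
2018-06-15T08:02:11Z vpn-gw auth user=alice device=TPL-LT-0123 result=success src=203.0.113.10
2018-06-15T08:05:40Z vpn-gw auth user=bob device=BOB-HOME-PC result=success src=198.51.100.7
2018-06-15T09:17:03Z vpn-gw auth user=mallory device=TPL-LT-0200 result=success src=192.0.2.44
2018-06-15T10:00:01Z vpn-gw auth user=acme-svc device=ACME-SUPPORT-01 result=success src=192.0.2.90
2018-06-15T22:30:00Z vpn-gw auth user=eve device=TPL-LT-0123 result=failure src=198.51.100.23
2018-06-15T22:30:05Z vpn-gw auth user=eve device=TPL-LT-0123 result=failure src=198.51.100.23
2018-06-15T22:30:09Z vpn-gw auth user=eve device=TPL-LT-0123 result=failure src=198.51.100.23
2018-06-15T22:30:14Z vpn-gw auth user=eve device=TPL-LT-0123 result=failure src=198.51.100.23
2018-06-15T22:30:20Z vpn-gw auth user=eve device=TPL-LT-0123 result=failure src=198.51.100.23
2018-06-15T23:00:00Z vpn-gw tunnel up peer=203.0.113.10
"""

if __name__ == "__main__":
    for f in review_remote_access(SAMPLE_LOG.splitlines(), ACCESS_LIST, COMPANY_DEVICES):
        print(f"{f.user:10s} {f.issue:32s} {f.detail}")
```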
Information Security Risk Management
- In assessing risks, the first step is to define the scope of the effort. In this step, the different assets of Tapal Tea are identified and serve as input to the risk management activity. Asset types may include information, software assets, physical assets, services, people (including third party staff) and their qualifications, skills and experience, and intangibles such as the reputation and image of Tapal Tea.
- Owing to the requirements of Tapal Tea’s business processes, IT management shall select relevant standards, such as ISO 27005, COBIT for Risk, ISACA's ITS Risk Framework etc., to define and assess its IT-related risk management initiatives.
- The GM IS is responsible for ensuring that the risk management processes in the Tapal Tea are coordinated in accordance with the policy.
- The system owners are responsible for ensuring that risk assessments within their area of responsibility are implemented in accordance with the policy.
- Tapal Tea shall institute the following components of risk management for technology and infrastructure security, commensurate with the size, services and complexity of its IT operations:
- Tapal Tea shall annually conduct a risk-based vulnerabilities identification exercise across the entire Tapal Tea covering critical information systems and supporting infrastructure assets.
- On the basis of threats and vulnerabilities, the Tapal Tea shall formulate a list of all risks that may create severe harm and disruption to the operations of Tapal Tea.
- Assets should be identified from observations, inventories and personnel interviews, along with the existing resource ownership. The inventory of information processing assets and the risks pertaining to those assets should be periodically assessed, reviewed and updated.
- Information assets must be classified based on their individual level of criticality and importance to Tapal Tea. This is required to identify the boundaries of the information assets to provide information essential for defining the risks associated with them.
- After risk identification, the Tapal Tea shall perform an analysis and quantify the potential impact, consequences of vulnerabilities and associated risks identified in the risk identification exercise on the overall business and operations.
- Tapal Tea shall develop a methodology to assess the impact of the threats to its information security environment and prioritize all material information security risks.
- Tapal Tea shall develop and implement risk mitigation and control strategies that are consistent with the value of the information system assets and the level of risk tolerance.
- Tapal Tea shall give priority to threat and vulnerability pairings with high risk ranking, which can cause significant harm or impact to its operations.
- When deciding the adoption of alternative controls and security measures, the Tapal Tea shall also keep in view costs and effectiveness of the controls with regard to the risks being mitigated.
- All preventive, detective and corrective controls that have been implemented or are planned for IT systems must be analyzed in an efficient and systematic manner, so that the likelihood of a vulnerability being exercised is mitigated or eliminated through technical and non-technical control methods.
- Tapal Tea shall refrain from implementing and running a system where the threats to the safety and soundness of the information systems cannot be adequately controlled.
- The probable adverse impact of an Information Security breach must be analyzed in terms of loss of integrity, availability & confidentiality and magnitude of impact must be defined as either low, medium or high.
- As a risk mitigating measure, Tapal Tea may consider taking insurance cover for various insurable risks, including recovery and restoration costs.
This policy establishes security requirements to reduce the risks of human error, theft, fraud or misuse of the Tapal tea’s information assets and other operational facilities.
This policy applies to all users of information assets including the Tapal tea’s employees, employees of temporary employment agencies, vendors and contractor personnel regardless of geographic location.
This Policy covers all Information Systems environments operated by the Tapal tea. The term “Information Security environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. all computers / systems desktop, network devices, wireless devices), software, and information.
This Policy does not cover matters outside the Tapal Tea Information Security policies. All users are required to read, understand and comply with the Information Security policies. If any user does not fully understand anything in this document, he/she should consult the GM Information Services.
The Information Security function, in consultation with the Manager Human Resources, shall resolve any conflicts arising from this Policy.
Personnel at all levels are required to contribute to maintaining a high level of information security. Security is one of Tapal Tea’s prime objectives; staff members are to be active agents in it, and it is an integral part of everyone’s job profile and objectives.
This document lays out the Tapal tea information security policies relating to the Tapal tea’s employees, employees of temporary employment agencies, vendors and contractor personnel. It includes security in job definitions, user training, and responding to security incidents and malfunctions.
- Background checks shall be performed on all new employees, as per HR policy. The hiring process will also be carried out by HR in accordance with its own policy.
- Background verification checks on all candidates for employment, contractors and third party users shall be carried out. These checks shall be commensurate with relevant laws and regulations and the level of the position under consideration.
- The Human Resources personnel shall communicate policies concerning the handling of secure and confidential information to the new employees.
- Information provided by personnel at the time of recruiting must be subjected to HR verification procedures, including credit and criminal record checks etc.
- All departmental heads are responsible for the performance and conduct of the personnel reporting to them. The departmental heads should monitor the performance and conduct of each of their staff, and assess their impact on the security of the information resources to which the staff have access, e.g. through bi-annual review of Access Control Lists (ACLs) and regular review of system-generated activity logs.
- All candidates’ data, including salary information, medical records and other PII (Personally Identifiable Information), is to be treated as strictly confidential and made available only to properly authorized persons.
Terms and Conditions of employment
- All job roles and responsibilities must be formally documented and signed off. They must include general as well as specific responsibilities for implementing, maintaining or ensuring compliance with Tapal Tea’s Information Security Policies.
- Employees will be provided with access to authorized Sections of the IS Policies Manual and its content during their induction to employment with Tapal tea.
- In case of any doubt or need of any clarification employees must seek guidance from their immediate line management.
- Line management must ensure that all employees under their control are aware of IS Policies, its importance and requirements.
- A signed statement must be taken from all employees at the time of induction, as per the Acceptable Use Policy (AUP), indicating that they have understood the conditions.
- All employees are responsible for protecting Tapal Tea’s information assets from unauthorized access, disclosure, modification, destruction or interference.
- Employees must report any significant breach of IS Policy to line management and the Human Resource Department / Information Security.
- Management shall ensure that employees continue to have the appropriate skills and qualifications to adequately perform their jobs.
- Management shall ensure that staff members have the expertise necessary to perform their jobs and achieve institutional goals and objectives.
- Management shall ensure that employees are encouraged to obtain professional training in order to support the business/technology objectives.
- The communication of termination responsibilities should include ongoing security requirements and legal responsibilities and, where appropriate, responsibilities contained within any confidentiality or non-disclosure agreement, and the terms and conditions of employment continuing for a defined period after the end of the employee's, contractor's or third party user's employment.
- In cases where an employee, contractor or third party user has knowledge that is important to ongoing operations, that information should be documented and transferred to the company.
- Hiring and training processes are governed by appropriate policies and procedures.
Management Responsibilities
Non-disclosure Agreements
- Confidentiality or non-disclosure agreements should address Tapal Tea’s requirement to protect confidential information using legally enforceable terms, and comply with all applicable laws and regulations issued by regulatory institutions.
- Users are required not to disclose Tapal tea’s information. For this reason, all users of the Tapal tea Information Assets will be required to accept non-disclosure obligations.
- All users will be required to re-affirm their non-disclosure obligations by signing the code of conduct, which contains a section on Non-disclosure affirmation.
- If any changes occur in the requirements of confidentiality and non-disclosure, these should be incorporated in IS policies.
Third Party Staff
- Third party users who are given access to sensitive information shall abide by the confidentiality and/or non-disclosure agreement.
- Background verification applied to contractors and third parties shall be of the same type and scope as that applied to Tapal Tea staff, where applicable.
- The requirement for third parties and their staff to comply with relevant aspects of IS Policy must be documented in the contract and must be applied to the work.
- Where contractors are provided through an agency, the contract between Tapal tea and agency must clearly specify the agency’s responsibility to follow Tapal tea standards for background verification checks. Management must ensure that all obligations to comply with relevant aspects of IS Policy are transferred and communicated appropriately.
- Impact of the non-availability of access to the third party, when required, should be assessed to avoid undesirable consequences.
Information Security awareness, education, and training
- Each employee must be provided with information security awareness training. Training shall be a continuous process and may be carried out annually, on a pre-determined schedule, or upon major technological change, as communicated to all employees from time to time.
- A training needs identification process should be applied. Details of training and certificates (if any) issued during the training must be documented and maintained in each personnel profile.
- Managers in business departments, and personnel with privileged system access or access to sensitive business functions, must receive customized training explaining their vital role in ensuring awareness among all users; system, database and application administrators must receive specific information security training.
- Staff should be trained in the accurate use of information processing facilities (e.g. log-on procedure, passwords, use of software packages etc.) so that any security mechanisms included in them are used properly and securely.
- The security awareness training shall include:
- Information on known threats.
- The employee responsibilities with regard to security and confidentiality of information and information assets.
- Details of whom to contact for information security guidance.
- Details of proper communication channel for reporting information security incidents.
- Correct use of information processing facilities, e.g. log-on procedure and use of licensed software packages, and general security awareness information.
- Information Security awareness training shall be provided to new employees.
Note: A detailed schedule will be rolled out after formal approval of the policy, in coordination with HR-ER (Training).
- The ER department, in coordination with Information Services (including Information Security), will initiate disciplinary action for violation of the Information Security Policies, and will take appropriate action against any user found to be violating the law, according to the severity of the situation.
- The disciplinary process shall not be commenced without prior verification / collection of evidence that a security breach has occurred.
- The formal disciplinary process shall ensure correct and fair treatment for employees who are suspected of committing breaches of security.
- The formal disciplinary process shall provide for a graduated response that takes into consideration factors such as:
- The nature and gravity of the breach and its impact on business;
- Whether or not this is a first or repeated offence;
- Whether or not the staff member concerned was properly trained in acceptable use;
- Relevant legislation;
- Business contracts; and
- In serious cases of misconduct the process shall allow for instant removal of duties, access rights and privileges, and for immediate escorting out of the premises, if necessary.
Termination and Change of Employment
Termination and change of employment responsibilities
- Once termination has taken effect, line management must specifically confirm with all relevant departments (e.g. Security Administrator, Premise security etc.) that all access to information, systems and premises has already been terminated.
- If the responsibilities of an employee, contractor or third party staff member change, line management must notify the Employee Relationship department and the Information Services Department so that logical / physical access rights can be modified.
- The respective HOD / in-charge shall be responsible for transfer and documentation of user knowledge that is important to ongoing operations.
Tapal Tea is committed to protecting its information assets (including people, procedures, data and information, software, hardware, and networking elements). In order to determine the level of protection required, the information assets must be identified and classified.
Information asset classification determines the relative sensitivity and criticality of information assets, which provide the basis for protection efforts, business continuity planning, and access control. It provides a basis to establish proportionality between the level of IS control and the asset value in order to avoid the cost of overprotecting or the risk of under protecting information assets.
This policy defines the criteria for the identification and classification of the Tapal tea’s Information Assets.
This Policy covers all Information Systems environments operated by the Tapal tea. The term “Information Systems environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (Desktop/Laptop/Smart Phones, network devices, wireless devices and printers), software, and information.
This policy document addresses the security requirements for information assets: the information asset inventory, information asset classification, and the handling and labelling of information assets.
- The Tapal Tea (Private) Limited’s (Tapal Tea) IT assets must be recorded in an inventory register (manually) and maintained electronically on ITAM. Each asset must be clearly identified individually and (if appropriate) collectively in combination with other assets to form an identifiable information system. Company shall formulate a policy on information system asset protection in which, criticality of information system assets shall be identified and ascertained in order to develop appropriate plans to protect them.
- All hardware inventory lists must be maintained by Information Services Department and periodically reviewed by Sr. System Manager.
- Tapal Tea shall adequately protect critical information system assets from unauthorized access, misuse or fraudulent modification, insertion, deletion, substitution, suppression or disclosure.
- The physical assets inventory shall be updated for any change to the assets.
- Tapal Tea shall maintain an inventory of all information assets and identify the information owners, who shall be responsible for ensuring the confidentiality, integrity and protection of these assets, applying the classification strategy in accordance with the degree of sensitivity and criticality of the information assets.
- The Information assets inventory will be categorized into two major classes, i.e. IT based assets and Non IT Based assets.
IT Based assets
- Hardware
- Software
- Network equipment
The information asset inventory for the above type of assets will be maintained according to the criteria mentioned below:
Asset identification (Serial Tags) and Asset description
- Asset unique identification number
- Asset location
- Asset owner / designation
- Asset custodian
Asset classification (Please refer Annexure - “B” for complete grid).
Non- IT based assets
- People
- Procedures, Flow charts and diagrams, SOPs, Manuals
- Data and Information
The criteria for classifying non-IT based assets will remain the same. However, the attributes would change according to the nature of the assets as mentioned in “Annexure C”.
- Each information asset must have a nominated owner. The information asset owner has the responsibility of classifying the asset on the basis of the Tapal Tea’s asset classification scheme (Refer Annexure “B”). The owner of information asset must identify / approve the controls implemented to provide appropriate protection to the asset. The owner of the information asset is accountable for the security of the information asset and is responsible for approving who may have access to it and the type of access they are permitted.
- Each information asset must also have a nominated custodian (who may be separate from the “owner” of the information asset). The custodian of the information asset will be responsible for the protection of the asset and or implementing the controls related to the protection of the asset.
- Where required, rules for acceptable use of information assets associated with information processing facilities must be identified, documented, classified as an acceptable use document and implemented by the concerned department.
- Introduction of unauthorized copies of licensed software and hardware (piracy, copyright and patent infringement) to Tapal Tea information resources, and the copying of such material, shall be prohibited. Installation of unlicensed software shall likewise be prevented.
- The storage, processing or transmittal of unauthorized copies of licensed software and hardware (piracy, copyright and patent infringement) by Tapal Tea personnel or associates shall be strictly prohibited.
- Only IS nominated staff shall be allowed to install any kind of software on the user’s system. User shall not be given the authority to install software.
- Introduction of freeware, shareware and other types of software, whether downloaded from the Internet or obtained through any other media, to Tapal Tea information systems shall be subject to a formal evaluation and approval process prior to installation. A list of programs with a known malicious history should be maintained.
- Usage of Tapal Tea information systems to store, process, download or transmit data that can be construed as biased (politically, religiously, racially, ethnically, etc.) or supportive of harassment shall be strictly prohibited.
- Downloading, redistribution and printing of copyrighted articles, documents, or other copyrighted materials to Tapal Tea information systems shall be strictly prohibited.
- Receiving, printing, transmitting, or otherwise disseminating proprietary data, business strategies, secrets of Tapal Tea or other confidential information in violation of Tapal Tea policies or proprietary agreements shall be strictly prohibited.
- Downloading inappropriate material such as executable files, music files, or video files for personal use shall be strictly prohibited.
- Games are not permitted and shall be removed from all systems.
- Introduction of destructive programs (e.g. viruses, self-replicating code) in order to cause intentional damage, interfere with others, gain unauthorized access, or inhibit access to the Tapal Tea environment is prohibited.
Tapal Tea (Private) Limited’s Desktops / Laptops
- Every desktop/laptop or peripheral must have an owner, who is accountable for the machine.
- Usage of additional gadgets, e.g. speakers, TV cards and other devices, with Tapal Tea’s desktops/laptops or any other devices shall not be allowed unless a valid business need is identified, in which case the Head of Department grants approval.
- Desktop / Laptops should always be locked when left unattended.
- Laptops shall be issued on a need basis, subject to management approval. Laptop models will be decided by the IS department in line with corporate procurement policy and requirements.
- If a Tapal Tea employee or contracted person who was issued a laptop/desktop resigns or is terminated, it shall be the responsibility of the Head of Department and HR to ensure the machine is returned to Tapal Tea’s IS department prior to his/her departure from the Company.
- Only software approved by Tapal Tea’s IS department shall be loaded onto company desktops/laptops. Any employee or contracted person requiring additional software should contact the IS service desk / Support for assistance.
- Chatting, playing games, personal subscriptions, social activities and any other non-business activities are not allowed.
- Authorized software and licensed products provided by IS Department must be installed only on the Tapal Tea’s machines.
- Laptop/desktop hard drives should be encrypted to prevent unauthorized access to sensitive data, in case of loss or theft.
Data Backup
- Employees are responsible for taking backups of their critical data residing on their local hard drives / mobile devices.
- Critical data should always be kept on the allocated cloud drives so that it is secured and available in case of contingency.
Maintenance & Troubleshooting
- Employees/third party contractual staff must not attempt to fix PC and other IT equipment problem themselves, but contact IS service desk / Support for assistance.
Personal Machines
- Personal laptops, desktops and other peripheral devices are prohibited from connecting to Tapal Tea’s network unless approved by the GM Information Services.
- Desktops, laptops or any other devices belonging to other companies (e.g. vendors) must not be connected to Tapal Tea’s network without formal approval of the GM Information Services.
- Any Tapal Tea information classified as confidential or sensitive that is stored or used on an ongoing basis on laptops, portable drive or other mobile computing devices must be protected via an approved encryption facility or security as advised by IS Department.
External Devices
- Use of any External devices through any means (e.g. Personal Smart Phones, Card Readers, Bluetooth, USB, and Optical Disks etc.) is strictly prohibited. Special permissions can be granted to users on the basis of their work after formal approval from head of department.
Printers and Scanners
- Users shall make sure to use the right printer for the right job. Not doing so can lead to unnecessary waste in resources such as paper and ink.
- Users shall always follow good printing practices like multiple pages per sheet and both sides printing. Good printing practices can contribute to corporate and environmental savings.
- Classified/sensitive information should be cleared from printer trays immediately, and PIN-code-based printing should be used for highly confidential information where possible.
- Printers should be used for business purposes only.
- Appropriate controls should be applied where a dedicated desktop is used for scanning. Scanned copies must be removed once the task has been completed.
- Where shared drives are used, users should be instructed to retrieve scanned documents immediately after scanning and remove them from the shared drive.
- Printer summary reports for user prints should be reviewed by the Head of Department on a quarterly basis.
- Line management must always keep a list of assets given to their staff and review it at least annually.
- On termination of employees, contractors and third party staff, ER / HR will inform the Administration and IS Departments for the take-over of assets (e.g. equipment, software, official documents, mobile computing devices, manuals etc.). Once all the assets are returned, the HR department is notified, after which the clearance letter is issued to the departing employee. In the case of a contractor, this termination responsibility process may be undertaken by the agency responsible for the contractor.
- If, at the time of leaving Tapal Tea, staff request to purchase the Tapal Tea (Private) Limited equipment in their use, the request shall be processed as per the General Laptop Policy. However, any such equipment containing Tapal Tea (Private) Limited data or other information must have that data removed, and may be released only with the prior approval of the IS Department, which will ensure that data integrity is not compromised.
Information Classification
Classification of Information
- The management shall implement an information classification strategy, and information must be classified in terms of its value, legal requirements, sensitivity and criticality to Tapal Tea (Private) Limited’s business requirements and strategy. The classification of any information stored or processed in an application should be reviewed annually by the Business Heads / owners of that application. The owner shall reclassify the information asset when its value or inherent risk has changed.
- Tapal Tea (Private) Limited shall develop guidelines and definitions for each classification and define an appropriate set of controls and procedures for information protection in accordance with the classification scheme.
- Classification of information must occur during the valuation or business impact assessment phase of the formal risk analysis mandated for application and infrastructure developments. This is the opportunity to classify information that is central to business processing; the standard model for distinguishing the levels of requirement for confidentiality, integrity and vulnerability is embedded in the formal risk analysis.
- The classification of information and systems must dictate what level of security protection needs to be applied to protect that information. This will normally be conducted during the technology selection and vulnerability assessment phases of the formal risk analysis.
- Information assets must be classified in accordance with asset classification scheme (Please refer “Annexure - B”).
- Data contained within an information system (master data, data under process, etc.) and the output from information system assets will also derive its classification label based on the Tapal Tea (Private) Limited’s asset classification scheme (Please refer “Annexure C”).
- The information asset classification scheme will consider:
- Loss of Confidentiality - the property that information is made available or disclosed to unauthorized individuals, entities, or processes.
- Loss of Integrity - the property of safeguarding the accuracy and completeness of assets (information/data).
- Loss of Availability - the property of not being accessible and usable upon demand by an authorized entity.
- The Information Security function shall assist information owners (Business Heads) in the asset classification process to ensure that all Tapal Tea’s information-related assets are appropriately classified. However, the prime responsibility for asset classification shall remain with the designated information asset owner.
- The asset classification scheme must be updated for any change to information systems asset inventory.
- All information assets shall be labelled physically or electronically in accordance with their asset classification scheme as described in Annexure - “B”.
- All kinds of assets must be stored in a safe and secure environment, in accordance with manufacturers’ specifications and requirements.
- Controls over the storage and handling of information should be consistent with the classification label assigned to the information in accordance with the asset classification and access control policy.
- Personnel who are not employees of Tapal Tea, or contractors shall not be able to identify critical business information assets by their labels.
- Distribution lists and lists of authorized recipients should be maintained for information handling, and these lists shall undergo formal review at regular intervals.
Management of removable media
- Media (e.g. backup tapes, microfilms, transparencies, compact discs, portable hard disks, hardcopy documents etc.) must be controlled and physically protected to prevent interruptions to business activities and damage to critical business information assets.
- Removable computer media (for e.g., CD’s, backup tapes, removable/portable hard disks etc.) must be duly managed and controlled and their movement must be appropriately monitored and logged.
- All kinds of media must be stored in a safe and secure environment, in accordance with manufacturers’ specifications and requirements.
- Tapal Tea (Private) Limited shall establish secure processes and procedures for secure and safe disposal and destruction of sensitive information in both paper and electronic media.
- Media containing any type of information (including non-sensitive information that becomes sensitive in aggregate) should be disposed of securely, and the disposal should be logged. All media items should be collected and disposed of together. Adequate controls should be ensured when outsourcing disposal of media. This must cover all media, including hardcopy materials, carbon paper, one-time-use printer or fax ribbons, magnetic tapes, hard drives / SSDs, storage, removable disks or cassettes, etc.
- The previous contents of any re-usable media must be completely erased.
- Transport mechanisms or couriers to be used by Tapal Tea (Private) Limited shall be authorized by management at the appropriate level, and a list of approved couriers should be maintained and agreed with management.
- All employees, including contractors and third parties, must ensure that confidential or sensitive information, or media containing it, is transported using physically secure containers and secure methods of carriage, involving authorized and approved agents (e.g. couriers).
- Confidential or sensitive information that is reproduced in hard copy form, to dispatch or distribute, either internally or externally, must be physically protected.
- Confidential or sensitive information or media that has been encrypted must not be physically transported in the same route and method as the cryptographic keys.
The purpose of this policy is to establish security requirements for access to the information resources of Tapal Tea. Effective implementation of this policy will minimize unauthorized access to Tapal Tea’s proprietary information systems.
This policy applies to all employees of Tapal Tea, and to consultants, contractors and vendors’ employees, who have access to the Company’s IS systems.
This Policy covers all Information Systems environments operated by the Tapal Tea. The term “Information Services environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. all computers / systems desktop, network devices, wireless devices), software, and information.
This policy addresses the business requirements for controls related to user access and user responsibilities in accessing information systems.
Business requirements of Access Control
- Access to Tapal Tea (Private) Limited’s information and system resources must be based on each individual’s role and responsibilities. All such access must be authorized by the Departmental Head /Application Owner or their delegate who is responsible for the system, application or data.
- Access levels should be defined in terms of job roles or standard profiles as far as possible for a particular system/application rather than on an individual basis.
- Access to critical business information assets and activation of user accounts for contractors, consultants, temporary workers, external auditors, internal auditors or vendor personnel must only be in effect when the individual is actively performing service for the Organization. All such access should be allowed following approval process and adopting minimum access requirements including legal and regulatory requirements, as far as possible, to discourage such users from intruding into the Tapal tea’s data or other information.
- There should be a proper segregation between systems (operating system and databases), network and application security administration. No individual should have the ability to set-up both the system and application level access for a specific user. If this cannot be achieved, then an independent and effective review process must be performed regularly.
- All new system/application accounts must require and be assigned a password that is generated randomly and must be changed at first login. New user accounts and passwords must be issued to users in a secure manner.
- Vendors shall not be provided access to the production environment under normal circumstances. Access to the production environment shall only be provided in an emergency or as an approved exception, and with the following controls:
- Audit logs should be made;
- Audit logs should be monitored by relevant stakeholders;
- All activities should be signed off and retained with the consent of Head of Department.
- User accounts must be attributable to a single individual. Generic / shared user accounts should not be used. Where a generic account is unavoidable, a named individual shall be held accountable for its activities.
- All exceptions to the policy, such as usage of a generic account, interactive login required for a service account, services required for business purposes, system limitations, password controls etc., should be submitted to the IT Steering Committee for approval with appropriate business justification. Further, documentation of all exceptions should be maintained for record purposes.
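The access requirements above (role-based access approved by the owner, no generic or shared accounts, segregation between system-level and application-level administration, randomly generated initial passwords changed at first login, vendor production access only by exception) can be checked mechanically during the periodic ACL review the policy calls for. The script below is an added example, not part of this policy or of Tapal Tea's tooling; the access-listing format, account names, systems and role names are all constructed for illustration.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass

# Role names are assumed for this example. "System level" covers OS, database
# and network administration; "application level" covers application admin.
SYSTEM_ROLES = {"sysadmin", "dbadmin", "netadmin"}
APP_ROLES = {"appadmin"}


@dataclass(frozen=True)
class AccessEntry:
    """One row of an access listing export (constructed format)."""
    user_id: str               # unique User ID
    person: str                # individual the ID is attributable to; "" if none
    system: str                # system or application the access is on
    role: str                  # job role / standard profile granted
    approved_by: str           # Departmental Head / Application Owner; "" if none
    initial_pw_changed: bool   # randomly generated initial password replaced at first login?
    is_vendor: bool = False
    environment: str = "production"


def generate_initial_password(length: int = 16) -> str:
    """Random initial password from a CSPRNG; the account must force a change at first login."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def review_access(entries):
    """Return findings as (kind, subject, detail) tuples for the ACL review."""
    findings = []
    people_by_id = defaultdict(set)    # user_id -> set of persons using it
    roles_by_person = defaultdict(set)  # person -> set of roles held anywhere
    for e in entries:
        if not e.person:
            findings.append(("generic_account", e.user_id, e.system))
        if not e.approved_by:
            findings.append(("unapproved_access", e.user_id, e.system))
        if not e.initial_pw_changed:
            findings.append(("initial_password_not_changed", e.user_id, e.system))
        if e.is_vendor and e.environment == "production":
            findings.append(("vendor_production_access", e.user_id, e.system))
        if e.person:
            people_by_id[e.user_id].add(e.person)
            roles_by_person[e.person].add(e.role)
    # A user ID used by more than one person is not attributable to a single individual.
    for user_id, people in people_by_id.items():
        if len(people) > 1:
            findings.append(("shared_user_id", user_id, ", ".join(sorted(people))))
    # Nobody may hold both system-level and application-level administration.
    for person, roles in roles_by_person.items():
        if roles & SYSTEM_ROLES and roles & APP_ROLES:
            findings.append(("segregation_of_duties", person, ", ".join(sorted(roles))))
    return findings


def summarize(findings):
    """Count findings per kind, for the review report."""
    counts = defaultdict(int)
    for kind, _, _ in findings:
        counts[kind] += 1
    return dict(counts)


# Constructed sample listing; every name and system below is fictitious.
SAMPLE_ENTRIES = [
    AccessEntry("akhan", "A. Khan", "erp", "appadmin", "Head ERP", True),
    AccessEntry("akhan", "A. Khan", "erp-db", "dbadmin", "Sr. System Manager", True),
    AccessEntry("bali", "B. Ali", "erp", "user", "Head ERP", True),
    AccessEntry("svc_backup", "", "fileserver", "sysadmin", "Sr. System Manager", True),
    AccessEntry("cnoor", "C. Noor", "crm", "user", "Head CRM", False),
    AccessEntry("vend01", "D. Vendor", "erp", "appadmin", "", True, is_vendor=True),
    AccessEntry("tmp01", "E. Temp", "crm", "user", "Head CRM", True),
    AccessEntry("tmp01", "F. Temp", "crm", "user", "Head CRM", True),
]

if __name__ == "__main__":
    for kind, subject, detail in review_access(SAMPLE_ENTRIES):
        print(f"{kind:30} {subject:12} {detail}")
    print(summarize(review_access(SAMPLE_ENTRIES)))
```

Each finding kind maps to one bullet of the access control requirements, so the review output can be filed as evidence alongside the exception register.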
Access to network and network services
- Access to the Tapal tea’s networks and network services must be specifically authorized.
- Access to networks and network services (for example, telnet, ftp, etc.) will be controlled on the basis of business and security requirements, and access control rules defined for each network.
These rules at a minimum will take into account the following:
- Security requirements of the Organization’s network or network service(s)
- An identified business requirement for the user to have access to the Organization’s network or network service
- The user’s security classification and the security classification of the network / network service (Asset Classification Policy)
- Legal and/or contractual obligation to restrict or protect access to assets
- Definition of user access profiles and management of user access rights throughout the IS network of the Organization.
- All entry points into Tapal Tea (Private) Limited’s networks must be protected from unauthorized access and require user identification and authentication. Connections to the Tapal tea network from the outside must be strictly controlled to ensure the integrity, confidentiality, and availability of Tapal Tea (Private) Limited’s data. As the number and type of connections allowed to external networks increases, the security exposure and risk increases; therefore, only the connectivity necessary to meet business needs shall be provided.
- Purchase, downloading, or installation of hardware, software, or network data monitoring tools, including sniffers and packet data filters, is prohibited unless the activity is registered with and approved by the Information Security function.
- All network connections to the internet and intranet must be protected from unauthorized access via firewalls (Perimeter and Internal). All connections originating from within the Tapal Tea (Private) Limited network should only be allowed through the firewall.
User registration and deregistration
- All access requests (new or modification) shall be made by the users using centralized access management system / form or via an email.
- Temporary staff or staff filling a temporary role must not be lent an existing user’s ID; a new account should be created, and later suspended, as per the formal procedure.
- All users of information resources must have a unique User ID which shall be approved by the management at appropriate level.
- A formal record of all registered users shall be maintained. This record shall be checked periodically for unused, redundant, or expired user accesses or accounts, or incorrect privileges.
- Access rights shall be immediately removed for users who have left the organization.
- The level of access granted shall be appropriate to the business purpose and shall be consistent with Tapal Tea (Private) Limited’s policy.
- Access rights shall be immediately blocked for users who have changed roles.
- Access requests (new or modification) shall be formally approved by the relevant HOD / Unit Head.
- No user shall be provided access before the full completion of the authorization process.
- All users shall be required to sign statements, as per the acceptable use policy (AUP), indicating that they understand the conditions of access.
- All third party personnel requiring access to Tapal Tea (Private) Limited’s information systems shall follow this policy for registration to access Tapal Tea (Private) Limited’s information assets. An evaluation of the sensitivity and criticality of information based on information classification should be performed before granting access to the information.
- Access by third parties to the Tapal Tea (Private) Limited’s information should not be provided until the suitable controls have been implemented and, where feasible, a contract has been signed defining the terms and conditions for the connection or access and the working arrangement.
- Users will be held responsible for all activities performed with their User IDs. User IDs must not be utilized by anyone but the individuals to whom they have been issued. Users must not allow others to perform any activity with their User IDs.
- Accounts that are inactive for a maximum period of 90 days must be disabled after verification from the Departmental Head and/or HR Department for a valid cause.
- New accounts that have not been logged on within a maximum period of 45 days must be disabled.
- The Human Resources Department and/or the manager must notify the IS Department upon the resignation, termination or transfer of employees/ third party contract personnel. Upon notification of change in employment status, relevant application / system administrators must immediately revoke or modify access privileges, especially in the case of involuntary termination.
- Under no circumstances must terminated employees be allowed to access information assets once terminated. All items belonging to Tapal Tea (Private) Limited must be collected (laptop, computer, smartphone, USB, software, manuals, etc.).
Management of privileged access rights
- The number of unsuccessful, successive log-on attempts must be limited up to a maximum of three (3).
- Staff with privileged accounts must use a separate, non-privileged account for performing normal business functions unless adequate compensating controls are in place to monitor the privileged accounts.
- Privileges shall be granted after formal authorization in the form of a centralized access management mechanism by the GM Information Services.
- System administrators must be assigned an individual privileged account with the access required for their documented administrative tasks. Generic privileged accounts (e.g. administrator, root) must be used only if unavoidable. Under no circumstance must staff user accounts be shared or password information divulged. Staff must be provided with security training on this matter and be advised of the policy when issued with their user account.
- Changes to privileged accounts should be logged for periodic review.
- Generic ID must only be used for specific purposes with ownership of ID formally documented and approved. Where possible, use of generic ID should be restricted to specified workstations or servers.
Management of secret authentication information of users
- Initial passwords must be communicated to the user securely, i.e. the User ID may be sent to the requestor, but the requestor must call the administrator, who, after verifying that the caller is indeed the requestor, shall divulge the password.
- Password must not be communicated or stored in clear text.
- The system should prevent the selection of easy to guess passwords (including the user’s own ID, the organization name, words present in dictionaries and encyclopaedias, etc.); where possible, filters must be applied to prevent users from selecting such passwords.
- A formal sign-off / acknowledgment must be taken from the user regarding secure password usage as stated in the Password Management Policy.
- Employees are advised to follow best password practices stated in the Password Management policy.
Review of user access rights
- Special privileged User IDs (e.g. Administrators, users/groups with special rights) must be reviewed by the Information Security function on a quarterly basis.
- Activity logs of privileged users (including system start-up and stop, I/O device attachment/ detachment, processes) must be maintained and reviewed on a quarterly basis by the Information Security function.
- Bi-annually, IS Department should send Access Control Lists to the respective Business Heads (or delegates) for their review to assess users’ access rights.
- Any amendment in the access rights will be done by the IS Department on Department Head’s formal request.
Removal or adjustment of access rights
- Once notice of termination has been given or upon acceptance of the resignation of staff, line management must notify the Human Resources department to revoke access rights to information systems (e.g. emails, O/S & applications), Tapal Tea (Private) Limited’s premises and accessible assets.
- Line management must take over the High Privilege ID passwords (Domain, administrator and other password driven controls), security keys of fire proof cabinets, confidential files, electronic control devices, controller keys (if any) and pre-defined parameters for combination locks, as per the staff exit procedure, from departing employees, contractors and third party staff.
- Physical access of the departing staff, contractor or third party staff must be immediately removed from the information processing facilities, customer records and other safe-keeping areas, from access to restricted information & circulars, and from all authorized personnel lists. Where applicable, combination locks, custodial passwords or the entire locks should be changed.
- Once termination has taken effect, line management must specifically confirm with all relevant departments (e.g. Security Administrator, Premise security etc.) that all access to information, systems and premises has already been terminated.
- If changes in responsibilities of employee, contract or third party staff arise, line management must notify Human Resource department to modify logical / Physical access rights.
Use of secret authentication information
- Each user of Tapal Tea (Private) Limited computing and information resources must realize the fundamental importance of information resources and recognize their responsibility for the safekeeping of those resources. Users must guard against abuses that disrupt or threaten the viability of all systems.
- Users who can access internal systems shall be required to accept/acknowledge an Acceptable-Use Policy (AUP) document before using a system.
- The following are specific responsibilities of all Tapal Tea (Private) Limited information system users:
- Understand what the consequences of their actions are with regard to computing security practices and act accordingly. Embrace the “Security is everyone’s responsibility” philosophy to assist Tapal Tea (Private) Limited in meeting its business goals.
- Maintain awareness of the contents of the information security policies.
- Read and sign the Tapal Tea (Private) Limited Security Awareness and Acceptable Use Policy.
- Classify confidential and sensitive information based on information classification that is received unclassified. Limit the distribution of this information accordingly and report to the information security function.
- Be responsible for educating any third party/vendor whom they contact for any business engagement (including vendors and business partners).
System and application access control
Information access restriction
- Tapal Tea (Private) Limited management shall ensure that sensitive applications / systems are specifically identified through the risk assessment process based on information classification. Sensitive applications and systems shall be logically and physically segregated where information requirements dictate special handling and protection. Wherever possible and practical, for critical systems or for users/systems where access is only required during business hours, active sessions shall be limited to a specified timeframe.
- Display a general notice warning / banner that the computer shall only be accessed by authorized users.
- Access to operating/application systems should use secure log-on mechanisms; the system/application must not provide any help to the user during the log-on process that could aid an unauthorized user.
- On unsuccessful log-on, the system must not reveal which part of the log-on data is invalid.
- On successful log-on, the following details should be displayed:
- Date and time of the previous successful log-on
- Details of any unsuccessful log-on attempts since the last successful log-on.
- The number of unsuccessful, successive log-on attempts must be limited up to a maximum of three (3).
- Passwords must not be transmitted in clear text over a network.
Password management system
- At a minimum, all system access will be authenticated by passwords.
- Each staff must have a unique User ID (name based/personnel ID) in the context of a specific system/application.
- User IDs and passwords must be allocated to an individual and must not be shared. However, there is an exception in the case of the ERP or Core Business Application, where the number of users in each department is greater than the number of user IDs created; for cost saving purposes, business owners have shared user IDs between users who have almost the same functions and work shifts on the same job. Any entry that bears a financial impact can be traced with the help of a report which identifies the machine name and IP. In this way the risk has been minimized.
- Newly issued passwords must expire on first log-on, forcing the user to change the initial password, where applicable.
- Security Administrator must ensure that newly issued passwords must be unique and random.
- Passwords must never be displayed on the screen in a readable form when being entered.
- For verification purpose while changing the password, user must be prompted to re-enter the password.
- User must be forced to change passwords at a maximum every 90 days, where applicable.
- Authentication must be given to individual users, not to groups.
- Security / System Administrator must follow the “Logical Access Management – Account Reactivation Procedure” when dealing with the user request for lock or forgotten passwords.
- Passwords must not be shared even with IS service desk / Support staff or Security / System Administrator or senior management. However, to address specific conditions the password used may immediately be changed with prior permission of line management.
- Passwords must be kept confidential.
- New passwords must differ from the previous password in at least 2 characters, where applicable.
- Password cookies should be disabled.
- Passwords must not be hard coded e.g. in batch files, scripts and others.
- User must be allowed to change their own passwords and there should be a notification for input errors.
Password Standard
- Passwords must be at least 8 alphanumeric characters long and must be case sensitive.
- Password shall contain both upper and lower case characters (e.g., a-z, A-Z).
- Password shall have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./).
- The user must not be permitted to change their password to any of the last 5 passwords they had (if this is not possible, then it should be the maximum supported in the particular environment).
- Password must be changed immediately when compromised by disclosure or possible disclosure.
- The user account should be locked after 5 consecutive unsuccessful log-on attempts; locked accounts will be unlocked automatically after a certain time period.
Password for High Privilege IDs
- Passwords for high privilege IDs must be at least 12 alphanumeric characters long, wherever applicable.
- High Privilege ID owners must not be permitted to change the password to any of the last 5 passwords, wherever applicable.
- Privilege ID passwords should be kept in a sealed envelope, or protected with software envelopes (if applicable), within a fire proof locker under the custody of GM Information Services / Information Security, and may be used under logged control in case the ID holder is unavailable or has forgotten the password.
- If a Security / System Administrator finds that his own ID is locked due to unsuccessful attempts, this should be treated as a security breach and action should be taken as per the pre-defined Incident Management procedure.
Use of privileged utility programs
- Technology management shall ensure that all utility programs, having the capability of overriding system and application controls, are identified and catalogued. Installation of such utilities shall be forbidden, unless explicitly authorized jointly by IS and Information Security, with clear requirements. Access to such utility programs shall be granted only for a specific duration to authorized personnel.
- Where system utilities that override application controls are used, the following should be considered:
- Segregation of system utilities from applications software
- Logging of all use of system utilities
- Defining and documenting of authorization levels for system utilities
- Removal or disabling of all unnecessary software based utilities and system software
- System utilities should not be available to users who have access to applications on systems where segregation of duties is required
Access control to program source code
- Access to program source code and associated items (such as designs, specifications, verification plans and validation plans) shall be strictly controlled, in order to prevent the introduction of unauthorized functionality and to avoid unintentional changes; for program source code, this can be achieved by controlled central storage of such code, preferably in program source libraries held in secure environment.
- Modified source code can be deposited into the library as a new version of the source code. However, overwriting or modification of existing source code in the library is strictly prohibited.
- Implement version controls to ensure that only authorized programs are migrated to quarantine and production environments.
- Archive old versions of source codes with a clear indication of the precise date, time and all necessary information.
- Establish a secured library or quarantine area for programs pending migration to the production environment, accessible by the personnel who perform the migration process.
- Only the designated and authorized source code librarian (and no other person) should have “write” access to the source code library. An audit log should be maintained of all accesses to program source libraries.
The purpose of the cryptography policy is to ensure that encryption keys are securely managed throughout their lifecycle. This includes their creation, storage and the manner in which they are used and destroyed.
This Policy covers all Information Services environments operated by Tapal tea. The term “Information Services environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. all computers / systems desktop, network devices, wireless devices), software, and information.
Although this Policy explicitly covers the responsibilities of users, it does not cover the matter exclusively; the Company’s other Information Security policies also apply. All users are required to read, understand and comply with the Information Security policies.
Encryption is an important method of securing systems and has a significant impact on information security. Therefore a documented policy covering encryption techniques, key agreement and authentication, key generation and key management is required.
Policy on the use of cryptographic controls
- The encryption method or technique must be approved by the GM IS. The use of encryption is for business purposes only. Use of unauthorized encryption techniques is strictly prohibited.
- Tapal tea shall ensure encryption at database level, storage level and during network transmission as per the classification and sensitivity of the data.
- The required level of protection of information using cryptography should be based on:
- A risk assessment of the target information-set;
- Applicability of relevant regulations (if any);
- Country restrictions (if any);
- Laws regarding trans-border flow of encrypted information.
When implementing the company’s cryptographic policy, consideration should be given to the regulations and national restrictions that might apply to the use of cryptographic techniques in different parts of the world and to the issues of trans-border flow of encrypted information.
- Encryption methods and techniques must be considered for the following:
- Use of encryption for protection of information transported by mobile or removable media devices or across communication lines
- Where applicable Company’s provided desktop / laptop / portables must also be secured by approved encryption method
- Email carrying sensitive or confidential data must be encrypted.
- Public facing websites which offer e-commerce or digital / online facilities and have a payment gateway (if any).
- Employees connecting to the corporate network from remote locations
- Cryptographic controls can be used to achieve different information security objectives, e.g.
- Confidentiality: using encryption of information to protect sensitive or critical information, either stored or transmitted;
- Integrity/authenticity: using digital signatures or message authentication codes to verify the authenticity or integrity of stored or transmitted sensitive or critical information;
- Non-repudiation: using cryptographic techniques to provide evidence of the occurrence or non-occurrence of an event or action;
- Authentication: using cryptographic techniques to authenticate users and other system entities requesting access to or transacting with system users, entities and resources.
- Since data encryption is important for protecting data stored or transmitted by the company to prevent damages, employees that purposely violate this policy may be subject to disciplinary action as deemed appropriate by the Management. Any employee aware of any violation of this policy is required to report it to their Line Manager / Information Security.
- The following items should be considered for compliance with the relevant agreements, laws and regulations:
- Restrictions on import and/or export of computer hardware and software for performing cryptographic functions.
- Restrictions on import and/or export of computer hardware and software which is designed to have cryptographic functions added to it.
- Restrictions on the usage of encryption.
- Encrypted by hardware or software to provide confidentiality of content.
- Encryption key lengths or protocols must be approved by GM IS / Steering Committee.
- Key management should be in place to support the use of cryptographic techniques such that:
- All cryptographic keys are protected against modification, loss, and destruction
- Secret and private keys are protected against unauthorized disclosure
- Dealing with compromised keys
- Equipment used to generate, store and archive keys is physically protected.
- An encryption key change is the process of generating a new key, decrypting the current production data and re-encrypting the confidential data with the new key.
- All data encryption keys must be changed regularly or when circumstances dictate a change to maintain encryption or key integrity.
- Adequate controls and requirements must be applied to encryption keys and cryptographic certificates containing encryption keys. Creation of encryption keys must be accomplished using a random or pseudo-random number generation algorithm. Depending on the encryption scheme in question, the following are minimum length requirements for the encryption keys:
- Triple-DES – 128 bits
- AES – 256 bits
- RSA – 2048 bits
Where check values are used, recorded or displayed key-component check values and key check values shall not exceed six hexadecimal characters in length.
- Generating encryption keys must be accomplished by a minimum of two custodians. Each custodian will generate one random clear text piece (key component) that will be used to create the encryption key.
- Cryptographic keys must be distributed using a secure mechanism that is not the same as the channels to be opened (Offline)
- To prevent unauthorized substitution of keys, physical and logical access to the key generating procedures and mechanisms must be secured.
- All digital keys must be stored in encrypted form using an approved encryption protocol and technique
- Only custodians are allowed to retrieve key components from secure storage or distribute keys. Custodians must document all key distribution actions in the prescribed logs. The encryption keys must be placed in secure packaging prior to being returned to storage.
- Any digital keys that are suspected to be compromised must be revoked immediately and affected parties must be informed
- Backups of encryption key components must be stored separately in tamper-evident packaging in a secure location.
- Key change/destruction activities shall be recorded and audit trail shall be maintained.
- In order to reduce the likelihood of compromise, activation, and deactivation dates for keys should be defined so that the keys can only be used for a limited period of time. This period of time should be dependent on the circumstances under which the cryptographic control is being used, and the perceived risk.
- Where cryptographic services are contracted from an external party, the Service Level Agreement Policy will be applicable
- All Internet servers handling Tapal tea business which customers, prospects and others may contact must have a current digital certificate.
- All passwords shall be unreadable during transmission and storage on all system components using strong cryptography.
- Encryption keys must not be revealed to anyone unless the approval of GM IS is obtained.
- The secrecy of any encryption key used for confidentiality purposes must be maintained until all of the protected information is no longer considered confidential
- All key management processes and procedures for cryptographic keys used for encryption of critical data, backups or any other confidential information shall be fully documented and implemented, including the following:
- Generation of strong cryptographic keys.
- Secure cryptographic key distribution.
- Secure cryptographic key storage.
- Cryptographic key changes for keys that have reached the end of their crypto period (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner.
- Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key), or keys are suspected of being compromised.
- If manual clear-text cryptographic key management operations are used, these operations must be managed using split knowledge and dual control (for example, requiring two or three people, each knowing only their own key component, to reconstruct the whole key).
- Prevention of unauthorized substitution of cryptographic keys.
- Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities.
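The dual-control key generation this section describes (a minimum of two custodians, each generating a clear-text component; check values of at most six hexadecimal characters; verification before a key is used) as an added Python illustration that is not part of the policy. Assumptions: components are combined by XOR, which is the usual construction but is not stated here; the check value is a truncated SHA-256 because the policy names no check-value algorithm (a conventional KCV encrypts a zero block with the key); `key_ceremony` and the other function names are illustrative.

```python
import hashlib
import os
from typing import List, Tuple

KEY_BYTES = 32        # AES-256, the minimum AES key length required by this policy
KCV_HEX_CHARS = 6     # check values shall not exceed six hexadecimal characters
MIN_CUSTODIANS = 2    # key generation requires a minimum of two custodians


def check_value(key_material: bytes) -> str:
    """Six-hexadecimal-character check value for a component or an assembled key.
    Assumption: truncated SHA-256; the policy does not name an algorithm."""
    return hashlib.sha256(key_material).hexdigest()[:KCV_HEX_CHARS]


def generate_component() -> bytes:
    """One custodian's clear-text key component, drawn from the OS CSPRNG."""
    return os.urandom(KEY_BYTES)


def combine_components(components: List[bytes]) -> bytes:
    """XOR the components into the working key. No single component reveals the key,
    so each custodian holds only split knowledge."""
    if len(components) < MIN_CUSTODIANS:
        raise ValueError("dual control requires at least two custodians")
    if any(len(c) != KEY_BYTES for c in components):
        raise ValueError("every component must be a full-length key component")
    key = bytes(KEY_BYTES)
    for comp in components:
        key = bytes(a ^ b for a, b in zip(key, comp))
    return key


def key_ceremony(custodians: int = MIN_CUSTODIANS) -> Tuple[List[bytes], List[str], str]:
    """Generation ceremony. Returns the components (one per custodian, for their sealed
    envelopes) and the check values recorded in the key log. The assembled key is not
    returned: it exists only while the components are combined at load time."""
    components = [generate_component() for _ in range(custodians)]
    component_kcvs = [check_value(c) for c in components]
    key_kcv = check_value(combine_components(components))
    return components, component_kcvs, key_kcv


def load_key_under_dual_control(components: List[bytes],
                                recorded_component_kcvs: List[str],
                                recorded_key_kcv: str) -> bytes:
    """Key-loading ceremony: each custodian's component is checked against the value
    recorded at generation (detecting a mis-typed or substituted component), then the
    assembled key is checked before it is released for use."""
    if len(components) != len(recorded_component_kcvs):
        raise ValueError("one recorded check value is required per component")
    for index, (comp, kcv) in enumerate(zip(components, recorded_component_kcvs)):
        if check_value(comp) != kcv:
            raise ValueError(f"component {index} failed its check value")
    key = combine_components(components)
    if check_value(key) != recorded_key_kcv:
        raise ValueError("assembled key failed its check value")
    return key
```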
Physical and Environmental Security
This policy establishes guidelines to prevent unauthorized access and interference to the Company’s premises and information assets. It also suggests guidelines to build security controls to prevent damage from physical security threats and environmental hazards.
This policy applies to all users of information assets including the Company’s employees, employees of temporary employment agencies, vendors and contractor personnel regardless of geographic location.
This policy covers all Information Systems environments operated by the Company. The term “Information System environments” defines the total environment and includes, but is not limited to, all documentation, customer records, Company’s source documents, CDs, DVDs, flash/pen drives, USB etc., physical and logical controls, personnel, hardware (e.g. all computers / systems desktop, network devices, wireless devices), software, and information.
Although this policy explicitly covers the responsibilities of users, it does not cover the matter exclusively; the Company’s other Information Security policies also apply. All users are required to read, understand and comply with the Information Security policies.
Physical and environmental security protects information and information systems facilities from physical and environmental threats. Physical access to information processing areas and their supporting infrastructure (communications, power, and environmental) must be controlled to prevent, detect, and minimize the effects of unintended access to these areas.
This policy document addresses issues related to physical security perimeter, physical entry controls, working conditions, securing offices, data centres, equipment security and general clear desk / clear screen controls.
Physical Security Perimeter
- Tapal Tea (Private) Limited (Tapal tea) shall formulate procedures in line with best international standards for building and maintaining data centre structures and operations.
- The strength and complexity of security perimeter applied to Tapal tea premises must be consistent with value of the information and other assets contained there, based on the results of the risk assessment.
- Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
- Tapal tea Data Centre and processing equipment rooms must have a delegate in charge responsible for maintaining equipment and consumable inventory and ensuring compliance with policy.
- When premises are unoccupied, all lockable doors, windows and openings in the premises must be closed and locked.
- Access to areas used for handling confidential or sensitive information and related processes must be restricted to authorized personnel only and a list of their names should be displayed on the entrance.
- If the Data Centre or any other information processing equipment room facilities are operated by an outsourced services supplier, the contract between Tapal tea and the supplier must at least indicate that:
- All the policy requirements regarding physical security must be complied with.
- Non-Disclosure Agreement between the two parties.
- The responsibility of physical security lies with the suppliers.
- Tapal tea reserves the right to review the physical security status at any time.
- Access to such facilities dedicated to Tapal tea must be authorized by the General Manager IS.
- Management of Tapal tea surveillance CCTV, DVR and related systems should be maintained by the Admin Department.
- All employees, employees of temporary employment agencies, vendors and contractor personnel and other visitors entering the Tapal tea’s premises are required to wear the company supplied identification cards.
- All Tapal tea staff accessing secure area must wear company provided I.D. Cards, and they should be encouraged to challenge unescorted strangers and anyone not wearing visible identification.
- Details of all visitors should be recorded in a visitors log at the entrance and they should be given a visitor’s pass upon depositing a valid Identification Card. At all locations where passes are issued, procedures must be in place to ensure the return of visitor passes. Visitors are, by definition, anyone who needs to enter premises (or other secure areas) to which they are not normally allowed.
- Personnel and visitors must declare their belongings like laptop computer, mobile phone, portable devices etc. before entering restricted premises.
- Physical access to the Tapal tea’s information systems facilities is to be restricted to authorized persons only. Authorization to enter restricted facilities is to be granted only when there is a business or technical reason for the person to enter the premises. Authorization to enter such facilities is to be only issued by the GM IS or his delegate.
- Delegated IT personnel should issue instructions to outsiders (visitors/third party employees/vendor etc.) on the security requirements of the area and safe exit, in case of emergency.
- Appropriate physical barriers/access control devices must be installed to restrict access to the Tapal tea’s data centres and information processing facilities.
- Critical information processing facilities shall be housed in secure areas such as data centres and network equipment rooms with appropriate security barriers and entry controls.
- Data Centres and other information processing equipment rooms must:
- Be physically secured with digital/biometric/swipe-card locks, and have fire-resistant doors and windows fitted with alarms.
- Have appropriate control mechanisms (e.g. burglar alarms, smoke detectors, heat detectors, fire extinguishing mechanisms).
- Be under surveillance by means of CCTV cameras, with the footage recorded and retained as per requirements.
- A list of authorized staff must be displayed at the entrance of the Data Centre and other Information processing equipment rooms. This list must be reviewed bi-annually by the relevant Information Security Management and updated if required. Access to these areas shall be restricted to authorized personnel only and the access rights shall be reviewed and updated regularly.
- Access to data centres and information processing facilities by vendors/third parties/contractual staff etc. should be logged. The logbook should at a minimum record the visitor’s name, the name of the person being visited, the visitor’s company, the purpose of the visit, time of entrance, time of departure, and date. This log should be reviewed by the GM IS and the relevant delegate from time to time, depending upon the frequency of these visits.
- Access to sensitive or critical information processing facilities outside normal working hours must be specifically authorized and logged.
- A valid gate pass should be issued by the administration or designated authority for the removal or shifting of property from Tapal tea premises. The security guard must counter-check the item/property being removed or shifted from the Tapal tea’s premises and must verify that a valid gate pass has been granted for it.
- Any physical access rights must be revoked immediately upon termination/resignation of employees or completion of a consultancy or vendor agreement.
Securing Offices, Rooms and Facilities
- Physical security perimeters in the Tapal tea’s premises containing information processing facilities or Data Centres must not be designed or implemented in a way that compromises personnel health and safety, especially in case of an emergency.
- Data Centre, equipment rooms, and telecommunications closets must be protected from unauthorized or unnecessary access. The construction of data centres, equipment rooms and telecommunication closets must take into account:
- Specifications developed as a response to potential threats to the asset.
- Specifications developed in accordance with the assets classification
- Vendor Specifications.
- Areas housing a Data Centre or information processing equipment rooms must be unobtrusive and give minimal indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities.
- All data centres, server cabinets, equipment rooms and telecommunications closets must be locked when unattended.
- Network devices such as firewalls, routers, core switches etc. must be placed in restricted access zones that provide protection from unauthorized or unnecessary access. These areas should be subject to CCTV surveillance in order to record all movements during the day and off hours.
- All source media for operating system software, applications, backup tapes/devices, documentation and license keys must be clearly labelled and stored in a software library (preferably within a fireproof cabinet) in a restricted access zone with access for authorized personnel only.
- Adequate intrusion detection controls (e.g. burglar alarms, motion detectors) and safety devices (fire alarms, smoke detectors, closed-circuit television etc.) must be placed in all offices, switch rooms and data centres, depending on the nature and criticality of the information assets present.
- Directories and internal telephone books identifying locations of sensitive information processing facilities should be marked as “for internal use only” and not be readily accessible by the public.
- All data centres, equipment rooms, and telecommunications closets must have a documented evacuation plan which should be included in the business continuity and disaster recovery plans.
Protecting Against External and Environmental Threats
- The selection and design of secure areas must minimize the risks of fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster, and security threats from neighbouring premises.
- The Tapal tea shall consider environmental threats that can adversely affect the operation of information processing facilities, particularly when selecting the locations of data centres.
- Data Centre and equipment room environmental conditions must be regularly monitored and evidence of monitoring retained.
- The server rooms shall be equipped with supporting infrastructure (e.g. air conditioning systems, security alarm systems and, where applicable, automatic emergency lighting). They must have a reliable, consistent electrical power supply that is free from surges and interference (e.g. UPS), and a stable water supply, so that equipment is not damaged and fire suppression is not prevented from acting effectively.
- Secure areas must be fitted with suitable and centralized fire suppression and extinguishing system.
- Smoke detectors shall be installed throughout the information processing facility to detect fire incidents in a timely manner. The detectors shall produce an audible alarm when activated.
- Fall-back equipment and backup media must be available at a sufficiently distant location to avoid damage from a disaster affecting the main site.
- Smoke detectors and fire extinguishers shall be tested periodically (at least bi-annually) in line with local fire insurance policy and local regulations.
- No combustible material, e.g. cardboard, foam or paper, may be stored in the Data Centre.
- Smoking, eating and drinking are forbidden in areas housing critical or sensitive network equipment, such as the Data Centre.
- Telecommunications equipment should be connected to the utility provider by at least two diverse routes, so that a failure in one connection path does not remove voice services. Voice services should be adequate to meet local legal requirements for emergency communications. The server rooms shall be equipped with a wired telecommunication landline phone.
- Personnel should only be aware of the existence of, or activities within, a secure area on a need-to-know basis.
- All work must be done under supervision of the respective department management.
- All vacant secured areas must be locked and inspected periodically.
- Management shall ensure that unsupervised working in secure areas is avoided, both for safety reasons and to prevent opportunities for malicious activities.
- Vendor/third-party/contractual staff visits to data centres and other information processing facilities shall be supervised by the Data Centre In-Charge, and their activities shall be monitored and reviewed periodically.
- Photographic, video, audio, mobile recording devices or other recording equipment should not be allowed, unless authorized.
Public Access, Delivery and Loading Areas
- Data centre and secure areas must be isolated from the public access area from where unauthorized persons may enter the Tapal tea’s secure areas.
- All equipment that is taken into or out of the data centre and secure areas must be inspected by local physical security and responsible IT staff, and must be signed off by the GM IS or designated staff.
- Incoming and outgoing shipments should be physically segregated, where possible.
- Incoming material should be registered in accordance with Information System Asset Inventory policy on entry to the site.
- Equipment must be protected from environmental threats and hazards and opportunities for unauthorized access.
- All equipment should have adequate warranty / SLA or insurance based on its value.
- Equipment critical to the operation of IT infrastructure, must not be moved from its location unless authorized.
- General Manager Information Services must ensure that the environment provided for processing equipment rooms and Data Centre is appropriate to protect the continuous availability of processing, including but not limited to power supply, equipment cooling, air conditioning, fire control and suppression and in-room surveillance.
- Equipment should be protected from power failures and electrical anomalies.
- Critical equipment must be supported by uninterruptible power supply (UPS) and backup power generating equipment. Fall-back plans must describe in detail the action to be taken in case of a continued power outage.
- Tapal tea shall take adequate measures to protect equipment from power failures and electrical supply fluctuations.
- Electrical supply must conform to the manufacturer’s specifications for each piece of equipment.
- Emergency power-off switches should be located near emergency exits of data centres and information processing facilities to facilitate rapid power down in case of an emergency. Emergency lighting should be provided in case of main power failure.
- Power and telecommunications lines into information processing facilities must be protected from interception or damage. Network cabling should be protected from unauthorized interception or damage, for example by using armoured conduit / channels, locked rooms or boxes at inspection and termination points; or by avoiding routes through public areas.
- Power cables should be segregated from telephone exchange or communications cables to prevent interference, or be electromagnetically shielded, and should be checked and documented in accordance with the manufacturer’s instructions.
- Clearly identifiable cable and equipment markings should be used to minimize handling errors, such as accidental patching of wrong network cables. A documented patch list should be used to reduce the possibility of errors.
- For sensitive or critical systems further controls to consider include use of alternative routings and/or transmission media providing appropriate security and use of fibre optic cabling.
- Equipment preventive maintenance should be done in accordance with the supplier’s recommended service intervals and specifications.
- The Tapal tea shall formulate a preventive maintenance plan on the basis of the following principles:
- Before organizing the preventive maintenance plan, Tapal tea needs to set the goals that are to be achieved by using the system.
- The asset inventory should be formulated according to the Information System Asset Inventory policy.
- Determine priority assets, keeping in view the sensitivity of the operations they perform. Thereafter, Tapal tea shall determine whether the performance of assets is in line with the operational goals.
- Keeping in view the cost effectiveness, the Tapal tea shall prioritize all IT assets, which shall be included in Preventive Maintenance Plan (PMP).
- The Tapal tea shall create a schedule for preventive maintenance plan for all the prioritized assets. Further, the IT management shall regularly review the results of the PMP.
- The Tapal tea shall focus on the capacity building of all the staff involved in the process of PMP.
- Backup power supply equipment including UPS, backup generators etc. must be subject to regular maintenance and tested according to the maintenance standards as per the manufacturer’s specifications.
- The Data Centre manager shall ensure that only authorized maintenance personnel carry out repairs and equipment servicing.
- Records should be kept for all suspected or actual faults, and all preventive and corrective maintenance.
- Appropriate controls should be implemented when equipment is scheduled for maintenance, taking into account whether this maintenance is performed by personnel on site or external to the Tapal tea; where necessary, sensitive information should be cleared from the equipment. It should also be ensured that maintenance work carried out by 3rd party personnel should be strictly supervised and logged.
- All requirements imposed by insurance / SLA / warranty policies should be complied with.
Security of Equipment off Premises
- IT must keep a formal record of all equipment taken offsite with details of the equipment.
- An approved list must be maintained of all employees, contractors and third party users who are permitted to take equipment off premises.
- Time limits for equipment removal should be set and returns checked for compliance.
- Staff shall take precautions to safeguard the security of Tapal tea owned laptops and other portable equipment and the information held on them.
- Equipment and media taken off the premises should not be left unattended in public places; portable computers should be carried as hand luggage and disguised where possible when travelling.
- Manufacturer’s instructions for protecting equipment should be observed at all times, e.g. protection against exposure to strong electromagnetic fields.
- Adequate insurance cover should be in place to protect valuable equipment off-site.
Unattended User Equipment
- Unattended systems must be set to lockout after fifteen (15) minutes of inactivity and terminate active sessions. The time-out delay should reflect the security risks of the systems / applications.
- Workstations must be locked/secured with a password prior to being left unattended.
Clear Desk and Clear Screen
- The Tapal tea shall promote a clear desk and clear screen standard. This standard should at a minimum include the following:
- Paper and computer media must be stored in suitable locked cabinets and/or other forms of security furniture when not in use, especially outside working hours.
- Sensitive or critical business information should be locked away (ideally in a fire-resistant safe or cabinet) when not required, especially when the office is vacated.
- Laptops must be either locked with a locking cable (if available) or locked away in a drawer or cabinet.
- Computer workstations must be shut down completely at the end of the work day.
- Sensitive or classified information, when printed, should be collected from printers immediately, or a PIN-code-based printing solution should be used (if available).
- Incoming and outgoing postal mail points and unattended facsimile machines should be protected.
The purpose of this policy document is to ensure the correct and secure operation of information processing facilities, to minimize risk due to system failures, and to safeguard the integrity of information processing facilities and software. This policy also provides guidelines to ensure secure IT and network operations and the exchange of information within the Company and externally.
This policy applies to all users of information assets including the Tapal tea employees, employees of temporary employment agencies, vendors and contractor personnel regardless of geographic location.
This Policy covers all Information Services environments operated by the Tapal tea. The term “Information Services environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. all computers / systems desktop, network devices, wireless devices), software, and information.
Although this Policy explicitly covers the responsibilities of users, it is not exhaustive; the Tapal tea’s other Information Security policies also apply. All users are required to read, understand and comply with the Information Security policies, procedures and relevant documentation.
Operations management is an important function that has a significant impact on information security. Therefore a documented policy covering operational procedures, segregation of duties, backup and media handling, monitoring and guidelines on exchange of information, is required.
Operation Procedure and Responsibilities
Documented operating procedures
- Tapal Tea’s Operating Procedures shall enforce all components of the Information Security Policies.
- Operating procedures must exist for all aspects of managing the operational environment.
- The respective In-Charge / Department Head shall be the owner of the operating procedures of their department and shall ensure these procedures are followed in their department.
- Operating procedures must describe the correct execution of activities.
- The IS Department must maintain a technical or operating manual that is easy to use and up to date. The manual shall contain, but is not limited to:
- Enterprise architecture of overall IS application and network setup.
- System setup and installation instructions
- Application & Database setup and installation instructions
- Application of security patches on Operating system/ Application / Database
- Description of equipment being used
- System restart and recovery procedures for use in the event of system failure
- Management of audit-trail and system log information
- Backup of operational / administrative information
- The handling of errors and exception conditions.
- Details of support contacts in the event of unexpected operational or technical difficulties.
- The secure disposal of output from failed processing runs
Security of System Documentation
- Tapal Tea Pvt Limited shall ensure that complete and up-to-date system documentation of its applications is available and is secured against unauthorized access.
- System documentation must be protected from unauthorized access and stored in a secure place.
- Copies of system documentation shall also be stored securely at the Disaster Recovery Site or any other safe location authorized by the company.
- Access to system documentation shall be on a need-to-know basis and authorized by Information Security and the GM Information Services.
- The system or application owner must authorize or approve distribution lists for system documentation relevant to his/her department. System documentation may include sensitive or confidential department information e.g. master data required for testing. This list must be restricted to a minimum number of parties.
- Valid documentation that supports the Tapal tea’s departments, and which is used by programming, operations, and user personnel, must be developed, maintained, and protected. Access to this documentation must be restricted to personnel performing official duties.
- Maintain the type and level of documentation for each project phase including business case, project requests, feasibility studies, project strategy, project plans, testing plans and lesson learned documentation etc.
- Establish system documentation including system concept narratives, data flow charts and database architecture and specifications.
- Establish application technical documentation including application descriptions, programming flowcharts, work flow processes, operations and user instructions.
- Define roles and responsibilities of administrators to ensure that all changes to system, application and configuration documentation are made according to prescribed standards.
- Formulate procedures on system development and all related documentation including development, testing, trainings, production, operational administration and user manuals.
- All changes to the Tapal tea’s information systems environment must be documented, reviewed, authorized and tested (in the testing environment) prior to being made operational in the production environment. The term “changes to the Tapal tea’s information systems” includes, but is not limited to, changes to the following:
- Hardware (Servers / Infrastructure) and their configurations
- Operating systems and operating system configurations
- Application software programs and application software configurations
- Database configurations
- Network and communication device configurations
- At a minimum, the following requirements must be adhered to when significant changes are being made to the production environment:
- Risk and impact analysis of the change request should be performed in relation to existing infrastructure, network, up-stream and downstream systems. Further, risk assessment must be performed to identify potential impacts of the change on business operations and interdependent systems.
- Time frame for the approval process must be established.
- Approval must be documented.
- Documentation supporting the change must at a minimum reflect the:
- proposed change
- management’s approval
- details of the changes to be performed, and
- the eventual outcome
- Responsibilities and accountability for changes must be identified.
- A Change Advisory Board (CAB) must be formed. At a minimum, the following representation should be considered:
- General Manager IS (Head of IS)
- Senior Manager IS Operations
- Senior Systems Manager
- Business Analyst Manager (SAP)
- IS Manager Operations
- Business Systems Manager (Secondary Sales)
- Chief Finance Officer (where applicable)
- Business Head (Relevant Data Owners)
- Representatives from IS Department and affected Business units must be additionally involved in reviewing proposed changes and in the decision making process.
- Principles regarding segregation of duties must be followed (i.e. developers must not be permitted to access production data, modify production systems, or move software to the production environment).
- An appropriate procedure must be in place to verify changes and to ensure that no unauthorized changes have been made.
- A version control system should be used, and every step and change made in the system should be properly documented.
- Roll-back / fall-back and back-out procedures should be identified and documented to revert to a former version of the system or application if a problem is encountered during or after the deployment, where applicable.
- Alternative recovery options should be established to address situations where a change does not allow the Tapal tea to revert to a prior state.
- Where practical, changes to computer environment / operations parameters must be carried out in a test environment before migrating to the production.
- The impending change must be adequately tested and accepted by users prior to the migration of the changed modules to the production system. Test plans for the impending change should be developed and documented appropriately, and test results with user sign-offs must be obtained prior to the migration.
- Emergency change procedures must be established; where emergency changes are carried out, they must be documented and go through post-implementation review and approval.
- The logging facility should be enabled to record activities performed during the migration process, including hardware changes.
- Post-implementation reviews of application and other systems operations must be conducted at a defined frequency to ensure that only authorized changes have been made.
Software Patching
- All service packs, security patches and fixes must be applied as soon as they become available.
- Tapal Tea shall establish procedures to test patches in a segregated environment, and to install them when appropriate. The procedures shall include the identification, categorization, prioritization of security patches and their testing processes.
- All other servers must have critical security patches applied as soon as they become available and have passed the system acceptance testing. All other patches must be applied as appropriate. There must be a full record of when and which patches have been applied.
- Upon need or request of a business user or IS, patches will be incorporated into systems in a systematic way. The patch/enhancement is first implemented in the Dev/QA environment, reviewed in accordance with the change management policy, and then implemented on the production server, with the whole trail documented through a centralized change management mechanism.
Configuration Management
- Procedures or automated tools must be available for detecting configuration changes to a system and for generating alerts as appropriate.
- Management must adopt the latest technical standards and develop baselines to configure each component accordingly.
- Adequate documentation must be maintained of all configurations and settings of operating systems, software, databases and servers.
- A centralized configuration database must be maintained for the Production and DR sites, consisting of software, hardware and network configuration information.
- Hardware, operating systems, software, applications, databases and servers must be securely configured, with all unnecessary services and programs disabled or removed.
- All configuration changes by Application / System / Database Administrators must be verified against current standards and for appropriate levels of approval.
- An audit log recording the change history of components must be maintained by management for ready reference.
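The configuration management requirements above call for tools that detect configuration changes against an approved baseline and raise alerts. The following is an added illustration, not code from the policy document or any Tapal tea tool: it hashes a set of configuration files into a baseline, compares a later snapshot against it, and reports every modified, added or removed file, marking as approved only those paths that appear on a change-management list. All file paths and contents are constructed sample data.

```python
"""Configuration drift detection against an approved baseline (added example).

A baseline maps each configuration path to the SHA-256 of its content. A later
check reports files that were modified, added or removed; paths that went through
change management are supplied as an approved-change list so that only
unapproved drift is alerted on. All paths and contents below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Map each configuration path to the SHA-256 hex digest of its content."""
    return {path: sha256_hex(content) for path, content in files.items()}


@dataclass(frozen=True)
class Alert:
    path: str
    kind: str        # "modified", "added" or "removed"
    approved: bool   # True when the path is on the approved-change list


def detect_drift(baseline: dict[str, str], current: dict[str, bytes],
                 approved_changes: frozenset[str] = frozenset()) -> list[Alert]:
    """Compare the current file contents with the stored baseline."""
    observed = build_baseline(current)
    alerts: list[Alert] = []
    for path in sorted(set(baseline) | set(observed)):
        if path not in observed:
            kind = "removed"
        elif path not in baseline:
            kind = "added"
        elif baseline[path] != observed[path]:
            kind = "modified"
        else:
            continue                      # unchanged: nothing to report
        alerts.append(Alert(path, kind, path in approved_changes))
    return alerts


def unapproved(alerts: list[Alert]) -> list[Alert]:
    """Drift that has no matching approved change request."""
    return [a for a in alerts if not a.approved]


# Constructed sample data: the baseline captured after the last approved change ...
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sysctl.d/99-hardening.conf": b"net.ipv4.ip_forward = 0\n",
    "/etc/ntp.conf": b"server ntp.example.internal iburst\n",
}
# ... and the state found at the next scheduled check. /etc/ntp.conf is gone
# without a change request; the sshd change is unapproved; the cron job is approved.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sysctl.d/99-hardening.conf": b"net.ipv4.ip_forward = 0\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
}
APPROVED = frozenset({"/etc/cron.d/backup"})


def run_check() -> list[Alert]:
    """Run one drift check and emit a JSON alert line per unapproved change."""
    baseline = build_baseline(BASELINE_FILES)
    alerts = detect_drift(baseline, CURRENT_FILES, APPROVED)
    for a in unapproved(alerts):
        print(json.dumps({"severity": "high", "path": a.path, "change": a.kind}))
    return alerts


if __name__ == "__main__":
    run_check()
```

In a deployment the baseline dictionary would be persisted (for example as JSON) in the centralized configuration database and the approved-change list would be exported from the change management records, so that every alert can be traced either to an approved change request or to drift that needs investigation.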
- The Sr. Manager IS Operations / Sr. Systems Manager / GM IS with the help of team shall be responsible for identifying new and ongoing activity and their capacity requirements regarding their relevant area.
- The Sr. Manager IS Operations / Sr. Systems Manager / GM IS with the help of team shall ensure that system tuning and monitoring is applied, ensuring the availability and efficiency of systems.
- The Sr. Manager IS Operations / Sr. Systems Manager / GM IS with the help of team in collaboration with respective technical lead shall project future capacity requirements taking into account new business and system requirements and current and projected trends in the Tapal Tea (Private) Limited’s information processing capabilities.
- The Tapal Tea (Private) Limited shall initiate capacity planning to address internal factors (growth, mergers, acquisitions, new product lines and the implementation of new technologies) and external factors (shift in customer preferences, competitor capability or regulatory or market requirements).
- Procedures should be in place to monitor the future capacity requirements of the information systems and key personnel.
- Capacity planning shall be closely integrated with the budgeting and strategic planning processes. It shall also address personnel issues including staff size, appropriate training and staff succession plans.
- Capacity management requirements must be documented on a standard format and agreed with Business Head, Information Security Function & Information Services Department for all new developments before they go live in the production environment.
- Capacity requirements must be outlined in anticipation of the demand of these resources before servers (application, database, file, web etc.) and network infrastructure are placed into the production environment. At a minimum, the following should be determined when planning capacity requirements:
- Storage requirements
- Peak and off-peak usage requirements
- Procurement of resources for long lead time
- Scalability of the resource in meeting unexpected demands
- Capacity utilization monitoring, and
- Trend documentation and analysis
- The Tapal Tea (Private) Limited shall monitor technology resources for capacity planning including platform processing speed, core storage for each platform's central processing unit, data storage, and voice/data communication bandwidth.
- Information systems, which require high availability, must use a suitable combination of robust hardware and software components and duplicate components in order to achieve the desired level of resilience. Hardware and software components used in high availability systems must have been tested for robust and controlled operation and approved for use in such resilient systems.
- During the formal risk analysis process when the system is being developed or changed, the Departmental Head in collaboration with GM Information Services must determine the need for, and extent of, resilient facilities and features.
- Develop training programs for major new technologies before their deployment.
- Carry out performance / stress testing of newly developed critical systems to ensure effective and smooth operation before deploying the same in production environment.
Separation of development, testing and operational environments
- Development and test environments must be completely segregated from production environments.
- Any changes to the operational system shall only be allowed after successful User Acceptance Testing (UAT) and final approval by Business Owner and GM Information Services.
- Tapal Tea shall put in place an appropriate procedure to verify changes and to ensure that no unauthorized changes have been made.
- Compilers, editors and other development tools or system utilities shall not be installed on operational/production systems.
- Development, test and production environments must be logically as well as physically separated and a formal documented process must be in place to manage the migration of application code, changes or additions in system from one environment to another.
- The test environment should emulate the production system environment, in configuration, as closely as possible.
- Client’s information and the integrity of its software applications must be protected from malicious software (malware). Clear responsibilities should be defined and appropriate controls along with user training and awareness program must be put in place to ensure protection.
Controls against Malicious Code
- Anti-malware software must be installed and maintained on all workstations and servers and provided on appropriate points on the network. The software must be from an established vendor with consistent results in recognizing and removing malware. All updates must be installed as soon as they are available, after appropriate testing.
- Periodic review of all business critical systems must be conducted to identify all software running on the systems. Any unauthorized files or software must be formally investigated and if appropriate be deleted and reported to respective Head of Department.
- To protect systems from malware, users must not:
- Install software from any external source including the internet, CD / DVD-ROMs, USB memory sticks etc. on their workstation.
- Add their personal screensavers, desktop images, photos or utilities to the workstation / terminals.
- All workstation software must be approved and installed by Information Services in accordance with the IS Policy.
- Software must be controlled to ensure compliance with licensing requirements
- Malware can be introduced through hoax emails, and users must be vigilant to guard against this. Users must not forward emails that claim to be warnings; these are often chain emails. Users must report such emails to the Information Services service desk.
- All files received should be checked for malware at the point of entry onto the network.
- Suitable training on reporting such incidents shall be provided.
- Backup frequency must be determined in line with the classification of information. It must specify the type of backup required (full, partial, incremental, differential, and real-time) and the requirements of the Business Continuity and Disaster Recovery Plan for each application.
- Backup copies must be retained in accordance with legal, regulatory and Tapal Tea (Private) Limited requirements.
- Each application must have a documented backup strategy. E.g. making both on-site and off-site backups and its transfer to off-site location. Backup storage at off-site must be kept in physical secured locations i.e. protected from fire, water, dust etc.
- The details of the planned backup schedule for each business application must include the retention period for backup or archived information and the retention period must be consistent with legal, regulatory and company’s requirements.
- All copies of executable code must be considered as sensitive information and must be backed up to off- site storage.
- All media contained backup information must be maintained with the information content, backup cycle, backup serial identifier, backup date and classification of the information content.
- System programs and configuration information must be included in backups as well as data.
- Confidential information on backup media must be encrypted, or the backup media must otherwise be physically secured to prevent interception.
- All backup drives/tapes that are to be stored at the off-site location must be transferred as per schedule on a daily basis.
- All long-term backup media must be refreshed within the expected working life of the media; backed up information must be transferred to new copies of the relevant media or alternative, long lifetime media.
- System and application software backup shall be performed before system upgrades and/or maintenance.
- Tapal Tea (Private) Limited shall create backups of all operating system and device configurations on a regular basis.
Backup of Licensed Software
- Backup copies of purchased software must be in accordance with the vendor’s licensing agreement. Unauthorized copying of purchased commercial software is considered software piracy and is a violation of copyright law and Tapal Tea (Private) Limited policy.
- Backup copies of purchased commercial software must not be used on any computer outside of those in the original license, with the exception of contingency testing / disaster recovery.
Backup Rotation
- Rotation logs must be kept to indicate the date and time the backup was sent offsite, the expected onsite return date and the name of the person transporting the backup. Only approved and authorized personnel shall be used, and notification and receipt of the backup must be provided, especially if the service is performed by a third party.
Recovery Testing
- All backup processes, procedures and integrity of information backed up will go through recovery testing procedures. A log of recovery tests / drills will be kept with the backup procedures/configuration.
- Restoration procedures must be documented and formally tested to ensure that they are completed within the time allotted as per the operational procedures for recovery.
- Backup recovery testing should be done to the restoration machine rather than the machine that created the backup (to ensure there is no specific fault with the disk write system on the machine being backed-up).
- Recovery testing must not compromise the access control rules on the primary information. This process may need to be automated or otherwise involve the staff or representatives of the Departmental Head.
Documentation
- Complete and updated copies of all technical and operational manuals, IT policies, IS policies, and Business Continuity and Disaster Recovery plans must be stored at the DR site in a secured location. These copies must reflect the current environment and so must be updated accordingly.
Audit Logging
- Error logging should be enabled on critical business systems.
- User activity logs must be monitored regularly by the Information Security function.
- User password change must be recorded in the logs.
- All information systems (including protection system) must be developed in a manner to provide security logs.
- The frequency of security log review depends on the risk assessment of the information systems and relevant legal requirements.
- Security logs of all critical information systems must be stored at an off-site location regularly.
- Audit logs should be archived as per business, regulatory and contract requirements.
- Off-line storage logs must be retained for a period consistent with relevant local legal and regulatory requirements and business/operational needs. At regular intervals, these security logs must be monitored.
Fault Logging
- Tapal Tea (Private) Limited may establish a user service desk to ensure that users can perform their job functions in an efficient and effective manner. The Service Desk may record and track incoming problem reports, whether handled by live operators or automated systems. Further, Tapal Tea (Private) Limited may also define Key Performance Indicators (KPIs) for the resolution of different problems / issues.
- Users must report to the IT service desk / Support all incidents in which a system is unable to function as required.
- Information Security in collaboration with Information Services should review the log of all faults reported by users to ensure that the faults have been satisfactorily resolved.
- Corrective measures should be reviewed to ensure that security controls have not been compromised and the action taken is fully authorized.
Protection of log information
- Controls should aim to protect against unauthorized changes to log information and operational problems with the logging facility including:
- Alterations to the message types that are recorded;
- Storage capacity of the log file media being modified, resulting in either the failure to record events or over-writing of past recorded events.
- All security activities and events recorded in a security log must have date, time stamps and terminal identity on them at the time of log-in and log-off.
- Information systems must log evidence of unauthorized or unusual use, including at a minimum the following:
- Unsuccessful login
- Attempt to login outside of working hours
- Failed attempt to access controlled files, directories or other resources
- DB Tables Accessed/ Altered/ Dropped/ Created
- Changes to system configuration
- Use of privileges
- Use of system utilities and application
- System-driven approvals (e.g. approval of gate passes)
- Deactivation of audit logging / trail.
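A minimal log-review routine over constructed sample entries, added here to illustrate the minimum event list above; it is example code, not Tapal Tea's own tooling. The key=value record format, the event names and the working hours (09:00 to 18:00, Monday to Friday) are assumptions.

```python
"""Review security-log entries against the policy's minimum event list.
Added illustration, not Tapal Tea code. Assumptions: 'key=value' records,
the event names below, and working hours of 09:00-18:00 Monday to Friday."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List

WORK_START, WORK_END = time(9, 0), time(18, 0)   # assumed working hours
WORKDAYS = {0, 1, 2, 3, 4}                        # Monday..Friday
DDL_VERBS = {"ALTER", "DROP", "CREATE"}           # table changes the policy names
# Every entry must carry a timestamp and the terminal identity (policy requirement).
REQUIRED_FIELDS = ("ts", "user", "terminal", "event", "outcome")

# Constructed sample log for one day (2024-03-04 is a Monday); not real data.
LOG_SAMPLE = """\
ts=2024-03-04T08:12:00 user=jdoe terminal=WS-017 event=login outcome=fail
ts=2024-03-04T08:13:05 user=jdoe terminal=WS-017 event=login outcome=fail
ts=2024-03-04T09:10:00 user=jdoe terminal=WS-017 event=login outcome=ok
ts=2024-03-04T11:40:00 user=jdoe terminal=WS-017 event=file_access outcome=fail target=/finance/payroll.xlsx
ts=2024-03-04T14:05:00 user=dba1 terminal=DBSRV-01 event=db_stmt outcome=ok stmt=DROP target=PAYROLL
ts=2024-03-04T14:06:00 user=dba1 terminal=DBSRV-01 event=db_stmt outcome=ok stmt=SELECT target=PAYROLL
ts=2024-03-04T16:00:00 user=admin2 terminal=NET-RTR1 event=config_change outcome=ok target=acl-inbound
ts=2024-03-04T16:01:00 user=admin2 terminal=NET-RTR1 event=privilege_use outcome=ok target=enable
ts=2024-03-04T22:30:00 user=admin2 terminal=NET-RTR1 event=login outcome=ok
ts=2024-03-04T22:31:00 user=admin2 terminal=NET-RTR1 event=audit_logging outcome=disabled
ts=2024-03-05T02:00:00 user=svc_backup terminal=BKP-01 event=util_run outcome=ok target=tar
"""


@dataclass
class Finding:
    category: str
    user: str
    terminal: str
    detail: str


def parse_entry(line: str) -> Dict[str, str]:
    """Parse one 'key=value ...' record; reject entries missing mandatory fields."""
    rec = dict(token.partition("=")[::2] for token in line.split())
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        raise ValueError(f"entry missing {missing}: {line!r}")
    return rec


def outside_working_hours(ts: datetime) -> bool:
    """True on weekends and at times outside WORK_START..WORK_END."""
    return ts.weekday() not in WORKDAYS or not (WORK_START <= ts.time() < WORK_END)


def review(lines: List[str]) -> List[Finding]:
    """Apply the policy's minimum checks to each entry and return the findings."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        r = parse_entry(line)
        ts = datetime.fromisoformat(r["ts"])
        who, term, ev, out = r["user"], r["terminal"], r["event"], r["outcome"]
        target = r.get("target", "?")
        if ev == "login" and out == "fail":
            findings.append(Finding("unsuccessful_login", who, term, r["ts"]))
        if ev == "login" and outside_working_hours(ts):
            findings.append(Finding("login_outside_hours", who, term, r["ts"]))
        if ev == "file_access" and out == "fail":
            findings.append(Finding("failed_resource_access", who, term, target))
        if ev == "db_stmt" and r.get("stmt") in DDL_VERBS:
            findings.append(Finding("db_table_ddl", who, term, f"{r['stmt']} {target}"))
        if ev == "config_change":
            findings.append(Finding("config_change", who, term, target))
        if ev == "privilege_use":
            findings.append(Finding("privilege_use", who, term, target))
        if ev == "util_run":
            findings.append(Finding("system_utility_use", who, term, target))
        if ev == "audit_logging" and out == "disabled":
            # Administrators must not deactivate logging of their own activity.
            findings.append(Finding("audit_logging_disabled", who, term, r["ts"]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category for the reviewer's report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = review(LOG_SAMPLE.splitlines())
    for f in results:
        print(f"{f.category:24} {f.user:10} {f.terminal:10} {f.detail}")
    print(summarize(results))
```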
Administrator and operator logs
- System / Database Administrators must not be allowed to erase or de-activate logs of their own activities. These files should be marked as read-only.
- Adequate logging and monitoring of system and user activities shall be in place to detect irregularities, and logs shall be protected from manipulation.
- Security logs must be reviewed regularly by a reviewer independent of those who perform the activity, such as users, administrators, developers and support functions.
- A procedure should be in place to check the information-processing system's clock against Local Standard Time, if applicable.
- Privilege to set or re-set system time should be restricted.
- Processes must be in place to ensure the accuracy of clocks used to put timestamps on security log entries.
- Any variation in time shall be reported to GM of Information Services and Information Security Officer.
Control of Operational software
Installation of software on operational systems
- Procedures should be implemented to control the installation of software on operational systems.
- The updating of operational software, applications and program libraries should only be performed by trained administrators upon appropriate management authorization.
- Vendor-supplied software used in operational systems should be maintained at a level supported by the supplier. Over time, software vendors will cease to support older versions of software. Tapal Tea should consider the risks of relying on unsupported software.
Technical Vulnerability Management
Management of technical vulnerabilities
- Tapal Tea (Private) Limited should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking, and any coordination responsibilities required.
- All critical information systems assets vulnerabilities must be properly identified, classified and remediated according to the applicable regulations and Tapal Tea (Private) Limited’s policies.
- Tapal Tea (Private) Limited shall perform vulnerability assessments to identify and assess security vulnerabilities in its systems and processes. Tapal Tea shall also perform a subsequent validation test to confirm that the gaps identified during the vulnerability assessment (VA) have been properly remediated.
- Information Security must ensure that publicly accessible systems are tested for vulnerabilities prior to being made available.
- A timeline should be defined to react to notifications of potentially relevant technical vulnerabilities.
- Information Technology / Information Security must ensure that technical vulnerabilities, including vendor supplied patches, are classified using the rating system defined below. Operational groups are required to remediate technical vulnerabilities or install patches using the following schedules:
- Critical: Threats that are actively impacting the environment. Must be implemented without delay using emergency change control procedures.
- Important: No existing negative impacts on operating results. Must be implemented upon first available normal operational opportunities, typically within 7 days using normal change control procedures.
- Operational: Enhancement patches that improve operations, but are not required for fixing inaccurate data or process results. Must be implemented upon the next operational patch promotion schedule, typically within 30 days using normal change control procedures.
- GM IS must ensure that vulnerability remediation efforts, including patch implementations, are coordinated and processed according to the change management policy, and Software Patching. This includes meeting all testing and documentation requirements.
- Information Security must perform internal and external network vulnerability scans on an annual basis and after any significant change in the network.
- Tapal Tea (Private) Limited shall carry out annual penetration tests to identify vulnerabilities that may affect its systems, networks, people or processes. Penetration tests on internal systems shall also be conducted at the time of major updates and deployment of the software/system. These penetration tests must include network-layer penetration analysis and application-layer penetration analysis (including associated databases).
- Management shall ensure that all information systems are configured in a secure manner that can effectively block attacks and reduce the threat of exploitation. Measures may include removing or uninstalling software or vulnerable services that are not needed on a system, which eliminates the vulnerability and its associated threats.
Restrictions on software installation
- Management should define and enforce a strict policy on the installation of restricted software. A list of restricted software should be developed and maintained.
- If there is a business need, such software should only be installed after formal approval by Information Security / the IS Department.
Information System Audit Considerations
Information systems audit controls
- Tapal Tea shall plan, manage and monitor rapidly changing technologies to enable it to deliver and support new products, services and delivery channels. These changes and the increasing reliance on technology make IT audit coverage essential to an effective overall audit program.
- An annual audit plan should be considered detailing IT audit's budgeting and planning processes including audit goals, schedules, staffing needs and reporting requirements.
- Audit scope, requirements and activities involving checks on operational systems shall be carefully planned and agreed to minimize the risk of disruptions to business processes.
- Appropriate measures should be taken when granting system access to the auditors such as restricting the access to read-only.
The purpose of this policy document is to ensure the right and secure operation of information processing facilities; to minimize risk due to system failures and to safeguard the integrity of information processing facilities and software. This policy also suggests guidelines to ensure secure IT and network operations and exchange of information within the Company and externally.
This policy applies to all users of information assets including the Company employees, employees of temporary employment agencies, vendors and contractor personnel regardless of geographic location.
This Policy covers all Information System environments operated by the company. The term “Information Services environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. all computers / systems desktop, network devices, wireless devices), software, and information.
Although this Policy explicitly covers the responsibilities of users, it does not cover the matter exhaustively and must be read together with Tapal Tea's other Information Security policies. All users are required to read, understand and comply with the Information Security policies, procedures and relevant documentation.
Communications security is an important function that has a significant impact on information security. Therefore, a documented policy is required covering network security management and information transfer.
Network Security Management
- The Network Administrator and Information Security shall oversee the network service to ensure that the required security controls are in place, and the defined service levels are met.
- An inventory of all equipment connected to Tapal Tea wired and wireless networks shall be maintained.
- Direct connections to the Tapal Tea internal network from an external entity are not allowed. All external connections must terminate in the demilitarized zone (DMZ).
- All remote access communications shall be logged and monitored, and more stringent security controls (e.g. data encryption and two-factor authentication) shall be applied. A Virtual Private Networking (VPN) device or equivalent must be used when Company PCs connect remotely to the internal Tapal Tea network. Authentication mechanisms for such devices must use strong two-factor authentication.
- Firewalls (External and Internal), Routers and Switches must be configured to prevent the disclosure of the configuration of the internal network to external entities or internal unauthorized users.
- Data Centre environment including Servers/Databases/Operating Systems/Network Devices/ Storage and client terminals should be updated with the latest security patches released.
- File/printer sharing should be done carefully to minimize the risk of sharing of confidential information. Where possible, implement password controls over file sharing.
- File/peer to peer sharing software and websites should be blocked.
- Ports not being used by any services/applications should be blocked.
- Unnecessary network/operating system services should be disabled.
- Physical/Logical access to networking hardware and software must be limited to authorized personnel.
- The use of network diagnostic and security tools must be assigned to specifically designated staff, which should be in accordance with their approved job responsibilities.
- Unattended network connection ports (i.e. in conference rooms, empty offices, etc.) must be enabled only when needed.
Security of Network Services
- The security features, service levels and management requirements for the network service provider shall be determined by the GM Information Services in consultation with the Network Manager and the Information Security function.
- The GM Information Services shall provide the final sign-off for security features, service levels and management requirements for the network service provider.
- Tapal Tea’s information systems network shall be divided into logical segments based on the access requirements.
- The criteria for division of networks shall also consider the relative cost and performance impact of incorporating suitable technology.
- Segregation of networks should be based on the value and classification of information stored or processed in the network, levels of trust, or lines of business, in order to reduce the total impact of a service disruption.
- The internal network shall be segregated from the external network, with different perimeter security controls on each of the networks.
- The connectivity between internal and external networks shall be controlled.
Firewall/Routers/Network Switches
- Any services that are not required shall be blocked, preferably at the firewall level.
- No local user accounts should be configured on the firewall/router/switch.
- IP directed broadcasts should be disabled.
- Strong security algorithms shall be used to protect wireless networks, e.g. WPA2 (AES rather than TKIP).
- The enable password functionality on the firewall/router/switch must be kept in a secure encrypted form.
- Default user IDs and passwords should be changed before devices are used on the Company network.
- Access rules should be added as needs arise or based on security requirements as per the advice of information security function.
- IP redirects and IP source routing should be disabled.
- The router/switch should have MAC level address filtering enabled if the option is available.
- The firewall/router/switch should disable a port or group of ports if new or unregistered MAC addresses appear on a port, if the feature is available.
- The firewall/router/switch should be placed in a location where physical access must be limited to authorized personnel only.
- All external network perimeters must be hardened and configured to protect against unauthorized traffic. All inbound and outbound points must be protected by at least a firewall and, if possible, intrusion detection systems (IDS) or intrusion prevention systems (IPS).
- Network/System Administrator must develop procedures to address intrusion detection and it should be authorized by the Information Security Function & GM Information Services.
- Network-based intrusion detection must at least monitor the following:
- Unauthorized access originating from outside the Company’s network
- Bandwidth & resource utilization.
- Attacks exploiting specific vulnerabilities and exposures
- Denial of service and distributed DOS attacks
- IP packet level attacks, including malformed packets, packet flooding, etc.
- Password sniffing and downloads
- Network Administrator must develop a formal documented process for the inspection of intrusion event logs on a regular basis.
- The Company shall evaluate and implement appropriate controls relative to the complexity of their network. Further, the Company shall deploy an effective mechanism to monitor security policy violations and atypical activities on their network.
- Information Security function, along with the Network Infrastructure team, will monitor the activities over the network for any unusual occurrences, system alerts or failure of system.
- Capacity, uptime and quality of Tapal Tea's networks should be sufficiently monitored in order to ensure reliable operation and availability. Technology resources monitored for capacity planning include, but are not limited to, platform processing speed, core storage for each platform's central processing unit, data storage, and voice/data communication bandwidth.
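A small configuration checker for the device hardening items in this section (no local user accounts, protected enable password, directed broadcasts, IP redirects, source routing and MAC-level port security), added here as an illustration; it is not Tapal Tea's own code. It assumes Cisco IOS-style configuration syntax, and both sample configurations are constructed, one with the weak settings and one brought in line with the policy.

```python
"""Check a device running-config against the hardening items in this section.
Added illustration, not Tapal Tea code. Assumes Cisco IOS-style syntax; because
defaults differ by platform and version, each protection must appear explicitly."""
from typing import Dict, List, Tuple

# Constructed sample: several settings the policy forbids or requires are wrong/missing.
WEAK_CONFIG = """\
hostname core-sw1
enable password Summer2024
username helpdesk password 0 helpdesk123
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 no ip redirects
interface FastEthernet0/1
 switchport mode access
interface FastEthernet0/2
 switchport mode access
 switchport port-security
"""

# Constructed sample with the same interfaces brought in line with the policy.
HARDENED_CONFIG = """\
hostname core-sw1
service password-encryption
enable secret PLACEHOLDER_HASH
no ip source-route
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 no ip directed-broadcast
 no ip redirects
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 no ip redirects
interface FastEthernet0/1
 switchport mode access
 switchport port-security
interface FastEthernet0/2
 switchport mode access
 switchport port-security
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global commands and per-interface command lists."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())   # indented: belongs to interface
            continue
        current = None
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            global_cmds.append(line)
    return global_cmds, interfaces


def check_config(text: str) -> List[str]:
    """Return one finding per policy item the config fails; empty list if compliant."""
    findings: List[str] = []
    global_cmds, interfaces = parse_config(text)
    for cmd in global_cmds:
        if cmd.startswith("username "):          # policy: no local accounts
            findings.append(f"local user account configured: {cmd.split()[1]}")
        if cmd.startswith("enable password "):   # policy: enable password kept encrypted
            findings.append("enable password not stored as a hash; use 'enable secret'")
    if "service password-encryption" not in global_cmds:
        findings.append("service password-encryption not enabled")
    if "no ip source-route" not in global_cmds:
        findings.append("IP source routing not explicitly disabled")
    for name, cmds in interfaces.items():
        if any(c.startswith("ip address ") for c in cmds):     # routed interface
            if "no ip directed-broadcast" not in cmds:
                findings.append(f"{name}: IP directed broadcasts not disabled")
            if "no ip redirects" not in cmds:
                findings.append(f"{name}: IP redirects not disabled")
        if "switchport mode access" in cmds and "switchport port-security" not in cmds:
            findings.append(f"{name}: port-security (MAC address filtering) not enabled")
    return findings


if __name__ == "__main__":
    for cfg_name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = check_config(cfg)
        print(f"== {cfg_name}: {len(results)} finding(s)")
        for f in results:
            print("  -", f)
```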
Information transfer policies and procedure
Exchange of Information and Software
- To prevent loss, modification, destruction, or misuse of information, the Company’s departments must protect and control exchange of critical business information assets and software.
- Responsibilities and liabilities in the event of information security incidents, such as loss of data.
- Ownership and responsibilities for data protection, copyright, software license compliance and similar considerations.
Agreement on information transfer
- At a minimum, the following areas should be considered when establishing formal Information and Software Exchange agreements:
- Exchange of critical business information assets or software with parties outside Tapal Tea (e.g. communication service providers, internet service providers, hardware vendors, software vendors, etc.). The department requiring this exchange should be responsible for the formal agreements.
- Management responsibilities for controlling and notifying transmission, dispatch, and receipt;
- These agreements must include both manual and electronic exchanges.
- These agreements must reflect the sensitivity of the critical business information assets being exchanged and must describe any protection requirements which ensure traceability and non-repudiation.
- These agreements at a minimum should specify management responsibilities, notification requirements, technical standard for recording and reading, packaging and transmission standards, escrow agreements, courier identification, responsibilities and liabilities, data and software ownership, protection responsibilities and measures, and all encryption requirements.
Acceptable Use
- Employees must only use the Company’s email facilities for business messaging (emails); use of personal and/or external email services for business messaging is prohibited, unless it is used for unclassified information with due care.
- When a critical business decision is being made based on an email, employees must confirm the validity of the email content, internal or external, by directly contacting the originator through another means.
- Before sending the email, employees must take care to check for correct email addressing, particularly when the recipient has a common name.
- Before forwarding or replying to an email, employees must consider the confidentiality and sensitivity of all content, especially on an extended chain of emails.
- Subscribing to distribution lists and other forms of e-mail subscription services related to your job function is allowed with formal notification to the IS department.
- Email account must be used by its owner only.
- All employees should enable out of office notification when going on vacation or official trips.
- All employees should have their complete and standardized signature defined (including Full Name, Title, Department, location, Tel, Fax).
- Unnecessary attachments should not be sent via email. Where attachments are necessary, the limit is 15 MB per email.
- Information involved in electronic messaging (such as email, EDI-Electronic Data Interchange, and instant messaging) should be appropriately protected. Security considerations for electronic messaging may include the following:
- Protecting messages from unauthorized access, modification or denial of service.
- Ensuring correct addressing and transportation of the message.
- General reliability and availability of the service.
- Legal considerations, for example requirements for electronic signatures.
- Obtaining approval prior to using external public services such as instant messaging or file sharing.
- Stronger levels of authentication controlling access from publicly accessible networks.
Unacceptable Use
- Employees must not transmit information by email that contains defamatory, abusive or libellous statements, involves any form of racial or sexual abuse, or damages the reputation of Tapal Tea. Tapal Tea reserves the right to monitor or inspect email traffic on its systems without warning.
- Employees must confirm the validity of any email content, internal or external, by direct contact with the originator before any critical business decision is made based on the content.
- Employees must not forward chain emails, other than business correspondence.
- Sending email containing sensitive /critical/confidential information to competitors.
- Using email resources for personal or monetary gain.
Monitoring
- Tapal Tea may monitor the use and content of any email generated, stored or handled on its systems for the purpose of detecting infringements of its Information Security Policy.
- Any employee found misusing the email facility will have to face disciplinary action as deemed appropriate by the management.
Email Disclaimer
- Outgoing email transmissions from Tapal Tea must carry a disclaimer statement, approved in advance by management, stating that:
“The email contains confidential information intended only for the addressee. If you are not the intended recipient of this email then please delete it without copying, distributing or disseminating its contents. All intended recipients (internal or external) agree to Non-Disclosure terms for the contents/attachments of emails being received from Tapal Tea Pvt. Ltd. The user assumes the entire risk as to the accuracy and the use of this email. Tapal Tea Pvt. Ltd uses various methods to block spams & viruses but it shall in no way be liable for any damages, arising out of transmission failures, viruses, external influence, delays & other factors”.
Confidentiality or non-disclosure agreements
- For Non-Disclosure Agreements refer Policy # 7.2.1 Management Responsibilities in Human Resource Security.
- Company employees are expected to use the Internet responsibly and productively. Internet access is limited to job-related activities only and personal use is not permitted. Use of personal internet dongles and Wi-Fi connections is strictly prohibited; only Company-provided dongles/Wi-Fi, or connections approved by the department head, may be used.
- Job-related activities include research, visiting industry websites, reviewing competitor information etc. that may be found via the Internet and fulfil the employee's job responsibilities. Employees may access the Company's internet facility outside of scheduled work hours, for personal development and improvement, provided such use is within professional conduct.
- Employees are discouraged from visiting or downloading high bandwidth consuming websites. IS department is responsible for allotting bandwidth limits to such websites.
- All files received from the internet must be scanned by official anti-virus management system before opening.
- Restricted Internet access will normally be allowed to all employees. Special access may be granted to designated employees whose work requires it. Such special access shall only be granted after a formal request from the respective business head.
- Access may also be blocked at the request of the departmental head.
- All laptops, desktops and handheld devices will be restricted from updating firmware, applying software updates, and downloading and installing software. Installations and updates will be managed centrally by the Service Desk team.
- Internet access provided by the Company must not be used to engage in any activity which gathers, generates or distributes any information that is defamatory, abusive, involves any form of racial or sexual abuse, could damage the reputation of the Company, or any material that is detrimental to any party outside the specific business interests of the Company.
- Accessing sites that contain:
- obscene, hateful, pornographic, unlawful, violent or otherwise illegal material
- gambling or personal financial gains
- Sharing confidential material, trade secrets, or proprietary information outside of the Company.
- Information classified as confidential or sensitive must not be sent over the internet, whether as a file transfer, email content, file attachment or via a web session, unless protected by an approved encryption mechanism.
- Downloading of content from Internet sites is strictly prohibited unless it is work related.
- Users must not alter the configuration of the Internet security settings on their machines. Downloading and installing software on Company desktops/laptops is strictly prohibited for employees, except on dedicated machines of the IS Department.
Privileged Internet Access
- Unauthorized audio/video (AV) calling software (WhatsApp, Tango etc.) is not allowed for any user. Only authorized calling software will be allowed, and only for particular individuals with a justified business need.
- Access to blocked websites may be granted to users with specific business needs.
- Approval of GM Information Services with recommendation of relevant Business Head shall be required to allow such websites access to specific users.
- It will be the responsibility of the Business Head to ensure correct utilization of privileged internet access granted to user(s).
- The equipment, services and technology used to access the Internet are the property of Tapal Tea and the Company reserves the right to monitor and examine Internet traffic and access data that is composed, sent or received through its online connections.
- All sites and downloads may be monitored and/or blocked by Tapal Tea if they are deemed to be harmful and/or not productive to business.
- Any employee found misusing internet facility will have to face disciplinary action as deemed appropriate by the management.
System Acquisition Development and Maintenance
System Acquisition, Development and Maintenance
Development and acquisition refers to the Company's ability to identify, acquire, install and maintain appropriate information technology systems. The process includes the internal development of software applications or systems and the purchase or acquisition of hardware, software, or services from third parties. The development, acquisition and maintenance process includes numerous risks. Effective project management manages the possibility of loss resulting from inadequate processes, personnel or systems. Losses can result from errors, fraud or an inability to deliver products or services, maintain a competitive position or manage information.
This policy establishes guidelines for incorporating security controls into business applications during development or customization phase (includes acquired and internally developed applications).
This policy applies to the IS department personnel including Information Security and related third parties/vendors involved in information system implementation and/or development.
This Policy covers all Information Services environments operated by the Company. The term “Information Services environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. all computers / systems desktop, network devices, wireless devices), software, and information.
In order to maintain a high level of information security, the security requirements of an information technology should be considered, documented and planned for, prior to the development or acquisition of the system itself.
This document lays down the Company's information security policies relating to the development and maintenance of its information systems.
Security Requirement of Information Systems
Information Security requirements, analysis and specifications
- All changes to applications at Tapal Tea shall be carried out in accordance with the software change management procedures.
- The Information Security function shall develop security risk self-assessment procedures to assist development staff in identifying and determining potential weaknesses in information systems. Developers shall follow the security risk self-assessment procedures and identify the appropriate controls required during the design stage of information system development.
- The security and controls analysis shall incorporate major aspects of infrastructure security, packaged application security and custom developed application security. It must focus on automated as well as manual controls as applicable. This security and controls documentation must be justified, agreed and documented as part of the overall business case for an information system.
- All architecture layers (business, data, applications and technology) should be designed as per information security need.
- The design of the audit trail (logging) of an application under development must ensure the security of any confidential or sensitive information.
- In case acquired software/infrastructure does not fulfil Tapal Tea's requirements, and the third party is unable to make adequate modifications, a dispensation must be sought.
- Software other than licensed products, such as freeware or shareware, must not be used without prior testing or a recommendation from reliable sources.
- All system / technical documentation must be updated to reflect changes and retained.
- Quality assurance standards address issues such as validation of project assumptions, adherence to project standards and testing of a product's performance.
Securing Application services on public networks
Publicly Available Information
- The integrity of information being made available on a publicly available system should be protected to prevent unauthorized modification. The publicly accessible system should be tested against weaknesses and failures prior to information being made available. There should be a formal approval process before information is made publicly available. In addition, all input provided from the outside to the system should be verified and approved.
- Electronic publishing systems, especially those that permit feedback and direct entry of information, must be carefully controlled according to the data classification policy so that:
- Information is obtained in compliance with any data protection legislation or internal policies.
- Information input to, and processed by, the publishing system will be processed completely and accurately in a timely manner.
- Sensitive information will be protected during collection, processing, and storage.
- Access to the publishing system does not allow unintended access to networks to which the system is connected.
Security in Development and Support Processes
Secure development policy
- Introduction of new systems and major changes to existing systems shall follow a formal process of documentation, specification, testing, quality control, and managed implementation; this process shall include a risk assessment, analysis of the impacts of changes, and specification of security controls needed; this process shall also ensure that existing security and control procedures are not compromised.
- Secure coding guidelines, techniques and secure development methodology should be followed throughout software development life cycle.
- Developers must not have access to production environments for the purpose of support and emergency fixes, unless authorized and monitored.
- Release of changed versions of coded deliverables must occur only after successful testing and approval.
- Automatic updates shall not be used on critical systems as some updates may cause critical applications to fail.
- All emergency application code, configuration, database or data changes undertaken under time pressure and before formal change control can be applied, must be retrospectively reviewed and authorized after a successful resolution to the emergency has been achieved.
- Ensure developers are adequately trained in the development of secure software before developing the system. This includes application of engineering disciplines to design, development, configuration control, and integration and testing.
System change control procedures
- An audit trail and automated version control shall be maintained for all changes made (e.g. software change request forms, approvals, version numbers), where applicable.
- If changes to the original software are necessary, the Change Management Policy shall be followed.
- Prior to implementation of updates in the production environment, Tapal tea shall test the operation and compatibility of the existing application with the proposed updates.
- Change Control / Patch Management Procedures shall address all changes, enhancements and version updates.
- Changes should never be implemented without clearly validated rollback/back-out plans, in order to mitigate the risk of failed changes (where applicable).
- Clear responsibilities should be defined for monitoring vulnerabilities and new releases of patches, fixes and updates.
Technical review of applications after operating platform changes
- Ensure that notification of operating system changes is provided in time to allow appropriate tests and reviews to take place before implementation.
- Ensure that appropriate changes are made to the business continuity plan.
- All updates, patches, version changes, etc. shall be tested and reviewed for security controls prior to implementation.
Post-Implementation Review
- For critical projects/systems, Tapal tea shall:
- Conduct a post-implementation review at the end of a project to validate the application's operational performance.
- Assess the relative success of the project by comparing planned and actual cost, benefits and completion time.
- Record the reasons in a post-implementation evaluation report if the planned objectives do not materialize.
- Present the post-implementation evaluation report to senior management / IS Steering Committee, highlighting operational or project management deficiencies (if any).
Restrictions on changes to software packages
- Modifications to software packages should be discouraged. As far as possible and practicable, vendor-supplied software packages should be used without customizations.
- Where a software package needs to be modified, the following points should be considered:
- The risk of built-in controls and integrity processes being compromised;
- Whether the consent of the vendor should be obtained;
- The possibility of obtaining the required changes from the vendor as standard program updates;
- The impact if Tapal tea becomes responsible for the future maintenance of the software as a result of changes.
Secure system engineering principles
- Secure information system engineering procedures should be established, documented and applied to in-house/ outsourced information system engineering activities based on security engineering principles / best practices. The established engineering procedures should be regularly reviewed.
Secure development environment
- Development environments must be subjected to basic security controls such as control over access and change control, albeit at a lower level of rigor than in production environments.
- Risks should be assessed for individual system development efforts, and secure development environments should be established for each specific system, considering:
- Applicable external and internal requirements, e.g. from regulations or policies.
- The degree of outsourcing associated with system development.
- Monitoring of change to the environment and code stored therein.
- Access to controlled versions of development deliverables must be restricted to authorized developers engaged on the specific development project; authorization must be provided by the relevant development project manager.
Security in Application Systems and Infrastructure
- Applications should provide for the validation of input data against predefined parameters (e.g. range checks, checks for missing or incomplete data, data volume limits, and validation of input data against master data; for instance, if a vendor's address is being input, it should be matched against the address in the vendor master data).
- The application must provide facilities to enable changes to the data input validation parameters, which should be carried out in line with the change management procedures of Tapal tea.
- IT management shall ensure that appropriate validation controls are developed and applied in the business applications to detect any corruption of information through processing errors or deliberate acts.
- Data output from an application should be validated by Tapal tea business to ensure that the processing of stored information is correct and appropriate to the circumstances and the expected result.
- The integrity and completeness of printed output from an application must be verifiable using report numbering, end-of-report messages, nil reports, etc.
- Modifications to critical static data and configuration data must only be allowed through specific privileged application accounts that are allocated to authorized staff.
- Changes to predefined input validation parameters in any application must be logged and reviewed by the management using the application, as per the change management policy, to ensure that errors are resolved in a timely manner. Where applicable, the review should be done in conjunction with source documentation.
- All application output must be protected against unauthorized modification, deletion, replacement or replication.
- All changes to production security infrastructure (e.g. core network equipment) must be authorized by Sr. Manager IS Operations.
- Business sensitive information should be adequately protected to avoid unauthorized access.
- Information Services / Information Security management shall ensure that appropriate controls are implemented that safeguard all the points from where data can be exported on to portable storage. In addition, controls shall also be deployed on the network layer for the prevention of eavesdropping and similar threats.
- If development of an application or infrastructure is being conducted by a third party, the contract must be in line with applicable regulations and Tapal tea's outsourcing policies.
- A third party development environment must not be connected directly to Tapal tea's network, and the contract must provide suitable assurances that the developed code has been kept secure during development.
- If third party software is being considered for a critical business activity, Tapal tea must license the software or obtain a legally binding agreement from the third party.
- An escrow arrangement shall exist in cases where core applications are developed by vendors but the source code is not released to Tapal tea. The third party must deposit the source code with a mutually agreed outside party, who will hold it in escrow, each time the source code is revised.
- All documentation describing systems or system procedures must be reviewed by the Information Services Department in conjunction with Information Security, prior to release to third parties, to ensure that confidential information is not inadvertently disclosed.
- Tapal tea should reserve the right to audit the outsourced services on a periodic basis, or as and when required, in order to ensure the quality and accuracy of the work done.
- All outsourced source code must be tested before being deployed to the production environment, with consideration of security controls (e.g. checks for malicious or Trojan code).
- For new information systems or changes to existing systems, Information Security, GM Information Services, Business Heads and persons with systems or network responsibilities must ensure that the requirements and criteria for systems are clearly defined, agreed upon, documented and tested.
- Conduct system testing using documented test plans encompassing all predetermined data or processing problems and business scenarios.
- Applications that rely on externally supplied software and modules should be monitored and controlled to avoid unauthorized changes.
System acceptance testing
- The end user shall provide formal acceptance through sign-off.
- GM IS or his delegated employee shall confirm that test activities are successful and recorded before the modified programs are transferred to the production environment.
- The acceptance test (for in-house or off-the-shelf software) will be coordinated by the Application Administrator in conformity with the functional team, to assure the adequacy of:
- Business requirements
- Performance and Systems Capacity requirements
- Error recovery, restart procedures, contingency plans and relevant arrangements.
- Security controls
- User training
- Software licenses for the proposed system and user base
- Formal agreements, if third parties manage systems
- User Manuals containing procedures for using the application
- Estimated consumption of resources.
- Ensure that adequate test scenarios are formulated and sufficiently tested in UAT.
- System acceptance testing must be included as part of the change management.
- System test data must be subject to the same level of access controls as the production data from which it was derived or extracted.
- If copies of production data are used for testing purposes, they must be masked, anonymized, sanitized or de-personalized, where possible.
- Business information may only be used for scenario / code testing under development if the relevant Business Head has given specific permission. Further, appropriate data masking may be applied based on the criticality of the data.
The purpose of this policy is to ensure the availability of information system resources and services from outsourced parties. It highlights the issues related to confidentiality, availability, integrity and protection of data from environmental threats while using the services of a third party.
Management shall be aware of and mitigate risks associated with technology operations. Many operations have significant risk factors that shall be addressed through effective management and control.
This policy applies to all users of information assets including the Company’s employees, employees of temporary employment agencies, vendors, business partners, and contractor personnel.
This Policy covers all Information Services environments operated by the Company or contracted to a third party. The term “Information System environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. distributed, desktop, network devices, and wireless devices), software, and information. If any user does not fully understand anything in this document he/she should consult with General Manager Information Services.
The Steering Committee shall resolve any conflicts arising from this Policy.
This policy addresses the security issues related to the availability of services with respect to Service Level Agreements (SLAs).
Information security in supplier relationships
Information security policy for supplier relationships
- Any contract for the provision of outsourced activities must be in compliance with Tapal tea's policies, local laws and regulations. If the agreement involves co-operation with Tapal tea entities in other countries, the respective local laws will apply.
- The types of suppliers (e.g. IT services, logistics, utilities, financial services, IT infrastructure components) that Tapal tea will allow to access its information shall be identified and documented.
- Where applicable, the access control policy must be adhered to by suppliers.
- Information security requirements for mitigating the risks associated with a supplier's access to Tapal tea's assets should be agreed with the supplier and documented.
- Before engaging any third parties, proper due diligence must be performed by the Supply Chain Management Department (SCM) to make sure that the entity follows all information security requirements applicable to the services it provides.
- The following terms should be considered by SCM and IS Departments for inclusion in the agreements in order to satisfy the identified information security requirements:
- A standardized process and lifecycle for managing supplier relationships
- Description of the information to be provided or accessed and methods of providing or accessing the information.
- Classification of information according to Tapal tea's classification scheme (see section 4); if necessary, also a mapping between Tapal tea's own classification scheme and the classification scheme of the supplier.
- Legal and regulatory requirements, including data protection, intellectual property rights and copyright, and a description of how it will be ensured that they are met.
- Rules of acceptable use of information, including unacceptable use if necessary.
- An explicit list of supplier personnel authorized to access or receive Tapal tea's information, or the procedures and conditions for granting and removing the authorization of supplier personnel to access or receive Tapal tea's information.
- Incident management requirements and procedures (especially notification and collaboration during incident remediation).
- Relevant regulations for sub-contracting, including the controls and processes that need to be implemented for services to meet critical functionality.
- Relevant agreement partners, including a contact person for information security issues.
- Defect resolution and conflict resolution processes.
- Mitigation of risk associated with unavailability of services or supplier (i.e. services / components no longer available or supplier no longer in business).
- Information sharing rules, in case of any potential issues and compromises.
- Assurance that critical components and their origin can be traced throughout the supply chain, and that the delivered product functions as expected without any unwanted features.
- Regular audits of the services, including the storage/processing sites, against contractual agreements shall be carried out and shortfalls shall be addressed.
- The supplier's obligations to comply with Tapal tea's security requirements.
Addressing security within supplier agreements
- There must be agreed and monitored SLAs between Tapal tea and external service provider for functions being outsourced.
- All third party service level agreements must have a detailed description of services (e.g. system availability, maintenance / support services, system backups and recovery services, information classification, problem management and escalation, change management, security management and monitoring services) provided by the service provider.
- SLAs should contain references to the following criteria, where applicable:
- The names/roles of Head of Business, Information Services Management and GM Information Services.
- Ownership and duration of validity of the SLA.
- Service availability (dates, times, response times).
- Responsibilities for the security administration of the service including granting and withdrawal of access rights.
- Adherence to (or deviation from) Organization’s Policies or Standards.
- Allocation and charging of costs of services and related expenses.
- Service reporting mechanisms and processes including frequency of management reporting.
- Responsibilities and liabilities associated with service provision.
- Right to intellectual property, trademarks and copyrights.
- Non-disclosure agreement.
- Disaster recovery process including backup and recovery of data.
- Responsibilities of third party personnel should include the following:
- Hardware and software installation.
- Clear reporting structure, agreed reporting formats.
- Acceptable and unacceptable level of service.
- Involvement of sub-contractors.
- Indemnification for losses, damages, claims, costs, expenses, interest, awards, judgments and penalties as a result of third party’s actions.
- Clause for termination / renegotiation of the terms of the contract.
- Adherence to Tapal tea’s Information Classification policy.
- During the delivery of any outsourced activity, the relevant portion of Tapal tea's Information Security Policy shall be made available to the third party and its staff.
- In the terms and conditions of the agreement, Tapal tea should reserve the right to inspect the facilities, premises and staff of the outsourced company on a periodic basis, or as and when required, in order to ensure that the information security terms and conditions of the agreement are being adhered to, and that information security incidents and problems are managed properly.
- Wherever applicable, Tapal tea must legally bind the outsourced company to an Escrow Agreement and appoint a mutually agreed designated Escrow Agent/Escrow Custodian for the management of the Escrow Material (i.e. the source code of the vendor's proprietary application), in the event that the outsourced company files for bankruptcy or becomes subject to litigation.
- The outsourced company bound by the Escrow Agreement must adhere to the confidentiality and IS guidelines laid down in Tapal tea's IS Policy.
- On termination, at the end of the contract, or at an agreed point in time, information and/or assets shall be returned by the third party to Tapal tea. The return of assets and/or information is the responsibility of the third party or the agency responsible for the contract.
- The contract must specify the exact ownership of the information assets involved in the outsourced activities and must preserve Tapal tea's ownership of proprietary information in any form, where applicable.
- A schedule of maintenance and/or support services for systems stating the hardware, software, technology, time period and exclusions / exceptions must be provided in the SLA, where applicable.
- SLAs must specify the procedure for systems backup and recovery, with regards to schedule, type of back-ups, onsite and off-site storage locations, retention period, recovery circumstances and responsibilities of personnel accountable for this job, where applicable.
- A list of personnel associated with the specific information system(s) and their contact details must be provided in the SLA.
- SLAs must contain procedures and guidelines for change management compliant with Tapal tea's change management procedures.
- SLAs must specify the accountability and responsibility of the personnel responsible for security controls over the services offered, equipment, backup devices, storage media and access to systems.
Information and communication technology supply chain
- For requirements in agreements associated with the supply chain, policy 15.1.2 (Addressing security within supplier agreements) shall be followed.
Supplier service delivery management
Monitoring and review of supplier services
- All SLAs shall be subject to independent monitoring.
- Service reports produced by the third party shall be reviewed, and regular progress meetings shall be arranged as required by the agreements.
- Tapal tea shall regularly monitor and review the services, reports and records provided by the third party to ensure that the services are delivered as agreed, are appropriate, and meet all security requirements stated in the contractual agreement.
Managing changes to supplier services
- Changes to the provision of services by an outsourced provider shall be managed taking into account the criticality of the business information, systems and processes involved, and information security risk shall be re-assessed. The process of managing changes to a third party service shall take account of:
- Changes made by Tapal tea to implement:
- Enhancements to the current services / infrastructure offered;
- Development of any new applications and systems;
- Modifications or updates of the applicable regulations, Tapal tea's policies and procedures;
- New controls to resolve information security incidents and to improve security.
- While managing changes in supplier services, the following aspects should be considered:
- Changes and enhancements to IT infrastructure;
- Use of new technologies;
- Adoption of new products or newer versions / releases;
- New development tools and environments;
- Changes to physical locations and service facilities;
- Changes of suppliers;
- Sub-contracting to other suppliers.
Information Security Incident Management
Information Security Incident Management
Incident management is defined as the capability to effectively manage unanticipated disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits. Incident response is the operational capability of incident management that identifies, prepares for and responds to incidents to control and limit damage; provide forensic and investigative capabilities; and maintain, recover and restore normal operations as per business requirements.
The purpose of this policy is to reduce any potential business impact and the risk of similar incidents occurring, by responding to incidents in a manner that allows timely corrective action, and to identify the perpetrators of malicious acts and preserve sufficient evidence to prosecute them, if required.
The objective of incident management is to restore the service as quickly as possible to meet Service Level Agreements. The process is primarily aimed at the user level. On the other hand, problem management deals with solving the underlying cause of one or more incidents.
This Policy covers all Information Services environments operated by the Company. The term “Information Security environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. all computers / systems desktop, network devices, wireless devices), software, and information.
The Policy aims to identify, analyse, manage and respond effectively to unexpected events that may adversely affect Tapal Tea's information assets and/or its ability to operate. It includes disruptions to, or failures or misuse of, information processing functions, but will also include events that may adversely impact other information assets of Tapal Tea. Incidents may come about as a result of accidents, mistakes, intentional acts of malice, theft, embezzlement, extortion, fraud, espionage, etc.
This policy applies to all users of information assets including the Company’s employees, employees of temporary employment agencies, vendors and contractor personnel regardless of geographic location. If any user does not fully understand anything in this document he/she should consult with GM Information Services.
In order to maintain business operations, the effects and impact of any security breach on the Company must be minimized. This policy provides guidelines on the timely reporting of all vulnerabilities and security breaches, on measures to prevent recurrence, and on creating staff awareness accordingly.
Management of information security incidents and improvements
Responsibilities and procedures
- A formal incident management procedure should be in place for reporting incidents or weaknesses.
- Incident categories include:
- IS Service Desk (Secondary Sales)
- Network
- Hardware Equipment
- IS Asset
- OS
- Software
- Power (UPS)
- SAP ERP Support
- Google App
- Web Portal (Service Desk, FIORI, TWIN)
- The Service Desk portal for incident management shall also be used to log user requests.
- Develop and implement processes to ensure the timely identification of information security incidents.
- Establish and maintain incident escalation and notification processes to ensure that the appropriate stakeholders are involved in incident response management.
- Establish and maintain an incident response plan to ensure an effective and timely response to information security incidents.
- Assign clear and documented roles and responsibilities within IT in terms of desired outcomes.
- Where a security incident has occurred that involves legal action (either civil or criminal) investigation of the nature, scope and causes of the incident must be undertaken that will preserve the evidentiary value of all information concerning the incident.
- Establish and maintain integration among the incident response plan, disaster recovery plan and business continuity plan.
- In order to have effective incident management, Tapal tea shall:
- Continuously develop problem and error controls.
- Formulate a tiered support structure, where the team understands the different tier levels.
- Formulate a continual service improvement program that measures efficiency and effectiveness through KPIs aligned to company-wide goals and objectives.
Reporting information security events
- Tapal tea should form organized, trained and equipped teams to effectively respond to information security incidents in a timely manner.
- All staff members, contractors and third parties staff must be made aware of how to identify a security breach and whom to contact in such an event.
- All security events, including but not limited to those listed below, shall be reported to the Information Security function / GM IS:
- Loss of service, equipment or facilities
- System malfunctions or overloads
- Non-compliance with policies or guidelines
- Breaches of physical security arrangements
- Uncontrolled system changes
- Malfunctions of software or hardware
- Access violations
Reporting information security weaknesses
- All employees, contractors and third party staff must be aware of the status of the information, computer equipment and systems for which they have custody, responsibility or use. They should not take any action on their own; instead they must note any unusual, suspicious or unauthorized use or behaviour and report it as per policy.
- Any security breach, security weakness or malfunction related to information assets must be formally reported to the Business Head or Information Security, who, after gaining a clear understanding of the situation, shall formally report the matter to the General Manager IS, Legal Department and Manager HR / ER as quickly as possible. Tapal tea should ensure that all employees and employees of temporary employment agencies are aware of this practice. Vendors and contractors shall report any such instances to the management of Tapal tea.
- Employees, contractors and third party users shall not attempt to prove suspected security weaknesses unless approved by Tapal tea Management.
Assessment of and decision on information security events
- A procedure should be in place to record the details of incidents in order to identify recurring or high-impact incidents.
- Information Security function will lead the investigation and assess the severity of information security incident. Results of the assessment should be adequately documented.
- Prioritization must be based upon the severity of the incident; the following severity levels must be considered:
- Major:
- Threatened or limited actual loss of reputation or impact to Tapal tea, core business processes, regulatory or settlement capabilities;
- Severe outage affecting one or multiple lines of business or locations;
- System is down; a workaround is available, but the impact is severe and resolution is needed for smooth functioning.
- Medium:
- Insignificant / minimal degradation to a key service, business process or location;
- More severe degradation or outage to a non-critical service, business process or location;
- System is up and running with degraded capability.
- Low:
- Small issue with localized scope, typically affecting one person;
- Can either be tolerated or worked around for an extended period of time due to its limited impact.
- Information gained from the evaluation of information security incidents should be maintained to strengthen areas of weak controls.
- Establish and maintain organization wide definition of, and severity hierarchy for, information security and IS incidents to allow accurate identification of and response to incidents.
- For incident resolution, refer to Annexure "D" for the application-wise workaround time. The severity level of the incident will determine the incident response time.
- Information security event reporting forms must be developed to support the reporting action, and to help the person reporting to remember all necessary actions in case of an information security event.
- The Service Desk will resolve the incident, but final closure of the incident should take place only when the initiating user confirms that the incident is resolved and service is restored.
- Suitable response processes should be developed to ensure that those personnel reporting information security events are notified of results after the issue has been dealt with and closed.
- Conduct post incident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
- Test and review the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities.
- All emergency actions taken in response to an incident shall be documented in detail and reviewed in an orderly manner.
- Feedback procedures must be in place for the notification of results after the issue stands closed.
- For unforeseen incidents such as fire, earthquake, storms and terrorism, Tapal tea's existing incident response must be complemented with adequate coverage from insurance policies.
Learning from information security incidents
- There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored.
- Information Security will be required to analyse security incidents and identify proactive measures to be undertaken to avoid similar incidents in future; these shall be reported to the IT Steering Committee on a periodic basis.
- A security incident database shall be developed for future reference.
- A procedure should be developed for collecting sufficient evidence as soon as possible to achieve admissibility in court. Where possible, a strong trail of evidence should be maintained, including original paper documents and computer media.
- Where a follow-up action against a person after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down.
Information Security aspects of BCM
The goal of developing a comprehensive Disaster Recovery Plan (DRP) / Business Continuity Plan (BCP) shall be to minimize financial losses to the institution, serve customers with minimal disruption, mitigate the negative effects of disruptions on business operations and ensure compliance with information security policies. This plan should be documented and tested to ensure the continuity of operations and the availability of critical resources in the event of a disaster.
Tapal Tea could face the suspension of critical operations due to natural disasters, terrorist attacks, environmental incidents, computer problems and other causes, and hence needs to secure business continuity by formulating action plans in advance to ensure quick recovery. Business Continuity Planning (BCP) is a comprehensive enterprise-wide process that defines how the Company responds to and recovers from business disruptions in case of a disaster, enabling the Company to continue providing services to customers and stakeholders alike.
This Policy covers all Information Services environments operated by the Tapal Tea. The term “Information Services environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. all computers / systems desktop, network devices, wireless devices), software, and information.
The scope of this policy covers availability of all critical resources and information systems to ensure the continuity of operations after disaster.
The Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) must be made available to all key persons to ensure business continuity in the event of a loss of service or disaster. The BCP and DRP must incorporate an adequate level of controls to comply with the information security policies of the Company.
Information security continuity
Planning information security continuity
- Tapal Tea shall develop a comprehensive business continuity plan (BCP) / Disaster recovery plan (DRP) as part of the business continuity planning process.
- The DRP shall be based on the size and complexity of Tapal Tea and shall be consistent with its overall business strategy.
- Each business function must assign responsibility, at an appropriate level, for the development of its BCP / DRP. All the plans developed should contain consistent information, with business priorities clearly identified.
- All IT systems must go through a business impact analysis to prioritize critical business process and determine the adverse impact levels associated with the compromise of Tapal Tea’s information assets based on a qualitative and quantitative assessment of the sensitivity and criticality of those technology assets. Events that can cause potential disruptions should be identified and a risk-based approach must be adopted for the development of BCP/DRP which should not only be limited to information processing facilities but also include all business processes.
Implementing information security continuity
- The probable adverse impact of an Information Security breach must be analysed in terms of loss of integrity, availability and confidentiality and magnitude of impact must be defined as either low, medium or high.
- BCP / DRP must be included in the systems development life cycle for all systems and applications that have been identified as important or critical, or that have a high availability requirement. Information owners are responsible for developing these plans in conjunction with Information Security and Information Technology.
- Define system recovery, business resumption priorities and establish specific recovery objectives including Recovery Time Objectives (RTO) and Recovery Point Objective (RPO) for IT systems, applications and critical paths.
- Invocation procedures must be clearly defined in the Disaster Recovery Plan. They must cater for incidents occurring both within and outside normal office hours, and must include office and home contact numbers.
- Involve the respective business unit heads when signing off the test results of DR / BCP drills.
- Implement replication, rapid backup and recovery capabilities at the individual system or application cluster level.
- Estimate maximum allowable downtime as well as the acceptable level of losses, associated with business functions and processes.
Verify, review and evaluate information security continuity
- BCP/DR drills planned with third parties, if any, shall be performed annually.
- Revision of the DRP and testing program should be based upon changes in business operations, audit recommendations and test results.
- BCP / DRP must be tested prior to transferring systems and applications to the production environment. Once transferred to the production environment periodic tests and drills must be performed for critical systems (which are located in-house and offshore) and applications to ensure that defined recovery time and point objectives are met. Incremental tests must be performed for all other systems and applications. Test results must be provided to the Information Owner, and made available to any compliance audit.
- The Manager IS Operation North, as Disaster Recovery Manager, or any designated executive, must be responsible for ensuring that Disaster Recovery Plans are in place for all sites. Appropriate training must be provided to all personnel (including business users) regarding the agreed procedures and processes, including crisis management.
- Business users shall be involved in the design and execution of comprehensive test cases to verify that recovered systems function properly.
- Identify and address the various types of contingency scenarios that may be caused by system faults, hardware malfunction, operating errors or security incidents, up to and including total incapacitation of the primary Datacentre.
- Tapal Tea shall identify legal and regulatory requirements for its business functions and processes.
- Review of the BCP / DRP should be performed regularly to ensure that the plan is up to date and that all changes have been incorporated, such as changes in:
  - Personnel;
  - Addresses or telephone numbers;
  - Business strategy;
  - Location, facilities, and resources;
  - Legislation;
  - Contractors, suppliers, and key customers;
  - Processes (including new or withdrawn ones);
  - Risk (operational and financial).
- Consider inter-dependencies between critical systems in drawing up its recovery plan and conducting contingency tests.
- Tapal Tea’s response, resumption and recovery plans shall be subject to periodic review and testing. Tapal Tea shall also conduct exercises to test the ability of its staff and processes to respond to unfamiliar scenarios, with a view to achieving strong operational resilience.
- A variety of techniques should be used in order to provide assurance that the plans will operate in real life. These should include:
  - table-top testing of various scenarios (discussing the business recovery arrangements using example interruptions);
  - simulations (particularly for training people in their post-incident/crisis management roles);
  - technical recovery testing (ensuring information systems can be restored effectively);
  - testing recovery at an alternate site (running business processes in parallel with recovery operations away from the main site);
  - tests of supplier facilities and services (ensuring externally provided services and products will meet the contracted commitment);
  - total shutdown / complete switchover of the primary site, as well as component failure at the individual system or application cluster level (testing that Tapal Tea's personnel, equipment, facilities and processes can cope with interruptions or total shutdown of systems).
Risk Assessment and Management of BCP/ DRP
- The BCP / DRP shall be based on a comprehensive BIA and risk assessment exercise, reviewed and approved by the board at least annually. It shall be documented in a written program and disseminated across Tapal Tea.
- Test and validate, at least annually, the effectiveness of recovery requirements and the ability of staff to execute the necessary emergency and recovery procedures.
- Tapal Tea shall perform a risk assessment considering the following aspects:
  - Perform a "gap analysis" to compare the existing BCP with the policies and procedures that shall be implemented, based on the prioritized disruptions identified and their resulting impact on Tapal Tea;
  - Evaluate BIA assumptions using various threat scenarios;
  - Select DR specifications according to the BIA, to address the identified threats and to meet the recovery objectives;
  - Analyze threats based upon the impact to the institution, its customers and other relevant stakeholders; and
  - Prioritize potential business disruptions based on their severity.
- The BCP / DRP shall, among other things, specify the conditions which shall prompt implementation of the plan and the process for invoking the BCP and immediate steps to be taken during a disruption.
- The BCP / DRP shall be:
  - Flexible, to respond to unanticipated threat scenarios and changing internal conditions;
  - Focused on the impact of the various threats that could potentially disrupt operations rather than on specific events;
  - Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies.
- Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the:
  - Incorporation of the BIA and risk assessment into the BCP / DRP and testing program;
  - Development of an enterprise-wide testing program;
  - Assignment of roles and responsibilities for implementation of the testing program;
  - Completion of annual, or more frequent, tests of the BCP / DRP;
  - Evaluation of the testing program and the test results by management and the board;
  - Assessment of the testing program and test results by an independent party;
  - Revision of the BCP / DRP and testing program based upon changes in business operations, audit recommendations and test results.
DR Site
- Establish a recovery site that is geographically separated from the primary site to enable the restoration of critical systems and resumption of business operations in case of disruption at the primary site. Further, Tapal Tea shall also address cross-border network redundancies (in case of offshore outsourcing arrangements), with strategies such as engagement of different network service providers and alternate network.
- An updated copy of DR Plan with restoration procedures and other details must be present at DR Site.
- Each DR site's storage capacity should meet the requirements for restoring critical applications in the event of a disaster.
- BCP / DRP tests shall ensure that all members of the recovery team and relevant staff are aware of the plans. Further, staff must be aware of their responsibilities and of the procedures to be followed to make the DR site operational.
- Each site must have nominated staff who will be responsible, working under the BCP / DRP manager, for the effective implementation of the DRP.
- Patches for DR servers and other equipment, and database updates, must be kept in line with the production machines.
Availability of information processing facilities
- Keeping in view the size, nature and complexity of business operations and IT systems, Tapal Tea shall consider developing built-in redundancies to reduce single points of failure which can bring down the entire network.
- Tapal Tea shall maintain the standby hardware, software and network components that are necessary for fast recovery.
- Tapal Tea shall achieve high systems availability (or near zero system downtime) for critical systems which is associated with maintaining adequate capacity, reliable performance, fast response time, scalability and swift recovery capability.
The purpose of this policy is to implement the IS Policy so as to avoid breaches of any legal, statutory, regulatory or contractual obligations and of any security requirements.
This policy applies to all users of information assets including the Tapal Tea’s employees, employees of temporary employment agencies, vendors and contractor personnel regardless of geographic location.
This Policy covers all Information Services (IS) environments operated by the Company. The term “IS environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. all computers / systems desktop, network devices, wireless devices), software, and information.
Tapal Tea’s information security policies and standards are rendered ineffective unless they are supported by ongoing compliance checks and monitoring. The Company may incur financial penalties or suffer damage to its brand reputation if it fails to comply with its legal, regulatory or contractual obligations.
Compliance with legal and contractual requirements
Identification of applicable legislation and contractual requirements
- All relevant legislative, statutory, regulatory and contractual requirements shall be explicitly identified, documented and kept up to date for each information system.
Intellectual property rights
- Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software and products.
- The following guidelines should be considered to protect any material that may be considered intellectual property:
  - Publishing an intellectual property rights compliance policy which defines the legal use of software, information and products.
  - Acquiring software only through known and reputable sources, to ensure that copyright is not violated.
  - Maintaining awareness of policies to protect intellectual property rights, and giving notice of the intent to take disciplinary action against personnel breaching them.
  - Maintaining proof and evidence of ownership of licenses, master disks, manuals etc.
  - Implementing controls to ensure that any maximum number of users permitted is not exceeded.
  - Carrying out checks that only authorized software and licensed products are installed.
  - Providing a policy for maintaining appropriate license conditions.
  - Providing a policy for disposing of or transferring information or software to others.
  - Using appropriate audit tools.
  - Complying with terms and conditions for software and information obtained from public networks.
  - Not duplicating, converting to another format or extracting from commercial recordings (film, audio, image) other than as permitted by copyright law.
  - Not copying, in full or in part, books, articles, reports or other documents, other than as permitted by copyright law.