Information Security Policy
The company’s data is among its most valuable assets. Information Security deals with the protection of this data against loss, misuse or damage of information processed, stored, transmitted or retrieved from an electronic medium.
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The terms information security / cyber security, computer security and information assurance are frequently, and incorrectly, used interchangeably. These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Computer security focuses on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer.
The policy manual document is based on internationally recognized standards, best practices and regulatory guidelines (if applicable).
Employees will be provided with access to the authorized sections of the IS Policies Manual and its content via the Human Resources function during their induction to employment with Tapal Tea.
Waiver and Exception Criteria
This Policy is intended to address information security requirements. Requested waivers and exceptions must be formally submitted to Information Technology, including the justification and benefits attributed to the waiver, and must be approved by the Steering Committee. A waiver should only be used in exceptional situations, when communicating non-compliance with the policy for a specific period of time (subject to a maximum period of 1 year). At the end of that period the need for the waiver should be reassessed and re-approved, if necessary. No policy should be granted a waiver for more than three consecutive terms.
The seriousness of the threats we face in an increasingly hostile and open world means that it is imperative that we collectively comply with the Information Security Policies. Failure of any employee to do so may result in disciplinary action.
Document Owner and Revision Criteria
The owner of this document is the Information Technology function, which will therefore be responsible for its revision and updating. This Information Security policy shall be approved by the Board of Directors; however, the workforce shall only be provided with the relevant sections of this policy.
The IS Policy shall be reviewed by the GM Information Technology at least once every three years, and whenever there is an apparent need to revise it.
Organization of Information Security
Purpose
The purpose of this policy is to manage information security and maintain appropriate security controls in the information processing facilities within the company and in those outsourced to third parties.
Scope
The scope of this policy covers all organizational activities and operations relating directly or indirectly to the IT department.
Policy Statement
This Policy sets out guidelines for defining the roles and responsibilities pertaining to information security throughout Tapal Tea. To ensure that information security is properly implemented, all Tapal Tea associates must understand and comply with the responsibilities identified in this document when their duties entail one or more of the roles described below.
Internal Organization
A structured management framework directs, monitors and controls the implementation of information security as a whole within an organization. In order to achieve the stated objectives, the following information security structures/functions (organization) have been envisioned for Tapal Tea (Private) Limited (Tapal Tea).
Information Security Roles and Responsibilities
The Manager Information Security
- The Manager Information Security is responsible for the following:
- Apply / direct the application and ensure communication of Information Security Policies, Information Security Standards & Procedures and any other agreed specific security and control requirements.
- Develop security strategy, oversee the security program and initiatives, and liaise with Business Heads for on-going alignment.
- Update and obtain approval from management and IT Steering committee on latest security events and recommended measures.
- Identify significant threats to the Information Processing facilities and devise appropriate mitigating controls.
- Oversee the investigation of security breaches and assist with disciplinary matters associated with such breaches as necessary.
- Implement a process to expeditiously and effectively address information security incidents in coordination with IT Division.
- Ensure that risk and business impact assessments are conducted when required.
- Liaise with other assurance providers e.g. Internal/External Auditors or regulators.
- Assess the adequacy and coordinate the implementation of information security controls.
- Responsible for ensuring appropriate classification of Data, Information and all Information processing assets and determining the adequate level of controls and protection to be provided to each information asset in collaboration with the Data Owners.
- Responsible for management and mitigation of information/cyber security risks across the enterprise and devising strategies to monitor and address current and emerging risks.
- Responsible for seeking resources or risk acceptance (dispensation) from the Departmental Head in the event of problems applying policies, standards & procedures or control requirements.
- Tapal Tea shall put in place a security / system administration function and set formal procedures for reviewing the allocation of access rights to system resources and application systems and monitoring the use of system resources to detect any unusual or unauthorized activities.
- Responsible for developing and implementing a security awareness program periodically for all staff.
- Responsible for conducting security assessments of vendor supplied and in-house developed applications prior to being purchased, put into production, and after maintenance.
- Responsible for ensuring the correct operation of the process for authorization to access logical or physical assets.
- Responsible for ensuring the correct operation of the application major/minor change management process.
- Designated IT personnel will also be responsible for reviewing all system-generated reports (both standard and MIS reports), including security logs, to validate that all maintenance activities being performed are in line with IS-approved policies and standards.
- Have authority to investigate, report or recommend any individual/process/system, if it is believed that it is compromising the information security.
- Have authority to stop application development or deployment efforts if it is found during a Risk Assessment that the impact of a particular threat will compromise the information security of Tapal Tea and/or its associated programs/facilities, until a remedy is implemented to reduce or eliminate the impact of that threat.
- The Information Security function shall have no operational business access or need to access the data (information repository), business system or application.
- Staff assigned in information security function shall not perform other duties which can create any conflict of interest.
General Manager IT (GM IT)
- The GM IT is responsible for:
- Enabling and supporting the Information Security function in establishing downstream policies, procedures and controls in line with the security standard.
- Making investment decisions, up to the GM IT authorized financial limit, regarding the information security activities, or those delegated by the Steering Committee to GM IT.
Information Security Team
- The Manager Information Security is responsible for execution of the following through Information Security Team:
- Defining technical and non-technical information security standards, procedures and guidelines.
- Supporting Information Assets Owners (IAOs) and managers in the definition and implementation of controls, processes and supporting tools to comply with the policy manual and manage information security risks.
- Reviewing and monitoring compliance with the policy statements and contributing to Internal Audit processes.
- Collecting, analyzing and commenting on information security metrics and incidents.
- Supporting asset owners in the investigation and remediation of information security incidents or other policy violations.
- Liaising as necessary with related internal functions such as IT Operations, Risk Management, Compliance and Internal Audit, as well as the Regulators.
- Organizing a security awareness campaign for personnel to enhance the security culture and develop a broad understanding of the requirements of information security and related standards.
- Informing line manager / GM IT of actual or suspected policy violations (information security incidents) affecting their assets.
Business Managers/ Information Asset Owners (IAOs)
- Business Managers/IAOs are managers held accountable for the protection of particular Significant Information Assets. IAOs delegate information security tasks to managers or other individuals but remain accountable for proper implementation of the tasks. IAOs are responsible for:
- Appropriate classification and protection of information assets.
- Specifying and funding suitable protective controls.
- Authorizing access to information assets in accordance with the classification and business needs.
- Undertaking or commissioning information security risk assessments to ensure that the information security requirements are properly defined and documented during the early stages of development.
- Ensuring timely completion of regular system/data access reviews.
- Monitoring compliance with protection requirements affecting their assets.
- Information security risk acceptance.
All Tapal Tea Staff
- All Tapal Tea staff (i.e. employees on the payroll and others acting in a similar capacity, such as contractors, consultants, student placements etc.) are responsible for:
- Complying with the principles and policies in the information security policy manual where relevant to their jobs.
- Maintaining the security of all information entrusted to them.
- Upon hire, as a condition of employment, each worker undertakes to comply with Tapal Tea’s information security policies.
- Job descriptions or contracts must specify any additional information security responsibilities beyond the general policies.
- Tapal Tea will achieve effective employee awareness and understanding through information security training and ongoing security-related communications, employee certifications of compliance, self-assessments, third-party audits, and monitoring.
- Any worker / employee failing to comply with the security policies could be subject to disciplinary action, potentially including termination of employment or contract and/or prosecution.
Segregation of duties
- Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of Tapal Tea’s assets.
- The initiation of an event shall be separated from its authorization.
- Whenever it is difficult to achieve segregation of duties, alternative controls must be considered and applied.
- Activities which cannot be separated through segregation of duties must be logged in an audit trail.
- Within security administration, there must be a functional segregation between individuals responsible for administering access and those responsible for reviewing log files.
- Dual control should be considered for functions which, if executed by the same individual, could be misused, or allow errors to go undetected.
- Where there is any segregation of duties conflict, the conflicts shall be documented with a valid reason and approved by the user’s line manager with consent of IT business partner.
- For critical systems the input, authorization and verification functions should be separated.
Contact with Authorities
- A list of key contacts in case of an incident or disaster, including the internet service provider, IT vendors, etc., must be maintained by the IT Department.
- A list must be maintained by the relevant stakeholders containing the contacts of the premises owner, legal authorities and other investigating authorities, to take action against any mishap, security incident or loss of a valuable asset.
Contact with special interest groups
- Tapal Tea should monitor technological developments and keep abreast of new technology governance and cyber risk management processes that can effectively address existing and new technological requirements.
- A list must be maintained of Tapal Tea’s Information Services / Information Security contacts with special interest groups, in order to obtain updates about market technology and security trends; news and alerts about the latest advancements, threats, vulnerabilities and patches; and best practices adopted by the market.
Information security in project management
- The relevant business function shall be responsible for involving the IT business partner in project management.
- Involvement of the IT business partner shall include the following:
- All phases of the applied project methodology (if needed)
- The design stage of every project, to define and integrate security requirements
- An Information Security risk assessment shall be conducted at the start of the project to identify the necessary controls.
- Refer to “System Development and Acquisition Framework”, “Project Management in System Development & Acquisition” and “Security in Development and Support Processes”.
Information Security requirements, analysis and specifications
- All kinds of changes to applications at Tapal Tea shall be carried out in accordance with the software change management procedures.
- The Information Security function shall develop security risk self-assessment procedures to assist development staff in identifying and determining potential weaknesses in information systems. Developers shall follow the security risk self-assessment procedures and identify the appropriate controls required during the design stage of information system development.
- The security and controls analysis shall incorporate major aspects of infrastructure security, packaged application security and custom developed application security. It must focus on automated as well as manual controls as applicable. This security and controls documentation must be justified, agreed and documented as part of the overall business case for an information system.
- All architecture layers (business, data, applications and technology) should be designed according to information security needs.
- The design of the audit trail (logging) of an application under development must ensure the security of any confidential or sensitive information.
- In case acquired software/infrastructure does not fulfil the Tapal Tea’s requirements, and the third
Mobile devices and Remote working
- The company will not provide mobile devices to employees of Tapal Tea. Further, the following policy should be applied if the IS department is allowing users’ devices onto the company’s network.
Bring your Own Device (BYOD)
- Jailbroken and rooted devices should not be allowed to connect to the company’s network.
- Users are responsible for storing and processing company data on their own devices. If any device is found to be compromised, the IT department has the authority to block services.
- Web filtering shall be applied where applicable.
- Password locking should be enabled, and the security timeout should be set to 5 minutes.
- Ensure that relevant security patches are implemented, and that antivirus software is installed and updated on mobile devices, if applicable.
- Business data and personal data must be kept separately (where applicable).
- Corporate data should not be allowed to be downloaded or stored on local devices. Only allow access to sensitive information while connected to the corporate network.
- If a smartphone is lost or stolen, the Information Technology Department should be informed to ensure that Tapal Tea data is adequately protected.
- Refer to the “Acceptable use of assets policy” and “User endpoint protection policy” for further information.
Remote working
- Controls should be developed and implemented for remote working sites.
- Remote access to internal systems and applications must be governed by appropriate authentication and encryption controls.
- Remote access is allowed for Tapal Tea permanent employees; however, for contractual employees, the line manager’s approval is required prior to access.
- Only users that have a justifiable business need for remote access shall be authorized for that access by the Departmental Head.
- Vendors’ and other third parties’ requests for remote access should be authorized only in cases where there is a justifiable business need and a risk assessment has been performed. Such access will only be granted upon the joint approval of Information Technology and the relevant Departmental Head.
- All remote users accessing Tapal Tea’s information assets (such as cloud) must be authenticated.
- The Information Security function shall maintain and update a list of users with remote access, which will be reviewed on a periodic basis by department heads.
- Remote access to the Tapal Tea internal network should use cryptographic controls and encrypted channels (for example, Secure Sockets Layer, Secure IDs using crypto-cards, RSA keys, VPN, etc.).
- Only the system administrator is allowed to use the VPN.
- Users using the VPN or encrypted services shall only be allowed to do so from company-provided machines.
- SAP users are granted remote access to the SAP Cloud through trusted IP addresses, routed via a secure gateway (SAP router).
Information Security Risk Management
- In assessing risks, the first step is to define the scope of the effort. In this step, the different assets of Tapal Tea are identified and serve as input to the risk management activity. Asset types may include information, software assets, physical assets, services, people (including third-party staff) and their qualifications, skills and experience, and intangibles such as the reputation and image of Tapal Tea.
- Owing to the requirements of Tapal Tea business process, the IT management shall select relevant standards to define and assess its IT related risk management initiatives such as ISO 27005, COBIT for Risk, ISACA's ITS Risk Framework etc.
- The GM IT is responsible for ensuring that the risk management processes in the Tapal Tea are coordinated in accordance with the policy.
- The system owners are responsible for ensuring that risk assessments within their area of responsibility are implemented in accordance with the policy.
- Tapal Tea shall institute the following components of risk management for technology and infrastructure security, commensurate with the size, services and complexity of its IT operations:
- Tapal Tea shall annually conduct a risk-based vulnerability identification exercise across the entire organization, covering critical information systems and supporting infrastructure assets.
- On the basis of the threats and vulnerabilities identified, Tapal Tea shall formulate a list of all risks that may cause severe harm and disruption to the operations of Tapal Tea.
- Assets should be identified from observations, inventories and personnel interviews, along with existing resource ownership. The inventory of information processing assets and the risks pertaining to those assets should be periodically assessed, reviewed and updated.
- Information assets must be classified based on their individual level of criticality and importance to Tapal Tea. This is required to identify the boundaries of the information assets to provide information essential for defining the risks associated with them.
- After risk identification, Tapal Tea shall analyze and quantify the potential impact and consequences of the vulnerabilities and associated risks identified in the risk identification exercise on the overall business and operations.
- Tapal Tea shall develop a methodology to assess the impact of the threats to its information security environment and prioritize all material information security risks.
- Tapal Tea shall develop and implement risk mitigation and control strategies that are consistent with the value of the information system assets and the level of risk tolerance.
- Tapal Tea should give priority to threat and vulnerability pairings with high-risk ranking, which can cause significant harm or impact to its operations.
- When deciding on the adoption of alternative controls and security measures, Tapal Tea shall also keep in view the cost and effectiveness of the controls with regard to the risks being mitigated.
- All preventive, detective and corrective controls that have been implemented or are planned to be implemented for IT systems, must be analyzed in an efficient and systematic manner to mitigate or eliminate the likelihood of a vulnerability being exercised by using technical and non-technical control methods.
- Tapal Tea shall refrain from implementing and running a system where the threats to the safety and soundness of the information systems cannot be adequately controlled.
- The probable adverse impact of an Information Security breach must be analyzed in terms of loss of integrity, availability and confidentiality, and the magnitude of impact must be rated as low, medium or high.
- As a risk mitigating measure, Tapal Tea may consider taking insurance cover for various insurable risks, including recovery and restoration costs.
Purpose
This policy establishes security requirements to reduce the risks of human error, theft, fraud or misuse of Tapal Tea’s information assets and other operational facilities.
Scope
This policy applies to all users of information assets including the Tapal Tea’s employees, employees of temporary employment agencies, vendors and contractor personnel regardless of geographic location.
The Information Security function, in consultation with the Manager Human Resources, shall resolve any conflicts arising from this Policy.
Policy Statement
Personnel at all levels are required to contribute to maintaining a high level of information security. Security is one of the prime objectives of Tapal Tea, in which staff members are to be active agents, and it is an integral part of everyone’s job profile and objectives.
This document lays out the Tapal Tea information security policies relating to Tapal Tea’s employees, employees of temporary employment agencies, vendors and contractor personnel. It includes security in job definitions, user training, and responding to security incidents and malfunctions.
Prior to Employment
Screening
- Hiring and background checks shall be performed on all new employees as per HR policy. The hiring process will also be carried out by HR in accordance with its own policy.
- Background verification checks on all candidates for employment, contractors, and third-party users shall be carried out. These checks shall be commensurate with relevant laws and regulations and the level of the position under consideration, and may include criminal record checks.
- The Human Resources personnel shall communicate the policies concerning the handling of secure and confidential information to new employees.
- Information provided by personnel at the time of recruiting must be subjected to HR verification procedures, including credit and criminal record checks, etc.
- All departmental heads are responsible for the performance and conduct of the personnel reporting to them. The departmental heads should monitor the performance and conduct of each of their staff, and assess their impact on the security of the information resources to which the staff has access, for example through bi-annual review of Access Control Lists (ACLs), regular review of system-generated activity logs, etc.
- All candidates’ PII (Personally Identifiable Information), including their salary information, medical records and other personal data, is to be treated as strictly confidential and made available only to properly authorized persons.
Terms and Conditions of employment
- All job roles and responsibilities must be formally documented and signed off. They must include general as well as specific responsibilities for implementing, maintaining, or ensuring compliance with the Tapal Tea Information Security Policies.
- In case of any doubt or need for clarification, employees must seek guidance from their immediate line management.
- At the time of orientation of a new employee, the Acceptable Use Policy (AUP) will be shared.
- All employees are responsible for protecting Tapal Tea information assets from unauthorized access, disclosure, modification, destruction, or interference.
- Employees must report any significant breach of IS Policy to line management & Human Resource Department / Information Security.
During Employment
Management Responsibilities
Non-disclosure Agreements
- Confidentiality or non-disclosure agreements should address Tapal Tea’s requirement to protect confidential information using legally enforceable terms, and comply with all applicable laws and regulations issued by regulatory institutions.
- Users are required not to disclose Tapal Tea’s information. For this reason, all users of the Tapal Tea Information Assets will be required to accept non-disclosure obligations.
- All users will be required to re-affirm their non-disclosure obligations by signing the code of conduct, which contains a section on non-disclosure affirmation.
- If any changes occur in the requirements of confidentiality and non-disclosure, these should be incorporated in IS policies.
Third Party Staff
- Third party users who are given access to sensitive information shall abide by the confidentiality and/or non-disclosure agreement.
- Background verification applied to contractors and third parties shall be of the same type and scope as that applied to Tapal Tea staff, where applicable.
- The requirement for third parties and their staff to comply with relevant aspects of IS Policy must be documented in the contract and must be applied to the work.
- Where contractors are provided through an agency, the contract between Tapal Tea and agency must clearly specify the agency’s responsibility to follow Tapal Tea standards for background verification checks. Management must ensure that all obligations to comply with relevant aspects of IS Policy are transferred and communicated appropriately.
- Impact of the non-availability of access to the third party, when required, should be assessed to avoid undesirable consequences.
Information Security awareness, education, and training
- Each employee must be provided with information security awareness training. Training shall be a continuous process and may be carried out annually, on a pre-determined schedule, or upon major technological change, and communicated to all employees from time to time.
- A training needs identification process should be applied. Details of training and certificates (if any) issued during the training must be documented and maintained in each personnel profile.
- Managers in business departments and personnel with privileged system access or access to sensitive business functions must receive customized training explaining their vital role in ensuring awareness among all users; system, database and application administrators must receive specific information security training.
- Staff should be trained in the correct use of information processing facilities (e.g. log-on procedure, passwords, use of software packages, etc.) so that any security mechanisms included in them are used properly and securely.
- The security awareness training may include, but is not limited to:
- Information on known threats.
- The employee responsibilities with regard to security and confidentiality of information and information assets.
- Details of whom to contact for information security guidance.
- Details of proper communication channel for reporting information security incidents.
- Correct use of information processing facilities e.g. log-on procedure, use of licensed software packages and information on the security awareness.
- Information Security awareness training shall be provided to new employees.
Disciplinary Process
- The ER department, in coordination with Information Technology (including Information Security), will initiate disciplinary action for violations of Information Security Policies and will take appropriate action against any user found to be violating the law or causing an information breach, according to the severity of the situation.
- The disciplinary process shall not be commenced without prior verification / collection of evidence that a security breach has occurred.
- The formal disciplinary process shall ensure correct and fair treatment for employees who are suspected of committing breaches of security.
- The formal disciplinary process shall provide for a graduated response that takes into consideration factors such as:
- The nature and gravity of the breach and its impact on business.
- Whether or not this is a first or repeated offence.
- Critical information breach
- Whether or not the staff member concerned was properly trained in permitted use.
- Relevant legislation.
- Business contracts.
- In serious cases of misconduct, the process shall allow for instant removal of duties, access rights and privileges, and for immediate escorting out of the premises, if necessary.
Termination and Change of Employment
Termination and change of employment responsibilities
- Once termination has taken effect, line management must specifically confirm with all relevant departments (e.g. Security Administrator, Premise security etc.) that all access to information, systems and premises has already been terminated.
- If changes in the responsibilities of employees, contract or third-party staff arise, line management must notify the Employee Relationship department and the Information Technology Department to modify logical/physical access rights.
- The respective HOD / in-charge shall be responsible for transfer and documentation of user knowledge that is important to ongoing operations.
- Employee or third-party employee shall be responsible and accountable for information breach even after the end of employment (included in NDA).
Purpose
Tapal Tea is committed to protecting its information assets (including people, procedures, data and information, software, hardware, and networking elements). In order to determine the level of protection required, the information assets must be identified and classified.
Information asset classification determines the relative sensitivity and criticality of information assets, which provides the basis for protection efforts, business continuity planning, and access control. It provides a basis to establish proportionality between the level of Information Security control and the asset value, in order to avoid the cost of overprotecting or the risk of under-protecting information assets.
This policy defines the criteria for the identification and classification of the Tapal Tea’s Information Assets.
Scope
This Policy covers all Information Systems environments operated by Tapal Tea. The term “Information Systems environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (including but not limited to desktops/laptops/smart phones, network devices, wireless devices and printers), software, and information.
Policy Statement
This policy document addresses security requirements for information assets: the information asset inventory, information asset classification, and the handling and labelling of information assets.
Responsibility of Asset
Inventory of Assets
Tapal Tea shall maintain an inventory of all IT assets. Each IT asset shall be identified individually and as part of the collection it belongs to. The following details shall be maintained, including but not limited to:
- Asset code
- Serial number
- Asset Type
- Asset Value
- CIA values
- Asset Custodian
- Asset Owner
- Location (Office)
- Department
- City
- Purchase Date
- End of Life
- IT in coordination with Head of Department/Asset custodian shall identify the criticality of assets to include it in the asset inventory.
- All assets shall have identified information owners who shall be responsible for the protection of assets based on its criticality.
- The IT assets inventory shall be updated periodically for any change to the assets.
- Assets located outside Tapal’s facilities shall be identified, tracked, inventoried and categorized based on their relative importance to Tapal. Associated details (e.g. ownership, business purpose, criticality, classification of the data) shall also be documented.
- The inventory list shall be maintained by the Information Technology Department and reviewed annually.
- Tapal Tea shall adequately protect critical information system assets from unauthorized access, misuse or fraudulent modification.
- The Information assets inventory will be categorized into two major classes, i.e. IT based assets and Non-IT Based assets.
IT Based assets
- Hardware
- Software
- Network equipment
The information asset inventory for the above type of assets will be maintained according to the criteria mentioned below:
Asset identification (Serial Tags) and Asset description
- Asset unique identification number
- Asset location
- Asset owner / designation
- Asset custodian
Asset classification (refer to Annexure “B” for the complete grid).
Non-IT based assets
- People
- Procedures, Flow charts and diagrams, SOPs, Manuals
- Data and Information
Ownership of Assets
- Each asset must have a nominated owner and custodian.
- Information technology in coordination with asset custodian shall be responsible for all steps in the lifecycle of the asset which include but are not limited to:
- Ensuring that assets are inventoried
- Ensuring that assets are classified and protected as per the guidelines
- Defining and reviewing, access restrictions on the assets
- Ensuring appropriate handling and destruction of the asset
Return of Assets
- On termination of employees, contractors and third-party staff, ER / HR will inform the IT Department to take over the assets (e.g. equipment, laptop accessories, software, official documents, mobile computing devices, manuals etc.). Once all assets are returned, the HR department is informed, after which the clearance letter is issued to the departing employee.
- If an employee has not returned an asset or IT accessory, its value will be deducted from the final pay cheque.
- If, at the time of leaving Tapal Tea, a staff member requests to purchase the Tapal Tea (Private) Limited equipment in their use, the request shall be processed as per the General Laptop policy. Before release, all Tapal Tea (Private) Limited data and other information on the equipment must be removed, and the equipment may only be released with the prior approval of the IT Department, which will confirm that company data has been securely erased.
- Sell / buy-back is only allowed after formal approval.
Information Classification
Classification of Information
- Information must be classified in terms of its value, legal requirements, sensitivity and criticality to Tapal Tea (Private) Limited’s business requirements and strategy. The classification of any information stored or processed in an application shall be reviewed annually by the Business Heads / owners of that application. The owner shall reclassify the information asset when its value has changed.
- The information asset classification scheme shall consider:
- Breach of confidentiality: information is made available or disclosed to unauthorized individuals, entities or processes.
- Loss of integrity: the accuracy and completeness of the asset (information/data) is no longer safeguarded.
- Impact of unavailability: information is not accessible and usable upon demand by an authorized entity.
- Asset owner in the consultation with Information Technology shall classify assets based on categories listed below. Information that is not classified will be considered as public.
| Classification | Description |
|---|---|
| Confidential / High | Disclosure has a serious impact on long-term strategic objectives or puts the survival of the organization at risk. |
| Restricted / Medium | Disclosure has a significant short-term impact on operations or tactical objectives. Personally Identifiable Information is also classified as Restricted. |
| Internal / Low | Disclosure causes minor embarrassment or minor operational inconvenience. |
| Public | Disclosure causes no harm. |
- The classification of information and systems must dictate what level of security protection needs to be applied to protect that information.
- Data contained within an information system (master data, data under process, etc.) and the output from information system assets will also derive its classification label based on the Tapal Tea (Private) Limited’s asset classification scheme.
- The Information Security function shall assist information owners (Business Heads) in the asset classification process to ensure that all Tapal Tea’s information-related assets are appropriately classified. However, the prime responsibility for asset classification shall remain with the designated information asset owner.
- The asset classification scheme must be updated for any change to information systems asset inventory.
Labelling of Information
- All information assets shall be labelled physically or electronically in accordance with their asset classification scheme. Information that is classified as public shall not be labelled to reduce workloads.
- All critical documents shall be labelled at the bottom of the document. If a document is physically transferred from one place to another, the envelope shall mention its classification and intended destination.
Handling of assets
- All assets must be stored in a safe and secure environment, in accordance with the manufacturers’ specifications and requirements and with the classification of the information they hold.
- Controls over the storage and handling of information should be consistent with the classification label assigned to the information.
- Personnel who are not employees or contractors of Tapal Tea shall not be able to identify critical business information assets from their labels.
Acceptable use of information and other associated assets
- Introducing unauthorized copies of licensed software or hardware (piracy, copyright or patent infringement) to organization information resources, and copying such material, is prohibited, as is the installation of cracked software.
- Only IT nominated staff shall be allowed to install any kind of software on the user’s system. User shall not be given the authority to install software.
- Introduction of freeware and shareware and other type of software whether downloaded from the internet or obtained through any other media to Tapal Tea information systems shall be subject to a formal evaluation and approval process prior to its installation.
- Receiving, printing, transmitting or otherwise disseminating proprietary data, business strategies, Tapal Tea secrets or other confidential information in violation of Tapal Tea policies or proprietary agreements is prohibited.
- Downloading inappropriate material such as executable files, music files or video files for personal use is strongly discouraged.
- Games are not permitted and shall be removed from all systems.
- Introducing destructive programs (e.g. viruses, self-replicating code) in order to cause intentional damage, interfere with others, gain unauthorized access or inhibit access to the Tapal Tea environment is prohibited.
- Only applications approved or whitelisted by IT function shall be installed on operational systems.
- Usage of Tapal Tea information systems to store, process, download or transmit data that can be construed as biased (politically, religiously, racially, ethnically, etc.) or supportive of harassment shall be strictly prohibited.
- Use of open source/ free file transfer tools for official business purposes shall only be exercised after appropriate approval from relevant business partner/ line manager.
Media Handling
Management of removable media
- Media (e.g., USB drives, SSD drives, hard disks, hardcopy documents etc.) must be controlled and physically protected to prevent interruptions to business activities and damage to critical business information assets.
- Removable computer media (where applicable) must be registered, duly managed and controlled and their movement must be appropriately monitored and logged.
- If the contents of removable media are no longer required by the organization, they shall be removed and rendered unrecoverable.
Disposal of media
- Tapal Tea (Private) Limited shall establish secure practices and procedures for the safe disposal (sale or write-off of obsolete or faulty equipment) and destruction of sensitive information on both paper and electronic media.
- Media containing any type of information (including non-sensitive information that becomes sensitive in aggregate) shall be disposed of (sold or written off) securely, and the disposal shall be logged. Adequate controls shall be ensured when disposal (sale or write-off) of media is outsourced.
- Papers containing critical information shall be shredded and critical media shall be physically destroyed.
- The previous contents of any re-usable media must be completely erased / wiped.
Physical media transfer
- Transport mechanism or couriers to be used by Tapal Tea (Private) Limited shall be authorized by the management at appropriate level and a list of couriers should be maintained and agreed with the management.
- All employees, contractors and third parties must ensure that confidential or sensitive information, or media containing it, is transported in physically secure containers using secure methods of carriage and authorized, approved agents (e.g. couriers).
- Confidential or sensitive information that is reproduced in hard copy for dispatch or distribution, whether internal or external, must be physically protected.
- Confidential or sensitive information should be encrypted before transfer wherever possible.
- All transfers of critical physical media shall be logged by the IT department to maintain an audit trail. The logs shall at least identify the contents of the media, the protection applied and the number of custodians in transit.
Access Control Policy
Purpose
The purpose of this policy is to establish security requirements for access to the information resources of Tapal Tea. Effective implementation of this policy will minimize unauthorized access to Tapal Tea’s proprietary information systems.
Scope
This policy applies to all employees of Tapal Tea and to consultants, contractors and vendor employees who have access to the Company’s IS systems.
This Policy covers all Information Systems environments operated by Tapal Tea. The term “IT environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. all computers / desktop systems, network devices, wireless devices), software and information.
Policy Statement
This policy addresses business requirement for controls related to user access & responsibilities in accessing information systems.
Business requirements of Access Control
Access Control Policy
- Access to Tapal Tea (Private) Limited’s information and system resources must be based on each individual’s role and responsibilities. All such access must be authorized by the Departmental Head in coordination with the Application Owner, or their delegate, who is responsible for the system, application or data.
- There shall be a proper segregation of access controls between access request, access authorization and access administration.
- Access controls should be defined in terms of job roles.
- The access shall be based on the principle of least privileges and need to know.
- Access to critical business information assets and activation of user accounts for contractors, consultants, temporary workers, external auditors, internal auditors or vendor personnel must only be in effect when the individual is actively performing service for the Organization.
- All new system/application accounts must require and be assigned a password that is generated randomly and must be changed at first login. New user accounts and passwords must be issued to users in a secure manner.
- Vendors shall not be provided access to the production environment under normal circumstances. Access to the production environment shall only be provided in an emergency or as an approved exception, and with the following controls:
- Audit logs should be made.
- Audit logs should be monitored by relevant stakeholders.
- All activities should be signed off and retained with the consent of Head of Department.
- User accounts must be attributable to a single individual. Generic / shared user accounts should not be used. Where a generic account is unavoidable, a named individual must be assigned ownership and held accountable for all activity performed with it.
- All exceptions to this policy (e.g. use of a generic account, interactive login for a service account, services required for business purposes, system limitations, password controls) must be submitted to the IT Steering Committee for approval with appropriate business justification. Documentation of all exceptions shall be maintained for record purposes.
Access to network and network services
- Access to the Tapal Tea’s networks and network services must be specifically authorized.
- Access to networks and network services (for example, telnet, ftp, etc.) will be controlled on the basis of business and security requirements, and access control rules defined for each network.
These rules will, at a minimum, take into account the following:
- Security requirements of the Organization’s network or network service(s)
- An identified business requirement for the user to have access to the Organization’s network or network service
- The user’s security classification and the security classification of the network / network service (Asset Classification Policy)
- Legal and/or contractual obligation to restrict or protect access to assets
- Purchase, download or installation of hardware, software or network data monitoring tools, including sniffers and packet filters, is prohibited unless the activity is registered with and approved by the Head of IT.
Identity and Access Management
User registration and Deregistration
- All access requests (new or modification) shall be made by the users using centralized access management system / form or via an email.
- The user’s access rights shall be documented and describe what assets and systems the user is allowed to access.
- Temporary staff, or staff filling a temporary role, must not be lent an existing user’s ID; a new account shall be created and, once no longer required, suspended as per the formal procedure.
- All users of information resources must have a unique User ID which shall be approved by the management at appropriate level.
- A formal record of all registered users shall be maintained. This record shall be checked periodically for unused, redundant, or expired user accesses or accounts, or incorrect privileges.
- Redundant user IDs shall be disabled and shall never be reissued to another user.
Access Rights
- The level of access granted shall be appropriate to the business purpose and shall be consistent with Tapal Tea (Private) Limited’s policy and with segregation of duties.
- A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
- A central record of access rights granted to all users to access information systems and services shall be maintained by IT department and shall be periodically checked for unused, redundant, or expired user accesses or accounts, or incorrect privileges.
- Access rights associated with a user’s previous role shall be blocked immediately when the user changes roles.
- Access to third parties on Tapal Tea’s information shall not be provided until, a contract has been signed defining the terms and conditions for the connection or access and the working arrangement.
- Users will be held responsible for all activities performed with their User IDs. User IDs must not be utilized by anyone but the individuals to whom they have been issued. Users must not allow others to perform any activity with their User IDs.
- Accounts that have been inactive for 90 days must be disabled, after verification with the Departmental Head and/or HR Department that there is no valid reason for continued access.
- Under no circumstances may terminated employees access information assets once terminated. All items belonging to Tapal Tea (Private) Limited must be collected (laptop, computer, smartphone, USB media, software, manuals, etc., where applicable).
Management of privileged access rights
- The creation and use of privileged accounts shall be kept to a minimum.
- Privileges shall be granted only after formal authorization by the GM IT through the centralized access management mechanism.
- An authorization process and a record of all privileges allocated shall be maintained. Privileged (administrative) access rights shall not be granted until the authorization process is complete.
- The privileged access rights associated with each system or process (OS, DB and applications) shall be identified.
- Changes to privileged accounts should be logged for periodic review.
- Generic ID must only be used for specific purposes with ownership of ID formally documented and approved. Where possible, use of generic ID should be restricted to specified workstations or servers.
Management of secret authentication information of users
- Initial passwords must be communicated to the user securely, i.e. the User ID may be sent to the requestor, but the requestor must call the administrator, who, after verifying that the caller is indeed the requestor, shall divulge the password.
- Password must not be communicated or stored in clear text.
- The system should prevent the selection of easy-to-guess passwords (including the user’s own ID, the organization name, words found in dictionaries and encyclopaedias, etc.); where possible, filters must be applied to enforce this.
- Employees are advised to follow best password practices stated in the Password Management policy.
Review of user access rights
- Special privileged User IDs (e.g. administrators, users/groups with special rights) must be reviewed by the Information Technology function bi-annually.
- Activity logs of privileged users (including system start-up and shutdown, I/O device attachment/detachment, and processes) must be maintained and reviewed bi-annually by the Information Security function.
- Bi-annually, IT Department should send Access Control Lists to the respective Business Heads (or delegates) for their review to assess users’ access rights.
- Any amendment in the access rights will be done by the IT Department on Department Head’s formal request.
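A periodic access review of the kind required above (unused or expired accounts, terminated users still holding access, generic IDs without a documented owner, and the bi-annual list of privileged IDs sent to Business Heads) is straightforward to automate once the access record is exported. The Python below is an added example, not Tapal Tea’s own tooling: the AccountRecord fields and the sample accounts are constructed for illustration, and the 90-day inactivity threshold is the one stated in this policy.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence, Tuple

INACTIVITY_LIMIT_DAYS = 90  # policy: accounts inactive for 90 days are disabled


@dataclass(frozen=True)
class AccountRecord:
    user_id: str
    owner: str                  # named individual accountable for the ID ("" = undocumented)
    enabled: bool
    privileged: bool
    generic: bool               # shared / non-personal ID
    last_logon: Optional[date]  # None = never logged on
    hr_status: str              # "active", "terminated", or "n/a" for non-personal IDs


def review_accounts(accounts: Sequence[AccountRecord], today: date) -> List[Tuple[str, str]]:
    """Flag enabled accounts that the policy says must be disabled or documented."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing left to revoke
        if acct.hr_status == "terminated":
            findings.append((acct.user_id, "terminated user still enabled"))
        idle_days = None if acct.last_logon is None else (today - acct.last_logon).days
        if idle_days is None or idle_days > INACTIVITY_LIMIT_DAYS:
            findings.append((acct.user_id,
                             f"unused or inactive for more than {INACTIVITY_LIMIT_DAYS} days"))
        if acct.generic and not acct.owner:
            findings.append((acct.user_id, "generic account without a documented owner"))
    return findings


def privileged_review_list(accounts: Sequence[AccountRecord]) -> List[str]:
    """Enabled privileged IDs to be sent to the business for the bi-annual review."""
    return sorted(a.user_id for a in accounts if a.enabled and a.privileged)


# Constructed sample export (hypothetical accounts, not real Tapal Tea data).
REVIEW_DATE = date(2024, 7, 1)
SAMPLE_ACCOUNTS = [
    AccountRecord("jdoe", "J. Doe", True, False, False, date(2024, 6, 28), "active"),
    AccountRecord("asmith", "A. Smith", True, True, False, date(2024, 2, 1), "terminated"),
    AccountRecord("svc_backup", "", True, True, True, date(2024, 6, 30), "n/a"),
    AccountRecord("old_user", "O. User", False, False, False, date(2023, 1, 1), "terminated"),
    AccountRecord("rkhan", "R. Khan", True, False, False, None, "active"),
]


def run_sample_review() -> List[Tuple[str, str]]:
    return review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user_id, reason in run_sample_review():
        print(f"{user_id}: {reason}")
    print("privileged IDs for review:", privileged_review_list(SAMPLE_ACCOUNTS))
```

The review deliberately skips accounts that are already disabled and treats an account that has never logged on as unused, so that a dormant new account is caught by the same rule as a stale one. In practice the records come from the directory and HR exports; joining the two is what exposes the terminated-but-enabled case that neither system shows on its own.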
Removal or adjustment of access rights
- Once notice of termination has been given, or a resignation has been accepted, line management must notify the Human Resources department so that access rights to information systems (e.g. email, operating systems and applications), to Tapal Tea (Private) Limited’s premises and to accessible assets can be revoked.
- Upon resignation, access shall be revoked on the last working day.
- As part of the staff exit procedure, line management must take over from departing employees, contractors and third-party staff all high-privilege ID passwords (domain, administrator and other password-driven controls), security keys of fireproof cabinets, confidential files (paper and electronic), control devices and controller keys (if any), and the pre-defined combinations of locks.
- Physical access of the departing staff, contractor or third-party staff must be immediately removed from the information processing facilities.
- Once termination has taken effect, line management must specifically confirm with all relevant departments (e.g. Security Administrator, Premise security etc.) that all access to information, systems and premises has already been terminated.
- If changes in responsibilities of employee, contract or third-party staff arise, line management must notify Human Resource department to modify logical / Physical access rights.
System and application access control
Information access restriction
- Tapal Tea (Private) Limited management shall ensure that sensitive applications / systems are specifically identified through the risk assessment process based on information classification. Sensitive applications and systems shall be logically and physically segregated where information requirements dictate special handling and protection. Wherever possible and practical, for critical systems or for users/systems where access is only required during business hours, active sessions shall be limited to a specified timeframe.
Secure log-on procedures
- Systems shall display a general warning notice / banner stating that the computer may only be accessed by authorized users.
- Access to operating/application systems should use secure log-on mechanisms; the system/application must not provide any help to the user during the log-on process that could aid an unauthorized user.
- On un-successful log-on, system must not reveal which part of the log-on data is invalid.
- Passwords shall not be transmitted in clear text over a network.
Password management system
- At a minimum, all system access will be authenticated by passwords.
- Each staff must have a unique User ID (name based/personnel ID) in the context of a specific system/application.
- User IDs and passwords must be allocated to an individual and must not be shared. An exception exists for the ERP / core business application: where a department has more users than user IDs, business owners have, for cost-saving reasons, shared user IDs between users with almost the same functions who work in shifts on the same job. Any entry that bears a financial impact can be traced through a report that identifies the machine name and IP address, which reduces the risk.
- Newly issued password must expire on first log -on, forcing user to change his initial password, where applicable.
- The IT manager must ensure that newly issued passwords are unique and random.
- Passwords must never be displayed on the screen in a readable form when being entered.
- For verification purpose while changing the password, user must be prompted to re-enter the password.
- Users must be forced to change passwords at least every 90 days on individual applications, with 5 grace log-ons, where applicable.
- IT Manager must follow the “Account Reactivation Procedure” when dealing with the user request for lock or forgotten passwords.
- Passwords must not be shared, even with IS service desk / support staff, the Security / IT manager or senior management. Where a password has to be disclosed to address a specific condition, prior permission of line management is required and the password must be changed immediately afterwards.
- New passwords must be at least 2 characters different than the previous password, where applicable.
- Passwords must not be hard coded e.g. in batch files, scripts and others.
Password Standard
- Password length must be 8 or greater alpha-numeric characters and must be case sensitive.
- Password shall contain both upper- and lower-case characters (e.g., a-z, A-Z).
- Passwords shall contain digits and punctuation characters as well as letters (e.g. 0-9 and @#$%^&*()_+|~-=\`{}[]:";'<>?,./).
- The user must not be permitted to change their password to any of the last 12 passwords they had (if this is not possible then it should be the maximum supported in a particular environment).
- Password must be changed immediately when compromised by disclosure or possible disclosure.
- The user account should be locked after 5 consecutive unsuccessful log-on attempts, locked accounts will be unlocked automatically after a certain time period. (where applicable)
Password standard by account type:

| Requirement | Standard Users (AD/General Systems) | Privileged Users | SAP Systems (as per new SAP guidance) |
|---|---|---|---|
| Minimum Length | 8 characters | 12 characters | 15 characters |
| Uppercase Letters | Required | Required | Minimum 1 |
| Lowercase Letters | Required | Required | Minimum 1 |
| Numeric Digits | Required | Required | Minimum 1 |
| Special Characters | Required | Required | Minimum 1 |
| Password Expiry | 90 days | 90 days | 90 days |
| Password History | Last 12 remembered | Last 5 remembered | Last 15 remembered |
| Minimum Time Before Change | Not enforced | Not enforced | 1 day |
| Minimum Character Difference | At least 2 characters | At least 2 characters | At least 1 character |
| Max Idle (Inactive) Time | N/A | N/A | 7 days (initial), 90 days (productive users) |
| Failed Attempts Before Lockout | 5 attempts | 5 attempts | 3 to end session, 6 to lock user |
| Auto Unlock | After grace period (if applicable) | After grace period | Disabled (login/failed_user_auto_unlock = 0) |
Password for Privilege IDs
- Password length for privilege IDs must be 12, or greater alphanumeric characters, wherever applicable.
- Privilege ID’s owner must not be permitted to change password to any of the last 5 passwords, wherever applicable.
- Privilege ID passwords should be kept in a sealed envelope, or protected by an equivalent software “envelope” (if applicable), in a fireproof locker under the custody of GM IT / Information Security, and may be used under logged control when the ID holder is unavailable or has forgotten the password.
- The privilege accounts shall be locked after 5 consecutive unsuccessful log-on attempts.
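The password standard in the table above, together with the privileged-ID rules just listed, can be enforced by a single validation routine at password-change time. The following Python is an added example and is not part of the Tapal Tea policy or any of its systems: it transcribes the table’s values for the three account classes into a small data structure and checks a proposed password for minimum length, the four character classes, presence of the user ID, a constructed deny-list standing in for the dictionary filter required under “Management of secret authentication information”, the minimum character difference from the current password, and reuse within the history window. The deny-list words, the PBKDF2 parameters and the sample passwords are assumptions for illustration only.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class PasswordStandard:
    name: str
    min_length: int
    history: int              # previous passwords that may not be reused
    min_char_difference: int  # characters that must differ from the current password


# Values transcribed from the Password Standard table. Expiry and lockout are
# enforced by the authentication system itself, not at password-change time.
STANDARD_USER = PasswordStandard("Standard Users (AD/General Systems)", 8, 12, 2)
PRIVILEGED_USER = PasswordStandard("Privileged Users", 12, 5, 2)
SAP_USER = PasswordStandard("SAP Systems", 15, 15, 1)

# Constructed stand-in for the "easy to guess" filter (organisation name,
# dictionary words). Assumption: a real deployment loads a dictionary file.
DENY_WORDS = ("tapal", "password", "welcome", "summer")

PBKDF2_ROUNDS = 100_000  # assumption; tune to the hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, so the history store never holds clear text."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def char_difference(old: str, new: str) -> int:
    """Positions that differ, plus any difference in length."""
    return sum(1 for a, b in zip(old, new) if a != b) + abs(len(old) - len(new))


def check_password(new_pw: str, standard: PasswordStandard, user_id: str,
                   current_pw: Optional[str] = None,
                   history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the rules the proposed password violates ([] means compliant).

    current_pw is the password being replaced, the only old password that is
    available in clear at change time; history holds (salt, digest) pairs of
    earlier passwords, oldest first.
    """
    problems = []
    if len(new_pw) < standard.min_length:
        problems.append(f"shorter than {standard.min_length} characters")
    if not any(c.isupper() for c in new_pw):
        problems.append("missing uppercase letter")
    if not any(c.islower() for c in new_pw):
        problems.append("missing lowercase letter")
    if not any(c.isdigit() for c in new_pw):
        problems.append("missing digit")
    if not any(c in string.punctuation for c in new_pw):
        problems.append("missing special character")

    lowered = new_pw.lower()
    if user_id.lower() in lowered:
        problems.append("contains the user ID")
    for word in DENY_WORDS:
        if word in lowered:
            problems.append(f"contains deny-listed word '{word}'")

    if current_pw is not None and char_difference(current_pw, new_pw) < standard.min_char_difference:
        problems.append(f"fewer than {standard.min_char_difference} characters "
                        "different from the current password")

    # Only the last `history` entries count; re-hash the candidate with each stored salt.
    for salt, digest in list(history)[-standard.history:]:
        if hmac.compare_digest(hash_password(new_pw, salt)[1], digest):
            problems.append(f"reuses one of the last {standard.history} passwords")
            break
    return problems
```

Two points the code makes explicit that the table does not: the “minimum character difference” rule can only be evaluated against the current password, because that is the only old password the system sees in clear at change time; and the history rule is evaluated against salted hashes, so honouring the policy’s ban on storing passwords in clear text does not prevent enforcing it. The SAP lockout behaviour (session end after 3 failures, lock after 6) is an authentication-time control and is left to the SAP profile parameters shown in the table.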
Use of privileged utility programs
- Information Technology management shall ensure that all utility programs, having the capability of overriding system and application controls, are identified and catalogued. Installation of such utilities shall be forbidden, unless explicitly authorized by IT Manager, with clear requirements. Access to such utility programs shall be granted only for a specific duration to authorized personnel.
- System utilities should not be available to users who have access to applications on systems where segregation of duties is required.
Access control to program source code
- Access to program source code and associated items (such as designs, specifications, verification plans and validation plans) shall be strictly controlled, in order to prevent the introduction of unauthorized functionality and to avoid unintentional changes.
- Modified source code can be deposited into the library as a new version of the source code. However, overwriting or modification of existing source code in the library is strictly prohibited.
- Implement version controls to ensure that only authorized programs are migrated to quarantine and production environments.
- Archive old versions of source codes with a clear indication of the precise date, time and all necessary information.
- Establish a secured library or quarantine area for programs pending migration to the production environment, accessible only to the personnel who perform the migration process.
- Only the designated and authorized source code librarian (and no other person) shall have write access to the source code library.
- An audit log of all accesses to program source libraries shall be maintained by an authorized resource and reviewed by the Senior Manager Systems and Application.
Physical and Environmental Security
Purpose
This policy establishes guidelines to prevent unauthorized access to, and interference with, the Company’s premises and information assets. It also sets guidelines for security controls that prevent damage from physical security threats and environmental hazards.
Scope
This policy applies to all users of information assets including the Company’s employees, employees of temporary employment agencies, vendors and contractor personnel regardless of geographic location.
Policy Statement
Physical and environmental security protects information and information systems facilities from physical and environmental threats. Physical access to information processing areas and their supporting infrastructure (communications, power, and environmental) must be controlled to prevent, detect, and minimize the effects of unintended access to these areas.
This policy document addresses issues related to physical security perimeter, physical entry controls, working conditions, securing offices, data centres, equipment security and general clear desk / clear screen controls.
Secure Areas
Physical Security Perimeter
- The strength and complexity of security perimeter applied to Tapal Tea premises must be consistent with value of the information and other assets contained there, based on the results of the risk assessment.
- Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
- When premises are unoccupied, all lockable doors, windows and openings in the premises must be closed and locked.
Physical Entry Controls
- All employees, employees of temporary employment agencies, vendors and contractor personnel and other visitors entering the Tapal Tea’s premises are required to wear the company supplied identification cards.
- All Tapal Tea staff accessing secure area must wear company provided I.D. Cards, and they should be encouraged to challenge unescorted strangers and anyone not wearing visible identification.
- Details of all visitors should be recorded in a visitors log at the entrance, and they should be given a visitor’s pass upon depositing a valid Identification Card.
- Physical access to the Tapal Tea’s information systems facilities is to be restricted to authorized persons only. Authorization to enter restricted facilities is to be granted only when there is a business or technical reason for the person to enter the premises. Authorization to enter such facilities is to be only issued by the GM IT or his delegate.
- Access to sensitive or critical information processing facilities outside normal working hours must be specifically authorized and logged.
- Physical access rights must be revoked immediately, if any, upon termination/ resignation of employees or completion of a consultation or vendor agreement.
Securing Offices, Rooms and Facilities
- All source media for operating system software, applications, backup tapes/devices, documentation and license keys must be clearly labelled and stored in a software library (preferably within a fireproof cabinet) in a restricted access zone with access for authorized personnel only.
- Adequate intrusion detection controls (e.g. burglar alarms, motion detectors) and safety devices (fire alarms, smoke detectors, closed-circuit television, etc.) must be installed in all offices and switch rooms, depending on the nature and criticality of the information assets present.
Protecting Against External and Environmental Threats
- The server rooms shall be equipped with supporting infrastructure (e.g. air conditioning systems and security alarm systems, and automatic emergency lighting where applicable); they must have a stable, consistent electrical power supply that is free from surges and interference (e.g. via UPS) and a stable water supply, so that equipment is not damaged and fire suppression can act effectively.
- Smoke detectors shall be installed throughout the information processing facility to detect fire incidents in a timely manner. The detectors shall produce an audible alarm when activated.
- Fall-back equipment and backup media must be available at a sufficiently distant location to avoid damage from a disaster affecting the main site.
- Smoke detectors and fire extinguishers shall be tested periodically (at least bi-annually) in line with the local fire insurance policy and local regulations.
- Telecommunications equipment should be appropriately protected.
Physical Security Monitoring
- The organization is committed to continuously monitoring its secure premises to detect and prevent unauthorized physical access. This monitoring will be in place to safeguard sensitive areas and information.
- Monitoring systems will be configured to provide real-time alerts for any unusual or unauthorized activities. These alerts will be promptly investigated and addressed by designated personnel.
- Tapal Tea’s surveillance CCTV and DVR system should be maintained by the IT Department and the Administration Department.
- A dedicated team will be established to centrally monitor and manage physical security incidents.
- Regular security assessments and audits will be conducted to evaluate the effectiveness of physical security monitoring measures.
Equipment
Equipment Security
- Equipment critical to the operation of the IT infrastructure must not be moved from its location unless authorized.
- Equipment should be protected from power failures and electrical anomalies.
- Electrical supply must conform to the manufacturer’s specifications for each piece of equipment.
Equipment Maintenance
- Equipment preventive maintenance should be in accordance with the supplier’s recommended service intervals and specifications.
- When equipment is scheduled for maintenance, Tapal Tea shall ensure that protocols are established to safeguard any sensitive data or information stored within or accessed by that equipment.
- It shall be ensured that only authorised personnel carry out repairs and maintenance of equipment, under the supervision of the Head of the relevant department.
- Records should be kept for all suspected or actual faults, and all preventive and corrective maintenance.
- All requirements imposed by insurance / SLA/ warranty policies should be complied with.
Security of Equipment off Premises
- IT must keep a formal record of all equipment taken offsite with details of the equipment.
- Formal approval should be granted to all employees, contractors and third-party users who are responsible for taking equipment off premises.
- Time limits for equipment removal should be set and returns checked for compliance.
- Adequate insurance cover should be in place to protect valuable equipment off-site (if applicable).
Unattended User Equipment
- Unattended systems must be set to lock out after fifteen (15) minutes of inactivity and terminate active sessions. The time-out delay should reflect the security risks of the systems / applications.
- Workstations must be locked/secured with a password prior to being left unattended.
Clear Desk and Clear Screen
Tapal Tea should promote a clear desk and clear screen standard. At a minimum, this standard should include the following:
- Users shall ensure all confidential information on paper and on electronic media such as tapes, CDs and USB drives is stored in locked cabinets when not in use, especially after working hours.
- Sensitive or critical business information should be locked away (ideally in a fire-resistant safe or cabinet) when not required, especially when the office is vacated.
- Laptops must be locked in a drawer or cabinet.
- Personal computers and computer terminals shall not be left logged on when unattended and should be protected by passwords or other access controls when not in use.
- IT shall ensure that all desktops, terminals and laptops at Tapal Tea are protected with a password-enabled lock.
Supporting utilities
- Tapal Tea is committed to ensuring uninterrupted availability of supporting utilities essential for the operation of its information processing facilities. This includes power supply, heating, cooling, and other utilities necessary for maintaining optimal facility conditions.
- Monitoring systems and alarms will be implemented to provide real-time notifications of deviations or disruptions in supporting utilities. This proactive approach enables prompt intervention and mitigation measures.
- Supporting utilities will be integrated into the Tapal Tea’s business continuity and disaster recovery plans. These plans will outline strategies for maintaining operations during utility failures and restoring normalcy efficiently.
- Power conditioning equipment, such as surge protectors and voltage regulators, will be employed to safeguard information processing facilities from power-related disruptions. Backup power sources, such as generators and uninterruptible power supplies (UPS), will ensure continuous operations.
Cabling security
- Power and telecommunications lines into information processing facilities must be protected from interception or damage.
- Clearly identifiable cable and equipment markings should be used to minimize handling errors, such as accidental patching of wrong network cables.
Secure Disposal or Re-use of equipment
- Media containing information of any type (including both sensitive information and non-sensitive information that becomes sensitive in aggregate) should be disposed of securely, and the disposal should be logged.
- Adequate controls should be ensured while outsourcing disposal of media.
- The previous contents of any re-usable media must be completely erased.
- Labels and markings that could identify the organization or asset owner should be removed prior to disposal, even when donating to charity.
- The organization or designated function should evaluate risks to decide whether items should be physically destroyed or discarded to prevent negligent disposal.
- The organization shall encrypt data, if necessary, to minimize the risk of disclosing confidential data before disposal.
- If the organization uses overwriting tools, it should ensure they are compatible with the storage media’s technology for secure disposal.
- Record the disposal in the document referenced as the “Data Retention and Disposal Guidelines” sheet.
Purpose
The purpose of this policy document is to ensure the correct and secure operation of information processing facilities, to minimize risk due to system failures, and to safeguard the integrity of information processing facilities and software. This policy also provides guidelines to ensure secure IT and network operations and the exchange of information within the Company and externally.
Scope
This policy applies to all users of information assets including the Tapal Tea employees, employees of temporary employment agencies, vendors and contractor personnel regardless of geographic location.
Policy Statement
Operations management is an important function that has a significant impact on information security. Therefore, a documented policy covering operational procedures, segregation of duties, backup and media handling, monitoring and guidelines on exchange of information, is required.
Operation Procedure and Responsibilities
Documented operating procedures
- Operating procedures must exist for all aspects of managing the operational environment.
- The respective In-Charge / Department Head shall own the operating procedures for their department and shall follow these procedures within that department.
- Operating procedures must describe the correct execution of activities.
- The manual shall contain, but is not limited to:
- Enterprise architecture of overall IT application and network setup.
- System setup and installation instructions
- Application & Database setup and installation instructions
- Application of security patches on Operating system/ Application / Database
- Description of equipment being used
- System restart and recovery procedures for use in the event of system failure
- Management of audit-trail and system log information
- Backup of operational / administrative information
- The handling of errors and exception conditions.
- Details of support contacts in the event of unexpected operational or technical difficulties.
- The secure disposal of output from failed processing runs.
Security of System Documentation
- Tapal Tea Pvt Limited should ensure that complete and up-to-date system documentation for its applications is available and secured against unauthorized access.
- System documentation must be protected from unauthorized access and stored in a secure place.
- Access to system documentation shall be on a need-to-know basis and authorized by the Manager Information Technology.
- The system or application owner must authorize or approve distribution lists for system documentation relevant to his/her department. System documentation may include sensitive or confidential department information e.g. master data required for testing. This list must be restricted to a minimum number of parties.
- Valid documentation that supports the Tapal Tea’s departments, and which is used by programming, operations, and user personnel, must be developed, maintained, and protected. Access to this documentation must be restricted to personnel performing official duties.
- Maintain the type and level of documentation for each project phase including business case, project requests, feasibility studies, project strategy, project plans, testing plans and lesson learned documentation etc.
- Establish system documentation including system concept narratives, data flow charts and database architecture and specifications.
- Define roles and responsibilities of administrators to ensure that all changes to system, application and configuration documentation are made according to prescribed standards.
- Formulate procedures on system development and all related documentation including development, testing, trainings, production, operational administration and user manuals.
Change Management
- All changes to Tapal Tea’s information systems environment must be documented, reviewed, authorized and tested (in a testing environment) prior to being made operational in the production environment. The term “changes to Tapal Tea’s information systems” includes, but is not limited to, changes to the following:
- Hardware (Servers / Infrastructure) and their configurations
- Operating systems and operating system configurations
- Application software programs and application software configurations
- Database configurations
- Network and communication device configurations
- At a minimum, the following requirements must be adhered to when significant changes are being made to the production environment:
- Risk and impact analysis of the change request should be performed in relation to existing infrastructure, network, up-stream and downstream systems. Further, risk assessment must be performed to identify potential impacts of the change on business operations and interdependent systems.
- Time frame for the approval process must be established.
- Approval must be documented.
- Documentation supporting the change must at a minimum reflect the:
- proposed change
- management’s approval
- details of the changes to be performed, and
- the eventual outcome
- Responsibilities and accountability for changes must be identified.
- A Change Advisory Board (CAB) must be formed. At a minimum, the following representation should be considered:
- General Manager IT (Head of IT)
- Business Analyst Manager (SAP)
- Chief Finance Officer (where applicable)
- Senior Manager IT Infrastructure
- IT Business Partner
- Representatives from the IT Department and the CAB must additionally be involved in reviewing proposed changes and in the decision-making process.
- Principles regarding segregating duties must be followed (i.e. developers must not be permitted to access production data, modify systems, or move software to the production environment).
- An appropriate mechanism must be in place to verify changes and to ensure that no unauthorized changes have been made.
- Version Control Systems should be followed and properly documented for every step and change made in the system.
- Roll-back / fall-back and back-out procedures should be identified and documented so that a former version of the system or application can be restored if a problem is encountered during or after deployment, where applicable.
- Alternative recovery options should be established for situations where a change does not allow Tapal Tea to revert to the prior state.
- Where practical, changes to computer environment / operations parameters must be carried out in a test environment before migrating to the production.
- The impending change should be adequately tested and accepted by users prior to the migration of the changed modules to the production system. Test plans for the impending change should be developed and documented appropriately. Further, test results with user sign-offs must be obtained prior to the migration.
- Emergency changes procedures must be established and in cases where emergency changes are carried out, they must be documented and go through post review and approval.
- The logging facility should be enabled to record activities that are performed during the migration process.
- Post-implementation reviews of application and other system operations must be conducted at a defined frequency to ensure that only authorized changes have been made.
- Change management responsibilities for changes in Cloud services and processes shall depend on the Cloud service model.
Patching Management
- All service packs, security patches and fixes must be applied as soon as they become available.
- Tapal Tea shall establish procedures to test patches in a segregated environment, and to install them when appropriate. The procedures shall include the identification, categorization, prioritization of security patches and their testing processes.
- All other servers must have critical security patches applied as soon as they become available and have passed the system acceptance testing. All other patches must be applied as appropriate. There must be a full record of when and which patches have been applied.
- Upon the need or request of a business user or IT, patches will be incorporated into systems in a systematic way. The patch/enhancement is first implemented in the Dev/QA environment, then reviewed in accordance with the change management policy, and then implemented on the production server, with the whole trail documented through a centralized change management mechanism.
- Hardware, operating systems, software, applications, databases and servers must be securely configured, with all unnecessary services and programs disabled or removed.
Configuration management
- Procedures or automated tools must be available for detecting configuration changes to a system and for generating alerts as appropriate.
- Management must adopt latest technical standards and develop baselines to configure each component accordingly.
- Adequate documentation of all configurations and settings of operating systems, software, databases and servers must be maintained.
- Where applicable, a centralized configuration repository should be maintained for the Production and DR sites, consisting of software, hardware and network configuration information.
- All configuration changes by Application / System / Database Administrator must be verified against current standards and for appropriate levels of approval.
- An audit log recording the change history of components must be maintained by management for ready reference, where applicable.
- Baseline secure configuration of servers, applications, databases, and network devices shall be documented and updated periodically based on new threats, vulnerabilities, or introduction of new software/hardware versions. Baseline configuration should be aligned with organisation’s information security policy.
- All unnecessary services and programs should be disabled or removed.
- The organisation may consider the following for secure templates:
- Minimize privileged access identities.
- Disable unnecessary and unused identities and functions.
- Restrict access to powerful utilities and host perimeters.
- Enforce clock synchronization.
- Change vendor default authentication information immediately after installation.
- Implement time-out facilities for inactive computing devices.
- Ensure compliance with license requirements.
- Monitor configurations using system management tools regularly.
- Address deviations through automatic enforcement or manual corrective actions.
Capacity management
- The Sr. Manager IT Operations / Sr. Systems Manager / GM IT, with the help of their team, shall be responsible for identifying new and ongoing activities and their capacity requirements in their relevant area.
- The Sr. Manager IT Operations / Sr. Systems Manager / GM IT, with the help of their team, shall ensure that system tuning and monitoring is applied, ensuring the availability and efficiency of systems.
- The Sr. Manager IT Operations / Sr. Systems Manager / GM IT, with the help of their team and in collaboration with the respective technical lead, shall project future capacity requirements, taking into account new business and system requirements and current and projected trends in Tapal Tea (Private) Limited’s information processing capabilities.
- The Tapal Tea (Private) Limited shall initiate capacity planning to address internal factors (growth, mergers, acquisitions, new product lines and the implementation of new technologies) and external factors (shift in customer preferences, competitor capability or regulatory or market requirements).
- Procedures should be in place to monitor the future capacity requirements of the information systems and key personnel.
- Capacity planning shall be closely integrated with the budgeting and strategic planning processes. It shall also address personnel issues including staff size, appropriate training and staff succession plans.
- Capacity management requirements must be documented on a standard format and agreed with Business Head, Information Security Function & Information technology Department for all new developments before they go live in the production environment.
- Capacity requirements must be outlined in anticipation of the demand of these resources before servers (application, database, file, web etc.) and network infrastructure are placed into the production environment. At a minimum, the following should be determined when planning capacity requirements:
- Storage requirements
- Peak and off-peak usage requirements
- Procurement of resources for long lead time
- Scalability of the resource in meeting unexpected demands
- Capacity utilization monitoring, and
- Trend documentation and analysis
- During the formal risk analysis process when the system is being developed or changed, the Departmental Head in collaboration with GM Information Technology must determine the need for, and extent of, resilient facilities and features.
Separation of development, testing and operational environments
- Development and test environments must be completely segregated from production environments.
- Any changes to the operational system shall only be allowed after successful User Acceptance Testing (UAT) and final approval by Business Owner and GM Information Technology.
- Compilers, editors and other development tools or system utilities shall not be installed on operational/production systems.
- Development, test and production environments must be logically as well as physically separated and a formal documented process must be in place to manage the migration of application code, changes or additions in system from one environment to another.
- The test environment should emulate the configuration of the production environment as closely as possible.
Protection from malware
Controls against malware
- Anti-malware software must be installed and maintained on all workstations and servers and provided on appropriate points on the network. The software must be from an established vendor with consistent results in recognizing and removing malware.
- Periodic review of all business-critical systems must be conducted to identify all software running on the systems. Any unauthorized files or software must be formally investigated and if appropriate be deleted and reported to respective Head of Department.
- To protect systems from malware, users must not:
- Install software from any external source including the internet, CD / DVD-ROMs, USB memory sticks etc. on their workstation.
- Add their personal screensavers, desktop images, photos or utilities to the workstation / terminals.
- All workstation software must be approved and installed by Information technology in accordance with the IS Policy.
- Malware can be introduced through hoax emails, and users must be vigilant to guard against this. Users must not forward emails that claim to be warnings; these are often chain emails. Users must report such emails to the Information Technology service desk.
- All files received should be checked for malware at the point of entry onto the network.
Backup
Information Backup
- Backup frequency must be determined in line with the classification of information. It must specify the type of backup required (full, partial, incremental, differential, and real-time) and the requirements of the Business Continuity and Disaster Recovery Plan for each application.
- Backup copies must be retained in accordance with legal, regulatory and Tapal Tea (Private) Limited requirements.
- Each application must have a documented backup strategy, e.g. making both on-site and off-site backups and transferring them to the off-site location. Off-site backup storage must be in physically secured locations, i.e. protected from fire, water, dust etc.
- The details of the planned backup schedule for each business application must include the retention period for backup or archived information and the retention period must be consistent with legal, regulatory and company’s requirements.
- All copies of executable code must be considered sensitive information and must be backed up to off-site storage.
- All media containing backup information must be labelled with the information content, backup cycle, backup serial identifier, backup date and classification of the information content.
- System programs and configuration information must be included in backups as well as data.
- Confidential information on backup media must be encrypted; otherwise the backup media must be physically secured to prevent interception.
- All long-term backup media must be refreshed within the expected working life of the media; backed up information must be transferred to new copies of the relevant media or alternative, long lifetime media.
- System and application software backup shall be performed before system upgrades and/or maintenance.
Backup of Licensed Software
- Backup copies of purchased software must be in accordance with the vendor’s licensing agreement. Unauthorized copying of purchased commercial software is considered software piracy and is a violation of copyright law and Tapal Tea (Private) Limited policy.
- Backup copies of purchased commercial software must not be used on any computer outside of those in the original license, with the exception of contingency testing / disaster recovery.
Backup Rotation
- Rotation logs must be kept indicating date and time backup was sent offsite, expected onsite return date and name of person transporting the backup. Only approved and authorized personnel shall be used, and notification and receipt of backup must be provided, especially if the service is performed by a third party.
Recovery Testing
- Restoration procedures must be documented and formally tested to ensure that they are completed within the time allotted as per the operational procedures for recovery.
- Backup recovery testing should be done to the restoration machine rather than the machine that created the backup (to ensure there is no specific fault with the disk write system on the machine being backed up).
Logging and Monitoring
Event logging
Audit Logging
- Error logging should be enabled on critical business systems.
- User activity logs must be monitored regularly by Information Security function.
- User password change must be recorded in the logs.
- The frequency of security log review depends on the risk assessment of the information systems and relevant legal requirements.
- Security logs of all critical information systems must be stored at an off-site location regularly, where applicable.
- Audit logs should be archived as per business, regulatory and contract requirements.
- Off-line storage logs must be retained for a period consistent with relevant local legal and regulatory requirements and business/operational needs.
Fault Logging
- Tapal Tea (Private) Limited may create a user service desk to ensure that users perform their job functions in an efficient and effective manner. The service desk may record and track incoming problem reports, whether handled by live operators or automated systems. Further, Tapal Tea (Private) Limited may also define key performance indicators (KPIs) for the resolution of different problems / issues.
- Users must report to the IT service desk / support all incidents in which a system is unable to function as required.
- Information Security in collaboration with Information Technology should review the log of all faults reported by users to ensure that the faults have been satisfactorily resolved.
- Corrective measures should be reviewed to ensure that security controls have not been compromised and the action taken is fully authorized.
Protection of log information
- Controls should aim to protect against unauthorized changes to log information and operational problems with the logging facility including:
- Alterations to the message types that are recorded.
- Storage capacity of the log file media being modified, resulting in either the failure to record events or over-writing of past recorded events.
- All security activities and events recorded in a security log must have date, time stamps and terminal identity on them at the time of log-in and log-off.
- Information system events must be logged as evidence of unauthorized or unusual use, including at a minimum the following:
- Unsuccessful login
- Attempt to login outside of working hours
- Failed attempt to access controlled files, directories or other resources
- DB Tables Accessed/ Altered/ Dropped/ Created
- Changes to system configuration
- Use of privileges
- Use of system utilities and application
- System Driven Approvals (For e.g. approval of gate passes)
- Deactivation of audit logging / trail.
Administrator and operator logs
- System / Database Administrators must not be allowed to erase or de-activate logs of their own activities. These files should be marked as read-only.
- Adequate logging and monitoring of systems and user activities must be in place to detect irregularities, and logs must be protected from manipulation.
- Security logs must be reviewed regularly by a reviewer independent of those who perform the activity (users, administrators, developers and support functions).
Clock synchronization
- Procedures should be in place to check information-processing systems’ clocks against Local Standard Time, if applicable.
- Privilege to set or re-set system time should be restricted.
- Processes must be in place to ensure the accuracy of clocks used to put timestamps on security log entries.
- Any variation in time shall be reported to GM of Information technology and Information Security Officer.
Monitoring activities
The equipment, services and technology used to access the internet are the property of the organisation, and the company reserves the right to monitor and examine internet traffic and access data that is composed, sent or received through its online connections.
- All sites and downloads may be monitored and/or blocked by the organisation if they are deemed to be harmful and/or not productive to the business.
- Any employee found misusing internet facility will have to face disciplinary action as deemed appropriate by the management.
- The company shall evaluate and implement appropriate controls relative to the complexity of their network. Further, the company shall deploy an effective mechanism to monitor security policy violations and typical activities on their network.
- Information Security function, along with the Network Infrastructure team, will monitor the activities over the network for any unusual occurrences, system alerts or failure of system.
- Capacity, uptime and quality of Tapal Tea’s networks should be sufficiently monitored to ensure reliable operation and availability. Technology resources monitored for capacity planning include, but are not limited to, platform processing speed, core storage for each platform’s central processing unit, data storage, and voice/data communication bandwidth.
- The following, but not limited to, shall be monitored: inbound and outbound traffic, system and application traffic, access to systems, servers, networking equipment, monitoring systems, critical applications, critical or admin-level system and configuration files, logs from security tools, and event logs related to network and system activities.
- Moreover, authorization before code is executed, tampering, use of resources, and system utilization at normal and peak periods shall be reviewed.
Control of Operational software
Installation of software on operational systems
- Procedures should be implemented to control the installation of software on operational systems.
- The updating of operational software, applications and program libraries should only be performed by trained administrators upon appropriate management authorization.
- Vendor supplied software used in operational systems should be maintained at a level supported by the supplier. Over time, software vendors will cease to support older versions of software. Tapal Tea should consider the risks of relying on unsupported software.
Technical Vulnerability Management
Management of technical vulnerabilities
- Tapal Tea (Private) Limited should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking, and any coordination responsibilities required.
- All critical information systems assets vulnerabilities must be properly identified, classified and remediated according to the applicable regulations and Tapal Tea (Private) Limited’s policies.
- Tapal Tea (Private) Limited shall perform vulnerability assessments to identify and assess security vulnerabilities in its systems and processes. Tapal Tea shall also perform subsequent validation tests to confirm that the gaps identified during the VA have been properly addressed.
- Information Security must ensure that publicly accessible systems are tested for vulnerabilities prior to being made available.
- A timeline should be defined to react to notifications of potentially relevant technical vulnerabilities.
- Information Technology / Information Security must ensure that technical vulnerabilities, including vendor supplied patches, are classified using the rating system defined below. Operational groups are required to remediate technical vulnerabilities or install patches using the following schedules:
- Critical: Threats that are actively impacting the environment. Must be implemented without delay using emergency change control procedures.
- Important: No existing negative impacts on operating results. Must be implemented upon first available normal operational opportunities, typically within 7 days using normal change control procedures.
- Operational: Enhancement patches that improve operations but are not required for fixing inaccurate data or process results. Must be implemented upon the next operational patch promotion schedule, typically within 30 days using normal change control procedures.
- GM IT must ensure that vulnerability remediation efforts, including patch implementations, are coordinated and processed according to the change management policy, and Software Patching. This includes meeting all testing and documentation requirements.
- Information Security must perform internal and external network vulnerability scans on an annual basis and after any significant change in the network.
- Tapal Tea (Private) Limited shall carry out annual penetration tests to identify vulnerabilities that may affect its systems, networks, people or processes. Penetration tests on internal systems shall also be conducted at the time of major updates and deployments of software/systems. These penetration tests must include network-layer penetration analysis and application-layer penetration analysis (including associated databases).
- Management shall ensure that all information systems are configured in a secure manner that can effectively block attack and reduce the threat of exploitation. Measures may include removal or uninstalling of the software or vulnerable services that are not needed on a system, which eliminates the vulnerability and other associated threats.
Restrictions on software installation
- Management should define and enforce a strict policy on the installation of restricted software. A list of restricted software should be developed and maintained.
- If there is business need, such software should only be installed after formal approval by Information Security / IT Department.
Information System Audit Considerations
Information systems audit controls
- Tapal Tea shall plan, manage and monitor rapidly changing technologies to enable it to deliver and support new products, services and delivery channels. These changes and the increasing reliance on technology make IT audit coverage essential to an effective overall audit program.
- An annual audit plan should be considered detailing IT audit's budgeting and planning processes including audit goals, schedules, staffing needs and reporting requirements.
- Audit scope, requirements and activities involving checks on operational systems shall be carefully planned and agreed to minimize the risk of disruptions to business processes.
- Appropriate measures should be taken when granting system access to the auditors such as restricting the access to read-only.
Protection of Information System during audit testing
- Organization shall ensure the confidentiality of audit information during the testing and assessment process. All information collected, accessed, or generated during audits will be treated with the utmost confidentiality, and access will be restricted to authorized personnel only.
- Access to audit data, including test results, observations, and supporting documentation, will be strictly controlled. Only authorized individuals directly involved in the audit process will have access to this information. Unauthorized access or sharing of audit data is strictly prohibited.
- Test data generated during audit testing will be disposed of securely after the audit process is complete. Secure disposal methods, in compliance with the Tapal Tea's data retention and disposal policies, will be employed to prevent the inadvertent exposure of sensitive information.
- Third-party entities engaged in audit testing will be required to sign non-disclosure agreements (NDAs) before accessing any sensitive information. These NDAs will establish legal obligations to maintain the confidentiality of audit-related data and prevent its unauthorized use or disclosure.
- The scope of technical audit tests must be agreed upon and controlled to ensure relevance and appropriateness to the organization's security requirements.
- Audit tests should primarily utilize read-only access to software and data. In cases where read-only access is unavailable, tests shall be executed by experienced administrators with necessary access rights, on behalf of the auditor.
- Prior to granting access, the security requirements of devices (e.g., laptops, tablets) used to access systems must be established and verified, including antivirus and patching compliance.
- Requests for special or additional processing, such as running audit tools, must be identified, evaluated, and agreed upon.
- Audit tests that can affect system availability shall be scheduled and conducted outside regular business hours.
- Assurance activities, including audit tests, on development and test systems shall be conducted cautiously to avoid compromising code integrity or disclosing sensitive information. The confidentiality, integrity and availability of systems and source code shall be maintained during audit testing.
- All access for audit and test purposes must be monitored and logged to ensure accountability and traceability. Audit testing shall be performed under the supervision of a competent resource.
- Audit trails will be established to monitor and record access to audit information. Any unauthorized or suspicious activities related to audit data will be promptly investigated, and appropriate actions will be taken to mitigate risks and prevent future incidents.
Threat Intelligence
Threat intelligence provides awareness of Tapal Tea’s threat environment and of the evolving threat landscape, so that the confidentiality, processing integrity, availability, security and privacy of the sensitive customer data the organisation holds, on its own behalf and on behalf of its affiliates, can be protected.
- Tapal Tea shall ensure that information about existing and emerging security threats, including those arising from emerging information technologies, is collected and analysed to prevent or reduce the impact of potential threats that could harm the organisation.
- Threats may also be analysed on the basis of Technical Vulnerability Management, and Special Interest Groups may be consulted where advice is needed, depending on the severity of the threat.
- While exercising threat intelligence, the organisation shall ensure that information received by means of threat intelligence is:
- Relevant and is related to protection of organisation’s information.
- Insightful, and provides detailed information of threat landscape that is to be prevented.
- Able to provide situational awareness that is contextual to the organisation, or relevant to organisations with similar business objectives.
- Realistic and Actionable.
- Information gathered by means of threat intelligence shall be analysed and used to optimize Tapal Tea’s risk profile.
- If required, organisation shall share information identified from threat intelligence with other organisations.
Cryptography
- The encryption method or technique must be approved by the Head of Compliance / Information Security Officer. The use of encryption is for business purpose only. Use of unauthorized encryption technique must be strictly prohibited.
- Tapal Tea shall ensure encryption of data in transit over the network according to the classification and sensitivity of the data.
- The required level of protection of information using cryptography should be based on:
- A risk assessment of the target information-set.
- Applicability of relevant regulations (if any).
- Country restrictions (if any).
- Laws regarding trans-border flow of encrypted information.
- Encryption methods and techniques must be considered for the following:
- Use of encryption for protection of information transported by mobile or removable media devices or across communication line.
- Where applicable, Tapal Tea-provided desktops / laptops / portables must also be secured by an approved encryption method.
- Email carrying sensitive or confidential data must be encrypted.
- A public facing website which offers e-commerce, digital / online facilities and have payment gateway (if any).
- Employees connecting to the corporate network from a remote location.
- Since data encryption is important for protecting data stored or transmitted by the company to prevent damages, employees that purposely violate this policy may be subject to disciplinary action as deemed appropriate by the Management. Any employee aware of any violation of this policy is required to report it to their Line Manager / Information Security head.
- Roles and responsibilities shall be defined for managing keys and implementation of cryptographic measures.
- Following but not limited to shall be addressed to perform key management:
- Key generation mechanisms shall be approved and protected.
- Methods should be defined for public key certificate if applicable.
- Changing and updating keys shall be subject to the change management process.
- Storage and distribution of keys shall be protected from unauthorized disclosure or modification.
- Keys shall be backed up at a specified interval.
- Revocation, disposal, and deletion of expired cryptographic keys shall be logged.
- Incident management process shall be applied when addressing compromised keys.
- Sensitive cryptographic information shall not be disclosed, even for legal purposes, unless authorized.
Information deletion
- Tapal Tea shall not retain sensitive information longer than necessary, to reduce the risk of unintended disclosure.
- IT department shall retain ownership of ex-employee’s data for one month.
- Tapal Tea shall retain information in accordance with the guidelines and requirements set by statutory or regulatory authorities.
- Information will be disposed when no longer required to prevent unnecessary, and unauthorized disclosure and to comply with legal, statutory, and regulatory requirements.
- Select appropriate deletion methods aligned with business requirements, relevant laws, and regulations.
- Record deletion results as evidence and obtain evidence from third-party service providers if they handle information deletion.
- Disposal of information and related technologies is conducted in compliance with Data Retention and Disposal Policy.
- Data erasure requests from clients, customers, employees and third parties shall be handled in accordance with regulatory and statutory requirements/obligations.
- Logs of disposal shall be recorded, including but not limited to the following information:
- Detail of information or related technology being disposed.
- Disposal requested by including reason for disposal.
- Consent/ approval of information owner/ Data subject/ Data principal
- Method of disposal
- Personnel responsible for disposal
- Include information deletion requirements in third-party agreements to enforce deletion during and after termination of services.
- Organisation shall configure systems to securely destroy information based on defined periods or subject access requests, delete obsolete versions, copies, and temporary files, and use approved, secure deletion software or services to permanently erase information, ensuring it cannot be recovered.
- Organisation shall employ appropriate disposal mechanisms based on storage media type (e.g., degaussing for magnetic storage media).
- Organisation shall verify if the deletion method provided by cloud service providers is acceptable and use it, accordingly, ensuring alignment with topic-specific policies.
For more refer to: Secure Disposal of equipment policy.
Data masking
- Tapal Tea should use techniques such as data masking, pseudonymization or anonymization to hide or disguise data (PII) by unlinking it from individuals or sensitive information.
- Additional data masking techniques shall be considered for robust security, such as encryption, nulling or deleting characters, varying numbers and dates, substitution and hashing.
- The following shall be considered when implementing data masking techniques:
- Not granting all users access to all data, therefore designing queries and masks to show only the minimum required data to the user.
- Any legal or regulatory requirements (if applicable).
- The following to be considered when using data masking, pseudonymization or anonymization:
- Level of strength of data masking, pseudonymization or anonymization according to the usage of the processed data.
- Access controls to the processed data.
- Agreements or restrictions on usage of the processed data.
- Prohibiting collating the processed data with other information to identify the PII principal.
- Keeping track of providing and receiving the processed data.
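To make the masking techniques above concrete, here is an added example (not part of this policy or of any Tapal Tea system), written in Python using only the standard library. It applies nulling, character masking, keyed substitution (HMAC-based pseudonymization) and date variation to a constructed customer record, building the minimum view a role needs, and shows the caveat a practitioner should keep in mind when "hashing" is listed as a masking technique: an unkeyed hash of a low-entropy field such as a phone number is not anonymization, because anyone who can enumerate plausible values links it back, whereas the keyed token cannot be linked back without the data owner's key. The record, field names, role views and keys are assumptions made for this example.

```python
import hashlib
import hmac
from datetime import date, timedelta
from typing import Optional

# Constructed sample record for this example (not real data); field names are assumptions.
SAMPLE_RECORD = {
    "customer_id": "C-10023",
    "name": "Ayesha Khan",
    "phone": "03001234567",
    "card_number": "4111111111111111",
    "dob": "1990-05-14",
    "order_total": 2450,
}


def mask_characters(value: str, keep_last: int = 4, mask_char: str = "X") -> str:
    """Character masking: replace everything except the last `keep_last` characters."""
    if keep_last >= len(value):
        return value
    return mask_char * (len(value) - keep_last) + value[-keep_last:]


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 hex digest: the "hashing" technique applied without a key."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed substitution (HMAC-SHA256, truncated to 64 bits). The same input always
    yields the same token, so records can still be joined, but without `key` (held by
    the data owner, never by the consumer of the masked data) the token cannot be
    linked back to the PII principal."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def shift_date(iso_date: str, key: bytes, max_days: int = 30) -> str:
    """Date variation: shift by a key-derived offset in [-max_days, +max_days], so the
    true date is hidden while the masked value is deterministic and stays roughly in place."""
    digest = hmac.new(key, iso_date.encode("utf-8"), hashlib.sha256).digest()
    offset = int.from_bytes(digest[:2], "big") % (2 * max_days + 1) - max_days
    return (date.fromisoformat(iso_date) + timedelta(days=offset)).isoformat()


def mask_record(record: dict, key: bytes, fields_needed: set) -> dict:
    """Build the minimum view a role needs: fields the role does not need are nulled,
    identifiers are pseudonymized, card and phone numbers are partially masked and
    the date of birth is shifted."""
    masked = {}
    for field, value in record.items():
        if field not in fields_needed:
            masked[field] = None  # nulling: the role never sees this field
        elif field == "customer_id":
            masked[field] = pseudonymize(value, key)
        elif field == "card_number":
            masked[field] = mask_characters(value, keep_last=4)
        elif field == "phone":
            masked[field] = mask_characters(value, keep_last=3)
        elif field == "dob":
            masked[field] = shift_date(value, key)
        else:
            masked[field] = value
    return masked


def reidentify_unkeyed_hash(token: str, candidates: list) -> Optional[str]:
    """Caveat: an unkeyed hash of a low-entropy field is reversible. Anyone who can
    enumerate plausible values (all phone numbers in a range, say) recovers the original."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == token:
            return candidate
    return None


def reidentify_keyed_token(token: str, candidates: list, guessed_key: bytes) -> Optional[str]:
    """The same dictionary attack against the keyed token only works with the owner's key."""
    for candidate in candidates:
        if pseudonymize(candidate, guessed_key) == token:
            return candidate
    return None


if __name__ == "__main__":
    owner_key = b"data-owner-secret-key"  # assumption: kept by the data owner only
    finance_view = mask_record(SAMPLE_RECORD, owner_key, {"customer_id", "card_number", "order_total", "dob"})
    print(finance_view)
    phone = SAMPLE_RECORD["phone"]
    candidates = ["0300%07d" % n for n in range(1234500, 1234600)]  # constructed candidate range
    print(reidentify_unkeyed_hash(unkeyed_hash(phone), candidates))             # recovered
    print(reidentify_keyed_token(pseudonymize(phone, owner_key), candidates, b"wrong-key"))  # None
```

The pseudonymization key is the control that turns "hashing" into a usable masking technique; it must be managed under the key management rules in the Cryptography section, and the consumer of the masked data set must never hold it, otherwise the collation prohibited above becomes trivial.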
Data leakage prevention
Tapal Tea is committed to defining and implementing preventive measures against leakage and unauthorized disclosure of sensitive data, including but not limited to customers’ PII and confidential records.
- Tapal Tea shall identify and classify sensitive information to protect against unauthorised access.
- Tapal Tea shall constantly monitor potential channels for data leakage such as emails, file transfers, mobile devices, and portable storage devices.
- Tapal Tea shall take proactive steps to prevent information from leaking, like quarantining emails containing sensitive data.
- Tapal Tea shall use DLP tools to identify and monitor sensitive information, especially in unstructured data on users' systems.
- Tapal Tea shall use DLP tools to detect instances where sensitive information is shared outside trusted boundaries.
- Tapal Tea shall enable measures to block user actions or network transmissions that might expose sensitive information, such as preventing copying database entries into spreadsheets.
- Tapal Tea may restrict a user’s ability to copy and paste or upload data outside the Tapal Tea's control.
- If data export is required, the data owner shall be allowed to approve the export and hold users accountable for their actions.
- Tapal Tea shall ensure sensitive information in backups is safeguarded through encryption, access controls, and physical security of the storage media.
- Employees, contractors and third-party vendors shall receive awareness and education on the confidentiality and privacy of Tapal Tea’s proprietary information.
- Any employee, contractor or third-party vendor found involved in leakage of Tapal Tea’s sensitive data may be subject to disciplinary action.
Web filtering
- Tapal Tea shall restrict its employees from accessing websites that host illegal content or are known to contain viruses or phishing material.
- Tapal Tea shall restrict the following categories of websites, including but not limited to: gambling, streaming, entertainment, pornography, social media, online shopping, sports, etc.
- Tapal Tea shall block the IP addresses or domains of websites that fall within the criteria above.
- Monitor footprints of its workforce accessing online resources.
- Provide workforce awareness to contact IT/ IS function to raise security concerns over a potentially malicious accessible online resource/ website/ web application.
- Establish exception criteria, where a known potentially vulnerable and restricted website needs to be accessed for official purpose or business needs.
- Access to blocked websites may be granted to users with specific business needs.
- Approval of Head of IT with recommendation of relevant Business Head shall be required to allow such websites access to specific users.
Application security Requirements
- Tapal Tea shall identify type of classified information to be processed and stored by the application through risk assessment.
- Tapal Tea shall segregate access and level of access to data and applications in the functions.
- Protection against malicious attacks (e.g., DDoS and SQL injection) or unintentional disruptions shall be in place.
- Tapal Tea shall protect application transaction data while being processed, transit, and at rest.
- Tapal Tea shall identify requirements from business process and incorporate them such as transactional logging, monitoring, and non-repudiation requirements.
- Where possible, input validation checks shall be implemented.
- Automated controls shall be considered for application security.
- Tapal Tea shall devise authorization processes associated with who can approve contents, issue, or sign key transactional documents.
- There should be a proper segregation between systems (operating system and databases), network and application security administration.
- Output controls shall be implemented to restrict the access to results and its authorization.
- The security and controls analysis shall incorporate major aspects of infrastructure security, packaged application security and custom developed application security. It must focus on automated as well as manual controls as applicable.
- This security and controls documentation must be justified, agreed, and documented as part of the overall business case for an information system.
- In case of acquiring application, organization shall verify and evaluate that application security requirements are meeting business needs. Security requirements shall be addressed in the outsourcing contracts as per the outsource development policy.
- Acquired or developed applications should process and store data as per the legal, statutory, and regulatory requirements in the jurisdiction.
- Users must avoid entering confidential information, including PII, in free-text fields across Tapal Tea’s systems.
- Secure development practices shall be adopted as per the organization’s topic-specific policies.
- Security controls shall be applied to secure the confidentiality, integrity, availability and privacy of application and its data.
- Activities of applications shall be logged where applicable.
- For Applications offering transactional services between organization and interested parties, strong authentication and CIA protection controls should be applied to maintain the appropriate level of trust for both parties.
- When acquiring or developing applications involving electronic ordering and payment, protection (such as encryption) must be applied to the data and all transactions. Measures shall be applied to prevent data loss and duplication and to ensure non-repudiation.
- Mechanisms shall be defined for error message handling.
Transactional services:
- Determine the level of trust required in each party's claimed identity during transactional services. Clearly define and implement identity verification processes to ensure a secure and trusted exchange of information.
- Specify the required level of trust in the integrity of exchanged information. Implement mechanisms such as cyclic redundancy checks, hashing, and digital signatures to identify and prevent data integrity issues.
- Clearly outline the authorization processes associated with the approval, issuance, or signing of key transactional documents. Specify roles and responsibilities to maintain a secure and controlled workflow.
- Enforce measures to ensure the confidentiality and integrity of critical transactional documents, such as contracts related to tendering and contract processes. Implement mechanisms to prove dispatch and receipt and to ensure non-repudiation.
- Define and implement security measures to protect the confidentiality and integrity of transactional data, addressing components like orders, delivery address details, and confirmation of receipts.
- Establish guidelines on how long to maintain the confidentiality of transactions. Define retention periods and procedures for secure data disposal when necessary.
- Ensure compliance with insurance and other contractual requirements in transactional services. Define policies to meet these obligations and regularly review them for updates or changes in contractual agreements.
Electronic ordering and payment applications (If applicable):
- Implement measures to ensure the confidentiality and integrity of order information. Utilize encryption and access controls to protect sensitive order details from unauthorized access or tampering.
- Define and implement a secure verification process to authenticate payment information supplied by customers. Utilize industry-standard verification methods to ensure accuracy and prevent fraudulent transactions.
- Implement measures to prevent the loss or duplication of transaction information. Utilize transaction logging, error-checking mechanisms, and redundancy to ensure the accuracy and completeness of recorded transactions.
- Store transaction details in a secure environment, such as an organizational intranet-based storage platform. Avoid retaining and exposing transaction information on electronic storage media directly accessible from the internet to minimize the risk of unauthorized access.
- When utilizing a trusted authority for digital signatures or certificates, integrate robust security measures throughout the entire end-to-end management process. This includes secure issuance, maintenance, and validation of digital signatures or certificates.
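As an added example (not this policy’s own code or any Tapal Tea system), the following Python illustrates two points from the transactional services and electronic ordering sections above: the integrity mechanisms listed together there (cyclic redundancy checks, hashing, digital signatures) are not interchangeable against a deliberate attacker, and duplicate transaction information must be rejected on receipt. A constructed order is altered by an attacker on the path; a CRC or plain hash sent beside the order is simply recomputed by the attacker, so both still verify, whereas an HMAC over a canonical encoding cannot be recomputed without the shared key. The receiver also refuses duplicate or reused order ids. The order fields, the key and the OrderReceiver class are assumptions for this example.

```python
import hashlib
import hmac
import json
import zlib

# Constructed sample order for this example (not real data); field names are assumptions.
ORDER = {
    "order_id": "ORD-2024-0001",
    "customer": "C-10023",
    "item": "Tea 950g",
    "qty": 10,
    "delivery_address": "Plot 1, Karachi",
    "total": 9500,
}


def canonical(order: dict) -> bytes:
    """Deterministic serialization so sender and receiver hash exactly the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode("utf-8")


def crc_tag(order: dict) -> str:
    """CRC32: detects accidental corruption only; anyone can recompute it."""
    return format(zlib.crc32(canonical(order)), "08x")


def hash_tag(order: dict) -> str:
    """Unkeyed SHA-256 sent beside the data: likewise recomputable by an attacker."""
    return hashlib.sha256(canonical(order)).hexdigest()


def mac_tag(order: dict, key: bytes) -> str:
    """HMAC-SHA256 under a key shared by the two parties: detects deliberate tampering."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def attacker_rewrites(order: dict) -> dict:
    """An attacker on the path raises the quantity and total, then recomputes every
    tag that needs no secret. Returns what the receiver would see on the wire."""
    forged = dict(order)
    forged["qty"] = 100
    forged["total"] = 95000
    return {"order": forged, "crc": crc_tag(forged), "sha256": hash_tag(forged)}


def crc_ok(order: dict, tag: str) -> bool:
    return crc_tag(order) == tag


def hash_ok(order: dict, tag: str) -> bool:
    return hash_tag(order) == tag


def mac_ok(order: dict, tag: str, key: bytes) -> bool:
    # constant-time comparison so the verifier does not leak the tag byte by byte
    return hmac.compare_digest(mac_tag(order, key), tag)


class OrderReceiver:
    """Receiving side: verify the MAC, then refuse duplicates and reused order ids so a
    replayed or re-sent message cannot create a second transaction."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen = {}  # order_id -> canonical bytes of the accepted order

    def accept(self, order: dict, tag: str) -> str:
        if not mac_ok(order, tag, self._key):
            return "rejected: integrity check failed"
        order_id = order["order_id"]
        if order_id in self._seen:
            if self._seen[order_id] == canonical(order):
                return "duplicate: already recorded"
            return "rejected: order_id reused with different content"
        self._seen[order_id] = canonical(order)
        return "accepted"


if __name__ == "__main__":
    key = b"shared-order-key"  # assumption: agreed out of band by both parties
    on_wire = attacker_rewrites(ORDER)
    print("CRC still verifies:", crc_ok(on_wire["order"], on_wire["crc"]))          # True
    print("SHA-256 still verifies:", hash_ok(on_wire["order"], on_wire["sha256"]))  # True
    print("HMAC verifies:", mac_ok(on_wire["order"], mac_tag(ORDER, key), key))     # False
    receiver = OrderReceiver(key)
    print(receiver.accept(ORDER, mac_tag(ORDER, key)))  # accepted
    print(receiver.accept(ORDER, mac_tag(ORDER, key)))  # duplicate: already recorded
```

An HMAC proves the message came from someone holding the shared key, but since both parties hold it, either one could have produced the tag; it gives integrity, not non-repudiation. Proving to a third party which side dispatched a document requires a digital signature whose private key only the signer holds, which is the role of the trusted authority for digital signatures or certificates mentioned above.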
User endpoint Devices
Tapal Tea shall:
- determine the classification of data held on the endpoint device.
- ensure all user endpoint devices are centrally registered and keep a record of devices.
- devise and communicate guidelines for physically securing devices to prevent theft or unauthorized access.
- specify the required software versions and ensure updates are applied regularly.
- establish rules for connecting devices to external/public networks, especially when off-premises.
- ensure adequate access management of endpoint devices.
- identify the requirement for, and implement, encryption on storage devices holding critical/sensitive information.
- implement measures to prevent and protect user endpoint devices against malicious software.
- implement measures, where possible, to remotely disable, wipe or lock endpoint devices in case of theft or loss.
- ensure critical endpoint devices are backed up.
- govern the use of removable devices and consider disabling physical ports such as USB ports.
- monitor the use of web services, web applications and user behaviour.
- promote disk partitioning where supported by end user devices and encourage separation of Tapal Tea’s data and other associated assets.
- limit installation of software on operational systems to official purposes, authorized by the IT/IS function; restrictions on software installation shall be implemented for end users.
User Responsibility:
Management shall ensure all users are aware of security requirements for protecting end point devices. User shall:
- log off and close services when not in use.
- protect devices physically from unauthorized access and logically with passwords when not in use.
- Avoid or be vigilant while using devices in public spaces to prevent unauthorized access.
- safeguard devices from theft.
- keep mobile devices out of sight during travel.
For further details refer to the policy documents:
- 8. Physical and environmental security policy
- 10. Organization of Information security Policy
Wireless Connection:
- Organization shall set guidelines for configuring wireless connections on devices to minimize vulnerabilities.
- Assurance shall be made that appropriate bandwidth is available for activities like backups or software updates.
Communication Security
Purpose
The purpose of this policy document is to ensure the correct and secure operation of information processing facilities, to minimize risk due to system failures and to safeguard the integrity of information processing facilities and software. This policy also provides guidelines to ensure secure IT and network operations and exchange of information within the Company and externally.
Scope
This policy applies to all users of information assets including the Company employees, employees of temporary employment agencies, vendors and contractor personnel regardless of geographic location.
This Policy covers all Information System environments operated by the company. The term “IT environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. all computers / systems desktop, network devices, wireless devices), software, and information.
Although this Policy explicitly covers the responsibilities of users, it does not do so exclusively; Tapal Tea’s other Information Security policies also apply. All users are required to read, understand and comply with the Information Security policies, procedures and relevant documentation.
Policy Statement
Communications security is an important function that has a significant impact on information security. Therefore, a documented policy covering network security management and information transfer shall be maintained.
Network Security Management
Network Controls
- IT Department shall oversee the network service to ensure that the required security controls are in place, and the defined service levels are met.
- All external and internal network perimeters shall be hardened and configured in accordance with vendor specific hardening guidelines or international best practices (as per feasibility). All inbound and outbound points shall be protected by at least a firewall having IPS or IDS.
- A mechanism shall be implemented for regular monitoring of breaches to network security policy of TAPAL.
- IT Department along with dedicated partner shall monitor the activities over the network for any unusual occurrences, network alerts or failure of networks.
- All systems that connect to TAPAL’s internal network shall be authenticated prior to being provided access to the network.
- Systems connecting directly to the internal network shall be restricted via security controls such as port security and disabling unused ports.
- All network equipment shall be placed in a secure location. Core Network Equipment shall be placed in the Network Operation Centre (NOC) where access is restricted to authorized personnel only. Routers and Switches shall at least be placed in locked cabinets which are not accessible to unauthorized users.
- Remote asset maintenance shall be performed using secure, authenticated network connections and communication channels.
- Auditing and logging shall be enabled at all the network and security devices.
- IT Department shall ensure that the current and last two levels of configurations (router and firewall) are stored in a secured manner to ensure recovery.
- All network management passwords shall be changed as per password policy defined in “Access Control Policy”.
- Logging and monitoring of all remote access communications must be exercised.
- TAPAL shall consider more stringent controls such as Zero Trust Network Access to manage Remote Communications.
- A Virtual Private Networking (VPN) must be used when Company remote endpoints connect remotely to the internal Tapal Tea Network.
Security of Network Services
- The security features, service levels and management requirements, for network service provider shall be determined by GM IT in consultation with the Senior Manager IT Infrastructure and Information Security function.
- The GM IT shall provide the final sign-off for security features, service levels and management requirements for network service provider.
- Service Level Agreement shall be in place with vendors providing network services to minimize unscheduled downtime for all critical network infrastructure.
- All the agreements shall be regularly monitored.
Segregation in networks
- Tapal Tea’s information systems network shall be divided into logical segments based on the access requirements.
- The criteria for division of networks shall also consider the relative cost and performance impact of incorporating suitable technology.
- Segregation of networks should be based on the value and classification of information stored or processed in the network, levels of trust, or lines of business, in order to reduce the total impact of a service disruption.
- Internal network shall be segregated from the external network with different perimeter security controls on each of the networks.
- The connectivity between internal and external networks shall be controlled.
- The Guest Network shall be completely segregated from Tapal’s internal network and protected by a password or other authentication mechanism.
Monitoring
- The Company shall evaluate and implement appropriate controls relative to the complexity of their network. Further, the Company shall deploy an effective mechanism to monitor security policy violations and atypical activities on their network.
- Information Security function, along with the Network Infrastructure team, will monitor the activities over the network for any unusual occurrences, system alerts or failure of system.
- Capacity, uptime and quality of Tapal Tea’s networks should be sufficiently monitored in order to ensure reliable operation and availability. Technology resources to be monitored for capacity planning include, but are not limited to, platform processing speed, core storage for each platform’s central processing unit, data storage, and voice/data communication bandwidth.
Information Transfer
Information transfer policies and procedure
Exchange of Information and Software
- To prevent loss, modification, destruction, or misuse of information, the Company’s departments must protect and control exchange of critical business information assets and software.
- The IT Department shall ensure that electronic communications are scanned for and protected against transmission of malware based on the guidelines provided in “policy: Controls against Malware”.
- Tapal shall advise employees to take appropriate precautions to prevent breach of confidential information.
- Information transfer services shall be compliant with relevant laws and regulations if applicable.
Agreement on information transfer
- At a minimum, the following areas should be considered when establishing formal Information and Software Exchange agreements:
- Exchange of critical business information assets with parties outside Tapal Tea. The department requiring the exchange is responsible for the formal agreements.
- Management responsibilities for controlling and notifying transmission, dispatch, and receipt.
- These agreements must include both manual and electronic exchanges.
- A labelling convention shall be included and agreed upon by both parties to ensure that labels are understood, and information is protected if applicable.
- These agreements must reflect the sensitivity of the critical business information assets being exchanged and must describe any protection requirements which ensure traceability and non-repudiation.
- These agreements at a minimum should specify management responsibilities, notification requirements, liabilities, data and software ownership, protection responsibilities and measures, and all encryption requirements and right to audit.
Electronic Messaging
- Information involved in electronic messaging shall be appropriately protected. Security considerations for electronic messaging may include the following:
- Protecting messages from unauthorized access, modification or denial of service
- Ensuring correct addressing and transportation of the message
- General reliability and availability of the service
- Obtaining approval from relevant departmental head prior to using external public services such as instant messaging or file sharing
- Stronger levels of authentication controlling access from publicly accessible networks.
- In case of change of employment or termination, the IT department will retain the leaver’s emails and data for 30 days. If this period is to be extended, appropriate approval with justification will be required from the leaver’s reporting manager before the retention period expires.
- TAPAL workforce is discouraged from using personal mobile devices to perform sensitive business tasks or conduct confidential communications.
- Use of official communication channels for personal business or favors is discouraged.
- Employees must confirm the validity of any email content or information by any means, internal or external, by direct contact with the originator before any critical business decision is made based on the content.
- Access to spread bulk emails is only provided to authorized departments, however in case if an individual requires access to share/ send bulk email for official purpose, HR team will be requested to grant approval after gaining valid justification.
- Unnecessary attachments should not be sent via email. Where necessary attachment limit is restricted to 9 MB per email.
Monitoring
- Tapal Tea may monitor the use and content of any email generated, stored or handled on its systems for the purpose of detecting infringements of its Information Security Policy.
- Any employee found misusing the email facility will have to face disciplinary action as deemed appropriate by the management.
Email Disclaimer
- Email transmissions forwarded from Tapal Tea must carry a disclaimer statement, approved in advance by management, stating that:
Confidentiality or non-disclosure agreements
- The Project Sponsor shall include non-disclosure agreements in their contracts with contractors/third parties.
- Project Sponsor shall document the following requirements in their confidentiality agreements:
- Classification of information to be protected and its definition (e.g., confidential information)
- Time duration of the agreement
- Responsibilities of all parties after termination of the contract or agreement
- Responsibilities and permitted use of information for all parties involved in the agreement to avoid unauthorized information disclosure
- Information to be returned at agreement termination and its terms and conditions
- Actions that shall be taken if there is a breach in agreement
- Compliance shall ensure that confidentiality or non-disclosure agreements comply with all applicable laws and regulations.
- The Legal and Compliance department shall ensure that NDAs comply with Tapal's IS policies.
Information Security in Development
Purpose
A secure development policy serves as a guiding framework for software developers to systematically integrate security measures into the entire software development lifecycle. It ensures that security considerations are prioritized from the initial design phase through implementation, testing, and maintenance. This policy aims to mitigate vulnerabilities, reduce the risk of cyber threats, and safeguard sensitive data, ultimately enhancing the overall security posture of software systems.
Scope
It applies to all individuals involved in Tapal Tea’s development process, such as developers, testers, project managers, and stakeholders. Additionally, the policy may extend to third-party vendors or contractors who contribute to the development effort. The goal is to ensure that security measures are consistently integrated throughout the entire development process, regardless of the technology stack or specific project requirements.
Policy Statement
Tapal Tea’s secure development policy ensures that security is systematically integrated into all stages of the software development lifecycle to mitigate vulnerabilities, reduce cyber threats, and safeguard sensitive data.
Secure Development policy
Secure development life cycle
- All development, testing, and production environments must be logically and physically separated to minimize the risk of unauthorized access and ensure the integrity of systems and data.
- The organization shall incorporate security measures throughout the Software Development Lifecycle (SDLC) following established methodologies and coding guidelines for each programming language used.
- Introduction of new systems and major changes to existing systems shall follow a formal process of documentation, specification, testing, quality control, and managed implementation; this process shall include a risk assessment, analysis of the impacts of changes, and specification of security controls needed; this process shall also ensure that existing security and control procedures are not compromised.
- Security requirements must be integrated into the specification and design phases of all development projects to mitigate potential vulnerabilities from the outset.
- Regular security checkpoints must be integrated into project milestones to assess adherence to security protocols and identify potential vulnerabilities.
- Comprehensive system and security testing, including regression testing, code scans, and penetration tests, shall be conducted to identify and address vulnerabilities.
- Secure coding guidelines, techniques and a secure development methodology should be followed throughout the software development life cycle.
- Developers must not have access to production environments for the purpose of support and emergency fixes, unless authorized and monitored.
- All source code and configurations must be stored in secure repositories, and version control mechanisms must adhere to established security standards to prevent unauthorized access or alterations.
- Release of changed versions of coded deliverables must occur only after successful testing and approval.
- Automatic updates shall not be used on critical systems as some updates may cause critical applications to fail.
- All emergency application code, configuration, database, or data changes undertaken under time pressure and before formal change control can be applied, must be retrospectively reviewed, and authorized after a successful resolution to the emergency has been achieved.
- The development process shall be compliant with all relevant policies and procedures to ensure a high level of security in each phase of the life cycle.
- When outsourcing development, the organization shall ensure suppliers adhere to the organization's secure development policies and practices to maintain the integrity and security of systems and data.
- Developers shall undergo continuous training to enhance application security knowledge and skills, ensuring the ability to prevent, detect, and remediate vulnerabilities effectively.
- All software development projects must consider licensing requirements and explore cost-effective solutions while avoiding potential licensing issues in the future.
Secure system architecture and engineering principles
- Secure information system engineering procedures should be established, documented, and applied to in-house / outsourced information system engineering activities based on security engineering principles and best practices. The established engineering procedures should be regularly reviewed.
- The organisation shall apply the security controls required to protect information and systems against identified threats or as required by the business process.
- The organisation should identify the capabilities of security controls to prevent, detect or respond to security events.
- The organisation shall identify how individual security controls work together and apply them as an integrated set of controls.
- The organisation should consider security architecture principles such as security by design, defence in depth and least privilege to raise the standard of cybersecurity.
- Secure system architecture and engineering principles shall consider:
- The need to integrate technical and security architecture.
- Components of security infrastructure (e.g., public key infrastructure (PKI), identity and access management (least privilege), data leakage prevention)
- Maintenance, support, resource, and expenditure planning of the technology infrastructure should be in place. The security infrastructure can also be deployed as per industry best practices.
- Security design reviews should be conducted. Where a control that does not meet the security requirements is nevertheless applied because of business need, this must be documented and approved following a risk assessment.
- In case of outsourcing, the organization should ensure that suppliers’ security engineering practices align with the organization’s needs.
Secure coding
- Secure coding practices shall focus on preventing common vulnerabilities, such as injection attacks, cross-site scripting (XSS), and insecure authentication mechanisms. Code reviews and automated tools will be employed to identify and mitigate potential vulnerabilities; the use of open-source software shall be discouraged.
- A minimum secure baseline or secure coding principles shall be established, approved, and applied. Minimum baseline shall be reviewed and updated accordingly with changing threat landscape.
- Secure coding principles shall be applied before coding, during coding and at the time of review and maintenance.
- The organization shall maintain a separate development environment for secure coding.
- Secure coding shall begin at the design and architecture phase, ensuring that security requirements are considered and integrated into the software's core structure. This approach minimizes the introduction of security flaws during later development stages.
- Secure coding principles shall be considered for new developments as well as for reuse scenarios.
- The following considerations should be made during coding:
- Consider using structured programming and secure programming techniques (e.g., pair programming, refactoring, peer review, security iterations and test-driven development)
- Prevent using weak design techniques (e.g., the use of hard-coded passwords, unapproved code samples and unauthenticated web services).
- Evaluate attack surface and the principle of least privilege.
- Conduct analysis of common programming errors and document their mitigation.
- System acceptance testing shall be performed as per the "Security testing in development and acceptance" policy.
- In the review and maintenance stage, the following considerations shall be made:
- Comprehensive code reviews and testing will be conducted at regular intervals throughout the development process. This practice helps identify and rectify security weaknesses and vulnerabilities before they become production issues.
- Reported vulnerabilities, errors and attacks shall be securely handled and logged.
- Access to source code shall be controlled and restricted.
- After code has been made operational, updates should be securely packaged and deployed.
- Prior to making any changes, risks to the integrity of controls should be evaluated.
- The following considerations shall be made prior to using external libraries:
- Ensure that libraries are inventoried, updated and maintainable.
- Consider the licence, security, and history of external components.
- They must be selected from authentic and reputable sources.
- Ensure the long-term availability of the associated resources.
- Threat modelling will be integrated into the development process to identify potential security risks and prioritize their mitigation. This proactive approach helps address security concerns early in the development lifecycle.
- Secure coding practices specific to programming language and techniques shall be used.
- Structured programming techniques shall be used.
- Prior to modifying a software package, consider the following points as applicable:
- Possible risks to the functionality of built-in controls.
- Obtain consent from the vendor.
- The possibility of obtaining the required changes from the vendor as standard program updates.
- The impact if the organization becomes responsible for future maintenance of the software as a result of the changes.
- Compatibility with other software in use.
Security testing in development and acceptance
- For new information systems or changes to existing systems, Information Security, Head of IT, Business Heads and persons with systems or network responsibilities must ensure that the requirements and criteria for systems are clearly defined, agreed upon, documented, and tested.
- Test plans shall be established based on predefined criteria, proportionate to the system's importance, nature, and the potential impact of the change. The test plan should include detailed schedules, expected inputs and outputs under various conditions, criteria for result evaluation, and decisions for further actions.
- New information systems, upgrades, and versions shall undergo comprehensive testing, including security testing, as an integral part of the development process. Security testing should encompass user authentication, access restriction, cryptography usage, secure coding, and secure configurations of operating systems, firewalls and other security components.
- The IS function shall conduct system security testing using documented test plans encompassing user authentication, access restriction, secure coding, secure configurations and use of cryptography, together with all predetermined data or processing problems and business scenarios.
- Criteria shall be defined for performing changes and for executing the test plan. The criteria should cover the schedule of testing activities, conditions, inputs, expected outputs, evaluation of results and subsequent steps.
- Applications that rely on externally supplied software and modules should be monitored and controlled to avoid unauthorized changes.
- Automated tools such as code analysis and vulnerability scanners shall be leveraged to detect and verify the remediation of security-related defects.
- In-house developments should undergo initial testing by the development team, followed by independent acceptance testing to ensure system functionality and security. Activities such as code review, vulnerability scanning, and penetration testing should be incorporated into the testing process.
Outsourced development
- If development of an application or infrastructure is being conducted by a third party, the contract must be in line with applicable regulations, code ownership, intellectual property rights and supplier relationship policies.
- The third-party development environment must not be connected directly to the Organisation's network, and the contract must provide suitable assurances that the developed code is kept secure during development.
- If third-party software is being considered for a critical business activity, the Organisation must license the software or obtain a legally binding agreement from the third party.
- Enforce contractual requirements for secure design, coding, and testing practices.
- An escrow arrangement shall exist where core applications are developed by vendors but the source code is not released to the Organisation. The third party must provide the source code to a mutually agreed outside party, who will hold it in escrow, each time the source code is revised.
- All documentation, which describes systems or systems procedures, must be reviewed by IT Department in conjunction with Information Security to ensure that confidential information is not being inadvertently disclosed, prior to being released to third parties.
- The Organisation should reserve the right to audit the outsourced services on a periodic basis or as and when required, to ensure the quality and accuracy of the work done.
- All outsourced source code must be tested before being deployed to the production environment, including checks for security concerns such as malicious or Trojan code. Test assurance reports from external developers must be reviewed. Testing responsibilities shall be defined in contracts.
- Non-disclosure agreement shall be signed with service provider for outsourced development.
- External developers must conduct thorough threat modelling where applicable, including data flow analysis, asset identification, and risk enumeration. This includes adherence to secure coding practices, evaluation of external dependencies, and continuous monitoring to ensure robust protection against potential threats throughout the development lifecycle.
Test information
- Test information selection shall prioritize the reliability of test results and ensure the confidentiality of operational data. Sensitive information, including personally identifiable information, shall not be copied into development and testing environments.
- Protection of test data shall be assured by the organisation whether development is in-house or on cloud.
- Organization shall ensure that test information is selected based on its relevance and accuracy to accurately reflect real-world scenarios. The selection process will consider the organisation's operational context, risks, and security requirements to ensure comprehensive testing.
- Approval shall be required each time operational data is used in a test environment. Operational data shall be securely wiped from the test environment.
- Test information shall be treated with the same level of care as production data. Appropriate security controls will be implemented to protect test data from unauthorized access, disclosure, or manipulation. This includes access controls, encryption, and monitoring mechanisms.
- The lifecycle of test information, including its creation, usage, retention, and disposal, will be managed in accordance with established information security policies and procedures. This includes defining retention periods and ensuring secure disposal methods.
- Logging must capture the copying and use of operational information to maintain an audit trail.
- Access to test information will be restricted to authorized individuals with a legitimate need for access. Access controls will be implemented based on the principle of least privilege, ensuring that individuals can access only the specific test data required for their tasks.
- Test environments shall only include the minimum amount of data necessary for testing purposes. Personal and sensitive information will be masked whenever possible, reducing the risk associated with exposure during testing.
- Test information will be transmitted and stored securely using approved encryption mechanisms and storage solutions. This safeguards test data against interception, unauthorized access, and potential breaches.
Information Security in Supplier Relationships
Purpose
The purpose of this policy is to apply and implement the IS Policy so as to avoid breaches originating from third parties. By defining expectations, responsibilities, and standards, this policy promotes accountability, enhances communication, and drives efficiency while managing risks and fostering innovation.
Scope
This Policy is applicable to all Tapal Tea’s suppliers, contracted employees and departments handling suppliers and contracted employees at all levels of sensitivity, including:
- All persons employed by, working for, or working on behalf of Tapal Tea.
- All other individuals and groups who have been granted access to Tapal Tea’s IT systems and information.
Policy Statement
Tapal Tea's Information Security in Supplier Relationships Policy aims to safeguard the organization's sensitive data and assets by establishing clear guidelines and standards for managing information security risks with suppliers. Tapal Tea prioritizes the protection of confidential information, intellectual property, and customer data throughout the supply chain, requiring suppliers to adhere to stringent security measures and to comply with relevant regulations.
IS policy for Supplier Relationships
- TAPAL shall identify and document the types of suppliers (e.g., IT services, logistics, utilities, financial services, IT infrastructure components) which the organisation will allow to access its information.
- The following terms should be considered for inclusion in the agreements to satisfy the identified information security requirements:
- A standardized process and lifecycle for managing supplier relationships.
- Description of the information to be provided or accessed and methods of providing or accessing the information.
- Legal and regulatory requirements, including data protection, intellectual property rights and copyright, and a description of how it will be ensured that they are met.
- Rules of acceptable use of information, including unacceptable use if necessary.
- Incident management requirements and procedures (especially notification and collaboration during incident remediation).
- Relevant regulations for sub-contracting, including the controls and processes for services to meet critical functionality which need to be implemented.
- Relevant agreement partners, including a contact person for information security / cybersecurity issues.
- Defect resolution and conflict resolution processes.
- Mitigation of risk associated with unavailability of services or supplier (i.e., services / components no longer available or supplier no longer in business).
- Information sharing rules in case of potential issues and compromises.
- Assurance that critical components and their origin can be traced throughout the supply chain, and that the delivered product is functioning as expected without any unwanted features.
- Annual audits of the services, including the storage/processing sites, against contractual agreements shall be carried out and shortfalls shall be addressed. If the supplier does not allow an audit of its environment, the supplier shall submit a SOC 2 audit report.
- Supplier’s obligations to comply with the organization security requirements including cyber security.
Addressing information security within supplier agreements
- There must be agreed and monitored SLAs between organisation and external service provider for functions being outsourced.
- SLAs should contain references to the following criteria, where applicable:
- The names/roles of Head of Business, Head of IT.
- Ownership and duration of validity of the SLA.
- Service availability (dates, times, response times).
- Responsibilities for the security administration of the service including granting and withdrawal of access rights and covering cyber security aspects.
- Adherence to (or deviation from) Organisation’s Policies or Standards.
- Allocation and charging of costs of services and related expenses.
- Service reporting mechanisms and processes including frequency of management reporting.
- Responsibilities and liabilities associated with service provision.
- Right to intellectual property, trademarks, and copyrights.
- Non-disclosure agreement.
- Due diligence is required when handling the organization's sensitive or confidential data and/or employee or customer personal data.
- Disaster recovery process including backup and recovery of data.
- Responsibilities of third-party personnel should include the following:
- Hardware and software installation.
- Clear reporting structure and agreed reporting formats.
- Acceptable and unacceptable level of service.
- Involvement of sub-contractors.
- Indemnification for losses, damages, claims, costs, expenses, interest, awards, judgments, and penalties as a result of third party’s actions.
- Clause for termination / renegotiation of the terms of the contract.
- In the terms and conditions of the agreement, the organisation should reserve the right to inspect the facilities, premises, and staff of the outsourced organisation on a periodic basis or as and when required, to ensure that the information security terms and conditions of the agreements are being adhered to, and that information security incidents and problems are managed properly.
- The organisation should consider risks pertaining to cybersecurity before onboarding a third party / service provider, and, where possible, constraints, assumptions and risk tolerance levels should be recorded and documented.
- Wherever applicable, the organisation must legally bind the outsourced organisation to an Escrow Agreement and appoint a mutually agreed designated Escrow Agent/Escrow Custodian to manage the Escrow Material (i.e., the source code of the vendor's proprietary application) in the event that the hired outsourced organisation files for bankruptcy or becomes subject to litigation.
- The outsourced organisation bound by the Escrow agreement must adhere to the confidentiality and IS guidelines laid down in the organisation's IS Policy.
- On termination, at the end of the contract or at an agreed point in time, information and/or assets will be returned by the third party to the organisation. The return of assets and/or information is the responsibility of the third party or the agency responsible for the contract.
- A schedule of maintenance and/or support services for systems stating the hardware, software, technology, period, and exclusions / exceptions must be provided in the SLA, where applicable.
Managing information security in the Information Technology (IT) supply chain
The following should be considered when managing information security in the IT supply chain:
- IT products shall be acquired from reputable sources.
- Identify and define security related requirements applicable to IT product or service acquisition.
- Requiring IT service providers to ensure that the organisation's security requirements are passed down the supply chain when subcontracting for components of the IT service delivered to the organisation.
- Requiring IT product suppliers to ensure organisation’s security requirements are met throughout the supply chain if products include components purchased from other suppliers.
- Requiring IT product suppliers to provide information describing the implemented security functions of their product and the configuration required for its secure operation.
- Implement a monitoring process and acceptable methods for validating that delivered IT products and services comply with stated security requirements.
- Implement a process for identifying and documenting product or service components that are critical for maintaining functionality and therefore require increased attention, scrutiny and further follow-up when built outside the organisation, especially if the supplier outsources aspects of product or service components to other suppliers.
- Ensure that the delivered IT products are functioning as expected without any unexpected or unwanted features.
- Ensure that critical components and their origin can be traced throughout the supply chain.
- Ensure that IT products achieve required security levels.
- Implement specific processes for managing the IT component life cycle and availability and the associated security risks. This includes managing the risk of components no longer being available because suppliers are no longer in business, or because suppliers no longer provide these components due to technology advancements.
- Identification of an alternative supplier and the process to transfer software and competence to the alternative supplier should be considered.
Monitoring, review, and change management of supplier services
- All SLAs shall be subject to independent monitoring. Performance levels shall be monitored to verify compliance with the agreements.
- While managing changes in supplier services, the following aspects should be considered:
- Changes and enhancement to IT infrastructure
- Risk or Business Impact Assessment pertaining to changes to ensure security of organization information and related technologies.
- Use of new technologies
- Adoption of new products or newer version / releases
- New development tools and environments.
- Changes to physical location and services facilities
- Changes of suppliers.
- Sub-contracting to other suppliers.
- The organization shall monitor changes made by suppliers, including enhancements to the services currently offered, modifications or updates to suppliers' policies and procedures, and new or changed controls to resolve information security incidents and to improve information security.
- If required, organisation shall review service reports produced by the supplier and arrange regular progress meetings as required by the agreements.
- Where possible and needed, organisation shall conduct audits of suppliers and contractors, in conjunction with review of independent auditor’s reports, if applicable and available and follow-up on issues identified.
- Organisation and supplier shall exchange information regarding information security incidents and review those incidents as per the agreement.
- Organisation shall review supplier audit trails and records of information security events, operational problems, failures, tracing of faults and disruptions related to the service delivered.
- Organisation shall ensure that the supplier maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster.
- Organisation shall evaluate regularly that the suppliers maintain adequate information security levels.
- The organisation shall designate a separate individual or team who will be responsible for the management of supplier relationships.
Information Security Incident Management
Purpose
Incident management is defined as the capability to effectively manage unanticipated disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits. Incident response is the operational capability of incident management that identifies, prepares for and responds to incidents to control and limit damage; provide forensic and investigative capabilities; and maintain, recover and restore normal operations as per business requirements.
The purpose of this policy is to reduce the potential business impact and the risk of a similar incident occurring, by responding to incidents in a manner that allows timely corrective action, and by identifying the perpetrators of malicious acts and preserving sufficient evidence to prosecute them, if required.
Scope
This policy applies to all users of information assets including the Company’s employees, employees of temporary employment agencies, vendors and contractor personnel regardless of geographic location. If any user does not fully understand anything in this document, he/she should consult with IT or IS Function.
Policy Statement
In order to maintain business operations, the effects and impact of any security breach on the Company must be minimized. This policy provides guidelines on the timely reporting of all vulnerabilities and security breaches, on measures to prevent recurrence, and on creating staff awareness accordingly.
Management of information security incidents and improvements
Responsibilities and procedures
- Tapal Tea shall develop and implement processes to ensure the timely identification of information security incidents.
- Management shall establish and maintain incident escalation and notification processes to ensure that the appropriate stakeholders are involved in incident response management.
- Tapal Tea shall establish and maintain an incident response plan to ensure an effective and timely response to information security incidents.
- Assign clear and documented roles and responsibilities within IT in terms of desired outcomes.
- Where a security incident has occurred that involves legal action (either civil or criminal), an investigation of the nature, scope and causes of the incident must be undertaken in a way that preserves the evidentiary value of all information concerning the incident.
- Tapal Tea shall maintain appropriate contacts with authorities, external groups or forums that handle issues related to information security incidents.
- Establish and maintain integration among the incident response plan, disaster recovery plan and business continuity plan.
The network is monitored to detect potential cybersecurity events
- IS department shall ensure that important events with potential cyber security implications are monitored.
- The Information Security Officer shall be responsible for identifying security events and reporting them to the head of department for information and further action.
Reporting information security events
- Tapal Tea should form organized, trained, and equipped teams to effectively respond to information security incidents in a timely manner.
- All staff members, contractors and third parties’ staff must be made aware of how to identify a security breach, whom to contact in such an event, and how to contact them.
- All security events, including but not limited to those listed below, shall be reported to the Information Security function / GM IT:
- Loss of service, equipment or facilities
- System malfunctions or overloads
- Non-compliance with policies or guidelines
- Breaches of physical security arrangements
- Uncontrolled system changes
- Malfunctions of software or hardware
- Access violations
Reporting information security weaknesses
- Any security breach, security weakness and malfunction related to information assets must be formally reported to the Business Head or Information Security for further action.
- Information Security, after gaining a clear understanding of the situation, shall formally report the matter to the General Manager IT, the Legal Department and the Manager HR / ER as quickly as possible.
- Information security officer shall ensure that the reporting mechanism is easily accessible, available for reference and understood by personnel who have a role in incident management.
Assessment of and decision on information security events
- A procedure should be in place to record the details of incidents so that recurring or high-impact incidents can be identified.
- Information Security function will lead the investigation and assess the severity of information security incident. Results of the assessment should be adequately documented and escalated to relevant stakeholders.
- Prioritization must be based on the severity of the incident; the following severity levels must be considered:
Severity Level / Description
High
- Threatened or limited actual loss of reputation or impact to Tapal Tea, core business processes, regulatory or settlement capabilities
- Severe outage affecting one or multiple lines of business or locations
- System is down; a workaround is available, but the impact is severe and resolution is needed for smooth functioning
Medium
- Insignificant / minimal degradation to a key service or business process
- More severe degradation or outage to a non-critical service, business process or location
- System is up and running with degraded capability
Low
- Small issue with localized scope, typically affecting one person
- Can either be tolerated or worked around for an extended period of time due to its limited impact
- Assessment of, and decisions on, information security events or incidents shall be performed by Information Security and IT.
- Information gained from the evaluation of information security incidents should be maintained to strengthen areas of weak controls.
Response to incidents
- Establish and maintain an organization-wide definition of, and severity hierarchy for, information security and IS incidents to allow accurate identification of and response to incidents.
- Information Security shall conduct post-incident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
- An information security event reporting method must be developed to support the reporting action and to help the person reporting remember all necessary actions in the event of an information security event.
- Incident Response activities and engagement with internal and external stakeholders shall be centrally coordinated by Information Security officer.
- The service desk will resolve the incident, but final closure of the incident should take place only when the initiating user confirms that the incident is resolved and service is restored.
- Test and review the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities.
- All emergency actions taken in response to an incident shall be documented in detail and reviewed in an orderly manner.
- Once the issue is closed, relevant stakeholders must be notified of the results.
Learning from information security incidents
- There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored.
- Information Security will be required to analyse security incidents and identify proactive measures to be undertaken to avoid similar incidents in future; these shall be reported to the IT Steering Committee on a periodic basis.
- A lessons-learnt document shall be developed and maintained for future reference.
Collection of evidence
- A procedure should be developed for collecting sufficient evidence as soon as possible to achieve admissibility in court.
- Where possible, a strong trail of evidence should be maintained, including original paper documents and computer media.
- Information Security officer in coordination with legal/ Compliance shall obtain required evidence based on the guidelines of acceptable evidence as per the Laws of Pakistan.
- Where a follow-up action against a person after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented in conformance with the applicable rules of evidence.
- Tapal Tea shall preserve necessary logs and evidence for forensic investigation in case it cannot be performed at the time of the incident.
- Information Security officer shall assist a third party to perform forensic investigation of high-level incidents (if applicable).
- The SLA & NDA with the third party shall be signed before forensic investigation as per the Supplier Policy (if applicable).
Information Sharing
- Information shall be shared with relevant stakeholders on a need-to-know basis. High-level updates shall only be provided to business partners with the consent of top management, and without disclosing the root cause.
- The Information Security Officer shall ensure that the response plan includes guidelines on which information is to be shared with external and internal stakeholders.
- Information shall only be shared with personnel / entities that have agreed a legally binding Non-Disclosure Agreement or Confidentiality Agreement with Tapal Tea.
Information Security aspects of Business Continuity Management (BCM)
Purpose
The goal of developing a comprehensive Disaster Recovery Plan (DRP) / Business Continuity Plan (BCP) shall be to minimize financial losses to the institution, serve customers with minimal disruption, mitigate the negative effects of disruptions on business operations, and ensure compliance with information security policies. This plan should be documented and tested to ensure the continuity of operations and the availability of critical resources in the event of a disaster.
Tapal Tea could face the suspension of critical operations due to natural disasters, terrorist attacks, environmental incidents, computer problems, and other causes, and hence needs to secure business continuity by formulating action plans in advance to ensure quick recovery. Business Continuity Planning (BCP) is a comprehensive enterprise-wide process that defines how the Company responds to and recovers from business disruptions in case of a disaster, enabling the Company to continue services to customers and stakeholders alike.
Scope
This Policy covers all IT environments operated by Tapal Tea. The term “IT environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. all computers / desktop systems, network devices, wireless devices), software, and information.
The scope of this policy covers availability of all critical resources being owned or managed by IT function and information systems to ensure the continuity of operations in case of disaster.
Policy Statement
Business Continuity Plan (BCP)/ disaster recovery plan (DRP) must be made available to all key persons to ensure Business continuity in the event of a loss of service or disaster. BCP and DRP must incorporate adequate level of controls to comply with the information security policies of the Company.
Information security continuity
Planning information security continuity
- Tapal Tea shall develop a comprehensive business continuity plan (BCP) / Disaster recovery plan (DRP) as part of the business continuity planning process.
- The DRP shall be based on the size and complexity of Tapal Tea and shall be consistent with its overall business strategy.
- Each business function must assign responsibilities to an appropriate level for the development of their (BCP) / (DRP). All the plans developed should have consistent information with business priorities clearly identified.
- All IT information systems must go through a business impact analysis to prioritize critical business processes and determine the adverse impact levels associated with the compromise of Tapal Tea’s information assets, based on an assessment of the sensitivity and criticality of those technology assets.
- Possible events that can cause potential disruptions should be identified and a risk-based approach must be adopted for the development of BCP/DRP which should not only be limited to information processing facilities but also include all business processes.
- Where no formal process exists, the Information Security Officer shall assume that information security requirements remain the same under adverse conditions.
Implementing information security continuity
- Tapal Tea shall ensure that an appropriate management structure, i.e. an Information Security Response Team, is in place. Nominees of this committee or team shall have the necessary authority, experience, and competence to mitigate and respond to disruptive events.
- Responsible personnel shall be identified in coordination with Senior Manager Infrastructure and Business Continuity Management team to manage incidents and maintain information security continuity.
- The Information Technology department shall ensure that response plans and recovery procedures detailing how a disruptive event will be managed are documented and approved.
- IT department shall ensure that implemented information security controls (all relevant areas in IS policy) continue to effectively operate during an adverse condition.
- The probable adverse impact of an Information Security breach must be analysed in terms of loss of integrity, availability and confidentiality and magnitude of impact must be defined as either low, medium or high.
- BCP / DRP must be included in the systems development life cycle for all systems and applications that have been identified as important or critical, or that have a high availability requirement. Information owners are responsible for developing these plans in conjunction with Information Security and Information Technology.
- Define system recovery and business resumption priorities and establish specific recovery objectives, including Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), for IT systems, applications and critical paths.
- Invocation Procedures must be clearly defined in the Disaster Recovery Plan. Invocation Procedures must cater for incidents occurring both within normal office hours, and outside office hours with details of office and home contact numbers.
- Involve the respective business unit heads/ unit heads while signing-off test results of DR-BCP drills.
- Estimate maximum allowable downtime as well as the acceptable level of losses, associated with business functions and processes.
Verify, review and evaluate information security continuity
- IT Department shall ensure that information security continuity is appropriately exercised and tested keeping in view information security and implemented controls.
- IT Department’s relevant personnel should participate in the BCP/DR drills to ensure appropriate testing of information security continuity and contingency plans. The drills shall be performed annually.
- If existing and applicable, BCP and DR plans shall be reviewed annually, and any update within the BCP & DRP and testing program should be based upon changes in business operations, audit recommendations and test results.
- BCP / DRP must be tested prior to transferring systems and applications to the production environment. Once transferred to the production environment periodic tests and drills must be performed for critical systems (which are located in-house and offshore) and applications to ensure that defined recovery time and point objectives are met. Incremental tests must be performed for all other systems and applications. Test results must be provided to the Information Owner and made available to any compliance audit.
- Manager IS Operation North as Disaster Recovery Manager, or any designated executive must be responsible for ensuring that Disaster Recovery Plans are in place for all sites. Appropriate training must be provided to all personnel (including business users) regarding agreed procedures and processes, including crisis management.
- Business users shall be involved in the design and execution of comprehensive test cases to verify that recovered systems function properly.
- Tapal Tea shall identify legal and regulatory requirements for its business functions and processes.
- Tapal Tea’s response, resumption and recovery plans shall be subject to periodic review and testing. Tapal Tea shall also conduct exercises to test the ability of its staff and processes to respond to unfamiliar scenarios, with a view to achieving strong operational resilience.
- A variety of techniques (wherever applicable) should be used in order to provide assurance that the plans will operate in real life. These should include:
- Table-top testing of various scenarios (discussing the business recovery arrangements using example interruptions).
- Simulations (particularly for training people in their post-incident/crisis management roles).
- Technical recovery testing (ensuring information systems can be restored effectively).
- Testing recovery at an alternate site (running business processes in parallel with recovery operations away from the main site).
- Tests of supplier facilities and services (ensuring externally provided services and products will meet the contracted commitment).
- Total shutdown / complete switchover of the primary site, as well as component failure at the individual system or application cluster level (testing that Tapal Tea’s personnel, equipment, facilities, and processes can cope with interruptions or total shutdown of systems).
IT readiness for business continuity
- Business continuity and IT continuity plans will be integrated to ensure that IT systems align with business needs and objectives.
- Critical IT components that directly support business processes shall be identified. These components shall be prioritized for readiness planning, testing, and continuous improvement efforts.
- Regular testing and simulation of IT readiness shall be conducted to ensure that systems can be restored and operational within the required timeframe.
- Comprehensive data backup and recovery mechanisms will be implemented to ensure the availability and integrity of critical data during and after disruptions.
- The organisation shall develop a procedure to identify critical systems and ensure their availability.
- The organisation shall develop a business impact analysis (BIA) process that uses impact types and criteria to assess the impact over time of the disruption of business activities.
- Maintain standby hardware, software and network components that are necessary for fast recovery.
- Deploy replication, rapid backup, and recovery functionalities specifically tailored to individual systems or application clusters.
- Achieve high systems availability (or near zero system downtime) for critical systems which is associated with maintaining adequate capacity, reliable performance, fast response time, scalability, and swift recovery capability.
- Ensure adequate human resources are available and aware of their responsibilities to prepare for, mitigate, and respond to disruptions.
- Regularly test and evaluate the effectiveness of Readiness or Continuity Planning through exercises and established procedures.
- Record evidence of testing so that errors that occurred can be mitigated, similar errors avoided in future, and continual improvement supported.
Redundancies
Availability of information processing facilities
- Keeping in view the size, nature and complexity of business operations and IT systems, Tapal Tea shall consider developing built-in redundancies to reduce single points of failure which can bring down the entire network.
- Tapal Tea shall maintain standby hardware, software and network components that are necessary for fast recovery.
- Tapal Tea shall achieve high systems availability (or near zero system downtime) for critical systems which is associated with maintaining adequate capacity, reliable performance, fast response time, scalability, and swift recovery capability.
- IT Department shall ensure that redundant information systems or contingent measures are in place for all critical information systems to guarantee availability as per business requirements.
- The DR site shall preferably be situated at a location with a different geo-hazard profile from the primary site.
- IT Department shall test redundant information systems to ensure that the redundant infrastructure is appropriately working and will be able to support business processes in case the primary component fails.
Purpose
The purpose of this policy is to help the organisation navigate the complexities of cloud technology while prioritising security, compliance, and responsible usage.
Scope
This policy applies to all employees of Tapal Tea and consultants, contractors, vendors, and those who have access to the Tapal Tea’s cloud services outsourced externally as well as internal cloud service used for file sharing.
If any user does not fully understand anything in this document, he/she should consult with Information Security Team. Information Security Team shall resolve any conflicts arising from this Policy. Furthermore, any Exception to this policy will be approved by IT Steering Committee.
Policy Statement
- Tapal Tea shall establish information security policy for the use of cloud services and communicate it to all relevant stakeholders.
- Tapal Tea shall ensure all security requirements associated with the use of cloud services are identified.
- Criteria for selection of cloud service and cloud service provider shall be established, documented, communicated, and approved by relevant stakeholders.
- Tapal Tea shall define roles and responsibilities related to the use and management of cloud services.
- Tapal Tea shall prohibit its personnel from storing customers’ sensitive information on personal systems that are not officially assigned.
- Information Security roles and responsibilities for cloud service provider and organization (cloud service consumer) shall be identified.
- Responsibilities for management of security controls for use and management of cloud service shall be identified, documented, communicated, and approved.
- Tapal Tea shall devise procedures for managing controls, interfaces and changes when using multiple cloud services, especially from different providers.
- Cloud service providers shall be evaluated for their security posture and compliance.
- Tapal Tea shall establish procedure for handling information security incidents related to cloud services.
- Cloud service provider shall be willing to provide support in case of an information security incident.
- Tapal Tea shall devise strategies for changing or discontinuing cloud services, including an exit strategy.
- Tapal Tea shall establish procedures to monitor, review, and evaluate ongoing cloud service(s) to manage information security risks.
- Tapal Tea shall maintain regular communication with cloud service providers to exchange information on information security and report failures to commitments in agreements.
- Cloud services usage will adhere to data protection and privacy regulations. Sensitive and personal data will be handled according to established requirements.
- Service-level agreements (SLAs) and contracts with cloud service providers will include clear security requirements, expectations, and responsibilities. These agreements will ensure that security measures are well-defined and upheld.
- Tapal Tea shall require advance notification from cloud service providers for significant changes affecting service delivery, infrastructure, or data processing/storing locations.
- Undertake risk assessment to identify and manage risks associated with using cloud services.
- The SLA between the cloud service provider and Tapal Tea shall include at least the following provisions for the protection of data and the availability of the service:
- The service provider’s willingness to provide solutions based on industry-accepted standards and in accordance with Tapal Tea’s information security requirements.
- Management of access control.
- Implementation of solution for malware protection.
- Provision of support in the event of an incident in the cloud service environment.
- Mutual consent between cloud service provider and Tapal Tea and assurance of compliance of Tapal Tea’s information security requirements in case of using sub-contractor for processing or storing Tapal Tea’s sensitive information.
- Provision of data backups and configuration information and management of backups as required by Tapal Tea.
- In case of internal cloud service provided by organization to its workforce:
- The organization shall establish criteria and document and implement procedures for access to its internal cloud services by relevant stakeholders, based on the least-privilege principle.
- It shall be ensured that the use of internal cloud service policy and guidelines is communicated to all personnel including but not limited to Tapal’s workforce, contractors, and third-party service providers who have access to this cloud service.
- Security guidelines and end-user responsibilities for accessing internal cloud services shall be communicated to all relevant stakeholders.
- Adequate monitoring control shall be in place to log and evaluate all activities over internal cloud.
- The organization shall implement security measures to restrict or discourage its workforce from accessing official cloud services from personal systems or downloading official information to personal systems.
Purpose
The purpose of this policy is to follow and implement the IS Policy so as to avoid breaches of any law, statutory, regulatory or contractual obligations and any security requirements.
Scope
This policy applies to all users of information assets including the Tapal Tea’s employees, employees of temporary employment agencies, vendors and contractor personnel regardless of geographic location.
This Policy covers all IT and IS environments operated by the Company. The term “IS environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g., all computers / desktop systems, network devices, wireless devices), software, and information.
Policy Statement
Tapal Tea’s information security policies and standards are rendered ineffective unless they are supported by ongoing compliance checks and monitoring. The Company may incur financial penalties or suffer damage to its brand reputation if it fails to comply with its legal, regulatory or contractual obligations.
Compliance with legal and contractual requirements
Identification of applicable legislation and contractual requirements
- IT, in consultation with the Legal / Compliance department, shall explicitly identify, define, document, and monitor all applicable legislative, statutory, regulatory and contractual information security requirements for information systems.
Intellectual property rights
- To ensure that copyright is not violated, Tapal Tea shall acquire software only through known and reputable sources.
- Tapal Tea shall protect intellectual property rights by maintaining awareness of policies. Personnel shall be held accountable for their actions; if found responsible for any breach, disciplinary action shall be taken against all personnel involved.
- IT Team shall maintain all information assets which require intellectual property rights protection in appropriate asset register as per Asset Management Policy.
- The relevant department shall ensure that the responsibilities and license conditions in all agreements with third parties are appropriately complied with.
- Appropriate procedure shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software and products.
- The following guidelines should be considered to protect any material that may be considered intellectual property:
- Publishing an intellectual property rights compliance policy which defines the legal use of software, information, and products.
- Acquiring software only through known and reputable sources, to ensure that copyright is not violated.
- Maintaining awareness of policies to protect intellectual property rights, and giving notice of the intent to take disciplinary action against personnel breaching them.
- Maintaining proof and evidence of ownership of licenses, master disks, manuals etc.
- Implementing controls to ensure that any maximum number of users permitted is not exceeded.
- Carrying out checks that only authorized software and licensed products are installed.
- Providing a policy for maintaining appropriate license conditions.
- Providing a policy for disposing or transferring information or software to others.
- Using appropriate audit tools.
- Complying with terms and conditions for software and information obtained from public networks.
- Not duplicating, converting to another format or extracting from commercial recordings (film, audio, image) other than as permitted by copyright law.
- Not copying, in full or in part, books, articles, reports or other documents, other than as permitted by copyright law.
Protection of records
- Protection of all records from loss, destruction, falsification, unauthorized access and unauthorized release shall be ensured in accordance with legislative, regulatory, contractual and business requirements.
- Business data and correspondence should be categorized for the purpose of its protection, retention and destruction, consistent with statutory, regulatory and business requirements before it goes into production.
- Appropriate measures must be adopted by the Process Owners to protect data from loss, destruction or falsification during their retention period.
- Business application data storage schedule must include the retention period of backup or archived information and the retention period must be consistent with local legal, regulatory, and Tapal Tea requirements.
- Compliance Department in consultation with IT shall ensure identification of records and their retention periods as defined by applicable national or regional legislation or regulations via system of storage and handling. Destruction of records shall be permitted after that period if they are not required by the organization.
- Management must ensure that applicable legislation is complied with by Tapal Tea.
Privacy and protection of Personally Identifiable Information
- Personally identifiable information held or owned by Tapal Tea must be handled by authorized personnel in accordance with the information classification policy.
- Responsibility for handling personal information and ensuring awareness of the data protection principles should be dealt with in accordance with relevant legislation and regulations. Appropriate technical and organizational measures to protect personal information should be implemented.
Information security reviews
Independent review of information security
- Information Security and its implementation (policies, procedure, and controls) should be managed and reviewed independently at planned intervals, or when significant changes occur. This may include internal audit or external third parties having appropriate skills and experience for conducting such reviews.
- The results of independent review should be recorded and reported to the management, and this record should be maintained, and corrective actions shall be taken as per the results of independent review.
Compliance with security policies and standards
- Compliance with IS Policy is mandatory for all employees including contractors and third parties.
- The IS Function shall monitor and review compliance with IS policies. Reviews shall be conducted at least annually.
- Results of review must be maintained for audit purposes. If any non-compliance is found, it should be reported to the Management/ relevant stakeholders / GM IT for implementation of corrective controls.
- Disciplinary action will be taken against users who use information processing facilities for non-business purposes, fraud, malicious activities, or breaches of information. The terms of disciplinary action are governed by the Human Resource policy.
Technical compliance review
- Information systems should be regularly reviewed by the Information Security function for compliance with Tapal Tea’s Information Security policies.
- Technical compliance review should involve examination of operational systems to ensure that hardware and software controls have been correctly implemented.
- Technical compliance review should only be carried out by competent resources with the necessary technical expertise, in coordination with a third party if required.
- A risk assessment process shall be used to describe and analyse the risks inherent in a given line of business in order to determine the scope and frequency of audits.
Purpose
To establish clear, secure, and ethical guidelines for using OpenAI within the organization, ensuring that employees leverage OpenAI’s capabilities responsibly while safeguarding organizational data. This policy aims to protect data confidentiality, prevent unauthorized disclosure of sensitive information, and mitigate potential security risks associated with AI interaction. By setting standards for permitted use, access controls, and incident management, this policy supports compliance with data protection regulations and reinforces the organization’s commitment to responsible AI usage, aligning with industry best practices for data security and integrity.
Scope
This policy applies to all employees, contractors, and third parties using OpenAI for work-related purposes. The policy governs OpenAI access, input, output handling, and any integration with organizational systems.
Policy Statement
Data Privacy and Confidentiality
- Sensitive Data Restrictions: Users must refrain from entering any form of sensitive, confidential, or personally identifiable information into OpenAI under any circumstances. Sensitive data includes but is not limited to:
- General Data: Names, contact details, any client-specific information that could lead to unauthorized disclosure, and sales information.
- Financial Information: Tapal’s or a client’s financial statements, payment records, or transactional details.
- Proprietary Information: Trade secrets, internal business strategies, or any other information classified as proprietary.
- Employee Information: Any employee’s information, including but not limited to job roles, compensation details, etc.
- Data Minimization: Input only information absolutely necessary to obtain OpenAI assistance. Avoid any input of detailed proprietary processes, confidential workflows, or specific project names. Where possible:
- Paraphrase Information: Use general terms or anonymized descriptions when referring to sensitive projects or internal processes.
- Limit Context: Keep context minimal to avoid unintentional exposure of company-specific details or confidential aspects of projects.
- Avoid Sensitive Code or Algorithms: Refrain from providing any code snippets, algorithms, or business logic that could reveal the organization’s proprietary information.
- Access Control: Access to OpenAI shall be restricted to authorized employees only, determined by their roles and the necessity of OpenAI usage for their tasks. To enforce this:
- Role-based Permissions: Assign OpenAI access based on clear criteria that align with job responsibilities and data sensitivity.
- Data Handling Protocols: Users must follow established data handling protocols to ensure that OpenAI inputs and outputs are handled securely and do not inadvertently breach confidentiality.
- Regular Access Reviews: Conduct periodic reviews of OpenAI access privileges to ensure that only those who require it for business purposes retain access, adjusting permissions as roles and needs change within the organization.
- Prohibited Use Cases: To protect the organization’s data and prevent misuse, the following activities are explicitly prohibited:
- Handling Confidential or Sensitive Information: OpenAI must not be used to generate, process, or review any content containing confidential company data, such as:
- Internal Financial Information: Data pertaining to financial performance, budgets, or strategic financial plans should never be shared with or processed by OpenAI.
- Trade Secrets and Proprietary Processes: Avoid inputting information regarding unique processes, algorithms, project details, or intellectual property that could expose the organization’s competitive advantage.
- Employee or Client Personal Data: Any form of personally identifiable information (PII), such as names, addresses, email addresses, job titles, or personal identifiers of clients or employees, is strictly prohibited from being shared with OpenAI.
- Regulated or Compliant Data: Sensitive data, such as personal health information (PHI), financial data, or any other legally protected data, must never be shared with OpenAI. Non-compliance could result in significant disciplinary action.
-
Developing Proprietary Code or Business Logic: Employees must not use OpenAI for coding, developing proprietary solutions, or discussing algorithms or specific business logic that constitutes the organization’s intellectual property
-
Bias Awareness Mitigation: All employee using OpenAI should receive training on potential biases in AI-Generated responses covering:
-
Understanding AI Bias: Familiarize users with the ways in which AI systems like OpenAI can inadvertently reflect societal biases present in their training data.
-
Identifying Bias in Response: Train employee to recognize biased language or perspective in OpenAI outputs, especially when discussing sensitive topics such as race, gender, culture, or socioeconomic status.
-
Real-Time Bias Detection: Encourage employee to critically assess each response for bias and adjust or disregard content that could conflict with the organization’s commitment to fairness and inclusivity.