Security Policy

The Information Security Policy provides an integrated set of protection measures that must be uniformly applied across PAYzz to ensure a secure operating environment for its business operations.

 

Customer Information, organizational information, supporting IT systems, processes, and people that are generating, storing, and retrieving information are important assets of PAYzz. The availability, integrity, and confidentiality of information are essential in building and maintaining our competitive edge, cash flow, profitability, legal compliance, and respected company image.
 

This Information Security Policy addresses the information security requirements of:
 

  • Confidentiality: Protecting sensitive information from disclosure to unauthorized individuals or systems;
  • Integrity: Safeguarding the accuracy, completeness, and timeliness of information;
  • Availability: Ensuring that information and vital services are accessible to authorized users when required.

Other principles and security requirements, such as Authenticity, Non-repudiation, Identification, Authorization, Accountability, and Auditability, are also addressed in this policy.
 

Scope

  • This policy applies to all employees, contractors, partners, and interns/trainees working in PAYzz. Third-party service providers that provide hosting services, or that hold data outside PAYzz premises, shall also comply with this policy.
  • The scope of this Information Security Policy is the information stored, communicated, and processed within PAYzz, and PAYzz’s data across outsourced locations.


Objectives
 

The objective of the Information Security Policy is to provide PAYzz with an approach to managing information risks, and to provide directives for the protection of information assets to all units and to those contracted to provide services.


Responsibility
 

To avoid conflicts of interest, formulation of the policy and implementation of/compliance with the policy shall remain segregated. Therefore, the Information Risk Management Department (IRMD) will be the owner of the Information Security (IS) Policy, and implementation responsibility rests with the IT Security Department under the IT department.
 

The Chief Information Security Officer (CISO) is responsible for articulating the IS Policy that PAYzz uses to protect its information assets, as well as for coordinating security-related issues within the organization and with relevant external agencies.
 

The CISO shall not be a member of the IT department and shall be a member of the Risk department.

All employees and external parties, as defined in this policy, are responsible for ensuring the confidentiality, integrity, and availability of PAYzz information assets.

 

Information Risk Management Department (IRMD)

 

IRMD gives recommendations regarding Information Security risk and is responsible for the maintenance/review of the IS Policy, and for formulating/reviewing all sub-policies derived from the IS Policy.

 

Policy Exceptions
 

Refer to the Exception handling procedure.

 

Periodic Review
 

The policy shall be reviewed every year, or at the time of any major change in the existing IT environment affecting policies and procedures, by the CISO and placed before the Board for approval.

 

This policy will remain in force until the next review/revision.

 

Policy Compliance Check

 

Compliance review of the IS Policy should be carried out by internal/external auditors on a periodic basis. The Inspection & Audit Division (IAD) is responsible for monitoring compliance with the IS Policy. The compliance report should be placed by IAD before the Audit Committee of the Board.

 

Information Security Governance
 

Information security governance consists of the leadership, organizational structures, and processes that protect information and mitigate growing information security threats.

 

Critical outcomes of information security governance include:
 

  • Alignment of information security with business strategy to support organizational objectives
  • Management and mitigation of risks and reduction of potential impacts on information resources to an acceptable level
  • Management of the performance of information security by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
  • Optimization of information security investments in support of organizational objectives

 

It is important to consider the organizational necessity and benefits of information security governance. They include:

  • increased predictability and the reduction of uncertainty in business operations;
  • a level of assurance that critical decisions are not based on faulty information;
  • enabling efficient and effective risk management;
  • protection from the increasing potential for legal liability;
  • process improvement;
  • reduced losses from security-related events and prevention of catastrophic consequences;
  • improved reputation in the market and among customers.
 

Management Responsibility
 

  • Approve policies related to the information security function
  • Ownership for implementation of board-approved information security policy
  • Ownership for establishing necessary organizational processes for information security
  • Ownership for providing necessary resources for successful information security
  • Ownership for establishing a structure for the implementation of an information security program

Organization Structure
 

The information security organization shall comprise the following:

 

  • Information Security Committee (ISC)
  • Chief Information Security Officer (CISO)
  • Chief Risk Officer (CRO)
  • Chief Technology Officer (CTO)
  • IT Security operations
  • Internal Audit

 

The Information Security Organization is divided into three sections:
 

Executive Management

Implementing effective security governance and defining the strategic security objectives of an organization can be a complex task. As with any other major initiative, it must have leadership and ongoing support from executive management to succeed.

 

Governance

Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise resources are used responsibly.

 

Implementer

Ensuring that new initiatives and existing operations adhere to policies is the area the implementer is expected to manage.

 

Roles and Responsibilities

The roles and responsibilities of the Information Security Organization members are as follows:

 

Information Security Committee (ISC)

 

Members from Internal Audit, HR, Legal, Finance, and other departments should be called to the ISC meeting as needed.
 

The ISC roles and responsibilities shall be as follows:
 

  • Developing and facilitating the implementation of information security policies and procedures to ensure that all identified risks are managed within PAYzz’s risk appetite.
  • Approving and monitoring major information security projects and the status of information security plans and budgets, establishing priorities, and approving procedures.
  • Supporting the development and implementation of a PAYzz-wide information security management program.
  • Reviewing the status of security incidents and of the various information security assessment and monitoring activities across PAYzz.
  • Reviewing the status of security awareness programs.
  • Assessing new developments or issues relating to information security.
  • Requiring effective metrics for measuring the performance of security controls.
  • Reporting to the Board of Directors on information security activities.
  • Conducting regular ISC meetings (at least quarterly) and maintaining minutes of meeting (MOM).


     

Chief Information Security Officer (CISO)
 

  • Establishing, implementing, monitoring, reviewing, maintaining, and improving Information Security Management System (ISMS)
  • Reviewing the security policies/procedures and suggesting improvements
  • Coordinating the ISC meetings
  • Providing consultative inputs to the ISC on security requirements
  • Coordinating information Security initiatives in the organization
  • Driving and monitoring the ISC directives in the organization
  • Updating ISC about IS initiatives, issues, and incidents
  • Facilitating and conducting risk assessments of the information assets in use and recommending mitigation controls
  • Promoting security awareness amongst employees, customers, and partners

 

Information Asset Owner
 

Information asset owners shall be allocated to each information asset and shall ensure that security processes associated with these assets are established. For data and IT systems, they are called application owners. The asset owner or the application owner is usually the business owner. Each application should have an application owner (asset owner) who will typically be part of the concerned business function that uses the application.

 

Responsibilities would include, but not be limited to:
 

  • Assigning initial information classification and periodically reviewing the classification to ensure it still meets business needs under the guidance of the Information Risk Management department (IRMD);
  • Ensuring security controls are in place, as recommended by IRMD;
  • Reviewing and ensuring the currency of the access rights associated with the information assets they own;
  • Determining access criteria and backup requirements for the information assets/applications they own.
     

An information asset owner may delegate authority for the operation and protection of assets under their responsibility to an asset custodian. However, it remains the responsibility of the asset owner to accept risk and to take appropriate steps to ensure that delegated authority is being responsibly applied.

 

IT Security Function
 

The IT Security function is responsible for the execution of Information Risk policies, frameworks, guidelines, and control processes.
 

The responsibilities of IT Security include, but are not limited to:
 

  • Enable Information Security controls
  • Define IT security procedures and guidelines in line with the IS Policies
  • Provide Security Architecture
  • Implement and monitor the operational effectiveness of mandatory IT controls
  • Analysis of security incidents, both internal and external, and deriving lessons learned

     

Technology Infrastructure Service Providers
 

  • Infrastructure services shall be provided by strategic outsourced partners with Service Level agreements. The service providers are custodians of IT assets on behalf of PAYzz and are responsible for the implementation and operation of the infrastructure as appropriate to meet the Confidentiality, Integrity, and Availability ratings specified by PAYzz.
  • Develop Standard Operating Procedures (SOPs), and Security Guidelines for the assets managed.
  • Manage IT assets as per PAYzz-approved policies and procedures.
     

Application Developers

 

Application systems (including both business applications and generic supporting software, e.g., middle-ware, databases) may be developed and maintained by an internal IT function or by a third party. These parties are responsible for ensuring that systems are developed and maintained, incorporating user requirements and information security requirements that are in adherence to PAYzz Policies for Information Risk. They are also responsible, in conjunction with the provider of the underlying technology infrastructure, for ensuring that information risk is adequately managed in development and test environments and reporting to PAYzz IT Security.

 

User Manager
 

The user manager is the immediate manager or supervisor of an employee. He/she has the ultimate responsibility for all user IDs and information assets owned by PAYzz employees. In the case of non-employee individuals such as contractors, consultants, etc., this manager is responsible for their activity and for the PAYzz assets used by these individuals. He/she is usually the manager responsible for hiring the outside contractor.

End Users

End users are responsible for the following with regard to information security:

  • Being responsible and accountable for activities associated with an assigned account, as well as assigned equipment and removable media;
  • Protecting the secrecy of passwords and business information;
  • Reporting known or suspected security incidents.

 

 

Audit Team

Conduct information security audits to check compliance against policies and procedures.

Policies, Procedures, and Guidelines
 

At PAYzz, considering the security requirements, Information Security policies have been framed based on a series of security principles. All the Information Security policies, and the need for each, are addressed below:

 

1. Asset Management Policy
 

Information assets shall be accounted for and have a nominated asset owner. Owners shall be identified and cataloged for all information assets, and responsibility for the maintenance of appropriate controls shall be assigned. The implementation of specific controls may be delegated by the owner as appropriate, but the owner remains accountable for the proper protection of the assets.

 

2. Information Risk Management Procedure
 

Detailed risk assessments for Information risks (e.g., application risk assessment, infra risk assessment) shall be undertaken in order to identify pertinent threats, the extent of vulnerability to those threats, the likelihood, and the potential impact should a threat mature as a result of the vulnerability. This assessment shall determine acceptable, transferable, and avoidable risks and the risk that shall be reduced by risk treatments (control mechanisms).

 

3. Data Classification Policy
 

To ensure that the confidentiality, integrity, and availability of information are maintained, a data classification scheme has been designed. The level of security to be provided to the information depends directly on the classification of the data.

 

4. Acceptable IT Usage Policy
 

This policy has been prepared and implemented to ensure that all users and staff at PAYzz are aware of their responsibilities towards the IT resources of PAYzz. It details those responsibilities and the acceptable use of the IT resources of PAYzz.

 

5. Access Control Policy


Data must have sufficient granularity to allow the appropriate authorized access. There is a delicate balance between protecting the data and permitting access to those who need to use the data for authorized purposes. This balance should be recognized. The Access Control Policy addresses this need.

 

6. E-mail Security Policy
 

PAYzz shall implement effective systems and procedures to ensure that e-mail is used as an efficient mode of business communication, and implement control procedures so that the e-mail facility is not misused by users. It also needs to be ensured that the e-mail service and its operations remain secure and efficient when communicating within the intranet as well as over the internet. The E-mail Security Policy of PAYzz addresses this.

 

7. Internet & Intranet Security Policy
 

PAYzz should utilize the Internet as an important resource for information and knowledge to carry on its business more efficiently. Users must also understand that any connection to the Internet offers an opportunity for unauthorized users to view or access corporate information. To this end, PAYzz has developed systems and procedures to ensure that the Internet is used only for business purposes, in a secure manner (without endangering the security of PAYzz’s network), and with a uniform code of conduct.


 

8. Password Security Policy


The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change. All application software in PAYzz will have to comply with the minimum password standards specified in this document.


 

9. Information Security (IS) Incident Management Policy
 

Incident management is required and needs to be established to ensure a quick, effective, and orderly response to security incidents. Such a policy would vary in scope depending on the sensitivity and size of the information systems being managed. A companywide incident management policy has been established for all systems.



 

10. Change Management Policy
 

Changes to information technology facilities and systems should be controlled in order to ensure that changes made to a production component are applied in a secure and consistent manner.


 

11. Application Security Policy
 

It may be required to develop and maintain software, applications, and add-on modules from time to time. Proper procedures, access controls, and security requirements need to be addressed throughout the entire process. The application security policy has been framed to address these needs.


 

12. Operating System Security Policy
 

PAYzz shall protect its operating system resources by providing security at a level that is appropriate for the nature of the data being processed. The operating system security policy has been framed for achieving this. PAYzz shall protect all business data, related application systems, and operating systems software from unauthorized or illegal access. Access to the operating system must be restricted to those people who need access to perform their duties.


 

13. Network Security Policy
 

Appropriate controls should be established to ensure the security of data in private and public networks, and the protection of connected services from unauthorized access. PAYzz’s Network infrastructure needs to be protected from unauthorized access. A range of security controls is required in computer networks to protect these environments. Considering the above, the network security policy has been framed for PAYzz.

Ref: ISMS-Network Security Policy
 

14. Anti-Virus Policy
 

Viruses, Trojans, worms, etc., are malicious programs (malware) that can corrupt or destroy data or spread confidential information to unauthorized recipients, resulting in loss of confidentiality, integrity, and availability of the information. Malware detection and prevention measures need to be implemented as appropriate. Protection against malware should be founded on good security awareness and appropriate system access controls. The Anti-Virus Policy has been framed on the above grounds.


 

15. Backup & Recovery Policy
 

In order to safeguard information and computing resources from various business and environmental threats, systems and procedures have been developed for the backup of all business data, related application systems, and operating systems software on a scheduled basis and in a standardized manner across PAYzz. The backup and recovery procedures must be automated wherever possible using the system features and be monitored regularly. The backup & recovery policy that has been framed for PAYzz considers these points.


 

16. Log and Audit Trail Policy
 

The log and audit trail policy addresses the framework for logging & auditing operating system events, application events, database events in the local area network, and network events.

17. Mobile Computing Policy
 

The Mobile Computing Policy applies to all PAYzz employees and staff provided with a company laptop or portable electronic device. It is the employee’s responsibility to take proper care of, and make proper use of, the laptop computer / PED (Portable Electronic Device), its data, and the accompanying software while using them.


18. Version Control Policy
 

The version control policy of PAYzz addresses implementing, managing, and controlling the changes in versions of application systems, and customized add-on modules, network and operating system software, interfaces, and utilities. This Policy is aimed at ensuring uniformity in versions running across PAYzz and would involve maintaining up-to-date documentation for the entire version change process.
 

19. Data Archival Policy
 

Proper data management will facilitate and improve the retrieval, evaluation, use, and storage of critical and related information. The purpose of the data archival policy for PAYzz is to address the proper archival of all its project-related data as per the client’s requirement to support its high-quality research service and also to ensure the availability, integrity, and confidentiality of the data.

 

20. Encryption Policy
 

In the current environment of increasingly open and interconnected systems and networks, network and data information security are essential. This policy describes cryptography as a tool for satisfying a wide spectrum of Information Security Management System (ISMS) needs and requirements.
 

21. Wireless Security Policy
 

Wireless Local Area Networks (LANs) form part of PAYzz’s corporate network infrastructure. In order to protect the business needs of PAYzz, the wireless network must meet the same level of security employed by the rest of the infrastructure.
 

This policy is to ensure that the deployment of wireless networking is controlled and managed in a centralized way to provide functionality and optimum levels of service whilst maintaining network security.


 

22. Data Migration Policy
 

Sometimes, a need may arise to migrate data from one system/database to another. This typically occurs during the replacement of existing applications/databases. This policy outlines the care to be taken during such migrations of data.
 

23. Security Awareness
 

All employees of PAYzz and, where relevant, contractors and third-party users shall receive appropriate awareness training and regular updates on organizational policies and procedures, as relevant to their job function.

24. Security Monitoring
 

As per the Cyber Security requirements, a Security Operations Center (SOC) shall be established for security monitoring of the logs of critical IT assets.


 

25. Hardware Acquisition & Maintenance
 

These procedures and methods should delineate the various aspects of the procurement cycle while ensuring that hardware is of the required quality and meets the desired business objectives. Hardware, being a very important resource, should be maintained and supported systematically during its lifetime.
 

26. HR Security Guidelines
 

To ensure that employees, contractors, and third-party users understand their responsibilities, and to reduce the risk of theft, fraud, or misuse of facilities, controls shall be implemented.


 

27. Data Security
 

Physical, Technical, and Organizational Security Measures
 

Appropriate physical, technical, and organizational security procedures that restrict access to and disclosure of personal data within PAYzz are implemented. PAYzz uses encryption, firewalls, and other technology and security procedures to help protect the accuracy and security of sensitive personal information and prevent unauthorized access or improper use.

PAYzz adapts RBI best practice guidelines for Physical, Technical, and Organizational measures to ensure the security of personal data including the prevention of alteration, loss, damage, unauthorized processing, or access.
 

28. Remote Access Policy
 

The purpose of this policy is to define standards for connecting to the PAYzz network from any host. These standards are designed to minimize the potential exposure to PAYzz from damages that may result from the unauthorized use of PAYzz resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical PAYzz internal systems, etc.


 

29. Exception Handling Procedure
 

Information security policies and procedures constitute controls for protecting Information assets. While every attempt should be made to comply with the policies and procedures there could be exceptions. The exception handling procedure should be followed for taking exceptions to the Information Security Policy.


 

30. Physical & Environmental Security

To prevent unauthorized physical access, damage, and interference to the organization’s premises and information, critical or sensitive information processing facilities shall be housed in secure areas, protected by secure perimeters with appropriate entry controls.
 


 

31. Desktop Security Guidelines

The objective of desktop security guidelines is to provide a secure computing environment where data is processed. All desktops on the Local Area Network (LAN) shall be configured as per these guidelines. These guidelines are also applicable to Laptops provided by PAYzz to its employees/partner employees for official use.


 

32. License Management Guidelines
 

PAYzz uses operating systems, applications, and database software that are under license agreements limiting the use of the software to specific machines. Copies of such software are limited to backups only. It is important to have control over the use of software on computers.


 

33. Patch Management procedure
 

A Patch Management process needs to be in place to address technical system and software vulnerabilities quickly and effectively in order to reduce the likelihood of a serious business impact arising.


 

34. Asset Security Testing Procedure
 

With the rapid use of Information Technology for processing financial data and its use in day-to-day business processes, evaluation of Information Security measures and implementation of effective security monitoring controls have been identified as key requirements under the PAYzz Information Security policies.


 

35. Effective Measurement
 

This document defines the metrics for the collection and analysis of meaningful and quantifiable data to measure the effectiveness of the ISMS implementation. The metrics are used to identify areas of improvement and to formulate security strategies for continuously improving the security processes of PAYzz.
 

36. Database Security Procedure
 

In accordance with the Information Security Policy, all databases owned by PAYzz must be adequately protected to ensure the confidentiality, integrity, availability, and accountability of such systems. Databases normally provide a data storage mechanism as a back-end to an application that provides access to the data. In addition to electronic data storage, databases are typically associated with management systems that organize data into a collection of schemas, tables, queries, reports, views, and other objects.


 

37. Data Sanitization Guidelines
 

Data Sanitization is the process of protecting sensitive information in non-production databases from inappropriate visibility. After sanitization, the database remains perfectly usable - the look and feel are preserved - but the information content is secure. Data Sanitization establishes a relationship between technology and the expectation of privacy in the collection and sharing of personally identifiable information.
 

38. Key Management Procedure
 

Key management is the set of techniques and procedures supporting the establishment and maintenance of cryptographic key relationships between authorized parties within PAYzz and its business partners, regulatory entities, etc. Ref: ISMS-Key Management Procedure.
 

39. Information Security Guidelines for Branches
 

This is an IT best practice guideline document that shall be followed at branch locations to ensure secure information processing and handling, defined in line with regulatory guidelines and PAYzz Information Security policies.

 

40. Online PAY Channels Security - ATM, Internet PAYzz, Mobile & IVR PAYzz


The implementation of the appropriate authentication method and security controls should be based on an assessment of the risks posed and considering customer acceptance, ease of use, reliable performance, scalability to accommodate growth, and interoperability with other systems.
 

41. New Technology Adoption
 

  • Introduction of new technology and deployment of application & Infrastructure shall go through Risk assessment and sign-off process before implementation in production.
  • Procedures and guidelines for new technologies such as cloud computing, Social PAYzz, etc. shall be developed.
  • The risks associated with the adoption of new & emerging technologies shall be assessed and approved.
     

42. Cloud computing
 

Cloud computing requirements shall be assessed in detail for data security, privacy, legal requirements, sustainability of the provider, service levels, geographical location of data storage and processing, including trans-border data flows, business continuity requirements, log retention, data retention, audit trails, etc., during the risk assessment process.
 

43. Social media
 

  • Usage of social media within PAYzz’s network is restricted unless specifically approved.
  • Employees are personally responsible for the content they publish online, whether in a blog, social computing site, or any other form of user-generated media.
  • Employees are not authorized to publish or discuss the following on social media:
      • PAYzz’s confidential or other proprietary information;
      • Citations of or references to customers, partners, or suppliers without their approval;
      • PAYzz’s logos or trademarks, unless approved to do so.
     

44. Compliance

Compliance with Regulatory requirements

 

  • Compliance with statutory, regulatory, and contractual requirements, such as the Information Technology (IT) Act 2008 and the directives and recommendations given by the Reserve Bank of India (RBI), shall be ensured
  • Compliance with the terms/conditions and license requirements for the usage of copyrighted software or any other proprietary information/material shall be maintained
  • Cross-border movement of data shall be in accordance with legal and regulatory requirements
  • Records shall be retained and managed based on legal and regulatory requirements

 

Compliance with Information Security policy and procedures
 

  • Information processing facilities shall be used as per the information security policy and acceptable usage policy
  • While PAYzz respects the privacy of its employees, it reserves the right to audit and/or monitor the activities of its employees and the information stored, processed, transmitted, or handled on any assets/devices/services used by the employee
  • Exception to security policy and procedure shall be approved through the exception management process
  • Policy exceptions shall be reviewed at least annually and as deemed necessary based on security risks envisaged, emerging threats, etc.
  • Violations or any attempted violations of security policies and procedures shall result in disciplinary actions

 

Information Systems Audit
 

  • Audits shall be conducted to ensure compliance with the information security policies, procedures and guidelines
  • The use of information systems audit tools shall be controlled and authorized to prevent any possible misuse of tools.