The Information Security Policy provides an integrated set of protection measures that must be uniformly applied across PAYzz to ensure a secure operating environment for its business operations.
Customer Information, organizational information, supporting IT systems, processes, and people that are generating, storing, and retrieving information are important assets of PAYzz. The availability, integrity, and confidentiality of information are essential in building and maintaining our competitive edge, cash flow, profitability, legal compliance, and respected company image.
This Information Security Policy addresses the information security requirements of:
Other principles and security requirements such as Authenticity, Non-repudiation, Identification, Authorization, Accountability, and Auditability are also addressed in this policy.
Scope
Objectives
The objective of the Information Security Policy is to provide PAYzz with an approach to managing information risks and with directives for the protection of information assets, applicable to all units and to those contracted to provide services.
Responsibility
To avoid a conflict of interest, the formulation of policy and the implementation of / compliance with the policy shall remain segregated. Therefore, the Information Risk Management Department (IRMD) will be the owner of the Information Security (IS) Policy, and implementation responsibility rests with the IT Security Department under the IT department.
The Chief Information Security Officer (CISO) is responsible for articulating the IS Policy that PAYzz uses to protect its information assets, apart from coordinating security-related issues within the organization as well as with relevant external agencies.
The CISO shall not be a member of the IT department and shall be a member of the Risk department.
All employees and external parties as defined in this policy are responsible for ensuring the confidentiality, integrity, and availability of PAYzz information assets.
Information Risk Management Department (IRMD)
IRMD gives recommendations regarding Information Security risk and is responsible for the maintenance and review of the IS Policy, and also for the formulation and review of all sub-policies derived from the IS Policy.
Policy Exceptions
Refer to the Exception handling procedure.
Periodic Review
The policy shall be reviewed every year, or at the time of any major change in the existing IT environment affecting policy and procedures, by the CISO and placed before the Board for approval.
This policy will remain in force until the next review/revision.
Policy Compliance Check
Compliance review of the IS Policy should be carried out by Internal/External auditors on a periodic basis. The Inspection & Audit Division (IAD) is responsible for monitoring compliance with the IS Policy. The compliance report should be placed by IAD before the Audit Committee of the Board.
Information Security Governance
Information security governance consists of the leadership, organizational structures, and processes that protect information and mitigate growing information security threats.
Critical outcomes of information security governance include:
It is important to consider the organizational necessity and benefits of information security governance. They include increased predictability and the reduction of uncertainty in business operations; a level of assurance that critical decisions are not based on faulty information; efficient and effective risk management; protection from the increasing potential for legal liability; process improvement; reduced losses from security-related events and prevention of catastrophic consequences; and improved reputation in the market and among customers.
Management Responsibility
Organization Structure
The Information Security Organization shall comprise the following.
The Information Security Organization is divided into 3 sections.
Executive Management
Implementing effective security governance and defining the strategic security objectives of an organization can be a complex task. As with any other major initiative, it must have leadership and ongoing support from executive management to succeed.
Governance
Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise resources are used responsibly.
Implementer
Ensuring that initiatives and existing operations adhere to policies is an area that the implementer is expected to manage.
Roles and Responsibilities
The roles and responsibilities of the Information Security Organization members are as follows.
Information Security Committee (ISC)
Members from Internal Audit, HR, Legal, Finance, and other departments should be called to the ISC meeting on an as-needed basis.
The ISC roles and responsibilities shall be as follows.
Chief Information Security Officer (CISO)
Information Asset Owner
Information asset owners shall be allocated to each information asset and shall ensure that security processes associated with these assets are established. For data and IT systems, they are called application owners. The asset owner or the application owner is usually the business owner. Each application should have an application owner (asset owner) who will typically be part of the concerned business function that uses the application.
Responsibilities would include, but not be limited to:
An information asset owner may delegate authority for the operation and protection of assets under their responsibility to an asset custodian. However, it remains the responsibility of the asset owner to accept risk and to take appropriate steps to ensure that delegated authority is being responsibly applied.
IT Security Function
The IT Security function is responsible for the execution of Information Risk policies, frameworks, guidelines, and control processes.
The responsibilities of IT Security include, but are not limited to:
Technology Infrastructure Service Providers
Application Developers
Application systems (including both business applications and generic supporting software, e.g., middleware and databases) may be developed and maintained by an internal IT function or by a third party. These parties are responsible for ensuring that systems are developed and maintained incorporating user requirements and information security requirements that adhere to PAYzz Policies for Information Risk. They are also responsible, in conjunction with the provider of the underlying technology infrastructure, for ensuring that information risk is adequately managed in development and test environments and for reporting to PAYzz IT Security.
User Manager
The user manager is the immediate manager or supervisor of an employee. The user manager has the ultimate responsibility for all user IDs and information assets owned by PAYzz employees. In the case of non-employee individuals such as contractors, consultants, etc., this manager is responsible for the activity of, and for the PAYzz assets used by, these individuals. He/she is usually the manager responsible for hiring the outside contractor.
End Users
Audit Team
Conducts Information Security audits to check compliance against policies and procedures.
Policies, Procedures, and Guidelines
At PAYzz, considering the security requirements, Information Security policies have been framed based on a series of security principles. All the Information Security policies and the need for each are addressed below:
1. Asset Management Policy
Information assets shall be accounted for and have a nominated asset owner. Owners shall be identified and cataloged for all information assets, and the responsibility for maintenance of appropriate controls shall be assigned. The implementation of specific controls may be delegated by the owner as appropriate, but the owner remains accountable for the proper protection of the assets.
2. Information Risk Management Procedure
Detailed risk assessments for Information risks (e.g., application risk assessment, infra risk assessment) shall be undertaken in order to identify pertinent threats, the extent of vulnerability to those threats, the likelihood, and the potential impact should a threat mature as a result of the vulnerability. This assessment shall determine acceptable, transferable, and avoidable risks and the risk that shall be reduced by risk treatments (control mechanisms).
3. Data Classification Policy
To ensure that the confidentiality, integrity, and availability of information is maintained, a data classification scheme has been designed. The level of security to be provided to the information will depend directly on the classification of the data.
4. Acceptable IT Usage Policy
This Policy has been prepared and implemented to ensure that all users and staff at PAYzz are aware of their responsibilities towards the IT Resources of PAYzz. It details the responsibilities of end users and the acceptable use of the IT Resources of PAYzz.
5. Access Control Policy
Data must have sufficient granularity to allow the appropriate authorized access. There is a delicate balance between protecting the data and permitting access to those who need to use the data for authorized purposes. This balance should be recognized. The Access Control Policy addresses this need.
6. E-mail Security Policy
PAYzz shall implement effective systems and procedures to ensure that e-mail is used as an efficient mode of business communication, and shall implement control procedures so that the e-mail facility is not misused by users. It also needs to be ensured that the e-mail service and its operations remain secure and efficient while communicating within the intranet as well as over the internet. The E-mail Security Policy of PAYzz addresses this.
7. Internet & Intranet Security Policy
PAYzz should utilize the Internet as an important resource for information and knowledge to carry on its business more efficiently. Users must also understand that any connection to the Internet offers an opportunity for unauthorized users to view or access corporate information. To this end, PAYzz has developed systems and procedures to ensure that the Internet is used only for business purposes, in a secure manner (without endangering the security of PAYzz’s network), and with a uniform code of conduct.
8. Password Security Policy
The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change. All application software in PAYzz will have to comply with the minimum password standards specified in this document.
9. Information Security (IS) Incident Management Policy
Incident management is required and needs to be established to ensure a quick, effective, and orderly response to security incidents. Such a policy would vary in scope depending on the sensitivity and size of the information systems being managed. A companywide incident management policy has been established for all systems.
10. Change Management Policy
Changes to information technology facilities and systems should be controlled in order to ensure that changes made to a production component are applied in a secure and consistent manner.
11. Application Security Policy
It may be required to develop and maintain software, applications, and add-on modules from time to time. Proper procedures, access controls, and security requirements need to be addressed throughout the entire process. The application security policy has been framed to address these needs.
12. Operating System Security Policy
PAYzz shall protect its operating system resources by providing security at a level that is appropriate for the nature of the data being processed. The operating system security policy has been framed for achieving this. PAYzz shall protect all business data, related application systems, and operating systems software from unauthorized or illegal access. Access to the operating system must be restricted to those people who need access to perform their duties.
13. Network Security Policy
Appropriate controls should be established to ensure the security of data in private and public networks, and the protection of connected services from unauthorized access. PAYzz’s Network infrastructure needs to be protected from unauthorized access. A range of security controls is required in computer networks to protect these environments. Considering the above, the network security policy has been framed for PAYzz.
Ref: ISMS-Network Security Policy
14. Anti-Virus Policy
Viruses, Trojans, Worms, etc., are malicious programs called malware and can corrupt or destroy data or may spread confidential information to unauthorized recipients, resulting in loss of Confidentiality, Integrity, and availability of the information. Malware detection and prevention measures as appropriate need to be implemented. The basis of protection against Malware should be founded on good security awareness and appropriate system access controls. The Anti-Virus policy has been framed on the above grounds.
15. Backup & Recovery Policy
In order to safeguard information and computing resources from various business and environmental threats, systems and procedures have been developed for the backup of all business data, related application systems, and operating systems software on a scheduled basis and in a standardized manner across PAYzz. The backup and recovery procedures must be automated wherever possible using the system features and be monitored regularly. The backup & recovery policy that has been framed for PAYzz considers these points.
16. Log and Audit Trail Policy
The log and audit trail policy addresses the framework for logging & auditing operating system events, application events, database events in the local area network, and network events.
17. Mobile Computing Policy
The mobile computing policy applies to all PAYzz employees and staff provided with a company laptop or portable electronic device. Employees are responsible for the proper care and use of the laptop computer / PED (Portable Electronic Device), its data, and the accompanying software while using the same.
18. Version Control Policy
The version control policy of PAYzz addresses implementing, managing, and controlling the changes in versions of application systems, and customized add-on modules, network and operating system software, interfaces, and utilities. This Policy is aimed at ensuring uniformity in versions running across PAYzz and would involve maintaining up-to-date documentation for the entire version change process.
19. Data Archival Policy
Proper data management will facilitate and improve the retrieval, evaluation, use, and storage of critical and related information. The purpose of the data archival policy for PAYzz is to address the proper archival of all its project-related data as per the client’s requirement to support its high-quality research service and also to ensure the availability, integrity, and confidentiality of the data.
20. Encryption Policy
In the current environment of increasingly open and interconnected systems and networks, the security of networks and data is essential. This policy describes cryptography as a tool for satisfying a wide spectrum of Information Security Management System (ISMS) needs and requirements.
21. Wireless Security Policy
Wireless Local Area Networks (LANs) form part of PAYzz’s corporate network infrastructure. In order to protect the business needs of PAYzz, the wireless network must meet the same level of security employed by the rest of the infrastructure.
This policy is to ensure that the deployment of wireless networking is controlled and managed in a centralized way to provide functionality and optimum levels of service whilst maintaining network security.
22. Data Migration Policy
Sometimes, a need may arise to migrate data from one system/database to another. This typically occurs during the replacement of existing applications/databases. This policy outlines the care to be taken during such migrations of data.
23. Security Awareness
All employees of PAYzz and, where relevant, contractors and third-party users shall receive appropriate awareness training and regular updates on organizational policies and procedures, as relevant to their job function.
24. Security monitoring
As per Cyber Security, a Security Operations Center shall be established for the security monitoring of logs of critical IT Assets.
25. Hardware Acquisition & Maintenance
These procedures and methods should delineate the various aspects of the procurement cycle while ensuring that hardware is of the required quality and meets the desired business objectives. Hardware, being a very important resource, should be maintained and supported systematically during its lifetime.
26. HR Security Guidelines
To ensure that employees, contractors, and third-party users understand their responsibilities and to reduce the risk of theft, fraud, or misuse of facilities, controls shall be implemented.
27. Data Security
Physical, Technical, and Organizational Security Measures
Appropriate physical, technical, and organizational security procedures that restrict access to and disclosure of personal data within PAYzz are implemented. PAYzz uses encryption, firewalls, and other technology and security procedures to help protect the accuracy and security of sensitive personal information and prevent unauthorized access or improper use.
PAYzz adapts RBI best practice guidelines for Physical, Technical, and Organizational measures to ensure the security of personal data including the prevention of alteration, loss, damage, unauthorized processing, or access.
28. Remote Access Policy
The purpose of this policy is to define standards for connecting to the PAYzz network from any host. These standards are designed to minimize the potential exposure to PAYzz from damages that may result from the unauthorized use of PAYzz resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical PAYzz internal systems, etc.
29. Exception Handling Procedure
Information security policies and procedures constitute controls for protecting information assets. While every attempt should be made to comply with the policies and procedures, there could be exceptions. The exception handling procedure should be followed when taking exceptions to the Information Security Policy.
30. Physical & Environmental Security
To prevent unauthorized physical access, damage, and interference to the organization’s premises and information, critical or sensitive information processing facilities shall be housed in a secure area, protected by secure perimeters, with appropriate entry controls.
31. Desktop Security Guidelines
The objective of desktop security guidelines is to provide a secure computing environment where data is processed. All desktops on the Local Area Network (LAN) shall be configured as per these guidelines. These guidelines are also applicable to Laptops provided by PAYzz to its employees/partner employees for official use.
32. License Management Guidelines
PAYzz uses operating systems, applications, and database software that are under license agreements limiting the use of the software to specific machines. Copies of such software are limited to backups only. It is important to have control over the use of software on computers.
33. Patch Management procedure
A Patch Management process needs to be in place to address technical system and software vulnerabilities quickly and effectively in order to reduce the likelihood of a serious business impact arising.
34. Asset Security Testing Procedure
With the rapid growth in the use of Information Technology for processing financial data and its use in day-to-day business processes, the evaluation of Information Security measures and the implementation of effective security monitoring controls have been identified as key requirements as per PAYzz Information Security policies.
35. Effective Measurement
This document defines the metrics for the collection and analysis of meaningful and quantifiable data to measure the effectiveness of the ISMS implementation. The metrics are used to identify areas of improvement and to formulate security strategies for continuously improving the security processes of PAYzz.
36. Database Security Procedure
In accordance with the Information Security Policy, all databases owned by PAYzz must be adequately protected to ensure the confidentiality, integrity, availability, and accountability of such systems. Databases normally provide a data storage mechanism as a back-end to an application that provides access to the data. In addition to electronic data storage, databases are typically associated with management systems that organize data into a collection of schemas, tables, queries, reports, views, and other objects.
37. Data Sanitization Guidelines
Data Sanitization is the process of protecting sensitive information in non-production databases from inappropriate visibility. After sanitization, the database remains perfectly usable - the look and feel are preserved - but the information content is secure. Data Sanitization establishes a relationship between technology and the expectation of privacy in the collection and sharing of personally identifiable information.
38. Key Management Procedure
Key management is the set of techniques and procedures supporting the establishment and maintenance of cryptographic key relationships between authorized parties within PAYzz and its business partners, regulatory entities, etc. Ref: ISMS-Key Management Procedure.
39. Information Security Guidelines for Branches
This is an IT best practice guideline document that shall be followed at Branch locations to ensure secure information processing and handling, defined in line with Regulatory guidelines and PAYzz Information Security policies.
40. Online PAY Channels Security - ATM, Internet PAYzz, Mobile & IVR PAYzz
The implementation of the appropriate authentication method and security controls should be based on an assessment of the risks posed and considering customer acceptance, ease of use, reliable performance, scalability to accommodate growth, and interoperability with other systems.
41. New Technology Adoption
42. Cloud computing
Cloud computing requirements shall be assessed in detail for data security, privacy, legal requirements, sustainability of the provider, service levels, geographical location of data storage and processing, including trans-border data flows, business continuity requirements, log retention, data retention, audit trails, etc., during the risk assessment process.
43. Social media
44. Compliance
Compliance with Regulatory requirements
Compliance with Information Security policy and procedures
Information Systems Audit