
Clear Desk & Clear Screen Policy

1. Purpose

This policy provides direction to ensure that the appropriate level of physical and logical access control is applied to protect information from unauthorized access, modification, disclosure or destruction, so that information remains accurate, confidential, and available when required.

2. Business Priorities

This Policy and Procedures apply to all the applications, personnel, systems and facilities of

3. Execution Responsibilities

(CTO) along with the Information Security Manager (ISM) is responsible for executing and implementing the physical and logical access control procedures mentioned in this document.

4. Clear Desk & Clear Screen Control Policy

4.1. All electronic information and systems shall have necessary and appropriate system access controls.
4.2. Access rights should be defined based on the ‘need-to-know’, ‘need-to-do’, ‘segregation of duties’, and ‘individual accountability’ principles.
4.2.1 How does define Access Rights?
4.3. The access to specific functionalities in information systems, and the level of access required at the granular level (read, modify and update, delete), should be identified and documented. These requirements should be translated into system profiles for the different classes of users. The access requirements should be identified in coordination with (CTO).
4.4. Employees should ensure assets such as laptops containing sensitive information are logged off or turned off when unattended or not in use.
4.5. Photocopiers should be used only with authorised access.
4.6. Media should be removed after use.
4.7. Actions need to be applied depending on the level of sensitivity or criticality of the information.

5. Confidentiality of Information

5.1. Confidential information refers to information where unauthorized use, access and disclosure, loss or modification, and deletion can result in damages for the client’s company and its employees. Confidential information should strictly be accessed on a “need to know” basis only.
5.2. Internal use information needs to be protected for proprietary, ethical, and privacy considerations. The loss or deletion of such information can also result in financial losses or damage to a company’s reputation or violate an individual’s privacy rights or lead to legal action.
5.2.1 What is 's Standard Operating Procedure for Internal Information Use?

6. Application of Clear Desk & Clear Screen Policy

6.1. Restriction of the use of copy and printing facilities to people with authorised access.
6.2. Deletion of media files after usage of copy and printing facilities.
6.3. Use of locked areas containing sensitive information should be restricted to people with authorised access.
6.4. Strict protection of information assets, systems, and devices as stipulated in the HR policy and User access management.
6.5. Adoption of a paperless culture is strongly encouraged to limit the exposure of sensitive information.
6.6. Disposal of information remaining in meeting rooms, such as erasing whiteboard information and removing all paper trails of sensitive information from meeting areas.
6.7 How does apply the Clear Desk & Clear Screen Policy?

7. Employee Awareness and Education

7.1. Training and awareness for all employees about the criticality of sensitive data and information as well as its storage and use.
7.2. Guidelines for this training in the onboarding of all new employees
7.3. Regular clean desk audits to ensure that all employees follow safe practices: maintaining good workplace hygiene, protecting and safeguarding sensitive information, and locking personal workstations when they leave the desk.
7.4. These audits should be conducted twice a year.
7.5 Do you have Employee Awareness Training for handling data?

8. Exceptions

Exceptions shall not be universal but shall be agreed on a case-by-case basis, upon official request made by the information owner. These may arise, for example, because of local circumstances, conditions or legal reasons existing at any point of time.

9. Disclaimer

9.1. reserve all rights and are the exclusive owner of all intellectual property rights over this Policy document. This document shall not, either in part or in full, be reproduced, published, copied, displayed, distributed, transferred, or stored in any media (such as hard disks, USB Drives, Pen Drives, Memory Cards, CDs, DVDs), and/or captured or transmitted by any means (such as electronic, digital, mechanical, photocopying, recordings, video and film or photographs and otherwise) by any person without prior consent from the ISM. This Policy and procedure document is available with ISM and/or any other forum as decided by the management of . Anything not specifically stated in this Policy and procedure document shall not be considered as implied in any manner.
For any clarifications related to this Compliance Policy and procedure document with respect to its interpretation, applicability, and implementation, please write to the ISMS team at dpo@. .com

10. Enforcement

10.1. This policy and procedure is applicable to all the employees of the company who have access to and use the information assets and IT assets as listed in the Information Asset register which has been created for
10.2. Anyone found to have violated this policy will be subject to a process that will determine whether the violation is just a process non-compliance issue that requires addressing or also includes ethical violations. In the event of only the former, a non-compliance could be issued by an internal auditor, which would require corrective/preventive actions.
10.3. In the event of the latter, the ethical/regulatory concern process will be invoked to decide whether an ethical/security violation has occurred and to decide on appropriate disciplinary actions as per the Disciplinary procedure of
10.4. Management’s interpretation of the clauses in this procedure shall be final and binding. Management reserves the right to alter or amend any clause in this document at any time as per its discretion.