Human Resource Policy
The purpose of Human Resource Policy is to specify procedures for building security awareness amongst personnel.
2. Scope and Applicability
Human Resource Policy shall address all the aspects, right from the time of pre-selection of the employee till the time the employee is relieved by the organization.
The scope of this procedure includes all full-time employees, third-party, as well as contract employees being given access to information and information processing facilities.
This policy has been designed to ensure that security risks to the credit information from employees, third parties, and contract employees across the organization are minimized.
4.1.1 What is 's Background Check for all employees?
4.1.2 What is 's reference check for all employees?
4.1.3. Terms and Conditions of Employment
All employees of shall sign and agree to the terms and conditions of their employment contract. These terms and conditions shall state the organization’s as well as the employee’s responsibilities towards Information Security.
4.1.4 Confidentiality / Non-Disclosure Agreement
All employees of shall agree to abide by confidentiality / Non-disclosure as part of their terms of appointment.
4.2. Management Responsibilities
4.2.1. Information Security Manager (ISM) shall monitor, or assign responsibility for monitoring, the performance and conduct of each, as well as assess their impact on the security of the Information Assets to which the staff has access.
4.2.2. ISM shall be reporting to the who will be the ultimate responsibility holder for any and all matters regarding Information Security.
4.2.3 There is a designated Onboarding team, whose responsibility is to carry out the instructions sent by ISM and VP Engineering for all HR security-related matters.
4.2.4. Do you have a designated onboarding team to carry out HR security-related matters?
4.3 Allocation of Information Processing Assets and ID Creation
4.3.1. The employee/user will be assigned a laptop at the time of joining.
4.3.2. The employee/ user cannot exchange the assigned laptop with any other user without informing the Onboarding team.
4.3.3. For any laptop replacement, if the troubleshooting is not successful, the user will be asked to fill out the replacement form and a new laptop of the same specification will be dispatched. The old laptop is to be returned to the IT team in good condition.
4.3.4. For any laptop upgrade, the necessary approval from the reporting manager is to be submitted to the Onboarding team along with the replacement form; the upgrade will be considered as per the assigned matrix.
4.3.5. In case of loss of the laptop, the employee/user is to immediately report the loss, with all the relevant information relating to it, to the Onboarding team, and the FIR has to be lodged by the employee. The cost of the asset will be borne by the employee.
4.3.6. The Employee ID/ Code is created when the employee completes all onboarding/ joining formalities on their date of joining. The IDs are generated based on the sequence of the codes created for existing employees.
4.3.7 What is 's process for allocation of assets and ID Creation?
4.4 Information Security Training and Awareness
All the employees of must undergo information security training during induction and refresher training at least once a year. ISM in coordination with People & Culture function should be responsible for conducting Information Security training programs.
All Information Security breaches shall be investigated and disciplinary action shall be taken on the employees who have committed violations.
4.6.1. All employees of shall return all of the organization’s assets in their possession upon termination of their employment, contract, or agreement.
4.6.2. The employee is to acknowledge the email sent regarding Asset Recovery within 24 hrs, with the tentative date of dispatch and a picture of the device.
4.6.3. The maximum permitted time to return the laptop is two weeks from the date of the asset recovery communication. If an employee fails to return the assets, his/her FnF settlement will be put on hold.
4.7 Removal of Access Rights
4.7.1. HR Team in coordination with the Onboarding team shall ensure that the access rights of all employees to information and information processing facilities are revoked on the day of termination of their employment, contract, or agreement, or adjusted upon change.
5. Human Resource Security Procedures
5.1. What is 's Personnel Screening Plan?
5.2. What is 's Background check process?
5.3 What is 's reference check process?
6. What is the adverse impact of a negative reference/background check?
7. What is 's User ID Creation process?
8. Training and Awareness
8.1. All employees of shall be trained in Information security at least once a year. This training should include legal responsibilities, business controls, as well as training in the correct use of information processing facilities.
8.2. To build awareness of the policies, any major change made to the policies and procedures shall be communicated to all the employees.
8.3. The training should be conducted through any of the modes such as classroom training and web-based training.
8.4. All employees will be part of an ongoing counter phishing campaign to keep management up to date with the company’s training and awareness from a cyber security point of view.
8.5. What is the 's Employee Training and Awareness Plan?
9.1. What are the 's policies/ procedures on attendance?
10. Reporting of Violation
10.1. Any violations of policy are followed by a thorough investigation by the HR and IS team. The violations are classified by level of severity, and appropriate actions are taken accordingly by the committee.
10.2. Violation Classification:
Violations should be categorized into three levels as follows:
High Severity
Medium Severity
Low Severity
10.2.1. What is 's S.O.P for reporting violations of policy?
11.1. The steps in disciplinary action are followed by the assessment of the severity of the case. Disciplinary action can vary from sharing a warning letter to the termination of the employment depending on the severity of the offense.
12. Termination of Employment
12.1. What are the specifications for Termination of Employment?
13.1. Exceptions shall not be universal but shall be agreed upon on a case-by-case basis, upon official request made by the information owner. These may arise, for example, because of local circumstances, conditions, or legal reasons existing at any point in time.
13.2. All exception requests shall be submitted to (CTO). These shall be submitted through an email and be approved by (CTO).
14.1. reserves all rights and is the exclusive owner of all intellectual property rights over this Policy document. This document shall not, either in part or in full, be reproduced, published, copied, displayed, distributed, transferred, or stored in any media (such as hard disks, USB Drives, Pen Drives, Memory Cards, CDs, DVDs), and/or captured or transmitted through any means (such as electronic, digital, mechanical, photocopying, recordings, video and film or photographs and otherwise) by any person without prior consent from the ISM. This Policy and procedure document is available with ISM and/or any other forum as decided by the management of . Anything not specifically stated in this Policy and procedure document shall not be considered as implied in any manner.
14.2. For any clarifications related to this Policy and procedure document with respect to its interpretation, applicability, and implementation, please write to the ISMS team at dpo@.com
15.1. This policy and procedure is applicable to all the employees of the company who have access to and use the information assets and IT assets as listed in the Information Asset register which has been created for
15.2. Anyone found to have violated this policy will be subject to a process that will determine if the violation is just a process non-compliance issue that requires addressing or also includes ethical violations. In the event of only the former, a non-compliance could be issued by an internal auditor, which would require corrective/preventive actions.
15.3. In the event of the latter, the ethical/regulatory concern process will be invoked to decide whether an ethical/security violation has occurred and to decide on appropriate disciplinary actions as per the Disciplinary procedure of
15.4 Management’s interpretation of the clauses in this procedure shall be final and binding. Management reserves the right to alter or amend any clause in this document at any time as per its discretion.