This policy provides direction to ensure that the appropriate level of physical and logical access control is applied to protect information from unauthorized access, modification, disclosure or destruction, so that information remains accurate, confidential, and available when required.
This Policy and Procedures apply to all the applications, personnel, systems and facilities of
along with the Information Security Manager (ISM) is responsible for executing and implementing the physical and logical access control procedures mentioned in this document.
4.1. All electronic information and systems shall have necessary and appropriate system access controls with secure remote access technology for all authorized employees, contractors, and third parties with established cybersecurity and data protection practices.
4.2. Risk assessment and business impact analyses are to be conducted with operational resilience programs including requirements for remote access security.
4.3. Access to specific functionalities in information systems, and the granular level of access required (read, modify and update, delete), should be identified and documented. These requirements should be translated into system profiles for the different classes of users. The remote access requirements should be identified in coordination with the . Authentication rules, role-based access, and encryption should be considered in remote access procedures.
4.4. Remote access security plans and procedures shall be reviewed periodically, updated, and tested.
4.5. Describe the network access rules in place for employees at
4.6. Two-factor authentication is to be used as an extra layer of security whenever possible for remote access.
4.7. Connection procedure and the use of VPN should be specified.
4.8. Password requirements should be set and rules made known to all employees.
4.9. Supply and support of end user devices
4.10. Describe the types of information and services that can be accessed remotely.
4.11. Describe the restrictions on the use of own devices to access company information
4.12. Use of alternative work sites and procedures
4.13. Describe backup and media storage procedures at
4.14. Describe System ownership and return procedure at
5.1. Exceptions shall not be universal but shall be agreed upon on a case-by-case basis, upon official request made by the information owner. These may arise, for example, because of local circumstances, conditions, or legal reasons existing at any point in time.
5.2. All exception requests shall be submitted to (CTO). These shall be submitted by email and approved by (CTO).
6.1. reserves all rights and is the exclusive owner of all intellectual property rights over this Policy document. This document shall not, either in part or in full, be reproduced, published, copied, displayed, distributed, transferred, or stored in any media (such as hard disks, USB Drives, Pen Drives, Memory Cards, CDs, DVDs), and/or captured or transmitted by any means (such as electronic, digital, mechanical, photocopying, recordings, video and film or photographs and otherwise) by any person without prior consent from the ISM. This Policy and procedure document is available with ISM and/or any other forum as decided by the management of . Anything not specifically stated in this Policy and procedure document shall not be considered as implied in any manner.
6.2. For any clarifications related to this Policy and procedure document with respect to its interpretation, applicability, and implementation, please write to the ISMS team at dpo@.com
7.1. This policy and procedure is applicable to all the employees of the company who have access to and use the information assets and IT assets as listed in the Information Asset register which has been created for
7.2. Anyone found to have violated this policy will be subject to a process that will determine whether the violation is just a process non-compliance issue that requires addressing or also includes ethical violations. In the event of only the former, a non-compliance could be issued by an internal auditor, which would require corrective/preventive actions.
7.3. In the event of the latter, the ethical/regulatory concern process will be invoked to decide whether an ethical/security violation has occurred and to decide on appropriate disciplinary actions as per the Disciplinary procedure of
7.4. Management’s interpretation of the clauses in this procedure shall be final and binding. Management reserves the right to alter or amend any clause in this document at any time as per its discretion.