The purpose of Secure Development Policy is to specify procedures for ensuring security is part of the product development life cycle.
Secure Development Policy applies to all the software that are developed by
along with the Information Security Manager (ISM), is responsible for executing and implementing the physical and logical access control procedures mentioned in this document.
4.1 Development lifecycle
4.1.1 All product developments go through the following phases:
d) Testing in SIT and UAT
e) Deployment in production
4.1.2 Planning, Initiation/Requirements Analysis Phase
a) Product manager identifies the business problem and writes a PRD after user interviews and feature validation. Next comes project scheduling, capacity planning, cost estimation, and feasibility assessment along with the engineering team.
b) Any customer data at rest is encrypted using the encryption method defined in the Cryptographic Controls Policy.
a) Developers begin the actual development of the product once they understand the requirements of the end users. Security considerations regarding users' sensitive data are taken into account.
a) A dedicated QA team conducts risk assessments and tests the security and functionality of the system.
b) The testing environments, SIT and UAT, are only available via VPN access.
a) The production environment is only available via VPN access.
b) Only select senior backend developers have access to production environments.
4.1.6 Security and protection over public networks
a) Customer data is protected in accordance with the access controls defined and in line with the requirements defined in the PRD.
b) Endpoints are always authenticated to ensure authorized access, and all communication happens over a secure SSL connection.
5.1 Exceptions shall not be universal but shall be agreed on a case-by-case basis, upon official request made by the information owner. These may arise, for example, because of local circumstances, conditions or legal reasons existing at any point in time.
5.2 All exception requests shall be submitted to (CTO). These shall be submitted through an email and be approved by (CTO).
6.1 reserves all rights and is the exclusive owner of all intellectual property rights over this Policy document. This document shall not, either in part or in full, be reproduced, published, copied, displayed, distributed, transferred, stored on any media (such as hard disks, USB drives, pen drives, memory cards, CDs, DVDs), and/or captured or transmitted by any means (such as electronic, digital, mechanical, photocopying, recordings, video and film or photographs and otherwise) by any person without prior consent from the ISM. This Policy and procedure document is available with the ISM and/or any other forum as decided by the management of . Anything not specifically stated in this Policy and procedure document shall not be considered as implied in any manner.
6.2. For any clarifications related to this Policy and procedure document with respect to its interpretation, applicability, and implementation, please write to the ISMS team at dpo@.com
7.1. This policy and procedure is applicable to all the employees of the company who have access to and use the information assets and IT assets as listed in the Information Asset register which has been created for
7.2. Anyone found to have violated this policy will be subject to a process that will determine whether the violation is only a process non-compliance issue that requires addressing or also includes ethical violations. In the event of only the former, a non-compliance finding could be issued by an internal auditor, which would require corrective/preventive actions.
7.3. In the event of the latter, the ethical/regulatory concern process will be invoked to decide whether an ethical/security violation has occurred and to decide on appropriate disciplinary actions as per the Disciplinary procedure of
7.4. Management’s interpretation of the clauses in this procedure shall be final and binding. Management reserves the rights to alter or amend any clause in this document at any time as per its discretion.