InfoSec Policy
Version 6.16
Document: InfoSec Policy
Current version: 6.16
Prepared By: InfoSec Team
Reviewed By: Vaibhav Patkar – AVP
Approved By: Anurana Saluja - VP - InfoSec
Current version date: May 10, 2020
Modification History

No. | Description of creation / change | Date of creation / change | Version no.
1 | Policy review / No update | February 14, 2006 | 1.0
2 | Policy review, verbiage update | April 04, 2007 | 2.0
3 | Policy review / No update | April 25, 2007 | 3.0
4 | Policy and document update | June 07, 2007 | 4.0
5 | Policy and document update | June 02, 2008 | 5.0
6 | Policy and document update | June 09, 2009 | 6.1
7 | Policy and document update | January 27, 2010 | 6.2
8 | Policy and document update | June 13, 2011 | 6.3
9 | Policy and document update | February 11, 2012 | 6.4
10 | Policy and document update | January 8, 2013 | 6.5
11 | Policy and document update | December 11, 2013 | 6.6
12 | Added section on Privacy | April 15, 2014 | 6.7
13 | Modified sections: Incident Management, Business Continuity, Software Control policies | June 30, 2015 | 6.8
14 | Added sections on Mobile Policy and Third Party / Supplier Security | Oct 20, 2015 | 6.9
15 | Modified Goals and Review sections to bring more clarity about risk assessments and their periodicity, and about NTP servers | May 19, 2016 | 6.10
16 | Modified sections: Internet Firewall Policy, Sensitive Information Handling Policy, Payment Card Industry PCI DSS Policy | November 2, 2016 | 6.11
17 | Modified Mobile Policy section | April 19, 2017 | 6.12
18 | Added overall information security responsibilities and ownership point | May 10, 2017 | 6.13
19 | Minor changes in Privacy, Physical Security, Software Control and Backup policies | May 09, 2018 | 6.14
20 | Added new Sutherland logo in the document. No other change made. | May 09, 2019 | 6.15
21 | No changes | May 10, 2020 | 6.16
Internal Use only Page 2 of 61
Sutherland Global Services is committed to safeguarding its own data and client data by providing adequate protection to its information assets. To safeguard data appropriately and adequately, the InfoSec Policy has been developed based on industry best information security practices and in alignment with the ISO 27001, HIPAA and PCI DSS standards. Sutherland’s InfoSec Policy is intended to guide and to provide an appropriate level of protection to information assets, and to assure the best possible protection of data. I approve the policy.
Sd/- Doug Gilbert
CTO - Sutherland Global Services
Table of Contents
INTRODUCTION ..... 4
ORGANIZATIONAL SECURITY POLICY ..... 6
A1. INFORMATION SENSITIVITY CLASSIFICATION ..... 9
A2. COMPLYING WITH LEGAL & POLICY REQUIREMENTS ..... 11
A3. SENSITIVE INFORMATION HANDLING POLICY ..... 12
A4. HUMAN RESOURCES PERSONNEL PRACTICES POLICY ..... 14
A5. PRIVACY POLICY ..... 16
A6. THIRD PARTY / SUPPLIER ACCESS POLICY ..... 17
B1. PHYSICAL SECURITY POLICY ..... 20
B2. PROCESSING INFORMATION & DOCUMENTS ..... 25
B3. HELP DESK & RECEPTIONIST ..... 28
B4. INCIDENT RESPONSE POLICY ..... 30
B5. TERMINATION POLICY ..... 31
B6. BUSINESS CONTINUITY POLICY ..... 32
C1. PASSWORD MANAGEMENT POLICY ..... 34
C2. VIRTUAL PRIVATE NETWORK USAGE POLICY ..... 36
C3. INTERNET FIREWALL POLICY ..... 38
C4. SOFTWARE CONTROL POLICY ..... 41
C5. REMOTE ACCESS POLICIES ..... 44
C6. BACKUP AND RESTORATION POLICIES ..... 45
C7. SECURE DATA TRANSFER POLICY ..... 47
C8. ACCEPTABLE ENCRYPTION POLICY ..... 48
C9. LAPTOP POLICY ..... 49
C10. MOBILE POLICY ..... 51
C11. DOCUMENT SCANNER COPY ..... 54
C12. PAYMENT CARD INDUSTRY PCI DSS POLICY ..... 55
C13. PRIVILEGED ACCOUNT POLICY ..... 57
C14. VULNERABILITY ANALYSIS POLICY ..... 58
C15. SECURITY MONITORING & LOG MANAGEMENT POLICY ..... 59
C16. ANNEXURE ..... 60
C17. DEFINITIONS ..... 61
INTRODUCTION
This document provides guidance for network administrators and management personnel on how to address security issues within the Sutherland domain. This handbook is a guide to computer security policies and procedures for Sutherland and its group companies across all their locations. This guide lists issues and factors that Sutherland must consider in terms of policies addressable under various security headings. It makes a number of recommendations and provides discussions of relevant areas.
Purpose
This document is a formal statement of the rules by which people who are given access to Sutherland’s technology and information assets must abide.
The main purpose of this document is to inform administrators and managers of their obligatory requirements for protecting technology and information assets. The document specifies the mechanisms through which these requirements can be met. In addition, the document provides a baseline from which to acquire, configure and audit computer systems and networks for compliance with the policy.
Audience
The audiences for this document are network administrators and decision makers (typically "Senior Management") of Sutherland. For brevity, we will use the term "administrator" throughout this document to refer to system and network administrators. The focus of this document is on the policies and procedures that need to be in place to support the technical security features of Sutherland IT and related infrastructure and logical domain.
Management | Technical | Operational
INFOSEC documentation | Account management | Media controls
Roles and responsibilities | Identification and authentication |
Education training and awareness | |
Contingency planning | Auditing | Physical environment
Configuration management | Maintenance | Personal security
BCP / DR | Networking connectivity | Access control
System assurance | |
Malicious code protection | |
Responsibilities
Overall responsibility for the security of information flowing within Sutherland lies with the Global Head of Information Security, who is responsible for implementing and maintaining information security controls in Sutherland and who shall assign specific responsibilities to team members for maintaining the security posture of the organization. To coordinate information security globally across company business units, Sutherland has established two categories, at least one of which applies to each manager or administrator: Owner and/or Custodian. These categories define general responsibilities with respect to information security.
Owner Responsibilities
Information Owners are the Department Managers, Senior Management, or their delegates within Sutherland who bear responsibility for the acquisition, development, and maintenance of production applications which process Sutherland information. Production applications are computer programs which regularly provide reports in support of decision making and other business activities. All production application system information must have a designated Owner. For each type of information, Owners designate the relevant sensitivity classification, designate the appropriate level of criticality, define which users will be granted access, as well as approve requests for various ways in which the information will be utilized.
Custodian Responsibilities
Custodians are in physical or logical possession of either Sutherland information or information that has been entrusted to Sutherland. While Information Technology Department staff members clearly are Custodians, local system administrators are also Custodians. Whenever information is maintained only on a personal computer, the User is necessarily also the Custodian. Each type of production application system information must have one or more designated Custodians. Custodians are responsible for safeguarding the information, including implementing access control systems to prevent inappropriate disclosure, and making back-ups so that critical information will not be lost. Custodians are also required to implement, operate, and maintain the security measures defined by information Owners.
ORGANIZATIONAL SECURITY POLICY
Applicability
Every associate at Sutherland -- no matter what their status (employee, contractor, consultant, temporary, and all categories of personnel other than visitors) must comply with the information security policies found in this and related information security documents.
This policy applies to all computer and network systems owned by and/or administered by Sutherland. It also applies to all employees, contractors, consultants and temporary staff who handle Sutherland information and information assets. Similarly, this policy applies to all platforms (operating systems), all computer sizes (personal computers through mainframes), and all application systems (whether developed in-house or purchased from third parties).
Objectives
• Protection of proprietary documents, customer information, credit card information, other Personally Identifiable Information (PII) like Social Security Number, Driving License Number, Telephone Number, Email IDs, customer or 3rd party provided data or information, and any hardware or software that is in the possession of Sutherland
• Secure handling of code during its processing in the Sutherland software premises
• Protection of information provided by customers, such as knowledgebase, including but not limited to product ideas/processes/methods generated or refined within Sutherland while working with various programs or with various customer data
• To provide confidence to the customers where information needs to be handled, processed or developed
Goals
To identify, through appropriate risk assessment, the vulnerabilities and threats that may expose Sutherland’s information assets to risk.
To manage those risks to an acceptable level through the design, implementation and maintenance of a formal information security management system.
Risk assessment activities are to be conducted on an annual basis and after any significant change in the environment.
To comply with legislation including, but not limited to:
• Local Companies Act and other local regulations specific to the country of operations
• Indian IT Act 2000 and its subsequent amendments in 2008
• Employment Acts of the respective countries
• Privacy Acts of the respective countries
• GLBA Act
• HIPAA Act
• GDPR Regulations
To comply with customer contract conditions.
To comply with applicable standards/Frameworks like ISO 27001, ISO 15000, COBIT©, Sarbanes-Oxley, NIST, SANS, PCI-DSS etc
Specific Policies
All security policies, which will constitute the policy manual, will be categorized under three sections:
A) Management Policies
B) Operational Policies
C) Technical Policies
Consistent Information Handling
Sutherland information, and information which has been entrusted to associates, must be protected in a manner commensurate with its sensitivity and criticality. Security measures must be employed regardless of the media on which information is stored (paper, overhead transparency, computer bits, etc.), the systems which process it (personal computers, firewalls, voice mail systems, etc.), or the methods by which it is moved (electronic mail, face-to-face conversation, etc.). Information must also be consistently protected no matter what its stage in the life cycle from origination to destruction.
Personal Use
Sutherland information systems are intended to be used for business purposes only. Incidental personal use is permissible if the use:
A) Does not consume more than a trivial amount of resources that could otherwise be used for business purposes,
B) Does not interfere with associate productivity, and
C) Does not preempt any business activity.
Permissible incidental use of an electronic mail system would, for example, involve sending a message to schedule a luncheon. Other types of personal use require the permission of a department manager. Use of Sutherland information systems for chain letters, charitable solicitations, political campaign material, religious work, and any other non-business use is prohibited. Non-permissible personal use, for example, would be sending legally defined non-public information (such as credit card data or bank account information) even if it is the personal information of the employee.
Incident Reporting
All personnel have a responsibility for reporting perceived and actual security incidents.
Structure of InfoSec policies
Objective
Policy
Policy statement
Enforcement zone
Enforcement responsibility
Table (wherever applicable)
Review
The Risk Assessment and other policies are reviewed and approved by Sutherland Management on a yearly basis, and whenever influencing changes occur, to ensure they remain appropriate for the business and for Sutherland’s ability to serve its customers.
A1. INFORMATION SENSITIVITY CLASSIFICATION
Objective
To ensure that information receives an appropriate level of protection.
Policy
All information, data and documents must be classified according to their level of confidentiality, sensitivity, value, criticality and legal requirements.
Policy Statement
Reasons for Classification
To assist in the appropriate handling of information, a sensitivity classification hierarchy must be used throughout Sutherland. This hierarchy provides a shorthand way of referring to sensitivity, and can be used to simplify information security decisions and minimize information security costs. One important intention of a sensitivity classification system is to provide consistent handling of the information, no matter what form it takes, no matter where it goes, and no matter who possesses it. For this reason, it is important to maintain the labels reflecting sensitivity classification categories. Sutherland uses three sensitivity classification categories. All valuable, sensitive or critical business information shall be assigned to a classification category by the designated information owner or delegate.
Public: This information has been specifically approved for public release by Public Relations/Communications Department or Marketing Department managers. Unauthorized disclosure of this information will not cause problems for Sutherland, its customers, or its business partners. Example: marketing brochures and material posted to the Sutherland Internet web page. Disclosure of Sutherland information to the public requires the existence of this label, the specific permission of the information owner, or long-standing practice of publicly distributing this information.
Internal Use Only: This information is intended for use within Sutherland, and in some cases within associated organizations, such as Sutherland business partners. Unauthorized disclosure of this information to outsiders may be against laws and regulations, or may cause problems for Sutherland, its customers, or its business partners. Example: the Sutherland telephone book, internal policies / procedures, and most internal electronic mail messages.
Confidential: This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access. Unauthorized disclosure of this information to people without a business need for access may be against laws and regulations, or may cause significant problems for Sutherland, its customers, or its business partners. Example: customer transaction account information and associate performance evaluation records, merger/acquisition plans, and legal information protected by client/attorney privilege.
A subset of Sutherland Global Services Confidential information is "Sutherland Global Services Third Party Confidential" information. This is confidential information belonging or pertaining to another corporation or individual which has been entrusted to Sutherland Global Services by that company under non-disclosure agreements and other contracts. Examples of this type of information include everything from joint development efforts to vendor lists, customer orders, and supplier information etc.
Data Classification Policies
Clearly mark both printed materials and media storage containing Confidential or Internal information to show the appropriate data classification.
Information Disclosure
Confidential information, which is company information that could cause substantial harm if obtained by unauthorized persons, may be delivered only to a trusted person who is authorized to receive it. Private information, which is personal information about an employee or employees that, if disclosed, could be used to harm employees or the company, may be delivered only to a trusted person who is authorized to receive it. Internal information is information to be shared only within Sutherland or with other trusted persons who have signed an NDA. Files or other electronic data shall not be transferred to any removable media unless the requester is a trusted person whose identity has been verified and who has a need to have such data in such format. All personnel shall protect the confidentiality and maintain the integrity of company information stored on their computer systems, disks, tapes, paper, manuals and the like.
Miscellaneous
Whenever a Sutherland employee changes positions or is given increased or decreased job responsibilities, the employee’s manager will notify the Sutherland Global Service Desk (GSD) of the change in the employee’s responsibilities so that the appropriate security profile can be assigned. Whenever a contractor who has been issued a computer account has completed his or her assignment, or when the contract expires, the manager responsible will immediately notify the Sutherland GSD to disable the contractor’s computer accounts, including any accounts used for database access, dial-up or internet access from remote locations. Identification badges must be color coded to indicate whether the badge holder is an employee, contractor, temporary, visitor or intern.
Enforcement zone
All Secure Premises of Sutherland Global Services
Enforcement responsibility
Admin, HR, GTI
Table (wherever applicable)
A2. COMPLYING WITH LEGAL & POLICY REQUIREMENTS
Objective
To comply with any law, statutory, regulatory or contractual obligations as well as to meet any security requirements.
Policy
Sutherland will take all possible steps to comply with legal and statutory requirements, and also to comply with the conditions stipulated in the contractual agreements, MSAs, SOWs, etc. of Sutherland’s clients.
Policy statement
Persons responsible for Human Resources Management are to ensure that all employees are fully aware of their legal responsibilities with respect to their use of computer based information systems and data. Such responsibilities are to be included within key staff documentation such as Terms and Conditions of employment and the Organization’s Code of Conduct. Persons responsible for Human Resources Management are to prepare guidelines to ensure that all employees are aware of the key aspects of Copyright, Designs and IT Act legislation (or its equivalent), in so far as these requirements impact on their duties. The organization will maintain suitable archiving and record retention timelines. All employees are required to fully comply with the organization’s Information Security policies. The monitoring of such compliance is the responsibility of management. All employees are to be aware that evidence of Information Security incidents must be formally recorded, retained and passed on to the appointed Information Security Officer.
Enforcement zone
All Secure Premises of Sutherland Global Services
Enforcement responsibility
Table (wherever applicable)
A3. SENSITIVE INFORMATION HANDLING POLICY
Objective
To safeguard sensitive data in any form handled by Sutherland against unauthorized disclosure, alteration or misuse by adopting industry best practices in security standards.
Policy
Data pertaining to Sutherland’s client or corporate Sutherland data shall be protected against unauthorized disclosure, alteration or misuse.
Policy Statement
Sensitive information and work area
A sensitive work area is any area within Sutherland where employees are exposed to sensitive information. Sensitive information may be client data, customers’ credit card (CC) numbers, or other Personally Identifiable Information (PII) like Social Security Number (SSN), Driving License Number, Telephone Number, Email IDs, corporate data, etc., which on disclosure can lead to unfavorable conditions for Sutherland and its clients.
Sutherland’s sensitive work areas shall be adequately protected and monitored. The general practices listed below shall be implemented and monitored periodically in those areas declared as sensitive work areas.
Best practices on sensitive work areas
• Sensitive work areas shall have a separate access control door controlled by access cards
• Only authorized personnel shall be allowed inside the sensitive area
• Items such as paper, pens, pencils, CDs, floppies, USBs, DVDs, memory cards, mobile phones, tablet computers, wearable computers (e.g. smartwatches, Google Glass), bags, food items, recording equipment and cameras shall not be allowed inside the sensitive area
• Security guards or other authorized personnel shall conduct checks of employees, visitors or vendors as and when required by visual / physical / electronic means
• A sensitive work area shall be in a separate VLAN, which shall not be accessible from outside, and access to that VLAN shall be controlled
• A sensitive work area shall be continuously monitored by CCTV
• CCTV recordings shall be kept for 30 days or as required by regulatory authorities/clients, and shall be reviewed periodically
• Employees working in a sensitive area shall NOT have access to printers. If printing is required by the client for executing the work, printouts taken during the shift shall be shredded at the end of the shift on the same business day, monitored by the Team Manager / Supervisor and also by the security guard if posted
• Shredding bins or a cross-cut shredder shall be placed in the sensitive areas for hard copy documents to be shredded
• All data on electronic media used in the sensitive area shall be degaussed or destroyed, as appropriate, after its use
• Storage devices moved from the sensitive areas or program shall be wiped using sanitizing software
• The print screen facility shall be disabled on all desktops/PCs in the sensitive work area
• Sensitive work areas shall have only software, hardware or applications / programs approved by the respective clients
• Access to outbound mail shall be denied to all employees working in sensitive areas
• Outbound email access is provided only to specific employees based on need and with client and specific internal approvals
• Internet access shall not be allowed to personnel who work in sensitive work areas. The only exceptions are sites which need to be accessed based on client requirement; the list needs to be specified by the client
• Workstations in sensitive work areas shall not have CD drives, floppy drives, USB drives, etc.
• Sutherland recommends that thin clients be used on the process floor to minimize infractions
• Team Leads or other designated personnel shall monitor the sensitive area activities
• Sensitive information handling (credit card numbers, CVV numbers, SSN numbers and other sensitive information related to the customer/client) shall be closely monitored
• USB ports shall be configured in such a way that mass storage devices are disabled
• All inbound and outbound calls shall be recorded for a specific duration, and such recordings shall be made available to select persons on a need basis
• Encryption shall be used on voice recordings of the sensitive work areas
• Strong data encryption and other adequate safeguards shall be used if client sensitive data is stored in Sutherland’s network
• Viewing of encrypted data in clear form needs a special approval / authentication which will be logged with user name, time, purpose, etc. (the purpose will be entered by the user before requesting such information)
• CVV numbers of credit cards (CC) shall not be stored in the database or any other storage location
• Indicators like crediting the same CC number, multiple credits for the same customer, etc. shall be watched
• Security of data in transit shall be ensured by using IPsec, SSL or similar encrypted transmissions, and by using 3DES, AES or similar encryption mechanisms
Employee hiring, monitoring and training
Prior to joining a sensitive information handling program, HR and the respective program shall ensure that the employee has undergone and cleared appropriate background checks with respect to local regulations and applicable customer guidelines, and is of good character.
Enforcement zone
All Sensitive work areas of Sutherland Global Services locations
Enforcement responsibility
Admin, HR, GTI
Table (wherever applicable)
A4. HUMAN RESOURCES PERSONNEL PRACTICES POLICY
Objective
To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
Policy
All employees, contractors and third party users must comply with the Information Security Policies of the organization. Any Information Security incidents resulting from non-compliance will result in immediate disciplinary action.
Policy Statement
Positions of special trust or responsibility
Individual positions shall be analyzed to determine the potential vulnerabilities associated with work in those positions. In some cases it may be appropriate for Sutherland to designate classes of employment as being positions of special trust or responsibility. It may also be appropriate to designate locations as sensitive and require appropriate procedures and safeguards for all employees whose duties include access to those areas.
Non-Disclosure Agreements
Management shall use non-disclosure agreements to document the acceptance by employees and contractors of special information security requirements as defined by agency standards and risk management decisions.
1. All persons occupying positions of special trust or responsibility:
a. Shall acknowledge, by signing a non-disclosure agreement, that their duties will bring them into contact with information or information resources that are of value to Sutherland and that require protection,
b. Shall be required to uphold the policies and procedures adopted to safeguard the information and associated resources that may be entrusted to them, or that they may come into contact with, and,
c. Shall be required to agree to report violations of policies or procedures to their supervisor, their Information Security Function, or other person designated by the Management.
2. Copies of non-disclosure agreements shall be maintained in employee or contract files, and the agreements shall be updated at least annually. A discussion of the terms of the agreement shall be conducted with new employees upon hiring, and with terminating employees.
3. In addition to persons occupying positions of special trust or responsibility or occupying positions in sensitive locations, Sutherland management shall require other information processing users to sign non-disclosure agreements in accordance with this requirement.
Security awareness and training
Management shall provide an ongoing awareness and training program in information security and in the protection of Sutherland information resources for all personnel whose duties bring them into contact with confidential or sensitive information resources. Security training sessions for these personnel shall be held at least annually. Further, awareness and training in security shall not be limited to formal training sessions, but shall include periodic briefings and continual reinforcement of the value of security consciousness in all employees whose duties bring them into contact with confidential or sensitive information resources.
Guidelines
1. New Employee Orientation. Each new employee shall be required to attend an orientation which suitably explains the Sutherland security policies and procedures. After the orientation, each employee shall sign an acknowledgment of having attended the orientation and understood the security requirements. New employees are also directed to the intranet site where all the security policies are stored so they can access them whenever required.
2. Security Refresher Training Requirements. Annual security awareness training programs shall address information security requirements and their importance to the organization in terms of Sutherland operations and the activities of personnel. Examples of topics include:
• public access to information;
• policy against using company resources for personal purposes;
• disposal of confidential documents;
• protecting passwords;
• message authentication and data encryption;
• privacy and confidentiality;
• copyright protection and the use of copyright material;
• work habits in relation to security; and,
• personal safety.
3. Security Awareness. Creating awareness about the importance of information security is an ongoing activity emphasizing the need for measures to prevent, detect and correct any information security challenges and threats. Information security awareness programs shall include:
• distributing copies of the company’s security policies/brochures and obtaining a physical or electronic signed acknowledgment from each employee;
• scheduling online / classroom based training classes;
• using bulletin boards, newsletters, and posters to focus attention on the importance of information security;
• sending advisories to all employees for awareness of security issues;
• incorporating security awareness in the performance rating process;
• providing a visible, continuing example of management adherence to security policies and procedures; and,
• taking disciplinary action in the event of security infractions.
4. Seminars, Workshops and Conferences. Seminars can be an effective method of training security professionals. They provide an opportunity for open dialogue on a particular subject with both instructors and other participants. Seminars frequently focus on a single subject, such as communications or physical security. This focus allows in-depth study of the subject matter. Conferences are an effective means of acquiring information about security. They bring together a variety of security professionals and vendors marketing security related products. Conferences provide a variety of views and expose the security team to new perspectives; hence attendance is recommended for the Sutherland security workforce a minimum of once a year.
Enforcement zone
All work areas of Sutherland Global Services
Enforcement responsibility
HR
Table (wherever applicable)
A5.PRIVACY POLICY
Objective
To ensure that all employees, contractors and third party users are aware of privacy requirements, of sensitive data including but not limited to social security numbers, credit card numbers (CC), CVV, Personal Health Information (PHI) and Personally Identifiable Information (PII), and of the corresponding protection mechanisms in the course of their normal work. Additionally, to ensure adherence to privacy regulations such as the European Union’s (EU) General Data Protection Regulation (GDPR) and the privacy laws of the countries in which Sutherland operates.
Policy
All employees, contractors and third parties shall maintain the physical, electronic and procedural safeguards required to comply with applicable data protection and privacy laws.
Policy Statement
Adherence to Privacy
• All personal information shall be classified as confidential and protected through its life cycle with appropriate controls.
• Access controls shall be put in place; access to such information shall be restricted by default and granted only on a need-to-know basis.
• Sensitive authentication data shall not be stored after authorization, even if encrypted. (Sensitive authentication data includes CVV, track data and PIN data.)
• Primary account numbers (PANs) shall be masked when displaying cardholder data, except for those with a legitimate business need to see the full PAN.
• Personal information cannot be shared with third parties unless prior consent is obtained or access, use, preservation or disclosure of such information is reasonably necessary to
(a) satisfy any applicable law, regulation, legal process or enforceable governmental request,
(b) enforce applicable Terms of Service, including investigation of potential violations thereof,
(c) detect, prevent, or otherwise address fraud, security or technical issues, or
(d) protect against imminent harm to the rights, property or safety of Sutherland and its employees or the public as required or permitted by law.
• A Privacy Policy Statement, as required by applicable law, will be published wherever Sutherland collects such information from the public.
• Appropriate security measures such as encryption and anonymization shall be applied wherever needed and / or as required by the customer.
• Any unauthorized access to such information will be treated as a Security Incident.
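The PAN masking and sensitive authentication data rules above, shown as an added Python example that is not part of the Sutherland policy document. The last-four-digits display mask, the role name treated as having a legitimate business need, and the field names treated as sensitive authentication data are assumptions made for illustration.

```python
"""Added example (not from the Sutherland policy): enforcing two privacy
policy statements in application code.

  1. PANs are masked on display unless the viewer's role has a legitimate
     business need (role name assumed here).
  2. Sensitive authentication data (CVV, track data, PIN) is stripped
     before a post-authorization record is persisted, even if encrypted.
"""
from dataclasses import dataclass, field

# Field names treated as sensitive authentication data (SAD).  These names
# are an assumption for this example; map them to your own schema.
SAD_FIELDS = frozenset({"cvv", "cvv2", "track1", "track2", "pin", "pin_block"})

# Roles assumed to have a legitimate business need to see the full PAN.
FULL_PAN_ROLES = frozenset({"fraud_analyst"})


def mask_pan(pan: str, role: str = "agent") -> str:
    """Return the PAN as it may be displayed to the given role.

    Roles outside FULL_PAN_ROLES see only the last four digits.  Separators
    (spaces, hyphens) are kept so the masked value keeps its layout.
    """
    if role in FULL_PAN_ROLES:
        return pan
    digit_count = sum(ch.isdigit() for ch in pan)
    keep_from = max(digit_count - 4, 0)  # index of the first digit to reveal
    out, seen = [], 0
    for ch in pan:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def display_record(record: dict, role: str) -> dict:
    """Copy of a cardholder record with the PAN masked for the viewer."""
    shown = dict(record)
    if "pan" in shown:
        shown["pan"] = mask_pan(shown["pan"], role)
    return shown


@dataclass
class SanitizeResult:
    record: dict                         # safe to persist
    removed: list = field(default_factory=list)  # names of dropped SAD fields


def sanitize_for_storage(record: dict) -> SanitizeResult:
    """Drop SAD fields before a post-authorization record is persisted.

    Matching is case-insensitive.  Only the *names* of removed fields are
    returned, so the caller can write a security log entry without ever
    logging the sensitive values themselves.
    """
    clean, removed = {}, []
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            removed.append(key)
            continue
        clean[key] = value
    return SanitizeResult(clean, removed)


if __name__ == "__main__":
    # Constructed sample record; the card number is a well-known test value.
    txn = {"pan": "4111 1111 1111 1111", "CVV": "123",
           "track2": "constructed-track-data", "amount": "10.00"}
    safe = sanitize_for_storage(txn)
    print("persist:", safe.record, "| removed fields:", safe.removed)
    print("agent view:", display_record(safe.record, "agent")["pan"])
```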
Enforcement zone
All work areas of Sutherland Global Services locations
Enforcement responsibility
InfoSec
Table (wherever applicable)
A6.THIRD PARTY / SUPPLIER ACCESS POLICY
Objective
To safeguard Sutherland information assets, in any form, handled by Sutherland third parties against unauthorized disclosure, alteration or misuse by adopting industry best practices.
Policy
All suppliers, contractors and third parties shall maintain the physical, electronic and procedural safeguards required to comply with applicable Sutherland Information Security Policies, including applicable data protection and privacy laws.
Policy Statement
Organizational Security
Access should be given to third parties only on an “as needed” basis. Risks need to be considered for both:
a) Physical access (for example, to offices, computer rooms, computer equipment, filing cabinets);
b) Logical access (for example, to databases, information systems).
Reasons for Access
Sutherland departments managing third party access are responsible for justifying the access being requested. Where Sutherland has a business need to connect to a third party location, or a non-Sutherland party needs to connect to Sutherland to access secured information or services, a security risk assessment should be completed to identify security requirements and needed controls. The assessment should take into account the type of access required, the value of the information, the controls and security measures employed by the third party organization, and the implications of this access for the security of Sutherland.
On site Contractors
On site contractors may include:
a) Hardware and software maintenance and support;
b) Cleaning, catering, security guards and other outsourced support services;
c) Students, interns, and other casual short term appointments;
d) Consultants.
Third party contracts should reflect all security requirements resulting from third party access or internal controls; an example would be the use of a non-disclosure agreement/confidentiality agreement. Appropriate controls and a signed contract defining the terms for access or connections must be in place before a third party is granted access to information and / or information processing facilities.
Security Requirements in Third Party Contracts
Access to Sutherland information assets by third parties should be based on a signed, formal and valid contract containing, or referring to, all appropriate security requirements ensuring compliance with Sutherland’s security policies and standards.
The Sutherland business unit and the third party provider must implement the security controls as defined in the contract and agree to be audited regarding adherence to that contract. A signed non-disclosure, license, consulting, technology transfer, or other appropriate agreement or legal sanction must be in place to govern all Sutherland private information to be made available to a third party.
In all such cases, the local Legal Department assigned to the relevant Sutherland business unit should be consulted for instructions and guidance for marking or otherwise identifying the classified information to be transferred and for accomplishing the actual transfer of the information.
Enforcement zone
Refer table
Enforcement responsibility
Refer table
Applicable ISO clause
ISO 27001:2013 - A.15.1.1
Table
Policy Statement | Enforcement zone | Enforcement Responsibility
Organizational Security | All access to Network/Logical Resources | Systems/Network Administrator, Line of Business, Information Security Team and HR
Organizational Security | Physical Resources | Physical Security Personnel, Line of Business and HR
Reasons for Access | All access to Network/Logical Resources | Systems/Network Administrator, Physical Security Personnel, Line of Business, Information Security Team and HR
Reasons for Access | Physical Resources | Physical Security Personnel, Line of Business and HR
On site contractors | Network/Logical Resources | Systems/Network Administrator, Line of Business, Information Security Team and HR
On site contractors | Physical Resources | Physical Security Personnel, Line of Business and HR
Security Requirements in Third Party contracts | Third Party Contracts | Procurement/Contracting and Compliance Teams
B1.PHYSICAL SECURITY POLICY
Objective
To prevent unauthorized physical access, damage and or interference to the organization’s premises and information.
Policy
The physical infrastructure shall be protected from natural and human threats to the extent possible. The protection mechanisms shall adequately cover the facility, information resources and human life, and physical security systems shall be designed to provide adequate warning to relevant personnel. The policy provides guidance to prevent unauthorized entry to restricted work areas and to ensure the confidentiality, integrity and availability of information resources.
Policy statement
Perimeter and Building security
• Entry to the premises shall be controlled through badge, gates, security guard and access card.
• The perimeter of the building shall be patrolled by the security guards regularly in applicable locations.
• Uniformed security guards shall be stationed 24/7 at the entrance at applicable locations.
• The UPS / Diesel generator rooms and other sensitive areas shall be monitored by CCTV / security guards.
• Security guards will maintain a log of any significant events occurring during the day, and the same shall be reported to the Information Security team on a weekly basis.
• The roof is locked to prevent unauthorized entry of personnel through HVAC or other areas in applicable locations. The key to the top floor shall be maintained by the security guards and access shall be granted based on approval. A key register shall be maintained by the security guards and shall be reviewed by the Facilities Manager / Security Supervisor on a weekly basis.
• Vehicles entering Sutherland premises shall be checked for objectionable materials.
• No personal belongings shall be brought into the production area.
• Tailgating or piggybacking shall be prohibited (i.e. one person/vehicle following another closely through the door/gate, even though the person/vehicle does not have the necessary authorization).
Equipment and facility access
• Visitors shall be required to enter their details in the visitor logbook / register kept at the premises entrance. Details include name, time in, time out, and person to be seen, in order to gain entry to the Sutherland facility.
• Visitors shall be escorted to and from their destination by an employee.
• A laptop register shall be maintained at the entrance.
• A laptop pass shall be provided to the employees who have been assigned laptops.
• Employees need to display their laptop pass while entering the premises where government regulations apply.
• Canteen / pantry areas and reception areas are designated as general areas, program floors are designated as sensitive areas, and computer / server rooms / data centers are designated as highly restricted areas.
• If an employee does not bring the laptop pass, he/she will be requested to complete the declaration for electronic items.
• Items such as packages, briefcases, and tool boxes carried into or removed from a computing facility shall be inspected at applicable locations. If feasible, such items shall be retained at the premises entrance.
• Access to tape, disk, and documentation libraries shall be restricted exclusively to those employees whose responsibility is the maintenance of those libraries.
• Identification badges shall contain only photographs, badge numbers, and sufficient information to associate them with their owner.
• A manager shall notify the respective ER immediately when a person is no longer allowed access to the computer facility or when such action is impending.
• Laptops shall be secured in a safe place when not attended.
• Printers shall not be installed in the production area. If a printer is installed, the paper color shall be different.
• All employees are prohibited from bringing in and using personal electronic items such as, but not limited to, laptops, tablets, mobile phones, portable gaming consoles, portable media players, wearables (e.g. smartwatches, Google Glass) and the like while inside the Sutherland premises, except in common areas designated by the company.
• No photographs shall be taken of sensitive and highly restricted areas in the company premises using personal devices.
Electrical Consideration
• Uninterruptible power systems shall be installed in computer facilities that process critical data. Consideration of the use of uninterruptible power systems is especially important if the computer facility receives its electrical power from a single electrical power substation or if the electrical power is subject to high voltage spikes or other irregularities.
• Computing facilities shall be equipped with emergency lighting systems.
• The devices for controlling environmental threats are provided with UPS and DG power supply so that they remain functional during power outages. A register shall be maintained to note the number of hours that the UPS or DG set has been used.
Identity Cards
• Every employee in the company shall be provided with an identity card which has employee name, employee number and where applicable company name and blood group details
• An access card shall also be provided to the employee to access specific areas, depending on the job responsibilities.
• Every employee shall display his/her identity card on his/her person while in the office premises.
• Specific identity cards shall be provided to visitors, vendor team members, contractors etc. to identify them.
• An employee can question any employee not wearing an identity card in the office premises and report the same to the security guard for further action.
• Security guards shall be instructed to take appropriate action in case any individual is not wearing any type of card in the office premises.
• ID cards, which act as identification when shown to control staff and / or grant access to the company premises when used with access control systems, will be issued to employees and to employees of external companies working for the company by the offices authorized to issue them.
• Storage: The holder is solely responsible, both at work and at home, for keeping the ID in such a way as to minimize as far as possible the risk of theft or abuse by unauthorized individuals.
• Use: The ID card is intended exclusively for use by the holder and grants access solely to the holder. It is not transferable.
• Non-Sutherland staff access: If employees are allowed to provide non-company staff access with their own ID, the ID holder must be in no doubt that the non-company person is permitted to have access. An up-to-date list of vendor personnel shall be maintained by the relevant team. The cards issued to vendors shall be reviewed on a monthly basis.
• Reconciliation of the total number of cards with the number of cards issued to employees, vendors and visitors shall be carried out by the relevant team.
• Loss: The issuing office shall be informed without delay about the loss of an ID card. If, after receiving a new ID, the lost ID is found, it must be returned to the issuing office for destruction. The respective finance department shall be informed for recovery of the cost of the lost ID card as needed.
• Forgot to bring cards: If an employee has forgotten to bring the access card, a temporary pass to enter the premises will be provided. It does not include the electronic access card. The employee who forgot to bring the access card shall be escorted to the production floor by his / her supervisor.
• Non-employees (visitors, vendors, clients, etc.) shall not enter the company facility without undergoing the relevant checks. This can be done via technical systems (e.g. electronic access) or through personal checks (e.g. guards).
Access Doors
• All access doors to the Sutherland/ Network Room/ shall be locked using a card-key system for entry.
• During non-working hours, the Sutherland/ Network Room and Disaster Recovery areas shall be protected against intrusion with appropriate surveillance alarm systems or the use of security guards.
• Access to rest rooms, utility rooms, and other unmonitored rooms in the vicinity of the facility shall be restricted as necessary to protect the facility.
• Entry and exit doors shall have adequate locking devices. Special consideration shall be given to protecting doors that are obscured from view, such as parking lot exits or emergency doors
• Electronically controlled doors shall be able to receive power from the building emergency power circuit
• Wherever possible and practical, AntiPass technology to be used to restrict tailgating incidents
Backup Media Handling
• Backup media shall be stored in locked safes or locked rooms which are fireproof or have fire suppression
• Regular backups (at least once per month) shall be stored off site.
• Backups shall only be transported by secure methods.
Environmental Controls
• Adequate lighting shall be provided around the facility to monitor the movement of people and material.
• Temperature and Humidity: The datacenter temperature shall be maintained between 18 degrees Celsius and 23 degrees Celsius and the humidity shall be maintained between 45% and 50%. Temperature and humidity monitoring logs shall be maintained by the security guards and reviewed by admin on a weekly basis.
• Sunlight: The server room shall not be subjected to direct sunlight.
• Air-conditioning: The heating and cooling shall be serviced at regular intervals and the optimum temperature shall be maintained.
• CCTV
o Camera surveillance can be useful in the visual monitoring of a location. The CCTV recordings shall be retained for 30 days.
o Apart from the regular monitoring, the CCTV logs shall be reviewed on a regular basis.
o CCTV cameras shall be installed in strategic places, including the entry / exit of sensitive areas, to capture faces.
o The CCTV system shall synchronize its time with the Network Time Server settings.
o A manual methodology shall be followed in case NTP synchronization is not feasible.
• Eating, smoking and drinking shall be prohibited in the processing facility / sensitive areas.
• Regular housekeeping shall be carried out on the production floor and in the datacenter.
Courier/Posts
• A register of official couriers shall be maintained by the admin team.
• The receipt of a courier shall be signed by the receiver.
Fire alarm system
• The building shall have an adequate number of fire exits.
• Trash containers shall be properly covered and of metal construction.
• Audible fire enunciators (flashers, alarms) shall be located so that every office space can see and hear them.
• Emergency exit bars shall be fitted to fire exit doors wherever possible.
• Smoke detectors shall be installed in data centers.
Using Secure Storage
• Sensitive or valuable material and equipment must be stored securely and according to the classification status of the information being stored.
Other Media Handling
• All removable electronic devices (e.g. but not limited to floppy disks, HDDs and USB drives) shall only be used where absolutely necessary.
• All disks shall be classified and the classification level shall be written on the disks.
Fire Protection
• Fire detection and alarm system engineering and design shall be in accordance with all state and local building code regulations and shall be installed by someone duly licensed by the local government.
• A gas based suppression system shall be installed in the datacenter.
• Fire detection systems shall include ionization, smoke, and/or temperature sensors located under raised floors, in ceilings or dropped ceilings, in attic areas, and in air conditioning ducts.
• Fire detection systems shall have a battery powered backup. The battery shall be sufficiently large to maintain the fire detection system in full operation for a period of 4 hours in standby and five minutes in alarm.
Water Protection
• Adequate drainage shall be provided under raised floors. Water can collect in these areas from pipes that have burst in the ceiling or from any of the floors above.
• Plastic sheets that can be used to cover equipment, magnetic tape, and critical forms shall be used. Suppression of a fire on upper floors can result in water damage on lower floors.
Emergency plan
Emergency plans for the following need to be maintained:
• Bomb
• Fire
• Flood
• Earthquake
• Explosion
• Loss of utility service
• Civil disorder
• The emergency plan shall be tested on a yearly basis.
• A separate evacuation plan shall exist for physically challenged persons.
General Policies
• Personal belongings such as mobile phones (with or without camera), PDAs (personal digital assistants), pen drives, floppy disks, external hard disks, other removable media, still/movie cameras, MP3 players, iPods, etc. shall not be brought or allowed inside the program floor.
• Food or beverages are not allowed in the computer facility.
• Smoking is prohibited in all Sutherland facilities.
• Terminals, while unattended, shall be protected from unauthorized use. Terminal devices shall never be left logged on while unattended.
• Terminals shall be installed where they are not readily accessible to personnel not authorized to use them and shall be positioned in such a manner that minimizes
unauthorized viewing of the screen. Facing the screen away from doorways and windows will enhance visual protection.
• Protection of company assets at an alternate work site is just as important as it is at the employee's own worksite. At the alternate worksite, reasonable precautions shall be taken to protect company information, hardware and software from theft, damage or misuse.
Enforcement zone
All Sutherland Global Services location
Enforcement responsibility
Admin
Table
Policy Statement | Enforcement zone | Enforcement Responsibility
Equipment and facility access | All Secure Premises of Sutherland | Administrative Officer / Security Guard / User / Administrative / Facility Officer / Employees
Electrical Consideration | All Secure Premises of Sutherland | Administrative Officer
Access Doors | Sutherland / Network Room | Site leader / Administrative officer
Backup Media Handling | Sutherland / Network Room | Backup Administrator
Using Secure Storage | Sutherland / Network Room | Administrative Officer / Systems / Network
Other Media Handling | All Sutherland Computing Zones | Systems / Network Administrator
Fire Protection | Sutherland / Network Room | Administrative Officer
Water Protection | Sutherland / Network Room | Administrative Officer
General Policies | All program zones of Sutherland | Admin / Systems Administrator / Program managers / Floor managers
B2.PROCESSING INFORMATION & DOCUMENTS
Objective
To provide a high degree of access control and a range of privilege restrictions
Policy
The network must be designed and configured to deliver high performance and reliability to meet the needs of the business whilst providing a high degree of access control and a range of privilege restrictions.
System hardware, operating and application software, the networks and communication systems must all be adequately configured and safeguarded against both physical attack and unauthorized network intrusion.
Policy statement
Segregation of Duties
To work effectively and appropriately, conflicting activities shall not be assigned to the same team or individual. The Global Technology Infrastructure (GTI) team therefore comprises various teams, each of which works towards its own objective and focuses on an incident-free, uninterrupted network infrastructure. Some of the major teams under GTI are as follows.
• Network Engineering Team – Looks after implementing and proper working of the networks
• Global Network Operations Team (GNOC) – Monitoring and supporting the global network
• Server Team – Supporting the servers across various geos
• Deskside Team – Supporting desktops at locations across geos
• InfoSec Team – Supporting Information Security, risk and compliance activities across geos
• BCP Team – Supporting business continuity requirements across geos
• Global Service Desk (GSD) Team – Supporting helpdesk activities with phone / email / web across geos
• Global Software Infrastructure (GSI) Team – Supporting internal software requirements across geos
• IT Security Team – Supporting and managing antivirus and desktop patch management across geos
Systems Operations & Administration
• For authorized personnel, the appropriate data and information must be made available on a need to know basis; for all other persons, access to such data and information is prohibited, with appropriate technical controls required to supplement the enforcement of this policy.
• Wherever applicable, modifications to network configuration / server administrative changes shall be conducted using two factor authentication.
• System documentation is a requirement for all the organization’s information systems. Such documentation must be kept up-to-date and be available to the relevant teams.
• Error logs must be properly reviewed and managed by qualified staff.
• Operational audit logs are to be reviewed regularly by trained staff and discrepancies reported to the owner of the information system.
• Only qualified and authorized staff or approved third party technicians/engineers may repair information system hardware/software/configuration faults.
Backup Recovery & Archiving
• Information system owners shall ensure that adequate back up and system recovery procedures are in place.
• Information and data stored on Laptop or portable computers shall be backed up regularly. It is the responsibility of the user to ensure that this takes place on a regular basis. The backed up data shall also be periodically tested.
• Backup of the organization’s data files and the ability to recover such data is a top priority. Functional Owner is responsible for ensuring that the frequency of such backup operations and the procedures for recovery meet the needs of the business.
• The storage media used for the archiving of information shall be appropriate to its expected longevity. The format in which the data is stored shall be carefully considered, especially where proprietary formats are involved.
• The Functional Owner shall ensure that safeguards are in place to protect the integrity of data files during the recovery and restoration of data files, especially where such files may replace more recent files.
Document Handling
• Hard copies of sensitive or classified material shall be protected and handled according to the distribution and authorization levels specified for those documents.
• All employees shall be aware of the risk of breaching confidentiality associated with the photocopying (duplication) of sensitive documents. Authorization from the document owner shall be obtained where documents are classified as Confidential or above.
• All information used for, or by the organization, shall be filed appropriately and according to its classification.
• The designated owners of documents which contain sensitive information are responsible for ensuring that the measures taken to protect their confidentiality, integrity and availability, during and after transportation / transmission, are adequate and appropriate.
• All documents of a sensitive or confidential nature shall be shredded when no longer required. The document owner shall authorize or initiate this destruction.
Securing Data
• Persons responsible for Human Resources Management are to ensure that all employees are fully aware of their legal and corporate duties and responsibilities concerning the inappropriate sharing and releasing of information, both internally within the organization and to external parties.
• Information relating to the clients and third party contracts of the organization is confidential, and must be protected and safeguarded from unauthorized access and disclosure.
• Data classified as Confidential shall be protected against unauthorized or accidental changes, and may only be deleted with the proper authority.
• Information classified as Confidential shall never be sent to a network printer without there being an authorized person to retrieve it and hence safeguard its confidentiality during and after printing.
Other Information Handling & Processing
• Employees must enable screen savers with lock on the organization’s PCs, laptops and workstations; the lock shall be activated automatically whenever the workstation, laptop or PC is idle for 15 minutes.
• The use of photocopiers or duplicators for personal use is discouraged. In exceptional cases, specific permission may be given by the employee's immediate supervisor or manager.
• Sutherland expects all employees to operate a clear desk policy, i.e., a clear desktop / clear screen policy (no files, personal or official, to be stored on the system desktop). Having bags, paper, pens, any writing material, notepads, etc. in the vicinity of an employee’s desk on the production floor is prohibited.
• Employees traveling on business are responsible for the security of information in their custody.
• At the time that any employee, consultant or contractor terminates his/her relationship with the company, all company property shall be returned. This includes portable computers (and associated paraphernalia), books and manuals (and the like), keys, access cards, outstanding loans etc.
Software Maintenance & Upgrade
• Patches to resolve software bugs may only be applied where verified as necessary and with domain expert authorization. They must be from a reputable source and are to be thoroughly tested before use.
• The decision whether to upgrade software is only to be taken after consideration of the associated risks of the upgrade and weighing these against the anticipated benefits and necessity for such change.
• Necessary upgrades to the operating system of any of Sutherland’s computer systems must have the associated risks identified and be carefully planned, incorporating tested fallback procedures. All such upgrades shall be undertaken as a formal project.
• Operating Systems shall be regularly monitored and all required 'housekeeping' routines adhered to.
• Software faults are to be formally recorded and reported to those responsible for software support / maintenance.
• All departing individuals (employees and contractors) shall also inform company management of all the privileges they possess on the organization’s computer systems (granted as part of their job responsibility), as well as any other special privileges they have been granted.
Enforcement zone
Refer table
Enforcement responsibility
Refer table
Table
Policy Statement | Enforcement zone | Enforcement Responsibility
Systems Operations & Administration | All Computing Zones of Sutherland; Critical Computing / Network Equipment at Sutherland | Administrative Officer / Systems Administrator / Systems Manager; Sutherland Management / Systems Administrator / Systems Manager
Backup Recovery & Archiving | All Computing Zones of Sutherland; Sutherland / Network Room | Information Owner / Systems Administrator; Sutherland Management
Document Handling | Sutherland / Network Room; All Secure Premises of Sutherland | Administrative Officer / Sutherland Management / Sutherland Network Room Manager; Information Owner / User / Sutherland Management / Systems Manager
Securing Data | All Secure Premises of Sutherland | HR Manager / Sutherland Management; Information Owner / Systems Administrator; Administrative Officer / Network Room Manager
Other Information Handling & Processing | All servers / desktops / laptops of Sutherland; All Secure Premises of Sutherland; All secure data of Sutherland held by employees; All Sutherland facilities | User / System Administrator / System Managers; Sutherland Management; Administrative Officer
Software Maintenance & Upgrade | All operating systems, applications and other software used by Sutherland; All operating systems used by Sutherland; All Computing Zones of Sutherland | Domain expert / System Administrator; Systems Administrator / Systems Manager; Administrative Officer
B3.HELP DESK & RECEPTIONIST
Objective
To prevent the unauthorized or unintended disclosure of information, and the rendering of services that could be exploited to compromise the confidentiality, integrity and availability of Sutherland.
Policy
Help desk (Global Service Desk team (GSD)) personnel and Receptionist personnel shall give necessary services and disclose information only to eligible persons upon approval from an authorized person. The level of confidentiality shall be maintained as required.
Policy statement
Help Desk Procedures
• Help desk personnel must not divulge details or instructions regarding remote access, including external network access points or dial-up numbers, unless the requester has been verified as authorized to receive internal information and verified as authorized to connect to the corporate network as an external user.
• The password to a user account may be reset only at the request of the account holder and after verifying his/her credentials
• All requests to increase a user’s privileges or access rights shall be approved in writing by the account holder’s manager. When the change is made, a confirmation shall be sent to the requesting manager via intra-company mail.
• A request to create a new account for an employee, contractor or other authorized person shall be made either in writing and signed by the employee’s manager HR. These requests shall also be verified by sending a confirmation of the request through intra-company mail
• New passwords shall be handled as company confidential information, delivered by secure methods including in person or asking the employee to meet /call the Sutherland GSD
• Prior to disabling a user’s account, Sutherland GSD shall require positive verification that the request was made by authorized personnel.
• Personnel employed in Sutherland who have privileged accounts shall not execute any commands or run any application programs at the request of any unauthorized person
• No privileged account shall be created or system privileges granted to any account unless authorized by the System Administrator
• A request to reset a password to a privileged account shall be approved by the system manager or administrator responsible for the computer on which the account exists. The new password must be delivered in person or any other secure means.
• Guest accounts on any computer systems or related networked devices shall be disabled or removed
Receptionist
• Disclosure of information in the internal company directory shall be limited to employees of the company
• The receptionist shall not provide direct telephone numbers for the company help desk, computer operations or systems administrator personnel without verifying that the requester has a legitimate need to contact these groups. The receptionist, when transferring a call to these groups, must announce the caller’s name.
• The PC in the reception area shall be locked when not in use. The monitor screen shall not face the visitor, and the users of that PC shall not have administrator privileges. Each individual using that PC shall have a separate login ID
Enforcement zone
Refer table
Enforcement responsibility
Refer table
Applicable ISO clause
Table
Policy Statement | Enforcement zone | Enforcement Responsibility
Help Desk | All secure premises of Sutherland, Employees of Sutherland | Systems Administrator, Systems Manager
Receptionist | All secure premises of Sutherland | Security Officer / Sutherland Management
B4. INCIDENT RESPONSE POLICY
Objective
To define Sutherland’s responsibilities and requirements for dealing with security incidents. The goal is to establish a framework for the company to respond quickly, decisively and appropriately to limit the impact of an adverse event on company members and information resources. The policy is also intended to facilitate timely correction of any damage caused by an incident and to provide for effective investigation and follow-up actions.
Policy
Procedures will be established and widely communicated for the reporting of security incidents and suspected security weaknesses in the organization’s business operations and information processing systems. Mechanisms shall be in place to monitor and learn from those incidents.
Policy statement
• A Sutherland Incident Response Team (IRT) will be implemented. By approving this policy, the board grants the IRT authority to act and make decisions as necessary to appropriately respond to an incident.
• Sutherland IRT members have defined roles and responsibilities, which are outlined in the Incident Response Procedures. These responsibilities will take priority over normal duties in the event of a security incident.
• An event classification system, which defines incidents by their level of severity, will be used to manage the incident response process and provide guidance for escalation.
• Whenever a security incident of a physical or electronic nature is suspected or confirmed, all parties covered by this policy are expected to follow appropriate procedures and instructions given by the IRT.
• Sutherland shall adopt the six-phase approach for handling information security incidents:
o Communications
o Identification
o Containment
o Eradication
o Recovery
o Lessons learnt
Enforcement zone
All Secure Premises and network resources of Sutherland
Enforcement responsibility
VP - Information Security, IRT members
Table (wherever applicable)
B5. TERMINATION POLICY
Objective
To restrict any unauthorized access to, or use of, a terminated employee’s accounts (physical or logical), whether by the terminated employee or by any other person
Policy
All physical and logical access of an employee shall be revoked or disabled immediately once the employee is declared terminated by the Human Resources (HR) department.
Policy statement
Communication
• Within an hour of an employee being declared terminated, HR personnel / the HR system shall send an email communication (Termination Mail) to the Program/Department head of the terminated employee, the Admin department, the Access Card in-charge, the GTI facility in-charge, GSD, Finance and the InfoSec team
• The communication mail shall contain employee details such as Employee Name, Employee ID, Access Card #, NT ID, date and time of termination, and the ticket numbers raised for disabling the Access Card and NT IDs
• The reason for termination need not be communicated in this email; it shall be communicated separately to the concerned stakeholders, with InfoSec in the loop
Action
• Upon receipt of the termination mail from HR, the Access Card in-charge and GSD shall reply to the same mail confirming that the accounts have been disabled, within an hour of receipt of the communication from HR
• On disabling the NT account, the ticket details shall be recorded in Active Directory.
• Other than the Access Card in-charge and GSD, and without a properly approved ticket, no other person shall enable or activate the physical or logical access of a terminated employee
Recording and Follow-up
• HR personnel shall keep track of the termination mail and escalate to the GSD stakeholder and the Facility stakeholder if no action is taken within 2 hours of the termination communication being sent.
Enforcement zone
All Sutherland facilities
Enforcement responsibility
Human Resource
Table (wherever applicable)
B6. BUSINESS CONTINUITY POLICY
Objective
To handle any disruption in the services provided to Sutherland’s clients in a planned and systematic manner, ensuring continuity of operations.
Policy
To continue business operations during any event that affects normal business operations.
Policy statement
• Sutherland Management shall prepare, periodically update, and regularly test the Business Continuity Plan to allow all critical computer and communication systems to be available in the event of a major loss such as a flood, earthquake or tornado.
• In order to quickly re-establish the current computing environment following a disaster, BCP / GTI team shall prepare an annual inventory of production information systems. This inventory shall indicate all existing production hardware, software, and communications links.
• Specific and defined Sutherland teams shall be responsible for conducting business impact analysis.
• Sutherland Business and GTI teams shall agree on the support levels that will be provided in the event of a disaster and/or emergency. These levels must appear in continuity planning documents or client service agreements.
• The Sutherland Business Continuity Plan shall be kept current.
• Computer and communication systems (as part of the continuity plan) shall be tested at regular intervals to assure that they are still relevant and effective. Each such test must be followed by a brief report to top management detailing the results of the test and any remedial actions that will be taken.
• Sutherland shall test its program-level business continuity plan at least once a year
Enforcement zone
All Sutherland facilities
Enforcement responsibility
BCP Team Members
Table (wherever applicable)
C1. PASSWORD MANAGEMENT POLICY
Objective
To prevent unauthorized access to the Sutherland network
Policy
All users shall have a unique identifier (user ID) for their personal and sole use for access to all computing services. The user ID must not be used by anyone else and associated passwords shall not be shared with any other person for any reason
Password management procedures shall be put into place to ensure the implementation of the requirement of the Information Security Policy and to assist users in complying with best practice guidelines.
Access to the Sutherland Network and Shared Resources will be controlled by Passwords and user logon IDs which will be unique to each user.
Policy statement
1. Passwords shall consist of a minimum of eight characters and contain characters from at least three of the following four categories:
• Uppercase letters
• Lowercase letters
• Numbers
• Special characters
2. All non-trivial passwords used shall meet the following criteria:
• The password shall not be equal to the user ID.
• The password shall not be a dictionary word.
• The password shall be neither wholly nor predominantly composed of the user's ID, owner's name, birth date, PAN number, family member or pet names, names spelled backwards, or other personal information about the user. Passwords shall also not consist of any contractor name, division or branch name, name of any automobile or sports team, or repetitive or keyboard patterns (e.g., "abc#abc#", "1234", "qwer", "mnbvc", or "aaa#aaaa").
• The password shall not be a word found in a dictionary of any language, or a dictionary word with numbers appended or prepended to it.
• The password shall not be the name of a vendor product or a nickname for a product.
• The upper limit of the password length may vary depending on the application.
3. Passwords shall be reset and sent when a user forgets his or her password, when evidence exists that a password was compromised, or when management believes a password reset is in the best interests of system security. The process will ensure that the following is accomplished by the help desk prior to a password reset:
• Confirmation of the name, date of birth and address of the user needing the reset.
• Positive identification of the user ID owner.
• Assignment, at the user's request, of a new strong password.
• Ensuring that the user changes the password during first sign-on.
4. The process used by account management for generating and assigning the initial password for each user ID shall accomplish the following:
• Removal of all vendor-supplied passwords.
• Assignment of strong initial user passwords.
5. Each individual shall be held accountable for:
• Providing protection against loss or disclosure of passwords in his or her possession.
• All activity that occurs as a result of deliberately revealing his or her user ID and password.
6. Passwords shall be changed within 42 days. Most systems can enforce password change with an automatic expiration and prevent repeated or reused passwords.
7. Further, the last 24 passwords for the same user ID shall not be accepted/allowed.
8. User accounts shall be frozen after 5 failed logon attempts. All erroneous password entries will be recorded in an audit log for later inspection and action, as necessary.
9. Idle time-out will happen after 15 minutes of inactivity and require the password to be re-entered. Session time-out will happen after 30 minutes of inactivity and will require the password to be re-entered.
10. Successful logon shall display the disclaimer/banner with the details of the logged-in user, which shall include the last successful logon time of the same user.
11. NT logon IDs shall be disabled after 3 days of continuous inactivity.
12. Employees, consultants and contractors are prohibited from sharing passwords or log-in IDs or otherwise giving others access to any company system for which they are not the data stewards or system administrators with appropriate authority. Users are responsible for any activity conducted with their computer accounts and for the security of their passwords.
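The composition rules in items 1 and 2, the 24-password history in item 7 and the lockout threshold in item 8 can be checked mechanically at the point where a password is set. The following is an added example written for this page, not Sutherland's own tooling; the word list, the user IDs and the personal tokens are constructed samples, and the SHA-256 history digest is a simplification noted in the code.

```python
"""Checker for the password rules in policy statement items 1, 2, 7 and 8.
Example code added to this page, not Sutherland's own tooling; the word
list, user IDs and personal tokens below are constructed samples."""
import hashlib
import re
from collections import deque

MIN_LENGTH = 8
MIN_CATEGORIES = 3      # item 1: three of the four character classes
HISTORY_DEPTH = 24      # item 7: the last 24 passwords may not be reused
MAX_FAILED_LOGONS = 5   # item 8: freeze the account after 5 failed attempts

# Constructed stand-in for a real multi-language dictionary.
DICTIONARY = {"password", "welcome", "sutherland", "summer", "dragon"}

# Ordered runs used for the keyboard/alphabet sequence check.
ORDERED_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                "abcdefghijklmnopqrstuvwxyz"]


def _categories(pw):
    """Count how many of the four character categories appear."""
    return sum([any(c.isupper() for c in pw),
                any(c.islower() for c in pw),
                any(c.isdigit() for c in pw),
                any(not c.isalnum() for c in pw)])


def _is_sequence(pw):
    """Four or more consecutive characters from a keyboard row or the
    alphabet, in either direction (catches "1234", "qwer", "mnbvc")."""
    low = pw.lower()
    for run in ORDERED_RUNS:
        for seq in (run, run[::-1]):
            if any(seq[i:i + 4] in low for i in range(len(seq) - 3)):
                return True
    return False


def _is_repetitive(pw):
    """A character repeated three or more times in a row, or the whole
    password built from one unit repeated (catches "aaa#aaaa", "abc#abc#")."""
    if re.search(r"(.)\1\1", pw):
        return True
    for size in range(1, len(pw) // 2 + 1):
        if len(pw) % size == 0 and pw[:size] * (len(pw) // size) == pw:
            return True
    return False


def _dictionary_based(pw):
    """A dictionary word on its own or with digits appended/prepended."""
    core = re.sub(r"^\d+|\d+$", "", pw.lower())
    return pw.lower() in DICTIONARY or core in DICTIONARY


def check_password(pw, user_id, personal_tokens=()):
    """Return the list of violated rules; an empty list means the password
    is acceptable. personal_tokens holds items such as the owner's name,
    birth date or pet names, which are rejected forwards and backwards."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if _categories(pw) < MIN_CATEGORIES:
        problems.append("fewer than 3 of 4 character categories")
    if low == user_id.lower():
        problems.append("equal to the user ID")
    for token in (user_id, *personal_tokens):
        t = token.lower()
        if len(t) >= 3 and (t in low or t[::-1] in low):
            problems.append(f"contains personal information '{token}'")
            break
    if _dictionary_based(pw):
        problems.append("dictionary word (with or without digits)")
    if _is_sequence(pw) or _is_repetitive(pw):
        problems.append("repetitive or keyboard pattern")
    return problems


class PasswordHistory:
    """Item 7: reject any of the last 24 passwords for a user ID. Only
    digests are kept; salting with the user ID and using SHA-256 is a
    constructed simplification (a real store would use a slow password hash)."""

    def __init__(self, user_id):
        self.user_id = user_id
        self._digests = deque(maxlen=HISTORY_DEPTH)  # oldest entry drops off

    def _digest(self, pw):
        return hashlib.sha256(f"{self.user_id}:{pw}".encode()).hexdigest()

    def was_used(self, pw):
        return self._digest(pw) in self._digests

    def record(self, pw):
        self._digests.append(self._digest(pw))


class LogonCounter:
    """Item 8: the account is frozen once five logon attempts have failed."""

    def __init__(self):
        self.failed = 0
        self.frozen = False

    def attempt(self, success):
        self.failed = 0 if success else self.failed + 1
        self.frozen = self.frozen or self.failed >= MAX_FAILED_LOGONS
        return self.frozen


if __name__ == "__main__":
    for candidate in ("Welcome123", "Qwer!2345", "abc#abc#", "Tr0ub4dor&3x"):
        print(candidate, check_password(candidate, "jdoe") or "OK")
```

The sequence and repetition checks are deliberately broader than the examples quoted in item 2, since the policy names "repetitive or keyboard patterns" as a class; tune ORDERED_RUNS to the keyboard layouts in use.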
Enforcement zone
Refer table
Enforcement responsibility
Refer table
Table
Policy Statement | Enforcement zone | Enforcement Responsibility
1 | All access to the Network Resources from Trusted Domains | Network / Application Administrator
2 | All access to the Network Resources from Trusted Domains | User
3 | All access to the SGL Domain Computing Resources from Trusted Domains | Network / System / Application Administrator
4 | All access to the Network Resources from Trusted or Untrusted Domains | Network Administrator
5 | All Sutherland managed Network Applications and Appliances accessed from Trusted or Untrusted Domains | Network / System / Application Administrator
6 | All SGL Desktop Computing Resources accessed from Trusted Domains | Network / Application Administrator
7 | All SGL Computing systems including shared Applications accessed from Trusted or Untrusted Domains | Systems / Application Administrator
8 | All Network Resources including shared Applications accessed from Trusted or Untrusted Domains | Network / Systems / Application Administrator
C2. VIRTUAL PRIVATE NETWORK USAGE POLICY
Objective
To provide access control to the organization’s network through robust identification and authentication techniques.
• (Low - Medium) For all Virtual Private Connections over the Internet, Sutherland firewalls shall operate in the Trusted Link mode, encrypting VPN traffic but not requiring the use of firewall proxies for VPN traffic.
• (Medium - High) Virtual Private Networks between sites shall not use the Internet to carry time-critical traffic. Where the level of reliability typically provided by the Internet is not sufficient to guarantee the required level of service to users, other means of interconnection must be used.
• (High) When the Internet is used to provide Virtual Private Network connections between sites, means of rapidly providing backup connections shall be maintained to return service in the event of an Internet outage or denial of service.
• When creating Virtual Private Networks, ensure that the security policies in use at each site are equivalent. A VPN essentially creates one large network out of what were previously multiple independent networks. The security of the VPN will essentially fall to that of the lowest common denominator: if one LAN allows unprotected dial-up access, all resources on the VPN are potentially at risk.
• The establishment of Virtual Private Networks (VPNs) over the Internet between companies (clients) networks shall require written approval of the Sutherland manager. Adding networks to an existing VPN shall also require written approval of the Sutherland manager.
• A review and update of the security policies in use at each site to be connected to the VPN shall be performed before operation is authorized.
Trusted Links - The firewall (or similar device) shall encrypt all traffic destined for the remote host or network and decrypt all traffic it receives from it. Traffic flows freely between hosts in a Trusted VPN relationship, as if there were no firewalls in between. The traffic is effectively routed by the firewalls involved, bypassing the proxies and thus not requiring any authentication at the firewall itself. Any two hosts that are part of a VPN Trusted Link have full network connectivity between them and may communicate using any TCP/IP services that they support.
Private Links - The traffic shall be encrypted between the firewall and the remote host or network just as it is for the Trusted Link. However, traffic from remote hosts in a Private Link relationship shall not be freely routed, but must be proxied/screened by the firewall and connections authenticated there as dictated by the firewall's usual proxy access policies. This relationship provides authentication of the network source of the traffic and confidentiality for the data, but the two networks maintain distinct network security perimeters, and only services which the firewall is configured to proxy can be used through it.
Pass-through Links - Pass-through links are used to forward the encrypted traffic between hosts on opposite sides of the firewall that are members of their own VPN peer relationship. This allows a firewall situated between two other VPN peers to be configured to route that encrypted data across. The intermediate firewall does not decrypt this traffic, nor does it need to know the encryption key used; it merely needs to know the addresses of the hosts on both sides of the link so it knows to allow the encrypted packets to pass. This pass-through arrangement means that the intermediate firewall is simply used as a router for this type of traffic.
Policy
Remote access to the organization’s network and resources will only be permitted provided that authorized users are authenticated, data is encrypted across the network and privileges are restricted.
Policy Statement
1. All policies associated with the Remote Access Policies (where appropriate) shall be applicable to VPN in addition to these policies.
2. Company-defined VPN clients may only be used on the computing devices initiating the tunnel.
3. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Sutherland internal networks using their connectivity.
4. VPN users will be automatically disconnected from Sutherland’s network after thirty minutes of inactivity.
5. The VPN concentrator is limited to an absolute connection time of 24 hours (the user has to re-login to the network after 24 hours).
6. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped. (Split tunneling shall be disabled in the configuration.)
7. Only company-provided assets shall have the VPN clients and initiate the VPN tunnel to the company network.
8. VPN logs shall be periodically checked and verified by authorized personnel.
9. All tunnels shall be terminated before the Firewall and the Intrusion Detection/Protection system so that these devices are able to examine the decrypted data.
10. VPN device configurations shall be backed up and maintained in safe custody, with access provided only to authorized personnel.
11. Patches and upgrades shall be applied to the VPN device as defined and provisioned by the respective vendor.
Enforcement zone
Refer table
Enforcement responsibility
Refer table
Table
Policy Statement | Enforcement zone | Enforcement Responsibility
1 | Access to all secure and trusted zones of Sutherland | Network Manager
2 | Access to all secure and trusted zones of Sutherland | Network Manager
3 | Access to all secure and trusted zones of Sutherland | Users
4 | Access to all secure and trusted zones of Sutherland | Users
5 | Access to all secure and trusted zones of Sutherland | Network Manager
6 | Access to all secure and trusted zones of Sutherland | Network Manager
7 to 11 | Access to all secure and trusted zones of Sutherland | Network Manager
C3. INTERNET FIREWALL POLICY
Objective
The network must be segregated into separate logical domains with routing and access controls operating between the domains. Appropriately configured firewalls shall be used to protect the networks supporting the organization’s business systems.
A firewall is a safeguard one can use to control access between a trusted network and a less trusted one. A firewall serves as the gatekeeper between the Un-trusted Internet and the more trusted internal networks.
The main function of a firewall is to centralize access control. If outsiders or remote users can access the internal networks without going through the firewall, its effectiveness is diluted.
The policy statements here address various key firewall considerations. Some statements are specific to the firewall type; the rest are generic and apply to all types of firewalls.
Policy
A firewall will be used to secure the Sutherland network from the Internet, and Sutherland will follow best practices for firewall hardening
Policy statement
Application Gateways
• Security Administrator shall ensure that application level firewalls are configured such that outbound network traffic appears as if the traffic had originated from the firewall (i.e. only the firewall is visible to outside networks).
• Security Administrator shall ensure that direct access to network services on the internal network is not allowed. All incoming requests for different network services such as Telnet, FTP, HTTP etc., regardless of which host on the internal network shall be the final destination, must go through the appropriate proxy on the firewall.
Firewall Architecture
• Security / Network Administrator shall ensure that routing by the firewall is disabled for a dual-homed firewall so that IP packets are not directly routed from one network to the other.
• Security / Network Administrator shall ensure that a screened subnet is deployed by adding a perimeter network in order to separate the internal network from the external. This assures that if there is a successful attack on the bastion host, the attacker is restricted to the perimeter network by the screening router that is connected between the internal and perimeter networks.
• For any systems hosting Sutherland critical applications, or providing access to sensitive or confidential information, Security / Network Administrator shall ensure that internal firewalls or filtering Routers are used to provide strong access control and support for auditing and logging. These controls shall be used to segment the internal network to support the access policies developed by the designated owners of information.
Firewall Administration
• Two firewall administrators (one primary and one secondary) shall be designated by the Head of GTI (or other manager) and shall be responsible for the upkeep of the firewall.
• The primary administrator shall make changes to the firewall, and the secondary shall only do so in the absence of the former, so that there is no simultaneous or contradictory access to the firewall.
• Each firewall administrator shall provide their home phone number, cellular phone number and other numbers or codes at which they can be contacted when support is required.
• An individual who is assigned the task of firewall administration shall have good hands-on experience with networking concepts, design, and implementation so that the firewall is configured correctly and administered properly. Firewall administrators shall receive periodic training on the firewalls in use and in network security principles and practices.
• Head of GTI/Sutherland Management shall ensure that firewall administration is performed via two-factor authentication. Access shall be limited only to firewall administrator and backup administrators. Only the firewall administrator and backup administrators shall be given user accounts on Sutherland firewall. Any modification of the firewall system software shall be done by the firewall administrator or backup administrator and requires approval of the Network Services Manager
• The firewall (system software, configuration data, database files, etc.) shall be backed up regularly and after every change, so that in case of system failure, data and configuration files can be recovered. Backup files shall be stored securely on read-only media so that data in storage is not overwritten inadvertently, and locked up so that the media is only accessible to the appropriate personnel
Physical Security of Firewall
• Sutherland management shall ensure that the Sutherland firewall is located in a controlled environment, with access limited to the Chief Security Officer, the firewall administrator, and the backup firewall administrator.
• Head of GTI / Sutherland Management shall ensure that the room in which the firewall is physically located is equipped with heat, air-conditioning, and smoke alarms to assure the proper working order of the room. The placement and recharge status of the fire extinguishers shall be checked on a regular basis. If uninterruptible power is available to any Internet-connected systems, it shall be provided to the firewall as well.
Incident Handling
• Network Manager shall ensure that the firewall is configured to log all reports on a daily, weekly and monthly basis so that the network activity can be analyzed when needed.
• Network Manager shall ensure that firewall logs are examined on a bi-weekly basis to determine if attacks have been detected.
• The firewall administrator shall be notified at any time of any security alarm by email, mobile or other means so that he may immediately respond to such alarm.
Service Restoration
• In case of a firewall break-in, the administrator(s) are responsible for reconfiguring the firewall to address any vulnerabilities that were exploited. The firewall shall be restored to the state it was before the break-in so that the network is not left wide open. While the restoration is going on, the backup firewall shall be deployed.
Firewall Upgrades
• The firewall administrator shall evaluate each new release of the firewall software to determine if an upgrade is required. All security patches recommended by the firewall vendor shall be implemented within 24 hours of the Change Management Request.
• Hardware and software components shall be obtained from a list of vendor-recommended sources. Any firewall-specific upgrades shall be obtained from the vendor. The use of virus-checked CDROM or FTP to a vendor's site shall be an appropriate method.
• The administrator(s) shall monitor the vendor's firewall mailing list or maintain some other form of contact with the vendor to be aware of all required upgrades. Before an upgrade of any firewall component, the firewall administrator shall verify with the vendor that the upgrade is required. After any upgrade the firewall shall be tested to verify proper operation prior to going operational.
Configuration
• Network Manager shall ensure that firewalls fail to a configuration that denies all services, and require a firewall administrator to re-enable services after a failure.
• Network admin shall ensure that source routing is disabled on all firewalls and external routers
• Network admin shall ensure that the firewall does not accept traffic on its external interfaces that appears to be coming from internal network addresses
• Network admin shall ensure that the firewall provides detailed audit logs of all sessions so that these logs can be reviewed for any anomalies
• Network admin shall ensure that secure media is used to store log reports, such that access to this media is restricted to authorized personnel only
• Network admin shall ensure that the firewall is configured to implement transparency for all outbound services. Unless approved by the Head of GTI, all inbound services shall be intercepted and processed by the firewall
• Network admin shall ensure that the firewall is configured to deny all services not expressly permitted, and is regularly audited and monitored to detect intrusions or misuse.
Services Policies
No. | Service | Policy Statement
1 | FTP | FTP access from internal networks to external networks shall be denied by default unless there is a documented and approved business justification. FTP access from external to internal shall be through DMZ hosts only, with strong authentication and a chroot environment for named accounts. In all cases anonymous FTP is proscribed. In all appropriate data transfer cases SFTP is preferred.
2 | Telnet | Telnet, being an insecure protocol, is proscribed.
3 | Rlogin | Rservices are inherently insecure and are proscribed in all cases. There is never any justification for their use.
4 | UNIX Rservices | All WWW servers intended for access by external users shall be hosted outside the Sutherland firewall. No inbound HTTP shall be allowed through the Sutherland firewall unless stated.
5 | SSL | Secure Sockets Layer sessions using client-side certificates shall be required when SSL sessions are to be passed through the Sutherland firewall. All SSL-enabled services shall be configured to use TLS 1.1 or 1.2 or better.
6 | POP3 | Currently there is no business requirement for the use of POP3, as there are no users that access their mail from the outside.
7 | NNTP | No external access shall be allowed to the NNTP server.
8 | Real Audio | There is currently no business requirement for supporting streaming audio sessions through the Sutherland firewall. Any business unit requiring such support shall contact the Chief Security Officer for authorization of this service.
9 | finger | Finger, being an insecure protocol, is proscribed. There is never any justification for finger services.
10 | gopher | There is no business justification for gopher services.
11 | whois | The use of whois services is limited to authorized members of the Sutherland network and systems teams (GTI) for diagnostic purposes. Unless business justification exists, the use of whois shall not be allowed.
12 | SQL, Oracle, MySQL or any RDBMS | Where a Sutherland user wishes to access any database, access shall never be provided from the outside; databases shall never be permitted to be accessed from the external untrusted network.
13 | Other, such as NFS | Access to any other service not mentioned above shall be denied in both directions, so that only the Internet services we need and know about are allowed and all others are denied.
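The configuration rules above (default deny, no source routing, rejection of internal source addresses on the external interface) and the per-service table can be expressed as one decision function and run over session records, which is the shape of the bi-weekly log review the Incident Handling section calls for. The following is an added example for this page, not Sutherland's firewall configuration: the address plan, the authorized whois hosts, the approved outbound FTP host and the key=value log format are all constructed, and the TLS version requirement in row 5 is not modelled because a session record does not carry it.

```python
"""Policy-as-code for the C3 configuration and service rules.
Example code added to this page, not Sutherland's firewall configuration;
addresses, host lists and the log format are constructed."""
import ipaddress

# Constructed address plan.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DMZ_NETS = [ipaddress.ip_network("192.0.2.0/24")]
GTI_DIAG_HOSTS = {ipaddress.ip_address("10.20.0.5")}        # row 11: whois allowed
APPROVED_OUTBOUND_FTP = {ipaddress.ip_address("10.30.0.7")}  # row 1: documented justification

PORTS = {21: "ftp", 23: "telnet", 43: "whois", 70: "gopher", 79: "finger",
         80: "http", 110: "pop3", 119: "nntp", 443: "ssl", 512: "rexec",
         513: "rlogin", 514: "rsh", 1433: "mssql", 1521: "oracle",
         2049: "nfs", 3306: "mysql", 7070: "realaudio"}
PROSCRIBED = {"telnet", "rexec", "rlogin", "rsh", "finger", "gopher",
              "pop3", "realaudio", "nfs"}
RDBMS = {"mssql", "oracle", "mysql"}


def _in(addr, nets):
    return any(addr in net for net in nets)


def decide(rec):
    """Verdict and reason for one session. The order mirrors the policy:
    anti-spoofing and source-routing checks first, then the per-service
    rows, then the default deny for anything not expressly permitted."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    inbound = rec["iface"] == "ext"          # arrived on the external interface
    if inbound and _in(src, INTERNAL_NETS):
        return "deny", "internal source address on external interface"
    if rec.get("source_routed"):
        return "deny", "source-routed packet"
    svc = PORTS.get(rec["dport"], "other")
    if svc in PROSCRIBED:
        return "deny", f"{svc} is proscribed"
    if svc == "ftp" and not inbound:
        if src in APPROVED_OUTBOUND_FTP:
            return "allow", "outbound ftp with approved justification"
        return "deny", "outbound ftp denied by default"
    if svc == "ftp" and inbound:
        if _in(dst, DMZ_NETS):
            return "allow", "inbound ftp to DMZ host"
        return "deny", "inbound ftp only to DMZ hosts"
    if svc == "http":
        return ("deny", "no inbound http") if inbound else ("allow", "outbound http")
    if svc == "ssl":
        if inbound and not rec.get("client_cert"):
            return "deny", "inbound ssl requires a client certificate"
        return "allow", "ssl session"
    if svc == "nntp" and inbound:
        return "deny", "no external access to nntp"
    if svc == "whois" and not inbound and src in GTI_DIAG_HOSTS:
        return "allow", "whois from authorized GTI host"
    if svc in RDBMS and inbound:
        return "deny", "no database access from untrusted networks"
    return "deny", "not expressly permitted (default deny)"


def parse_record(line):
    """Parse one key=value session line of the constructed log format."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["dport"] = int(rec["dport"])
    rec["source_routed"] = rec.get("srcrt") == "1"
    rec["client_cert"] = rec.get("ccert") == "1"
    return rec


def review_log(lines):
    """Apply the policy to each line; returns [(line, verdict, reason)]."""
    return [(ln, *decide(parse_record(ln))) for ln in lines]


SAMPLE_LOG = [  # constructed sample session records
    "iface=ext src=198.51.100.9 dst=192.0.2.10 dport=21",
    "iface=ext src=10.1.1.1 dst=192.0.2.10 dport=443",
    "iface=int src=10.20.0.5 dst=198.51.100.20 dport=43",
    "iface=int src=10.1.5.5 dst=198.51.100.20 dport=23",
    "iface=ext src=198.51.100.9 dst=192.0.2.10 dport=443 ccert=1",
    "iface=ext src=198.51.100.9 dst=10.1.2.3 dport=1433",
    "iface=int src=10.1.5.5 dst=198.51.100.20 dport=8080",
]


def denied_reasons(lines=SAMPLE_LOG):
    """Reasons for every denied session, in log order, for the review."""
    return [reason for _, verdict, reason in review_log(lines) if verdict == "deny"]


if __name__ == "__main__":
    for line, verdict, reason in review_log(SAMPLE_LOG):
        print(f"{verdict:5} {reason:48} {line}")
```

Sessions that fall through every row end in the default deny, which is what rows 13 and the Configuration section require; a record that is allowed only by the final line of a rule chain is the one worth a second look during the review.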
Enforcement zone
All perimeter Security Equipment in the Sutherland Network Room
Enforcement responsibility
GTI
C4. SOFTWARE CONTROL POLICY
Objective
To ensure that Sutherland employees do not load or install unapproved software onto the organization’s PCs, laptops and workstations.
All Systems operations are subject to risk of introducing viruses, damaging the configuration of the computer, or violating software-licensing agreements.
Organizations need to protect themselves with different levels of mechanisms depending on their sensitivity to these risks. This policy will provide Sutherland with procedures to address several different security challenges such as virus and Trojan horse prevention, detection and removal, controlling interactive software (Java, ActiveX) and software licensing.
Each challenge can be categorized according to the following criteria:
Control: who initiates the activity, and how easily it can be determined that software has been imported
Threat type: executable program, macro, applet, violation of licensing agreement
Cleansing action: scanning, refusal of service, control of permissions, auditing, deletion
When importing software onto a computer one runs the risk of getting additional or different functionality than one bargained for. The importation may occur as a direct action, or as a hidden side-effect which is not readily visible.
Examples of direct action are:
File Transfer: utilizing FTP to transfer a file to a computer
Reading E-mail: causing a message which has been transferred to a computer to be read, or using a tool (e.g., Word) to read an attachment
Downloading software, from a floppy disk or over the network can spawn indirect action. Some hidden side- effect examples include reading a Web page which downloads a Java applet to your computer executing an application such as Microsoft Word, and opening a file infected with a Word Macro Virus. Viruses imported on floppy disks or infected vendor media will continue to be a major threat. This section address the same. The security service policy for viruses has three aspects:
Prevention: policies which prevent the introduction of viruses into a computing environment
Detection: determination that an executable, boot record, or data file is contaminated with a virus
Removal: deletion of the virus from the infected computing system; this may require reinstallation of the OS from the ground up, deleting files, or deleting the virus from an infected file
There are various factors that are important in determining the level of security concern for virus infection of a computer. Viruses are most prevalent on and can affect operating systems like DOS, Windows and even UNIX and LINUX.
Computers whose configuration changes as a result of exposure to the Internet, exposure to mail, or receipt of files from external sources are more at risk of contamination.
The greater the value of the computer or the data on it, the greater the concern shall be for ensuring that a virus policy as well as implementation procedures are in place. The cost of removal of the virus from the computing environment must be considered within your organization as well as for customers you may have infected. Cost may not always be identified as monetary; company reputation and other considerations are just as important.
Policy
Other than as authorized and approved by Sutherland, the download, installation and usage of any kind of software, including freeware, shareware and trial versions, on the Sutherland network is proscribed, and Sutherland shall take appropriate measures to protect the Sutherland network from risks arising from viruses, Trojans and other malicious content.
Policy statement
• Local desktop team shall ensure that only required software and applications are installed on the workstations / laptops before handing them over for usage
• A list of approved software and applications shall be maintained for each program
• Workstations / laptops shall be configured to pick up updated applicable software and application patches from centralized repository at fixed intervals and whenever they are pushed
• IT Security team shall be responsible for maintaining antivirus software in Sutherland
• Local desktop team shall ensure that the appropriate version of enterprise class antivirus is installed on the workstations / laptops before handing them over for usage
• Any software or data imported onto a computer (from floppy disk, e-mail, or file transfer) shall be scanned by Antivirus before being used.
• Workstations / laptops shall be configured to pick up updated antivirus signatures from centralized repository in fixed intervals and whenever they are pushed
• Antivirus software shall scan on access, whenever any file is accessed
• User shall not have any administrative rights on their workstations / laptops
• User shall not have rights to interrupt any virus scan in progress
• Only relevant team members can install the required software / application on user workstations / laptops after formal approval is in place
• Users shall inform the Global Service Desk (GSD) of any different or out of the ordinary system behavior
• User / Desktop Team / Server Team shall ensure that a workstation / laptop / server that is infected or thought to be infected is immediately disconnected from the network to reduce the risk of spreading a virus.
• Virus scanning logs shall be recorded, reported and examined by appropriate teams
• Users shall inform GSD of any virus that is detected, configuration change or different behavior of a computer or applications.
• IT Security team shall ensure that all incoming and outgoing mail and files are scanned for viruses. Virus checking will be performed, where applicable, at the firewalls that control access to networks. This allows centralized virus scanning for the entire organization and reduces overhead by scanning incoming messages that have multiple destinations once. It also allows for centralized administration of the virus scanning software, limiting the locations on which the latest virus scanning software needs to be maintained.
• Virus scanning results shall be logged, automatically collected, and audited by the system administration staff.
• Sutherland shall install legal software procured via official channels and an inventory shall be maintained for correct representation of the software assets procured and installed in the organization
• Employees must not acquire, possess, trade or use hardware or software tools that could be employed to evaluate, circumvent or compromise the information security systems or assets of the Organization or any External Organization
• Only software approved by Sutherland and Sutherland’s customers shall be installed.
• Freeware / shareware software shall not be installed on Sutherland systems
• If freeware / shareware is required to be installed, its End User License Agreement (EULA) shall be reviewed by the Sutherland Legal team; after their approval and the InfoSec team’s Risk Assessment, a decision shall be taken about the installation
• If there is any requirement for downloading freeware / shareware software, the Sutherland Legal team shall be involved to review the End User License Agreement (EULA), and a decision can be taken based on their recommendation
• InfoSec team will conduct a Risk Assessment on concerned freeware / shareware software post go ahead from Legal and once it is accepted by Business / Service Delivery Head, procurement and installation of the same shall be worked out
• Any software that is not approved by InfoSec shall not be used
• Violation of this policy may result in disciplinary action.
• Sutherland allows the reproduction of copyrighted material only to the extent legally considered “fair use” or with the permission of the author/publisher
• Sutherland Management shall hold the right to deal with any disagreement and non-cooperation in this regard. Failure to follow these policies may result in appropriate action according to company standards.
Enforcement zone
All servers, desktops and laptops in the trusted domain; the trusted and untrusted domain boundaries and any transit points between them within the Sutherland / Network Room; all servers, desktops and laptops in the Sutherland / Network Room
Enforcement responsibility
User / Server team / IT Security Team
C5. REMOTE ACCESS POLICIES
Objective
To enable smooth operations, Sutherland has provided Remote Access to the Sutherland network from external networks for a few limited Sutherland employees. Connecting to the internal network through the Internet can be exploited in many ways if not properly secured. Strict security measures shall be implemented and practiced to safeguard Sutherland from risks arising from remote access vulnerabilities
Policy
Remote access to the Sutherland network shall be controlled and Sutherland will take all appropriate steps to safeguard the Sutherland network from risks arising from remote access vulnerabilities
Policy statement
• Remote access controls shall be provided with sufficient safeguards through robust identification, authentication and encryption of the traffic
• Secure remote access must be strictly controlled
• Control will be enforced via two-factor authentication with 256-bit AES (Advanced Encryption Standard) / 3DES (Triple Data Encryption Standard) encryption
• The sole use of user-id and password may prove ineffective in some cases and hence another component shall be used
• Remote access users shall be provided with pre-defined restricted access for the purposes of their access
• Wireless traffic must be encrypted in accordance with acceptable encryption standards.
• All wireless LAN access must use corporate-approved vendor products and security configurations.
• Wireless networks will be segmented and treated as a “foreign/untrusted network” from a security standpoint. A firewall, router/switch VLAN technology, or similar technology will be employed to provide this segmentation.
• All wireless implementations shall be restricted by MAC address.
• The SSID shall be configured so that it does not contain any identifying information about the organization, such as the company name, division title, employee name, or product identifier.
• Third party remote access will be provided only if the risk of information access is minimal. The access shall be subject to InfoSec approval.
• Third parties who have been provided with remote access shall sign an appropriately defined agreement with the company to provide for confidentiality of all information accessed by them and maintaining the integrity of such information as accessed by them
• During remote access only the required client resources alone would be given access
• The information provided as part of the dial-in numbers and dial-in access methods / manuals is considered confidential information of the company and shall not be revealed to any person or persons other than those that are provided with such facility
• The phone lines through which such remote access is provided shall be scanned periodically and a report shall be provided
• Remote access devices receiving incoming calls shall not be connected to Servers or any storage device
• Logs generated by remote access shall be monitored periodically and appropriate action be taken
Enforcement zone
Access to all secure and trusted zones of Sutherland
Enforcement responsibility
Systems Manager and Systems Administrator
C6. BACKUP AND RESTORATION POLICIES
Objective
To maintain the integrity and availability of information and information processing facilities, back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup policy.
Machines or systems are vulnerable to failure at any moment, irrespective of the security level or maintenance provided, which can lead to the compromise of Confidentiality, Integrity or Availability. Data residing in a system is also vulnerable to loss, despite the best security features provided, through system crashes, hard disk failure, virus attacks, etc. Organizations must have planned backup procedures to overcome such situations, restore the lost data and continue the business.
Policy
Critical data residing in Sutherland network shall be backed-up regularly and those backups shall be protected appropriately and adequately.
Policy statement
• Backup and restoration of the Organization’s data forms a critical part of the Organization’s activities and is one of the top priorities. The Organization is responsible for determining and defining the frequency of such backup and recovery operations, as well as for testing the data and the media involved as per the needs of the business
• Information owners shall ensure that there are sufficient information backup and system recovery procedures
• Information stored on portable or laptop computers shall be backed up periodically and with a defined schedule. It is the responsibility of the user to ensure that this happens
• The storage media used for the archiving of the data must be considered for its appropriate longevity, scalability and investment protection. Special consideration must be given where data is stored in any proprietary form
• Backup storage shall be on media in Sutherland premises or Co-locations or Sutherland contracted service providers who may provide the services in the cloud infrastructure
• Data archiving shall meet any business and legal or regulatory requirements as acceptable by the Organization
• Organization shall take steps to ensure that the integrity of data is adequately protected when attempting recovery and restoration operations. Special consideration shall be given when the recovery operations replace existing and more recent files
• Adequate capacity planning for all backed up and restored data shall be considered before such is accomplished
• Backup periodicity shall be as follows:
a. Daily – Incremental
b. Weekly – Full
c. Monthly – Full
• Backup media recycling shall be based on the following cycle:
a. Each day, the previous week’s same-day tape is to be used
b. Each month, the previous year’s same-month tape is to be used
• Adequate protection shall be considered when storing and transporting backup data
• Backup media shall be checked by performing at least one test case for restoration
• Per PCI guidelines, data / logs on PCI specific servers shall be stored 3 months on the servers and on backup media for a year
Enforcement zone
Refer table 7
Enforcement responsibility
Refer table 7
Table 7
Policy Statement | Enforcement zone | Enforcement Responsibility
1. | All trusted zones of Sutherland | System Administrator / Network Administrator
2. | All trusted zones of Sutherland | System Administrator
3. | All trusted zones of Sutherland | System Administrator
4. | All trusted zones of Sutherland | System Administrator / Network Administrator
5. | All trusted zones of Sutherland | System Administrator / Network Administrator
6. | All trusted zones of Sutherland | System Administrator / Network Administrator
7. | All trusted zones of Sutherland | System Administrator / Network Administrator
8. | All trusted zones of Sutherland | System Administrator / Network Administrator
9. | All trusted zones of Sutherland | System Administrator / Network Administrator
C7. SECURE DATA TRANSFER POLICY
Objective
To ensure that client and/or customer data is transferred in a safe and secure manner consistent with the Sutherland Global Services Information Sensitivity policy.
Policy
Data of any sort that could potentially contain private, confidential or proprietary information shall only be transmitted by the following methods.
• SFTP
• FTP with data pre-encrypted before transmission
• Encrypted and signed email with an acceptable standards compliant client.
Data that does not contain information as defined above may be placed on a dedicated FTP server. Access shall be allowed only to a dedicated directory and any subdirectories within it, with a dedicated login for the client/program. This is commonly known as a “chroot” environment.
Policy statement
• Data that will be transferred on an ad-hoc basis shall be placed on an SFTP only server with a dedicated login for the client/program
• Generic login id shall not be provided
• Access shall be allowed only to a dedicated directory and any subdirectories
• SFTP server shall not be used as a storage repository
• Sensitive or confidential data that can only be sent via email shall be encrypted and signed with a dedicated OpenPGP compliant key as per the Sutherland Acceptable Encryption Policy. The user is required to provide a copy of this key to GTI for backup purposes.
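The dedicated-login, dedicated-directory ("chroot") SFTP arrangement above can be verified against the server configuration. The following audit check is an added example, not part of this policy or of Sutherland's tooling; it assumes OpenSSH sshd_config syntax (Match blocks, ChrootDirectory, ForceCommand internal-sftp), the required directive values are this example's assumptions, and both configuration excerpts are constructed.

```python
"""Audit check for chroot-confined, SFTP-only client logins in an OpenSSH
sshd_config. Added example; assumes OpenSSH directive syntax."""

# Directives a dedicated SFTP-only login should carry inside its Match block.
# The values are this example's assumptions: the policy itself asks only for a
# dedicated login confined to its own directory ("chroot").
REQUIRED = {
    "chrootdirectory": None,           # must be present; value checked below
    "forcecommand": "internal-sftp",   # SFTP subsystem only, never a shell
    "allowtcpforwarding": "no",        # no port forwarding out of the jail
    "x11forwarding": "no",
    "permittunnel": "no",
}


def parse_match_blocks(config_text):
    """Return {match criteria: {directive (lowercased): value}} per Match block.

    Directives before the first Match are global and ignored here; comments
    are stripped; keyword matching is case-insensitive as in sshd itself.
    """
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = value
            blocks[current] = {}
        elif current is not None:
            blocks[current][key] = value
    return blocks


def audit_sftp_block(config_text, group):
    """Return a list of findings for the Match block governing `group`.

    An empty list means the group's logins are confined as the policy requires.
    """
    blocks = parse_match_blocks(config_text)
    block = blocks.get("Group " + group)
    if block is None:
        return ["no 'Match Group %s' block: logins are not confined" % group]
    findings = []
    for directive, expected in REQUIRED.items():
        actual = block.get(directive)
        if actual is None:
            findings.append(directive + " missing")
        elif expected is not None and actual.lower() != expected:
            findings.append("%s is '%s', expected '%s'"
                            % (directive, actual, expected))
    # One directory per login: OpenSSH expands %u to the user name and %h to
    # the home directory. A single shared path lets clients see each other's data.
    chroot = block.get("chrootdirectory", "")
    if chroot and "%u" not in chroot and "%h" not in chroot:
        findings.append("chrootdirectory '%s' is shared, not per-login" % chroot)
    return findings


# Constructed sshd_config excerpts. OpenSSH additionally requires the
# ChrootDirectory itself to be root-owned and not writable by others; that is
# a filesystem check outside this configuration audit.
COMPLIANT_CONFIG = """
Subsystem sftp internal-sftp
PasswordAuthentication no

Match Group sftp-clients
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
"""

WEAK_CONFIG = """
Subsystem sftp /usr/lib/openssh/sftp-server

Match Group sftp-clients
    ChrootDirectory /srv/sftp      # one shared jail for every client
    AllowTcpForwarding yes
    X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_sftp_block(cfg, "sftp-clients") or ["ok"])
```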
Enforcement zone
Enforcement responsibility
C8. ACCEPTABLE ENCRYPTION POLICY
Objective
The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.
Policy
Sutherland data shall be adequately secured and protected from unauthorized disclosure and alteration
Policy statement
Algorithms
• Proven, standard, open and peer reviewed algorithms such as AES, Blowfish, RSA, RC5 and IDEA shall be used as the basis for encryption technologies.
• Symmetric cryptosystem key lengths shall be at least 128 bits.
• Asymmetric cryptosystem keys shall be of a length that yields adequate strength.
• Sutherland Global Services’ key length requirements shall be reviewed annually and upgraded as technology allows
• Sutherland shall use 256-bit AES / 3DES encryption mechanism for voice and data where applicable.
Proprietary encryption algorithms
• The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by GTI.
• Be aware that the export of encryption technologies is restricted by the U.S. Government.
• Residents of countries other than the United States shall make themselves aware of the encryption technology laws of the country in which they reside.
Enforcement zone
All users with access to Sutherland's corporate network.
Enforcement responsibility
C9. LAPTOP POLICY
Objective
To safeguard the laptop, and the data residing in the laptop and Sutherland network
Policy
All laptops issued by Sutherland are used within the acceptable usage policy of Sutherland and they are adequately safeguarded from unauthorized access, use, physical damage or other activities which could affect the Confidentiality, Integrity and Availability of data residing in the laptop or in the Sutherland network. Bringing personal laptops (not Sutherland provided) inside Sutherland premises is prohibited for employees.
Policy statement
User shall ensure that laptop:
• Is intended for official purposes only. Limited personal usage of laptop is permissible so long as it does not affect Sutherland business.
• Is not shared with any other person without proper approval and without business reasons
• Is adequately protected from dust, liquid, excessive heat, radiation or any other external factors which could affect or damage the laptop or data residing in it
Users shall ensure that
• No critical business information is stored in the local hard disk of laptops unless otherwise it is specifically required by the business and the hard disk is encrypted. Critical business information shall be stored in Sutherland network share only.
• Adequate precaution is always taken to protect the laptop against theft or damage
• They carry the laptop as hand luggage while travelling by any mode of transport
• They shall not leave the laptop unattended, especially while travelling, and shall keep it out of view of casual onlookers
• The users shall not open or try to do maintenance of laptops on their own. They shall raise a ticket with GSD on account of facing any issues in laptop
Users shall ensure the following technology controls (check with GTI if unsure)
• Not to install / download / store / run / play unauthorized software, music or video files, games in the laptop.
• Not to alter any network, laptop configuration or attach any additional equipment without prior approval from the GTI
• Accessing Internet by laptop from any network (company or outside network) shall be subjected to the Internet Usage Policy of Sutherland
Users shall ensure the following to protect data residing in the laptop
• Adequate care to the laptop and the data residing in it against any unauthorized access or alterations
• Shall not transfer / copy the data from laptop to any other external source other than Sutherland network. If any Exceptions are required, these should have the specific approval of the Business heads of the respective Geos.
Loss of Laptop – User action
• User to inform local Admin/HR/GTI/Finance/Legal team regarding the loss of Laptop for initiating appropriate action.
Upon Separation / Termination – User action
• User shall return the laptop and related accessories to GTI
GTI responsibilities as owner of laptop
GTI to ensure that
• Monthly backup of the data stored in all the laptops is taken to ensure Continuity of Business in the case of loss of Laptop
• Data stored in the laptop is encrypted as per the encryption policy of Sutherland.
• Laptop inventory is updated with all relevant information
• USB ports are configured in such a way that mass storage devices are disabled.
• The integrated webcam should be disabled or should be procured without the integrated webcam.
Enforcement Zone
Laptops issued by Sutherland. Laptop in this policy refers to any Laptop which is issued by and is the property of Sutherland
Enforcement Responsibility
GTI, User
C10. MOBILE POLICY
Objective
To establish & maintain rules and guidelines for usage of Portable Computing Devices and Mobile Phones.
Policy
The purpose of this Mobile Device Usage policy is to establish the rules and guidelines for the use and security of Portable Computing Devices and Mobile Phones. These rules are necessary to comply with applicable laws and regulations and to preserve the confidentiality, integrity, availability & security of ePHI (Electronic Personal Health Information), PII (Personally Identifiable Information) and other non-public information (collectively referred to as “sensitive information”).
Policy statement
Every user of Portable Computing Devices and Mobile Phones at Sutherland must exercise reasonable care as outlined herein to protect Sutherland sensitive information. Protection of sensitive information against physical theft or loss, electronic invasion, or unintentional exposure is provided through a variety of means, which include user care and a combination of technical protections.
The use of unprotected Mobile Devices to access or store sensitive information is prohibited regardless of whether such equipment is owned or managed by Sutherland.
Sutherland employees who possess Mobile Devices are expected to secure them whenever they are left unattended. In the event a Sutherland owned or managed Mobile Device is lost or stolen, the theft or loss must be reported immediately to the Information Security and the respective local Facilities Management departments.
Employees’ personal mobile devices are not allowed to be used on the operating or production floor or other work areas without the authorization and approval of the Service Delivery Head and Information Security/Compliance Departments.
Sensitive Areas are defined as production floor environment or other such areas (training facilities, labs etc.) where employees are accessing / processing sensitive data.
It is the policy of Sutherland that:
• Mobile phones and unauthorized portable mobile devices are not to be carried onto sensitive areas (e.g. production floor) EXCEPT Sutherland Director and above ONLY of that specific client program, who require to spend time on the floor, yet need to be connected to clients.
• Mobile Devices having Sutherland information shall be kept physically secure at all times.
• All Sutherland employees who use Mobile Devices covered under this policy shall immediately report thefts and/or actual or suspected compromise of mobile computing devices to their Supervisor and Information Security team.
• Sutherland data stored on Sutherland mobile phones, or employee personal devices, shall be electronically erased remotely upon notification that the phone or device has been lost or stolen
• Only approved employees shall access Sutherland email over mobile devices-- all requests to access email over mobile devices must be approved by the respective Business Unit Head and InfoSec Department based on the actual need and in accordance with Client proscriptions or limitations.
• Only Mobile Devices as controlled by this policy are used for accessing Sutherland business applications (including email).
• As a first line of defense, all Mobile Devices accessing Sutherland information shall be configured with passcodes to access the device.
• The creation of any photograph, image, video, voice or other recording of any document, record, computer or device screen which includes information subject to this Policy, without approval from InfoSec, shall be prohibited.
• The storage of information subject to this Policy on Mobile Devices is prohibited, including voice messages, voice notes, email, instant messages, web pages and electronic documents, photographs, images and videos, unless authorized by InfoSec.
• Sutherland employees with access to email over mobile devices shall adhere to the Acceptable Use and Mobile Device policies.
• Only approved Mobile Devices shall be allowed to access the Sutherland wireless network.
• Ownership of Mobile Devices provided by Sutherland will reside with Sutherland and the assigned employee must return the Mobile Device when their employment ends.
• All Sutherland employees who have assigned Mobile Devices are responsible for the devices’ physical security and must ensure adequate protection against theft, unauthorized access and breaches of confidentiality at all times.
• If a personally owned Mobile Device is approved to receive Sutherland email, the employee shall adhere to all the guidelines set forth in this policy and acknowledges that at any point Sutherland may elect to terminate access and completely delete all Sutherland information on the device.
• Sutherland shall not be responsible for the loss of any personal data as a result of this process.
Asset Inventory
• GTI to ensure that Mobile assets (Portable Computing Devices) inventory is maintained and kept updated with the relevant information.
• GTI to ensure that the inventory of all mobile devices authorized and being used to access Sutherland applications (including email) is maintained and kept updated with the relevant information.
• Applicable Facilities (or other local) department to ensure that Sutherland Mobile assets (Sutherland issued Mobile Phones) inventory is maintained and kept updated with the relevant information.
• Applicable Facilities (or other local) department to ensure that Sutherland Mobile assets (Sutherland issued Mobile SIM cards) inventory is maintained and kept updated with the relevant information.
Enforcement Zone
Mobile Devices in this policy refer to –
- Mobiles issued by Sutherland
- Mobiles used by Sutherland employees, contractors or partners (mobile devices whether owned
by Sutherland or not) to access any Sutherland applications (including email)
In summary, nobody is allowed to carry mobile phones into sensitive areas (e.g. production floor) EXCEPT Sutherland Director and above ONLY of that specific client program, who require to spend time on the floor yet need to be connected to clients.
All other agents, support personnel on floors and program managers (Team Manager to Sr. Account Manager) are to use ONLY Sutherland procured shift phones without camera and data storage capabilities.
The mobile phone usage in sensitive areas is to be guided by the below approval matrix. The same is to be reviewed annually to keep it aligned with customer security requirements and overall risks to sensitive information handled in Sutherland processing facilities.
Enforcement Responsibility
GTI, Service Delivery, Facilities, Users
Table 8
Approval Matrix for Mobile Phone Usage in Sutherland
Designations (SD & Support) | Type of Phone Allowed | Authorization | Approval | Notification
Associate | None | Not Applicable | Not Applicable | Not Applicable
Consultant / Specialist | None | Not Applicable | Not Applicable | Not Applicable
Sr. Specialist / Sr. Consultant | None | Not Applicable | Not Applicable | Not Applicable
Lead / Subject Matter Expert | None | Not Applicable | Not Applicable | Not Applicable
Team Manager / Associate Manager | Sutherland provided shift Phone (without camera & data storage features) only on need basis | Site Level Business Unit/Function Head | Information Security | InfoSec, Compliance, GTI & Physical Security
Sr. Team Manager / Sr. Associate Manager | Sutherland provided shift Phone (without camera & data storage features) only on need basis | Site Level Business Unit/Function Head | Information Security | InfoSec, Compliance, GTI & Physical Security
Account Manager / Manager | Sutherland provided shift Phone (without camera & data storage features) only on need basis | Site Level Business Unit/Function Head | Information Security | InfoSec, Compliance, GTI & Physical Security
Sr. Account Manager / Sr. Manager | Sutherland provided shift Phone (without camera & data storage features) only on need basis | Site Level Business Unit/Function Head | Information Security | InfoSec, Compliance, GTI & Physical Security
Business Director / Director | Any Mobile Phone | Not Applicable | Information Security | InfoSec, Compliance, GTI & Physical Security
Sr. Business Director / Sr. Director | Any Mobile Phone | Not Applicable | Information Security | InfoSec, Compliance, GTI & Physical Security
Associate Vice President | Any Mobile Phone | Not Applicable | Not Applicable | InfoSec, Compliance, GTI & Physical Security
Vice President | Any Mobile Phone | Not Applicable | Not Applicable | InfoSec, Compliance, GTI & Physical Security
Sr. Vice President & Above | Any Mobile Phone | Not Applicable | Not Applicable | InfoSec, Compliance, GTI & Physical Security
C11. DOCUMENT SCANNER COPY
Objective
To protect Sutherland and its clients’ sensitive information/data from confidentiality breach through a document scanner. A document scanner can be used to scan any document, save it and print it, and some of them have the capability to work as a FAX machine.
Policy
All document scanners shall be controlled against unauthorized use
Policy statement
Procurement
• Document scanners shall be procured or issued to any department/program only when it is essential and justified by business reason
• Document scanner shall have only basic scanning feature and no other additional features such as scanner with printer, Photo copy, Fax, etc.
Location of installation and Physical Access
• Document scanners shall not be installed in any production floors
• Document scanners shall be installed in a place where physical access is restricted
Logical Access
• Access to document scanner shall be restricted to authorized persons
• Such accesses shall be approved by Department L6 or above based on the business justification
Ownership
• A person from the Department/Program shall be identified as owner, who shall be responsible for the document scanner
• The owner shall maintain a list of persons who have been given access to the document scanner
Enforcement Zone
All Sutherland locations
Enforcement Responsibility
GITP, GTI, Program/Department
C12. PAYMENT CARD INDUSTRY PCI DSS POLICY
Objective
To safeguard the sensitive data in any form handled by Sutherland against unauthorized disclosures, alterations or misuse by adopting industry best practices in security standards
Policy
Data pertaining to Sutherland’s client or corporate Sutherland data shall be protected against unauthorized disclosure, alteration or misuse
Policy statement
Physical Controls
• Sensitive work areas shall have a separate access control door controlled by access cards
• Only authorized personnel shall be allowed inside the sensitive area
• Security guards shall conduct checking of employees, visitors or vendors as and when required
Technological Controls
• A sensitive work area shall be in a separate VLAN, which should not be accessible from outside, and access to that VLAN shall be controlled
• Employees working in a sensitive area shall NOT have access to printers.
• All the data in the electronic media used in the sensitive area will be degaussed or destroyed as appropriate, after its usage
• Storage devices moved from the sensitive areas or program will be wiped using sanitizing software
• Print screen facility shall be disabled on all Desktops/PCs in the sensitive work area
• Sensitive work area shall have software, hardware or programs which are approved by clients
• Access to outbound mails shall be denied to employees who are working in sensitive areas
• Internet access shall not be allowed for personnel who work in sensitive work areas. The only exceptions can be those sites which need to be accessed based on client requirement. The list needs to be specified by the client.
• Workstation in sensitive work areas shall not have CD drives, floppy drives, USB drives, etc
• Strong data encryption and other adequate safeguards shall be used if client sensitive data is stored in Sutherland’s network
• Security of data in transit shall be ensured by using IPSEC, SSL or similar encrypted transmissions and using 3DES, AES or similar encryption mechanisms
• Call recordings containing credit card data shall be encrypted, and access to listen to them shall be provided only to selected people based on their job requirements
• No calls containing credit card data shall be downloaded to any media except for valid legal or forensic purposes
Other controls
• Items such as paper, pens, pencils, CDs, floppies, USBs, DVDs, memory cards, mobile phones, tablet computers, wearable computers (e.g. smartwatches, Google Glass, etc.), phones that can connect outside, bags, food items, recording equipment and cameras shall not be allowed inside the sensitive area
• A sensitive work area shall be continuously monitored by CCTV. Recordings of CCTV shall be kept for 30 days or as required by regulatory authorities/clients and shall be reviewed periodically
• Team Leads or other designated personnel shall monitor the sensitive area activities
• Sensitive information (credit card numbers, CVV numbers, SSN numbers and other sensitive information related to customers/clients) shall not be stored on desktops/laptops
• All inbound and outbound calls shall be recorded for a specific duration, and such recordings shall be made available to select persons on a need basis
• Indicators such as crediting the same CC number, multiple credits for the same customer, etc. shall be watched
Employee hiring, monitoring and training
• Prior to joining a sensitive information handling program, HR and the respective program shall ensure that the employee has undergone an appropriate background check and has good character
Enforcement Zone
All Sutherland programs where Credit card information is handled
Enforcement Responsibility
GTI, Program/Department
C13. PRIVILEGED ACCOUNT POLICY
Objective
Privileged or powerful accounts, including administrative accounts available in servers, operating systems and applications, have to be controlled, managed and monitored against unauthorized use.
Policy
All types of privileged accounts at Sutherland Global Services (Sutherland) which are needed to manage IT devices or applications such as servers, firewalls, routers, switches and other network devices, IT applications, databases, mail servers, etc. shall be appropriately controlled, monitored, managed and reviewed on a periodic basis.
Policy statement
Identification
• All types of privileged accounts (such accounts which are not used for regular operations) for all IT devices shall be identified and documented.
• Activities which can be performed using such accounts shall be clearly identified and documented along with the employee name who is authorized to have access to such accounts.
• Roles and responsibilities of employees who will have access to privileged accounts shall be clearly defined and documented
Approval
• All requests for access to privileged accounts shall be logged in the Service Now ticketing system
• The request shall be reviewed and approved by the appropriate level of GTI employees and by InfoSec.
• The employee name shall be updated in the Privileged Account Details by the GTI SPOC at each location.
General
• Regular activities shall not be performed using privileged accounts
• Privileged account passwords must be complex, hard to crack or guess, and must not be shared, written down, typed or sent via mail
• Back up accounts for all Privileged Accounts shall be kept in a sealed cover and stored in a highly secured box/vault with restricted access
• Privileged account passwords shall be force-changed every 90 days
• Separated employees’ access shall be removed immediately
• Maintenance accounts created for vendors shall be disabled immediately once the purpose for which they were created has been fulfilled.
• The details of accesses shall be maintained in Privileged Account Details
Monitoring and Review
• Privileged accounts shall be monitored by the GTI SPOC every month and reviewed by InfoSec every quarter
• All activities performed under privileged account shall be logged and reviewed by InfoSec on a quarterly basis.
Enforcement Zone
All Information Technology Devices, Applications
Enforcement Responsibility
GTI, InfoSec
C14. VULNERABILITY ANALYSIS POLICY
Objective
Vulnerabilities in IT devices and applications have to be identified and fixed accordingly to eliminate the possibility of exploiting those vulnerabilities
Policy
Vulnerability Analysis (VA) on systems connected to program VLANs and on servers shall be conducted on a periodic basis, and appropriate corrective and preventive actions shall be taken
Policy statement
General
• InfoSec team and / or designated third party consultants shall conduct VA at Sutherland
• VA conducted internally by anyone other than the InfoSec team shall carry the acceptance of the InfoSec team
• Only tools or methods approved by InfoSec team shall be used for conducting the VA at Sutherland
• VA tools shall have the latest industry patches
• VA shall be conducted every six months covering all Sutherland geographies
• Random servers shall be selected for conducting VA across the geographies
Conducting VA
• VA shall be conducted based on the VA schedule prepared by InfoSec
• Ad hoc requests for carrying out VA shall be approved by L6 and above and communicated to InfoSec
• Scheduled/ad hoc VA shall be approved by the Head of InfoSec and communicated to GTI and the respective stakeholders.
Enforcement Zone
Production systems and critical servers
Enforcement Responsibility
InfoSec Team
C15. SECURITY MONITORING & LOG MANAGEMENT POLICY
Objective
To monitor the logs of the critical devices in the Sutherland infrastructure and to take appropriate action on any anomaly found, in order to protect Sutherland’s and its clients’ sensitive information/data from confidentiality breach.
Policy
General
• Sutherland shall deploy tools on its critical devices for monitoring their status and health
• Some of the critical devices would be firewalls, routers, Layer 3 switches, critical servers and databases, etc.
• All server and network devices shall pick up their time from an internally hosted Network Time Protocol (NTP) server which is synchronized with an externally hosted NTP server based on International Atomic Time or UTC. If there is more than one NTP server in the environment, then the time servers shall peer with each other to keep accurate time
• Log files of critical systems shall be reviewed on a regular basis for signs of compromise or vulnerability to exploitation
• Sutherland shall depute a special team to monitor the tools
• This team shall conduct the following activities:
o Process, analyze, correlate and report on log data from critical devices on a regular basis
o Assist in the incident management process
o Assist in the implementation of security controls
o Monitor configurations of critical devices and recommend changes if needed
o Threat modeling and vulnerability analysis for systems
o Troubleshoot problems related to security standards & policies
o Network security design review
• Any security violation shall be addressed by the Incident Management Team
Enforcement Zone
All Sutherland locations
Enforcement Responsibility
InfoSec, GTI
C16. ANNEXURE
Laptop Usage Acknowledgment
• The Sutherland laptop is intended only for official purposes
• Users shall ensure that the laptop is not shared with any other person
• Users shall adequately protect the laptop from environmental threats such as dust, any liquid, excessive heat, and radiation with suitable measures
• Users shall not keep the laptop unattended and unlocked
• Users shall carry the laptop as hand luggage while traveling
• If the laptop is kept in a car, a hotel room or any other place outside a Sutherland facility, it shall be placed out of view of casual onlookers
• Users shall ensure that Antivirus software is up to date in the laptop
• Users shall not install/download unauthorized or banned software, music or video files, or games on the laptop
• Users shall not alter any network, laptop configuration or attach any additional equipment without prior approval from the GTI
• Users shall take great care of the laptop and the data residing on it, protecting it against unauthorized access or alterations
• Users shall not transfer/copy the data in the laptop to any other external source
• Information stored on laptops must be backed up periodically according to a defined schedule. It is the responsibility of the user to ensure that this is done
I have read all the points stated above and hereby agree to follow the above-mentioned statements
Signature:
Name:
Employee ID:
Date:
Note: Non-compliance with the above will be dealt with in accordance with Sutherland corporate policies, including HR and InfoSec policies.
C17. DEFINITIONS
The word “Company” here refers to Sutherland Global Services Ltd (abbreviated as Sutherland)
For the purposes of this guide, a "site" is any set or subset of Sutherland that owns or manages computers or network-related resources. These resources may include host computers that users use, routers, terminal servers, PCs or other devices that have access to the Internet/Intranet/Extranet. A site may be an end user of network services or a service provider such as a mid-level network. However, most of the focus of this guide is on end users of Sutherland’s network services.
The Network is a collection of resources linked by a common set of technical protocols which make it possible for users of Sutherland to communicate with, or use the services located on, any of the other networks (e.g. the Internet).
The term "administrator" is used to cover all those people who are responsible for the day-to-day operation of system and network resources. This may be a number of individuals or an organization.
The term "security administrator" is used to cover all those people who are responsible for the security of information and information technology. This function may be combined with administrator (above).
The term "Management" refers to those people of Company site who set or approve policy. These are often (but not always) the people who own the resources.
The term "Associate" refers to those people who are directly employed by the company, are working for the company under a contract, or any external person who is directly paid by the company and is using the information and the information processing facility of the company.
The term "Visitor" refers to those people who visit the information processing facility of the company but do not use the information or the information processing components of the facility.
The term "Marketing Department" refers to the department which is involved in communicating, or authorizing the communication of, any information that the company management believes may be divulged to the public.
The term "trusted domain" broadly refers to an area that is completely under company control and not controlled by a third party/service provider.
The term "secure areas" broadly refers to all regions and areas where this information security policy needs to be implemented and which require access control to the facility under the relevant policy.
The term "Functional Manager" refers to those people of a Company site who control or manage a specific area or division of the organization. Examples include (but are not restricted to) an HR Manager, who is the functional manager for the HR function.
The term "Removable Media" refers to all data storage media that may be unplugged from the computing system without the personnel needing to physically disassemble the computing system (electronic gadgets).