Information Security Policy

1.0 Purpose

The purpose of this policy is to direct the design, implementation and management of an effective Information Security Program, which ensures that’s information assets are appropriately identified, recorded, and afforded suitable protection at all times. This document sets forth certain principles regarding the responsible use of information by and outlines the roles and responsibilities of personnel to protect the confidentiality, integrity, and availability of’s resources and data.

2.0 Scope

This policy covers’s information and information systems, including information and information systems used, managed, or operated by a contractor or other vendors and applicable to all employees, contractors, and other users of’s information and information systems.

3.0 Policy Statements

  • Implement and maintain the Information Security Program at
  • Continuously improve and align information security practices to global best practices and standards.
  • Information security policies shall be reviewed regularly. employees shall acknowledge their adherence to these information security policies and practices annually.
  • Security awareness training shall be provided regularly.
  • Internal assessments or audits of’s Information Security Program shall be performed periodically, and any gaps or findings shall be remediated promptly.
  • A risk assessment process for’s information assets shall be defined and followed. Risk reduction shall be carried out through the process of continuous improvement.
  •’s information asset inventories shall be reviewed and updated when a new asset is added and/or an existing asset is upgraded.
  • Business continuity plans (BCPs) and backup plans shall be reviewed and tested at least annually.
  • Roles and responsibilities shall be clearly defined and communicated to relevant individuals.
  • Information should be classified and handled according to its criticality and sensitivity as mandated by relevant legislative, regulatory and contractual requirements.
  • Appropriate contacts shall be maintained with relevant authorities, special interest groups or other specialist security forums.
  • As needed, the security incidents would be reported outside of by a designated person nominated by executive management.
  • Requirements for confidentiality or non-disclosure agreements reflecting the organisation’s needs for the protection of information shall be identified, regularly reviewed and documented.
  • Prevention, detection, and recovery controls to protect against malware shall be implemented by, and these will be combined with appropriate user awareness.
  • An incident management process shall be established to correctly identify, contain, investigate, and remediate incidents that threaten the security or confidentiality of’s information assets.
  • shall develop and maintain a vendor management process for third-party vendor engagement and assessment.
  • Change and vulnerability management controls shall be established and implemented.

4.0 Roles and Responsibilities

4.1 Board of Directors

The Board of Directors shall be independent of management and provide oversight and direction for’s Information Security Program. Their responsibilities will include, but are not limited to:

  • Ascertaining that there is transparency regarding the significant risks facing
  • Obtaining assurance that management has established responsibilities, processes and technology for an effective Information Security Program.
  • Using the output of any Information Management Program assessment to assist in risk management decisions to secure’s information assets.
4.2 Executive Management

Executive Management shall provide directions and management support to employees with information security responsibilities at The Executive Management team shall report the overall information security and business continuity program to the’s Board.

Executive Management’s responsibilities shall include:

  • Defining and aligning the scope of the Information Security Program with’s business requirements and security best practices and standards.
  • Ensuring that information security responsibilities have been assigned and are sufficient to comply with the Information Security Program, including:
    - Overseeing the Information Security Program implementation and security improvement initiatives.
    - Preparing security awareness training material and conducting periodic information security training.
    - Planning and performing periodic Information Security Program assessments and communicating the results to Executive Management.
    - Performing analysis of security incidents and recommending, initiating or tracking corrective actions as applicable.
    - Identifying the subject matter expertise needed to improve information security defences.
  • Reviewing any reports of the Information Security Program implementation status or assessments.
  • Reporting the overall information security and business continuity program to’s Board.
  • Providing guidance and oversight for BCPs and Disaster Recovery Management for and approving the Disaster Recovery Action Plans documented for implementation.
  • Playing an active role during’s Risk Assessment exercises and defining risk mitigation strategies.
  • Approving’s information security policies and any changes to the policies and ensuring that the overall information security posture is aligned to business requirements and risks.
4.3 Chief Information Security Officer (CISO) has appointed a Chief Information Security Officer (CISO) from an executive team who is responsible for the organisation’s information and data security. CISO’s responsibilities include (but are not limited to):

  • Overall responsibility for implementing and ensuring information security in and providing leadership to the enterprise’s information security organisation.
  • Approving’s information security policies, as well as changes or amendments to policies to ensure overall information security posture, is aligned to business requirements and risks.
  • Monitoring continuous security improvements; reviewing and recommending applicable changes in the security policies and processes.
  • Managing and improving Business Continuity Planning (BCP) and Disaster Recovery (DR) preparedness of the organisation.
  • Convening with other members of executive management periodically and reporting on security risks and the organisation's security effectiveness.
  • Advising top management on the standards or best security practices to adopt at the organisational level.
  • Ensuring compliance with changing laws and applicable regulations.
  • Communicating the Information Security policies and security programs to the organisation through ongoing security training and awareness.
  • Partnering with business stakeholders across the company to raise awareness of risk management concerns.
4.4 Information Technology (IT) Security has appointed an IT Security Manager who is in charge of overseeing the organisation's security operations. The responsibilities of the IT Security Manager include (but are not limited to):

  • Managing the Security Operations team and developing policies and procedures for hiring new employees and developing new processes.
  • Monitoring compliance which includes internal, external, and regulatory compliance.
  • Ensuring internal and external cybersecurity risk management policies are understood and implemented by both vendors and employees. For law and regulation compliance, confirming that the organisation complies with industry regulations such as ISO, GDPR, SOX, PCI DSS, COPPA, etc.
  • Collaborating with various departments within the organisation to reduce risk by ensuring that technical controls and policies are implemented across the organisation.
4.4.1 Security Operations Team

The Security Operations team (as a part of the IT Security team) at is responsible for maintaining security monitoring tools and investigating suspicious activities. The Security Operations team's responsibilities shall include (but are not limited to):

  • Maintaining all security tools and technology to secure and monitor systems effectively and updating these tools regularly.
  • Monitoring all operations and infrastructure by reviewing alerts and logs to track the organisation's digital security impact.
  • Evaluating new technologies and assisting in the implementation of controls that reduce the risk of its operation.
  • Conducting continuous reviews of policies and controls to determine what needs to be improved or remediated.
  • Liaising with the Incident Management team to ensure that the incident response program is tested throughout the organisation and that employees understand their roles in the event of an incident.
4.5 Information Technology (IT) Operations has appointed a Chief Technology Officer (CTO) who is responsible for supervising the development and delivery of technology for external customers, vendors, and other clients to improve and expand the business. The IT Operations team responsibilities shall include (but are not limited to):

  • Creating technical requirements for the organisation's strategy to ensure alignment with its business goals.
  • Discovering and implementing new technologies that provide a competitive advantage.
  • Assisting departments in making profitable use of technology.
  • Monitoring the system infrastructure to ensure its functionality and efficiency.
  • Utilising stakeholder feedback to inform necessary technological improvements and adjustments.
4.6 Human Resources (HR)

The Human Resources team ensures that employees follow security policies designed to protect, its customers and employees. The HR team responsibilities shall include (but are not limited to):

  • Determining the skills and requirements for positions in information security.
  • Ensuring that employees and contractors are informed of their information security responsibilities and carry them out.
  • Providing information security management direction and support following business requirements and applicable laws and regulations.

5.0 Information Security Policies

This document, along with the rest of’s information security policies define the principles and terms of’s Information Security Program as well as the responsibilities of the users and employees in carrying out and adhering to the respective program requirements.

Violations of’s information security policies may result in corrective actions and the start of a disciplinary process.

6.0 Communication shall have dedicated communication channels to ensure incidents related personnel security or breach of policies are reported, evaluated and addressed.

Examples of incidents include, but are not limited to:

  • Breach of security policies
  • Discrimination or harassment of employees
  • Occupational Health and Safety hazards
  • Issues with the quality of work or performance
  • Inappropriate conduct in the workplace

Please see Appendix 1 for a list of contacts to report incidents.

Appendix 1 Person- Hrushikesh
Address- Mumbai, India
Health and Safety