Indium is committed to protecting the privacy of internal and external stakeholders and ensures control over the collection, use, disclosure, and disposal of their information. This policy applies to all personal data captured by Indium that needs to be safeguarded.
Indium is committed to providing access on a need-to-know basis. These rights shall be continuously reviewed for suitability, and appropriate action will be taken.
An individual privileged user account must be created for the administrator.
The administrator will have the advanced permissions that are necessary for system administration.
A confidential unique ID is required to access Indium systems and applications.
Indium shall allow teleworking of employees by implementing appropriate controls and ensuring that the information security interests of Indium and its clients are adequately taken care of. Indium ensures the smooth flow of business when an employee is not physically present in the organisation. In such a home office setup, Indium's proprietary properties and customer information accessible during teleworking are monitored through MDM and DLP solutions to alert the system to any data leakage. Remote access to the network must be secured by two-factor authentication.
Secure coding practices must be incorporated into all life cycle stages of an application development process. Employees must understand the security requirements of the customer by following secure coding practices such as:
We secure data transfer through appropriate encryption methods in a secured SDLC environment.
We implement secure coding practices following OWASP, CERT, SANS, etc. guidelines.
Employees are empowered and educated to report security weaknesses, threats, and events to the ISMS mail, i.e., isms.compliance@indiumsoft.com. Indium provides guidance for the timely reporting of security incidents, such as computer viruses, unauthorized user activity, suspected compromise of data, physical break-in, etc., to the Incident Management team and IT team, in order to contain or limit the exposure to loss and mitigate the harmful effects of security incidents.
Indium focuses on reducing the risk of unauthorised access to sensitive information by safeguarding it in both physical and digital formats.
A device must be logged off or protected by a password mechanism when you are away.
Confidential hardcopies must be removed from printers/faxes immediately.
Papers or any device holding Indium/Client data should not be left unattended.
Indium focuses on protecting information assets against loss of confidentiality, integrity and availability caused by malicious programs/software (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.). This applies to all computers that are connected to Indium cloud infrastructure via a standard network connection, wireless connection, modem connection or VPN connection. Employees must ensure AV is installed and enabled with updated patches on their assets. No employee, contractor or vendor should attempt to destroy or remove a virus, or any evidence of that virus, from the affected system without direction from Indium's IT department.
Indium ensures the proper disposal and destruction of media storing confidential information. Customer data, internal data, personal data, etc. that are no longer necessary shall be subject to the data destruction process.
Physical data is shredded in a shredder machine when no longer necessary for business.
The data will be wiped off once moved to a storage unit and then sent to scrap.
Data stored on cloud servers is deleted with the Project Manager's approval.
Indium's Backup Policy prioritizes the management of data retention, recoverability, and the protection of information assets against loss or disaster. The backup frequency will be tailored to meet the organization's obligations to customers and regulatory authorities. The objective of this policy is to establish uniform guidelines for backup management to guarantee the availability of backups when required. All data stored on Indium servers, email servers, network servers, web servers, firewalls, and remote access servers will undergo backup procedures.
Indium ensures awareness of information security through different training modes, which include, but are not limited to, classroom training, online training, posters, computer wallpapers, newsletters, quizzes, contests, focused meetings and events consistent with the Information Security Standard.
All new joiners must attend the security awareness training within 30 days of joining.
For existing employees, refresher security awareness training shall be completed on a yearly basis.