Isms Userhandbook[1]

  • 8/8/2019 Isms Userhandbook[1]

    INFORMATION SECURITY - USER HANDBOOK

    Author: Sriram C N    Signature: --------------------    Date: 19/02/2007

    Reviewer: Amarnath S Y    Signature: --------------------    Date: 19/02/2007

    Approver: Amarnath S Y    Signature: --------------------    Date: 19/02/2007

    ISMS/GDL/04

    Version: 2.1

    Document Classification: Internal

    COPYRIGHT NOTICE

    Copyright 2007 POLARIS SOFTWARE LAB LIMITED

    All rights reserved.

    Information Security User handbook

    Internal to PSL Page 2 of 19 ISMS/GDL/04 Ver 2.1

    Revision History

    Columns: Version No., Change Reference No., Author, Published Date, Sections Changed, Description of changes

    1.0  1  Amarnath .SY  15/03/2004  -  Initial release
    1.1  2  Amarnath .SY  31/03/2004  Sec. 9  Incident reporting included. Updated based on the stage 1 assessment recommendations.
    1.2  3  Amarnath .SY  15/05/2004  Sec. 7.1  Mobile computing assets updated.
    1.3  4  Chandran S  05/03/2005  Policy & other changes based on Feedback
    1.4  5  Amarnath SY  06/10/2005  Section 7.4 was added.
    2.0  6  Ramkumar S  23/03/2006  3.2. g
    2.1  7  Sriram C N  19/02/2007  General review

    Information Security Policy

    Protect information assets of Polaris and its clients to ensure Confidentiality, Integrity and Availability, based on business expectations.

    - Arun Jain, CEO

    Please note that the ISMS manual is available on our Empower site (refer: http://pslqms.polaris.co.in/Manuals/ISManual.doc).

    Table of contents

    1.0 Objectives and Ethics
        1.1 Security Objectives
        1.2 Security Ethics
    2.0 Information Security Prerequisites
    3.0 Access to Information Systems
        3.1 User Identification
        3.2 Passwords
        3.3 Workstation / Laptop Security
        3.4 Security practices
        3.5 Physical Access
        3.6 Other forms of information exchange
    4.0 Computer Viruses
    5.0 Software Use
    6.0 Internet and E-mail
        6.1 Internet
        6.2 E-mail Usage
    7.0 Security of Information Systems Assets
        7.1 Mobile Computing Assets
        7.2 Computer Media Handling and Security
        7.3 Clear Desk and Clear Screen Policy
        7.4 Protection of Personal Information
    8.0 Security Violations & Disciplinary Action
    9.0 Reporting Computer Incidents

    1.0 Objectives and Ethics

    1.1 Security Objectives

    The Objectives of Information Security are to ensure:

    CONFIDENTIALITY: To prevent unauthorized disclosure of information stored or processed on Polaris's information systems.

    INTEGRITY: To prevent the accidental or unauthorized deliberate alteration of information.

    AVAILABILITY: To prevent the accidental or unauthorized deliberate destruction or deletion of information necessary to operations.

    1.2 Security Ethics

    It is ethical:

    - As an associate, to clarify prevailing rules.
    - As an associate, to respect Polaris's possessions, working hours, and resources, and make sure they are used correctly.
    - To protect sensitive information.
    - Not to accept local internal norms that conflict with Polaris values, even to the benefit of Polaris.

    It is unethical to:

    - Actively study information one has gained access to by mistake.
    - Spread information that can in some way hurt others.
    - Actively hide one's identity.
    - Appropriate authority or rights in excess of those granted.
    - Make private statements or publish private material in the name of Polaris.

    2.0 Information Security Prerequisites

    a. Upon joining Polaris, associates will be required to sign appropriate undertakings before they can access any of Polaris's information assets. The undertakings shall be for:

      - Confidentiality or non-disclosure agreements.
      - Acceptable use of computing resources.

    b. Associates will also undergo a security awareness orientation session covering information security issues such as the correct use of information processing facilities, logon procedures, software privileges, etc.

    c. As users of Polaris's information systems, associates shall:

      - Ensure that information and data are used solely for purposes specified for use.
      - Use the information system resources of Polaris for legitimate business purposes only and not for any personal gain.
      - Promptly report any suspected breach of security policy that comes to their knowledge.

    Additionally, information assets shall not be used to:

      - Degrade system performance.
      - Deprive an authorized user of access to a resource.
      - Obtain extra resources, beyond those allocated.
      - Circumvent computer security or gain access to a system for which an associate has no authorization.
      - Harass other associates or any other person.

    d. Upon transfer, retirement or separation of employment, associates should note that it is in their best interest to inform their reporting Managers of all access privileges that they have on the systems of Polaris and to hand over any privileged information, media and electronic authentication devices, tokens, if any.

    3.0 Access to Information Systems

    3.1 User Identification

    a. The level of access granted and the activities that can be performed on authorized systems will vary from associate to associate and will typically be role-based, to enable associates to perform their day-to-day functions effectively.

    b. Associates will be assigned an identification code (user-ID) and password by IT to enable them to gain access to the information systems resources of Polaris. Associates should change the password upon first logon to the systems.

    c. The user-ID will remain unique to each associate, and it will be the responsibility of every associate to maintain the confidentiality of his / her user-ID and password.

    d. Information systems resource usage is monitored regularly by IT to track system performance, capacities, inappropriate access, etc.

    e. Associates should remember that they are accountable for all actions committed on the systems of Polaris with their user-ID and password. It is therefore essential that user-IDs and passwords are never shared and that any suspected password compromise is reported promptly to the Systems Administrator.

    3.2 Passwords

    While user-IDs identify associates to the system, passwords are a mechanism for authenticating them to the system. It is therefore essential that password confidentiality be maintained at all times. The following points should be borne in mind for password use:

    a. A password will be assigned at the time of user-ID creation and communicated to the associate by IT. It will be the responsibility of the associate to change this password after first log-in. Associates should not share or disclose passwords. In case such an event occurs due to accident or some operational requirement, the associate should immediately change passwords.

    b. The passwords selected by associates should be sufficiently long (minimum 8 characters).

    c. The password should contain at least a combination of any three of the following:

      - One upper case letter
      - One lower case letter
      - One numeric
      - One special character

    d. The time and effort required to guess a longer password is obviously more than that required for breaking a shorter password.

    e. Associates should change their passwords once in 45 days. Frequent password change prevents unauthorized associates from gaining access to an associate's account.

    f. A history of passwords will be maintained by the system. Associates cannot reuse the last 9 passwords when they change the password.

    g. Associates should note that user accounts will be disabled by the system after 5 unsuccessful attempts. If the system prompts that your account has been disabled despite the correct password being entered, you should promptly report the matter to the IT help desk, who will in turn coordinate with the concerned Security Administrator / Systems Administrator, as there is a very high probability that your account was being hacked.

    h. To ensure that passwords are difficult to guess, associates should note the following tips:

      - Passwords should not contain consecutive identical characters or all-numeric or all-alphabetical groups.
      - Passwords should not be based on anything that somebody else could easily guess or obtain using collateral information like:
        - Names, telephone numbers and date of birth.
        - Passwords relating to one's personal life.
        - Common dictionary words.
        - Technical words relating to the computer systems environment at Polaris.
        - Famous dates such as Government holidays, Festivals, Social/International Event days.
        - Passwords relating to one's personal life in reversed order.
        - Names of prominent individuals.

    i. Additionally, to ensure that passwords are secure, associates should note that passwords are never stored in readable format in batch files, log-in scripts, terminal function keys, files on local hard drives, "yellow stickers" or any other locations where they can be easily discovered.
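
    The rules in 3.2 b, c, f and the first tip in h can be enforced mechanically when a password is changed. The checker below is an added example, not part of the handbook or of any Polaris system; the function names, the salted PBKDF2 history records and the reading of "consecutive identical characters" as any doubled character are assumptions.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8            # 3.2 b: minimum 8 characters
MIN_CLASSES = 3           # 3.2 c: any three of the four character classes
HISTORY_DEPTH = 9         # 3.2 f: the last 9 passwords cannot be reused
PBKDF2_ROUNDS = 100_000   # assumption: the handbook does not say how history is stored

CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password):
    """Return the set of character classes present in the password."""
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(password)}


def history_entry(password, salt=None):
    """Derive a salted PBKDF2 record so the history never holds readable passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused(password, history):
    """True if the password matches one of the most recent HISTORY_DEPTH records."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        _, candidate = history_entry(password, salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def policy_violations(password, history=()):
    """Return the list of rule codes the candidate password breaks (empty if none)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if len(character_classes(password)) < MIN_CLASSES:
        violations.append("too_few_classes")
    if re.search(r"(.)\1", password):  # 3.2 h: consecutive identical characters
        violations.append("repeated_character")
    if reused(password, history):
        violations.append("reused")
    return violations


if __name__ == "__main__":
    # Constructed sample data: ten earlier passwords, oldest first.
    history = [history_entry(f"Blue{i}-Kites") for i in range(10)]
    for candidate in ("short1A", "alllowercase", "Blue5-Kites",
                      "Blue0-Kites", "Grey4_Harbour"):
        print(candidate, policy_violations(candidate, history))
```

    The oldest of the ten constructed passwords is accepted again because only the nine most recent records are compared.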

    3.3 Workstation / Laptop Security

    a. Associates are responsible for their PC / Laptop and should not:

      - Install unauthorized software (shareware, freeware, remote access software, dial out applications, Internet access applications, etc.); and
      - Share folders or disk drives on PCs or laptops unless share level access controls have been enabled on the folder or disk drive.

    b. Associates should log out of their active sessions on completion of work to prevent unauthorised persons carrying out any activity in the associate's absence. Additionally, password protected screen savers should be enabled to protect workstation and laptop terminals that are left unattended.

    c. Associates should periodically delete confidential information from the local hard disk that is no longer needed, or move it to a secure location on the server of Polaris, to reduce the chances of confidential information falling into the wrong hands.

    d. Polaris will view any attempts to breach information security seriously and the erring associate will be subjected to strict disciplinary action specified later in this book.

    3.4 Security practices

    Associates should not:

    - Use another associate's user-ID to gain access to computer resources.
    - Attempt to access any data or programs contained on the systems of Polaris for which they do not have authorization or explicit consent.
    - Use any system utilities unless authorized to do so.
    - Assign system, application, and file privileges to other associates unless expressly authorized.
    - Attempt to prove a suspected weakness; any action in testing the weakness would be viewed as a potential misuse of the system.

    3.5 Physical Access

    a. It is mandatory for all associates, visitors and contract personnel to wear their identification badges within the facility at all times in a visible manner. Associates are encouraged to politely question unescorted strangers not wearing visible identification and to challenge / report to Security persons moving about in a suspicious manner or performing suspicious activity.

    b. The Data Centres, server rooms, communications rooms and other identified secured rooms at Polaris are restricted areas, and access to these rooms is reserved for associates working in these areas. Unauthorised entry to these areas is strictly prohibited and will be viewed seriously as a security breach.

    3.6 Other forms of information exchange

    Associates shall be conscious of disclosing confidential information in conversations or other forms of communication. This shall include:

    - Do not discuss confidential PSL information in public places through any means such as cellular / cordless phones or oral communication.
    - Do not leave confidential information in voicemails, printer spools, printers or any public places.

    4.0 Computer Viruses

    Software and computation processing facilities are vulnerable to the introduction of viruses. Viruses can be of any type that affects the IS resources and can cause damage to information to any extent. Viruses may affect the stability of the computer system and may contribute to the damage or loss of valuable business information.

    A computer virus is a program designed to replicate and spread on its own, generally without a user's knowledge. Computer viruses spread by attaching themselves to another program, such as word processing or spreadsheet programs, or to the boot sector of a diskette. When an infected file is executed or the computer is started from an infected disk, the virus itself is executed. Often it stays in memory, waiting to infect the next disk that is accessed. Many viruses perform trigger events; for example, they might display a message on a certain date or delete files after the infected program is run a certain number of times. While some of these trigger events are benign, others can be very costly and cause significant damage.

    E-mail attachments are the biggest source of viruses, while diskettes are the typical carrier for boot-sector viruses.

    All associates should follow the guidelines prescribed below to ensure that viruses are kept out of the systems at Polaris and that any suspected virus activity is detected and reported promptly:

    - All personal computers have been configured to scan hard disks as part of the re-boot process. The virus-scanning program should never be bypassed or otherwise skipped.
    - Scan all removable disks (floppies and CDs), wherever they are allowed, before use, preferably on a separate isolated workstation.
    - Scan all information or files downloaded from the Internet and all mail attachments received from outsiders.
    - Ensure that all demo disks are write-protected and scanned before use.
    - Do not use disks containing unauthorized data and programs from outside, e.g. disks containing games, software utilities, etc.
    - In the event of an actual or suspected virus attack:
      - Isolate the suspect diskettes.
      - Do not use the virus-infected personal computers.
      - Inform IT help desk immediately.
      - Await clearance from IT help desk before the infected systems can be used.

    5.0 Software Use

    Polaris follows a strict policy of using only authorized and licensed software on its systems. As a general rule, IT will do all software procurement and installation. This ensures that the software is procured from approved suppliers, meets quality standards and functional requirements, is adequately tested prior to use and is installed according to prescribed configurations on users' machines. Associates are strictly prohibited from installing any software on their machines unless explicit approval has been obtained from IT.

    a. Associates' software requirements shall be sent to IT, who will arrange for acquisition and installation.

    b. Software installed on Polaris systems shall be used for business purposes only.

    c. Associates shall not:

      - Use unlicensed software, shareware, public domain software or pirated software on the computer equipment of Polaris.
      - Make copies of software and / or information lying on the systems at Polaris unless specifically authorized to do so, e.g. for backup purposes, for carrying out on laptops, etc.
      - Download, install or run security programs or utilities that reveal weaknesses in the security of a system in the computing systems of Polaris.

    d. IT shall perform periodic reviews of software usage on PSL PCs, laptops, and servers to ensure all computer resources are in compliance with licensing agreements. All software found in violation shall be removed immediately. Associates responsible for loading and/or using non-compliant software will be subject to disciplinary actions by Management.

    6.0 Internet and E-mail

    6.1 Internet

    The Internet is a worldwide public network of computers that contains millions of pages of information and provides file storage and electronic mail services. Associates may be provided with access to the Internet through the computer network to assist them in the performance of their jobs. All associates have a responsibility to use Internet access in a professional, lawful and ethical manner.

    Associates accessing the Internet should not use IT resources of Polaris to do so unless expressly permitted and unless Polaris has provided such a facility through secured channels. Further, Polaris is not responsible for material viewed or downloaded by associates from the Internet.

    a. Associates should be aware of the following risks posed by the Internet:

      - Confidentiality of information is not assured.
        - Information sent over the Internet could be accessed and publicized by anyone, which may disclose important information of Polaris.
        - Additionally, many web sites employ technologies (e.g. cookies, Java applets, ActiveX components) designed to enable interactivity, track user preferences, or gather personal information without the user's knowledge (for example, information such as the user's credit card number, the PIN for the bank account, the user's favorites, the sites visited and the information browsed can be tracked).
      - Reliability of information is not assured.
        - Information sent over the Internet is not guaranteed to be received by the recipient.
        - Internet e-mail should not be used as a reliable source of information transmission. There should be no expectation of privacy of data or information, nor any assurance that information has been properly transmitted or actually received by the intended recipient.

    b. The Internet must be used only for Polaris related purposes, if expressly permitted to use the same through Polaris resources. Usage of Polaris resources and Internet connectivity for private use, including but not limited to personal entertainment, personal business or profit, and publishing personal opinions, is strictly forbidden.

    c. Associates shall acquire work-related software from external sources via the Internet only with appropriate and prior approval of IT.

    d. To ensure security and avoid the spread of viruses, associates should access the Internet only through the network of Polaris. Bypassing the Polaris computer network security by accessing the Internet directly by modem or other means is strictly prohibited.

    e. Associates will not deliberately perform acts that waste computer resources or unfairly monopolise resources to the exclusion of others by spending excessive amounts of time on the Internet, playing games, engaging in online chat groups, uploading or downloading large files, or otherwise creating unnecessary loads on network traffic associated with non-business-related uses of the Internet.

    f. Internet access of associates through the Polaris network may be subjected to monitoring and review as and when required.

    g. Polaris has/reserves the right to utilise software that makes it possible to identify and block access to Internet sites containing sexually explicit or other material deemed inappropriate in the workplace. Attempts made to bypass such controls would be considered violations of security policy.

    6.2 E-mail Usage

    a. Polaris has installed an e-mail system (Lotus Notes) to facilitate better communication between associates within the organisation and with business partners. Polaris maintains its e-mail system solely for conducting its business. Associates should remember that information and messages stored in these systems will be treated in the same manner as work-related information and messages. Hence associates should not assume privacy of the mails being sent.

      - Polaris has a right to review e-mail boxes.
      - E-mail messages should be considered to be the same as formal, written organization memoranda.
      - A Common Mail ID shall be created and used for the purpose of receiving and sending business mails.
      - All mails need to be stored within a structured filing system, like paper documents, and should not be deleted.
      - Polaris may disclose contents of e-mail either internally or, where necessary, to external parties without the associate's permission.
      - Associates are not permitted to read another associate's e-mail without that individual's permission. However, support personnel are granted reasonable license to examine incorrectly addressed mail in the "dead mails" database.

    b. Associates shall not:

      - Transmit or store offensive material.
      - Transmit information sensitive in nature to unauthorized people, or to authorized people without appropriate security.
      - Compromise the security of information contained on Polaris systems.
      - Use the e-mail system to create, send, receive, or store any materials that infringe the copyright or other intellectual property right of either Polaris or any third party.
      - Send fraudulent, harassing or obscene messages and / or materials.
      - Use the e-mail for purposes that could reasonably be expected to directly or indirectly cause strain on any computing facilities, or interference with others' use of the e-mail system (e.g. attaching or sending large files to multiple recipients, mail bombing and sending or forwarding chain mails).

    7.0 Security of Information Systems Assets

    Information Systems Assets should be physically protected from security threats and environmental hazards. Protection is necessary to reduce the risk of unauthorized access to information and to protect against loss or damage. Information Systems Assets include computer hardware and software, databases, communication equipment, operating documentation, etc.

    7.1 Mobile Computing Assets

    Associates who are entrusted with laptops and other portable information systems of Polaris should be aware of the following guidelines:

    a. Associates who use laptops connected to the office network shall maintain the business information on their respective corporate common storage areas.

    b. Associates shall ensure that Confidential and Private & Confidential information is stored on laptops based on business need only. Internal auditors shall carry out audits at regular intervals, and any deviation found during audits shall be treated as a violation of security policy.

    c. Associates shall ensure that business information created or modified while on tour is backed up from laptops to their respective Lotus Notes file cabinets at regular intervals.

    d. Associates shall ensure that laptops are physically secured at all times. When they are not secured by the physical presence of the associates, they should be left in a secure area.

    e. Associates shall ensure that laptops are not checked in as luggage while travelling. A laptop should always be hand carried in a briefcase or a laptop carrying case.

    f. Associates shall ensure that laptops are never left unattended in cars or at airports.

    g. Associates who travel with a laptop or other PSL equipment or information, including briefcases, shall be cautious and keep the items with them at all times.

    h. Associates should not leave laptops in hotel rooms. The hotel should be asked whether they could secure the laptop; else the laptop should be locked inside luggage and kept out of sight. If the laptop has a removable hard drive, it should be removed and secured in another location.

    i. Associates should not add Zip drives and Tape Backups to laptops unless authorized by the business unit manager.

    j. IT shall ensure that laptops have sufficient identification information to enable gate security personnel to identify the laptop as the property of Polaris.

    k. Confidential and Private & Confidential information stored on laptops shall be encrypted.

    7.2 Computer Media Handling and Security

    Associates should be aware of the following operating procedures to protect computer media (tapes, disks, cassettes) and input / output data from damage, theft and unauthorized access:

    a. All associates shall ensure that all media, including paper and digital media, are stored in a secure manner. This includes physical security to prevent theft, and environmental control to prevent media degradation.

    b. The respective Information owner shall give authorization prior to any computer media leaving the organization's facilities.

    c. Information owners shall ensure that media containing sensitive corporate information are accounted for with an audit log. If the media's content is no longer required, it should be erased prior to removal from site.

    d. All associates shall ensure that information with the classification of Confidential or Private & Confidential is shredded or incinerated after the expiry of the retention time.

    7.3 Clear Desk and Clear Screen Policy

    A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be followed in order to reduce the risks of unauthorized access, loss of and damage to information during and outside normal working hours.

    a. Where appropriate, paper and computer media should be stored in suitable locked cabinets and / or other forms of security furniture when not in use, especially outside working hours.

    b. Private & Confidential and Confidential information should be locked away (ideally in a fire-resistant safe or cabinet) when not required, especially when the office is vacated.

    c. Personal computers and computer terminals and printers should not be left logged on when unattended and should be protected by key locks, passwords or screen savers when not in use.

    d. Incoming and outgoing mail points and unattended fax and telex machines should be protected.

    e. Private & Confidential and Confidential information, when printed, should be cleared from printers immediately.

    7.4 Protection of Personal Information

    Personal information, which is received by Polaris or which can become known by Polaris in connection with the business, and which emanates either from the client, the client's customers, or any other informant.

    Personal information includes information concerning individuals such as name, age, birth date, gender, address, phone number, mail address, place of employment, credit card number, and information by which the individual can be identified through one item or a combination of two or more of the items described above.

    Associates shall, at the minimum, comply with the following controls:

    - Personal Information may not be reproduced, copied or recorded except as necessary to conduct the business.
    - Upon closure of a Project, in accordance with the instructions of the client, return, delete or destroy any component including the Personal Information in any form.

    8.0 Security Violations & Disciplinary Action

    a. Acts constituting security violations include but are not limited to the following:

      - Non-compliance with the requirements of Information Security policies.
      - Exposing Polaris to actual or potential monetary loss through the compromise of security.
      - Disclosure of confidential Polaris information or unauthorized use of the same.
      - Usage of hardware, software or information for unauthorized or illegal purposes, which may include violation of any law, regulation or reporting requirements of any law enforcement or government body.
      - Trying to circumvent any Information Security control policies / procedures / controls put in place by Polaris.

    b. Associates should promptly bring to the notice of the IT help desk / Admin / Reporting Manager any violation or suspected violation of information security at Polaris.

    Associates will be subject to investigation and disciplinary action, as per the disciplinary procedures of the organisation, if they are found breaching the information security guidelines of Polaris.

    9.0 Reporting Computer Incidents

    Associates should report any suspected or actual computer incidents immediately to the respective local IT support team. For incidents other than computer incidents, associates should report to the respective local Administration department.

    Examples of Incident Category:

    Technical                                  Non-Technical
    IP Spoofing                                Theft
    Mail Spoofing                              Physical Damage
    Virus/Trojan/Worm Attack                   Piggybacking
    Web Defacement                             Impersonation
    Password Attack                            Social Engineering
    Sniffing                                   Fraud
    DOS/DDOS Attack
    SQL Injection
    Man-in-the-Middle Attack
    DNS Attack
    Ping Attack
    Mail SPAM/Junk Mails
    Software Piracy
    Software theft/unauthorized access

    The associate should provide the following while reporting an incident:

    - Associate Name
    - Date & Time
    - Details of the affected Machine (e.g. Hostname, etc.)
    - Function (e.g. desktop, server, etc.)
    - Attack Source (internal / external, if known)
    - Any other relevant detail.