ISMS Policy

1. Purpose
To protect personal data which will have information on living individuals who can be identified from the data.

2. Scope of Applicability
All computing equipment and workstations present within the operational areas.

3. Policy Statement
Id          Policy
03.01    Confidentiality will be maintained on personal data handled.

4. Objectives

  • Production personnel dealing with personal data will not have the facility to store data locally.
  • No laptops or mobile devices are allowed in production bays dealing with personal data.
  • Aggressive production targets are set so that production personnel remain focused on operations and cannot remember any of the data handled.
  • Operations are continuously monitored by supervisors, by software and by video cameras to prevent misuse.
  • Personal data is retained/backed up only as required by the customer.
  • Educates all Softurites so that they understand the importance of privacy protection and handle personal information properly.
  • Takes proper safety management measures by striving to prevent any privacy protection inadequacies such as unauthorized access as well as personal data loss, corruption, falsification and leakage.
  • Exercises adequate supervision so that personal information safety can be properly managed when we outsource the handling of personal information. Signs an NDA with the vendor and with the individual handling employee personal data (for the background verification check).
  • Institutes privacy protection procedures, including the disclosure and correction of personal information.
  • Softura recorded video sessions are stored encrypted and protected from unauthorized access.
  • There is strict audit monitoring of who has access to the session information.
  • Only permitted users that have access to the Softura Web Console can view sessions and search the user activity database.
  • Data are classified as:
    1. Public – Company details made available even outside the Organization. E.g.: Information on the website / LinkedIn.
    2. Internal – Details within the Organization. E.g.: Process documents, lessons learnt, best practices.
    3. Confidential – Information in a project/department. E.g.: Requirements document, test data.
    4. Restricted – Details shared in a small group or on a one-to-one basis. E.g.: Payslip, performance appraisal, etc.
  • SOFTURA strictly protects the personal information of its monitored subjects.
    1. Users who are being recorded can receive a notification that they are being recorded so that they can limit their use of personal applications.
    2. Personal applications can be scoped out of monitoring.
    3. Recording can be restricted to activity logs only: this provides visibility into what users are doing (including search, alert and report) without taking screenshots. For example, it allows one to know that a user accessed their bank account, without any details about the account.
    4. Session review can be restricted to specific roles and users.
    5. Key logging can be configured so that passwords are not recorded. Information is also hashed and cannot be decrypted.

5. Summary of Responsibilities
Any project dealing with personal data, and the HR department.

6. Violation of Policy
Senior management and operations personnel involved in the project dealing with personal data.

7. Reference to Standard
ISO 27001:2013

8. Review and Approval
This policy is approved by, has full support of and is reviewed quarterly by the senior executive management of Softura.

Purpose

To protect personal data which will have information on living individuals who can be identified from the data.

Scope of Applicability

All computing equipment and workstations present within the operational areas.

Policy Statement

Confidentiality, Integrity, and Availability of Information will be ensured by continually implementing appropriate controls based on risk assessments of External and Internal Interested parties, considering business (strategic, operational, and technical), statutory, legal, regulatory, and contractual requirements. Risks will be monitored, and appropriate controls will be implemented and continually improved.

Objectives

  • Production personnel dealing with personal data will not have the facility to store data locally.
  • No laptops or mobile devices are allowed in production bays dealing with personal data.
  • Aggressive production targets are set so that production personnel remain focused on operations and cannot remember any of the data handled.
  • Operations are continuously monitored by supervisors, by software and by video cameras to prevent misuse.
  • Statutory, legal, regulatory, and contractual requirements shall be addressed.
  • Personal data is retained/backed up only as required by the customer.
  • Interruptions to the availability of information shall be minimized through institutionalized business continuity procedures.
  • Educates all Softurites so that they understand the importance of data security and privacy protection and handle personal information properly.
  • Takes proper safety management measures by striving to prevent any privacy protection inadequacies such as unauthorized access as well as personal data loss, corruption, falsification and leakage.
  • Exercises adequate supervision so that personal information safety can be properly managed when we outsource the handling of personal information. Signs an NDA with the vendor and with the individual handling employee personal data (for the background verification check).
  • Risks within the scope of applicability shall be managed based on their exposure.
  • Institutes privacy protection procedures, including the disclosure and correction of personal information.
  • Softura recorded video sessions are stored encrypted and protected from unauthorized access.
  • Information security breaches shall be addressed through the incident management and data privacy breach process.
  • There is strict audit monitoring of who has access to the session information.
  • Data are classified as:
    1. Public – Company details made available even outside the Organization. E.g.: Information on the website / LinkedIn.
    2. Internal – Details within the Organization. E.g.: Process documents, lessons learnt, best practices.
    3. Confidential – Information in a project/department. E.g.: Requirements document, test data.
    4. Private/Sensitive – Details shared in a small group or on a one-to-one basis. E.g.: Payslip, performance appraisal, etc.
  • SOFTURA strictly protects the personal information of its monitored subjects.
    1. Users who are being recorded can receive a notification that they are being recorded so that they can limit their use of personal applications.
    2. Personal applications can be scoped out of monitoring.
    3. Recording can be restricted to activity logs only: this provides visibility into what users are doing (including search, alert, and report) without taking screenshots. For example, it allows one to know that a user accessed their bank account, without any details about the account.
    4. Session review can be restricted to specific roles and users.
    5. Key logging can be configured so that passwords are not recorded. Information is also hashed and cannot be decrypted.

Review and Approval

We may update our Information Security Policy from time to time, consistent with applicable standards and legal, statutory and regulatory requirements. Policy changes are effective immediately after they are posted on our official website. The review and approval authority lies with the CISO and Senior management of Softura.

Continual Improvement

Softura is committed to the continual improvement of our Information Security Management System (ISMS) to ensure its suitability, adequacy, and effectiveness. This commitment is achieved through:

  • Regular Reviews and Audits: Conducting periodic internal audits and management reviews to identify areas for improvement.
  • Risk Assessments: Ongoing risk assessments and treatment plans to address new and emerging threats.
  • Feedback Mechanisms: Collecting and analyzing feedback from employees, customers, and other stakeholders to identify opportunities for enhancement.
  • Corrective and Preventive Actions: Implementing corrective and preventive actions to address nonconformities and prevent their recurrence.
  • Training and Awareness: Providing continuous training and awareness programs to ensure all personnel are knowledgeable about information security practices.
  • Performance Monitoring: Monitoring and measuring the performance of the ISMS against established objectives and metrics.
© 2024 Softura - All Rights Reserved