Compliance

INFORMATION SECURITY POLICY OVERVIEW

Temple City Technologies has the following specific policies to safeguard information system assets:

1. Acceptable use policy (AUP):

Outlines the constraints an employee must agree to in order to use a corporate computer and/or network

2. Access control policy (ACP):

Outlines access controls to an organization's data and information systems

3. Change management policy:

Refers to the formal process for making changes to IT, software development and security

4. Information security policy:

High-level policy that covers a large number of security controls

5. Incident response (IR) policy:

An organized approach to how the organization will manage and remediate an incident

6. Remote access policy:

Outlines acceptable methods of remotely connecting to internal networks

7. Email/communication policy:

Outlines how employees can use the business's chosen electronic communication channels, such as email, Slack or social media

8. Disaster recovery policy:

Outlines the input of the organization's cybersecurity and IT teams into an overall business continuity plan

9. Business continuity plan (BCP):

Coordinates efforts across the organization and is used in the event of a disaster to restore the business to a working order

10. Data classification policy:

Outlines how your organization classifies its data

11. IT operations and administration policy:

Outlines how all departments and IT work together to meet compliance and security requirements.

12. SaaS and cloud policy:

Provides the organization with clear cloud and SaaS adoption guidelines; this helps mitigate third-party and fourth-party risk

13. Identity access and management (IAM) policy:

Outlines how IT administrators grant the right employees access to systems and applications, and how employees create passwords that comply with security standards

14. Data security policy:

Outlines the technical requirements and acceptable minimum standards for data security to comply with relevant laws and regulations

15. Privacy regulations:

Outlines how the organization complies with government-enforced regulations such as GDPR that are designed to protect customer privacy

16. Personal and mobile devices policy:

Outlines whether employees are allowed to use personal devices to access company infrastructure and how to reduce the risk of exposure from employee-owned assets

PRIVACY POLICY

Temple City Technologies has the following specific policies to safeguard information system assets:

1. Acceptable use policy (AUP):
  1. Only use devices approved by Temple City Technologies (P) Ltd. (TCT) to connect to resources belonging to TCT or its clients
  2. The company email ID is to be used primarily for official use. Some personal use is permitted as long as it does not conflict with any of TCT’s business interests or add strain to server resources
  3. Use of the assets to browse and download from websites with malware content is prohibited and may result in punitive actions
  4. Use of assets should not circumvent any control systems implemented by TCT to log and monitor access to assets
2. Access control policy (ACP):
  1. Users should only use their assigned IDs to access resources needed for carrying out their work
  2. Passwords need to be complex to prevent hacking and need to be changed by the users periodically, as required by the sensitivity of the resource or application accessed
  3. Access credentials such as passwords and biometrics should be encrypted and stored
  4. No user access to any backup data or archives unless requested and provided by TCT Security Management
  5. All work-from-home devices should comply with TCT’s access control policies.
  6. All remote access endpoints would be properly protected using firewalls and malware protection.
  7. All network connections for work-at-home scenarios should be communicated to TCT security management along with the provider and the type of connections
  8. Users should ensure end-to-end encryption for all connections outside the office premises
  9. Users would be responsible for all activities logged using their access credentials
3. Change management policy:
  1. The change management policy applies to all changes related to hardware, operating systems and applications
  2. All user hardware changes (devices like laptops, modems and network assets) need to be communicated to TCT security management and recorded against the user
  3. Application changes are logged separately for individual applications by the project managers and documented as per the guidelines for that application
4. Information security policy:
  1. The infosec policy is based on Information Integrity, Availability and Confidentiality
  2. Users need to familiarize themselves with TCT’s Information Security Policy and guidelines by participating in the Information Security training sessions held periodically at TCT
  3. The information security policy comprises all the individual policies governing the information assets of TCT and its clients
5. Incident response (IR) policy:
  1. If any employee or user identifies a security breach, it needs to be communicated to the immediate supervisor or the TCT security manager, who will document it immediately with relevant details (nature of impact, time)
  2. The incident report has to be completed and archived by the TCT security manager with closing notes
6. Remote access policy:
  1. All remote access endpoints would be properly protected using firewalls and malware protection.
  2. All work-from-home devices should comply with TCT’s access control policies.
  3. All network connections for work-at-home scenarios should be communicated to TCT security management along with the provider and the type of connections
  4. Users should not use access modes not authorized by TCT Security Manager
  5. Users should ensure end-to-end encryption for all connections outside the office premises
  6. Users would be responsible for all activities logged using their access credentials
7. Email/communication policy:
  1. All official communications within TCT or to clients would be from official email IDs assigned to users
  2. Users will not communicate with email IDs not officially belonging to clients or TCT users, except for some personal emails as per the next guideline.
  3. The company email ID is to be used primarily for official use. Some personal use is permitted as long as it does not conflict with any of TCT’s business interests or add strain to server resources
  4. No social media access is permitted for personal use unless it is for research relating to a project at hand
8. Disaster recovery policy:
  1. Refer to the TCT Disaster Recovery policy documentation.
9. Business continuity plan (BCP):
  1. Refer to the TCT Business Continuity policy documentation.
10. Data classification policy:
  1. Data is classified as:
    1. Confidential
    2. Internal
    3. Public
  2. This would be reflected in each application design and would be related to the Business Continuity plan and Data protection
11. SaaS and cloud policy:
  1. Refer to the individual Cloud Policy specific to the application.
12. Identity access and management (IAM) policy:
  1. Refer to the IAM Policy and guideline 2 above.
13. Data security policy:
  1. Refer to the TCT Data Security Policy along with Application specific Data.
14. Privacy regulations:
  Personally identifiable data includes, but is not limited to: email ID, first name and last name, phone number, address.
  1. Temple City Technologies (P) Ltd. (TCT) does not collect or retain personally identifiable data from any of its clients unless the data is made available to TCT by the clients.
  2. The data made available to TCT will not be retained or shared with any third parties, excluding any data that may be part of API request payloads that are consumed as part of the customer application’s workflow.
  3. Wherever possible, personally identifiable data should not be stored in local stores without encryption.
  4. Wherever possible, personally identifiable data should not be part of any reports and download documents.
  5. No hardcopy should be printed out of any document with personally identifiable data without express approval from TCT Security manager.
  6. Report any access violation and suspicious emails (phishing, mails from unknown email IDs and emails with suspicious attachments/links) to TCT Security manager.
15. Personal and mobile devices policy:
  1. No personal or mobile devices are authorized to access information resources of TCT or its clients.