Information Security Policy

This document summarizes the Information Security Policy of OFB Tech Private Limited. The policy aims to ensure confidentiality, integrity and availability of information assets. It outlines various responsibilities for implementing the policy, including the roles of the Information Technology Steering Committee, Chief Information Security Officer and all employees. It also describes key information security principles such as classifying information, complying with regulations, ensuring availability and integrity of information.


OFB Tech Private Limited

Information Security Policy


----------------------------------------------------------------------------
Version-1.0
Aug-2021
Document Control

This document is the property of OFB Tech Private Limited; no one is allowed to reproduce it in part or in full
without the written consent of the CIO/IT Head. Be aware that if you are reading an unstamped hardcopy of this
document, it is to be considered uncontrolled. It is advised that the version of the document in the repository
be matched with the unstamped hardcopy before using it.

Document Release History

Sr. No | Version No. | Release Date | Prepared By   | Reviewed By    | Approved By  | Reasons for New Release
1      | 1.0         | 3 Aug 21     | Sanjeev Kumar | Manish Bhaskar | Bhuvan Gupta | Policy creation
Table of Contents
1. Introduction
2. Objective
3. Scope
4. Information Security Policy Responsibilities
5. Information Security Principles
6. Information Security Organization Structure
7. Information Classification
8. Risk Assessment
9. Security Awareness Program
10. Formal Acknowledgement of Information Security Policies
11. Reporting of Incidents
12. Employee Screening and Background Checks
13. Third Party Services Provider Contractual Requirement
14. Exceptions
15. Policy Violation
16. Policy Review
17. References and Related Documents

1. Introduction

The Information Security Policy defines the process/approach of OFB Tech Private Limited towards establishing
and implementing information security measures, adopting the industry best practices/regulations such as the
ISO 27001 security standard and other relevant laws/regulations.

OFB Tech Private Limited is committed to ensuring the Confidentiality, Integrity, and Availability (CIA) of its
information assets and to providing comprehensive protection against the consequences of confidentiality
breaches, failures of integrity and/or interruptions to their availability. To provide adequate protection for
information assets, OFB Tech Private Limited will implement procedures and controls at all levels to protect
the confidentiality and integrity of information stored and processed on its systems and to ensure that
information is available only to authorized persons as and when required.

2. Objective

We understand the dynamic nature of our business; in response we are committed to continually improving
our processes to uphold information security. The overall objective of OFB Tech Pvt. Ltd. is to ensure
protection of its information systems against unauthorized disclosures, unauthorized changes, and damage
or destruction. The specific information security objectives of OFB Tech Pvt. Ltd. are:
● To identify all information assets that directly or indirectly impact OFB Tech Pvt. Ltd. operations, to
understand their vulnerabilities and the threats that may expose them to risk through appropriate risk
assessment.
● To manage the identified risks to an acceptable level through the design, implementation, and
maintenance of a formal Information Security Management System (ISMS). Management accepts the
identified residual risk based on risk assessment methodology and ensures that the business requirements
are met.
● To comply with applicable laws, regulations and contractual obligations pertaining to information
security and data privacy, for its client data and internal data directly or indirectly impacting the client
data.
● To raise awareness of information security in OFB Tech Pvt. Ltd.
● To implement mechanisms to ensure that all breaches and suspected weaknesses of information security
are reported and investigated, to be followed by adequate remedial action.
● To maintain and continually improve the established Information Security Management System by
monitoring, analyzing and implementing appropriate actions on the findings.
● To establish, test and maintain Business Continuity Plans.

3. Scope

This policy is applicable to all the information assets and locations of OFB Tech Pvt. Ltd. An information asset
is a piece of information, stored and/or processed in any form, which is recognized as having value to the
business.
Examples of information assets are software, physical assets, intangible assets, services, people, or
information assets that are physically or electronically stored, processed and/or transmitted by any of these
assets.

This policy is applicable to all employees and third parties’ staff of OFB Tech Pvt. Ltd. The term ‘third-party
staff’ includes all the employees, agents, consultants, and representatives of all third parties who are, in any
way, accessing, processing, storing, transmitting, modifying, or disposing any of OFB Tech Pvt. Ltd.’s
information assets. The Information Security Policy must be published and disseminated to all relevant
system users (including Vendors, Contractors, and Business partners).

4. Information Security Policy Responsibilities

Following are the responsibilities of roles involved in the implementation of Information security
policy and/or those responsible for overseeing the implementation of this process.

Information Technology Steering Committee (ITSP): The Committee is responsible for approving the
Information Security Policy and sub policies and related procedures including any subsequent modifications to
the same.

Chief Information Security Officer (CISO): The CISO is responsible for ensuring that policies are implemented
and are current and reflect the requirements of OFB Tech Pvt. Ltd. The CISO is also responsible for overseeing
the following:
● Establish, document, and distribute security policies and procedures.
● Monitor and analyze security alerts and information and distribute to appropriate personnel.
● Establish, document, and distribute security incident response and escalation procedures to
ensure timely and effective handling of all situations.

The CISO is responsible for maintaining the ISMS security policy, providing support for its implementation
and communicating both the policy and its importance to interested parties by email, posters and other
awareness methods.

All Employees: It is the responsibility of all employees and third-party staff to read, understand and abide by
this policy and its principles.
5. Information Security Principles

The following information security principles provide overarching governance for the security and
management of information at OFB Tech Pvt. Ltd.

1. Know your information – classify it: Information should be classified according to an appropriate level
of confidentiality, integrity, and availability.

2. Handle and Protect information appropriately: The organization’s information assets shall be protected from
all threats, whether internal or external, deliberate or accidental. Employees with particular responsibilities
for information must ensure the classification of that information; must handle that information in
accordance with its classification level; and must abide by any contractual requirements, policies, procedures
or systems for meeting those responsibilities.

3. Be aware of the regulations and OFB Tech Pvt. Ltd.’s commitments: OFB Tech Pvt. Ltd. should comply
with relevant legislative, regulatory, and contractual requirements of security and privacy defined by its
geographical footprints as well as its customer’s footprints.

4. Promise the availability of information for authorized use: Information should be both secure and
available to those with a legitimate need for access.

5. Protect the confidentiality of information: Access to information should be provided on a need-to-know
basis and periodically assessed for its continued relevance. Confidentiality of data belonging to OFB Tech
Private Limited and its customers and stakeholders is maintained, and controls are in place to prevent
unauthorized disclosure or use.

6. Preserve the integrity of information: Information should be accurate, consistent, and complete
throughout its life cycle. The integrity of data and of data processing operations shall be protected from
unauthorized use, modification, substitution, insertion or deletion.

7. Identify vulnerabilities and plan ahead: Understand the vulnerabilities of information assets and the threats
that may expose them to risk through appropriate risk assessment, and manage those risks to an acceptable
level through a risk mitigation plan. Management accepts the identified residual risk based on the risk
assessment methodology and ensures that the business requirements are met.

8. Be transparent to disclose incidents: All employees are encouraged to report information security incidents,
including breaches of this policy.

9. Security depends on us: Security is everyone’s responsibility and even seemingly harmless behavior, or
small mistakes can have big consequences in today’s dynamic environment.

10. Security awareness is a continuous exercise and should include all stakeholders.

11. Review, Review, Review: Information security provisions and the policies that guide them will be regularly
reviewed using self-reviews, annual internal audits and third-party audits.

12. There is nothing better than best practices: Best practices like ISO 27001 and the NIST Cybersecurity Framework
help us to continually improve our security and privacy posture.

13. Balance functionality and assurance: Strive to achieve balance between security, and functionality and
make security and privacy an enabler for the business.

6. Information Security Organization Structure

The organizational structure at OFB Tech Pvt. Ltd. for information security shall consist of the following roles. For
detailed roles and responsibilities, refer to OFB Tech Pvt. Ltd.’s Security Roles, Responsibilities and Authorities
document.

Information Security Organization Chart:

● Information Technology Steering Committee – It consists of the following:
  - CTO
  - CISO
  - HR Head
  - Operation Head
  - Legal & Finance Head

● Allocation of Information Security Responsibilities

The CISO shall ensure that the information security responsibilities of employees in their functions are
identified, documented, and communicated to them.

● Segregation of Duties (SOD)

Segregation of Duties (SOD) shall be implemented throughout OFB Tech Pvt. Ltd. Conflicting duties and
areas of responsibilities shall be segregated to reduce the opportunity of unauthorized or unintentional
modification.

● Authorization Process for Information Processing Facilities

Access to information processing facilities shall be allowed only after receiving the necessary approvals
from OFB Tech Pvt. Ltd. and after following the defined procedure. No personal computing/storage devices,
such as laptops, USB pen drives, external hard disk drives, data cards, modems, mobile phones used as modems
(GPRS), etc. shall be physically or logically connected to the network or to any information asset of OFB Tech
Pvt. Ltd. prior to authorization.

● Contact with Authorities

Contacts with law enforcement authorities, fire department, emergency services and service providers
shall be maintained by the HR and Admin Department. The contact details of these agencies should be
maintained and displayed at appropriate places that are accessible to users.

● Confidentiality Agreements

Requirements for confidentiality or non-disclosure agreements reflecting the Organization’s need for
protection of information shall be identified and regularly reviewed.

● Contact with Special Interest Groups

Relevant personnel shall maintain appropriate contact with special interest groups and authorized
information security forums for receiving and distributing updates on new vulnerabilities, security and
continuity threats, regulations and/ or risks pertaining to the industry and to the services that are provided
by OFB Tech Pvt. Ltd.
7. Information Classification

Data and information classification is the conscious decision to assign a level of sensitivity to data as it is
being created, amended, enhanced, stored or transmitted. The classification of the data should determine
the extent to which the data needs to be controlled/secured and is also indicative of its value in terms of
Business Assets.
The term Business Assets, for the purpose of the scope of this policy, refers to any information upon which
the organization places a measurable value. By implication, the information is NOT in the public domain and
its loss, theft, corruption or compromise in any way would result in loss, damage or even business collapse.

● Proper access controls and privilege levels are to be set before accessing sensitive information by any
user internally. Media containing sensitive data shall only be distributed to the authorized in-house
employees.
● All applications and network hardware equipment which are accessible to the external parties and which
transmit or deal with sensitive information should be protected by strong access control and
authentication mechanisms.
● Media containing sensitive data must not be handed over to any external entity or third party unless
authorized by the management with proper business justification.

The following provides a summary of the information classification levels that have been adopted by OFB
Tech Pvt. Ltd. and which underpin the 12 principles of information security defined in this policy.

Computer output, regardless of media, which is classified in accordance with this classification scheme will
be marked on the top and bottom of each page and/or on each output screen with the appropriate
classification, except for the General classification, when it is created by the system.
Asset Classification: Definition

Strictly Confidential: Highly sensitive information where unauthorized disclosure could cause exceptional
damage to OFB Tech Private Limited. This classification applies to strategic and sensitive business
information, which is most critical and intended strictly for use within OFB Tech Private Limited. Its
unauthorized disclosure could seriously and adversely impact OFB Tech Private Limited, its stockholders, its
business partners, and/or its customers, leading to legal and financial repercussions and adverse public
opinion. Examples: merger and acquisition plans, business plans, trade secrets, customer data, information
security data, dealer pricing strategy, strategy documents.

Confidential: Its unauthorized disclosure could adversely impact OFB Tech Private Limited, its stockholders,
its business partners, its employees, and/or its customers. Information that some people would consider to
be private is included in this classification. Examples: employee performance evaluations, CTC details,
internal audit reports, short-term marketing plans, analyses of competitive products/services, credit card
data, etc.

Internal: No loss of reputation or embarrassment to OFB Tech Private Limited will result from disclosure, but
OFB Tech Private Limited may suffer inconvenience. In addition, external parties may find this information
useful as a stepping stone to gather more sensitive information. Examples: OFB Tech Financial Services Pvt
Ltd telephone directory, training materials, and manuals.

Public: This classification applies to information which has been explicitly approved by OFB Tech Private
Limited management for release to the public. By definition, there is no such thing as unauthorized
disclosure of this information, and it may be freely disseminated without potential harm. Examples: service
brochures, advertisements, job opening announcements, and published press releases.

For more details, refer to the Asset Management Policy.


8. Risk Assessment

The organization will carry out a Risk Assessment that identifies major strategic developments in the
industry and emerging threats and vulnerabilities to the business and IT assets of the company, identifies
remediation actions and reports these results in a formal risk assessment document. The Risk Assessment will be
carried out annually, or at earlier (quarterly) intervals on the recommendation of the IT Steering Committee or
in view of an increase in business volume and velocity.

Action will be undertaken against these remediation suggestions and an action taken report (ATR) will be
reviewed periodically to ensure effective risk closure.

9. Security Awareness Program

● A formal security awareness program should be implemented to make all employees, management and
stakeholders aware of the Information Technology risks and controls, the importance of Information Security,
and the cyber resilience objectives at OFB Tech Private Limited.

● Provide security awareness to employees upon hire, during induction, and at least annually (for
example, by letters, posters, memos, meetings, and promotions).

10. Formal Acknowledgement of Information Security Policies

The organization should require employees to acknowledge in writing that they have read and understood the
OFB Tech Private Limited security policy and procedures, including NDAs.

Measures for violation of policies and processes will be taken with reference to the NDA (Non-Disclosure
Agreement) and the HR policy.
11. Reporting of Incidents

In case end users observe any unfamiliar activity on their workstation, they shall immediately disconnect the
system from the network by pulling out the LAN cable / disabling the Wi-Fi network and report the incident to the
IT helpdesk or their immediate supervisor. Similarly, all physical security incidents and non-IT security incidents
shall be logged / reported to the CISO.

● Report any unfamiliar activity on servers/desktops/applications by registering a report with the IT Helpdesk
by email ([email protected]/[email protected]) or by verbal communication.
● Report any security incident (non-IT or related to physical security) to the Function Head, the incident
management team or the support team (email: [email protected]/[email protected]).

Incident monitoring aims to manage, support and resolve bugs and requests reported by end users,
suppliers and customers.

Process
Incidents, bugs and requests for new requirements should be raised at [email protected], which is both mail
based and ticketing based. A ticket is automatically created on Redmine. All issues are tracked on Redmine and
closed within the turnaround time (TAT), which is a maximum of 3. All issues are defined by their severity level
and assigned to the people who are responsible for production support.

OFB Tech uses the following severity level definitions to classify all support requests:

1. Immediate (Severity Level 1)

An issue that results in a critical business impact for a Production System. This level may be assigned to
an issue where the end user or customer experiences:
(i) a complete or substantial loss of service when using a Production System;
(ii) real or perceived data loss or data corruption making an essential part of the Production
(iii) the inability to use an application within a Production System.

2. High (Severity Level 2)

An issue that results in a high business impact for a Production System. This level may be assigned to an
issue where the end user or customer experiences:
(i) the functionality of the system is adversely affected, but can be circumvented;
(ii) certain functions within the system are disabled, but the system remains operable;
(iii) a complete or substantial loss of service when using the System.

3. Normal (Severity Level 3)

An issue that results in a medium business impact for a Production System. This level may be assigned to
an issue where the customer experiences:
(i) partial non-critical functionality loss, and the issue has no significant effect on the usability of
the system; or
(ii) a time-sensitive issue important to long-term productivity that is not causing an immediate
work stoppage.

4. Low (Severity Level 4)

An issue that results in a minimal business impact for a Production System. This level may be assigned to
an issue with no impact on the quality, performance, or functionality of the system, or to general
information requests, such as usage and configuration questions.

12. Employee Screening and Background Checks

The current employees and the potential employees in the company would be screened through a defined
procedure to minimize the risk of attacks from internal sources.

13. Third Party Services Provider Contractual Requirement

If confidential information is shared with service providers, then the following is contractually required:
a) Service providers must adhere to the OFB Tech Private Limited compliance requirements.
b) An agreement that includes an acknowledgement that the service provider is responsible for the
security of the information that the provider possesses.

Third-Party Risk Assessment

1. Establishing ownership: Ownership of third-party risk management should be centralized, rather
than dispersed among multiple owners and other stakeholders.
2. Evaluating risks: Third-party relationships should be evaluated in terms of quantified information,
integrity, technology and financial risks.
3. Monitoring: The program should provide for ongoing risk measurement and monitoring,
performance measurement and monitoring, incident tracking, and evaluation of the value received
from each relationship.


14. Exceptions

This policy is intended to be a statement of the information security requirements that need to be met at OFB
Tech Pvt. Ltd. However, exceptions against individual controls in specific policy domains shall be formally
documented, which will include, at minimum, the following:
● Justification for the exception.
● Risk due to the exception.
● The mitigating controls to manage the risk.
● The validity period of the exception; and
● Details of the assets to which the exception is applicable.
The exception request, validation and management shall be carried out as defined, and each exception must be
reviewed by the appropriate level of management and approved by the CISO.
15. Policy Violation

● All employees and third parties are required to comply with the information security policies. Non-
compliance with the information security policies is grounds for disciplinary action.
● Disciplinary procedures as per the Employee Disciplinary Policy shall be invoked to deal with such
non-compliances.

16. Policy Review

This policy (including all sub-policies and provisions) shall be reviewed at the time of any major change(s) in
the existing business environment affecting policies and procedures or at least once every year, whichever is
earlier. This document shall be reviewed by the CISO and approved by the IT Steering Committee. The
reviews shall be carried out for assessing the following:
● Impact on the risk profile due to, but not limited to, changes in information assets, people,
deployed technology/architecture, vendors and strategic partners, and regulatory and/or legal and/or
contractual requirements; and
● The effectiveness of the policies.
As a result of the reviews, additional policies may be issued and/ or existing policies may be updated, as
required. These additions and modifications will be incorporated into the policies. Policies that are identified
as redundant shall be withdrawn.
17. References and Related Documents

● ISO 27001:2013
● ISO 27002:2013
● IT Act 2000 (as amended in 2008)

Supporting policies have been developed to strengthen and reinforce this policy statement. These policies
further mandate the implementation of information security controls and are typically structured to address
the specific processes and procedures of the ISMS. Following are the supporting information security policies
and documents:
1. Information Security Roles, Responsibilities and Authorities.
2. Asset Management Policies and Procedures
3. ISMS Labelling Policy, Information Handling, and Information Classification
4. Backup and Restoration Policy & Procedures
5. Access Control Policy
6. Incident Management Policy
7. Change Management Policy
8. Physical Security Policy
9. Acceptable Usage Policy
10. Mobile Devices Policy
11. Teleworking Policy
12. Cryptography Policy
13. Operational Security Policy
14. Operational Procedure for Processing and Handling of Key Client Organizational Data and Information
15. Network Security Policy
16. Email Policy
17. Capacity Management Policy
18. Password Management Policy
19. SDLC Policy
20. Software Policy
21. Information Security in Project Management
22. Patch Management Policy
23. Employee Disciplinary Policy
24. Human Resources Security Policy
25. Code of Conduct
26. Information Security Awareness, Education and Training Policy
27. Risk Management Policy
28. Data Retention and Disposal policy
29. Media Handling Policy
30. Anti-Virus Policy
31. Business Continuity Policy
32. Logging and Monitoring Policy
33. Vulnerability Management Policy
34. Data Privacy Policy
35. Internal Audit Policy
36. Supplier Relationship Management Policy
37. Vulnerability Management Policy
38. Legal Compliance Policy

All employees and any third parties authorized to access OFB Tech Pvt. Ltd.’s network or computing facilities
are required to familiarize themselves with these supporting documents and to adhere to them in the working
environment. These policies are published together on the company’s share drive or distributed on a need-to-know basis.

---------------------------------------------------End of the document----------------------------------------------------------
