Compliance Policy

Details

Date | Version | Status | Information Classification | Document Template ID | Document No
---------- | ------- | -------- | -------------------------- | -------------------- | -----------
22-01-2020 | 2.4 | Approved | Internal | AMS DOC | AMS-SP-15

Revision History

Date | Version | Description | Author | Reviewed by | Approved by | Approved date
---------- | ------- | ----------- | ------ | ----------- | ----------- | -------------
28-06-2011 | 1.00 | Initial Version | | | |
09-04-2012 | 1.1 | Cover Page, Document Identification changed from ISMS 15 to IMS-SP-15, Included Standardized Header & Footer | | | |
25-02-2015 | 2.0 | Review as part of ISMS transition | Premanand | Premanand | |
30-03-2016 | 2.1 | Minor Changes done as part of review | | | |
21-07-2017 | 2.2 | Annual Review No Changes | | | |
25-03-2019 | 2.3 | Annual Review No Changes | Ramanujan | | |
08-01-2020 | 2.4 | Revised to be inline with industry best practices | Usha | Shaila | Suresh Kumar | 22-01-2020

Acronym Used

Acronym | Expanded Form
------- | -------------

Purpose

  • The purpose of this framework document is to identify and comply with applicable legal, statutory and regulatory requirements, contractual obligations, intellectual property rights, and the Information Security Policies and Procedures of ASL.

ISO27001 Reference

  • A.18 Compliance

Compliance with Legal and Contractual Requirements

  • Objective: To avoid breaches of any law, statutory, regulatory or contractual obligation, and of any security requirements.

  • ASL will consider all statutory, regulatory, and contractual security requirements during the design, operation, use and management of information systems.

  • Advice on specific legal requirements will be sought from the organization's legal advisors, or suitably qualified legal practitioners.

Identification of Applicable Legislation

  • Relevant statutory, regulatory, and contractual requirements for all information system processing facilities will be documented. Compliance management will be reviewed on an annual basis.

  • The BD/CRM team will review the Information Technology Act 2000 of India and other applicable legislation and will ensure that IT operations comply with the applicable sections of the Information Technology Act. Also, controls will be enforced to prevent violation of the Indian Copyright Act 1957.

  • The Statutory and Regulatory Acts will contain the details of all applicable legislation and the required compliance.

Intellectual Property rights (IPR)

  • ASL will implement appropriate procedures to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products.

  • Every proprietary software application system will have a license agreement, which typically limits the use of the application to specified machines or the creation of backup copies. Also, controls will be enforced to prevent violation of the Indian Copyright Act 1957.

  • ASL will enforce the following controls:

    • Publish a software copyright compliance policy defining the legal usage of software.

    • Acquire software only through known and reputable sources, to ensure that copyright is not violated.

    • Follow standard procedures for the acquisition of software products.

    • Develop awareness among staff of using only legal copies of software. Disciplinary action will be taken against all users breaching these policies.

    • Maintain an asset register and the licenses of software products.

    • Head - IT will maintain proof and evidence of ownership of the software licenses.

    • The CISO team will audit the usage of licenses and the implementation of controls to ensure that the maximum number of licenses permitted is not exceeded.

    • Head - IT will carry out regular checks to ensure that only authorized software and licensed products are installed.

    • Any software for evaluation will be obtained with the approval of Head - IT and the Function Head. The evaluation will be performed as per the evaluation license terms and conditions set forth by the vendor.

    • In-house developed software will display the ownership of such software.

  • The Acceptable Usage Policy details the requirements for end user compliance towards IPR of ASL.

Protection of Organizational Records

  • ASL will protect important records from loss, destruction and falsification in accordance with regulatory, contractual and business requirements.

  • Records will be classified into record types such as accounting records, database records, etc., and will be stored based on their retention period and type of storage media.

  • A retention schedule will be prepared to identify the essential record types and the period for which they will be retained.

  • Records will be destroyed in a safe and secure manner on completion of their retention period.

  • The Procedure for Information Classification and Handling and Procedure for Safeguarding Organizational Records detail the controls to be adopted for securing the records and recording their respective retention timeframe.

Data protection and Privacy of Personal Information

  • All employees are required to comply with ASL's Information Security Policies. Additional data protection controls will be implemented based on specific requirements.

  • Employees having access to Network/Server rooms, Production Servers and other restricted/secure areas/information are required to sign a Privilege Access Agreement at the time of gaining access to such areas.

  • Employees having access to confidential and personal information of employees are required to sign a Privilege Access Agreement at the time of gaining access to such information.

  • The Acceptable Usage Policy details the requirements for the authorized use of information processing facilities at ASL.

Regulation of Cryptographic Controls

  • Cryptographic controls will be used in compliance with all relevant agreements, laws, and regulations.

  • Restrictions on the import and/or export of computer hardware and software for performing or designing cryptographic functions, restrictions on the usage of encryption, and methods of access by countries will be considered when verifying compliance.

Information Security Reviews

  • Objective: To ensure compliance of systems with organizational security policies and standards.

  • The security of information systems will be regularly reviewed.

  • Such reviews will be performed against the appropriate security policies, and the technical platforms and information systems will be audited for compliance with applicable security implementation standards and documented security controls.

Independent review of information security

  • An independent review is necessary to ensure the continuing suitability, adequacy and effectiveness of ASL's approach to managing information security. The review will include assessing opportunities for improvement and the need for changes to the approach to security, including the policy and control objectives. Such a review should be carried out through internal audits or by an external third-party organization specializing in such reviews. Individuals carrying out these reviews will have the appropriate skills and experience. The results of the independent review will be recorded and reported to management, and these records will be maintained. If the independent review identifies inadequacies in the approach to or implementation of information security, e.g. documented objectives and requirements are not met or are not compliant with the direction for information security stated in the information security policies, management will consider corrective actions. The Procedure for Information Security Review and Audit details the controls to be adopted.

Compliance with Security Policy and Standards

  • All employees and third-party users should comply with ASL's Information Security Policies. Managers will ensure that all employees and third-party users within their area of responsibility comply with ASL's Information Security Policies, procedures and standards.

  • The Acceptable Usage Policy details the requirements for end user compliance towards Security Policies and Procedures of ASL.

Technical Compliance Checking

  • Technical compliance checks will be carried out regularly; these involve examination of operational systems to ensure that hardware and software controls have been correctly implemented.

  • Head - IT will be responsible for developing and executing periodic technical compliance checks as per the Procedure for Information Security Review and Audit. The procedure will define the scope and frequency of review for technical compliance of the systems.

  • Technical compliance checks such as penetration tests and vulnerability assessments will be conducted by independent external experts at least once a year.

  • The results of the technical compliance checks are used to detect any vulnerabilities in the systems and to assess the effectiveness of controls in preventing unauthorized access through these vulnerabilities.