Information Transfer Policy
Details
Date | Version | Status | Information Classification | Document Template ID | Document No |
---|---|---|---|---|---|
08-01-2020 | 1.4 | Approved | Internal | AMS DOC | AMS-SP-06 |
Revision History
Date | Version | Description | Author | Reviewed by | Approved by | Approved date |
---|---|---|---|---|---|---|
17-05-2015 | 1.0 | Initial Version | Praveen | Premanand | Premanand | |
24-03-2016 | 1.1 | Reviewed and no change required | ||||
31-07-2017 | 1.1 | Reviewed and no change required | ||||
10-08-2017 | 1.2 | Replaced shall with will | ||||
25-03-2019 | 1.3 | Reviewed and no change required | Praveen | |||
24-12-2019 | 1.4 | Changes made as per the standard Document | Usha | Shaila | Suresh Kumar B V | 08-01-2020 |
Acronym | Expanded Form |
---|---|
Purpose
To protect the transfer of information belonging to ASL and its customers through the use of all types of communication facilities.
ISO27001 Control Reference
A.13.2.1 Information transfer policies and procedures
A.13.2.2 Agreements on information transfer
A.13.2.3 Electronic messaging
A.13.2.4 Confidentiality or non-disclosure agreements
Applicability
This policy applies to any confidential/restricted information that is exchanged through electronic mail, voice, facsimile and video.
Transferred information will be protected from interception, copying, modification, misrouting and destruction. (Ref: Network control policy and communication security process)
Methods are applied for detecting and protecting against malicious code that may be transmitted through the use of electronic communications.
Sensitive electronic information communicated in the form of an attachment is protected.
Controls and restrictions are associated with the sending and forwarding of emails to external email addresses.
A guideline for the Acceptable Use of electronic communication facilities is formulated. (Ref: Acceptable Usage policy)
Procedures for wireless communications (handheld communication devices such as smartphones) take into account the particular risks involved.
Cryptographic techniques are used to protect the confidentiality, integrity and authenticity of information wherever possible.
Employees, contractors and any other users are responsible for not compromising the organization, e.g. through defamation, harassment, impersonation, forwarding of chain letters or unauthorized purchasing.
Retention and disposal guidelines apply to all business correspondence, including messages, in accordance with the applicable rules and regulations of the Republic of India and of other countries with direct business relations (e.g., Malaysia).
Sensitive or critical information is not left on printing facilities, e.g. copiers, printers and facsimile machines, as these may be accessed by unauthorized personnel.
Software downloads from the internet are restricted.
The Acceptable Usage policy for assets will be applied consistently with this policy.
Agreements on information transfer
Agreements are established for the exchange of information and software (e.g., Tender wizard, Auction wizard and/or other developed applications) between external parties and ASL.
Prior to transferring information with an external organization, a formal and appropriate SLA with an adequate level of security controls shall be defined. This agreement shall cover, but not be limited to:
Management responsibilities
Manual and electronic exchanges
Sensitivity of the critical information being exchanged
Protection requirements
Notification requirements
Packaging and transmission standards
Courier identification
Responsibilities and liabilities
Data and software ownership
Protection responsibilities and measures
Encryption requirements
The following security conditions can also be considered when establishing exchange agreements:
Management responsibilities for controlling and notifying transmission, dispatch and receipt
Procedures for notifying the sender of transmission, dispatch and receipt
Procedures to ensure traceability and non-repudiation
A prescribed minimum technical standard for packaging and transmission (if needed)
Responsibilities and liabilities in the event of information security incidents, such as loss of data
Use of an agreed labeling system for sensitive or critical information, ensuring that the meaning of labels is immediately understood and that information is appropriately protected
Ownership of and responsibilities for data protection, copyright and software license compliance
The security content of any agreement should reflect the sensitivity of the business information involved.
Agreements may be manual or electronic, and may take the form of a formal contract or conditions of employment.
Confidentiality or Non-disclosure agreements
Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information are identified, regularly reviewed and documented.
Confidentiality or non-disclosure agreements address the requirement to protect confidential information using legally enforceable terms and apply to external parties and employees of the organization. Their elements are selected and added in consideration of the type of the other party and its permissible access to, or handling of, confidential information. To identify requirements for confidentiality or non-disclosure agreements, the following are considered:
The information to be protected is defined
Expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely
Actions to be taken when an agreement is terminated
Responsibilities and actions of signatories to avoid unauthorized information disclosure
Ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information
The permitted use of confidential information and the rights of the signatory to use the information
The right to audit and monitor activities that involve confidential information
Process for notification and reporting of unauthorized disclosure or confidential information leakage
Terms for information to be returned or destroyed at agreement cessation
Expected actions to be taken in case of breach of the agreement
Compliance with all applicable laws and regulations for the jurisdiction
Compliance with the organization's information security requirements
The requirements for confidentiality and non-disclosure agreements are reviewed periodically and whenever changes occur that influence these requirements.
Electronic Messaging
ASL has taken the following considerations for electronic messaging:
Protecting messages from unauthorized access, modification or denial of service, commensurate with the classification scheme (Ref: information classification policy). Protections are implemented at the server and gateway levels of information processing systems.
Ensuring correct addressing and transportation of messages.
Reliability and availability of the service.
Legal considerations: wherever applicable, electronic signatures are used for transferring information through electronic media.
The use of external public services such as blogs, instant messaging, social networking or file sharing is prohibited; however, under unavoidable circumstances these media can be used after obtaining senior management approval.
Stringent authentication methods are used to control access from public networks.