PayU Finance Security Policy
Introduction
PayU Finance India Private Limited (“PayUFin”) shall implement adequate security policies, procedures, and controls to protect the confidentiality, maintain the integrity, and ensure the availability of information stored, processed and transmitted through its information systems. This Information Security Policy is a key component of the overall information security management framework and should be read alongside more detailed, organization-specific information security documentation, including system-level security policies, security guidance, protocols and procedures. Implementation of this policy will ensure adequate information security for our personnel. PayUFin adheres to all policies and procedures approved by the board of PayU Credit and is ISO 27001:2013 certified by BSI (British Standards Institution).
Objective
The objective of this policy is to protect PayUFin's information resources from accidental or intentional unauthorized access, modification or damage, whether from internal or external threats, by enforcing appropriate controls with the following objectives:
To ensure confidentiality, integrity and availability of information assets.
To ensure business continuity both in service production facilities and business in general.
To continuously analyze and identify information security risks relating to identified assets.
To maintain compliance with, and certification to, the ISO 27001:2013 standard.
To ensure that all members of staff have information security awareness.
Purpose
The purpose of this document is to protect the organisation from threats such as the unauthorized disclosure, disruption, loss, access, use, or modification of the organisation's information and its assets. This policy also aims to uphold the three principles of information security, i.e. Confidentiality, Integrity and Availability.
Scope
The scope of the PayUFin ISMS and the security policy contained in this document has been established to cover information, data and information systems such as software, hardware, firmware, storage and transmission media, information in physical and electronic form, and computer networks used by PayUFin. The Information Security Management System is applicable to PayUFin. This security policy applies to personnel who access PayUFin information or use PayUFin information systems. Personnel are defined as all employees, contractors, sub-contractors and onsite third-party vendors accessing PayUFin resources. The scope includes all interested parties (internal and external) defined in the ISMS Roles and Responsibilities document. The scope of this ISMS helps us to identify the common internal and external issues pertaining to information security.
Responsibilities
It is the responsibility of the following teams/functions to implement and maintain the controls defined in this policy.
Information Security Team
Information Technology Team
Department Heads
Team Leaders
Employees
Third Parties
Policy
This document represents the official mandate from PayUFin to its users of information and information assets, so as to ensure the confidentiality, integrity, and availability of information assets in line with the compliance requirements of regulatory agencies and relevant legal requirements. The following are the policy statements for the individual domains:
Organization of Information Security
Information security for the organization shall be in place to ensure the security of its systems on an ongoing basis and to support and sustain the PayUFin business vision. It provides a process and framework for assessing risk within and outside the organization and for keeping security levels up to date.
Human Resource Security
This includes security responsibilities in job definitions and contracts, monitoring during employment as well as at its termination, user training, and responding to security incidents and malfunctions of information assets. This policy also aims to eliminate the possible causes of human error, theft, fraud, and misuse of facilities and assets.
Asset Management
All assets associated with information and information processing facilities shall be identified and documented to indicate the ownership and importance, and shall be classified, used and protected in accordance with criticality and sensitivity.
Access Control
Access to information shall be controlled in order to prevent unauthorized access while providing access to authorized users. Access control will be applied on a need-to-know basis, depending upon roles and responsibilities.
Physical and Environmental Security
The organization shall protect and minimize disruptions to office premises and equipment (IT and non-IT) from physical and environmental threats like theft, vandalism, natural disaster, man-made catastrophes and accidental damage which may lead to disruption of business operations.
Operations Security
Responsibilities and procedures for the management of the information systems’ environment shall be established to avoid the occurrence of security incidents, operational errors or unauthorized access to information, by protecting against data loss, malware attacks and the exploitation of technical vulnerabilities.
Communications Security
There shall be network security controls implemented for internal or external networks in order to protect business information from unauthorized access and enable effective usage of various networking, communications and computing facilities.
Incident Management
Information security events and behaviour associated with information and/or systems shall be reported and responded to appropriately, to minimise the damage caused by incidents.
Change Management
The scope of change management includes all operating systems and applications in distributed systems environments. It applies to a wide range of change efforts, from the introduction of a new product or system with broad external and/or internal impacts, to a simple modification of an internal program with little or no visibility. Every change affecting activities, regardless of scope, must be integrated into the production environment in a systematic and controlled manner.
Acceptable Usage
Guidance shall be available to all staff on the acceptable and appropriate use of information assets. It also helps to prevent data breaches that may occur through inappropriate use of the organization's assets.
Cryptography
The organisation shall ensure the proper and effective use of cryptographic controls to protect the confidentiality, authenticity and/or integrity of information. These controls include encryption, digital signatures, SSL and HTTPS communication, and proprietary compression.
Backup and Restoration
The organisation shall maintain backup and media security as per business requirements. Data backups shall be taken incrementally and at regular intervals, as business requirements dictate. Periodic restoration and testing of such data should be performed.
Supplier relationship
The organisation shall require suppliers (outsourcing vendors, agents, third parties) who have access to information to maintain due confidentiality and to adopt such security procedures as advised by the organisation from time to time. Suppliers’ access to assets shall be restricted to the information they require to complete the contracted work.
Systems Acquisition and Development
Appropriate security controls shall be defined for all new information systems and for enhancements to existing information systems. The Information Security Team shall be involved in the relevant stages of the System Development Life Cycle (SDLC) to ensure that security control requirements are defined and adhered to for new information systems and for enhancements to existing ones.
E-waste Management
The lifecycle of all IT assets spanning from acquisition to disposal shall be managed in a manner which conforms to sound environmental norms.
Business Continuity Management
Adequate processes shall be in place to develop, maintain and test the plan for business continuity management to ensure availability of the organisation’s services.
Compliance
All relevant statutory and regulatory requirements with which the organisation has to comply shall be explicitly defined, documented, and kept up to date. All relevant information security requirements shall be incorporated in contractual documents. Privacy and protection of personally identifiable information shall be ensured as per relevant laws and regulations.
Information Security in Project Management
The organisation shall devise controls to embed information security and privacy in the Project Management Life Cycle. Information security controls shall be taken into consideration for all of the organisation’s projects, to achieve confidentiality, integrity and availability of information and resources during and after the project.
Information Security Risk Management
A risk management framework shall be established to manage the overall security exposure of the organisation. Risk assessment helps the organisation to identify gaps and to put controls in place to avoid data breaches.