Future Generali 1 INFORMATION AND CYBER SECURITY V1.1
Revision History

Version 1.0
  Rollout Date: 14-07-2017
  Location of change: Mumbai
  Changed by: Original
  Reviewed by: CISO
  Approved by: Information Steering Committee
  Description of revision: Original

Version 1.1
  Rollout Date: 25.04.2018
  Location of change: Thane
  Changed by: Samir Kolwalkar
  Reviewed by: CISO
  Approved by: The Board
  Description of revision:
  - References added as per observation provided by Cyber Security Audit
  - Added Annexure for approval from the Board
Definitions & Abbreviations

IT: Information Technology
FG Non-Life: Future Generali Non-Life Company
Cyber-attack: Any type of offensive maneuver employed by an individual / attacker / anonymous party that targets computer information systems, infrastructure, computer networks and/or personal computer devices, and that steals, alters or destroys information by means of a malicious act or makes the systems unreachable / inaccessible.
Information assets: Computer hardware, discs, e-mail, web and application servers, computer systems, application software, etc., including:
- System software: operating systems, database management systems, backup and restore software, communications protocols, and so forth.
- Application software: used by the various departments within the company, including custom-written software applications, products and software packages.
- Communications network hardware and software: routers, routing tables, modems, multiplexers, switches, firewalls, private lines and associated network management software and tools.
- Documents developed (physical or electronic) for business in any form.
Users: All employees and contractors who use the computer systems, networks and information resources as business partners, and individuals who are granted access to the network for the business purposes of the company.
Vendor & Service Providers: Suppliers who supplied a product or are responsible for providing a service
DRP: Disaster Recovery Plan
IRDAI: Insurance Regulatory and Development Authority of India
Third-party: Vendors, consultants and business partners doing business with the company, and other partners that have a need to exchange information with the company
Endpoint: Company-provided desktops, laptops and tablets
ISC: Information Security Committee
CISO: Chief Information Security Officer
1. INTRODUCTION

The Confidentiality, Integrity, Availability and Privacy of information are of great importance to the Company and its operation. Failure in any of these areas can result in disruption to services and loss of confidence among our customers. Cyber-attacks and cyber-crimes are becoming more and more common, and sensitive information is being stolen at a much faster rate. Cyber-attacks may impact the Company's operations significantly or may damage its reputation on account of leakage of sensitive information. The security of our information assets is therefore regarded as fundamental to the success of the business.
2. OBJECTIVE

The purpose of this policy is to state the intention and commitment towards protecting and safeguarding customers' interests through the adoption of the right processes and technology by employees. This is a formal, high-level document describing the objective, basic principles and requirements of Information Security at FG Non-Life. This policy document contains an extract from the Security Policies along with a brief description of the various policies and processes set in the organization, to provide a high-level understanding of security requirements and commitments. The policy objectives are achieved through the implementation of the Information Security Policy, which includes security standards, procedures and guidelines developed in accordance with ISO 27001, sector best practices, the Cyber Security Guidelines of IRDAI and other Company Policies.
3. SCOPE & APPLICABILITY

The policy provides the minimum standards for IT Risk and Information Security for Future Generali Non-Life offices, IT operations, computer systems, information assets, employees, contractors, temporary staff, vendors and suppliers.
4. STATEMENT

The management of FG Non-Life is committed to the development, implementation and continual improvement of Information Security practices, for which the following shall be done:
- The Management has established the Information Security policy
- The Management provides adequate support through the involvement of the Senior Management team
- Appointment of individuals who are suitably qualified and experienced, with specific expertise as required to perform a designated role
- Provide direction and support to the individuals contributing to the effectiveness of the security program
- Encourage continual improvement through the actions resulting from periodic monitoring and measurement, including internal and external audits
- Identify and sponsor the requirement of resources through the management review meetings and take the necessary actions

Management Principles:
FG Non-Life has identified the following Management Principles to govern the Security Program.

Need-to-Know and Need-to-Do Basis: All information will be shared, viewed, entered and used by all stakeholders only on the basis of the principles of Need-to-Do and Need-to-Know.

Segregation of Duties: At no point in time will any activity on information assets be permitted, by design, to specific roles or persons where this would result in a conflict of interests.
Individual Accountability: The modern world is driven by technology; a significant level of information processing power and capability resides with individuals, and the Company empowers them further to carry out business transactions effectively. While FG Non-Life shall provide the necessary infrastructure, directions, guidelines, policies, procedures, instructions and formal or informal training, it is the responsibility of each individual to abide by them. Individuals will be held accountable for actions performed by them outside the permissible organizational framework.

Principle of Proportionality: Organizational stakeholders shall have different levels of authority, responsibility and accountability, and correspondingly different information access and information rights. Information processing capabilities will follow the principle of proportionality in the management of systems. In case of any default, security breach or system misuse, whether intentional or unintentional, individual liabilities and responsibilities will be decided on the principle of proportionality.

Adherence to the Law of the Land: FG Non-Life operates in diverse geographies within India. FG Non-Life recognizes the supremacy of the law of the land in which it operates. Information collection, processing, transmission, storage and any other system of information management form part of this legal framework. FG Non-Life shall take all necessary steps to ensure that it adheres to the law of the land at all times.
Security Goal: FG Non-Life is committed to safeguarding the confidentiality, integrity and availability of all information assets of the company to ensure that regulatory, operational and contractual requirements are fulfilled.
- Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities or processes.
- Integrity: The property of safeguarding the accuracy and completeness of assets.
- Availability: The property of being accessible and usable upon demand by an authorized entity.

The overall goals for information security at FG Non-Life are:
- Ensure compliance with current laws, regulations and guidelines
- Comply with requirements for confidentiality, integrity and availability for employees, customers and interested parties
- Establish controls for protecting FG Non-Life's information and information systems against theft, abuse, cyber-attacks, disruption and other forms of harm and loss
- Motivate employees and interested parties to maintain responsibility for, ownership of and knowledge about information security, to minimize the risk of security incidents
- Ensure that external service providers comply with FG Non-Life's information security needs and requirements
- Ensure flexibility and an acceptable level of security for accessing information systems outside FG Non-Life premises
- Data Privacy Protection: personal and health information of individuals is not made available or disclosed to unauthorized individuals
Organizational Roles, Responsibilities and Authorities:
The Company has a well-defined structure and allocation of roles and responsibilities to provide the leadership, guidance and governance required for accomplishing the Security Program. The Board shall be responsible for the overall framework for the information and cyber security policy and strategy and for the information and cyber security assurance program. The Information Security Committee (ISC) has been formed by a senior-level executive with a reporting line to the Board, to take overall responsibility for the information security governance framework. Members of the ISC include functional heads from Operations, Information Technology, Legal, Compliance, Finance, HR, Enterprise Risk Management and Internal Audit. The roles and responsibilities of the ISC have been defined and documented.

Governance Structure (top to bottom):
- Information Security Committee
- Chief Information Security Officer
- Information Security Administrator (Administration and Implementation)
- Users
The CISO is responsible for articulating the Information and Cyber Security policy for the Organization and for providing the necessary advice and support in the implementation of Information and Cyber Security policies. The CISO shall be responsible for proposing the policy to the ISC. Each Functional head and Business head shall be responsible for implementing the Security policy within their areas of responsibility and for ensuring the adherence of their staff to the policy.

The Company has identified the following interested parties and their needs and expectations:

External Parties
- Insurance Regulatory Body (IRDA): 1. Adherence to statutory and regulatory requirements
- Financial institutions (Banks, Payment Gateways): 1. Adherence to Agreements / Contractual Requirements; 2. Adherence to delivery commitment
- External customers: 1. Adherence to delivery commitment; 2. Adherence to Data Privacy and Data Security
- Outsourced vendors and Partners: 1. Adherence to Service delivery commitments; 2. Adherence to Agreements / Contractual Requirements

Internal Parties
- Human Resources / Human Capital: 1. Continuity of employment; 2. Motivated work culture; 3. Drive for good governance; 4. Opportunities for advancement
- Finance: 1. Approval for security initiatives; 2. Adherence to payment terms and conditions
- Procurement: 1. Identify and select vendors at the best rate; 2. Adherence to delivery commitment; 3. Identify terms and conditions
- Learning & Development: 1. Prepare training modules and disseminate them
- Risk Management: 1. Establish the link between IT risks and Enterprise Risk; 2. Establish the link between the IT DRP and Business Continuity
- Internal Audit: 1. Check adherence to set processes and policies
- Administration: 1. Providing safe working conditions and a well-equipped office infrastructure with security controls
- Legal & Compliance: 1. Adherence to statutory and regulatory requirements

It must be ensured that business information, inclusive of the computing systems, is protected from inappropriate access, disclosure or modification. Information, as an asset, should be protected just as any other company asset; therefore, to safeguard its value, FG Non-Life through this policy mandates that its employees go through the Policy documents and understand, accept and practice the rules and regulations that have been defined. It is the Company's policy to:
- Ensure that information is accessible only to those authorized to have access
- Safeguard the accuracy and completeness of information and processing methods
- Ensure that authorized users have access to information and associated assets when required
- Identify organizational assets and define appropriate protection and responsibilities
- Establish and maintain formal, documented procedures for performing information risk assessments
- Update the IT infrastructure with supported, tested and reasonably latest OS and database patches, including security patches and upgrade patches
- Ensure that the information it manages is secured to protect against the consequences of breaches of confidentiality, failures of integrity or interruptions to the availability of that information
- Define an information classification scheme describing classes and how information of a particular class should be managed (stored, accessed, transmitted, shared and disposed of)
- Meet all information security requirements under appropriate regulations, legislation, organization policies and contractual obligations
- Develop Business Continuity, Cyber Crisis Management and Incident Response plans for IT and business processes, which shall be maintained and tested on a regular basis
- Ensure that the Confidentiality, Integrity and Availability requirements of all business systems are met by vendors and third-party staff working on behalf of the organization
- Promote this policy and raise awareness of information security
- Provide appropriate information security training for our staff and third-party contractors
- Connect only authorized devices; authorized devices include PCs and workstations owned by the company that comply with the configuration guidelines of the company
- Ensure a secure method of connectivity between the company and all third-party companies and other entities required to electronically exchange information with the company for approved business purposes
- System administrators, network administrators and security administrators will have full access to host systems, routers, switches, firewalls and other security devices as required to fulfil their respective duties
- Retain the right to inspect any data stored on computer systems or telecommunication systems, or transmitted or received via the Company's networks, in the course of investigating security incidents or safeguarding against security threats
- Treat computer networks and systems outside the Company as insecure
- Consider security during the design of any IT component and application deployment
- Identify and implement adequate controls to secure Endpoints against prevailing threats
- Establish a suitable data backup and retention policy
- Prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities
- Identify and manage information security requirements and associated processes for information systems projects
- Establish logging and monitoring capabilities to detect security events in a timely manner
- Perform formal checks through the Internal Audit program

User Responsibilities:
This section establishes a high-level usage policy for the computer systems, networks and information resources.
Acceptable Use:
The Company has defined an Acceptable Usage policy. User accounts on company computer systems are to be used only for the business of the company and not for personal activities. Unauthorized use of the system may be in violation of the law, constitutes theft and can be punishable by law. Therefore, unauthorized use of the company computing systems and facilities may constitute grounds for either civil or criminal prosecution. Users are personally responsible for protecting all confidential information used and/or stored in their accounts. Users are prohibited from making unauthorized copies of such confidential information and/or distributing it to unauthorized persons outside the company. Users shall not engage in activity with the intent to: harass other users; degrade the performance of the system; divert system resources to their own use; or gain access to company systems for which they do not have authorization. Users will be responsible for all transactions occurring during logon sessions initiated by use of the User's password and ID. Users shall not log on to a computer and then allow another individual to use the computer or otherwise share access to the computer systems. Users shall not attach unauthorized devices to their computers unless they have specific authorization. Users shall not download unauthorized software onto their computers. Users are required to report any weaknesses in the company computer security, and any incidents of misuse or violation of security policy, to their immediate supervisor / IT Security / IT Helpdesk.
Use of the Internet:
The company will provide Internet access to users for business-related purposes such as obtaining useful business information on relevant technical and business topics. The Internet service shall not be used for transmitting, retrieving or storing any communications of a discriminatory or harassing nature, or which are derogatory to any individual or group, obscene or pornographic, or defamatory or threatening in nature; for chain letters; or for any other purpose which is illegal or for personal gain.

Monitoring Use of Computer Systems:
The company has the right to monitor electronic information created and/or communicated by users using the company's computer systems and networks, including e-mail messages and usage of the Internet. Users should be aware that the company may monitor usage, including, but not limited to, patterns of usage of the Internet, and electronic files and messages, to the extent necessary to ensure that the Internet and other electronic communications are being used in compliance with the law and with company policy.

Access Control:
A fundamental component of the Security Policy is controlling access to the critical information assets that require protection from unauthorized disclosure or modification. Access controls exist at various layers of the system, including the network. Access control is implemented by logon ID and password. At the application and database level, other access control methods shall be implemented to further restrict access. Employee login accounts shall be deactivated as soon as possible upon employee termination or exit.

Exception Management:
The ISC shall review and approve exceptions to the Information Security Policy. Any significant risk shall be reported to the Board. Operational-level exceptions can be approved by the respective Business owner in consultation with the CISO. If the requirement differs from the guideline due to applicable laws and regulations, the exception shall be reviewed and approved by the Board.

Security Incident Handling Procedures:
This policy provides guidelines and procedures for handling security incidents. The term security incident is defined as any irregular or adverse event that threatens the security, integrity or availability of the information resources on any part of the company network. Employees who believe their terminal or computer systems have been subjected to a security incident, or have otherwise been improperly accessed or used, should report the situation to IT Security / IT Helpdesk / Supervisor immediately. Adherence to this policy will help to protect the Company, Employees and Customers from information security threats, whether internal or external, deliberate or accidental. We at FG Non-Life are committed to good information security practices for our stakeholders, employees and customers. It is recognized that detailed policies and procedures are required, and the Company is committed to implementing these in full.
Communication:
The Information Security policy shall be communicated to all Users of the company.

Compliance:
Compliance with the Security Policies and Guidelines is mandatory. All users of the information technology resources of the Company must ensure that they understand the policies and guidelines and comply with them.

Disciplinary Action:
Every user of FG Non-Life's information systems shall comply with the information security policies. The company takes the issue of security seriously. Violation of policy and of relevant security requirements will therefore constitute a breach of trust between the user and FG Non-Life and may have consequences for employment or contractual relationships. The specific discipline imposed will be determined on a case-by-case basis, taking into consideration the nature and severity of the violation of the Security Policy, prior violation history, regulations, laws and all other relevant information. The Company may refer the information to law enforcement agencies and/or prosecutors for consideration as to whether criminal charges should be filed against the alleged violator(s).

Review:
The Information Security policies shall be reviewed every 12 months, or sooner as necessary, by the CISO to ensure that they remain up to date in the light of relevant legislation, organizational procedures or contractual obligations.
References:
- ISMS Manual
- IT Security Policy
- IT Compliance Management Policy
- Network Security Policy

Annexure I: Approval from The Board