INFORMATION AND CYBER SECURITY POLICY V1.1


Future Generali 1 INFORMATION AND CYBER SECURITY V1.1

Revision History

Version 1.0 (rollout date 14-07-2017, location of change: Mumbai): changed by Samir Kolwalkar; reviewed by CISO; approved by Information Steering Committee. Description of revision: Original.

Version 1.1 (rollout date 25.04.2018, location of change: Thane): changed by Samir Kolwalkar; reviewed by CISO; approved by The Board. Description of revision: References added as per observation provided by Cyber Security Audit; Annexure added for approval from the Board.

Definitions & Abbreviations

IT: Information Technology.
FG Non-Life: Future Generali Non-Life Company.
Cyber-attack: Any type of offensive maneuver employed by an individual / attacker / anonymous actor that targets computer information systems, infrastructure, computer networks and/or personal computer devices, and that steals, alters or destroys information by means of a malicious act, or makes the systems unreachable / inaccessible.
Information assets: Computer hardware, discs, email, web and application servers, computer systems, application software, software, etc., including:
- System software: operating systems, database management systems, backup and restore software, communications protocols, and so forth.
- Application software: software used by the various departments within the company, including custom-written software applications, products and software packages.
- Communications network hardware and software: routers, routing tables, modems, multiplexers, switches, firewalls, private lines, and associated network management software and tools.
- Documents developed (physical or electronic) for business, in any form.
Users: All employees and contractors who use the computer systems, networks and information resources as business partners, and individuals who are granted access to the network for the business purposes of the company.
Vendor & Service Providers: Suppliers who supplied a product or are responsible for providing a service.
DRP: Disaster Recovery Plan.
IRDAI: Insurance Regulatory and Development Authority of India.
Third-party: Vendors, consultants and business partners doing business with the company, and other partners that have a need to exchange information with the company.
Endpoint: Company-provided desktops, laptops and tabs.
ISC: Information Security Committee.
CISO: Chief Information Security Officer.

1. INTRODUCTION

The confidentiality, integrity, availability and privacy of information are of great importance to the Company and its operation. Failure in any of these areas can result in disruption to services and loss of confidence of our customers. Cyber-attacks and cyber-crimes are becoming more and more common, and sensitive information is being stolen at a much faster rate. Cyber-attacks may impact the Company's operations significantly or may damage its reputation through leakage of sensitive information. The security of our information assets is therefore regarded as fundamental to the success of the business.

2. OBJECTIVE

The purpose of this policy is to state the intention and commitment towards protecting and safeguarding customers' interests through the adoption of the right processes and technology by employees. This is a formal, high-level document describing the objective, basic principles and requirements for Information Security at FG Non-Life. This policy document contains an extract from the Security Policies along with a brief description of the various policies and processes that are set in the organization, to provide a high-level understanding of security requirements and commitments. The policy objectives are achieved through the implementation of the Information Security Policy, which includes security standards, procedures and guidelines developed in accordance with ISO 27001, sector best practices, the Cyber Security Guidelines of IRDAI and other Company policies.

3. SCOPE & APPLICABILITY

The policy provides the minimum standards for IT risk and information security for Future Generali Non-Life offices, IT operations, computer systems, information assets, employees, contractors, temporary staff, vendors and suppliers.

4. STATEMENT

The management of FG Non-Life is committed to the development, implementation and continual improvement of information security practices, for which the following shall be done:
- The Management has established the Information Security policy.
- The Management provides adequate support through the involvement of the senior management team.
- Appointment of individuals who are suitably qualified and experienced, with the specific expertise required to perform a designated role.
- Provision of direction and support to the individuals contributing to the effectiveness of the security program.
- Encouragement of continual improvement through the actions resulting from periodic monitoring and measurement, including internal and external audits.
- Identification and sponsorship of the resources required, through the management review meetings, and taking the necessary actions.

Management Principles: FG Non-Life has identified the following Management Principles to govern the Security Program.

Need-to-Know and Need-to-Do Basis: All information will be shared, viewed, entered and used by all stakeholders only on the basis of the principle of Need-to-Do and Need-to-Know.

Segregation of Duties: At no point in time will any activity on information assets be permitted, by design, to specific roles or persons where this would result in a conflict of interest.

Individual Accountability: The modern world is driven by technology; a significant level of information processing power and capability resides with individuals, and the Company empowers them further to carry out business transactions effectively. While FG Non-Life shall provide the necessary infrastructure, directions, guidelines, policies, procedures, instructions and formal or informal training, it is the responsibility of each individual to abide by them. Individuals will be held accountable for any actions they perform outside the permissible organizational framework.

Principle of Proportionality: Organizational stakeholders have different levels of authority, responsibility and accountability, and correspondingly different information access and information rights. Information processing capabilities will follow the principle of proportionality in the management of systems. In case of any defaults, security breaches or system misuse, whether intentional or unintentional, individual liabilities and responsibilities will be decided on the principle of proportionality.

Adherence to Law of the Land: FG Non-Life operates in diverse geographies within India and recognizes the supremacy of the law of the land in which it operates. Information collection, processing, transmission, storage and any other system of information management forms part of this legal framework. FG Non-Life shall take all necessary steps to ensure that it adheres to the law of the land at all times.

Security Goal: FG Non-Life is committed to safeguarding the confidentiality, integrity and availability of all information assets of the company, to ensure that regulatory, operational and contractual requirements are fulfilled.

Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities or processes.
Integrity: The property of safeguarding the accuracy and completeness of assets.
Availability: The property of being accessible and usable upon demand by an authorized entity.

The overall goals for information security at FG Non-Life are to:
- Ensure compliance with current laws, regulations and guidelines.
- Comply with requirements for confidentiality, integrity and availability for employees, customers and interested parties.
- Establish controls for protecting FG Non-Life's information and information systems against theft, abuse, cyber-attacks, disruption and other forms of harm and loss.
- Motivate employees and interested parties to maintain responsibility for, ownership of and knowledge about information security, in order to minimize the risk of security incidents.
- Ensure that external service providers comply with FG Non-Life's information security needs and requirements.
- Ensure flexibility and an acceptable level of security for accessing information systems outside FG Non-Life premises.
- Protect data privacy: personal and health information of individuals is not made available or disclosed to unauthorized individuals.

Organizational Roles, Responsibilities and Authorities: The Company has a well-defined structure and allocation of roles and responsibilities to provide the leadership, guidance and governance required for accomplishing the Security Program. The Board shall be responsible for the overall framework for the information and cyber security policy and strategy, and for the information and cyber security assurance program. The Information Security Committee (ISC) has been formed by a senior-level executive with a reporting line to the Board, to take overall responsibility for the information security governance framework. Members of the ISC include functional heads from Operations, Information Technology, Legal, Compliance, Finance, HR, Enterprise Risk Management and Internal Audit. The roles and responsibilities of the ISC have been defined and documented.

Governance Structure (hierarchy, top to bottom): Information Security Committee; Chief Information Security Officer; Information Security Administrator; Administration and Implementation; Users.

The CISO is responsible for articulating the Information and Cyber Security policy for the Organization and for providing the necessary advice and support in implementing the Information and Cyber Security policies. The CISO shall be responsible for proposing the policy to the ISC. Each Functional head and Business head shall be responsible for implementing the Security policy within their areas of responsibility and for ensuring the adherence of their staff to the policy.

The Company has identified the following parties and their needs and expectations:

External Parties
- Insurance Regulatory Body (IRDA): 1. Adherence to statutory and regulatory requirements.
- Financial institutions (Banks, Payment Gateways): 1. Adherence to agreements / contractual requirements. 2. Adherence to delivery commitments.
- External customers: 1. Adherence to delivery commitments. 2. Adherence to data privacy and data security.
- Outsourced vendors and partners: 1. Adherence to service delivery commitments. 2. Adherence to agreements / contractual requirements.

Internal Parties
- Human Resources / Human Capital: 1. Continuity of employment. 2. Motivated work culture. 3. Drive for good governance. 4. Opportunities for advancement.
- Finance: 1. Approval for security initiatives. 2. Adherence to payment terms and conditions.
- Procurement: 1. Identify and select vendors at the best rate. 2. Adherence to delivery commitments. 3. Identify terms and conditions.
- Learning & Development: 1. Prepare training modules and disseminate them.
- Risk Management: 1. Establish the link between IT risks and Enterprise Risk. 2. Establish the link between the IT DRP and Business Continuity.
- Internal Audit: 1. Check adherence to set processes and policies.
- Administration: 1. Provide safe working conditions and well-equipped office infrastructure with security controls.
- Legal & Compliance: 1. Adherence to statutory and regulatory requirements.

It must be ensured that business information, inclusive of the computing systems, is protected from inappropriate access, disclosure or modification. Information, as an asset, should be protected just like any other company asset; therefore, to safeguard its value, FG Non-Life via this policy has mandated that its employees go through the Policy documents, and understand, accept and practice the rules and regulations that have been defined. It is the Company's policy to:

- Ensure that information is accessible only to those authorized to have access.
- Safeguard the accuracy and completeness of information and processing methods.
- Ensure that authorized users have access to information and associated assets when required.
- Identify organizational assets and define appropriate protection and responsibilities.
- Establish and maintain formal, documented procedures for performing information risk assessments.
- Update the IT infrastructure with supported, tested and reasonably up-to-date OS and database patches, including security patches and upgrade patches.
- Ensure that the information it manages is secured to protect against the consequences of breaches of confidentiality, failures of integrity or interruptions to the availability of that information.
- Define an information classification scheme describing the classes and how information of a particular class should be managed (stored, accessed, transmitted, shared and disposed of).
- Meet all information security requirements under appropriate regulations, legislation, organization policies and contractual obligations.
- Develop Business Continuity, Cyber Crisis Management and Incident Response plans for IT and business processes, which shall be maintained and tested on a regular basis.
- Ensure that the confidentiality, integrity and availability requirements of all business systems are met by vendors and third-party staff working on behalf of the organization.
- Promote this policy and raise awareness of information security.
- Provide appropriate information security training for our staff and third-party contractors.
- Connect only authorized devices; authorized devices include PCs and workstations owned by the company that comply with the company's configuration guidelines.
- Ensure a secure method of connectivity between the company and all third-party companies and other entities required to electronically exchange information with the company for approved business purposes.
- Grant system administrators, network administrators and security administrators full access to host systems, routers, switches, firewalls and other security devices as required to fulfil their respective duties.
- Reserve the right to inspect any data stored on computer systems or telecommunication systems, or transmitted or received via the Company's networks, in the course of investigating security incidents or safeguarding against security threats.
- Treat computer networks and systems outside the Company as insecure.
- Consider security during the design of any IT component and application deployment.
- Identify and implement adequate controls to secure endpoints against prevailing threats.
- Establish a suitable data backup and retention policy.
- Prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.
- Identify and manage information security requirements and associated processes for information systems projects.
- Establish logging and monitoring capabilities to detect security events in a timely manner.
- Perform formal checks through the Internal Audit program.

User Responsibilities: This section establishes a high-level usage policy for the computer systems, networks and information resources.

Acceptable Use: The Company has defined an Acceptable Usage policy. User accounts on company computer systems are to be used only for the business of the company and not for personal activities. Unauthorized use of the system may be in violation of the law, constitutes theft and can be punishable by law. Therefore, unauthorized use of the company's computing systems and facilities may constitute grounds for either civil or criminal prosecution. Users are personally responsible for protecting all confidential information used and/or stored in their accounts. Users are prohibited from making unauthorized copies of such confidential information and/or distributing it to unauthorized persons outside the company. Users shall not engage in activity with the intent to harass other users, degrade the performance of the system, divert system resources to their own use, or gain access to company systems for which they do not have authorization. Users will be responsible for all transactions occurring during logon sessions initiated by use of the user's password and ID. Users shall not log on to a computer and then allow another individual to use the computer, or otherwise share access to the computer systems. Users shall not attach unauthorized devices to their computers unless they have specific authorization. Users shall not download unauthorized software onto their computers. Users are required to report any weakness in the company's computer security, and any incident of misuse or violation of security policy, to their immediate supervisor / IT Security / IT Helpdesk.

Use of the Internet: The company will provide Internet access to users for business-related purposes such as obtaining useful business information on relevant technical and business topics. The Internet service shall not be used for transmitting, retrieving or storing any communications of a discriminatory or harassing nature, or which are derogatory to any individual or group, obscene or pornographic, or defamatory or threatening in nature, or for chain letters, or for any other purpose which is illegal or for personal gain.

Monitoring Use of Computer Systems: The company has the right to monitor electronic information created and/or communicated by users using the company's computer systems and networks, including e-mail messages and usage of the Internet. Users should be aware that the company may monitor usage, including, but not limited to, patterns of Internet usage, electronic files and messages, to the extent necessary to ensure that the Internet and other electronic communications are being used in compliance with the law and with company policy.

Access Control: A fundamental component of the Security Policy is controlling access to the critical information assets that require protection from unauthorized disclosure or modification. Access controls exist at various layers of the system, including the network. Access control is implemented by logon ID and password. At the application and database level, other access control methods shall be implemented to further restrict access. Employee login accounts shall be deactivated as soon as possible upon employee termination or exit.

Exception Management: The ISC shall review and approve exceptions to the Information Security Policy. Any significant risk shall be reported to the Board. Operational-level exceptions can be approved by the respective Business owner in consultation with the CISO. If the requirement differs from the guideline due to applicable laws and regulations, the exception shall be reviewed and approved by the Board.

Security Incident Handling Procedures: This policy provides guidelines and procedures for handling security incidents. The term "security incident" is defined as any irregular or adverse event that threatens the security, integrity or availability of the information resources on any part of the company network. Employees who believe their terminal or computer systems have been subjected to a security incident, or have otherwise been improperly accessed or used, should report the situation to IT Security / IT Helpdesk / their Supervisor immediately. Adherence to this policy will help to protect the Company, employees and customers from information security threats, whether internal or external, deliberate or accidental. We at FG Non-Life are committed to good information security practices for our stakeholders, employees and customers. It is recognized that detailed policies and procedures are required, and the Company is committed to implementing these in full.

Communication: The Information Security policy shall be communicated to all Users of the company.

Compliance: Compliance with the Security Policies and Guidelines is mandatory. All users of the information technology resources of the Company must ensure that they understand the policies and guidelines and comply with them.

Disciplinary Action: Every user of FG Non-Life's information systems shall comply with the information security policies. The company takes the issue of security seriously. Violation of the policy and of relevant security requirements will therefore constitute a breach of trust between the user and FG Non-Life and may have consequences for employment or contractual relationships. The specific discipline imposed will be determined on a case-by-case basis, taking into consideration the nature and severity of the violation of the Security Policy, prior violation history, regulations, laws and all other relevant information. The Company may refer the information to law enforcement agencies and/or prosecutors for consideration as to whether criminal charges should be filed against the alleged violator(s).

Review: The Information Security policies shall be reviewed every 12 months, or sooner as necessary, by the CISO to ensure that they remain up to date in the light of relevant legislation, organizational procedures or contractual obligations.

References:
- ISMS Manual
- IT Security Policy
- IT Compliance Management Policy
- Network Security Policy

Annexure I: Approval from The Board