ISMS Policies

Information Security Policy

1. Purpose

The purpose of this policy is to achieve our security objective to enable an environment in which Integra Global employees can share information and work co-operatively amongst themselves, and with customers, suppliers, and other stakeholders, with an assurance of safety, availability, integrity, and confidentiality. All functions across the organization, and all individual Integra Global employees, shall comply with this policy in their practices and processes to achieve this objective.

2. Objective

To protect the intellectual property rights of customers and Integra, the senior management has formulated a security policy statement as mentioned below.

“At Integra, the protection of customer information, employee information, and vendor information along with all other company assets including hardware, software, physical, and intangible assets is highly valued and accorded the highest degree of importance as we understand this is fundamental to the success, growth, and continuity of our business.

In this regard, we have established an information security management system in accordance with the ISO 27001 standard to ensure that the information we hold and are responsible for is safeguarded where necessary against inappropriate disclosure; ensure it is accurate, timely and attributable; and is available to those who should be able to access it for business purposes.

As the business needs change, we understand that our information security management system must be continually updated and improved with relevant changes to ensure its suitability. Hence, we are continuously setting and renewing information security objectives by regularly reviewing our processes and systems.”

It is the policy of our company to ensure:

  1. Information is only accessible to authorized persons from within or outside Integra Global.
  2. Confidentiality of information is maintained.
  3. Integrity of information is maintained throughout the process.
  4. Business continuity plans are established, maintained, and tested.
  5. All personnel are trained on information security and are informed that compliance with the policy is mandatory.
  6. All breaches of information security and suspected weaknesses are reported and investigated.
  7. Procedures are established to support the policy, including virus control measures, passwords, and continuity plans.
  8. Business requirements for availability of information and systems are met.
  9. All managers are directly responsible for implementing the policy and ensuring staff compliance in their respective departments.

3. Scope

The security policies and standards in this policy apply to all staff of Integra, contractors, consultants, temporary employees, etc. The policy applies to all computer and network systems owned by and/or administered within Integra. This includes all platforms (operating systems), all computers and servers, and all applications and data (whether developed in-house or purchased from third parties) contained on those systems.

The company is made up of the following departments:

  • Information Security Management Group (ISMG)
  • Operations
  • IT support (ITS)
  • Human Resources Management (HRM)
  • Physical security
  • Human Resources
  • Accounts and Administration

Integra Global services include:

  1. Construction takeoff and Accounting
  2. Data entry and Data Processing
  3. Contracts Read
  4. Medical Coding and Billing

Location

No.1, Palsun Towers, 1st St, Sivananda Colony, Tatabad, Rear end of KVB Bank, Coimbatore, Tamil Nadu 641012.

Assets and Technology

This ISMS covers the following:

- Information Assets which covers:

  • Management system documentation
  • Operational or support procedures
  • Records of operations
  • Continuity plans

- Paper documents which covers contracts, guidelines and company documentation.

- Software Assets which covers application software, system software, and utilities.

- Physical Assets which covers computer, communications equipment, and electronic and magnetic media (disks).

- Information processing facility.

- Services which covers:

  • IT Security Services
  • Physical security

- Company image and reputation

- People which is the staff of Company

- Discussion rooms and conference room.

- Electrical equipment

- Front office security personnel.

4. Reference

Standard: ISO 27001:2022 Information Security Management System

Controls: A.5, A 5.1.1, A 5.1.2, A.6, A.7, A.8

Security Requirements

4.1. Confidentiality, integrity, and availability requirements for information and information processing assets are determined by the sections below and policies and procedures are established:

4.1.1. Legal, contractual, and business requirements.

4.1.2. Threats from the environment of the information assets.

4.2. Information is classified in accordance with the Information Classification Guideline IGS/ICG/023. This policy takes into account the confidentiality, integrity and availability requirements of information, and specifies the guidelines for selection of security controls appropriate to the manner in which the information is stored, transmitted and processed.

5. Legislative and Contractual requirements

5.1. The storage, transmission, and sharing of information is performed in compliance with the international regulations and national laws applicable in India where the information is stored, or the locations between which it is transmitted.

5.2. All customer information is considered confidential and processed on a need-to-know and least privilege basis. Any other controls that have been agreed upon with the customer are applied in processing that customer’s information documented in the respective process sheet.

5.3. Personal information on Integra Global employees or any third party is gathered with their consent, and used only for the purpose for which it has been collected and for which the person’s concurrence has been obtained.

5.4. Proprietary information belonging to Integra Global, customers, clients, suppliers or anyone else that Integra Global interacts with is protected.

5.5. Intellectual property rights are respected.

5.6. Only authorized and licensed software is installed on computers.

5.7. No software is being used in any way that violates the conditions of use specified by its owner/OEM Provider.

5.8. Information is retained for the period of time necessitated by legal, contractual or business requirements. It is destroyed at the end of this period if the law or a contract requires that it be destroyed; otherwise it may be preserved for a longer time if there is a business reason to do so.

5.9. All associations with suppliers and contractors for outsourced work involve a contract in which security requirements are incorporated.

5.10. All Integra Global employees, suppliers and contractors sign a nondisclosure agreement and agree to abide by the security and use policies of Integra Global facilities. These policies may change from time to time.

5.11. Information Security policies and practices are reviewed regularly for adequacy.

5.12. A guideline document is established for effective adherence to legal requirements.

6. Security Awareness

6.1. Every Integra Global employee is trained to be familiar with this policy. Training is provided on security objectives and on their roles and responsibilities for security as scheduled by HRM.

6.2. Policies and any changes to policies, for acceptable use of information assets in Integra Global, are disseminated to all Integra Global employees.

6.3. Policies and any changes to policies applicable to third parties, for acceptable use of information assets in Integra Global, are communicated to the third parties who are given access to Integra Global information resources.

6.4. Procedures for Human Resource security policy IGS/HRSP/021 are established.

7. Protection of Information Processing Assets

7.1. All Integra Global computers and network devices are protected against viruses, Trojans, and threats due to vulnerabilities in software as per IT Infrastructure & Anti-virus policy, IGS/IT/AVP/003.

7.2. Documented procedures for Critical Infrastructure Maintenance policy, IGS/CIMP/013, are established.

7.3. All connections to external networks are protected so that traffic to or from these networks is allowed strictly on a need-to-know and least privilege basis.

7.4. Systems and services provided by Integra Global do not violate customers’ or Integra Global security.

7.5. Any new technologies or application systems, developed internally or purchased, are reviewed for functionality, confidentiality, integrity, availability and cost effectiveness before deployment. Risk Management procedure in accordance with the IGS/RMPR/039 is performed at every stage of a system’s life cycle.

7.6. Configuration standards and operating procedures, that meet business, legal and security requirements, are formulated and adhered to for all information processing assets.

7.7. Appropriate measures are taken to allow suppliers and third parties access to Integra Global information and information processing assets on a strictly need-to-know and least privilege basis.

7.8. Information and information processing assets are organization property, and the organization reserves the right to monitor, inspect, track, intercept or stop usage of such resources by an individual, with or without cited reasons. This includes, but is not limited to, usage of e-mail, contents of email, Internet usage, desktops and laptops.

8. Physical and Environmental Security

8.1. Appropriate physical access controls are implemented in all areas to restrict access to authorized personnel only. This is done based on identified risks and operational requirements.

8.2. Processes to track physical assets and monitor their movement are implemented.

8.3. Protection is provisioned against hazards like fire, floods, and lightning, for the security of buildings, and the personnel and information processing assets stored therein.

8.4. Environmental controls to maintain temperature and humidity levels and power supply stability are implemented.

8.5. Procedures for maintenance of information processing facility are established as part of Critical Infrastructure Maintenance policy, IGS/CIMP/013.

9. Personnel

9.1. Appropriate measures are taken for assurance that personnel deployed to fill various roles, whether they are Integra Global employees or contractors, are qualified for their responsibilities and are of high integrity.

9.2. Procedures for Human Resource Security Policy IGS/HRSP/021 are established.

9.3. Appropriate training is provided to all Integra Global employees in their responsibilities as users of information or owners of assets.

9.4. Users (Integra Global employees or third party users) are given access to resources on a need-to-know and least privilege basis. Such access granted to an individual shall be revoked when it is no longer required, for example, when an Integra Global employee leaves the organization, when the individual’s job responsibilities are changed, or due to a prolonged leave of absence.

10. Business Continuity

10.1. Business continuity measures are put in place (Business Continuity and Disaster Recovery plan, IGS/BCDRP/006/2) so that business processes can be restored when a disruption in availability of assets occurs, e.g. due to technical bugs, failure of components, failure of essential services, loss of personnel, or major disasters like earthquakes, fire or floods.

10.2. Assets have:

  • Protection to minimize risks associated with them.
  • Associated disaster recovery and business continuity plans to minimize the cost and duration of disruption to business processes in the event of damage, failure, corruption, lack of availability or loss.

10.3. Disaster Recovery and Business Continuity plans are tested regularly as applicable.

10.4. Asset owners shall ensure that their assets are suitably protected and covered with appropriate DR & BC Plans.

10.5. The highest priority in all DR plans is given to the protection of human life.

11. Incident Handling

11.1. All incidents are reported as per the Incident Management plan.

11.2. When a security incident is reported, the following essential activities will be performed:

  • The root cause of the breach is identified and resolved.
  • Measures are taken to prevent recurrence of the incident.
  • Audit trails and log records and other appropriate information are preserved.
  • The service is brought back online.

11.3. A documented procedure, Incident Management plan, IGS/IMP/022, is established.

12. Consequences of Security Policy Violations

Unauthorized use or alteration of information assets, or any violation of the Security Policy or standards of acceptable use of Integra Global assets and facilities, or their use in any way that violates Integra Global business goals or values, is a serious offence, and Integra Global takes disciplinary or legal action, including termination of employment, against such offenders.

13. Information Security Roles and Responsibilities

13.1. The top management of Integra Global, with the assistance of the ISMG:

13.1.1. Reviews and approves information security policy and overall security responsibilities.

13.1.2. Monitors significant changes in the exposure of information assets to major threats.

13.1.3. Reviews security incidents.

13.1.4. The ISMG conducts an independent review of the ISMS at a minimum once a year and provides recommendations to top management.

13.1.5. Approves major initiatives to enhance information security.

13.2. The ISMG has overall responsibility for information security. It performs the following activities in the discharge of this responsibility, with the assistance of:

(a) CEO, Head(s)-Ops, HOD-Admin, HOD-IT, HOD-BD, HOD-HRM (the ISMG comprises the heads of all functions).

(b) Where necessary and appropriate, security representatives from the affected departments and practices, and

(c) Where necessary and appropriate, expert security advice from individuals or organizations outside Integra Global.

13.2.1. Defines roles and responsibilities for information security across the organization, in co-operation with security representatives from each department / practice unit. Where necessary, the principle of segregation of responsibilities is adopted to reduce the risk of deliberate or accidental misuse of information or IT assets.

13.2.2. Identifies controls and co-ordinates their implementation, in co-operation with security representatives from the affected departments / practice units.

13.2.3. Periodically assesses the adequacy of information security implementation across the organization as part of ISMS audit and information security reviews.

13.2.4. Periodically audits departments and practices for compliance with security policies and procedures as per ISMS Audit policy, IGS/ISMSAP/025.

13.2.5. Promotes information security throughout the organization.

13.2.6. Handles security incidents as per the established procedure, Incident Management plan, IGS/IMP/022.

13.3. The protection of an asset:

13.3.1. Ensures that adequate measures are taken to protect the asset in accordance with the policies approved by the Management, legal and contractual obligations, and business requirements.

13.3.2. Conveys the following information to all users of the assets:

13.3.3. The sensitivity and criticality of the asset.

13.3.4. Any special precautions they must take in the use and protection of the asset.

13.4. Every Integra Global employee:

13.4.1. Protects and preserves Integra Global assets and ensures that they are used only for the benefit and furtherance of the goals of Integra Global.

13.4.2. Complies with this Information Security Policy and acceptable use policies of Information Assets.

13.4.3. Complies with Integra Global Business Conduct policies, with Integra Global security policies, and with the location owner’s security policies when they are at non-Integra Global locations.

13.4.4. Ensures that all personnel under their supervisory control understand and discharge their responsibilities for Information Security.

13.4.5. Ensures that all third parties with whom they have the responsibility of interfacing have been informed of and comply with Integra Global security requirements.

13.4.6. Notes and reports Information Security incidents or variances from established standards and procedures to the asset owners.

13.4.7. Promptly initiates appropriate corrective action for variances that are within their areas of control.

13.4.8. Supports the investigation and follow-up of Information Security incidents.

14. Contact with authorities and external groups

14.1.1. Integra Global contacts authorities when there is a breach of security and requirement of assistance is imminent.

14.1.2. In the event of an accident or incident where Integra Global requires assistance from fire, it is sought as per the fire drill procedure.

14.1.3. When Integra Global finds it necessary to involve external agencies or interest groups, such activities are initiated.

14.1.4. The ISMS review is done using an external agency to ensure impartiality and effectiveness with adequate competence.