
IT Policy Document

Access Control Policy

1.0 Introduction

This IT Policy outlines the rules relating to authorising, monitoring and controlling access to Jagran New Media accounts, information and information systems. It also provides guidelines that Jagran New Media uses to administer these policies, with the correct procedure to follow. Jagran New Media keeps the IT policy current and relevant. Therefore, from time to time it will be necessary to modify and amend some sections of the IT policy or to add new procedures. Any suggestions or feedback on the policies and procedures specified in this document are welcome.

2.0 Scope

This policy applies to any person or system that is granted, or that grants, access to accounts, information or information systems owned or operated by Jagran New Media.

3.0 Objectives

The stated aim of this policy is to ensure that, by having the appropriate access controls in place, correct information is accessible to authorized personnel at the right time and that access to information is appropriately managed and periodically audited.

4.0 Responsibilities

All personnel (e.g. employees, third parties) at Jagran New Media must adhere to the relevant Information Security and Access Control policies and procedures.

All account holders must:

  • Use their account and access only in accordance with the Jagran New Media Code of Practice.
  • Secure their credentials in line with Jagran New Media’s password guidance.
  • Be accountable for the systems, services and data within their control.
  • Transfer services and data prior to vacating a role, following the Jagran New Media Leaving Process.

Management must:

  • Only sponsor (HOD/ HR Team) access requests that have:
    • A documented request (written or email)
    • Sufficient and appropriate justification, based on the requester’s business need
  • Document all access request sponsorships

Asset owners must:

  • Review access to their assets at periodic intervals and investigate any risk factors that may be there. The review periods will be based on the risk rating of a given asset.

Access administrators must:

  • Only grant access requests that have:
    • A documented request (written or email)
    • Sufficient and appropriate justification, as confirmed by the HOD/ HR
    • Documented sponsorship and necessary approval from the designated personnel
  • Document all access granted

5.0 Access Control Implementation

The following headings outline the principles around how access is managed at Jagran New Media:

5.1 Identity Management

  • Formal user registration and de-registration processes are implemented to enable the assignment of identities and accounts on an individual basis.
  • This ensures accountability for all actions taken by all personnel and associate account users.

5.2 Authentication Management

  • Secure authentication controls have been put in place to manage all access to accounts, services and platforms.

5.3 Access Governance

  • A formal user access governance process has been implemented to grant or revoke access for all user types to systems and information assets under the control of the Organisation.
  • This access provisioning is based on the following principles:
    • Access changes for employees are primarily managed through the Organisation’s Onboarding, Movement & Exit processes.
    • All extra requests for or changes to access are documented and tracked.
    • All access requests or changes require documented justification.
    • Justification will be based on a simple risk assessment and the business need, and will be confirmed by the request sponsor, e.g. HOD or HR SPOC.
    • Requisite sponsorship and due approval are available and documented for all access requests or changes.
    • All access changes granted by administrators are documented and tracked.
    • Reviews of access are performed by relevant asset owners periodically.
    • These principles are account type, service, application and system agnostic.

5.4 Access Reviews

  • Access to assets, services and systems is reviewed at periodic intervals. How often these reviews are conducted depends on the identified risk pertaining to a given asset and access.
  • The relevant personnel are advised to measure the risk relating to each individual asset and assign a risk rating in line with the single asset risk assessment process, as per the Information Security Risk Management policy.
  • In case an access anomaly is identified in an access review, it is classified as a likely incident and investigated by the relevant asset owner and information security team.

5.5 Access in Special Circumstances

  • It is recognized that there may be special circumstances where extra or privileged access may be needed. For all cases, access to an account, the information contained within an account or information pertaining to the activity of an account, is carefully restricted and must only be executed with the necessary authorisation and checks in place.


Password Management Policy

Responsible Office: Information Technology

1.0 Purpose

  • This policy describes Jagran New Media’s requirements for acceptable password selection and maintenance. It outlines recommendations for creating and using passwords in ways that heighten the security of the password and reduce the risk of password theft or misuse. Because weak passwords are common, automated password-cracking programs are increasingly numerous, and malicious hackers and spammers are prevalent, passwords are very often the weakest link in securing data. Therefore, it is necessary that passwords follow the policy guidelines listed below.

2.0 Scope

  • This policy applies to anyone accessing systems that hold or transmit Jagran New Media’s data. Systems include, but are not limited to, personal computers, laptops and issued cell phones, as well as the organisation’s electronic services, systems and servers. Departmental resources and centrally managed resources are duly covered under this policy.

3.0 Policy

  • All passwords (e.g., server, database, email, web, desktop computer, laptop, mobile device, etc.) should be strong passwords and should follow the guidelines below. As a rule of thumb, length, complexity and frequency of changes increase a password’s strength. Greater risks require a heightened level of protection. In such situations, stronger passwords combined with additional security measures, including multi-factor authentication, must be used.

Except where it is technically infeasible, all passwords must meet the following guidelines:

  • At least eight (8) alphanumeric characters.
  • At least two (2) non-alphabetic characters and at least three (3) alphabetic characters.
  • At least one (1) alphabetic character must be upper-case and at least one (1) must be lower-case.
  • Passwords must not consist of a single word in any dictionary, language, slang, dialect, jargon, etc.
  • Passwords must not consist of easily guessed or obtained personal information, names of family members, pets, etc.
  • It is acceptable to use passphrases consisting of three or more dictionary words joined by non-alphabetic characters. 
  • Credit card numbers or any other personal or fiscally useful information must never be used as a user ID or password so that identity theft can be prevented.
  • All passwords are considered Private information and should be handled according to the Organisation’s Safeguarding Sensitive and Confidential Information Policy. As such, they must never be written down or stored online unless adequately secured.
  • Passwords must not be entered into email messages or other forms of electronic communication.
  • Passwords for various systems (including laptops, desktops, services, servers, databases and applications) have an “aging” feature that mandates a password change every six months after the last password change. Users and employees are required to abide by such password aging policies.
  • Passwords must not be shared with anyone, including the administrative or IT personnel. Some exceptions may be allowed with the written consent of the designated individual and must have a primary responsible contact person. 
  • Shared passwords used to protect network devices will need a designated individual to be responsible for the maintenance of those passwords, and the said individual will ensure that only authorized personnel can access the passwords.
  • If a password is suspected of being compromised, it should be changed immediately and the incident reported to the organisation’s IT Help Desk.
  • It is recommended that password cracking or guessing be performed periodically or at random by IT Security with support from the authorized system administrator. In case a password is guessed or cracked during one of these security checks, it will be incumbent upon the password owner to change it immediately.
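The complexity guidelines above can be enforced mechanically at the point where a password is set or changed. The following checker is an added example, not code from the Jagran New Media policy document; it encodes the policy's thresholds (eight characters, two non-alphabetic, three alphabetic, mixed case, no single dictionary word, no personal information) and treats the permitted passphrase form (three or more dictionary words joined by non-alphabetic characters) as compliant. The wordlist and the `personal_terms` parameter are constructed stand-ins: a real deployment would load a full dictionary and pull the user's known identifiers from the directory.

```python
import re

# Thresholds taken from the policy text above.
MIN_LENGTH = 8          # "at least eight (8) alphanumeric characters", read here as total length
MIN_NON_ALPHA = 2       # at least two non-alphabetic characters (digits or symbols)
MIN_ALPHA = 3           # at least three alphabetic characters

# Constructed stand-in for a dictionary wordlist; a real check would load a
# full multilingual list (the policy names no particular one).
DICTIONARY = {
    "password", "welcome", "summer", "dragon", "correct", "horse",
    "battery", "staple", "jagran", "media",
}


def _alphabetic_words(password: str) -> list[str]:
    """Split on every non-alphabetic character and return the letter-only runs."""
    return [w for w in re.split(r"[^A-Za-z]+", password) if w]


def check_password(password: str, personal_terms=()) -> list[str]:
    """Return the names of the policy rules the password violates.

    An empty list means the password is compliant. `personal_terms` is the
    caller's (constructed) list of strings known about the user: user ID,
    own and family names, pet names, and similar guessable data.
    """
    violations = []
    alpha = [c for c in password if c.isalpha()]
    non_alpha = [c for c in password if not c.isalpha()]

    if len(password) < MIN_LENGTH:
        violations.append("length")
    if len(non_alpha) < MIN_NON_ALPHA:
        violations.append("non_alphabetic")
    if len(alpha) < MIN_ALPHA:
        violations.append("alphabetic")
    if not (any(c.isupper() for c in alpha) and any(c.islower() for c in alpha)):
        violations.append("mixed_case")

    # Dictionary rule. A single dictionary word is rejected even when padded
    # with digits or symbols ("Password1!"), a deliberately strict reading.
    # Three or more dictionary words joined by non-alphabetic characters are
    # the explicitly permitted passphrase form and pass here, because they
    # are not a *single* word.
    words = _alphabetic_words(password)
    if len(words) == 1 and words[0].lower() in DICTIONARY:
        violations.append("dictionary")

    # Personal-information rule: none of the supplied terms may appear.
    lowered = password.lower()
    if any(term.lower() in lowered for term in personal_terms if len(term) >= 3):
        violations.append("personal_info")

    return violations


def is_compliant(password: str, personal_terms=()) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    return not check_password(password, personal_terms)


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "Tr0ub4dor&3", "Correct-horse-battery"):
        print(f"{candidate!r}: {check_password(candidate) or 'compliant'}")
```

Returning the list of violated rules, rather than a bare boolean, lets the enrolment form tell the user which rule failed without ever logging the candidate password itself.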

3.1 Server Administrator Passwords

Furthermore, the following guidelines apply to server administrator passwords, except where technically and/or administratively infeasible:

  • Server passwords must be changed in concurrence with related personnel changes.
  • IT Security must be informed in case an account or password is suspected to have been compromised, and the passwords in question must be changed immediately.
  • Attempts to guess a password should be limited to ten incorrect guesses. After that, access should be locked for at least ten minutes, unless a local system administrator intercedes.
  • Consistent and easily understandable responses should be provided for failed attempts. These include simple error messages such as “Access denied”. Such standard responses minimize the information an attacker could gather from failed login attempts.
  • Failed attempts should be logged, unless such action results in the display of the failed password. As a best practice, these logs should be retained for at least 30 days. Administrators are expected to inspect these logs regularly and look out for irregularities such as suspected attacks.
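The lockout, generic-response and logging rules in this section fit together into a single login gate. The class below is an added example, not code from the Jagran New Media policy document, showing one way to implement them: ten consecutive failures lock the account for ten minutes, every failure (wrong password, unknown user, or locked account) returns the same “Access denied” string, each attempt is logged with an outcome label but never with the password, an administrator can intercede before the lock expires, and log entries older than 30 days can be purged. The credential store, the user names and the `ManualClock` helper are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 10                 # lock after ten incorrect guesses
LOCKOUT_SECONDS = 10 * 60                # ... for at least ten minutes
LOG_RETENTION_SECONDS = 30 * 24 * 3600   # keep failed-attempt logs for 30 days
GENERIC_DENIAL = "Access denied"         # the one response for every failure mode
PBKDF2_ROUNDS = 100_000                  # constructed work factor for the demo store


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_store(plaintexts: dict) -> dict:
    """Constructed credential store: user -> (salt, PBKDF2 digest)."""
    store = {}
    for user, password in plaintexts.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store


class ManualClock:
    """Settable clock (constructed helper) so the lockout window can be tested without sleeping."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginGuard:
    def __init__(self, users: dict, clock=time.time):
        self.users = users
        self.clock = clock
        self.failures = {}        # user -> consecutive failed guesses
        self.locked_until = {}    # user -> epoch time when the lock expires
        self.log = []             # (timestamp, user, outcome); the password is never stored
        self._dummy = (os.urandom(16), bytes(32))   # keeps unknown-user timing similar

    def _record(self, user: str, outcome: str) -> None:
        self.log.append((self.clock(), user, outcome))

    def attempt(self, user: str, password: str) -> tuple[bool, str]:
        now = self.clock()
        if self.locked_until.get(user, 0.0) > now:
            self._record(user, "rejected_locked")
            return False, GENERIC_DENIAL

        salt, expected = self.users.get(user, self._dummy)
        # Hash even for unknown users so response time does not reveal valid IDs.
        if hmac.compare_digest(hash_password(password, salt), expected):
            self.failures.pop(user, None)
            self._record(user, "success")
            return True, "ok"

        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        self._record(user, "failure")
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self._record(user, "locked")
        return False, GENERIC_DENIAL

    def admin_unlock(self, user: str, admin: str) -> None:
        """A local system administrator interceding before the lockout expires."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)
        self._record(user, f"unlocked_by:{admin}")

    def locked_accounts(self) -> list[str]:
        """Accounts currently locked, the list an administrator would inspect."""
        now = self.clock()
        return sorted(u for u, until in self.locked_until.items() if until > now)

    def purge_old_logs(self) -> int:
        """Drop entries past the 30-day retention window; return how many remain."""
        cutoff = self.clock() - LOG_RETENTION_SECONDS
        self.log = [entry for entry in self.log if entry[0] >= cutoff]
        return len(self.log)


if __name__ == "__main__":
    clock = ManualClock()
    guard = LoginGuard(make_user_store({"alice": "Tr0ub4dor&3"}), clock=clock)
    for _ in range(MAX_FAILED_ATTEMPTS):
        guard.attempt("alice", "not-it")
    print("locked:", guard.locked_accounts())
    print("correct password during lockout:", guard.attempt("alice", "Tr0ub4dor&3"))
    clock.advance(LOCKOUT_SECONDS)
    print("after lockout expires:", guard.attempt("alice", "Tr0ub4dor&3"))
```

The lock check runs before the password is verified, so a correct password presented during the lockout window is still refused with the same generic message; that is what keeps the response from confirming a guess. The log keeps only an outcome label, which satisfies the rule that logging must not display the failed password.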


Data Retention and Destruction Policy

1.0 Overview and Purpose

  • The purpose of this policy is to ensure that necessary records and documents of Jagran New Media are adequately protected and maintained and that records which are no longer needed for organisational purposes are discarded at the right time. Another important objective of this policy is to aid the employees in understanding their obligations in retaining and destroying either physical (paper) or electronic documents – including email, text files, digital images, videos and other files, PDF documents, and all Office or other formatted files or paper documents.

2.0 Scope

  • This policy applies to all employees, staff, contractors, partners, and other personnel who are responsible for owning, sharing or using records and documents in either paper or electronic formats.

3.0 Policy

  • This policy defines the Organisation’s data retention and destruction schedule for both paper and electronic records. The IT Administrator is responsible for the administration of this policy and for the implementation of processes and procedures to ensure that the Data Retention Schedule is applied throughout the Organisation’s document handling processes.
  • The Administrator is also authorized to: make modifications to the Record Retention Schedule as needed to ensure that it complies with applicable laws; ensure the appropriate categorization of documents and records on behalf of the Organisation; review the policy annually; and monitor compliance with this policy. This policy applies to all physical (paper) and electronic records generated in the course of the Organisation’s operations, including both original documents and reproductions.

4.0 Data and Document Destruction

  • In accordance with applicable laws and the Organisation’s Data Classification Policy, any documents containing personal or confidential information should be destroyed so that the information cannot be practically read or reconstructed. 
  • For physical (paper) documents, this means that personal or confidential data should be destroyed with a cross-cut shredder. 
  • For electronic documents, confidential data should be destroyed using the approved data-erasure software or by physical destruction of the media, such that the information cannot be practically read or reconstructed.


Data Encryption Policy

1.0 Overview and Purpose

This policy outlines the rules relating to the implementation of effective encryption policies and processes. The objective of an encryption policy is to encrypt data where it is necessary, which depends on where the data is. For example, IPSec and SSL do not protect data stored on a disk or in a database, but they do provide encryption while data travels across a network. In the same way, encrypted fields in a database do not protect information while it is accessed across the network.

2.0 Scope

  • This policy covers all of Jagran New Media’s information, systems, networks, and other information assets, so that adequate controls are in place to protect the confidentiality, integrity and availability of the Organisation’s data.
  • These critical assets must be managed and controlled to protect the Organisation from loss due to misuse, disclosure, fraud, or destruction.
  • This policy applies to all company employees, temporary employees, contractors, consultants, vendors, service providers, partners, affiliates, third parties or any other person or entity authorized to utilize the Organisation’s information resources. 
  • This includes all information systems, hardware, software, data, media, and paper files inside the Organisation and any approved third-party facilities.
  • This policy also pertains to all systems, networks, and users connected to the Organisation’s resources through any means, including but not limited to local access, leased lines, wireless access points, or any other telecommunications device, through either private or public networks. 
  • It also applies to all third-party local and remote connections as well as non-company assets involved in the storage, processing, or transmission of Organisation’s information or data.

3.0 Policy

  • Cryptographic controls are utilized for sensitive information classified by the Organisation as PROTECTED or RESTRICTED, including, but not limited to: Personally Identifiable Information (PII), Protected Health Information (PHI), passwords, intellectual property, budget or contract proposals, legal correspondence, and research and development information.
  • All encryption mechanisms utilized by the Organisation must be authorized by the appropriate authority. Users must not attempt to utilize any form of cryptography, including, but not limited to, encryption, digital signatures, and digital certificates, which has not been approved and installed or implemented by designated personnel.
  • All encryption keys must be managed using the provided key management system. The key management system must keep all encryption keys secure and provide access only to a limited set of company personnel. At least two administrators must hold master keys and privileged access to the key management system. As a security measure, keys generated by the key management system must not be easily guessable or discernible. When keys are transmitted to third-party users, the encryption key must be transmitted over a different communication channel than the data that has been encrypted. All key recovery operations must be authorized, and all activities must be logged by the key management system. All logged activities must also be periodically reviewed by the IT Administrator of the Organisation.
  • Network Encryption: All sensitive information classified by our company as PROTECTED or RESTRICTED including, but not limited to, PII, PHI, passwords, and research and development information, must be encrypted when transmitted either inside or outside of the Organisation. This includes transmission of information via email or other communication channels. Remote management activities for our company, such as contractors accessing our network remotely, must consistently employ session encryption. 
  • Remote access procedures are to be defined such as using VPN to access corporate systems while teleworking.
  • Hard Disk Encryption: All sensitive information classified by the Organisation as PROTECTED or RESTRICTED, including, but not limited to, PII, PHI, and passwords, must be encrypted. Hardware encryption should be used in preference to software encryption when feasible.

4.0 Compliance

  • All users are required to sign the Organisation’s Acceptable Use Policy and acknowledge they understand and will abide by the standards and individual responsibilities it defines. All and any changes to the Acceptable Use Policy are duly communicated to all staff, contractors and other third parties well in time.
  • Any user, employee or staff found to be abusing the privilege of using the corporate assets and access to business systems, or not complying with any of these policies, is subject to necessary disciplinary action which may include termination of employment.


Incident Response Policy

1.0 Purpose

  • The purpose of this policy is to ensure the proper investigation of, and response to, computer security incidents and data breaches by clearly defining IT roles and responsibilities.

2.0 Scope

  • This policy applies to information systems, regardless of ownership or location, used to store, process, transmit or access Jagran New Media’s Data as well as all personnel including employees, temporary workers, contractors, those employed by contracted entities and others authorized to access enterprise assets and information resources. 

3.0 Policy

  • The Information Technology (IT) Team detects and investigates security events to determine whether an incident has occurred, and the extent, cause and damage of incidents.
  • It directs the recovery, containment and remediation of security incidents and may authorize and expedite changes to information systems necessary to do so. The team coordinates response with external parties when existing agreements place responsibility for incident investigations on the external party.
  • In the course of conducting security incident investigations, the team is authorized to monitor relevant IT resources and retrieve communications and other relevant records of specific users of the Organisation’s IT resources, including login session data and individual communications, without the need for notice or additional approval and in accordance with the Monitoring of IT Resources Policy.
  • Any external disclosure of information regarding information security incidents must be reviewed and approved by the IT Administrator & higher management as appropriate.
  • The Team coordinates with law enforcement and government agencies for relevant Information Sharing and Analysis in the identification and investigation of security incidents. 

4.0 Responsibilities

  • All employees, staff, consultants, vendors of the Organisation are responsible for promptly reporting any suspected or confirmed security incident involving Organisation’s Data or an associated information system, even if they may have contributed intentionally or unintentionally to the event or incident. 
  • Reports are to be made to the Information Security Office, +91-8375846199, 011-30651100 or support@jagrannewmedia.com. Employees of the Organisation must cooperate with incident investigations, and must not interfere, obstruct, prevent, retaliate against, or dissuade others from reporting an incident or cooperating with an investigation.
  • Information Security Administrators are responsible for unit procedures to train users to recognize and report information security incidents.
