IT Policy Document
Access Control Policy
1.0 Introduction
This IT Policy outlines the rules relating to authorising, monitoring and controlling access to Jagran New Media accounts, information and information systems. It also provides guidelines that Jagran New Media uses to administer these policies, with the correct procedure to follow. Jagran New Media keeps the IT policy current and relevant. Therefore, from time to time it will be necessary to modify and amend some sections of the IT policy or to add new procedures. Any suggestions or feedback on the policies and procedures specified in this document are welcome.
2.0 Scope
This policy applies to any person or system that is granted, or that grants, access to accounts, information or information systems owned or operated by Jagran New Media.
3.0 Objectives
The stated aim of this policy is to ensure that, by having the appropriate access controls in place, correct information is accessible to authorized personnel at the right time and that access to information is appropriately managed and periodically audited.
4.0 Responsibilities
All personnel (e.g. employees, third parties) at Jagran New Media must adhere to relevant Information Security and Access Control policies and procedures.
All account holders must:
- Use their account and access only in accordance with the Jagran New Media Code of Practice.
- Secure their credentials in line with Jagran New Media’s password guidance.
- Be accountable for the systems, services and data within their control.
- Transfer services and data prior to vacating a role, referring to the Jagran New Media Leaving Process.
Management must:
- Only sponsor (HOD/ HR Team) access requests that have:
  - A documented request (written or email)
  - Sufficient and appropriate justification, based on the requester’s business need
- Document all access request sponsorships
Asset owners must:
- Review access to their assets at periodic intervals and investigate any risk factors that may be present. The review periods will be based on the risk rating of a given asset.
Access administrators must:
- Only grant access requests that have:
  - A documented request (written or email)
  - Sufficient and appropriate justification, as confirmed by the HOD/ HR
  - Documented sponsorship and necessary approval from the designated personnel
- Document all access granted
5.0 Access Control Implementation
- The following headings outline the principles around how access is managed at Jagran New Media:
5.1 Identity Management
- Formal user registration and de-registration processes are implemented to enable the assignment of identities and accounts on an individual basis.
- This ensures accountability for all actions taken by all personnel and associate account users.
5.2 Authentication Management
- Secure authentication controls have been put in place to manage all access to accounts, services and platforms.
5.3 Access Governance
- A formal user access governance process has been implemented to allow or revoke access for all user types to systems and information assets under the control of the Organisation.
- This access provisioning is based on the following principles:
  - Access changes for employees are primarily managed through the Organisation’s Onboarding, Movement & Exit processes.
  - All extra requests for or changes to access are documented and tracked.
  - All access requests or changes require documented justification.
  - Justification will be based on a simple risk assessment and the business need, and will be confirmed by the request sponsor, e.g. HOD or HR SPOC.
  - Requisite sponsorship and due approval is available and documented for all access requests or changes.
  - All access changes granted by administrators are documented and tracked.
  - Reviews of access are performed by relevant asset owners periodically.
- These principles are account type, service, application and system agnostic.
5.4 Access Reviews
- Access to assets, services and systems is reviewed at periodic intervals. How often these reviews are conducted depends on the identified risk pertaining to a given asset and access.
- The relevant personnel are advised to measure the risk relating to each individual asset and assign a risk rating in line with the single asset risk assessment process, as per the Information Security Risk Management policy.
- In case an access anomaly is identified in an access review, it is classified as a likely incident and investigated by the relevant asset owner and information security team.
5.5 Access in Special Circumstances
- It is recognized that there may be special circumstances where extra or privileged access may be needed. For all cases, access to an account, the information contained within an account or information pertaining to the activity of an account, is carefully restricted and must only be executed with the necessary authorisation and checks in place.
Password Management Policy
Responsible Office: Information Technology
1.0 Purpose
- This policy describes Jagran New Media’s requirements for acceptable password selection and maintenance. It outlines recommendations for creating and using passwords in ways that heighten the security of the password and reduce the risk of password theft or misuse. Because of the use of weak passwords, the rise in the number of automated password-cracking programs, and the prevalence of malicious hackers and spammers, passwords are very often the weakest link in securing data. Therefore, it is necessary that passwords follow the policy guidelines listed below.
2.0 Scope
- This policy applies to anyone accessing systems that hold or transmit Jagran New Media’s data. Systems include, but are not limited to, personal computers, laptops, issued cell phones, etc., as well as the organisation’s electronic services, systems and servers. Departmental resources and centrally-managed resources are duly covered under this policy.
3.0 Policy
- All passwords (e.g., server, database, email, web, desktop computer, laptop, mobile device, etc.) should be strong passwords and should follow the guidelines below. As a rule of thumb, length, complexity and frequency of changes will increase a password’s strength. Greater risks require a heightened level of protection. In such situations, stronger passwords must be used together with additional security measures, including multi-factor authentication.
Except where it is technically infeasible, all passwords must meet the following guidelines:
- At least eight (8) alphanumeric characters.
- At least two (2) non-alphabetic characters and at least three (3) alphabetic characters.
- At least one (1) alphabetic character must be upper-case and at least one (1) must be lower-case.
- Passwords must not consist of a single word in any dictionary, language, slang, dialect, jargon, etc.
- Passwords must not consist of easily guessed or obtained personal information, names of family members, pets, etc.
- It is acceptable to use passphrases consisting of three or more dictionary words joined by non-alphabetic characters.
- Credit card numbers or any other personal or fiscally useful information must never be used as a user ID or password, so that identity theft can be prevented.
- All passwords are considered Private information and should be handled according to the Organisation’s Safeguarding Sensitive and Confidential Information Policy. As such, they must never be written down or stored online unless adequately secured.
- Passwords must not be entered into email messages or other forms of electronic communication.
- Passwords for various systems (including laptops, desktops, services, servers, databases and applications) have an “aging” feature that mandates a password change every six months after the last password change. Users and employees are required to abide by such password aging policies.
- Passwords must not be shared with anyone, including administrative or IT personnel. Some exceptions may be allowed with the written consent of the designated individual and must have a primary responsible contact person.
- Shared passwords used to protect network devices will need a designated individual to be responsible for the maintenance of those passwords, and the said individual will ensure that only authorized personnel can access the passwords.
- If a password is suspected of being compromised, it should be changed immediately and the incident reported to the organisation’s IT Help Desk.
- It is recommended that password cracking or guessing be performed periodically or at random by IT Security with support from the authorized system administrator. In case a password is guessed or cracked during one of these security checks, it will be incumbent upon the password owner to change it immediately.
3.1 Server Administrator Passwords
- Furthermore, the following guidelines apply to server administrator passwords, except where technically and/or administratively infeasible:
- Server passwords must be changed in concurrence with related personnel changes.
- IT Security must be informed in case an account or password is suspected to have been compromised and passwords in question must be changed immediately.
- Attempts to guess a password should be limited to ten incorrect guesses. As the next step, access should be locked for at least ten minutes, unless a local system administrator intercedes.
- Consistent and easily understandable responses should be provided for failed attempts. These include simple error messages such as “Access denied”. Such standard responses minimize the clues an attacker could gather from failed attempts.
- Failed attempts should be logged, unless such action results in the display of the failed password. As a best practice, these logs are recommended to be retained for at least 30 days. It is expected that administrators regularly inspect these logs and look out for any irregularities such as suspected attacks.
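As an added example (not code from the Jagran New Media policy), the 3.1 guidelines for failed logins implemented as a small authentication gate: a ten-guess limit, a ten-minute lock that an administrator can lift early, the same “Access denied” reply for every failure, and a failed-attempt log that never records the password. The salted PBKDF2 storage format and the injectable clock are the example's own assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MAX_FAILURES = 10          # ten incorrect guesses ...
LOCKOUT_SECONDS = 600      # ... then locked for at least ten minutes
DENIED = "Access denied"   # the one response given for every failed attempt
SALT_LEN = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-SHA256; only salt||hash is stored, never the password."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0

@dataclass
class Authenticator:
    credentials: Dict[str, bytes]                 # username -> salt||hash
    clock: Callable[[], float] = time.time        # injectable for testing
    states: Dict[str, AccountState] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def login(self, user: str, password: str) -> str:
        now = self.clock()
        state = self.states.setdefault(user, AccountState())
        if now < state.locked_until:
            self._log(user, "locked")             # attempts while locked are not re-counted
            return DENIED
        stored = self.credentials.get(user)
        # Unknown users are hashed too, so the response and timing look the same.
        salt = stored[:SALT_LEN] if stored else bytes(SALT_LEN)
        candidate = hash_password(password, salt)
        if stored is not None and hmac.compare_digest(candidate, stored):
            state.failures = 0
            self._log(user, "success")
            return "OK"
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
            self._log(user, "lockout")
        else:
            self._log(user, "failure")
        return DENIED

    def admin_unlock(self, user: str) -> None:    # local administrator intercedes early
        self.states[user] = AccountState()

    def _log(self, user: str, outcome: str) -> None:
        # The attempted password is never written to the log.
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(self.clock()))
        self.log.append(f"{stamp} user={user} outcome={outcome}")
```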
Data Retention and Destruction Policy
1.0 Overview and Purpose
- The purpose of this policy is to ensure that necessary records and documents of Jagran New Media are adequately protected and maintained, and that records which are no longer needed for organisational purposes are discarded at the right time. Another important objective of this policy is to aid employees in understanding their obligations in retaining and destroying either physical (paper) or electronic documents, including email, text files, digital images, videos and other files, PDF documents, and all Office or other formatted files or paper documents.
2.0 Scope
- This policy applies to all employees, staff, contractors, partners, and other personnel who are responsible for owning, sharing and using records and documents in either paper or electronic formats.
3.0 Policy
- This policy defines the Organisation’s data retention and destruction schedule for both paper and electronic records. The IT Administrator is responsible for the administration of this policy and the implementation of processes and procedures to ensure that the Data Retention Schedule is implemented within the Organisation and its document handling processes.
- The Administrator is also authorized to make modifications to the Record Retention Schedule as needed to ensure that it is in compliance with laws; ensure the appropriate categorization of documents and records on behalf of the Organisation; annually review the policy; and monitor compliance with this policy. This policy applies to all physical (paper) and electronic records generated in the course of the Organisation’s operations, including both original documents and reproductions.
4.0 Data and Document Destruction
- In accordance with applicable laws and the Organisation’s Data Classification Policy, any documents containing personal or confidential information should be destroyed so that the information cannot be practically read or reconstructed.
- For physical (paper) documents, this means that personal or confidential data should be destroyed with a cross-cut shredder.
- For electronic documents, confidential data should be destroyed with the required software or physically such that the information cannot be practically read or reconstructed.
Data Encryption Policy
1.0 Overview and Purpose
This policy outlines the rules relating to the implementation of effective encryption policies and processes. The objective of an encryption policy is to ensure data is encrypted where necessary, recognising that each encryption mechanism protects data only in a particular state. For example, IPSec and SSL are not helpful in protecting data stored on a disk or in a database but do provide encryption when data travels across a network. In the same way, encrypted fields in a database are not helpful in protecting information as it is accessed across the network.
2.0 Scope
- This policy covers all of Jagran New Media’s information, systems, networks, and other information assets, to ensure adequate controls are in place to protect the confidentiality, integrity and availability of the Organisation’s data.
- These critical assets must be managed and controlled to protect the Organisation from loss due to misuse, disclosure, fraud, or destruction.
- This policy applies to all company employees, temporary employees, contractors, consultants, vendors, service providers, partners, affiliates, third parties or any other person or entity authorized to utilize the Organisation’s information resources.
- This includes all information systems, hardware, software, data, media, and paper files inside the Organisation and any approved third-party facilities.
- This policy also pertains to all systems, networks, and users connected to the Organisation’s resources through any means, including but not limited to local access, leased lines, wireless access points, or any other telecommunications device, through either private or public networks.
- It also applies to all third-party local and remote connections as well as non-company assets involved in the storage, processing, or transmission of the Organisation’s information or data.
3.0 Policy
- Cryptographic controls are utilized for sensitive information classified by the Organisation as {PROTECTED} or {RESTRICTED}, including, but not limited to: Personally Identifiable Information (PII), Protected Health Information (PHI), passwords, intellectual property, budget or contract proposals, legal correspondence, and research and development information.
- All encryption mechanisms utilized by the Organisation must be authorized by the appropriate authority. Users must not attempt to utilize any form of cryptography, including, but not limited to, encryption, digital signatures, and digital certificates, which has not been approved and installed/implemented by designated personnel/staff.
- All encryption keys must be managed using the provided key management system. All encryption keys must be secured by the key management system, which should provide access only to a limited set of company personnel. At least two administrators must be provided master keys and privileged access to the key management system. As a security measure, the keys generated by the key management system must be hard to guess and not easily discernible. When keys are transmitted to third-party users, the encryption key must be transmitted over a different communication channel than the data that has been encrypted. All key recovery operations must be authorized and all activities must be logged by the key management system. All logged activities must also be periodically reviewed by the IT Administrator of the Organisation.
- Network Encryption: All sensitive information classified by the Organisation as PROTECTED or RESTRICTED, including, but not limited to, PII, PHI, passwords, and research and development information, must be encrypted when transmitted either inside or outside of the Organisation. This includes transmission of information via email or other communication channels. Remote management activities for the company, such as contractors accessing the network remotely, must consistently employ session encryption.
- Remote access procedures are to be defined, such as using a VPN to access corporate systems while teleworking.
- Hard Disk Encryption: All sensitive information classified by the Organisation as PROTECTED or RESTRICTED, including, but not limited to, PII, PHI, and passwords, must be encrypted. It is recommended that hardware encryption be utilized over software encryption when feasible.
4.0 Compliance
- All users are required to sign the Organisation’s Acceptable Use Policy and acknowledge they understand and will abide by the standards and individual responsibilities it defines. All and any changes to the Acceptable Use Policy are duly communicated to all staff, contractors and other third parties well in time.
- Any user, employee or staff found to be abusing the privilege of using the corporate assets and access to business systems, or not complying with any of these policies, is subject to necessary disciplinary action which may include termination of employment.
Incident Response Policy
1.0 Purpose
- The purpose of this policy is to ensure proper investigation of and response to computer security incidents and Data Breaches by clearly defining IT roles and responsibilities.
2.0 Scope
- This policy applies to information systems, regardless of ownership or location, used to store, process, transmit or access Jagran New Media’s Data, as well as all personnel including employees, temporary workers, contractors, those employed by contracted entities and others authorized to access enterprise assets and information resources.
3.0 Policy
- The Information Technology (IT) Team detects and investigates security events to determine whether an incident has occurred, and the extent, cause and damage of incidents.
- It directs the recovery, containment and remediation of security incidents and may authorize and expedite changes to information systems necessary to do so. The team coordinates response with external parties when existing agreements place responsibility for incident investigations on the external party.
- In the course of conducting security incident investigations, the team is authorized to monitor relevant IT resources and retrieve communications and other relevant records of specific users of the Organisation’s IT resources, including login session data and individual communications, without the need for notice or additional approval and in accordance with the Monitoring of IT Resources Policy.
- Any external disclosure of information regarding information security incidents must be reviewed and approved by the IT Administrator and higher management as appropriate.
- The Team coordinates with law enforcement and government agencies for relevant Information Sharing and Analysis in the identification and investigation of security incidents.
4.0 Responsibilities
- All employees, staff, consultants and vendors of the Organisation are responsible for promptly reporting any suspected or confirmed security incident involving the Organisation’s Data or an associated information system, even if they may have contributed intentionally or unintentionally to the event or incident.
- Reports are to be made to the Information Security Office, +91-8375846199, 011-30651100 or support@jagrannewmedia.com. Employees of the Organisation must cooperate with incident investigations, and must not interfere, obstruct, prevent, retaliate against, or dissuade others from reporting an incident or cooperating with an investigation.
- Information Security Administrators are responsible for unit procedures to train users to recognize and report information security incidents.