
PRIVACY POLICY

ACCESS CONTROL POLICY

    1.1 USER ACCESS TO INFORMATION, DATA AND APPLICATION
  • ESIC Datacenter/DR users must be granted access to information, data and applications strictly on a "need to access" and "need to know" basis.
  • Access control matrix shall be maintained for IT infrastructure and applications.
  • Access to information services must be controlled through unique user IDs, wherever possible, so that each user can be held accountable for their actions.
  • User access rights to applications and data must be assigned only by the application administrator, on receipt of a documented approval from the designated authority, as well as from CISO. All access requests must include the purpose for request of access and nature of access.
  • The designated authority and the application administrator must ensure that the level of access granted is appropriate to business requirements; application access is confirmed by the CISO.
  • If for any reason a user's access rights need to be modified or revoked, the designated authority concerned must send an intimation to the application administrator, who shall then modify/revoke the access rights after approval from the CISO.
  • Users must be required to re-authenticate after a specific period of inactivity. Wherever possible, sensitive applications shall use an inactivity timeout of 5 minutes.
  • All users must be granted, “Read” access to all information classified as “public”. Other rights to such information must be strictly reserved with the owner of such information.
  • Third party/Supplier access to IT infrastructure and applications shall be permitted after due authorization from Information Owner.
  • Sensitive Equipment and Servers shall be protected through physical and/or logical access controls.
  • Browsing Internet sites from production Servers other than those pertaining to OS & application updates shall be prohibited.
  • Physical and logical access to sensitive equipment and servers shall be reviewed quarterly. Access logs shall be monitored on a defined interval.
  • System Administrators shall monitor the systems to detect deviation from access control policy and report the violations as per the Security Incident Management policy.
  • Systems shall be configured to alert on exceptions, network intrusion attempts and malware infections.
  • Users shall not use any means to clear logs or caches in order to delete evidence of access to network devices, servers, databases and applications.
  • To ensure the accuracy of audit logs, IT infrastructure and applications shall have clock synchronization.
  • Access to network and network services
  • Users shall not connect any new resources to the network without prior documented approval from the IT Management Group location manager.
  • Network connectivity from User Desktops and Laptops to Servers on backbone, DMZ and to the remote networks/systems shall be controlled and managed by IT management group.
  • The ESIC network shall have appropriately secured gateways/firewalls to segregate the internal and external domains and to isolate customer networks.
  • Network Routing Controls shall be deployed by IT Management Group to control information flow in the network and to ensure that the Information access control policy is complied with.
  • Lab, Test and Development environments shall be logically segregated from the Production environment.
  • Operating systems and applications shall be configured to run only the required services and the access to such services shall be limited to intended use for the business unit.
  • System utilities shall be used only after formal validation or testing by IT Management Group.
  • Users shall be made aware of their responsibilities towards acceptable usage of resources granted to them by Information Asset/Risk Owners.
  • Users shall protect critical information (documents/media) under their possession, from unauthorized physical and logical access.
  • User registration and de-registration
  • User Account creation and deletion shall be followed as per User Access Control Procedure / Access Management.
  • All users should be granted access to the information systems and services through a formal user registration process, which includes approval of access rights from authorized personnel (Team Lead) before granting access.
  • All users should follow a formal de-registration process for revocation of access to all information systems and services, which should include automated or timely intimation and revocation of access rights.
  • User access provisioning
  • Users shall be authenticated before accessing Servers, Network devices, Applications, Desktops, Laptops, mobile devices and managed technical devices such as Attendance readers, smart card readers etc.
  • User shall read and sign applicable customer specific Non-Disclosure Agreements (NDAs) along with any other associated agreements before being provided with any physical or logical access to a particular ESIC’s/ customer's work area, IT infrastructure and applications.
  • Management of privileged access rights
  • Access to information resources shall always be granted on an official need-to-know and least-privilege basis. The following shall be considered before granting access:
  • Eligibility criteria before granting access.
  • List of facilities, systems, and data to which access needs to be granted.
  • Justification for granting various accesses based on business requirements.
  • Any special instructions from ESIC before granting access.
  • All contractual obligations regarding protection of (or access to) data and services.
  • Privileges associated with each type of information system, such as operating systems, business applications, databases and network elements, should be identified and documented.
  • Privileges should be allocated to individuals based on the requirements of their job function and role, on authorization from appropriate personnel. Privileges beyond what the job function requires shall be granted only after approval from appropriate personnel.
  • Management of secret authentication information of users
  • All user passwords should remain confidential and should not be shared, posted or otherwise divulged in any manner.
  • An initial password should be provided to the user securely during the user creation process, and the system should be configured to force the user to change the initial password immediately after the first logon.
  • Appropriate procedures should be put in place for storing and managing administrative passwords for critical information systems.
  • The following password and account policy should be enforced for all user and administrative accounts on operating systems, applications, databases and all other information protected by password controls:
  • Refer – Password Management Section (1.4).
  • Review of user access rights
  • The access control matrix shall be reviewed quarterly by the Information Security Officer/Information Risk Owner, and more frequently as required.
  • Removal or adjustment of access rights
  • User's access shall be disabled on the last working day on separation from the organization or movement to another role.
  • Guest accounts shall be removed on installation of systems.
  • Default system accounts provided by vendor/service provider shall be renamed.
  • A user's access to accounts on ESIC shared sites, shared network folders and portals shall be disabled on the last working day upon separation from the organization; upon movement to another role or out of a customer account, the access shall be revised or revoked to remove project-related access.
  • User Responsibilities
  • The cooperation of authorized users is essential for effective security.
  • Users should be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment.
  • A clear desk and clear screen policy shall be implemented to reduce the risk of unauthorized access to, or damage to, papers, media and information processing facilities.
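  The quarterly review of the access control matrix above is, in practice, a reconciliation: what each system actually grants is compared against the approved matrix and the HR leaver list, and every difference is a finding. The block below is an added illustration, not part of the ESIC policy and not ESIC tooling. It reports privilege creep (rights held but never approved), separated users still holding access, accounts with no approved entry at all, and vendor default accounts that section 1.3 requires to be disabled. The user names, systems, roles and dates are constructed for the example.

```python
"""Quarterly access-rights review: reconcile what systems actually grant with the
approved access control matrix and the HR leaver list.

Added illustration only. Users, systems, roles and dates are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date

# Approved access control matrix: user -> {(system, role)}. Constructed sample.
APPROVED = {
    "asharma": {("payroll-app", "clerk"), ("file-server", "read")},
    "rkumar": {("payroll-app", "approver"), ("file-server", "read")},
    "dba01": {("payroll-db", "dba")},
}

# Entitlements as exported from the systems themselves. Constructed sample.
ACTUAL = {
    "asharma": {("payroll-app", "clerk"), ("file-server", "read"),
                ("payroll-db", "dba")},          # creep: DBA role never approved
    "rkumar": {("payroll-app", "approver"), ("file-server", "read")},
    "dba01": {("payroll-db", "dba")},
    "tmehta": {("file-server", "read")},         # left the organization, still enabled
    "guest": {("file-server", "read")},          # vendor default account, never removed
}

# HR leaver list: user -> last working day. Constructed sample.
SEPARATED = {"tmehta": date(2016, 6, 30)}

# Well-known default account names that section 1.3 requires to be disabled.
DEFAULT_ACCOUNTS = {"guest", "administrator", "sa", "root"}


@dataclass
class ReviewFindings:
    excess: dict = field(default_factory=dict)          # user -> rights not in the matrix
    missing: dict = field(default_factory=dict)         # user -> approved rights not granted
    unapproved_users: set = field(default_factory=set)  # accounts with no matrix entry
    stale_leavers: set = field(default_factory=set)     # separated users still holding access
    default_accounts: set = field(default_factory=set)  # default accounts still present


def review_access(approved, actual, separated, review_date):
    """Compare granted rights against the matrix and leaver list as of review_date."""
    f = ReviewFindings()
    for user, granted in actual.items():
        if user in DEFAULT_ACCOUNTS:
            f.default_accounts.add(user)
        if user in separated and separated[user] <= review_date:
            f.stale_leavers.add(user)
        if user not in approved:
            f.unapproved_users.add(user)
            continue
        extra = granted - approved[user]
        if extra:
            f.excess[user] = extra
    for user, allowed in approved.items():
        lacking = allowed - actual.get(user, set())
        if lacking:
            f.missing[user] = lacking
    return f


def run_sample_review():
    """Run the review over the constructed data as of a fixed review date."""
    return review_access(APPROVED, ACTUAL, SEPARATED, date(2016, 8, 29))


if __name__ == "__main__":
    findings = run_sample_review()
    for name, value in vars(findings).items():
        print(f"{name}: {value}")
```

  Each finding maps to an action the policy already names: excess rights go back to the application administrator for revocation, stale leavers and default accounts are disabled, and unapproved accounts are either added to the matrix with a documented approval or removed. Running the same reconciliation on every export, rather than only quarterly, is what turns the review into a detection control.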
  • System and Application access control
  • Information access restriction
  • Operating systems and applications shall be configured to run only the required services, with access to those services limited to their intended business use.
  • System utilities shall be used only after formal validation or testing by ESIC.
  • Access to the system and application shall be based on the unique identifier (e.g. UID, User ID).
  • Access to critical applications shall only be allowed through Intranet after carrying out information security risk assessment and formal authorization by Information owner.
  • Systems and applications shall require users to re-authenticate after a defined number of minutes of idle session.
  • Designated System Administrators shall monitor the systems to detect deviation from access control policy and report the violations as defined in Security Incident Management procedure.
  • Systems shall be configured to alert on exceptions, and network management alarms.
  • Users shall not use any means to clear logs or caches in order to delete evidence of access to network devices, servers, databases and applications.
  • To ensure the accuracy of audit logs, IT infrastructure and applications shall have clock synchronization built in.
  • All logs/record evidence will be stored as per the defined retention policy for each application. Where necessary for legal, contractual or security-incident reasons, specific logs may be retained for a longer duration.
  • The audit trail shall record, at minimum, each user log-on failure together with its date, time, source IP address and login name. Audit logs shall be reviewed as per the Log File Monitoring procedure.
  • On separation of an employee from ESIC, all user access privileges and login access shall be revoked as per the timelines circulated by Admin (disabling is done on the date specified). For joining employees, access will be provided with the approval of the manager, and every user will be given a user ID with only the limited access needed by the business.
  • Logical access to application software and information shall be restricted to authorized users.
  • Secure log-on procedures
  • The log-on process on any system shall display only the limited information about that system and its intended use.
  • Systems shall not reveal internal menus/applications, system structure or system/application identifiers until the log-on process has completed successfully.
  • Systems shall have logon banner stating the system's use is meant only for authorized users and activities are monitored.
  • Systems shall not display automated help screens during the log-on process.
  • Unsuccessful log-on attempts if any, shall be logged on the systems, monitored and reviewed at appropriate intervals.
  • Password management system
  • Refer – Password Management Section (1.4)
  • Use of privileged utility programs
  • For the use of system utilities following guidelines should be considered:
  • Use of identification, authentication, and authorization procedures for system utilities
  • Segregation of system utilities from applications software
  • Limitation of the use of system utilities to the minimum practical number of trusted, authorized users
  • Authorization for ad hoc use of system utilities
  • Limitation of the availability of system utilities, e.g. for the duration of an authorized change
  • Logging of all use of system utilities
  • Defining and documenting of authorization levels for system utilities
  • Removal or disabling of all unnecessary software based utilities and system software
  • Not making system utilities available to users who have access to applications on systems where segregation of duties is required.
    1.2 ACCESS LOGS
  • Access logs must be monitored and reviewed on a weekly basis. All access alerts shall be reviewed weekly and a report submitted monthly. In case of a breach, an incident must be reported to the Information Security Manager/CISO.
  • The recording of a user's name/ID in a system's logs shall be deemed conclusive proof that the user performed the action associated with the transaction.
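  The audit-trail fields required in 1.1 (log-on failure, date, time, source IP address, login name) are enough to make the weekly review above more than a visual scan. The block below is an added example, not part of the policy and not an ESIC system. It parses a constructed log in an assumed one-line format and flags the three things a reviewer would escalate: an account reaching the five-failure lockout threshold of section 1.4, a successful logon immediately after such a burst, and a single source address failing against several different accounts (password spraying). It also counts records it could not parse, because a log that silently loses lines is not the conclusive evidence the previous bullet relies on. The log format, user names and addresses are assumptions for the illustration.

```python
"""Weekly review of log-on audit records. Added illustration; the one-line log
format below is assumed, and every record is constructed, not captured."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit format carrying the fields the policy requires
# (date, time, event, login name, source IP). Not a real ESIC log format.
LOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGIN_OK|LOGIN_FAILED) user=(?P<user>\S+) src=(?P<src>[0-9.]+)$"
)

# Constructed sample log (not from any real system).
SAMPLE_LOG = """\
2016-08-22 09:14:03 LOGIN_FAILED user=asharma src=10.20.1.15
2016-08-22 09:14:09 LOGIN_FAILED user=asharma src=10.20.1.15
2016-08-22 09:14:15 LOGIN_FAILED user=asharma src=10.20.1.15
2016-08-22 09:14:22 LOGIN_FAILED user=asharma src=10.20.1.15
2016-08-22 09:14:30 LOGIN_FAILED user=asharma src=10.20.1.15
2016-08-22 09:14:41 LOGIN_OK user=asharma src=10.20.1.15
2016-08-22 09:20:01 LOGIN_FAILED user=rkumar src=10.20.1.33
2016-08-22 09:20:12 LOGIN_OK user=rkumar src=10.20.1.33
2016-08-22 23:02:10 LOGIN_FAILED user=rkumar src=203.0.113.7
2016-08-22 23:02:14 LOGIN_FAILED user=dba01 src=203.0.113.7
2016-08-22 23:02:19 LOGIN_FAILED user=tmehta src=203.0.113.7
2016-08-22 23:02:25 LOGIN_FAILED user=administrator src=203.0.113.7
<<corrupt record: the reviewer must know it was skipped>>
"""


def parse_log(text):
    """Return (events sorted by timestamp, number of unparsable records)."""
    events, bad = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if not m:
            bad += 1
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["event"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events, bad


def audit_logons(events, threshold=5, window=timedelta(minutes=10), spray_users=3):
    """Produce (kind, user, src, timestamp) findings:
    LOCKOUT_THRESHOLD  - `threshold` failures for one account inside `window`
    SUCCESS_AFTER_BURST - a LOGIN_OK while the account's consecutive failures >= threshold
    PASSWORD_SPRAY     - one source failing against >= `spray_users` distinct accounts in `window`
    """
    findings = []
    recent_fail = defaultdict(deque)   # user -> timestamps of failures inside the window
    src_fail = defaultdict(deque)      # src  -> (timestamp, user) of failures inside the window
    consecutive = defaultdict(int)     # user -> failures since the last success
    burst_flagged, spray_flagged = set(), set()
    for ts, event, user, src in events:
        if event == "LOGIN_FAILED":
            consecutive[user] += 1
            q = recent_fail[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and user not in burst_flagged:
                burst_flagged.add(user)
                findings.append(("LOCKOUT_THRESHOLD", user, src, ts))
            s = src_fail[src]
            s.append((ts, user))
            while s and ts - s[0][0] > window:
                s.popleft()
            if len({u for _, u in s}) >= spray_users and src not in spray_flagged:
                spray_flagged.add(src)
                findings.append(("PASSWORD_SPRAY", None, src, ts))
        else:  # LOGIN_OK
            if consecutive[user] >= threshold:
                findings.append(("SUCCESS_AFTER_BURST", user, src, ts))
            consecutive[user] = 0
    return findings


def run_sample_audit():
    """Review the constructed log; returns (findings, unparsable_record_count)."""
    events, bad = parse_log(SAMPLE_LOG)
    return audit_logons(events), bad


if __name__ == "__main__":
    findings, bad = run_sample_audit()
    for kind, user, src, ts in findings:
        print(f"{ts} {kind} user={user} src={src}")
    print(f"unparsable records: {bad}")
```

  SUCCESS_AFTER_BURST deserves particular attention: if the lockout in section 1.4 is enforced, a successful logon after five failures should be impossible, so the finding is evidence either of a lockout exception on that account or of a credential being guessed before the lockout took effect. Either way it is an incident under the policy, not a routine alert.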
    1.3 MANAGING USER ID’S
  • User Ids must follow a standard naming convention for all computer systems to facilitate user identification. Naming conventions shall cover all end users, contractors, consultants and vendors.
  • The Application / System Administrators are responsible for identifying Inactive accounts or dormant accounts and disabling them.
  • If a user account has been inactive for more than 60 days, the system should automatically disable the account, wherever possible. The system administrator must reactivate the account only after receiving a written request from the user and approval regarding the same from DC/DR Technical Manager.
  • System Administrator must logon using their normal User Id when performing regular work duties rather than logging in as the Administrator. Use of Administrator profile must be limited to administrative activities only.
  • "Guest" accounts and other default accounts must be disabled on all servers, applications and databases unless required for a valid, documented business reason.
    1.4 PASSWORD MANAGEMENT
  • Access to a majority of the computing resources shall be controlled using User-Ids and passwords for identification and authentication. Hence, it is necessary that all users adhere to the following guidelines relating to passwords:
  • The minimum length of passwords must be set as 8 alphanumeric characters.
  • Passwords shall not be created from personal information such as family names, pet names or birthdays, or from dictionary words.
  • A password expiration period of 45 days shall be set, so that users are forced to change their passwords at regular intervals.
  • The system must force the user to change the password at the time of the initial logon.
  • User Ids must be locked after 5 incorrect password attempts.
  • Default passwords, of all systems or applications must be changed.
  • A password history of last 4 passwords must be maintained.
  • All users must be made to sign an undertaking to keep passwords confidential and acknowledge liability for transactions done using their passwords. No user shall disclose passwords even to any system administrator or Helpdesk.
  • If passwords have been compromised, the user shall inform the system administrator immediately and change the password.
  • Passwords must never be displayed in clear text or stored in readable form in batch files, automatic login scripts or other locations.
  • Deactivation
  • Five consecutive invalid login attempts by a user will automatically lock or deactivate the user account. For privileged accounts, any exception to lockout shall be documented and approved by the ESIC DC/DR Manager.
  • Re-activation
  • When a login account has been deactivated, the administrator will reactivate it on receipt of a request from the user, with the approval of the Team Lead and intimation to the ESIC DC Manager.
  • During odd hours (late night hours/night shifts) the administrator will seek approval from the Team Lead, who in turn will obtain consent from the Operations Head over the phone. The administrator will then reply to the user's mail request recording the details of the telephonic approval, with intimation to the Information Security Manager. Where telephonic approval cannot be obtained (because the approving authority is unavailable), the administrator will confirm the authenticity of the user's mail either by speaking to the user in person or by calling the user over the phone. After such confirmation the administrator shall activate the user account and reply to the user's mail request stating all details, with intimation to the Team Lead/Information Security Manager as applicable.
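  The rules in this section (8 alphanumeric characters, no dictionary or personal words, 45-day expiry, forced change at first logon, lockout after 5 attempts, history of the last 4, no clear-text storage) are simple enough to enforce mechanically, and enforcing them in code is what stops them from being optional. The following is an added example, not ESIC code: a small account model that stores only salted PBKDF2 hashes, keeps the last four hashes for the history check, locks the account on the fifth consecutive failure, and refuses to reactivate it without a recorded approver. "8 alphanumeric characters" is read here as at least eight characters containing both letters and digits. The word list, the user's personal terms and the scenario in run_scenario() are constructed for the illustration.

```python
"""Password and lockout policy of section 1.4 enforced in code. Added illustration;
the word list, user names and scenario below are constructed, not ESIC data."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 8                   # minimum password length
MAX_AGE = timedelta(days=45)     # password expiry period
HISTORY_DEPTH = 4                # number of previous passwords that may not be reused
LOCKOUT_THRESHOLD = 5            # consecutive failures before the account locks
PBKDF2_ROUNDS = 100_000

# Stand-in for a dictionary/blocklist; a real deployment loads a full word list.
DICTIONARY = {"password", "welcome", "summer", "monsoon", "esic"}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, user_id, initial_password, now, personal_terms=()):
        self.user_id = user_id
        self.personal_terms = {t.lower() for t in personal_terms}  # names, DOB, etc.
        self.history = []          # (salt, digest), newest last; never the clear text
        self.failed_attempts = 0
        self.locked = False
        self.must_change = True    # initial password must be changed at first logon
        self.changed_at = now
        self._store(initial_password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        del self.history[:-HISTORY_DEPTH]          # keep only the last four

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def validate_new_password(self, candidate):
        """Return the list of policy violations; an empty list means acceptable."""
        problems = []
        if len(candidate) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
            problems.append("must contain both letters and digits")
        low = candidate.lower()
        if any(w in low for w in DICTIONARY | self.personal_terms):
            problems.append("built from a dictionary word or personal information")
        if any(self._matches(candidate, e) for e in self.history):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        return problems

    def change_password(self, candidate, now):
        problems = self.validate_new_password(candidate)
        if problems:
            return problems
        self._store(candidate)
        self.changed_at = now
        self.must_change = False
        return []

    def login(self, password, now):
        """One of: 'locked', 'bad-password', 'change-required', 'expired', 'ok'."""
        if self.locked:
            return "locked"
        if not self._matches(password, self.history[-1]):
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked = True
                return "locked"
            return "bad-password"
        self.failed_attempts = 0
        if self.must_change:
            return "change-required"
        if now - self.changed_at > MAX_AGE:
            return "expired"
        return "ok"

    def reactivate(self, approved_by):
        """Re-activation needs a recorded approver (Team Lead per the policy)."""
        if not approved_by:
            raise PermissionError("reactivation requires a recorded approver")
        self.locked = False
        self.failed_attempts = 0


def run_scenario():
    """Walk one constructed account through the policy; returns observed outcomes."""
    t0 = datetime(2016, 8, 1, 9, 0)
    acct = Account("asharma", "Welcome1", t0, personal_terms=["sharma", "anil"])
    out = {}
    out["first_logon"] = acct.login("Welcome1", t0)            # initial password: change forced
    out["weak"] = acct.validate_new_password("Sharma2016")     # personal information
    out["reuse"] = acct.validate_new_password("Welcome1")      # history hit
    out["change"] = acct.change_password("Kx7v9q2mWz", t0)     # acceptable
    out["wrong"] = [acct.login("nope", t0) for _ in range(LOCKOUT_THRESHOLD)]
    out["while_locked"] = acct.login("Kx7v9q2mWz", t0)         # right password, still locked
    acct.reactivate(approved_by="team-lead")
    out["after_reactivation"] = acct.login("Kx7v9q2mWz", t0)
    out["after_expiry"] = acct.login("Kx7v9q2mWz", t0 + timedelta(days=46))
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

  Two points worth noting. The lockout counts consecutive failures regardless of source address, which is what the policy asks for, but it also means an attacker can deliberately lock out a known user ID; the re-activation procedure above is the compensating control, and the approver is recorded for that reason. Substring matching against a short word list is a placeholder for the dictionary and personal-information check; a production deployment would load a full word list and the user's HR attributes.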
    1.5 SECURING INFORMATION ON LAPTOPS AND DESKTOPS
  • All desktops and laptops shall have a power-on password when initially "booting-up" the system.
  • Floppy drives on all end-user machines must be disabled, wherever possible, to prevent copying of ESIC data for unauthorized use.
  • All desktops and Laptops must have up-to-date anti-virus software installed. The System Administrator or Help Desk must ensure that updated anti-virus software is installed in all Desktops and Laptops.
  • The folders or disk drives in individual desktops or laptops must not be shared unless appropriate access controls have been enabled on the folder or the disk drive. Sharing of any information classified as restricted or confidential is not permitted.
  • Necessary precautions should be taken by laptop users to ensure privacy and confidentiality of ESIC data contained in laptop hard disk.
  • Any removable media devices, such as CD Writers must not be provided for individual desktops or laptops unless authorized in writing by the immediate controlling authority.
    1.6 SECURITY OF UNATTENDED USER EQUIPMENT
  • It is the responsibility of the user of computer equipment to ensure that it is not left logged in when leaving the equipment unattended.
  • Whenever a user leaves equipment unattended, it shall be secured with a password-protected screen saver; wherever available, auto log-out/log-off settings shall be used. Other available locking mechanisms shall also be used to protect resources left unattended during or beyond working hours.
  • All active sessions should be terminated, when finished.
  • Inactive terminals must be set to a time out of 10 minutes.
    1.7 USE OF PRIVILEGED USER IDS
  • User ids with high-level access privileges must only be used for administrative activities or in the event of emergency.
  • Passwords of such user ids must be stored in sealed envelopes with CISO. This shall ensure that an authorized employee has access to this password, in the event that the concerned person cannot be reached during an emergency.
  • All emergency actions, which bypass normal access control procedures, must be logged and reported for immediate review by delegated authority.
  • In case of shared privileged user id, proper approval should be obtained from CISO with details of all users sharing user id. Accountability shall be ensured for usage of shared privileged user id.
    1.8 TELEWORKING
  • Remote access to internal systems, i.e. accessing an internal system from a different location through the organization's wide area network, will be given strictly on a need basis and only when absolutely necessary.
  • Remote access control mechanisms will be separate from, and additional to, internal network and application access mechanisms; users will have to authenticate again for the required services after gaining access to the internal network.
  • Remote access will be permitted only for authorized users; under no circumstances will root/admin/super-user accounts, or users with equivalent privileges, be permitted remote access to the data centre's IT systems.
  • Accesses made via a remote connection will be logged and checked on a regular basis.
  • Remote access to business information across a public network using mobile computing facilities shall take place only after successful identification and authentication, and with suitable access control mechanisms in place, such as a VPN using IPsec.
  • Appropriate authorization must be set for the teleworker in accordance with his or her job role.
  • Access rights must be revoked when the teleworking activities are terminated.
  • Appropriate rules and guidance on family and visitor access to equipment and information must be set.
    1.9 RESTRICTING USE OF SYSTEM UTILITIES
  • Access to system utilities must be restricted to authorized personnel in accordance with their business functions and business needs.
  • All unnecessary sensitive utilities must be removed from the system.
  • The use of all system utilities must be logged and regularly reviewed by Concerned IT team.
  • It must be ensured that normal users do not have rights to use system utilities. Any back-end update to data using SQL or similar utilities must be done only after prior written approval.
  • System utilities should be separated from application software.
    1.10 APPLICATIONS & DATABASES
  • Database access control
  • Database commands and utilities shall be restricted to database administrators only.
  • The Central Database Administrator will be responsible for maintaining a record of essential programs and utilities. Changes to these programs and utilities will be made as per the Change Management Policy.
  • All direct updates to the database will be controlled to ensure that such updates are authorized and logged.
  • Access to information and application system functions by users and support personnel shall be restricted in accordance with the access control policy and procedures.
  • The use of utility programs capable of overriding system and application controls shall be restricted and tightly controlled.
  • Restrictions on connection times shall be used, as applicable, to provide additional security for high-risk applications.
  • No employee other than the database administrator shall have direct access to the database of any application system.

DATA HANDLING & STORAGE POLICY

    2.1 DATA COLLECTION
  • Users shall collect information on need-to-know basis to discharge their official duties.
  • Designated authorities shall ensure that collection and usage of data within their domain is compliant with the ESIC ISMS policies.
    2.2 DATA ACCESS
  • Only authorized users shall access sensitive information; all authorisations shall be approved by designated authorities owning the data.
  • Where access to sensitive data has been authorised, user shall limit use of such data for the sole purpose of performing organisation’s business.
  • Users shall respect confidentiality and privacy of data they access, observe ethical restrictions and abide by applicable laws and policies.
  • Notification of user’s termination/ change of department for removal of access shall be intimated by respective HR and Department/ Functional Head.
    2.3 DATA HANDLING & DATA TRANSFER
  • Users shall ensure that adequate security measures are in place when sensitive data is transferred from one location to another.
  • Users shall protect business sensitive information against unauthorised access and shall not leave sensitive information unattended.
  • Sensitive information shall not be taken off-premises unless user is authorized to do so.
  • Sensitive data shall not be transmitted through electronic messaging even to other authorised users unless security methods, such as encryption, are employed.
  • Mobile devices such as Smart Phones, thumb drives or laptops containing business sensitive information shall be protected by use of encryption techniques.
  • Copying and Printing:
  • "Confidential" information must only be printed in owner's presence. The printouts must not be left without attention on the printer or near the Printer area.
  • Making additional copies of, or printing of extra copies of confidential information must not be done without the advance permission of the information owner. Each of the recipients must be informed that either further distribution or additional copying may take place only after the information owner's permission has been obtained.
  • If a copy machine jams or malfunctions when making copies of confidential information, the machine must not be left until all copies of the information are removed from the machine or destroyed beyond recognition using paper shredder(s).
  • All waste copies of confidential information that are generated in the course of copying, printing, scanning or otherwise handling such information, should be destroyed according to approved procedures.
  • Shipping and Handling:
  • Prior to sending any confidential information to a third party/supplier for copying, printing, formatting, or other handling, obtain a signed non-disclosure agreement from the third party.
  • ESIC DC / DR respect and safeguard the classified information, which has been entrusted to it by third parties. ESIC DC / DR personnel should not disclose this information to other third parties unless the originator of the information has provided advance approval of the disclosure, and unless the receiving party has signed an approved Non-Disclosure Agreement (NDA).
  • Confidential information in hardcopy form which is sent via courier should always be tracked with a reference number and should always be marked recipient "signature required."
  • All deliveries of confidential information should be conducted in a way that the recipient formally acknowledges receipt of the information.
  • Transmission by Fax and Phone:
  • If confidential information is to be sent by fax, the recipient should be notified of the time when it will be transmitted, and also have agreed that an authorized person will be present at the destination machine when the material is sent.
  • Confidential information should not be faxed via untrusted intermediaries (hotel staff, rented mailbox store staff, etc.).
  • Confidential information should not be discussed on speakerphones unless all participating parties first acknowledge that no unauthorized persons are in close proximity such that they might overhear the conversation.
  • Following steps should be followed while leaving voice mails of confidential nature to meet business needs:
  • Sender should add a line at start, indicating that the message is confidential
  • Sender should close the message by advising the recipient to delete the message immediately
  • The recipient should read/hear the message in a closed room where there is no possibility of unauthorized persons overhearing.
  • Recipient should delete the message immediately after taking note of the content.
  • To prevent unauthorized interception, Internet telephony, wireless microphones, walkie-talkies, radio local area networks (LANs), radio personal computer docking systems and other unencrypted radio transmissions should not be used for the transmission of confidential information.
  • Movement of Confidential Information:
  • Confidential information should be disclosed after the information owner's explicit authorization has been obtained. If an individual has been granted access to confidential information, this does not imply the authority to disclose it to other persons.
  • Confidential ESIC DC / DR/Customer information should not be read, discussed, or otherwise exposed on aircrafts, restaurants, public transportation, or in other public places.
  • Computers containing sensitive ESIC DC / DR/Customer information should not be checked in to airline luggage systems. These computers must remain in the possession of the traveler as hand luggage.
    2.4 STORAGE OF SENSITIVE DATA
  • Physical protection for all devices storing sensitive data shall be provided.
  • Storage devices and/or servers storing confidential information shall be regularly scanned, patched and backed up.
  • Users shall store critical business data on network drive hosted on managed server.
  • The business sensitive data shall be password protected and to the extent possible must employ encryption to protect data from unauthorized access.
  • Provision of storage space on a central file server shall be made for all employees during creation of user accounts.
    2.5 DATA RETENTION & DISPOSAL OF MEDIA RECORDS
  • Retention of Records Containing Restricted and Sensitive Data: A schedule describing the retention period for each data type shall be maintained.
  • Archiving: Organisational records requiring retention by policy or law shall be archived to adhere to retention requirements.
  • Department/ Functional Heads shall determine retention requirements.
  • Off-site storage facilities for sensitive records shall be approved prior to creation.
  • Disposal:
  • Records shall be destroyed only at the end of their retention period.
  • All sensitive information shall be irretrievably destroyed prior to its disposal. For example: degaussing of magnetic media, shredding or incineration of paper assets.
    2.6 RESPONSIBILITY
  • Supervisory Personnel: Employees having supervisory responsibilities shall:
  • Communicate this policy to personnel under their supervision.
  • Ensure appropriate security practices, consistent with this policy.
  • User Responsibilities: Users who are authorized to access and use sensitive data shall:
  • Access sensitive data on need-to basis for performing organization’s business.
  • Respect confidentiality and privacy of records.
  • Observe ethical restrictions that apply to data.
  • Abide by applicable laws or policies with respect to disclosure of information.
    2.7 COMPLIANCE
  • Compliance with this policy is the responsibility of all ESIC DC employees.

LEGAL COMPLIANCE POLICY

  • All relevant statutory, regulatory and contractual requirements shall be documented and kept updated by information owners.
  • Appropriate standards and procedures shall be defined and implemented by information owners to ensure compliance with legal/ contractual obligations on use of information with respect to intellectual property rights.
  • Third party contracts shall have security clauses clearly defined.
  • All important organizational information and records shall be protected from loss, destruction or falsification in accordance with the legal and contractual requirements.
  • All personal information shall be protected in accordance with the relevant legislations.
  • Users shall make use of the information processing facilities of the ESIC Datacentre for business purposes only and shall be guided by the Acceptable Usage Policy.
  • Advice on specific legal requirements shall be sought from the organization's Legal department.
  • Collection of evidence(s) in cases of action against a person or organization shall be on the basis of the relevant law and shall be as per advice of Legal department.

POINT OF CONTACT

  • For clarification or further information on this policy, contact Chief Information Security Officer/ Legal Department.

ENFORCEMENT

  • All users shall read and abide by this Legal Compliance Policy.
  • Any employee found in violation to this policy shall be subjected to disciplinary action as mentioned under Code of Conduct in Employee Handbook.
Last updated / Reviewed : 29/08/2016
DISCLAIMER: Content owned, maintained and updated by Employee's State Insurance Corporation. Copyright © 2010, ESIC, India. All Rights Reserved.