ISMS_Policy_A.18.1.3-18.1.4_Data and Privacy Protection Policy

1         Purpose

To protect personal data, that is, information about living individuals who can be identified from that data.

2         Scope of Applicability

All computing equipment and workstations present within the operational areas.

3         Policy Statement

Id      Policy
03.01   Confidentiality will be maintained on all personal data handled.

4         Objectives

  • Production personnel dealing with personal data will not have the facility to store data locally.
  • No laptops or mobile devices are allowed in production bays dealing with personal data.
  • Aggressive production targets are set so that production personnel focus on operations and are not in a position to memorize any data handled.
  • Operations are continuously monitored by supervisors, by software and by video cameras to prevent misuse.
  • Personal data is retained or backed up only as required by the customer.
  • Educates all Softurites so that they understand the importance of privacy protection and handle personal information properly.
  • Takes proper safety management measures by striving to prevent any privacy protection inadequacies, such as unauthorized access, and personal data loss, corruption, falsification and leakage.
  • Exercises adequate supervision so that the safety of personal information is properly managed when its handling is outsourced. An NDA is signed with the vendor and with each individual handling employee personal data (for background verification checks).
  • Institutes privacy protection procedures, including the disclosure and correction of personal information.
  • Recorded Softura video sessions are stored encrypted and protected from unauthorized access. Strict auditing is maintained of who has access to the session information.
  • Only permitted users that have access to the Softura Web Console can view sessions and search the user activity database.
  • Data are classified as:
    • Public – Company details made available even outside the Organization, e.g. information on the website or LinkedIn.
    • Internal – Details within the Organization, e.g. process documents, lessons learnt, best practices.
    • Confidential – Information in a project or department, e.g. requirements documents, test data.
    • Restricted – Details shared in a small group or on a one-to-one basis, e.g. payslips, performance appraisals, etc.
  • SOFTURA strictly protects the personal information of its monitored subjects.
    • Users who are being recorded can receive a notification that they are being recorded, so that they can limit their use of personal applications.
    • Personal applications can be scoped out of monitoring.
    • Recording can be restricted to activity logs only. This provides visibility into what users are doing (including search, alert and report functions) without taking screenshots; for example, it records that a user accessed their bank account, but no details about the account.
    • Session review can be restricted to specific roles and users.
    • Keylogging can be configured so that passwords are not recorded. Recorded keystroke information is also stored hashed, so it cannot be recovered in plaintext.

5         Summary of Responsibilities

All projects dealing with personal data, and the HR department.

6         Violation of Policy

Senior management and operations personnel involved in the project dealing with personal data.

7         Reference to Standard

ISO 27001:2013

8         Review and Approval

This policy is approved by, has full support of and is reviewed quarterly by the senior executive management of Softura.
