Purpose
To protect personal data which will have information on living individuals who can be identified from the data.
Scope of Applicability
All computing equipment and workstations present within the operational areas.
Policy Statement
Confidentiality, Integrity, and Availability of Information will be ensured by continually implementing appropriate controls based on risk assessments of External and Internal Interested parties considering business (strategic, operational, and technical), statutory, legal, regulatory. and contractual requirements. The risks would be monitored, and appropriate controls would be implemented by continually improving the same.
Objectives
- Production personnel dealing with personal data will not have facility to store data locally.
- No laptops, Mobile Devices are allowed in production bays dealing with personal data.
- Aggressive production targets are set, so that focus of production personnel is on operations and cannot remember any data handled.
- Operations are continuously monitored through supervisors, through software and through video cameras to prevent misuse.
- Statutory, legal, regulatory, and contractual requirements shall be addressed.
- Personal data is retained/ backed up only as required by customer.
- Interruptions to availability of the information shall be minimized through business continuity procedures institutionalized.
- Educates all Softurites that they understand the importance of data security, privacy protection and handle personal information properly.
- Takes proper safety management measures by striving to prevent any privacy protection inadequacies such as unauthorized access as well as personal data loss, corruption, falsification, and leak.
- Exercises adequate supervision so that personal information safety can be properly managed when we outsource the handling of personal information. Signs off NDA with the vendor and individual handling the employee personal data (for the Background verification check)
- Risks within the scope of applicability shall be managed based on their exposure.
- Institutes the privacy protection procedures including the disclosure and correction of personal information.
- Softura recorded video sessions are stored encrypted and protected from unauthorized access.
- Information security breaches shall be addressed with incident management and data privacy breach process.
- There is a strict auditing monitor who has access to the session information.
- Data are classified as
- Public – Company details made available even outside the Organization. E.g.: Information in website / Linked in
- Internal – Details within the Organization. E.g.: Process documents, lessons learnt, best practices.
- Confidential – Information in a project/ department. E.g.: Requirements document, test data
- Private/ Sensitive – Details shared in small group/ one to one basis. E.g.: Payslip, Performance appraisal, etc.
- SOFTURA strictly protects personal information of its monitored subjects.
- Users that are being recorded can get a notification that they are being recorded so that they can limit the usage of personal applications.
- Personal applications can be scoped out of monitoring.
- Restricting the recording to activity logs only: This provides visibility into what users are doing (including search, alert, and report) without taking screenshots. It allows for example to know that a user accessed his bank account, but without details about the account.
- Sessions review can be restricted to specific roles and users.
- Key logging can be configured so that passwords will not be recorded. Information is also hashed and cannot be decrypted.
Review and Approval
We may update our Information Security Policy from time to time consistent to applicable standards, legal, statutory, regulatory requirements. Policy changes are effective immediately after they are posted on our official website. The review and approval authority lies with CISO and Senior management of Softura.
