This policy covers the safe use of sensitive information (passwords, financial information such as bank account details, biometric information, IT security audit information and outcomes, cybercrime issues shared with us by members of the public, employee information, etc.) that is collected, received, possessed, stored, dealt with and handled by DR CBS Cyber Security Services LLP. It applies to all employees, vendors, clients and stakeholders operating and using computers, computer systems and computer resources on behalf of the organization.
4.1: For our purposes, personal sensitive information includes:
a. Passwords and other credentials, such as software license keys.
b. Financial information such as bank account numbers, credit or debit card numbers, or other payment instrument details.
c. Biometric information.
d. IT security audit information (such as IT infrastructure details, audit outcomes, reports and other business information) of the auditee organization.
e. Personal information (such as name, parents' names, address, email, mobile number, chats, screenshots and other evidence) shared by people with the organization's official email address or in written documents in order to get help in a cyber emergency.
f. Personal details such as name, parents' names, mobile number, email and address of participants, collected in training and awareness programs.
g. Any other business communication and information received through email and other communication media.
4.2: The purpose of collecting, receiving, possessing, storing, dealing with and handling the personal sensitive data or information of any person, stakeholder or organization is to provide the following services of the organization:
a. Information Technology (IT) Audit.
b. Cybercrime Prevention Through Awareness.
c. Training Regarding Investigation of Cyber Crimes.
d. Secure Software Development.
4.3: We may retain your personal sensitive information for as long as there is a business requirement, or if otherwise required under an applicable lawful contract.
4.4: We at DR CBS Cyber Security Services LLP do not sell or share your personal sensitive information with any third party without seeking your prior permission.
4.5: Disclosure: When required, DR CBS Cyber Security Services LLP may disclose personal sensitive information to external law enforcement bodies or regulatory authorities in order to comply with legal obligations. To obtain it, the law enforcement body or regulatory authority shall send a written request to DR CBS Cyber Security Services LLP, clearly stating the purpose for which the information is sought. The agency shall also state that the information so obtained shall not be published or shared with any other person.
4.6: We adopt appropriate and reasonable security practices and procedures, including administrative, physical and technical controls, to safeguard your personal sensitive information in line with the guidelines and security controls enumerated in the various Information Security Management Standards (ISMS).
4.7: We maintain non-disclosure agreements (NDAs) with employees to preserve the confidentiality, integrity and availability of our stakeholders' sensitive information.
4.8: DR CBS Cyber Security Services LLP may review and change this policy periodically or when the need arises, and the updated policy will be made available on the website (www.drcbscyber.com). Our commitment to protecting the privacy of stakeholders will remain unchanged.
- Policy Compliance:
a. Compliance Measurement: Management will verify compliance with this policy through various methods.
b. Non-Compliance: An employee found to have violated this policy may be subject to strict disciplinary action.
i. ISO 27001:2013: Cl.5.2, Cl.7.4; A.8.2, A.13.2.1, A.13.2.2, A.13.2.4, A.18.1.1, A.18.2.1, A.18.2.2
ii. Information Technology (I.T. Act) Security Guidelines: 2.a, 3, 5.2, 5.3, 7
iii. The Information technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, IT Act 2000
iv. Cyber security Framework: RS.CO
v. COBIT 5: PO6.5
vi. ITIL (As per ISO 27001 standards)
i. ISO 27001:2013: Cl.5.2, A.18.2.1, A.18.2.2; Sch. II.2 of the IT Act: the policy should be documented, reviewed, communicated and made available to all employees and interested parties.
ii. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, IT Act 2000: collecting, receiving, possessing, storing, dealing with and handling private sensitive information, and the reasonable security practices that apply to it.
iii. Information Technology (IT Act) Security Guidelines: security of and control over sensitive information.
iv. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, IT Act 2000: disclosure of sensitive information to law enforcement agencies and government agencies; ISO 27001:2013: A.18.1.