Raphacure shall implement adequate security policies, procedures and controls to protect the confidentiality, maintain the integrity and ensure the availability of information stored, processed and transmitted through its information systems. This Information Security Policy (hereinafter referred to as the ‘Policy’) is a key component of the overall information security management framework and should be read alongside the more detailed, organisation-specific information security documentation, including system-level security policies, security guidance, protocols and procedures. Implementation of this Policy will ensure adequate information security for Raphacure and its personnel.
The objective of this Policy is to protect Raphacure information resources from accidental or intentional unauthorized access, modification or damage, whether from internal or external threats, by enforcing appropriate controls with the following objectives:
The Policy also covers the safeguarding of the necessary resources and associated capabilities. Raphacure is committed to reviewing and evaluating the performance of the ISMS and improving it on a continual basis in order to protect business and organisational information. Its information systems comply with relevant laws and regulations and with recognised international standards such as ISO 27001:2013 (Information Security Management Systems), and Raphacure is committed to meeting its customers’ information security requirements and reviewing them on a continual basis.
The scope of the Raphacure ISMS and of the security policy contained in this document covers Raphacure employees; information and data; information systems such as software, hardware, firmware, and storage and transmission media; information in physical and electronic form; and the computer networks used by Raphacure. The ISMS applies to the primary care and urgent response services. This security policy applies to all personnel who access Raphacure information or use Raphacure information systems. Personnel are defined as all employees, contractors, sub-contractors and on-site third-party vendors who access Raphacure resources.
The scope of the ISMS covers the Raphacure office at “38/3, 6th Cross, VIBGYOR High School Road, opp. Thomas Square, HSR Extension, Reliable Tranquil Layout, Bengaluru 560102, Karnataka, India”.
The teams/functions listed below are responsible for implementing and maintaining the controls defined in this Policy.
5. Policy Statements
This document represents the official mandate from Raphacure to all users of its information and information assets, intended to ensure the confidentiality, integrity and availability of those assets in line with the requirements of regulatory agencies and with relevant legal requirements.
The policy statements for each domain are as follows:
5.1. Organisation of Information Security
An organisational structure for information security, with defined roles and responsibilities, shall be in place to ensure the security of systems on an ongoing basis and to support and sustain the Raphacure business vision.
5.2. Human Resource Security
Personnel at all levels shall understand their responsibilities towards information security and shall be suitable for the roles for which they are considered. This includes security responsibilities in job definitions, user training, and responding to security incidents and malfunctions of information assets.
5.3. Asset Management
All assets associated with information and information processing facilities shall be identified and documented to indicate the ownership and importance, and shall be classified, used and protected in accordance with criticality and sensitivity.
5.4. Access Control
Access to information shall be controlled to prevent unauthorized access while ensuring that authorized users have the access they need.
5.5. Physical and Environmental Security
The organisation shall protect and minimize disruptions to office premises and equipment (IT and non-IT) from physical and environmental threats like theft, vandalism, natural disaster, man-made catastrophes and accidental damage which may lead to disruption of business operations.
5.6. Operations Security
Responsibilities and procedures for managing the information systems environment shall be established to prevent security incidents, operational errors and unauthorized access to information, including protection against data loss, malware and the exploitation of technical vulnerabilities.
5.7. Communications Security
There shall be network security controls implemented for internal or external networks in order to protect business information from unauthorized access and enable effective usage of various networking, communications and computing facilities.
5.8. Incident Management
Information security events, and behaviour associated with information and/or systems, shall be reported and responded to appropriately in order to minimize the damage caused by incidents.
5.9. Change Management
The scope of change management includes all operating systems and applications in distributed systems environments. It applies to a wide range of change efforts, from the introduction of a new product or system with broad external and/or internal impact, to a simple modification of an internal program with little or no visibility. Every change, regardless of scope, must be introduced into the production environment in a systematic and controlled manner.
5.10. Acceptable Usage
There shall be guidance available for acceptable and appropriate use of information assets by all staff.
5.11. Cryptography
The organisation shall ensure the proper and effective use of cryptographic controls to protect the confidentiality, authenticity and/or integrity of information. These controls include encryption, digital signatures, and TLS (HTTPS) for communications in transit.
5.12. Backup and Restoration
The organisation shall maintain backups, and the security of backup media, in accordance with business requirements.
5.13. Supplier relationship
The organisation shall require suppliers (outsourcing vendors, agents and third parties) who have access to information to maintain due confidentiality and to adopt such security procedures as advised by the organisation from time to time. Suppliers’ access to assets shall be restricted to the information they require to complete the contracted work.
5.14. Systems Acquisition and Development
Appropriate security controls shall be defined for all new information systems and for enhancements to existing information systems. The Information Security Team shall be involved at the relevant stages of the System Development Life Cycle (SDLC) to ensure that security control requirements are defined and adhered to for new information systems and for enhancements to existing ones.
5.15. E-waste Management
The lifecycle of all IT assets spanning from acquisition to disposal shall be managed in a manner which conforms to sound environmental norms.
5.16. Business Continuity Management
Adequate processes shall be in place to develop, maintain and test the plan for business continuity management to ensure availability of the organisation’s services.
5.17. Compliance
All relevant statutory and regulatory requirements with which the organisation must comply shall be explicitly defined, documented and kept up to date. All relevant information security requirements shall be incorporated in contractual documents. Privacy and protection of personally identifiable information shall be ensured in accordance with relevant laws and regulations.
5.18. Information Security in Project Management
The organisation shall devise controls to embed information security and privacy in Project Management Life Cycle. Information Security controls shall be taken into consideration for all the organisation’s projects to achieve confidentiality, integrity and availability of information or resources during and after the project.
5.19. Information Security Risk Management
A risk management framework shall be established to manage the overall security exposure of the organisation.
6. Security Awareness
The organisation shall ensure that the people who use and manage information (including senior management, middle management, end users, third-party consultants and customers) are adequately trained and made aware of all related aspects, so as to improve the overall security posture of the organisation.
7. Policy Framework
The Information Security Policy is supported by information security procedures and guidelines which provide necessary actions to adhere to these security policies. The information security procedures shall be derived from the policy statements and provide the details of necessary actions to achieve the objectives of the policy statement.
8. Policy Review and Approval
The Information Security Policy shall be reviewed at least annually to ensure that it remains current. Changes to the Policy shall be agreed with the concerned stakeholders and then authorised by the responsible teams.
9. Disciplinary Actions for Violations to the Policy
While Raphacure respects the privacy of its personnel, it reserves the right to audit and/or monitor their activities and the information stored, processed, transmitted or handled by them using Raphacure information systems. Raphacure expects its personnel to comply with its information security policies. If any personnel are found to be in breach of the security policies and procedures, appropriate disciplinary action shall be taken, proportionate to the severity of the breach. For violations that may result in the disclosure, unavailability or alteration of ‘Confidential’ information, the employee shall be reprimanded directly and their employment may be terminated.
Disciplinary actions for an information security breach could include:
All instances of a security breach or non-compliance with the Policy shall be reported to the Information Security Team (IST). Depending on the severity of the breach, the IST shall escalate it to senior management for further action. Violations, including suspected violations, shall be investigated, and the IST may recommend disciplinary action in accordance with the Raphacure code of conduct, policies or applicable laws.
10. Handling Exceptions and Deviations
Exceptions or deviations from the Policy, wherever warranted, shall be approved only by the Information Security Officer (ISO). Every exception or deviation requires a business justification approved by the relevant department head. For major deviations, the ISO shall obtain approval from the concerned stakeholders.
11. Management Review Meeting
Raphacure shall review and evaluate the performance of the information security management system (ISMS) at a management review meeting held at least yearly, in order to improve the ISMS on a continual basis and to protect business and organisational information.