Information Security Policy
Personiv has established a robust Information Security Policy to secure its Information Systems. It provides a framework to protect computers, networks and sensitive information from cyber-attacks. Information security policies also outline the action to be taken in order to preserve Personiv’s critical information and information processing facilities from unknown cyberattacks from various sources.
Personiv regularly provides awareness training to its employees, with updates on cybersecurity threats of consequence to Personiv and how to handle them effectively. We ensure that every employee understands the importance of cybersecurity and complies with the policies, processes and procedures in place. It is Personiv's culture that every employee is an Information Security partner.
TOP MANAGEMENT COMMITMENT
Cybersecurity measures are not possible without Top Management's support and commitment. Top Management must ensure that the necessary resources are provided and that roles and responsibilities are assigned in order to ensure cybersecurity. At Personiv, Top Management exhibits complete commitment to defending against cyber-attacks by providing the necessary support and resources. Personiv has assigned responsibility by appointing a Security Officer to monitor security activities.
Top Management has set up a committee to oversee Information Security threat mitigation activities and it is headed by the Site head of the facility.
International management system standards such as ISO 27001 provide guidelines for Information Security. Personiv has implemented ISO 27001 at its facility with the aim of preserving the Confidentiality, Integrity and Availability of its critical and sensitive information and information processing facilities.
On the other hand, ISO 9001:2015 provides Standards & Guidelines for managing documented standard operating procedures for all activities within Personiv.
Regular internal audits are conducted by certified internal auditors to verify that the system conforms to the management system requirements as well as Personiv's own security requirements. Internal audits provide substantial information about the effectiveness of the current processes and procedures, and about the implementation and maintenance of the system.
Personiv conducts Vulnerability Scans/System audits to evaluate the system’s weaknesses and implements controls accordingly.
Personiv has a unique talent acquisition policy and procedure for selecting employees to suit its requirements. This policy outlines clear expectations and rules to be followed while choosing candidates, which include screening and background verification.
PROCESSES & TECHNOLOGIES DEPLOYED
Having obtained a good understanding of the threats and the responses to them, the next step is to incorporate actions, tasks and rules into the daily running of the business, both to limit the likelihood of cybersecurity compromises and to limit the degree to which they affect our business. Below are some of the measures that keep our organization cyber secure:
Personiv has appropriate network architecture that supports business requirements. It supports the organization to mitigate the risk arising from various threats.
Backups are used to recover lost, damaged or compromised information and the more up-to-date the backup, the quicker you can recover from the glitch. Backing up the assets and information protects us from losing information caused by accidental deletion, system failures, data corruption or theft. For performing a backup, we either utilize closed storage or an external storage center.
Our operating systems are configured to back up data at frequent intervals. Full system backups are used to restore computers when the operating system is compromised and the system cannot be accessed.
We conduct backups of all the files and folders daily using the RHA (Replication High Availability) Process. This is considered a good benchmark for all backups by international standards.
A well-established Backup & Recovery Policy and procedure is implemented at Personiv to ensure that backup activities are carried out as per the policy and schedule.
PATCH THE APPLICATIONS
Patching applications is one of many activities we carry out to reduce cyber risk, covering security vulnerabilities in security software, applications and operating systems. Millions of attacks are directed at businesses daily as attackers try to exploit vulnerabilities in existing software, and patching helps us keep that software secure. New methods of exploitation are discovered daily; to counter this, we recommend applying patches regularly to all applications used at Personiv.
MONITOR REMOTE INTERNET USAGE
When employees' personal internet usage starts choking the bandwidth meant for business purposes, the employee internet monitoring function helps identify the user(s) responsible, the websites visited and the websites that consumed the bandwidth. Not visiting unintended sites for personal use and not clicking on unintended links or sources is considered one of the most effective practices employees can follow to prevent viruses or attackers from stealing company data or gathering information about it.
MANAGEMENT OF REMOVABLE MEDIA
Removable media devices are a key vector by which malware can be introduced into Personiv systems. Hence, their use is completely restricted on all systems and controlled by the antivirus application. Any activity involving removable media can be readily identified and reported by the system administrator.
There is no single mechanism that guarantees a secure system on the network, since any security framework can be subverted or compromised, if not from outside then from within. Ultimately, securing a system means implementing distinct layers of cybersecurity, so that an attacker must compromise two or more systems to gain access to critical assets. The first step in enforcing policies is to define the policies that will be enforced. Security measures often constrain employees in their working practice and make some activities less convenient, which is why security regulations have to be formally laid down. Network policies therefore govern how a system should be implemented and configured to streamline employees' tasks under ordinary conditions, and also control how to respond in the event of abnormalities.
Network security design begins by identifying network segments with different security requirements; some segments will be openly accessible, others will not. Hence, to implement cybersecurity for different divisions or subdivisions, perimeters are erected that can only be crossed by certain types of traffic, giving public, private and semi-private networks.
The boundaries of such network segments are formed by devices such as routers, gateways, bridges and switches, which are capable of regulating and controlling the flow of packets into and out of the segment. Communication and monitoring devices are deployed in the network for various purposes, configured according to requirements, and accessed on the basis of the privileges and profile assigned to each user. In addition, each employee signs an NDA not to disclose details from inside the perimeter; this covers only the legal angle of any threat.
Internet access policies automatically block all sites recognized as inappropriate (particularly social media websites) for every employee. In addition, web access is granted based on the requirements or nature of the process the employee works in. The Internet connection forms a network topology of its own and interfaces with significant resources of the organization, for instance servers and accounts sections, so it is filtered and monitored appropriately.
VIRTUAL PRIVATE NETWORK
A VPN provides a means of securing information while it travels over an untrusted network. VPN use is permitted only for employees using organization-owned systems. All types of remote access are routed through a corporate-approved VPN on standard operating systems with suitable security patches. Access to a company PC from home over the web is not permitted. To secure the system when a VPN is used for remote access, the IT manager must ensure that sufficient protection is applied at the endpoints by using L2TP with IPsec. Additionally, VPN vendors incorporate firewalling functionality in their clients to filter traffic.
Communication ports at the workstation, inbound or outbound, for unneeded services are kept blocked, apart from essential services such as HTTP and HTTPS. It is commonly observed that ports opened for a few administrative tasks are left open unnecessarily, which lets an attacker breach the system with ease. Such controls are applied by the system administrator at the firewall as the primary line of defence. Hence a workstation that communicates directly with the web is restricted in its use, and only authorized communication services or ports may be used for inbound connections.
When a user connects to an insecure, open network such as the Internet, a large doorway for potential attacks is opened, and one of the best ways to defend against exploitation is to use firewalls. Enforcement policies are set and vary with the type of firewall and with how resources are deployed on the network. For dedicated server access, an application proxy firewall is placed between the remote user and the dedicated server to hide the identity of the server.
Secondly, where the requirement is traffic filtering based on source and destination IP address and port, a packet-filtering firewall is useful and also keeps transmission fast. On the other hand, where speed is not a concern, a stateful inspection firewall, which keeps a state table, is the appropriate choice: it dynamically validates each connection and forwards the packet. Moreover, NAT (Network Address Translation) is also employed, as it complements the use of firewalls in providing an extra measure of security for the organization's internal network, especially in preventing DDoS and many SYN flooding attacks. In addition to the previous controls, IP packet filtering is used to block a specific IP address from communicating with the server.
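To make the distinction between the two filter types concrete, the following is an added example written for this page, not Personiv's own code or configuration. It models a default-deny packet filter that permits only outbound HTTP/HTTPS, beside a stateful inspection filter that additionally keeps a state table so that replies to connections opened from inside are accepted without any inbound port being opened, and it applies the per-address block list mentioned in the last sentence. All addresses, ports and rules are constructed for the example.

```python
"""Added example (not Personiv's own code): stateless vs stateful filtering
over constructed traffic. Addresses and rules are made up for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str     # "out" = leaving the internal network, "in" = arriving from outside
    syn: bool = False  # True for the first packet of a new TCP connection


INTERNAL_PREFIX = "10.0.0."         # constructed internal address range
ALLOWED_OUTBOUND_PORTS = {80, 443}  # only HTTP/HTTPS, as in the policy text


def stateless_allow(p: Packet, blocked: Set[str]) -> bool:
    """Default-deny packet filter: permit only outbound HTTP/HTTPS from internal
    hosts. Reply packets are dropped because this filter keeps no memory of the
    request that solicited them, which is why such setups end up opening ports."""
    if p.src_ip in blocked or p.dst_ip in blocked:
        return False
    if p.direction == "out" and p.src_ip.startswith(INTERNAL_PREFIX):
        return p.dst_port in ALLOWED_OUTBOUND_PORTS
    return False


class StatefulFilter:
    """Stateful inspection: the same outbound rule, plus a state table keyed by
    (internal ip, internal port, remote ip, remote port)."""

    def __init__(self, blocked: Set[str]):
        self.blocked = blocked
        self.state: Set[Tuple[str, int, str, int]] = set()

    def allow(self, p: Packet) -> bool:
        if p.src_ip in self.blocked or p.dst_ip in self.blocked:
            return False
        if p.direction == "out" and p.src_ip.startswith(INTERNAL_PREFIX):
            if p.dst_port in ALLOWED_OUTBOUND_PORTS:
                self.state.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
                return True
            return False
        # Inbound: accept only a non-SYN packet that answers a tracked connection.
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return key in self.state and not p.syn


def run_scenario() -> Dict[str, List[bool]]:
    """Constructed traffic: an internal host opens HTTPS to an external server,
    the server replies, an outsider sends an unsolicited SYN to the internal
    host, and an internal host tries to reach a blocked address."""
    request = Packet("10.0.0.5", 51000, "203.0.113.10", 443, "out", syn=True)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000, "in")
    probe = Packet("198.51.100.7", 40000, "10.0.0.5", 443, "in", syn=True)
    to_blocked = Packet("10.0.0.5", 51001, "198.51.100.9", 443, "out", syn=True)
    blocked = {"198.51.100.9"}  # constructed block-list entry
    traffic = (request, reply, probe, to_blocked)
    stateful = StatefulFilter(blocked)
    return {
        "stateless": [stateless_allow(p, blocked) for p in traffic],
        "stateful": [stateful.allow(p) for p in traffic],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The stateless filter passes the request but drops the legitimate reply, which is the pressure that leads administrators to open inbound ports; the stateful filter passes the reply because it matches the state table, while still refusing the unsolicited SYN and any traffic involving a blocked address.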
INTRUSION DETECTION SYSTEM
An Intrusion Detection System is deployed for anomaly detection and monitoring of unauthorized access, as an additional line of defence where the firewall or antivirus are not adequate.
The IT Administrator continuously checks system and security log files for anything suspicious. Additionally, an advanced antivirus product with built-in IDS/IPS capability is used to check for inappropriate auditing rights, elevated privileges, incorrect group memberships, altered permissions, registry changes, inactive users and more. Traditionally IDS software is installed on top of an OS, but network-capturing IDSs are increasingly deployed as hardware appliances for performance reasons.
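The log review described above can be partly automated. The following is an added example, not Personiv's tooling or the product it uses: detection logic run over a handful of constructed log lines in a simple key=value format, flagging additions to privileged groups, permission and registry changes, and accounts with no successful logon within a window. The log format, the group names, the 90-day inactivity threshold and the account list are all assumptions made for the example.

```python
"""Added example (not Personiv's own code): simple log-review checks over
constructed key=value log lines. Format, names and thresholds are assumed."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}  # assumed group names
CHANGE_EVENTS = {"permission_changed", "registry_changed"}
INACTIVITY_LIMIT = timedelta(days=90)                     # assumed threshold

# Constructed sample log: timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z host=ws-17 event=group_member_added user=jdoe group=Administrators by=svc_deploy
2024-05-01T09:15:44Z host=ws-17 event=logon user=jdoe result=success
2024-05-01T09:20:01Z host=srv-02 event=permission_changed target=Finance by=tlee
2024-05-02T11:05:12Z host=srv-02 event=logon user=tlee result=success
2024-05-02T11:07:30Z host=srv-02 event=registry_changed key=Run by=tlee
2024-01-15T08:00:00Z host=ws-03 event=logon user=temp_contractor result=success
2024-05-02T12:00:00Z host=ws-03 event=logon user=temp_contractor result=failure
"""
KNOWN_ACCOUNTS = ["jdoe", "svc_backup", "temp_contractor", "tlee"]  # constructed
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)                    # constructed


def parse_line(line: str) -> Dict[str, object]:
    """Split 'TIMESTAMP k=v k=v ...' into a dict; the timestamp becomes 'ts'."""
    ts, *fields = line.split()
    rec: Dict[str, object] = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def analyse(log_text: str, now: datetime, known_users: Iterable[str]) -> List[Tuple]:
    """Return findings as tuples whose first element names the check that fired."""
    findings: List[Tuple] = []
    last_logon: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        event = rec["event"]
        if event == "group_member_added" and rec.get("group") in PRIVILEGED_GROUPS:
            findings.append(("privileged_group_add", rec["user"], rec["group"], rec["by"]))
        elif event in CHANGE_EVENTS:
            findings.append((event, rec["host"], rec["by"]))
        elif event == "logon" and rec.get("result") == "success":
            user = rec["user"]
            seen = last_logon.get(user)
            last_logon[user] = rec["ts"] if seen is None else max(seen, rec["ts"])
    # Accounts with no successful logon inside the window (or none at all).
    for user in sorted(known_users):
        seen = last_logon.get(user)
        if seen is None or now - seen > INACTIVITY_LIMIT:
            findings.append(("inactive_user", user))
    return findings


def demo() -> List[Tuple]:
    return analyse(SAMPLE_LOG, NOW, KNOWN_ACCOUNTS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Only successful logons count toward activity, so the failed attempt by the dormant contractor account does not reset its clock; a service account that never logs on interactively will also be listed, which is the kind of result a reviewer then confirms against the account's purpose.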
Data that passes in unencrypted form through many devices on the network, including switches and routers, is vulnerable to attacks such as spoofing, SYN flooding, sniffing, data alteration and session hijacking. Although we have no control over the devices the data passes through, the sensitive data or communication channel is secured against access to the extent possible. If data must be transmitted over a network securely, the following measures need to be taken to mitigate the risk of an attack:
- Authenticate the identity of people (and/or computers) who send packets
- Ensure that there is no data tampering
- Protect the data so that it cannot be read by any unauthorized individual between the user and the source.
The strength of a secret key or password is determined by a few constraints, such as minimum length, password age, use of special characters and reuse restrictions, which decide the average number of guesses an attacker must make to discover the secret, and by the ease with which the attacker can test the validity of a guessed password.
Instead of a traditional password, use a passphrase. While a standard password is 8 to 10 characters in length, a passphrase can be twice as long. A passphrase is generally stronger: it is more memorable than a password, which reduces the need to write it down, and because it is longer, a phrase or quote dictionary attack is almost impossible if the passphrase is well constructed.
Personiv has established a robust password management policy to regulate the passwords used for logins and authentication. This helps users choose strong passwords that cannot be guessed or cracked easily.
All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least once every three months, which is the recommended change interval. User accounts that have system-level privileges granted through group memberships or programs must have a password that is unique from all other accounts held by that user, and these accounts are managed centrally.
PASSWORD PROTECTION STANDARDS
Personiv employees are not allowed to use the same passwords for Personiv accounts as for other non-Personiv access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, Personiv employees are restricted from using the same password for various Personiv access needs.
Personiv employees are restricted from sharing their passwords with anyone, including administrators and supervisors, under any circumstances. All passwords created must be treated as sensitive, confidential Personiv information.
Vendor-supplied defaults must be changed before a system is installed on the network, including but not limited to passwords and simple network management protocol (SNMP) community strings, and unnecessary accounts must be eliminated. The following rules also apply:
- Personiv IT Operations must verify user identity before performing password resets with prior approval from a supervisor.
- Personiv employees are restricted from using group, shared or generic accounts and passwords, or other such authentication methods.
- Personiv employees are restricted from submitting a new password that is the same as any of the last three passwords they have used.
- Personiv has limited repeated access attempts by locking out the user ID after five attempts.
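The rules in this section (a 90-day change interval, no reuse of the last three passwords, lockout after five failed attempts, and a preference for long passphrases) are the kind a login system enforces in code. The following is an added example written for this page, not Personiv's own implementation: a small account model that stores salted PBKDF2 hashes, keeps a password history so reuse can be detected without keeping plaintext, expires a password by age, and locks the account after the fifth failure. The 12-character minimum length and the PBKDF2 iteration count are assumptions; the other thresholds are taken from the policy text.

```python
"""Added example (not Personiv's own code): enforcement of the stated password
rules. MIN_LENGTH and PBKDF2_ROUNDS are assumed; the other limits follow the text."""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

MIN_LENGTH = 12                 # assumed minimum; the policy gives no exact figure
MAX_AGE = timedelta(days=90)    # "changed at least once every three months"
HISTORY_DEPTH = 3               # "the same as any of the last three passwords"
LOCKOUT_THRESHOLD = 5           # "locking out the user ID after five attempts"
PBKDF2_ROUNDS = 100_000         # assumed work factor


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, user_id: str):
        self.user_id = user_id
        self.history: List[Tuple[bytes, bytes, datetime]] = []  # newest first: (salt, digest, set_at)
        self.failed_attempts = 0
        self.locked = False

    def check_policy(self, candidate: str) -> Optional[str]:
        """Return a rejection reason, or None if the candidate is acceptable."""
        if len(candidate) < MIN_LENGTH:
            return f"shorter than {MIN_LENGTH} characters"
        # Compare against the last three hashes, each under its own salt.
        for salt, digest, _ in self.history[:HISTORY_DEPTH]:
            if secrets.compare_digest(_hash(candidate, salt), digest):
                return "matches one of the last three passwords"
        return None

    def set_password(self, candidate: str, now: datetime) -> Optional[str]:
        reason = self.check_policy(candidate)
        if reason is None:
            salt = secrets.token_bytes(16)
            self.history.insert(0, (salt, _hash(candidate, salt), now))
        return reason

    def is_expired(self, now: datetime) -> bool:
        return not self.history or now - self.history[0][2] > MAX_AGE

    def authenticate(self, attempt: str, now: datetime) -> str:
        """Return 'ok', 'expired', 'denied', 'locked' or 'no password set'."""
        if self.locked:
            return "locked"
        if not self.history:
            return "no password set"
        salt, digest, _ = self.history[0]
        if secrets.compare_digest(_hash(attempt, salt), digest):
            self.failed_attempts = 0
            return "expired" if self.is_expired(now) else "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True
            return "locked"
        return "denied"


def demo() -> Dict[str, Optional[str]]:
    """Walk one constructed account through each rule and collect the outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = Account("jdoe")
    out: Dict[str, Optional[str]] = {}
    out["too_short"] = acct.set_password("short one", t0)
    out["accepted"] = acct.set_password("correct horse battery staple", t0)
    out["login"] = acct.authenticate("correct horse battery staple", t0)
    out["reuse"] = acct.set_password("correct horse battery staple", t0)
    out["expired"] = acct.authenticate("correct horse battery staple", t0 + timedelta(days=91))
    for _ in range(LOCKOUT_THRESHOLD):
        out["lockout"] = acct.authenticate("not the password!", t0)
    out["after_lockout"] = acct.authenticate("correct horse battery staple", t0)
    return out


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print(f"{rule}: {outcome}")
```

A successful logon resets the failure counter, so the five attempts must be consecutive to trigger the lock, and because the history holds only salted hashes the reuse check never needs old passwords in clear text.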