In today’s digital world a new technological breakthrough happens almost daily, and each one brings new threats with it. One word must therefore stay at the top of mind for any organization: SECURITY. Based on the business risks and the business continuity assurance required by aQb Solutions Pvt. Ltd., each of the 14 control sections of Annex A of the ISO 27001:2013 standard has been applied. The Annex A controls, and the details of how each has been implemented, are described below.
Information security policies – Organizations are exposed to uncertainties, some of which have negative consequences, and managing them is not an easy task. The organization must therefore understand the potential impact of the various IT security-related threats it faces. To address this, aQb reviews its information security policies at planned intervals and whenever significant changes occur, to confirm that they remain suitable and effective. A management review meeting is held annually, and the security policies are discussed in that meeting as well.
Organization of information security – Information security responsibilities have been clearly defined and communicated to everyone from employees to third-party users, so that each person knows their security role. Duties and areas of responsibility have been segregated to minimize misunderstanding and to reduce the opportunity for unauthorised access.
Human resources security – Newly hired employees are a vulnerable point: information that seems unimportant to them can be valuable to someone else. To address this, employees receive training and regular updates on organizational policies and procedures appropriate to their job function. Employee files are encrypted, and appropriate security measures have been put in place to protect them.
Asset Management – An asset is anything of value to the organization, from a computer to a flash drive. At aQb, employees are instructed to use only company-owned assets; third-party assets are not accepted. Use of USB flash drives or external hard drives is not permitted by default. Where someone genuinely needs to use a flash drive or external drive, the use is logged with the person’s name, the time and the drive’s identification number.
Access control – Access control means ensuring that authorized users can access a service while unauthorized people cannot. To control and verify authorized access, every device is governed by a password management system. Devices are locked whenever they are left unattended, including during lunch breaks. Employees are issued passwords for their devices when they join, and when an employee leaves the company the passwords for the devices they used are changed so that their old credentials no longer work.
In addition, each client’s work is kept in a separate, segregated enclosure, protected by all of the same controls.
Cryptography – Cryptography uses mathematics and algorithms to encrypt information so that it can be read only by those who hold the key. At aQb, sensitive records such as employee files are stored encrypted (see Human resources security above).
Physical and environmental security – Physical and environmental security refers to the measures taken to protect buildings, systems and equipment. Security perimeters (card-controlled entry gates or manned reception desks) are used to protect areas that contain information and information processing facilities. Every employee’s fingerprint is enrolled in the biometric door lock, and fingerprint authentication is required to enter the office. Taking equipment, information or software off-site is not allowed.
Operational security – Before any software is installed it is reviewed by the management team, and installation requires administrator rights so that users cannot install software on their own. All systems run anti-virus software and a firewall to protect against malware. If malware is detected, an investigation is carried out.
Communications security – The network is managed and controlled to protect the information in systems and applications, and is protected by a firewall. A standard form of agreement has been established to govern the secure transfer of business information between the organization and external parties.
System acquisition, development and maintenance – Business-critical applications are reviewed and tested whenever operating platforms are changed, to ensure there is no adverse impact on organizational operations or security.
Supplier relationships – Suppliers may not know much about information security, so when they visit aQb they are briefed on its information security requirements. During the visit the supplier signs a non-disclosure agreement, and the supplier’s name, time of visit and an ID number are logged.
Information security incident management – If employees are not trained, an incident can feel like everything is going haywire: they may not report to the right person, and worse, the person concerned may not know what his or her role is. aQb has therefore trained its employees on management responsibilities and incident procedures, so that everyone knows what to do and whom to report to in the event of an information security incident.
Information security aspects of business continuity management – Information security continuity is embedded in the organization’s business continuity management system. aQb has established, implemented and maintains the processes, procedures and controls needed to ensure the required level of continuity for information security, has obtained ISO ….. certification through BSI, and strictly follows the certified process.