Security Checklist PAN

This document summarizes the security measures in place at an organization, assessed against the requirements of its information security management system. It lists each security requirement and records whether the organization is compliant (Yes/No). Requirements not met include media sanitization before equipment is transferred, automatic operating-system updates, a non-default BIOS password, and protection of sensitive customer data held at the service provider. Physical security and access controls meet most requirements, but guest/default accounts are not disabled and automatic screen locks are not enforced. External information-system audits by an approved scan vendor are conducted, but external vulnerability assessment and penetration testing (VAPT) is not.


Security Measures as per Information Security Management System

Columns in the original table: Requirement, Compliance (Yes/No), Remarks. The Remarks column is empty for every row and is omitted below. Rows whose Compliance cell is blank in the source are marked "(not recorded)".

General Essentials
  - Single entry and exit point: (not recorded)
  - 24x7x365 physical security at centres: (not recorded)
  - Uninterrupted power supply for security systems: (not recorded)
  - CCTV monitoring/recording 24x7x365 with 2 months of recording backup: No
  - Fire-fighting teams and routine fire drills: No
  - Periodic pest control: No
  - Operating systems with the latest version and patches/firmware across all machines (desktop PCs/laptops): Yes

Malware protection
  - Latest anti-virus software on all systems, with auto-update of signature files and regular "full scans": Yes
  - Installation of File Integrity Monitoring (FIM) software to protect systems from new malware: Yes

Asset Classification
  - Classification, labelling, inventory, physical verification, ownership and access rights of assets and information maintained and periodically reviewed: Yes
  - Policy for acceptable use of the company's assets and information: No
  - Communication of information-handling guidelines/procedures to employees during induction training and annual training: No

Hardening of Desktop machines
  - Access protection to the BIOS by a non-default password: No
  - Disabled unused ports: Yes
  - Disabled USB ports: Yes
  - Turning off booting from USB disk: Yes
  - Disable and uninstall any unnecessary programs, services, scripts, drivers, features, subsystems, file systems and web servers: Yes

Software and Applications
  - Removal of unwanted software and applications from desktops; install only software required to carry out work: Yes
  - Operating system or software versions officially supported by the corresponding vendor are installed: Yes
  - Enable automatic updates via "Windows Update" or Linux "yum auto-update" and use a secure browser: No
  - MAC address binding/mapping for successful connection with service provider software: Yes
  - Enhance user privacy: use third-party tracker blockers, ad blockers and HTTPS-enforcing extensions for the preferred browser: No
  - Deploy a local intrusion detection system (IDS; e.g. system integrity checkers): Yes
  - Computer system support staff must monitor for announced vulnerabilities in their hardware and software: Yes
  - Collection and storage of information should be the minimum needed for the efficient and effective conduct of business functions: No

Access and control
  - Creation of named, password-based user accounts with a secured password policy that requires periodic password changes: Yes
  - Maintain user accounts for active users only: Yes
  - Passwords shall be changed from the vendor defaults: No
  - Restriction or disabling of remote access using privileged user accounts (Windows "Remote Assistance", "TeamViewer", as well as remote SSH connections): Yes
  - Local administrator rights are generally disallowed. Least-privilege mode is used, so that running as administrator is limited to those functions that actually require administrator privileges: Yes
  - Password required to access any feature of the operating system: Yes
  - Account access is logged: Yes
  - Logon banner displayed signifying agreement to abide by Service Provider policies; continued use beyond the banner screen means concurrence: Yes
  - Disabling any guest or default user accounts that could be used to log in locally or remotely: No
  - Restrict access to shared folders: Yes
  - Retention of system-level, application-level and network-level audit logs (e.g. firewall logs) showing both general and privileged access: Yes
  - Enabling an automatic, password-protected screen lock, and locking the screen whenever the PC is unattended: No

Physical Security
  - Disabling remote out-of-band management, or protecting it with a non-default password and keeping a backup copy of that password: Yes
  - Protection of confidential data in physical format: store it under lock and key. The strength of the lock and the characteristics of the storage facility (passive fire resistance, fire alarms, fire suppression systems, break-and-enter alarms, humidity [sentence cut off in the source]: Yes

Secure media (no category label in the source)
  - Secure media sanitization of the disk and file system is used prior to transfer of equipment; the level of sanitization depends on the sensitivity of the information previously on the machine: No
  - Media storing "Sensitive Data" is wiped, in whole or in the relevant part, once the data has become obsolete pursuant to archiving instructions: Yes
  - Broken or defective secure media must be wiped unless repair is possible and the acting company has an industry-standard data protection policy in place. "Repair" also includes replacement of digital media under warranty, provided that the acting company has an industry-standard data destruction policy in place: No
  - Secure media must be physically destroyed, independent of the classification level of the data stored, if wiping is not possible (and repair failed): No
  - Tapes are exempt from wiping for technical and logistical reasons; however, they must be destroyed if they hold or have held "Sensitive Data": Yes

Desktop Security
  - Full disk encryption is used to prevent recovery in the event of desktop or laptop theft. File encryption for non-public files must be used wherever full disk encryption is not possible. This covers OS files, temporary data, recycled files and the Windows registry; even the paging and hibernation files are encrypted: Yes
  - Enable full disk encryption and maintain a backup copy of that password: Yes
  - Service provider information must have one or more of the following protections applied unless stored on a server: 1. be encrypted, or have all personally identifiable information removed or obfuscated (anonymized); or 2. be sanitized (have all verifiable information removed or obfuscated): No
  - Access to confidential information stored securely at the service provider must be controlled in proportion to the information's sensitivity and provided on a need-to-know basis: No

Backups
  - Backup of critical data, with backups tested for readability and protected to the same level as data that is in use: Yes

Other (no category label in the source)
  - Restricted area maintained for access to and storage of data in the company building/premises: Yes
  - No retention, and automated deletion, of customer data (or scanned images, if applicable) from local systems/PCs: Yes
  - External VAPT on a defined frequency on the IT setup: No
  - External information-system audit of the IT systems executed by an Approved Scan Vendor (approved by CERT-In and/or PCI SSC, if applicable) on a defined frequency: Yes
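The File Integrity Monitoring and local IDS rows and the "backups tested for readability" row rest on the same primitive: a hash manifest of what the files looked like at a known-good moment. The script below is an added example written for this page; it is not the checklist's own tooling or any vendor's product. It builds such a manifest, uses it once as a FIM baseline (flagging files added, removed or modified afterwards) and once as the reference a restored backup is checked against. All directory and file names (`data/etc/hosts`, `customer.csv`, `dropper.sh`) and their contents are constructed for the demo.

```python
"""Added example: one SHA-256 snapshot serves as the FIM baseline and as the
manifest a restored backup is checked against. All paths and file contents
below are constructed for the demo; nothing is read from the real host."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files never sit in memory whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root.
    Paths are normalised to '/' so snapshots compare cleanly across hosts."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """FIM-style comparison: files added, removed or modified since baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def make_backup(root: Path, archive: Path) -> dict:
    """Write a gzip tarball of root and return the manifest taken at backup time.
    Files are added one at a time under relative archive names, so the
    tarball never carries absolute paths."""
    manifest = snapshot(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(root / rel, arcname=rel)
    return manifest


def verify_backup(archive: Path, manifest: dict) -> dict:
    """Readability test: restore the archive into a scratch directory and confirm
    every manifest entry comes back with the same hash. Three empty lists mean
    the backup restores cleanly."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(dest, filter="data")  # refuses path traversal (3.12+ and backports)
            except TypeError:                        # older interpreter without the filter argument
                tar.extractall(dest)
        return diff_snapshots(manifest, snapshot(dest))


def demo() -> dict:
    """Run both checks on constructed data and return their results."""
    with tempfile.TemporaryDirectory() as work:
        data = Path(work) / "data"
        (data / "etc").mkdir(parents=True)
        (data / "etc" / "hosts").write_text("127.0.0.1 localhost\n")           # constructed
        (data / "customer.csv").write_text("id,name\n1,constructed record\n")  # constructed
        archive = Path(work) / "backup.tar.gz"

        manifest = make_backup(data, archive)
        restore_result = verify_backup(archive, manifest)  # expect no differences

        # Simulate what FIM exists to catch: an edited file, a deleted file and
        # a new executable dropped after the baseline was taken.
        (data / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 update-server\n")
        (data / "customer.csv").unlink()
        (data / "dropper.sh").write_text("#!/bin/sh\n")
        fim_result = diff_snapshots(manifest, snapshot(data))

    return {"restore": restore_result, "fim": fim_result}


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints both result dictionaries. In a real deployment the baseline belongs off-host: a FIM that keeps its baseline on the monitored machine can be re-baselined by the same attacker who changed the files. Likewise the restore test should be run against the copy that actually leaves the site, not the staging copy, or the "tested for readability" row proves nothing about the backup you would depend on.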

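The row "Disabling any guest or default user accounts that could be used to log in locally or remotely" is marked No, and the checklist gives no way to verify it. The script below is an added example for this page, not part of the checklist: it reads the contents of /etc/passwd and /etc/shadow (sample contents constructed here, with placeholder hashes) and reports default-named accounts that still have an interactive shell and an unlocked password, plus any account whose password field is empty. The list DEFAULT_ACCOUNT_NAMES is an assumption for the example; replace it with the names your images actually ship with.

```python
"""Added example: flag guest/default accounts that can still log in, from the
contents of /etc/passwd and /etc/shadow. Both samples are constructed for the
demo; the hash strings are placeholders, not real password hashes."""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Assumed list for this example: names that commonly ship enabled on images,
# appliances and vendor builds. Extend it for your own estate.
DEFAULT_ACCOUNT_NAMES = {"guest", "admin", "test", "demo", "ubuntu", "pi", "user"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/bash
admin:x:1002:1002:Admin:/home/admin:/bin/bash
pi:x:1003:1003:Pi:/home/pi:/bin/bash
jdoe:x:1004:1004:J. Doe:/home/jdoe:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$placeholder$hash:19700:0:99999:7:::
nobody:*:19700:0:99999:7:::
guest::19700:0:99999:7:::
admin:$6$placeholder$hash:19700:0:99999:7:::
pi:!$6$placeholder$hash:19700:0:99999:7:::
jdoe:$6$placeholder$hash:19700:0:99999:7:::
"""


def parse_colon_file(text: str, min_fields: int) -> list:
    """Split passwd/shadow-style lines into field lists; skip comments and short lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            rows.append(fields)
    return rows


def login_capable(shell: str, pw_field: str) -> bool:
    """True if the account can authenticate locally: an interactive shell and a
    password field that is not locked. A leading '!' or '*' marks a locked
    account; an empty field means no password is required at all."""
    if shell in NOLOGIN_SHELLS:
        return False
    return not pw_field.startswith(("!", "*"))


def audit_accounts(passwd_text: str, shadow_text: str) -> list:
    """Return (account, reason) pairs for guest/default accounts left enabled and
    for any account that needs no password. An account present in passwd with
    no shadow entry is treated as locked here, since its 'x' placeholder has
    nothing to be checked against."""
    shells = {f[0]: f[6] for f in parse_colon_file(passwd_text, 7)}
    pw_fields = {f[0]: f[1] for f in parse_colon_file(shadow_text, 2)}
    findings = []
    for name, shell in shells.items():
        field = pw_fields.get(name, "!")
        if not login_capable(shell, field):
            continue
        if field == "":
            findings.append((name, "no password set"))
        elif name in DEFAULT_ACCOUNT_NAMES:
            findings.append((name, "default/guest account still enabled"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {reason}")
```

Against the sample data it reports guest (no password set) and admin (default account still enabled); pi is ignored because its hash is prefixed with "!", and nobody because its shell is nologin. Feed it the real files as root with audit_accounts(Path("/etc/passwd").read_text(), Path("/etc/shadow").read_text()). On Windows desktops the same row is answered by confirming the built-in Guest account is disabled (net user Guest reports "Account active No").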