DATAMATICS GLOBAL SERVICES LTD
IT Policy
Datamatics Global Services Ltd. (formerly known as Datamatics Technologies Ltd.) belongs to one of India's largest Information Technology organizations, the Datamatics Group of Companies, established in 1975 by Dr. L. S. Kanodia.
DGSL is in the business of software development and Knowledge Management (KM), wherein state-of-the-art applications are developed to cater to customers' needs. Equally, DGSL takes data supplied by customers, stored passively in conventional form and in people's minds, converts it into knowledge and renders it public, actionable, useful and explicit. Corporations worldwide are reshaping individual business functions to facilitate both the need and the ability to unlock the business potential in corporations through comprehensive IT technology propositions, enabling clients to enhance shareholder value.
To ensure that these IT technologies function and adhere to global standards, certain IT and information security policies are strictly followed by DGSL. These are as under:
Information Back-up Policy
Incremental Back-up
Incremental back-up of all servers is taken on a daily basis (Monday to Friday) on digital linear tape (DLT) media. The cassettes are recycled on a monthly basis, thus ensuring that a minimum of twenty generations are maintained. The cassettes are stored in fire-proof safes.
Full Back-up
Full back-up of the servers is taken on a weekly basis on DLT cassettes. These cassettes are recycled after every four weeks; however, in each month the first week's cassettes are retained for six months. These cassettes are stored off-site at another Datamatics location.
Whenever confidential information is to be backed up, the information owner provides instructions to encrypt the information before sending the back-up request to the Operations department.
Virus and Malicious Code Control Policy
A two-tier protection level is followed to prevent attacks from viruses and other malicious code.
- As perimeter-wide protection, Symantec Antivirus is installed at our network gateways. It checks Internet traffic for viruses, scanning HTTP, FTP and SMTP. For mail scanning, Symantec Mail Security is installed on the mail server and scans all mail for viruses. Signatures are updated on a daily basis so that the latest signatures are available to reduce the impact of malicious code.
- As a second layer of protection, all desktops/servers are loaded with Symantec antivirus software. These desktops connect to the Symantec Antivirus Server (KCSAV) to check for updates.
In the event of a virus attack, the machines found to be infected or vulnerable are detached from the network and cleaned.
Internet Browsing Access Policy
Users are provided with internet access from a browsing area. Care is taken that the browsing area is on a logically separate network and has no access to the internal production network. Alternatively, internet access is also provided to a user for business purposes through the proxy server or directly through the firewall. This is granted purely on approval from his/her department head; the user fills in a user registration form mentioning all necessary details.
Helpdesk facility for Users
Helpdesk is an in-house support facility for PC-related queries and problems.
A user can log a complaint for a malfunctioning PC or any other query related to computer operations in the online complaint register. Constant monitoring of the online register helps the Operations engineer at the site to attend to and solve problems in a timely manner. The Operations engineer attends to the respective call logged in the online register. After attending to a call, the engineer closes it by giving a proper solution to the user. If a call cannot be closed due to some problem, it is escalated to the Operations Manager.
Policy on reporting Security Incident
A user can raise a security incident against the concerned department when he feels an incident has caused a security breach and business impact.
The concerned department head, upon receiving the notification, will resolve and close the security incident.
Desktop Management Policy
Desktop workstations and servers form a significant part of our network and information-security strategy because of the sensitive information often stored on workstations and their connection to the rest of the networked servers.
Upon purchase, desktop workstations and servers are tested to ensure that they function. The necessary form (Procurement Verification Form) is filled in by the concerned person to check the material received against the purchase request. Thereafter they are configured and deployed. During configuration, care is taken to ensure that the equipment satisfies our organization's security requirements.
User Access Management Policy
As part of the security policy for networked systems, only authorized users will have access to the computers/servers. To enforce this, systems are configured to authenticate prospective users and verify what they are authorized for. This is implemented in the following ways as per the requirements. A boot-time or BIOS password is set on the systems so that users cannot change the system settings. All guest accounts on the systems will be disabled. Passwords of administrative accounts will be kept in accordance with the password policy and known to Operations engineers.
A process of user registration is followed whereby a user receives the appropriate rights to the respective systems. Access rights depend on the requirements of the project and the kind of work the employee is going to perform. The user has to fill in a registration form stating his requirements, approved by his concerned superior.
System Management Policy
Securing Server Workstations & Planning and Executing Deployment of Server Workstations
Implementation of this for servers is the same as for desktops.
Installation of the operating system and other software on servers differs from desktop configurations. Normally servers are loaded with a server-edition OS, e.g. Microsoft Windows 2000 Server; subsequent software related to server requirements is loaded thereafter depending on project requirements.
Operations will stay informed of vendors' security-related updates to their products, which may be called updates, upgrades, patches, service packs or hot fixes. Whenever an update is released, Operations will evaluate it, determine whether it is applicable to the organization's computers, and if so, install it.
The Operations engineer will personally install the update on all concerned servers by downloading it from the internet. He will also update the server patch checklist to keep track of the updates present on the respective server at the given time. When a new server is deployed or installed, these security patches are installed over the internet.
NETWORK MANAGEMENT
Network Integration / Implementation
Networks at all Datamatics sites are strategically similar. This helps in integrating the networks at the different sites. Firewalls are in place at each site so that a vulnerability occurring at one site does not compromise the other sites. Static routes as well as dynamic routing are used to direct network traffic according to requirements and avoid congestion.
The details of the links are kept at the respective sites. The details consist of the name of the service provider, contact number, type of link and its destination. Static routes are used on these routers to enforce the path that network traffic needs to follow. The traffic on these links is monitored through PRTG software.
Due care is taken when Cisco routers are configured. The latest running configuration is taken into account before making any changes. Cisco IOS is evaluated and upgraded as per the needs.
Access to and from these links is through SGS (Symantec Gateway Security).
Firewall Management
The firewall is managed from a dedicated workstation. A User ID is created in such a way that only the person with the specific User ID on the specific workstation is able to access the firewall. Further, management of the firewall can be done only after providing the authorized password.
Any new policies or changes to existing ones are first evaluated. The request for any change or addition in policies comes through a Firewall Access Policy Form approved by the concerned functional head. The requirements of new rules are studied and their implications considered. The required changes are then implemented by the Site Operations Manager. The Operations Manager shall maintain the configuration document for firewalls and routers. Whenever changes are performed, the necessary configuration files are updated. Any upgrade or change to a device requires a Change Request Form to be filled in indicating the purpose, and it has to be approved by the functional head.
Configuration baselines are not maintained, as all parameters of networking equipment are dynamic and subject to change. These include bandwidth, IP addresses, static routes, encapsulation, etc.
Customer data security is taken care of by password protection and control systems. The user must change passwords every 45 days. If a machine is inactive for 3 minutes, the screen saver is activated, which is password protected. If a login fails three times, the user must contact the systems administrator, who restores rights only upon confirmation of the user's identity.
Network and System Security
The Datamatics network uses dual-level perimeter security. Cisco router access lists restrict access to our networks at level one, while the Symantec Gateway Security firewall secures the network perimeter at level two. Over and above this, access to a server within the trusted network is allowed using secure logins from VeriSign.
Entry to our networks from the Internet or a leased connection is through one of the Cisco 26xx, 36xx or 47xx series routers. Symantec Gateway Security on secured Linux secures the access path of the incoming user. Users entering our network from an untrusted public network like the Internet get in through an encrypted VPN via a VPN-enabled Cisco router. The Check Point VPN-1 module enables connectivity for our mobile users. A third module, Check Point FloodGate, monitors and controls the bandwidth of our incoming traffic.
Network & System Security tools
- Symantec Gateway Security UTM Server
- Symantec anti-virus for desktops
- VPN connectivity for clients (as required)
- All Desktops are protected with system password and screen saver password.
- All Servers are protected with administrative password, screen saver passwords.
Separate servers are used for the various projects; access to them is restricted by the system administrator and is subject to authorization by the Project Manager for the individuals in that group, as required. These rights are reviewed periodically by Operations.
The DMZ and the trusted network are located behind the firewall. The DMZ caters to our email, FTP and web servers, which are NATted for additional security. Incoming and outgoing HTTP / FTP / www traffic and email content is scanned using SGS UTM for viruses / Trojans / worms / backdoors / malicious content, etc. An intrusion detection system armed with the latest attack patterns is implemented to check for internal and external hacker threats and attacks.
Password Policy:
Do's to be followed while using passwords are as under.
• Passwords should contain both upper and lower case characters (e.g., A-Z, a-z).
• Passwords should have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\{}[]:";'>?,./).
• Passwords should be changed after every 45 days.
• Do ensure that a password becomes automatically unusable after the expiry period.
A list of don'ts while using passwords is as under.
• Don't reveal a password over the phone to ANYONE.
• Don't reveal a password in an email message.
• Don't talk about a password in front of others.
• Don't hint at the format of a password (e.g., "my family name").
• Don't reveal a password on questionnaires or security forms.
• Don't share a password with family members.
• Don't reveal a password to co-workers while on leave or vacation.
• Don't use as a password any word in any language, slang, dialect, jargon, etc.
• Don't write down passwords or store them on-line.
All desktops as well as servers should have a password-protected screen saver that activates after 3 minutes.
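The do's and don'ts above can be enforced mechanically at password-change time. The following is an added example, not part of the original policy document, that checks a candidate password against the stated composition rules (upper and lower case, digits, punctuation, no plain dictionary word) and flags passwords older than the 45-day limit; the word list and dates are constructed for illustration.

```python
import string
from datetime import date, timedelta
from typing import List

MAX_PASSWORD_AGE_DAYS = 45          # from the policy: change after every 45 days
PUNCTUATION = set(string.punctuation)

# Constructed stand-in for a real dictionary / slang / jargon word list.
DICTIONARY = {"password", "welcome", "datamatics", "mumbai", "secret"}


def composition_failures(password: str) -> List[str]:
    """Return the composition rules the password violates (empty list = compliant)."""
    failures = []
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in PUNCTUATION for c in password):
        failures.append("no punctuation character")
    # "Don't use any word in any language": strip digits and punctuation and
    # compare the alphabetic core against the word list, case-insensitively,
    # so that "Password1!" is still caught.
    core = "".join(c for c in password if c.isalpha()).lower()
    if core in DICTIONARY:
        failures.append("alphabetic core is a dictionary word")
    return failures


def is_expired(last_changed: date, today: date) -> bool:
    """True once more than 45 days have passed; such a password must become unusable."""
    return today - last_changed > timedelta(days=MAX_PASSWORD_AGE_DAYS)


def check_password(password: str, last_changed: date, today: date) -> dict:
    """Combine composition and age checks into one verdict."""
    failures = composition_failures(password)
    if is_expired(last_changed, today):
        failures.append("password older than %d days" % MAX_PASSWORD_AGE_DAYS)
    return {"compliant": not failures, "failures": failures}
```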
Access Control Policy:
User access to DGSL’s computing facilities shall be granted as below:
- User can have access to his/her machine.
- User can have access to common network resources on the network.
- User can have access to the servers defined by his/her group head.
- System Administrator shall have super user rights.
DGSL accounts are to be used only for the purpose for which they are authorized and are not to be used for non-DGSL related activities. Misuse of DGSL’s computing facilities shall be treated as a disciplinary matter.
- All generally available systems such as web servers and FTP servers shall be placed behind suitable firewalls. Firewalls shall be configured so that local machines shall not be accessible from the Internet.
- Access to DGSL data servers shall be provided to authorized users only. The access rights shall be periodically reviewed and deleted when found unnecessary or when the concerned person is moved off the project.
- Each user will be assigned a unique User ID. Passwords shall be governed by a password use policy.
- Users, upon user ID creation, will be given the minimum privileges that enable them to perform basic functions such as running installed applications on their machine and storing/deleting data on the local machine.
- Users shall be responsible for protecting any information used and/or stored on/in their DGSL user accounts.
- Users shall not attempt to access any data or programs contained on DGSL systems for which they do not have authorization or the explicit consent of the owner of the data/program or the department head.
- Users shall not make unauthorized copies of copyrighted software, except as permitted by law or by the owner of the copyright.
- Users shall not purposely engage in activity with the intent to:
  - Harass other users;
  - Degrade the performance of systems;
  - Deprive an authorized DGSL user of access to a DGSL resource;
  - Obtain extra resources, beyond those allocated;
  - Circumvent DGSL computer security measures or gain access to a DGSL system for which proper authorization has not been given.
- Electronic communication facilities such as email, access to the Internet, etc. are for authorized DGSL use only. Fraudulent, harassing or obscene messages and/or materials shall not be accessed, sent from or to, or stored on DGSL systems. Users shall not download, install or run security programs or utilities which reveal weaknesses in the security of a system. For example, users shall not run password-cracking programs on DGSL systems.
Firewall Access Policy:
Internal hosts that are accessible externally must be fully patched to mitigate the potential for compromise.
Any internal hosts that are accessible externally will be regularly scanned by Datamatics for vulnerabilities.
Datamatics will provide the following services on its servers for external communications:
1. HTTP or HTTPS
2. FTP
3. Email (SMTP)
4. DNS
All outbound packets are allowed to travel outside, and inbound packets are allowed inside the firewall only if they can be determined to be responses to outbound requests.
All inbound packets from unknown hosts outside the firewall or destined for un-qualified hosts inside firewall are restricted.
Packets known to be from authenticated hosts or users outside the firewall are allowed inside the firewall.
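The three filtering rules above (outbound allowed; inbound only as a response to an outbound request or from an authenticated external host; everything else to unqualified internal hosts restricted) together with the four published services describe a stateful perimeter filter. The following is an added example written for this page, not Symantec Gateway Security configuration, that models those rules over constructed packets; the DMZ host, authenticated host, port numbers and addresses are assumptions, and the allowance for published services on DMZ hosts is inferred from the service list above.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Assumed ports for the four services the policy publishes externally.
PUBLISHED_PORTS = {80, 443, 21, 25, 53}   # HTTP/HTTPS, FTP, SMTP, DNS


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True if the packet arrives from outside the firewall


class StatefulFilter:
    """Model of the stated rules: outbound traffic is allowed; inbound traffic
    is allowed only as a reply to an outbound request, from an authenticated
    external host, or to a published service on a DMZ host (assumed)."""

    def __init__(self, dmz_hosts, authenticated_hosts):
        self.dmz_hosts: Set[str] = set(dmz_hosts)
        self.authenticated: Set[str] = set(authenticated_hosts)
        self.sessions: Set[Tuple[str, int, str, int]] = set()  # outbound requests seen

    def decide(self, p: Packet) -> str:
        if not p.inbound:
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "ALLOW"  # response to an earlier outbound request
        if p.src in self.authenticated:
            return "ALLOW"  # known, authenticated external host
        if p.dst in self.dmz_hosts and p.dport in PUBLISHED_PORTS:
            return "ALLOW"  # published DMZ service
        return "DROP"  # unknown source or unqualified internal destination


def run_sample() -> Dict[str, str]:
    """Feed constructed packets (documentation and private addresses) through the filter."""
    fw = StatefulFilter(dmz_hosts={"203.0.113.10"}, authenticated_hosts={"198.51.100.7"})
    cases = {
        "outbound_web": Packet("10.0.0.5", 51000, "192.0.2.80", 443, False),
        "reply_to_web": Packet("192.0.2.80", 443, "10.0.0.5", 51000, True),
        "unsolicited_inbound": Packet("192.0.2.99", 4444, "10.0.0.5", 22, True),
        "dmz_smtp": Packet("192.0.2.99", 4000, "203.0.113.10", 25, True),
        "dmz_unpublished": Packet("192.0.2.99", 4000, "203.0.113.10", 3389, True),
        "authenticated_host": Packet("198.51.100.7", 5000, "10.0.0.20", 22, True),
    }
    return {name: fw.decide(pkt) for name, pkt in cases.items()}
```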