These policy objectives are achieved through the implementation of our Information Security Management System, which includes security standards, procedures and guidelines developed in accordance with ISO/IEC 27001:2013.
Hubilo has established a formal human resource security policy which outlines security requirements during employment and termination.
The Human Resources (HR) team at Hubilo addresses information security during recruitment, employment and after termination or change of employment for all Hubilo employees, contract employees and third-party employees.
All Hubilo employees who shall have access to information in any form within the Hubilo and client environment are subject to background verification prior to being hired in accordance with applicable laws and regulations. The Human Resources department is responsible for executing all background checks. All information gathered during the background check is handled and protected in accordance with the applicable laws and regulations.
When contractors or third parties are engaged and will access confidential customer information, HR ensures that requirements for conducting background verification of the applicable contractor/third-party personnel, or compensating controls, are included in the contract.
Information security responsibilities are communicated to all employees and contractors during the hiring/contracting process by the HR manager. All employee and contractor agreements include the employee's/contractor's and Hubilo's responsibilities for information security, including the handling of information assets, the handling of information received from clients, and the consequences of violating the information security policy.
Hubilo ensures that all employees and contractors follow information security practices in accordance with Hubilo's information security policy.
All employees (full-time and part-time), and where relevant, contractors and third-party staff, receive appropriate awareness training in information security and regular updates of organizational policies and procedures relevant to their job functions.
Any information security incident or deviation from the defined information security practices is investigated and appropriate disciplinary action is taken by Hubilo.
Hubilo ensures that all employees and contractors are aware of the confidentiality/non-disclosure agreement (if applicable) and of the aspects of the employee or contractor agreement that continue to apply upon termination from Hubilo or transfer to another position within Hubilo, in order to protect customer information from disclosure.
• Access is granted according to the employee's role and job responsibility with respect to the assets assigned to that employee.
• Security requirements of business applications and systems, such as password-based authentication.
• Segregation of access control roles, and consistency between access rights and information classification.
• Legal obligations that apply if access rights are violated are stated; limitations on access to data or services are stated and tracked.
• Access rights are reviewed quarterly, and any changes to or removal of access rights are recorded.
• In line with organizational requirements, privileged access rights are assigned on a need-to-know basis, such that access is given to only one person at a time.
• In line with organizational requirements and the roles assigned to different teams, teams have separate test environments; where teams share a test environment, each team's access is revoked once its purpose is fulfilled (the test environment is password protected).
• The access control policy provides detailed guidelines on user access management. A formal user registration and de-registration process is implemented for enabling access rights at Hubilo. Unique user IDs are maintained and are disabled upon transfer or termination of employees.
• Hubilo shall ensure the allocation and use of privileged access rights are restricted.
• Privileged access rights are allocated to users on a need-to-know basis.
• An authorization process and a record of all privileges allocated is maintained.
• Privileged access rights shall not be granted until the authorization process is complete.
• Requirements for the expiry of privileged access rights are defined.
• For generic administration user IDs, the confidentiality of secret authentication information is maintained when shared.
• Hubilo provides restricted access to its application systems and information contained within the application system. Logical access to software and information is limited to authorized users.
• Passwords must be a minimum of 8 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols.
• Multiple sign-in attempts with the wrong username or password result in a locked account, which is disabled for a period long enough to slow a brute-force sign-in but not so long that legitimate users are unable to use the application.
• Email-based password reset links are sent only to a user's pre-registered email address, as a temporary link.
• Hubilo prevents reuse of recently used passwords.
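The four password rules above (complexity, lockout after repeated failures, temporary reset links to a pre-registered address, and no reuse of recent passwords) map directly onto a small enforcement module. The following is an added example written for this page, not Hubilo's own code. The page does not state the lockout threshold, lockout duration, reset-link lifetime or password-history depth, so the values used here (5 failed attempts, 15 minutes, 15 minutes, last 5 passwords) are assumed placeholders, and salted PBKDF2 hashing is likewise an assumption about storage rather than a statement about Hubilo's implementation.

```python
"""Password policy enforcement: complexity, lockout, history, reset tokens.

Added example, not Hubilo's code. The numeric limits below are assumptions;
the policy text only says "a period" and "recently used".
"""
import hashlib
import hmac
import os
import re
import secrets
import time
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

MIN_LENGTH = 8                 # stated on the page
LOCKOUT_THRESHOLD = 5          # assumed: failures before the account locks
LOCKOUT_SECONDS = 15 * 60      # assumed: lockout duration
RESET_TTL_SECONDS = 15 * 60    # assumed: lifetime of a reset link
HISTORY_DEPTH = 5              # assumed: how many old passwords are remembered
PBKDF2_ROUNDS = 100_000        # assumed hashing parameters


def check_complexity(password: str) -> List[str]:
    """Return the list of rule violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class PasswordStore:
    """In-memory store that enforces the four policy rules. `now` is injectable
    so the lockout and token expiry can be tested without sleeping."""

    def __init__(self, now=time.time):
        self.now = now
        self.current: Dict[str, Tuple[bytes, bytes]] = {}
        self.history: Dict[str, List[Tuple[bytes, bytes]]] = defaultdict(list)
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, float] = {}
        self.reset_tokens: Dict[str, Tuple[bytes, float]] = {}

    def _matches(self, password: str, salt: bytes, digest: bytes) -> bool:
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)  # constant-time compare

    def set_password(self, user: str, password: str) -> List[str]:
        """Apply complexity and history rules; returns violations (empty = accepted)."""
        problems = check_complexity(password)
        if any(self._matches(password, s, d) for s, d in self.history[user]):
            problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
        if problems:
            return problems
        record = hash_password(password)
        self.current[user] = record
        self.history[user].append(record)
        del self.history[user][:-HISTORY_DEPTH]  # keep only the most recent N
        return []

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'denied', or 'locked'. Unknown users count as failures too,
        so the response does not reveal whether the account exists."""
        t = self.now()
        if self.locked_until.get(user, 0) > t:
            return "locked"
        record = self.current.get(user)
        if record and self._matches(password, *record):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = t + LOCKOUT_SECONDS  # temporary, expires on its own
            self.failures[user] = 0
            return "locked"
        return "denied"

    def issue_reset_token(self, user: str) -> str:
        """Create a single-use, time-limited token; only its hash is stored.
        The caller emails the token to the user's pre-registered address."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.reset_tokens[user] = (digest, self.now() + RESET_TTL_SECONDS)
        return token

    def redeem_reset_token(self, user: str, token: str, new_password: str) -> List[str]:
        """Consume the token (single use) and apply the normal password rules."""
        entry = self.reset_tokens.pop(user, None)
        if entry is None:
            return ["no pending reset"]
        digest, expires = entry
        presented = hashlib.sha256(token.encode()).digest()
        if self.now() > expires or not hmac.compare_digest(presented, digest):
            return ["invalid or expired reset link"]
        return self.set_password(user, new_password)
```

The lockout is deliberately time-limited rather than permanent, matching the policy's intent that a locked account recovers without an administrator, and the reset token is stored only as a hash so a leaked copy of the store cannot be used to reset anyone's password.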
• Identification and recording of significant changes.
• Planning and testing of changes.
• Assessment of the potential impacts, including information security impacts, of such changes.
• Formal authorization and approval for proposed changes.
• Verification that information security requirements have been met.
• Communication of change details to all relevant persons.
• Fall-back procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events.
Capacity Management: Hubilo monitors and tunes the use of resources and identifies capacity requirements to ensure the required system performance. System, application and network administrators monitor capacity utilization, detect and resolve problems in a timely manner, and project future capacity requirements to ensure that adequate processing infrastructure is available to meet business needs.
Separation of development, testing and operational environments: Development, testing, and operational environments are segregated at Hubilo to reduce the risks of unauthorized access or changes to the operational environment. The production environment is logically and physically separated from the development and test environments. The confidentiality of any production data used within the development and test environments (when applicable) is protected.
Protection from malware: To prevent exploitation by malicious code, Hubilo provides awareness training to all employees on the threats posed by installing unauthorized software on their computers. Anti-virus software is kept running with the latest virus signatures, and appropriate business continuity plans are drafted to ensure timely recovery of all IT systems after a malicious code attack.
Backup: Employees are required to store company data only on approved platforms such as SharePoint, project-specific drives, or the source code version control system. Backups of all mission-critical servers are performed at regular intervals. Hubilo ensures that backup copies of information, software and system images are taken and tested regularly in accordance with an agreed backup policy.
Logging and Monitoring: Audit logs of critical servers are monitored, with proper reporting of any accidental or intentional deletion or modification. Hubilo ensures that logging facilities and log information are protected against tampering and unauthorized access. System administrator and system operator activities are logged, and the logs are protected and regularly reviewed.
Technical Vulnerability Management: Hubilo ensures that information about technical vulnerabilities of information systems is obtained in a timely fashion, that exposure to such vulnerabilities is evaluated, and that appropriate measures are taken to address the associated risk.
Hubilo identifies the associated risks and the actions to be taken once a potential technical vulnerability is identified; such action involves patching vulnerable systems or applying other controls. Patches are tested and evaluated before they are installed to help ensure they are effective and do not result in side effects that cannot be tolerated; if no patch is available, other controls are considered. The technical vulnerability management process is regularly monitored and evaluated to help ensure its effectiveness and efficiency.
The Hubilo product always connects to the web app over HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol designed to protect against eavesdropping, tampering, and message forgery.
• Hubilo services are secured using SSL certificates along with proper authentication mechanisms.
• Anonymous authentication is disabled.
• Access to the database is restricted and monitored.
• Security logs are monitored and backed up regularly.
• Periodic VAPT is performed on public facing services and all identified loopholes are mitigated.
• Security tools such as web application firewalls are used to protect against malicious attacks.
• Cross Site Scripting
• Data Validation
• Poor error handling
• Malformed input
• SQL injection
• A formal process for purchase requisition, vendor selection and purchase orders is defined and implemented at Hubilo.
• Appropriate due diligence is exercised in the selection and approval of new suppliers before the contract is agreed.
• An NDA is signed if the supplier is accessing Hubilo's sensitive data.
• Third party service delivery agreement includes service definitions, security controls & arrangements and delivery levels. The service level agreement / contract is vetted by the Legal representative.
• Hubilo ensures that the supplier complies with all applicable data protection regulations and best-practice standards.
• Third party service delivery is continuously monitored and reviewed by Hubilo’s
• Supplier access to Hubilo’s information resources is granted solely for the work contracted and for no other purpose.
• All Hubilo contracts clearly define each party's data protection and information security responsibilities toward the other by detailing the parties to the contract, the effective date, the functions or services being provided (such as defined service levels), liabilities, limitations on the use of subcontractors, and other commercial/legal matters normal to any contract.
The processing is governed by a contract in writing between the controller and the processor, setting out the following:
• Subject matter and duration of the processing.
• Nature and purpose of the processing.
• Type of personal data and categories of data subjects involved.
• Obligations and rights of the controller and processor.
• Information Technology Laws (IT Act-2000)
• Software Licensing Requirements
• Intellectual Property Rights (IPR) Laws
• Labor and General Employment Laws
• Indian Company Act 2013
• Income Tax Act 1961
• As part of information security audits by independent consultants or bodies, appropriate confidentiality and non-disclosure agreements are signed with them, and any access granted to the external auditors is restricted immediately after completion of the audit.