Bharti Infratel Limited. Policy Abridged Bharti Infratel Third Party Security


Abridged Bharti Infratel Third Party Security Policy, Version 1.0

Document Control

Document No.: 40
Document Name: Abridged Bharti Infratel Third Party Security Policy-ISBC-40-V1
Version: 1.0
Date of Release: 30th October 2012

Prepared by: Mr. Rajesh Mittal, Information Security Management Representative
Process Owner: Mr. Prashant Veer Singh, Chief Information Officer
Reviewed by: Mr. Prashant Veer Singh, Chief Information Officer; Mr. Devender Singh Rawat, Chief Executive Officer

Document Change Approvals (columns: Version No., Revision Date, Nature of Change, Date Approved, Approved by)

Index

1. Bharti Infratel Third-party Security Policy (BITSP - 001)
   1.1. Introduction
   1.2. Scope
   1.3. Policy Statement and Objective
   1.4. Disciplinary Measures for Non-Compliance
   1.5. Exceptions
2. Information Security Organisation Policy (BITSP 002)
   2.1. Introduction
   2.2. Policy Statement and Objective
   2.3. Sub-Contractors
3. Asset Management Policy (BITSP 003)
   3.1. Introduction
   3.2. Policy Statement and Objective
   3.3. Asset Register
   3.4. Asset Management Responsibilities
   3.5. Information Asset Classification
4. Human Resources Security Policy (BITSP - 004)
   4.1. Introduction
   4.2. Policy Statement and Objective
   4.3. During Recruitment
   4.4. During Employment
   4.5. Termination or Change of Employment Responsibility
5. Physical and Environmental Security Policy (BITSP 005)
   5.1. Introduction
   5.2. Policy Statement and Objective
   5.3. Secure Areas
   5.4. Equipment
6. Communication and Operations Management Policy (BITSP 006)
   6.1. Introduction
   6.2. Policy Statement and Objective
   6.3. Operational Procedures and Responsibilities
   6.4. Sub-Contractor Service Delivery Management
   6.5. System Planning and Acceptance
   6.6. Protection against Malicious and Mobile Code
   6.7. Back-up
   6.8. Network Management
   6.9. Media Handling
   6.10. Exchange of Information
   6.11. Electronic Commerce Services
   6.12. Monitoring
7. Access Control Policy (BITSP 007)
   7.1. Introduction
   7.2. Policy Statement and Objective
   7.3. User Access Management
   7.4. User Responsibilities
   7.5. Network Access Control
   7.6. Operating System Access Control
   7.7. Application and Information Access Control
   7.8. Mobile Computing and Teleworking
8. Information Systems Acquisition, Development & Maintenance Policy (BITSP 008)
   8.1. Introduction
   8.2. Policy Statement and Objective
   8.3. Security Requirements of Information Systems
   8.4. Correct Processing in Applications
   8.5. Cryptographic Controls
   8.6. Security of System Files
   8.7. Security in Development and Support Processes
   8.8. Technical Vulnerability Management
9. Information Security Incident Management Policy (BITSP 009)
   9.1. Introduction
   9.2. Policy Statement and Objective
   9.3. Incident Identification
   9.4. Reporting Information Security Events and Weaknesses
   9.5. Incident Response, Recovery and Improvements
10. Business Continuity Management Policy (BITSP 010)
   10.1. Introduction
   10.2. Policy Statement and Objective
   10.3. Information Security Aspects of Business Continuity Management
11. Compliance Policy (BITSP 011)
   11.1. Introduction
   11.2. Policy Statement and Objective
   11.3. Compliance with Legal Requirements
   11.4. Information Systems Audit Considerations

1. Bharti Infratel Third-party Security Policy (BITSP - 001)

1.1. Introduction

In a rapidly expanding telecom and telecom passive infrastructure market, it is almost impossible to deliver services to customers and value to stakeholders without the collaboration of third parties. Today, third parties are extended members of the value chain of Bharti Infratel Limited (hereafter referred to as Bharti Infratel). This calls for improving Bharti Infratel's relationship with third parties, particularly in the area of information security. Given the potential for increased information security lapses on the part of third parties, a stringent Bharti Infratel Third-party Security Policy (hereafter referred to as the BITSP in this document) is framed to help Bharti Infratel insulate itself from the risks that are likely to arise from such relationships.

The foundation on which the BITSP is based is "trust, but verify stringently". Accordingly, there is a need to involve information security before, during and after relationships with third parties are established, and to impose strict security standards and practices on third parties involved with Bharti Infratel, in line with the Bharti Infratel Information Security Policy (BIISP). There is also a need to ensure that these third parties communicate the effectiveness of their information security controls by obtaining security certifications such as ISO 27001:2005 and/or by having an independent body review their information security and privacy practices against the BIISP.

1.2. Scope

The Bharti Infratel Third-party Security Policy (BITSP) is applicable to all Third-parties providing services to Bharti Infratel.

Definition of Third-party: For the purposes of this document, a Third-party is a service provider/vendor who associates with Bharti Infratel and is involved in handling, managing, storing, processing and transmitting information of Bharti Infratel. The Third-party could be a service provider/vendor of the kinds listed below, but is not limited to these:

- Diesel Filler Vendors (e.g. Pratap, Perigreen);
- Physical Security Vendor (e.g. CheckMate);
- Equipment Suppliers (e.g. Mahindra, ACME, Bluestar);
- IT Equipment Suppliers (e.g. AGC, Lenovo, Sony);
- IT Services Vendor (e.g. IBM, AES, AGC Networks);
- Site Build-up Services Vendor (e.g. TVSICS, Emerson, Punj Lloyd);
- Liaisoning Services Vendor (e.g. TVSICS);
- Non-conventional Energy Suppliers (e.g. AST, KMR, OMC);
- Management Consulting / Manpower Service Provider (e.g. Adecco, E&Y, Protiviti);
- Office Admin Services (e.g. CBRE);
- Equipment Services Vendor, such as AMCs.

This definition also includes all sub-contractors, consultants and/or representatives of the Third-party. The BITSP is applicable across all geographies where information of Bharti Infratel is processed and/or stored by a Third-party.

Policy Owner

The owner of the BITSP is the Chief Information Security Officer (hereinafter referred to as the CISO in this document).

1.3. Policy Statement and Objective

Security of information assets used by Third-parties for providing services to Bharti Infratel is of paramount importance, and the Confidentiality, Integrity and Availability of these assets shall be maintained at all times by the Third-parties concerned through controls commensurate with the asset value.

The objectives of this policy are to:
- Provide the Third-party with an approach and directives for implementing information security for all information assets used by them for providing services to Bharti Infratel; and
- Ensure that the Third-party adheres to all provisions of the Third-party Security Policy.

1.4. Disciplinary Measures for Non-Compliance

Non-compliance with the BITSP is grounds for disciplinary action up to and including termination of the contract.

1.5. Exceptions

The BITSP is intended to be the statement of information security requirements that need to be met by the Third-party. However, if a Third-party perceives difficulty in adhering to any of the controls, an exception for an individual control may be requested by the Third-party. Exceptions are applicable only if approved by the CISO.

2. Information Security Organisation Policy (BITSP 002)

2.1. Introduction

The Third-party is required to ensure that they have an Information Security Organisation structure in place, along with mutually-agreed responsibilities, authority and relationships, to maintain information security requirements as per the BITSP.

2.2. Policy Statement and Objective

The Third-party shall ensure that they have an Information Security Organisation in place to implement the provisions of the Third-party Security Policy.

2.2.1 Management Commitment to Information Security

Control Statement: The Management of the Third-party shall be committed to implementing and adhering to the information security requirements of Bharti Infratel.

Explanatory Notes: The Management of the Third-party is required to extend its full co-operation and support to the information security requirements of Bharti Infratel, and also to ensure that all its employees working for/at Bharti Infratel respect and adhere to the BITSP.

2.2.2 Information Security Co-ordination

Control Statement: A suitable management body to co-ordinate and maintain information security activities in Bharti Infratel shall be nominated.

Explanatory Notes: It is recommended that the Third-party ensures that all its functions, such as HR, Administration, Information Technology (IT), IAG, Legal and others, willingly co-operate and coordinate with Bharti Infratel to satisfy the latter's information security needs. The Third-party is required to nominate a SPOC (single point of contact) to interface with Bharti Infratel for all its information security activities. The SPOC is required to communicate the relevant sections of the BITSP to its team that caters to Bharti Infratel. The CISO of Bharti Infratel and the Third-party SPOC shall coordinate with each other for the implementation of the BITSP and to address any security-related issues.

2.2.3 Responsibility for Information Security

Control Statement: The information security responsibilities of all employees working for Bharti Infratel shall be defined and communicated.

Explanatory Notes: The Third-party shall ensure that the information security responsibilities of the Third-party are identified, documented and communicated to its employees providing services to Bharti Infratel. The employees of the Third-party are required to understand the security roles and responsibilities that they need to practise in their day-to-day operations in Bharti Infratel.

2.2.4 Authorisation Process for Information Processing Facilities

Control Statement: An authorisation process for new information processing facilities shall be implemented by the Third-party.

Explanatory Notes: The Third-party shall ensure that they obtain authorisation from the appropriate authority of Bharti Infratel before obtaining access to information systems and/or processing facilities of Bharti Infratel. Similarly, all new information processing facilities used for providing services to Bharti Infratel shall be set up only after receiving approval from the relevant management of the Third-party.

Personal computing devices that are not allowed into the Bharti Infratel and/or Third-party facility shall be communicated to Third-party employees and visitors. It shall be ensured that these devices are not brought inside the facility without proper authorisation. In case these devices are brought inside the facility and are required to connect to the Bharti Infratel network, it shall be ensured that appropriate authorisation is obtained from Bharti Infratel.

Any laptop or other information processing unit owned by the Third-party could introduce new vulnerabilities; therefore, controls such as antivirus updates, personal firewall software and other relevant desktop/laptop security software are required to be configured on the system before connecting it to the Bharti Infratel network. An information processing facility of the Third-party, such as an offshore development centre, which needs to connect to the Bharti Infratel network shall require approval from Bharti Infratel before access is permitted.

2.2.5 Confidentiality & Non-Disclosure Agreements

Control Statement: A Non-Disclosure Agreement with Bharti Infratel shall be signed.

Explanatory Notes: The Non-Disclosure Agreement mandates that the Third-party shall not disclose any information related to Bharti Infratel which is identified as Restricted, Confidential or Internal to Bharti Infratel. The Third-party shall ensure that they read, accept and sign the Non-Disclosure Agreement provided by Bharti Infratel.

2.2.6 Contact with Local Authorities

Control Statement: Appropriate contacts with all relevant local authorities shall be established and maintained.

Explanatory Notes: The Third-party is required to ensure that appropriate contacts are established with all local authorities, such as Fire, Police, Hospital(s), Ambulance and the other authorities/services which need to be contacted in case of an emergency. An individual shall be identified (preferably from the Admin function) and assigned the responsibility to maintain all such contacts.

2.2.7 Contact with Special Interest Groups

Control Statement: Appropriate contacts with relevant special interest groups shall be established and maintained.

Explanatory Notes: The Third-party shall establish and maintain contacts with special interest groups to ensure that its understanding of the information security environment is current, including updates on security advisories, vulnerabilities and patches. The IT security function of the Third-party should subscribe to these groups and, based on the periodic updates received, take the initiative to analyse and resolve the security issues reported. It should be ensured that contacts with these forums/groups are used only for receiving alerts; users should not post any queries to such forums revealing details of the information assets or network of Bharti Infratel.

2.2.8 Independent Review of Information Security

Control Statement: An independent review of information security should be conducted to assess compliance with the BITSP.

Explanatory Notes: An independent review should be conducted on a yearly basis to assess the compliance of the Third-party with the BITSP. Bharti Infratel reserves the right to audit the Third-party. The independent review should be conducted by a reputed audit organisation. It is recommended that the Third-party obtains audit certification/verification from the auditors. The Third-party may need to share the audit report with Bharti Infratel if required. If, during the audit, it is found that the Third-party is not compliant with the directions stated in the BITSP, the actions stated in the clause for non-compliance shall be applicable.

2.3. Sub-Contractors

2.3.1 Identification of Risk Related to Sub-contractors

Control Statement: All threats and risks related to sub-contractors shall be identified and mitigated.

Explanatory Notes: The Third-party shall conduct a Risk Assessment and ensure that all risks arising from sub-contractor access to Bharti Infratel information assets are identified, measured and mitigated appropriately before providing access to Bharti Infratel information assets. The Risk Assessment report is required to be shared with the CISO of Bharti Infratel prior to providing the sub-contractor with access to information and/or information-processing facilities.

2.3.2 Addressing Security when Dealing with Customers

Control Statement: Appropriate security controls shall be addressed when dealing with customers.

Explanatory Notes: Controls shall be in place so that the information assets or information processing environment used for providing services to Bharti Infratel are physically and logically segregated from those of other customers. Specific approval is required to be taken from the CISO for any exception to this.

2.3.3 Addressing Security in Sub-contractor Agreements

Control Statement: Agreements with sub-contractors who are involved in providing services to Bharti Infratel shall cover the information security requirements applicable under the BITSP.

Explanatory Notes: Agreements with sub-contractors who are engaged by the Third-party and are involved in accessing, processing, communicating or managing the information of Bharti Infratel shall cover all information security requirements in accordance with the BITSP. Additionally, the Third-party should ensure that their sub-contractors access the information assets of Bharti Infratel only after signing a formal contract and a Non-Disclosure Agreement with them. The Third-party is also required to ensure that Intellectual Property Rights are honoured by all its sub-contractors. Such contracts and Non-Disclosure Agreements entered into with sub-contractors shall be shared with Bharti Infratel if required by Bharti Infratel.

3. Asset Management Policy (BITSP 003)

3.1. Introduction

All information assets deployed by the Third-party for providing services to Bharti Infratel shall be provided comprehensive protection. The Third-party, being the owner and/or custodian of the information assets and associated processing facilities, shall be responsible for implementing the controls defined in this policy to maintain the confidentiality, integrity and availability of these information assets.

3.2. Policy Statement and Objective

Identification, classification and CIA (Confidentiality, Integrity, Availability) valuation of information assets, including the identification of the asset owner and custodian, are extremely important in designing and implementing the controls required to protect the assets. The objectives of the policy are to ensure that:
- All information assets used by the Third-party in providing services to Bharti Infratel have been identified, and a designated owner and custodian appointed by the Third-party;
- All information assets are classified based on their criticality to the business; and
- All information assets receive an appropriate level of protection through the implementation of relevant controls.

3.3. Asset Register

The Third-party shall create and maintain asset registers for all information assets belonging to them that are deployed to provide services to Bharti Infratel. The asset register is required to contain, at a minimum, the following information about each asset:
- The identification and location of the asset;
- The name of the business function or process that uses the asset;
- The type and classification of the asset;
- The Asset Owner, Custodian and User; and
- The Confidentiality, Integrity and Availability ratings of the asset.

3.4. Asset Management Responsibilities

The responsibility for implementing appropriate security controls to identify, classify and protect the assets is required to be defined.

3.4.1 Inventory of Assets

Control Statement: Information assets owned by the Third-party shall be identified, and an inventory of these assets shall be documented and maintained.

Explanatory Notes: An inventory of all important assets is required to be maintained by the Third-party. Such an inventory shall include all necessary information, including the type of asset, asset owner, asset custodian, asset location (office location) and criticality value, in order to support recovery from a disaster. This inventory is required to be maintained in accordance with the Asset Management Procedure laid down by Bharti Infratel.

3.4.2 Ownership of Assets

Control Statement: Information assets that are used to provide services to Bharti Infratel shall have a designated owner from the Third-party.

Explanatory Notes: Assets owned by the Third-party and used to process information of Bharti Infratel are required to be owned by a designated individual belonging to the Third-party. The asset owner shall be responsible for the following:
- Ensuring that the assets are appropriately classified as per the Classification Guidelines (refer to BITSP section 3.5.1);
- Ensuring that assets are correctly entered in the Asset Register as per a formal Asset Management Procedure; and
- Defining, and periodically reviewing, the access rights to their respective assets.

3.4.3 Acceptable Use of Assets

Control Statement: The Third-party shall develop and implement rules for the acceptable use of information assets that are used to provide services to Bharti Infratel.

Explanatory Notes: The Third-party is required to ensure that its employees adhere to the acceptable use rules for assets as developed by them.

3.5. Information Asset Classification

Information assets have different degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling. The information classification criteria shall be used by the Third-party to classify the information assets used to provide services to Bharti Infratel. Information assets that are owned by Bharti Infratel are classified by Bharti Infratel, and the Third-party has to handle them according to the assigned classification level.

3.5.1 Classification Guidelines

Control Statement: All information assets shall be classified in terms of their value, sensitivity and criticality to Bharti Infratel.

Explanatory Notes: Important information assets shall be assigned an asset criticality rating as per the guidelines laid down in the Asset Management Procedure, to assess the relative importance of such assets to Bharti Infratel and to determine the level of security measures to be implemented for their protection. Information assets shall be classified, in terms of their sensitivity and criticality to the business of Bharti Infratel, into one of the following categories:

Restricted: This classification applies to the most critical business information, which is intended strictly for use within Bharti Infratel. Its unauthorised disclosure could adversely impact Bharti Infratel's business, its stockholders, its business partners and/or its customers, leading to legal and financial repercussions and adverse public opinion. Information that some people would consider to be private is included in this classification. Examples: critical servers, critical passive infrastructure devices, system access controls, system passwords, technology-related documents, engineering documents, etc.

Confidential: This classification applies to sensitive business information, which is intended for use within Bharti Infratel. Its unauthorised disclosure could adversely impact Bharti Infratel's business, its stockholders, its business partners, its employees and/or its customers. Examples: system configuration procedures, and internal audit reports which comprise the collective experience, knowledge, skill and information of Bharti Infratel.

Public: This classification applies to information which has been explicitly approved by Bharti Infratel management for release to the public. By definition, there is no such thing as unauthorised disclosure of this information, and it may be freely disseminated without potential harm. Examples: advertisements and published press releases.

Internal: This classification applies to information which is specifically meant for internal use within Bharti Infratel. While its unauthorised disclosure is against policy, it is not expected to seriously or adversely impact the business of Bharti Infratel, its employees, customers, stockholders or business partners. Examples: telephone directory, training materials and manuals, internal staff circulars.

3.5.2 Information Asset Labelling and Handling

Control Statement: The Third-party shall follow the procedures for information asset labelling and handling for all information assets that are used to provide services to Bharti Infratel.

Explanatory Notes: All information assets are required to be labelled by the Third-party and maintained as per a formal Information Labelling and Handling Guideline. These assets shall be labelled (marked) using the classification scheme only to indicate the level of sensitivity of the information. Public information may be excluded from this requirement.

4. Human Resources Security Policy (BITSP - 004)

4.1. Introduction

The Human Resources Security Policy defines the controls that are required to be implemented and maintained during the recruitment process, during employment, and on termination or change of employment, to ensure the protection of information assets that are used to provide services to Bharti Infratel from human error, misuse, theft or fraud.

4.2. Policy Statement and Objective

All employees of the Third-party with access to the information assets of Bharti Infratel shall understand their responsibilities for the comprehensive protection of the information and processing facilities of Bharti Infratel. The objectives of this policy are to:
- Ensure that appropriate security controls are followed at the time of recruitment by the Third-party;
- Ensure that Third-party employees understand their responsibilities and roles regarding information security in Bharti Infratel;
- Reduce the risks of human error, theft, fraud or misuse of information assets; and
- Ensure that employees are aware of information security threats and concerns and are equipped to support the BITSP in the course of their work.

Failure to adhere to information security responsibilities may entail appropriate disciplinary action.

4.3. During Recruitment

The Human Resources function of the Third-party shall ensure that security responsibilities are defined and addressed prior to employment, in adequate job descriptions and in the terms and conditions of employment. It is strongly recommended that background verification checks are conducted for the employees who will provide services to Bharti Infratel.

4.3.1 Roles and Responsibilities

Control Statement: The security roles and responsibilities of employees shall be defined and documented.

Explanatory Notes: The HR function of the Third-party is required to define, document and communicate the security roles and responsibilities of its employees to ensure that they:
- Act in accordance with the BITSP;
- Protect assets from unauthorised access, disclosure, modification and destruction; and
- Execute specific security processes and activities.

4.3.2 Screening

Control Statement: Background verification checks shall be carried out for the employees who will provide services to Bharti Infratel.

Explanatory Notes: The Third-party is required to carry out background verification checks for employees who have access to Bharti Infratel information systems and processing facilities. They are also recommended to provide evidence of the same to Bharti Infratel.

4.3.3 Terms and Conditions of Employment

Control Statement: The Third-party shall ensure that their employees read and accept the terms and conditions of employment, which shall reflect the information security requirements of Bharti Infratel as specified in the BITSP.

Explanatory Notes: Before its employees are deployed in Bharti Infratel to provide the services as per the contract, the Third-party is required to define the terms and conditions of employment and communicate them to its employees. The terms and conditions are required to include the following:
- Signing a confidentiality agreement which may hold the employee liable for any unauthorised disclosure, modification and/or destruction of information, information systems and/or processing facilities of Bharti Infratel;
- Legal responsibilities and rights;
- The responsibility for handling information as per its level of classification;
- The responsibility for exhibiting due diligence while handling information received from external parties and protecting its confidentiality and integrity; and
- The actions to be taken if any employee disregards the information security requirements of Bharti Infratel.

4.4. During Employment

The HR function and concerned personnel of the Third-party are required to take appropriate actions to ensure that:

- The employees are duly informed of their information security responsibilities to maintain a reasonable level of security for information assets and processing facilities used to provide services to Bharti Infratel; and
- An adequate level of awareness, education and training on information security is provided to all employees.

4.4.1 Management Responsibilities

Control Statement: The Management of the Third-party should require its employees to adhere to the information security requirements in accordance with the BITSP.

Explanatory Notes: It is recommended that the Management of the Third-party ensures that its employees providing services to Bharti Infratel apply security in adherence to the BITSP. The Management of the Third-party should ensure that:
- Employees are properly informed of their roles and responsibilities towards information security in Bharti Infratel;
- Employees achieve a level of security awareness in proportion to their roles;
- Employees attend the information security awareness training programme before being deployed in Bharti Infratel premises; and
- Employees have the appropriate skills and qualifications required to do the job for Bharti Infratel.

4.4.2 Information Security Awareness, Education and Training

Control Statement: Employees providing services to Bharti Infratel should receive appropriate awareness training and regular updates on the BITSP and information security, as relevant to their job.

Explanatory Notes: The Third-party shall ensure that all employees receive formal training in Information Security Awareness. Inputs and updates for this will be provided by Bharti Infratel to the Third-party as and when they become available. The Third-party should ensure that they update their employees as and when these are made available.

4.4.3 Disciplinary Process

Control Statement: A disciplinary process for information security violations shall be established and documented. Employees shall be informed of the disciplinary process.

Explanatory Notes: A formal disciplinary process is required to be initiated for violations of the BITSP after verification that a security breach/violation involving an employee has occurred. The Third-party is required to ensure that its employees are made aware of the formal disciplinary process which may be initiated if they violate the BITSP or commit/participate in any kind of security breach.

4.5. Termination or Change of Employment Responsibility

Adequate security measures are required to be taken by the Third-party when employees undergo a change of role within the Third-party organisation, withdraw from the Bharti Infratel project, or resign from the Third-party organisation. It is required to be ensured that the access rights provided to such employees on information, information assets and/or processing facilities are reduced, changed or revoked as appropriate to the situation.

4.5.1 Return of Assets

Control Statement: The Third-party's employees shall return all assets in their possession that are used to provide services to Bharti Infratel upon termination of their employment.

Explanatory Notes: All Third-party employees are required to return all previously-issued software, documents, equipment, laptops, PDAs, access cards, manuals and information stored on electronic media which are used to provide services to Bharti Infratel.

4.5.2 Removal of Access Rights

Control Statement: The access rights of employees shall be revoked at the time of termination, or changed when the current role of the employee changes.

Explanatory Notes: Access rights to information and information-processing facilities held by employees of the Third-party are required to be revoked upon termination or withdrawal from the Bharti Infratel project. It is required that all passwords for active accounts known to a departing employee are changed with immediate effect. In case of a change of role of a Third-party employee, the Third-party is required to revise and adjust the access rights as appropriate.

5. Physical and Environmental Security Policy (BITSP 005)

5.1. Introduction

The Physical and Environmental Security Policy defines the appropriate controls to maintain the required physical and environmental security of information assets and information-processing facilities that are used to provide services to Bharti Infratel.

5.2. Policy Statement and Objective

Assets and facilities which house information of Bharti Infratel shall be protected from unauthorised physical access and environmental threats. All physical access and movement of information systems shall be monitored and reviewed. The objectives of the policy are to:
- Prevent unauthorised physical access to, damage to, and interference with information assets;
- Protect critical and sensitive information systems located at Third-party locations and used to provide services to Bharti Infratel with defined security perimeters, appropriate security barriers and entry controls (recommended);
- Protect assets by implementing environmental controls to prevent damage from environmental threats; and
- Regularly conduct preventive maintenance of infrastructure equipment to ensure faultless services.

5.3. Secure Areas

An adequate level of security shall be provided to the facilities and office locations housing information assets used to provide services to Bharti Infratel.

5.3.1 Physical Security Perimeter

Control Statement: The Third-party shall ensure that a physical security perimeter is defined and implemented for office locations and facilities housing information assets that are used to provide services to Bharti Infratel.

Explanatory Notes: The Third-party is required to ensure that a physical security perimeter is used to secure all such facilities where the information systems that are used to provide services to Bharti Infratel are hosted. Physical security perimeters such as walls, card-controlled entry gates and/or manned reception desks should be used to secure the facility.

5.3.2 Physical Entry Controls

Control Statement: Secure areas within the facility of the Third-party shall be protected by appropriate entry controls to ensure that only authorised access is permitted.

Explanatory Notes: The Third-party is recommended to ensure that only authorised persons are provided access to secure areas (areas hosting information systems/equipment). Access to all such areas should be controlled, recorded and monitored by the Third-party. The secure areas shall have physical security check points.

5.3.3 Securing Offices, Rooms and Facilities

Control Statement: Physical security controls for offices, rooms and facilities should be designed and applied.

Explanatory Notes: The Third-party is recommended to ensure that offices, rooms and facilities that store critical information of Bharti Infratel are secured. The following is recommended to be considered:
- Relevant safety regulations and standards are implemented;
- Key facilities should be sited securely so as to avoid access by the public; and
- Where applicable, buildings should be unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information-processing activities that are used to provide services to Bharti Infratel.

5.3.4 Protection against External and Environmental Threats

Control Statement: Protection against damage from natural and man-made disasters shall be designed and implemented.

Explanatory Notes: Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of environmental, natural or man-made disaster is required to be designed and applied. It should be considered that:
- Adequate air-conditioning and humidity-control systems are implemented to support information systems and equipment that are used to provide services to Bharti Infratel;
- Fire suppression systems are installed wherever applicable;
- Hazardous and combustible material and stationery items are stored at a secure distance from the secure area;
- Adequate power supply controls are implemented to ensure continuous power supply at the facilities being used to provide services to Bharti Infratel;

- Fallback equipment and back-up media are sited at a different location to ensure continuity of business operations.

5.3.5 Working in Secure Areas

Control Statement: Guidelines for working in secure areas shall be designed and implemented.

Explanatory Notes: BITSP is required to ensure the following guidelines:
- Personnel should be aware of the existence of, or activities within, a secure area only on a need-to-know basis;
- Unsupervised working in secure areas is required to be avoided to prevent opportunities for malicious activities;
- Vacant secure areas are required to be physically locked and periodically checked;
- Photographic, video, audio or other recording equipment, such as cameras in mobile devices, shall not be allowed in restricted areas unless authorised by the management of the Third-party.

5.3.6 Public Access, Delivery and Loading Areas

Control Statement: All loading and unloading areas shall be isolated from information-processing facilities that are used for providing services to Bharti Infratel.

Explanatory Notes: Entry points in the Third-party's location, such as delivery and loading areas and other points where unauthorised personnel may enter, are required to be controlled and isolated from information-processing facilities to avoid unauthorised access.

5.4. Equipment

Security controls shall be implemented to prevent loss, damage or theft of any equipment, compromise of information systems and interruption to the services provided to Bharti Infratel by the Third-party. Equipment hereinafter refers to systems that are used to store and process information of Bharti Infratel. They include, but are not limited to, laptops, desktops, servers and network devices.

5.4.1 Equipment Siting and Protection

Control Statement: All equipment used to provide services to Bharti Infratel shall be sited and protected to reduce risks from environmental threats and hazards and opportunities for unauthorised access.

Explanatory Notes: All equipment used to provide services to Bharti Infratel is required to be protected against environmental threats and unauthorised access. It is required to ensure that:

- The equipment is appropriately located and security controls are put in place to reduce the risk of potential threats (e.g., theft, fire, explosives, smoke, flooding, dust, vibration, chemical effects, electrical supply interference) to its continued use;
- Appropriate controls, such as for temperature and humidity, are implemented for the safety of the equipment;
- Guidelines for eating, drinking and smoking in the proximity of any equipment are established; and
- All equipment that processes sensitive data of Bharti Infratel is positioned in such a way as to restrict the viewing angle, in order to reduce the risk of information being viewed by unauthorised personnel.

5.4.2 Supporting Utilities

Control Statement: All equipment used to provide services to Bharti Infratel shall be protected from power failures and other disruptions caused by failure of supporting utilities.

Explanatory Notes: The Third-party is required to ensure that:
- All supporting utilities, such as electricity, water supply, sewage, heating/ventilation and air-conditioning, are in appropriate condition for the systems being used to provide services to Bharti Infratel;
- Uninterruptible Power Supply (UPS) systems and generators are installed to support controlled shutdown or continued functioning of equipment being used to provide services to Bharti Infratel;
- An alarm system to highlight any malfunctioning of the supporting utilities is installed; and
- Adequate contacts are in place with vendors to provide services whenever there is an emergency.

5.4.3 Cabling

Control Statement: Power and telecommunication network cables shall be protected from damage or interception.

Explanatory Notes: In places where Bharti Infratel information assets are housed for maintenance, the Third-party is required to identify and mark network cables and their corresponding terminals being used to provide services to Bharti Infratel. The Third-party is required to segregate power cables from communication cables through a separate conduit to prevent any interference.

5.4.4 Equipment Maintenance

Control Statement: All equipment shall be appropriately maintained to ensure its continued availability and integrity.

Explanatory Notes: All equipment that is used for providing services to Bharti Infratel is required to be maintained in accordance with the supplier's recommended service intervals and specifications. A preventive maintenance exercise for all equipment being used to provide services to Bharti Infratel is required to be conducted at scheduled intervals, ensuring its continued availability and integrity. The Third-party shall ensure that appropriate controls are applied to prevent any information leakage or destruction when equipment is scheduled for preventive maintenance.

5.4.5 Security of Equipment Off-premises

Control Statement: Security shall be applied to off-site equipment, taking into account the different risks of operating outside the premises.

Explanatory Notes: All equipment being used for Bharti Infratel (e.g. towers, backup media and laptops) is required to receive the appropriate level of protection against physical and environmental threats. Equipment that is used for providing services to Bharti Infratel and is installed outside the Third-party's premises is to be monitored at regular intervals. The Third-party is required to ensure that no information asset of Bharti Infratel is taken out without an authorised gate pass signed by the concerned authorised personnel.

5.4.6 Secure Disposal and Re-use of Equipment

Control Statement: Equipment containing information of Bharti Infratel shall be disposed of in a secure manner.

Explanatory Notes: Equipment such as OSS and data switches containing information like the configuration parameters for Bharti Infratel is required to be erased and/or disposed of in a secure manner. If equipment is beyond repair, it shall be physically destroyed. In case of re-use of such equipment, the Third-party shall ensure that all information and parameters used for Bharti Infratel are erased or formatted.

5.4.7 Removal of Property

Control Statement: Equipment, information or software shall not be taken off-site without prior authorisation.

Explanatory Notes: Any equipment, information system, storage device or software holding information that belongs to Bharti Infratel shall not be taken outside the Third-party's premises without prior authorisation from the management of the Third-party. A gate pass shall be used as a means to prevent any unauthorised removal of property.

6. Communication and Operations Management Policy (BITSP 006)

6.1. Introduction

The Communication and Operations Management Policy establishes appropriate controls, including the development of operating procedures, monitoring of user activities, and deployment of appropriate technology, to prevent unauthorised access, misuse or failure of the information systems and equipment and to ensure the confidentiality, integrity and availability of information that is processed by, or stored in, the information systems/equipment.

6.2. Policy Statement and Objective

The Third-party shall ensure that all defined procedures are followed and implemented to ensure secure and correct operations. The objectives of the policy are to:
- Develop documented operating procedures for the information systems and computing devices used to provide services to Bharti Infratel;
- Ensure protection of information during its transmission through communication networks;
- Protect the integrity of software and information against malicious code;
- Develop an appropriate backup strategy and monitoring plan for protecting the integrity and availability of information;
- Have appropriate controls over storage media to prevent damage and/or theft; and
- Maintain security during information exchange with other organisations.

6.3. Operational Procedures and Responsibilities

6.3.1 Documented Operating Procedures

Control Statement: Standard operating procedures pertaining to all system activities shall be documented, maintained and followed.

Explanatory Notes: Procedures are required to be in place to ensure that activities performed for day-to-day system operations are carried out in a secure manner. The Third-party is required to document all operating procedures needed to maintain the confidentiality, integrity and availability of the specific platform or application. The Third-party is required to ensure that procedures are made available to all its employees who are involved in the respective operations and processes for Bharti Infratel. All system and application administrators shall ensure that operating procedures are kept up to date in accordance with any system changes. The procedures are required to include, but are not limited to, the following:
- Any automated or scheduled processes that are running on the system or application associated with Bharti Infratel information;
- Day-to-day operational tasks that need to be performed by the operator;
- The actions performed when an error or an exceptional condition occurs, including listed contact details for people who may be required to assist or who may have a dependency on that service;
- The actions required for start-up, restart or shutdown of the system or application associated with Bharti Infratel information;
- The actions performed for system or application backup;
- The actions performed for system or application recovery or restoration;
- The actions performed for handling of information, for example backup tapes or disposal of output (such as printed output) from failed runs of automated processes; and
- Management of audit trail and system log information.

6.3.2 Change Management

Control Statement: A formal Change Management Process shall be developed and implemented for carrying out changes to information systems associated with Bharti Infratel.

Explanatory Notes: To ensure that the security of the systems/environments is not compromised, the Third-party is required to manage the change(s) in the production systems/environment of assets used to provide services to Bharti Infratel. The Third-party shall ensure that:
a. Change control is applied to all security aspects of the production applications and infrastructure associated with Bharti Infratel.
b. All Third-party service providers manage the change(s) to the systems and services supplied to Bharti Infratel.
c. All approved changes are tested in a test setup prior to implementing them on the production systems.

6.3.3 Patch Management

Control Statement: A formal Patch Management Process shall be developed and implemented for applying patches to the information systems associated with Bharti Infratel.

Explanatory Notes: The Third-party is required to apply patches to the systems being used to provide services to Bharti Infratel in a timely manner, to ensure that the systems are running at their optimum level and that the threat from vulnerabilities and malicious agents is reduced to an acceptable level.

6.3.4 Segregation of Duties

Control Statement: Duties and areas of responsibility should be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of assets.

Explanatory Notes: The Third-party is recommended to implement segregation of duties so that no single user has the opportunity to subvert any security control associated with Bharti Infratel information. No one employee of the Third-party should be responsible for more than one of the following duties at any given point in time: data entry, computer operation, network management, system administration, systems development, change management, security administration, security audit, security monitoring. Where segregation of duties is not possible or practical, the process is recommended to include compensating controls such as monitoring of activities, maintenance and review of audit trails, and management supervision. The opportunity for collusion shall be removed from the design and deployment architecture of the compensating control.

6.3.5 Separation of Development, Test and Operational Facilities

Control Statement: Development, test and operational facilities which are used to provide services to Bharti Infratel shall be separated to reduce the risk of unauthorised access or changes to the operational system.

Explanatory Notes: The development and production facilities/environments used to provide services to Bharti Infratel are required to be physically and/or logically separated.
a. Development and operational software is required to run on different systems.
b. Compilers, editors and other development tools or system utilities shall not be accessible from operational systems when not required.
c. Sensitive data shall not be copied into the test environment for testing purposes.
d. A formal Change Management Process is required to be followed for implementing any changes to the development, test and operational facilities.
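The segregation-of-duties rule in 6.3.4 above (no one employee holds more than one of the nine listed duties at any given point in time, with compensating controls where segregation is not practical) can be checked mechanically against a role roster. The following is an added example written for this page, not code from Bharti Infratel or the BITSP itself. The roster, the employee ids (E001 to E004) and the register of compensating controls are constructed sample data; assignment periods are included so that duties held one after the other, rather than at the same time, are not flagged.

```python
"""Segregation-of-duties (SoD) conflict check against a role roster.

Added example for BITSP 6.3.4; not part of the policy document.
Flags employees who hold two or more of the nine segregated duties with
overlapping assignment periods, and reports whether a compensating
control is registered for each conflict.
"""
from collections import defaultdict
from datetime import date
from itertools import combinations

# The nine duties named in BITSP 6.3.4 that must not be combined.
SEGREGATED_DUTIES = frozenset({
    "data entry", "computer operation", "network management",
    "system administration", "systems development", "change management",
    "security administration", "security audit", "security monitoring",
})

# Constructed sample roster: (employee id, duty, start, end); end=None
# means the assignment is still current. Employee ids are hypothetical.
ROSTER = [
    ("E001", "system administration", date(2012, 1, 1), None),
    ("E001", "security audit",        date(2012, 6, 1), None),   # overlaps: conflict
    ("E002", "data entry",            date(2012, 1, 1), None),
    ("E002", "payroll approval",      date(2012, 1, 1), None),   # not a listed duty
    ("E003", "systems development",   date(2011, 1, 1), date(2011, 12, 31)),
    ("E003", "change management",     date(2012, 1, 1), None),   # sequential: no conflict
    ("E004", "computer operation",    date(2012, 3, 1), None),
    ("E004", "security monitoring",   date(2012, 3, 1), None),   # conflict, compensated
]

# Constructed register of compensating controls, keyed by employee id.
COMPENSATING_CONTROLS = {
    "E004": "weekly audit-trail review and supervision by the IT manager",
}


def _overlaps(a, b):
    """True if two (emp, duty, start, end) assignments are active at the
    same time; an open-ended assignment is treated as running to date.max."""
    a_start, a_end = a[2], a[3] or date.max
    b_start, b_end = b[2], b[3] or date.max
    return a_start <= b_end and b_start <= a_end


def find_conflicts(roster, segregated=SEGREGATED_DUTIES):
    """Return {employee: sorted duties} for employees who hold two or more
    segregated duties with overlapping periods. Non-listed duties and
    non-overlapping assignments are ignored."""
    by_emp = defaultdict(list)
    for assignment in roster:
        if assignment[1].strip().lower() in segregated:
            by_emp[assignment[0]].append(assignment)
    conflicts = {}
    for emp, assignments in by_emp.items():
        clashing = set()
        for a, b in combinations(assignments, 2):
            if _overlaps(a, b):
                clashing.update((a[1].strip().lower(), b[1].strip().lower()))
        if clashing:
            conflicts[emp] = sorted(clashing)
    return conflicts


def assess(roster, controls, segregated=SEGREGATED_DUTIES):
    """Classify each conflict as 'compensated' (a control is registered for
    the employee) or 'uncompensated' (a finding needing remediation)."""
    report = {}
    for emp, duties in find_conflicts(roster, segregated).items():
        report[emp] = {
            "duties": duties,
            "status": "compensated" if emp in controls else "uncompensated",
            "control": controls.get(emp),
        }
    return report


if __name__ == "__main__":
    for emp, entry in sorted(assess(ROSTER, COMPENSATING_CONTROLS).items()):
        line = f"{emp}: {', '.join(entry['duties'])} -> {entry['status']}"
        if entry["control"]:
            line += f" ({entry['control']})"
        print(line)
```

Run as a script, it lists E001 as an uncompensated conflict (system administration plus security audit at the same time) and E004 as a compensated one, while E002 (one listed duty plus an unlisted one) and E003 (two listed duties held in sequence) produce no finding. The "uncompensated" entries are the ones an auditor would raise under 6.3.4; the "compensated" entries are where the design of the compensating control itself should be reviewed for collusion resistance.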

6.4. Sub-Contractor Service Delivery Management

In the course of providing services to Bharti Infratel, the Third-party may outsource some services to a Sub-contractor. When using the services of a Sub-contractor, the Third-party shall ensure that agreed service delivery levels are met and security controls are adhered to by the Sub-contractor. The Third-party shall monitor and review the services of its Sub-contractor on an ongoing basis to ensure that services offered to Bharti Infratel are supported without any interruption.

6.4.1 Service Delivery

Control Statement: Appropriate security controls, service definitions and delivery levels included in the Sub-contractor service delivery agreement shall be implemented, operated and maintained.

Explanatory Notes: Service delivery by a Sub-contractor is required to include the agreed security arrangements, service definitions, and other aspects of service management. The Third-party is required to ensure that the Sub-contractor maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels to Bharti Infratel are maintained.

6.4.2 Monitoring and Review of Sub-contractor Services

Control Statement: A documented process shall be established to ensure that the services, reports and evidence provided by Sub-contractors involved in providing services to Bharti Infratel are monitored and reviewed on a defined periodic basis.

Explanatory Notes: The Third-party is required to monitor and review Sub-contractor services to ensure that the BITSP is being adhered to and that information security incidents and problems are managed properly. Audits to assess compliance of the Sub-contractor's services with the agreed contract shall be conducted on a periodic basis. The responsibility for managing the relationship with a Sub-contractor of the Third-party is required to be assigned to a designated individual or service management team.

6.4.3 Managing Changes to Sub-contractor Services

Control Statement: A documented procedure to control changes pertaining to a Sub-contractor's services shall be implemented.

Explanatory Notes: The Third-party is required to ensure that all changes pertaining to the Sub-contractor's services are maintained, agreed and documented. Services to Bharti Infratel shall not be disrupted due to any changes in service levels between the Third-party and its Sub-contractor.


More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Network Security Policy

Network Security Policy Department / Service: IM&T Originator: Ian McGregor Deputy Director of ICT Accountable Director: Jonathan Rex Interim Director of ICT Approved by: County and Organisation IG Steering Groups and their relevant

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) (NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) 1. Approval and Authorisation Completion of the following signature blocks signifies

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing

More information

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by: Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

How To Ensure Network Security

How To Ensure Network Security NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004L Payment Card Industry (PCI) Physical Security (proposed) 01.1 Purpose The purpose

More information

Hengtian Information Security White Paper

Hengtian Information Security White Paper Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Privacy + Security + Integrity

Privacy + Security + Integrity Privacy + Security + Integrity Docufree Corporation Data Security Checklist Security by Design Docufree is very proud of our security record and our staff works diligently to maintain the greatest levels

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

More information

Gatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria

Gatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria Gatekeeper PKI Framework ISBN 1 921182 24 5 Department of Finance and Deregulation Australian Government Information Management Office Commonwealth of Australia 2009 This work is copyright. Apart from

More information

Information Security Programme

Information Security Programme Information Security Programme Information Security Policy This document is issued in the strictest business confidence. It should be read in conjunction with a number of other supporting and complementary

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

Cyber and Data Security. Proposal form

Cyber and Data Security. Proposal form Cyber and Data Security Proposal form This proposal form must be completed and signed by a principal, director or a partner of the proposed insured. Cover and Quotation requirements Please indicate which

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Version: 0.2 Committee Approved by: Audit Committee Date Approved: 15 th January 2014 Author: Responsible Directorate Information Governance & Security Officer, The Health Informatics

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

Application Development within University. Security Checklist

Application Development within University. Security Checklist Application Development within University Security Checklist April 2011 The Application Development using data from the University Enterprise Systems or application Development for departmental use security

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

Physical and Environment IT Security Standards

Physical and Environment IT Security Standards Physical and Environment IT Security Standards Author s Name: Jo Brown Author s Job Title: Head of Technical Services Division: Corporate Department: Technical Services Version Number: 1.0 Ratifying Committee:

More information

Information Security Policy. Policy and Procedures

Information Security Policy. Policy and Procedures Information Security Policy Policy and Procedures Issue Date February 2013 Revision Date February 2014 Responsibility/ Main Point of Contact Neil Smedley Approved by/date Associated Documents Acceptable

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

The Contractor's Responsibility - Preventing Improper Information Process

The Contractor's Responsibility - Preventing Improper Information Process BRIGHT HORIZONS BASELINE THIRD PARTY SECURITY REQUIREMENTS Version 1.0 (updated March 2015) Contents SECTION 1:... 3 REQUIREMENTS INTRODUCTION AND BACKGROUND... 3 1. SUMMARY... 3 2. DEFINITIONS... 3 3.

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Regulations on Information Systems Security. I. General Provisions

Regulations on Information Systems Security. I. General Provisions Riga, 7 July 2015 Regulations No 112 (Meeting of the Board of the Financial and Capital Market Commission Min. No 25; paragraph 2) Regulations on Information Systems Security Issued in accordance with

More information

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy June 10, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT

More information

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

Information Security Standards

Information Security Standards Information Security Standards Policy as approved by the Board of Trustees on 3/14/2011 is in black print. Standards (operating draft) as of 8/3/2011 are in blue print. 8/3/2011 Operating Draft The University

More information

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11 Eidgenössisches Departement für Wirtschaft, Bildung und Forschung WBF Staatssekretariat für Wirtschaft SECO Schweizerische Akkreditierungsstelle SAS Checkliste für die harmonisierte Umsetzung der Anforderungen

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

ADEC GROUP INFORMaTiON SecURiTY AND CONTROLS

ADEC GROUP INFORMaTiON SecURiTY AND CONTROLS ADEC GROUP INFORMaTiON SecURiTY AND CONTROLS Rising To Global Information Challenges Information is your most valuable commodity today. As a global enterprise servicing a wide range of businesses, ADEC

More information

Information security management systems Specification with guidance for use

Information security management systems Specification with guidance for use BRITISH STANDARD BS 7799-2:2002 Information security management systems Specification with guidance for use ICS 03.100.01; 35.020 This British Standard, having been prepared under the direction of the

More information