Bharti Infratel Limited. Abridged Bharti Infratel Third Party Security Policy


Abridged Bharti Infratel Third Party Security Policy
Version 1.0

Document Control

Document No.: 40
Document Name: Abridged Bharti Infratel Third Party Security Policy-ISBC-40-V1
Version: 1.0
Date of Release: 30th October 2012

Name / Function / Designation / Signature
Prepared by: Mr. Rajesh Mittal, Information Management Representative
Process Owner: Mr. Prashant Veer Singh, Chief Information Officer
Reviewed by: Mr. Prashant Veer Singh, Chief Information Officer; Mr. Devender Singh Rawat, Chief Executive Officer

Document Change Approvals (columns: Version No., Revision Date, Nature of Change, Date Approved, Approved by)

Index

1. Bharti Infratel Third-party Security Policy (BITSP - 001)
   - Introduction
   - Scope
   - Policy Statement and Objective
   - Disciplinary Measures for Non-Compliance
   - Exceptions
2. Information Security Organisation Policy (BITSP - 002)
   - Introduction
   - Policy Statement and Objective
   - Sub-Contractors
3. Asset Management Policy (BITSP - 003)
   - Introduction
   - Policy Statement and Objective
   - Asset Register
   - Asset Management Responsibilities
   - Information Asset Classification
4. Human Resources Security Policy (BITSP - 004)
   - Introduction
   - Policy Statement and Objective
   - During Recruitment
   - During Employment
   - Termination or Change of Employment Responsibility
5. Physical and Environmental Security Policy (BITSP - 005)
   - Introduction
   - Policy Statement and Objective
   - Secure Areas
   - Equipment Security
6. Communication and Operations Management Policy (BITSP - 006)
   - Introduction
   - Policy Statement and Objective
   - Operational Procedures and Responsibilities
   - Sub-Contractor Service Delivery Management
   - System Planning and Acceptance
   - Protection against Malicious and Mobile Code
   - Back-up
   - Network Security Management
   - Media Handling
   - Exchange of Information
   - Electronic Commerce Services
   - Monitoring
7. Access Control Policy (BITSP - 007)
   - Introduction
   - Policy Statement and Objective
   - User Access Management
   - User Responsibilities
   - Network Access Control
   - Operating System Access Control
   - Application and Information Access Control
   - Mobile Computing and Teleworking
8. Information Systems Acquisition, Development & Maintenance Policy (BITSP - 008)
   - Introduction
   - Policy Statement and Objective
   - Security Requirements of Information Systems
   - Correct Processing in Applications
   - Cryptographic Controls
   - Security of System Files
   - Security in Development and Support Processes
   - Technical Vulnerability Management
9. Information Security Incident Management Policy (BITSP - 009)
   - Introduction
   - Policy Statement and Objective
   - Incident Identification
   - Reporting Information Security Events and Weaknesses
   - Incident Response, Recovery and Improvements
10. Business Continuity Management Policy (BITSP - 010)
   - Introduction
   - Policy Statement and Objective
   - Information Security Aspects of Business Continuity Management
11. Compliance Policy (BITSP - 011)
   - Introduction
   - Policy Statement and Objective
   - Compliance with Legal Requirements
   - Information Systems Audit Considerations

1. Bharti Infratel Third-party Security Policy (BITSP - 001)

1.1. Introduction

In a rapidly expanding telecom and telecom passive infrastructure market, it is almost impossible to deliver services to customers and value to stakeholders without the collaboration of third parties. Today, third parties are extended members of the value chain of Bharti Infratel Limited (hereafter referred to as Bharti Infratel). This calls for improving Bharti Infratel's relationship with third parties, particularly in the area of information security. Given the potential for increased information security lapses on the part of third parties, a stringent Bharti Infratel Third-party Security Policy (hereafter referred to as the BITSP in this document) is framed to help Bharti Infratel insulate itself from the risks that are likely to arise from such relationships.

The foundation on which the BITSP is based is "trust, but verify stringently". Accordingly, there is a need to involve information security before, during and after the relationships with third parties are established, and to impose strict security standards and practices on third parties in accordance with the Bharti Infratel Information Security Policy (BIISP). There is also a need to ensure that these third parties communicate the effectiveness of their information security controls by obtaining security certifications such as ISO 27001:2005 and/or by having an independent body review their information security and privacy practices against the BIISP.

1.2. Scope

The Bharti Infratel Third-party Security Policy (BITSP) is applicable to all Third-parties providing services to Bharti Infratel.

Definition of Third-party: For the purposes of this document, a Third-party is a service provider/vendor who associates with Bharti Infratel and is involved in handling, managing, storing, processing and transmitting information of Bharti Infratel. The Third-party could be a service provider/vendor as mentioned below, but is not limited to these:

- Diesel Filler Vendors (e.g. Pratap, Perigreen etc.);
- Physical Security Vendors (e.g. CheckMate etc.);
- Equipment Suppliers (e.g. Mahindra, ACME, Bluestar etc.);
- IT Equipment Suppliers (e.g. AGC, Lenovo, Sony etc.);
- IT Services Vendors (e.g. IBM, AES, AGC Networks etc.);
- Site Builtup Services Vendors (e.g. TVSICS, Emerson, Punj Lloyd etc.);
- Liaisoning Services Vendors (e.g. TVSICS etc.);
- Non-conventional Energy Suppliers (e.g. AST, KMR, OMC etc.);
- Management Consulting/Manpower Service Providers (e.g. Adecco, E&Y, Protiviti etc.);
- Office Admin Services (e.g. CBRE etc.);
- Equipment Services Vendors such as AMCs.

This definition also includes all sub-contractors, consultants and/or representatives of the Third-party. The BITSP is applicable across all geographies where information of Bharti Infratel is processed and/or stored by a Third-party.

Policy Owner: The owner of the BITSP is the Chief Information Security Officer (hereinafter referred to as CISO in this document).

1.3. Policy Statement and Objective

Security of information assets used by Third-parties for providing services to Bharti Infratel is of paramount importance, and the Confidentiality, Integrity and Availability of these assets shall be maintained at all times by the Third-parties concerned, through controls commensurate with the asset value.

The objectives of this policy are to:

- Provide the Third-party with an approach and directives for implementing information security for all information assets used by them for providing services to Bharti Infratel; and
- Ensure that the Third-party adheres to all provisions of the Third-party Security Policy.

1.4. Disciplinary Measures for Non-Compliance

Non-compliance with the BITSP is grounds for disciplinary action, up to and including termination of the contract.

1.5. Exceptions

The BITSP is intended to be the statement of information security requirements that need to be met by the Third-party. However, in case a Third-party perceives difficulty in adhering to any of the controls, an exception for an individual control may be requested by the Third-party. Exceptions are applicable only if approved by the CISO.

2. Information Security Organisation Policy (BITSP - 002)

2.1. Introduction

The Third-party is required to ensure that they have an Information Security Organisation structure in place, along with mutually-agreed responsibilities, authority and relationships, to maintain information security requirements as per the BITSP.

2.2. Policy Statement and Objective

The Third-party shall ensure that they have an Information Security Organisation in place to implement the provisions of the Third-party Security Policy.

Management Commitment to Information Security

Control Statement: The Management of the Third-party shall be committed to implementing and adhering to the information security requirements of Bharti Infratel.

Explanatory Notes: The Management of the Third-party is required to extend its full co-operation and support to the information security requirements of Bharti Infratel, and also to ensure that all its employees working for/at Bharti Infratel respect and adhere to the BITSP.

Information Security Co-ordination

Control Statement: A suitable management body to co-ordinate and maintain information security activities in Bharti Infratel shall be nominated.

Explanatory Notes: It is recommended that the Third-party ensures that all its functions, such as HR, Administration, Information Technology (IT), IAG, Legal and others, willingly co-operate and co-ordinate with Bharti Infratel to satisfy the latter's information security needs. The Third-party is required to nominate a SPOC (single point of contact) to interface with Bharti Infratel for all its information security activities. The SPOC is required to communicate the relevant sections of the BITSP to its team that caters to Bharti Infratel. The CISO of Bharti Infratel and the Third-party SPOC shall co-ordinate with each other for the implementation of the BITSP and to address any security-related issues.

Responsibility for Information Security

Control Statement: The information security responsibilities of all employees working for Bharti Infratel shall be defined and communicated.

Explanatory Notes: The Third-party shall ensure that the information security responsibilities of the Third-party are identified, documented and communicated to its employees providing services to Bharti Infratel. The employees of the Third-party are required to understand the security roles and responsibilities that they need to practise in their day-to-day operations in Bharti Infratel.

Authorisation Process for Information Processing Facilities

Control Statement: An authorisation process for new information processing facilities shall be implemented by the Third-party.

Explanatory Notes: The Third-party shall ensure that they obtain authorisation from the appropriate authority of Bharti Infratel before obtaining access to information systems and/or processing facilities of Bharti Infratel. Similarly, all new information processing facilities used for providing services to Bharti Infratel shall be set up only after receiving approval from the relevant management of the Third-party.

Personal computing devices that are not allowed into the Bharti Infratel and/or Third-party facility shall be communicated to the Third-party employees and visitors. It shall be ensured that these devices are not brought inside the facility without proper authorisation. In case these devices are brought inside the facility and are required to connect to the Bharti Infratel network, it shall be ensured that appropriate authorisation is obtained from Bharti Infratel. Any laptop or other information processing unit owned by the Third-party could introduce new vulnerabilities; therefore, controls such as antivirus updates, personal firewall software and other relevant desktop/laptop security software are required to be configured on the system before connecting it to the Bharti Infratel network. An information processing facility such as an offshore development centre of the Third-party which needs to connect to the Bharti Infratel network shall require approval from Bharti Infratel before access is permitted.

Confidentiality & Non-Disclosure Agreements

Control Statement: A Non-Disclosure Agreement with Bharti Infratel shall be signed.

Explanatory Notes: The Non-Disclosure Agreement mandates that the Third-party shall not disclose any information related to Bharti Infratel which is classified as Restricted, Confidential or Internal to Bharti Infratel. The Third-party shall ensure that they read, accept and sign the Non-Disclosure Agreement provided by Bharti Infratel.

Contact with Local Authorities

Control Statement: Appropriate contacts with all relevant local authorities shall be established and maintained.

Explanatory Notes: The Third-party is required to ensure that appropriate contacts are established with all local authorities, such as Fire, Police, Hospital(s), Ambulance and any other authorities/services which need to be contacted in case of an emergency. An individual shall be identified (preferably from the Admin function) and assigned the responsibility to maintain all such contacts.

Contact with Special Interest Groups

Control Statement: Appropriate contacts with relevant special interest groups shall be established and maintained.

Explanatory Notes: The Third-party shall establish and maintain contacts with special interest groups to ensure that its understanding of the information security environment is current, including updates on security advisories, vulnerabilities and patches. The IT security function of the Third-party should subscribe to these groups and, based on the periodic updates received, take the initiative to analyse and resolve the security issues raised. It should be ensured that contacts with these forums/groups are only for receiving alerts; users should not post any queries to such forums revealing details of the information assets or network of Bharti Infratel.

Independent Review of Information Security

Control Statement: An independent review of information security should be conducted to assess compliance with the BITSP.

Explanatory Notes: An independent review should be conducted on a yearly basis to assess the compliance of the Third-party with the BITSP. Bharti Infratel reserves the right to audit the Third-party. The independent review should be conducted by a reputed audit organisation. It is recommended that the Third-party obtains audit certification/verification from the auditors. The Third-party may need to share the audit report with Bharti Infratel if required. If, during the audit, it is found that the Third-party is not compliant with the directions stated in the BITSP, the actions stated in the clause for non-compliance shall be applicable.

2.3. Sub-Contractors

Identification of Risk Related to Sub-contractors

Control Statement: All threats and risks related to sub-contractors shall be identified and mitigated.

Explanatory Notes: The Third-party shall conduct a Risk Assessment and ensure that all risks due to sub-contractor access to Bharti Infratel information assets are identified, measured and mitigated appropriately before providing access to Bharti Infratel information assets. The Risk Assessment report is required to be shared with the CISO of Bharti Infratel prior to providing access to information and/or information-processing facilities to the sub-contractor.

Addressing Security when Dealing with Customers

Control Statement: Appropriate security controls shall be addressed when dealing with customers.

Explanatory Notes: Controls shall be in place so that information assets or the information processing environment used for providing services to Bharti Infratel are physically and logically segregated from those of other customers. Specific approval is required to be taken from the CISO for any exception to this.

Addressing Security in Sub-contractor Agreements

Control Statement: Agreements with sub-contractors who are involved in providing services to Bharti Infratel shall cover the information security requirements applicable under the BITSP.

Explanatory Notes: Agreements with sub-contractors who are engaged by the Third-party and are involved in accessing, processing, communicating or managing the information of Bharti Infratel shall cover all information security requirements in accordance with the BITSP. Additionally, the Third-party should ensure that their sub-contractors access the information assets of Bharti Infratel only after signing a formal contract and a Non-Disclosure Agreement with them. The Third-party is also required to ensure that Intellectual Property Rights are honoured by all its sub-contractors. Such contracts and Non-Disclosure Agreements entered into with sub-contractors shall be shared with Bharti Infratel if required by Bharti Infratel.

3. Asset Management Policy (BITSP - 003)

3.1. Introduction

All information assets deployed by the Third-party for providing services to Bharti Infratel shall be provided comprehensive protection. The Third-party, being the owner and/or custodian of the information assets and associated processing facilities, shall be responsible for implementing the controls defined in this policy to maintain the confidentiality, integrity and availability of these information assets.

3.2. Policy Statement and Objective

Identification, classification and CIA (Confidentiality, Integrity, Availability) valuation of information assets, including the identification of the asset owner and custodian, are extremely important in designing and implementing the required controls for the protection of the assets. The objectives of the policy are to ensure that:

- All information assets used by the Third-party in providing services to Bharti Infratel have been identified, and a designated owner and custodian appointed by the Third-party;
- All information assets are classified based on their criticality to the business; and
- All information assets receive an appropriate level of protection through the implementation of relevant controls.

3.3. Asset Register

The Third-party shall create and maintain asset registers for all information assets belonging to them that are deployed to provide services to Bharti Infratel. The asset register is required to contain, at a minimum, the following information about each asset:

- The identification and location of the asset;
- The name of the business function or process that uses the asset;
- The type and classification of the asset;
- The Asset Owner, Custodian and User; and
- The Confidentiality, Integrity and Availability ratings of the asset.

3.4. Asset Management Responsibilities

The responsibility for implementing appropriate security controls to identify, classify and protect the assets is required to be defined.

3.4.1 Inventory of Assets

Control Statement: Information assets owned by the Third-party shall be identified, and an inventory of these assets shall be documented and maintained.

Explanatory Notes: An inventory of all important assets is required to be maintained by the Third-party. Such an inventory shall include all necessary information, including the type of asset, asset owner, asset custodian, asset location (office location) and criticality value, in order to recover from a disaster. This inventory is required to be maintained in accordance with the Asset Management Procedure laid down by Bharti Infratel.

Ownership of Assets

Control Statement: Information assets that are used to provide services to Bharti Infratel shall have a designated owner from the Third-party.

Explanatory Notes: Assets owned by the Third-party and used to process information of Bharti Infratel are required to be owned by a designated individual belonging to the Third-party. The asset owner shall be responsible for the following:

- Ensuring that the assets are appropriately classified as per the Classification Guidelines (refer to BITSP section 3.5.1);
- Ensuring that assets are correctly entered in the Asset Register as per a formal Asset Management Procedure; and
- Defining, and periodically reviewing, the access rights to their respective assets.

Acceptable Use of Assets

Control Statement: The Third-party shall develop and implement rules for the acceptable use of information assets that are used to provide services to Bharti Infratel.

Explanatory Notes: The Third-party is required to ensure that its employees adhere to the acceptable-use rules developed by them.

3.5. Information Asset Classification

Information assets have different degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling. The information classification criteria shall be used by the Third-party to classify the information assets used to provide services to Bharti Infratel. Information assets that are owned by Bharti Infratel are classified by Bharti Infratel, and the Third-party has to handle them according to their classification level.

3.5.1 Classification Guidelines

Control Statement: All information assets shall be classified in terms of their value, sensitivity and criticality to Bharti Infratel.

Explanatory Notes: Important information assets shall be assigned an asset criticality rating as per the guidelines laid down in the Asset Management Procedure, to assess the relative importance of such assets to Bharti Infratel and to determine the level of security measures to be implemented for their protection. Information assets shall be classified, in terms of their sensitivity and criticality to the business of Bharti Infratel, into one of the following categories:

- Restricted: This classification applies to the most critical business information, which is intended strictly for the use of Bharti Infratel. Its unauthorised disclosure could adversely impact the Bharti Infratel business, its stockholders, its business partners and/or its customers, leading to legal and financial repercussions and adverse public opinion. Information that some people would consider to be private is included in this classification. Examples: critical servers, critical passive infrastructure devices, system access controls, system passwords, technology-related documents, engineering documents, etc.

- Confidential: This classification applies to sensitive business information, which is intended for the use of Bharti Infratel. Its unauthorised disclosure could adversely impact the Bharti Infratel business, its stockholders, its business partners, its employees and/or its customers. Examples: system configuration procedures, and internal audit reports which comprise the collective experience, knowledge, skill and information of Bharti Infratel.

- Public: This classification applies to information which has been explicitly approved by Bharti Infratel management for release to the public. By definition, there is no such thing as unauthorised disclosure of this information, and it may be freely disseminated without potential harm. Examples: advertisements and published press releases.

- Internal: This classification applies to information which is specifically meant for internal use within Bharti Infratel. While its unauthorised disclosure is against policy, it is not expected to seriously or adversely impact the business of Bharti Infratel, its employees, customers, stockholders or business partners. Examples: telephone directory, training materials and manuals, internal staff circulars.

3.5.2 Information Asset Labelling and Handling

Control Statement: The Third-party shall follow the procedures for information asset labelling and handling for all information assets that are used to provide services to Bharti Infratel.

Explanatory Notes: All information assets are required to be labelled by the Third-party and maintained as per a formal Information Labelling and Handling Guideline. These assets shall be labelled (marked) using the classification scheme, solely to indicate the level of sensitivity of the information. Public information may be excluded from labelling.

4. Human Resources Security Policy (BITSP - 004)

4.1. Introduction

The Human Resources Security Policy defines the controls that are required to be implemented and maintained during the recruitment process, during employment, and on termination or change of employment, to ensure the protection of information assets that are used to provide services to Bharti Infratel from human error, misuse, theft or fraud.

4.2. Policy Statement and Objective

All employees of the Third-party with access to the information assets of Bharti Infratel shall understand their responsibilities for the comprehensive protection of the information and processing facilities of Bharti Infratel. The objectives of this policy are to:

- Ensure that appropriate security controls are followed by the Third-party at the time of recruitment;
- Ensure that Third-party employees understand their roles and responsibilities regarding information security in Bharti Infratel;
- Reduce the risks of human error, theft, fraud or misuse of information assets; and
- Ensure that employees are aware of information security threats and concerns, and are equipped to support the BITSP in the course of their work.

Failure to adhere to information security responsibilities may entail appropriate disciplinary action.

4.3. During Recruitment

The Human Resources function of the Third-party shall ensure that security responsibilities are defined and addressed prior to employment, in adequate job descriptions and in the terms and conditions of employment. It is strongly recommended that background verification checks are conducted for the employees who will provide services to Bharti Infratel.

Roles and Responsibilities

Control Statement: The security roles and responsibilities of employees shall be defined and documented.

Explanatory Notes: The HR function of the Third-party is required to define, document and communicate the security roles and responsibilities of its employees, to ensure that they:

- Act in accordance with the BITSP;
- Protect assets from unauthorised access, disclosure, modification and destruction; and
- Execute specific security processes and activities.

Screening

Control Statement: Background verification checks shall be carried out for the employees who will provide services to Bharti Infratel.

Explanatory Notes: The Third-party is required to carry out background verification checks for employees who have access to Bharti Infratel information systems and processing facilities. They are also recommended to provide evidence of the same to Bharti Infratel.

Terms and Conditions of Employment

Control Statement: The Third-party shall ensure that their employees read and accept the terms and conditions of employment, which shall reflect the information security requirements of Bharti Infratel as specified in the BITSP.

Explanatory Notes: Before employees are deployed in Bharti Infratel to provide the services contracted, the Third-party is required to define the terms and conditions of employment and communicate them to its employees. The terms and conditions are required to include the following:

- Signing a confidentiality agreement, which may hold the employee liable for any unauthorised disclosure, modification and/or destruction of information, information systems and/or processing facilities of Bharti Infratel;
- Legal responsibilities and rights;
- The responsibility for handling information as per its level of classification;
- The responsibility for exhibiting due diligence while handling information received from external parties, and for protecting its confidentiality and integrity; and
- The actions to be taken if an employee disregards the information security requirements of Bharti Infratel.

4.4. During Employment

The HR function and concerned personnel of the Third-party are required to take appropriate actions to ensure that:

- Employees are duly informed of their information security responsibilities to maintain a reasonable level of security for the information assets and processing facilities used to provide services to Bharti Infratel; and
- An adequate level of awareness, education and training on information security is provided to all employees.

Management Responsibilities

Control Statement: The Management of the Third-party should require its employees to adhere to information security requirements in accordance with the BITSP.

Explanatory Notes: It is recommended that the Management of the Third-party ensures that its employees providing services to Bharti Infratel apply security in adherence to the BITSP. The Management of the Third-party should ensure that:

- Employees are properly informed of their roles and responsibilities towards information security in Bharti Infratel;
- Employees achieve a level of security awareness in proportion to their roles;
- Employees attend the information security awareness training programme before being deployed in Bharti Infratel premises; and
- Employees have the appropriate skills and qualifications required to do the job for Bharti Infratel.

Information Security Awareness, Education and Training

Control Statement: Employees providing services to Bharti Infratel should receive appropriate awareness training and regular updates on the BITSP and information security, as relevant to their job.

Explanatory Notes: The Third-party shall ensure that all employees receive formal training in Information Security Awareness. Inputs and updates for this will be provided by Bharti Infratel to the Third-party as and when they become available. The Third-party should ensure that they update their employees as and when these are made available.

Disciplinary Process

Control Statement: A disciplinary process for information security violations shall be established and documented. Employees shall be informed of the disciplinary process.

Explanatory Notes: A formal disciplinary process is required to be initiated for violations of the BITSP after verification that a security breach/violation involving an employee has occurred. The Third-party is required to ensure that its employees are made aware of the formal disciplinary process which may be initiated if they violate the BITSP or commit/participate in any kind of security breach.

4.5. Termination or Change of Employment Responsibility

Adequate security measures are required to be taken by the Third-party when employees undergo a role change within the Third-party organisation, withdraw from the Bharti Infratel project, or resign from the Third-party organisation. It is required to be ensured that the access rights provided to such employees on information, information assets and/or processing facilities are reduced, changed or revoked depending on the situation.

Return of Assets

Control Statement: The Third-party's employees shall return all assets in their possession that were used to provide services to Bharti Infratel upon termination of their employment.

Explanatory Notes: All Third-party employees are required to return all previously-issued software, documents, equipment, laptops, PDAs, access cards, manuals, and information stored on electronic media which were used to provide services to Bharti Infratel.

Removal of Access Rights

Control Statement: The access rights of employees shall be revoked at the time of termination, or changed when the current role of the employee changes.

Explanatory Notes: Access rights to information and information-processing facilities held by employees of the Third-party are required to be revoked upon termination or withdrawal from the Bharti Infratel project. It is required that all passwords for active accounts known to a departing employee are forcibly changed with immediate effect. In case of a change of role of a Third-party employee, the access rights are required to be revised and adjusted as appropriate, in accordance with the BITSP.

5. Physical and Environmental Security Policy (BITSP - 005)

5.1. Introduction

The Physical and Environmental Security Policy defines the appropriate controls to maintain the required physical and environmental security of information assets and information-processing facilities that are used to provide services to Bharti Infratel.

5.2. Policy Statement and Objective

Assets and facilities which house information of Bharti Infratel shall be protected from unauthorised physical access and environmental threats. All physical access and movement of information systems shall be monitored and reviewed. The objectives of the policy are to:

- Prevent unauthorised physical access to, damage to, and interference with information assets;
- Protect critical and sensitive information systems located at Third-party locations and used to provide services to Bharti Infratel by defined security perimeters, with appropriate security barriers and entry controls (recommended);
- Protect assets by implementing environmental controls to prevent damage from environmental threats; and
- Regularly conduct preventive maintenance of infrastructure equipment to ensure faultless services.

5.3. Secure Areas

An adequate level of security shall be provided to the facilities and office locations housing information assets used to provide services to Bharti Infratel.

Physical Security Perimeter

Control Statement: The Third-party shall ensure that a physical security perimeter is defined and implemented for office locations and facilities housing information assets that are used to provide services to Bharti Infratel.

Explanatory Notes: The Third-party is required to ensure that a physical security perimeter is used to secure all facilities where the information systems used to provide services to Bharti Infratel are hosted. Physical security perimeters such as walls, card-controlled entry gates and/or manned reception desks should be used to secure the facility.

5.3.2 Physical Entry Controls
Control Statement: Secure areas within the facility of the Third-party shall be protected by appropriate entry controls to ensure that only authorised access is possible.
Explanatory Notes: The Third-party is recommended to ensure that only authorised persons are given access to secure areas (areas hosting information systems/equipment). Access to all such areas should be controlled, recorded and monitored by the Third-party. The secure areas shall have physical security checkpoints.

5.3.3 Securing Offices, Rooms and Facilities
Control Statement: Physical security controls for offices, rooms and facilities should be designed and applied.
Explanatory Notes: The Third-party is recommended to ensure that offices, rooms and facilities that store critical information of Bharti Infratel are secured. The following is recommended to be considered:
- Relevant safety regulations and standards are implemented;
- Key facilities should be sited securely so as to avoid access by the public; and
- Where applicable, buildings should be unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information-processing activities that are used to provide services to Bharti Infratel.

5.3.4 Protection against External and Environmental Threats
Control Statement: Protection against damage from natural and man-made disasters shall be designed and implemented.
Explanatory Notes: Physical protection against damage from fire, flood, earthquake, explosion, civil unrest and other forms of environmental, natural or man-made disaster is required to be designed and applied. It should be considered that:
- Adequate air-conditioning and humidity-control systems are implemented to support information systems and equipment that are used to provide services to Bharti Infratel;
- Fire suppression systems are installed wherever applicable;
- Hazardous and combustible material and stationery items are stored at a secure distance from the secure area;
- Adequate power supply controls are implemented to ensure continuous power supply at the facilities being used to provide services to Bharti Infratel; and
- Fallback equipment and back-up media are sited at a different location to ensure continuity of business operations.

5.3.5 Working in Secure Areas
Control Statement: Guidelines for working in secure areas shall be designed and implemented.
Explanatory Notes: The Third-party is required to ensure that the following guidelines are followed:
- Personnel should be aware of the existence of, or activities within, a secure area only on a need-to-know basis;
- Unsupervised working in secure areas is required to be avoided, to prevent opportunities for malicious activity;
- Vacant secure areas are required to be physically locked and periodically checked; and
- Photographic, video, audio or other recording equipment, such as cameras in mobile devices, shall not be allowed in restricted areas unless authorised by the management of the Third-party.

5.3.6 Public Access, Delivery and Loading Areas
Control Statement: All loading and unloading areas shall be isolated from information-processing facilities that are used for providing services to Bharti Infratel.
Explanatory Notes: Entry points at the Third-party's location, such as delivery and loading areas and other points where unauthorised personnel may enter, are required to be controlled and isolated from information-processing facilities to avoid unauthorised access.

5.4. Equipment Security
Security controls shall be implemented to prevent loss, damage or theft of any equipment, compromise of information systems and interruption to the services provided to Bharti Infratel by the Third-party. "Equipment" hereinafter refers to the systems that are used to store and process information of Bharti Infratel. They include, but are not limited to, laptops, desktops, servers and network devices.

5.4.1 Equipment Siting and Protection
Control Statement: All equipment used to provide services to Bharti Infratel shall be sited and protected to reduce the risks from environmental threats and hazards and the opportunities for unauthorised access.
Explanatory Notes: All equipment used to provide services to Bharti Infratel is required to be protected against environmental threats and unauthorised access. It is required to ensure that:

- Equipment is appropriately located and security controls are put in place to reduce the risk of potential threats (e.g., theft, fire, explosives, smoke, flooding, dust, vibration, chemical effects, electrical supply interference) to its continuous use;
- Appropriate controls, such as for temperature and humidity, are implemented for the safety of the equipment;
- Guidelines for eating, drinking and smoking in the proximity of any equipment are established; and
- All equipment that processes sensitive data of Bharti Infratel is positioned in such a way as to restrict the viewing angle, in order to reduce the risk of information being viewed by unauthorised personnel.

5.4.2 Supporting Utilities
Control Statement: All equipment used to provide services to Bharti Infratel shall be protected from power failures and other disruptions caused by failure of supporting utilities.
Explanatory Notes: The Third-party is required to ensure that:
- All supporting utilities, such as electricity, water supply, sewage, heating/ventilation and air-conditioning, are in appropriate condition for the systems being used to provide services to Bharti Infratel;
- Uninterruptible Power Supply (UPS) systems and generators are installed to support controlled shutdown or continued functioning of equipment being used to provide services to Bharti Infratel;
- An alarm system to highlight any malfunction of any of the supporting utilities is installed; and
- Adequate contacts are in place with vendors to provide services whenever there is an emergency.

5.4.3 Cabling Security
Control Statement: Power and telecommunication network cables shall be protected from damage or interception.
Explanatory Notes: In places where Bharti Infratel information assets are housed for maintenance, the Third-party is required to identify and mark the network cables, and their corresponding terminals, that are used to provide services to Bharti Infratel. The Third-party is required to segregate power cables from communication cables by running them through separate conduits, to prevent interference.

5.4.4 Equipment Maintenance
Control Statement: All equipment shall be appropriately maintained to ensure its continued availability and integrity.
Explanatory Notes: All equipment that is used for providing services to Bharti Infratel is required to be maintained in accordance with the supplier's recommended service intervals and specifications. A preventive maintenance exercise for all equipment being used to provide services to Bharti Infratel is required to be conducted at scheduled intervals, ensuring its continued availability and integrity. The Third-party shall ensure that appropriate controls are applied to prevent any information leakage or destruction when equipment is scheduled for preventive maintenance.

5.4.5 Security of Equipment Off-premises
Control Statement: Security shall be applied to off-site equipment, taking into account the different risks of working outside the premises.
Explanatory Notes: All equipment being used for Bharti Infratel (e.g., towers, backup media and laptops) is required to receive the appropriate level of protection against physical and environmental threats. Equipment that is used for providing services to Bharti Infratel and is installed outside the Third-party's premises is to be monitored at regular intervals. The Third-party is required to ensure that no information asset of Bharti Infratel is taken out without an authorised gate pass signed by the concerned authorised personnel.

5.4.6 Secure Disposal and Re-use of Equipment
Control Statement: Equipment containing information of Bharti Infratel shall be disposed of in a secure manner.
Explanatory Notes: Equipment such as OSS and data switches, containing information such as configuration parameters for Bharti Infratel, is required to be erased and/or disposed of in a secure manner. If equipment is unrepairable, it shall be physically destroyed. In case of re-use of such equipment, the Third-party shall ensure that all information and configuration parameters used for Bharti Infratel are securely erased; formatting alone does not make stored data unrecoverable.

5.4.7 Removal of Property
Control Statement: Equipment, information or software shall not be taken off-site without prior authorisation.
Explanatory Notes: Any equipment, information system, storage device or software holding information that belongs to Bharti Infratel shall not be taken outside the Third-party's premises without prior authorisation from the management of the Third-party. A gate pass shall be used as the means to prevent any unauthorised removal of property.

6. Communication and Operations Management Policy (BITSP 006)

6.1. Introduction
The Communication and Operations Management Policy establishes appropriate controls, including the development of operating procedures, monitoring of user activities and deployment of appropriate technology, to prevent unauthorised access to, misuse of or failure of information systems and equipment, and to ensure the confidentiality, integrity and availability of information that is processed by, or stored in, those information systems and equipment.

6.2. Policy Statement and Objective
The Third-party shall ensure that all defined procedures are followed and implemented to ensure secure and correct operations. The objectives of the policy are to:
- Develop documented operating procedures for the information systems and computing devices used to provide services to Bharti Infratel;
- Ensure protection of information during its transmission over communication networks;
- Protect the integrity of software and information against malicious code;
- Develop an appropriate backup strategy and monitoring plan for protecting the integrity and availability of information;
- Have appropriate controls over storage media to prevent their damage and/or theft; and
- Maintain security during information exchange with other organisations.

6.3. Operational Procedures and Responsibilities

6.3.1 Documented Operating Procedures
Control Statement: Standard operating procedures pertaining to all system activities shall be documented, maintained and followed.
Explanatory Notes: Procedures are required to be in place to ensure that the activities performed for day-to-day system operations are carried out in a secure manner. The Third-party is required to document all operating procedures needed to maintain the confidentiality, integrity and availability of each specific platform or application. The Third-party is required to ensure that the procedures are made available to all of its employees who are involved in the respective operations and processes for Bharti Infratel. All system and application administrators shall ensure that operating procedures are kept up to date in line with any system changes. The procedures are required to include, but are not limited to, the following:
- Any automated or scheduled processes that run on the system or application associated with Bharti Infratel information;
- Day-to-day operational tasks that need to be performed by the operator;
- The actions to be performed when an error or an exceptional condition occurs, including contact details for people who may be required to assist or who may have a dependency on that service;
- The actions required for start-up, restart or shutdown of the system or application associated with Bharti Infratel information;
- The actions performed for system or application backup;
- The actions performed for system or application recovery or restoration;
- The actions performed for handling of information, for example backup tapes or disposal of output (such as printed output) from failed runs of automated processes; and
- Management of audit trail and system log information.

6.3.2 Change Management
Control Statement: A formal Change Management Process shall be developed and implemented for carrying out changes to information systems associated with Bharti Infratel.
Explanatory Notes: To ensure that the security of the systems/environments is not compromised, the Third-party is required to manage changes in the production systems/environment of assets used to provide services to Bharti Infratel. The Third-party shall ensure that:
a. Change control is applied to all security aspects of the production applications and infrastructure associated with Bharti Infratel;
b. All Third-party service providers manage the changes to the systems and services supplied to Bharti Infratel; and
c. All approved changes are tested in a test setup prior to implementing them on the production systems.

6.3.3 Patch Management
Control Statement: A formal Patch Management Process shall be developed and implemented for applying patches to the information systems associated with Bharti Infratel.
Explanatory Notes: The Third-party is required to apply patches to the systems being used to provide services to Bharti Infratel in a timely manner, so that the systems run at their optimum level and the threat from vulnerabilities and malicious agents is reduced to an acceptable level. Patches are changes to production systems and are therefore subject to the Change Management Process in 6.3.2, including testing before deployment.

6.3.4 Segregation of Duties
Control Statement: Duties and areas of responsibility should be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of assets.
Explanatory Notes: The Third-party is recommended to implement segregation of duties so that no single user has the opportunity to subvert any security control associated with Bharti Infratel information. No one employee of the Third-party should be responsible for more than one of the following duties at any given point in time: data entry, computer operation, network management, system administration, systems development, change management, security administration, security audit, security monitoring. Where segregation of duties is not possible or practical, the process is recommended to include compensating controls such as monitoring of activities, maintenance and review of audit trails, and management supervision. The possibility of collusion shall be considered in the design and deployment of the compensating control.

6.3.5 Separation of Development, Test and Operational Facilities
Control Statement: Development, test and operational facilities which are used to provide services to Bharti Infratel shall be separated to reduce the risk of unauthorised access or changes to the operational system.
Explanatory Notes: The development and production facilities/environments used to provide services to Bharti Infratel are required to be physically and/or logically separated.
a. Development and operational software is required to run on different systems;
b. Compilers, editors and other development tools or system utilities shall not be accessible from operational systems when not required;
c. Sensitive data shall not be copied into the test environment for testing purposes; and
d. A formal Change Management Process is required to be followed for implementing any changes to the development, test and operational facilities.

6.4. Sub-Contractor Service Delivery Management
In the course of providing services to Bharti Infratel, the Third-party may outsource some services to a Sub-contractor. When using the services of a Sub-contractor, the Third-party shall ensure that the agreed service delivery levels are met and that security controls are adhered to by the Sub-contractor. The Third-party shall monitor and review the services of its Sub-contractor on an ongoing basis to ensure that the services offered to Bharti Infratel are supported without interruption.

6.4.1 Service Delivery
Control Statement: The appropriate security controls, service definitions and delivery levels included in the Sub-contractor service delivery agreement shall be implemented, operated and maintained.
Explanatory Notes: Service delivery by a Sub-contractor is required to include the agreed security arrangements, service definitions and other aspects of service management. The Third-party is required to ensure that the Sub-contractor maintains sufficient service capability, together with workable plans designed to ensure that the agreed service continuity levels to Bharti Infratel are maintained.

6.4.2 Monitoring and Review of Sub-contractor Services
Control Statement: A documented process shall be established to ensure that the services, reports and evidence provided by Sub-contractors who are involved in providing services to Bharti Infratel are monitored and reviewed on a defined periodic basis.
Explanatory Notes: The Third-party is required to monitor and review Sub-contractor services to ensure that the BITSP is being adhered to and that information security incidents and problems are managed properly. Audits to assess the compliance of the Sub-contractor's services with the agreed contract shall be conducted on a periodic basis. The responsibility for managing the relationship with a Sub-contractor of the Third-party is required to be assigned to a designated individual or service management team.

6.4.3 Managing Changes to Sub-contractor Services
Control Statement: A documented procedure to control changes pertaining to a Sub-contractor's services shall be implemented.
Explanatory Notes: The Third-party is required to ensure that all changes pertaining to the Sub-contractor's services are maintained, agreed and documented. Services to Bharti Infratel shall not be disrupted by any change in service levels between the Third-party and its Sub-contractor.

6.5. System Planning and Acceptance

6.5.1 Capacity Management
Control Statement: Resource utilisation shall be monitored, and projections shall be made of future capacity requirements, to ensure adequate system performance.
Explanatory Notes: The Third-party is required to ensure that the capacity of the systems used to provide services to Bharti Infratel is monitored on a periodic basis. Capacity planning shall be carried out by the Third-party to identify future capacity requirements and enhancements. This applies in particular to security-related logging, analysis and exception reporting for the systems being used to provide services to Bharti Infratel, so that security logging does not fail for lack of storage. The system/application administrator shall monitor capacity utilisation and project future capacity requirements to ensure that adequate processing power and storage are available for the systems that are used to provide services to Bharti Infratel.

6.5.2 System Acceptance
Control Statement: Acceptance criteria for new information systems, upgrades and new versions shall be defined and followed.
Explanatory Notes: The acceptance criteria for new information systems, upgrades and new versions of systems/software are required to be followed by the Third-party for any new system that is deployed to provide services to Bharti Infratel. The following is recommended to be considered prior to formal acceptance:
a. Performance and computer capacity requirements;
b. Error recovery and restart procedures;
c. Contingency plans;
d. The agreed set of security controls being in place;
e. Effective manual procedures;
f. Evidence that installation of the new system will not adversely affect existing systems;
g. Training in the operation or use of the new system; and
h. Ease of use, as this affects user performance and avoids human error.

6.6. Protection against Malicious and Mobile Code

6.6.1 Controls Against Malicious Code
Control Statement: Appropriate controls for the detection and prevention of malicious code, and for the recovery of information systems from it, shall be developed and implemented.

Explanatory Notes: Malicious code is code capable of causing a system to malfunction or to act against its owner's interests; examples are viruses, Trojan horses, worms, adware, spyware and backdoors. The Third-party is required to design and implement prevention, detection and recovery controls for malicious code on all information systems associated with Bharti Infratel. The implemented controls are required to address the latest vulnerabilities and weaknesses that can bring a system down or result in information disclosure, destruction or modification.

6.6.2 Controls Against Mobile Code
Control Statement: Only authorised mobile code shall be allowed to execute on the information systems and in the network environment.
Explanatory Notes: Mobile code is software, such as ActiveX controls or Java applets, that is transferred from one computer to another and then executes automatically, performing a specific function with little or no user interaction. The Third-party is required to allow only authorised code to be executed. Appropriate safeguards are required to be implemented in the information systems to prevent the execution of unauthorised mobile code.

6.7. Back-up

6.7.1 Information Back-up
Control Statement: Information back-up shall be performed as per a formal Back-up Procedure approved by Bharti Infratel.
Explanatory Notes: The information of Bharti Infratel which is managed by the Third-party is required to be backed up in accordance with the Back-up Procedure. Restoration testing is required to be conducted on the backed-up data at regular intervals, as defined by Bharti Infratel, and logs of backup and restoration shall be stored with restricted access. Log analysis shall be carried out for all failed backups and restorations, and corrective actions shall be taken.

6.8. Network Management
Development and implementation of network management controls is required to manage and maintain the security of information effectively. These controls shall be applied to networking devices such as switches and routers, and to any network-attached host or system.

6.8.1 Network Controls
Control Statement: The Third-party shall ensure the security of the networks being used to provide services to Bharti Infratel.

Explanatory Notes: The Third-party is required to design and implement appropriate network controls to safeguard information of Bharti Infratel. Controls shall also be implemented to maintain the availability of network services and of the computers connected to them. Operational responsibility for managing the network is required to be segregated from that for system management. Responsibility for managing remote equipment shall be established. Appropriate logging and monitoring shall be applied to enable the recording of security-relevant actions.

6.8.2 Wireless Local Area Network (WLAN)
Control Statement: A wireless infrastructure used to provide services to Bharti Infratel should be designed, deployed and maintained taking into account the appropriate information security requirements.
Explanatory Notes: The following measures are recommended to be implemented by the Third-party for the security of the Wireless Local Area Network (hereinafter referred to as WLAN):
a. The WLAN should be separated from the wired LAN by a firewall;
b. All wireless communication devices should be configured appropriately, including secure configuration of access points and of wireless client devices such as laptops/workstations;
c. A strong key management system is recommended to be implemented for the authentication of clients connecting to the WLAN associated with Bharti Infratel;
d. Appropriate physical and environmental security controls should be implemented to protect wireless access points against theft and damage; and
e. A wireless intrusion detection system is recommended to be deployed to identify and respond to rogue access points, intruders, poorly configured wireless access points, and attacks and misuse directed over the WLAN associated with Bharti Infratel.

6.8.3 Firewall
Control Statement: A firewall management standard and procedure shall be established and implemented for all firewalls used to provide services to Bharti Infratel.
Explanatory Notes: A firewall segments the network according to risk level; information systems with similar risk levels shall be placed in one segment. For example, if the firewall segregates the internal network from the Internet, there shall be a minimum of three segments: one for the Internet, one for the internal network, and one for systems that are accessed from both the internal network and the Internet, called the demilitarised zone (DMZ). The following controls shall be ensured:
a. An up-to-date, reviewed and approved network diagram showing all connections to and from the firewall shall be documented;
b. A documented list of the services and ports required to be enabled shall be available;
c. An operating procedure for firewall policy changes, performance monitoring, firewall backup and firewall change control shall be documented; and
d. Audit and logging shall be enabled on the firewall to ensure that all critical accesses and changes to the firewall configuration and policy are tracked. These logs shall be regularly reviewed by the firewall administrator.

6.8.4 Security of Network Services
Control Statement: The network services that are enabled shall be securely configured, and services that are not required for the business shall be disabled.
Explanatory Notes: The network services that are required for the business shall be identified and documented. Non-essential services shall be disabled on all information systems. Services found to be vulnerable shall be fixed (patched or reconfigured) or, where that is not possible, mitigated by alternative controls on the information systems.
a. The security arrangements necessary for particular services, such as security features, service levels and management requirements, shall be identified. The Third-party shall ensure that these measures are implemented stringently to maintain the security and availability of network services;
b. Network services may include the provision of private network services, value-added services and managed security solutions such as firewalls and intrusion detection/prevention systems;
c. The security features of network services shall include the following:
   i. The technology applied for the security of network services, such as authentication, encryption and network connection controls;
   ii. The technical parameters required for secure connection with the network services, in accordance with the security and network connection rules; and
   iii. Procedures for network service usage to restrict access to network services or applications, where necessary; and
d. Changes to the security of network services in Bharti Infratel shall follow the steps/measures enumerated in a formal Change Management Process.
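As an added example for 6.8.3 (b) and 6.8.4 (example code written for this edit, not part of the BITSP nor of any firewall product), the script below parses a constructed zone-to-zone rule base in a simple text form, checks every allow rule against the documented list of services and ports, flags rules that let the Internet reach the internal segment directly (bypassing the DMZ in the three-segment model), rules that open every service, and documented services for which no rule exists, and checks that the rule base ends in an explicit deny-all. The rule syntax, zone names, services and ports are all invented for the example.

```python
"""Firewall rule-base audit against the documented services list (added example).

Rule syntax (invented for this example):
    allow|deny <src-zone> -> <dst-zone> <proto>/<port>|any
Zones follow the three-segment model of 6.8.3: internet, dmz, internal.
"""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "action src dst service")
RULE_RE = re.compile(r"^(allow|deny)\s+(\w+)\s*->\s*(\w+)\s+(\w+/\d+|any)$")
DENY_ALL = Rule("deny", "any", "any", "any")

# Constructed rule base, as if exported from a hypothetical firewall.
RULES_TEXT = """
# web front-ends in the DMZ
allow internet -> dmz tcp/443
# DMZ application tier to the internal database
allow dmz -> internal tcp/1521
# administrators reach DMZ hosts over HTTPS
allow internal -> dmz tcp/443
# left over from a troubleshooting session: bypasses the DMZ
allow internet -> internal tcp/3389
# telnet is not in the documented services list
allow dmz -> internal tcp/23
# far too broad: opens every service outbound
allow internal -> internet any
deny any -> any any
"""

# 6.8.3 (b): the documented list of services and ports required to be enabled.
DOCUMENTED = {
    ("internet", "dmz", "tcp/443"),
    ("dmz", "internal", "tcp/1521"),
    ("internal", "dmz", "tcp/443"),
    ("internal", "internet", "tcp/443"),
}


def parse_rules(text):
    """Parse the rule text into Rule tuples; comments and blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable rule: {raw!r}")
        rules.append(Rule(*m.groups()))
    return rules


def audit(rules, documented):
    """Return (finding, rule) pairs; an empty list means the rule base passes."""
    findings = []
    if not rules or rules[-1] != DENY_ALL:
        # Anything not explicitly allowed must be dropped.
        findings.append(("no_default_deny", None))
    allows = [r for r in rules if r.action == "allow"]
    for r in allows:
        if r.src == "internet" and r.dst == "internal":
            # Violates the three-segment model: Internet traffic must terminate in the DMZ.
            findings.append(("internet_to_internal", r))
        if r.service == "any":
            findings.append(("any_service", r))
        if (r.src, r.dst, r.service) not in documented:
            # 6.8.4: only documented, business-required services may be enabled.
            findings.append(("undocumented_service", r))
    enabled = {(r.src, r.dst, r.service) for r in allows}
    for entry in sorted(documented - enabled):
        # Documentation drift: the list says it is needed, the firewall does not allow it.
        findings.append(("documented_but_not_enabled", Rule("allow", *entry)))
    return findings


if __name__ == "__main__":
    for finding, rule in audit(parse_rules(RULES_TEXT), DOCUMENTED):
        print(f"{finding:28} {rule if rule else ''}")
```

A real deployment would replace `parse_rules` with a parser for the vendor's export format; the audit logic and the documented-services list are the part that the firewall change-control procedure of 6.8.3 (c) should run before every policy change is approved.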

6.9. Media Handling

6.9.1 Management of Removable Media
Control Statement: A formal Removable Media Management Guideline shall be developed and implemented for any media containing information of Bharti Infratel.
Explanatory Notes: The Third-party shall ensure that it develops and implements the Removable Media Management Guideline. The developed procedure shall include re-use, storage availability, registration and authorisation of removable media.

6.9.2 Disposal of Media
Control Statement: All media containing information of Bharti Infratel shall be disposed of as per a formal Media Disposal Procedure.
Explanatory Notes: Devices containing information of Bharti Infratel are required to be disposed of in a secure manner. Devices such as magnetic media and optical media are required to be physically destroyed. Third-party personnel are required to ensure the disposal of media as per a formal Media Disposal Procedure. When magnetic media has to be re-used, it shall be degaussed to eradicate all information and make it non-retrievable; degaussing has no effect on solid-state (flash) media, which must be physically destroyed. All print media, such as hard copies, shall be disposed of using shredders. Disposal shall be done by authorised users only.

6.9.3 Information Handling Procedures
Control Statement: The Third-party shall implement and follow Information Labelling and Handling Guidelines to ensure that information pertinent to Bharti Infratel is handled accordingly.
Explanatory Notes: The Information Labelling and Handling Guidelines shall be developed and implemented to handle information on media pertinent to Bharti Infratel. Access restrictions shall be implemented to prevent access to information of Bharti Infratel by unauthorised personnel.

6.9.4 Security of System Documentation
Control Statement: The Third-party shall ensure that the system documentation of systems used to provide services to Bharti Infratel is protected against unauthorised access.
Explanatory Notes: Appropriate security measures shall be implemented by the Third-party to maintain the security of the system documentation for all information systems used to provide services to Bharti Infratel. To secure system documentation, the following shall be considered:
a. System documentation shall be stored securely;

37 b. The distribution list for system-documentation shall be limited to those personnel who require it on a need-to-know basis. c. System-documentation held on a public network, or supplied via a public network, shall be protected appropriately. d. All system documentations are required to be classified as per the Asset Management Policy and handled as per a formal Information labelling and handling guideline Exchange of Information Information Exchange Policies and Procedures Control Statement: Formal exchange policies, procedures and controls shall be put in place to protect the exchange of information through the use of various types of communication facilities. Explanatory Notes: Appropriate security controls should be implemented for exchange of business information or software assets between the Third-party, sub-contractors and Bharti Infratel. The following shall be considered: a. Policy or guidelines outlining acceptable use of electronic communication facilities; b. Ensuring that sensitive or critical information of Bharti Infratel is not left unattended on printing facilities (copiers, printers or facsimile machines), as these may be accessed by unauthorised personnel; and c. Reminding the personnel that they shall take appropriate precautions not to reveal sensitive information inadvertently, as being overheard or intercepted when making a phone call, by: i. People in their immediate vicinity, particularly when using mobile phones; ii. iii. Wiretapping and other forms of eavesdropping through physical access to the phone handset or the phone line, or using scanning receivers; and People at the recipient s end Exchange Agreements Control Statement: The Third-party shall ensure that they maintain appropriate information exchange agreements with the sub-contractors who are involved in providing services to Bharti Infratel. Explanatory Notes: Agreements shall be made between the Third-party and sub-contractor or customers. 
The exchange agreements shall include, but not limited, to the following: a. Procedures for notifying the sender of transmission, dispatch and receipt;

38 b. Procedures to ensure traceability and non-repudiation; c. Courier-identification standards; and d. Responsibilities and liabilities in the event of information security incidents, such as loss of data Physical Media in Transit Control Statement: Media containing sensitive information of Bharti Infratel shall be protected against unauthorised access, misuse or corruption during transportation within and beyond the physical boundaries. Explanatory Notes: The documents and removable media carrying information of Bharti Infratel (other than the information classified as Public ) shall be transported using only authorised courier agency. These courier agencies are required to sign a Non-Disclosure Agreement with the thirdparty. All Third-party employees carrying media are required to ensure its protection during transit Electronic Messaging Control Statement: The Third-party shall ensure that the information of Bharti Infratel is protected appropriately while using electronic messaging facilities. Explanatory Notes: Bharti Infratel recognises the importance of the electronic mail system for business operations and understands that the system of the Third-party may contain information of Bharti Infratel. The Third-party shall ensure that its system is not vulnerable to unauthorised access, modification and/or misuse and shall implement relevant security guidelines (applicable to their organisation), consisting of appropriate security measures in order to protect information of Bharti Infratel Business Information Systems Control Statement: Appropriate security controls shall be developed and implemented to protect the information processed through the interconnection of business information systems. Explanatory Notes: Business Information systems are opportunities for faster dissemination and sharing of business information using a combination of documents, computers, mobile communication, mails, voice mail and other means. 
The consideration given to the security and business implications of interconnecting the Bharti Infratel and Third-party networks shall include the following:

a. Vulnerabilities of information in business communication systems, e.g., recording phone calls or conference calls, confidentiality of calls, storage of facsimiles, opening mail, distribution of mail;
b. Appropriate controls to manage information sharing; and
c. Restricting access to information relating to selected individuals, e.g., personnel working on sensitive projects.

Electronic Commerce Services

Electronic Commerce

Control Statement: The Third-party shall ensure that the information involved in electronic commerce passing over public networks is protected from fraudulent activity, contract dispute and unauthorised disclosure and/or modification.

Explanatory Notes: The Third-party shall ensure that the information involved in electronic commerce is secured and that the following controls are followed:

a. An appropriate authentication mechanism shall be implemented in the applications facilitating the online transaction and secure web services;
b. Prior to the online transaction, it shall be ensured that trading partners are fully informed of their authorisations; and
c. The confidentiality and integrity of any order, transactions, payment information, delivery address details and confirmation of receipts shall be maintained only through a secure channel.

On-Line Transactions

Control Statement: Appropriate controls shall be applied to protect the information involved in online transactions.

Explanatory Notes: The Third-party shall ensure that incomplete transmission, misrouting, unauthorised message alteration, unauthorised disclosure and unauthorised message duplication or replay are prevented in on-line transactions related to Bharti Infratel. The communications path between all parties involved in an online transaction shall be set up using a secure protocol such as Secure Socket Layer (SSL).

Publicly Available Systems

Control Statement: Information published on a publicly-available system shall be protected from unauthorised modification.
Explanatory Notes: Adequate security controls shall be put in place to ensure the confidentiality, integrity and availability of information related to Bharti Infratel contained in publicly-available systems of the Third-party. The publicly available systems owned by the Third-party shall be tested against vulnerabilities, and it shall be ensured that the identified vulnerabilities are fixed prior to publishing the information on such systems.

Monitoring

Audit Logging

Control Statement: The audit logs recording user activities, exceptions and security events shall be appropriately enabled and stored.

Explanatory Notes: The Third-party should ensure that audit logs are enabled on critical systems and stored for a reasonable period, as decided by Bharti Infratel in the contract. In accordance with the business requirement, user activities, exceptions and security events should be recorded. Access control monitoring of the systems related to Bharti Infratel shall be done periodically. The logs shall be monitored and analysed for any possible unauthorised use of information systems. Privacy protection measures shall be taken for the audit logs of these systems. It shall be ensured that system administrators do not have permissions to erase or de-activate logs of their own activities.

Monitoring System Use

Control Statement: The utilisation of information systems that are used to provide services to Bharti Infratel shall be monitored and controlled.

Explanatory Notes: The results of the monitoring activities are required to be reviewed at regular intervals by the Third-party. The intervals shall be decided as per the criticality of the information systems, and a consolidated report for all reviewed monitoring activities shall be prepared. An appropriate tool for storing and monitoring the logs shall be implemented by the Third-party. Log storing and monitoring shall cover the following:

a. Authorised access;
b. All privileged operations;
c. Unauthorised access attempts; and
d. Changes to, or attempts to change, system security settings and controls.

Protection of Log Information

Control Statement: Logging facilities and log information shall be protected against tampering and unauthorised access.
Explanatory Notes: The log information of systems/equipment/network devices used to provide services to Bharti Infratel shall be protected against unauthorised access, alterations and operational problems. The Third-party shall ensure that access to logs is provided only on a need-to-know and need-to-have basis. Appropriate controls shall be implemented to prevent:

a. Alterations to the message types that are recorded;
b. Log files being edited or deleted; and
c. The storage capacity of the logging media being exceeded.

Administrator and Operator Logs

Control Statement: System administrator and system operator activities shall be logged.

Explanatory Notes: The information systems being used to provide services to Bharti Infratel are required to be configured in such a way that system administrator and system operator activities are logged and are secure from unauthorised modification. The system administrator and system operator shall not have rights to access administrator and operator logs. The logs shall be reviewed by an independent person so as to identify any malpractice.

Fault Logging

Control Statement: Fault logging shall be enabled and analysed, and appropriate action shall be taken on the faults logged.

Explanatory Notes: The Third-party is required to maintain logs of all faults related to data processing problems and communication systems that are used to provide services to Bharti Infratel. The Third-party shall ensure that such issues are corrected as per the Service Level Agreement (hereinafter referred to as the SLA). The Third-party shall also ensure that root-cause analysis is carried out to prevent any recurrence of faults.

Clock Synchronisation

Control Statement: The clock time of critical systems that are used to provide services to Bharti Infratel should be synchronised with an accurate time source.

Explanatory Notes: Systems/equipment being used to provide services to Bharti Infratel shall be synchronised with a Network Time Protocol server. The clock time shall be identical across all systems used to provide services to Bharti Infratel.
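The following Python script is an added illustration of the monitoring controls above and is not part of the policy document: it sorts constructed audit-log lines into the four categories log monitoring is required to cover (authorised access, privileged operations, unauthorised access attempts, changes to security settings), escalates any attempt to erase or disable logging for independent review, and lists users with repeated failed attempts. The log format, event names and sample lines are all constructed for the example.

```python
"""Consolidated log review against the monitoring categories in this policy.
The line format, event vocabulary and SAMPLE_LOG are constructed; a real
deployment would map its own audit source (syslog, auditd, Windows events)
onto the same categories."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed line format: "<time> host=<h> user=<u> event=<e> result=<r> [detail=<text>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)(?: detail=(?P<detail>.*))?$"
)

PRIVILEGED = {"sudo", "su", "service_restart"}                     # b. privileged operations
SECURITY_SETTING = {"policy_change", "firewall_rule", "user_add"}  # d. security settings
LOG_TAMPER = {"log_clear", "log_delete", "audit_disable"}          # protection of log information
ESCALATE = ("security_setting_change", "log_tampering")            # needs independent review

SAMPLE_LOG = [  # constructed sample lines
    "2012-10-30T09:01:05Z host=app01 user=asingh event=login result=success",
    "2012-10-30T09:03:11Z host=app01 user=asingh event=sudo result=success detail=systemctl restart httpd",
    "2012-10-30T09:10:42Z host=db01 user=guest event=login result=failure",
    "2012-10-30T09:10:50Z host=db01 user=guest event=login result=failure",
    "2012-10-30T09:10:58Z host=db01 user=guest event=login result=failure",
    "2012-10-30T10:15:00Z host=app01 user=root event=policy_change result=success detail=PASS_MAX_DAYS 45 -> 99999",
    "2012-10-30T10:16:30Z host=app01 user=root event=log_clear result=denied detail=/var/log/audit/audit.log",
    "this line is not in the expected format",
]


@dataclass
class Finding:
    category: str
    user: str
    ts: str
    detail: str


def classify(line):
    """Map one log line to a monitoring category; unparsable lines are kept, not dropped."""
    m = LINE_RE.match(line)
    if not m:
        return Finding("unparsed", "-", "-", line)
    event, result = m["event"], m["result"]
    if event in LOG_TAMPER:
        category = "log_tampering"          # an attempt counts even when it was denied
    elif event in SECURITY_SETTING:
        category = "security_setting_change"
    elif event in PRIVILEGED:
        category = "privileged_operation"
    elif event == "login" and result == "success":
        category = "authorised_access"
    elif result in ("failure", "denied"):
        category = "unauthorised_attempt"
    else:
        category = "other"
    return Finding(category, m["user"], m["ts"], m["detail"] or "")


def review(lines, failure_threshold=3):
    """Consolidated review report: category counts, findings for independent
    review, and users whose failed attempts reached the threshold."""
    findings = [classify(line) for line in lines]
    counts = Counter(f.category for f in findings)
    failures = Counter(f.user for f in findings if f.category == "unauthorised_attempt")
    return {
        "counts": dict(counts),
        "escalate": [f for f in findings if f.category in ESCALATE],
        "repeated_failures": sorted(u for u, n in failures.items() if n >= failure_threshold),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    print(report["counts"])
    for f in report["escalate"]:
        print("REVIEW", f.ts, f.user, f.category, f.detail)
    print("repeated failures:", report["repeated_failures"])
```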

7. Access Control Policy (BITSP 007)

7.1. Introduction

The Access Control Policy defines the appropriate access controls that need to be put in place by the Third-party to prevent unauthorised access to information systems that are used to provide services to Bharti Infratel.

7.2. Policy Statement and Objective

Access to information assets that are used to provide services to Bharti Infratel shall be controlled, based on the business and security requirements and commensurate with asset classification. The objectives of the Access Control Policy are to:

a. Control the access to information, information systems and processing facilities as per the business requirement of Bharti Infratel;
b. Prevent unauthorised access to information systems, networked services, operating systems and information held in application systems associated with Bharti Infratel information;
c. Ensure that security controls are in place while using the mobile computing and teleworking facilities associated with Bharti Infratel information; and
d. Ensure that information access controls are implemented to meet relevant legislation, contractual and statutory requirements.

7.3. User Access Management

Procedures shall be developed to control the allocation of access rights to information systems and services. The Third-party shall ensure that the procedures cover all stages in the life-cycle of user access, from the initial registration of new users in Bharti Infratel to the final de-registration of users who no longer require access to information systems and services. Special attention shall be given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.

7.3.1 Access Control Policy

Control Statement: Access control shall be implemented and applied to all information systems/equipment/network devices that are used to provide services to Bharti Infratel.
Explanatory Notes: Access control rules and rights for each user or group of users shall be clearly stated. Access controls are both logical and physical, and these shall be considered together to prevent any unauthorised access to information assets that are used to provide services to Bharti Infratel.

7.3.2 User Registration

Control Statement: A formal user registration and de-registration procedure shall be implemented for granting and revoking access to all information systems and services that are used to provide services to Bharti Infratel.

Explanatory Notes: Procedures for user registration and de-registration are required to be defined, documented and implemented for granting access to information systems that are used to provide services to Bharti Infratel. These procedures shall include the following:

a. All users shall have a unique user ID, based on a standard naming convention, for accessing information systems;
b. Appropriate authorisation shall be obtained prior to creating the user IDs;
c. An audit trail shall be kept for all requests for addition, modification or deletion of user accounts/IDs and access rights;
d. User accounts shall be reviewed at regular intervals, at least quarterly for sensitive systems and half-yearly for the other systems, to identify and facilitate removal/deactivation of inactive accounts or accounts that have not been used for a long duration;
e. The Application Administrator must be responsible for implementing access control as defined by the Application Owner;
f. The results of user account reviews, including subsequent actions, shall be documented to provide an audit trail; and
g. "Guest" accounts and other default accounts shipped with software/applications shall be disabled, or their passwords changed from the default value in case there is a justified business requirement for using these accounts.

7.3.3 Privilege Management

Control Statement: Privileged user access associated with the operating system, database management system and applications that are used to provide services to Bharti Infratel has to be identified, allocated and controlled by the Third-party.
Explanatory Notes: Privilege accounts have administrator access on the system. The creation and allocation of privilege user accounts/IDs on information systems that are used to provide services to Bharti Infratel shall be controlled through a formal authorisation process. The authorisation process shall consider the following:

a. The privilege associated with each system (e.g. operating systems, databases, applications etc.) and their corresponding users are identified;
b. The privileges are allocated to individuals on a need-to-have basis. The authorisation process for access
c. The Third-party shall approve the usage of group privilege user IDs if required. Accountability shall be ensured for group privilege user IDs that are used to access information of Bharti Infratel.

7.3.4 Password Management

Control Statement: Allocation of passwords for systems that are used to provide services to Bharti Infratel shall be controlled through a formal Password Management Process.

Explanatory Notes: Passwords shall be distributed to the users in a secure manner. The following controls relating to password management should be implemented:

a. Users should be forced to change their password during the first log-on and after 45 days of each password change. However, users shall receive a password change warning 15 days prior to its expiry;
b. Passwords should have a combination of alpha-numeric characters and a minimum length of eight characters;
c. Passwords should have a minimum age of one day;
d. Passwords for all user and privilege accounts should expire after 45 days from the last change, with the exception of accounts used by services; passwords for privilege accounts should have a shorter change period;
e. A record of the five previous passwords should be maintained to prevent the re-use of these passwords;
f. A maximum of three successive login failures should result in account lockout;
g. A locked-out user should not be able to log in until the account is unlocked by the system administrator or by the user himself, using the Password Reset solution;
h. Passwords should not be displayed in clear text when they are being keyed in or otherwise;
i. Support procedures should be in place to deal with forgotten passwords and account lockouts;
j. User password resets should be performed only when requested by the individual to whom the user ID is assigned, after verification of their identity by a defined procedure;
k. When passwords are reset, users should be forced to change their password to a password of their choice on the first use after the reset;
l. Default accounts should be disabled and/or the associated default passwords shall be changed immediately;
m. A secure Password List should be maintained for all critical accounts. Only authorised individuals should have access to this Password List; and
n. Passwords should not be coded into logon scripts, batch programs or any other executable files when user authentication or authorisation is required to complete a function.

7.3.5 Review of User Access Rights

Control Statement: User access rights on systems used to provide services to Bharti Infratel shall be reviewed at regular intervals, using a formal process.

Explanatory Notes: The review of access rights shall consider the following:

a. User access rights are reviewed at regular intervals, e.g., every three months, and after any change in status of employment, such as promotion, demotion or termination;
b. Whenever a user moves from one employment to another within the Third-party's organisation, user access rights are to be reviewed and re-allocated;
c. Authorisations for special privileged access rights are reviewed at more frequent intervals, e.g., every month;
d. Privilege allocations are checked at regular intervals to ensure that unauthorised privileges have not been obtained; and
e. Changes to privileged accounts are logged for periodic reviews.

7.4. User Responsibilities

All employees of the Third-party with access to information systems and facilities that are used to provide services to Bharti Infratel should be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment.
A clear desk and clear screen policy shall be implemented at all locations and functions of Bharti Infratel.

7.4.1 Password Use

Control Statement: The Third-party shall ensure that their employees follow good security practices for the selection and use of passwords for systems that are used to provide services to Bharti Infratel.

Explanatory Notes: The Third-party shall ensure that users with access to information or information systems that are used to provide services to Bharti Infratel are advised on the following:

a. Keeping passwords confidential and avoiding the recording of passwords, unless this can be stored securely and the method of storing is approved;
b. Changing passwords whenever there is any indication of possible system or password compromise;
c. Choosing a quality password which is easy to remember but difficult to guess; and
d. Changing passwords at regular intervals or based on the number of accesses (passwords for privileged accounts shall be changed more frequently than normal passwords).

7.4.2 Unattended User Equipment

Control Statement: The Third-party shall ensure that unattended information systems that are used to provide services to Bharti Infratel are appropriately protected.

Explanatory Notes: Appropriate technical controls shall be applied to ensure that the information systems are locked after a specified duration of inactivity (the duration should be kept as low as possible). Employees of the Third-party shall be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection. The Third-party shall ensure that its employees:

- Terminate active sessions when finished, or implement an appropriate locking mechanism, e.g., a password-protected screen saver;
- Log off office PCs, servers and network devices when the session is finished (i.e., not just switch off); and
- Use the key lock or an equivalent control to secure PC terminals from unauthorised use.

7.4.3 Clear Desk and Clear Screen Policy

Control Statement: A clear desk policy for papers and removable storage media containing information of Bharti Infratel, and a clear screen policy for information processing units that are used to provide services to Bharti Infratel, shall be developed and implemented.

Explanatory Notes: Critical information on paper and removable media containing information of Bharti Infratel is required to be locked inside drawers after office hours or when the office is vacated by the user. Information systems that are used to process, manage and/or store information of Bharti Infratel are required to be turned off or logged off when the users are away from their systems.
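As an added illustration (not part of the policy document) of the Password Management controls (a) to (n) and the Password Use practices above, the Python module below encodes the stated parameters as account checks: eight alphanumeric characters minimum, one-day minimum age, 45-day expiry with a 15-day warning, a five-password history, lockout after three successive failures, and a forced change at first log-on or after a reset. The account record and the salted PBKDF2 storage form are assumptions of the example, not requirements of the policy.

```python
"""Password-management checks with the parameters stated in this policy.
The Account record and the hash storage form are assumptions for the example."""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LENGTH = 8                     # control b
MIN_AGE = timedelta(days=1)        # control c
MAX_AGE = timedelta(days=45)       # controls a, d
WARN_BEFORE = timedelta(days=15)   # control a
HISTORY_DEPTH = 5                  # control e
MAX_FAILURES = 3                   # control f


def _hash(password: str, salt: str) -> str:
    # Assumed storage form; only the comparison semantics matter for the policy checks.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000).hex()


@dataclass
class Account:
    user_id: str
    salt: str = field(default_factory=lambda: secrets.token_hex(8))
    history: List[str] = field(default_factory=list)   # newest hash first, at most HISTORY_DEPTH
    last_changed: Optional[datetime] = None
    must_change: bool = True                            # new account: change at first log-on
    failures: int = 0
    locked: bool = False


def composition_errors(candidate: str) -> List[str]:
    """Control b: minimum length and a mix of letters and digits."""
    errors = []
    if len(candidate) < MIN_LENGTH:
        errors.append("too_short")
    if not any(c.isalpha() for c in candidate):
        errors.append("no_letter")
    if not any(c.isdigit() for c in candidate):
        errors.append("no_digit")
    return errors


def _remember(acct: Account, password: str, now: datetime) -> None:
    acct.history.insert(0, _hash(password, acct.salt))
    del acct.history[HISTORY_DEPTH:]                    # keep only the five most recent
    acct.last_changed = now


def change_password(acct: Account, candidate: str, now: datetime) -> List[str]:
    """Returns [] and records the change, or the list of reasons it was refused."""
    errors = composition_errors(candidate)
    if acct.last_changed and not acct.must_change and now - acct.last_changed < MIN_AGE:
        errors.append("min_age")                        # control c (waived after a reset)
    if _hash(candidate, acct.salt) in acct.history:
        errors.append("reused")                         # control e
    if errors:
        return errors
    _remember(acct, candidate, now)
    acct.must_change = False
    return []


def password_status(acct: Account, now: datetime) -> str:
    """'must_change', 'expired', 'warn' or 'ok' (controls a and d)."""
    if acct.must_change or acct.last_changed is None:
        return "must_change"
    age = now - acct.last_changed
    if age >= MAX_AGE:
        return "expired"
    if age >= MAX_AGE - WARN_BEFORE:
        return "warn"
    return "ok"


def record_login(acct: Account, password_ok: bool) -> bool:
    """Control f: three successive failures lock the account; returns the locked state."""
    if acct.locked:
        return True
    if password_ok:
        acct.failures = 0
        return False
    acct.failures += 1
    acct.locked = acct.failures >= MAX_FAILURES
    return acct.locked


def admin_reset(acct: Account, temporary_password: str, now: datetime) -> None:
    """Controls g, j, k: after identity verification the administrator unlocks the
    account with a temporary password that must be replaced at first use."""
    _remember(acct, temporary_password, now)
    acct.must_change = True
    acct.failures = 0
    acct.locked = False
```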

7.5. Network Access Control

Appropriate controls for user access to networks and network services shall be applied. The controls shall ensure that:

- Appropriate interfaces are in place to segregate the Bharti Infratel network from the networks owned by other organisations and from public networks;
- Appropriate authentication mechanisms are applied for users and equipment; and
- Control of user access to the information services is enforced.

7.5.1 Policy on Use of Network Services

Control Statement: The Third-party shall ensure that its employees are provided the least access privileges to the services which are necessary to perform their job.

Explanatory Notes: The Third-party shall ensure that its users are provided with access to the services only on a need-to-have basis. An authorisation process shall be developed and followed to ensure that only users who are authorised can access the respective network segments and services. These services are required to be reviewed at regular intervals. Virtual Local Area Networks (hereinafter referred to as VLANs) should be created to segregate the networks being used to provide services to Bharti Infratel.

7.5.2 User Authentication for External Connection

Control Statement: The Third-party shall ensure that adequate security controls are implemented to authenticate users for external connections to systems that are used to provide services to Bharti Infratel.

Explanatory Notes: The Third-party shall ensure that:

a. Remote access connections to networks being used to provide services to Bharti Infratel are provided only to authorised users. This shall be authorised by Bharti Infratel;
b. Secure channels such as Virtual Private Networks are implemented;
c. Modems connected to end user workstations/laptops are configured to reject all incoming traffic initiated from other external sources; and
d. Only approved remote control software is used in the network for external connections, if required.

7.5.3 Equipment Identification in Network

Control Statement: Automatic equipment identification should be considered as a means to authenticate connections from specific locations and equipment.

Explanatory Notes: Equipment identification shall be used if it is important that the communication can only be initiated from a specific location or equipment. An identifier shall be used to indicate whether this equipment is permitted to be connected to the network used to provide services to Bharti Infratel.

7.5.4 Remote Diagnostic and Configuration Port Protection

Control Statement: Physical and logical access to diagnostic and configuration ports shall be controlled on systems/network devices that are used to provide services to Bharti Infratel.

Explanatory Notes: Ports, services and similar facilities enabled on computers or networks that are not specifically required for the business of Bharti Infratel shall be disabled or removed. Access to diagnostic and configuration ports shall include the use of a key lock and supporting procedures to control access to the port. These ports shall be used only after appropriate approval and only at the time of diagnostic or configuration support.

7.5.5 Segregation in Network

Control Statement: The Third-party shall ensure that segregation in the network is implemented to prevent any unauthorised access to systems in the network used to provide services to Bharti Infratel.

Explanatory Notes: Networks associated with information that belongs to Bharti Infratel should be divided into separate physical and/or logical network domains. A graduated set of controls shall be applied in the different logical network domains to further segregate the network's security environments.
The Third-party shall ensure that it segregates the network used for Bharti Infratel from the rest of its network.

7.5.6 Network Connection Control

Control Statement: The Third-party should ensure that, in the case of shared networks (shared with a public network), the capability of users to connect to the network used to provide services to Bharti Infratel is restricted.

Explanatory Notes: The Third-party should ensure that the connection capability of users is restricted through firewalls. FTP downloads and uploads from the Internet shall be permitted only for business use and only after approval from Bharti Infratel.

The only exclusion to this is when fault logs are required to be sent to suppliers for repairs and/or diagnostics of systems.

7.5.7 Network Routing Control

Control Statement: Routing controls should be implemented for networks to ensure that computer connections and information flows are as per the Access Control Policy of BITSP.

Explanatory Notes: Network routing controls are based on positive source and destination address-checking mechanisms. The Third-party shall ensure that it implements network routing controls to prevent any unauthorised access to information systems that provide services to Bharti Infratel.

7.6. Operating System Access Control

Adequate security controls shall be implemented on the information systems that are used to provide services to Bharti Infratel to restrict access to authorised users only. The controls shall authenticate authorised users as per the Access Control Policy and record successful and failed system authentication attempts.

7.6.1 Secure Log-on Procedure

Control Statement: The Third-party shall ensure that access to operating systems that are used to provide services to Bharti Infratel is controlled by a secure log-on procedure.

Explanatory Notes: The operating systems that are used to provide services to Bharti Infratel are recommended to be controlled by a secure log-on procedure. The log-on procedure shall not disclose any version or configuration information about the system. The remote log-on procedure, if applicable and authorised, is recommended to be designed with encryption of the password during its transmission.

7.6.2 User Identification and Authentication

Control Statement: The Third-party shall ensure that its employees who have access to the information systems that are used to provide services to Bharti Infratel are assigned a unique login ID for accessing those information systems. A suitable authentication mechanism shall be used to allow authorised users to access the information systems.
Explanatory Notes: The Third-party shall ensure that a unique user ID is assigned to each user who needs to access the information systems that are used to provide services to Bharti Infratel. An authentication system is required to be implemented to identify the user. As an exception, a group/shared ID may be used, but approval shall be obtained from Bharti Infratel. Additional compensating controls shall be established in this case.

Authentication methods alternative to passwords, such as cryptographic means, smart cards, tokens or biometric means, shall be used appropriately.

7.6.3 Password Management System

Control Statement: The system for managing passwords shall be interactive and capable of enforcing quality passwords on systems/network devices that are used to provide services to Bharti Infratel.

Explanatory Notes: As passwords are the principal means of validating a user's authority on a system, a system that ensures the use of quality passwords shall be identified and implemented by the Third-party.

7.6.4 Use of System Utilities

Control Statement: The use of utility programs shall be restricted and tightly controlled.

Explanatory Notes: Utility programs are those programs which are capable of changing configuration parameters on the system. Access to such utilities shall be restricted to authorised personnel only. A formal Change Management Process shall be followed before using utilities that might be capable of overriding system parameters.

7.6.5 Session Time-Out

Control Statement: Inactive sessions of applications and systems shall shut down after a defined period of inactivity.

Explanatory Notes: All information systems that are used to provide services to Bharti Infratel are required to have a time-out facility to clear the session screen and also, possibly later, close both application and network sessions after a defined period of inactivity. The sessions shall be shut down to prevent access by unauthorised persons and the possibility of denial of service attacks. The terminal time-out shall be configured for all terminals connected to critical systems.

7.6.6 Limitation of Connection Time

Control Statement: Restrictions on connection times shall be configured on high-risk applications/systems that are used to provide services to Bharti Infratel.
Explanatory Notes: The applications and information systems that cater to sensitive information of Bharti Infratel shall have restrictions on connection times as an additional security control. The following shall be considered:

a. Using predetermined time slots, e.g., for batch file transmissions, or regular interactive sessions of short duration;
b. Restricting connection times to normal office hours if there is no requirement for overtime or extended hours of operation; and
c. Considering re-authentication at timed intervals.

7.7. Application and Information Access Control

Logical access to the application software that is used to provide services to Bharti Infratel shall be restricted to authorised users only. Appropriate security controls shall be used to restrict access to application systems.

7.7.1 Information Access Restriction

Control Statement: The Third-party shall ensure that access to information and functional application systems by users and support personnel is restricted.

Explanatory Notes: Access to application systems shall be restricted to users who require them. The system administrator, or the person performing the equivalent role, shall maintain an updated user access matrix detailing the privileges assigned to each user.

7.7.2 Sensitive System Isolation

Control Statement: Sensitive systems that are used to provide services to Bharti Infratel shall have a dedicated (isolated) computing environment.

Explanatory Notes: The application systems hosting sensitive information of Bharti Infratel shall not be hosted on a shared server. All such application systems are required to be identified and hosted on an isolated, dedicated server by the Third-party.

7.8. Mobile Computing and Teleworking

7.8.1 Mobile Computing and Communication

Control Statement: Appropriate security measures shall be adopted to protect against the risks of using mobile computing and communication facilities.

Explanatory Notes: Mobile computing devices include laptops and handheld computing devices such as PDAs, BlackBerrys and palmtops. The Third-party shall ensure that only authorised users have access to such mobile computing devices that are used to provide services to Bharti Infratel. The employees shall take special care of the mobile computing resources to prevent any compromise of business information of Bharti Infratel.

7.8.2 Teleworking

Control Statement: An authorisation process shall be established and implemented for endorsing teleworking requests.

Explanatory Notes: Teleworking means working from a remote site, in the sense that the Third-party may connect to the network (containing information of Bharti Infratel) from an outside site through the Internet or any other remote connectivity. An adequate teleworking security process shall be established and implemented. At a minimum, the following should be addressed:

a. Use of two-factor authentication for authenticating the users of teleworking solutions;
b. Secure teleworking solutions for enabling users to remotely access information assets; and
c. Physical security for all teleworking sites/devices.

8. Information Systems Acquisition, Development & Maintenance Policy (BITSP 008)

8.1. Introduction

Bharti Infratel extends its information security requirements to the software developed by the Third-party for providing services to Bharti Infratel. The Third-party shall ensure that information security is integrated into the information system acquisition, development and maintenance processes. The security requirements shall be identified and agreed prior to the development and/or implementation of information systems. This methodology ensures that the software is adequately documented and tested before it is used for critical information processing.

8.2. Policy Statement and Objective

The purpose of this policy is to ensure that the Third-party addresses the confidentiality, integrity and availability of all information assets and information processing facilities during their complete lifecycle and integrates security requirements into the Information System Acquisition, Development and Maintenance Processes. The objectives of this policy are to:

a. Strengthen the confidentiality, integrity and availability of applications developed by the Third-party;
b. Ensure that information security is an integral part of information systems, right from the requirement phase, and is consequently incorporated in the design phase; and
c. Maintain the information security of application-system software and information during its lifecycle.

8.3. Requirements of Information System

8.3.1 Requirements Analysis and Specification

Control Statement: The Third-party shall ensure that security requirements are established for the development of new systems and for carrying out enhancements to existing systems.

Explanatory Notes: The Third-party is required to ensure that it considers appropriate automated controls while designing the information systems that are used to provide services to Bharti Infratel.
All new application systems developed/to be deployed by the Third-party to provide services to Bharti Infratel shall be formally reviewed for compliance with the security policy before being deployed in the production environment. The development, testing, operations and maintenance teams of the Third-party shall be trained on security aspects of application development and maintenance.

8.4 Correct Processing in Application

It is very crucial that correct processing is undertaken to prevent error, loss, unauthorised modification or misuse of information in applications. This can be done by implementing security controls at the data input stage, the internal processing stage and, finally, the output stage.

8.4.1 Input Data Validation

Control Statement: Appropriate security controls shall be built into the applications to validate the data entered in the application system.

Explanatory Notes: The system requirements specification shall include controls in the application for the input data provided. Periodic reviews of the content of key fields or data files to confirm their validity and integrity shall be conducted by the Third-party. Procedures for responding to validation errors and defining the responsibilities of personnel involved in the data input process shall be documented by the Third-party.

8.4.2 Control of Internal Processing

Control Statement: Validation checks shall be incorporated into the applications developed to provide services to Bharti Infratel, to detect any corruption of information through processing errors or deliberate acts.

Explanatory Notes: Risk associated with processing facilities shall be minimised by considering security controls in the design and implementation phase of application development and deployment. Specific security controls that are required to be incorporated at this stage are as follows:

a. Session or batch controls, to reconcile data file balances after transaction updates;
b. Balancing controls, to check opening balances against previous closing balances, namely:
   i. Run-to-run controls;
   ii. File update totals;
   iii. Program-to-program controls;
c. Validation of system-generated input data;
d. Checks on the integrity, authenticity or any other security feature of data or software downloaded, or uploaded, between central and remote computers;

e. Hash totals of records and files;
f. Checks to ensure that application programs are run at the correct time;
g. Checks to ensure that programs are run in the correct order and terminate in case of a failure, and that further processing is halted until the problem is resolved;
h. Creating a log of the activities involved in the processing.

8.4.3 Message Integrity

Control Statement: The requirements for ensuring authenticity and protecting message integrity in applications shall be identified, and appropriate controls identified and implemented.

Explanatory Notes: The validity of message integrity shall be protected by appropriate encryption management for developing applications that will be used to provide services to Bharti Infratel. It deals with methods that ensure that the contents of a message have not been tampered with and/or altered. Message integrity protection requirements shall be identified by the Third-party in the applications and information systems, and the controls for integrity shall be implemented. An assessment of security risks shall be carried out by the Third-party to determine if message integrity is required. The appropriate method of message integrity check shall be identified as per the risk assessment results.

8.4.4 Output Data Validation

Control Statement: Data output from an application shall be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

Explanatory Notes: During the development stage of application systems, data generated from the application system after processing of the stored information shall be validated to ensure that the output is correct and appropriate.

8.5 Cryptographic Controls

8.5.1 Policy on Use of Cryptographic Controls

Control Statement: Use of cryptographic controls for the protection of information shall be implemented.

Explanatory Notes: Appropriate cryptographic controls shall be applied to protect information assets which require stringent security. Examples of cryptographic controls are public and private key cryptosystems. The Third-party shall define and deploy the procedures for maintenance of the keys.
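As an added illustration of the controls in 8.4.2 (batch and balancing controls, run-to-run checks, hash totals) and 8.4.3 (message integrity), the following Python example is not part of the policy and does not describe any Bharti Infratel or Third-party system. It builds a batch trailer carrying a record count, an amount total, run-to-run opening/closing balances and a chained hash total, protects that trailer with an HMAC so that deliberate alteration is detected as well as processing error, and then reconciles a batch against it. The record layout, field names, balances and the demonstration key are constructed assumptions; in practice the key would come from the key management procedure of 8.5.2, not from source code.

```python
"""Batch integrity controls: hash totals, run-to-run balancing and a keyed
message-integrity check (HMAC) over a constructed sample batch.

Added illustrative code; not part of the Bharti Infratel policy text.
"""
import hashlib
import hmac
import json

# Constructed sample batch as a processing step might receive it.
# Field names and values are assumptions made for this illustration.
SAMPLE_BATCH = [
    {"id": "T001", "account": "ACC-1", "amount": 1500},
    {"id": "T002", "account": "ACC-2", "amount": -250},
    {"id": "T003", "account": "ACC-1", "amount": 3000},
]

# Constructed demonstration key. A real key comes from the key management
# procedure and is restricted to key administrators; never hard-code it.
DEMO_KEY = b"demo-batch-integrity-key"


def canonical(record):
    """Serialise deterministically so hashes and tags are reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def hash_total(records):
    """Hash total over a file: chained SHA-256 of every record in order.
    A changed, dropped, duplicated or reordered record alters the value."""
    h = hashlib.sha256()
    for rec in records:
        h.update(hashlib.sha256(canonical(rec)).digest())
    return h.hexdigest()


def control_record(records, prev_closing, key):
    """Build the batch trailer: count, amount total, run-to-run balances
    and a hash total, then tag it with an HMAC so the trailer itself
    cannot be altered silently."""
    total = sum(r["amount"] for r in records)
    trailer = {
        "count": len(records),
        "amount_total": total,
        "opening": prev_closing,          # balancing control: must equal the
        "closing": prev_closing + total,  # previous run's closing balance
        "hash_total": hash_total(records),
    }
    trailer["tag"] = hmac.new(key, canonical(trailer), "sha256").hexdigest()
    return trailer


def verify_batch(records, trailer, expected_opening, key):
    """Return (ok, reasons). The trailer is authenticated first; only an
    authentic trailer is then used to reconcile the batch."""
    unsigned = {k: v for k, v in trailer.items() if k != "tag"}
    expected_tag = hmac.new(key, canonical(unsigned), "sha256").hexdigest()
    # compare_digest is constant-time; a plain == comparison leaks timing.
    if not hmac.compare_digest(expected_tag, trailer.get("tag", "")):
        return False, ["trailer HMAC mismatch: trailer altered or wrong key"]
    reasons = []
    if trailer["count"] != len(records):
        reasons.append("record count mismatch")
    if trailer["amount_total"] != sum(r["amount"] for r in records):
        reasons.append("amount total mismatch")
    if trailer["hash_total"] != hash_total(records):
        reasons.append("hash total mismatch: record content changed")
    if trailer["opening"] != expected_opening:
        reasons.append("run-to-run mismatch: opening != previous closing")
    if trailer["closing"] != trailer["opening"] + trailer["amount_total"]:
        reasons.append("closing balance does not reconcile")
    return (not reasons), reasons


if __name__ == "__main__":
    trailer = control_record(SAMPLE_BATCH, prev_closing=10000, key=DEMO_KEY)
    print("clean batch:", verify_batch(SAMPLE_BATCH, trailer, 10000, DEMO_KEY))
    tampered = [dict(r) for r in SAMPLE_BATCH]
    tampered[1]["amount"] = 250  # sign flipped after the trailer was built
    print("tampered batch:", verify_batch(tampered, trailer, 10000, DEMO_KEY))
```

Run as a script, the first verification passes and the second reports both an amount-total and a hash-total mismatch. The ordering matters: the HMAC is checked before any reconciliation so that a forged trailer cannot be used to make a corrupted batch look balanced, and the hash total catches content changes (such as a swapped account) that leave the arithmetic totals intact.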

8.5.2 Key Management

Control Statement: Key management procedures shall be put in place to support the use of cryptographic techniques.

Explanatory Notes: Wherever required, appropriate encryption controls shall be implemented by the Third-party to protect the confidentiality and integrity of information on the applications/systems that are used to provide services to Bharti Infratel. The encryption type and other implementation details shall be decided by the Third-party after taking into account relevant legislative and regulatory requirements. Access to sensitive commands pertaining to encryption key data on the devices shall be restricted to key administrators only. The activities of users having access to such sensitive commands shall be appropriately logged and monitored periodically.

8.6 Security of System Files

8.6.1 Control of Operational Software

Control Statement: Procedures shall be put in place to control the installation of software on operational systems. Controls to implement software on operational systems so as to minimise the risk of corruption of operational systems shall be deployed.

Explanatory Notes: Application and operating system software shall only be implemented after extensive and successful testing. All tests shall be carried out on separate systems, and the test results shall be documented for the tests on usability, security, effects on other systems and user-friendliness. The Third-party shall ensure that all corresponding program source libraries have been updated. Modifications to the operational environment shall be logged, and previous versions shall be maintained for contingency/roll-back purposes. Operational systems shall only hold executable code.

8.6.2 Protection of System Test Data

Control Statement: The Third-party shall ensure that test data is selected carefully and is protected and controlled.

Explanatory Notes: Test data that contains classified information of Bharti Infratel shall be secured and controlled appropriately in the testing environment, and the Third-party shall ensure that this information is not leaked outside. The Third-party shall ensure that the test data is secured and sanitised during testing. Testing reports shall be documented and maintained till the new application stabilises. These reports shall be stored securely and be available to authorised personnel of the Third-party.

8.6.3 Access Control to Program Source Code

Control Statement: Access to the program source code of operational systems that are used to provide services to Bharti Infratel shall be restricted.

Explanatory Notes: The Third-party shall identify program librarians to maintain source libraries of operational application systems in a configuration management database. All source code shall be stored in a secure environment. All updates or issue of program sources to developers shall be carried out through an authorised request. Configuration changes to program source code shall be made through the configuration management process to prevent any unauthorised and unintentional changes. Previous versions of source programs shall be archived, with a clear indication of the precise dates and times when they were operational, together with all supporting software, job control, data definitions and procedures.

8.7 Security in Development and Support Processes

8.7.1 Change Control Procedure

Control Statement: Changes to application systems shall be carried out in a controlled manner as per a formal Change Management Process developed by the Third-party.

Explanatory Notes: A formal Change Management Process is required to be developed and implemented for all changes pertinent to Bharti Infratel applications and systems. The Third-party shall ensure:

a. The recording of changes in change request forms and the approval of change requests;
b. That an impact assessment of the change is carried out;
c. That documentation of changes is carried out; and
d. That changes are not carried out in the production environment directly; all changes shall be applied to the development/test environment.

8.7.2 Technical Review of Applications after Operating System Changes

Control Statement: When operating systems are upgraded, business-critical applications shall be reviewed and tested to ensure there is no adverse impact on the operations and security of applications that are used to provide services to Bharti Infratel.

Explanatory Notes: A review of application control and integrity procedures shall be done to ensure that they have not been compromised by the operating system changes. The Third-party shall ensure that notification of operating system changes is provided in time to allow appropriate tests to be done.

8.7.3 Restrictions on Changes to Software Packages

Control Statement: Vendor-supplied software packages shall not be modified, as far as possible, without consulting the vendor.

Explanatory Notes: The Third-party shall ensure that vendor-supplied software packages are not changed. If changes are essential, then the original software shall be retained and the changes applied to a clearly identified copy. In such cases, changes shall be carried out only by authorised users. Risk factors, such as the vendor's continued support for maintenance of the application and the compromise of built-in controls, shall be considered before making any change to the software.

8.7.4 Information Leakage

Control Statement: The risks related to information leakage shall be prevented for systems that are used to provide services to Bharti Infratel.

Explanatory Notes: The following controls shall be considered for preventing information leakage:

a. Scanning of outbound media and communications for hidden information;
b. Making use of systems and software that are considered to be of high integrity, e.g. using evaluated products;
c. Regular monitoring of personnel and system activities, where permitted under existing legislation or regulation; and
d. Monitoring resource usage in computer systems.

8.7.5 Outsourced Software Development

Control Statement: The Third-party shall ensure the monitoring and review of further outsourced software development.

Explanatory Notes: For customised (not off-the-shelf/standard offering) software developed by the Third-party's sub-contractor, the arrangements pertaining to licensing, code ownership and intellectual property rights shall be documented in the contract between the Third-party and its sub-contractor. As applicable, the contract shall also include, at a minimum, the Third-party's and/or Bharti Infratel's right to audit the quality and accuracy of software development and testing work carried out by the sub-contractor vendor. Such software code shall also have escrow arrangements.

8.8 Technical Vulnerability Management

8.8.1 Control of Technical Vulnerabilities

Control Statement: Timely information about technical vulnerabilities shall be obtained for the information systems that are used to provide services to Bharti Infratel, and timely and appropriate measures shall be taken to address the associated risk.

Explanatory Notes: All technical vulnerabilities of information systems that are used to provide services to Bharti Infratel shall be identified and documented. Appropriate measures shall be taken to address the associated risk. Timelines shall be defined for responding to technical vulnerabilities observed in the system. The Third-party shall define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, and any coordination responsibilities required. All patch management shall follow a formal Patch Management Process.

9. Information Security Incident Management Policy (BITSP 009)

9.1 Introduction

The Information Security Incident Management Policy provides directions to develop and implement the information security incident management process for networks and computers, improving user security awareness, enabling early detection and mitigation of security incidents, and suggesting the actions that can be taken to reduce the risk due to security incidents.

9.2 Policy Statement and Objective

All security breaches or attempts to breach, and all identified security weaknesses in information systems and processing facilities that are used to provide services to Bharti Infratel, shall be reported. The information security incident management process shall ensure that all reported security breaches or weaknesses are responded to promptly and appropriate actions taken to prevent recurrence. The objectives of this policy are to:

a. Develop proactive measures to minimise the impact of any incident on information systems and processing facilities associated with the information;
b. Create awareness among users of the Third-party and encourage them to report the security weaknesses and/or incidents that they identify/notice;
c. Enable the proactive management of problems by capturing data that can be used to analyse trends and problem areas, thereby preventing security incidents from occurring; and
d. Learn from incidents and continually improve.

9.3 Incident Identification

a. A security incident is the act of violating an explicit or implied security policy. The actions that may be classified as incidents are, but are not limited to, the following:
   i. Attempts to gain unauthorised access to a system or its data; masquerading or spoofing as authorised users;
   ii. Unwanted disruption or denial of service;
   iii. The unauthorised use of a system for the processing or storage of data by authorised/unauthorised users;
   iv. Changes to the system hardware, firmware or software characteristics and data without the application/information system owner's knowledge;
   v. The existence of unknown user accounts;
   vi. Information system failures;
   vii. Malicious code;
   viii. Denial of service;
   ix. Errors resulting from incomplete or inaccurate business data (for example, invalid input, failed processes);
   x. Breaches of confidentiality and integrity; and/or
   xi. Misuse of information systems.

9.4 Reporting Information Security Events and Weaknesses

9.4.1 Reporting Information Security Events

Control Statement: Information security events within the Third-party organisation for those information assets that are used to provide services to Bharti Infratel shall be reported to the incident management team within the Third-party.

Explanatory Notes: The Third-party shall ensure that they have an incident management team in place to respond to information security incidents pertaining to information assets of Bharti Infratel. This team shall submit security incident reports to Bharti Infratel on request. A formal Information Security Incident Management Process shall be developed and implemented within the Third-party organisation. The process shall include incident reporting, incident response, escalation and incident resolution pertinent to Bharti Infratel information. Third-party employees shall be made aware of their responsibilities regarding information security incident management.

9.4.2 Reporting Information Security Weaknesses

Control Statement: The Third-party shall ensure that their employees note and report any observed or suspected security weaknesses in systems or services that are used to provide services to Bharti Infratel.

Explanatory Notes: All employees of the Third-party shall report information security weaknesses to their Incident Management Team. Users shall not attempt to prove suspected security weaknesses. In addition, users shall not test for the existence of a vulnerability in any information system used to provide services to Bharti Infratel.

9.5 Incident Response, Recovery and Improvements

9.5.1 Responsibilities and Procedures

Control Statement: Responsibilities and supporting procedures shall be established to ensure a quick, effective and orderly response to information security incidents.

Explanatory Notes: Responsibilities shall be identified and defined within the Third-party organisation to ensure a quick, efficient and systematic response to information security incidents. Procedures shall be established to handle the different types of information security incidents. A formal review process shall be conducted after recovery from the incident has been completed (within two weeks). A feedback mechanism shall be available to identify improvements to the incident handling process. Audit trails and similar evidence shall be collected during the whole incident handling process, from the initial incident report to the incident follow-up. The audit trails shall be used for the following:

a. Internal problem analysis (or root cause analysis) of how the incident occurred;
b. As forensic evidence in relation to a potential contract breach or regulatory requirement, or in the event of civil or criminal proceedings, and shall include the following types of logs:
   i. Communication log;
   ii. Incident survey, containment and eradication logs; and
   iii. Raw data, i.e. actual system logs;
c. Retention of incident reports and logs shall be in accordance with legal and regulatory requirements; and
d. The incident handling procedures shall be regularly reviewed and tested to establish their ongoing effectiveness.

9.5.2 Learning from Information Security Incidents

Control Statement: The information gained from the evaluation of information security incidents shall be used to reduce the recurrence of security incidents.

Explanatory Notes: The Third-party shall ensure that there are mechanisms in place to enable the types, volumes and costs of information security incidents to be quantified and monitored. The information gained from the evaluation of information security incidents should be used to identify recurring or high-impact incidents.

9.5.3 Collection of Evidence

Control Statement: The Third-party shall ensure that they collect a sufficient amount of evidence during the incident analysis phase.

Explanatory Notes: The Third-party shall ensure that the evidence is collected in a manner that does not destroy its evidentiary value. While collecting evidence, the following shall be considered by the Third-party:

a. Applicability of evidence: the evidence can be used in court; and
b. Weightage of evidence: the quality and completeness of the evidence.

10. Business Continuity Management Policy (BITSP 010)

10.1 Introduction

Bharti Infratel recognises the criticality and needs of its business and understands the importance of the availability of its information, information systems and processing facilities. The dependency of Bharti Infratel's business on the Third-party requires the Third-party to develop and maintain business continuity plans to ensure timely resumption of essential operations in case of disasters pertinent to Bharti Infratel's business.

10.2 Policy Statement and Objective

Information systems shall be planned for the continuity of operations in the event of disasters. A documented Business Continuity Management Plan shall be maintained, tested and updated by the Third-party for systems that are critical and are used to provide services to Bharti Infratel. The objectives of this policy are to:

a. Identify the critical business processes and integrate the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transport and facilities;
b. Strengthen the continuity of services offered to Bharti Infratel in case of any disaster; and
c. Provide a disaster recovery plan to understand the current state, mitigate risks and plan for recovery.

10.3 Information Security Aspects of Business Continuity Management

The Third-party shall ensure that a Business Impact Analysis (BIA) is carried out for all business processes to assess the consequences of disasters, security failures, loss of services and service availability to Bharti Infratel. Business continuity management shall include the controls required for the identification and mitigation of risks, in addition to the general risk assessment process, to limit the consequences of damaging incidents and ensure that information required for the business processes is readily available to serve Bharti Infratel.

10.3.1 Including Information Security in the Business Continuity Management Process

Control Statement: A business continuity management process should be developed for the processes and facilities that are used to provide services to Bharti Infratel. It should include the information security requirements of Bharti Infratel.

Explanatory Notes: The business continuity plan developed by the Third-party should include risk assessment, prioritisation and treatment for the critical services to Bharti Infratel. The business continuity management process shall be able to identify the impact on the business of interruptions caused by information security incidents.

10.3.2 Business Continuity and Risk Assessment

Control Statement: Events that can cause interruptions to business processes pertinent to Bharti Infratel should be identified, along with their probability and impact on business continuity.

Explanatory Notes: A risk assessment should be executed for all applicable assets required for business continuity, considering all the events that can cause disruption to the Third-party's services to Bharti Infratel. The threats/events that shall be considered include man-made error/disaster, natural disaster and technical failure.

10.3.3 Developing and Implementing Continuity Plans Including Information Security

Control Statement: Plans shall be developed and implemented to maintain and restore operations and ensure the availability of services that are used to provide further services to Bharti Infratel at the required level and time scales.

Explanatory Notes: Business continuity management plans shall be developed and implemented by the Third-party to maintain and restore operations and ensure the availability of services, considering the recovery time objective (RTO), recovery point objective (RPO) and information security requirements for the critical applications/business processes, along with the acceptable loss of information and services to Bharti Infratel.

10.3.4 Business Continuity Planning Framework

Control Objective: A business continuity planning framework shall be developed to ensure all plans are consistent and constantly address information security requirements.

Explanatory Notes: The controls that are required to ensure the availability of information and information systems being used to provide services to Bharti Infratel shall be identified. A consolidated and consistent approach for the continuity of all important business processes, applications and information processing facilities shall be included in the business continuity planning framework.

10.3.5 Testing, Maintaining and Re-assessing Business Continuity Plans

Control Statement: Business continuity plans should be tested and updated as per the test plan.

Explanatory Notes: Each Third-party shall ensure that:

a. The developed business continuity plan is tested at defined intervals;
b. The developed business continuity plan is effective;
c. The relevant controls, with their corresponding roles and responsibilities, are maintained, working and known to the concerned individuals of the BCP team;
d. The effectiveness of business continuity plans is measured and reviewed; and
e. The test results are presented to Bharti Infratel on request.

11. Compliance Policy (BITSP 011)

11.1 Introduction

The Compliance Policy provides the compliance requirements of Bharti Infratel from its Third-party. The Third-party shall ensure that effective arrangements to comply with statutory, regulatory and contractual requirements are implemented in their organisation pertaining to information assets that are used to provide services to Bharti Infratel.

11.2 Policy Statement and Objective

A compliance culture shall be established that helps the organisation to prevent breaches of any law or regulatory requirement and helps in complying with the organisation's security policies and standards. The objectives of this policy are to:

a. Avoid breaches of any law, statutory, regulatory or contractual obligations, and security requirements;
b. Ensure that Third-party employees and their sub-contractors' users are aware of regulatory and contractual security requirements which may have an impact on their responsibilities towards Bharti Infratel;
c. Assist in complying with the organisation's security policies; and
d. Maximise the effectiveness of, and minimise interference to/from, the information systems audit process.

11.3 Compliance with Legal Requirements

11.3.1 Identification of Applicable Legislation

Control Statement: All relevant statutory, regulatory and contractual requirements, and the approach to meet these requirements, shall be defined, documented and kept up to date.

Explanatory Notes: A list of all relevant statutory, regulatory and contractual requirements shall be maintained by the Third-party.

11.3.2 Intellectual Property Rights (IPR)

Control Statement: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights, and on the use of proprietary software products that are used to provide services to Bharti Infratel.

Explanatory Notes: The Third-party shall ensure the following:

a. Acquiring software only through reputable sources;
b. Maintaining proof of ownership of licences of software procured to provide services to Bharti Infratel;
c. Carrying out checks that only authorised and licensed software is used to provide services to Bharti Infratel; and
d. Bharti Infratel reserves the right to audit the Third-party for all/any authorised and/or licensed software used to provide services to Bharti Infratel.

11.3.3 Protection of Organisational Records

Control Statement: Organisational records pertinent to Bharti Infratel shall be protected from loss, damage and falsification in accordance with the relevant legislative, regulatory and contractual requirements.

Explanatory Notes: The mechanism used for the storage and handling of records pertinent to Bharti Infratel shall ensure clear identification of the records and of the retention period as defined by national or regional legislation or regulations.

a. Records pertinent to Bharti Infratel shall be retained and stored as per the Control of Records Procedure;
b. The Information Labelling and Handling Guidelines and the Media Disposal Procedure shall be applicable to records pertinent to Bharti Infratel;
c. The review period and review rights of Bharti Infratel institutionalised records shall be defined; and
d. The backup of records pertinent to Bharti Infratel shall adhere to the Back-up Procedure.

11.3.4 Data Protection and Privacy of Personal Information

Control Statement: Data protection and privacy, as required in relevant legislation, regulations and, if applicable, contractual clauses, shall be ensured.

Explanatory Notes: A data protection and privacy policy shall be developed and implemented. This policy should be communicated to all persons involved in the processing of personal information of Bharti Infratel's customers. The Third-party shall ensure that they adhere to the Bharti Infratel information security policy for protecting personal information of Bharti Infratel's customers.

11.3.5 Prevention of Misuse of Information Processing Facilities

Control Statement: Appropriate access controls shall be implemented to prevent users from misusing the information systems and/or facilities that are used to provide services to Bharti Infratel.

Explanatory Notes: The Third-party shall ensure that their users are prevented from misusing the information processing systems/facilities that are used to provide services to Bharti Infratel. Adequate detection and monitoring controls shall be implemented to prevent any misuse of the information systems/facilities.

11.3.6 Regulation of Cryptographic Controls

Control Statement: Appropriate cryptographic controls, in compliance with the relevant agreements, laws and regulations, shall be identified and applied.

Explanatory Notes: Legal advice shall be sought to ensure compliance with national laws and regulations. The appropriate procedure for compliance assurance shall be documented and maintained by the Legal function.

11.3.7 Compliance with BITSP

Control Statement: The Third-party shall ensure compliance with the BITSP.

Explanatory Notes: The Third-party shall ensure compliance with the BITSP. Bharti Infratel reserves the right to audit the Third-party as per the controls of the BITSP applicable to them. The Third-party shall ensure that they implement all those controls applicable to them. Non-compliance with the BITSP may be subject to penalty charges as mentioned in the business contract.

11.3.8 Technical Compliance Checking

Control Statement: Information systems shall be regularly checked for compliance with security standards.

Explanatory Notes: Technical compliance checking shall cover penetration testing and vulnerability assessments of systems/network devices that are used to provide services to Bharti Infratel. All identified vulnerabilities shall be analysed and fixed within a definite timeframe. Bharti Infratel reserves the right to review the vulnerability closure report and/or conduct technical compliance checking on the Third-party network.

11.4 Information Systems Audit Considerations

11.4.1 Information Systems Audit Controls

Control Statement: The Third-party shall ensure that audit requirements and activities involving checks on operational systems are carefully planned and agreed to minimise the risk of disruption to services pertinent to Bharti Infratel.

Explanatory Notes: Audit activities involving checks on operational systems shall be carefully planned, as they may result in service disruption and in turn affect the services for Bharti Infratel. The Third-party shall ensure that such checks only allow read-only access.

11.4.2 Protection of Information Systems Audit Tools

Control Statement: The Third-party shall ensure that information system audit tools are protected to prevent their misuse.

Explanatory Notes: Information system audit tools shall be separated from development and operational systems. An authorisation process shall be developed to allow access to the audit tools. The Third-party shall ensure that they provide adequate controls to prevent audit tools from running in the environment that carries information of Bharti Infratel.


More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

ISO 27002:2013 Version Change Summary

ISO 27002:2013 Version Change Summary Information Shield www.informationshield.com 888.641.0500 [email protected] Information Security Policies Made Easy ISO 27002:2013 Version Change Summary This table highlights the control category

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

Physical Security Policy

Physical Security Policy Physical Security Policy Author: Policy & Strategy Team Version: 0.8 Date: January 2008 Version 0.8 Page 1 of 7 Document Control Information Document ID Document title Sefton Council Physical Security

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Network Security Policy

Network Security Policy IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

Decision on adequate information system management. (Official Gazette 37/2010)

Decision on adequate information system management. (Official Gazette 37/2010) Decision on adequate information system management (Official Gazette 37/2010) Pursuant to Article 161, paragraph (1), item (3) of the Credit Institutions Act (Official Gazette 117/2008, 74/2009 and 153/2009)

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure

More information

CITY UNIVERSITY OF HONG KONG Physical Access Security Standard

CITY UNIVERSITY OF HONG KONG Physical Access Security Standard CITY UNIVERSITY OF HONG KONG (Approved by the Information Strategy and Governance Committee in December 2013) PUBLIC Date of Issue: 2013-12-24 Document Control Document Owner Classification Publication

More information

Policy Document. IT Infrastructure Security Policy

Policy Document. IT Infrastructure Security Policy Policy Document IT Infrastructure Security Policy [23/08/2011] Page 1 of 10 Document Control Organisation Redditch Borough Council Title IT Infrastructure Security Policy Author Mark Hanwell Filename IT

More information

Information Security Team

Information Security Team Title Document number Add document Document status number Draft Owner Approver(s) CISO Information Security Team Version Version history Version date 0.01-0.05 Initial drafts of handbook 26 Oct 2015 Preface

More information

INFORMATION SYSTEMS. Revised: August 2013

INFORMATION SYSTEMS. Revised: August 2013 Revised: August 2013 INFORMATION SYSTEMS In November 2011, The University of North Carolina Information Technology Security Council [ITSC] recommended the adoption of ISO/IEC 27002 Information technology

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

IT - General Controls Questionnaire

IT - General Controls Questionnaire IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow

More information

Mike Casey Director of IT

Mike Casey Director of IT Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

Information Security Policy

Information Security Policy Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Network Security Policy

Network Security Policy Department / Service: IM&T Originator: Ian McGregor Deputy Director of ICT Accountable Director: Jonathan Rex Interim Director of ICT Approved by: County and Organisation IG Steering Groups and their relevant

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) (NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) 1. Approval and Authorisation Completion of the following signature blocks signifies

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing

More information

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by: Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

How To Ensure Network Security

How To Ensure Network Security NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004L Payment Card Industry (PCI) Physical Security (proposed) 01.1 Purpose The purpose

More information

Hengtian Information Security White Paper

Hengtian Information Security White Paper Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Privacy + Security + Integrity

Privacy + Security + Integrity Privacy + Security + Integrity Docufree Corporation Data Security Checklist Security by Design Docufree is very proud of our security record and our staff works diligently to maintain the greatest levels

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

More information

Gatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria

Gatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria Gatekeeper PKI Framework ISBN 1 921182 24 5 Department of Finance and Deregulation Australian Government Information Management Office Commonwealth of Australia 2009 This work is copyright. Apart from

More information

Information Security Programme

Information Security Programme Information Security Programme Information Security Policy This document is issued in the strictest business confidence. It should be read in conjunction with a number of other supporting and complementary

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

Cyber and Data Security. Proposal form

Cyber and Data Security. Proposal form Cyber and Data Security Proposal form This proposal form must be completed and signed by a principal, director or a partner of the proposed insured. Cover and Quotation requirements Please indicate which

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Version: 0.2 Committee Approved by: Audit Committee Date Approved: 15 th January 2014 Author: Responsible Directorate Information Governance & Security Officer, The Health Informatics

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

Information Security Policy. Policy and Procedures

Information Security Policy. Policy and Procedures Information Security Policy Policy and Procedures Issue Date February 2013 Revision Date February 2014 Responsibility/ Main Point of Contact Neil Smedley Approved by/date Associated Documents Acceptable

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology [email protected]

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology [email protected] Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Regulations on Information Systems Security. I. General Provisions

Regulations on Information Systems Security. I. General Provisions Riga, 7 July 2015 Regulations No 112 (Meeting of the Board of the Financial and Capital Market Commission Min. No 25; paragraph 2) Regulations on Information Systems Security Issued in accordance with

More information

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy June 10, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT

More information

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

Information Security Standards

Information Security Standards Information Security Standards Policy as approved by the Board of Trustees on 3/14/2011 is in black print. Standards (operating draft) as of 8/3/2011 are in blue print. 8/3/2011 Operating Draft The University

More information

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11 Eidgenössisches Departement für Wirtschaft, Bildung und Forschung WBF Staatssekretariat für Wirtschaft SECO Schweizerische Akkreditierungsstelle SAS Checkliste für die harmonisierte Umsetzung der Anforderungen

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

ADEC GROUP INFORMaTiON SecURiTY AND CONTROLS

ADEC GROUP INFORMaTiON SecURiTY AND CONTROLS ADEC GROUP INFORMaTiON SecURiTY AND CONTROLS Rising To Global Information Challenges Information is your most valuable commodity today. As a global enterprise servicing a wide range of businesses, ADEC

More information

Information security management systems Specification with guidance for use

Information security management systems Specification with guidance for use BRITISH STANDARD BS 7799-2:2002 Information security management systems Specification with guidance for use ICS 03.100.01; 35.020 This British Standard, having been prepared under the direction of the

More information