Information Security & Data Privacy
Our Commitment to Data Privacy & Security
We understand that our customers trust us with their information, thereby Information Security & Data Privacy has always been fundamental to our business. We are committed to safeguard the personal and other confidential data pertaining to our business, clients and third parties and aim to protect it from any potential internal or external security threats or cyber-attacks.
Our various technology products and tech-based client services are supported by a well-defined and effective Information security and Data privacy management System framework to enable defense in depth. The framework encompasses policies, sub-policies, procedures, and organization wide controls targeted to ensure data is collected, processed, and shared lawfully while preserving privacy, confidentiality, integrity, and availability.
ISO Certification
We are an ISO/IEC 27001:2013 certified organization. Having this certification to ISO/IEC 27001:2013 standards, we demonstrate:
- Senior Management’s commitment to information security
- Established, documented, implemented, and maintained effective system and controls to safeguard Data
- Ability to continuously provide services that meet client SLA and applicable legal, statutory & regulatory requirements.
- Commitment to continual improvement.
Data Privacy
Our Data Privacy Framework is aligned to applicable compliances such as IT Act 2000 and EU- GDPR (as a processor) and addresses requirement of most of the privacy laws across the globe.
It is led by our Chief Information Security & Data Privacy officer in cooperation with representatives from various functions at ARS including IT and Legal. Our privacy framework is well-integrated with our ISMS and some key privacy controls have been defined below along with Data Security controls.
Data Privacy Principles
Whether you are an employee, a client, engaged with our client or us for any business purpose, we
Technical & Organizational Controls
Our mission is to protect the confidential data (personal/non-personal) and information assets from unauthorized access, use, disclosure, modification, or destruction.
These security measures are also designed to facilitate compliance with data protection requirements, privacy by design and by default and applicable regulatory and contractual requirement.
Key information security controls which are aligned to organization policies & sub-policies:
Information Classification
Data and information assets are classified as per their sensitivity.
Risk Management
Risk assessment is done, mitigation strategy and treatment are planned, and implemented accordingly.
IT Security
Systems & Network Security controls
Systems & Network Security controls are applied such as System Hardening, Patch Management, VPN Connectivity, Firewall, Intrusion Detection and Prevention System, Patch Management, End Point Protection, Anti-virus, Data Leak Prevention, VAPT of systems, servers, applications, networking devices and applications and Log Management.
Communication Security controls
Communication Security controls such as Encryption (Data at rest and transit, SSL/TLS, SSH, Message digest)
Application Security
Application security practices including secure SDLC process, security scanning and IP based restriction. Other data security and access management practices are as per controls described in this section.
Access Management
Access Management controls such as access role-based access, password protection, multi-factor authentication and principle of least privileges. Masking of personal data wherever not needed. Periodic and need basis access review and reconciliation.
Log Management
Log Management-Logs are stored at secure place. All accesses to the applications are logged in a secure platform and/or application specific database down to the activity level.
Human Resource Security
Personnel Security practices include controls such as background check of employees/staff, signing of Non-disclosure and Privacy agreement, Code of conduct, Acceptable Use Policy and going through a formal Induction program for briefing on important policies and processes. Roles, responsibilities, and authorities are defined, segregation of duties is addressed.
Physical Security
There are multiple controls to safeguard facilities, equipment and resources from any unauthorized access, damage, or harm (such as fire, theft, visitor etc.). There are multiple controls including 24/7 perimeter security with power backup, CCTV, Security guards, biometric & access cards, lockers to keep documents, Shredding bins, visitor management, material in & out management, , Fire detections, Fire mitigation, Fire fighters, Drills, Emergency Response team and preventive maintenance of equipment.
Change Management
Change Management policy & procedure are followed for changes including process, systems, applications, configuration, or infrastructure changes.
Third Party Controls
Third Party Controls include vendor due diligence, Risk assessment,
Signing NDA, DPA, Contract, Code of conduct, SOW. Further controls include Information security and privacy awareness, ongoing performance monitoring and annual audits and adequacy controls for any cross-border data transfer.
Record Keeping, Data Retention & Destruction
Data Inventory, Data flow diagrams and records of processing are kept. AuthBridge retains different category of data as per the time periods defined in the AuthBridge’s Data Retention Policy. Customer data is retained as per the retention period agreed through the customer contract. Data is destroyed using the appropriate technique to ensure its adequate and secure destruction.
Business Continuity Management
Business Continuity Management is ensured through highly resilient and redundant architecture, regular and systematic on-site & off-site backups for all business-critical applications and servers as per the defined frequencies. Processes are designed to minimize human dependencies; critical roles are identified, and backups are created. Periodic testing of business continuity & disaster recovery plans is conducted, and continual improvement actions are taken.
Privacy By Design
ARS takes proactive approach to ensure safeguarding and protection of personal data. We use Privacy By design principles while creating any application/software and during entire product, project management and services development life cycles, from classifying data at its point of collection through properly destroying that data at the end of its life cycle. Foundational concepts of Privacy by Design into our projects and products include controls not limited to data flow maps, minimization, risk assessment, purpose -specification , limitation and use, retention, security and access control.
Awareness
Employees play pivotal role in the success of security & privacy controls. Keeping them aware about threats to data privacy and information security is an ongoing and dynamic process at AuthBridge. We have an information security and privacy awareness policy- training are imparted at the time of joining, at regular intervals for all the employees and on need basis. Also, other trainings like GDPR awareness, Business Continuity & Disaster Recovery Management, Incident management, Change Management, Fire-fighter are imparted to respective stakeholders at the regular intervals.
Incident Management
Though AuthBridge has the best possible controls to protect privacy of your Personal Data from any security incident, however, to respond to any such incident/breach, we have an Incident Management Policy and aligned procedure implemented. It’s a thought through step by step approach consisting of preparation, detection & reporting, analysis, containment, eradication, recovery, and lesson learnt.
Monitoring of controls
No system can be improved unless monitored. There is ongoing monitoring for security controls to validate effectiveness and monitoring of events to respond quickly. Some of the monitoring controls include Log review of systems, servers, networking devices, applications, Internet traffic and Network analysis for any anomaly or suspicious behavior.
Dashboard for different schedules such as back-up, patch updates, VAPT, changes etc. There are regular internal audits and frequent external security audits for security & privacy. Based on the findings out of all these monitoring, audits and testing and periodic risk assessment, corrective action plans are made, and actions are taken.
Our Team
CISO & Privacy Officer
Information Security Manager
Privacy Analyst
IT Security Manager & Security analysts
IT Security Manager & Security analysts
For any further query, mark mail at compliance@authbridge.com
