Information Security & Data Privacy at AuthBridge

Our Commitment to Data Privacy & Security

We understand that our customers trust us with their information, which is why Information Security & Data Privacy have always been fundamental to our business. We are committed to safeguarding the personal and other confidential data pertaining to our business, clients and third parties, and aim to protect it from internal and external security threats and cyber-attacks.

Our technology products and tech-based client services are supported by a well-defined and effective Information Security and Data Privacy Management System framework that enables defense in depth. The framework encompasses policies, sub-policies, procedures and organization-wide controls designed to ensure that data is collected, processed and shared lawfully while preserving privacy, confidentiality, integrity and availability.

Policies

The following management policies drive our Information Security & Privacy programme. Each is supported by sub-policies, procedures and controls implemented organization-wide.

ISO Certification

We are an ISO/IEC 27001:2013 certified organization. Through certification to the ISO/IEC 27001:2013 standard, we demonstrate:

  • Senior management's commitment to information security
  • An established, documented, implemented and maintained system of effective controls to safeguard data
  • The ability to continuously provide services that meet client SLAs and applicable legal, statutory and regulatory requirements
  • Commitment to continual improvement

Data Privacy

Our Data Privacy Framework is aligned to applicable regulations such as the Indian IT Act 2000 and the EU GDPR (in our role as a data processor), and addresses the requirements of most privacy laws across the globe.

It is led by our Chief Information Security & Data Privacy Officer in cooperation with representatives from various functions at ARS, including IT and Legal. Our privacy framework is well integrated with our ISMS; key privacy controls are described below alongside our data security controls.

Data Privacy Principles

Whether you are an employee, a client, or engaged with our client or with us for any business purpose, we:

  • Process, store and disclose personal data only for legitimate business purposes.
  • Implement purpose limitation: data is used only for the purpose for which it was shared and collected.
  • Implement data minimization: we collect only the minimum data required for the agreed purpose.
  • Implement storage limitation: data is stored only as required and as agreed with the client.
  • Support our clients in fulfilling applicable individual rights (including those of EU data subjects).
  • Maintain transparency, providing notice and obtaining consent as applicable before collecting and processing data.

Technical & Organizational Controls

Our mission is to protect confidential data (personal and non-personal) and information assets from unauthorized access, use, disclosure, modification or destruction.

These security measures are also designed to facilitate compliance with data protection requirements, privacy by design and by default, and applicable regulatory and contractual requirements.

Key information security controls, aligned to our organizational policies and sub-policies:

  • Information Classification

    Data and information assets are classified as per their sensitivity.

  • Risk Management

    Risk assessment is done, mitigation strategy and treatment are planned, and implemented accordingly.

  • IT Security

    • Systems & Network Security controls

      Systems and network security controls are applied, such as system hardening, patch management, VPN connectivity, firewalls, intrusion detection and prevention systems, endpoint protection, anti-virus, data leak prevention, VAPT of systems, servers, applications and networking devices, and log management.

    • Communication Security controls

      Communication security controls such as encryption of data at rest and in transit (SSL/TLS, SSH) and message digests for integrity verification.

    • Application Security

      Application security practices include a secure SDLC process, security scanning and IP-based access restriction. Other data security and access management practices follow the controls described in this section.

    • Access Management

      Access management controls such as role-based access control, password protection, multi-factor authentication and the principle of least privilege. Personal data is masked wherever it is not needed. Access is reviewed and reconciled periodically and on a need basis.

    • Log Management

      Logs are stored in a secure location. All access to applications is logged in a secure platform and/or an application-specific database, down to the activity level.

  • Human Resource Security

    Personnel security practices include background checks of employees and staff, signing of non-disclosure and privacy agreements, a code of conduct, an Acceptable Use Policy, and a formal induction programme briefing new joiners on important policies and processes. Roles, responsibilities and authorities are defined, and segregation of duties is addressed.

  • Physical Security

    Multiple controls safeguard facilities, equipment and resources from unauthorized access, damage or harm (such as fire, theft or unescorted visitors). These include 24/7 perimeter security with power backup, CCTV, security guards, biometric and access-card entry, lockers for documents, shredding bins, visitor management, material in/out management, fire detection and mitigation, trained fire fighters, drills, an Emergency Response Team and preventive maintenance of equipment.

  • Change Management

    A Change Management policy and procedure are followed for all changes, including process, system, application, configuration and infrastructure changes.

  • Third Party Controls

    Third-party controls include vendor due diligence, risk assessment, and signing of an NDA, DPA, contract, code of conduct and SOW. Further controls include information security and privacy awareness, ongoing performance monitoring, annual audits, and adequacy controls for any cross-border data transfer.

  • Record Keeping, Data Retention & Destruction

    A data inventory, data flow diagrams and records of processing are maintained. AuthBridge retains different categories of data for the periods defined in AuthBridge's Data Retention Policy. Customer data is retained for the retention period agreed in the customer contract. Data is destroyed using techniques appropriate to the media and sensitivity to ensure adequate and secure destruction.

  • Business Continuity Management

    Business continuity is ensured through a highly resilient and redundant architecture and regular, systematic on-site and off-site backups of all business-critical applications and servers at defined frequencies. Processes are designed to minimize dependence on individuals; critical roles are identified and backup personnel are assigned. Business continuity and disaster recovery plans are tested periodically, and continual improvement actions are taken.

  • Privacy By Design

    ARS takes a proactive approach to safeguarding personal data. We apply Privacy by Design principles when creating any application or software and throughout the product, project management and services development life cycles, from classifying data at its point of collection through properly destroying it at the end of its life cycle. Foundational Privacy by Design concepts applied to our projects and products include, but are not limited to, data flow maps, data minimization, risk assessment, purpose specification, limitation and use, retention, security and access control.

  • Awareness

    Employees play a pivotal role in the success of security and privacy controls. Keeping them aware of threats to data privacy and information security is an ongoing process at AuthBridge. Under our information security and privacy awareness policy, training is imparted at the time of joining, at regular intervals for all employees, and on a need basis. Additional training in GDPR awareness, Business Continuity & Disaster Recovery Management, incident management, change management and fire fighting is imparted to the respective stakeholders at regular intervals.

  • Incident Management

    Although AuthBridge maintains strong controls to protect the privacy of your personal data, we also have an Incident Management Policy and aligned procedure in place to respond to any security incident or breach. It is a structured, step-by-step approach consisting of preparation, detection and reporting, analysis, containment, eradication, recovery, and lessons learnt.

Monitoring of controls


No system can be improved unless it is monitored. Security controls are monitored on an ongoing basis to validate their effectiveness, and events are monitored so that we can respond quickly. Monitoring controls include log review of systems, servers, networking devices, applications and Internet traffic, and network analysis for anomalies or suspicious behaviour.

Dashboards track schedules such as back-ups, patch updates, VAPT and changes. Regular internal audits and frequent external security and privacy audits are conducted. Based on the findings from this monitoring, the audits and testing, and periodic risk assessment, corrective action plans are made and actions are taken.

Our Team

  • Neelam Singh, Chief Information Security & Privacy Officer
  • Information Security Manager
  • Privacy Analyst
  • IT Team – IT Security Manager & Security Analysts
  • Legal

For any further queries, write to compliance@authbridge.com