Information Security Policy

  1. Introduction

This policy outlines the information technology and information security policies and procedures of Onsolve. It aims to ensure that the organization’s information systems and data are protected and that compliance with relevant laws, regulations, and industry standards is maintained.

  2. Access Control

Access to information systems and data is granted based on the principle of least privilege. 

Only authorized personnel can access systems, networks, and data.

 Access to information systems and data is managed through a central access management system.

 Access to information systems and data is granted based on job function and need-to-know.

  3. Data Protection

All data is classified based on sensitivity, confidentiality, and criticality. 

 All data is encrypted both in transit and at rest. 

 Backups of all data are taken regularly and stored offsite. 

 Disposal of data is done in a secure manner that meets legal and regulatory requirements.

  4. System Security

All systems are protected by firewalls and intrusion detection and prevention systems. 

All systems are regularly patched and updated. 

Antivirus software is installed and updated on all systems. 

All systems are regularly audited to ensure compliance.

  5. IT Infrastructure Security Standards

External hosting: hosting of IT infrastructure, files, and email is to be conducted by a specialist third-party IT hosting service provider.

  6. Incident Response

All incidents are reported immediately to the IT department. 

 An incident response plan is in place that outlines procedures for incident investigation and response. 

 All incidents are documented and reported to senior management.

  7. Vendor Management

 All third-party vendors providing IT services are selected based on their security and compliance credentials. 

 All third-party vendors providing IT services are managed through a vendor management system. 

All third-party vendors providing IT services are audited regularly to ensure compliance.

  8. Physical Security

 Physical access to data centers and other critical infrastructure is strictly controlled. 

Environmental controls are in place to ensure the safety and availability of critical systems. 

Disaster recovery plans are in place that ensure the availability of critical systems in the event of a disruptive event.

  9. Data Property

Email and other computer files made on Onsolve computer systems are considered Onsolve property. They shouldn’t be regarded as private and may be searched whenever necessary for legal or other business-related reasons.

  10. IT Assets

Webmail access is limited to cPanel users and Gmail users.

File-sharing websites such as Box may be used only for valid business needs. A predetermined list of employees has been whitelisted for access, on the condition that it is used exclusively for data in the public classification. The IT specialist is required to maintain the file-sharing whitelist continuously, and it is checked for accuracy on a quarterly basis.

The computers and network of Onsolve shouldn’t be accessible to former employees. Immediately after they stop working for the organization, access should be terminated. The Termination Checklist is utilized in this process. Employees on leave of absence can use resources at the managers’ discretion.

  11. Compliance

Onsolve complies with all relevant laws, regulations, and industry standards related to IT and information security. 

 Compliance is monitored regularly, and necessary action is taken to ensure compliance.

  12. Business Continuity

A business continuity plan is in place that ensures the availability of critical systems in the event of a security breach, natural disaster, or other disruptive event.

  13. Conclusion

This policy is reviewed and updated regularly to ensure that it remains relevant and effective in the face of evolving threats and technologies.