Information Security Policy
This policy outlines the information technology and information security policies and procedures of Onsolve. It aims to ensure that the organization’s information systems and data are protected and that compliance with relevant laws, regulations, and industry standards is maintained.
- Access Control
Access to information systems and data is granted based on the principle of least privilege.
Only authorized personnel can access systems, networks, and data.
Access to information systems and data is managed through a central access management system.
Access to information systems and data is granted based on job function and need-to-know.
- Data Protection
All data is classified based on sensitivity, confidentiality, and criticality.
All data is encrypted both in transit and at rest.
Backups of all data are taken regularly and stored offsite.
Disposal of data is done in a secure manner that meets legal and regulatory requirements.
- System Security
All systems are protected by firewalls and intrusion detection and prevention systems.
All systems are regularly patched and updated.
Antivirus software is installed and updated on all systems.
All systems are regularly audited to ensure compliance.
- IT Infrastructure Security Standards
External hosting: policy that hosting of IT infrastructure, files and email is to be conducted by a specialist third party IT hosting service provider.
- Incident Response
All incidents are reported immediately to the IT department.
An incident response plan is in place that outlines procedures for incident investigation and response.
All incidents are documented and reported to senior management.
- Vendor Management
All third-party vendors providing IT services are selected based on their security and compliance credentials.
All third-party vendors providing IT services are managed through a vendor management system.
All third-party vendors providing IT services are audited regularly to ensure compliance.
- Physical Security
Physical access to data centers and other critical infrastructure is strictly controlled.
Environmental controls are in place to ensure the safety and availability of critical systems.
Disaster recovery plans are in place that ensures the availability of critical systems in the event of a disruptive event.
- Data Property
Email and other computer files made on Onsolve computer systems are considered Onsolve property. They shouldn’t be regarded as private and may be searched whenever necessary for legal or other business-related reasons.
- IT Assets
Webmail access is limited to C panel users and Gmail users.
Only valid business needs are allowed to use file-sharing websites like Box. On the grounds that it is exclusively used for the public data classification, a predetermined list of employees has been “White listed” to permit access. The IT specialist is required to maintain the File Sharing whitelist continuously, and it is checked for accuracy on a quarterly basis.
The computers and network of Onsolve shouldn’t be accessible to former employees. Immediately after they stop working for the organization, access should be terminated. The Termination Checklist is utilized in this process. Employees on leave of absence can use resources at the managers’ discretion.
Onsolve complies with all relevant laws, regulations, and industry standards related to IT and information security.
Compliance is monitored regularly, and necessary action is taken to ensure compliance.
- Business Continuity
A business continuity plan is in place that ensures the availability of critical systems in the event of a security breach, natural disaster, or other disruptive event.
This policy is reviewed and updated regularly to ensure that it remains relevant and effective in the face of evolving threats and technologies.