From: UNITED INDIA INSURANCE COMPANY LIMITED
BOARD & SECRETARIAL DEPT.
HEAD OFFICE, CHENNAI

To: Dr. J S Dahiya, General Manager
Dept: Information Technology (IT-2)

Ref: HO:SEC:27:2018
Date: 10.2.2018

Re: Cyber Security Policy

We refer to the Note placed before our Board Meeting on 10.2.2018 and wish to
inform you as under:

The Board perused the note as well as the Cyber Security Policy annexed to the note and, after
discussion, passed the following resolution as recommended by the I.T. Committee:

RESOLVED THAT approval be and is hereby given for the Cyber Security Policy as
per annexure to the note.

(S VENKATARAMAN)
COMPANY SECRETARY
CYBER SECURITY POLICY

United India Insurance Company Limited


Address: 24, Whites Road, Chennai, Tamil Nadu 600014

CIN: U93090TN1938GOI000108
Internal Cyber Security Policy

DOCUMENT SUMMARY

AUTHORS: IT DEPARTMENT; DR. J S DAHIYA, GM & CISO
REVIEWED BY: GAURI VENKATESAN, DGM, IT
CURRENT VERSION: 1.0
DATE OF CURRENT VERSION: 10TH FEB, 2018
DATE OF ORIGINAL VERSION: 10TH FEB, 2018
DOCUMENT CIRCULATION: UIIC EMPLOYEES
OWNER: DR. J S DAHIYA, GM & CISO
APPROVED BY: UIIC BOARD

REVISION HISTORY

Version | Revision | Issue Date | Changes
1 | 0 | 10th Feb, 2018 | Initial Approved Draft

Document Ref. No. UIIC_ISMS_POL_17_003 Page 2 of 10



Table of Contents

1. Introduction (page 4)
2. Purpose (page 4)
3. Scope (page 4)
4. Coverage (page 4)
5. Authority (page 4)
6. Guidelines/Plan for policy (page 5)
7. Review of the Cyber Security Policy (page 5)
8. Management Direction for Cyber Security (page 5)
9. Cyber Security Awareness Among Employees (page 5)
10. Cyber Security Controls (page 5)
10.1 Inventory management of Critical Business IT Assets (page 5)
10.2 Environmental Controls (page 6)
10.3 Network Management and Security (page 6)
10.4 Application Security Life Cycle (ASLC) (page 6)
10.5 Patch/Vulnerability & Change Management (page 7)
10.6 User Access Control / Management (page 7)
10.7 Secure mail and messaging solution (page 7)
10.8 Vendor Risk Management (page 8)
10.9 Removable Media Management (page 8)
10.10 Advanced Real-time Threat Defence and Management (page 8)
10.11 Data Leak prevention strategy (page 9)
10.12 Maintenance, Monitoring, and Analysis of Audit Logs (page 9)
10.13 Incident Response & Management (page 9)
11. General Use and Security of Internet Activities (page 9)
11.1 Internet Rules of Behaviour (page 9)
11.2 Prohibitions on User Internet Activities (page 9)


1. Introduction
The Information Security Policy Manual and Procedures, in accordance with the ISO 27001:2005 standard,
was approved for the Company by the CMD on 25th March, 2011. The Company is now in the process of
migrating to the latest ISO 27001:2013 standard, for which the recommendations of an Information
Security Consultant have been sought. The Information Security Policy and Procedures aligned to the
ISO 27001:2013 standard shall be filed with the concerned Authorities for approval before implementation.
All information assets of UIIC are governed under the Information Security Policy, and the Cyber
Security Policy draws its references from the Information Security Policy of UIIC.

The Cyber Security Policy deals with the set of measures, activities, tools and tasks that ensure
protection of UIIC's cyberspace against cyber threats and cyberspace vulnerabilities. In Cyber Security,
therefore, we deal only with threats via cyberspace, not with threats to cyberspace such as physical
disasters at the Data Centre, non-availability of electric power, direct sabotage, or theft of a tablet
or smartphone.

2. Purpose
The purpose of the Cyber Security Policy is to provide guidance and direction to combat cyber threats,
given the level of complexity of the business and the acceptable levels of risk specific to UIIC.

The specific objectives of the Cyber Security Policy are outlined as the five domains of this policy:

1. Identify internal and external cyber security risks.
2. Protect organizational systems, assets, and data from identified cyber risks.
3. Detect system intrusions, data breaches and unauthorized access.
4. Respond to a potential cyber security event.
5. Recover from a cyber security event by restoring normal operations and services.

3. Scope
The policy shall be applicable to employees, customers, vendors, contractors, sub-contractors, external
parties and any other third party with whom the Company interacts or has dealings.

4. Coverage
The Information Systems covered by the policy include all assets such as people, processes, data,
information, software, hardware and communication networks operated by UIIC, whether at the DC/DR site,
Head Office, Learning Centre, Regional Offices or any operating office. They also include services that
are contracted or outsourced to other parties but operated for the Company.

5. Authority
The Cyber Security Policy shall be issued after approval by the Board of Directors of United India
Insurance Co. Ltd. The Cyber Security Policy document is strictly for internal circulation among the
employees of UIIC only. The discretion to make this policy document available, in full or in part, to any
other party rests with the Chief Information Security Officer.

DEVIATION, VIOLATION, MISCONDUCT

The Cyber Security Policy shall be adhered to, and any deviation shall be dealt with appropriately.
Deviation, violation and misconduct with respect to the Cyber Security Policy will be dealt with as per
the latest CDA rules.


6. Guidelines/Plan for policy

Specific frameworks/plans shall be issued and reviewed periodically by the Information Security
Committee of UIIC, within the overall scope and coverage set out in this policy document, for achieving
the objectives of the policy; these shall be properly documented and circulated.

7. Review of the Cyber Security Policy

This policy shall be reviewed at yearly intervals to make suitable changes/amendments in the light of
technological changes, and may also be reviewed whenever there is a change in the technology
implementation.

8. Management Direction for Cyber Security

Management shall actively support Cyber Security functions within UIIC through clear direction,
demonstrated commitment, explicit assignment, and acknowledgement of Cyber Security
responsibilities.

Management is committed to:
- Ensure that Cyber Security goals are in tune with business goals, are identified, meet UIIC's
requirements, and are integrated in relevant processes
- Formulate, implement, monitor, review and approve the Cyber Security Policy
- Periodically review the effectiveness of the Cyber Security Policy
- Support Cyber Security initiatives
- Provide the resources needed for Cyber Security
- Initiate plans and programmes to maintain Cyber Security awareness
- Approve assignments of specific roles and responsibilities for Cyber Security across UIIC

9. Cyber Security Awareness Among Employees

All persons shall be informed of the importance of Cyber Security through the Information Security
Awareness Education programme, to create an environment of sound cyber security practices within
UIIC.
- Cyber security awareness programmes/training will be conducted for officers/employees
through induction training or as separate training programmes, and
- Cyber security awareness programmes/training will be conducted by the Learning Centre periodically.

10. Cyber Security Controls

10.1 Inventory management of Critical Business IT Assets

UIIC has carried out asset and information classification and has submitted the list of critical
information infrastructure assets to the NCIIPC (National Critical Information Infrastructure
Protection Centre). This list shall be periodically reviewed and updated.

A Central Desktop Management System (CDMS) has been implemented to monitor authorized/unauthorized
devices and software in UIIC, as below:
- Inventory of Authorized and Unauthorized Devices


The Central Desktop Management System (CDMS) software actively manages (inventories, tracks, and
corrects) all hardware devices on the network so that only authorized devices are given access, and
unauthorized and unmanaged devices are identified and prevented from gaining access, installing or
executing.
- Measures to prevent execution of unauthorised software:
  - Maintaining an up-to-date inventory of software by implementing CDMS and updating it regularly.
  - CDMS has control over the installation of software/applications on end-user PCs, workstations,
  servers, etc.
  - Continuously monitoring and updating patches as released by the vendors (system software,
  application software, firewalls, servers, switches, etc.).
- Secure configurations for hardware and software on servers, network/security devices,
workstations, etc.: implementation of the CDMS software to establish, implement and actively manage
(track, report on, correct) the security configuration of servers and workstations through a rigorous
configuration management and change control process, in order to prevent attackers from exploiting
vulnerable services and settings.
10.2 Environmental Controls

UIIC has implemented a Physical and Environmental Security Policy & Procedure vide the Information
Security Policies & Procedures adopted by UIIC, such as the visitor management process, equipment
security, restricted access to the Data Centre and ambience within the Data Centre.

Mechanisms are in place to monitor breaches/compromise of environmental controls relating to
temperature, fire detection & suppression, smoke detectors, alarms, service availability alerts (power
supply, telecommunication, servers), access logs, etc., and the same shall be ensured at all times.
Appropriate physical security measures shall be ensured to protect the critical assets of UIIC, such
as access control/biometric systems, door lock & key, CCTV surveillance, etc.

10.3 Network Management and Security

A dedicated NOC (Network Operations Centre)/SOC (Security Operations Centre) team, with external
vendor support, handles UIIC's network infrastructure and service requests relating to the network.
The following activities shall be practised by the NOC/SOC team:
- Periodic Vulnerability Assessment and Penetration Testing (VAPT) of network devices in order
to identify vulnerabilities, remediate them and minimize the window of opportunity for attackers.
- Secure configurations for network devices such as firewalls, routers and switches, to be
established, implemented and actively managed (tracked, reported on, corrected) by the NOC/SOC
team.
- Boundary defence to detect/prevent/correct the flow of information between networks of
different trust levels, with a focus on security against damaging data.
- Maintaining the Barracuda Web Security Gateway 4.0 proxy server to make internet browsing safe on
the UIIC network. It has features such as spyware & virus protection, application control,
suspicious activity alerts, advanced threat protection, and Web 2.0 and social media regulation.

10.4 Application Security Life Cycle (ASLC)

Periodic Vulnerability Assessment & Penetration Testing shall be conducted for all applications
developed and running on UIIC systems, to identify vulnerabilities and remediate them.


10.5 Patch/Vulnerability & Change Management

An automated patch management process is in place for servers and clients, including OS security
patches. A manual patch update process for application software and network devices shall be
rigorously followed. Periodic Vulnerability Assessment & Penetration Testing is conducted to identify
vulnerabilities and remediate them.

The change management process shall be practised as below:
- A change request is raised by the change requester, including a change description
- The change shall be approved by his/her reporting Manager
- The change request shall be reviewed and approved (YES/NO)
- Changes shall be tested in a separate testing environment (UAT) before release to the production
(live) environment
- Impact analysis and a roll-back plan shall be done if the change request is approved
- If not approved, proper justification shall be given for the same
- Change records shall be documented

10.6 User Access Control / Management

- UIIC has implemented Active Directory and a centralized desktop management solution for
authentication and authorization of users logging into UIIC systems.
- Role-based access is configured with a strong password policy for all applications, operating
systems, databases, network and security devices, and points of connectivity (local/remote, etc.).
- Administrative rights are provided to named users only, and access rights are granted on a
need-to-know basis for a specific duration when required.
- UIIC has provided secure channel access (SSL encryption) to intermediary/Bancassurance portals,
customer portals and the website. Remote access is provided to designated employees for accessing
core insurance applications through VPN tokens.

10.7 Secure mail and messaging solution

- The messaging solution supports Enhanced Simple Mail Transfer Protocol (ESMTP), facilitating
security authentication. The messaging solution also provides SSL/TLS and MIME support for
encrypted communication.
- The messaging solution is capable of validating the sender domain in DNS (Sender Policy Framework,
DomainKeys). The messaging solution is protected from Denial of Service and Distributed Denial of
Service attacks. The solution has a facility to use a PKI infrastructure to sign messages digitally
as well as to encrypt messages.
- The Gateway Antivirus & Antivirus solution provides anti-spam, antivirus and content filtering
protection for the SMTP gateway. The solution provides protection against all kinds of attacks,
including but not limited to viruses, denial of service (DoS), Trojan horses and worms, including
boot sector, master boot sector, memory resident, macro, etc. The solution provides basic
functionality such as curing/cleaning a virus-infected file/mail, quarantining a virus-infected
mail/file, and deleting a virus-infected mail/file.
- The solution scans both inbound and outbound mails for inappropriate content and private data.
The solution scans all mails, both inbound and outbound, passing through the messaging system, and
cures infections in documents attached to email messages and folders.
- The solution provides the capability to define blacklisted/whitelisted senders and domains at the
global level for the whole messaging system, to reduce SPAM and virus mails.

10.8 Vendor Risk Management

- UIIC signs agreements and Non-Disclosure Agreements with its vendors.
- UIIC shall ensure the inclusion of clauses relating to security requirements arising out of
vendor-related risks, and measures for the mitigation of the same through incident management.

10.9 Removable Media Management

- UIIC shall have a documented and well-practised Removable Media Management process.
- UIIC has a centralised policy in CDMS to whitelist/blacklist/restrict removable media use
through Active Directory.
- Removable media are scanned by anti-virus software for malware/viruses prior to read/write
access being provided.
- Use of removable devices and media is not permitted in UIIC unless specifically authorized
for a defined use and duration of use.

10.10 Advanced Real-time Threat Defence and Management

- A Check Point firewall (FW4800) is placed in the network to monitor incoming and outgoing
traffic.
- Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) are enabled in the
firewall.
- Anti-bot and anti-malware are enabled and protect against a wide range of threats.
- Access control lists have been implemented effectively.
- Intrusion Detection/Prevention Systems gather and analyse information from various areas
within a computer or a network to identify possible security breaches, which include intrusions
from both outside and inside the organization. These systems detect the occurrence of anomalies or
cyber security incidents at UIIC, enabling timely responses to a cyber-attack and the potential to
limit or contain the impact of the attack.
- Network Behaviour Anomaly Detection tools continuously monitor the network for unusual events
or trends. These devices track critical network characteristics in real time and generate an alarm
if an anomalous event is detected that could indicate the presence of a threat, such as larger than
normal traffic volume to the website or bandwidth usage.


10.11 Data Leak prevention strategy

UIIC has implemented a Data Leak Prevention (DLP) strategy through the Trend Micro OfficeScan DLP
tool via CDMS, which is a comprehensive data loss/leakage prevention strategy to safeguard sensitive
(including confidential) business and customer data/information.

10.12 Maintenance, Monitoring, and Analysis of Audit Logs

- UIIC has implemented the log management process manually.
- Maintenance, monitoring and analysis of audit logs: collect, manage and analyse audit logs of
events that could help detect, understand or recover from an attack.

10.13 Incident Response & Management

- A Cyber Security Management Plan (CCMP) has been formulated, and periodic review will be done on
incidents, root causes and corrective actions for cyber security events.
- UIIC's incident response plan shall also address communicating a data breach to internal
stakeholders, IRDAI, law enforcement agencies and external Government security agencies such as
CERT-In and NCIIPC.

11. General Use and Security of Internet Activities

11.1 Internet Rules of Behaviour

Using facilities or equipment to make abusive, unethical or "inappropriate" use of the Internet
will not be tolerated and may be considered grounds for disciplinary action, including termination
of employment. Examples of inappropriate employee Internet use include, but are not limited to,
the following:
- Conducting or participating in illegal activities, including gambling
- Accessing or downloading pornographic material
- Solicitations for any purpose not expressly approved by company management
- Revealing or publicizing proprietary or confidential information
- Representing personal opinions as those of the company
- Making or posting indecent remarks
- Uploading or downloading commercial software in violation of its copyright
- Uploading or mailing the company's confidential documents without the permission/authorization
of the concerned parties
- Downloading any software or electronic files without reasonable virus protection measures
in place
- Intentionally interfering with the normal operation of the Internet gateway

11.2 Prohibitions on User Internet Activities

To prevent any appearance of inappropriate conduct on the Internet and to reduce risk to the
organization, employees shall not:

- Enter into contractual agreements via the Internet, e.g. enter into binding contracts on behalf
of the company over the Internet


- Use the company logos or company materials in any web page or Internet posting unless approved,
in advance, by company management
- Use software files, images, or other information downloaded from the Internet that have not
been released for free public use
- If a business need exists, then protective methods and software must be installed on the
user's workstation to prevent hackers from gaining access to the data on the user's workstation
- Introduce material considered indecent or offensive, or related to the production, use,
storage, or transmission of sexually explicit or offensive items, on the company network or
systems
- Attempt to gain illegal access to remote systems on the Internet
- Attempt to inappropriately telnet to or port scan remote systems on the Internet
- Use or possess Internet scanning or security vulnerability assessment tools without the
permission of the Information Security head
- Post material in violation of copyright law
- Establish Internet or other external network connections that could allow other company
users to gain access into company systems and information assets
