From
UNITED INDIA INSURANCE COMPANY LIMITED
To IT-2
We refer to the Note placed before our Board Meeting on 10.2.2018 and wish to
inform you as under:
Board perused the note as well as the Cyber Security Policy annexed to the note and
after discussion passed the following resolution as recommended by the
I.T. Committee:
RESOLVED THAT approval be and is hereby given for the Cyber Security Policy as
per annexure to the note.
(S VENKATARAMAN)
COMPANY SECRETARY
CYBER SECURITY POLICY
CIN: U93090TN1938GOI000108
Internal Cyber Security Policy
DOCUMENT SUMMARY
AUTHORS: IT DEPARTMENT
REVISION HISTORY
Table of Contents
1. Introduction
2. Purpose
3. Scope
4. Coverage
5. Authority
1. Introduction
The Information Security Policy Manual and Procedures, drawn up in accordance with the ISO 27001:2005 standard for the Company, were approved by the CMD on 25th March, 2011. The Company is now in the process of migrating to the latest ISO 27001:2013 standard, for which it has sought the recommendations of an Information Security Consultant. The Information Security Policy and Procedures aligned with ISO 27001:2013 shall be filed with the concerned authorities for approval before implementation. All information assets of UIIC are governed by the Information Security Policy, and the Cyber Security Policy draws its references from the Information Security Policy of UIIC.
The Cyber Security Policy deals with the set of measures, activities, tools and tasks that ensure protection of UIIC's cyberspace against cyber threats and cyberspace vulnerabilities. In other words, Cyber Security deals only with threats that arrive via cyberspace, not with threats to cyberspace itself, such as physical disasters at the Data Centre, non-availability of electric power, direct sabotage, or theft of a tablet or smartphone.
2. Purpose
The purpose of the Cyber Security Policy is to provide guidance and direction to combat cyber threats, given the level of complexity of the business and the acceptable levels of risk specific to UIIC.
The specific objectives of the Cyber Security Policy are outlined as the 5 domains of this policy:
3. Scope
The policy shall be applicable to employees, customers, vendors, contractors, sub-contractors, external
parties and any other third party with whom the Company interacts or has dealings.
4. Coverage
The Information Systems covered by the policy include all assets such as people, processes, data, information, software, hardware and communication networks operated by UIIC, whether used at the DC/DR site, Head Office, Learning Centre, Regional Offices or any of the operating offices. It includes services that are contracted or outsourced to other parties but operated for the Company.
5. Authority
The Cyber Security Policy shall be issued after approval by the Board of Directors of United India
Insurance Co.Ltd. The Cyber Security Policy document is strictly for internal circulation among the
employees of UIIC only. The discretion for making this policy document available in full or in part to any
other party rests with the Chief Information Security Officer.
Central Desktop Management System (CDMS) software actively manages (inventories, tracks and corrects) all hardware devices on the network so that only authorised devices are given access, and unauthorised and unmanaged devices are identified and prevented from gaining access, installing software or executing it.
Measures to prevent execution of unauthorised software
Maintain an up-to-date inventory of software by implementing CDMS and updating the inventory regularly.
CDMS controls the installation of software and applications on end-user PCs, workstations, servers, etc.
Continuously monitor and apply the patches released by vendors for system software, application software, firewalls, servers, switches, etc.
Secure configurations for hardware and software on servers, network and security devices, workstations, etc.: CDMS software is implemented to establish, implement and actively manage (track, report, correct) the security configuration of servers and workstations through a rigorous configuration management and change control process, in order to prevent attackers from exploiting vulnerable services and settings.
10.2 Environmental Controls
UIIC has implemented a Physical and Environmental Security Policy & Procedure as part of the Information Security Policies & Procedures adopted by UIIC, covering the visitor management process, equipment security, restricted access to the Data Centre and the ambient conditions within the Data Centre.
functionality features such as curing/cleaning an infected file or mail, quarantining an infected mail or file, and deleting an infected mail or file.
The solution scans both inbound and outbound mail for inappropriate content and private data. It scans all inbound and outbound mail passing through the messaging system and disinfects documents attached to email messages and folders.
The solution provides the capability to define blacklisted and whitelisted senders and domains at the global level for the whole messaging system, in order to reduce spam and virus mails.
UIIC shall have a documented and well-practised Removable Media Management process.
UIIC has a centralised policy in CDMS, enforced through Active Directory, to whitelist, blacklist or restrict the use of removable media.
Removable media is scanned by the anti-virus software for malware prior to read/write access being granted.
Use of removable devices and media is not permitted in UIIC unless specifically authorised for a defined use and a defined duration of use.
10.10 Advanced Real-time Threat Defence and Management
A Check Point firewall (FW4800) is placed in the network to monitor incoming and outgoing traffic.
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) functions are enabled in the firewall.
Anti-bot and anti-malware protection are enabled and protect against a wide range of threats.
Access control lists have been implemented effectively.
Intrusion Detection/Prevention Systems gather and analyse information from various areas within a computer or a network to identify possible security breaches, including intrusions from both outside and inside the organisation. These systems detect the occurrence of anomalies or cyber security incidents at UIIC, enabling a timely response to a cyber-attack and the potential to limit or contain its impact.
Network Behaviour Anomaly Detection tools continuously monitor the network for unusual events or trends. These devices track critical network characteristics in real time and generate an alarm if an anomalous event is detected that could indicate the presence of a threat, such as larger-than-normal traffic volume to the website or unusual bandwidth usage.
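The paragraph above describes behaviour anomaly detection in terms of a baseline and an alarm threshold. The following is an added illustration of that idea, not code from the policy or from any product UIIC operates: a rolling baseline of a single metric (per-minute traffic volume) is learnt from recent observations, and a new observation that lies more than an assumed three standard deviations from the baseline raises an alarm. The sample series, the window size and the threshold are constructed assumptions.

```python
from collections import deque
from statistics import mean, pstdev


class VolumeAnomalyDetector:
    """Rolling-baseline detector for a single network metric (e.g. Mbps per minute)."""

    def __init__(self, window=60, z_threshold=3.0, min_history=10, min_sigma=1.0):
        self.history = deque(maxlen=window)   # recent observations accepted as "normal"
        self.z_threshold = z_threshold        # assumed alarm threshold, in standard deviations
        self.min_history = min_history        # observations needed before scoring starts
        self.min_sigma = min_sigma            # floor so a perfectly flat baseline cannot make z explode

    def observe(self, value):
        """Score one observation against the baseline.

        Returns (is_anomalous, z_score). Observations flagged as anomalous are NOT
        folded into the baseline, so a sustained flood does not gradually teach the
        detector that the flood is normal.
        """
        if len(self.history) < self.min_history:
            self.history.append(value)        # still learning: accept silently
            return False, 0.0
        baseline = mean(self.history)
        sigma = max(pstdev(self.history), self.min_sigma)
        z = (value - baseline) / sigma
        if abs(z) > self.z_threshold:
            return True, z                    # alarm; baseline left untouched
        self.history.append(value)
        return False, z


# Constructed sample (not real UIIC data): 30 minutes of ordinary traffic between
# 1000 and 1049 Mbps with deterministic jitter, a sudden 9000 Mbps spike of the
# kind a flood or bulk transfer would produce, then a return to normal.
SAMPLE_MBPS = [1000 + (i * 37) % 50 for i in range(30)] + [9000] + [1020, 1035]


def run_sample(series=SAMPLE_MBPS):
    """Feed a series through the detector; return [(index, value, z), ...] for each alarm."""
    detector = VolumeAnomalyDetector(window=60, z_threshold=3.0, min_history=10)
    alarms = []
    for i, mbps in enumerate(series):
        flagged, z = detector.observe(mbps)
        if flagged:
            alarms.append((i, mbps, round(z, 1)))
    return alarms


if __name__ == "__main__":
    for index, mbps, z in run_sample():
        print(f"ALARM at minute {index}: {mbps} Mbps (z = {z})")
```

Two design points matter for a real deployment: flagged samples are kept out of the baseline so an attacker cannot "boil the frog" by ramping traffic slowly within the tolerance band, and the `min_sigma` floor prevents a very quiet link from alarming on trivial fluctuations once the learnt standard deviation approaches zero.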
Enter into contractual agreements via the Internet, e.g. enter into binding contracts on behalf of the Company over the Internet.
Use the Company logos or Company materials in any web page or Internet posting unless approved in advance by Company management.
Use software, files, images or other information downloaded from the Internet that has not been released for free public use.
If a business need exists, protective methods and software must be installed on the user's workstation to prevent attackers from gaining access to the data on that workstation.
Introduce material that is considered indecent or offensive, or that is related to the production, use, storage or transmission of sexually explicit or offensive items, onto the Company network or systems.
Attempt to gain illegal access to remote systems on the Internet.
Attempt to inappropriately telnet to or port scan remote systems on the Internet.
Use or possess Internet scanning or security vulnerability assessment tools without the permission of the Information Security Head.
Post material in violation of copyright law.
Establish Internet or other external network connections that could allow other Company users to gain access to Company systems and information assets.