Information Security Policy and Practices
Effective from: May 21, 2022
Creesync Software Technologies Pvt Ltd. (herein referred to as Creesync in this document) is committed to ensuring the Confidentiality, Integrity, and Availability (CIA) of its information assets and to providing comprehensive protection against the consequences of confidentiality breaches, failures of integrity, and/or interruptions to their availability. To provide adequate protection for information assets, Creesync will implement procedures and controls at all levels to protect the confidentiality and integrity of information stored and processed on its systems and to ensure that information is available only to authorized persons as and when required.
This document details Creesync’s policies to ensure the protection of its information assets, and to allow the use, access, and disclosure of such information in accordance with appropriate standards, laws, and regulations.
All workforce members, customers, and third parties who use Creesync’s information processing facilities are required to comply with the Information Security policy of Creesync.
Creesync is committed to complying with all applicable regulations and laws in all locations and countries related to its operations and information processing.
The key regulations complied with include laws related to corporate governance, employee relations, data privacy, intellectual property, and financial reporting.
The scope of this policy covers all information assets owned or provided by Creesync, whether they reside on the corporate network or elsewhere.
Information Security policies apply to all business functions of Creesync which include:
- Finance & Accounts
- Marketing
- Customer Success Management
The Information Security policies apply to any person (employees, consultants, customers, and third parties), who accesses and uses Creesync’s information systems.
Creesync has established, implemented, maintained, and continually improved the Information Security Practices within the context of its overall business activities and risks it may face in accordance with the requirements of the ISO 27001:2013 standard. The processes used are based on the Plan, Do, Check, and Act (PDCA) model.
- Plan (Establish the ISMS)
Creesync has established policies, related processes, objectives, and procedures relevant for managing risks and improving information security to deliver results in accordance with its overall policies and objectives. The Plan phase includes:
- Establishing the ISMS
- Defining the scope of ISMS
- Defining an ISMS manual
- Defining a systematic approach to risk assessment
- Identifying risks
- Assessing the risks
- Identifying and evaluating options for the treatment of risks
- Selecting control objectives
- Preparing a statement of applicability
- Do (Implement and operate the ISMS)
Creesync has adopted and implemented procedures and processes to ensure compliance and adherence to the ISMS framework. Creesync management made all the necessary resources available to ensure implementation and operation according to the ISMS. The Do phase includes:
- Formulating a risk treatment plan
- Implementing the risk treatment plan
- Implementing controls
- Implementing training and awareness programs
- Managing operations
- Managing resources
- Implementing procedures and other controls for incident handling
- Check (Monitor and review the ISMS)
The compliance team ensures regular and continuous monitoring by conducting periodic assessments, reviews, and audits of the Information Security policy of Creesync. The Check phase includes:
- Executing monitoring procedures and other controls
- Undertaking regular reviews of the effectiveness of ISMS
- Reviewing the level of residual risk and acceptable risk
- Conducting internal ISMS audits
- Undertaking management review of ISMS
- Recording actions and events that could have an impact on the effectiveness or performance of ISMS
- Act (Maintain and improve the ISMS)
Continual improvement in the effectiveness of ISMS at Creesync is demonstrated through the use of Security Policy, Security Objective, Audit Results, Analysis of Data, Corrective and Preventive Actions, and Management Review. The Act phase includes:
- Maintaining and improving the ISMS
- Implementing identified improvements
- Taking appropriate corrective actions and preventive actions
- Communicating the results and actions, and agreeing them with all interested parties
- Ensuring that the improvements help achieve their intended objective
4. Leadership and Commitment
Creesync is committed to security. The top management has constituted Creesync Corporate Security and Compliance Team, which is responsible for defining and improving the ISMS.
The top management has demonstrated leadership and commitment with respect to the information security management system by:
- Ensuring that the information security policy and the information security objectives are established and are compatible with the strategic direction of Creesync
- Ensuring integration of ISMS requirements into Creesync’s processes
- Ensuring that the resources needed for ISMS are available
- Communicating the importance of effective information security management and of conforming to the information security management system requirements
- Ensuring that ISMS achieves its intended outcome(s)
- Directing and supporting persons to contribute to the effectiveness of ISMS
- Promoting continual improvement
- Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility
The following is the information security management policy statement adopted by Creesync:
“Creesync is committed to ensuring integrity, confidentiality, availability, and security of its physical and information assets at all times for serving the needs and expectations of its interested parties both within organization and from external parties including clients, suppliers, regulatory, and governmental departments in line with its vision, mission, and values while meeting all legal, statutory, regulatory, and contractual requirements. Creesync’s information systems and the information and data they contain are fundamental for its daily operations and future success. Creesync will develop, implement, maintain, and continually improve policies, procedures, and controls at all levels to protect the confidentiality and integrity of information stored and processed on its systems and ensure that information is available to authorized persons as and when required.”
The Information Security measures include:
5.1. Governance and Organization Structure
- Creesync has established a Corporate Security and Compliance Team (CSC) made up of key personnel whose responsibility is to identify areas of security and compliance concern across Creesync and act as the first line of defense in enhancing the appropriate security and compliance posture. This team reports to the Founders.
- The team comprises workforce members who are knowledgeable in law and cross-jurisdictional regulation, policy, products, and IT, and who are responsible for upholding the five trust principles (confidentiality, integrity, availability, privacy, and security) with regard to data protection under law, compliance obligations, and standards across Creesync. The Founders have assigned the responsibility and authority for overseeing and maintaining information security and compliance, as per the standard and industry best practices, to the Data Protection Officer.
- The governance of these programs is performed by the Corporate Security and Compliance Committee, consisting of executives and other department heads from across Creesync.
5.2. Personnel Security
- Creesync has established personnel security requirements, including security roles and responsibilities for third-party providers, and monitors provider compliance.
- Creesync screens individuals requiring access to critical and production environment information and information systems before authorizing access. Only workforce members with the highest clearance have access to data in our data centers. Workforce access is logged, and passwords are strictly regulated. Access to production data is granted on a need basis to only the select few of these workforce members who require it to provide support and troubleshooting.
- As per the established process, on termination of individual employment, Creesync terminates information system access, conducts exit interviews, retrieves all organizational information system-related property, and provides appropriate personnel with access to official records created by the terminated workforce that are stored on organizational information systems.
- Creesync has developed a world-class practice for managing security and data protection risk.
- Awareness and Training
- All workforce members complete an annual information security and privacy awareness and training program.
- As part of this program, additional role-based training is provided to the workforce, before they start handling sensitive and confidential information.
- Information Security and Compliance Training Guide is provided as a quick reference guide to workforce members.
- Training logs identifying the training class, attendee, and date are kept by the HR department.
5.3. Information Asset Management
- Creesync has established a formal Asset Management policy and process to facilitate the effective management, control, and maintenance of the assets and information in its operating environment by classifying assets according to their functionality or criticality.
- This policy identifies, classifies, labels, and handles the Information Assets of Creesync, and applies protection mechanisms commensurate with their level of confidentiality and sensitivity.
- The confidentiality and sensitivity of information will be maintained through an Information Asset classification scheme. The level of security to be accorded to the information of Creesync depends directly on the classification level of the asset, which is associated with that information.
- The Information Asset Inventory must contain the following information as a minimum:
- Information Asset Identification
- Information Asset Description
- Information Asset Location
- Information Asset Owner/Custodian
- Information Asset Classification
- Information at Creesync
Creesync information may include, but is not limited to:
- All proprietary information that belongs to Creesync such as user manuals, training materials, operating and support procedures, business continuity plans, and audit trails.
- Personnel information relating to employees of Creesync.
- All client information & product research-related data held by Creesync.
- All software assets such as application software, system software, development tools, and utilities.
- All physical assets, such as computer equipment, communications equipment, removable media, and equipment relating to facilities.
- People assets.
- Intangible assets such as the reputation and image of Creesync.
5.4. Access Control
This section defines the access controls required to meet the security objectives of the Information Security policy. Access control management is paramount to protecting Creesync information resources and requires the implementation of controls and continuous oversight to restrict access.
Confidentiality, Integrity, and Availability (CIA) are fundamental aspects of the protection of systems and information, and are achieved through logical, physical, and procedural controls. It is vital for the protection of systems and information that authorized users who have access to Creesync systems and information are aware of and understand how their actions may affect security and privacy.
The policy is organized into the following key sections which map directly to the ISO 27001 Access Control Domain security objectives:
- Business Requirements for Access Control
- User Access Management
- User Responsibilities
- System and Application Access Control
- Mobile Computing and Teleworking
- Access control is established by imposing standards for protection at the operating system level, at the application level, and at the database level. Access to Creesync computer systems will be based on the principles of “least privilege” and “need to know” and must be administered to ensure that an appropriate level of access control is applied to users as well as system support personnel to protect Creesync information systems.
- Administrative (also known as “root”) access to systems is limited to Workforce Members who have a legitimate business need for this type of access. Administrative access to network devices is logged.
- All access to Creesync systems and services is reviewed by CSC and updated on a quarterly basis to assure that proper authorizations are in place commensurate with job functions.
- Access to electronically stored records containing personal information will be electronically limited to those workforce members having an authorized and unique login ID assigned.
- Where practical, all visitors who are expected to access areas other than common space or are granted access to office space containing personal information should be required to sign in at a designated reception area where they will be assigned a visitor’s ID or guest badge unless escorted at all times. Visitors are required to wear said visitor ID in a plainly visible location on their body unless escorted at all times.
- Where practical, all visitors are restricted from areas where files containing personal information are stored. Alternatively, visitors must be escorted or accompanied by an approved person in any area where files containing personal information are stored.
- Cleaning personnel (or others after normal business hours and not also authorized to have access to personal information) are not to have access to areas where files containing personal information are stored.
- All computers with an Internet connection or any computer that stores or processes personal information must have a recently updated version of software providing virus, anti-spyware, and anti-malware protection, installed and active at all times.
- Password Management: We have processes designed to enforce minimum password requirements for Creesync Service. We currently enforce the following requirements and security standards for end user passwords on Creesync Service:
- Passwords must be a minimum of 8 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols.
- Multiple sign-ins with the wrong username or password will result in a locked account, which will be disabled for a period of time to help prevent brute-force sign-in attempts, but not so long that legitimate users are unable to use the application.
- Email-based password reset links are sent only to a user’s pre-registered email address with a temporary link.
- Creesync prevents reuse of recently used passwords.
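The password rules above, implemented as an added example (not Creesync’s code): the complexity check, a lockout that expires on its own, a hashed password history for the no-reuse rule, and a single-use, expiring reset token. The policy gives no numbers for the lockout threshold, lock duration, history depth or link lifetime, so the constants are assumed placeholders.

```python
import hashlib
import hmac
import os
import re
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumed placeholders: the policy states the rules but not these numbers.
MIN_LENGTH = 8
LOCKOUT_THRESHOLD = 5           # failed sign-ins before the account locks
LOCKOUT_SECONDS = 15 * 60       # blunts brute force without locking real users out for long
PASSWORD_HISTORY = 5            # previous passwords that may not be reused
RESET_TTL_SECONDS = 30 * 60     # lifetime of an emailed reset link
PBKDF2_ITERATIONS = 100_000

# Character-class rules from the policy: upper, lower, digit, symbol.
CLASS_RULES = [(r"[A-Z]", "no uppercase letter"), (r"[a-z]", "no lowercase letter"),
               (r"[0-9]", "no digit"), (r"[^A-Za-z0-9]", "no symbol")]


def complexity_problems(password: str) -> list:
    """Return the policy rules the candidate password violates (empty list means it passes)."""
    problems = [f"shorter than {MIN_LENGTH} characters"] if len(password) < MIN_LENGTH else []
    problems += [msg for pattern, msg in CLASS_RULES if not re.search(pattern, password)]
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 so neither live passwords nor the history are stored in clear."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Account:
    username: str
    current: Optional[tuple] = None                 # (salt, digest) of the live password
    history: list = field(default_factory=list)     # (salt, digest) of previous passwords
    failed_attempts: int = 0
    locked_until: float = 0.0
    reset_token: Optional[tuple] = None             # (sha256 of token, expiry time)

    def set_password(self, new_password: str) -> list:
        """Enforce complexity and the no-reuse rule; returns the problems found."""
        problems = complexity_problems(new_password)
        recent = ([self.current] if self.current else []) + self.history
        if any(matches(new_password, salt, digest) for salt, digest in recent):
            problems.append("matches a recently used password")
        if problems:
            return problems
        if self.current:
            self.history.insert(0, self.current)
            del self.history[PASSWORD_HISTORY:]     # keep only the most recent N
        self.current = hash_password(new_password)
        return []

    def attempt_login(self, password: str, now: Optional[float] = None) -> str:
        """Returns 'ok', 'denied' or 'locked'; a lock expires by itself after LOCKOUT_SECONDS."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        if self.current and matches(password, *self.current):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failed_attempts = 0
            return "locked"
        return "denied"

    def issue_reset_token(self, now: Optional[float] = None) -> str:
        """Temporary single-use token for the reset link; only its hash is stored.
        Emailing it to the pre-registered address is outside this example."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.reset_token = (hashlib.sha256(token.encode()).digest(), now + RESET_TTL_SECONDS)
        return token

    def redeem_reset_token(self, token: str, new_password: str,
                           now: Optional[float] = None) -> list:
        """Validate the link, then apply the normal password policy; returns problems found."""
        now = time.time() if now is None else now
        if self.reset_token is None:
            return ["no password reset in progress"]
        digest, expires = self.reset_token
        presented = hashlib.sha256(token.encode()).digest()
        if now > expires or not hmac.compare_digest(presented, digest):
            return ["invalid or expired reset link"]
        problems = self.set_password(new_password)
        if not problems:
            self.reset_token = None                 # single use
            self.failed_attempts, self.locked_until = 0, 0.0
        return problems
```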
5.5. Physical and Environmental Security
Our data centers are hosted in some of the most secure facilities available today, which follow industry best practices and are protected from physical and logical attacks as well as from natural disasters such as earthquakes, fires, and floods. Physical security measures for these data centers include intrusion protection measures and security guards. We rely on third-party attestations of their physical security.
5.6. Operational Security
- Creesync has established a formal policy and process covering the requirements and key information security considerations for information technology operations, including the definition of standard operating procedures, change management, configuration management, release management, information backup and restoration, and cloud computing.
There are a number of controls in place to achieve the protection of data, information, and information systems:
- Operational Procedure and Responsibilities
- Change Management
- Information Backup
- Logging and Monitoring
- Risk Management:
- Creesync has established and implemented a robust risk management procedure and process, and conducts periodic risk assessments for the organization using a baseline methodology based on the ISO 27001 standard framework with cross-reference to industry best practices.
- Creesync is not willing to accept any risk that might damage customer trust, nor any risk that would make it non-compliant with regulations and standards.
- The possible values of existing risk acceptance/treatment/transfer level of residual risk post calculation are:
Risk Treatment Plan involves prioritizing, evaluating, and implementing appropriate controls as per the risk computation. A treatment plan shall be prepared for each identified risk as per the risk assessment performed where existing risk rating is greater than 2.
5.7. Communication Security
Creesync has deployed an information technology network to facilitate its business and make it more efficient, and has established management direction, principles, and standard requirements to ensure that appropriate protection of information on its networks is maintained and sustained. The following controls are in place to protect exchanged information from interception, copying, modification, misrouting, and destruction:
- Network Controls: Creesync monitors and updates its communication technologies periodically with the goal of providing network security as per industry best practices. Cryptographic techniques are used to protect the confidentiality, integrity, and authenticity of sensitive and confidential information. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.
- Infrastructure Controls: Creesync uses security monitoring tools on the production servers hosting the Creesync product service. Notifications from these tools are sent to the Creesync Security Team so that they can take appropriate action.
- Secure Communication: All data transmissions to Creesync services are encrypted using TLS protocols, and we use certificates issued by a CA that signs with SHA-256, ensuring that our users have a secure connection from their browsers to our service. We use the latest, updated cipher suites. Creesync Products always communicate via HTTPS using Transport Layer Security (TLS), a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery.
- Creesync Product is always connected to the web app via HTTPS using TLS (the successor to Secure Sockets Layer, SSL), a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery.
- Retention and disposal guidelines are defined for all business correspondence, including messages, in accordance with the defined standard.
- Segregation of the network, if needed, shall be done by establishing a VLAN/DMZ architecture. In either case, the Testing, Production, and Development environments shall be segregated as well.
- Agreements have been established for the secure transfer of business information to external parties (such as customers, suppliers, and other interested parties).
- The roles and responsibilities for management of network security shall be clearly defined, communicated, and reviewed on a regular basis to ensure optimum operational effectiveness, and the necessary segregation of duties shall be applied to attain this objective.
5.8. System Acquisition, Development, and Maintenance
Creesync has established a Software Development Lifecycle (SDLC) for the planning, requirement analysis, design, development, testing, and maintenance of the product Farzicom. The following controls are in place to meet information security and data protection requirements:
- Creesync product security practices are measured against industry-standard security models and methodologies. Creesync follows Agile methodologies for feature delivery, and Scrum is used for new feature delivery. The SDLC for the Creesync Product services includes many activities to enhance the security and privacy posture:
- Defining security and privacy requirements
- Design (threat modeling and analysis, security design review)
- Development controls (static analysis, manual peer code review)
- Testing (dynamic analysis, 3rd party security vulnerability assessments and Pen Test)
- Creesync Product designs, reviews, and tests the software using applicable OWASP and CIS standards.
- We use a Definition of Done (DoD) to maintain the quality of deliverables. A clear and consistent Definition of Done is an effort to create an objective framework for quality. The DoD provides a clear guideline to the team and to the stakeholders around exactly what needs to be done for each Story, Sprint, Release, and Task to ensure a consistent and sustainable quality of deliverables. It ensures transparency and quality fit for the purpose of the product and organization.
- Creesync Product code is stored on GitHub, which is hosted in highly secure data center facilities. Creesync adopts a strict least-privilege principle for providing access to the code. Commits to production code are strictly reviewed, and approval is restricted to just two people (the Chief Technical Officer and the Lead Engineer), after passing Unit Testing and QA in Test and Staging.
- Manual source code analysis is performed on security-sensitive areas of code.
- The Creesync development team is trained on Open Web Application Security Project (OWASP) Secure Coding Practices and uses industry best practices for building secure apps.
Creesync takes the security of its systems seriously and values the security community. The responsible disclosure of security and privacy vulnerabilities helps Creesync in ensuring the security and privacy of its users. Bugs can be reported through email at firstname.lastname@example.org.
5.9. Third-Party Supplier
- Creesync provides essential services and business functions which rely on IT solutions and applications contracted by third-party suppliers, which may be primary or subcontractors.
- Creesync maintains the integrity and accuracy of its information to meet its goals and obligations, both to the business and to people. To ensure this, it is essential that information is secured in line with professional best practices as well as statutory, regulatory, and contractual requirements that maintain confidentiality, integrity, and availability of all information assets.
- Creesync has established and put in place a procurement process so that contracts and dealings between Creesync and third-party suppliers have acceptable levels of data protection and information security in place to protect information (such as personal and company data), maintain the confidentiality, availability, and integrity of information, and are fit for purpose. Information security requirements will vary according to the type of contractual relationship with each supplier. There are a few controls in place to achieve protection of data, information, and information systems, as follows:
- Information security and controls should be formally documented in a contractual agreement which may be part of or an addendum to the main commercial service contract.
- Separate Non-Disclosure Agreement should be used where a more specific level of control over confidentiality is required.
- Appropriate due diligence must be exercised in the selection and approval of new suppliers before the contract is agreed.
- The information security provisions in place at existing suppliers (where due diligence was not undertaken as part of initial selection) must be clearly understood and improved where necessary.
- Access to Creesync information should be limited wherever possible according to clear business needs.
- Basic information security principles such as least privilege, separation of duties, and defense in depth should be applied.
- Creesync will have the Rights to Audit the information security and privacy practices of the supplier and/or the subcontractor.
- Supplier access to Creesync information resources is granted solely for the work contracted and for no other purpose.
- The supplier must comply with all applicable data protection regulations, best practice standards, and agreements.
- On termination of a supplier or supplier employee from the contract for any reason, the supplier will ensure that all sensitive and confidential information is collected and returned to Creesync or destroyed within 24 hours.
- The security of information is fundamental to Creesync’s compliance with data protection legislation and a key focus in its ISO 27001 risk assessment, procurement, and management strategy.
Before contracting with a third-party supplier, it is incumbent upon Creesync to exercise due diligence in reaching as much understanding as possible of the information security approach and controls the supplier has in place. It is important that the documented “supplier due diligence assessment” procedure is followed so that all the required information is collected and an informed assessment can be made.
All Creesync contracts will clearly define each party’s data protection and information security responsibilities toward the other by detailing the parties to the contract, effective date, functions or services being provided (such as defined service levels), liabilities, limitations on use of subcontractors and other commercial/legal matters normal to any contract.
The processing must be governed by a contract in writing between the controller and the processor, setting out the following:
- Subject matter and duration of the processing
- Nature and purpose of the processing
- Type of personal data and categories of data subjects involved
- Obligations and rights of the controller and processor
5.10. Reporting Security and Privacy Breaches
- Creesync has a Security Incident Response Plan designed to promptly and systematically respond to security, privacy, and availability incidents that may arise. The incident response plan is tested and refined on a regular basis. Security Incident Response Policy & Procedure has become an important component of Creesync Information Security programs.
- The primary focus of the plan is detecting, analyzing, prioritizing, and handling security incidents.
- Creesync follows policies and procedures to detect, respond to, and otherwise address security incidents including procedures to:
- Identify and respond to suspected or known security incidents followed by mitigating their harmful effects and documenting these incidents along with their outcomes.
- Restore the availability or access to Customer Personnel.
- Retrieve data in a timely manner.
- Notice: Creesync agrees to provide a prompt written notice within the time frame required under Applicable Data Protection Law(s) to a customer’s Designated POC if it knows or suspects that a security incident has taken place. Such notice will include all available details required under Applicable Data Protection Law(s) for the customer to comply with its own notification obligations to regulatory authorities or individuals affected by the security incident.
- Under no circumstances should a user attempt to resolve any security or privacy breach on their own without first consulting Creesync. Users may attempt to resolve security and privacy breaches only under the instruction of, and with the express permission of, Creesync.
5.11. Business Contingency and Disaster Recovery
- Creesync has established a formal business contingency management (BCM) plan and a Disaster Recovery Plan (DRP) to minimize downtime of critical business processes and to ensure recovery within required and agreed business timescales in the event of a disaster. Creesync has also created a clearly defined framework for the ongoing management of BCM activities and provides guidelines for the development, testing, maintenance, and implementation of business continuity plans.
- Creesync defined two categories of systems from the disaster recovery perspective:
- Critical Systems: These systems host application servers and database servers or are required for the functioning of systems that host application servers and database servers. These systems, if unavailable, affect the availability of data and must be restored, or have a backup process to restore these, immediately on becoming unavailable.
- Non-Critical Systems: These systems include the ones that are not considered most critical. These systems, while they may affect the performance and overall security of critical systems, do not prevent critical systems from functioning and being accessed appropriately. These systems are restored at a lower priority than critical systems.
- Backup: To prevent data loss due to human error, our application databases are backed up every day in an automated fashion and have point-in-time recovery.
- Data Replication: Our customer and application databases are replicated to backup servers in a timely manner.
- Location: We store customer data in a secure data center at an offsite location in Mumbai. We use Google cloud’s data centers.
- Internet Redundancy: Creesync is connected through multiple Tier-1 ISPs, so if any one of them fails or experiences a delay, you can still reliably reach your applications and information.
- DRP is tested on a half-yearly basis; and the results are documented, and revisions are made, as necessary.
- Creesync is committed to conducting its business activities lawfully and in a manner that is consistent with its compliance obligations. The Legal and Regulatory Compliance policy establishes the overarching principles and commitment to action for Creesync with respect to achieving compliance by:
- Identifying a clear compliance framework within which Creesync operates.
- Promoting a consistent, rigorous, and comprehensive approach to compliance throughout Creesync.
- Developing and maintaining practices that facilitate and monitor compliance within Creesync.
- Seeking to ensure standards of good corporate governance, ethics, and community expectations.
- Engendering a culture of compliance where every person within Creesync accepts personal responsibility for compliance, and acts ethically and with integrity.
- Creesync identifies all relevant regulatory and legislative requirements as per its contractual requirements and the organization’s operational requirements, and defines, documents, and updates them on a regular basis.
- All records, as mandated by statutory/legal/regulatory authorities in India or of foreign origin, for which Creesync is responsible for compliance, will be protected from intentional or unintentional damage, including damage from natural causes.
- The retention limit of statutory records will be as mandated by the applicable legislation. However, for business records/documents, the business group heads and/or HODs shall determine the retention limit with justification.
- Creesync will always seek to protect the privacy of the personal information of its customers, employees, and third parties with whom Creesync has signed a third-party agreement. Disclosure of such information will be done only in keeping with statutory/contractual/regulatory/legal requirements. Such information will always be protected from being misused, leaked, falsified, or traded with any interested party, knowingly or unknowingly.
- Where logs are required to be maintained as per contractual/regulatory/statutory/legal requirement, these will be maintained for a specified duration.
- Data or records that are no longer required for business, legal, and/or regulatory purpose will be disposed of securely.
- Legal restrictions on the use of assets in respect of which there are IPRs (such as copyright, software license, trademarks, design rights, and others) will be complied with.
- Intellectual Property Rights of software programs, documentation and other information generated by or provided by Creesync users, consultants, and contractors for the benefit of Creesync, will be the property of Creesync.
- Intellectual Property Rights will be included in all contracts.
- Relevant statutory, regulatory, and contractual requirements for Creesync’s information assets will be defined explicitly. Such requirements will include, but are not limited to:
- Information Technology Laws (IT Act 2008/2011 Amended)
- Software Licensing Requirements
- Intellectual Property Rights (IPR) Laws
- Labor and General Employment Laws
- Health and Safety Laws
- Environmental Laws
- As part of information security audits by independent consultants or bodies, appropriate confidentiality and non-disclosure agreements will be signed with them, and any access granted to such external parties shall be withdrawn immediately after completion of the audit.
- Compliance requirements are used to enforce a minimum level of security and privacy within Creesync. These are by no means a “finish line” for security and privacy. The primary compliance standards will be:
- ISO 27001:2013
- Information Security Program: Creesync agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data and employee and third-party data, as required by the Applicable Data Protection Law(s). Further, Creesync agrees to regularly test, assess, and evaluate the effectiveness of its Information Security Program to ensure the security of the Processing. Creesync has comprehensive privacy and security assessments and certifications performed by regulatory or third parties. Such certifications include ISO 27001:2013 certification.
- Any workforce member found to have violated this policy may be subject to disciplinary and/or legal action.