Information Security Policy (ISP)
1. Purpose
The purpose of this Information Security Policy (ISP) is to define mandatory security requirements to protect Gunav Technologies’ information assets from unauthorized access, disclosure, modification, misuse, loss, or destruction.
This policy ensures that all personnel are adequately trained, assessed, authorized, and monitored before accessing company or client information systems.
2. Scope
This policy applies to all individuals associated with Gunav Technologies, including but not limited to:
Permanent and temporary employees
Interns and trainees
Contractors and consultants
Third-party service providers
The policy covers all information assets, systems, networks, cloud platforms, applications, and endpoints used for company business.
3. Mandatory Security Training & Onboarding
Training Distribution
HR will distribute official Information Security Training Video Modules via company email upon joining.
Personnel must complete the full training series before attempting the assessment.
Training Timeline
Mandatory training must be completed within 7 calendar days from the official joining date.
Access Restriction
Until training completion and assessment clearance are verified:
No project allocation is permitted
System access remains restricted
Any non-compliance or delay will be escalated to the Director.
4. Examination & Competency Assessment (MCQ)
Assessment Format
The assessment is a formal MCQ-based examination designed and reviewed in coordination with the company’s External Security Advisor.
Passing Criteria
Minimum required passing score: 80%.
Retake Policy
Individuals scoring below 80% must re-study training materials and retake the examination.
No project work or system access is allowed until the required score is achieved.
5. HR Certification & Project Allocation
The onboarding security process is considered complete only after:
The individual achieves a score of 80% or higher, and
HR issues a formal confirmation email to the employee and the respective Project Lead.
Strict Rule: Project Managers and Team Leads must not assign tasks, credentials, or system access without documented HR confirmation.
6. Technical Security Controls
VPN Usage
VPN usage is mandatory for all remote access, server connections, and cloud administration activities.
Password Management
Use of the company-mandated Password Management Application is compulsory.
Password reuse and manual credential storage are strictly prohibited.
Secure Credential Sharing
All credentials must be shared using the approved Secure Vault feature.
Credentials must allow login without revealing plaintext passwords.
Endpoint Security
Automatic Microsoft Updates must be enabled on all approved workstations.
Security patches must be applied within 48 hours of release.
7. Data Classification & Handling
Prohibition of Local Storage
Storing company or client data on the following is strictly prohibited:
Local hard drives
Personal laptops
External storage devices (USBs, portable drives)
All work must be performed and stored only within approved cloud environments or secure company servers.
Data Classification
Information is classified as:
Public
Internal
Confidential
Highly Confidential
Access is granted strictly on a Need-to-Know and role-based basis.
8. Continuous Learning & Mandatory Seminars
Attendance at all company-mandated security seminars, workshops, and awareness sessions is compulsory.
Personnel unable to attend must:
View the session recording, and
Submit a written summary to HR
This is required to maintain active security clearance.
9. Personnel Offboarding & Exit Clearance
Access Revocation
All system access (Email, VPN, Cloud Services, Secure Vaults, Internal Tools) will be revoked within 24 hours of the individual’s last working day.
Mandatory Exit Declaration
Before separation, all individuals must sign a Security Exit Clearance Form confirming:
No company or client data has been retained, copied, or transferred
All temporary files, caches, and local data (if any) have been permanently cleared
10. Incident Reporting
All personnel must immediately report any suspected or actual:
Data breaches
Phishing or social engineering attempts
Malware infections
Lost or stolen devices
Reports must be submitted without delay to HR and the Director.
11. Roles & Responsibilities
Director
Provides strategic oversight and ensures consultation with External Security Advisors.
HR Department
Manages training distribution
Tracks assessments and certifications
Maintains compliance records
Oversees exit clearances
All Personnel
Comply with this policy
Safeguard credentials
Follow secure data-handling practices
Adhere strictly to the No Local Storage requirement
12. Compliance & Enforcement
Failure to comply with this policy may result in:
Suspension or revocation of system access
Disciplinary action
Termination of employment or contract
Legal action where applicable
13. Vendor & Third-Party Risk Management Policy
All vendors, partners, contractors, and third parties who access Gunav Technologies’ systems, networks, or information assets must comply with company-defined security requirements.
Mandatory Requirements
Third parties must access systems strictly on a need-to-know basis
Access must be approved, documented, and time-bound
Security obligations must be contractually enforced through agreements or NDAs
Any third party found violating security requirements may have access immediately revoked and may be subject to contractual penalties or termination.
14. Access Control & Password Management Policy
Access to company systems, applications, and data shall be strictly controlled and formally authorized.
Access Control
Access rights must be role-based and approved by management
Privileged access shall be limited to authorized personnel only
Access must be reviewed periodically and revoked upon role change or exit
Password & Authentication Controls
Strong authentication mechanisms must be used at all times
Password sharing outside approved secure vaults is strictly prohibited
Compromised credentials must be reported and reset immediately
Violation of access control rules will result in immediate disciplinary action.
15. Business Continuity & Disaster Recovery Policy
Gunav Technologies shall maintain documented and tested Business Continuity and Disaster Recovery controls to ensure uninterrupted operations.
Mandatory Controls
Critical systems and data must be backed up regularly
Recovery procedures must be documented and periodically tested
Personnel must follow defined recovery instructions during incidents
Failure to adhere to continuity or recovery procedures during incidents will be treated as a policy violation.
16. Data Privacy & Data Protection Policy
All personal, sensitive, and confidential information handled by Gunav Technologies must be processed in accordance with applicable data protection and privacy laws.
Mandatory Data Protection Rules
Personal data must be accessed only for authorized business purposes
Data must be protected against unauthorized access, disclosure, or misuse
Personnel must follow approved data handling, retention, and disposal procedures
Any misuse or unauthorized disclosure of personal data may lead to disciplinary and legal consequences.
17. Information Security Incident Response Policy
All information security incidents must be identified, reported, and managed immediately in accordance with company-defined incident response procedures.
Incident Handling Requirements
Suspected or confirmed incidents must be reported without delay
Personnel must cooperate fully during investigations
Unauthorized attempts to conceal or delay reporting are strictly prohibited
Failure to report or properly respond to incidents will be considered a serious breach of this policy.
