xcPEP Information Security Policy
1. Introduction
This Information Security Policy outlines Advanced Structures India Private Limited's commitment to ensuring the confidentiality, integrity, and availability of all information assets related to our xcPEP SaaS platform. We recognize that robust information security is fundamental to trust and operational excellence. This policy is aligned with international best practices, including ISO 27001 principles, and applicable regulatory requirements.
2. Information Security Objectives
Our core objectives are:
- To protect customer data and intellectual property from unauthorized access, use, disclosure, disruption, modification, or destruction.
- To maintain the confidentiality, integrity, and availability of all systems and data related to xcPEP.
- To ensure compliance with all relevant legal, regulatory, and contractual information security obligations.
- To foster a security-aware culture among all employees and contractors.
3. Scope
This policy applies to all information assets, systems, applications, data, employees, contractors, and processes involved in the provision and management of the xcPEP service.
4. Roles and Responsibilities
- Information Security Officer (ISO): Responsible for overseeing the development, implementation, and maintenance of the Information Security Management System (ISMS).
- Management: Accountable for ensuring adequate resources are allocated to information security and that the policy is adhered to.
- Employees and Contractors: Responsible for understanding and complying with this policy and related security procedures.
5. Risk Management
We employ a systematic framework for identifying, assessing, and treating information security risks on an ongoing basis. Regular risk assessments are conducted to identify potential threats and vulnerabilities to our information assets, and appropriate controls are implemented to mitigate these risks.
6. Access Control
- Identity and Access Management (IAM): Access to systems and data is granted based on the principles of least privilege and need-to-know.
- User Lifecycle Management: Strict procedures are in place for user registration, provisioning, de-provisioning, and modification of access rights.
- Authentication: Mandatory Multi-Factor Authentication (MFA) is enforced for all administrative access, and highly recommended for all users. We enforce strong password policies, requiring complexity, regular rotation, and lockout mechanisms.
- Authorization: Role-Based Access Control (RBAC) is implemented to define and enforce access permissions based on defined roles within the application and underlying systems. Access rights are regularly reviewed and audited.
- Session Management: Secure session IDs are used, and configurable active and inactive session timeouts are enforced to prevent unauthorized access.
7. Cryptography
- Data in Transit: All data communicated within the xcPEP platform and with external services is encrypted using industry-standard protocols (e.g., TLS 1.2 or higher for HTTPS, IPsec for VPN).
- Data at Rest: All sensitive customer data and backups are encrypted at rest using strong encryption algorithms and AWS Key Management Service (KMS).
- Key Management: Robust procedures are in place for the generation, storage, rotation, and revocation of cryptographic keys. Passwords are securely hashed with strong, salted algorithms.
8. Physical and Environmental Security
As our solution is hosted on AWS, we leverage AWS's comprehensive physical security controls for data centers. These include strict access controls, video surveillance, and environmental monitoring. Any physical locations managed directly by Advanced Structures India Private Limited also adhere to stringent physical security measures.
9. Operations Security
- Malware Protection: Anti-virus and anti-malware solutions are deployed and regularly updated on all endpoints and servers.
- Logging and Monitoring: Centralized logging systems capture security-relevant events, which are continuously monitored for suspicious activities. Detailed audit trails are maintained.
- Vulnerability Management: Regular Vulnerability Assessment and Penetration Testing (VAPT) are conducted at least quarterly. Identified vulnerabilities are promptly remediated. Patch management procedures ensure systems are kept up-to-date with the latest security patches.
- Configuration Management: Secure baseline configurations are enforced for all systems, and deviations are promptly detected and remediated.
10. Communications Security
- Network Security: Robust network security controls, including perimeter firewalls, Web Application Firewalls (WAF), and Intrusion Detection/Prevention Systems (IDS/IPS), are deployed.
- Network Segmentation: Our AWS environment utilizes Virtual Private Clouds (VPCs) and security groups to segment networks and isolate resources, limiting lateral movement in case of a breach.
- Secure Channels: All network connectivity is restricted to secure channels (e.g., HTTPS, SSH, secure file transfer protocols).
- VPN Connectivity: For specific integrations requiring VPN, we adhere to IPsec protocols with robust encryption types and levels, and ensure connectivity is limited to necessary ports and IPs.
11. System Acquisition, Development, and Maintenance
- Secure Software Development Lifecycle (SSDLC): Security is integrated into every phase of our software development lifecycle, from requirements gathering and design to coding, testing, and deployment.
- Code Review: Mandatory security code reviews are conducted for all critical code changes.
- Security Testing: Comprehensive security testing, including static and dynamic analysis, and VAPT, is performed throughout the development process.
- Change Management: All changes to systems and applications are managed through a formal Change Management Policy.
12. Supplier Relationships
We conduct thorough due diligence on all third-party vendors and sub-processors to ensure they meet our stringent security requirements. Contractual agreements with suppliers include clauses on data protection and security obligations.
13. Information Security Incident Management
We have a defined Information Security Incident Management process to respond to and manage security incidents effectively. This includes containment, eradication, recovery, and post-incident analysis. Our Data Breach Notification Policy specifically outlines procedures for notifying affected parties.
14. Compliance
We regularly review our information security practices to ensure ongoing compliance with applicable laws, regulations (e.g., GDPR, local data protection laws), and industry standards such as ISO 27001. We undergo independent third-party assessments to validate our compliance posture.
15. Information Security Training and Awareness
All employees and contractors receive mandatory information security training upon hire and annually thereafter. This training covers security best practices, policy adherence, and their role in maintaining a secure environment.
16. Policy Review and Updates
This Information Security Policy is subject to regular review annually and will be updated as necessary to reflect changes in legal requirements, industry standards, and our operational environment.