Information Security Management System
Information Security Policy
"To create an environment that maintains the Confidentiality, Integrity, Availability and Privacy of the information and assets of Stack, its customers and other stakeholders."
In line with the company policy, the information security management system is integrated with the organization's processes and overall management structure, and Top Management is committed to implementing it in full by:
- Applying a risk management process that gives interested parties confidence that risks are adequately managed
- Constant maintenance and evaluation for continual improvement
- Communicating the importance of effective information security management
- Information security is deemed to safeguard three main objectives:
- Confidentiality – data and information assets must be confined to the people authorized to access them and not be disclosed to others
- Integrity – keeping data intact, complete and accurate, and IT systems operational
- Availability – information or a system is at the disposal of authorized users when needed
- Privacy – to comply with data protection requirements and privacy practices.
Vendor management process
Information gathering
The Purchase Team initiates the vendor selection process by sending an e-mail to prospective vendors to gather relevant security-related information. Once the information is gathered, the team determines the vendor risk criteria and selects the applicable questions from the vendor assessment questionnaire.
The Purchase Team evaluates the terms and conditions and selects a supplier based on a combination of business and security requirements. The selection and de-listing of vendors is done by the Purchase Team.
Risk Assessment
After determining the risk criteria for vendors, the Purchase Team, in consultation with the CISO, performs the vendor risk assessment. Any queries raised by the CISO on the assessment questionnaire are resolved or responded to. The risk assessment is done to identify gaps and to determine the risk level for a vendor. All suppliers in the list shall be evaluated, and any risks identified shall be mitigated by the vendor before it is termed an approved vendor. If the vendor does not mitigate the risks identified during the initial risk assessment, the vendor shall not be onboarded.
In addition, all suppliers in the Vendor list are assessed once a year. Any supplier found unsatisfactory, i.e. one that does not meet the business and/or information security requirements of StackStudio, shall be de-listed.
Vendor Security Assessment
The security audit is done based on the criteria in the Vendor Security Audit checklist. The vendor continues to be an approved vendor if the checklist questions are answered, with evidence, to a level that satisfies the security requirements of StackStudio. Once the supplier is audited and approved, it is recorded as an approved vendor in the List of Vendors.
Remediation
Based on the findings identified in the vendor security audit, vendors are to develop mitigation plans within 30 to 90 days. If a vendor fails to do so, follow-up with the vendor on the mitigation plans is to be done.
Validation
This is the last step in the vendor management process, in which the finding-closure evidence sent by the vendors is validated; in some cases, on-site validation is done depending on the requirements. Findings are closed based on the effectiveness of the mitigation actions implemented.