PLEASE REVIEW THIS SECURITY POLICY CAREFULLY

Color Card Administrator. Corp- (CCA) The Security Policy aims to ensure CCA's information security and reduce the risk of damage by preventing security incidents and mitigating their potential impact. Maintaining the confidentiality, integrity, and availability of our information assets is one of the most important things we do to protect our business operations and our status in the professional community.
To fulfil our security goals, we implement comprehensive security systems spanning allCCA business, operational, and functional units. We establish granular security for all of our information assets and for improving our internal control systems. We are committed to building the infrastructure, expertise, and resources needed to meet industry standard information security needs. In all circumstances where we maintain customer information assets, we will carefully adhere to contractual requirements. We are certain that our efforts to secure client data provides us with a competitive advantage.

OBJECTIVES


  • To keep our CCA business operations activities secure.
  • To raise all employees' awareness of information security and data privacy.
  • To ensure the confidentiality and integrity of information assets.
  • To comply with laws, regulations, contracts, etc.

The following elements are included in our comprehensive security strategy:


  • Information Security Policy.
  • HR Security Policy.
  • Access Control Policy.
  • Information Asset Usage Policy.
  • Encryption Policy.
  • Policy on E-mail and Internet Security.
  • Information and Communications Technology Infrastructure Policy.
  • Operations Security Policy.
  • Data & Media Handling Policy.

INFORMATION SECURITY POLICY

Purpose

CCA's Information Security Policy protects personnel, assets, customer data, integrity, and reputation against security threats. Security concerns include breaches of confidentiality, integrity, and availability.

Scope


  • This policy applies to all CCA employees who interact with CCA's stored and processed information.
  • All CCA employees must obey the company's code of conduct and policies.

Goals for Information Security


  • Only authorized users can access information/information systems based on business needs, and information systems are used effectively and efficiently per CCA policy.
  • Information assets are safeguarded from damage, loss, inappropriate alteration, and unauthorized use or access.
  • Complying with all regulatory and legislative data collection, processing, transfer, storage, and disclosure requirements.
  • Information security should be part of the company's regular operations so that all employees understand their obligations.
  • Creating and enforcing information security standards and procedures.
  • To secure CCA's information systems from accidental/deliberate harm or destruction.

Policy Proclamation


  • CCA should detect security concerns and their respective priority, respond immediately and implement relevant, effective, culturally acceptable, and feasible protections.
  • All information, including third-party information, should be protected by security controls and handling processes.
  • Regularly monitoring policy compliance.
  • Periodically reviewing security measures protects the business.
  • Information assets should be preserved and managed to meet legal and ethical obligations.

HR SECURITY POLICY

Purpose

Human Resources policy addresses user mistakes, crime, forgery, or facility misuse hazards and helps provide a secure computing environment. Security duties should be handled during recruitment, incorporated in job descriptions and contracts, and monitored during and after employment/contract.

Scope

Human Resource Security Policy is vital for organizational information security. The organization should use cautious hiring methods, including background checks based on the categorization of information the applicant will handle and the expected dangers. This policy sets before-, during-, and after-employment rules.

Policy Proclamation

Before Employment

Ensure all employees understand their roles and responsibilities, including contractors and third parties.

Examination: Background checks on all job candidates must be proportional to company needs, the classification of information to be accessed, and identified hazards.

Employment terms: All personnel with access to secret information must sign a confidentiality or non-disclosure agreement.

During Employment

Ensure employees, contractors, and third parties know their information security duties.

Management Obligation: All employees must follow the organization's information security policies and procedures. Information security training: All employees must get applicable education, training, and organizational policies and procedures updates.

Procedures Regarding Discipline: There must be a structured, disclosed disciplinary mechanism for employees who violate information security.

After-employment

To preserve the company's interests when altering or terminating employment:


  • Resignation, suspension, or termination of any employee, contractor, or consultant must be reported immediately to IT. Access to information resources must be revoked depending on the notice period.
  • The Employer updates the exit case with pertinent details and notifies the applicable department to revoke the employee's access rights, privileges, and email accounts.
  • The employee must return all access, keys, and business cards on the last working day.
  • IT, admin, and HR must sign the clearance form on the employee's last day.
  • HR must make final payment only once the employee submits NOC (NOC).

ACCESS CONTROL POLICY

Purpose

All CCA employees and stakeholders have access to information assets for everyday work. Inappropriate use exposes CCA to dangers such as malware assaults, network compromise, legal concerns, financial loss, and reputation and business loss. This policy defines information system and computing resource access controls.

Scope

This policy covers CCA's operating systems, software, screensaver, databases, network device, and tools. Access control prevents internal and external invasions.

Policy Proclamation

Employee/IT Team Access Control


  • Information and business operations must be regulated based on business and security considerations.

  • Formal procedures should regulate access to information systems, networks, and services.

  • Remote access to CCA's networks must be approved on a least privileged basis, with access granted only to systems and resources with a stated business need.

  • Logical access controls must protect all sensitive computer-resident information to prevent unauthorized access, disclosure, alteration, or destruction.

  • Employees should follow Password Protection Policy and Clear Desk and Clear Screen Policy to secure CCA resources.

  • Users should revoke their physical access permissions when they quit the organization.

  • Only those with a genuine business need to know will be given access to sensitive information. Users' access profiles should be aligned with permitted business functionality.

  • When a user's role within the company changes or they leave the company, any necessary adjustments to their access privileges must be made without delay after receiving confirmation from the IT team.


User Access Control


  • The supervisor must email IT the new hire's full name and required details on the same day.

  • Logical access must follow the method and have documented clearance.

  • CCA personnel who need access to information systems and resources to do their jobs will be approved.

  • Before granting third-party contractors access to information systems, they should sign an NDA and undergo security training.

  • All user-id activities are the responsibility of the user. Their user ids shouldn't be shared. Employees can't exchange passwords.

  • IT will ensure the user is deregistered from related access products/services like AWS, VPN, AD, Email, etc.

  • After revoking user access, IT will email Supervisor.

  • When users leave, all CCA information system privileges must be revoked.


Governance of Authorization Permissions


  • All privileged access to systems must be limited to those who need it for their daily job function.

  • All default guest accounts must be disabled and given solid and random passwords.

  • Every 90 days, change the default administrator password.

Access rights review

Quarterly reconciliation:


  • User Logins

  • System Permissions

  • Every privilege accesses

  • Physical Access


Limiting Access to Information


  • The access control policy should restrict information and application system functions.

  • Read, write, delete, and execute access must be limited.


Review of Log Files to Track Access

Log Types

The types of logs listed below include, but are not limited to:


  • Server logs

  • Application logs

  • All Critical, error, and warning logs

  • Firewall access logs

  • Webserver access logs.

  • User internet activity logs.


Management Procedure for Logs


  • The IT Team will review all logs regularly.

  • The logs are kept for three months.

  • Any suspicious activity discovered in such logs will be investigated.

  • Log access should be restricted to read-only.

  • Keep audit logs safe from unauthorized changes.

  • The log contains user identification.

  • Date and time of the event.

  • Indication of success or failure.


Access Management to Source Code


  • The source code of a program should only be available to specific individuals.

  • The frequency of reviews of Git Code Commit access should be quarterly.

  • Only the development team and authorized personnel will access the Git Code Commit.

  • It is required that all modifications to the source code be recorded.

INFORMATION ASSET USAGE POLICY

Purpose

CCA gives specific employees access to information assets to support corporate tasks and satisfy customers as needed. Only specific employees and stakeholders have access to these information assets, which are crucial to everyday activities. CCA's provides access depending on the practical usage and protection of its data. Inappropriate use exposes CCA to dangers such as malware assaults, network compromise, legal concerns, financial loss, and reputation and business loss. This policy outlines the criteria for acceptable use of CCA's information assets to prevent inappropriate use.

Scope

This policy covers the appropriate use of CCA's information assets. CCA informational asset stakeholders must participate and promote information security.

Policy Proclamation

Ownership and Usage


  • CCA owns the data employees create on its systems.

  • CCA employees may monitor equipment, systems, browser histories, and network traffic for security and maintenance purposes.

  • CCA may audit networks and systems to guarantee policy compliance.


Confidentiality and Trade Secrets


  • Never disclose passwords or logins. User passwords and accounts are their responsibility.

  • Non-encrypted sensitive or confidential data must not be shared online.

  • CCA personnel must not disable antivirus software at any time. It won't be permitted if the systems have no antivirus and CCA's IT team wasn't informed.

ENCRYPTION POLICY

Purpose

The policy aims to increase the data's security, integrity, and confidentiality while lowering the possibility of unauthorized access, data loss, or data destruction.

Scope

Sensitive information that is either stored or sent must be encrypted in a manner consistent with the material's categorization and the company's changing security needs. Employees, Contractors, Vendors, and Others Authorized to Access or Use CCA's Information Processing are subject to this Policy.

Policy Proclamation


  • Organizations should apply appropriate cryptographic rules based on the latest worldwide standards to protect their sensitive data and comply with all applicable laws and regulations. Minimum AES 256-bit encryption should be supported.

  • Any confidential and sensitive information sent over a public network should be encrypted and transmitted through a VPN, SSH, or SSL/TLS tunnel.

  • Standards like IEEE 802.11i (WPA2) or industry best practices must be used to encrypt wireless (Wi-Fi) signals to access mobile computing devices or private networks.

  • Since it does not allow encrypted transmission, plain FTP should not be utilized on any Internet-facing systems or when transmitting sensitive information. Instead, use SFTP.

  • Strong cryptographic rule sets should be used to encrypt sensitive and confidential data stored in transit, at rest, on computers, removable media, portable devices, and networks.

  • Authorized users should be able to access and decode encrypted data using controls that match operational demands and data retention standards.

  • Digital signatures should be used if sending confidential information outside of a business, such as to customers, government, legal, or regulatory organizations.

  • Sensitive and payment card-related data should be stored, processed, and sent using the latest version of TLS and cryptographic solid protocols recognized by the industry. Both SSL v3.0 and early versions of TLS should be avoided.

POLICY ON E-MAIL AND INTERNET SECURITY

Purpose

This policy aims to help IT Team maximize security to defend CCA from incorrect email and internet configurations, practices, and controls.

Scope

This document outlines the email and Internet policies the IT staff, and other CCA email and internet users must follow to guarantee information security.

Policy Proclamation


  • All email accounts, mailboxes, and transfer connections must be utilized for CCA business. Occasional use of a personal email account on the Internet is allowed if it does not compromise CCA system resources or job productivity.

  • Non-authorized advertising, external business, spam, political campaigns, and other non-CCA uses are prohibited.

  • Using CCA email to send offensive, racist, obscene, or illegal messages is strictly prohibited.

  • Strong passwords safeguard business email identities. Identity management processes regulate password complexity and lifespan. Password-sharing is discouraged. User impersonation is forbidden.

  • The CCA limits attachment size. Automatically enforcing limits is preferable.

  • The integrity of incoming and outgoing emails requires virus and malware scanning technology installed on client computers and servers.

  • The information contained within corporate mailboxes should be archived centrally in areas where it can be backed up and handled by established company standards.

  • Email and Internet access at CCA come with the responsibility that users act professionally, within the law, and ethically when using CCA's computing tools.

  • If there is any suspicious or malicious behaviour, it should be reported to the IT team right once, and the relevant logs should be inspected regularly.

INFORMATION AND COMMUNICATIONS TECHNOLOGY INFRASTRUCTURE SECURITY POLICY

Purpose

This policy ensures compliance with laws, necessary controls, and ISO27001 best practices. To secure personal and sensitive information, the CCA maintains and utilises information marked PROTECT, RESTRICTED, or CONFIDENTIAL. To guarantee that any protection is appropriate to the information's sensitivity and the risks associated with its loss of integrity, availability, or confidentiality while meeting minimum statutory criteria.

Scope

This policy applies to IT personnel, contractors, vendors, and those authorized to access CCA information or equipment. This policy applies to remote sites where CCA information or equipment is stored.

Policy Proclamation


  • Multiple levels of network security and monitoring are needed.

  • CCA must install a network-level firewall to prevent unauthorized access and unwanted traffic.

  • CCA web apps must include an application-level firewall to avoid Layer 7 exploits.

  • Test and development systems must be on a distinct network from CCA's production systems.

  • All key metrics must be monitored with the tools, and aberrant or suspicious activity in the production environment must generate notifications.

  • CCA's network and server components must be redundant.

  • Use a reputable service provider to prevent DDoS attacks on CCA servers and keep CCA websites, applications, and APIs available and working.

  • All dev/test servers must be hardened (by disabling unused ports and accounts, removing default passwords, etc.).

  • To handle network-to-application layer attacks, CCA's ISPs must incorporate scrubbing, network routing, rate restriction, and filtering. This solution offers clean traffic, a reliable proxy, and rapid attack notification.

OPERATIONS SECURITY POLICY

Purpose

To ensure accurate and secure operations of information systems, malware and data loss are prevented, events are registered, compliance is monitored, operating system software is regulated, and the impact of audit activities on operational systems is minimised.

Scope

This policy applies to IT personnel, contractors, vendors, and those authorized to access CCA information or equipment. This policy applies to remote sites where CCA information or equipment is stored.

Policy Proclamation

Administrative Procedures and Obligations:

All information systems will have a baseline configuration. These baselines will show hardware, firmware, software specifications, relationships, and ownership.


  • Information system changes must be documented and authorized, systematically.

  • Users will have access to operational procedures.

  • Information system maintenance requires a change management request.

  • Resource capacity management will be implemented.

  • Testing environments will be separated from the leading network and facilities.


Endpoint Protection (Anti-Virus & Malware)

The CCA Information Systems must be protected from the Malicious Code by the Owners of the Information and the Services Owners. This can be accomplished by ensuring the following things:


  • The IT management-approved endpoint security software and configuration must be used on all CCA-owned and managed Information Resources.

  • Before connecting to a CCA Information Resource, independent contractors must utilize endpoint protection software and settings approved by IT management.

  • No tampering, sidestepping, or disabling of the endpoint security software is allowed.

  • All incoming and outgoing emails passing through the email gateway must be scanned for viruses by the CCA's guidelines for installing and using email virus protection software approved by IT management.

  • Web traffic must be monitored and controlled to prevent or identify visits to known or suspected harmful websites.

  • Before opening a file downloaded from the internet or an external storage device, a virus scan should be performed.

  • If an antivirus program detects a virus and fails to remove it must be reported to CCA IT Support immediately.


Backup

It is the responsibility of the owners of the information as well as the owners of the services to define and document the backup and recovery procedures that consider the requirements of confidentiality, integrity, and availability of information and information systems.
There are some standards that backup and recovery procedures need to follow.


  • Business Continuity Strategies for CCA Services.

  • A backup policy must be agreed upon to collect backup copies of necessary data, software, and other items and test them appropriately.

  • Requirements for records management the documentation for backup and recovery needs to include the following items:

  • Backup types.

  • Data backup scheduling

  • Managing backup media

  • Backup validation and Labelling.

Monitoring and logging


  • All essential system operations, including logging in and out of the system and making administrative adjustments, should be configured to be recorded in a log file within information systems.

  • Producing event logs that keep track of user activities, exceptions, malfunctions, and information security events must be done, and these records must be stored and examined on a consistent basis.

  • The appropriate level of protection will be given to these logging procedures and facilities.

  • All the clocks that are used by the logging and information processing systems will be synchronized in a suitable manner.

  • Using multiple forms of authentication to access private records

  • Logs of audits are backed up in facilities located off-site.


Patch Management


  • The CCA IT Security team is ultimately in charge of all operations and procedures related to patch management.

  • Frequent scans of all Information Resources are required to detect out-of-date information.

  • Every instance of outdated software must be assessed for its threat to CCA operations.

  • Suppose the CCA's Patch and Vulnerability Standard determines that a lack of implemented software upgrades poses an unacceptable risk to the organization's Information Resources. In that case, the organization must promptly address the issue.

  • All modifications to Information Resources, including software upgrades and configuration changes, must be tested.


Vulnerability Management


  • Scans for security flaws in the hosted applications should be run at least once every three months and again after any major changes are made to the network.

  • Failures found in vulnerability scans that are rated Critical or High will be fixed and retested until all threats are eliminated.

  • The hosted apps must undergo penetration testing at least once a year or when any significant environmental changes are made.

  • If a security audit reveals a vulnerability that could be exploited, the vulnerability must be patched, and the system will be retested.

  • Immediate action must be taken to remedy any vulnerabilities that may exist within CCA's applications to limit or reduce the impact on CCA's business operations.


Security Managers are obligated to create processes for identifying, evaluating, and remedying vulnerabilities that may affect information systems. These processes must include the following steps:


  • Maintaining vigilance over third-party information sources for newly discovered vulnerabilities.
  • Assessing the potential danger posed by vulnerabilities that have been made public.
  • Conducting tests and evaluations of potential solutions to mitigate or reduce the impact of vulnerabilities.
  • Putting preventative and remedial actions into effect to address the vulnerabilities.
  • Provide the Security Manager with an update on the progress in addressing vulnerabilities.


Remediation and Risk Reduction


  • Verify that the vulnerability has been correctly discovered and is given the appropriate amount of priority.

  • Include the concrete actions that will be taken to lessen the vulnerability's impact on the organisation.

  • Ensure that the required resources are accessible now or will be soon so that the vulnerability may be fixed or the risk can be reduced.

  • To completely address the vulnerability and identify key milestones in the remediation and risk reduction process.

  • Check to see that the timetable for fixing the problem or addressing the vulnerability can be met and allows for the necessary testing.

DATA & MEDIA HANDLING POLICY

Purpose

This policy protects significant and businesscritical CCA records from loss, destruction, and falsification in compliance with legislative, regulatory, contractual, and commercial obligations. All information must be appropriately classified according to this document's categorization, and adequate processes must be followed to protect different categories of data.

Scope

This policy applies to all data or information held by CCA, whether in printed or electronic format. It encompasses documents, spreadsheets, and other forms of paper and electronic data, and it should be followed by all CCA's employees and contractors.

Policy Proclamation

Each of the following four categories should be used to classify all data that the CCA owns, operates, creates, or maintains within its organization:


  • Public
  • Internal
  • Restricted
  • Confidential

The table below outlines who should access each type of information and how it should be stored, communicated, and disposed of.

Specifications about the classification of data and how it should be handled

Class Data Categorization
Public Internal Restricted Confidential
Definition Publicly viewable All CCA employees and contractors can see it, but outsiders can't. Have to have employees & contractors only. As a rule, they include private information that should be kept secret Restricted to authorized users due to the potential for harmful effects on the CCA Business
Release risk None Low Medium High
Restrictions No barriers to access. The public can get information quickly Within the CCA. The Freedom of Information Act may require release (FOIA) A select set of employees who require the information have access. Data protection exemptions from FOIA Authorized employees only. FOIA-restricted because of confidentially or business interests.
Data storage and protection It can be stored on any device and online. Copyright-restricted printing and copying are allowed. It should be saved on CCA network directories. Information sent to externally managed non-IS and mobile devices requires caution. Paper records shouldn't be discarded. Information should be secured and controlled within the CCA network. If necessary, send information to external or mobile devices using encryption. Paper records shouldn't be neglected. Only restricted CCA network zones and secure credentials should store information. When not needed, paper copies should be kept away.
Exchange of data No limitations Files can be shared and emailed internally. Only in restricted folders. When emailing, use proper encryption*. Everything that must be sent through the office's internal mail system should be placed in an envelope and taped shut. Must be sent electronically in a secure format. The internal delivery of hard copies of papers is strongly encouraged. External postage needs to be acknowledged
Data disposal There are no limits. To the extent practicable, please reuse and recycle The paper recycling bin can be used for the majority of paper documents. Dispose of electronic media when not needed. Paper documents should be shredded or thrown away in secure trash cans, while electronic media should be formatted or deleted. Documents printed on paper should be shredded, and all electronic media should be discarded permanently.
Data Illustrations Information found on the website in general Statements to the press Internal communication Policies and procedures of the organization Sensitive personal data-containing documents. The Human Resources Information. Employees' information. Reports, papers, and rules created for business purposes. The Financial data. Personal information stored in databases and spreadsheets Confidential business agreements Passwords Details regarding the security of information Confidential information protected by the law

THIRD-PARTY & VENDOR MANAGEMENT POLICY

Purpose

This policy provides CCA with a written and institutionalized method for managing legal agreement risk and directs employees responsible for establishing and managing Technology Contracts with third parties & vendors.

Scope

All CCA personnel responsible for negotiating or executing contracts for third parties and vendors on behalf of CCA are obligated to comply with this policy.

Policy Proclamation


  • Understand new vendors' and third parties service delivery procedures and risk assessments before onboarding.

  • Establish agreements requiring vendors and third parties to comply with CCA's confidentiality, availability, and integrity guarantees to clients.

  • Review the organization's process and security procedures to ensure their effectiveness.

ACCOUNTABILITY

Protecting your data is a fundamental right that CCA will never stop working to fulfil. As we always do, we plan to continue to put in a lot of effort to ensure the safety of your data.

Please contact Our IT Security Team if you have any more questions.