Teleworking Policy
Document Number: IS-1.090
Applicable Standards: PCI-3.2
Version: 1.2
Issue Date: March 23, 2020
Status: Final
INTERNAL USE ONLY
IBEX Information Security
Teleworking Policy
1.1 Purpose
The purpose of this policy is to outline the policies for providing teleworking facilities to all stakeholders.
The guidelines documented in this policy shall govern usage of the IBEX network and services for performing
work from outside IBEX facilities. This policy, with all its annexures and in conjunction with the policies below,
is to be understood and acknowledged by all stakeholders.
• IBEX Information Security Policy available on BPO Core (Self Service → Documents/Policies → Information
Security) & Intranet
• IBEX Acceptable Use Policy available on BPO Core (Self Service → Documents/Policies → Information
Security) & Intranet
1.2 Scope
This policy applies to all IBEX employees, contractors and third-party personnel authorized to utilize IBEX
resources for performing work from outside IBEX facilities. IBEX reserves the right to amend this
policy unilaterally as deemed necessary at any time, with or without prior notice.
1.3 Policy
Eligibility & Authorization
• All IBEX employees, clients and third-party vendors with a valid business need to access
the IBEX network and systems remotely shall be provided remote access VPN to the IBEX network
on a need-to-know basis.
• Users shall also be granted access to IBEX resources such as emails and publicly hosted
applications without provision of VPN access.
• The need to access IBEX network over VPN shall be backed by their job responsibilities,
legitimate contractual requirements or covered by “Statement of Work” approved by
IBEX.
• IBEX IT Security team shall approve or reject the VPN requests after evaluating the
legitimacy and validity of the business need.
• VPN access to the IBEX network shall be provided on a temporary basis. This access shall be
revoked at any time when the legitimacy or validity of the need no longer appears to
exist. Also, if the device is observed to cause disruption to the IBEX network and its services
or is observed to spread malicious traffic, the VPN access shall be revoked without prior
notice.
• Only company-provided assets shall be allowed to connect remotely to the IBEX network.
Exceptions to this clause are required to be approved by IT Security after evaluation of a
valid and legitimate business need. Please refer to the section “Personal devices” for more
details.
• Access to the IBEX network over VPN shall be provided on a need-to-know basis and the principle
of least privilege.
• User actions and network traffic shall be monitored and logged when performing
teleworking over VPN.
due precautions.
• All systems must be locked manually when leaving them unattended.
Personal devices
Under some circumstances, when IBEX management has invoked the Business Continuity Plan (BCP), some
employees might be allowed to use personal devices for teleworking. Employees might be granted
access to IBEX infrastructure through VPN or secure Virtual Desktop Infrastructure (VDI) over public
cloud on the employee’s personal devices, depending upon the business need. Since these devices are not
managed by IBEX, the responsibility for securing them physically and logically rests with
the employees. Moreover, any IBEX data that might be allowed to be stored on personal devices
remains IBEX property, and employees are responsible for the security of that data. Since personal devices
are not managed by IBEX, their access to the IBEX network and data shall remain restricted to
the maximum extent possible as compared to the access provided on IBEX-provided devices.
• Personal devices must be adequately secured prior to attempting access to IBEX online hosted
applications or remote network access via VPN.
• All end-of-support software, and software not procured from official vendors, must be
removed.
• Any tools that can interfere with or are designed to circumvent security controls must not be installed.
Existing tools must be removed.
• Devices used for connecting to IBEX VPN must not be shared with anyone other than the
employee.
• Access to VDI should be restricted to authorized users only. Sharing VDI credentials with
unauthorized users or attempting to perform non-business related work using VDI is strictly
prohibited.
• Transmission (downloading) or storage of sensitive data including but not limited to IBEX
confidential data, customer PII, PCI and PHI data is prohibited when performing teleworking.
Downloading IBEX emails on local systems is also prohibited.
1.4 Enforcement
Adherence to this policy shall be enforced through various methods, including but not limited to video
monitoring, business tool reports, internal and external audits, and inspection of logs. Any suspicious activity
or misuse of access and tools will be reported to ServiceDesk and further escalated to IT Security or
Compliance Management as deemed necessary. Any employee found to have violated this policy may be
subject to disciplinary action, up to and including immediate termination of employment.
Password Use
Users shall be responsible for selection, use and management of their password as a means to control
access to the systems. Users shall not share their passwords with anyone and shall be responsible to
maintain the confidentiality of passwords.
Class: Examples
Uppercase letters: A, B, C
Lowercase letters: a, b, c
Numerals: 0, 1, 2
1.2, 3/23/2020, Muqeet Kamal, Mubsshar Ismail: Added Annexure C – Password Policy