
IBEX Information Security

Teleworking Policy
Document Number: IS-1.090
Applicable Standards: PCI-3.2
Version: 1.2
Issue Date: March 23, 2020
Status: Final

Contents:

Teleworking Policy (p. 2)
  1.1 Purpose (p. 2)
  1.2 Scope (p. 2)
  1.3 Policy (p. 2)
    Eligibility & Authorization (p. 2)
    Checks prior to accessing IBEX data or network remotely (p. 3)
    Considerations during teleworking (p. 3)
    Personal devices (p. 4)
  1.4 Enforcement (p. 4)
Annexure ‘A’ – Mobile Policy (p. 5)
  Mobile Devices (p. 5)
Annexure ‘B’ – Mobile Device Management (p. 6)
  IBEX Owned Devices (p. 6)
  Employee Owned Devices (p. 6)
  1.5 Revision History (p. 9)

Page 1 of 9
INTERNAL USE ONLY
IBEX Information Security

Teleworking Policy
1.1 Purpose
The purpose of this policy is to outline the rules for providing teleworking facilities to all stakeholders.
The guidelines documented in this policy govern the use of the IBEX network and services for performing
work from outside IBEX facilities. This policy, with all its annexures and in conjunction with the policies
below, is to be understood and acknowledged by all stakeholders.

• IBEX Information Security Policy available on BPO Core (Self Service → Documents/Policies → Information
Security) & Intranet
• IBEX Acceptable Use Policy available on BPO Core (Self Service → Documents/Policies → Information
Security) & Intranet

1.2 Scope
This policy applies to all IBEX employees, contractors and third-party personnel authorized to use IBEX
resources for performing work from outside IBEX facilities. IBEX reserves the right to amend this
policy unilaterally, as deemed necessary, at any time, with or without prior notice.

1.3 Policy
Eligibility & Authorization
• All IBEX employees, clients and third-party vendors with a valid business need to access the
IBEX network and systems remotely shall be provided remote access VPN to the IBEX network
on a need-to-know basis.
• Users shall also be granted access to IBEX resources such as email and publicly hosted
applications without requiring VPN access.
• The need to access the IBEX network over VPN shall be backed by the user's job responsibilities,
legitimate contractual requirements or a "Statement of Work" approved by IBEX.
• The IBEX IT Security team shall approve or reject VPN requests after evaluating the
legitimacy and validity of the business need.
• VPN access to the IBEX network shall be provided on a temporary basis. This access may be
revoked at any time once the legitimacy or validity of the need no longer appears to exist. Also,
if a device is observed to disrupt the IBEX network and its services or to spread malicious
traffic, its VPN access shall be revoked without prior notice.
• Only company-provided assets shall be allowed to connect remotely to the IBEX network.
Exceptions to this clause require approval by IT Security after evaluation of a valid and
legitimate business need. Refer to the section "Personal devices" for more details.
• Access to the IBEX network over VPN shall be provided on a need-to-know basis and under the
principle of least privilege.

• User actions and network traffic shall be monitored and logged when performing
teleworking over VPN.

Checks prior to accessing IBEX data or network remotely


All authorized users are required to verify that the controls below are in place before they attempt to access
the IBEX network via VPN or IBEX data through hosted applications.

• The IBEX-approved VPN client must be used to connect to IBEX facilities.
• Publicly accessible networks, such as those at airports or coffee shops, must be disconnected.
Insecure networks, including but not limited to those that do not require user
authentication and authorization or that can be joined easily, must also be disconnected.
• Multi-factor authentication must be in place to gain authorized remote access to the
IBEX network via VPN or to IBEX applications that are available online without a VPN
connection.
• Remote authentication, whether single- or multi-factor, must use industry-accepted
encryption protocols such as TLS 1.2 or above to transmit authentication credentials.
Only wireless networks with WPA2 or stronger encryption enabled may be used.
• Up-to-date anti-malware tools shall be enabled and effective.
• Only IBEX-approved applications should be installed on the devices. All other
applications should be removed prior to accessing IBEX data or the network. The operating
system and all applications should be updated to the latest versions.
• Installation of counterfeit software, or of any software not procured from the official vendor,
is prohibited.
• All devices should be protected with full disk encryption.
• Where possible, devices should be enrolled in a Mobile Device Management (MDM)
solution.
• All users who telework must have undergone and successfully completed
Information Security Awareness training at least once in the last six months. They must
also have acknowledged the IBEX Information Security Policy, Acceptable Use Policy and
Teleworking Policy.

Considerations during teleworking:


• Websites not required for business purposes should not be opened during teleworking.
• Browsing personal email is prohibited while connected to the IBEX network over VPN.
• Attempting to gain access to IBEX servers for which access has not been granted is prohibited. If
access is required, it must be requested through the EACR process.
• Do not open emails, or links and attachments within emails, received from
unrecognized senders. Emails received from senders outside IBEX must be opened with
due precaution.
• All systems must be locked manually when left unattended.

Personal devices
Under some circumstances, when IBEX management has invoked the Business Continuity Plan (BCP), some
employees may be allowed to use personal devices for teleworking. Depending on the business need,
employees may be granted access to IBEX infrastructure from their personal devices through VPN or
through a secure Virtual Desktop Infrastructure (VDI) hosted on a public cloud. Since these devices are not
managed by IBEX, the responsibility for securing them physically and logically rests with
the employees. Moreover, any IBEX data that may be allowed to be stored on personal devices
remains IBEX property, and employees are responsible for the security of that data. Because personal devices
are not managed by IBEX, their access to the IBEX network and data shall be restricted to
the maximum extent possible, compared with the access provided on IBEX-provided devices.

• Personal devices must be adequately secured before any attempt to access IBEX online hosted
applications or the remote network via VPN.
• All end-of-support software, and any software not procured from official vendors, must be
removed.
• Tools that can interfere with or are designed to circumvent security controls must not be installed.
Any such existing tools must be removed.
• Devices used for connecting to the IBEX VPN must not be shared with anyone other than the
employee.
• Access to VDI shall be restricted to authorized users only. Sharing VDI credentials with
unauthorized users or attempting to perform non-business-related work through VDI is strictly
prohibited.
• Transmission (downloading) or storage of sensitive data, including but not limited to IBEX
confidential data, customer PII, PCI and PHI data, is prohibited when teleworking.
Downloading IBEX email to local systems is also prohibited.

1.4 Enforcement
Adherence to this policy shall be enforced through various methods, including but not limited to video
monitoring, business tool reports, internal and external audits, and inspection of logs. Any suspicious activity
or misuse of access and tools will be reported to the ServiceDesk and escalated to IT Security or
Compliance Management as deemed necessary. Any employee found to have violated this policy may be
subject to disciplinary action, up to and including immediate termination of employment.


Annexure ‘A’ – Mobile Policy


Mobile Devices
▪ All devices, including but not limited to laptops, smartphones and smart watches, that process,
transmit or store IBEX data fall under the category of mobile devices.
▪ All mobile device users shall sign a Custody Agreement taking responsibility for their mobile
devices.
▪ Mobile devices shall not be used for IBEX business information unless they have first been
configured with the necessary centrally managed controls, such as an MDM solution where needed,
and approved for such use by the Information Security Team. For users who may store or transmit
sensitive information via their mobile devices, encryption shall be configured centrally and pushed
out via policy where needed.
▪ Smartphones and mobile devices shall be used exclusively by the IBEX personnel to whom they are issued.
IBEX personnel shall never lend devices that store information about IBEX business activities to
family members, friends or others.
▪ All mobile device users shall ensure that data is backed up periodically.
▪ To facilitate backup file restoration and to support accurate system logs, all
mobile device users shall keep their devices' internal clocks synchronized to the actual
date and time.
▪ IBEX personnel in possession of mobile devices containing confidential IBEX information shall
not leave these devices unattended at any time unless they have been adequately secured.
▪ All mobile devices shall run an up-to-date operating system.
▪ IBEX personnel in possession of smartphones and mobile devices containing sensitive IBEX
information shall not check these devices into airline luggage systems. Such devices shall remain in the
possession of the personnel as hand luggage.
▪ Data with a classification of "Client" is not permitted on mobile devices.


Annexure ‘B’ – Mobile Device Management


IBEX Owned Devices
• All mobile devices, regardless of ownership, that process, store or transmit IBEX Global data or
are used to connect to the IBEX Global network shall be enrolled in a Mobile Device Management
solution where possible.
• Users who require access to organization resources, including but not limited to email, on
mobile devices shall only be allowed access if the device is enrolled in MDM.
• The organization shall control, via MDM, what information a user has access to on IBEX-provided
mobile devices.
• All pre-installed applications without a business justification are to be removed.
• Installation of applications shall be prohibited and access to the App Store shall be restricted.
• Access to mobile device settings shall be prohibited via MDM control.
• Connection to wireless networks and radios, including but not limited to Wi-Fi, mobile data, GPS and
Bluetooth, shall be restricted via MDM.
• Internet access and activity on mobile devices shall be monitored and restricted via MDM control.
• USB and MTP access on the devices shall be disabled.
• In case of loss or theft of a device, all corporate data on the device shall be remotely wiped.
• The organization shall also monitor location information on mobile devices via MDM, with the exception
of personal devices.
• The organization shall enforce encryption on IBEX-provided mobile devices via MDM.
• All IBEX users shall be prohibited from removing MDM control from their mobile devices. Personal
devices shall also be prevented from removing MDM control for as long as they are involved in the processing,
storage or transmission of IBEX Global data.

Employee Owned Devices


• Where feasible, employee-owned devices shall be enrolled in MDM.
• The MDM shall be configured to remotely wipe IBEX data, such as email.
• The MDM shall also prevent connection to wireless networks using insecure encryption, such as
WEP.


Annexure ‘C’ – Password Policy


Password Management
• Users shall initially be provided with a secure temporary password. The temporary
password must be changed immediately upon first use, enforced through user awareness and/or
system controls.
• Passwords shall be forced to change every 60 days. Where a password is required never to
expire, the requirement shall only be entertained for service accounts with a
minimum password length of 16 characters, and password change by the user shall
be disabled. Such exceptions shall only be granted after approval from the respective HOD
and the Security team.
• Temporary passwords shall be provided when users forget their passwords, and only after
verification of the user's identity.
• New passwords shall be provided to users in a secure manner with appropriate
proof of identity of the intended user.
• Passwords shall not be stored in clear text on the computer system.
• Vendor-supplied default passwords shall be changed before the system is used in the
operational environment.
• Development, test and/or custom application accounts, user IDs and passwords shall be removed
before applications move to production.

Password Use
Users shall be responsible for selection, use and management of their password as a means to control
access to the systems. Users shall not share their passwords with anyone and shall be responsible to
maintain the confidentiality of passwords.

The following are requirements for IBEX passwords:

• Passwords must be at least ten characters in length.
• Users shall be prohibited from reusing any of their last fifteen passwords.
• Users shall change their password on initial login.
• Passwords should contain characters from at least three of the following four classes:

Class | Examples
Uppercase letters | A, B, C
Lowercase letters | a, b, c
Numerals | 0, 1, 2
Non-alphanumeric (special characters) | #, &, !, %, @, ?, -, *


• Passwords must not contain:
a. The username
b. First and/or last name
c. A single dictionary word with a number or special character at the beginning
or end
d. Derivatives of user IDs, or common character sequences such as "123456"
e. Personal details such as a spouse's name, automobile license plate, social security
number or birthday, unless accompanied by additional unrelated characters
• User-chosen passwords must also not be any part of speech. For example, proper names,
geographical locations, common acronyms and slang must not be used.
• Passwords for use in the IBEX domain shall never be shared or revealed to anyone else,
regardless of the circumstances.
• Users shall change their passwords whenever there is an indication of system or password
compromise.
• Passwords shall not be written down.
• User accounts shall be locked after three consecutive unsuccessful logon attempts.
• Users shall not be allowed to submit a new password that is the same as any of the last four
passwords they have used.
• When a password is reset via the Service Desk, Service Desk personnel must follow this
format:
a. Full name of the user with the last letter omitted
b. The month in mm format
c. The day in dd format
d. Example: User: Joe Smith, Username: jsmith, Password would be joesmit0428
e. "Password must be changed at next logon" must be enabled
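The composition, history and lockout rules above are the kind of checks an identity system enforces at password-change and logon time. The following validator is an added example written for this page; it is not IBEX code and not a component of any named product. The thresholds (ten characters, three of four classes, the fifteen-password history, three failed logons) come from the policy text; the word list and common-sequence list are small constructed stand-ins for the dictionary and breach-list checks a real deployment would use, and the names, usernames and passwords in the usage section are constructed samples.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Set, Tuple

# Thresholds taken from the "Password Use" rules of the policy.
MIN_LENGTH = 10
MIN_CLASSES = 3
HISTORY_DEPTH = 15
MAX_FAILED_LOGONS = 3
# Constructed stand-ins; a real deployment would load a full word list and breach corpus.
COMMON_SEQUENCES = ("123456", "abcdef", "qwerty", "password")
SMALL_DICTIONARY = frozenset({"welcome", "summer", "company", "dragon", "monkey"})

CHARACTER_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "numeral": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

HistoryEntry = Tuple[bytes, bytes]  # (salt, PBKDF2-HMAC-SHA256 digest)


def hash_for_history(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Keep password history as salted PBKDF2 digests so old passwords never sit in clear text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches_history(password: str, history: List[HistoryEntry]) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH stored passwords."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def count_character_classes(password: str) -> int:
    """Number of the four policy character classes present in the password."""
    return sum(1 for pattern in CHARACTER_CLASSES.values() if pattern.search(password))


def is_dictionary_word_with_affix(password: str, dictionary=SMALL_DICTIONARY) -> bool:
    """Rule (c): a single word with numbers/special characters only at the start or end."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower() in dictionary


def validate_password(password: str, username: str, first_name: str, last_name: str,
                      history: List[HistoryEntry], dictionary=SMALL_DICTIONARY) -> List[str]:
    """Return the list of policy rules the candidate violates (empty list means accepted)."""
    findings: List[str] = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if count_character_classes(password) < MIN_CLASSES:
        findings.append(f"uses fewer than {MIN_CLASSES} of the 4 character classes")
    for label, token in (("username", username), ("first name", first_name), ("last name", last_name)):
        if token and token.lower() in lowered:
            findings.append(f"contains {label}")
    for seq in COMMON_SEQUENCES:
        if seq in lowered:
            findings.append(f"contains common sequence {seq!r}")
    if is_dictionary_word_with_affix(password, dictionary):
        findings.append("is a dictionary word with a number/special character at the start or end")
    if matches_history(password, history):
        findings.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return findings


class LockoutTracker:
    """Locks an account after MAX_FAILED_LOGONS consecutive failures; a success resets the count."""

    def __init__(self) -> None:
        self.failures: Dict[str, int] = {}
        self.locked: Set[str] = set()

    def record_logon(self, account: str, success: bool) -> bool:
        """Record one logon attempt and return whether the account is now locked."""
        if account in self.locked:
            return True
        if success:
            self.failures[account] = 0
            return False
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILED_LOGONS:
            self.locked.add(account)
        return account in self.locked

    def is_locked(self, account: str) -> bool:
        return account in self.locked


if __name__ == "__main__":
    # Constructed sample user; the history holds the digest of a previously used password.
    history = [hash_for_history("Tr0ub4dor&Ledger")]
    for candidate in ("Tr0ub4dor&Ledger", "jsmith2024!", "Welcome1!", "Abc123456!", "Qx7#mLp2vR9z"):
        print(candidate, "->", validate_password(candidate, "jsmith", "Joe", "Smith", history) or "accepted")
```

Two design points worth noting: the history comparison works on salted digests rather than stored plaintext, which is what the "shall not be stored in clear text" rule requires of the history store as much as of the live credential, and `hmac.compare_digest` avoids leaking timing information during the comparison. The lockout tracker counts only consecutive failures, so a successful logon clears the counter exactly as the "three consecutive unsuccessful logon attempts" wording implies.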


1.5 Revision History


Version | Date | Change Description | Prepared by | Reviewed By
1.0 | 3/16/2020 | Initial Draft | Muqeet Kamal | Mubsshar Ismail
1.1 | 3/18/2020 | Added VDI clauses | Muqeet Kamal | Mubsshar Ismail
1.2 | 3/23/2020 | Added Annexure C – Password Policy | Muqeet Kamal | Mubsshar Ismail
