
DACHSER

Corporate Security Policy
for Data / Information Security

Information Technology:
IT Security Policy

[Version 1.0]

Property of Dachser India Pvt. Ltd.

Copying & Distribution of Software and Documentation without prior approval is Strictly Prohibited.
Page 1 | 11
Summary of changes
This section records the history of changes to this document.

Version   Date        Author             Reviewer / Approver   Description of change
1.0       21-Apr-16   Jyotsna Lotlikar   Huned Gandhi          Initial version

Note
For significant changes to this document, the version number is incremented by 1.0.
For changes made for clarity or reading ease without changing the meaning or intention of this document, the version number is increased by 0.1.

Contents

Summary of changes
1. Purpose
2. Scope
3. Responsibilities
   Managing Director - India
   Head Compliance
   Branch & Department Heads
   DIPL Staff
   Contract Users and External/Third Parties
4. Protection of IT Systems, Assets and Confidential Information
   4.1 Storage
   4.2 Access
   4.3 Remote access
   4.4 Copying
   4.5 Disposal
   4.6 Use of portable devices or media
   4.7 Exchange of Information and use of Email
   4.8 System planning and acceptance
   4.9 Backup, Recovery & Retention
   4.10 Enforcement
   4.11 Disaster Recovery
5. Compliance
6. Other relevant IT Policies
Glossary

1. Purpose
This policy provides a framework for the management of information security throughout DACHSER India Pvt. Ltd. and applies to:

1. all those with access to DIPL information systems, including staff, visitors and contractors;
2. any systems attached to the DIPL computer or telephone networks and any systems supplied by the DIPL;
3. all information (data) electronically processed by DIPL pursuant to its operational activities, any communications sent to or from the DIPL, and any DIPL information (data) held on systems external to the DIPL's network;
4. all external parties that provide services to DIPL in respect of information processing facilities and business activities; and
5. information assets, including the physical locations from which DIPL operates.

2. Scope
2.1 DIPL recognizes the role of information security in ensuring that users have access to the information they require in order to carry out their work.

2.2 Any reduction in the confidentiality, integrity or availability of information could prevent DIPL from functioning effectively and efficiently. In addition, the loss or unauthorized disclosure of information has the potential to damage DIPL's reputation and cause financial loss.

2.3 To mitigate these risks, information security must be an integral part of information management.

2.4 DIPL is committed to protecting the security of its information and information systems in order to ensure that

1. the integrity of information is maintained, so that it is accurate, up to date and fit for purpose;
2. information is always available to those who need it and there is no disruption to the business of DIPL;
3. confidentiality is not breached, so that information is accessed only by those authorized to do so;
4. DIPL meets its legal requirements, including those applicable to personal data under the Data Protection Act; and
5. the reputation of DIPL is safeguarded.

2.5 In order to meet these aims, DIPL is committed to implementing security controls that conform to best practice, as set out in the ISO/IEC 27002:2005 Information Security Techniques - Code of practice for information security management. DIPL has drawn up information security guidance in order to provide advice on the technical aspects of information security.

2.6 Information security risk assessments should be performed for all information systems on a regular basis in order to identify key information risks and determine the controls required to keep those risks within acceptable limits.

2.7 DIPL is committed to providing sufficient education and training to users to ensure they understand the importance of information security and, in particular, exercise appropriate care when handling confidential information.

2.8 Breaches of information security must be recorded and reported to the IT Head, who will take action and inform the relevant authorities.

2.9 This Policy and all other supporting policy documents shall be communicated as necessary throughout DIPL to meet its objectives and requirements.

3. Responsibilities
Managing Director - India
3.1 The Managing Director - India has ultimate responsibility for information security within DIPL and is responsible for ensuring that DIPL complies with relevant external requirements, including legislation.

Head Compliance
3.2 The Head - Compliance and IT are responsible for

1. ensuring that users are aware of this policy;
2. seeking adequate resources for its implementation;
3. monitoring compliance;
4. conducting regular reviews of the policy, having regard to any relevant changes in legislation, organizational policies and contractual obligations; and
5. ensuring there is clear direction and visible management support for security initiatives.

Branch & Department Heads
3.3 Branch Heads are responsible for information security within their branch and for ensuring that all departments adhere to this IT Security Policy.

DIPL Staff
3.4 All DIPL users are required to adhere to the IT Security Policy and safeguard DIPL information from any unauthorized access.

3.5 All DIPL users are required to physically sign the 'IT Security - End User Declaration Form' and submit it to their respective Branch Heads/IT Coordinators.

Contract Users and External/Third Parties
3.6 All external (Contract/External/Third party) users of DIPL information must adhere to this IT Security Policy at all times.

4. Protection of IT Systems, Assets and Confidential Information
A list of all IT Systems & Assets is kept in accordance with its location/purpose of use. All IT Assets are insured as well as covered under appropriate support, warranty and maintenance contracts for their use in DIPL business operations.

Identifying confidential information is a matter for assessment in each individual case. Broadly, however, information will be confidential if it is of limited public availability; is confidential in its very nature; has been provided on the understanding that it is confidential; and/or its loss or unauthorized disclosure could have one or more of the following consequences:
1. financial loss
2. reputational damage
3. an adverse effect on the safety or well-being of members of DIPL or those associated with it

4.1 Storage
4.1.1 Confidential information should be kept secure, using, where practicable, dedicated storage (e.g. file servers), hard disks, and an appropriate level of physical security.

4.1.2 File or disk encryption should be considered as an additional layer of defense, where physical security is considered insufficient.

4.2 Access
4.2.1 Confidential information is stored in such a way as to ensure that only authorised persons can access it.

4.2.2 All users must be authenticated. Authentication should be appropriate, and where passwords are used, clearly defined policies should be in place and implemented. Users must follow good security practices in the selection and use of passwords.

4.2.3 Where necessary, additional forms of authentication should be considered.

4.2.4 To allow for potential investigations, access records should be kept for a minimum of 3 months, or for longer where considered appropriate.

4.2.5 Users with access to confidential information should be security vetted, as appropriate, in accordance with existing policies.

4.2.6 Physical access should be monitored, and access records maintained.

4.3 Remote access
4.3.2 Any remote access is controlled by secure access control protocols using appropriate levels of encryption and authentication.

4.4 Copying
4.4.2 The number of copies made of confidential information, whether on portable devices or media or in hard copy, should be the minimum required, and, where necessary, a record kept of their distribution. When no longer needed, the copy should be deleted or, in the case of hard copies, destroyed (see 6.12.5).

4.4.3 All copies should be physically secured, e.g. stored in a locked cupboard, drawer or filing cabinet.

4.5 Disposal
Policies and procedures must be in place for the secure disposal/destruction of confidential information. Refer to the DIPL IT policy on IT Asset Scrap and Disposal.

4.6 Use of portable devices or media
4.6.1 Procedures should be in place for the management of removable media in order to ensure that they are appropriately protected from unauthorized access.

4.7 Exchange of Information and use of Email
4.7.1 Controls should be implemented to ensure that electronic messaging is suitably protected.

4.7.2 Email should be appropriately protected from unauthorized use and access.

4.7.3 Email should only be used to send confidential information where the recipient is trusted, the information owner has given their permission, and appropriate safeguards have been taken.

4.8 System planning and acceptance
A risk assessment should be carried out as part of the business case for any new IT system that may be used to store confidential information. The risk assessment should be repeated periodically on any existing systems, ideally twice a year or more frequently as required.

4.9 Backup, Recovery & Retention
Information owners should ensure that appropriate backup and system recovery procedures are in place. Backup copies of all important information assets should be taken and tested regularly in accordance with an appropriate backup, recovery & retention policy.

4.10 Enforcement
4.10.1 There is a written policy for the handling of confidential information, and a copy of the procedures is provided to every user so that they are aware of their responsibilities.

4.10.2 Any failure to comply with the policy may result in disciplinary action.

4.10.3 Any loss or unauthorized disclosure must be promptly reported to the owner of the information.

4.10.4 Computer security incidents involving the loss or unauthorized disclosure of confidential information held in electronic form must be reported to the IT Head for further investigation and action as deemed appropriate.

4.11 Disaster Recovery
4.11.1 DIPL has a Disaster Recovery setup at the Chennai Branch office, which hosts critical business applications and data.

4.11.2 The DR site must be synchronized with the Production database and applications on a regular basis, ensuring smooth transition of critical operations in case of disaster at the Primary Data Centre.

5. Compliance
5.1 DIPL has established this policy to promote information security and compliance with known best practices, and regards any breach of information security requirements as a serious matter, which may result in disciplinary action.

5.2 Compliance with this policy should form part of any contract with a third party that may involve access to network or computer systems or data.

6. Other relevant IT Policies
Login to HRIS for other Information Technology Policies, Procedures & User Manuals.

Glossary
Access Control - ensures that resources are only granted to those users who are entitled to them.
Appropriate - suitable for the level of risk identified and justifiable by risk assessment.
Asset - anything that has a value to DIPL.
Audit - information gathering and analysis of assets to ensure such things as policy compliance and security from vulnerabilities.
Authentication - the process of confirming the correctness of a claimed identity.
Best Practice - current standard advice for implementing security controls, synonymous with 'good practice'.
Confidentiality - the need to ensure that information is disclosed only to those who are authorized to view it.
Control - a means of managing risk by providing safeguards. This includes policies, procedures, guidelines, other administrative controls, technical controls or management controls.
Data - information held in electronic form.
DPA - Data Protection Act 1998.
Information - any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.
Information Owner - synonymous with 'information risk owner'. This is the person who is responsible for accepting any residual risk.
Information Security - preservation of confidentiality, integrity and availability.
Information Systems - any system, service or infrastructure used to process information, or the physical locations housing them. This includes critical business environments, business processes, business applications (including those under development), computer systems and networks.
ISO/IEC 27002:2005 - information security code of practice published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), entitled Information technology - Security techniques - Code of practice for information security management.
Policy - overall intention and direction as formally expressed by management.
Risk - the potential for an unwanted event to have a negative impact as a result of exploiting a weakness. It can be seen as a function of the value of the asset, threats and vulnerabilities.
Risk Assessment - overall process of identifying and evaluating risk.
External/Third party - person or body that is recognized as being independent of DIPL.
Threat - something that has the potential to exploit a weakness to result in some form of damage. Threats can be environmental, deliberate, accidental, logical or technical.
Vulnerability - weakness of an asset or group of assets that may be exploited by a threat.

IT Security Policy - User Declaration Form

Employee No: ________   Name: ________

Designation: ________   Location: ________

Date of Joining: ________

I hereby declare that I have read the IT Security Policy and confirm to comply with the policy and take adequate precaution in safeguarding DIPL data/information at all times.

1. I understand the rationale for data/information confidentiality policies and procedures and commit to their adherence.
2. I shall use DIPL's IT Systems and Assets for business and official purpose(s) only.
3. I shall not disclose any data/information pertaining to personal, colleagues, seniors, management, customers/clients and any associated parties of DIPL that may compromise their safety, security & privacy.
4. I shall seek appropriate support, guidance and permission whenever I need to share any confidential data/information.

Should I fail in adherence to the IT Security Policy, DIPL can take the appropriate disciplinary action against me as necessary.

Sign: ________   Date: ________

Declaration to be handed over to & accepted by IT Engineer/Coordinator

Sign: ________
Name: ________   Date: ________
