INFORMATION SECURITY POLICY

MJ Pvt. Ltd.

Version 1
Date: 17/03/2023

Table of Contents

1. PURPOSE 3
2. SCOPE 3
3. SECURITY POLICIES 3
3.1 ACCESS CONTROL POLICY 3
3.2 PROGRAM MANAGEMENT POLICY 4
3.3 AWARENESS TRAINING POLICY 4
3.4 SYSTEM AND INFORMATION INTEGRITY POLICY 4
3.5 SYSTEM AND COMMUNICATIONS PROTECTION POLICY 5


1. PURPOSE
The entity as described in Scope below is subject to the obligatory minimum information security
requirements specified in this policy. Every company may go above the security standards outlined
in this document depending on its unique business needs and particular legal and federal
obligations, but it must, at the very least, meet the standards set out in this policy.

2. SCOPE
This policy applies to all automated and manual systems, including those administered or hosted
by outside parties on the entity's behalf, for which the entity has administrative responsibility. It
covers any data produced or utilized to support corporate operations, regardless of its shape or
format.

3. SECURITY POLICIES
3.1 ACCESS CONTROL POLICY
3.1.1 Assign account managers to oversee the usage of accounts and define and document
the sorts of accounts that are expressly permitted and banned in the system. Create and
implement a procedure for updating shared or group account authenticators (if used) when
members of the group are expelled. (NIST 800-53 V.5, AC-2)

3.1.2 Allow computing platforms, programmes, or data located in multiple security domains
to be accessed from a single device while blocking information flow between those security
domains, and record and audit content filtering activities and outcomes for the information
being filtered when moving data between security domains. (NIST 800-53 V.5, AC-4)

3.1.3 Stop non-organizational users from having privileged access to the system, log when
privileged actions are taken, and forbid privileged actions from being taken by non-
privileged users. (NIST 800-53 V.5, AC-6)

3.1.4 Prevent further system access by triggering a device lock after 15 minutes of
inactivity; require the user to trigger a device lock before leaving the system unattended;
and keep the device locked until the user regains access by following the predefined
identification and authentication processes. (NIST 800-53 V.5, AC-11)

3.1.5 Automated procedures should be used to monitor and regulate remote access
methods, as well as cryptographic measures to ensure the confidentiality and integrity of
remote access sessions. (NIST 800-53 V.5, AC-17)

3.2 PROGRAM MANAGEMENT POLICY

3.2.1 A senior agency information security officer should be appointed with the
responsibility and funding to plan, create, implement, and manage an organization-wide
information security program. (NIST 800-53 V.5, PM-2)

3.2.2 Create and manage an enterprise architecture while taking information security,
privacy, and the consequent risk to organisational operations, assets, people, other
organisations, and the nation into account. (NIST 800-53 V.5, PM-7)

3.2.3 While creating, documenting, and revising a strategy to secure essential infrastructure
and vital resources, consider information security and privacy concerns. (NIST 800-53
V.5, PM-8)

3.2.4 Consistently implement the risk management plan throughout the business, and
evaluate and update it every month or as needed to reflect organisational changes. (NIST
800-53 V.5, PM-9)

3.2.5 Establish a cross-disciplinary team to handle insider threat incidents as part of an
insider threat programme. (NIST 800-53 V.5, PM-12)

3.3 AWARENESS TRAINING POLICY

3.3.1 XYZ Organizations provide basic and advanced levels of literacy training to system
users, including measures to test the knowledge level of users. Organizations determine the
content of literacy training and awareness based on specific organizational requirements,
the systems to which personnel have authorized access, and work environments. Awareness
techniques include displaying posters, offering supplies inscribed with security and privacy
reminders, displaying logon screen messages, generating email advisories or notices from
organizational officials, and conducting awareness events. (NIST 800-53 V.5, AT-2)

3.3.2 XYZ Organization determines the content of training based on the assigned roles and
responsibilities of individuals as well as the security and privacy requirements of
organizations and the systems to which personnel have authorized access, including
technical training specifically tailored for assigned duties. (NIST 800-53 V.5, AT-3)

3.4 SYSTEM AND INFORMATION INTEGRITY POLICY

3.4.1 Detect, report, and remedy system weaknesses; test flaw remediation software and
firmware upgrades for efficacy and any negative effects before installation; and include
flaw remediation into the organisational configuration management process. (NIST 800-
53 V.5, SI-2)

3.4.2 Install signature-based malicious code protection mechanisms at system entry and
exit points to find and remove malicious code, and update such mechanisms automatically
when new releases become available, in compliance with organisational configuration
management policy and procedures. (NIST 800-53 V.5, SI-3)

3.4.3 Use automated tools and methods to provide near-real-time event analysis. Integrate
and configure separate intrusion detection technologies into a system-wide intrusion
detection system. (NIST 800-53 V.5, SI-4)

3.4.4 Develop automated tools to enable the administration of distributed security and
privacy function testing, and alert senior agency information security officers of the
findings of security and privacy function verification. (NIST 800-53 V.5, SI-6)

3.4.5 Use centrally controlled integrity verification tools and cryptographic safeguards to
identify illegal software, firmware, and data modifications. (NIST 800-53 V.5, SI-7)

3.5 SYSTEM AND COMMUNICATIONS PROTECTION POLICY

3.5.1 Avoid giving non-privileged users access to system management capabilities at
interfaces, and maintain application and software state information separately. (NIST 800-
53 V.5, SC-2)

3.5.2 Reduce the amount of nonsecurity functions present within the isolation border
containing security functions and employ hardware separation methods to provide security
function isolation. (NIST 800-53 V.5, SC-3)

3.5.3 Implement distinct network addresses to connect to systems in various security
domains, and prevent systems from entering unsafe states in the event that a boundary
protection device fails to function. (NIST 800-53 V.5, SC-7)

3.5.4 Use cryptographic techniques to prevent unauthorised information disclosure, detect
information changes during transmission, and safeguard the confidentiality and integrity
of transmitted data. (NIST 800-53 V.5, SC-8)

3.5.5 Terminate the network connection associated with a communication session at the
end of the session or after 30 minutes of inactivity. (NIST 800-53 V.5, SC-10)