Tinkerbox Technology Private Limited Security Policy
Objective: To protect Tinkerbox Technology Private Limited's information, systems, and resources from unauthorized access, disclosure, alteration, and destruction, while ensuring compliance with legal and regulatory requirements.
1. Introduction
This Security Policy outlines the measures Tinkerbox Technology Private Limited ("Tinkerbox") will implement to safeguard its assets, including its software product Digia, its employees, and its clients. This policy is designed to protect against potential threats and vulnerabilities, ensuring the confidentiality, integrity, and availability of Tinkerbox’s information and systems.
2. Scope
This policy applies to all Tinkerbox employees, contractors, vendors, and any other parties with access to Tinkerbox’s systems, data, and facilities.
3. Information Security Governance
3.1. Security Leadership
Chief Information Security Officer (CISO): Responsible for overseeing and enforcing the security policy.
Security Committee: Comprises representatives from key departments to review and address security concerns regularly.
3.2. Policy Review and Updates
This policy will be reviewed annually and updated as necessary to address emerging threats and changes in the business environment.
4. Access Control
4.1. User Access Management
Account Creation: All user accounts must be approved by department managers and created by the IT department.
Least Privilege Principle: Users are granted the minimum level of access necessary to perform their job functions.
Regular Audits: Conduct regular audits of user access rights to ensure appropriateness.
4.2. Authentication
Strong Passwords: Passwords must be at least 12 characters long and include a combination of letters, numbers, and special characters.
Multi-Factor Authentication (MFA): Required for access to critical systems and data.
5. Data Protection
5.1. Data Classification
Sensitive Data: Includes proprietary software, client information, and employee records. Must be encrypted in transit and at rest.
Public Data: Non-sensitive data that can be shared without restrictions.
5.2. Data Encryption
Encryption Standards: Use industry-standard encryption methods (e.g., AES-256) for sensitive data.
5.3. Data Backup and Recovery
Regular Backups: Daily backups of critical data. Store backups securely offsite and in the cloud.
Disaster Recovery Plan: Maintain and test a disaster recovery plan to ensure rapid restoration of services.
6. Network Security
6.1. Perimeter Defense
Firewalls: Deploy firewalls to protect internal networks from external threats.
Intrusion Detection and Prevention Systems (IDPS): Monitor network traffic for suspicious activity.
6.2. Secure Remote Access
Virtual Private Network (VPN): Require VPN for all remote access to the internal network.
Remote Work Security: Ensure remote work devices meet company security standards.
7. Application Security
7.1. Secure Development
Code Reviews: Conduct regular code reviews and security testing during the software development lifecycle.
Vulnerability Management: Use automated tools to scan for vulnerabilities and apply patches promptly.
7.2. Third-Party Software
Vendor Assessment: Evaluate third-party software for security risks before implementation.
Contracts: Include security requirements in contracts with third-party vendors.
8. Incident Response
8.1. Incident Reporting
Immediate Reporting: Employees must report any security incidents or suspicious activities immediately to the IT department.
Incident Response Team: A dedicated team responsible for managing and investigating security incidents.
8.2. Incident Management
Response Procedures: Follow predefined procedures for incident detection, analysis, containment, eradication, and recovery.
Post-Incident Review: Conduct a review after each incident to identify lessons learned and improve the security posture.
9. Physical Security
9.1. Facility Access
Controlled Access: Use access controls (e.g., keycards) to restrict entry to company facilities.
Visitor Management: Require visitors to sign in and be escorted by authorized personnel.
9.2. Equipment Security
Secure Storage: Store critical hardware in secure, access-controlled areas.
Asset Management: Maintain an inventory of all IT assets and conduct regular audits.
10. Employee Awareness and Training
10.1. Security Training
Onboarding: Provide security training to all new employees during onboarding.
Ongoing Training: Conduct regular training sessions to keep employees informed about security best practices and emerging threats.
10.2. Security Policies
Policy Access: Ensure all employees have access to and understand the security policies.
Acknowledgment: Require employees to acknowledge understanding and compliance with security policies.
11. Compliance and Legal Requirements
11.1. Regulatory Compliance
Data Protection Laws: Comply with all relevant data protection and privacy laws (e.g., GDPR, CCPA).
Industry Standards: Adhere to industry standards and best practices for information security (e.g., ISO/IEC 27001).
11.2. Regular Audits
Internal Audits: Conduct regular internal audits to assess compliance with the security policy.
External Audits: Engage external auditors to evaluate the effectiveness of the security controls.
12. Policy Enforcement
12.1. Disciplinary Action
Non-Compliance: Employees found in violation of this security policy may face disciplinary action, up to and including termination.
Incident Handling: Violations related to security incidents will be handled in accordance with the incident response plan.
13. Approval and Implementation
This Security Policy has been reviewed and approved by Tinkerbox’s senior management. It will be communicated to all employees and implemented immediately.
Approved by:
Vivek Singh
Title: Co-Founder
Date: 2nd Feb 2024