Tinkerbox Technology Private Limited Security Policy
Objective
To protect Tinkerbox Technology Private Limited's information, systems, and resources from unauthorized access, disclosure, alteration, and destruction, while ensuring compliance with legal and regulatory requirements.
1. Introduction
This Security Policy outlines the measures Tinkerbox Technology Private Limited ("Tinkerbox") will implement to safeguard its assets, including its software product Digia, its employees, and its clients. This policy is designed to protect against potential threats and vulnerabilities, ensuring the confidentiality, integrity, and availability of Tinkerbox's information and systems.
2. Scope
This policy applies to all Tinkerbox employees, contractors, vendors, and any other parties with access to Tinkerbox's systems, data, and facilities.
3. Information Security Governance
3.1. Security Leadership
- Chief Information Security Officer (CISO): Responsible for overseeing and enforcing the security policy.
- Security Committee: Comprises representatives from key departments to review and address security concerns regularly.
3.2. Policy Review and Updates
- This policy will be reviewed annually and updated as necessary to address emerging threats and changes in the business environment.
4. Access Control
4.1. User Access Management
- Account Creation: All user accounts must be approved by department managers and created by the IT department.
- Least Privilege Principle: Users are granted the minimum level of access necessary to perform their job functions.
- Regular Audits: Conduct regular audits of user access rights to ensure appropriateness.
4.2. Authentication
- Strong Passwords: Passwords must be at least 12 characters long and include a combination of letters, numbers, and special characters. Passwords must also be screened against lists of known-breached passwords; length and breach screening, rather than character-class rules alone, are what NIST SP 800-63B treats as effective.
- Multi-Factor Authentication (MFA): Required for access to critical systems and data, including all remote access and all administrative accounts. Phishing-resistant methods (FIDO2/WebAuthn security keys or platform authenticators) are preferred; SMS-delivered codes should be avoided where a stronger factor is available.
5. Data Protection
5.1. Data Classification
- Sensitive Data: Includes proprietary software (including Digia source code), client information, and employee records. Must be encrypted in transit and at rest and shared only on a need-to-know basis.
- Public Data: Non-sensitive data that can be shared without restrictions.
5.2. Data Encryption
- Encryption Standards: Use industry-standard, authenticated encryption for sensitive data at rest (e.g., AES-256 in GCM mode with a unique nonce per encryption; never ECB mode) and TLS 1.2 or later for data in transit. Encryption keys must be stored and managed separately from the data they protect.
5.3. Data Backup and Recovery
- Regular Backups: Daily backups of critical data. Store backups encrypted, securely offsite and in the cloud, with at least one copy isolated from the production network so that compromised production credentials cannot be used to delete the backups as well.
- Disaster Recovery Plan: Maintain and test a disaster recovery plan, including periodic restore tests from backup, to ensure rapid restoration of services.
6. Network Security
6.1. Perimeter Defense
- Firewalls: Deploy firewalls to protect internal networks from external threats.
- Intrusion Detection and Prevention Systems (IDPS): Monitor network traffic for suspicious activity.
6.2. Secure Remote Access
- Virtual Private Network (VPN): Require VPN for all remote access to the internal network.
- Remote Work Security: Ensure remote work devices meet company security standards (e.g., full-disk encryption, current patches, and endpoint protection) before they are granted VPN access.
7. Application Security
7.1. Secure Development
- Code Reviews: Conduct code reviews and security testing (static analysis, dependency scanning, and penetration testing before major releases) throughout the software development lifecycle.
- Vulnerability Management: Use automated tools to scan code, dependencies, and infrastructure for known vulnerabilities, and apply patches within a timeframe set by the severity of the finding.
7.2. Third-Party Software
- Vendor Assessment: Evaluate third-party software for security risks before implementation.
- Contracts: Include security requirements in contracts with third-party vendors.
8. Incident Response
8.1. Incident Reporting
- Immediate Reporting: Employees must report any security incidents or suspicious activities immediately to the IT department.
- Incident Response Team: A dedicated team responsible for managing and investigating security incidents.
8.2. Incident Management
- Response Procedures: Follow predefined procedures for incident detection, analysis, containment, eradication, and recovery.
- Post-Incident Review: Conduct a review after each incident to identify lessons learned and improve the security posture.
9. Physical Security
9.1. Facility Access
- Controlled Access: Use access controls (e.g., keycards) to restrict entry to company facilities.
- Visitor Management: Require visitors to sign in and be escorted by authorized personnel.
9.2. Equipment Security
- Secure Storage: Store critical hardware in secure, access-controlled areas.
- Asset Management: Maintain an inventory of all IT assets and conduct regular audits.
10. Employee Awareness and Training
10.1. Security Training
- Onboarding: Provide security training to all new employees during onboarding.
- Ongoing Training: Conduct regular training sessions to keep employees informed about security best practices and emerging threats.
10.2. Security Policies
- Policy Access: Ensure all employees have access to and understand the security policies.
- Acknowledgment: Require employees to acknowledge understanding and compliance with security policies.
11. Compliance and Legal Requirements
11.1. Regulatory Compliance
- Data Protection Laws: Comply with all relevant data protection and privacy laws (e.g., GDPR, CCPA).
- Industry Standards: Adhere to industry standards and best practices for information security (e.g., ISO/IEC 27001).
11.2. Regular Audits
- Internal Audits: Conduct regular internal audits to assess compliance with the security policy.
- External Audits: Engage external auditors to evaluate the effectiveness of the security controls.
12. Policy Enforcement
12.1. Disciplinary Action
- Non-Compliance: Employees found in violation of this security policy may face disciplinary action, up to and including termination.
- Incident Handling: Violations related to security incidents will be handled in accordance with the incident response plan.
13. Approval and Implementation
This Security Policy has been reviewed and approved by Tinkerbox's senior management. It will be communicated to all employees and implemented immediately.