DATA ACCESS CONTROL / PRIVACY POLICY

Overview

The policy describes Paul Merchants Finance Pvt. Ltd. (PMFPL) guidelines to ensure that appropriate access controls and data privacy is implemented and being maintained to protect customer’s information including IT assets.

Scope

This policy applies to all employees of PMFPL in all locations including the Non-Executive Directors, temporary employees, consultants and contracted staff. It is the responsibility of all operating units to ensure that these policies are clearly communicated, understood and being strictly followed. Access to IT assets is to be granted on a “need to know” and “need to access” basis.

Policy

• Personnel who requires access to systems and information resources must have their access approved by the respective Head of the Department prior to being granted access. Where data is freely available to public, identification and authentication may not be required.
• Access to various applications is given to all personnel based on their job roles and responsibilities.
• Users shall be managed through the Active Directory implementation and shall having unique User ID and password for each user.
• All personnel shall be given unique User ID & Password and root logins shall not be allowed to anyone except System Administrator. Use of root login by System Administrator shall be approved by IT Manager/Head - IT. Activities related to System Administrator shall also be logged.
• Unauthorized users shall be denied access.
• A list of all personnel authorized to access/manage systems, networks and information resources, (including their level of access) shall be maintained and shall be kept up to date.
• The rules for the creation of an ID and password shall be observed.
• System Administrator shall ensure that there are no unmanaged direct connections (e.g., unauthorized modems, wireless devices) to/from PMFPL’s internal or external network. Any exceptions shall be reviewed, documented and the same shall be approved by Head of Dept.
• Personnel who will be authorized to use PMLPL assets shall take all reasonable precautions to prevent loss, damage or unauthorized data access to the equipment and information. This includes but not limited to passwords, physical security precautions, unauthorized software (shareware and freeware) and encryption measures.
• System Administrator shall determine the acceptable period of time for disabling unused privileges based on the information’s value and sensitivity.
• The network provides for selective or secured access to ports and devices. Any use of storage/ writing media like floppy, USB, pen drive, etc. shall be permitted only after prior approval of HOD and the same shall be strictly monitored.
• The areas declared as Restricted Area must be follow the following:
  1. Only authorized personnel be allowed inside the area.
  2. Area shall have an access card entry system.
  3. Conversation on all the telecommunication equipment’s if required might be recorded for any discrepancies.
• To ensure data privacy, the HOD upon any employee’s termination shall collect the access cards and all related rights which were in possession of that employee. Further, the appropriate senior in the department shall be intimated regarding such termination and all his / her access to the systems (like Unique User ID & Password) shall be deactivated with immediate effect.

ACCESS BY CLIENTS AND THIRD PARTY

This aims at outlining the security controls to be maintained by the organization regarding access to its Clients and Third parties.

• Access to PMFPL payment system shall solely be provided to authorized clients and their customers.
• Confidential information/messages/files shall be transferred/communicated only through secured channels to the Clients.
• System shall prompt the Clients to change their passwords when they log in with the default password for the first time.
• FTP access provided, if any, to the Clients shall be protected using a username and password.
• Any information transfer or any other communication with the banks and other third parties shall be kept secured.
• Any incomplete transmission of transactions with the Clients are properly dealt with by the Organization.
• The system shall ensure to lock the User ID on three unsuccessful login attempts.
• Any information involved in electronic commerce which shall be passing over through public networks will be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification. All clients connecting to PMFPL over the internet shall be secured.
• Information regarding on-line transactions shall be protected to prevent mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. This is ensured by the system and its supporting network infrastructure.
• Third party contractors shall not be allowed to connect to PMFPL technologies network without prior approvals from the HOD.
• PMFPL shall ensure not to share production data with third party contractors without proper Non-Disclosure Agreement in place.
• All third parties connected to PMFPL’s network shall adhere to PMFPL’s IT policy.

CONFIDENTIAL DATA OF CUSTOMERS

Confidential Data is information protected by statutes, regulations, policies or contractual language. Managers may also designate data as Confidential. Confidential Data may be disclosed to individuals on a need-to-know basis only. Executive management and/or the Vice President and General Counsel should authorize disclosure to parties outside the PMFPL.

By way of illustration only, some examples of Confidential Data include:

• Transaction history of Customers.
• Any other Payment related information.
• Any data identified by government regulation to be treated as confidential or sealed by order of a court of competent jurisdiction.

Following precautions shall be taken with regards to such data:

• When stored in an electronic format, the same shall be protected with strong passwords and stored on servers that have protection and encryption measures provided by ISS in order to protect against loss, theft, unauthorized access and unauthorized disclosure.
• Must not be disclosed to parties without explicit management authorization.
• Must be stored only in a locked drawer or room or an area where access is controlled by a guard, cipher lock, and/or card reader, or that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know.
• When sent via fax must be sent only to a previously established and used address or one that has been verified as a secured location.
• Must not be posted on any public website.
• Must be destroyed when no longer needed subject to the Internal Policy. Destruction may only be accomplished by IT manager.
• Hard Copy" materials must be destroyed by shredding or another process that destroys the data beyond either recognition or reconstruction. After destruction, materials may be disposed of with normal waste.
• Electronic storage media shall be sanitized appropriately by overwriting or degaussing prior to disposal.

The Office of the Head – IT shall be notified in a timely manner if data classified as Confidential is lost, disclosed to unauthorized parties or suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of the PMFPL Information systems has taken place or is suspected of taking place.