- Purpose Of Policy
This policy states PeopleThriver's commitment to the privacy of user information and of sensitive commercial and financial data.
- Scope of Policy
This policy applies to all data that is either owned or managed by PeopleThriver.
- Supporting Documents
The following documents support this policy:
- Information Security Policy
- The Chief Information Security Officer is responsible for the development, implementation, maintenance and enforcement of this policy
- PeopleThriver's Internal Audit Team is responsible for conducting regular audits to ensure compliance with this policy
- Employees and non-employees of PeopleThriver are responsible and/or accountable for ensuring adherence to the terms of this policy in the course of their job duties
- Policy Statements
- Purpose for collection of personal information
- Manner in which the information will be processed
- Controls for protection of personal information
- Usage of tools such as cookies to collect personal information online
- Details of information captured about the user, such as IP address and domain information
- Sharing of information with third parties
- User rights to access their personal information
- Details to contact PeopleThriver for queries on processing personal information
- PeopleThriver's commitment to privacy and security
- Period for which the terms and conditions are valid
- PeopleThriver's information security standards and practices
- Policy on external links
- PeopleThriver will not combine information about a user's activities on the Internet with any information that would identify the user, without the user's consent.
- PeopleThriver will not associate the information collected by software utilities (cookies, single-pixel GIF images) with a user's name or e-mail address when the user visits its sites.
- PeopleThriver will implement policy guidelines to safeguard the privacy of user-identifiable information from unauthorized access or improper use, and will continue to enhance security procedures as new technology becomes available.
- PeopleThriver honours requests from users to review all personally identifiable information maintained in reasonably retrievable form, which currently consists of the employee's name, address, e-mail address and telephone number, and will correct any such information that is inaccurate. Users may verify that appropriate corrections have been made.
- PeopleThriver may use user-identifiable information to investigate and help prevent potentially unlawful activity, or activity that threatens the network or otherwise violates the user agreement for that service.
- All data shared by users, including personally identifiable information, shall be:
- Processed fairly, lawfully and securely
- Processed in relation to the purpose for which it is collected
- Maintained up to date and accurate as necessary
- Retained for no longer than is necessary for the purpose for which it is collected
- Users shall be provided with at least the following information before personally identifiable information is collected:
- Purposes of processing the information
- Any further information regarding the specific circumstances in which personal information is collected, such as:
- The recipients of the information
- Whether submission of information is obligatory or voluntary, as well as the impact of failure to submit such information
- The existence of the right to access, update or remove personal information
- Whether personal information will be used for marketing purposes
- Policy Violations
Violation of the policy will result in corrective action from management. Disciplinary action will be consistent with the severity of the incident, as determined by the investigation, and may include, but is not limited to:
- Loss of access privileges to information assets
- Termination of employment or contract
- Other actions deemed appropriate by management, HR division, Legal division and their relevant policies
Any violation of, or deviation from, the policy shall be reported to the service desk, and a security incident record shall be created for further investigation of the incident.
- Policy Exceptions
Any exceptions to this policy have to be formally approved by the Chief Information Security Officer. All exceptions shall be formally documented in the standard IT exceptions request form.
The exception request shall follow the approval matrix below:
- Unit Manager/Reporting Manager
- Chief Information Security Officer
After approval by the Chief Information Security Officer, the exception request form should be forwarded to the relevant IT unit for execution.
Information Security Policy
This policy applies to PeopleThriver, its employees and its operations, and also covers its group companies and subsidiaries.
The purpose of this policy is to define the rules and guidelines for managing information security throughout PeopleThriver.
- Terms and definitions
The following terms are used within this document:
- LT: Leadership Team
- ISG: Information Security Group
- API: Application Programming Interface, a software intermediary that allows two applications to talk to each other.
- Information: Meaningful data held within PeopleThriver and belonging to PeopleThriver or to its clients.
- Confidentiality: Information designated as confidential is protected to meet the entity’s objectives. Confidentiality addresses the entity’s ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity’s control in accordance with management’s objectives. Information is confidential if the custodian of the information is required to limit its access, use, and retention and restrict its disclosure to defined parties.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives. Processing integrity refers to the completeness, validity, accuracy, timeliness, and authorization of system processing. Processing integrity addresses whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or inadvertent manipulation.
- Availability: Information and systems are available for operation and use to meet the entity’s objectives. Availability refers to the accessibility of information used by the entity’s systems as well as the products or services provided to its customers. It addresses whether systems include controls to support accessibility for operation, monitoring, and maintenance.
- Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives. Security refers to the protection of
- information during its collection or creation, use, processing, transmission, and storage and
- systems that use electronic information to process, transmit or transfer, and store information to enable the entity to meet its objectives.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives. Privacy applies only to personal information. The privacy criteria are organized as follows:
- Notice and communication of objectives. The entity provides notice to data subjects about its objectives related to privacy.
- Choice and consent. The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to data subjects.
- Collection. The entity collects personal information to meet its objectives related to privacy.
- Use, retention, and disposal. The entity limits the use, retention, and disposal of personal information to meet its objectives related to privacy.
- Access. The entity provides data subjects with access to their personal information for review and correction (including updates) to meet its objectives related to privacy.
- Disclosure and notification. The entity discloses personal information, with the consent of the data subjects, to meet its objectives related to privacy. Notification of breaches and incidents is provided to affected data subjects, regulators, and others to meet its objectives related to privacy.
- Quality. The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet its objectives related to privacy.
- Monitoring and enforcement. The entity monitors compliance to meet its objectives related to privacy, including procedures to address privacy-related inquiries, complaints, and disputes.
The primary ownership of implementing this policy is with the Leadership Team.
ISG and department heads are responsible for communicating the policy internally and externally respectively.
- PeopleThriver system and data architecture is designed to be compliant with safety standards set by regulators.
- PeopleThriver's Open APIs enable easy integration with clients' ERPs, MIS and other IT systems.
- PeopleThriver understands that security, confidentiality, integrity, availability and privacy of data and information are critical aspects while working with clients and business partners.
- Any data or information, including but not limited to, organizational information, data, confidential data, intellectual property, personal data or personally identifiable information (PII), is a valuable asset and must be protected from unauthorized access, sharing, disclosure, modification, loss, damage and destruction.
- Managing the information security of all data and information created, collected, acquired, stored, retained, processed, transferred, shared or distributed by PeopleThriver, whether belonging to PeopleThriver or to its clients or business partners, is the key to building trust and confidence.
- PeopleThriver aspires to fulfil its commitment to ensuring information security by:
- Conducting periodical risk assessments to identify possible risks for confidentiality, privacy, security, integrity and availability of data, information assets, information systems as well as information processing facilities,
- Employing prudent controls, policies, standards, practices, processes and procedures to mitigate and minimize the risks,
- Identifying all applicable compliance requirements, including legal, statutory, regulatory and contractual obligations, and ensuring timely and continual compliance with them,
- Involving and engaging employees, non-employees, outsourced resources, independent contractors, clients, business partners and service providers in the information security process, and ensuring that everybody follows the policies and fulfils their responsibilities towards effective information security,
- Creating widespread and regular awareness amongst all stakeholders about their responsibilities towards information security,
- Committing continual improvement through effective monitoring, measurement and analysis of information security performance,
- Implementing effective response and reporting mechanisms for information security violations and breaches, and planning causal analysis and corrective actions to reduce their recurrence in future,
- Planning effective continuity of people, services and systems for ensuring continuation, resilience and restoration of client deliveries, trust, satisfaction and confidence.
- All Policies created within PeopleThriver
- All Procedures created within PeopleThriver
- Records and evidence maintained to demonstrate compliance with policies