Purpose

This Information Security Management System (ISMS) policy establishes the framework, principles, and responsibilities for ensuring the confidentiality, integrity, and availability of the organization's information assets. The ISMS is designed to protect against unauthorized access, disclosure, alteration, and destruction of sensitive information, while also ensuring compliance with relevant laws, regulations, and contractual obligations.

Scope

This policy applies to all employees, contractors, vendors, and third parties who have access to the organization's information assets, including but not limited to electronic data, physical documents, and verbal communications. It covers all information systems, networks, and technologies owned, operated, or used by the organization, regardless of location or platform.

Information Security Objective

Yoeki is committed to safeguarding the Confidentiality, Integrity and Availability of all physical and electronic information assets of the organization, to ensure that regulatory, operational and contractual requirements are fulfilled.

The overall objectives for information security at Yoeki are the following:

  1. Ensure compliance with current laws, regulations and guidelines.
  2. Protect information against unauthorized access and maintain the confidentiality of information.
  3. Ensure the integrity of information to maintain its accuracy.
  4. Ensure the availability of information to authorized users when needed.
  5. Provide information security training to all employees, to motivate them to maintain responsibility for, ownership of and knowledge about information security, in order to minimize the risk of security incidents.
  6. Ensure business continuity even in the event of a disaster.
  7. Ensure legal and regulatory compliance and the fulfilment of contractual requirements.

Yoeki’s top management (CEO) has established an Information Security Team to implement, maintain and continually improve the Information Security Management System (ISMS).

Information Security Governance

Information security governance consists of the leadership, organisational structures and processes that protect information and mitigate growing information security threats. Critical outcomes of information security governance include:

  1. Alignment of information security with business strategy to support organisational objectives.
  2. Management and mitigation of risks, and reduction of potential impacts on information resources to an acceptable level.
  3. Management of information security performance by measuring, monitoring and reporting information security governance metrics, to ensure that organisational objectives are achieved.
  4. Optimisation of information security investments in support of organisational objectives.

It is important to consider the organisational necessity and benefits of information security governance. They include increased predictability and the reduction of uncertainty in business operations, a level of assurance that critical decisions are not based on faulty information, enabling efficient and effective risk management, protection from the increasing potential for legal liability, process improvement, reduced losses from security-related events and prevention of catastrophic consequences and improved reputation in the market and among customers.

Management Responsibility

Top management is responsible for the following with respect to information security:

  1. Approving policies related to the information security function.
  2. Ownership of the implementation of the board-approved information security policy.
  3. Ownership of establishing the necessary organisational processes for information security.
  4. Ownership of providing the necessary resources for successful information security.
  5. Ownership of establishing a structure (framework) for the implementation of an information security program.

Organisation Structure

The table below lists each role, its responsibilities, and the position or individual assigned to it.

Role: Top Management
  • Ensure that the ISMS receives the necessary resources and support.
  • Provide leadership and strategic direction for the ISMS.
  • Participate in management reviews and approve key ISMS policies.
  Position/Individual: CEO

Role: Chief Information Security Officer (CISO)
  • Lead the ISMS team and hold overall responsibility for the ISMS.
  • Ensure the ISMS is aligned with the organization’s business goals and ISO 27001 requirements.
  • Coordinate the establishment, maintenance, and continual improvement of the ISMS.
  • Ensure compliance with all legal, regulatory, and contractual obligations related to information security.
  • Conduct internal and external audits of the ISMS.
  • Prepare for third-party certifications and manage corrective actions from audit findings.
  • Ensure compliance with data protection laws and regulations.
  • Evaluate and manage third-party vendors for information security risks.
  • Ensure third-party contracts contain appropriate security clauses.
  Position/Individual: Yogendra Tyagi

Role: ISMS Manager
  • Manage day-to-day activities of the ISMS.
  • Monitor and measure security performance.
  • Ensure risk management and compliance with security controls.
  • Coordinate incident response activities and reporting.
  • Prepare documentation and reports.
  • Act as the main point of contact for information security.
  • Conduct internal and external audits of the ISMS.
  • Manage data privacy risks and breaches.
  • Liaise with regulators and stakeholders on privacy-related issues.
  • Conduct third-party risk assessments and audits.
  • Manage vendor-related incidents.
  Position/Individual: Vishal Verma

Role: HR Manager
  • Oversee the integration of information security policies into the employee lifecycle (onboarding, training, and offboarding).
  • Ensure employees are trained on ISMS policies and security awareness.
  • Manage the disciplinary process for non-compliance with security policies.
  Position/Individual: Naina Chauhan

Role: Risk Manager
  • Conduct and coordinate regular risk assessments.
  • Manage the risk treatment plan and ensure that mitigation measures are implemented.
  • Identify and evaluate new risks as they emerge.
  • Ensure continual monitoring of risk across the organization.
  • Implement and maintain technical security controls (e.g., firewalls, antivirus, encryption, etc.).
  • Conduct vulnerability assessments and penetration testing.
  • Ensure secure configurations for IT infrastructure.
  • Investigate and resolve technical security incidents.
  • Manage the incident response process.
  • Coordinate detection, reporting, and resolution of security incidents.
  • Document lessons learned from security incidents.
  • Update incident response procedures regularly.
  Position/Individual: Default HOD

Role: Internal Auditor
  • Conduct internal audits to assess compliance with the ISMS.
  • Provide recommendations for corrective actions and improvements.
  • Track and verify that corrective actions are implemented.

Role: Business Continuity Manager
  • Ensure the ISMS supports business continuity and disaster recovery plans.
  • Test and review business continuity and recovery plans regularly.
  • Ensure that critical systems and data remain available during incidents.
  Position/Individual: Vasant Kumar & Divyansh Singh

Role: Developer

The Software Team will ensure the following:

  • Secure Coding Practices: Developers should follow best practices in secure coding to minimize the risk of vulnerabilities (e.g., SQL injection, cross-site scripting, etc.).
  • Testing and Validation: Regular security testing, including vulnerability assessments and penetration testing, should be performed during the development and maintenance phases. This also includes code reviews to spot potential security flaws.
  • Change Management: Any changes to the software or underlying systems must be controlled and documented in accordance with ISO 27001's change management procedures.
  Position/Individual: Software Development Team

Role & Responsibility

The information security organisation shall comprise the following:

  1. Chief Executive Officer
  2. Chief Information Security Officer (CISO)
  3. Information Security Manager (ISM)
  4. Risk Manager
  5. IT Operations
  6. Information Asset Owner
  7. Asset Custodian
  8. Internal Audit

Risk Management

  • Conduct regular risk assessments to identify, analyze, and evaluate information security risks and vulnerabilities.
  • Develop risk treatment plans to mitigate identified risks to an acceptable level, considering cost, feasibility, and impact on business operations.
  • Monitor and review the effectiveness of risk mitigation measures and update risk assessments as necessary.

User Access Control

  • Implement access control mechanisms, such as user authentication, authorization, and accountability, to prevent unauthorized access to information assets.
  • Enforce the principle of least privilege, granting users access only to the resources necessary for their roles and responsibilities.
  • Monitor user activity and enforce access controls using audit logs, intrusion detection systems, and security incident monitoring.
  • Access to Yoeki’s information, information systems (Infrastructure, applications, source code repositories) and information processing facilities shall be controlled to prevent unauthorized access.
  • Access shall be granted on the principle of least privilege and on a need-to-know basis only.
  • Logs/records shall be maintained for access granted to critical systems.
  • Refer to the ‘User Access Management Process’ for further details.

Information Security Awareness and Training

  • Provide regular training and awareness programs to educate employees about information security risks, policies, and procedures.
  • Encourage a culture of security awareness and accountability throughout the organization.

Incident Management

  • Establish incident response procedures to detect, assess, and respond to information security incidents in a timely and effective manner.
  • Designate an incident response team and define roles and responsibilities for responding to security incidents.
  • Document and report security incidents to senior management, legal counsel, regulatory authorities, and affected parties as required by law or regulation.

Physical Security

  • Implement physical security controls, such as access controls, surveillance cameras, and environmental controls, to protect physical assets and facilities.
  • Restrict access to sensitive areas, server rooms, and data centers to authorized personnel only.
  • Regularly review and update physical security measures to address emerging threats and vulnerabilities.

Human Resource Security

Yoeki will ensure that all personnel involved in information security are competent, based on appropriate education, training, abilities and experience. The required skills will be determined and assessed regularly, together with an assessment of current skill levels within Yoeki. All Yoeki employees will complete this training in order to ensure a baseline level of information security awareness. The HR department will keep records of training, education and other relevant data to document individual skill levels.

  • Screening or background checks will be performed at the time of hire.
  • At the time of hire, employees shall sign the organization’s terms and conditions of employment, which include the employee’s and the organization’s responsibilities for information security.
  • Employees must complete Information Security and Data Privacy training at the time of hire and annually thereafter, or as required by business needs.

Assets Management

Yoeki’s information assets must be appropriately protected from theft, loss or any unauthorized access. Assets may include, but are not limited to:

  • Documented business processes and activities (electronic or physical)
  • Electronic information (data, spreadsheets, presentations, documents, notes, email etc.)
  • Physical information (papers, signs, posters, etc.)
  • Hardware (servers, laptops, desktops, printers, photocopiers, routers, switches, firewalls, mobile phones, tablets, computing devices, etc.)
  • Software (databases, applications, utilities, productivity software, cloud services, etc.)
  • Network (communication links, wired network, wireless network, etc.)
  • People (employees, contractors, interns, etc., as defined in this policy)
  • Facilities (offices, network rooms, wiring closets, storage facilities etc.)

An accurate and up-to-date inventory of critical assets shall be maintained. Critical assets are those which, if compromised or lost, could cause significant business disruption or revenue loss. An asset owner must be designated for each inventoried critical asset, though assets remain Yoeki’s property.

Acceptable Use

  • Yoeki’s proprietary information shall be used or shared only to the extent it is authorized and necessary to fulfill the assigned job duties of employees.
  • Only Yoeki-provided systems and laptops shall be used to access Yoeki’s email and applications. The use of a personal device is not recommended unless approved.
  • Any related data breach, credential sharing and all related unwanted consequences will be dealt with under the Code of Conduct.

Cloud Infrastructure Security

  • Yoeki’s IT infrastructure is hosted at the Yotta Data Center on Yoeki’s own infrastructure, and ensures high availability, scalability and security of its applications and data.
  • All access to the servers and managed services is private, unless proxied through a public, secured resource.
  • Internal vulnerability assessments are performed at regular intervals.
  • Only authenticated users are allowed to access Yoeki’s cloud infrastructure.

Equipment Security

  • Equipment must be protected to minimize potential risks such as theft, fire, explosives, smoke, water, dust, vibration, electrical supply interference, electromagnetic radiation, vandalism and unauthorized access.
  • Equipment must be protected from power failures and other disruptions caused by failures in electricity, telecommunications, ventilation, air conditioning, etc.
  • Appropriate protection must be applied to protect laptops, mobile phones, tablets, etc., while working remotely from home or other offsite locations.

Business Continuity Management

Business continuity, within the context of an Information Security Management System (ISMS) policy, refers to the strategies, plans, and procedures put in place to ensure the organization can continue its critical operations and minimize the impact of disruptions or incidents that may threaten the availability of its information assets. It involves proactive measures to identify potential risks, develop resilience capabilities, and establish effective response and recovery mechanisms. Yoeki defines business continuity as a fundamental aspect of the organization's information security strategy, highlighting its commitment to maintaining the continuity of business operations, safeguarding critical assets, and minimizing the impact of incidents. Yoeki shall take the following steps for business continuity management:

  • Yoeki shall plan for and implement controls to mitigate the impact of a disaster and ensure the timely resumption of business activities and information security. To this end, Yoeki shall:
    • Provide direction and support for business continuity.
    • Set the organizational requirements and expectations for business continuity.
    • Guide the implementation of appropriate policies, standards, processes, procedures, plans and controls necessary to recover functions within the organization.
    • Define the roles and responsibilities of employees towards business continuity.
  • Perform annual mock drills of the business functions to keep the business continuity measures up to date.

Personal Data Protection

A. Privacy Notice

Where Yoeki collects Personal Data of an individual, a privacy notice must be provided to the Data Subjects prior to collection. All privacy notices must be approved by top management before being published.

B. Consent Management

Data Subjects should be required to provide an explicit consent (such as selecting a checkbox) prior to submitting their Personal Data to Yoeki. Consents provided by the Data Subject should be logged along with the date and timestamp.

C. Records of Processing Activities

When a team at Yoeki processes Personal Data for performance of their activities, they must ensure that details of such activities are captured in the Records of Processing Activities document. The records should be reviewed annually to ensure that updates to the data processing activities are accurately reflected.

D. Manual Data Handling Guidelines

Where possible, Personal Data should not be processed manually. For activities where Personal Data needs to be processed manually, approval must be obtained from top management.

E. Privacy Impact Assessment

A Privacy Impact Assessment (PIA) should be performed for all processes and applications relying on Personal Data. The risk levels of an activity must be determined by the top management.

Related Standards, Policies and Processes

The following detailed policies provide principles and guidance on specific aspects of information security. For the list of all related standards, policies and processes, refer to 62. Document and Record Control.

Policy Violation

Failure to observe this policy may expose Yoeki to breaches of relevant laws, the loss of vital information or the impairment of business operations, and cause significant damage to the public image and reputation of Yoeki. The employees not complying with this policy may be subject to disciplinary action, up to and including termination of employment.

Compliance and Monitoring

The organization is committed to complying with all applicable laws, regulations, and contractual requirements related to information security, privacy, and data protection. Any deviations from this policy must be authorized by senior management and documented appropriately.

18.1 Compliance Framework
  • Definition: Establishing a framework for ensuring compliance with laws and regulations.
  • Application: Yoeki will have a robust compliance framework from FY 24-25 onwards to ensure adherence to applicable laws and regulations.
18.2 Monitoring and Reporting
  • Definition: Monitoring compliance and reporting to relevant stakeholders.
  • Application: Regular monitoring and reporting mechanisms will be in place from FY 24-25 onwards to track and report on compliance with corporate governance standards.
18.3 Internal Audit
  • Definition: Conducting internal audits to ensure adherence to policies and procedures.
  • Application: Yoeki will conduct regular internal audits from FY 24-24 to assess compliance with corporate governance policies and identify areas for improvement.

Continual Improvement

Yoeki’s policy on continual improvement is to:

  • Increase the level of proactivity (and stakeholder perception of proactivity) about information security, in accordance with the Yoeki Policy on continuous improvement.
  • Make information security processes and controls more measurable, so that informed decisions may be made.
  • Evaluate important metrics yearly to see if they should be changed based on historical data.
  • Collect ideas for continuous improvement through regular meetings and communication with stakeholders.
  • In evaluating improvement recommendations, the following criteria must be used:
    • Cost
    • Business Benefit
    • Risk
    • Timeline for Implementation
    • Resources required

Policy/Document approval

This ISO 27001 document/policy is prepared, reviewed and approved by the following individuals:

Prepared By: Yogendra Tyagi (CISO)
Approved By: Varun Burman (Director and CEO)

Exemptions and exceptions

Any exceptions to this policy shall be approved by the CEO and documented.

Review and Amendments

  • Regular Review: The policy will be regularly reviewed to ensure its effectiveness and relevance.
  • Amendments and Updates: Amendments to the policy will be made as necessary, and updates will be communicated to all employees and stakeholders.

Contact Information

Email: legal@yoekisoft.com

Published on – 24 December 2024

Version 1.1