WebReinvent Technologies

INFORMATION SECURITY POLICY

Policy Reference: HR-POL-INFO-SEC
Effective Date: January 2, 2026
Version: 1.0
Document Control Number: HR-POL-INFO-SEC-001
Document Owner: Information Security Team
Applicable To: All Employees
Related Policies: Acceptable Use & Workplace Monitoring Policy, IP & Confidentiality Policy
Statutory Basis: Information Technology Act, 2000; Digital Personal Data Protection Act, 2023

CONFIDENTIAL DOCUMENT

This policy contains confidential information. Unauthorized disclosure may result in disciplinary action.


SECTION 1 - PURPOSE AND SCOPE

1.1 Policy Objectives

1.1.1 This Information Security Policy establishes employee responsibilities and obligations for:

(a) Protecting Company information assets and data

(b) Maintaining confidentiality, integrity, and availability of information systems

(c) Preventing unauthorized access, disclosure, or misuse of information

(d) Ensuring compliance with information security standards and regulations

(e) Reporting security incidents and vulnerabilities

1.2 Scope of Application

1.2.1 This policy applies to:

(a) All employees regardless of employment type, location, or work arrangement

(b) All Company information assets including data, systems, networks, and devices

(c) All information in any format: electronic, physical, or verbal

(d) Company-owned and personal devices used for Company work

(e) All work locations: office, remote, client sites, or public spaces

1.3 Employee Acknowledgment

1.3.1 Employees must:

(a) Read and understand this Information Security Policy

(b) Sign written acknowledgment of policy acceptance

(c) Comply with all security requirements and procedures

(d) Complete mandatory security awareness training

(e) Report any security concerns or violations immediately


SECTION 2 - INFORMATION CLASSIFICATION

2.1 Classification Categories

2.1.1 All Company information is classified into the following categories:

2.1.1.a CONFIDENTIAL

  • Proprietary business information, trade secrets
  • Client data, contracts, and confidential agreements
  • Financial data, pricing strategies, business plans
  • Source code, technical designs, algorithms
  • Employee personal data and HR records
  • Unauthorized disclosure would cause severe damage to the Company, its clients, or its employees

2.1.1.b INTERNAL USE ONLY

  • Internal communications, policies, procedures
  • Organizational charts, contact directories
  • Non-confidential project documentation
  • Training materials, internal presentations
  • Disclosure limited to authorized employees

2.1.1.c PUBLIC

  • Published marketing materials
  • Public website content
  • Press releases and public announcements
  • Approved for external distribution

2.2 Employee Handling Obligations

2.2.1 Employees must:

(a) Identify classification level before handling information

(b) Handle information according to its classification level

(c) Not downgrade classification without authorization

(d) Mark documents with appropriate classification labels

(e) Store, transmit, and dispose of information per classification requirements

2.3 Confidential Information Protection

2.3.1 When handling CONFIDENTIAL information, employees shall:

(a) Access only on need-to-know basis for job duties

(b) Not share with unauthorized persons internal or external

(c) Encrypt when transmitting electronically

(d) Lock physical documents in secure storage

(e) Use secure channels for communication (encrypted email, approved platforms)

(f) Not discuss in public places or with unauthorized persons

(g) Securely destroy when no longer needed


SECTION 3 - PASSWORD AND AUTHENTICATION MANAGEMENT

3.1 Password Requirements

3.1.1 Employees must create passwords that meet the following minimum standards:

(a) Length: Minimum 12 characters

(b) Complexity: Must include:

  • Uppercase letters (A-Z)
  • Lowercase letters (a-z)
  • Numbers (0-9)
  • Special characters (for example !@#$%^&*)

(c) No Dictionary Words: Avoid common words, names, or predictable patterns

(d) No Personal Information: Do not use birthdates, names, phone numbers

(e) Unique Passwords: Different password for each system/application

3.2 Password Security Obligations

3.2.1 Employees shall:

(a) Keep passwords strictly confidential

(b) Never share passwords with anyone, including colleagues, managers, and IT staff

(c) Never write passwords down on paper, whiteboards, or sticky notes

(d) Never store passwords in plain text files or unencrypted documents

(e) Use approved password managers for secure storage

(f) Change password immediately if compromised or suspected compromise

(g) Change default passwords immediately upon first login

(h) Not reuse passwords across different systems

3.3 Password Change Requirements

3.3.1 Employees must:

(a) Change passwords every 90 days for critical systems

(b) Change immediately upon:

  • Suspected compromise or security breach
  • Departure of an employee who had access to a shared or service account
  • Request from the IT Security team

(c) Not reuse previous 10 passwords

(d) Create new unique passwords, not variations of old ones

3.4 Multi-Factor Authentication (MFA)

3.4.1 Employees must:

(a) Enable MFA on all systems that support it

(b) Use Company-approved MFA methods (authenticator apps, hardware tokens)

(c) Protect MFA devices and recovery codes securely

(d) Report lost or stolen MFA devices immediately to IT

(e) Never share MFA codes or approval with others


SECTION 4 - DEVICE AND ENDPOINT SECURITY

4.1 Company Device Responsibilities

4.1.1 Employees issued Company devices (laptops, phones, tablets) must:

(a) Use devices exclusively for Company business purposes

(b) Install Company-required security software (antivirus, firewall, encryption)

(c) Keep operating system and software updated with latest security patches

(d) Enable full disk encryption on all devices

(e) Configure screen lock with password/PIN (max 5-minute timeout)

(f) Not disable or circumvent security controls

(g) Not install unauthorized software or applications

(h) Not share device access with family members or unauthorized persons

4.2 Physical Device Security

4.2.1 Employees must:

(a) Keep devices physically secure at all times

(b) Lock screen when leaving device unattended

(c) Never leave devices unattended in public places, vehicles, or unsecured areas

(d) Use cable locks when working in public spaces

(e) Report lost or stolen devices immediately to IT Security

(f) Not leave devices visible in parked vehicles

(g) Carry devices in secure bags during travel

4.3 Personal Device Usage (BYOD)

4.3.1 If authorized to use personal devices for work:

(a) Install Company-required security software and MDM profile

(b) Comply with all Company security policies

(c) Allow Company to remotely wipe Company data if device is lost/stolen

(d) Use separate work profiles/containers for Company data

(e) Keep device updated with latest security patches

(f) Report device compromise immediately

(g) Remove all Company data upon separation

4.4 Removable Media and External Devices

4.4.1 Employees shall:

(a) Not use unauthorized USB drives, external hard drives, or removable media

(b) Use only Company-approved and encrypted removable media

(c) Scan all external media for malware before use

(d) Not connect unknown or untrusted devices to Company network

(e) Securely erase Company data from removable media before disposal


SECTION 5 - NETWORK AND ACCESS SECURITY

5.1 Network Access Obligations

5.1.1 Employees must:

(a) Access Company network only through authorized methods

(b) Use Company VPN when accessing systems remotely

(c) Connect only to secure, trusted networks for Company work

(d) Not use public Wi-Fi without VPN protection

(e) Not share network credentials or VPN access

(f) Disconnect from the Company network (including VPN) when not actively using it

5.2 Remote Access Security

5.2.1 When working remotely, employees shall:

(a) Use Company-provided VPN for all remote connections

(b) Ensure the home Wi-Fi network is secured with WPA2 (AES/CCMP) or WPA3; never use WEP or an open network for Company work

(c) Change default router passwords

(d) Not allow unauthorized persons to access Company systems

(e) Work in private spaces where screens are not visible to others

(f) Use privacy screens on laptops when in public

5.3 Wireless Network Usage

5.3.1 Employees must:

(a) Connect only to Company-authorized Wi-Fi networks

(b) Not create unauthorized wireless access points or hotspots

(c) Disable Wi-Fi and Bluetooth when not in use

(d) Not connect to open/unsecured public Wi-Fi for Company work

(e) Use VPN when connecting to any non-Company network


SECTION 6 - EMAIL AND COMMUNICATION SECURITY

6.1 Email Security Obligations

6.1.1 Employees must:

(a) Use Company email only for legitimate business purposes

(b) Not send Confidential information to personal email accounts

(c) Verify recipient addresses before sending sensitive information

(d) Use encryption for emails containing Confidential data

(e) Not open suspicious emails, attachments, or links

(f) Report phishing attempts and suspicious emails to IT Security

(g) Not click links or download attachments from unknown senders

(h) Verify sender identity before responding to requests for sensitive information

6.2 Phishing and Social Engineering Protection

6.2.1 Employees shall:

(a) Be vigilant for phishing attempts and social engineering tactics

(b) Verify identity through alternative channel before providing information

(c) Not respond to requests for passwords, financial data, or credentials via email

(d) Report suspected phishing to IT Security immediately

(e) Not follow instructions in suspicious emails (password resets, fund transfers)

(f) Hover over links to verify destination before clicking

(g) Check sender email address carefully for spoofing

6.3 Instant Messaging and Collaboration Tools

6.3.1 When using approved communication platforms (Slack, Teams, etc.):

(a) Use only Company-approved collaboration tools

(b) Not share Confidential information through unauthorized platforms

(c) Enable security features (encryption, access controls)

(d) Not share sensitive information in public channels

(e) Verify recipient identity before sharing sensitive data

(f) Log out from shared or public devices


SECTION 7 - DATA PROTECTION AND PRIVACY

7.1 Data Handling Responsibilities

7.1.1 Employees must:

(a) Collect only data necessary for business purposes

(b) Process data lawfully and transparently

(c) Store data securely with appropriate access controls

(d) Retain data only as long as required by policy or law

(e) Securely delete data when no longer needed

(f) Not transfer data to unauthorized locations or persons

7.2 Client and Customer Data Protection

7.2.1 When handling client data, employees shall:

(a) Access client data only for authorized business purposes

(b) Comply with client-specific security requirements

(c) Not copy, download, or transfer client data without authorization

(d) Store client data in approved Company systems only

(e) Not use client data for personal purposes

(f) Return or securely delete client data upon project completion

(g) Report client data incidents immediately

7.3 Personal Data Protection

7.3.1 Employees handling employee or customer personal data must:

(a) Comply with Digital Personal Data Protection Act, 2023

(b) Access personal data only on need-to-know basis

(c) Maintain confidentiality of personal information

(d) Not disclose personal data to unauthorized parties

(e) Process personal data only for specified lawful purposes

(f) Implement appropriate security measures


SECTION 8 - SECURITY INCIDENT REPORTING

8.1 Incident Reporting Obligations

8.1.1 Employees must immediately report the following to IT Security:

(a) Data Breaches: Unauthorized access, disclosure, or loss of data

(b) Malware Infections: Viruses, ransomware, or suspicious software behavior

(c) Lost or Stolen Devices: Company laptops, phones, or storage media

(d) Compromised Credentials: Suspected password theft or account compromise

(e) Phishing Attacks: Suspicious emails or communication attempts

(f) Security Violations: Observed violations of security policies

(g) System Anomalies: Unusual system behavior or unauthorized access attempts

(h) Physical Security Incidents: Unauthorized access to premises or assets

8.2 Incident Response Requirements

8.2.1 Upon discovering a security incident, employees shall:

(a) Stop any activity that may worsen the incident

(b) Not delete, modify, or "clean up" anything that may be evidence (files, emails, logs, messages)

(c) Isolate the affected device from the network if possible (disconnect Wi-Fi or the network cable; do not power it off or wipe it unless instructed by IT Security, as that destroys evidence held in memory)

(d) Immediately notify IT Security via security@webreinvent.com or emergency hotline

(e) Document what happened, when, and what data was affected

(f) Cooperate fully with incident investigation

(g) Follow instructions from IT Security team

(h) Not disclose incident details to unauthorized persons

8.3 Timely Reporting

8.3.1 Employees must:

(a) Report security incidents within 1 hour of discovery

(b) Not delay reporting due to fear of consequences

(c) Report good-faith concerns without retaliation risk

(d) Prioritize immediate reporting over investigation


SECTION 9 - SOFTWARE AND APPLICATION SECURITY

9.1 Software Installation Restrictions

9.1.1 Employees shall:

(a) Install only Company-approved software and applications

(b) Not install unauthorized, pirated, or unlicensed software

(c) Obtain IT approval before installing new software

(d) Not disable or uninstall Company-required security software

(e) Download software only from official vendor websites

(f) Verify software integrity before installation

9.2 Software Updates and Patching

9.2.1 Employees must:

(a) Install security updates and patches promptly when notified

(b) Enable automatic updates for operating systems and applications

(c) Not postpone critical security updates

(d) Restart devices to complete updates as required

(e) Report update failures to IT Support

9.3 Cloud Services and Third-Party Applications

9.3.1 Employees shall:

(a) Use only Company-approved cloud services

(b) Not upload Company data to personal cloud storage (Dropbox, Google Drive, etc.)

(c) Not use unauthorized file sharing services

(d) Obtain approval before using third-party SaaS applications

(e) Review and understand security settings of approved cloud services


SECTION 10 - PHYSICAL SECURITY OBLIGATIONS

10.1 Workplace Security

10.1.1 Employees must:

(a) Display Company ID badge at all times in office premises

(b) Not tailgate or allow unauthorized persons to enter secured areas

(c) Challenge unidentified persons in restricted areas

(d) Not share access cards, keys, or entry codes

(e) Report lost access badges immediately

(f) Lock screen and secure documents when leaving workstation

(g) Follow the clean desk policy: lock away sensitive documents

10.2 Visitor Management

10.2.1 When hosting visitors:

(a) Escort visitors at all times in Company premises

(b) Not allow visitors access to sensitive areas without authorization

(c) Ensure visitors sign in/out and wear visitor badges

(d) Not leave visitors unattended in work areas

(e) Protect sensitive information from visitor view

10.3 Document Security

10.3.1 Employees shall:

(a) Store physical documents containing Confidential information in locked cabinets

(b) Not leave sensitive documents on desks overnight

(c) Shred confidential documents before disposal

(d) Use secure printers requiring PIN for document release

(e) Avoid printing confidential information on shared printers wherever possible


SECTION 11 - SECURE DEVELOPMENT PRACTICES

11.1 Code Security Obligations

11.1.1 Employees involved in software development must:

(a) Follow secure coding guidelines and best practices

(b) Not hardcode passwords, API keys, or credentials in source code

(c) Use secure authentication and authorization mechanisms

(d) Validate and sanitize all user inputs

(e) Implement proper error handling without exposing sensitive information

(f) Conduct code reviews for security vulnerabilities

(g) Use approved code repositories with access controls
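Illustration added by the technical editor to show what 11.1(b), (d) and (e) mean in code. This is not part of the original policy and not Company code: it uses an in-memory SQLite table with constructed sample rows, a hypothetical environment variable name (APP_DB_PASSWORD), and shows the injectable version of a lookup beside its parameterised form, with errors logged server-side rather than returned to the caller.

```python
"""Added example for policy 11.1(b), (d) and (e).
Constructed sample data only; not a Company system or Company code."""
import logging
import os
import sqlite3

log = logging.getLogger("user_lookup")


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


# 11.1(b): the credential is read at runtime, never written into the file.
# A line such as   DB_PASSWORD = "hunter2"   would violate the policy and,
# once committed, remains in repository history even after it is removed.
def get_db_password(env=os.environ) -> str:
    """Take the secret from the environment. APP_DB_PASSWORD is a hypothetical name."""
    password = env.get("APP_DB_PASSWORD")
    if not password:
        raise RuntimeError("APP_DB_PASSWORD is not set; refusing to start without a credential")
    return password


def lookup_email_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Violates 11.1(d): user input is spliced into the SQL text, so a quote
    in the input changes the query. Kept here only as the 'before' picture."""
    query = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver passes the value separately from the SQL,
    so quotes or SQL keywords in the input are just characters."""
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def lookup_email_api(conn: sqlite3.Connection, username: str) -> dict:
    """11.1(e): the caller receives a generic error; the exception detail goes to
    the server-side log, so SQL text, driver messages and stack traces never
    reach the user."""
    try:
        return {"ok": True, "emails": lookup_email_safe(conn, username)}
    except sqlite3.Error:
        log.exception("user lookup failed")  # full detail stays in the log
        return {"ok": False, "error": "lookup failed"}


if __name__ == "__main__":
    db = make_sample_db()
    payload = "' OR '1'='1"  # classic tautology injection
    print("unsafe:", lookup_email_unsafe(db, payload))  # returns every row
    print("safe:  ", lookup_email_safe(db, payload))    # no such user: []
    db.close()
    print("api:   ", lookup_email_api(db, "alice"))     # generic error, no detail
```

Run it as a script to see the three behaviours side by side: the string-built query returns both users for the tautology input, the parameterised query returns nothing, and the API wrapper reports only "lookup failed" when the underlying connection is unusable.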

11.2 Code Repository Security

11.2.1 Developers shall:

(a) Use Company-approved version control systems (GitHub, GitLab)

(b) Enable multi-factor authentication (see Section 3.4) on repository accounts

(c) Not commit credentials, secrets, or API keys to repositories; a secret that has been pushed must be treated as compromised and rotated immediately, because removing the commit does not remove it from clones or history

(d) Use .gitignore to exclude sensitive configuration files (for example .env files and private keys); note that .gitignore does not un-track a file that has already been committed

(e) Review commits for accidental inclusion of sensitive data before pushing

(f) Not make Company repositories public without authorization
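Illustration added by the technical editor of how the review in 11.2(c) and (e) can be automated as a pre-commit check. This is not part of the original policy and not Company tooling: it scans the added lines of a diff for well-known credential formats (the public AWS and GitHub token shapes, private-key headers, password/secret assignments) and for long high-entropy strings, using a constructed sample diff embedded below. The file path and values in the sample are made up; AKIAIOSFODNN7EXAMPLE is the example key from AWS documentation, not a live credential.

```python
"""Added example for policy 11.2(c) and (e): a secret scan over staged changes.
Sample diff is constructed; not Company code or Company data."""
import math
import re
import sys
from collections import Counter

# Public credential formats (these describe the shape of a token, not any real secret).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
# Candidate tokens for the entropy check: 20+ chars of base64/hex/identifier characters.
ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random base64 scores well above this


def shannon_entropy(s: str) -> float:
    """Bits per character; low for words and identifiers, high for random keys."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_diff(diff_text: str, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return (path, finding_type, offending_line) for each suspicious added line.
    Only '+' lines are examined: removed or context lines cannot introduce a secret."""
    findings = []
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")  # unified-diff target file header
            continue
        if not line.startswith("+"):
            continue
        content = line[1:]
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                findings.append((path, name, content.strip()))
                break
        else:
            for token in ENTROPY_TOKEN.findall(content):
                if shannon_entropy(token) >= threshold:
                    findings.append((path, "high_entropy_string", content.strip()))
                    break
    return findings


# Constructed sample: a developer replaces environment lookups with literals.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,4 +1,6 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "Tr0ub4dor&3-horse-staple"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+SESSION_SIGNING_KEY = "c2VjcmV0X3NpZ25pbmdfa2V5XzEyMzQ1Njc4OTA="
 DEBUG = False
"""


def main(diff_text: str) -> int:
    """Exit non-zero when anything is found, so a pre-commit hook blocks the commit."""
    findings = scan_diff(diff_text)
    for path, kind, text in findings:
        print(f"{path}: {kind}: {text}")
    return 1 if findings else 0


if __name__ == "__main__":
    # Hypothetical hook usage:  git diff --cached -U0 | python scan_secrets.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    sys.exit(main(data))
```

Wired in as a pre-commit hook it fails the commit before the secret leaves the workstation; the entropy threshold is a tuning knob (4.0 bits per character catches base64 and hex keys while passing ordinary identifiers and prose), and a scanner like this complements rather than replaces the rotation rule in 11.2(c), since a commit that slipped through review is already in history.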

11.3 Third-Party Code and Libraries

11.3.1 Employees must:

(a) Use only approved open-source libraries and components

(b) Review licenses before incorporating third-party code

(c) Keep dependencies updated to patch security vulnerabilities

(d) Scan third-party code for known vulnerabilities

(e) Not use code from untrusted or unknown sources


SECTION 12 - CONSEQUENCES OF POLICY VIOLATIONS

12.1 Disciplinary Action

12.1.1 Violations of this Information Security Policy may result in:

(a) Written warning for minor or first-time violations

(b) Suspension without pay for repeated violations

(c) Immediate termination for serious violations including:

  • Willful data breach or unauthorized disclosure
  • Installing malware or compromising systems
  • Theft or misuse of confidential information
  • Deliberate circumvention of security controls
  • Sharing credentials or unauthorized access

(d) Further action under the Disciplinary Action & Penalties Policy

12.2 Legal Consequences

12.2.1 Serious security violations may result in:

(a) Civil liability for damages caused to Company or clients

(b) Criminal prosecution under Information Technology Act, 2000

(c) Recovery of losses through salary deduction or legal action

(d) Termination of employment without notice period

(e) Legal action for breach of confidentiality or intellectual property theft

12.3 Financial Liability

12.3.1 Employees may be held financially liable for:

(a) Data breach costs caused by employee negligence

(b) Client penalties resulting from security incidents

(c) Forensic investigation and remediation costs

(d) Legal fees and regulatory fines

(e) Cost of compromised or lost Company devices


SECTION 13 - EMPLOYEE TRAINING AND AWARENESS

13.1 Mandatory Training

13.1.1 All employees must:

(a) Complete information security awareness training within first week of joining

(b) Complete annual refresher training

(c) Complete role-specific security training as assigned

(d) Pass security training assessments with minimum 80% score

(e) Stay updated on security threats and best practices

13.2 Ongoing Awareness

13.2.1 Employees shall:

(a) Read security alerts and advisories sent by IT Security

(b) Participate in security awareness campaigns

(c) Report security concerns proactively

(d) Share security knowledge with team members




Policy Reference: HR-POL-INFO-SEC

WebReinvent Technologies Private Limited

CIN: U74140DL2012PTC243099

Registered Office: Unit 606, 6th Floor, Tower 2
Capital Business Park, Sector 48
Gurugram, Haryana
Pin: 122018

Contact Information

Email: hrd@webreinvent.com

Legal & Grievance: we@webreinvent.com

Document Information

Version: 3.0

Effective Date: January 2, 2026

Reference: HR-POL-2026-001

© 2026 WebReinvent Technologies Private Limited. All Rights Reserved.

This document is confidential and proprietary. Unauthorized distribution is prohibited.