IT Policy

Last updated December 26, 2023

Introduction

Society of Digital Entrepreneurs (SODES) constantly endeavours to create digital empowerment and digital equity by providing digital access to information, knowledge and skills. SODES believes that, in the digital age, access to information and digital expertise is an essential requirement and should not lead to exclusion. SODES consistently focuses on adapting and optimizing its efforts to prioritize access to digital tools and technologies. SODES provides and maintains a variety of technological products, services and facilities to its employees for official use; these include Personal Computers (PCs), peripheral equipment, servers, telephones, Internet connectivity, and application software.

1. Purpose

The Information Technology (IT) Policy of the organization defines rules, regulations and guidelines for proper usage and maintenance of these technological assets to ensure their ethical and acceptable use and assure health, safety and security of data, products, facilities as well as the people using them.

Additionally, the policy provides direction on issues such as procurement, compliance, IT support, and addressing employee grievances related to technological assets and services utilized for office duties, besides addressing emerging technology-related aspects such as AI, machine learning, bots, etc.

2. Compliance

  • This policy applies to all individuals working at all levels and grades, including officers, employees (whether permanent, fixed-term or temporary), consultants, contractors, trainees, seconded staff, casual workers and agency staff, volunteers, interns, agents, sponsors, business partners, and third-party representatives, or any other person associated with us, wherever located who may be acting on behalf of SODES.
  • All employees are expected to comply with the IT Policy rules and guidelines while purchasing, using and maintaining any equipment or software purchased or provided by the organization.
  • Inappropriate use of equipment and software by an employee will be subject to disciplinary action as deemed fit by the Management of the organization.
  • Employees are required to promptly report any instances of misuse or improper use of equipment or software within the organization to their respective Reporting Manager(s).

3. Employee IT Training

  • All new employees will be facilitated with basic IT training and guidance about using and maintaining their Personal Computer (PC), peripheral devices and equipment in the organization, accessing the organization network and using application software.
  • Employees can request and/or the Management can decide to conduct an IT training on a regular or requirement basis.
  • A proper training completion certificate needs to be submitted by each employee.

4. IT Support

  • Employees requiring hardware or software installations or facing technological issues which cannot be resolved on their own are expected to get help from the IT Department by dropping a mail to the IT support email ID only.
  • Employees are expected to provide details of their issue or the help required in the IT support email.
  • For major issues such as PC replacement, non-functional equipment, installation of application software, and other significant technological matters, employees are required to inform the IT Department.
  • Approval from the Reporting Manager is necessary for PC replacements in the event of any damage to Personal Computers.
  • After communicating the issue, employees should expect a reply from the IT Dept. within 1 working day. If necessary, the IT Department may request the employee to submit the problematic equipment for inspection. Subsequently, the IT Department will provide a timeframe for repair, maintenance, troubleshooting, installations, or any other required work.
  • If no response is obtained in 3 working days, a complaint can be raised through an email to the employee’s Reporting Manager and IT Department Designated Staff.
  • Escalated issues/problems will be resolved on a first-come, first-served basis. However, the priority can be changed on request at the sole discretion of the designated team in the IT Department.
  • It is the responsibility of the IT Dept. to establish and maintain standard configurations of hardware and software for PCs owned by the organization. The standard can, however, be modified at any point in time as required by the IT Dept. Head in consultation with the Management Committee.
  • Employees are expected to undertake appropriate security measures as listed in the IT Policy.

5. Equipment Usage

The Equipment Usage policy provides guidelines to employees and managers regarding equipment procurement, organizational and project-level inventory management, allocation and transfer of equipment to employees, departments, or projects, and best practices for equipment usage and maintenance.

  • It is the responsibility of all employees to ensure careful, safe and judicious use of the equipment & other assets allocated to and/or being used by them.
  • Any observed malfunction, error, fault or problem while operating any equipment owned by the organization or assigned to you must be reported immediately to the designated staff in the IT Department.
  • Any repeated instances of improper or careless use, wastage of supplies, or any behavior compromising the safety or health of equipment and individuals will result in disciplinary action.

Inventory Management

  • The Procurement Dept. is responsible for maintaining an accurate inventory of all technological assets, software and tangible equipment acquired by the organization.
  • All technological assets of the organization must be physically tagged with codes for easy identification.
  • Detailed information about all technological assets provided to a specific department, project or center must be regularly maintained and updated in their respective Inventory Sheets with proper logs.
  • The IT Department will conduct periodic inventory audits to validate the inventory, ensuring that all assets are up-to-date and in optimal working condition.

Equipment Allocation, Deallocation

  • New employees may be assigned a personal computer (desktop or laptop) for office work on their Day of Joining, based on the specific requirements of their role.
  • If required, employees can request additional equipment or supplies, such as an external keyboard or mouse, from their Reporting Manager(s). Allocation of additional assets to an employee is solely at the discretion of the Reporting Manager(s).
  • Employees are prohibited from taking official electronic devices out of the office premises without prior permission from their Reporting Manager.
  • The responsibility for collecting all allocated organizational equipment and other assets from an employee who is leaving the organization lies with the Reporting Manager.
  • It is mandatory to update the Inventory Sheet after receiving back all allocated equipment. The received assets must then be returned to the Admin. Department.

6. Network Access

  • Employees are required to adhere to the security protocols outlined in the IT Policy, ensuring the implementation of appropriate security measures to safeguard organizational assets and data.
  • All PCs utilized within the organization are configured to connect to both the organization's Local Area Network and the Internet.
  • Network security is enabled in all PCs through Firewall, Web Security and Email Security.

7. Data Backup Procedure

The purpose of this procedure is to establish guidelines and best practices for the backup of data assets within SODES to ensure data integrity, availability, and recoverability in the event of data loss, corruption, or system failure.

This procedure applies to all employees, contractors, and third-party vendors who have access to SODES data assets and are responsible for the management, storage, and protection of such data.

Backup Schedule

Regular backups of critical data shall be performed according to the following schedule:

  • Daily Backups: Incremental backups of critical data shall be conducted daily to capture any changes since the last backup.
  • Weekly Backups: Full backups of critical data shall be performed weekly to ensure comprehensive data protection.
  • Monthly Backups: Full backups of all data shall be conducted monthly for archival purposes.

Data Classification

Classification levels may include:

  • Critical Data: Data essential for business operations and continuity.
  • Sensitive Data: Data subject to regulatory requirements or containing personally identifiable information (PII).
  • Non-Critical Data: Data that is not essential for immediate business operations.

Backup Methods

The following backup methods shall be employed based on the classification of data:

  • On-Site Backups: Regular backups shall be stored on-site using dedicated backup servers or network-attached storage (NAS) devices.
  • Off-Site Backups: Periodic backups shall be replicated to off-site locations to mitigate the risk of data loss due to disasters or physical damage to on-site infrastructure.
  • Cloud Backups: Critical data may be backed up to secure cloud storage services to provide an additional layer of redundancy and accessibility.

Encryption and Security

All backup data, whether stored on-site or off-site, shall be encrypted using industry-standard encryption algorithms to protect against unauthorized access or data breaches.

Testing and Verification

Regular testing and verification of backup systems shall be conducted to ensure the integrity and recoverability of backup data.

Documentation and Compliance

Comprehensive documentation of backup procedures, schedules, and configurations shall be maintained and regularly updated.

Backup processes shall comply with relevant regulatory requirements, industry standards, and best practices for data protection and retention.

  • Periodic restoration tests to verify the completeness and accuracy of backup data.
  • Validation of backup logs and reports to identify any anomalies or failures in the backup process.

8. Anti-Virus Software

Antivirus software shall be deployed on all endpoints connected to SODES' network, including:

  • Desktop computers
  • Laptops
  • Servers

Antivirus software shall be configured to:

  • Perform real-time scanning of files, emails, and web traffic to detect and block malware threats.
  • Schedule regular system scans to detect and remove any malware that may have evaded real-time detection.
  • Automatically update virus definitions and security patches to ensure protection against the latest threats.

9. Internet Usage Policy

This policy applies to all devices and systems connected to SODES' network, including desktop computers, laptops, mobile devices, servers, and any other endpoints accessing the internet through SODES' network infrastructure.

Internet access provided by SODES is intended for business-related activities, including but not limited to:

  • Conducting research relevant to job responsibilities.
  • Accessing corporate email, intranet, and collaboration tools.
  • Engaging in professional development and training activities.
  • Performing work-related communications and transactions.

Prohibited Activities

The following activities are strictly prohibited and may result in disciplinary action, including termination of employment or contract:

  • Accessing or distributing illegal or offensive material, including but not limited to pornography, hate speech, or pirated software.
  • Engaging in activities that violate copyright laws, intellectual property rights, or licensing agreements.
  • Participating in unauthorized or malicious activities, such as hacking, phishing, or malware distribution.
  • Using SODES' internet resources for personal gain or commercial purposes unrelated to work duties.
  • Sharing sensitive or confidential information without proper authorization and encryption measures.
  • Participating in social media activities not approved or allowed by the organization.

Security Measures

Users accessing the internet through SODES' network shall adhere to the following security measures:

  • Regularly update and patch software and operating systems to mitigate security vulnerabilities.
  • Use strong, unique passwords for accessing internet resources and avoid sharing passwords with unauthorized individuals.
  • Implement encryption protocols, such as HTTPS, when transmitting sensitive information over the internet.
  • Exercise caution when downloading files or clicking on links from unknown or suspicious sources to prevent malware infections or phishing attacks.

Monitoring and Logging

SODES reserves the right to monitor and log internet usage to:

  • Ensure compliance with this policy and other applicable policies and regulations.
  • Detect and investigate security incidents, unauthorized access, or misuse of internet resources.
  • Manage network bandwidth and performance to maintain optimal service levels for business-critical applications.

Reporting Violations

Users who become aware of any violations of this policy or suspicious internet activity are required to report such incidents promptly to the IT department or designated IT administrators and to their Reporting Manager.

Adherence to this policy is mandatory for all personnel with access to SODES' network infrastructure. Violations of this policy may result in disciplinary action, including warnings, suspension of internet privileges, termination of employment or contract, and legal action as appropriate.

10. Information Security Policy

SODES' information assets shall be classified into the following categories:

Confidential: Information that requires the highest level of protection due to its sensitive nature or potential impact on SODES' operations, reputation, or legal obligations.

Internal Use Only: Information intended for internal use within SODES and may be shared with authorized personnel on a need-to-know basis.

Public: Information that may be disclosed publicly without any restrictions or limitations.

Access Control

Access to SODES' information assets shall be granted based on the principle of least privilege, ensuring that users have access only to the information necessary to perform their job responsibilities. Access control measures shall include:

  • User authentication through strong passwords, multi-factor authentication (MFA), or biometric authentication where feasible.
  • Role-based access control (RBAC) to assign access rights and permissions based on job roles and responsibilities.
  • Regular review and audit of user access rights to ensure compliance with access control policies.

Data Protection

SODES shall implement appropriate technical and organizational measures to protect data against unauthorized access, disclosure, alteration, and destruction, including:

  • Encryption of sensitive data at rest and in transit using industry-standard encryption algorithms.
  • Regular data backups and off-site storage to ensure data integrity and availability in the event of data loss or system failure.
  • Implementation of data loss prevention (DLP) solutions to monitor and prevent unauthorized data exfiltration or leakage.

Network Security

SODES' network infrastructure shall be secured against unauthorized access and malicious activities through the implementation of:

  • Firewalls, intrusion detection/prevention systems (IDS/IPS), and network segmentation to control and monitor network traffic.
  • Secure configuration and hardening of network devices, including routers, switches, and access points, to minimize security vulnerabilities.
  • Continuous monitoring and logging of network activities to detect and respond to security incidents promptly.

Incident Response

SODES shall maintain an incident response plan to address and mitigate security incidents, including data breaches, unauthorized access, and malware infections. The incident response plan shall include:

  • Procedures for reporting security incidents to the appropriate authorities and stakeholders promptly.
  • Steps for containing and investigating security incidents to determine the cause and extent of the breach.
  • Protocols for notifying affected individuals, regulatory authorities, and other relevant parties as required by applicable laws and regulations.

Employee Training and Awareness

SODES shall provide regular training and awareness programs to educate employees, contractors and franchisees on information security best practices, including:

  • Recognizing and reporting security threats, such as phishing emails, social engineering attacks, and suspicious activities.
  • Understanding their roles and responsibilities in safeguarding SODES' information assets and complying with security policies and procedures.

11. Email Policy

This policy applies to all email accounts provided by SODES, including corporate email accounts, distribution lists, and mailing groups, accessed through SODES' email servers or cloud-based email services.

Usage

Email services provided by SODES are intended for business-related communications and shall be used in accordance with the following guidelines:

Email communications shall be professional, respectful, and courteous, adhering to SODES' code of conduct and workplace policies.

Confidentiality and Privacy

Users of SODES' email services shall:

  • Exercise caution when transmitting sensitive or confidential information via email, ensuring that such information is encrypted or password-protected where necessary.
  • Avoid sharing passwords, access credentials, or other sensitive information via email, as email communications are inherently vulnerable to interception and unauthorized access.

Security Measures

To ensure the security of email communications, SODES shall implement the following security measures:

  • Encryption: Sensitive email communications containing confidential or proprietary information shall be encrypted using secure encryption protocols (e.g., S/MIME, PGP).
  • Authentication: Users shall be required to authenticate their identities using strong passwords, multi-factor authentication (MFA), or digital certificates to access SODES' email services.
  • Anti-Phishing Measures: SODES shall implement anti-phishing measures, such as spam filters, email authentication protocols (e.g., SPF, DKIM, DMARC), and employee training programs to prevent phishing attacks and email spoofing.

Email Content

Users of SODES' email services shall:

  • Refrain from sending or forwarding chain letters, spam, or unsolicited commercial emails (UCE) that may disrupt or congest email traffic and violate anti-spam regulations.
  • Exercise caution when sending attachments or hyperlinks in email messages to prevent the spread of malware, viruses, or malicious content.

Email Retention and Archiving

Email retention policies shall include:

  • Regular backup and archiving of email data to preserve historical records and facilitate e-discovery in the event of litigation or regulatory investigations.
  • Automated deletion of outdated or redundant emails based on predefined retention periods and classification levels.

12. Software Usage Policy

Software Installation and Configuration

  • Installation of software on SODES' computing devices shall be performed by authorized IT personnel or individuals trained in software deployment procedures.
  • Prior to installation, software must undergo a thorough review to assess compatibility with existing systems, potential security risks, and licensing requirements.
  • Default installation settings shall be configured to ensure optimal performance, security, and compliance with SODES' IT standards and policies.

Software Usage and Restrictions

  • Software installed on SODES' computing devices shall be used solely for legitimate business purposes and in accordance with the terms of the software license agreements.
  • Unauthorized duplication, distribution, or sharing of software licenses or installation media is strictly prohibited.
  • Users shall not modify, reverse-engineer, or tamper with software code or settings without proper authorization from IT management.

Unlicensed Software and Audits

Use of unlicensed or unauthorized software within SODES' computing environment is strictly prohibited and may result in disciplinary action, including termination of employment or contract.

SODES reserves the right to conduct periodic audits and software asset management reviews to ensure compliance with software licensing agreements and detect instances of unauthorized software usage.

Software Registration

  • Software licensed or purchased by the organization must be registered in the name of the organization with the Job Role or Department in which it will be used, and not in the name of an individual.
  • After proper registration, the software may be installed as per the Software Usage Policy of the organization. A copy of all license agreements must be maintained by the IT Dept.
  • After installation, all original installation media (CDs, DVDs, etc.) must be safely stored in a designated location by the IT Dept.

Compliance to IT Act and other regulatory directions

SODES will always adhere to Government of India Acts, Rules and Guidelines regarding information technology and related areas. SODES will also strictly follow the prescriptions of partner organizations (both national and international) as contained in the agreements signed with them.