Security Policy

At Sapoto, we prioritize the security of our systems, data, and customer information. This Security Policy outlines the principles and practices we implement to safeguard against security threats and ensure the integrity and confidentiality of our data.

1. Purpose and Scope

The purpose of this Security Policy is to protect Sapoto's information assets from all threats, whether internal or external, deliberate or accidental. This policy applies to all employees, contractors, and third parties who have access to Sapoto's systems and data.

2. Roles and Responsibilities

Information Security Officer (ISO): The ISO is responsible for overseeing the implementation of this policy, managing security risks, and ensuring compliance with relevant laws and regulations.

Employees and Contractors: All individuals with access to Sapoto's systems must adhere to this policy, report any security incidents, and participate in security training programs.

3. Access Control

User Access Management: Access to Sapoto's systems and data is restricted based on the principle of least privilege. User access rights are regularly reviewed and adjusted as necessary.

Authentication: Strong authentication methods, such as multi-factor authentication (MFA), are required for accessing sensitive systems and data.

4. Data Protection

Data Classification: Sapoto classifies data according to its sensitivity and applies appropriate security controls based on the classification.

Encryption: Sensitive data, both at rest and in transit, must be encrypted using industry-standard encryption methods.

Data Backup: Regular backups are performed to ensure data availability and integrity. Backups are securely stored and periodically tested for restoration.

5. Network Security

Firewalls and Intrusion Detection Systems (IDS): Firewalls and IDS are implemented to monitor and protect the network from unauthorized access and malicious activities.

Network Segmentation: Critical systems and data are segregated from less sensitive areas of the network to reduce the risk of unauthorized access.

6. Incident Response

Incident Reporting: All security incidents must be promptly reported to the Information Security Officer.

Incident Management: Sapoto has an established incident response plan to manage and mitigate the impact of security incidents. This includes steps for containment, investigation, eradication, and recovery.

7. Physical Security

Facility Security: Access to Sapoto's facilities is controlled and monitored to prevent unauthorized entry.

Equipment Security: Hardware and equipment are secured against theft, damage, and unauthorized access.

8. Third-Party Security

Vendor Management: Third-party vendors with access to Sapoto's systems and data must comply with Sapoto's security standards and undergo regular security assessments.

Contracts and Agreements: Security requirements are incorporated into contracts with third-party vendors to ensure they maintain adequate security controls.

9. Compliance and Auditing

Regulatory Compliance: Sapoto complies with applicable laws, regulations, and industry standards related to information security.

Audits: Regular security audits and assessments are conducted to evaluate the effectiveness of security controls and identify areas for improvement.

10. Security Awareness and Training

Training Programs: All employees and contractors are required to participate in regular security training to stay informed about current threats and best practices.

Awareness Campaigns: Sapoto conducts ongoing awareness campaigns to promote a security-conscious culture within the organization.

11. Policy Review and Updates

This Security Policy is reviewed annually or whenever significant changes occur in the organization or regulatory environment. Updates to the policy are communicated to all relevant parties.

12. Contact Information

For questions or concerns regarding this Security Policy, please contact the Information Security Officer at helpdesk@sapoto.in.