ISMS Policy Statement [PDF]


Information Security Management Policy [Team 4 – Federal Bank]

Submitted By

Aswath.A.C - CB.BU.P2MBA19032
Dharunanand.R - CB.BU.P2MBA19049
Dinesh Kalro - CB.BU.P2MBA19050
Jeevarathinam B - CB.BU.P2MBA19065
Marcus Raja R - CB.BU.P2MBA19089
Pavithra.S - CB.BU.P2MBA19107
Ranjeeta R Iyer - CB.BU.P2MBA19125

[Team 4]

[Federal Bank]

[Confidential]

Objectives

The objective of this information security policy is to prescribe mechanisms that will assist in identifying, preventing, detecting, and correcting the compromise and misuse of the Federal Bank’s information and Information Technology infrastructure.

Information Security Policy Statement

The Bank’s information systems and the business information therein are assets of strategic and commercial value. They are fundamental to efficient business continuity. Federal Bank Ltd shall implement controls to ensure the confidentiality, integrity and availability of the information and information processing assets of our customers and our Bank by deploying appropriate people, technology and processes.

• Information assets and IT assets are protected against unauthorized access.
• Information is not disclosed to unauthorized persons through deliberate or careless action.
• Information is protected from unauthorized modification.
• Information is available to authorized users when needed.
• Applicable regulatory and legislative requirements are met.
• Disaster recovery plans for IT assets are developed, maintained and tested as far as practicable.
• Information security training is imparted to all users; those who gain knowledge of personal data must receive training and instruction in how to process personal data.
• Any breach of information security is reported and investigated by authorized persons, including the System Administrator and Incident Investigator.
• Violations of policies are dealt with through disciplinary action.


Under this policy:

• All managers are directly responsible for implementing the policy and ensuring staff compliance in their respective departments.
• Compliance with the information security policy is mandatory.
• All breaches of information security, actual or suspected, will be reported to and investigated by authorized persons, including the System Administrator and Incident Investigator.

This Policy has been approved by CEO, Federal Bank and is subject to periodic changes and will be posted on our website. All suggestions are welcomed on this policy and can be mailed to [email protected]


INFORMATION SECURITY POLICY STATEMENT

Information is an important business asset of significant value to the company and needs to be protected from threats that could potentially disrupt business continuity. This policy has been written to provide a mechanism to establish procedures to protect against security threats and minimise the impact of security incidents. The Chief Executive has approved the Information Security Policy.

The purpose of this Policy is to protect the company’s information assets from all threats, whether internal or external, deliberate or accidental. The Policy Scope covers Physical Security and encompasses all forms of Information Security such as data stored on computers, transmitted across networks, printed or written on paper, stored on tapes and diskettes or spoken in conversation or over the telephone.

All managers are directly responsible for implementing the Policy within their business areas, and for adherence by their staff. It is the responsibility of each employee to adhere to the policy. Disciplinary processes will be applicable in those instances where staff fail to abide by this security policy.

IT IS THE POLICY OF THE COMPANY TO ENSURE THAT:

• Information will be protected against unauthorised access.
• Confidentiality of information is assured.
• Integrity of information is maintained.
• Regulatory and legislative requirements regarding Intellectual property rights, Data protection and privacy of personal information are met.
• Business Continuity plans will be produced, maintained and tested.
• Staff receive sufficient Information Security training.
• All breaches of information security, actual or suspected, are reported and investigated by the Security Policy Review Team.

Signed: __________________________________________________________________

Title: __________________________________________ Date: __________________________

This template security policy has been produced by sitehelpdesk.com Ltd. It is made freely available to copy and edit to meet your specific requirements. More information about sitehelpdesk.com products and services is available at http://www.sitehelpdesk.com


Information Security and Privacy at Airtel

Safeguarding customer privacy, and ensuring security of data across its operations, lines of business and supply chain, is a key focus area for Airtel. This is not just to ensure legal and regulatory compliance, but to reinforce the trust that our customers and other stakeholders have placed in us.

To ensure that the privacy of information is maintained during the entire information lifecycle, we have implemented robust internal systems and checks. This is encapsulated in the comprehensive Bharti Airtel Information Privacy Policy, which contains management direction and guidelines to ensure privacy of personal information collected by Airtel so that information is handled in accordance with the appropriate laws, regulations and contractual obligations.

The Policy is owned by the Chief Information Security Officer and approved by the Airtel Management Board, and is embedded in the risk/compliance management system at Airtel. It is applicable to all employees of Airtel and third parties including suppliers, who have access to information of customers, employees and vendors. We have identified different stakeholders and assigned accountability for relevant clauses of the Policy that fall within their area of responsibility.

We are certified against global standards such as ISO27001 and ISO22301, and have adopted the NASSCOM-DSCI Privacy Framework (DPF) to protect the privacy of personal information from unauthorized use, disclosure, modification, or misuse, which allows us to identify critical customer information and ensure adequate measures to safeguard it.

To ensure compliance with the Policy, we conduct periodic internal and external audits of various functions. Information moving within and across the boundaries of our organization is effectively monitored in real-time for any breach in company policy. Any non-compliance is immediately escalated and investigated.

The Circle Information Security Council (CISC) recommends disciplinary actions against employees, partners or third parties involved in privacy breaches. Having zero tolerance towards the breach, strict actions, like separation from services and/or police complaints, are initiated against the individuals. Non-compliance of any third party with the privacy practices followed at Airtel is ground for disciplinary actions up to and including termination of the contract. As per the policy, the Third party is required to establish a procedure to ensure that the associates are made aware of their personal liability of personal information and that any deviation to the policy may lead to the associate’s services being discontinued/terminated.

Airtel has also established an efficient Fraud Management Program driven by revenue assurance and fraud management experts, which makes use of highly sophisticated and evolved tools and processes to detect and prevent the occurrence of fraud.

Airtel associates with Law Enforcement Agencies (LEA) to support investigations by provision of customer information and complying with all requests as per regulatory norms. We work with industry, government, law enforcement and community organizations to help our customers understand and manage the risks associated with the online world. We support a range of government initiatives to raise awareness, and provide online education and guidance.

Some of the measures undertaken in the last few years include:

• Working with CERT-In to resolve cyber incidents and malware infections
• Upgrading technology constantly to reduce threat exposures
• Associating with Law Enforcement Agencies (LEA) to support investigations
• Actively participating in multiple national level working groups and numerous international forums on internet safety and cyber security

Information Security Management System Policy Statement

The purpose of this policy is to protect, preserve and manage the confidentiality, integrity and availability of information and all supporting business processes, systems and applications. This policy sets out the principles required to protect Playfords information assets from threats, whether internal or external, deliberate or accidental.

This policy applies to, and is mandatory for, all Playfords personnel. All references made to personnel in this policy include Playfords employees, whether full or part-time, contractors and third-party personnel.

All personnel, regardless of their role, are responsible for conducting their work in a manner that protects the security of Playfords information. This includes adhering to the following information security principles:

• Information, and the supporting business processes, systems and applications, will be protected by implementing appropriate controls to preserve their confidentiality, integrity and availability.
• Risks to information will be actively identified and managed as per the Hedley Solutions Risk Management Framework and in context of the overall business risks.
• Physical and logical access to information is restricted to authorised users. The access to information will be monitored on an ongoing basis.
• Appropriate business continuity and disaster recovery plans are in place. The plans will be tested periodically.
• Third parties with authorisation to access Playfords information assets will be made aware of their responsibilities with regards to information security and the protection of information.
• Awareness of information security will be provided to all personnel on a regular basis.
• Information security incidents (both suspected and actual) will be reported immediately to the Networks Department or Quality & Information Security Manager.
• All personnel will comply with all relevant legal and regulatory requirements related to information security, including but not limited to the Data Protection Act 1998.
• Supporting information security policies are in place to ensure the principles above are achieved.

All Managers are directly responsible for implementing the policy within their business areas, and for adherence by their staff. It is the responsibility of each employee to adhere to the Information Security Management System Policy.

This policy will be reviewed annually at The Management Review.

Last reviewed date: 25th June 2014

ALAN TUOHY Managing Director

Saved on 25/09/2014 09:24:00 | Current on 25/09/2014 09:24:00 | Information Security Management System Policy Statement | Playfords

INFORMATION SECURITY POLICY STATEMENT

BAI Communications designs, builds and operates highly available communications networks – broadcast, radio, cellular, Wi-Fi, digital – for our customers across the globe.

The objective of this Information Security Policy Statement is to ensure that BAI Communications (BAI) and its companies deliver a consistently high level of information security throughout its business groups. BAI is committed to implementing and maintaining compliance with ISO 27001, and to continuous, practical improvement of our information security practices. This will help maintain our reputation in the industry and meet our legal/regulatory and customers’ requirements.

BAI Communications commits to:

• Clearly understanding the requirements and expectations of our customers and relevant regulatory authorities
• Working closely with our customers and suppliers to deliver services in a security conscious fashion
• Ensuring every employee shares responsibility for effective information security
• Protecting its people, information, intellectual property, assets, activities and facilities against misuse, loss, damage, disruption, interference, espionage, or unauthorised disclosure. It is also critical that we retain the confidence of those who entrust sensitive information to BAI Communications.
• Developing and maintaining security policies and controls designed to meet the requirements of ISO 27001. The policy statements contained in our Information Security Policy (ISP), procedures, guidelines, and standards, reflect the minimum requirements necessary to maintain an acceptable standard for protecting our information assets and, at the same time, our reputation.
• Implement an Information Security Management System (ISMS) and ensure it is maintained, continually improved, and supported with adequate resources to achieve the objectives set in this Policy Statement.

Our approach to achieving these objectives is to enhance information security through investment in technology, processes, and employee skills. This will improve the way we both manage our business and deliver services to our customers.

Underpinning our approach to information security is the Group Risk Management Framework which allows the business to present threats, risks, and opportunities for management review. This allows the BAI leadership team (including the Audit and Risk Committee and the Board) to ensure the risk profile of the business is accurate and that risk mitigation efforts are focused on appropriately supporting strategic outcomes.

This policy statement shall be easily accessible to all staff and available on the BAI Communications intranet. It is also available for public viewing on the web at www.baicommunications.com.

Each member of staff is asked to take particular care in their approach to security and to accept the important role they play in maintaining an effective information security program throughout BAI Communications.

Effective: 30th day of June 2017

Jim Hassell Group Chief Executive Officer, BAI Communications

BAI Communications comprises:
BAI Communications Pty Limited ABN 99 086 048 562
BAI Critical Communications Pty Limited ACN 133 800 129

bai communications | Information Security Policy Statement

Privacy Policy Template

How to use this template

The information in this template provides some base content for you to use and modify with information that relates to your specific privacy policy. Follow the steps below:

1. Replace the bold items in square brackets with your business information
2. Update content to align with your business's privacy policy
3. Create or update the privacy policy page on your website using the updated text.


Privacy Policy

[Your business name] is committed to providing quality services to you and this policy outlines our ongoing obligations to you in respect of how we manage your Personal Information. We have adopted the National Privacy Principles (NPPs) contained in the Privacy Act 1988 (Cth) (the Privacy Act). The NPPs govern the way in which we collect, use, disclose, store, secure and dispose of your Personal Information. A copy of the Australian Privacy Principles may be obtained from the website of The Office of the Federal Privacy Commissioner at www.privacy.gov.au.

What is Personal Information and why do we collect it?

Personal Information is information or an opinion that identifies an individual. Examples of Personal Information we collect include: names, addresses, email addresses, phone and facsimile numbers.

This Personal Information is obtained in many ways including [interviews, correspondence, by telephone and facsimile, by email, via our website www.yourbusinessname.com.au, from your website, from media and publications, from other publicly available sources, from cookies- delete all that aren’t applicable] and from third parties. We don’t guarantee website links or policy of authorised third parties.

We collect your Personal Information for the primary purpose of providing our services to you, providing information to our clients and marketing. We may also use your Personal Information for secondary purposes closely related to the primary purpose, in circumstances where you would reasonably expect such use or disclosure. You may unsubscribe from our mailing/marketing lists at any time by contacting us in writing.

When we collect Personal Information we will, where appropriate and where possible, explain to you why we are collecting the information and how we plan to use it.

Sensitive Information

Sensitive information is defined in the Privacy Act to include information or opinion about such things as an individual's racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record or health information.

Sensitive information will be used by us only:

• For the primary purpose for which it was obtained
• For a secondary purpose that is directly related to the primary purpose
• With your consent; or where required or authorised by law.

Third Parties

Where reasonable and practicable to do so, we will collect your Personal Information only from you. However, in some circumstances we may be provided with information by third parties. In such a case we will take reasonable steps to ensure that you are made aware of the information provided to us by the third party.

Disclosure of Personal Information

Your Personal Information may be disclosed in a number of circumstances including the following:

• Third parties where you consent to the use or disclosure; and
• Where required or authorised by law.

Security of Personal Information

Your Personal Information is stored in a manner that reasonably protects it from misuse and loss and from unauthorized access, modification or disclosure. When your Personal Information is no longer needed for the purpose for which it was obtained, we will take reasonable steps to destroy or permanently de-identify your Personal Information. However, most of the Personal Information is or will be stored in client files which will be kept by us for a minimum of 7 years.

Access to your Personal Information

You may access the Personal Information we hold about you and update and/or correct it, subject to certain exceptions. If you wish to access your Personal Information, please contact us in writing. [Your business name] will not charge any fee for your access request, but may charge an administrative fee for providing a copy of your Personal Information. In order to protect your Personal Information we may require identification from you before releasing the requested information.


Maintaining the Quality of your Personal Information

It is important to us that your Personal Information is up to date. We will take reasonable steps to make sure that your Personal Information is accurate, complete and up-to-date. If you find that the information we have is not up to date or is inaccurate, please advise us as soon as practicable so we can update our records and ensure we can continue to provide quality services to you.

Policy Updates

This Policy may change from time to time and is available on our website.

Privacy Policy Complaints and Enquiries

If you have any queries or complaints about our Privacy Policy please contact us at:

[Your business address]
[Your business email address]
[Your business phone number]


Information Security Policy Outline

RHM Telecommunications processes customer personal information on a daily basis. This information must have adequate safeguards in place to ensure its safety and integrity for the benefit of both the customer and the company. RHM Telecommunications commits to respecting the privacy of all its customers and to protecting any information about customers from outside parties. To this end management are committed to maintaining a secure environment in which to process this information so that we can meet these promises.

Employees handling customer information should ensure:

• All customer information is handled in a manner that is appropriate for the content
• They do not disclose customer information unless authorised
• They take all necessary steps to protect sensitive customer information
• They keep passwords and accounts secure
• They request approval from management prior to installing or configuring any new software or hardware, third party connections, modems, wireless access points etc
• Information security incidents are reported, without delay, to the relevant line manager or directly to the DPO

Everyone has a responsibility for ensuring the company’s systems and data are protected from unauthorised access and improper use.

Information Security Policy Statement

APS Group’s senior management recognises the importance of developing and implementing an Information Security Management System (ISMS) to protect business information assets within APS Group from all threats, whether internal or external, deliberate or accidental, and also to demonstrate the commitment we have towards our customers’ information security.

APS Group’s ISMS programme is founded on the international standard BS ISO/IEC 27001:2013, published by the BSI, which came into effect Sept 2013. The APS Group ISMS control documents have been produced to define requirements for a management systems approach to information security management, based on industry best practices. The framework for setting Information Security objectives has been established and documented within the APS Group ISMS manual.

It is the objective of APS Group to ensure that information is only accessible to authorised persons from within or outside the company and minimise damage by preventing and reducing the impact of security incidents. Confidentiality, Integrity and Availability of information is maintained throughout business functions and processes.

APS Group has established a risk assessment methodology to identify and control the security of business information meeting legal, regulatory and contractual requirements. Demonstration of successful implementation of this management system will assure all interested parties to the business that an appropriate and effective information security management system is in place.

These specific requirements for setting up and managing an effective information security management system emphasise APS Group’s commitment to:

• understanding information security needs and the necessity of establishing policy and objectives for information security;
• implementing and operating controls and measures for managing the organisation’s overall information security risk;
• monitoring and reviewing the performance and effectiveness of the ISMS; and
• continual improvement based on objective measurement.

It is the policy of APS Group to conduct a management review of the ISMS annually or when significant changes take place to ensure the system meets the requirements of all stakeholders and compliance to the ISO 27001 standard.

John Holmes - Executive Director - has overall responsibility for maintaining this Policy and providing guidance on its implementation. All managers are directly responsible for ensuring that policies and procedures are followed within their business areas. It is the responsibility of each employee to adhere to the business ISMS policies and procedures.

Signed: (Nick Snelson, Managing Director)
Date: 25th June 2020

ISMS PS-v4.2 25/006/2020 CLASSIFICATION: Level 0 - PUBLIC

INFORMATION SECURITY MANAGEMENT POLICY STATEMENT

Information Security Management is an integral part of ESAF’s commitment to provide sustainable and secure service to its customers. We strive to achieve confidentiality and integrity of all kinds of information we disseminate, produce, manage and save through state of the art procedures. This policy aims to protect and safeguard our information assets from internal, external, deliberate and accidental threats. For this we shall ensure:

1. Integrity of all business processes, information assets, and supporting IT assets and processes of ESAF, through protection from unauthorized modification, guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
2. Availability of all business processes, information assets, and supporting IT assets and processes to authorized users when needed, ensuring timely and reliable access to and use of information.
3. Confidentiality of all information assets (information is not disclosed to unauthorized persons through deliberate or careless action). Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
4. Continuous improvement of the information security management system to keep up with ESAF’s promise of security to its customers.
5. Comply with the laws, regulations and contractual obligations which are applicable to the organization in general and in particular to its ISMS.
6. Work force members complete an annual information security and privacy awareness and training program. As part of this program, additional role-based training will be provided to the workforce, before they start handling sensitive and confidential information.

Under this policy,

• Administrative access to systems is limited to Workforce Members who have a legitimate business need for this type of access.
• Administrative access to network devices is logged.
• All breaches of information security, whether actual or suspected, will be reported to and hence investigated by Authorized personnel.
• A Security Operations Center shall be established for security monitoring of logs of critical IT Assets as per guidelines issued by the RBI.
• Audits shall be conducted to ensure compliance with the information security policies, procedures and guidelines with managers making sure that all employees in their respective branches are aware and complying with the policy.
• Information security documents not limited to policies, procedures and guidelines are available in both online and offline format for quick reference.

Any workforce member found to have violated this policy may be subject to disciplinary and/or legal action according to the Sanction policy.

This policy has been approved by the Board of Directors, ESAF and is subject to periodic changes and will be posted on the official bank website. All suggestions and remarks regarding the policy can be sent to: [email protected]

BHARTI AIRTEL LTD. INFORMATION SECURITY POLICY STATEMENT

Airtel prides itself as being a leader in the Telecommunications industry. As part of this, we recognise that we have a responsibility to protect all of the data we hold or process, whether it belongs to Airtel, our employees, partners, customers, or suppliers. By protecting this data, we can ensure that we maintain our reputation as a trusted employer and partner, enabling us to grow as a business and deliver exceptional service to our customers.

Safeguarding customer privacy, and ensuring security of data across its operations, lines of business and supply chain, is a key focus area for Airtel. This is not just to ensure legal and regulatory compliance, but to reinforce the trust that our customers and other stakeholders have placed in us. Confidentiality, Integrity and Availability of information in Information Security Management are integral parts of its management function and view these as their primary responsibility and fundamental to best business practice.

The objective of this Information Security Policy Statement is to ensure that Airtel and its companies deliver a consistently high level of information security throughout its business.

Airtel is certified against global standards such as ISO27001 and ISO22301, and has adopted the NASSCOM-DSCI Privacy Framework (DPF) to protect the privacy of personal information from unauthorized use, disclosure, modification, or misuse, which allows us to identify critical customer information and ensure adequate measures to safeguard it.

To ensure compliance with the policy, we conduct periodic internal and external audits of various functions. Information moving within and across the boundaries of our organization is effectively monitored in real-time for any breach in company policy. Any non-compliance is immediately escalated and investigated.

The Circle Information Security Council (CISC) recommends disciplinary actions against employees, partners or third parties involved in privacy breaches. Airtel has also established an efficient Fraud Management Program driven by revenue assurance and fraud management experts, which makes use of highly sophisticated and evolved tools and processes to detect and prevent the occurrence of fraud and data loss.

Airtel commits to:

• Clearly understanding the requirements and expectations of our customers and relevant regulatory authorities
• Working closely with our customers and suppliers to deliver services in a security conscious fashion
• Ensuring every employee shares responsibility for effective information security
• Protecting its people, information, intellectual property, assets, activities and facilities against misuse, loss, damage, disruption, interference, espionage, or unauthorised disclosure. It is also critical that we retain the confidence of those who entrust sensitive information to Airtel.
• Developing and maintaining security policies and controls designed to meet the requirements of ISO 27001. The policy statements contained in our Information Security Policy (ISP), procedures, guidelines, and standards, reflect the minimum requirements necessary to maintain an acceptable standard for protecting our information assets and, at the same time, our reputation.
• Implement an Information Security Management System (ISMS) and ensure it is maintained, continually improved, and supported with adequate resources to achieve the objectives set in this Policy Statement.

Our approach to achieving these objectives is to enhance information security through investment in technology, processes, and employee skills. This will improve the way we both manage our business and deliver services to our customers and also allows the Airtel leadership team (including the Audit and Risk Committee and the Board) to ensure the risk profile of the business is accurate and that risk mitigation efforts are focused on appropriately supporting strategic outcomes.

The Executive Board fully supports the information security management system and require all our staff, whether permanent or temporary, partner organisations, suppliers and contractors to do the same.

Airtel shall ensure that the review of the Information Security Policy and related documents is performed at least on an annual basis or when significant changes occur to ensure suitability, adequacy, and effectiveness of the ISMS framework.

Effective: 15th October 2020

Gopal Vittal, Chief Executive Officer, Airtel

Bharti Airtel Limited – Enterprise (Corporate), A-4, Sector-10, Noida, Uttar Pradesh

Airtel | Information Security Policy Statement | Public

INFORMATION SECURITY MANAGEMENT POLICY STATEMENT

SpiceJet Ltd is India's best low-cost airline delivering the lowest airfares with the highest consumer value. SpiceJet is headquartered in Gurgaon, Haryana and is the second-largest airline in the country by the number of domestic passengers carried.

The objective of this Information Security Policy Statement is to ensure that SpiceJet delivers a consistently high level of information security throughout its business groups. It is committed to implementing and maintaining compliance with ISO 27001, and to the continuous, practical improvement of our information security practices. This will help maintain our reputation in the industry and meet our legal/regulatory and customers’ requirements.

SpiceJet commits to:

● Clearly understanding the requirements and expectations of our customers and relevant regulatory authorities
● Working closely with our customers and suppliers to deliver services in a security-conscious fashion
● Ensuring every employee shares responsibility for effective information security.
● Implement an Information Security Management System (ISMS) and ensure it is maintained, continually improved, and supported with adequate resources to achieve the objectives set.
● Protecting its people, information, intellectual property, assets, activities and facilities against misuse, loss, damage to retain the confidence of various stakeholders.
● Maintain an effective Information Security Management System.
● Deploy the most appropriate technology and infrastructure.
● Create and maintain a security-conscious culture within Information Services; and
● Continually monitor and improve the effectiveness of the Information Security Management System.
● Implement continual improvement initiatives, including risk assessment and risk treatment strategies

Under this policy:

● It applies to all officers and staff of SpiceJet, employees, and third party employees under contract, who have any access to, or involvement with, the business processes, information assets, and supporting IT assets and processes covered under the scope of ISMS
● All personnel, even if not included in the scope of ISMS, have a responsibility for reporting security incidents and identified weaknesses, and contribute to the protection of business processes, information assets, and resources of SpiceJet.

This policy statement shall be easily accessible to all staff and available on the SpiceJet intranet. It is also available for viewing on the web at https://www.spicejet.com

The policy has been approved by the Directors and is reviewed annually to ensure its continuing suitability, adequacy, and effectiveness.

Information security management policy statement Version 1.0 - 15/10/2020

SpiceJet