Bharti Infratel Third Party Security Policy

Bharti Infratel Limited
Policy – Abridged Bharti Infratel Third Party Security Policy-ISBC-40-V1
Version: 1    Date: 30th October 2012



Abridged Bharti Infratel Third Party Security Policy

Version 1.0


Document Control

Document No.: 40
Document Name: Policy – Abridged Bharti Infratel Third Party Security Policy-ISBC-40-V1
Version: 1.0
Date of Release: 30th October 2012

                  Name                        Function / Designation                            Signature
Prepared by       Mr. Rajesh Mittal           Information Security Management Representative
Process Owner     Mr. Prashant Veer Singh     Chief Information Security Officer
Reviewed by       Mr. Prashant Veer Singh     Chief Information Security Officer
                  Mr. Devender Singh Rawat    Chief Executive Officer

Document Change Approvals

Version No.   Revision Date   Nature of Change   Date Approved   Approved by
1             -               -                  -               -
2             -               -                  -               -


Index

1. Bharti Infratel Third-party Security Policy (BITSP - 001)
   1.1. Introduction
   1.2. Scope
   1.3. Policy Statement and Objective
   1.4. Disciplinary Measures for Non-Compliance
   1.5. Exceptions
2. Information Security Organisation Policy (BITSP – 002)
   2.1. Introduction
   2.2. Policy Statement and Objective
   2.3. Sub-Contractors
3. Asset Management Policy (BITSP – 003)
   3.1. Introduction
   3.2. Policy Statement and Objective
   3.3. Asset Register
   3.4. Asset Management Responsibilities
   3.5. Information Asset Classification
4. Human Resources Security Policy (BITSP - 004)
   4.1. Introduction
   4.2. Policy Statement and Objective
   4.3. During Recruitment
   4.4. During Employment
   4.5. Termination or Change of Employment Responsibility
5. Physical and Environmental Security Policy (BITSP – 005)
   5.1. Introduction
   5.2. Policy Statement and Objective
   5.3. Secure Areas
   5.4. Equipment Security
6. Communication and Operations Management Policy (BITSP – 006)
   6.1. Introduction
   6.2. Policy Statement and Objective
   6.3. Operational Procedures and Responsibilities
   6.4. Sub-Contractor Service Delivery Management
   6.5. System Planning and Acceptance
   6.6. Protection against Malicious and Mobile Code
   6.7. Back-up
   6.8. Network Security Management
   6.9. Media Handling
   6.10. Exchange of Information
   6.11. Electronic Commerce Services
   6.12. Monitoring
7. Access Control Policy (BITSP – 007)
   7.1. Introduction
   7.2. Policy Statement and Objective
   7.3. User Access Management
   7.4. User Responsibilities
   7.5. Network Access Control
   7.6. Operating System Access Control
   7.7. Application and Information Access Control
   7.8. Mobile Computing and Teleworking
8. Information Systems Acquisition, Development & Maintenance Policy (BITSP – 008)
   8.1. Introduction
   8.2. Policy Statement and Objective
   8.3. Security Requirements of Information Systems
   8.4. Correct Processing in Applications
   8.5. Cryptographic Controls
   8.6. Security of System Files
   8.7. Security in Development and Support Processes
   8.8. Technical Vulnerability Management
9. Information Security Incident Management Policy (BITSP – 009)
   9.1. Introduction
   9.2. Policy Statement and Objective
   9.3. Security Incident Identification
   9.4. Reporting Information Security Events and Weaknesses
   9.5. Security Incident Response, Recovery and Improvements
10. Business Continuity Management Policy (BITSP – 010)
   10.1. Introduction
   10.2. Policy Statement and Objective
   10.3. Information Security Aspects of Business Continuity Management
11. Compliance Policy (BITSP – 011)
   11.1. Introduction
   11.2. Policy Statement and Objective
   11.3. Compliance with Legal Requirements
   11.4. Information Systems Audit Considerations


1. Bharti Infratel Third-party Security Policy (BITSP - 001)

1.1. Introduction

In a rapidly expanding telecom and telecom passive infrastructure market, it is almost impossible to deliver services to customers and value to stakeholders without the collaboration of third parties. Today, third parties are extended members of the value chain of Bharti Infratel Limited (hereafter referred to as Bharti Infratel). This calls for improving Bharti Infratel’s relationship with third parties, particularly in the area of information security.

Given the potential for increased information security lapses on the part of third parties, a stringent Bharti Infratel Third-party Security Policy (hereafter referred to as the BITSP in this document) is framed to help Bharti Infratel insulate itself from the risks that are likely to arise from such relationships. The foundation on which the BITSP is based is “trust but verify stringently”.

Accordingly, there is a need to involve information security ‘before’, ‘during’ and ‘after’ the relationships with third parties are established, and to impose strict security standards and practices on third parties in line with the Bharti Infratel Information Security Policy (BIISP). There is also a need to ensure that these third parties communicate the effectiveness of their information security controls by obtaining security certifications such as ISO 27001:2005 and/or by having an independent body review their information security and privacy practices against the BIISP.


1.2. Scope

The Bharti Infratel Third-party Security Policy (BITSP) is applicable to all Third-parties providing services to Bharti Infratel.

Definition of ‘Third-party’: For the purposes of this document, a ‘Third-party’ is a service provider/vendor who associates with Bharti Infratel and is involved in handling, managing, storing, processing and transmitting information of Bharti Infratel. The Third-party could be a service provider/vendor of the kinds listed below, but is not limited to these:

• Diesel Filler Vendors (e.g. Pratap, Perigreen);
• Physical Security Vendor (e.g. CheckMate);
• Equipment Suppliers (e.g. Mahindra, ACME, Bluestar);
• IT Equipment Suppliers (e.g. AGC, Lenovo, Sony);
• IT Services Vendor (e.g. IBM, AES, AGC Networks);
• Site Built-up Services Vendor (e.g. TVSICS, Emerson, Punj Lloyd);
• Liaisoning Services Vendor (e.g. TVSICS);
• Non-conventional Energy Suppliers (e.g. AST, KMR, OMC);
• Management Consulting/Manpower Service Provider (e.g. Adecco, E&Y, Protiviti);
• Office Admin Services (e.g. CBRE);
• Equipment Services Vendor (e.g. AMCs).

This definition also includes all sub-contractors, consultants and/or representatives of the Third-party.

The BITSP is applicable across all geographies where information of Bharti Infratel is processed and/or stored by the Third-party.

Policy Owner

The owner of the BITSP is the Chief Information Security Officer (hereinafter referred to as CISO in this document).


1.3. Policy Statement and Objective

Security of information assets used by Third-parties for providing services to Bharti Infratel is of paramount importance, and the Confidentiality, Integrity and Availability of these assets shall be maintained at all times by the Third-parties concerned through controls commensurate with the asset value.

The objectives of this policy are to:

• Provide the Third-party with an approach and directives for implementing information security of all information assets used by them for providing services to Bharti Infratel; and
• Ensure that the Third-party adheres to all provisions of the Third-party Security Policy.

1.4. Disciplinary Measures for Non-Compliance

Non-compliance with the BITSP is grounds for disciplinary action up to and including termination of the contract.

1.5. Exceptions

The BITSP is intended to be the statement of information security requirements that need to be met by the Third-party. However, in case a Third-party perceives difficulty in adhering to any of the controls, an exception for an individual control may be requested by the Third-party. Exceptions are applicable only if approved by the CISO.


2. Information Security Organisation Policy (BITSP – 002)

2.1. Introduction

The Third-party is required to ensure that they have an Information Security Organisation structure in place, along with mutually-agreed responsibilities, authority and relationships, to maintain information security requirements as per the BITSP.

2.2. Policy Statement and Objective

The Third-party shall ensure that they have an Information Security Organisation in place to implement the provisions of the Third-party Security Policy.

2.2.1 Management Commitment to Information Security

Control Statement: The Management of the Third-party shall be committed to implementing and adhering to the information security requirements of Bharti Infratel.

Explanatory Notes: The Management of the Third-party is required to extend its full co-operation and support to the information security requirements of Bharti Infratel and also ensure that all its employees working for/at Bharti Infratel respect and adhere to the BITSP.

2.2.2 Information Security Co-ordination

Control Statement: A suitable management body to co-ordinate and maintain information security activities in Bharti Infratel shall be nominated.

Explanatory Notes: It is recommended that the Third-party ensures that all its functions, such as HR, Administration, Information Technology (IT), IAG, Legal and others, willingly co-operate and co-ordinate with Bharti Infratel to satisfy the latter’s information security needs. The Third-party is required to nominate a SPOC (single point of contact) to interface with Bharti Infratel for all its information security activities. The SPOC is required to communicate the relevant sections of the BITSP to its team that caters to Bharti Infratel. The CISO of Bharti Infratel and the Third-party Security SPOC shall coordinate with each other for the implementation of the BITSP and to address any security-related issues.

2.2.3 Responsibility for Information Security

Control Statement: The Information Security responsibilities of all employees working for Bharti Infratel shall be defined and communicated.

Explanatory Notes: The Third-party shall ensure that the information security responsibilities of the Third-party are identified, documented and communicated to its employees providing services to Bharti Infratel. The employees of the Third-party are required to understand the security roles and responsibilities that they need to practise in their day-to-day operations in Bharti Infratel.

2.2.4 Authorisation Process for Information Processing Facilities

Control Statement: An authorisation process for new information processing facilities shall be implemented by the Third-party.

Explanatory Notes: The Third-party shall ensure that they obtain authorisation from the appropriate authority of Bharti Infratel before obtaining access to information systems and/or processing facilities of Bharti Infratel.

Similarly, all new information processing facilities used for providing services to Bharti Infratel shall be set up only after receiving approvals from the relevant management of the Third-party. Personal computing devices that are not allowed into the Bharti Infratel and/or Third-party facility shall be communicated to the Third-party employees and visitors. It shall be ensured that these devices are not brought inside the facility without proper authorisation. In case these devices are brought inside the facility and are required to connect to the Bharti Infratel network, it shall be ensured that an appropriate authorisation is obtained from Bharti Infratel.

Any laptop or other information processing unit owned by the Third-party could introduce new vulnerabilities; therefore, controls like antivirus updates, personal firewall software and other relevant desktop/laptop security software are required to be configured on the system before connecting it to the Bharti Infratel network.

An information processing facility of the Third-party, such as an offshore development centre, which needs to connect to the Bharti Infratel network shall require approval from Bharti Infratel before access is permitted.

2.2.5 Confidentiality & Non-Disclosure Agreements

Control Statement: A Non-Disclosure Agreement with Bharti Infratel shall be signed.

Explanatory Notes: The Non-Disclosure Agreement mandates that the Third-party shall not disclose any information related to Bharti Infratel which is identified as ‘Restricted’, ‘Confidential’ or ‘Internal’ to Bharti Infratel. The Third-party shall ensure that they read, accept and sign the Non-Disclosure Agreement provided by Bharti Infratel.

2.2.6 Contact with Local Authorities

Control Statement: Appropriate contacts with all relevant local authorities shall be established and maintained.


Explanatory Notes: The Third-party is required to ensure that appropriate contacts are established with all local authorities such as Fire, Police, Hospital(s), Ambulance and the other authorities/services which need to be contacted in case of an emergency. An individual shall be identified (preferably from the Admin function) and assigned the responsibility to maintain all such contacts.

2.2.7 Contact with Special Interest Groups

Control Statement: Appropriate contacts with relevant special interest groups shall be established and maintained.

Explanatory Notes: The Third-party shall establish and maintain contacts with special interest groups to ensure that its understanding of the information security environment is current, including updates on security advisories, vulnerabilities and patches. The IT security function of the Third-party should subscribe to these groups and, based on the periodic updates received, take initiatives to analyse and resolve the security issues reported. It should be ensured that the contacts with these forums/groups are for receiving alerts only; users should not post any queries to such forums revealing details of the information assets or network of Bharti Infratel.

2.2.8 Independent Review of Information Security

Control Statement: An independent review of information security should be conducted to assess compliance with the BITSP.

Explanatory Notes: An independent review should be conducted on a yearly basis to assess the compliance of the Third-party with the BITSP. Bharti Infratel reserves the right to audit the Third-party. The independent review should be conducted by a reputed audit organisation. It is recommended that the Third-party obtains audit certification/verification from the auditors. The Third-party may need to share the audit report with Bharti Infratel if required.

If, during the audit, it is found that the Third-party is not compliant with the directions stated in the BITSP, the actions stated in the clause for non-compliance shall be applicable.

2.3. Sub-Contractors

2.3.1 Identification of Risk Related to Sub-contractors

Control Statement: All threats and risks related to sub-contractors shall be identified and mitigated.

Explanatory Notes: The Third-party shall conduct a Risk Assessment and ensure that all risks due to sub-contractor access to Bharti Infratel information assets are identified, measured and mitigated appropriately before providing access to Bharti Infratel information assets. The Risk Assessment report is required to be shared with the CISO of Bharti Infratel prior to providing access to information and/or information-processing facilities to the sub-contractor.

2.3.2 Addressing Security when Dealing with Customers

Control Statement: Appropriate security controls shall be addressed when dealing with customers.

Explanatory Notes: Controls shall be in place so that the information assets or information processing environment used for providing services to Bharti Infratel are physically and logically segregated from those of other customers. Specific approval is required to be taken from the CISO for any exception to this.

2.3.3 Addressing Security in Sub-contractor Agreements

Control Statement: Agreements with the sub-contractors who are involved in providing services to Bharti Infratel shall cover the information security requirements applicable in the BITSP.

Explanatory Notes: Agreements with the sub-contractors who are engaged by the Third-party and are involved in accessing, processing, communicating or managing the information of Bharti Infratel shall cover all information security requirements in accordance with the BITSP. Additionally, the Third-party should ensure that their sub-contractors access the information assets of Bharti Infratel only after signing a formal contract and a Non-Disclosure Agreement with them. The Third-party is also required to ensure that Intellectual Property Rights are honoured by all its sub-contractors. Such contracts and Non-Disclosure Agreements entered into with sub-contractors shall be shared with Bharti Infratel if required by Bharti Infratel.


3. Asset Management Policy (BITSP – 003)

3.1. Introduction

All information assets deployed by the Third-party for providing services to Bharti Infratel shall be provided comprehensive protection. The Third-party, being the owner and/or custodian of the information assets and associated processing facilities, shall be responsible for implementing the controls defined in this policy to maintain the confidentiality, integrity and availability of these information assets.

3.2. Policy Statement and Objective

Identification, classification and CIA (Confidentiality, Integrity, Availability) valuation of information assets, including the identification of the asset owner and custodian, are extremely important to design and implement the required controls for the protection of the assets.

The objectives of the policy are to ensure that:

• All information assets used by the Third-party in providing services to Bharti Infratel have been identified, and a designated owner and custodian appointed by the Third-party;
• All information assets are classified based on their criticality to the business; and
• All information assets receive an appropriate level of protection by implementing relevant controls.

3.3. Asset Register

The Third-party shall create and maintain asset registers for all information assets belonging to them that are deployed to provide services to Bharti Infratel. The asset register is required to contain, at a minimum, the following information about the assets:

• The identification and location of assets;
• The name of the business function, process or function that uses the asset;
• The type and classification of the asset;
• The Asset Owner, Custodian and User; and
• The Confidentiality, Integrity and Availability ratings of the asset.

3.4. Asset Management Responsibilities

The responsibility for implementing appropriate security controls to identify, classify and protect the assets is required to be defined.


3.4.1 Inventory of Assets

Control Statement: Information assets owned by the Third-party shall be identified, and an inventory of these assets shall be documented and maintained.

Explanatory Notes: An inventory of all important assets is required to be maintained by the Third-party. Such an inventory shall include all necessary information, including type of asset, asset owner, asset custodian, asset location (office location) and criticality value, in order to recover from a disaster. This inventory is required to be maintained in accordance with the Asset Management Procedure laid down by Bharti Infratel.

3.4.2 Ownership of Assets

Control Statement: Information assets that are used to provide services to Bharti Infratel shall have a designated owner from the Third-party.

Explanatory Notes: Assets owned by the Third-party and used to process information of Bharti Infratel are required to be owned by a designated individual belonging to the Third-party. The asset owner shall be responsible for the following:

• Ensuring that the assets are appropriately classified as per the Classification Guidelines (refer to BITSP section 3.5.1);
• Ensuring that assets are correctly entered in the Asset Register as per a formal Asset Management Procedure;
• Defining, and periodically reviewing, the access rights to their respective assets.

3.4.3 Acceptable Use of Assets

Control Statement: The Third-party shall develop and implement rules for the acceptable use of information assets that are used to provide services to Bharti Infratel.

Explanatory Notes: The Third-party is required to ensure that its employees adhere to the acceptable-use rules for assets as developed by them.

3.5. Information Asset Classification

Information assets have different degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling. The information classification criteria shall be used by the Third-party to classify the information assets used to provide services to Bharti Infratel. Information assets that are owned by Bharti Infratel are classified by Bharti Infratel, and the Third-party has to handle them based on the classification level.


3.5.1 Classification Guidelines

Control Statement: All information assets shall be classified in terms of their value, sensitivity and criticality to Bharti Infratel.

Explanatory Notes: Important information assets shall be assigned an asset criticality rating as per the guidelines laid down in the Asset Management Procedure, to assess the relative importance of such assets to Bharti Infratel and to determine the level of security measures to be implemented for their protection.

The information assets shall be classified, in terms of their sensitivity and criticality to the business of Bharti Infratel, into one of the following categories:

• Restricted: This classification applies to the most critical business information, which is intended strictly for the use of Bharti Infratel. Its unauthorised disclosure could adversely impact the Bharti Infratel business, its stockholders, its business partners and/or its customers, leading to legal and financial repercussions and adverse public opinion. Information that some people would consider to be private is included in this classification.
  Examples: Critical Servers, Critical Passive Infrastructure devices, System Access Controls, System Passwords, Technology-related Documents, Engineering documents, etc.

• Confidential: This classification applies to sensitive business information which is intended for the use of Bharti Infratel. Its unauthorised disclosure could adversely impact the Bharti Infratel business, its stockholders, its business partners, its employees and/or its customers.
  Examples: System configuration procedures, internal audit reports which comprise the collective experience, knowledge, skill and information of Bharti Infratel.

• Public: This classification applies to information which has been explicitly approved by the Bharti Infratel management for release to the public. By definition, there is no such thing as unauthorised disclosure of this information, and it may be freely disseminated without potential harm.
  Examples: advertisements and published press releases.

• Internal: This classification applies to information which is specifically meant for internal use within Bharti Infratel. While its unauthorised disclosure is against the policy, it is not expected to seriously or adversely impact the business of Bharti Infratel, its employees, customers, stockholders and business partners.
  Examples: Telephone directory, training materials and manuals, internal staff circulars.


3.5.2 Information Asset Labelling and Handling

Control Statement: The Third-party shall follow the procedures for information asset labelling and handling for all information assets that are used to provide services to Bharti Infratel.

Explanatory Notes: All information assets are required to be labelled by the Third-party and maintained as per a formal Information Labelling and Handling Guideline. These assets shall be labelled (marked) using the classification scheme only to indicate the level of sensitivity of the information. This may exclude public information.


4. Human Resources Security Policy (BITSP - 004)

4.1. Introduction

The Human Resource Security Policy defines the controls that are required to be implemented and maintained during the recruitment process, the employment process and termination or change of employment, to ensure the protection of information assets that are used to provide services to Bharti Infratel from human error, misuse, theft or fraud.

4.2. Policy Statement and Objective

All employees of the Third-party with access to the information assets of Bharti Infratel shall understand their responsibilities for the comprehensive protection of the information and processing facilities of Bharti Infratel.

The objectives of this policy are to:

• Ensure that appropriate security controls are followed at the time of recruitment by the Third-party;

• Ensure that the Third-party employees understand their roles and responsibilities regarding information security in Bharti Infratel;

• Reduce the risks of human error, theft, fraud or misuse of the information assets; and

• Ensure that employees are aware of information security threats and concerns and are equipped to support the BITSP in the course of their work.

Failure to adhere to information security responsibilities may entail appropriate disciplinary action.

4.3. During Recruitment

The Human Resources function of the Third-party shall ensure that security responsibilities are defined and addressed prior to employment, in adequate job descriptions and in the terms and conditions of employment. It is strongly recommended that background verification checks are conducted for the employees who will provide services to Bharti Infratel.

4.3.1 Roles and Responsibilities

Control Statement: The security roles and responsibilities of employees shall be defined and documented.

Explanatory Notes: It is required that the HR function of the Third-party define, document and communicate the security roles and responsibilities of its employees to ensure that they:


• Act in accordance with the BITSP;

• Protect assets from unauthorised access, disclosure, modification and destruction; and

• Execute specific security processes and activities.

4.3.2 Screening

Control Statement: Background verification checks shall be carried out for the employees who will provide services to Bharti Infratel.

Explanatory Notes: It is required that the Third-party carries out background verification checks for employees who have access to Bharti Infratel information systems and processing facilities. The Third-party is also recommended to provide evidence of the same to Bharti Infratel.

4.3.3 Terms and Conditions of Employment

Control Statement: The Third-party shall ensure that their employees read and accept the terms and conditions of employment, which shall reflect the information security requirements of Bharti Infratel as specified in the BITSP.

Explanatory Notes: Before being deployed at Bharti Infratel to provide the services as per contract, the Third-party is required to define terms and conditions of employment and communicate them to its employees. The terms and conditions are required to include the following:

• Signing a confidentiality agreement which may hold the employee liable for any unauthorised disclosure, modification and/or destruction of information, information systems and/or processing facilities of Bharti Infratel;

• Legal responsibilities and rights;

• The responsibility for handling information as per its level of classification;

• The responsibility for exercising due diligence while handling information received from external parties and protecting its confidentiality and integrity;

• The actions to be taken if any employee disregards the information security requirements of Bharti Infratel.

4.4. During Employment

The HR function and concerned personnel of the Third-party are required to take appropriate actions to ensure that:


• The employees are duly informed of their information security responsibilities to maintain a reasonable level of security for information assets and processing facilities used to provide services to Bharti Infratel; and

• An adequate level of awareness, education and training on information security is provided to all employees.

4.4.1 Management Responsibilities

Control Statement: The Management of the Third-party should require its employees to adhere to information security requirements in accordance with the BITSP.

Explanatory Notes: It is recommended that the Management of the Third-party should ensure that its employees providing services to Bharti Infratel apply security in adherence to the BITSP. The Management of the Third-party should ensure that:

• Employees are properly informed of their roles and responsibilities towards information security in Bharti Infratel;

• Employees achieve a level of awareness on security in proportion to their roles;

• Employees attend the information security awareness training programme before being deployed at Bharti Infratel premises;

• Employees have the appropriate skills and qualifications required to do the job for Bharti Infratel.

4.4.2 Information Security Awareness, Education and Training

Control Statement: Employees providing services to Bharti Infratel should receive appropriate awareness training and regular updates on the BITSP and information security, as relevant to their job.

Explanatory Notes: The Third-party shall ensure that all employees receive formal training in Information Security Awareness. Inputs and updates for this will be provided by Bharti Infratel to the Third-party as and when they become available. The Third-party should ensure that they update their employees as and when these are made available.

4.4.3 Disciplinary Process

Control Statement: A disciplinary process for information security violations shall be established and documented. Employees shall be informed of the disciplinary process.

Explanatory Notes: A formal disciplinary process is required to commence for violations of the BITSP after verification that a security breach/violation has occurred involving an employee.


The Third-party is required to ensure that its employees are made aware of the formal disciplinary process which may be initiated if they violate the BITSP or commit/participate in any kind of security breach.

4.5. Termination or Change of Employment Responsibility

Adequate security measures are required to be taken by the Third-party when employees change roles within the Third-party organisation, withdraw from the Bharti Infratel project, or resign from the Third-party organisation.

It is required to be ensured that the access rights provided to such employees on information, information assets and/or processing facilities are reduced, changed or revoked depending on the situation.

4.5.1 Return of Assets

Control Statement: The Third-party's employees shall return all assets in their possession, used to provide services to Bharti Infratel, upon termination of their employment.

Explanatory Notes: All Third-party employees are required to return all previously issued software, documents, equipment, laptops, PDAs, access cards, manuals and information stored on electronic media which are used to provide services to Bharti Infratel.

4.5.2 Removal of Access Rights

Control Statement: The access rights of employees shall be revoked at the time of termination or changed when the current role of the employee changes.

Explanatory Notes: Access rights to information and information-processing facilities held by employees of the Third-party are required to be revoked upon termination or withdrawal from the Bharti Infratel project. It is required that all passwords for active accounts that a departing employee has known are forcibly changed with immediate effect. In case of a change of role of a Third-party employee, the access rights are required to be revised and adjusted as appropriate in accordance with the BITSP.


5. Physical and Environmental Security Policy (BITSP – 005)

5.1. Introduction

The Physical and Environmental Security Policy defines the appropriate controls to maintain the required physical and environmental security of information assets and information-processing facilities that are used to provide services to Bharti Infratel.

5.2. Policy Statement and Objective

Assets and facilities which house information of Bharti Infratel shall be protected from unauthorised physical access and environmental threats. All physical access and movement of information systems shall be monitored and reviewed.

The objectives of the policy are to:

• Prevent unauthorised physical access, damage and interference to information assets;

• Ensure that critical and sensitive information systems located at the Third-party location and used to provide services to Bharti Infratel are protected by defined security perimeters, with appropriate security barriers and entry controls (recommended);

• Protect assets by implementing environmental controls to prevent damage from environmental threats; and

• Regularly conduct preventive maintenance of infrastructural equipment to ensure faultless services.

5.3. Secure Areas

An adequate level of security shall be provided to the facilities and office locations housing information assets used to provide services to Bharti Infratel.

5.3.1 Physical Security Perimeter

Control Statement: The Third-party shall ensure that a physical security perimeter is defined and implemented for office locations and facilities housing information assets that are used to provide services to Bharti Infratel.

Explanatory Notes: The Third-party is required to ensure that a physical security perimeter is used to secure all such facilities where the information systems that are used to provide services to Bharti Infratel are hosted. Physical security perimeters such as a wall, card-controlled entry gates and/or manned reception desks should be used to secure the facility.


5.3.2 Physical Entry Controls

Control Statement: Secure areas within the facility of the Third-party shall be protected by appropriate entry controls to ensure authorised access.

Explanatory Notes: The Third-party is recommended to ensure that only authorised persons are provided access to secure areas (areas hosting information systems/equipment). Access to all such areas should be controlled, recorded and monitored by the Third-party. The secure areas shall have physical security check points.

5.3.3 Securing Offices, Rooms and Facilities

Control Statement: Physical security controls for offices, rooms and facilities should be designed and applied.

Explanatory Notes: The Third-party is recommended to ensure that offices, rooms and facilities that store critical information of Bharti Infratel are secured. The following is recommended to be considered:

• Relevant safety regulations and standards are implemented;

• Key facilities should be sited securely so as to avoid access by the public; and

• Where applicable, buildings should be unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities that are used to provide services to Bharti Infratel.

5.3.4 Protection against External and Environmental Threats

Control Statement: Protection against damage from natural and man-made disasters shall be designed and implemented.

Explanatory Notes: Physical protection against damage from fire, flood, earthquake, explosion, civil unrest and other forms of environmental, natural or man-made disaster is required to be designed and applied. It should be considered that:

• Adequate air-conditioning and humidity-control systems are implemented to support information systems and equipment that are used to provide services to Bharti Infratel;

• Fire suppression systems are installed wherever applicable;

• Hazardous and combustible material and stationery items are stored at a secure distance from the secure area;

• Adequate power supply controls are implemented to ensure continuous power supply at the facilities being used to provide services to Bharti Infratel;


• Fallback equipment and back-up media are sited at a different location to ensure continuity of business operations.

5.3.5 Working in Secure Areas

Control Statement: Guidelines for working in secure areas shall be designed and implemented.

Explanatory Notes: The following guidelines are required to be ensured under the BITSP:

• Personnel should be aware of the existence of, or activities within, a secure area only on a 'need-to-know' basis;

• Unsupervised working in secure areas is required to be avoided to prevent opportunities for malicious activities;

• Vacant secure areas are required to be physically locked and periodically checked;

• Photographic, video, audio or other recording equipment, such as cameras in mobile devices, shall not be allowed in restricted areas unless authorised by the management of the Third-party.

5.3.6 Public Access, Delivery and Loading Areas

Control Statement: All loading and unloading areas shall be isolated from information-processing facilities that are used for providing services to Bharti Infratel.

Explanatory Notes: Entry points in the Third-party's location, such as delivery and loading areas and other points where unauthorised personnel may enter, are required to be controlled and isolated from information-processing facilities to avoid unauthorised access.

5.4. Equipment Security

Security controls shall be implemented to prevent loss, damage or theft of any equipment, compromise of information systems and interruption to the services provided to Bharti Infratel by the Third-party. 'Equipment' hereinafter refers to systems that are used to store and process information of Bharti Infratel. They include, but are not limited to, laptops, desktops, servers and network devices.

5.4.1 Equipment Siting and Protection

Control Statement: All equipment used to provide services to Bharti Infratel shall be sited and protected to reduce risks from environmental threats and hazards and opportunities for unauthorised access.

Explanatory Notes: All equipment used to provide services to Bharti Infratel is required to be protected against environmental threats and unauthorised access. It is required to ensure that:


• The equipment is appropriately located and security controls are put in place to reduce the risk of potential threats (e.g. theft, fire, explosives, smoke, flooding, dust, vibrations, chemical effects, electrical supply interference) to its continued use;

• Appropriate controls, such as for temperature and humidity, are implemented for the safety of the equipment;

• Guidelines for eating, drinking and smoking in the proximity of any equipment are established;

• All equipment that processes sensitive data of Bharti Infratel is positioned in such a way as to restrict the viewing angle, in order to reduce the risk of information being viewed by unauthorised personnel.

5.4.2 Supporting Utilities

Control Statement: All equipment used to provide services to Bharti Infratel shall be protected from power failures and other disruptions caused by failure of supporting utilities.

Explanatory Notes: The Third-party is required to ensure that:

• All supporting utilities, such as electricity, water supply, sewage, heating/ventilation and air-conditioning, are in appropriate condition for the systems being used to provide services to Bharti Infratel;

• Uninterruptible Power Supply (UPS) systems and generators are installed to support controlled shutdown or continued functioning of equipment being used to provide services to Bharti Infratel;

• An alarm system to highlight any malfunctioning of any of the supporting utilities is installed;

• Adequate contacts are in place with vendors to provide services whenever there is an emergency.

5.4.3 Cabling Security

Control Statement: Power and telecommunication network cables shall be protected from damage or interception.

Explanatory Notes: In places where Bharti Infratel information assets are housed for maintenance, the Third-party is required to identify and mark network cables and their corresponding terminals being used to provide services to Bharti Infratel. The Third-party is required to segregate power cables from the communication cables through a separate conduit to prevent any interference.


5.4.4 Equipment Maintenance

Control Statement: All equipment shall be appropriately maintained to ensure its continued availability and integrity.

Explanatory Notes: All equipment that is used for providing services to Bharti Infratel is required to be maintained in accordance with the supplier's recommended service intervals and specifications.

A preventive maintenance exercise for all equipment being used to provide services to Bharti Infratel is required to be conducted at scheduled intervals, ensuring its continued availability and integrity. The Third-party shall ensure that appropriate controls are applied to prevent any information leakage or destruction when equipment is scheduled for preventive maintenance.

5.4.5 Security of Equipment Off-premises

Control Statement: Security shall be applied to off-site equipment, taking into account the different risks outside the premises.

Explanatory Notes: All equipment being used for Bharti Infratel (e.g. towers, backup media and laptops) is required to receive the appropriate level of protection against physical and environmental threats. Equipment that is used for providing services to Bharti Infratel and is installed outside the Third-party's premises is to be monitored at regular intervals.

The Third-party is required to ensure that no information asset of Bharti Infratel is taken out without an authorised gate pass signed by the concerned authorised personnel.

5.4.6 Secure Disposal and Re-use of Equipment

Control Statement: Equipment containing information of Bharti Infratel shall be disposed of in a secure manner.

Explanatory Notes: Equipment such as OSS and data switches containing information like the configuration parameters for Bharti Infratel is required to be erased and/or disposed of in a secure manner. If equipment is unrepairable, it shall be physically destroyed. In case of re-use of such equipment, the Third-party shall ensure that all information and parameters used for Bharti Infratel are erased/formatted.

5.4.7 Removal of Property

Control Statement: Equipment, information or any software shall not be taken off-site without prior authorisation.

Explanatory Notes: Any equipment, information system, storage device or software holding information that belongs to Bharti Infratel shall not be taken outside the Third-party's premises


without prior authorisation from the management of the Third-party. A gate-pass shall be used as a means to prevent any unauthorised removal of property.


6. Communication and Operations Management Policy (BITSP – 006)

6.1. Introduction

The Communication and Operations Management Policy establishes appropriate controls, including development of operating procedures, monitoring of user activities and deployment of appropriate technology, to prevent unauthorised access, misuse or failure of the information systems and equipment and to ensure the confidentiality, integrity and availability of information that is processed by, or stored in, the information systems/equipment.

6.2. Policy Statement and Objective

The Third-party shall ensure that all defined procedures are followed and implemented to ensure secure and correct operations.

The objectives of the policy are to:

• Develop documented operating procedures for the information systems and computing devices used to provide services to Bharti Infratel;

• Ensure protection of information during its transmission through communication networks;

• Protect the integrity of software and information against malicious code;

• Develop an appropriate backup strategy and monitoring plan for protecting the integrity and availability of information;

• Have appropriate controls over storage media to prevent its damage and/or theft; and

• Maintain security during information exchange with other organisations.

6.3. Operational Procedures and Responsibilities

6.3.1 Documented Operating Procedure

Control Statement: Standard operating procedures pertaining to all system activities shall be documented, maintained and followed.

Explanatory Notes: Procedures are required to be in place to ensure that activities performed for day-to-day system operations are carried out in a secure manner. The Third-party is required to document all Operating Procedures to maintain the confidentiality, integrity and availability of the specific platform or application. The Third-party is required to ensure that procedures are made available to all their employees who are involved in the respective operations and processes for


Bharti Infratel. All system and application administrators shall ensure that operating procedures are kept up to date in accordance with any system changes.

The procedures are required to include, but are not limited to, the following:

• Any automated or scheduled processes that are running on the system or application associated with Bharti Infratel information;

• Day-to-day operational tasks that need to be performed by the operator;

• The actions performed when an error or an exceptional condition occurs, including listed contact details for people who may be required to assist or who may have a dependency on that service;

• The actions required for start-up, restart or shutdown of the system or application associated with Bharti Infratel information;

• The actions performed for system or application backup;

• The actions performed for system or application recovery or restoration;

• The actions performed for handling of information; for example, backup tapes or disposal of output (such as printed output) from failed runs of automated processes; and

• Management of audit trail and system log information.

6.3.2 Change Management

Control Statement: A formal Change Management Process shall be developed and implemented for carrying out changes to information systems associated with Bharti Infratel.

Explanatory Notes: To ensure that the security of the systems/environments is not compromised, the Third-party is required to manage the change(s) in the production systems/environment of assets used to provide services to Bharti Infratel.

The Third-party shall ensure that:

a. Change control is applied to all security aspects of the production applications and infrastructure associated with Bharti Infratel.

b. All Third-party service providers manage the change(s) to the systems and services supplied to Bharti Infratel.

c. All approved changes are tested in a test setup prior to implementing them on the production systems.


6.3.3 Patch Management

Control Statement: A formal Patch Management Process shall be developed and implemented for applying patches to the information systems associated with Bharti Infratel.

Explanatory Notes: The Third-party is required to apply patches to the systems being used to provide services to Bharti Infratel in a timely manner, to ensure that the systems are running at their optimum level and that the threat from vulnerabilities and malicious agents is reduced to an acceptable level.

6.3.4 Segregation of Duties

Control Statement: Duties and areas of responsibility should be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of assets.

Explanatory Notes: The Third-party is recommended to implement segregation of duties so that no single user has the opportunity to subvert any security control associated with Bharti Infratel information. No one employee of the Third-party should be responsible for more than one of the following duties at any given point in time: data entry, computer operation, network management, system administration, systems development, change management, security administration, security audit, security monitoring.

Where segregation of duties is not possible or practical, the process is recommended to include compensating controls such as monitoring of activities, maintenance and review of audit trails, and management supervision. The compensating control shall be designed and deployed so as to remove the possibility of collusion.

6.3.5 Separation of Development, Test and Operational Facilities

Control Statement: Development, test and operational facilities which are used to provide services to Bharti Infratel shall be separated to reduce the risk of unauthorised access or changes to the operational system.

Explanatory Notes: The development and production facilities/environments used to provide services to Bharti Infratel are required to be physically and/or logically separated.

a. Development and operational software is required to run on different systems.

b. Compilers, editors and other development tools or system utilities shall not be accessible from operational systems when not required.

c. Sensitive data shall not be copied into the test environment for testing purposes.

d. A formal Change Management Process is required to be followed for implementing any changes to the development, test and operational facilities.


6.4. Sub-Contractor Service Delivery Management

In the course of providing services to Bharti Infratel, the Third-party may outsource some services to a Sub-contractor. When using the services of a Sub-contractor, the Third-party shall ensure that agreed service delivery levels are met and security controls are adhered to by the Sub-contractor. The Third-party shall monitor and review the services of its Sub-contractor on an ongoing basis to ensure that services offered to Bharti Infratel are supported without any interruption.

6.4.1 Service Delivery

Control Statement: Appropriate security controls, service definitions and delivery levels included in the Sub-contractor service delivery agreement shall be implemented, operated and maintained.

Explanatory Notes: Service delivery by a Sub-contractor is required to include the agreed security arrangements, service definitions and other aspects of service management.

The Third-party is required to ensure that the Sub-contractor maintains sufficient service capability, together with workable plans designed to ensure that the agreed service continuity levels to Bharti Infratel are maintained.

6.4.2 Monitoring and Review of Sub-contractor Services

Control Statement: A documented process shall be established to ensure that the services, reports and evidence provided by the Sub-contractors who are involved in providing services to Bharti Infratel are monitored and reviewed on a defined periodic basis.

Explanatory Notes: The Third-party is required to monitor and review Sub-contractor services to ensure that the BITSP is being adhered to and that information security incidents and problems are managed properly.

Audits to assess compliance of the Sub-contractor's services with the agreed contract shall be conducted on a periodic basis. The responsibility for managing the relationship with a Sub-contractor of the Third-party is required to be assigned to a designated individual or service management team.

6.4.3 Managing Changes to Sub-contractor Services

Control Statement: A documented procedure to control changes pertaining to a Sub-contractor's services shall be implemented.

Explanatory Notes: The Third-party is required to ensure that all changes pertaining to the Sub-contractor's services are maintained, agreed and documented. Services to Bharti Infratel shall not be disrupted due to any changes in service levels between the Third-party and its Sub-contractor.


6.5. System Planning and Acceptance

6.5.1 Capacity-Management

Control Statement: Resource utilisation shall be monitored and projections shall be made for the

future capacity requirements to ensure adequate system performance.

Explanatory Notes: The Third-party is required to ensure that the capacity of systems used to provide services to Bharti Infratel is monitored on a periodic basis. Capacity planning shall be carried out by the Third-party to anticipate future capacity requirements and enhancements. This applies in particular to security-related logging, analysis and exception reporting on the systems used to provide services to Bharti Infratel, since a full log volume silently stops the recording of security events. The system/application administrator shall monitor capacity utilisation and project future capacity requirements to ensure that adequate processing power and storage are available for the systems that are used to provide services to Bharti Infratel.

6.5.2 System-Acceptance

Control Statement: Acceptance criteria for new information systems, upgrades and new versions

shall be defined and followed.

Explanatory Notes: The acceptance criteria for new information systems, upgrades and new

versions of system/software are required to be followed by the Third-party for any new system that

is deployed to provide services to Bharti Infratel. The following is recommended to be considered

prior to formal acceptance:

a. Performance and computer capacity requirements;

b. Error recovery and restart procedures;

c. Contingency plans;

d. Agreed set of security controls in place;

e. Effective manual procedures;

f. Evidence that installation of the new system shall not adversely affect existing systems;

g. Training in the operation or use of new systems; and

h. Ease of use, as this affects user performance and avoids human error.

6.6. Protection against Malicious and Mobile Code

6.6.1 Controls Against Malicious Code

Control Statement: Appropriate controls for detection, prevention and recovery of the information

systems against malicious code shall be developed and implemented.


Explanatory Notes: Malicious code is code capable of causing a system to malfunction or of compromising it, for example viruses, Trojan horses, worms, adware, spyware and backdoors. The Third-party is required to design and implement prevention, detection and recovery controls against malicious code on all information systems associated with Bharti Infratel.

The implemented controls are required to address current vulnerabilities and weaknesses that could bring a system down or result in information disclosure, destruction or modification; detection signatures and the protective software itself shall therefore be kept up to date.

6.6.2 Controls Against Mobile Code

Control Statement: Only authorised mobile code shall be allowed to execute on the information systems and in the network environment.

Explanatory Notes: Mobile code is software, such as ActiveX controls or Java applets, that is transferred from one computer to another and then executes automatically, performing a specific function with little or no user interaction. The Third-party is required to allow only authorised mobile code to execute. Appropriate safeguards are required to be implemented in the information systems to prevent the execution of unauthorised mobile code.

6.7. Back-up

6.7.1 Information Back-up

Control Statement: Information back-up shall be performed as per a formal Back-up Procedure

approved by Bharti Infratel.

Explanatory Notes: The information of Bharti Infratel which is managed by the Third-party is required to be backed up in accordance with a Back-up Procedure. Restoration testing is required to be conducted on the backed-up data at regular intervals as defined by Bharti Infratel, and logs for backup/restoration shall be stored with restricted access. Log analysis shall be carried out for all failed backups and restorations, and corrective actions shall be taken.

6.8. Network Security Management

Development and implementation of network management controls is required to manage and

maintain the security of information effectively. These controls shall be applied to networking

devices such as switches and routers and any network-attached host or system.

6.8.1 Network Controls

Control Statement: The Third-party shall ensure the security of the networks being used to provide

services to Bharti Infratel.


Explanatory Notes: The Third-party is required to design and implement appropriate network controls to safeguard the information of Bharti Infratel. Controls shall also be implemented to maintain the availability of network services and of the computers connected to them. Operational responsibility for managing the network is required to be segregated from that for system management. Responsibility for managing remote equipment shall be established. Appropriate logging and monitoring shall be applied to enable the recording of security-relevant actions.

6.8.2 Wireless Local Area Network (WLAN)

Control Statement: A wireless infrastructure system to provide services to Bharti Infratel should be

designed, deployed and maintained taking into account the appropriate information security

requirements.

Explanatory Notes: The following measures are recommended to be implemented for the Wireless

Local Area Network (hereinafter referred to as WLAN) security by the Third-party:

a. WLAN should be separated from the wired LAN by implementing a firewall;

b. All wireless communication devices should be configured appropriately, including secure

configuration of Access Points and wireless client devices such as laptops/workstations;

c. A strong key management system is recommended to be implemented for the authentication of clients connecting to the WLAN associated with Bharti Infratel (static WEP keys do not satisfy this requirement, as WEP is cryptographically broken);

d. Appropriate physical and environmental security controls should be implemented to protect

wireless access points against theft and damage; and

e. A wireless intrusion detection system is recommended to be deployed to identify and

respond to rogue access points, intruders, poorly configured wireless access points, attacks

and misuse directed over the WLAN associated with Bharti Infratel.

6.8.3 Firewall

Control Statement: A firewall management standard and procedure shall be established and

implemented in all firewalls used to provide services to Bharti Infratel.

Explanatory Notes: A Firewall segments the network based on risk levels. The information systems

with similar risk levels shall be put into one segment. For example, if the firewall is segregating the

internal network from the Internet there shall be a minimum of three segments - one for Internet,

one for internal network and one for systems that are accessed from both (the internal network and

the Internet), called the de-militarized zone. The following controls shall be ensured:

a. An updated, reviewed and approved network diagram with all connections to and from the

firewall shall be documented;


b. A documented list of services and ports required to be enabled shall be available;

c. An operation procedure for firewall policy changes, performance monitoring, firewall

backup and firewall change control shall be documented; and

d. Audit and logging shall be enabled on the firewall to ensure that all critical accesses and

changes to firewall configuration and policy are tracked. These logs shall be regularly

reviewed by the firewall administrator.
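The three-segment model and items (a) to (d) above can be checked mechanically against an exported rule set. The following is an added example written for this edition of the page; it is not part of the policy and not code from any Bharti Infratel or Third-party system. The zone address ranges, the approved-service table, the rule record format and the sample rules are all assumptions constructed for the illustration:

```python
"""Review a firewall rule set against the three-segment model (Internet, DMZ,
internal) and the documented list of approved services and ports.

Added example; not part of the policy or of any Bharti Infratel system. The
zone address ranges, the approved-service table and the rule format are
assumptions made for the illustration."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Union

# Assumed segments. 192.0.2.0/24 is a documentation range used here as the DMZ.
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
    "internet": ip_network("0.0.0.0/0"),
}

# Assumed approved-service list (policy item b): (src zone, dst zone, proto, port).
APPROVED = {
    ("internet", "dmz", "tcp", 443),
    ("internal", "dmz", "tcp", 443),
    ("dmz", "internal", "tcp", 5432),
    ("internal", "internet", "tcp", 443),
}


@dataclass(frozen=True)
class Rule:
    src: str                 # CIDR
    dst: str                 # CIDR
    proto: str               # "tcp", "udp" or "any"
    dport: Union[int, str]   # port number or "any"
    action: str              # "accept" or "drop"


def zone_of(cidr: str) -> Optional[str]:
    """Most specific zone that contains the whole prefix (longest match)."""
    net = ip_network(cidr)
    best = None
    for name, zone in ZONES.items():
        if net.subnet_of(zone) and (best is None or zone.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def is_default_deny(rule: Rule) -> bool:
    """A closing any/any drop rule, so that anything not listed is refused."""
    return (rule.action == "drop" and rule.proto == "any" and rule.dport == "any"
            and ip_network(rule.src).prefixlen == 0 and ip_network(rule.dst).prefixlen == 0)


def review(rules: List[Rule]) -> List[str]:
    """Return one finding per policy violation; an empty list means the rule set passes."""
    findings = []
    for n, rule in enumerate(rules, start=1):
        if rule.action != "accept":
            continue
        src, dst = zone_of(rule.src), zone_of(rule.dst)
        if src == "internet" and dst == "internal":
            findings.append(f"rule {n}: Internet reaches the internal segment directly, bypassing the DMZ")
        if rule.proto == "any" or rule.dport == "any":
            findings.append(f"rule {n}: accepts any service from {src} to {dst}")
        elif (src, dst, rule.proto, rule.dport) not in APPROVED:
            findings.append(f"rule {n}: {rule.proto}/{rule.dport} from {src} to {dst} is not on the approved service list")
    if not rules or not is_default_deny(rules[-1]):
        findings.append("rule set does not end with an explicit default deny")
    return findings


# Constructed rule set as it might be exported from a firewall; not from any real device.
SAMPLE_RULES = [
    Rule("0.0.0.0/0", "192.0.2.10/32", "tcp", 443, "accept"),       # public web front end
    Rule("10.0.0.0/8", "192.0.2.10/32", "tcp", 443, "accept"),      # staff to the same front end
    Rule("192.0.2.10/32", "10.20.0.5/32", "tcp", 5432, "accept"),   # front end to internal database
    Rule("0.0.0.0/0", "10.20.0.5/32", "tcp", 22, "accept"),         # SSH from anywhere straight to the database host
    Rule("10.0.0.0/8", "192.0.2.0/24", "any", "any", "accept"),     # blanket internal-to-DMZ rule
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", "any", "drop"),           # default deny
]

if __name__ == "__main__":
    for finding in review(SAMPLE_RULES):
        print(finding)
```

Run as a script it prints one line per finding. Rule 4 produces two findings because it both bypasses the DMZ and carries a port that is not on the approved list; the blanket rule 5 is reported because an "any" service defeats item (b); and a rule set without a closing default deny is reported even when every explicit rule is approved. The same check can be re-run after every change under item (c) and its output kept with the change record.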

6.8.4 Security of Network Services

Control Statement: The network services that are enabled shall be securely configured and

services that are not required for the business shall be disabled.

Explanatory Notes: The network services that are required for the business shall be identified and documented. Non-essential services shall be disabled on all information systems. Services found to be vulnerable shall be patched or, where no fix is available, protected by alternative mitigating controls on the information systems.

a. Security arrangements necessary for particular services, such as security features, service

levels, and management requirements, shall be identified. The Third-party shall ensure

that these measures are implemented stringently to maintain security and availability of

network services.

b. Network services may include the provision of private network services, value-added

services and managed security solutions like firewall and intrusion detection/prevention

systems.

c. The security features of network services shall include the following:

i. Technology applied for security of network services, such as authentication,

encryption, and network connection controls;

ii. Technical parameters required for secured connection with the network services in

accordance with security and network connection rules; and

iii. Procedures for network service usage to restrict access to network services or

applications, where necessary.

d. Changes to the security of network services in Bharti Infratel shall follow the

steps/measures enumerated in a formal Change Management Process.


6.9. Media Handling

6.9.1 Management of Removable Media

Control Statement: A formal Removable Media Management Guideline shall be developed and

implemented for any media containing information of Bharti Infratel.

Explanatory Notes: The Third-party shall develop and implement the Removable Media Management Guideline. The guideline shall cover the registration and authorisation of removable media, its storage and availability, and its re-use.

6.9.2 Disposal of Media

Control Statement: All media containing information of Bharti Infratel shall be disposed of as per a formal Media Disposal Procedure.

Explanatory Notes: Devices containing information of Bharti Infratel are required to be disposed of in a secure manner. Magnetic and optical media are required to be physically destroyed. The Third-party personnel are required to ensure the disposal of media as per a formal Media Disposal Procedure. When magnetic media are to be reused, they shall be degaussed to eradicate all information and make it non-retrievable; degaussing has no effect on solid-state (flash) media, which require overwriting with a verified tool, cryptographic erasure or physical destruction. All print media such as hardcopies shall be disposed of using shredders. Disposal shall be done by authorised users only.

6.9.3 Information Handling Procedures

Control Statement: The Third-party shall implement and follow Information Labelling and Handling Guidelines to ensure that information pertinent to Bharti Infratel is handled accordingly.

Explanatory Notes: The Information Labelling and Handling Guidelines shall be developed and

implemented to handle information on media pertinent to Bharti Infratel. Access restrictions shall

be implemented to prevent access to information of Bharti Infratel by unauthorized personnel.

6.9.4 Security of System-Documentation

Control Statement: The Third-party shall ensure that system-documentation of systems used to

provide services to Bharti Infratel shall be protected against unauthorised access.

Explanatory Notes: Appropriate security measures shall be implemented by the Third-party to

maintain the security of the system-documentation for all information systems used to provide

services to Bharti Infratel.

To secure system-documentation, the following shall be considered:

a. System-documentation shall be stored securely;


b. The distribution list for system-documentation shall be limited to those personnel who

require it on a ‘need-to-know’ basis.

c. System-documentation held on a public network, or supplied via a public network, shall be

protected appropriately.

d. All system documentation is required to be classified as per the Asset Management Policy and handled as per a formal Information Labelling and Handling Guideline.

6.10. Exchange of Information

6.10.1 Information Exchange Policies and Procedures

Control Statement: Formal exchange policies, procedures and controls shall be put in place to

protect the exchange of information through the use of various types of communication facilities.

Explanatory Notes: Appropriate security controls should be implemented for exchange of business

information or software assets between the Third-party, sub-contractors and Bharti Infratel. The

following shall be considered:

a. Policy or guidelines outlining acceptable use of electronic communication facilities;

b. Ensuring that sensitive or critical information of Bharti Infratel is not left unattended on

printing facilities (copiers, printers or facsimile machines), as these may be accessed by

unauthorised personnel; and

c. Reminding personnel to take appropriate precautions so that sensitive information is not revealed inadvertently by being overheard or intercepted when making a phone call, by:

i. People in their immediate vicinity, particularly when using mobile phones;

ii. Wiretapping and other forms of eavesdropping through physical access to the phone

handset or the phone line, or using scanning receivers; and

iii. People at the recipient’s end.

6.10.2 Exchange Agreements

Control Statement: The Third-party shall ensure that they maintain appropriate information

exchange agreements with the sub-contractors who are involved in providing services to Bharti

Infratel.

Explanatory Notes: Agreements shall be made between the Third-party and its sub-contractors or customers. The exchange agreements shall include, but are not limited to, the following:

a. Procedures for notifying the sender of transmission, dispatch and receipt;


b. Procedures to ensure traceability and non-repudiation;

c. Courier-identification standards; and

d. Responsibilities and liabilities in the event of information security incidents, such as loss of

data.

6.10.3 Physical Media in Transit

Control Statement: Media containing sensitive information of Bharti Infratel shall be protected

against unauthorised access, misuse or corruption during transportation within and beyond the

physical boundaries.

Explanatory Notes: Documents and removable media carrying information of Bharti Infratel (other than information classified as 'Public') shall be transported using only an authorised courier agency. These courier agencies are required to sign a Non-Disclosure Agreement with the Third-party. All Third-party employees carrying media are required to ensure its protection during transit.

6.10.4 Electronic Messaging

Control Statement: The Third-party shall ensure that the information of Bharti Infratel is protected

appropriately while using electronic messaging facilities.

Explanatory Notes: Bharti Infratel recognises the importance of the electronic mail system for

business operations and understands that the E-mail system of the Third-party may contain

information of Bharti Infratel. The Third-party shall ensure that its E-mail system is not vulnerable

to unauthorised access, modification and/or misuse and shall implement relevant E-mail security

guidelines (applicable to their organisation), consisting of appropriate security measures in order to

protect information of Bharti Infratel.

6.10.5 Business Information Systems

Control Statement: Appropriate security controls shall be developed and implemented to protect

the information processed through the interconnection of business information systems.

Explanatory Notes: Business information systems enable faster dissemination and sharing of business information using a combination of documents, computers, mobile communication, mail, voice mail and other means. The consideration given to the security and business implications of interconnecting the Bharti Infratel and Third-party networks shall include the following:

a. Vulnerabilities of information in business communication systems, e.g., recording phone

calls or conference calls, confidentiality of calls, storage of facsimiles, opening mail,

distribution of mail;


b. Appropriate controls to manage information sharing; and

c. Restricting access to information relating to selected individuals, e.g., personnel working

on sensitive projects.

6.11. Electronic Commerce Services

6.11.1 Electronic Commerce

Control Statement: The Third-party shall ensure that the information involved in electronic

commerce passing over public networks shall be protected from fraudulent activity, contract

dispute and unauthorised disclosure and/or modification.

Explanatory Notes: The Third-party shall ensure that the information involved in electronic

commerce is secured and the following controls are followed:

a. An appropriate authentication mechanism shall be implemented in the applications

facilitating the online transaction and secure web services;

b. Prior to the online transaction, it shall be ensured that trading partners are fully informed of their authorisations; and

c. The confidentiality and integrity of any order, transaction, payment information, delivery address details and confirmation of receipt shall be maintained through secure channels only.

6.11.2 On-Line Transactions

Control Statement: Appropriate controls shall be applied to protect the Information involved in on-

line transactions.

Explanatory Notes: The Third-party shall ensure that incomplete transmission, misrouting, unauthorised message alteration, unauthorised disclosure, and unauthorised message duplication or replay are prevented in on-line transactions related to Bharti Infratel. The communications path between all involved parties for an online transaction shall be set up using a secure transport protocol such as Secure Socket Layer (SSL) or its successor, Transport Layer Security (TLS). Note that SSL 2.0 and SSL 3.0 have since been deprecated because of known protocol weaknesses; a current deployment should negotiate TLS only, with certificate validation enabled on both sides.

6.11.3 Publicly Available Systems

Control Statement: Information published on a publicly-available system shall be protected from

unauthorised modification.

Explanatory Notes: Adequate security controls shall be put in place to ensure the confidentiality, integrity and availability of information related to Bharti Infratel contained in the publicly-available systems of the Third-party. The publicly available systems owned by the Third-party


shall be tested against vulnerabilities and it shall be ensured that the identified vulnerabilities are

fixed prior to publishing the information in such systems.

6.12. Monitoring

6.12.1 Audit Logging

Control Statement: The audit logs recording user activities, exceptions and security events shall be

appropriately enabled and stored.

Explanatory Notes: The Third-party should ensure that the audit logs are enabled on critical

systems and stored for a reasonable period as decided by Bharti Infratel in the contract. In

accordance with the business requirement, user activities, exceptions and security events should be

recorded. Access control monitoring of the systems related to Bharti Infratel shall be done

periodically. The logs shall be monitored and analysed for any possible unauthorised use of

information systems. Privacy protection measures shall be taken for audit logs for these systems. It

shall be ensured that the system administrators do not have permissions to erase or de-activate logs

of their own activities.

6.12.2 Monitoring System Use

Control Statement: The utilisation of information systems that are used to provide services to

Bharti Infratel shall be monitored and controlled.

Explanatory Notes: The results of the monitoring activities are required to be reviewed at regular

intervals by the Third-party. The intervals shall be decided as per criticality of the information

systems and a consolidated report for all reviewed monitoring activities shall be prepared.

An appropriate tool for storing and monitoring the logs shall be implemented by the Third-party.

Log storing and monitoring shall cover the following:

a. Authorised access;

b. All privileged operations;

c. Unauthorised access attempts; and

d. Changes to, or attempts to change, system security settings and controls.
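The four categories in (a) to (d) can be fed from ordinary system logs. The following is an added example, not part of the policy and not from any Bharti Infratel or Third-party system: it classifies constructed syslog-style lines into the four categories and raises an alert when an account reaches the three-failure lockout threshold of 7.3.4 (f). The log lines, the "audit:" line format, the host and user names and the five-minute correlation window are assumptions made for the illustration:

```python
"""Classify constructed system-log lines into the four categories the policy
requires to be stored and monitored (6.12.2 a-d), and alert when an account
reaches the lockout threshold of three successive failures (7.3.4 f).

Added example; not part of the policy. The log lines, their format (the
'audit:' line in particular), the names and the five-minute correlation
window are assumptions made for the illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sudo: +(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
SETTING = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) audit: user=(?P<user>\S+) setting=(?P<setting>\S+) old=(?P<old>\S+) new=(?P<new>\S+)")

LOCKOUT_THRESHOLD = 3          # policy 7.3.4 (f): three successive failures
WINDOW = timedelta(minutes=5)  # assumed correlation window for "successive"

CATEGORIES = ("authorised_access", "privileged_operation",
              "unauthorised_attempt", "security_setting_change")


def classify(lines):
    """Map each recognised line to one of the four policy categories; unknown lines are skipped."""
    events = {c: [] for c in CATEGORIES}
    for line in lines:
        for pattern, category in ((ACCEPTED, "authorised_access"),
                                  (SUDO, "privileged_operation"),
                                  (FAILED, "unauthorised_attempt"),
                                  (SETTING, "security_setting_change")):
            m = pattern.match(line)
            if m:
                events[category].append(m.groupdict())
                break
    return events


def failed_login_alerts(events):
    """One alert per (host, user) whose failures reach the threshold inside the window."""
    per_account = defaultdict(list)
    for e in events["unauthorised_attempt"]:
        per_account[(e["host"], e["user"])].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for (host, user), times in sorted(per_account.items()):
        times.sort()
        for i in range(len(times) - LOCKOUT_THRESHOLD + 1):
            if times[i + LOCKOUT_THRESHOLD - 1] - times[i] <= WINDOW:
                alerts.append(f"{user}@{host}: {LOCKOUT_THRESHOLD} failed logins within "
                              f"{WINDOW} from {times[i].isoformat()}; account should be locked out")
                break
    return alerts


# Constructed log extract; the hosts, users, addresses and the 'audit:' line are not real.
SAMPLE_LOG = """\
2012-10-30T09:14:02 host1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2012-10-30T09:14:05 host1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2012-10-30T09:14:09 host1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51024 ssh2
2012-10-30T09:17:40 host1 sshd[2240]: Failed password for root from 198.51.100.9 port 40001 ssh2
2012-10-30T09:20:11 host1 sshd[2310]: Accepted password for ops from 10.1.1.5 port 40011 ssh2
2012-10-30T09:21:30 host1 sudo:  ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/sbin/useradd temp1
2012-10-30T09:25:00 host1 audit: user=ops setting=auditd.enabled old=1 new=0
""".splitlines()


def summary(lines):
    """Counts per category plus the alerts, as the consolidated review report would list them."""
    events = classify(lines)
    return {c: len(events[c]) for c in CATEGORIES}, failed_login_alerts(events)


if __name__ == "__main__":
    counts, alerts = summary(SAMPLE_LOG)
    print(counts)
    for alert in alerts:
        print(alert)
```

The single failed root login is recorded under (c) but raises no alert; the three failures against "admin" seven seconds apart do, and the line that switches auditing off is the kind of event category (d) exists to surface. In a real deployment the same patterns would be applied to logs forwarded to the central tool the policy requires rather than read on the host that produced them.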

6.12.3 Protection of Log Information

Control Statement: Logging facilities and log information shall be protected against tampering and

unauthorised access.

Explanatory Notes: The log information of systems, equipment and network devices used to provide services to Bharti Infratel shall be protected against unauthorised access, alterations and


operational problems. The Third-party shall ensure that access to logs shall be provided only on a

‘need-to-know’ and ‘need-to-have’ basis. Appropriate controls shall be implemented to prevent:

a. Alterations to the message types that are recorded;

b. Log files being edited or deleted; and

c. Storage capacity of the logging media being exceeded.

6.12.4 Administrator and Operator Logs

Control Statement: System administrator and system operator activities shall be logged.

Explanatory Notes: The information systems being used to provide services to Bharti Infratel are required to be configured in such a way that system administrator and system operator activities are logged and the logs are secure from unauthorised modification. The system administrator and system operator shall not have rights to access or alter the administrator and operator logs; in practice this means the logs are forwarded to a system they do not administer. The logs shall be reviewed by an independent person in order to identify any misuse.
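Sections 6.12.1, 6.12.3 and 6.12.4 all require that an administrator cannot erase or alter the record of their own actions. One technique for making such tampering evident is a hash chain whose key is held by the independent reviewer rather than the administrator. The following is an added example, not part of the policy and not from any Bharti Infratel or Third-party system; the record fields, the reviewer key and the sample entries are assumptions constructed for the illustration:

```python
"""Tamper-evident log: each entry carries an HMAC over the previous entry's
digest and its own record, so an edited, reordered or deleted entry breaks
the chain. The HMAC key is held by the independent reviewer (6.12.4), not by
the administrator whose actions are being logged.

Added example; not part of the policy. The record fields, the key and the
sample entries are assumptions made for the illustration."""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # digest assumed for the (non-existent) entry before the first


def entry_digest(prev_digest: str, record: dict, key: bytes) -> str:
    """HMAC-SHA256 over the predecessor digest and a canonical JSON form of the record."""
    payload = prev_digest + "\n" + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only in-memory log; entries are (prev_digest, record, digest) tuples."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[Tuple[str, dict, str]] = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1][2] if self.entries else GENESIS
        digest = entry_digest(prev, record, self._key)
        self.entries.append((prev, record, digest))
        return digest


def verify(entries, key: bytes, expected_last: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain; (True, None) if intact, else (False, index of the first bad entry).

    An index equal to len(entries) means the tail is missing: the last digest does
    not match the anchor the reviewer recorded out of band."""
    prev = GENESIS
    for i, (stored_prev, record, digest) in enumerate(entries):
        if stored_prev != prev or not hmac.compare_digest(digest, entry_digest(prev, record, key)):
            return False, i
        prev = digest
    if expected_last is not None and not hmac.compare_digest(prev, expected_last):
        return False, len(entries)
    return True, None


# Constructed administrator actions; not from any real system.
SAMPLE_RECORDS = [
    {"ts": "2012-10-30T09:21:30", "user": "ops", "action": "useradd temp1"},
    {"ts": "2012-10-30T09:23:10", "user": "ops", "action": "usermod -aG wheel temp1"},
    {"ts": "2012-10-30T09:25:00", "user": "ops", "action": "auditctl -e 0"},
]
REVIEWER_KEY = b"assumed-reviewer-key-not-for-production"


def build_sample_log() -> ChainedLog:
    log = ChainedLog(REVIEWER_KEY)
    for record in SAMPLE_RECORDS:
        log.append(record)
    return log


def tamper_demo() -> dict:
    """Three manipulations an administrator might attempt, and what verify() reports."""
    log = build_sample_log()
    anchor = log.entries[-1][2]  # digest the reviewer noted at the last review
    edited = list(log.entries)
    prev, record, digest = edited[1]
    edited[1] = (prev, dict(record, action="usermod -aG users temp1"), digest)
    truncated = log.entries[:-1]  # drop the line recording that auditing was switched off
    return {
        "intact": verify(log.entries, REVIEWER_KEY, anchor),
        "edited": verify(edited, REVIEWER_KEY, anchor),
        "truncated_without_anchor": verify(truncated, REVIEWER_KEY),
        "truncated_with_anchor": verify(truncated, REVIEWER_KEY, anchor),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name}: {result}")
```

The chain alone does not detect removal of the newest entries, as the "truncated_without_anchor" case shows; the reviewer therefore records the latest digest out of band at each review and passes it as expected_last, which is what catches the deleted "auditctl -e 0" entry. Storing the entries on a write-once medium or a separate log host addresses the remaining case of an administrator who can also reach the reviewer's copy.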

6.12.5 Fault Logging

Control Statement: Fault logging shall be enabled, analysed, and appropriate action shall be taken

on fault-logging.

Explanatory Notes: The Third-party is required to maintain logs of all faults related to the data processing and communication systems that are used to provide services to Bharti Infratel. The Third-party shall ensure that such issues are corrected as per the Service Level Agreement (hereinafter referred to as the SLA). The Third-party shall also ensure that root-cause analysis is carried out to prevent any recurrence of faults.

6.12.6 Clock Synchronisation

Control Statement: The clock time of critical systems that are used to provide services to Bharti

Infratel should be synchronised with an accurate time source.

Explanatory Notes: Systems and equipment being used to provide services to Bharti Infratel shall be synchronised with a Network Time Protocol (NTP) server. Clock time shall be consistent across all systems used to provide services to Bharti Infratel, since events from different systems can only be correlated, and audit trails only relied upon, when their timestamps agree.


7. Access Control Policy (BITSP – 007)

7.1. Introduction

The Access Control Policy defines the appropriate access controls that need to be put in place by

the Third-party to prevent unauthorised access to information systems that are used to provide

services to Bharti Infratel.

7.2. Policy Statement and Objective

Access to information assets that are used to provide services to Bharti Infratel shall be

controlled, based on the business and security requirements and commensurate with asset

classification.

The Objectives of Access Control Policy are to:

a. Control the access to information, information systems and processing facilities as per

business requirement of Bharti Infratel;

b. Prevent unauthorised access to information systems, networked services, operating systems

and information held in application systems associated with Bharti Infratel information;

c. Ensure that security controls are in place while using the mobile computing and teleworking

facilities associated with Bharti Infratel information; and

d. Ensure that information access controls are implemented to meet relevant legislation,

contractual and statutory requirements.

7.3. User Access Management

Procedures shall be developed to control the allocation of access rights to information systems and

services. The Third-party shall ensure that the procedures cover all stages in the life-cycle of user

access, from the initial registration of new users in Bharti Infratel to the final de-registration of

users who no longer require access to information systems and services. Special attention shall be

given, where appropriate, to the need to control allocation of privileged access rights, which allow

users to override system controls.

7.3.1 Access Control Policy

Control Statement: Access control shall be implemented and applied to all information systems, equipment and network devices that are used to provide services to Bharti Infratel.

Explanatory Notes: Access control rules and rights for each user or group of users shall be clearly

stated. Access controls are both logical and physical, and these shall be considered together to


prevent any unauthorised access to information assets that are used to provide services to Bharti

Infratel.

7.3.2 User Registration

Control Statement: Formal user registration and de-registration procedure shall be implemented

for granting and revoking access to all information systems and services that are used to provide

services to Bharti Infratel.

Explanatory Notes: Procedures for user registration and de-registration are required to be defined,

documented and implemented for granting access to information systems that are used to provide

services to Bharti Infratel. These procedures shall include the following:

a. All users shall have a unique user ID based on a standard naming convention, for accessing

information systems;

b. Appropriate authorisation shall be obtained prior to creating the user IDs;

c. An audit trail shall be kept for all requests for addition, modification or deletion of user

accounts/ IDs and access rights;

d. User accounts shall be reviewed at regular intervals, at least quarterly for sensitive systems

and half-yearly for the other systems, to identify and facilitate removal/ deactivation of

inactive accounts or accounts that have not been used for a long duration;

e. The Application Administrator shall be responsible for implementing access control as defined by the Application Owner;

f. The results of user account reviews, including subsequent actions, shall be documented to

provide an audit trail; and

g. "Guest" accounts and other default accounts shipped with software/ applications shall be

disabled or their passwords changed from the default value, in case there is a justified

business requirement for using these accounts.

7.3.3 Privilege Management

Control Statement: Privileged user access associated with the operating system, database

management system and applications that are used to provide services to Bharti Infratel have to be

identified, allocated and controlled by the Third-party.

Explanatory Notes: Privileged accounts have administrator-level access on a system. The creation and allocation of privileged user accounts/IDs on information systems that are used to provide services to Bharti Infratel shall be controlled through a formal authorisation process. The authorisation process shall consider the following:


a. The privilege associated with each system (e.g. operating systems, databases, applications

etc.) and their corresponding users are identified;

b. The privileges are allocated to individuals on a ‘need-to-have’ basis. The authorisation

process for access

c. Third-party shall approve the usage of group privilege user ids if required. Accountability

shall be ensured for group privilege user ids that are used to access information of Bharti

Infratel.

7.3.4 Password Management

Control Statement: Allocation of passwords for systems that are used to provide services to Bharti

Infratel shall be controlled through a formal Password Management Process.

Explanatory Notes: Passwords shall be distributed to the users in a secure manner. The following

controls relating to password management should be implemented:

a. Users should be forced to change their password at first log-on and every 45 days thereafter; users shall receive a password-change warning 15 days prior to expiry;

b. Passwords should contain a combination of alphabetic and numeric characters and have a minimum length of eight characters;

c. Passwords should have a minimum age of one day, so that the history control in (e) cannot be defeated by cycling through passwords in quick succession;

d. Passwords for all user and privileged accounts should expire 45 days after their last change, with the exception of accounts used by services; passwords for privileged accounts should have a shorter change period;

e. A record of five previous passwords should be maintained to prevent the re-use of these

passwords;

f. A maximum of three successive login failures should result in account lockout;

g. A ‘locked out’ user should not be able to login until the account is unlocked by the system

administrator or by the user himself, using the ‘Password Reset’ solution;

h. Passwords should not be displayed in clear text while being keyed in or at any other time;

i. Support procedures should be in place to deal with forgotten passwords and account

lockouts;

j. User password resets should be performed only when requested by the individual to whom

the user ID is assigned, after verification of their identity by a defined procedure;


k. When passwords are reset, users should be forced to change their password to a password

of their choice on the first use after the reset;

l. Default accounts should be disabled and/or the associated default passwords shall be

changed immediately;

m. A secure ‘Password List’ should be maintained for all critical accounts. Only authorised

individuals should have access to this ‘Password List’; and

n. Passwords should not be coded into logon scripts, batch programs or any other executable

files when user authentication or authorisation is required to complete a function.
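The controls in items a to n above are concrete enough to be enforced in code. The account model below is an added example, not code from the policy or from Bharti Infratel: it stores only salted PBKDF2 digests (item h), forces a change on first use and after an administrator reset (a, k), requires eight characters mixing letters and digits (b), enforces a one-day minimum age (c), expires passwords after 45 days with a 15-day warning (a, d), refuses re-use of the five previous passwords (e) and locks the account after three failures (f, g). The 30-day maximum age for privileged accounts is an assumption, since the policy only says they should change sooner than 45 days; the PBKDF2 round count is kept low for the example.

```python
"""Password-management checks modelled on section 7.3.4 (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MIN_LENGTH = 8                            # item (b)
HISTORY_SIZE = 5                          # previous passwords remembered, item (e)
MIN_AGE = timedelta(days=1)               # item (c)
MAX_AGE_USER = timedelta(days=45)         # items (a), (d)
MAX_AGE_PRIVILEGED = timedelta(days=30)   # assumption: policy only says "shorter"
WARN_BEFORE = timedelta(days=15)          # item (a)
MAX_FAILURES = 3                          # item (f)
PBKDF2_ROUNDS = 50_000                    # kept low for the example; raise in production


def _digest(password: str, salt: bytes) -> bytes:
    # Only salted digests are ever stored, never the clear-text password (item h).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def complexity_problems(password: str) -> list[str]:
    """Item (b): at least 8 characters, mixing letters and digits."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    return problems


@dataclass
class Account:
    user_id: str
    privileged: bool = False
    must_change: bool = True                      # first log-on / after reset (a, k)
    failures: int = 0
    locked: bool = False
    last_change: Optional[datetime] = None
    current: Optional[tuple[bytes, bytes]] = None  # (salt, digest)
    previous: list[tuple[bytes, bytes]] = field(default_factory=list)  # newest first

    def max_age(self) -> timedelta:
        return MAX_AGE_PRIVILEGED if self.privileged else MAX_AGE_USER

    def _matches(self, password: str, entry: tuple[bytes, bytes]) -> bool:
        salt, digest = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def _store(self, password: str, now: datetime) -> None:
        if self.current is not None:
            self.previous.insert(0, self.current)
            del self.previous[HISTORY_SIZE:]      # keep only the last five (e)
        salt = os.urandom(16)
        self.current = (salt, _digest(password, salt))
        self.last_change = now

    def set_password(self, new: str, now: datetime) -> list[str]:
        """User-initiated change. Returns rejection reasons; an empty list means accepted."""
        problems = complexity_problems(new)
        # Item (c): one change per day, except the forced change after a reset (k).
        if (not self.must_change and self.last_change is not None
                and now - self.last_change < MIN_AGE):
            problems.append("minimum password age of one day not reached")
        # Item (e): no re-use of the current or the five previous passwords.
        history = ([self.current] if self.current else []) + self.previous
        if any(self._matches(new, entry) for entry in history):
            problems.append(f"re-uses one of the last {HISTORY_SIZE + 1} passwords")
        if problems:
            return problems
        self._store(new, now)
        self.must_change = False
        return []

    def admin_reset(self, temporary: str, now: datetime) -> None:
        """Reset by the administrator after identity verification (j): the account is
        unlocked (g) and the user must replace the temporary password on first use (k)."""
        if complexity_problems(temporary):
            raise ValueError("temporary password does not meet item (b)")
        self._store(temporary, now)
        self.must_change = True
        self.locked = False
        self.failures = 0

    def login(self, password: str, now: datetime) -> str:
        """Returns 'locked', 'denied', 'change-required', 'expired', 'ok-warn' or 'ok'."""
        if self.locked:
            return "locked"
        if self.current is None or not self._matches(password, self.current):
            self.failures += 1
            if self.failures >= MAX_FAILURES:    # item (f): three failures lock the account
                self.locked = True
                return "locked"
            return "denied"
        self.failures = 0
        if self.must_change:
            return "change-required"
        age = now - self.last_change
        if age >= self.max_age():                # item (d): expired, change before use
            return "expired"
        if self.max_age() - age <= WARN_BEFORE:  # item (a): 15-day expiry warning
            return "ok-warn"
        return "ok"
```

Keeping every numeric limit as a named constant at the top lets an auditor compare the configured values directly with items a to f of the policy. The `ok-warn` state is where a system would surface the expiry warning; `expired` and `change-required` both grant access only to the password-change function.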

7.3.5 Review of User Access Rights

Control Statement: User access rights on systems used to provide services to Bharti Infratel shall

be reviewed at regular intervals, using a formal process.

Explanatory Notes: The review of access rights shall consider the following:

a. User access rights are reviewed at regular intervals, e.g., every three months, and after any change in employment status, such as promotion, demotion or termination;

b. Whenever a user moves from one position to another within the Third-party’s organisation, user access rights are to be reviewed and re-allocated;

c. Authorisations for special privileged access rights are reviewed at more frequent intervals, e.g., every month;

d. Privilege allocations are checked at regular intervals to ensure that unauthorised privileges

have not been obtained; and

e. Changes to privileged accounts are logged for periodic reviews.

7.4. User Responsibilities

All employees of Third-party with access to information systems and facilities that are used to

provide services to Bharti Infratel should be made aware of their responsibilities for maintaining

effective access controls, particularly regarding the use of passwords and the security of user

equipment. A ‘clear desk and clear screen’ policy shall be implemented at all locations and

functions of Bharti Infratel.

7.4.1 Password Use

Control Statement: The Third-party shall ensure that their employees follow good security

practices for the selection and use of passwords for systems that are used to provide services to

Bharti Infratel.

Explanatory Notes: The Third-party shall ensure that users with access to information or information systems that are used to provide services to Bharti Infratel are advised of the following:

a. Keeping passwords confidential and avoiding any recording of passwords, unless the record can be stored securely and the method of storage has been approved;

b. Changing passwords whenever there is any indication of possible system or password compromise;

c. Choosing a quality password that is easy to remember but difficult to guess; and

d. Changing passwords at regular intervals or based on the number of accesses (passwords for privileged accounts shall be changed more frequently than normal passwords).

7.4.2 Unattended User Equipment

Control Statement: The Third-party shall ensure that information systems that are used to provide services to Bharti Infratel are not left unattended without protection.

Explanatory Notes: Appropriate technical controls shall be applied to ensure that the information

systems are locked after a specified duration of inactivity (the duration should be kept as low as

possible). Employees of the Third-party shall be made aware of the security requirements and

procedures for protecting unattended equipment, as well as their responsibilities for implementing

such protection. The Third-party shall ensure that its employees:

Terminate active sessions when finished, or implement an appropriate locking mechanism, e.g., a password-protected screen saver;

Log off office PCs, servers and network devices when the session is finished (i.e., not just switch off); and

Use the key lock or an equivalent control to secure PC terminals from unauthorised use.

7.4.3 Clear desk and Clear Screen Policy

Control Statement: A clear desk policy for papers and removable storage media containing

information of Bharti Infratel and a clear screen policy for information processing units that are

used to provide services to Bharti Infratel shall be developed and implemented.

Explanatory Notes: Critical information on paper and removable media containing information of Bharti Infratel is required to be locked inside drawers after office hours or when the office is vacated by the user.

Information systems that are used to process, manage and/ or store information of Bharti Infratel

are required to be turned off or logged off when the users are away from their systems.

7.5. Network Access Control

Appropriate controls for user access to networks and network services shall be applied. The

controls shall ensure that:

Appropriate interfaces are in place to segregate the Bharti Infratel network from networks owned by other organisations and from public networks;

Appropriate authentication mechanisms are applied for users and equipment; and

Control of user access to the information services is enforced.

7.5.1 Policy on Use of Network Services

Control Statement: The Third-party shall ensure that its employees are provided the least access

privileges to the services which are necessary to perform the job.

Explanatory Notes: The Third-party shall ensure that its users shall be provided with access to the

services only on a ‘need-to-have’ basis. An authorisation process shall be developed and followed to

ensure that only users who are authorised can access the respective network segments and

services. These services are required to be reviewed at regular intervals.

Virtual Local Area Networks (hereinafter referred to as VLAN) should be created to segregate the

networks being used to provide services to Bharti Infratel.

7.5.2 User Authentication for External Connection

Control Statement: The Third-party shall ensure that adequate security controls are implemented

to authenticate users for external connections to systems that are used to provide services to

Bharti Infratel.

Explanatory Notes: The Third-party shall ensure that:

a. Remote access connections to networks being used to provide services to Bharti Infratel are

provided only to authorised users. This shall be authorised by Bharti Infratel;

b. Secure channels like Virtual Private Networks shall be implemented.

c. Modems connected to the end user workstations/laptops are configured to reject all

incoming traffic initiated from other external sources; and

d. Only approved remote control software is used in the network for external connections, if

required.

7.5.3 Equipment Identification in Network

Control Statement: Automatic equipment identification should be considered as a means to

authenticate connections from specific locations and equipment.

Explanatory Notes: Equipment identification shall be used, if it is important that the

communication can only be initiated from a specific location or equipment. An identifier shall be

used to indicate whether this equipment is permitted to be connected to the network used to

provide services to Bharti Infratel.

7.5.4 Remote Diagnostic and Configuration Port Protection

Control Statement: Physical and logical access to diagnostic and configuration ports shall be

controlled on systems/network devices that are used to provide services to Bharti Infratel.

Explanatory Notes: Ports, services and similar facilities enabled on the computers or networks that

are not specifically required for the business of Bharti Infratel shall be disabled or removed. Access

to diagnostic and configuration ports shall include the use of a key lock and supporting procedures

to control access to the port. These ports shall be used after appropriate approval and at the time

of diagnostic or configuration support only.

7.5.5 Segregation in Network

Control Statement: The Third-party shall ensure that segregation in network is implemented to

prevent any unauthorised access to systems in the network used to provide services to Bharti

Infratel.

Explanatory Notes: Networks carrying information that belongs to Bharti Infratel should be divided into separate physical and/or logical network domains. A graduated set of controls shall be applied in the different logical network domains to further segregate the network’s security environments.

The Third-party shall ensure that they segregate the network used for Bharti Infratel from the rest

of its network.

7.5.6 Network Connection Control

Control Statement: The Third-party should ensure that, in the case of shared networks (networks shared with a public network), the capability of users to connect to the network used to provide services to Bharti Infratel is restricted.

Explanatory Notes: The Third-party should ensure that the connection capability of users is

restricted through firewalls. FTP downloads and uploads from the Internet shall be permitted only

for business use and only after approval from Bharti Infratel.

The only exclusion to this is when fault logs are required to be sent to suppliers for repairs and/or

diagnostics of systems.

7.5.7 Network Routing Control

Control Statement: Routing controls should be implemented for networks to ensure that computer

connections and information flows are as per the Access Control Policy of BITSP.

Explanatory Notes: Network routing controls are based on positive source and destination address-

checking mechanisms. The Third-party shall ensure that they implement network routing controls

to prevent any unauthorised access to information systems that provide services to Bharti Infratel.

7.6. Operating System Access Control

Adequate security controls shall be implemented on the information systems that are used to

provide services to Bharti Infratel to restrict access to authorised users only. The controls shall

authenticate authorised users as per Access Control Policy and record the successful and failed

system authentication attempts.

7.6.1 Secure Log-on Procedure

Control Statement: The Third-party shall ensure that access to operating systems that are used to

provide services to Bharti Infratel are controlled by a secure log-on procedure.

Explanatory Notes: The operating systems that are used to provide services to Bharti Infratel are recommended to be controlled by a secure log-on procedure. The log-on procedure shall not disclose any version or configuration information about the system. The remote log-on procedure, if applicable and authorised, is recommended to be designed with encryption of the password during its transmission.

7.6.2 User Identification and Authentication

Control Statement: The Third-party shall ensure that its employees who have access to the

information systems that are used to provide services to Bharti Infratel shall be assigned a unique

login ID for accessing those information systems. A suitable authentication mechanism shall be used

to allow authorised users to access the information systems.

Explanatory Notes: The Third-party shall ensure that unique user id is assigned to each user who

needs to access the information systems that are used to provide services to Bharti Infratel. An

authentication system is required to be implemented to identify the user. As an exception,

group/shared ID may be used but an approval shall be obtained from Bharti Infratel. Additional

compensating controls shall be established in this case.

Authentication methods alternative to passwords, such as cryptographic means, smart cards, tokens or biometric means, shall be used where appropriate.

7.6.3 Password Management System

Control Statement: The system for managing passwords shall be interactive and capable of

implementing quality passwords on systems/network devices that are used to provide services to

Bharti Infratel.

Explanatory Notes: As passwords are the principal means of validating a user’s authority on a

system, a system that ensures the use of quality passwords shall be identified and implemented by

the Third-party.

7.6.4 Use of System Utilities

Control Statement: The use of utility programs shall be restricted and tightly controlled.

Explanatory Notes: Utility programs are those programs which are capable of changing

configuration parameters on the system. Access to such utilities shall be restricted only to

authorised personnel. A formal Change Management Process shall be followed before using utilities

that might be capable of overriding system parameters.

7.6.5 Session Time-Out

Control Statement: Inactive sessions of applications and systems shall shut down after a defined

period of inactivity.

Explanatory Notes: All information systems that are used to provide services to Bharti Infratel are

required to have a time-out facility to clear the session screen and also, possibly later, close both

application and network sessions after a defined period of inactivity. The sessions shall be shut

down to prevent access by unauthorised persons and the possibility of denial of service attacks. The

terminal time-out shall be configured for all the terminals connected to critical systems.

7.6.6 Limitation of Connection Time

Control Statement: Restrictions on connection times shall be configured on high-risk

applications/systems that are used to provide services to Bharti Infratel.

Explanatory Notes: The applications and information systems that are catering to sensitive

information of Bharti Infratel shall have restrictions on connection times as an additional security

control. The following shall be considered:

a. Using predetermined time slots, for e.g., for batch file transmissions, or regular interactive

sessions of short duration;

b. Restricting connection times to normal office hours if there is no requirement for overtime

or extended hours of operation;

c. Considering re-authentication at timed intervals.

7.7. Application and Information Access Control

Logical access to the application software that is used to provide services to Bharti Infratel

information shall be restricted to authorised users only. Appropriate security controls shall be used

to restrict access to application systems.

7.7.1 Information Access Restriction

Control Statement: The Third-party shall ensure that access to information and functional

application systems by users and support personnel is restricted.

Explanatory Notes: Access to application systems shall be restricted to users who require them.

The system administrator or the person performing the equivalent role shall maintain the updated

user access matrix detailing privileges assigned to them.

7.7.2 Sensitive System Isolation

Control Statement: Sensitive systems that are used to provide services to Bharti Infratel shall have

a dedicated (isolated) computing environment.

Explanatory Notes: The application systems hosting sensitive information of Bharti Infratel shall

not be hosted on a shared server. All such application systems are required to be identified and

hosted on an isolated dedicated server by the Third-party.

7.8. Mobile Computing and Teleworking

7.8.1 Mobile computing and communication

Control Statement: Appropriate security measures shall be adopted to protect against the risks of

using mobile computing and communication facilities.

Explanatory Notes: Mobile computing devices include laptops and handheld computing devices such as PDAs, BlackBerry devices and palmtops. The Third-party shall ensure that only authorised users have access

to such mobile computing devices that are used to provide services to Bharti Infratel. The

employees shall take special care of the mobile computing resources to prevent any compromise of

business information of Bharti Infratel.

7.8.2 Teleworking

Control Statement: An authorisation process shall be established and implemented for endorsing

teleworking requests.

Explanatory Notes: Teleworking means working from a remote site, in the sense that the Third-party may connect to the network (containing information of Bharti Infratel) from an outside site through the internet or any other remote connectivity. An adequate teleworking security process shall be established and implemented. At a minimum, the following should be addressed:

a. Use of two-factor authentication for authenticating the users of teleworking solutions;

b. Secure teleworking solutions for enabling users to remotely access information assets;

c. Physical security for all teleworking sites/devices.

8. Information Systems Acquisition, Development & Maintenance Policy (BITSP – 008)

8.1. Introduction

Bharti Infratel extends its information security requirements to the software developed by the

Third-party for providing services to Bharti Infratel. The Third-party shall ensure that information

security is integrated to information system acquisition, development and maintenance processes.

The security requirements shall be identified and agreed prior to the development and/ or

implementation of information systems. This methodology ensures that the software shall be

adequately documented and tested before it is used for critical information processing.

8.2. Policy Statement and Objective

The purpose of this policy is to ensure that the Third-party addresses the confidentiality, integrity and availability of all information assets and information processing facilities during their complete lifecycle and integrates security requirements into the Information System Acquisition, Development and Maintenance processes.

The objectives of this policy are to:

a. Strengthen the confidentiality, integrity and availability of applications developed by the

Third-party;

b. Ensure that information security is an integral part of information systems from the requirements phase onward and is carried into the design phase accordingly; and

c. Maintain the information security of application-system software and information during its

lifecycle.

8.3. Security Requirements of Information System

8.3.1 Security Requirements Analysis and Specification

Control Statement: The Third-party shall ensure that security requirements are established for the

development of new systems and for carrying out enhancements to existing systems.

Explanatory Notes: The Third-party is required to ensure that they consider appropriate automated

controls while designing the information systems that are used to provide services to Bharti

Infratel.

All new application systems developed/to be deployed by the Third-party to provide services to Bharti Infratel shall be formally reviewed for compliance with the security policy before being deployed in the production environment. The development, testing, operations and maintenance teams of the Third-party shall be trained on the security aspects of application development and maintenance.

8.4. Correct Processing in Application

It is crucial that correct processing is undertaken to prevent error, loss, unauthorised modification or misuse of information in applications. This is done by implementing security controls at the data input stage, the internal processing stage and, finally, the output stage.

8.4.1 Input Data Validation

Control Statement: Appropriate security controls shall be built into the applications to validate the

data entered in the application system.

Explanatory Notes: System requirements specification shall include controls in the application for

the input data provided. Periodic reviews of the content of key fields or data files to confirm their

validity and integrity shall be conducted by the Third-party. Procedures for responding to validation

errors and defining the responsibilities of personnel involved in the data input process shall be

documented by the Third-party.

8.4.2 Control of Internal Processing

Control Statement: Validation checks shall be incorporated into the applications developed to

provide services to Bharti Infratel, to detect any corruption of information through processing

errors or deliberate acts.

Explanatory Notes: Risks associated with processing facilities shall be minimised by considering security controls in the design and implementation phases of application development and deployment. Specific security controls that are required to be incorporated at this stage are as follows:

a. Session or batch controls, to reconcile data file balances after transaction updates;

b. Balancing controls, to check opening balances against previous closing balances, namely:

i. Run-to-run controls;

ii. File update totals;

iii. Program-to-program controls;

c. Validation of system-generated input data;

d. Checks on the integrity, authenticity or any other security feature of data or software

downloaded, or uploaded, between central and remote computers;

e. Hash totals of records and files;

f. Checks to ensure that application programs are run at the correct time;

g. Checks to ensure that programs are run in the correct order and terminate in case of a

failure, and that further processing is halted until the problem is resolved;

h. Creating a log of the activities involved in the processing.

8.4.3 Message Integrity

Control Statement: The requirements for ensuring authenticity and protecting message integrity in

application shall be identified and appropriate controls identified and implemented.

Explanatory Notes: Message integrity shall be protected by appropriate cryptographic controls when developing applications that will be used to provide services to Bharti Infratel. This concerns methods that ensure that the contents of a message have not been tampered with or altered. Message integrity protection requirements shall be identified by the Third-party for the applications and information systems, and the controls for integrity shall be implemented. An assessment of security risks shall be carried out by the Third-party to determine whether message integrity protection is required. The appropriate method of message integrity check shall be selected as per the risk assessment results.
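One way to implement the hash-total control of 8.4.2 (e) and the message-integrity control of this section together, as an added example that is not part of the policy or of any Bharti Infratel system: the sender attaches a record count and a SHA-256 hash total over the records (the modern equivalent of a batch control total) and then an HMAC over the whole payload under a shared key; the receiver verifies the HMAC before trusting anything inside the message, re-checks the count and hash total, and the same hash total can be recomputed after processing to confirm that what is now stored matches what was accepted at input. The sample records, the key and the function names are constructed for this example; a real key would come from the key-management procedure in 8.5.2.

```python
"""Batch integrity: hash total (8.4.2 e) plus HMAC message integrity (8.4.3). Added example."""
import hashlib
import hmac
import json

# Constructed sample batch standing in for records an application exports to a remote system.
SAMPLE_BATCH = [
    {"record_id": 1001, "site": "TWR-0001", "amount": 1250.00},
    {"record_id": 1002, "site": "TWR-0002", "amount": 980.50},
    {"record_id": 1003, "site": "TWR-0003", "amount": 1475.25},
]
# Constructed key for the example only; real keys are issued under key management (8.5.2).
SHARED_KEY = b"example-shared-key-do-not-use-in-production"


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so sender and receiver hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def hash_total(records) -> str:
    """Hash total over the batch: one SHA-256 over every record in order.
    A changed, dropped, added or re-ordered record changes the total."""
    h = hashlib.sha256()
    for record in records:
        h.update(canonical(record))
        h.update(b"\n")
    return h.hexdigest()


def seal_batch(records, key: bytes) -> dict:
    """Sender side: embed count and hash total, then an HMAC over the whole payload."""
    body = {"count": len(records), "hash_total": hash_total(records), "records": records}
    payload = canonical(body)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode("utf-8"), "tag": tag}


def verify_batch(message: dict, key: bytes) -> tuple:
    """Receiver side: check the HMAC first (authenticity of the whole message),
    then the application-level controls carried inside it."""
    payload = message["payload"].encode("utf-8")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):   # constant-time comparison
        return False, "HMAC mismatch: payload altered in transit or wrong key"
    body = json.loads(payload)
    if body["count"] != len(body["records"]):
        return False, "record count mismatch"
    if body["hash_total"] != hash_total(body["records"]):
        return False, "hash total mismatch"
    return True, "ok"


def load_records(message: dict) -> list:
    """Records as the receiving application would store them after acceptance."""
    return json.loads(message["payload"])["records"]


def stored_batch_intact(records, expected_total: str) -> bool:
    """Run-to-run style check (8.4.2): recompute the total over what is now stored
    and compare it with the total accepted at input."""
    return hash_total(records) == expected_total
```

The HMAC covers the count and hash total as well as the records, so an attacker without the key cannot adjust the embedded controls to match an altered record set; the hash total on its own still catches accidental corruption of the stored batch between processing runs, where no key is involved.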

8.4.4 Output Data Validation

Control Statement: Data output from an application shall be validated to ensure that the

processing of stored information is correct and appropriate to the circumstances.

Explanatory Notes: During the development stage of application systems, data generated from the

application system after processing of the stored information shall be validated to ensure that

output is correct and appropriate.

8.5. Cryptographic Controls

8.5.1 Policy on Use of Cryptographic Controls

Control Statement: Use of cryptographic controls for the protection of information shall be

implemented.

Explanatory Notes: The appropriate cryptographic controls shall be applied to protect information

assets which require stringent security. Examples of cryptographic controls are public and private

key cryptosystems. Third-party shall define and deploy the procedures for maintenance of the keys.

8.5.2 Key Management

Control Statement: The key management procedures shall be put in place to support the use of

cryptographic techniques.

Explanatory Notes: Wherever required, the appropriate encryption controls shall be implemented

by Third-party to protect the confidentiality and integrity of information on the applications/

systems that are used to provide services to Bharti Infratel. The encryption type and other

implementation details shall be decided by Third-party after taking into account relevant

legislative and regulatory requirements.

The access to sensitive commands pertaining to encryption key data on the devices shall be

restricted to key administrators only. The activities of the users having access to such sensitive

commands shall be appropriately logged and monitored periodically.

8.6. Security of System Files

8.6.1 Control of Operational Software

Control Statement: The procedures shall be put in place to control the installation of software on

operational systems. The controls to implement software on operational systems to minimise the

risk of corruption of operational systems shall be deployed.

Explanatory Notes: Applications and operating system software shall only be implemented after extensive and successful testing. All tests shall be carried out on separate systems, and the test results shall be documented for the tests on usability, security, effects on other systems and user-friendliness. The Third-party shall ensure that all corresponding program source libraries have been updated. Modifications to the operational environment shall be logged, and previous versions shall be maintained for contingency/roll-back purposes. The operational systems shall only hold executable code.

8.6.2 Protection of System Test Data

Control Statement: The Third-party shall ensure that test data is selected carefully and is protected and controlled.

Explanatory Notes: Test data that contains classified information of Bharti Infratel shall be secured and controlled appropriately in the testing environment, and the Third-party shall ensure that this information is not leaked outside. The Third-party shall ensure that the test data is secured and sanitised during testing. Testing reports shall be documented and maintained until the new application stabilises. These reports shall be stored securely and be available to authorised personnel of the Third-party.

8.6.3 Access Control to Program Source Code

Control Statement: The access to program source code of operational systems that are used to

provide services to Bharti Infratel shall be restricted.

Explanatory Notes: The Third-party shall identify program librarians to maintain the source libraries of operational application systems in a configuration management database. All source code shall be stored in a secure environment. All updates or issues of program sources to developers shall be carried out through an authorised request. Configuration changes to program source code shall be made through the configuration management process to prevent any unauthorised or unintentional changes. Previous versions of source programs shall be archived, with a clear indication of the precise dates and times when they were operational, together with all supporting software, job control, data definitions and procedures.

8.7. Security in Development and Support Processes

8.7.1 Change Control Procedure

Control Statement: The changes to application systems shall be carried out in a controlled manner

as per a formal Change Management Process developed by the Third-party.

Explanatory Notes: A formal Change Management Process is required to be developed and

implemented for all changes pertinent to Bharti Infratel applications and systems. The Third-party

shall ensure:

a. The recording of changes in change request forms and approval of change requests;

b. That impact assessment due to the change is being carried out;

c. The documentation of changes is being carried out; and

d. The changes shall not be carried out in production environment directly; all changes shall

be applied to development/ test environment.

8.7.2 Technical Review of Applications after Operating System Changes

Control Statement: When operating systems are upgraded, business critical applications shall be

reviewed and tested to ensure there is no adverse impact on operations and security of applications

that are used to provide services to Bharti Infratel.

Explanatory Notes: A review of application control and integrity procedures shall be done to ensure that they have not been compromised by the operating system changes. The Third-party shall ensure that notification of an operating system change is provided in time to allow appropriate tests to be carried out.

8.7.3 Restrictions on Changes to Software Packages

Control Statement: Vendor-supplied software packages shall, as far as possible, not be modified without consulting the vendor.

Explanatory Notes: The Third-party shall ensure that vendor-supplied software packages are not changed. If changes are essential, the original software shall be retained and the changes applied to a clearly identified copy. In such cases, changes shall be carried out only by authorised users. Risk factors, such as the vendor’s continued support for maintenance of the application and the compromise of built-in controls, shall be considered before making any change to the software.

8.7.4 Information Leakage

Control Statement: The risks related to information leakage shall be prevented for systems that

are used to provide services to Bharti Infratel.

Explanatory Notes: The following controls shall be considered for preventing information leakage:

a. Scanning of outbound media and communications for hidden information;

b. Making use of systems and software that are considered to be of high integrity, e.g. using

evaluated products;

c. Regular monitoring of personnel and system activities, where permitted under existing

legislation or regulation; and

d. Monitoring resource usage in computer systems.

8.7.5 Outsourced Software Development

Control Statement: Third-party shall ensure the monitoring and review of any further outsourced software development.

Explanatory Notes: For customised software (not off the shelf/ standard offerings) developed by Third-party's sub-contractor, the arrangements pertaining to licensing, code ownership and intellectual property rights shall be documented in the contract between Third-party and its sub-contractor. As applicable, the contract shall also include, at a minimum, Third-party's and/ or Bharti Infratel's right to audit the quality and accuracy of the software development and testing work carried out by the sub-contractor vendor. Such software code shall also have escrow arrangements.

8.8. Technical Vulnerability Management

8.8.1 Control of Technical Vulnerabilities

Control Statement: Timely information about technical vulnerabilities shall be obtained for the information systems that are used to provide services to Bharti Infratel, and timely and appropriate measures shall be taken to address the associated risk.

Explanatory Notes: All technical vulnerabilities of information systems that are used to provide services to Bharti Infratel shall be identified and documented. Appropriate measures shall be taken to address the associated risk. Timelines shall be defined for responding to technical vulnerabilities observed in the system. Third-party shall define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, and any coordination responsibilities required. All patching shall be carried out through a formal Patch Management Process.

9. Information Security Incident Management Policy (BITSP – 009)

9.1. Introduction

The Information Security Incident Management Policy provides directions to develop and implement the information security incident management process for networks and computers, improving user security awareness, enabling early detection and mitigation of security incidents, and suggesting the actions that can be taken to reduce the risk due to security incidents.

9.2. Policy Statement and Objective

All security breaches or attempts to breach, and all identified security weaknesses in information systems and processing facilities that are used to provide services to Bharti Infratel, shall be reported. The information security incident management process shall ensure that all reported security breaches or weaknesses are responded to promptly and that appropriate actions are taken to prevent recurrence.

The objectives of this policy are to:

a. Develop proactive measures to minimise the impact of any incident on information systems and processing facilities associated with the information;
b. Create awareness among users of Third-party and encourage them to report the security weaknesses and/ or incidents that they identify or notice;
c. Enable the proactive management of problems by capturing data that can be used to analyse trends and problem areas, thereby preventing security incidents from occurring; and
d. Learn from incidents and continually improve.

9.3. Security Incident Identification

a. A security incident is the act of violating an explicit or implied security policy. The actions that may be classified as incidents include, but are not limited to, the following:

i. Attempts to gain unauthorised access to a system or its data, including masquerading or spoofing as authorised users;
ii. Unwanted disruption or denial of service;
iii. The unauthorised use of a system for the processing or storage of data by authorised/ unauthorised users;
iv. Changes to the system hardware, firmware or software characteristics and data without the application/ information system owner's knowledge;
v. The existence of unknown user accounts;
vi. Information system failures;
vii. Malicious code;
viii. Denial of service;
ix. Errors resulting from incomplete or inaccurate business data (for example, invalid input, failed processes);
x. Breaches of confidentiality and integrity; and/ or
xi. Misuse of information systems.

9.4. Reporting Information Security Events and Weaknesses

9.4.1 Reporting Information Security Events

Control Statement: Information security events within the Third-party organisation concerning those information assets that are used to provide services to Bharti Infratel shall be reported to the incident management team within Third-party.

Explanatory Notes: Third-party shall ensure that they have an incident management team in place to respond to information security incidents pertaining to information assets of Bharti Infratel. This team shall submit security incident reports to Bharti Infratel on request.

A formal Information Security Incident Management Process shall be developed and implemented within the Third-party organisation. The process shall include incident reporting, incident response, escalation and incident resolution pertinent to Bharti Infratel information. Third-party employees shall be made aware of their responsibilities regarding information security incident management.

9.4.2 Reporting Information Security Weaknesses

Control Statement: Third-party shall ensure that their employees note and report any observed or suspected security weaknesses in systems or services that are used to provide services to Bharti Infratel.

Explanatory Notes: All employees of Third-party shall report information security weaknesses to their Incident Management Team. Users shall not attempt to prove the suspected security weaknesses. In addition, users shall not test for the existence of a vulnerability in any information system used to provide services to Bharti Infratel.

9.5. Security Incident Response, Recovery and Improvements

9.5.1 Responsibilities and Procedures

Control Statement: Responsibilities and supporting procedures shall be established to ensure a quick, effective and orderly response to information security incidents.

Explanatory Notes: Responsibilities shall be identified and defined within the Third-party organisation to ensure a quick, efficient and systematic response to information security incidents. Procedures shall be established to handle the different types of information security incidents. A formal review shall be conducted after recovery from the incident has been completed (within two weeks). A feedback mechanism shall be available to identify improvements to the incident handling process.

Audit trails and similar evidence shall be collected during the whole incident handling process, from the initial incident report to the incident follow-up. The audit trails shall be used for the following:

a. Internal problem analysis (or root cause analysis) of how the incident occurred;
b. As forensic evidence in relation to a potential contract breach or regulatory requirement, or in the event of civil or criminal proceedings, and shall include the following types of logs:
i. Communication log;
ii. Incident survey, containment and eradication logs; and
iii. Raw data, i.e. actual system logs;
c. Retention of incident reports and logs shall be in accordance with the legal and regulatory requirements; and
d. The incident handling procedures shall be regularly reviewed and tested to establish their ongoing effectiveness.

9.5.2 Learning from Information Security Incidents

Control Statement: The information gained from the evaluation of information security incidents shall be used to reduce the recurrence of security incidents.

Explanatory Notes: Third-party shall ensure that there are mechanisms in place to enable the types, volumes and costs of information security incidents to be quantified and monitored. The information gained from the evaluation of information security incidents should be used to identify recurring or high impact incidents.

9.5.3 Collection of Evidence

Control Statement: Third-party shall ensure that they collect a sufficient amount of evidence during the incident analysis phase.

Explanatory Notes: Third-party shall ensure that evidence is collected in a manner that does not destroy its evidentiary value. While collecting evidence, the following shall be considered by Third-party:

a. Applicability of evidence: whether the evidence can be used in court; and
b. Weightage of evidence: the quality and completeness of the evidence.

10. Business Continuity Management Policy (BITSP – 010)

10.1. Introduction

Bharti Infratel recognises the criticality and needs of its business and understands the importance of the availability of its information, information systems and processing facilities. The dependency of Bharti Infratel's business on Third-party requires Third-party to develop and maintain business continuity plans to ensure timely resumption of essential operations in case of disasters pertinent to Bharti Infratel business.

10.2. Policy Statement and Objective

Information systems shall be planned for the continuity of operations in the event of disasters. A documented Business Continuity Management Plan shall be maintained, tested and updated by Third-party for systems that are critical and are used to provide services to Bharti Infratel.

The objectives of this policy are to:

a. Identify the critical business processes and integrate the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transport and facilities;
b. Strengthen the continuity of services offered to Bharti Infratel in case of any disaster; and
c. Provide a disaster recovery plan to understand the current state, mitigate risks and plan for recovery.

10.3. Information Security Aspects of Business Continuity Management

Third-party shall ensure that a Business Impact Analysis (BIA) is carried out for all business processes to assess the consequences of disasters, security failures, loss of services and service availability to Bharti Infratel. Business continuity management shall include the controls required for the identification and mitigation of risks, in addition to the general risk assessment process, to limit the consequences of damaging incidents and ensure that information required for the business processes is readily available to serve Bharti Infratel.

10.3.1 Including Information Security in the Business Continuity Management Process

Control Statement: A business continuity management process should be developed for the processes and facilities that are used to provide services to Bharti Infratel. It should include the information security requirements of Bharti Infratel.

Explanatory Notes: The business continuity plan developed by Third-party should include the risk assessment, prioritisation and treatment for the critical services to Bharti Infratel. The business continuity management process shall be able to identify the impact on business of interruptions caused by information security incidents.

10.3.2 Business Continuity and Risk Assessment

Control Statement: Events that can cause interruptions to business processes pertinent to Bharti Infratel should be identified, along with their probability and impact on business continuity.

Explanatory Notes: A risk assessment should be executed for all applicable assets required for business continuity, considering all the events that can cause disruption to the Third-party services to Bharti Infratel. The threats/ events that shall be considered include man-made error/ disaster, natural disaster and technical failure.

10.3.3 Developing and Implementing Continuity Plans including Information Security

Control Statement: Plans shall be developed and implemented to maintain and restore operations and ensure the availability of services that are used to provide further services to Bharti Infratel at the required level and within the required time scales.

Explanatory Notes: Business continuity management plans shall be developed and implemented by Third-party to maintain and restore operations and ensure the availability of services, considering the recovery time objective (RTO), recovery point objective (RPO) and information security requirements for the critical applications/ business processes, along with the acceptable loss of information and services to Bharti Infratel.

10.3.4 Business Continuity Planning Framework

Control Objective: A business continuity planning framework shall be developed to ensure all plans are consistent and consistently address information security requirements.

Explanatory Notes: The controls that are required to ensure the availability of information and information systems being used to provide services to Bharti Infratel shall be identified. A consolidated and consistent approach for the continuity of all important business processes, applications and information processing facilities shall be included in the business continuity planning framework.

10.3.5 Testing, Maintaining and Re-assessing Business Continuity Plans

Control Statement: Business continuity plans should be tested and updated as per the test plan.

Explanatory Notes: Each Third-party shall ensure that:

a. The developed business continuity plan is tested at defined intervals;
b. The developed business continuity plan is effective;
c. The relevant controls with their corresponding roles and responsibilities are maintained, working and known to the concerned individuals of the BCP team;
d. The effectiveness of business continuity plans is measured and reviewed; and
e. The test results are presented to Bharti Infratel on request.

11. Compliance Policy (BITSP – 011)

11.1. Introduction

The Compliance Policy sets out the compliance requirements of Bharti Infratel from its Third-party. Third-party shall ensure that effective arrangements to comply with statutory, regulatory and contractual requirements are implemented in their organisation for the information assets that are used to provide services to Bharti Infratel.

11.2. Policy Statement and Objective

A compliance culture shall be established that helps the organisation prevent breaches of any law or regulatory requirement and helps in complying with the organisation's security policies and standards.

The objectives of this policy are to:

a. Avoid breaches of any law, statutory, regulatory or contractual obligations, and security requirements;
b. Ensure that Third-party employees and their sub-contractor users are aware of regulatory and contractual security requirements which may have an impact on their responsibilities towards Bharti Infratel;
c. Assist in complying with the organisation's security policies; and
d. Maximise the effectiveness of, and minimise interference to/from, the information systems audit process.

11.3. Compliance with Legal Requirements

11.3.1 Identification of Applicable Legislation

Control Statement: All relevant statutory, regulatory and contractual requirements, and the approach to meet these requirements, shall be defined, documented and kept up to date.

Explanatory Notes: A list of all relevant statutory, regulatory and contractual requirements shall be maintained by Third-party.

11.3.2 Intellectual Property Rights (IPR)

Control Statement: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights, and on the use of proprietary software products that are used to provide services to Bharti Infratel.

Explanatory Notes: Third-party shall ensure the following:

a. Acquiring software only through reputable sources;
b. Maintaining proof of ownership of licences of software procured to provide services to Bharti Infratel;
c. Carrying out checks that only authorised and licensed software is used to provide services to Bharti Infratel; and
d. Bharti Infratel reserves the right to audit the Third-party for all/ any authorised and/ or licensed software used to provide services to Bharti Infratel.

11.3.3 Protection of Organisational Records

Control Statement: Organisational records pertinent to Bharti Infratel shall be protected from loss, damage and falsification in accordance with the relevant legislative, regulatory and contractual requirements.

Explanatory Notes: The mechanism used for the storage and handling of records pertinent to Bharti Infratel shall ensure clear identification of records and of the retention period as defined by national or regional legislation or regulations.

a. Records pertinent to Bharti Infratel shall be retained and stored as per the Control of Record Procedure;
b. The Information Labelling and Handling Guidelines and the Media Disposal Procedure shall be applicable to records pertinent to Bharti Infratel;
c. The review period and review rights of Bharti Infratel institutionalised records shall be defined; and
d. The backup of records pertinent to Bharti Infratel shall adhere to the Back-up Procedure.

11.3.4 Data Protection and Privacy of Personal Information

Control Statement: Data protection and privacy, as required in relevant legislation, regulations and, if applicable, contractual clauses, shall be ensured.

Explanatory Notes: A data protection and privacy policy shall be developed and implemented. This policy should be communicated to all persons involved in the processing of personal information of Bharti Infratel's customers. Third-party shall ensure that they adhere to the Bharti Infratel information security policy for protecting personal information of Bharti Infratel's customers.

11.3.5 Prevention of Misuse of Information Processing Facilities

Control Statement: Appropriate access controls shall be implemented to prevent users from misusing the information systems and/ or facilities that are used to provide services to Bharti Infratel.

Explanatory Notes: Third-party shall ensure that their users are prevented from misusing the information processing systems/ facilities that are used to provide services to Bharti Infratel. Adequate detection and monitoring controls shall be implemented to prevent any misuse of the information systems/ facilities.

11.3.6 Regulation of Cryptographic Controls

Control Statement: Appropriate cryptographic controls, in compliance with the relevant agreements, laws and regulations, shall be identified and applied.

Explanatory Notes: Legal advice shall be sought to ensure compliance with national laws and regulations. The appropriate procedure for compliance assurance shall be documented and maintained by the Legal function.

11.3.7 Compliance with BITSP

Control Statement: Third-party shall ensure compliance with the BITSP.

Explanatory Notes: Third-party shall ensure compliance with the BITSP. Bharti Infratel reserves the right to audit the Third-party as per the controls of the BITSP applicable to them. Third-party shall ensure that they implement all those controls applicable to them. Non-compliance with the BITSP may be subject to penalty charges as mentioned in the business contract.

11.3.8 Technical Compliance Checking

Control Statement: Information systems shall be regularly checked for compliance with security standards.

Explanatory Notes: Technical compliance checking shall cover penetration testing and vulnerability assessments of systems/ network devices that are used to provide services to Bharti Infratel. All identified vulnerabilities shall be analysed and fixed within a defined time-frame. Bharti Infratel reserves the right to review the vulnerability closure report and/ or conduct technical compliance checking on the Third-party network.

11.4. Information Systems Audit Considerations

11.4.1 Information Systems Audit Controls

Control Statement: Third-party shall ensure that audit requirements and activities involving checks on operational systems are carefully planned and agreed, to minimise the risk of disruption to services pertinent to Bharti Infratel.

Explanatory Notes: Audit activities involving checks on operational systems shall be carefully planned, as they may result in service disruption and in turn affect the services for Bharti Infratel. Third-party shall ensure that such checks are limited to read-only access.

11.4.2 Protection of Information Systems Audit Tools

Control Statement: Third-party shall ensure that information system audit tools are protected to prevent their misuse.

Explanatory Notes: Information system audit tools shall be separated from development and operational systems. An authorisation process shall be developed to control access to the audit tools. Third-party shall ensure that they provide adequate controls to prevent audit tools from running in the environment that carries information of Bharti Infratel.