Dashboard
ISO 27001:2022 Annex A Assessment
Composite score below 50%. Significant implementation work is required before pursuing ISO 27001 certification.
Disclaimer: This assessment is an internal tracking aid only. ISO 27001 certification requires a formal Stage-1 + Stage-2 audit conducted by a certification body accredited by an IAF-recognised accreditation body (e.g., JAS-ANZ or NABCB).
Define, approve at management level, publish, and communicate a set of information security policies. Policies must be reviewed at planned intervals and when significant changes occur. Ensure each policy has an owner and a review date; store approved versions in a document management system accessible to all staff.
Assign and document information security roles (CISO, data owner, system custodian, end-user) in job descriptions and an RACI matrix. Every information asset must have a named owner responsible for its protection. Confirm roles are communicated during onboarding and re-confirmed annually.
Maintain a comprehensive asset register covering hardware, software, data assets, and services. Each asset entry should record: asset ID, description, owner, classification, location, and disposal method. Review and reconcile the asset register at least annually and after significant infrastructure changes.
Define an information classification scheme (e.g., Public / Internal / Confidential / Restricted) with clear criteria for each level. Document which business data types map to which classification. Provide decision-tree guidance to help staff classify new documents correctly at creation.
Establish and document an access control policy based on need-to-know and least privilege. Define access provisioning, review, and revocation processes. Conduct access reviews at least quarterly for privileged accounts and annually for standard accounts. The policy should cover logical, physical, and remote access.
Maintain a full lifecycle management process for all identities (employees, contractors, service accounts, machine identities). Every identity must be uniquely identifiable (no shared accounts). Implement a joiner-mover-leaver process integrated with HR; automate deprovisioning within 24 hours of termination, and revoke active sessions, tokens, and keys as well as disabling the account. Reconcile the HR roster against identity-provider accounts regularly to catch orphaned and unrevoked access.
Define password/passphrase policies (minimum length, complexity, no reuse, no default credentials, screening against known-breached password lists). Require MFA for all remote access and privileged accounts. Provide a secure password manager to all staff. Audit authentication configuration against policy quarterly. Do not allow passwords to be stored or transmitted in plaintext.
Implement a formal request, approval, provisioning, and review process for all access rights. Access to sensitive systems requires documented manager approval. Maintain a register of privileged access grants. Conduct quarterly reviews of privileged rights and annual reviews of all other rights; document and action findings.
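The identity lifecycle and access review controls above are only testable if someone actually compares the HR roster against the identity provider. The following is an added example, not part of this assessment or any vendor tool: it reconciles a constructed HR feed against a constructed IdP account export and flags leavers still enabled past the 24-hour deprovisioning SLA, shared and orphaned accounts, privileged grants with no recorded approval, and accounts whose last review is older than the quarterly (privileged) or annual (standard) interval. Field names, the fixed "now" timestamp, and all records are assumptions for illustration.

```python
"""Joiner-mover-leaver and access-review reconciliation (added example).

Compares an HR feed with an identity-provider export and returns findings
per account. All data below is constructed for the example; the field
names are assumptions, not any particular HR or IdP schema.
"""
from datetime import datetime, timedelta

DEPROVISION_SLA = timedelta(hours=24)
# Review interval keyed by whether the account is privileged:
# quarterly for privileged rights, annual for everything else.
REVIEW_INTERVAL = {True: timedelta(days=90), False: timedelta(days=365)}

# Fixed reference time so the run is deterministic (assumed, not real).
NOW = datetime.fromisoformat("2024-05-03T20:00:00+00:00")

# Constructed HR feed: one row per person; "terminated" is None while active.
HR_FEED = [
    {"employee_id": "E100", "email": "alice@example.com", "terminated": None},
    {"employee_id": "E101", "email": "bob@example.com", "terminated": "2024-05-01T09:00:00Z"},
    {"employee_id": "E102", "email": "carol@example.com", "terminated": "2024-05-03T10:00:00Z"},
    {"employee_id": "E103", "email": "dave@example.com", "terminated": None},
]

# Constructed IdP export. "owners" lists the HR emails accountable for the
# account; a uniquely attributable account has exactly one owner.
IDP_ACCOUNTS = [
    {"username": "alice", "owners": ["alice@example.com"], "enabled": True,
     "privileged": True, "approval_ref": "CHG-1", "last_review": "2024-01-10T00:00:00Z"},
    {"username": "bob", "owners": ["bob@example.com"], "enabled": True,
     "privileged": False, "approval_ref": "CHG-2", "last_review": "2024-04-01T00:00:00Z"},
    {"username": "carol", "owners": ["carol@example.com"], "enabled": True,
     "privileged": False, "approval_ref": "CHG-3", "last_review": "2024-04-15T00:00:00Z"},
    {"username": "svc-backup", "owners": [], "enabled": True,
     "privileged": True, "approval_ref": "CHG-4", "last_review": "2024-03-01T00:00:00Z"},
    {"username": "shared-admin", "owners": ["alice@example.com", "dave@example.com"],
     "enabled": True, "privileged": True, "approval_ref": "CHG-5",
     "last_review": "2024-04-20T00:00:00Z"},
    {"username": "dba-root", "owners": ["alice@example.com"], "enabled": True,
     "privileged": True, "approval_ref": None, "last_review": "2024-04-25T00:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp; normalise a trailing Z for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def reconcile(hr_feed, idp_accounts, now):
    """Return {username: [finding codes]} for every account with a problem."""
    people = {p["email"]: p for p in hr_feed}
    findings = {}
    for acct in idp_accounts:
        codes = []
        owners = acct["owners"]
        # Rule: no shared accounts; every identity maps to one accountable person.
        if len(owners) > 1:
            codes.append("SHARED_ACCOUNT")
        # Rule: every account needs a named owner who exists in HR.
        if not owners or any(o not in people for o in owners):
            codes.append("ORPHAN")
        # Rule: leavers are disabled within 24 hours of termination.
        if acct["enabled"]:
            for owner in owners:
                term = people.get(owner, {}).get("terminated")
                if term and now - parse_ts(term) > DEPROVISION_SLA:
                    codes.append("LEAVER_NOT_DISABLED")
                    break
        # Rule: privileged access requires documented approval.
        if acct["privileged"] and not acct.get("approval_ref"):
            codes.append("PRIV_NO_APPROVAL")
        # Rule: reviews are quarterly for privileged, annual otherwise.
        if now - parse_ts(acct["last_review"]) > REVIEW_INTERVAL[acct["privileged"]]:
            codes.append("REVIEW_OVERDUE")
        if codes:
            findings[acct["username"]] = codes
    return findings


if __name__ == "__main__":
    for user, codes in sorted(reconcile(HR_FEED, IDP_ACCOUNTS, NOW).items()):
        print(f"{user:14} {', '.join(codes)}")
```

With the constructed data, carol's account is terminated but still inside the 24-hour window, so it produces no finding; bob's is two days past termination and is flagged. Feeding a real HR export and IdP report into `reconcile` and keeping the output is a straightforward way to evidence the review requirement at audit time.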
Define and document an incident management process covering detection, triage, containment, eradication, recovery, and post-incident review. Assign an Incident Response Team (IRT) with documented roles. Conduct at least one tabletop exercise per year. Ensure the process includes escalation paths and regulatory notification obligations (the CERT-In direction requiring incident reporting within 6 hours of notice, and DPDP Act breach notification obligations).
Execute incident response according to documented procedures, ensuring containment actions are taken swiftly and evidence is preserved forensically where required. Maintain an incident log with timeline, actions taken, decisions made, and personnel involved. Notify relevant stakeholders and authorities within required timeframes.
Identify and document all legal, statutory, regulatory (IT Act 2000, DPDP Act 2023, CERT-In directions, sector regulators such as RBI/SEBI/IRDAI), and contractual requirements relevant to information security. Assign ownership for each compliance obligation. Review the register at least annually and when regulations change.
Establish and maintain a privacy program aligned to applicable privacy regulations (DPDP Act 2023 in India). Define roles (Data Fiduciary, Data Principal), data processing purposes, consent mechanisms, and data subject rights handling. Maintain a Record of Processing Activities (RoPA). Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing.
Deliver mandatory information security awareness training to all staff at onboarding and annually thereafter. Training must cover phishing recognition, password hygiene, data classification, incident reporting, and relevant policies. Track completion rates and maintain training records. Conduct phishing simulation exercises at least twice per year and use results to target further training.
Establish and communicate a clear, easy-to-use channel for staff to report security events (suspicious emails, lost devices, unauthorized access). Define what constitutes a reportable event. Set a target reporting time (e.g., within 2 hours of discovery). Provide a no-blame culture to encourage reporting. Measure the number of events reported as a security culture metric.
Establish and enforce security configuration standards for all user endpoint devices (laptops, desktops, mobile phones, tablets). Minimum requirements: full-disk encryption, EDR/antivirus, MDM enrollment, OS and software patching within defined SLAs, and screen lock. Maintain a device inventory and compliance dashboard. Block unmanaged devices from accessing corporate resources.
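The endpoint standard above is easiest to enforce when the compliance dashboard and the access decision are computed from the same device inventory. The following is an added example, not part of this assessment or any MDM product: it evaluates constructed inventory records against the minimum requirements listed (full-disk encryption, EDR, MDM enrollment, patching within an SLA, screen lock), produces a compliance summary, and derives an access decision in which unmanaged devices are blocked and managed but non-compliant devices are sent for remediation. The 14-day patch SLA, the record fields, and the fixed reference date are assumptions for illustration.

```python
"""Endpoint compliance evaluation (added example).

Checks constructed device inventory records against the minimum endpoint
requirements and returns a dashboard summary plus a per-device access
decision. Field names and the patch SLA are assumptions for the example.
"""
from datetime import date, timedelta

PATCH_SLA = timedelta(days=14)          # assumed SLA; the page says "defined SLAs"
TODAY = date(2024, 5, 3)                # fixed reference date for a deterministic run

# Constructed inventory, as an MDM or asset system might export it.
DEVICES = [
    {"device_id": "L-001", "mdm_enrolled": True, "disk_encrypted": True,
     "edr_running": True, "screen_lock": True, "last_patched": date(2024, 4, 28)},
    {"device_id": "L-002", "mdm_enrolled": True, "disk_encrypted": False,
     "edr_running": True, "screen_lock": True, "last_patched": date(2024, 4, 30)},
    {"device_id": "M-003", "mdm_enrolled": False, "disk_encrypted": True,
     "edr_running": False, "screen_lock": True, "last_patched": date(2024, 5, 1)},
    {"device_id": "L-004", "mdm_enrolled": True, "disk_encrypted": True,
     "edr_running": True, "screen_lock": False, "last_patched": date(2024, 3, 20)},
]


def failed_requirements(device, today):
    """Return the list of minimum requirements this device does not meet."""
    failures = []
    if not device["mdm_enrolled"]:
        failures.append("mdm_enrollment")
    if not device["disk_encrypted"]:
        failures.append("full_disk_encryption")
    if not device["edr_running"]:
        failures.append("edr")
    if not device["screen_lock"]:
        failures.append("screen_lock")
    if today - device["last_patched"] > PATCH_SLA:
        failures.append("patch_sla")
    return failures


def access_decision(device, today):
    """Block unmanaged devices outright; managed but non-compliant devices are
    allowed only into a remediation state; fully compliant devices are allowed."""
    failures = failed_requirements(device, today)
    if "mdm_enrollment" in failures:
        return "block"
    return "remediate" if failures else "allow"


def dashboard(devices, today):
    """Summarise fleet compliance the way a dashboard tile would show it."""
    results = {d["device_id"]: failed_requirements(d, today) for d in devices}
    compliant = [dev for dev, fails in results.items() if not fails]
    blocked = [d["device_id"] for d in devices if access_decision(d, today) == "block"]
    return {
        "total": len(devices),
        "compliant": len(compliant),
        "compliance_pct": round(100.0 * len(compliant) / len(devices), 1),
        "blocked": blocked,
        "failures": {dev: fails for dev, fails in results.items() if fails},
    }


if __name__ == "__main__":
    summary = dashboard(DEVICES, TODAY)
    print(f"{summary['compliant']}/{summary['total']} compliant "
          f"({summary['compliance_pct']}%), blocked: {summary['blocked']}")
    for dev, fails in summary["failures"].items():
        print(f"  {dev}: {', '.join(fails)}")
```

The distinction between "block" and "remediate" is deliberate: an unenrolled device cannot be trusted to report its own state, so it is denied outright, whereas a managed device that is merely behind on patches can be given a short remediation window without losing visibility of it.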