SECURITY POLICY
Confidential Focal3 Software Pvt Ltd
F3_Doc_006 VER4.0


Background

Focal3 and its Customers provide Focal3 Agents with Confidential and Proprietary information (collectively, “Information”). It is very important that all of this Information be handled with great care to prevent the inadvertent or intentional disclosure to anyone other than an authorized party. For both its own and its Customers’ benefit, Focal3 is committed to protecting the security and confidentiality of all Information. To that end, this policy addresses the necessary and appropriate procedures for maintaining data security and confidentiality.

Scope

This policy governs the procedures followed by all business units of the company that encounter Confidential and Proprietary Information. Together with Focal3’s Employee Handbook and related Human Resources documents, these establish all of the guidelines for the use and protection of this Information.

Definitions

The following terms used within this Policy are defined as follows:

Active Use: The actual or planned use of Information within a one-year period.

Agent: Any full- or part-time employee, temporary or contracted employee, consultant, vendor, volunteer, director or other person who is provided access by Focal3 or a Customer to Information, whether or not in exchange for wages, salary or other remuneration.

Authorized Use: A situation in which either Focal3 or a Customer has granted specific permission to use Information for a particular purpose.

Blinding: The process whereby Information is shielded from identification by removing any direct and indirect identifying information which would allow a third party to directly observe or indirectly reconstruct the identity of a party to the Information.
Classification Level: Information is classified into one of three distinct levels as defined in the table below. The Classification Level determines the particular rules that govern the use, transmission, storage and disposal of the Information. By contrast, unclassified information (e.g., press releases, company address and phone) is fit for public consumption and has no rules for handling or protection, outside of appropriate business protocol.

Classification Level / Representative Examples (1)

Level I - Information that necessitates the most limited handling, is provided to individuals on a Need to Know basis only, and which, when discarded, must be shredded or otherwise destroyed in a manner that eliminates the practical ability to reconstruct that information from its component parts.
  Representative examples: Peer review data; System passwords; Confidential human resource information.

Level II - Information that necessitates specific handling and that is provided to individuals on a Need to Know basis only, but which may be disposed of discreetly in a non-Public trash can.
  Representative examples: Blinded Customer data; Business plans and relationships; Proprietary analytic methods; Blinded Customer case studies or analyses.

Level III - Information that is generally available to Focal3 Agents, but which is provided only on limited terms to non-Agents.
  Representative examples: Sales presentation materials; Marketing Materials.

(1) These examples are illustrative only and are specifically NOT meant to be all-inclusive.

Company Confidential and Proprietary Information: Company Information includes, but is not limited to: analytic methods, software source code, research and software development methods, business plans and strategies, non-Public financial information and non-Public Human Resources information. In general, any information that is protected by regulation or law, that is deemed by Focal3 to be a proprietary component of one or more of its business units, that is not made publicly available by Focal3 and which Focal3 attempts to keep confidential in the routine course of its business is Information.

Inactive: The lack of actual or planned use of Information within a one-year period.

Information: Collectively, Confidential and/or Proprietary Information of either Focal3, a Customer or an Agent of either party.

Need to Know: Need to know is defined as the requirement, as a part of a direct job function, for an Agent to have access to the particular Information under consideration.

Public areas: Public areas consist of all areas outside of Focal3 and, within Focal3, those areas with high visitor traffic, namely lobbies, waiting areas, kitchens and any other Company areas specifically designated by the Executive Council as Public.

Security Officer: The Director of Technical Services, who will provide implementation and overall security monitoring for Focal3.

Systems Administrator: An Agent with access to and responsibility for computer systems administration and maintenance. A Systems Administrator is distinguished from other Agents by the need to have widespread access to secure systems and materials as a routine part of his or her job. For the purposes of this Policy, Database Administrators are considered to be System Administrators.

Policy

It is Focal3’s policy to both explicitly and implicitly protect Confidential and Proprietary Information (collectively, “Information”) from unauthorized access, use, dissemination, or disclosure.

Procedures

General Principles

It is impossible to define every possible interaction between Agents and Information. Therefore, the following general principles should govern all Agent interactions with Information unless specific procedures exist to the contrary:

  • Obtain proper authorization from a Manager before accepting any Information;
  • When possible, avoid access to or possession of Information unless specifically required for the task;
  • Always keep Information for the shortest possible time required for the specific task at hand and then properly destroy or store that Information in accordance with the handling requirements;
  • Presume that others do not have proper authorization or the Need to Know unless proven otherwise;
  • Information may not be discussed in Public areas and may never be given to any party without proper Authorization for use;
  • When possible and reasonable, downgrade the Information to the lowest possible Classification Level consistent with your required task (e.g., by Blinding);
  • When Information of different Classification Levels is commingled, the entire Information bundle assumes the Classification Level of the highest individual component;
  • Information maintained for any purpose must be protected from accidental disclosure in accordance with the Information handling requirements;
  • Information may be removed from Company premises only for authorized business purposes and must be treated in the same manner as on-site data; by definition, family members do not have a Need to Know;
  • When it is not known whether or not information is Proprietary and Confidential, it should be presumed to be so until proven otherwise.

Information handling requirements by Classification Level

  • Confidential and Proprietary Information has specific handling requirements defined by its Classification Level as specified in the table below:

Level I
  Locations: Active Use within Focal3: personal desk area when not immediately visible to unauthorized persons, or in a closed room; Active Use outside of Focal3: only if required and concealed during transit; all Information must remain in direct, personal possession at all times; Inactive: destroyed or maintained in a locked storage area.
  Mediums: Electronic transport: password protected, marked “Confidential”; encrypted and blinded unless it is impractical or dysfunctional to do so; Hard copy: always marked “Confidential”; blinded when possible; use of common area printers discouraged -- must retrieve printing as soon as possible; Mail: item tracking required; Fax: discouraged strongly; when required, must have a confirmed, Authorized User waiting on the opposite end; Verbal: allowed via standard telephone or in proper locations; White Boards: must be erased when not in use.

Level II
  Locations: Active Use within Focal3: personal desk area or in a closed room; Active Use outside of Focal3: only if specifically authorized and concealed during transit; all Information must remain in direct, personal possession at all times; Inactive: discarded in a non-Public trash can or maintained in a non-visible area.
  Mediums: Same as Level I.

Level III
  Locations: Same as Level II.
  Mediums: Electronic: encrypted or password protected when possible; Hard copy: concealed; Mail: regular U.S. mail allowed; Fax: allowed without standby; Phone: allowed via standard telephone or in proper locations; White Board: erase as appropriate.

Assignment of Classification Levels

  • Classification Levels will be applied to Information, but may also be assigned to persons, locations or other things.
  • Assignments may be permanent or applicable only for a specific period of time.
  • Recommendations for Assignments will be made by each Manager related to the Information within his or her span of control. All such recommendations must be reviewed and approved by the Executive Council. Executive Council approvals will be forwarded to the Security Officer, who will maintain and regularly update the master Assignment list.

Agent Responsibility

  • Each Agent must adhere to this policy.
  • As managers, custodians or users of data, each Agent is responsible for helping to ensure that all Information is protected and for complying with all established security standards, practices and procedures.
  • Agents must maintain the security of all passwords that permit access to Information, including but not limited to Focal3 products. Passwords may not be shared with coworkers or anyone else under any circumstances without the prior written approval of the Security Officer, except when required for troubleshooting in specific cases, such as by System Administrators. In such an instance, users are required to change their passwords upon resolution of the problem.
  • Each Agent must log out of any systems containing Information when they will be away from their computer terminal at the end of each workday.
  • Each Agent must immediately report any actual or potential breaches in this policy, whether prospective or retrospective, to their Manager, who will bring that knowledge to the manager of the agent in question and the Security Officer.
  • Each Agent must read, sign and abide by the Confidentiality, Proprietary Information and Assignment of Rights Agreement and the Data Security and Data Confidentiality Policy.

Agent education

  • The Security Officer, in conjunction with the CDF Impact Team and Corporate Services, shall be responsible for ensuring that a centralized system is in place to educate staff on data security and confidentiality issues. This education shall occur both during each Agent’s initial company orientation and through periodic updates.
  • Managers shall be responsible for educating and reminding their staff about security and confidentiality issues so that each Agent is aware of and understands their responsibility for maintaining the security of Information. This may occur during departmental orientation and/or departmental staff meetings.

Release of Confidential and Proprietary Information to an outside party

  • Except as specifically provided for under handling requirements, Information may only be released outside of Focal3 or the particular Customer in question with the prior written Manager approval. The Security Officer may approve release of Proprietary Information only under the circumstances wherein Focal3 is compelled to disclose by a legal or administrative entity with competent jurisdiction over the party, or when advance written approval has been obtained from the Customer or a Focal3 Officer.

Original Customer data protection

  • Any data package received from a Focal3 Customer must be logged in the Data Tracking Log by the receiving party or by the receptionist at the receiving party’s request. Logging must include: date of receipt, entity received from, sending person and shipping company. The logging party must then notify the Director of Information Management or his or her designee of the package’s arrival, who will open the package and confirm its content. The receiving Information Specialist must record his or her name, the media type, the number of pieces, and a description or nature of data into the Data Tracking Log.
  • Data is loaded into a secure on-line storage area by a Systems Administrator or Information Specialist, and all original data copies shall be labeled and stored in a locked location by an Information Specialist or his or her designee.

Data backup files

  • All disaster recovery and archival backup tapes shall be stored in locked compartments accessed only by Focal3 Systems Administrators, the Security Officer or other specifically authorized parties.

System security

  • Focal3 uses a variety of security systems to protect its information systems from unauthorized access by outside sources over the Internet, locally or via other networks. Focal3 uses these multi-tiered defenses to address the different kinds of security risks as detailed in Attachment 6.9.1 - “Multi-layered Internet security risks and defenses.”

  • No Agent may disable or alter Company security systems at any time without the prior written approval of the Security Officer.
  • No Agent shall describe any of Focal3’s security systems to any person or entity outside of Focal3, whether in verbal, written or other form, without the expressed written permission of the Security Officer. When so authorized, Agents must adhere to the Company’s security systems description.

Establishing Information Access

  • Access to Information may be established only after an individual has completed training on the proper handling of Confidential and Proprietary Information and signed the required statements outlined in Section 6.4.
  • Technical Services establishes the electronic system access granted by the Executive Council for all electronic systems other than Oracle databases.
  • Information Management establishes the electronic system access granted by the Executive Council for Oracle databases.
  • Access to electronic systems is controlled by user names, which are authenticated by passwords.
  • Wherever technically possible, passwords must age and expire every 180 days, although they should be changed more frequently if there are any concerns related to password confidentiality. On systems without automatic password aging, Agents are responsible for manually changing passwords every 180 days.
  • Reports generated from Focal3 products are recorded by login ID, date and time whenever technically possible. Reports of user usage, which must be maintained for at least six months, are available to authorized Focal3 staff.
  • In situations where there are technical limitations, a Systems Administrator may assign common passwords to specific accounts with approval of the Security Officer.
  • Access to Focal3’s Unix servers (e.g., via unencrypted protocols such as Telnet, ftp, X-windows etc.) from locations other than the corporate office is controlled via a one-time password system.

Contingencies

Data that might otherwise be construed as Information shall be considered Public, if and only if:

  • The relevant information is generated from any public source. Although the use, disclosure, dissemination or disposal of this information need not adhere to the procedures outlined in this policy, general common sense and Customer sensitivities should be observed.
  • The relevant information that would otherwise be considered Confidential and Proprietary becomes known to Focal3 either publicly (through no fault of Focal3) or is learned by Focal3 from a third party that is entitled to disclose that information to Focal3.

Any other contingencies must be approved in writing by the Executive Council.

Compliance and Enforcement

Reporting

An Agent must immediately report any actual or potential breaches in this policy, whether prospective or retrospective, to a member of the Business Policy Council, who will bring that knowledge directly to the manager of the agent in question and the Security Officer.

Investigation of a breach or potential breach of this policy

Upon notification of a breach or potential breach of this policy, the manager of the agent in question and the Security Officer will investigate the breach, propose an equitable penalty level and submit the penalty recommendation to the Executive Council; the identity of the agent will be kept anonymous unless it is deemed a significant breach. The Executive Council will supervise the case-by-case evaluation of the facts involved for each matter. The Executive Council will make the final determination as to whether a breach did or did not occur, and approve any recommendation for disciplinary action prior to such action being taken.

Penalty determination for a determined breach

The following principles will guide the determination of the penalty level:

a) the higher the Classification Level associated with a breach, the worse the penalty;
b) the more intentional the violation, the worse the penalty;
c) the more repetitive the violation, the worse the penalty;
d) the more consequential the effects of the violation, the worse the penalty.

Penalties for violations include, but are not limited to: a warning, suspension, termination and civil or criminal legal penalties. All determined breaches of this policy shall ultimately be reported by the Executive Council to the Chief Financial Officer, who is responsible for the Human Resources department. He or she will ensure that the application of any penalties associated with this policy is uniform and consistent with the Company’s Human Resources policies and procedures.

Multi-layered Internet Security Risks and Defenses

  • A. Risk: Internal misbehavior. Defense: Ethics, Education, Policy, Audits & Sanctions.
  • B. Risk: Criminal Attacks -- Con-artists. Defense: Education, Awareness, Policy, Audits (KSA).
  • C. Risk: Terminated Employees. Defense: Policy, Education, Closure of accounts, changing passwords.
  • D. Risk: Technical Cracking via Network Services. Defense: Firewall with packet filters, proxy and application servers, attack simulators (SATAN) and attack detectors (Big Brother).
  • E. Risk: Technical Cracking via Operating System holes. Defense: C2 security (hard passwords, password aging, access control and auditing), configuration auditing (COPS), and patch vigilance.
  • F. Risk: Technical Cracking via Sniffing Network for Passwords and/or Data. Defense: Netscape Enterprise Server with HTTPS to fully encrypt all communications, hard passwords and access logs.

Physical Safeguard

The physical safeguards are a series of requirements meant to protect a Covered Entity’s electronic information systems from unauthorized physical access. Covered Entities must limit physical access while permitting properly authorized access. The specific standards are:

Facility access controls: An overall requirement to implement policies, procedures and processes that limit physical access to electronic information systems while ensuring that properly authorized access is allowed.

Workstation use: Policies and procedures must be developed and implemented that specify appropriate use of workstations and the characteristics of the physical environment of workstations.

Workstation security: Covered Entities must implement physical safeguards for all workstations that can access data in order to limit access to only authorized users.

Device/media controls: Policies, procedures, and processes must be developed and implemented for the receipt and removal of hardware and electronic media into and out of a Covered Entity, and the movement of those items within a Covered Entity.

Physical Security: Addressed by 24 X 7 security personnel, visitor’s log monitoring, swipe card access to the main building and a second swipe card access to the development center, only for authorized personnel.


High Level Network Architecture
