
Ensuring confidentiality of client information is a cause for concern for most organizations looking to offshore services.
JIVA’s guiding philosophy is to ensure that customer data and interactions are Integral, Confidential and Available only to the rightful users at the right time. We achieve this through sustained Operational Processes and a secure Technical Architecture.

JIVA’s Security Mission Statement
We at JIVA will strive to:
- Maintain Confidentiality of Information
- Maintain Integrity of Information
- Assure Availability of Information as per our Access Policy
- Abide by Regulatory and Legislative Requirements
- Create Awareness about Information Security Among all Employees

Our Proactive Approach
The Information Security Officer reports to the President and is independent of the IT Operations team. Key initiatives by our Security Team include:
- Monthly audits to prevent any breach of security and to identify and close out all gaps found in security operations
- Security sign-off for every change initiated in the system and network, for long-term security measures
- Planned responses to security incidents of various severity levels through 24x7 NOC Managed Security Services
- Strong controls deployed across the organization to allow user access only to required information and restrict access to all other information, by implementing auto screen locking, strong password policies, etc.

This section details JIVA’s Security Model based on the following aspects:
1. JIVA Security Framework
2. Key Aspects of JIVA Security
3. New Client Security Measures

JIVA Security Framework
JIVA’s Security Framework encompasses the Information Security Management System standard (see diagram). Key highlights of the same are as follows:
- Written policies, resulting in well-documented security protection policies applied to networks, hardware, servers, applications and users
- Clarity on what needs to be protected and to what extent (degree of assurance is defined)
- Adequate and structured approach to risk assessment
- Clarity on threats and organizational vulnerabilities
- Develop and review the Security Policy Plan
- Implement and audit the same on an ongoing basis

JIVA Security Fact Sheet
- Each client’s physical, network and application infrastructure is segregated and dedicated
- Dedicated subnets, CRM, Ticketing systems and process-specific applications and servers are on separate client Virtual LANs (VLANs) for complete segregation of the entire data communication
- Client data and users (such as knowledge bases and internal documents) are segregated through Windows Domain Organizational Units (OU) and Group Policy based LAN authentication
- Entire perimeter is secured through industry-standard Firewalls and access lists on Routers
- Log alerting and analysis are carried out on all critical system equipment
- All core and edge routers are configured for security checks, with filters used to protect and allow only predefined services
- Individual Physical Access is controlled through access card controls
- We have had zero virus infection incidents to date as a result of multi-vendor, three-tier Antivirus Filters at the Gateway-Mail, Server and Client locations

Key Aspects of JIVA Security
- Multi Layered Approach
- Process Orientation to Security Management
- Regular Updating to Systems
- Independent and Continuous Audit
- 24x7 Equipment Monitoring
- Well-defined Access Control
- Effective Segregation of Projects

Multi Layered Approach
This involves access control and security measures at all levels: physical, system, network devices and servers. Our anti-virus update and monitoring process is completely automated, operating within a maximum 60-minute window for any new antivirus update from the Provider to reach all the systems and workstations. All personnel go through background checks and sign a confidentiality and non-disclosure agreement when joining JIVA.

Process Orientation to Security Management
Some of the processes implemented by the JIVA Security Team include:
- Change Management: System Change Control
- Vulnerability Analysis and fixing of each vulnerability found
- Patch Management and application of hot fixes
- Incident Response Procedures
- Desktop and Server Security Policies deployed
- Security Policies deployed for Network Devices such as Routers, Switches, Firewalls, etc.
- Anti-Virus Central Management Policy implemented across three tiers: workstations, servers and at the gateway
- Log Monitoring carried out on a daily basis and regular auditing methods identified for the same
- Application Security implemented using controlled authentication and authorization with privileges
- Password Policy and Management implemented across multiple OSes, Applications and Network equipment
- Clear desk and clean desk policies for all workstations

Regular Up-gradation to Systems
We utilize MS-SUS Software Update Server to automatically update multiple Workstations and Servers as and when new patches and fixes are released. Maintaining the most recent system patch for all devices and systems, post testing, is one of the key deliverables for our Technology Team.

Independent and Continuous Audit
JIVA Security & Risk and Compliance teams carry out regular, well-planned monthly audits. They also track to closure any gaps found within the operations and technology teams.

24x7 Equipment Monitoring
A continuous, automated, script-based alert mechanism covers critical events on critical systems. We utilize 24x7 NOC services and daily log review to prevent the occurrence of critical incidents.

Well-defined Access Control
Need-to-use basis and business purpose determine the levels of user access to our systems and devices. Access within project subnets and VLANs is restricted and controlled to specified users, and access to specified sub-networks and workstations is restricted. This is decided strictly on the basis of predefined policies and client authorizations for business needs.

Effective Segregation of Projects
Dedicated VLANs and Subnets are created for isolating client projects. Further restriction is imposed based on the role of the user involved. This is done using Domain-level and Network-level Architecture.

Typical New Client Security Measures
How do we segregate and provide security to a new client?
Our approach to onboarding a new client typically involves the following measures (but is not limited to these):
- Physical Segregation of the client resources
- User ID control for the client project
- Retention period and deletion of the client records
- Restricted access to email, web resources, etc.
- Restricted access and controls at Desktop and Network levels
- Separate Unit within the domain and customized Windows group policy restrictions for the users serving the client
- Subnet and VLAN based segregation in the network
- Access control levels and privileges based on project timings for the day and the project role assigned
- Secure and audited Rule base at Firewall and L3 switches
- Well-defined Access and routing lists at routers and LAN switches
- Site-to-Site VPN, SSL encryption, etc. to the client locations