Updated by Admin on 2nd December 2025
Purpose
This Policy has been developed to align with the Information Security Policy of Apptimus Tech Private Limited (hereafter referred to as “APPTIMUS” or “company”). APPTIMUS is dedicated to safeguarding its stakeholders and information against any illegal or damaging actions, whether intentional or unintentional, by individuals (hereafter referred to as “users”).
The systems, including those owned or leased by APPTIMUS, as well as those for which APPTIMUS has usage rights, encompassing information assets, software, operating systems, and storage media are considered the property of APPTIMUS. These systems, which provide electronic mail, web browsing, and data and information services, are to be utilized exclusively for business purposes, serving the interests of the company, its clients, customers, and stakeholders during regular operations.
Effective security is a collective endeavor requiring the active participation and support of all users and affiliates who engage with the company's information systems. All users are responsible for familiarizing themselves with these guidelines and ensuring their activities comply with them.
Scope
This policy applies to all employees and third-party users who access, use, or interact with the information systems, networks, devices, and other resources provided by APPTIMUS.
The policy governs the use of both company-owned and client-provided information assets and resources to ensure compliance with applicable laws, regulations, and industry standards.
Incident Reporting
An information security incident is any event that threatens the confidentiality, integrity, or availability of information or information systems. Examples include, but are not limited to:
- Unauthorized access to data or systems;
- Data breaches or leaks;
- Loss or theft of company devices or data;
- Malware or ransomware attacks; and
- Phishing attempts.
All users are required to report any suspected information security incidents immediately upon discovery.
Incidents must be reported to the IS Officer using the designated reporting channels.
All incident reports will be treated as confidential. APPTIMUS will take appropriate steps to protect the identity of the user reporting the incident.
Users bear the responsibility of promptly reporting any suspicious events affecting APPTIMUS’s information security, and any instances of potential misuse or violation of this policy, to their respective unit head and the IS Officer.
Information And Resources Usage
All APPTIMUS Equipment and Information Resources shall be utilized solely to conduct the company’s business, except in instances explicitly specified herein.
Users are accountable for the proper use, handling, and dissemination of all data and relevant information in accordance with the Acceptable Usage Policy, as well as other applicable organizational directives. This includes, but is not limited to, adherence to the following:
- Users with access to company data are responsible for adhering to all company policies, standards, and procedures.
- Users are required to maintain the confidentiality of all technical and business information about APPTIMUS and all customer information.
- Users are required to remain fully cognizant of all information produced or processed using APPTIMUS's information assets and resources. APPTIMUS does not accept liability for any harmful, erroneous, or damaging content arising from the dissemination of such information and explicitly disclaims responsibility for any associated consequences.
- APPTIMUS does not guarantee the confidentiality, integrity, or availability of any non-business data stored on information assets and resources. Therefore, the storage or transfer of personal data on company workstations is discouraged.
- However, APPTIMUS will assume responsibility for any personal data collected by the organization. For instance, if such data is disclosed to the public by another internal employee or a third-party supplier, management will initiate the necessary legal and disciplinary actions against the responsible parties.
- Users are responsible for exercising sound judgment in determining the appropriateness of personal use of company resources. In cases of uncertainty, users should seek guidance from their immediate supervisor or the IS Officer.
For security and maintenance purposes, the IT Administrator or its authorized personnel may monitor any or all traffic passing through the company’s information assets and resources.
APPTIMUS reserves the right to periodically audit and verify all information assets and resources to ensure compliance with this policy.
Users are expected to remain vigilant and avoid becoming victims of social engineering, corporate espionage, and competitive intelligence gathering through electronic media.
Periodically, APPTIMUS will conduct information security awareness and training sessions. All users are required to participate in such training when invited.
When requesting system access, users are expected to adhere to the access control process established by the IT Administrator or respective asset owners.
Unacceptable Usage of Information
Users are strictly prohibited from engaging in or facilitating any activity that violates the APPTIMUS Acceptable Usage Policy or is deemed illegal under any applicable law while utilizing information assets and resources.
Violations of rights protected by copyrights, trade secrets, patents, or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by APPTIMUS, are strictly prohibited.
Users are prohibited from disabling the virus guard installed on their workstations unless the IS Officer has given explicit approval.
Revealing login credentials to others, permitting others to use workstations (and accounts), or utilizing another person’s workstation (and account) is strictly prohibited (refer to Password Usage Guidelines for additional information).
Users must refrain from engaging in activities that may intentionally harass, threaten, or abuse others; degrade the performance of information assets and resources; block authorized users' access to an information resource; obtain additional resources beyond those allocated; or circumvent APPTIMUS Information Security policies.
Users are strictly prohibited from utilizing information assets and resources for personal gain, including but not limited to advertising, promotions, commercial activities, or any related endeavors on behalf of individuals, groups, or external organizations.
Users are not permitted to connect personal devices to the corporate network without obtaining approval from the IS Officer.
Users are prohibited from storing any information (e.g., files received through e-mails) on their personal devices unless the IS Officer grants prior approval.
Accessing, storing, or distributing obscene content unrelated to organizational activities on company equipment or utilizing information assets and resources for such purposes is strictly prohibited. Any attempt to obscure or conceal these prohibited contents by renaming, compressing, encrypting, or embedding them in other file formats, or using any other means, is also strictly forbidden.
Users are strictly prohibited from writing, generating, compiling, copying, collecting, propagating, executing, or attempting to introduce any code designed to perform malicious activities, self-replicate, damage, or otherwise compromise the performance or security of information systems and networks.
Users are prohibited from connecting external storage media (e.g., external hard disk) to company-provided workstations and mobile devices.
The alteration of operating system security settings, including network and registry values, must be conducted exclusively by the IT Administrator. Users are required to contact the IT Administrator to implement any necessary network and system changes.
Electronic Mail (E-Mail) Usage
E-mail services must only be used for business-related purposes.
The composition and structure of email messages should be approached with care, ensuring they do not contain inappropriate materials.
Email users should exercise caution when making commitments to external parties, such as suppliers, regulators, customers, etc.
Users should exercise awareness regarding email messages exchanged with external parties, as they may carry unintended implications and could inadvertently contravene the laws of certain countries.
Information exchanged via email carries the risk of interception or accidental exposure. Hence, exercise caution when transmitting confidential or sensitive information. In rare instances, email may not be suitable for transmitting confidential material. In such instances, users are advised to contact the IT Administrator to inquire about secure methods of transmission via email.
Users are prohibited from using email in a manner that is disruptive, harmful, or offensive to others. This includes accessing, displaying, or transmitting politically sensitive material or obscene content, such as pornographic or abusive material, and using ethnic slurs or engaging in any activity that may be construed as harassment or disparagement of others.
Users are strictly prohibited from misrepresenting themselves as another user or attempting to modify or gain access to email messages, mailboxes, or archive files that do not belong to them.
Users are advised against subscribing to public mailing lists using company email addresses unless it is for official purposes. Should a user subscribe to such mailing lists, it is the sole responsibility of the user to unsubscribe.
Users shall not under any circumstances use their personal e-mail accounts to conduct business-related activities.
The forwarding of chain emails, junk mail, jokes, politically sensitive material, non-business executable files, non-business-related slideshows, videos, images, music files, and any other unsolicited emails or materials deemed a threat to APPTIMUS’s systems and reputation is strictly forbidden.
To facilitate legitimate management functions, APPTIMUS reserves the right to monitor, intercept, and review, as necessary, any email message transmitted on email systems under the control of APPTIMUS. The IT Administrator may inspect emails with the consent of the IS Officer when necessary.
The originator of an email will bear full responsibility for its content and will face consequences for violating these rules or any applicable laws.
APPTIMUS may collaborate with legal authorities and/or third parties to investigate any suspected or alleged crime or civil wrong and may provide information, including the contents of emails when required by law.
If an email or an attachment appears suspicious, users should refrain from responding to the message and promptly notify the IS Officer.
Internet Usage
While users can download content from the Internet, they should limit the downloading of applications not pertinent to business functions (i.e., personal applications and music audio/video) to ensure seamless Internet usage for business purposes.
Users are prohibited from using the Internet in a manner that is disruptive, harmful, or offensive to others. This includes accessing, displaying, transmitting, or downloading politically sensitive material or obscene content, as well as using ethnic slurs or engaging in any activity that may be construed as harassment or disparagement of others.
Users are prohibited from using the Internet to make offers to sell or buy products, items, or services from fraudulent websites, or to promote any financial scam, such as "pyramid schemes," "Ponzi schemes," or unregistered sales of securities.
Users must exercise caution to avoid violating laws, copyright laws, intellectual property rights, licensing agreements relating to material obtained from the Internet, and any other applicable laws.
All internet sites accessed through the company networks will be recorded. The information recorded by the monitoring system includes the username, source IP address, destination address, date and time, applications, and service.
The IT Administrator will restrict access to specific internet websites and protocols deemed unsuitable for APPTIMUS's corporate environment.
Users may access blocked sites or services with permission if deemed appropriate and necessary for business-related purposes.
Mobile Device Usage and Guidelines
All company-provided mobile devices, including laptops, smartphones, mobile tablets, and other portable devices, as well as their contents, remain the property of APPTIMUS and are subject to audit and monitoring.
APPTIMUS reserves the right to withhold, remove, or assume control of the mobile device from the user in the event of misuse or violation of company policies.
Users are required to acknowledge that such devices contain company data and must take appropriate measures to safeguard them against loss or theft. If a mobile device is lost or stolen, the user must promptly notify the IT Administrator.
Users are not authorized to modify any device security settings. If there is a business justification for such changes, users may contact the IT Administrator to request the necessary modifications to the device.
All mobile devices should be returned to the IT Administrator for repairs, replacement, disposal, or exchange. Users are not permitted to hand over the device directly to a vendor or any third party for any purpose without prior approval from the IT Administrator.
Users should ensure that data on the mobile device is regularly backed up. Backups of confidential data should be stored only in a secure location (refer to the Data Backup Section).
Users are strictly prohibited from using mobile devices in a manner that is disruptive, harmful, or offensive to others and/or in any way that violates local or applicable international laws.
Company-provided mobile devices should not be altered or augmented in any way.
Company-provided mobile devices are designated for official use only. Users are strictly prohibited from allowing these devices to be used by any other party.
It is the sole responsibility of the user to ensure the proper care of the allocated mobile devices.
Password Usage Guidelines
Users are reminded of their responsibility for all events occurring under their login accounts. Therefore, users must always maintain the confidentiality of their passwords.
Users are strictly prohibited from giving, sharing, or hinting at their passwords to anyone, including IT Administrator staff, HR staff, supervisors, coworkers, friends, law enforcement, or family members, under any circumstances. However, in cases where shared accounts are explicitly approved, only authorized individuals may access the account, following the appropriate controls. If a password is requested, the individual should be referred to this policy or directed to contact the IS Officer. In exceptional cases, law enforcement may be granted access only if authorized by APPTIMUS management.
It is recommended to refrain from using the "remember password" feature of applications, including internet browsers, email programs, or any other program.
Users must utilize multi-factor authentication (MFA) for all system access where it is supported.
If a user either knows or suspects that their password has been compromised, it is imperative to report it to the IT Administrator immediately and change the password without delay.
Users are strictly prohibited from recording their passwords on sticky notes, books, or any other printed materials. Additionally, passwords must not be stored in plain text format.
The specific parameters defining the approved password policy currently followed by APPTIMUS can be referenced in the Password Management Procedure.
Social Media Guidelines
Users are required to follow the guidelines below when using social media (e.g., Facebook, LinkedIn, Instagram, etc.) where references to the company are made:
When APPTIMUS communicates publicly and officially, whether to the marketplace or the public, it employs established channels. Only authorized personnel are permitted to post content and participate in discussions via company social media accounts.
The Code of Conduct and all APPTIMUS policies on external communications, professional conduct, and the use of information systems and equipment apply equally to social media. Three key areas to familiarize oneself with when tagging APPTIMUS on social media are:
- Confidentiality: Refrain from mentioning or discussing confidential, proprietary, or non-public information regarding business, HR, financial, or customer information on social media platforms.
- Personally Identifiable Information (PII): Respect the privacy of others and refrain from posting PII about individuals, in accordance with applicable laws and regulations, such as those governing privacy and data protection.
- Discrimination, harassment, and defamation: Avoid posting any content that is discriminatory, defamatory, harassing, offensive, derogatory, sexually suggestive, racist, threatening, indecent, or in violation of applicable law, regulation, or policy on social media platforms.
In general, copying any materials (including from the Internet) that are not one's own (e.g., photos, music, videos, text, etc.) to company devices without the copyright owner's consent is prohibited. If consent is obtained, always reference the source of the content if it is not one's own.
Users are prohibited from impersonating anyone or misrepresenting (expressly or by omission) their identity, affiliation, or status through social media accounts.
Data Backup
Users must ensure that all critical files and business data are stored exclusively on designated cloud services that have been approved by the IT Administrator.
Users must regularly review and organize their files to ensure the removal of unnecessary or outdated data, thereby maintaining the efficient use of backup resources.
Users must adhere to established backup retention requirements, ensuring that data is retained in accordance with organizational requirements and that no sensitive information is lost or misplaced.
Users must handle sensitive or confidential data securely, ensuring it is stored in approved locations where regular backups occur and encryption is applied as required.
Users must familiarize themselves with disaster recovery procedures and understand how to access and recover critical data in the event of an IT system outage or data loss.
Work From Home
APPTIMUS permits users to Work from Home (WFH) under specific conditions to ensure information security is upheld. Users are required to comply with the following guidelines:
- Users must obtain proper authorization from designated authorities to engage in WFH activities.
- Storing APPTIMUS-related information on personal devices is strictly prohibited.
- Users must ensure the physical security of APPTIMUS-issued devices at all times during WFH.
- Users should be mindful of their surroundings when working remotely to prevent unauthorized individuals from viewing or overhearing confidential information.
Clear Desk and Clear Screen
Documents containing sensitive information must be securely stored in locked drawers or cabinets when not in use.
Any notes or papers that are no longer needed should be disposed of using the company's approved method for shredding confidential documents.
Users are required to "lock" their workstations when leaving them temporarily. Furthermore, users must log out and power off their workstations when leaving for the day, unless instructed otherwise by the IT Administrator.
Passwords should not be written down or stored in clearly visible or accessible places.
Users must ensure that confidential information is not left unattended on printers, fax machines, or copiers.