ISMS Policy Statement
Management Policy
[Team 4 – Federal Bank]
Submitted By
Aswath.A.C- CB.BU.P2MBA19032
Dharunanand.R- CB.BU.P2MBA19049
Dinesh Kalro- CB.BU.P2MBA19050
Jeevarathinam B- CB.BU.P2MBA19065
Marcus Raja R- CB.BU.P2MBA19089
Pavithra.S- CB.BU.P2MBA19107
Ranjeeta R Iyer- CB.BU.P2MBA19125
The Bank’s information systems and the business information therein are assets
of strategic and commercial value. They are fundamental to efficient
business continuity. Federal Bank Ltd shall implement controls to ensure the
confidentiality, integrity and availability of the information and information
processing assets of our customers and our Bank by deploying appropriate
people, technology and processes.
This Policy has been approved by CEO, Federal Bank and is subject to periodic changes and will be
posted on our website. All suggestions are welcomed on this policy and can be mailed to
[email protected]
Information is an important business asset of significant value to the company and needs to
be protected from threats that could potentially disrupt business continuity. This policy has
been written to provide a mechanism to establish procedures to protect against security
threats and minimise the impact of security incidents.
The purpose of this Policy is to protect the company’s information assets from all threats,
whether internal or external, deliberate or accidental.
The Policy Scope covers Physical Security and encompasses all forms of Information
Security such as data stored on computers, transmitted across networks, printed or written
on paper, stored on tapes and diskettes or spoken in conversation or over the telephone.
All managers are directly responsible for implementing the Policy within their business
areas, and for adherence by their staff.
It is the responsibility of each employee to adhere to the policy. Disciplinary processes will be
applicable in those instances where staff fail to abide by this security policy.
All breaches of information security, actual or suspected, are reported and investigated by
the Security Policy Review Team.
Signed: __________________________________________________________________
Safeguarding customer privacy, and ensuring security of data across its operations, lines of business and
supply chain, is a key focus area for Airtel. This is not just to ensure legal and regulatory compliance, but
to reinforce the trust that our customers and other stakeholders have placed in us. To ensure that the
privacy of information is maintained during the entire information lifecycle, we have implemented
robust internal systems and checks. This is encapsulated in the comprehensive Bharti Airtel Information
Privacy Policy, which contains management direction and guidelines to ensure privacy of personal
information collected by Airtel so that information is handled in accordance with the appropriate laws,
regulations and contractual obligations.
The Policy is owned by the Chief Information Security Officer and approved by the Airtel Management
Board, and is embedded in the risk/compliance management system at Airtel. It is applicable to all
employees of Airtel and third parties including suppliers, who have access to information of customers,
employees and vendors. We have identified different stakeholders and assigned accountability for
relevant clauses of the Policy that fall within their area of responsibility. We are certified against global
standards such as ISO27001 and ISO22301, and have adopted the NASSCOM-DSCI Privacy Framework
(DPF) to protect the privacy of personal information from unauthorized use, disclosure, modification, or
misuse, which allows us to identify critical customer information and ensure adequate measures to
safeguard it. To ensure compliance with the Policy, we conduct periodic internal and external audits of
various functions.
Information moving within and across the boundaries of our organization is effectively monitored in
real-time for any breach in company policy. Any non-compliance is immediately escalated and
investigated. The Circle Information Security Council (CISC) recommends disciplinary actions against
employees, partners or third parties involved in privacy breaches. Having zero tolerance towards the
breach, strict actions, like separation from services and/or police complaints, are initiated against the
individuals. Non-compliance of any third party with the privacy practices followed at Airtel is ground for
disciplinary actions up to and including termination of the contract. As per the policy, the third party is
required to establish a procedure to ensure that the associates are made aware of their personal liability
of personal information and that any deviation to the policy may lead to the associate’s services being
discontinued/ terminated.
Airtel has also established an efficient Fraud Management Program driven by revenue assurance and
fraud management experts, which makes use of highly sophisticated and evolved tools and processes to
detect and prevent the occurrence of fraud. Airtel associates with Law Enforcement Agencies (LEA) to
support investigations by provision of customer information and complying with all requests as per
regulatory norms.
We work with industry, government, law enforcement and community organizations to help our
customers understand and manage the risks associated with the online world. We support a range of
government initiatives to raise awareness, and provide online education and guidance. Some of the
measures undertaken in the last few years include:
• Actively participating in multiple national level working groups and numerous international forums on
internet safety and cyber security
Information Security Management System Policy Statement
The purpose of this policy is to protect, preserve and manage the confidentiality, integrity and
availability of information and all supporting business processes, systems and applications.
This policy sets out the principles required to protect Playfords information assets from threats,
whether internal or external, deliberate or accidental.
This policy applies to, and is mandatory for, all Playfords personnel. All references made to
personnel in this policy include Playfords employees, whether full or
part-time, contractors and third-party personnel.
All personnel, regardless of their role, are responsible for conducting their work in a manner that
protects the security of Playfords information. This includes adhering to the following
information security principles:
Information, and the supporting business processes, systems and applications, will be
protected by implementing appropriate controls to preserve their confidentiality, integrity and
availability.
Risks to information will be actively identified and managed as per the Hedley Solutions Risk
Management Framework and in context of the overall business risks.
Physical and logical access to information is restricted to authorised users. The access to
information will be monitored on an ongoing basis.
Appropriate business continuity and disaster recovery plans are in place. The plans will be
tested periodically.
Third parties with authorisation to access Playfords information assets will be made aware of
their responsibilities with regards to information security and the protection of information.
Awareness of information security will be provided to all personnel on a regular basis.
Information security incidents (both suspected and actual) will be reported immediately to
the Networks Department or Quality & Information Security Manager.
All personnel will comply with all relevant legal and regulatory requirements related to
information security, including but not limited to the Data Protection Act 1998.
Supporting information security policies are in place to ensure the principles above are
achieved.
All Managers are directly responsible for implementing the policy within their business areas, and
for adherence by their staff. It is the responsibility of each employee to adhere to the
Information Security Management System Policy.
This policy will be reviewed annually at the Management Review.
ALAN TUOHY
Managing Director
The objective of this Information Security Policy Statement is to ensure that BAI Communications (BAI) and its
companies deliver a consistently high level of information security throughout its business groups. BAI is committed to
implementing and maintaining compliance with ISO 27001, and to continuous, practical improvement of our
information security practices. This will help maintain our reputation in the industry and meet our legal/regulatory and
customers’ requirements.
• Clearly understanding the requirements and expectations of our customers and relevant regulatory authorities
• Working closely with our customers and suppliers to deliver services in a security conscious fashion
• Ensuring every employee shares responsibility for effective information security
• Protecting its people, information, intellectual property, assets, activities and facilities against misuse, loss,
damage, disruption, interference, espionage, or unauthorised disclosure. It is also critical that we retain the
confidence of those who entrust sensitive information to BAI Communications.
• Developing and maintaining security policies and controls designed to meet the requirements of ISO 27001. The
policy statements contained in our Information Security Policy (ISP), procedures, guidelines, and standards, reflect
the minimum requirements necessary to maintain an acceptable standard for protecting our information assets
and, at the same time, our reputation.
• Implement an Information Security Management System (ISMS) and ensure it is maintained, continually
improved, and supported with adequate resources to achieve the objectives set in this Policy Statement.
Our approach to achieving these objectives is to enhance information security through investment in technology,
processes, and employee skills. This will improve the way we both manage our business and deliver services to our
customers. Underpinning our approach to information security is the Group Risk Management Framework which
allows the business to present threats, risks, and opportunities for management review. This allows the BAI leadership
team (including the Audit and Risk Committee and the Board) to ensure the risk profile of the business is accurate and
that risk mitigation efforts are focused on appropriately supporting strategic outcomes.
This policy statement shall be easily accessible to all staff and available on the BAI Communications intranet. It is also
available for public viewing on the web at www.baicommunications.com. Each member of staff is asked to take
particular care in their approach to security and to accept the important role they play in maintaining an effective
information security program throughout BAI Communications.
Jim Hassell
Group Chief Executive Officer, BAI Communications
1. Replace the bold items in square brackets with your business information
3. Create or update the privacy policy page on your website using the updated text.
Privacy Policy Template
Privacy Policy
[Your business name] is committed to providing quality services to you and this policy outlines
our ongoing obligations to you in respect of how we manage your Personal Information.
We have adopted the National Privacy Principles (NPPs) contained in the Privacy Act 1988
(Cth) (the Privacy Act). The NPPs govern the way in which we collect, use, disclose, store,
secure and dispose of your Personal Information.
A copy of the Australian Privacy Principles may be obtained from the website of The Office of
the Federal Privacy Commissioner at www.privacy.gov.au.
We collect your Personal Information for the primary purpose of providing our services to you,
providing information to our clients and marketing. We may also use your Personal Information
for secondary purposes closely related to the primary purpose, in circumstances where you
would reasonably expect such use or disclosure. You may unsubscribe from our
mailing/marketing lists at any time by contacting us in writing.
When we collect Personal Information we will, where appropriate and where possible, explain
to you why we are collecting the information and how we plan to use it.
Sensitive Information
Sensitive information is defined in the Privacy Act to include information or opinion about such
things as an individual's racial or ethnic origin, political opinions, membership of a political
association, religious or philosophical beliefs, membership of a trade union or other
professional body, criminal record or health information.
Third Parties
Where reasonable and practicable to do so, we will collect your Personal Information only from
you. However, in some circumstances we may be provided with information by third parties. In
such a case we will take reasonable steps to ensure that you are made aware of the
information provided to us by the third party.
When your Personal Information is no longer needed for the purpose for which it was obtained,
we will take reasonable steps to destroy or permanently de-identify your Personal Information.
However, most of the Personal Information is or will be stored in client files which will be kept
by us for a minimum of 7 years.
[Your business name] will not charge any fee for your access request, but may charge an
administrative fee for providing a copy of your Personal Information.
In order to protect your Personal Information we may require identification from you before
releasing the requested information.
Policy Updates
This Policy may change from time to time and is available on our website.
Information Security Policy Outline
RHM Telecommunications processes customer personal information on a daily
basis. This Information must have adequate safeguards in place to ensure its safety
and integrity for the benefit of both the customer and the company.
Everyone has a responsibility for ensuring the company's systems and data are
protected from unauthorised access and improper use.
Information Security Policy Statement
APS Group’s senior management recognises the importance of developing and implementing an
Information Security Management System (ISMS) to protect business information assets within APS
Group from all threats, whether internal or external, deliberate or accidental, and to demonstrate the
commitment we have towards our customers’ information security.
APS Group’s ISMS programme is founded on the international standard BS ISO/IEC 27001:2013,
published by the BSI, which came into effect Sept 2013.
The APS Group ISMS control documents have been produced to define requirements for
a management systems approach to information security management, based on industry best practices.
The framework for setting Information Security objectives has been established and documented within
the APS Group ISMS manual.
It is the objective of APS Group to ensure that information is only accessible to authorised persons from
within or outside the company and minimise damage by preventing and reducing the impact of security
incidents. Confidentiality, Integrity and Availability of information is maintained throughout business
functions and processes.
APS Group has established a risk assessment methodology to identify and control the security of
business information meeting legal, regulatory and contractual requirements.
Demonstration of successful implementation of this management system will assure all interested parties
to the business that an appropriate and effective information security management system is in place.
These specific requirements for setting up and managing an effective information security management
system emphasise APS Group’s commitment to:
• understanding information security needs and the necessity of establishing policy and objectives
for information security;
• implementing and operating controls and measures for managing the organisation’s overall
information security risk;
• monitoring and reviewing the performance and effectiveness of the ISMS; and
• continual improvement based on objective measurement.
It is the policy of APS Group to conduct a management review of the ISMS annually or when significant
changes take place to ensure the system meets the requirements of all stakeholders and compliance to
the ISO 27001 standard.
John Holmes - Executive Director - has overall responsibility for maintaining this Policy and providing
guidance on its implementation. All managers are directly responsible for ensuring that policies and
procedures are followed within their business areas. It is the responsibility of each employee to adhere to
the business ISMS policies and procedures.
Information Security Management is an integral part of ESAF’s commitment to provide sustainable and
secure service to its customers. We strive to achieve confidentiality and integrity of all kinds of
information we disseminate, produce, manage and save through state-of-the-art procedures. This policy
aims to protect and safeguard our information assets from internal, external, deliberate and
accidental threats. For this we shall ensure:
1. Integrity of all business processes, information assets, and supporting IT assets and processes of
ESAF, through protection from unauthorized modification, guarding against improper information
modification or destruction, and includes ensuring information non-repudiation and authenticity.
2. Availability of all business processes, information assets, and supporting IT assets and processes to
authorized users when needed, ensuring timely and reliable access to and use of information.
3. Confidentiality of all information assets (information is not disclosed to unauthorized persons through
deliberate or careless action). Preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary information.
4. Continuous improvement of the information security management system to keep up with ESAF’s
promise of security to its customers.
5. Comply with the laws, regulations and contractual obligations which are applicable to the
organization in general and in particular to its ISMS.
6. Workforce members complete an annual information security and privacy awareness and training
program. As part of this program, additional role-based training will be provided to the workforce,
before they start handling sensitive and confidential information.
Administrative access to systems is limited to Workforce Members who have a legitimate business
need for this type of access. Administrative access to network devices is logged.
All breaches of information security, whether actual or suspected, will be reported to and hence
investigated by authorized personnel.
A Security Operations Center shall be established for security monitoring of logs of critical IT Assets
as per guidelines issued by the RBI.
Audits shall be conducted to ensure compliance with the information security policies, procedures
and guidelines with managers making sure that all employees in their respective branches are aware
and complying with the policy.
Information security documents not limited to policies, procedures and guidelines are available in
both online and offline format for quick reference.
Any workforce member found to have violated this policy may be subject to disciplinary
and/or legal action according to the Sanction policy.
This policy has been approved by the Board of Directors, ESAF and is subject to periodic
changes and will be posted on the official bank website. All suggestions and remarks regarding
the policy can be sent to: [email protected]
BHARTI AIRTEL LTD.
Airtel prides itself as being a leader in the Telecommunications industry. As part of this, we recognise that we
have a responsibility to protect all of the data we hold or process, whether it belongs to Airtel, our employees,
partners, customers, or suppliers. By protecting this data, we can ensure that we maintain our reputation as a
trusted employer and partner, enabling us to grow as a business and deliver exceptional service to our
customers. Safeguarding customer privacy, and ensuring security of data across its operations, lines of business
and supply chain, is a key focus area for Airtel. This is not just to ensure legal and regulatory compliance, but to
reinforce the trust that our customers and other stakeholders have placed in us.
The Confidentiality, Integrity and Availability of information in Information Security Management are integral parts
of Airtel's management function, which views these as its primary responsibility and fundamental to best business
practice. The objective of this Information Security Policy Statement is to ensure that Airtel and its companies
deliver a consistently high level of information security throughout its business. Airtel is certified against global
standards such as ISO27001 and ISO22301, and has adopted the NASSCOM-DSCI Privacy Framework (DPF) to
protect the privacy of personal information from unauthorized use, disclosure, modification, or misuse, which
allows us to identify critical customer information and ensure adequate measures to safeguard it. To ensure
compliance with the policy, we conduct periodic internal and external audits of various functions. Information
moving within and across the boundaries of our organization is effectively monitored in real-time for any breach
in company policy. Any non-compliance is immediately escalated and investigated. The Circle Information
Security Council (CISC) recommends disciplinary actions against employees, partners or third parties involved in
privacy breaches. Airtel has also established an efficient Fraud Management Program driven by revenue
assurance and fraud management experts, which makes use of highly sophisticated and evolved tools and
processes to detect and prevent the occurrence of fraud and data loss. Airtel commits to:
• Clearly understanding the requirements and expectations of our customers and relevant regulatory
authorities
• Working closely with our customers and suppliers to deliver services in a security conscious fashion
• Ensuring every employee shares responsibility for effective information security
• Protecting its people, information, intellectual property, assets, activities and facilities against misuse,
loss, damage, disruption, interference, espionage, or unauthorised disclosure. It is also critical that we
retain the confidence of those who entrust sensitive information to Airtel.
• Developing and maintaining security policies and controls designed to meet the requirements of ISO
27001. The policy statements contained in our Information Security Policy (ISP), procedures, guidelines,
and standards, reflect the minimum requirements necessary to maintain an acceptable standard for
protecting our information assets and, at the same time, our reputation.
• Implement an Information Security Management System (ISMS) and ensure it is maintained, continually
improved, and supported with adequate resources to achieve the objectives set in this Policy
Statement.
Our approach to achieving these objectives is to enhance information security through investment in
technology, processes, and employee skills. This will improve the way we both manage our business and deliver
services to our customers and also allows the Airtel leadership team (including the Audit and Risk Committee
and the Board) to ensure the risk profile of the business is accurate and that risk mitigation efforts are focused
on appropriately supporting strategic outcomes.
The Executive Board fully supports the information security management system and requires all our staff,
whether permanent or temporary, partner organisations, suppliers and contractors to do the same. Airtel shall
ensure that the review of the Information Security Policy and related documents is performed at least on an
annual basis or when significant changes occur to ensure suitability, adequacy, and effectiveness of the ISMS
framework.
SpiceJet Ltd is India's best low-cost airline delivering the lowest airfares with the highest consumer value.
SpiceJet is headquartered in Gurgaon, Haryana and is the second-largest airline in the country by the
number of domestic passengers carried.
The objective of this Information Security Policy Statement is to ensure that SpiceJet delivers a consistently
high level of information security throughout its business groups. It is committed to implementing and
maintaining compliance with ISO 27001, and to the continuous, practical improvement of our information
security practices. This will help maintain our reputation in the industry and meet our legal/regulatory and
customers’ requirements.
This policy statement shall be easily accessible to all staff and available on the SpiceJet intranet. It is also
available for viewing on the web at https://www.spicejet.com.
The policy has been approved by the Directors and is reviewed annually to ensure its continuing suitability,
adequacy, and effectiveness.