Certification

We are an ISO 27001:2013 certified company, the certification having been granted by the Standards Certification Council, which is accredited by ACCAB (Accreditation Commission for Conformity Assessment Bodies)

Our ISMS Approach

  • Risk assessment of entire organization
  • Design ISMS controls
  • Implement and establish system
  • Operate, monitor, measure and control system
  • Continuous improvement of system

Key Components of ISMS (Information Security Management System) at phamax

Summary of ISMS Related Processes at phamax

  • Helpdesk and Service Management
  • Incident Reporting and Management
  • Change Request Processes
  • Protocols for Request Fulfilments
  • Asset Management
  • Identity Management
  • Service Level/ Third Party Agreements
  • IT Procurement Processes and Protocols
  • HR Recruitment, Employment and Disengagement Protocols
  • Infrastructure Maintenance and Management - ensure availability of redundant and standby systems for business contingency
  • Disaster Management and Business Continuity at an equipped and tested DR site

We Assure our Customers of:

  • A robust Information Security Management System (ISMS) and its suitability to their requirements
  • Confidentiality of data
  • Security against data losses
  • High employee morale and efficient HR management
  • 100% uptime of infrastructure
  • Highly equipped disaster site for Disaster Recovery Management
  • Business continuity through controlled measures to manage disruptions in business
  • Physical security with well-defined security perimeter
  • Robust and efficient Asset Management System encompassing all IT and non IT asset management

Information Security Policy

Protection of company assets is vital to the success of our business. To this end, we have established an Information Security Management System (ISMS) with all the processes required to identify the information that needs protection and how to protect it. Since the needs of our business change, we recognize that our management system must be kept up to date and improved as those changes occur. To this effect, we continually set new objectives and regularly review our processes.

Objectives

It is the policy of our company to ensure:

  • Information is accessible only to authorized personnel, whether inside or outside the company
  • Confidentiality and integrity of information is maintained
  • Business continuity plans are established, maintained and tested
  • All personnel are trained in information security and are required to maintain compliance
  • All breaches of information security and suspected weaknesses are reported and investigated
  • Procedures, including malware (virus) control measures, password management and continuity plans, are maintained in line with the policy
  • The Information Security Manager is responsible for maintaining the policy and providing support and advice during its implementation
  • All managers are directly responsible for implementing the policy and ensuring staff compliance in their respective departments

This policy is approved by the company management and is reviewed by them annually.

Organization of Information Security

We are committed to establishing, implementing, and continuously monitoring and improving our information security. The approach adopted when establishing the ISMS includes:

  • Risk assessment of the entire organization
  • Design of controls for ISMS
  • Implementation of the system
  • Operation, monitoring, measurement and control of the system
  • Continuous improvement of the system

Asset Management

We have established a robust enterprise solution to manage assets across the organization, covering:

  • Acquisition (procurement)
  • Contract and SLA management
  • Asset discovery and IT inventory updates
  • Tracking custodian/location change
  • Reporting missing assets
  • Flagging assets as not mine, surplus or retired
  • Approval process by department head/IT security/receiving manager etc.

Human Resource Security

A high-quality and timely recruitment process, together with training and HR administration, plays an important role in maintaining an organization's level of competency. The HR security component ensures that staffing and HR practices provide the appropriate and necessary people, on time, to carry out business processes.

This policy specifies controls to reduce the information security risks associated with human resources and HR management activities.

Physical Security

We commit to protecting all physical and information assets from threats, whether internal or external, intentional or accidental. Policies are issued and maintained by the ISMS Manager, who also provides advice and guidance on their implementation and ensures compliance. All employees and consultants within the organization are directly responsible for implementing and complying with this policy.

Communications and Operations Management

This component of the ISMS covers the vital areas in the day-to-day operations of the organization's IT services. It covers protection against malware such as viruses and Trojans, unauthorized changes and leakage of information. It also covers:

  • Processing and handling information (classification of information, confidentiality agreements etc.)
  • Backup procedures
  • Work scheduling requirements (interdependencies, completion times etc.)
  • Instructions and guidance to handle errors
  • Contact and reporting details in the event of unexpected operational issues
  • Procedures for handling special outputs (e.g. special stationery like cheques, payslips etc.)
  • System restart and recovery procedures in the event of system failure
  • Procedures for all housekeeping functions

Access Control

Access to the organization's computing resources is controlled by restrictions designed to prevent unauthorized access while still providing unhindered access to information assets when it is legitimately required.

The organization provides all employees and other users with the information they need to carry out their responsibilities as effectively and efficiently as possible. Access to private information is limited to authorized personnel whose job responsibilities require it.

System Development and Maintenance

All users, depending on their role, must comply with this standard. A breach of this interim standard by users may constitute misconduct, depending on the circumstances. The key objectives of this component are to:

  • Ensure that security is built into information systems, infrastructure, purchased business applications and user developed applications
  • Prevent loss, modification or misuse of user data in application systems
  • Maintain the security of application systems and data
  • Ensure that information projects and support activities are carried out in a secure manner

Incident Management

Our incident response system defines what constitutes a security incident and outlines the phases of incident response. It covers the transfer of information to the appropriate personnel, assessment of the incident, how to minimize damage, the response strategy, and the documentation and preservation of evidence. The incident response system defines areas of responsibility and establishes procedures for handling security incidents. The incident management document discusses the considerations involved in building an incident response plan. The key goals of this system are to:

  • Verify that an incident occurred
  • Maintain or restore business continuity
  • Reduce the incident impact
  • Prevent future incidents
  • Improve security and incident response
  • Prosecute illegal activity
  • Keep the management informed of the situation and response

Business Continuity Planning

  • We ensure timely recovery of our critical business operations in case of a business interruption.
  • We use existing infrastructure and introduce critical components and procedures such as testing backup tapes for restorability, establishing SLAs with vendors, and identifying cold standby sites for restarting equipment and/or storing Disaster Recovery tapes
  • The Business Continuity plans are tested at regular intervals, and staff are given adequate training to keep their skills current in the relevant areas

Compliance

  • We track the latest regulatory and statutory requirements in the country and maintain compliance through periodic review and alignment of the ISMS with legal requirements
  • We engage highly competent professionals in the advisory panel of the organization to guide on the legal requirements